diff --git a/aws/sdk/aws-models/config.json b/aws/sdk/aws-models/config.json
index f96f7b6f754c3a80d716ecc4f99834b0e370cec0..d98e34a8d6ba3a7e2f5afdc945d848f2aa3b3e46 100644
--- a/aws/sdk/aws-models/config.json
+++ b/aws/sdk/aws-models/config.json
@@ -13333,6 +13333,342 @@ "traits": { "smithy.api#enumValue": "AWS::SageMaker::Image" } + }, + "ECSTaskSet": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::ECS::TaskSet" + } + }, + "CassandraKeyspace": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Cassandra::Keyspace" + } + }, + "SignerSigningProfile": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Signer::SigningProfile" + } + }, + "AmplifyApp": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Amplify::App" + } + }, + "AppMeshVirtualNode": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::AppMesh::VirtualNode" + } + }, + "AppMeshVirtualService": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::AppMesh::VirtualService" + } + }, + "AppRunnerVpcConnector": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::AppRunner::VpcConnector" + } + }, + "AppStreamApplication": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::AppStream::Application" + } + }, + "CodeArtifactRepository": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::CodeArtifact::Repository" + } + }, + "EC2PrefixList": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::EC2::PrefixList" + } + }, + "EC2SpotFleet": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::EC2::SpotFleet" + } + }, + "EvidentlyProject": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Evidently::Project" + } + }, + "ForecastDataset": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Forecast::Dataset" + } + }, + "IAMSAMLProvider": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::IAM::SAMLProvider" + } + }, + "IAMServerCertificate": { + "target": "smithy.api#Unit", + "traits": { + 
"smithy.api#enumValue": "AWS::IAM::ServerCertificate" + } + }, + "PinpointCampaign": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Pinpoint::Campaign" + } + }, + "PinpointInAppTemplate": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Pinpoint::InAppTemplate" + } + }, + "SageMakerDomain": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::SageMaker::Domain" + } + }, + "TransferAgreement": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Transfer::Agreement" + } + }, + "TransferConnector": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Transfer::Connector" + } + }, + "KinesisFirehoseDeliveryStream": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::KinesisFirehose::DeliveryStream" + } + }, + "AmplifyBranch": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Amplify::Branch" + } + }, + "AppIntegrationsEventIntegration": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::AppIntegrations::EventIntegration" + } + }, + "AppMeshRoute": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::AppMesh::Route" + } + }, + "AthenaPreparedStatement": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Athena::PreparedStatement" + } + }, + "EC2IPAMScope": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::EC2::IPAMScope" + } + }, + "EvidentlyLaunch": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Evidently::Launch" + } + }, + "ForecastDatasetGroup": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Forecast::DatasetGroup" + } + }, + "GreengrassV2ComponentVersion": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::GreengrassV2::ComponentVersion" + } + }, + 
"GroundStationMissionProfile": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::GroundStation::MissionProfile" + } + }, + "MediaConnectFlowEntitlement": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::MediaConnect::FlowEntitlement" + } + }, + "MediaConnectFlowVpcInterface": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::MediaConnect::FlowVpcInterface" + } + }, + "MediaTailorPlaybackConfiguration": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::MediaTailor::PlaybackConfiguration" + } + }, + "MSKConfiguration": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::MSK::Configuration" + } + }, + "PersonalizeDataset": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Personalize::Dataset" + } + }, + "PersonalizeSchema": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Personalize::Schema" + } + }, + "PersonalizeSolution": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Personalize::Solution" + } + }, + "PinpointEmailTemplate": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Pinpoint::EmailTemplate" + } + }, + "PinpointEventStream": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Pinpoint::EventStream" + } + }, + "ResilienceHubApp": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::ResilienceHub::App" + } + }, + "ACMPCACertificateAuthority": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::ACMPCA::CertificateAuthority" + } + }, + "AppConfigHostedConfigurationVersion": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::AppConfig::HostedConfigurationVersion" + } + }, + "AppMeshVirtualGateway": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": 
"AWS::AppMesh::VirtualGateway" + } + }, + "AppMeshVirtualRouter": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::AppMesh::VirtualRouter" + } + }, + "AppRunnerService": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::AppRunner::Service" + } + }, + "CustomerProfilesObjectType": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::CustomerProfiles::ObjectType" + } + }, + "DMSEndpoint": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::DMS::Endpoint" + } + }, + "EC2CapacityReservation": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::EC2::CapacityReservation" + } + }, + "EC2ClientVpnEndpoint": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::EC2::ClientVpnEndpoint" + } + }, + "KendraIndex": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Kendra::Index" + } + }, + "KinesisVideoStream": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::KinesisVideo::Stream" + } + }, + "LogsDestination": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Logs::Destination" + } + }, + "PinpointEmailChannel": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Pinpoint::EmailChannel" + } + }, + "S3AccessPoint": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::S3::AccessPoint" + } + }, + "NetworkManagerCustomerGatewayAssociation": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::NetworkManager::CustomerGatewayAssociation" + } + }, + "NetworkManagerLinkAssociation": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::NetworkManager::LinkAssociation" + } } } }, 
@@ -14127,6 +14463,7 @@ "arnNamespace": "config", "cloudFormationName": "Config", "cloudTrailEventSource": "configservice.amazonaws.com", + "docId": "config-2014-11-12", "endpointPrefix": "config" }, "aws.auth#sigv4": { @@ -14198,52 +14535,56 @@ "type": "error" }, { - "conditions": [], - "type": "tree", - "rules": [ + "conditions": [ { - "conditions": [ + "fn": "booleanEquals", + "argv": [ { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseDualStack" - }, - true - ] - } - ], - "error": "Invalid Configuration: Dualstack and custom endpoint are not supported", - "type": "error" - }, - { - "conditions": [], - "endpoint": { - "url": { - "ref": "Endpoint" + "ref": "UseDualStack" }, - "properties": {}, - "headers": {} - }, - "type": "endpoint" + true + ] } - ] + ], + "error": "Invalid Configuration: Dualstack and custom endpoint are not supported", + "type": "error" + }, + { + "conditions": [], + "endpoint": { + "url": { + "ref": "Endpoint" + }, + "properties": {}, + "headers": {} + }, + "type": "endpoint" } ] }, { - "conditions": [], + "conditions": [ + { + "fn": "isSet", + "argv": [ + { + "ref": "Region" + } + ] + } + ], "type": "tree", "rules": [ { "conditions": [ { - "fn": "isSet", + "fn": "aws.partition", "argv": [ { "ref": "Region" } - ] + ], + "assign": "PartitionResult" } ], "type": "tree", @@ -14251,13 +14592,22 @@ { "conditions": [ { - "fn": "aws.partition", + "fn": "booleanEquals", "argv": [ { - "ref": "Region" - } - ], - "assign": "PartitionResult" + "ref": "UseFIPS" + }, + true + ] + }, + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseDualStack" + }, + true + ] } ], "type": "tree", 
@@ -14267,92 +14617,83 @@ { "fn": "booleanEquals", "argv": [ + true, { - "ref": "UseFIPS" - }, - true + "fn": "getAttr", + "argv": [ + { + "ref": "PartitionResult" + }, + "supportsFIPS" + ] + } ] }, { "fn": "booleanEquals", "argv": [ + true, { - "ref": "UseDualStack" - }, - true - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "booleanEquals", + "fn": "getAttr", "argv": [ - true, { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "supportsFIPS" - ] - } - ] - }, - { - "fn": "booleanEquals", - "argv": [ - true, - { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "supportsDualStack" - ] - } - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [], - "endpoint": { - "url": "https://config-fips.{Region}.{PartitionResult#dualStackDnsSuffix}", - "properties": {}, - "headers": {} - }, - "type": "endpoint" - } + "ref": "PartitionResult" + }, + "supportsDualStack" ] } ] - }, + } + ], + "type": "tree", + "rules": [ { "conditions": [], - "error": "FIPS and DualStack are enabled, but this partition does not support one or both", - "type": "error" + "endpoint": { + "url": "https://config-fips.{Region}.{PartitionResult#dualStackDnsSuffix}", + "properties": {}, + "headers": {} + }, + "type": "endpoint" } ] }, + { + "conditions": [], + "error": "FIPS and DualStack are enabled, but this partition does not support one or both", + "type": "error" + } + ] + }, + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseFIPS" + }, + true + ] + } + ], + "type": "tree", + "rules": [ { "conditions": [ { "fn": "booleanEquals", "argv": [ + true, { - "ref": "UseFIPS" - }, - true + "fn": "getAttr", + "argv": [ + { + "ref": "PartitionResult" + }, + "supportsFIPS" + ] + } ] } ], 
@@ -14361,155 +14702,115 @@ { "conditions": [ { - "fn": "booleanEquals", + "fn": "stringEquals", "argv": [ - true, + "aws-us-gov", { "fn": "getAttr", "argv": [ { "ref": "PartitionResult" }, - "supportsFIPS" + "name" ] } ] } ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "stringEquals", - "argv": [ - "aws-us-gov", - { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "name" - ] - } - ] - } - ], - "endpoint": { - "url": "https://config.{Region}.amazonaws.com", - "properties": {}, - "headers": {} - }, - "type": "endpoint" - }, - { - "conditions": [], - "endpoint": { - "url": "https://config-fips.{Region}.{PartitionResult#dnsSuffix}", - "properties": {}, - "headers": {} - }, - "type": "endpoint" - } - ] - } - ] + "endpoint": { + "url": "https://config.{Region}.amazonaws.com", + "properties": {}, + "headers": {} + }, + "type": "endpoint" }, { "conditions": [], - "error": "FIPS is enabled but this partition does not support FIPS", - "type": "error" + "endpoint": { + "url": "https://config-fips.{Region}.{PartitionResult#dnsSuffix}", + "properties": {}, + "headers": {} + }, + "type": "endpoint" } ] }, + { + "conditions": [], + "error": "FIPS is enabled but this partition does not support FIPS", + "type": "error" + } + ] + }, + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseDualStack" + }, + true + ] + } + ], + "type": "tree", + "rules": [ { "conditions": [ { "fn": "booleanEquals", "argv": [ + true, { - "ref": "UseDualStack" - }, - true - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "booleanEquals", + "fn": "getAttr", "argv": [ - true, - { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "supportsDualStack" - ] - } - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": "tree", - "rules": [ { - "conditions": [], - "endpoint": { - "url": 
"https://config.{Region}.{PartitionResult#dualStackDnsSuffix}", - "properties": {}, - "headers": {} - }, - "type": "endpoint" - } + "ref": "PartitionResult" + }, + "supportsDualStack" ] } ] - }, - { - "conditions": [], - "error": "DualStack is enabled but this partition does not support DualStack", - "type": "error" } - ] - }, - { - "conditions": [], + ], "type": "tree", "rules": [ { "conditions": [], "endpoint": { - "url": "https://config.{Region}.{PartitionResult#dnsSuffix}", + "url": "https://config.{Region}.{PartitionResult#dualStackDnsSuffix}", "properties": {}, "headers": {} }, "type": "endpoint" } ] + }, + { + "conditions": [], + "error": "DualStack is enabled but this partition does not support DualStack", + "type": "error" } ] + }, + { + "conditions": [], + "endpoint": { + "url": "https://config.{Region}.{PartitionResult#dnsSuffix}", + "properties": {}, + "headers": {} + }, + "type": "endpoint" } ] - }, - { - "conditions": [], - "error": "Invalid Configuration: Missing Region", - "type": "error" } ] + }, + { + "conditions": [], + "error": "Invalid Configuration: Missing Region", + "type": "error" } ] }, diff --git a/aws/sdk/aws-models/dynamodb.json b/aws/sdk/aws-models/dynamodb.json index 7c5a2d767878196a48d71274e14423ef9c51dc24..c4e51dc02fbb0acd47a95b94b7412b1fe97e3735 100644 --- a/aws/sdk/aws-models/dynamodb.json +++ b/aws/sdk/aws-models/dynamodb.json @@ -790,7 +790,7 @@ "Responses": { "target": "com.amazonaws.dynamodb#PartiQLBatchResponse", "traits": { - "smithy.api#documentation": "
The response to each PartiQL statement in the batch.
" + "smithy.api#documentation": "The response to each PartiQL statement in the batch. The values of the list are \n ordered according to the ordering of the request statements.
" } }, "ConsumedCapacity": { @@ -833,7 +833,67 @@ "aws.api#clientDiscoveredEndpoint": { "required": false }, - "smithy.api#documentation": "The BatchGetItem
operation returns the attributes of one or more items\n from one or more tables. You identify requested items by primary key.
A single operation can retrieve up to 16 MB of data, which can contain as many as 100\n items. BatchGetItem
returns a partial result if the response size limit is\n exceeded, the table's provisioned throughput is exceeded, more than 1MB per partition is requested,\n or an internal processing failure occurs. If a partial result is returned, the operation returns a value for\n UnprocessedKeys
. You can use this value to retry the operation starting\n with the next item to get.
If you request more than 100 items, BatchGetItem
returns a\n ValidationException
with the message \"Too many items requested for\n the BatchGetItem call.\"
For example, if you ask to retrieve 100 items, but each individual item is 300 KB in\n size, the system returns 52 items (so as not to exceed the 16 MB limit). It also returns\n an appropriate UnprocessedKeys
value so you can get the next page of\n results. If desired, your application can include its own logic to assemble the pages of\n results into one dataset.
If none of the items can be processed due to insufficient\n provisioned throughput on all of the tables in the request, then\n BatchGetItem
returns a\n ProvisionedThroughputExceededException
. If at least\n one of the items is successfully processed, then\n BatchGetItem
completes successfully, while returning the keys of the\n unread items in UnprocessedKeys
.
If DynamoDB returns any unprocessed items, you should retry the batch operation on\n those items. However, we strongly recommend that you use an exponential\n backoff algorithm. If you retry the batch operation immediately, the\n underlying read or write requests can still fail due to throttling on the individual\n tables. If you delay the batch operation using exponential backoff, the individual\n requests in the batch are much more likely to succeed.
\nFor more information, see Batch Operations and Error Handling in the Amazon DynamoDB\n Developer Guide.
\nBy default, BatchGetItem
performs eventually consistent reads on every\n table in the request. If you want strongly consistent reads instead, you can set\n ConsistentRead
to true
for any or all tables.
In order to minimize response latency, BatchGetItem
may retrieve items in\n parallel.
When designing your application, keep in mind that DynamoDB does not return items in\n any particular order. To help parse the response by item, include the primary key values\n for the items in your request in the ProjectionExpression
parameter.
If a requested item does not exist, it is not returned in the result. Requests for\n nonexistent items consume the minimum read capacity units according to the type of read.\n For more information, see Working with Tables in the Amazon DynamoDB Developer\n Guide.
" + "smithy.api#documentation": "The BatchGetItem
operation returns the attributes of one or more items\n from one or more tables. You identify requested items by primary key.
A single operation can retrieve up to 16 MB of data, which can contain as many as 100\n items. BatchGetItem
returns a partial result if the response size limit is\n exceeded, the table's provisioned throughput is exceeded, more than 1MB per partition is requested,\n or an internal processing failure occurs. If a partial result is returned, the operation returns a value for\n UnprocessedKeys
. You can use this value to retry the operation starting\n with the next item to get.
If you request more than 100 items, BatchGetItem
returns a\n ValidationException
with the message \"Too many items requested for\n the BatchGetItem call.\"
For example, if you ask to retrieve 100 items, but each individual item is 300 KB in\n size, the system returns 52 items (so as not to exceed the 16 MB limit). It also returns\n an appropriate UnprocessedKeys
value so you can get the next page of\n results. If desired, your application can include its own logic to assemble the pages of\n results into one dataset.
If none of the items can be processed due to insufficient\n provisioned throughput on all of the tables in the request, then\n BatchGetItem
returns a\n ProvisionedThroughputExceededException
. If at least\n one of the items is successfully processed, then\n BatchGetItem
completes successfully, while returning the keys of the\n unread items in UnprocessedKeys
.
If DynamoDB returns any unprocessed items, you should retry the batch operation on\n those items. However, we strongly recommend that you use an exponential\n backoff algorithm. If you retry the batch operation immediately, the\n underlying read or write requests can still fail due to throttling on the individual\n tables. If you delay the batch operation using exponential backoff, the individual\n requests in the batch are much more likely to succeed.
\nFor more information, see Batch Operations and Error Handling in the Amazon DynamoDB\n Developer Guide.
\nBy default, BatchGetItem
performs eventually consistent reads on every\n table in the request. If you want strongly consistent reads instead, you can set\n ConsistentRead
to true
for any or all tables.
In order to minimize response latency, BatchGetItem
may retrieve items in\n parallel.
When designing your application, keep in mind that DynamoDB does not return items in\n any particular order. To help parse the response by item, include the primary key values\n for the items in your request in the ProjectionExpression
parameter.
If a requested item does not exist, it is not returned in the result. Requests for\n nonexistent items consume the minimum read capacity units according to the type of read.\n For more information, see Working with Tables in the Amazon DynamoDB Developer\n Guide.
", + "smithy.api#examples": [ + { + "title": "To retrieve multiple items from a table", + "documentation": "This example reads multiple items from the Music table using a batch of three GetItem requests. Only the AlbumTitle attribute is returned.", + "input": { + "RequestItems": { + "Music": { + "Keys": [ + { + "Artist": { + "S": "No One You Know" + }, + "SongTitle": { + "S": "Call Me Today" + } + }, + { + "Artist": { + "S": "Acme Band" + }, + "SongTitle": { + "S": "Happy Day" + } + }, + { + "Artist": { + "S": "No One You Know" + }, + "SongTitle": { + "S": "Scared of My Shadow" + } + } + ], + "ProjectionExpression": "AlbumTitle" + } + } + }, + "output": { + "Responses": { + "Music": [ + { + "AlbumTitle": { + "S": "Somewhat Famous" + } + }, + { + "AlbumTitle": { + "S": "Blue Sky Blues" + } + }, + { + "AlbumTitle": { + "S": "Louder Than Ever" + } + } + ] + } + } + } + ] } }, "com.amazonaws.dynamodb#BatchGetItemInput": { @@ -920,6 +980,12 @@ "traits": { "smithy.api#documentation": "The error message associated with the PartiQL batch response.
" } + }, + "Item": { + "target": "com.amazonaws.dynamodb#AttributeMap", + "traits": { + "smithy.api#documentation": "The item which caused the condition check to fail. This will be set if ReturnValuesOnConditionCheckFailure is specified as ALL_OLD
.
The read consistency of the PartiQL batch request.
" } + }, + "ReturnValuesOnConditionCheckFailure": { + "target": "com.amazonaws.dynamodb#ReturnValuesOnConditionCheckFailure", + "traits": { + "smithy.api#documentation": "An optional parameter that returns the item attributes for a PartiQL batch request\n operation that failed a condition check.
\nThere is no additional cost associated with requesting a return value aside from the\n small network and processing overhead of receiving a larger response. No read capacity\n units are consumed.
" + } } }, "traits": { @@ -1082,7 +1154,65 @@ "aws.api#clientDiscoveredEndpoint": { "required": false }, - "smithy.api#documentation": "The BatchWriteItem
operation puts or deletes multiple items in one or\n more tables. A single call to BatchWriteItem
can transmit up to 16MB of\n data over the network, consisting of up to 25 item put or delete operations. While\n individual items can be up to 400 KB once stored, it's important to note that an item's\n representation might be greater than 400KB while being sent in DynamoDB's JSON format\n for the API call. For more details on this distinction, see Naming Rules and Data Types.
\n BatchWriteItem
cannot update items. If you perform a BatchWriteItem
\n operation on an existing item, that item's values will be overwritten by the\n operation and it will appear like it was updated. To update items, we recommend you\n use the UpdateItem
action.
The individual PutItem
and DeleteItem
operations specified\n in BatchWriteItem
are atomic; however BatchWriteItem
as a\n whole is not. If any requested operations fail because the table's provisioned\n throughput is exceeded or an internal processing failure occurs, the failed operations\n are returned in the UnprocessedItems
response parameter. You can\n investigate and optionally resend the requests. Typically, you would call\n BatchWriteItem
in a loop. Each iteration would check for unprocessed\n items and submit a new BatchWriteItem
request with those unprocessed items\n until all items have been processed.
If none of the items can be processed due to insufficient\n provisioned throughput on all of the tables in the request, then\n BatchWriteItem
returns a\n ProvisionedThroughputExceededException
.
If DynamoDB returns any unprocessed items, you should retry the batch operation on\n those items. However, we strongly recommend that you use an exponential\n backoff algorithm. If you retry the batch operation immediately, the\n underlying read or write requests can still fail due to throttling on the individual\n tables. If you delay the batch operation using exponential backoff, the individual\n requests in the batch are much more likely to succeed.
\nFor more information, see Batch Operations and Error Handling in the Amazon DynamoDB\n Developer Guide.
\nWith BatchWriteItem
, you can efficiently write or delete large amounts of\n data, such as from Amazon EMR, or copy data from another database into DynamoDB. In\n order to improve performance with these large-scale operations,\n BatchWriteItem
does not behave in the same way as individual\n PutItem
and DeleteItem
calls would. For example, you\n cannot specify conditions on individual put and delete requests, and\n BatchWriteItem
does not return deleted items in the response.
If you use a programming language that supports concurrency, you can use threads to\n write items in parallel. Your application must include the necessary logic to manage the\n threads. With languages that don't support threading, you must update or delete the\n specified items one at a time. In both situations, BatchWriteItem
performs\n the specified put and delete operations in parallel, giving you the power of the thread\n pool approach without having to introduce complexity into your application.
Parallel processing reduces latency, but each specified put and delete request\n consumes the same number of write capacity units whether it is processed in parallel or\n not. Delete operations on nonexistent items consume one write capacity unit.
\nIf one or more of the following is true, DynamoDB rejects the entire batch write\n operation:
\nOne or more tables specified in the BatchWriteItem
request does\n not exist.
Primary key attributes specified on an item in the request do not match those\n in the corresponding table's primary key schema.
\nYou try to perform multiple operations on the same item in the same\n BatchWriteItem
request. For example, you cannot put and delete\n the same item in the same BatchWriteItem
request.
Your request contains at least two items with identical hash and range keys\n (which essentially is two put operations).
\nThere are more than 25 requests in the batch.
\nAny individual item in a batch exceeds 400 KB.
\nThe total request size exceeds 16 MB.
\nThe BatchWriteItem
operation puts or deletes multiple items in one or\n more tables. A single call to BatchWriteItem
can transmit up to 16MB of\n data over the network, consisting of up to 25 item put or delete operations. While\n individual items can be up to 400 KB once stored, it's important to note that an item's\n representation might be greater than 400KB while being sent in DynamoDB's JSON format\n for the API call. For more details on this distinction, see Naming Rules and Data Types.
\n BatchWriteItem
cannot update items. If you perform a BatchWriteItem
\n operation on an existing item, that item's values will be overwritten by the\n operation and it will appear like it was updated. To update items, we recommend you\n use the UpdateItem
action.
The individual PutItem
and DeleteItem
operations specified\n in BatchWriteItem
are atomic; however BatchWriteItem
as a\n whole is not. If any requested operations fail because the table's provisioned\n throughput is exceeded or an internal processing failure occurs, the failed operations\n are returned in the UnprocessedItems
response parameter. You can\n investigate and optionally resend the requests. Typically, you would call\n BatchWriteItem
in a loop. Each iteration would check for unprocessed\n items and submit a new BatchWriteItem
request with those unprocessed items\n until all items have been processed.
If none of the items can be processed due to insufficient\n provisioned throughput on all of the tables in the request, then\n BatchWriteItem
returns a\n ProvisionedThroughputExceededException
.
If DynamoDB returns any unprocessed items, you should retry the batch operation on\n those items. However, we strongly recommend that you use an exponential\n backoff algorithm. If you retry the batch operation immediately, the\n underlying read or write requests can still fail due to throttling on the individual\n tables. If you delay the batch operation using exponential backoff, the individual\n requests in the batch are much more likely to succeed.
\nFor more information, see Batch Operations and Error Handling in the Amazon DynamoDB\n Developer Guide.
\nWith BatchWriteItem
, you can efficiently write or delete large amounts of\n data, such as from Amazon EMR, or copy data from another database into DynamoDB. In\n order to improve performance with these large-scale operations,\n BatchWriteItem
does not behave in the same way as individual\n PutItem
and DeleteItem
calls would. For example, you\n cannot specify conditions on individual put and delete requests, and\n BatchWriteItem
does not return deleted items in the response.
If you use a programming language that supports concurrency, you can use threads to\n write items in parallel. Your application must include the necessary logic to manage the\n threads. With languages that don't support threading, you must update or delete the\n specified items one at a time. In both situations, BatchWriteItem
performs\n the specified put and delete operations in parallel, giving you the power of the thread\n pool approach without having to introduce complexity into your application.
Parallel processing reduces latency, but each specified put and delete request\n consumes the same number of write capacity units whether it is processed in parallel or\n not. Delete operations on nonexistent items consume one write capacity unit.
\nIf one or more of the following is true, DynamoDB rejects the entire batch write\n operation:
\nOne or more tables specified in the BatchWriteItem
request does\n not exist.
Primary key attributes specified on an item in the request do not match those\n in the corresponding table's primary key schema.
\nYou try to perform multiple operations on the same item in the same\n BatchWriteItem
request. For example, you cannot put and delete\n the same item in the same BatchWriteItem
request.
Your request contains at least two items with identical hash and range keys\n (which essentially is two put operations).
\nThere are more than 25 requests in the batch.
\nAny individual item in a batch exceeds 400 KB.
\nThe total request size exceeds 16 MB.
\nThe conditional request failed.
" } + }, + "Item": { + "target": "com.amazonaws.dynamodb#AttributeMap", + "traits": { + "smithy.api#documentation": "Item which caused the ConditionalCheckFailedException
.
Deletes a single item in a table by primary key. You can perform a conditional delete\n operation that deletes the item if it exists, or if it has an expected attribute\n value.
\nIn addition to deleting an item, you can also return the item's attribute values in\n the same operation, using the ReturnValues
parameter.
Unless you specify conditions, the DeleteItem
is an idempotent operation;\n running it multiple times on the same item or attribute does not\n result in an error response.
Conditional deletes are useful for deleting items only if specific conditions are met.\n If those conditions are met, DynamoDB performs the delete. Otherwise, the item is not\n deleted.
" + "smithy.api#documentation": "Deletes a single item in a table by primary key. You can perform a conditional delete\n operation that deletes the item if it exists, or if it has an expected attribute\n value.
\nIn addition to deleting an item, you can also return the item's attribute values in\n the same operation, using the ReturnValues
parameter.
Unless you specify conditions, the DeleteItem
is an idempotent operation;\n running it multiple times on the same item or attribute does not\n result in an error response.
Conditional deletes are useful for deleting items only if specific conditions are met.\n If those conditions are met, DynamoDB performs the delete. Otherwise, the item is not\n deleted.
", + "smithy.api#examples": [ + { + "title": "To delete an item", + "documentation": "This example deletes an item from the Music table.", + "input": { + "TableName": "Music", + "Key": { + "Artist": { + "S": "No One You Know" + }, + "SongTitle": { + "S": "Scared of My Shadow" + } + } + }, + "output": { + "ConsumedCapacity": { + "CapacityUnits": 1, + "TableName": "Music" + } + } + } + ] } }, "com.amazonaws.dynamodb#DeleteItemInput": { @@ -2335,6 +2494,12 @@ "traits": { "smithy.api#documentation": "One or more values that can be substituted in an expression.
\nUse the : (colon) character in an expression to\n dereference an attribute value. For example, suppose that you wanted to check whether\n the value of the ProductStatus attribute was one of the following:
\n\n Available | Backordered | Discontinued
\n
You would first need to specify ExpressionAttributeValues
as\n follows:
\n { \":avail\":{\"S\":\"Available\"}, \":back\":{\"S\":\"Backordered\"},\n \":disc\":{\"S\":\"Discontinued\"} }
\n
You could then use these values in an expression, such as this:
\n\n ProductStatus IN (:avail, :back, :disc)
\n
For more information on expression attribute values, see Condition Expressions in the Amazon DynamoDB Developer\n Guide.
" } + }, + "ReturnValuesOnConditionCheckFailure": { + "target": "com.amazonaws.dynamodb#ReturnValuesOnConditionCheckFailure", + "traits": { + "smithy.api#documentation": "An optional parameter that returns the item attributes for a DeleteItem
\n operation that failed a condition check.
There is no additional cost associated with requesting a return value aside from the\n small network and processing overhead of receiving a larger response. No read capacity\n units are consumed.
" + } } }, "traits": { @@ -2443,7 +2608,29 @@ "aws.api#clientDiscoveredEndpoint": { "required": false }, - "smithy.api#documentation": "The DeleteTable
operation deletes a table and all of its items. After a\n DeleteTable
request, the specified table is in the\n DELETING
state until DynamoDB completes the deletion. If the table is\n in the ACTIVE
state, you can delete it. If a table is in\n CREATING
or UPDATING
states, then DynamoDB returns a\n ResourceInUseException
. If the specified table does not exist, DynamoDB\n returns a ResourceNotFoundException
. If table is already in the\n DELETING
state, no error is returned.
This operation only applies to Version 2019.11.21 (Current) \n of global tables.\n
\nDynamoDB might continue to accept data read and write operations, such as\n GetItem
and PutItem
, on a table in the\n DELETING
state until the table deletion is complete.
When you delete a table, any indexes on that table are also deleted.
\nIf you have DynamoDB Streams enabled on the table, then the corresponding stream on\n that table goes into the DISABLED
state, and the stream is automatically\n deleted after 24 hours.
Use the DescribeTable
action to check the status of the table.
The DeleteTable
operation deletes a table and all of its items. After a\n DeleteTable
request, the specified table is in the\n DELETING
state until DynamoDB completes the deletion. If the table is\n in the ACTIVE
state, you can delete it. If a table is in\n CREATING
or UPDATING
states, then DynamoDB returns a\n ResourceInUseException
. If the specified table does not exist, DynamoDB\n returns a ResourceNotFoundException
. If table is already in the\n DELETING
state, no error is returned.
This operation only applies to Version 2019.11.21 (Current) \n of global tables.\n
\nDynamoDB might continue to accept data read and write operations, such as\n GetItem
and PutItem
, on a table in the\n DELETING
state until the table deletion is complete.
When you delete a table, any indexes on that table are also deleted.
\nIf you have DynamoDB Streams enabled on the table, then the corresponding stream on\n that table goes into the DISABLED
state, and the stream is automatically\n deleted after 24 hours.
Use the DescribeTable
action to check the status of the table.
Returns the regional endpoint information. This action must be included in your VPC \n endpoint policies, or access to the DescribeEndpoints API will be denied. For more information \n on policy permissions, please see Internetwork traffic privacy.
" + "smithy.api#documentation": "Returns the regional endpoint information. For more information \n on policy permissions, please see Internetwork traffic privacy.
" } }, "com.amazonaws.dynamodb#DescribeEndpointsRequest": { @@ -3005,7 +3192,19 @@ "aws.api#clientDiscoveredEndpoint": { "required": false }, - "smithy.api#documentation": "Returns the current provisioned-capacity quotas for your Amazon Web Services account in\n a Region, both for the Region as a whole and for any one DynamoDB table that you create\n there.
\nWhen you establish an Amazon Web Services account, the account has initial quotas on\n the maximum read capacity units and write capacity units that you can provision across\n all of your DynamoDB tables in a given Region. Also, there are per-table\n quotas that apply when you create a table there. For more information, see Service,\n Account, and Table Quotas page in the Amazon DynamoDB\n Developer Guide.
\nAlthough you can increase these quotas by filing a case at Amazon Web Services Support Center, obtaining the\n increase is not instantaneous. The DescribeLimits
action lets you write\n code to compare the capacity you are currently using to those quotas imposed by your\n account so that you have enough time to apply for an increase before you hit a\n quota.
For example, you could use one of the Amazon Web Services SDKs to do the\n following:
\nCall DescribeLimits
for a particular Region to obtain your\n current account quotas on provisioned capacity there.
Create a variable to hold the aggregate read capacity units provisioned for\n all your tables in that Region, and one to hold the aggregate write capacity\n units. Zero them both.
\nCall ListTables
to obtain a list of all your DynamoDB\n tables.
For each table name listed by ListTables
, do the\n following:
Call DescribeTable
with the table name.
Use the data returned by DescribeTable
to add the read\n capacity units and write capacity units provisioned for the table itself\n to your variables.
If the table has one or more global secondary indexes (GSIs), loop\n over these GSIs and add their provisioned capacity values to your\n variables as well.
\nReport the account quotas for that Region returned by\n DescribeLimits
, along with the total current provisioned\n capacity levels you have calculated.
This will let you see whether you are getting close to your account-level\n quotas.
\nThe per-table quotas apply only when you are creating a new table. They restrict the\n sum of the provisioned capacity of the new table itself and all its global secondary\n indexes.
\nFor existing tables and their GSIs, DynamoDB doesn't let you increase provisioned\n capacity extremely rapidly, but the only quota that applies is that the aggregate\n provisioned capacity over all your tables and GSIs cannot exceed either of the\n per-account quotas.
\n\n DescribeLimits
should only be called periodically. You can expect\n throttling errors if you call it more than once in a minute.
The DescribeLimits
Request element has no content.
Returns the current provisioned-capacity quotas for your Amazon Web Services account in\n a Region, both for the Region as a whole and for any one DynamoDB table that you create\n there.
\nWhen you establish an Amazon Web Services account, the account has initial quotas on\n the maximum read capacity units and write capacity units that you can provision across\n all of your DynamoDB tables in a given Region. Also, there are per-table\n quotas that apply when you create a table there. For more information, see Service,\n Account, and Table Quotas page in the Amazon DynamoDB\n Developer Guide.
\nAlthough you can increase these quotas by filing a case at Amazon Web Services Support Center, obtaining the\n increase is not instantaneous. The DescribeLimits
action lets you write\n code to compare the capacity you are currently using to those quotas imposed by your\n account so that you have enough time to apply for an increase before you hit a\n quota.
For example, you could use one of the Amazon Web Services SDKs to do the\n following:
\nCall DescribeLimits
for a particular Region to obtain your\n current account quotas on provisioned capacity there.
Create a variable to hold the aggregate read capacity units provisioned for\n all your tables in that Region, and one to hold the aggregate write capacity\n units. Zero them both.
\nCall ListTables
to obtain a list of all your DynamoDB\n tables.
For each table name listed by ListTables
, do the\n following:
Call DescribeTable
with the table name.
Use the data returned by DescribeTable
to add the read\n capacity units and write capacity units provisioned for the table itself\n to your variables.
If the table has one or more global secondary indexes (GSIs), loop\n over these GSIs and add their provisioned capacity values to your\n variables as well.
\nReport the account quotas for that Region returned by\n DescribeLimits
, along with the total current provisioned\n capacity levels you have calculated.
This will let you see whether you are getting close to your account-level\n quotas.
\nThe per-table quotas apply only when you are creating a new table. They restrict the\n sum of the provisioned capacity of the new table itself and all its global secondary\n indexes.
\nFor existing tables and their GSIs, DynamoDB doesn't let you increase provisioned\n capacity extremely rapidly, but the only quota that applies is that the aggregate\n provisioned capacity over all your tables and GSIs cannot exceed either of the\n per-account quotas.
\n\n DescribeLimits
should only be called periodically. You can expect\n throttling errors if you call it more than once in a minute.
The DescribeLimits
Request element has no content.
The maximum number of items to evaluate (not necessarily the number of matching\n items). If DynamoDB processes the number of items up to the limit while processing the\n results, it stops the operation and returns the matching values up to that point, along\n with a key in LastEvaluatedKey
to apply in a subsequent operation so you\n can pick up where you left off. Also, if the processed dataset size exceeds 1 MB before\n DynamoDB reaches this limit, it stops the operation and returns the matching values up\n to the limit, and a key in LastEvaluatedKey
to apply in a subsequent\n operation to continue the operation.
An optional parameter that returns the item attributes for an\n ExecuteStatement
operation that failed a condition check.
There is no additional cost associated with requesting a return value aside from the\n small network and processing overhead of receiving a larger response. No read capacity\n units are consumed.
" + } } }, "traits": { @@ -5409,7 +5578,37 @@ "aws.api#clientDiscoveredEndpoint": { "required": false }, - "smithy.api#documentation": "The GetItem
operation returns a set of attributes for the item with the\n given primary key. If there is no matching item, GetItem
does not return\n any data and there will be no Item
element in the response.
\n GetItem
provides an eventually consistent read by default. If your\n application requires a strongly consistent read, set ConsistentRead
to\n true
. Although a strongly consistent read might take more time than an\n eventually consistent read, it always returns the last updated value.
The GetItem
operation returns a set of attributes for the item with the\n given primary key. If there is no matching item, GetItem
does not return\n any data and there will be no Item
element in the response.
\n GetItem
provides an eventually consistent read by default. If your\n application requires a strongly consistent read, set ConsistentRead
to\n true
. Although a strongly consistent read might take more time than an\n eventually consistent read, it always returns the last updated value.
Returns an array of table names associated with the current account and endpoint. The\n output from ListTables
is paginated, with each page returning a maximum of\n 100 table names.
The parameter values.
" } + }, + "ReturnValuesOnConditionCheckFailure": { + "target": "com.amazonaws.dynamodb#ReturnValuesOnConditionCheckFailure", + "traits": { + "smithy.api#documentation": "An optional parameter that returns the item attributes for a PartiQL\n ParameterizedStatement
operation that failed a condition check.
There is no additional cost associated with requesting a return value aside from the\n small network and processing overhead of receiving a larger response. No read capacity\n units are consumed.
" + } } }, "traits": { @@ -7856,7 +8075,34 @@ "aws.api#clientDiscoveredEndpoint": { "required": false }, - "smithy.api#documentation": "Creates a new item, or replaces an old item with a new item. If an item that has the\n same primary key as the new item already exists in the specified table, the new item\n completely replaces the existing item. You can perform a conditional put operation (add\n a new item if one with the specified primary key doesn't exist), or replace an existing\n item if it has certain attribute values. You can return the item's attribute values in\n the same operation, using the ReturnValues
parameter.
When you add an item, the primary key attributes are the only required attributes.\n
\nEmpty String and Binary attribute values are allowed. Attribute values of type String\n and Binary must have a length greater than zero if the attribute is used as a key\n attribute for a table or index. Set type attributes cannot be empty.
\nInvalid Requests with empty values will be rejected with a\n ValidationException
exception.
To prevent a new item from replacing an existing item, use a conditional\n expression that contains the attribute_not_exists
function with the\n name of the attribute being used as the partition key for the table. Since every\n record must contain that attribute, the attribute_not_exists
function\n will only succeed if no matching item exists.
For more information about PutItem
, see Working with\n Items in the Amazon DynamoDB Developer Guide.
Creates a new item, or replaces an old item with a new item. If an item that has the\n same primary key as the new item already exists in the specified table, the new item\n completely replaces the existing item. You can perform a conditional put operation (add\n a new item if one with the specified primary key doesn't exist), or replace an existing\n item if it has certain attribute values. You can return the item's attribute values in\n the same operation, using the ReturnValues
parameter.
When you add an item, the primary key attributes are the only required attributes.\n
\nEmpty String and Binary attribute values are allowed. Attribute values of type String\n and Binary must have a length greater than zero if the attribute is used as a key\n attribute for a table or index. Set type attributes cannot be empty.
\nInvalid Requests with empty values will be rejected with a\n ValidationException
exception.
To prevent a new item from replacing an existing item, use a conditional\n expression that contains the attribute_not_exists
function with the\n name of the attribute being used as the partition key for the table. Since every\n record must contain that attribute, the attribute_not_exists
function\n will only succeed if no matching item exists.
For more information about PutItem
, see Working with\n Items in the Amazon DynamoDB Developer Guide.
One or more values that can be substituted in an expression.
\nUse the : (colon) character in an expression to\n dereference an attribute value. For example, suppose that you wanted to check whether\n the value of the ProductStatus attribute was one of the following:
\n\n Available | Backordered | Discontinued
\n
You would first need to specify ExpressionAttributeValues
as\n follows:
\n { \":avail\":{\"S\":\"Available\"}, \":back\":{\"S\":\"Backordered\"},\n \":disc\":{\"S\":\"Discontinued\"} }
\n
You could then use these values in an expression, such as this:
\n\n ProductStatus IN (:avail, :back, :disc)
\n
For more information on expression attribute values, see Condition Expressions in the Amazon DynamoDB Developer\n Guide.
" } + }, + "ReturnValuesOnConditionCheckFailure": { + "target": "com.amazonaws.dynamodb#ReturnValuesOnConditionCheckFailure", + "traits": { + "smithy.api#documentation": "An optional parameter that returns the item attributes for a PutItem
\n operation that failed a condition check.
There is no additional cost associated with requesting a return value aside from the\n small network and processing overhead of receiving a larger response. No read capacity\n units are consumed.
" + } } }, "traits": { @@ -8008,6 +8260,34 @@ "required": false }, "smithy.api#documentation": "You must provide the name of the partition key attribute and a single value for that\n attribute. Query
returns all items with that partition key value.\n Optionally, you can provide a sort key attribute and use a comparison operator to refine\n the search results.
Use the KeyConditionExpression
parameter to provide a specific value for\n the partition key. The Query
operation will return all of the items from\n the table or index with that partition key value. You can optionally narrow the scope of\n the Query
operation by specifying a sort key value and a comparison\n operator in KeyConditionExpression
. To further refine the\n Query
results, you can optionally provide a\n FilterExpression
. A FilterExpression
determines which\n items within the results should be returned to you. All of the other results are\n discarded.
A Query
operation always returns a result set. If no matching items are\n found, the result set will be empty. Queries that do not return results consume the\n minimum number of read capacity units for that type of read operation.
DynamoDB calculates the number of read capacity units consumed based on item\n size, not on the amount of data that is returned to an application. The number of\n capacity units consumed will be the same whether you request all of the attributes\n (the default behavior) or just some of them (using a projection expression). The\n number will also be the same whether or not you use a FilterExpression
.\n
\n Query
results are always sorted by the sort key value. If the data type of\n the sort key is Number, the results are returned in numeric order; otherwise, the\n results are returned in order of UTF-8 bytes. By default, the sort order is ascending.\n To reverse the order, set the ScanIndexForward
parameter to false.
A single Query
operation will read up to the maximum number of items set\n (if using the Limit
parameter) or a maximum of 1 MB of data and then apply\n any filtering to the results using FilterExpression
. If\n LastEvaluatedKey
is present in the response, you will need to paginate\n the result set. For more information, see Paginating\n the Results in the Amazon DynamoDB Developer Guide.
\n FilterExpression
is applied after a Query
finishes, but before\n the results are returned. A FilterExpression
cannot contain partition key\n or sort key attributes. You need to specify those attributes in the\n KeyConditionExpression
.
A Query
operation can return an empty result set and a\n LastEvaluatedKey
if all the items read for the page of results are\n filtered out.
You can query a table, a local secondary index, or a global secondary index. For a\n query on a table or on a local secondary index, you can set the\n ConsistentRead
parameter to true
and obtain a strongly\n consistent result. Global secondary indexes support eventually consistent reads only, so\n do not specify ConsistentRead
when querying a global secondary\n index.
The Scan
operation returns one or more items and item attributes by\n accessing every item in a table or a secondary index. To have DynamoDB return fewer\n items, you can provide a FilterExpression
operation.
If the total number of scanned items exceeds the maximum dataset size limit of 1 MB,\n the scan stops and results are returned to the user as a LastEvaluatedKey
\n value to continue the scan in a subsequent operation. The results also include the\n number of items exceeding the limit. A scan can result in no table data meeting the\n filter criteria.
A single Scan
operation reads up to the maximum number of items set (if\n using the Limit
parameter) or a maximum of 1 MB of data and then apply any\n filtering to the results using FilterExpression
. If\n LastEvaluatedKey
is present in the response, you need to paginate the\n result set. For more information, see Paginating the\n Results in the Amazon DynamoDB Developer Guide.
\n Scan
operations proceed sequentially; however, for faster performance on\n a large table or secondary index, applications can request a parallel Scan
\n operation by providing the Segment
and TotalSegments
\n parameters. For more information, see Parallel\n Scan in the Amazon DynamoDB Developer Guide.
\n Scan
uses eventually consistent reads when accessing the data in a table;\n therefore, the result set might not include the changes to data in the table immediately\n before the operation began. If you need a consistent copy of the data, as of the time\n that the Scan
begins, you can set the ConsistentRead
parameter\n to true
.
The Scan
operation returns one or more items and item attributes by\n accessing every item in a table or a secondary index. To have DynamoDB return fewer\n items, you can provide a FilterExpression
operation.
If the total size of scanned items exceeds the maximum dataset size limit of 1 MB,\n the scan completes and results are returned to the user. The LastEvaluatedKey
\n value is also returned and the requestor can use the LastEvaluatedKey
to continue \n the scan in a subsequent operation. Each scan response also includes number of items that were \n scanned (ScannedCount) as part of the request. If using a FilterExpression
, a scan result \n can result in no items meeting the criteria and the Count
will result in zero. If \n you did not use a FilterExpression
in the scan request, then Count
is \n the same as ScannedCount
.
\n Count
and ScannedCount
only return the count of items specific to a \n single scan request and, unless the table is less than 1MB, do not represent the total number \n of items in the table.\n
A single Scan
operation first reads up to the maximum number of items set (if\n using the Limit
parameter) or a maximum of 1 MB of data and then applies any\n filtering to the results if a FilterExpression
is provided. If\n LastEvaluatedKey
is present in the response, pagination is required to complete the\n full table scan. For more information, see Paginating the\n Results in the Amazon DynamoDB Developer Guide.
\n Scan
operations proceed sequentially; however, for faster performance on\n a large table or secondary index, applications can request a parallel Scan
\n operation by providing the Segment
and TotalSegments
\n parameters. For more information, see Parallel\n Scan in the Amazon DynamoDB Developer Guide.
By default, a Scan
uses eventually consistent reads when accessing the items in a table. \n Therefore, the results from an eventually consistent Scan
may not include the latest item \n changes at the time the scan iterates through each item in the table. If you require a strongly consistent \n read of each item as the scan iterates through the items in the table, you can set the ConsistentRead
\n parameter to true. Strong consistency only relates to the consistency of the read at the item level.
\n DynamoDB does not provide snapshot isolation for a scan operation when the ConsistentRead
\n parameter is set to true. Thus, a DynamoDB scan operation does not guarantee that all reads in a scan \n see a consistent snapshot of the table when the scan operation was requested.\n
Use ReturnValuesOnConditionCheckFailure
to get the item attributes if the\n Update
condition fails. For\n ReturnValuesOnConditionCheckFailure
, the valid values are: NONE,\n ALL_OLD, UPDATED_OLD, ALL_NEW, UPDATED_NEW.
Use ReturnValuesOnConditionCheckFailure
to get the item attributes if the\n Update
condition fails. For\n ReturnValuesOnConditionCheckFailure
, the valid values are: NONE and\n ALL_OLD.
Edits an existing item's attributes, or adds a new item to the table if it does not\n already exist. You can put, delete, or add attribute values. You can also perform a\n conditional update on an existing item (insert a new attribute name-value pair if it\n doesn't exist, or replace an existing name-value pair if it has certain expected\n attribute values).
\nYou can also return the item's attribute values in the same UpdateItem
\n operation using the ReturnValues
parameter.
Edits an existing item's attributes, or adds a new item to the table if it does not\n already exist. You can put, delete, or add attribute values. You can also perform a\n conditional update on an existing item (insert a new attribute name-value pair if it\n doesn't exist, or replace an existing name-value pair if it has certain expected\n attribute values).
\nYou can also return the item's attribute values in the same UpdateItem
\n operation using the ReturnValues
parameter.
One or more values that can be substituted in an expression.
\nUse the : (colon) character in an expression to\n dereference an attribute value. For example, suppose that you wanted to check whether\n the value of the ProductStatus
attribute was one of the following:
\n Available | Backordered | Discontinued
\n
You would first need to specify ExpressionAttributeValues
as\n follows:
\n { \":avail\":{\"S\":\"Available\"}, \":back\":{\"S\":\"Backordered\"},\n \":disc\":{\"S\":\"Discontinued\"} }
\n
You could then use these values in an expression, such as this:
\n\n ProductStatus IN (:avail, :back, :disc)
\n
For more information on expression attribute values, see Condition Expressions in the Amazon DynamoDB Developer\n Guide.
" } + }, + "ReturnValuesOnConditionCheckFailure": { + "target": "com.amazonaws.dynamodb#ReturnValuesOnConditionCheckFailure", + "traits": { + "smithy.api#documentation": "An optional parameter that returns the item attributes for an UpdateItem
operation that failed a\n condition check.
There is no additional cost associated with requesting a return value aside from the\n small network and processing overhead of receiving a larger response. No read capacity\n units are consumed.
" + } } }, "traits": { diff --git a/aws/sdk/aws-models/ec2.json b/aws/sdk/aws-models/ec2.json index 4d35d56d54a90ff66504566931f254972243fcae..ee7045e56bf980b4a15daa8dd814036844abc5cc 100644 --- a/aws/sdk/aws-models/ec2.json +++ b/aws/sdk/aws-models/ec2.json @@ -1535,7 +1535,20 @@ "target": "com.amazonaws.ec2#AllocateAddressResult" }, "traits": { - "smithy.api#documentation": "Allocates an Elastic IP address to your Amazon Web Services account. After you allocate the Elastic IP address you can associate \n it with an instance or network interface. After you release an Elastic IP address, it is released to the IP address \n pool and can be allocated to a different Amazon Web Services account.
\nYou can allocate an Elastic IP address from an address pool owned by Amazon Web Services or from an address pool created \n from a public IPv4 address range that you have brought to Amazon Web Services for use with your Amazon Web Services resources using bring your own \n IP addresses (BYOIP). For more information, see Bring Your Own IP Addresses (BYOIP) in the Amazon Elastic Compute Cloud User Guide.
\nIf you release an Elastic IP address, you might be able to recover it. You cannot recover\n an Elastic IP address that you released after it is allocated to another Amazon Web Services account. To attempt to recover an Elastic IP address that you released, specify\n it in this operation.
\nFor more information, see Elastic IP Addresses in the Amazon Elastic Compute Cloud User Guide.
\nYou can allocate a carrier IP address which is a public IP address from a telecommunication carrier, \n to a network interface which resides in a subnet in a Wavelength Zone (for example an EC2 instance).
" + "smithy.api#documentation": "Allocates an Elastic IP address to your Amazon Web Services account. After you allocate the Elastic IP address you can associate \n it with an instance or network interface. After you release an Elastic IP address, it is released to the IP address \n pool and can be allocated to a different Amazon Web Services account.
\nYou can allocate an Elastic IP address from an address pool owned by Amazon Web Services or from an address pool created \n from a public IPv4 address range that you have brought to Amazon Web Services for use with your Amazon Web Services resources using bring your own \n IP addresses (BYOIP). For more information, see Bring Your Own IP Addresses (BYOIP) in the Amazon Elastic Compute Cloud User Guide.
\nIf you release an Elastic IP address, you might be able to recover it. You cannot recover\n an Elastic IP address that you released after it is allocated to another Amazon Web Services account. To attempt to recover an Elastic IP address that you released, specify\n it in this operation.
\nFor more information, see Elastic IP Addresses in the Amazon Elastic Compute Cloud User Guide.
\nYou can allocate a carrier IP address which is a public IP address from a telecommunication carrier, \n to a network interface which resides in a subnet in a Wavelength Zone (for example an EC2 instance).
", + "smithy.api#examples": [ + { + "title": "To allocate an Elastic IP address", + "documentation": "This example allocates an Elastic IP address.", + "output": { + "PublicIp": "203.0.113.0", + "AllocationId": "eipalloc-64d5890a", + "PublicIpv4Pool": "amazon", + "NetworkBorderGroup": "us-east-1", + "Domain": "vpc" + } + } + ] } }, "com.amazonaws.ec2#AllocateAddressRequest": { @@ -1726,8 +1739,7 @@ "aws.protocols#ec2QueryName": "Quantity", "smithy.api#clientOptional": {}, "smithy.api#default": 0, - "smithy.api#documentation": "The number of Dedicated Hosts to allocate to your account with these\n parameters.
", - "smithy.api#required": {}, + "smithy.api#documentation": "The number of Dedicated Hosts to allocate to your account with these parameters. If you are \n allocating the Dedicated Hosts on an Outpost, and you specify AssetIds, \n you can omit this parameter. In this case, Amazon EC2 allocates a Dedicated Host on each \n specified hardware asset. If you specify both AssetIds and \n Quantity, then the value that you specify for \n Quantity must be equal to the number of asset IDs specified.
", "smithy.api#xmlName": "quantity" } }, @@ -1747,7 +1759,7 @@ "OutpostArn": { "target": "com.amazonaws.ec2#String", "traits": { - "smithy.api#documentation": "The Amazon Resource Name (ARN) of the Amazon Web Services Outpost on which to allocate\n the Dedicated Host.
" + "smithy.api#documentation": "The Amazon Resource Name (ARN) of the Amazon Web Services Outpost on which to allocate\n the Dedicated Host. If you specify OutpostArn, you can \n optionally specify AssetIds.
\nIf you are allocating the Dedicated Host in a Region, omit this parameter.
" } }, "HostMaintenance": { @@ -1755,6 +1767,13 @@ "traits": { "smithy.api#documentation": "Indicates whether to enable or disable host maintenance for the Dedicated Host. For\n more information, see Host\n maintenance in the Amazon EC2 User Guide.
" } + }, + "AssetIds": { + "target": "com.amazonaws.ec2#AssetIdList", + "traits": { + "smithy.api#documentation": "The IDs of the Outpost hardware assets on which to allocate the Dedicated Hosts. Targeting \n specific hardware assets on an Outpost can help to minimize latency between your workloads. \n This parameter is supported only if you specify OutpostArn. \n If you are allocating the Dedicated Hosts in a Region, omit this parameter.
\nIf you specify this parameter, you can omit Quantity. \n In this case, Amazon EC2 allocates a Dedicated Host on each specified hardware \n asset.
\nIf you specify both AssetIds and \n Quantity, then the value for \n Quantity must be equal to the number of asset IDs \n specified.
\nAssigns one or more secondary private IP addresses to the specified network interface.
\nYou can specify one or more specific secondary IP addresses, or you can specify the number \n of secondary IP addresses to be automatically assigned within the subnet's CIDR block range. \n The number of secondary IP addresses that you can assign to an instance varies by instance type.\n For information about instance types, see Instance Types in the Amazon Elastic Compute Cloud User Guide. For more information about \n Elastic IP addresses, see Elastic IP Addresses in the Amazon Elastic Compute Cloud User Guide.
\nWhen you move a secondary private IP address to another network interface, any Elastic IP address \n that is associated with the IP address is also moved.
\nRemapping an IP address is an asynchronous operation. When you move an IP address from one network\n interface to another, check network/interfaces/macs/mac/local-ipv4s
in the instance\n metadata to confirm that the remapping is complete.
You must specify either the IP addresses or the IP address count in the request.
\nYou can optionally use Prefix Delegation on the network interface. You must specify\n either the IPv4 Prefix Delegation prefixes, or the IPv4 Prefix Delegation count. For\n information, see \n Assigning prefixes to Amazon EC2 network interfaces in the Amazon Elastic Compute Cloud User Guide.
" + "smithy.api#documentation": "Assigns one or more secondary private IP addresses to the specified network interface.
\nYou can specify one or more specific secondary IP addresses, or you can specify the number \n of secondary IP addresses to be automatically assigned within the subnet's CIDR block range. \n The number of secondary IP addresses that you can assign to an instance varies by instance type.\n For information about instance types, see Instance Types in the Amazon Elastic Compute Cloud User Guide. For more information about \n Elastic IP addresses, see Elastic IP Addresses in the Amazon Elastic Compute Cloud User Guide.
\nWhen you move a secondary private IP address to another network interface, any Elastic IP address \n that is associated with the IP address is also moved.
\nRemapping an IP address is an asynchronous operation. When you move an IP address from one network\n interface to another, check network/interfaces/macs/mac/local-ipv4s
in the instance\n metadata to confirm that the remapping is complete.
You must specify either the IP addresses or the IP address count in the request.
\nYou can optionally use Prefix Delegation on the network interface. You must specify\n either the IPv4 Prefix Delegation prefixes, or the IPv4 Prefix Delegation count. For\n information, see \n Assigning prefixes to Amazon EC2 network interfaces in the Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#examples": [ + { + "title": "To assign a specific secondary private IP address to an interface", + "documentation": "This example assigns the specified secondary private IP address to the specified network interface.", + "input": { + "NetworkInterfaceId": "eni-e5aa89a3", + "PrivateIpAddresses": [ + "10.0.0.82" + ] + } + } + ] } }, "com.amazonaws.ec2#AssignPrivateIpAddressesRequest": { @@ -5870,7 +5883,7 @@ "target": "com.amazonaws.ec2#AssignPrivateNatGatewayAddressResult" }, "traits": { - "smithy.api#documentation": "Assigns one or more private IPv4 addresses to a private NAT gateway. For more information, see Work with NAT gateways in the Amazon Virtual Private Cloud User Guide.
" + "smithy.api#documentation": "Assigns one or more private IPv4 addresses to a private NAT gateway. For more information, see \n Work with NAT gateways in the Amazon VPC User Guide.
" } }, "com.amazonaws.ec2#AssignPrivateNatGatewayAddressRequest": { @@ -5880,7 +5893,7 @@ "target": "com.amazonaws.ec2#NatGatewayId", "traits": { "smithy.api#clientOptional": {}, - "smithy.api#documentation": "The NAT gateway ID.
", + "smithy.api#documentation": "The ID of the NAT gateway.
", "smithy.api#required": {} } }, @@ -5919,7 +5932,7 @@ "target": "com.amazonaws.ec2#NatGatewayId", "traits": { "aws.protocols#ec2QueryName": "NatGatewayId", - "smithy.api#documentation": "The NAT gateway ID.
", + "smithy.api#documentation": "The ID of the NAT gateway.
", "smithy.api#xmlName": "natGatewayId" } }, @@ -5970,7 +5983,20 @@ "target": "com.amazonaws.ec2#AssociateAddressResult" }, "traits": { - "smithy.api#documentation": "Associates an Elastic IP address, or carrier IP address (for instances that are in\n subnets in Wavelength Zones) with an instance or a network interface. Before you can use an\n Elastic IP address, you must allocate it to your account.
\nIf the Elastic IP address is already\n associated with a different instance, it is disassociated from that instance and associated\n with the specified instance. If you associate an Elastic IP address with an instance that has\n an existing Elastic IP address, the existing address is disassociated from the instance, but\n remains allocated to your account.
\n[Subnets in Wavelength Zones] You can associate an IP address from the telecommunication\n carrier to the instance or network interface.
\nYou cannot associate an Elastic IP address with an interface in a different network border group.
\nThis is an idempotent operation. If you perform the operation more than once, Amazon EC2\n doesn't return an error, and you may be charged for each time the Elastic IP address is\n remapped to the same instance. For more information, see the Elastic IP\n Addresses section of Amazon EC2\n Pricing.
\nAssociates an Elastic IP address, or carrier IP address (for instances that are in\n subnets in Wavelength Zones) with an instance or a network interface. Before you can use an\n Elastic IP address, you must allocate it to your account.
\nIf the Elastic IP address is already\n associated with a different instance, it is disassociated from that instance and associated\n with the specified instance. If you associate an Elastic IP address with an instance that has\n an existing Elastic IP address, the existing address is disassociated from the instance, but\n remains allocated to your account.
\n[Subnets in Wavelength Zones] You can associate an IP address from the telecommunication\n carrier to the instance or network interface.
\nYou cannot associate an Elastic IP address with an interface in a different network border group.
\nThis is an idempotent operation. If you perform the operation more than once, Amazon EC2\n doesn't return an error, and you may be charged for each time the Elastic IP address is\n remapped to the same instance. For more information, see the Elastic IP\n Addresses section of Amazon EC2\n Pricing.
\nAssociates a set of DHCP options (that you've previously created) with the specified VPC, or associates no DHCP options with the VPC.
\nAfter you associate the options with the VPC, any existing instances and all new instances that you launch in that VPC use the options. You don't need to restart or relaunch the instances. They automatically pick up the changes within a few hours, depending on how frequently the instance renews its DHCP lease. You can explicitly renew the lease using the operating system on the instance.
\nFor more information, see DHCP options sets\n in the Amazon Virtual Private Cloud User Guide.
" + "smithy.api#documentation": "Associates a set of DHCP options (that you've previously created) with the specified VPC, or associates no DHCP options with the VPC.
\nAfter you associate the options with the VPC, any existing instances and all new instances that you launch in that VPC use the options. You don't need to restart or relaunch the instances. They automatically pick up the changes within a few hours, depending on how frequently the instance renews its DHCP lease. You can explicitly renew the lease using the operating system on the instance.
\nFor more information, see DHCP options sets\n in the Amazon VPC User Guide.
", + "smithy.api#examples": [ + { + "title": "To associate a DHCP options set with a VPC", + "documentation": "This example associates the specified DHCP options set with the specified VPC.", + "input": { + "DhcpOptionsId": "dopt-d9070ebb", + "VpcId": "vpc-a01106c2" + } + } + ] } }, "com.amazonaws.ec2#AssociateDhcpOptionsRequest": { @@ -6257,7 +6293,30 @@ "target": "com.amazonaws.ec2#AssociateIamInstanceProfileResult" }, "traits": { - "smithy.api#documentation": "Associates an IAM instance profile with a running or stopped instance. You cannot\n associate more than one IAM instance profile with an instance.
" + "smithy.api#documentation": "Associates an IAM instance profile with a running or stopped instance. You cannot\n associate more than one IAM instance profile with an instance.
", + "smithy.api#examples": [ + { + "title": "To associate an IAM instance profile with an instance", + "documentation": "This example associates an IAM instance profile named admin-role with the specified instance.", + "input": { + "IamInstanceProfile": { + "Name": "admin-role" + }, + "InstanceId": "i-123456789abcde123" + }, + "output": { + "IamInstanceProfileAssociation": { + "InstanceId": "i-123456789abcde123", + "State": "associating", + "AssociationId": "iip-assoc-0e7736511a163c209", + "IamInstanceProfile": { + "Id": "AIPAJBLK7RKJKWDXVHIEC", + "Arn": "arn:aws:iam::123456789012:instance-profile/admin-role" + } + } + } + } + ] } }, "com.amazonaws.ec2#AssociateIamInstanceProfileRequest": { @@ -6443,7 +6502,7 @@ "target": "com.amazonaws.ec2#AssociateNatGatewayAddressResult" }, "traits": { - "smithy.api#documentation": "Associates Elastic IP addresses (EIPs) and private IPv4 addresses with a public NAT gateway. For more information, see Work with NAT gateways in the Amazon Virtual Private Cloud User Guide.
\nBy default, you can associate up to 2 Elastic IP addresses per public NAT gateway. You can increase the limit by requesting a quota adjustment. For more information, see Elastic IP address quotas in the Amazon Virtual Private Cloud User Guide.
" + "smithy.api#documentation": "Associates Elastic IP addresses (EIPs) and private IPv4 addresses with a public NAT gateway. For more information, \n see Work with NAT gateways in the Amazon VPC User Guide.
\nBy default, you can associate up to 2 Elastic IP addresses per public NAT gateway. You can increase the limit by requesting a quota adjustment. For more information, see Elastic IP address quotas in the Amazon VPC User Guide.
" } }, "com.amazonaws.ec2#AssociateNatGatewayAddressRequest": { @@ -6453,7 +6512,7 @@ "target": "com.amazonaws.ec2#NatGatewayId", "traits": { "smithy.api#clientOptional": {}, - "smithy.api#documentation": "The NAT gateway ID.
", + "smithy.api#documentation": "The ID of the NAT gateway.
", "smithy.api#required": {} } }, @@ -6493,7 +6552,7 @@ "target": "com.amazonaws.ec2#NatGatewayId", "traits": { "aws.protocols#ec2QueryName": "NatGatewayId", - "smithy.api#documentation": "The NAT gateway ID.
", + "smithy.api#documentation": "The ID of the NAT gateway.
", "smithy.api#xmlName": "natGatewayId" } }, @@ -6519,7 +6578,20 @@ "target": "com.amazonaws.ec2#AssociateRouteTableResult" }, "traits": { - "smithy.api#documentation": "Associates a subnet in your VPC or an internet gateway or virtual private gateway\n attached to your VPC with a route table in your VPC. This association causes traffic\n from the subnet or gateway to be routed according to the routes in the route table. The\n action returns an association ID, which you need in order to disassociate the route\n table later. A route table can be associated with multiple subnets.
\nFor more information, see Route tables in the\n Amazon Virtual Private Cloud User Guide.
" + "smithy.api#documentation": "Associates a subnet in your VPC or an internet gateway or virtual private gateway\n attached to your VPC with a route table in your VPC. This association causes traffic\n from the subnet or gateway to be routed according to the routes in the route table. The\n action returns an association ID, which you need in order to disassociate the route\n table later. A route table can be associated with multiple subnets.
\nFor more information, see Route tables in the\n Amazon VPC User Guide.
", + "smithy.api#examples": [ + { + "title": "To associate a route table with a subnet", + "documentation": "This example associates the specified route table with the specified subnet.", + "input": { + "SubnetId": "subnet-9d4a7b6", + "RouteTableId": "rtb-22574640" + }, + "output": { + "AssociationId": "rtbassoc-781d0d1a" + } + } + ] } }, "com.amazonaws.ec2#AssociateRouteTableRequest": { @@ -6940,7 +7012,7 @@ "target": "com.amazonaws.ec2#AssociateVpcCidrBlockResult" }, "traits": { - "smithy.api#documentation": "Associates a CIDR block with your VPC. You can associate a secondary IPv4 CIDR block,\n an Amazon-provided IPv6 CIDR block, or an IPv6 CIDR block from an IPv6 address pool that\n you provisioned through bring your own IP addresses (BYOIP). The IPv6 CIDR block size is fixed\n at /56.
\nYou must specify one of the following in the request: an IPv4 CIDR block, an IPv6\n pool, or an Amazon-provided IPv6 CIDR block.
\nFor more information about associating CIDR blocks with your VPC and applicable\n restrictions, see VPC and subnet sizing in the\n Amazon Virtual Private Cloud User Guide.
" + "smithy.api#documentation": "Associates a CIDR block with your VPC. You can associate a secondary IPv4 CIDR block,\n an Amazon-provided IPv6 CIDR block, or an IPv6 CIDR block from an IPv6 address pool that\n you provisioned through bring your own IP addresses (BYOIP). The IPv6 CIDR block size is fixed\n at /56.
\nYou must specify one of the following in the request: an IPv4 CIDR block, an IPv6\n pool, or an Amazon-provided IPv6 CIDR block.
\nFor more information about associating CIDR blocks with your VPC and applicable\n restrictions, see IP addressing for your VPCs and subnets \n in the Amazon VPC User Guide.
" } }, "com.amazonaws.ec2#AssociateVpcCidrBlockRequest": { @@ -7272,7 +7344,7 @@ "target": "com.amazonaws.ec2#AttachClassicLinkVpcResult" }, "traits": { - "smithy.api#documentation": "We are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nLinks an EC2-Classic instance to a ClassicLink-enabled VPC through one or more of the VPC's\n\t\t\tsecurity groups. You cannot link an EC2-Classic instance to more than one VPC at a time. You\n\t\t\tcan only link an instance that's in the running
state. An instance is\n\t\t\tautomatically unlinked from a VPC when it's stopped - you can link it to the VPC again when\n\t\t\tyou restart it.
After you've linked an instance, you cannot change the VPC security groups that are associated with it. To change the security groups, you must first unlink the instance, and then link it again.
\nLinking your instance to a VPC is sometimes referred to as attaching your instance.
" + "smithy.api#documentation": "This action is deprecated.
\nLinks an EC2-Classic instance to a ClassicLink-enabled VPC through one or more of the VPC\n\t\t\tsecurity groups. You cannot link an EC2-Classic instance to more than one VPC at a time. You\n\t\t\tcan only link an instance that's in the running
state. An instance is\n\t\t\tautomatically unlinked from a VPC when it's stopped - you can link it to the VPC again when\n\t\t\tyou restart it.
After you've linked an instance, you cannot change the VPC security groups that are associated with it. To change the security groups, you must first unlink the instance, and then link it again.
\nLinking your instance to a VPC is sometimes referred to as attaching your instance.
" } }, "com.amazonaws.ec2#AttachClassicLinkVpcRequest": { @@ -7292,7 +7364,7 @@ "target": "com.amazonaws.ec2#GroupIdStringList", "traits": { "smithy.api#clientOptional": {}, - "smithy.api#documentation": "The ID of one or more of the VPC's security groups. You cannot specify security groups from a different VPC.
", + "smithy.api#documentation": "The IDs of the security groups. You cannot specify security groups from a different VPC.
", "smithy.api#required": {}, "smithy.api#xmlName": "SecurityGroupId" } @@ -7302,7 +7374,7 @@ "traits": { "aws.protocols#ec2QueryName": "InstanceId", "smithy.api#clientOptional": {}, - "smithy.api#documentation": "The ID of an EC2-Classic instance to link to the ClassicLink-enabled VPC.
", + "smithy.api#documentation": "The ID of the EC2-Classic instance.
", "smithy.api#required": {}, "smithy.api#xmlName": "instanceId" } @@ -7312,7 +7384,7 @@ "traits": { "aws.protocols#ec2QueryName": "VpcId", "smithy.api#clientOptional": {}, - "smithy.api#documentation": "The ID of a ClassicLink-enabled VPC.
", + "smithy.api#documentation": "The ID of the ClassicLink-enabled VPC.
", "smithy.api#required": {}, "smithy.api#xmlName": "vpcId" } @@ -7349,7 +7421,17 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Attaches an internet gateway or a virtual private gateway to a VPC, enabling connectivity between the internet and\n\t\t\tthe VPC. For more information about your VPC and internet gateway, see the Amazon Virtual Private Cloud User Guide.
" + "smithy.api#documentation": "Attaches an internet gateway or a virtual private gateway to a VPC, enabling connectivity \n\t\t between the internet and the VPC. For more information, see Internet gateways in the \n\t\t Amazon VPC User Guide.
", + "smithy.api#examples": [ + { + "title": "To attach an Internet gateway to a VPC", + "documentation": "This example attaches the specified Internet gateway to the specified VPC.", + "input": { + "InternetGatewayId": "igw-c0a643a9", + "VpcId": "vpc-a01106c2" + } + } + ] } }, "com.amazonaws.ec2#AttachInternetGatewayRequest": { @@ -7399,7 +7481,21 @@ "target": "com.amazonaws.ec2#AttachNetworkInterfaceResult" }, "traits": { - "smithy.api#documentation": "Attaches a network interface to an instance.
" + "smithy.api#documentation": "Attaches a network interface to an instance.
", + "smithy.api#examples": [ + { + "title": "To attach a network interface to an instance", + "documentation": "This example attaches the specified network interface to the specified instance.", + "input": { + "NetworkInterfaceId": "eni-e5aa89a3", + "InstanceId": "i-1234567890abcdef0", + "DeviceIndex": 1 + }, + "output": { + "AttachmentId": "eni-attach-66c4350a" + } + } + ] } }, "com.amazonaws.ec2#AttachNetworkInterfaceRequest": { @@ -7577,7 +7673,25 @@ "target": "com.amazonaws.ec2#VolumeAttachment" }, "traits": { - "smithy.api#documentation": "Attaches an EBS volume to a running or stopped instance and exposes it to the instance\n with the specified device name.
\nEncrypted EBS volumes must be attached to instances that support Amazon EBS encryption. For\n more information, see Amazon EBS encryption in the Amazon Elastic Compute Cloud User Guide.
\nAfter you attach an EBS volume, you must make it available. For more information, see \n Make an EBS volume available for use.
\nIf a volume has an Amazon Web Services Marketplace product code:
\nThe volume can be attached only to a stopped instance.
\nAmazon Web Services Marketplace product codes are copied from the volume to the instance.
\nYou must be subscribed to the product.
\nThe instance type and operating system of the instance must support the product. For\n example, you can't detach a volume from a Windows instance and attach it to a Linux\n instance.
\nFor more information, see Attach an Amazon EBS volume to an instance in the\n Amazon Elastic Compute Cloud User Guide.
" + "smithy.api#documentation": "Attaches an EBS volume to a running or stopped instance and exposes it to the instance\n with the specified device name.
\nEncrypted EBS volumes must be attached to instances that support Amazon EBS encryption. For\n more information, see Amazon EBS encryption in the Amazon Elastic Compute Cloud User Guide.
\nAfter you attach an EBS volume, you must make it available. For more information, see \n Make an EBS volume available for use.
\nIf a volume has an Amazon Web Services Marketplace product code:
\nThe volume can be attached only to a stopped instance.
\nAmazon Web Services Marketplace product codes are copied from the volume to the instance.
\nYou must be subscribed to the product.
\nThe instance type and operating system of the instance must support the product. For\n example, you can't detach a volume from a Windows instance and attach it to a Linux\n instance.
\nFor more information, see Attach an Amazon EBS volume to an instance in the\n Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#examples": [ + { + "title": "To attach a volume to an instance", + "documentation": "This example attaches a volume (``vol-1234567890abcdef0``) to an instance (``i-01474ef662b89480``) as ``/dev/sdf``.", + "input": { + "VolumeId": "vol-1234567890abcdef0", + "InstanceId": "i-01474ef662b89480", + "Device": "/dev/sdf" + }, + "output": { + "AttachTime": "2016-08-29T18:52:32.724Z", + "InstanceId": "i-01474ef662b89480", + "VolumeId": "vol-1234567890abcdef0", + "State": "attaching", + "Device": "/dev/sdf" + } + } + ] } }, "com.amazonaws.ec2#AttachVolumeRequest": { @@ -7956,7 +8070,29 @@ "target": "com.amazonaws.ec2#AuthorizeSecurityGroupEgressResult" }, "traits": { - "smithy.api#documentation": "[VPC only] Adds the specified outbound (egress) rules to a security group for use with a VPC.
\nAn outbound rule permits instances to send traffic to the specified IPv4 or IPv6 CIDR\n address ranges, or to the instances that are associated with the specified source\n security groups. When specifying an outbound rule for your security group in a VPC, the\n IpPermissions
must include a destination for the traffic.
You specify a protocol for each rule (for example, TCP). \n For the TCP and UDP protocols, you must also specify the destination port or port range. \n For the ICMP protocol, you must also specify the ICMP type and code. \n You can use -1 for the type or code to mean all types or all codes.
\nRule changes are propagated to affected instances as quickly as possible. However, a small delay might occur.
\nFor information about VPC security group quotas, see Amazon VPC quotas.
" + "smithy.api#documentation": "Adds the specified outbound (egress) rules to a security group for use with a VPC.
\nAn outbound rule permits instances to send traffic to the specified IPv4 or IPv6 CIDR\n address ranges, or to the instances that are associated with the specified source\n security groups. When specifying an outbound rule for your security group in a VPC, the\n IpPermissions
must include a destination for the traffic.
You specify a protocol for each rule (for example, TCP). \n For the TCP and UDP protocols, you must also specify the destination port or port range. \n For the ICMP protocol, you must also specify the ICMP type and code. \n You can use -1 for the type or code to mean all types or all codes.
\nRule changes are propagated to affected instances as quickly as possible. However, a small delay might occur.
\nFor information about VPC security group quotas, see Amazon VPC quotas.
", + "smithy.api#examples": [ + { + "title": "To add a rule that allows outbound traffic to a specific address range", + "documentation": "This example adds a rule that grants access to the specified address ranges on TCP port 80.", + "input": { + "GroupId": "sg-1a2b3c4d", + "IpPermissions": [ + { + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80, + "IpRanges": [ + { + "CidrIp": "10.0.0.0/16" + } + ] + } + ] + }, + "output": {} + } + ] } }, "com.amazonaws.ec2#AuthorizeSecurityGroupEgressRequest": { @@ -8089,7 +8225,30 @@ "target": "com.amazonaws.ec2#AuthorizeSecurityGroupIngressResult" }, "traits": { - "smithy.api#documentation": "Adds the specified inbound (ingress) rules to a security group.
\nAn inbound rule permits instances to receive traffic from the specified IPv4 or IPv6 CIDR\n address range, or from the instances that are associated with the specified destination security \n groups. When specifying an inbound rule for your security group in a VPC, the\n IpPermissions
must include a source for the traffic.
You specify a protocol for each rule (for example, TCP). \n For TCP and UDP, you must also specify the destination port or port range. \n For ICMP/ICMPv6, you must also specify the ICMP/ICMPv6 type and code. \n You can use -1 to mean all types or all codes.
\nRule changes are propagated to instances within the security group as quickly as possible. \n However, a small delay might occur.
\nFor more information about VPC security group quotas, see Amazon VPC quotas.
\nWe are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nAdds the specified inbound (ingress) rules to a security group.
\nAn inbound rule permits instances to receive traffic from the specified IPv4 or IPv6 CIDR\n address range, or from the instances that are associated with the specified destination security \n groups. When specifying an inbound rule for your security group in a VPC, the\n IpPermissions
must include a source for the traffic.
You specify a protocol for each rule (for example, TCP). \n For TCP and UDP, you must also specify the destination port or port range. \n For ICMP/ICMPv6, you must also specify the ICMP/ICMPv6 type and code. \n You can use -1 to mean all types or all codes.
\nRule changes are propagated to instances within the security group as quickly as possible. \n However, a small delay might occur.
\nFor more information about VPC security group quotas, see Amazon VPC quotas.
", + "smithy.api#examples": [ + { + "title": "To add a rule that allows inbound SSH traffic from an IPv4 address range", + "documentation": "This example enables inbound traffic on TCP port 22 (SSH). The rule includes a description to help you identify it later.", + "input": { + "GroupId": "sg-903004f8", + "IpPermissions": [ + { + "IpProtocol": "tcp", + "FromPort": 22, + "ToPort": 22, + "IpRanges": [ + { + "CidrIp": "203.0.113.0/24", + "Description": "SSH access from the LA office" + } + ] + } + ] + }, + "output": {} + } + ] } }, "com.amazonaws.ec2#AuthorizeSecurityGroupIngressRequest": { @@ -8118,7 +8277,7 @@ "GroupName": { "target": "com.amazonaws.ec2#SecurityGroupName", "traits": { - "smithy.api#documentation": "[EC2-Classic, default VPC] The name of the security group. You must specify either the\n security group ID or the security group name in the request. For security groups in a\n nondefault VPC, you must specify the security group ID.
" + "smithy.api#documentation": "[Default VPC] The name of the security group. You must specify either the\n security group ID or the security group name in the request. For security groups in a\n nondefault VPC, you must specify the security group ID.
" } }, "IpPermissions": { @@ -8130,19 +8289,19 @@ "IpProtocol": { "target": "com.amazonaws.ec2#String", "traits": { - "smithy.api#documentation": "The IP protocol name (tcp
, udp
, icmp
) or number\n (see Protocol Numbers). To specify icmpv6
, use a set of IP permissions.
[VPC only] Use -1
to specify all protocols. If you specify -1
or a \n protocol other than tcp
, udp
, or icmp
, traffic on all ports \n is allowed, regardless of any ports you specify.
Alternatively, use a set of IP permissions to specify multiple rules and a description for the rule.
" + "smithy.api#documentation": "The IP protocol name (tcp
, udp
, icmp
) or number\n (see Protocol Numbers). To specify icmpv6
, use a set of IP permissions.
Use -1
to specify all protocols. If you specify -1
or a \n protocol other than tcp
, udp
, or icmp
, traffic on all ports \n is allowed, regardless of any ports you specify.
Alternatively, use a set of IP permissions to specify multiple rules and a description for the rule.
" } }, "SourceSecurityGroupName": { "target": "com.amazonaws.ec2#String", "traits": { - "smithy.api#documentation": "[EC2-Classic, default VPC] The name of the source security group. You can't specify this parameter \n in combination with the following parameters: the CIDR IP address range, the start of the port range, \n the IP protocol, and the end of the port range. Creates rules that grant full ICMP, UDP, and TCP access. \n To create a rule with a specific IP protocol and port range, use a set of IP permissions instead. For \n EC2-VPC, the source security group must be in the same VPC.
" + "smithy.api#documentation": "[Default VPC] The name of the source security group. You can't specify this parameter \n in combination with the following parameters: the CIDR IP address range, the start of the port range, \n the IP protocol, and the end of the port range. Creates rules that grant full ICMP, UDP, and TCP access. \n To create a rule with a specific IP protocol and port range, use a set of IP permissions instead. \n The source security group must be in the same VPC.
" } }, "SourceSecurityGroupOwnerId": { "target": "com.amazonaws.ec2#String", "traits": { - "smithy.api#documentation": "[nondefault VPC] The Amazon Web Services account ID for the source security group, if the source security group is \n in a different account. You can't specify this parameter in combination with the following parameters: \n the CIDR IP address range, the IP protocol, the start of the port range, and the end of the port range. \n Creates rules that grant full ICMP, UDP, and TCP access. To create a rule with a specific IP protocol \n and port range, use a set of IP permissions instead.
" + "smithy.api#documentation": "[Nondefault VPC] The Amazon Web Services account ID for the source security group, if the source security group is \n in a different account. You can't specify this parameter in combination with the following parameters: \n the CIDR IP address range, the IP protocol, the start of the port range, and the end of the port range. \n Creates rules that grant full ICMP, UDP, and TCP access. To create a rule with a specific IP protocol \n and port range, use a set of IP permissions instead.
" } }, "ToPort": { @@ -8351,6 +8510,9 @@ "smithy.api#documentation": "Describes Availability Zones, Local Zones, and Wavelength Zones.
" } }, + "com.amazonaws.ec2#AvailabilityZoneId": { + "type": "string" + }, "com.amazonaws.ec2#AvailabilityZoneList": { "type": "list", "member": { @@ -8510,6 +8672,9 @@ "com.amazonaws.ec2#BareMetalFlag": { "type": "boolean" }, + "com.amazonaws.ec2#BaselineBandwidthInGbps": { + "type": "double" + }, "com.amazonaws.ec2#BaselineBandwidthInMbps": { "type": "integer" }, @@ -9622,7 +9787,28 @@ "target": "com.amazonaws.ec2#CancelSpotFleetRequestsResponse" }, "traits": { - "smithy.api#documentation": "Cancels the specified Spot Fleet requests.
\nAfter you cancel a Spot Fleet request, the Spot Fleet launches no new instances.
\nYou must also specify whether a canceled Spot Fleet request should terminate its instances. If you\n choose to terminate the instances, the Spot Fleet request enters the\n cancelled_terminating
state. Otherwise, the Spot Fleet request enters\n the cancelled_running
state and the instances continue to run until they\n are interrupted or you terminate them manually.
Cancels the specified Spot Fleet requests.
\nAfter you cancel a Spot Fleet request, the Spot Fleet launches no new instances.
\nYou must also specify whether a canceled Spot Fleet request should terminate its instances. If you\n choose to terminate the instances, the Spot Fleet request enters the\n cancelled_terminating
state. Otherwise, the Spot Fleet request enters\n the cancelled_running
state and the instances continue to run until they\n are interrupted or you terminate them manually.
Cancels one or more Spot Instance requests.
\nCanceling a Spot Instance request does not terminate running Spot Instances\n associated with the request.
\nCancels one or more Spot Instance requests.
\nCanceling a Spot Instance request does not terminate running Spot Instances\n associated with the request.
\nDescribes the ClassicLink DNS support status of a VPC.
" + "smithy.api#documentation": "Deprecated.
\nDescribes the ClassicLink DNS support status of a VPC.
" } }, "com.amazonaws.ec2#ClassicLinkDnsSupportList": { @@ -10957,7 +11162,7 @@ "target": "com.amazonaws.ec2#GroupIdentifierList", "traits": { "aws.protocols#ec2QueryName": "GroupSet", - "smithy.api#documentation": "A list of security groups.
", + "smithy.api#documentation": "The security groups.
", "smithy.api#xmlName": "groupSet" } }, @@ -10987,7 +11192,7 @@ } }, "traits": { - "smithy.api#documentation": "We are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nDescribes a linked EC2-Classic instance.
" + "smithy.api#documentation": "Deprecated.
\nDescribes a linked EC2-Classic instance.
" } }, "com.amazonaws.ec2#ClassicLinkInstanceList": { @@ -12267,7 +12472,20 @@ "target": "com.amazonaws.ec2#ConfirmProductInstanceResult" }, "traits": { - "smithy.api#documentation": "Determines whether a product code is associated with an instance. This action can only\n be used by the owner of the product code. It is useful when a product code owner must\n verify whether another user's instance is eligible for support.
" + "smithy.api#documentation": "Determines whether a product code is associated with an instance. This action can only\n be used by the owner of the product code. It is useful when a product code owner must\n verify whether another user's instance is eligible for support.
", + "smithy.api#examples": [ + { + "title": "To confirm the product instance", + "documentation": "This example determines whether the specified product code is associated with the specified instance.", + "input": { + "ProductCode": "774F4FF8", + "InstanceId": "i-1234567890abcdef0" + }, + "output": { + "OwnerId": "123456789012" + } + } + ] } }, "com.amazonaws.ec2#ConfirmProductInstanceRequest": { @@ -12719,7 +12937,22 @@ "target": "com.amazonaws.ec2#CopyImageResult" }, "traits": { - "smithy.api#documentation": "Initiates the copy of an AMI. You can copy an AMI from one Region to another, or from a\n Region to an Outpost. You can't copy an AMI from an Outpost to a Region, from one Outpost\n to another, or within the same Outpost. To copy an AMI to another partition, see CreateStoreImageTask.
\nTo copy an AMI from one Region to another, specify the source Region using the \n \t\tSourceRegion parameter, and specify the \n \t\tdestination Region using its endpoint. Copies of encrypted backing snapshots for\n \t\tthe AMI are encrypted. Copies of unencrypted backing snapshots remain unencrypted, \n \t\tunless you set Encrypted
during the copy operation. You cannot \n \t\tcreate an unencrypted copy of an encrypted backing snapshot.
To copy an AMI from a Region to an Outpost, specify the source Region using the \n \t\tSourceRegion parameter, and specify the \n \t\tARN of the destination Outpost using DestinationOutpostArn. \n \t\tBacking snapshots copied to an Outpost are encrypted by default using the default\n \t\tencryption key for the Region, or a different key that you specify in the request using \n \t\tKmsKeyId. Outposts do not support unencrypted \n \t\tsnapshots. For more information, \n \t\t\tAmazon EBS local snapshots on Outposts in the Amazon EC2 User Guide.
\nFor more information about the prerequisites and limits when copying an AMI, see Copy an AMI in the\n Amazon EC2 User Guide.
" + "smithy.api#documentation": "Initiates the copy of an AMI. You can copy an AMI from one Region to another, or from a\n Region to an Outpost. You can't copy an AMI from an Outpost to a Region, from one Outpost\n to another, or within the same Outpost. To copy an AMI to another partition, see CreateStoreImageTask.
\nTo copy an AMI from one Region to another, specify the source Region using the \n \t\tSourceRegion parameter, and specify the \n \t\tdestination Region using its endpoint. Copies of encrypted backing snapshots for\n \t\tthe AMI are encrypted. Copies of unencrypted backing snapshots remain unencrypted, \n \t\tunless you set Encrypted
during the copy operation. You cannot \n \t\tcreate an unencrypted copy of an encrypted backing snapshot.
To copy an AMI from a Region to an Outpost, specify the source Region using the \n \t\tSourceRegion parameter, and specify the \n \t\tARN of the destination Outpost using DestinationOutpostArn. \n \t\tBacking snapshots copied to an Outpost are encrypted by default using the default\n \t\tencryption key for the Region, or a different key that you specify in the request using \n \t\tKmsKeyId. Outposts do not support unencrypted \n \t\tsnapshots. For more information, \n \t\t\tAmazon EBS local snapshots on Outposts in the Amazon EC2 User Guide.
\nFor more information about the prerequisites and limits when copying an AMI, see Copy an AMI in the\n Amazon EC2 User Guide.
", + "smithy.api#examples": [ + { + "title": "To copy an AMI to another region", + "documentation": "This example copies the specified AMI from the us-east-1 region to the current region.", + "input": { + "Description": "", + "Name": "My server", + "SourceImageId": "ami-5731123e", + "SourceRegion": "us-east-1" + }, + "output": { + "ImageId": "ami-438bea42" + } + } + ] } }, "com.amazonaws.ec2#CopyImageRequest": { @@ -12835,7 +13068,22 @@ "target": "com.amazonaws.ec2#CopySnapshotResult" }, "traits": { - "smithy.api#documentation": "Copies a point-in-time snapshot of an EBS volume and stores it in Amazon S3. You can copy a\n snapshot within the same Region, from one Region to another, or from a Region to an Outpost. \n You can't copy a snapshot from an Outpost to a Region, from one Outpost to another, or within \n the same Outpost.
\nYou can use the snapshot to create EBS volumes or Amazon Machine Images (AMIs).
\nWhen copying snapshots to a Region, copies of encrypted EBS snapshots remain encrypted. \n \tCopies of unencrypted snapshots remain unencrypted, unless you enable encryption for the \n \tsnapshot copy operation. By default, encrypted snapshot copies use the default Key Management Service (KMS) \n \tKMS key; however, you can specify a different KMS key. To copy an encrypted \n \tsnapshot that has been shared from another account, you must have permissions for the KMS key \n \tused to encrypt the snapshot.
\nSnapshots copied to an Outpost are encrypted by default using the default\n \t\tencryption key for the Region, or a different key that you specify in the request using \n \t\tKmsKeyId. Outposts do not support unencrypted \n \t\tsnapshots. For more information, \n \t\t\tAmazon EBS local snapshots on Outposts in the Amazon Elastic Compute Cloud User Guide.
\nSnapshots created by copying another snapshot have an arbitrary volume ID that should not\n be used for any purpose.
\nFor more information, see Copy an Amazon EBS snapshot in the\n Amazon Elastic Compute Cloud User Guide.
" + "smithy.api#documentation": "Copies a point-in-time snapshot of an EBS volume and stores it in Amazon S3. You can copy a\n snapshot within the same Region, from one Region to another, or from a Region to an Outpost. \n You can't copy a snapshot from an Outpost to a Region, from one Outpost to another, or within \n the same Outpost.
\nYou can use the snapshot to create EBS volumes or Amazon Machine Images (AMIs).
\nWhen copying snapshots to a Region, copies of encrypted EBS snapshots remain encrypted. \n \tCopies of unencrypted snapshots remain unencrypted, unless you enable encryption for the \n \tsnapshot copy operation. By default, encrypted snapshot copies use the default Key Management Service (KMS) \n \tKMS key; however, you can specify a different KMS key. To copy an encrypted \n \tsnapshot that has been shared from another account, you must have permissions for the KMS key \n \tused to encrypt the snapshot.
\nSnapshots copied to an Outpost are encrypted by default using the default\n \t\tencryption key for the Region, or a different key that you specify in the request using \n \t\tKmsKeyId. Outposts do not support unencrypted \n \t\tsnapshots. For more information, \n \t\t\tAmazon EBS local snapshots on Outposts in the Amazon Elastic Compute Cloud User Guide.
\nSnapshots created by copying another snapshot have an arbitrary volume ID that should not\n be used for any purpose.
\nFor more information, see Copy an Amazon EBS snapshot in the\n Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#examples": [ + { + "title": "To copy a snapshot", + "documentation": "This example copies a snapshot with the snapshot ID of ``snap-066877671789bd71b`` from the ``us-west-2`` region to the ``us-east-1`` region and adds a short description to identify the snapshot.", + "input": { + "SourceRegion": "us-west-2", + "SourceSnapshotId": "snap-066877671789bd71b", + "Description": "This is my copied snapshot.", + "DestinationRegion": "us-east-1" + }, + "output": { + "SnapshotId": "snap-066877671789bd71b" + } + } + ] } }, "com.amazonaws.ec2#CopySnapshotRequest": { @@ -13040,7 +13288,7 @@ "target": "com.amazonaws.ec2#AmdSevSnpSpecification", "traits": { "aws.protocols#ec2QueryName": "AmdSevSnp", - "smithy.api#documentation": "Indicates whether the instance is enabled for AMD SEV-SNP.
", + "smithy.api#documentation": "Indicates whether the instance is enabled for AMD SEV-SNP. For more information, see \n AMD SEV-SNP.
", "smithy.api#xmlName": "amdSevSnp" } } @@ -13071,7 +13319,7 @@ "AmdSevSnp": { "target": "com.amazonaws.ec2#AmdSevSnpSpecification", "traits": { - "smithy.api#documentation": "Indicates whether to enable the instance for AMD SEV-SNP. AMD SEV-SNP is supported \n with M6a, R6a, and C6a instance types only.
" + "smithy.api#documentation": "Indicates whether to enable the instance for AMD SEV-SNP. AMD SEV-SNP is supported \n with M6a, R6a, and C6a instance types only. For more information, see \n AMD SEV-SNP.
" } } }, @@ -13301,13 +13549,13 @@ } }, "AvailabilityZone": { - "target": "com.amazonaws.ec2#String", + "target": "com.amazonaws.ec2#AvailabilityZoneName", "traits": { "smithy.api#documentation": "The Availability Zone in which to create the Capacity Reservation.
" } }, "AvailabilityZoneId": { - "target": "com.amazonaws.ec2#String", + "target": "com.amazonaws.ec2#AvailabilityZoneId", "traits": { "smithy.api#documentation": "The ID of the Availability Zone in which to create the Capacity Reservation.
" } @@ -13863,7 +14111,27 @@ "target": "com.amazonaws.ec2#CreateCustomerGatewayResult" }, "traits": { - "smithy.api#documentation": "Provides information to Amazon Web Services about your customer gateway device. The\n customer gateway device is the appliance at your end of the VPN connection. You\n must provide the IP address of the customer gateway device’s external\n interface. The IP address must be static and can be behind a device performing network\n address translation (NAT).
\nFor devices that use Border Gateway Protocol (BGP), you can also provide the device's\n BGP Autonomous System Number (ASN). You can use an existing ASN assigned to your network.\n If you don't have an ASN already, you can use a private ASN. For more information, see \n Customer gateway \n options for your Site-to-Site VPN connection in the Amazon Web Services Site-to-Site VPN User Guide.
\nTo create more than one customer gateway with the same VPN type, IP address, and\n BGP ASN, specify a unique device name for each customer gateway. An identical request\n returns information about the existing customer gateway; it doesn't create a new customer\n gateway.
" + "smithy.api#documentation": "Provides information to Amazon Web Services about your customer gateway device. The\n customer gateway device is the appliance at your end of the VPN connection. You\n must provide the IP address of the customer gateway device’s external\n interface. The IP address must be static and can be behind a device performing network\n address translation (NAT).
\nFor devices that use Border Gateway Protocol (BGP), you can also provide the device's\n BGP Autonomous System Number (ASN). You can use an existing ASN assigned to your network.\n If you don't have an ASN already, you can use a private ASN. For more information, see \n Customer gateway \n options for your Site-to-Site VPN connection in the Amazon Web Services Site-to-Site VPN User Guide.
\nTo create more than one customer gateway with the same VPN type, IP address, and\n BGP ASN, specify a unique device name for each customer gateway. An identical request\n returns information about the existing customer gateway; it doesn't create a new customer\n gateway.
", + "smithy.api#examples": [ + { + "title": "To create a customer gateway", + "documentation": "This example creates a customer gateway with the specified IP address for its outside interface.", + "input": { + "Type": "ipsec.1", + "PublicIp": "12.1.2.3", + "BgpAsn": 65534 + }, + "output": { + "CustomerGateway": { + "CustomerGatewayId": "cgw-0e11f167", + "IpAddress": "12.1.2.3", + "State": "available", + "Type": "ipsec.1", + "BgpAsn": "65534" + } + } + } + ] } }, "com.amazonaws.ec2#CreateCustomerGatewayRequest": { @@ -13958,7 +14226,7 @@ "target": "com.amazonaws.ec2#CreateDefaultSubnetResult" }, "traits": { - "smithy.api#documentation": "Creates a default subnet with a size /20
IPv4 CIDR block in the\n specified Availability Zone in your default VPC. You can have only one default subnet\n per Availability Zone. For more information, see Creating a default\n subnet in the Amazon Virtual Private Cloud User Guide.
Creates a default subnet with a size /20
IPv4 CIDR block in the\n specified Availability Zone in your default VPC. You can have only one default subnet\n per Availability Zone. For more information, see Create a default\n subnet in the Amazon VPC User Guide.
Creates a default VPC with a size /16
IPv4 CIDR block and a default subnet\n\t\t\tin each Availability Zone. For more information about the components of a default VPC,\n\t\t\tsee Default VPC and\n\t\t\tdefault subnets in the Amazon Virtual Private Cloud User Guide. You cannot\n\t\t\tspecify the components of the default VPC yourself.
If you deleted your previous default VPC, you can create a default VPC. You cannot have\n\t\t\tmore than one default VPC per Region.
\nIf your account supports EC2-Classic, you cannot use this action to create a default VPC\n\t\t\tin a Region that supports EC2-Classic. If you want a default VPC in a Region that\n\t\t\tsupports EC2-Classic, see \"I really want a default VPC for my existing EC2 account. Is\n\t\t\tthat possible?\" in the Default VPCs\n\t\t\tFAQ.
\nWe are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nCreates a default VPC with a size /16
IPv4 CIDR block and a default subnet\n\t\t\tin each Availability Zone. For more information about the components of a default VPC,\n\t\t\tsee Default VPCs \n\t\t in the Amazon VPC User Guide. You cannot specify the components of the \n\t\t default VPC yourself.
If you deleted your previous default VPC, you can create a default VPC. You cannot have\n\t\t\tmore than one default VPC per Region.
" } }, "com.amazonaws.ec2#CreateDefaultVpcRequest": { @@ -14062,7 +14330,42 @@ "target": "com.amazonaws.ec2#CreateDhcpOptionsResult" }, "traits": { - "smithy.api#documentation": "Creates a set of DHCP options for your VPC. After creating the set, you must\n\t\t\t\tassociate it with the VPC, causing all existing and new instances that you launch in\n\t\t\t\tthe VPC to use this set of DHCP options. The following are the individual DHCP\n\t\t\t\toptions you can specify. For more information about the options, see RFC 2132.
\n\n domain-name-servers
- The IP addresses of up to four domain name\n servers, or AmazonProvidedDNS. The default DHCP option set specifies\n AmazonProvidedDNS. If specifying more than one domain name server, specify the\n IP addresses in a single parameter, separated by commas. To have your instance\n receive a custom DNS hostname as specified in domain-name
, you must\n set domain-name-servers
to a custom DNS server.
\n domain-name
- If you're using AmazonProvidedDNS in\n us-east-1
, specify ec2.internal
. If you're using\n AmazonProvidedDNS in another Region, specify\n region.compute.internal
(for example,\n ap-northeast-1.compute.internal
). Otherwise, specify a domain\n name (for example, ExampleCompany.com
). This value is used to complete\n unqualified DNS hostnames. Important: Some\n Linux operating systems accept multiple domain names separated by spaces.\n However, Windows and other Linux operating systems treat the value as a single\n domain, which results in unexpected behavior. If your DHCP options set is\n associated with a VPC that has instances with multiple operating systems,\n specify only one domain name.
\n ntp-servers
- The IP addresses of up to four Network Time Protocol (NTP)\n servers.
\n netbios-name-servers
- The IP addresses of up to four NetBIOS name\n servers.
\n netbios-node-type
- The NetBIOS node type (1, 2, 4, or 8). We recommend that\n you specify 2 (broadcast and multicast are not currently supported). For more information\n about these node types, see RFC 2132.
Your VPC automatically starts out with a set of DHCP options that includes only a DNS\n\t\t\tserver that we provide (AmazonProvidedDNS). If you create a set of options, and if your\n\t\t\tVPC has an internet gateway, make sure to set the domain-name-servers
\n\t\t\toption either to AmazonProvidedDNS
or to a domain name server of your\n\t\t\tchoice. For more information, see DHCP options sets in the\n\t\t\tAmazon Virtual Private Cloud User Guide.
Creates a set of DHCP options for your VPC. After creating the set, you must\n\t\t\t\tassociate it with the VPC, causing all existing and new instances that you launch in\n\t\t\t\tthe VPC to use this set of DHCP options. The following are the individual DHCP\n\t\t\t\toptions you can specify. For more information about the options, see RFC 2132.
\n\n domain-name-servers
- The IP addresses of up to four domain name\n servers, or AmazonProvidedDNS. The default DHCP option set specifies\n AmazonProvidedDNS. If specifying more than one domain name server, specify the\n IP addresses in a single parameter, separated by commas. To have your instance\n receive a custom DNS hostname as specified in domain-name
, you must\n set domain-name-servers
to a custom DNS server.
\n domain-name
- If you're using AmazonProvidedDNS in\n us-east-1
, specify ec2.internal
. If you're using\n AmazonProvidedDNS in another Region, specify\n region.compute.internal
(for example,\n ap-northeast-1.compute.internal
). Otherwise, specify a domain\n name (for example, ExampleCompany.com
). This value is used to complete\n unqualified DNS hostnames. Important: Some\n Linux operating systems accept multiple domain names separated by spaces.\n However, Windows and other Linux operating systems treat the value as a single\n domain, which results in unexpected behavior. If your DHCP options set is\n associated with a VPC that has instances with multiple operating systems,\n specify only one domain name.
\n ntp-servers
- The IP addresses of up to four Network Time Protocol (NTP)\n servers.
\n netbios-name-servers
- The IP addresses of up to four NetBIOS name\n servers.
\n netbios-node-type
- The NetBIOS node type (1, 2, 4, or 8). We recommend that\n you specify 2 (broadcast and multicast are not currently supported). For more information\n about these node types, see RFC 2132.
Your VPC automatically starts out with a set of DHCP options that includes only a DNS\n\t\t\tserver that we provide (AmazonProvidedDNS). If you create a set of options, and if your\n\t\t\tVPC has an internet gateway, make sure to set the domain-name-servers
\n\t\t\toption either to AmazonProvidedDNS
or to a domain name server of your\n\t\t\tchoice. For more information, see DHCP options sets in the\n\t\t\tAmazon VPC User Guide.
Launches an EC2 Fleet.
\nYou can create a single EC2 Fleet that includes multiple launch specifications that vary by\n instance type, AMI, Availability Zone, or subnet.
\nFor more information, see EC2 Fleet in the Amazon EC2 User Guide.
" + "smithy.api#documentation": "Creates an EC2 Fleet that contains the configuration information for On-Demand Instances and Spot Instances.\n Instances are launched immediately if there is available capacity.
\nA single EC2 Fleet can include multiple launch specifications that vary by instance type,\n AMI, Availability Zone, or subnet.
\nFor more information, see EC2 Fleet in the Amazon EC2 User Guide.
" } }, "com.amazonaws.ec2#CreateFleetError": { @@ -14527,7 +14830,7 @@ "LogFormat": { "target": "com.amazonaws.ec2#String", "traits": { - "smithy.api#documentation": "The fields to include in the flow log record. List the fields in the order in which\n they should appear. If you omit this parameter, the flow log is created using the\n default format. If you specify this parameter, you must include at least one\n field. For more information about the available fields, see Flow log\n records in the Amazon VPC User Guide or Transit Gateway Flow Log\n records in the Amazon Web Services Transit Gateway Guide.
\nSpecify the fields using the ${field-id}
format, separated by spaces. For\n the CLI, surround this parameter value with single quotes on Linux or\n double quotes on Windows.
The fields to include in the flow log record. List the fields in the order in which\n they should appear. If you omit this parameter, the flow log is created using the\n default format. If you specify this parameter, you must include at least one\n field. For more information about the available fields, see Flow log\n records in the Amazon VPC User Guide or Transit Gateway Flow Log\n records in the Amazon Web Services Transit Gateway Guide.
\nSpecify the fields using the ${field-id}
format, separated by spaces.
Creates an Amazon EBS-backed AMI from an Amazon EBS-backed instance \n \tthat is either running or stopped.
\nBy default, when Amazon EC2 creates the new AMI, it reboots the instance so that it can \n\t\t\t\t\ttake snapshots of the attached volumes while data is at rest, in order to ensure a consistent \n\t\t\t\t\tstate. You can set the NoReboot
parameter to true
in the API request, \n\t\t\t\t\tor use the --no-reboot
option in the CLI to prevent Amazon EC2 from shutting down and \n\t\t\t\t\trebooting the instance.
If you choose to bypass the shutdown and reboot process by setting the NoReboot
\n\t\t\t\t\tparameter to true
in the API request, or by using the --no-reboot
option \n\t\t\t\t\tin the CLI, we can't guarantee the file system integrity of the created image.
If you customized your instance with instance store volumes or Amazon EBS volumes in addition to the root device volume, the \n \tnew AMI contains block device mapping information for those volumes. When you launch an instance from this new AMI, \n \tthe instance automatically launches with those additional volumes.
\nFor more information, see Create an Amazon EBS-backed Linux\n AMI in the Amazon Elastic Compute Cloud User Guide.
" + "smithy.api#documentation": "Creates an Amazon EBS-backed AMI from an Amazon EBS-backed instance \n \tthat is either running or stopped.
\nIf you customized your instance with instance store volumes or Amazon EBS volumes in addition to the root device volume, the \n \tnew AMI contains block device mapping information for those volumes. When you launch an instance from this new AMI, \n \tthe instance automatically launches with those additional volumes.
\nFor more information, see Create an Amazon EBS-backed Linux\n AMI in the Amazon Elastic Compute Cloud User Guide.
" } }, "com.amazonaws.ec2#CreateImageRequest": { @@ -14746,7 +15049,7 @@ "aws.protocols#ec2QueryName": "NoReboot", "smithy.api#clientOptional": {}, "smithy.api#default": false, - "smithy.api#documentation": "By default, when Amazon EC2 creates the new AMI, it reboots the instance so that it can \n\t\t\t\t\ttake snapshots of the attached volumes while data is at rest, in order to ensure a consistent \n\t\t\t\t\tstate. You can set the NoReboot
parameter to true
in the API request, \n\t\t\t\t\tor use the --no-reboot
option in the CLI to prevent Amazon EC2 from shutting down and \n\t\t\t\t\trebooting the instance.
If you choose to bypass the shutdown and reboot process by setting the NoReboot
\n\t\t\t\t\tparameter to true
in the API request, or by using the --no-reboot
option \n\t\t\t\t\tin the CLI, we can't guarantee the file system integrity of the created image.
Default: false
(follow standard reboot process)
Indicates whether or not the instance should be automatically rebooted before creating \n the image. Specify one of the following values:
\n\n true
- The instance is not rebooted before creating the image. This \n creates crash-consistent snapshots that include only the data that has been written \n to the volumes at the time the snapshots are created. Buffered data and data in \n memory that has not yet been written to the volumes is not included in the snapshots.
\n false
- The instance is rebooted before creating the image. This \n ensures that all buffered data and data in memory is written to the volumes before the \n snapshots are created.
Default: false
\n
Creates an EC2 Instance Connect Endpoint.
\nAn EC2 Instance Connect Endpoint allows you to connect to a resource, without\n requiring the resource to have a public IPv4 address. For more information, see Connect to your resources without requiring a public IPv4 address using EC2\n Instance Connect Endpoint in the Amazon EC2 User\n Guide.
" + "smithy.api#documentation": "Creates an EC2 Instance Connect Endpoint.
\nAn EC2 Instance Connect Endpoint allows you to connect to an instance, without\n requiring the instance to have a public IPv4 address. For more information, see Connect to your instances without requiring a public IPv4 address using EC2\n Instance Connect Endpoint in the Amazon EC2 User\n Guide.
" } }, "com.amazonaws.ec2#CreateInstanceConnectEndpointRequest": { @@ -14946,7 +15249,7 @@ "target": "com.amazonaws.ec2#CreateInstanceExportTaskResult" }, "traits": { - "smithy.api#documentation": "Exports a running or stopped instance to an Amazon S3 bucket.
\nFor information about the supported operating systems, image formats, and known limitations\n for the types of instances you can export, see Exporting an instance as a VM Using VM Import/Export\n in the VM Import/Export User Guide.
" + "smithy.api#documentation": "Exports a running or stopped instance to an Amazon S3 bucket.
\nFor information about the prerequisites for your Amazon S3 bucket, supported operating systems,\n image formats, and known limitations for the types of instances you can export, see Exporting an instance as a VM Using VM\n Import/Export in the VM Import/Export User Guide.
" } }, "com.amazonaws.ec2#CreateInstanceExportTaskRequest": { @@ -15027,7 +15330,20 @@ "target": "com.amazonaws.ec2#CreateInternetGatewayResult" }, "traits": { - "smithy.api#documentation": "Creates an internet gateway for use with a VPC. After creating the internet gateway,\n\t\t\tyou attach it to a VPC using AttachInternetGateway.
\nFor more information about your VPC and internet gateway, see the Amazon Virtual Private Cloud User Guide.
" + "smithy.api#documentation": "Creates an internet gateway for use with a VPC. After creating the internet gateway,\n\t\t\tyou attach it to a VPC using AttachInternetGateway.
\nFor more information, see Internet gateways in the \n Amazon VPC User Guide.
", + "smithy.api#examples": [ + { + "title": "To create an Internet gateway", + "documentation": "This example creates an Internet gateway.", + "output": { + "InternetGateway": { + "Tags": [], + "InternetGatewayId": "igw-c0a643a9", + "Attachments": [] + } + } + } + ] } }, "com.amazonaws.ec2#CreateInternetGatewayRequest": { @@ -15445,7 +15761,16 @@ "target": "com.amazonaws.ec2#KeyPair" }, "traits": { - "smithy.api#documentation": "Creates an ED25519 or 2048-bit RSA key pair with the specified name and in the\n specified PEM or PPK format. Amazon EC2 stores the public key and displays the private\n key for you to save to a file. The private key is returned as an unencrypted PEM encoded\n PKCS#1 private key or an unencrypted PPK formatted private key for use with PuTTY. If a\n key with the specified name already exists, Amazon EC2 returns an error.
\nThe key pair returned to you is available only in the Amazon Web Services Region in which you create it.\n If you prefer, you can create your own key pair using a third-party tool and upload it\n to any Region using ImportKeyPair.
\nYou can have up to 5,000 key pairs per Amazon Web Services Region.
\nFor more information, see Amazon EC2 key pairs in the\n Amazon Elastic Compute Cloud User Guide.
" + "smithy.api#documentation": "Creates an ED25519 or 2048-bit RSA key pair with the specified name and in the\n specified PEM or PPK format. Amazon EC2 stores the public key and displays the private\n key for you to save to a file. The private key is returned as an unencrypted PEM encoded\n PKCS#1 private key or an unencrypted PPK formatted private key for use with PuTTY. If a\n key with the specified name already exists, Amazon EC2 returns an error.
\nThe key pair returned to you is available only in the Amazon Web Services Region in which you create it.\n If you prefer, you can create your own key pair using a third-party tool and upload it\n to any Region using ImportKeyPair.
\nYou can have up to 5,000 key pairs per Amazon Web Services Region.
\nFor more information, see Amazon EC2 key pairs in the\n Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#examples": [ + { + "title": "To create a key pair", + "documentation": "This example creates a key pair named my-key-pair.", + "input": { + "KeyName": "my-key-pair" + } + } + ] } }, "com.amazonaws.ec2#CreateKeyPairRequest": { @@ -15502,7 +15827,50 @@ "target": "com.amazonaws.ec2#CreateLaunchTemplateResult" }, "traits": { - "smithy.api#documentation": "Creates a launch template.
\nA launch template contains the parameters to launch an instance. When you launch an\n instance using RunInstances, you can specify a launch template instead\n of providing the launch parameters in the request. For more information, see Launch\n an instance from a launch template in the\n Amazon Elastic Compute Cloud User Guide.
\nIf you want to clone an existing launch template as the basis for creating a new\n launch template, you can use the Amazon EC2 console. The API, SDKs, and CLI do not support\n cloning a template. For more information, see Create a launch template from an existing launch template in the\n Amazon Elastic Compute Cloud User Guide.
" + "smithy.api#documentation": "Creates a launch template.
\nA launch template contains the parameters to launch an instance. When you launch an\n instance using RunInstances, you can specify a launch template instead\n of providing the launch parameters in the request. For more information, see Launch\n an instance from a launch template in the\n Amazon Elastic Compute Cloud User Guide.
\nIf you want to clone an existing launch template as the basis for creating a new\n launch template, you can use the Amazon EC2 console. The API, SDKs, and CLI do not support\n cloning a template. For more information, see Create a launch template from an existing launch template in the\n Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#examples": [ + { + "title": "To create a launch template", + "documentation": "This example creates a launch template that specifies the subnet in which to launch the instance, assigns a public IP address and an IPv6 address to the instance, and creates a tag for the instance.", + "input": { + "LaunchTemplateName": "my-template", + "VersionDescription": "WebVersion1", + "LaunchTemplateData": { + "NetworkInterfaces": [ + { + "AssociatePublicIpAddress": true, + "DeviceIndex": 0, + "Ipv6AddressCount": 1, + "SubnetId": "subnet-7b16de0c" + } + ], + "ImageId": "ami-8c1be5f6", + "InstanceType": "t2.small", + "TagSpecifications": [ + { + "ResourceType": "instance", + "Tags": [ + { + "Key": "Name", + "Value": "webserver" + } + ] + } + ] + } + }, + "output": { + "LaunchTemplate": { + "LatestVersionNumber": 1, + "LaunchTemplateId": "lt-01238c059e3466abc", + "LaunchTemplateName": "my-template", + "DefaultVersionNumber": 1, + "CreatedBy": "arn:aws:iam::123456789012:root", + "CreateTime": "2017-11-27T09:13:24.000Z" + } + } + } + ] } }, "com.amazonaws.ec2#CreateLaunchTemplateRequest": { @@ -15589,7 +15957,48 @@ "target": "com.amazonaws.ec2#CreateLaunchTemplateVersionResult" }, "traits": { - "smithy.api#documentation": "Creates a new version of a launch template. You can specify an existing version of\n launch template from which to base the new version.
\nLaunch template versions are numbered in the order in which they are created. You\n cannot specify, change, or replace the numbering of launch template versions.
\nLaunch templates are immutable; after you create a launch template, you can't modify\n it. Instead, you can create a new version of the launch template that includes any\n changes you require.
\nFor more information, see Modify a launch template (manage launch template versions) in the\n Amazon Elastic Compute Cloud User Guide.
" + "smithy.api#documentation": "Creates a new version of a launch template. You can specify an existing version of\n launch template from which to base the new version.
\nLaunch template versions are numbered in the order in which they are created. You\n cannot specify, change, or replace the numbering of launch template versions.
\nLaunch templates are immutable; after you create a launch template, you can't modify\n it. Instead, you can create a new version of the launch template that includes any\n changes you require.
\nFor more information, see Modify a launch template (manage launch template versions) in the\n Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#examples": [ + { + "title": "To create a launch template version", + "documentation": "This example creates a new launch template version based on version 1 of the specified launch template and specifies a different AMI ID.", + "input": { + "LaunchTemplateId": "lt-0abcd290751193123", + "SourceVersion": "1", + "VersionDescription": "WebVersion2", + "LaunchTemplateData": { + "ImageId": "ami-c998b6b2" + } + }, + "output": { + "LaunchTemplateVersion": { + "VersionDescription": "WebVersion2", + "LaunchTemplateId": "lt-0abcd290751193123", + "LaunchTemplateName": "my-template", + "VersionNumber": 2, + "CreatedBy": "arn:aws:iam::123456789012:root", + "LaunchTemplateData": { + "ImageId": "ami-c998b6b2", + "InstanceType": "t2.micro", + "NetworkInterfaces": [ + { + "Ipv6Addresses": [ + { + "Ipv6Address": "2001:db8:1234:1a00::123" + } + ], + "DeviceIndex": 0, + "SubnetId": "subnet-7b16de0c", + "AssociatePublicIpAddress": true + } + ] + }, + "DefaultVersion": false, + "CreateTime": "2017-12-01T13:35:46.000Z" + } + } + } + ] } }, "com.amazonaws.ec2#CreateLaunchTemplateVersionRequest": { @@ -16052,7 +16461,31 @@ "target": "com.amazonaws.ec2#CreateNatGatewayResult" }, "traits": { - "smithy.api#documentation": "Creates a NAT gateway in the specified subnet. This action creates a network interface\n in the specified subnet with a private IP address from the IP address range of the\n subnet. You can create either a public NAT gateway or a private NAT gateway.
\nWith a public NAT gateway, internet-bound traffic from a private subnet can be routed\n to the NAT gateway, so that instances in a private subnet can connect to the internet.
\nWith a private NAT gateway, private communication is routed across VPCs and on-premises\n networks through a transit gateway or virtual private gateway. Common use cases include\n running large workloads behind a small pool of allowlisted IPv4 addresses, preserving\n private IPv4 addresses, and communicating between overlapping networks.
\nFor more information, see NAT gateways in the Amazon Virtual Private Cloud User Guide.
" + "smithy.api#documentation": "Creates a NAT gateway in the specified subnet. This action creates a network interface\n in the specified subnet with a private IP address from the IP address range of the\n subnet. You can create either a public NAT gateway or a private NAT gateway.
\nWith a public NAT gateway, internet-bound traffic from a private subnet can be routed\n to the NAT gateway, so that instances in a private subnet can connect to the internet.
\nWith a private NAT gateway, private communication is routed across VPCs and on-premises\n networks through a transit gateway or virtual private gateway. Common use cases include\n running large workloads behind a small pool of allowlisted IPv4 addresses, preserving\n private IPv4 addresses, and communicating between overlapping networks.
\nFor more information, see NAT gateways in the Amazon VPC User Guide.
", + "smithy.api#examples": [ + { + "title": "To create a NAT gateway", + "documentation": "This example creates a NAT gateway in subnet subnet-1a2b3c4d and associates an Elastic IP address with the allocation ID eipalloc-37fc1a52 with the NAT gateway.", + "input": { + "SubnetId": "subnet-1a2b3c4d", + "AllocationId": "eipalloc-37fc1a52" + }, + "output": { + "NatGateway": { + "NatGatewayAddresses": [ + { + "AllocationId": "eipalloc-37fc1a52" + } + ], + "VpcId": "vpc-1122aabb", + "State": "pending", + "NatGatewayId": "nat-08d48af2a8e83edfd", + "SubnetId": "subnet-1a2b3c4d", + "CreateTime": "2015-12-17T12:45:26.732Z" + } + } + } + ] } }, "com.amazonaws.ec2#CreateNatGatewayRequest": { @@ -16109,14 +16542,14 @@ "SecondaryAllocationIds": { "target": "com.amazonaws.ec2#AllocationIdList", "traits": { - "smithy.api#documentation": "Secondary EIP allocation IDs. For more information about secondary addresses, see Create a NAT gateway in the Amazon Virtual Private Cloud User Guide.
", + "smithy.api#documentation": "Secondary EIP allocation IDs. For more information, see Create a NAT gateway \n in the Amazon VPC User Guide.
", "smithy.api#xmlName": "SecondaryAllocationId" } }, "SecondaryPrivateIpAddresses": { "target": "com.amazonaws.ec2#IpList", "traits": { - "smithy.api#documentation": "Secondary private IPv4 addresses. For more information about secondary addresses, see Create a NAT gateway in the Amazon Virtual Private Cloud User Guide.
", + "smithy.api#documentation": "Secondary private IPv4 addresses. For more information about secondary addresses, see Create a NAT gateway in the Amazon VPC User Guide.
", "smithy.api#xmlName": "SecondaryPrivateIpAddress" } }, @@ -16125,7 +16558,7 @@ "traits": { "smithy.api#clientOptional": {}, "smithy.api#default": 0, - "smithy.api#documentation": "[Private NAT gateway only] The number of secondary private IPv4 addresses you want to assign to the NAT gateway. For more information about secondary addresses, see Create a NAT gateway in the Amazon Virtual Private Cloud User Guide.
" + "smithy.api#documentation": "[Private NAT gateway only] The number of secondary private IPv4 addresses you want to assign to the NAT gateway. \n For more information about secondary addresses, see Create a NAT gateway \n in the Amazon VPC User Guide.
" } } }, @@ -16166,7 +16599,41 @@ "target": "com.amazonaws.ec2#CreateNetworkAclResult" }, "traits": { - "smithy.api#documentation": "Creates a network ACL in a VPC. Network ACLs provide an optional layer of security (in addition to security groups) for the instances in your VPC.
\nFor more information, see Network ACLs in the\n\t\t\t\tAmazon Virtual Private Cloud User Guide.
" + "smithy.api#documentation": "Creates a network ACL in a VPC. Network ACLs provide an optional layer of security (in addition to security groups) for the instances in your VPC.
\nFor more information, see Network ACLs in the\n\t\t\t\tAmazon VPC User Guide.
", + "smithy.api#examples": [ + { + "title": "To create a network ACL", + "documentation": "This example creates a network ACL for the specified VPC.", + "input": { + "VpcId": "vpc-a01106c2" + }, + "output": { + "NetworkAcl": { + "Associations": [], + "NetworkAclId": "acl-5fb85d36", + "VpcId": "vpc-a01106c2", + "Tags": [], + "Entries": [ + { + "CidrBlock": "0.0.0.0/0", + "RuleNumber": 32767, + "Protocol": "-1", + "Egress": true, + "RuleAction": "deny" + }, + { + "CidrBlock": "0.0.0.0/0", + "RuleNumber": 32767, + "Protocol": "-1", + "Egress": false, + "RuleAction": "deny" + } + ], + "IsDefault": false + } + } + } + ] } }, "com.amazonaws.ec2#CreateNetworkAclEntry": { @@ -16178,7 +16645,25 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Creates an entry (a rule) in a network ACL with the specified rule number. Each network ACL has a set of numbered ingress rules \n\t\t and a separate set of numbered egress rules. When determining whether a packet should be allowed in or out of a subnet associated \n\t\t with the ACL, we process the entries in the ACL according to the rule numbers, in ascending order. Each network ACL has a set of \n\t\t ingress rules and a separate set of egress rules.
\nWe recommend that you leave room between the rule numbers (for example, 100, 110, 120, ...), and not number them one right after the \n\t\t other (for example, 101, 102, 103, ...). This makes it easier to add a rule between existing ones without having to renumber the rules.
\nAfter you add an entry, you can't modify it; you must either replace it, or create an entry and delete the old one.
\nFor more information about network ACLs, see Network ACLs in the Amazon Virtual Private Cloud User Guide.
" + "smithy.api#documentation": "Creates an entry (a rule) in a network ACL with the specified rule number. Each network ACL has a set of numbered ingress rules \n\t\t and a separate set of numbered egress rules. When determining whether a packet should be allowed in or out of a subnet associated \n\t\t with the ACL, we process the entries in the ACL according to the rule numbers, in ascending order. Each network ACL has a set of \n\t\t ingress rules and a separate set of egress rules.
\nWe recommend that you leave room between the rule numbers (for example, 100, 110, 120, ...), and not number them one right after the \n\t\t other (for example, 101, 102, 103, ...). This makes it easier to add a rule between existing ones without having to renumber the rules.
\nAfter you add an entry, you can't modify it; you must either replace it, or create an entry and delete the old one.
\nFor more information about network ACLs, see Network ACLs \n in the Amazon VPC User Guide.
", + "smithy.api#examples": [ + { + "title": "To create a network ACL entry", + "documentation": "This example creates an entry for the specified network ACL. The rule allows ingress traffic from anywhere (0.0.0.0/0) on UDP port 53 (DNS) into any associated subnet.", + "input": { + "NetworkAclId": "acl-5fb85d36", + "RuleNumber": 100, + "Protocol": "17", + "RuleAction": "allow", + "Egress": false, + "CidrBlock": "0.0.0.0/0", + "PortRange": { + "From": 53, + "To": 53 + } + } + } + ] } }, "com.amazonaws.ec2#CreateNetworkAclEntryRequest": { @@ -16746,6 +17231,14 @@ "smithy.api#documentation": "Unique, case-sensitive identifier that you provide to ensure the idempotency of the request. For more information, see Ensuring Idempotency.
", "smithy.api#idempotencyToken": {} } + }, + "EnablePrimaryIpv6": { + "target": "com.amazonaws.ec2#Boolean", + "traits": { + "smithy.api#clientOptional": {}, + "smithy.api#default": false, + "smithy.api#documentation": "If you’re creating a network interface in a dual-stack or IPv6-only subnet, you have\n the option to assign a primary IPv6 IP address. A primary IPv6 address is an IPv6 GUA\n address associated with an ENI that you have enabled to use a primary IPv6 address. Use this option if the instance that\n this ENI will be attached to relies on its IPv6 address not changing. Amazon Web Services\n will automatically assign an IPv6 address associated with the ENI attached to your\n instance to be the primary IPv6 address. Once you enable an IPv6 GUA address to be a\n primary IPv6, you cannot disable it. When you enable an IPv6 GUA address to be a primary\n IPv6, the first IPv6 GUA will be made the primary IPv6 address until the instance is\n terminated or the network interface is detached. If you have multiple IPv6 addresses\n associated with an ENI attached to your instance and you enable a primary IPv6 address,\n the first IPv6 GUA address associated with the ENI becomes the primary IPv6\n address.
" + } } }, "traits": { @@ -16785,7 +17278,18 @@ "target": "com.amazonaws.ec2#CreatePlacementGroupResult" }, "traits": { - "smithy.api#documentation": "Creates a placement group in which to launch instances. The strategy of the placement\n group determines how the instances are organized within the group.
\nA cluster
placement group is a logical grouping of instances within a\n single Availability Zone that benefit from low network latency, high network throughput.\n A spread
placement group places instances on distinct hardware. A\n partition
placement group places groups of instances in different\n partitions, where instances in one partition do not share the same hardware with\n instances in another partition.
For more information, see Placement groups in the\n Amazon EC2 User Guide.
" + "smithy.api#documentation": "Creates a placement group in which to launch instances. The strategy of the placement\n group determines how the instances are organized within the group.
\nA cluster
placement group is a logical grouping of instances within a\n single Availability Zone that benefit from low network latency, high network throughput.\n A spread
placement group places instances on distinct hardware. A\n partition
placement group places groups of instances in different\n partitions, where instances in one partition do not share the same hardware with\n instances in another partition.
For more information, see Placement groups in the\n Amazon EC2 User Guide.
", + "smithy.api#examples": [ + { + "title": "To create a placement group", + "documentation": "This example creates a placement group with the specified name.", + "input": { + "GroupName": "my-cluster", + "Strategy": "cluster" + }, + "output": {} + } + ] } }, "com.amazonaws.ec2#CreatePlacementGroupRequest": { @@ -17157,7 +17661,18 @@ "target": "com.amazonaws.ec2#CreateRouteResult" }, "traits": { - "smithy.api#documentation": "Creates a route in a route table within a VPC.
\nYou must specify either a destination CIDR block or a prefix list ID. You must also specify \n exactly one of the resources from the parameter list.
\nWhen determining how to route traffic, we use the route with the most specific match.\n For example, traffic is destined for the IPv4 address 192.0.2.3
, and the\n route table includes the following two IPv4 routes:
\n 192.0.2.0/24
(goes to some target A)
\n 192.0.2.0/28
(goes to some target B)
Both routes apply to the traffic destined for 192.0.2.3
. However, the second route\n\t\t\t\tin the list covers a smaller number of IP addresses and is therefore more specific,\n\t\t\t\tso we use that route to determine where to target the traffic.
For more information about route tables, see Route tables in the\n Amazon Virtual Private Cloud User Guide.
" + "smithy.api#documentation": "Creates a route in a route table within a VPC.
\nYou must specify either a destination CIDR block or a prefix list ID. You must also specify \n exactly one of the resources from the parameter list.
\nWhen determining how to route traffic, we use the route with the most specific match.\n For example, traffic is destined for the IPv4 address 192.0.2.3
, and the\n route table includes the following two IPv4 routes:
\n 192.0.2.0/24
(goes to some target A)
\n 192.0.2.0/28
(goes to some target B)
Both routes apply to the traffic destined for 192.0.2.3
. However, the second route\n\t\t\t\tin the list covers a smaller number of IP addresses and is therefore more specific,\n\t\t\t\tso we use that route to determine where to target the traffic.
For more information about route tables, see Route tables in the\n Amazon VPC User Guide.
", + "smithy.api#examples": [ + { + "title": "To create a route", + "documentation": "This example creates a route for the specified route table. The route matches all traffic (0.0.0.0/0) and routes it to the specified Internet gateway.", + "input": { + "RouteTableId": "rtb-22574640", + "DestinationCidrBlock": "0.0.0.0/0", + "GatewayId": "igw-c0a643a9" + } + } + ] } }, "com.amazonaws.ec2#CreateRouteRequest": { @@ -17315,7 +17830,32 @@ "target": "com.amazonaws.ec2#CreateRouteTableResult" }, "traits": { - "smithy.api#documentation": "Creates a route table for the specified VPC. After you create a route table, you can add routes and associate the table with a subnet.
\nFor more information, see Route tables in the\n\t\t\t\tAmazon Virtual Private Cloud User Guide.
" + "smithy.api#documentation": "Creates a route table for the specified VPC. After you create a route table, you can add routes and associate the table with a subnet.
\nFor more information, see Route tables in the\n\t\t\t\tAmazon VPC User Guide.
", + "smithy.api#examples": [ + { + "title": "To create a route table", + "documentation": "This example creates a route table for the specified VPC.", + "input": { + "VpcId": "vpc-a01106c2" + }, + "output": { + "RouteTable": { + "Associations": [], + "RouteTableId": "rtb-22574640", + "VpcId": "vpc-a01106c2", + "PropagatingVgws": [], + "Tags": [], + "Routes": [ + { + "GatewayId": "local", + "DestinationCidrBlock": "10.0.0.0/16", + "State": "active" + } + ] + } + } + } + ] } }, "com.amazonaws.ec2#CreateRouteTableRequest": { @@ -17378,7 +17918,21 @@ "target": "com.amazonaws.ec2#CreateSecurityGroupResult" }, "traits": { - "smithy.api#documentation": "Creates a security group.
\nA security group acts as a virtual firewall for your instance to control inbound and outbound traffic.\n For more information, see\n\t\t\t\tAmazon EC2 security groups in \n\t\t\t\tthe Amazon Elastic Compute Cloud User Guide and \n\t\t\t\tSecurity groups for your VPC in the\n\t\t\t\tAmazon Virtual Private Cloud User Guide.
\nWhen you create a security group, you specify a friendly name of your choice. You can have a security group for use in EC2-Classic with the same name as a security group for use in a VPC. However, you can't have two security groups for use in EC2-Classic with the same name or two security groups for use in a VPC with the same name.
\nYou have a default security group for use in EC2-Classic and a default security group for use in your VPC. If you don't specify a security group when you launch an instance, the instance is launched into the appropriate default security group. A default security group includes a default rule that grants instances unrestricted network access to each other.
\nYou can add or remove rules from your security groups using \n\t\t\t\t\tAuthorizeSecurityGroupIngress,\n\t\t\t\t\tAuthorizeSecurityGroupEgress,\n\t\t\t\t\tRevokeSecurityGroupIngress, and\n\t\t\t\t\tRevokeSecurityGroupEgress.
\nFor more information about VPC security group limits, see Amazon VPC Limits.
\nWe are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nCreates a security group.
\nA security group acts as a virtual firewall for your instance to control inbound and outbound traffic.\n For more information, see\n\t\t\t\tAmazon EC2 security groups in \n\t\t\t\tthe Amazon Elastic Compute Cloud User Guide and \n\t\t\t\tSecurity groups for your VPC in the\n\t\t\t\tAmazon Virtual Private Cloud User Guide.
\nWhen you create a security group, you specify a friendly name of your choice. \n You can't have two security groups for the same VPC with the same name.
\nYou have a default security group for use in your VPC. If you don't specify a security group \n when you launch an instance, the instance is launched into the appropriate default security group. \n A default security group includes a default rule that grants instances unrestricted network access \n to each other.
\nYou can add or remove rules from your security groups using \n\t\t\t\t\tAuthorizeSecurityGroupIngress,\n\t\t\t\t\tAuthorizeSecurityGroupEgress,\n\t\t\t\t\tRevokeSecurityGroupIngress, and\n\t\t\t\t\tRevokeSecurityGroupEgress.
\nFor more information about VPC security group limits, see Amazon VPC Limits.
", + "smithy.api#examples": [ + { + "title": "To create a security group for a VPC", + "documentation": "This example creates a security group for the specified VPC.", + "input": { + "Description": "My security group", + "GroupName": "my-security-group", + "VpcId": "vpc-1a2b3c4d" + }, + "output": { + "GroupId": "sg-903004f8" + } + } + ] } }, "com.amazonaws.ec2#CreateSecurityGroupRequest": { @@ -17388,7 +17942,7 @@ "target": "com.amazonaws.ec2#String", "traits": { "smithy.api#clientOptional": {}, - "smithy.api#documentation": "A description for the security group.
\nConstraints: Up to 255 characters in length
\nConstraints for EC2-Classic: ASCII characters
\nConstraints for EC2-VPC: a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*
", + "smithy.api#documentation": "A description for the security group.
\nConstraints: Up to 255 characters in length
\nValid characters: a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*
", "smithy.api#required": {}, "smithy.api#xmlName": "GroupDescription" } @@ -17397,14 +17951,14 @@ "target": "com.amazonaws.ec2#String", "traits": { "smithy.api#clientOptional": {}, - "smithy.api#documentation": "The name of the security group.
\nConstraints: Up to 255 characters in length. Cannot start with\n sg-
.
Constraints for EC2-Classic: ASCII characters
\nConstraints for EC2-VPC: a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*
", + "smithy.api#documentation": "The name of the security group.
\nConstraints: Up to 255 characters in length. Cannot start with sg-
.
Valid characters: a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*
", "smithy.api#required": {} } }, "VpcId": { "target": "com.amazonaws.ec2#VpcId", "traits": { - "smithy.api#documentation": "[EC2-VPC] The ID of the VPC. Required for EC2-VPC.
" + "smithy.api#documentation": "The ID of the VPC. Required for a nondefault VPC.
" } }, "TagSpecifications": { @@ -17462,7 +18016,27 @@ "target": "com.amazonaws.ec2#Snapshot" }, "traits": { - "smithy.api#documentation": "Creates a snapshot of an EBS volume and stores it in Amazon S3. You can use snapshots for\n \tbackups, to make copies of EBS volumes, and to save data before shutting down an\n \tinstance.
\nYou can create snapshots of volumes in a Region and volumes on an Outpost. If you \n \tcreate a snapshot of a volume in a Region, the snapshot must be stored in the same \n \tRegion as the volume. If you create a snapshot of a volume on an Outpost, the snapshot \n \tcan be stored on the same Outpost as the volume, or in the Region for that Outpost.
\nWhen a snapshot is created, any Amazon Web Services Marketplace product codes that are associated with the\n source volume are propagated to the snapshot.
\nYou can take a snapshot of an attached volume that is in use. However, snapshots only\n capture data that has been written to your Amazon EBS volume at the time the snapshot command is\n issued; this might exclude any data that has been cached by any applications or the operating\n system. If you can pause any file systems on the volume long enough to take a snapshot, your\n snapshot should be complete. However, if you cannot pause all file writes to the volume, you\n should unmount the volume from within the instance, issue the snapshot command, and then\n remount the volume to ensure a consistent and complete snapshot. You may remount and use your\n volume while the snapshot status is pending
.
When you create a snapshot for an EBS volume that serves as a root device, we recommend \n that you stop the instance before taking the snapshot.
\nSnapshots that are taken from encrypted volumes are automatically encrypted. Volumes that\n are created from encrypted snapshots are also automatically encrypted. Your encrypted volumes\n and any associated snapshots always remain protected.
\nYou can tag your snapshots during creation. For more information, see Tag your Amazon EC2\n resources in the Amazon Elastic Compute Cloud User Guide.
\nFor more information, see Amazon Elastic Block Store and Amazon EBS encryption in the Amazon Elastic Compute Cloud User Guide.
" + "smithy.api#documentation": "Creates a snapshot of an EBS volume and stores it in Amazon S3. You can use snapshots for\n \tbackups, to make copies of EBS volumes, and to save data before shutting down an\n \tinstance.
\nYou can create snapshots of volumes in a Region and volumes on an Outpost. If you \n \tcreate a snapshot of a volume in a Region, the snapshot must be stored in the same \n \tRegion as the volume. If you create a snapshot of a volume on an Outpost, the snapshot \n \tcan be stored on the same Outpost as the volume, or in the Region for that Outpost.
\nWhen a snapshot is created, any Amazon Web Services Marketplace product codes that are associated with the\n source volume are propagated to the snapshot.
\nYou can take a snapshot of an attached volume that is in use. However, snapshots only\n capture data that has been written to your Amazon EBS volume at the time the snapshot command is\n issued; this might exclude any data that has been cached by any applications or the operating\n system. If you can pause any file systems on the volume long enough to take a snapshot, your\n snapshot should be complete. However, if you cannot pause all file writes to the volume, you\n should unmount the volume from within the instance, issue the snapshot command, and then\n remount the volume to ensure a consistent and complete snapshot. You may remount and use your\n volume while the snapshot status is pending
.
When you create a snapshot for an EBS volume that serves as a root device, we recommend \n that you stop the instance before taking the snapshot.
\nSnapshots that are taken from encrypted volumes are automatically encrypted. Volumes that\n are created from encrypted snapshots are also automatically encrypted. Your encrypted volumes\n and any associated snapshots always remain protected.
\nYou can tag your snapshots during creation. For more information, see Tag your Amazon EC2\n resources in the Amazon Elastic Compute Cloud User Guide.
\nFor more information, see Amazon Elastic Block Store and Amazon EBS encryption in the Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#examples": [ + { + "title": "To create a snapshot", + "documentation": "This example creates a snapshot of the volume with a volume ID of ``vol-1234567890abcdef0`` and a short description to identify the snapshot.", + "input": { + "VolumeId": "vol-1234567890abcdef0", + "Description": "This is my root volume snapshot." + }, + "output": { + "Description": "This is my root volume snapshot.", + "Tags": [], + "VolumeId": "vol-1234567890abcdef0", + "State": "pending", + "VolumeSize": 8, + "StartTime": "2014-02-28T21:06:01.000Z", + "OwnerId": "012345678910", + "SnapshotId": "snap-066877671789bd71b" + } + } + ] } }, "com.amazonaws.ec2#CreateSnapshotRequest": { @@ -17596,7 +18170,25 @@ "target": "com.amazonaws.ec2#CreateSpotDatafeedSubscriptionResult" }, "traits": { - "smithy.api#documentation": "Creates a data feed for Spot Instances, enabling you to view Spot Instance usage logs.\n You can create one data feed per Amazon Web Services account. For more information, see\n Spot Instance data feed \n in the Amazon EC2 User Guide for Linux Instances.
" + "smithy.api#documentation": "Creates a data feed for Spot Instances, enabling you to view Spot Instance usage logs.\n You can create one data feed per Amazon Web Services account. For more information, see\n Spot Instance data feed \n in the Amazon EC2 User Guide for Linux Instances.
", + "smithy.api#examples": [ + { + "title": "To create a Spot Instance datafeed", + "documentation": "This example creates a Spot Instance data feed for your AWS account.", + "input": { + "Bucket": "my-s3-bucket", + "Prefix": "spotdata" + }, + "output": { + "SpotDatafeedSubscription": { + "OwnerId": "123456789012", + "Prefix": "spotdata", + "Bucket": "my-s3-bucket", + "State": "Active" + } + } + } + ] } }, "com.amazonaws.ec2#CreateSpotDatafeedSubscriptionRequest": { @@ -17729,7 +18321,27 @@ "target": "com.amazonaws.ec2#CreateSubnetResult" }, "traits": { - "smithy.api#documentation": "Creates a subnet in the specified VPC. For an IPv4 only subnet, specify an IPv4 CIDR block.\n If the VPC has an IPv6 CIDR block, you can create an IPv6 only subnet or a dual stack subnet instead.\n For an IPv6 only subnet, specify an IPv6 CIDR block. For a dual stack subnet, specify both\n an IPv4 CIDR block and an IPv6 CIDR block.
\nA subnet CIDR block must not overlap the CIDR block of an existing subnet in the VPC.\n After you create a subnet, you can't change its CIDR block.
\nThe allowed size for an IPv4 subnet is between a /28 netmask (16 IP addresses) and \n a /16 netmask (65,536 IP addresses). Amazon Web Services reserves both the first four and \n the last IPv4 address in each subnet's CIDR block. They're not available for your use.
\nIf you've associated an IPv6 CIDR block with your VPC, you can associate an IPv6 CIDR block \n with a subnet when you create it. The allowed block size for an IPv6 subnet is a /64 netmask.
\nIf you add more than one subnet to a VPC, they're set up in a star topology with a\n logical router in the middle.
\nWhen you stop an instance in a subnet, it retains its private IPv4 address. It's\n therefore possible to have a subnet with no running instances (they're all stopped), but\n no remaining IP addresses available.
\nFor more information, see Subnets in the Amazon Virtual Private Cloud User Guide.
" + "smithy.api#documentation": "Creates a subnet in the specified VPC. For an IPv4 only subnet, specify an IPv4 CIDR block.\n If the VPC has an IPv6 CIDR block, you can create an IPv6 only subnet or a dual stack subnet instead.\n For an IPv6 only subnet, specify an IPv6 CIDR block. For a dual stack subnet, specify both\n an IPv4 CIDR block and an IPv6 CIDR block.
\nA subnet CIDR block must not overlap the CIDR block of an existing subnet in the VPC.\n After you create a subnet, you can't change its CIDR block.
\nThe allowed size for an IPv4 subnet is between a /28 netmask (16 IP addresses) and \n a /16 netmask (65,536 IP addresses). Amazon Web Services reserves both the first four and \n the last IPv4 address in each subnet's CIDR block. They're not available for your use.
\nIf you've associated an IPv6 CIDR block with your VPC, you can associate an IPv6 CIDR block \n with a subnet when you create it. The allowed block size for an IPv6 subnet is a /64 netmask.
\nIf you add more than one subnet to a VPC, they're set up in a star topology with a\n logical router in the middle.
\nWhen you stop an instance in a subnet, it retains its private IPv4 address. It's\n therefore possible to have a subnet with no running instances (they're all stopped), but\n no remaining IP addresses available.
\nFor more information, see Subnets in the Amazon VPC User Guide.
", + "smithy.api#examples": [ + { + "title": "To create a subnet", + "documentation": "This example creates a subnet in the specified VPC with the specified CIDR block. We recommend that you let us select an Availability Zone for you.", + "input": { + "VpcId": "vpc-a01106c2", + "CidrBlock": "10.0.1.0/24" + }, + "output": { + "Subnet": { + "VpcId": "vpc-a01106c2", + "CidrBlock": "10.0.1.0/24", + "State": "pending", + "AvailabilityZone": "us-west-2c", + "SubnetId": "subnet-9d4a7b6c", + "AvailableIpAddressCount": 251 + } + } + } + ] } }, "com.amazonaws.ec2#CreateSubnetCidrReservation": { @@ -17741,7 +18353,7 @@ "target": "com.amazonaws.ec2#CreateSubnetCidrReservationResult" }, "traits": { - "smithy.api#documentation": "Creates a subnet CIDR reservation. For information about subnet CIDR reservations, see Subnet CIDR reservations in the Amazon Virtual Private Cloud User Guide.
" + "smithy.api#documentation": "Creates a subnet CIDR reservation. For more information, see Subnet CIDR reservations \n in the Amazon Virtual Private Cloud User Guide and Assign prefixes \n to network interfaces in the Amazon Elastic Compute Cloud User Guide.
" } }, "com.amazonaws.ec2#CreateSubnetCidrReservationRequest": { @@ -17767,14 +18379,14 @@ "target": "com.amazonaws.ec2#SubnetCidrReservationType", "traits": { "smithy.api#clientOptional": {}, - "smithy.api#documentation": "The type of reservation.
\nThe following are valid values:
\n\n prefix
: The Amazon EC2\n Prefix\n Delegation feature assigns the IP addresses to network interfaces that are\n associated with an instance. For information about Prefix\n Delegation,\n see Prefix Delegation\n for Amazon EC2 network interfaces in the\n Amazon Elastic Compute Cloud User Guide.
\n explicit
: You manually assign the IP addresses to resources that\n reside in your subnet.
The type of reservation. The reservation type determines how the reserved IP addresses are \n assigned to resources.
\n\n prefix
- Amazon Web Services assigns the reserved IP addresses to \n network interfaces.
\n explicit
- You assign the reserved IP addresses to network interfaces.
The\n description\n to assign to the subnet CIDR reservation.
" + "smithy.api#documentation": "The description to assign to the subnet CIDR reservation.
" } }, "DryRun": { @@ -17826,7 +18438,7 @@ "AvailabilityZone": { "target": "com.amazonaws.ec2#String", "traits": { - "smithy.api#documentation": "The Availability Zone or Local Zone for the subnet.
\nDefault: Amazon Web Services selects one for you. If you create more than one subnet in your VPC, we \n do not necessarily select a different zone for each subnet.
\nTo create a subnet in a Local Zone, set this value to the Local Zone ID, for example\n us-west-2-lax-1a
. For information about the Regions that support Local Zones, \n see Available Regions in the Amazon Elastic Compute Cloud User Guide.
To create a subnet in an Outpost, set this value to the Availability Zone for the\n Outpost and specify the Outpost ARN.
" + "smithy.api#documentation": "The Availability Zone or Local Zone for the subnet.
\nDefault: Amazon Web Services selects one for you. If you create more than one subnet in your VPC, we \n do not necessarily select a different zone for each subnet.
\nTo create a subnet in a Local Zone, set this value to the Local Zone ID, for example\n us-west-2-lax-1a
. For information about the Regions that support Local Zones, \n see Local Zones locations.
To create a subnet in an Outpost, set this value to the Availability Zone for the\n Outpost and specify the Outpost ARN.
" } }, "AvailabilityZoneId": { @@ -17909,7 +18521,24 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Adds or overwrites only the specified tags for the specified Amazon EC2 resource or\n resources. When you specify an existing tag key, the value is overwritten with\n the new value. Each resource can have a maximum of 50 tags. Each tag consists of a key and\n optional value. Tag keys must be unique per resource.
\nFor more information about tags, see Tag your Amazon EC2 resources in the\n Amazon Elastic Compute Cloud User Guide. For more information about\n creating IAM policies that control users' access to resources based on tags, see Supported\n resource-level permissions for Amazon EC2 API actions in the Amazon\n Elastic Compute Cloud User Guide.
" + "smithy.api#documentation": "Adds or overwrites only the specified tags for the specified Amazon EC2 resource or\n resources. When you specify an existing tag key, the value is overwritten with\n the new value. Each resource can have a maximum of 50 tags. Each tag consists of a key and\n optional value. Tag keys must be unique per resource.
\nFor more information about tags, see Tag your Amazon EC2 resources in the\n Amazon Elastic Compute Cloud User Guide. For more information about\n creating IAM policies that control users' access to resources based on tags, see Supported\n resource-level permissions for Amazon EC2 API actions in the Amazon\n Elastic Compute Cloud User Guide.
", + "smithy.api#examples": [ + { + "title": "To add a tag to a resource", + "documentation": "This example adds the tag Stack=production to the specified image, or overwrites an existing tag for the AMI where the tag key is Stack.", + "input": { + "Resources": [ + "ami-78a54011" + ], + "Tags": [ + { + "Key": "Stack", + "Value": "production" + } + ] + } + } + ] } }, "com.amazonaws.ec2#CreateTagsRequest": { @@ -18198,7 +18827,7 @@ "traits": { "smithy.api#clientOptional": {}, "smithy.api#default": 0, - "smithy.api#documentation": "The number of bytes in each packet to mirror. These are bytes after the VXLAN header. Do\n not specify this parameter when you want to mirror the entire packet. To mirror a subset of\n the packet, set this to the length (in bytes) that you want to mirror. For example, if you\n set this value to 100, then the first 100 bytes that meet the filter criteria are copied to\n the target.
\nIf you do not want to mirror the entire packet, use the PacketLength
parameter to specify the number of bytes in each packet to mirror.
The number of bytes in each packet to mirror. These are bytes after the VXLAN header. Do\n not specify this parameter when you want to mirror the entire packet. To mirror a subset of\n the packet, set this to the length (in bytes) that you want to mirror. For example, if you\n set this value to 100, then the first 100 bytes that meet the filter criteria are copied to\n the target.
\nIf you do not want to mirror the entire packet, use the PacketLength
parameter to specify the number of bytes in each packet to mirror.
For sessions with Network Load Balancer (NLB) Traffic Mirror targets the default PacketLength
will be set to 8500. Valid values are 1-8500. Setting a PacketLength
greater than 8500 will result in an error response.
Creates an EBS volume that can be attached to an instance in the same Availability Zone.
\nYou can create a new empty volume or restore a volume from an EBS snapshot.\n Any Amazon Web Services Marketplace product codes from the snapshot are propagated to the volume.
\nYou can create encrypted volumes. Encrypted volumes must be attached to instances that \n support Amazon EBS encryption. Volumes that are created from encrypted snapshots are also automatically \n encrypted. For more information, see Amazon EBS encryption\n in the Amazon Elastic Compute Cloud User Guide.
\nYou can tag your volumes during creation. For more information, see Tag your Amazon EC2\n resources in the Amazon Elastic Compute Cloud User Guide.
\nFor more information, see Create an Amazon EBS volume in the\n Amazon Elastic Compute Cloud User Guide.
" + "smithy.api#documentation": "Creates an EBS volume that can be attached to an instance in the same Availability Zone.
\nYou can create a new empty volume or restore a volume from an EBS snapshot.\n Any Amazon Web Services Marketplace product codes from the snapshot are propagated to the volume.
\nYou can create encrypted volumes. Encrypted volumes must be attached to instances that \n support Amazon EBS encryption. Volumes that are created from encrypted snapshots are also automatically \n encrypted. For more information, see Amazon EBS encryption\n in the Amazon Elastic Compute Cloud User Guide.
\nYou can tag your volumes during creation. For more information, see Tag your Amazon EC2\n resources in the Amazon Elastic Compute Cloud User Guide.
\nFor more information, see Create an Amazon EBS volume in the\n Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#examples": [ + { + "title": "To create a new volume", + "documentation": "This example creates an 80 GiB General Purpose (SSD) volume in the Availability Zone ``us-east-1a``.", + "input": { + "AvailabilityZone": "us-east-1a", + "Size": 80, + "VolumeType": "gp2" + }, + "output": { + "AvailabilityZone": "us-east-1a", + "Encrypted": false, + "VolumeType": "gp2", + "VolumeId": "vol-6b60b7c7", + "State": "creating", + "Iops": 240, + "SnapshotId": "", + "CreateTime": "2016-08-29T18:52:32.724Z", + "Size": 80 + } + } + ] } }, "com.amazonaws.ec2#CreateVolumePermission": { @@ -19820,7 +20471,7 @@ "target": "com.amazonaws.ec2#AvailabilityZoneName", "traits": { "smithy.api#clientOptional": {}, - "smithy.api#documentation": "The Availability Zone in which to create the volume.
", + "smithy.api#documentation": "The ID of the Availability Zone in which to create the volume. For example, us-east-1a
.
Creates a VPC with the specified CIDR blocks. For more information, see\n\t VPC CIDR blocks in the Amazon Virtual Private Cloud User Guide.
\nYou can optionally request an IPv6 CIDR block for the VPC. You can request an Amazon-provided \n IPv6 CIDR block from Amazon's pool of IPv6 addresses, or an IPv6 CIDR block from an IPv6 address \n pool that you provisioned through bring your own IP addresses (BYOIP).
\nBy default, each instance that you launch in the VPC has the default DHCP options, which\n\t\t\tinclude only a default DNS server that we provide (AmazonProvidedDNS). For more\n\t\t\tinformation, see DHCP option sets in the Amazon Virtual Private Cloud User Guide.
\nYou can specify the instance tenancy value for the VPC when you create it. You can't change\n this value for the VPC after you create it. For more information, see Dedicated Instances in the\n Amazon Elastic Compute Cloud User Guide.
" + "smithy.api#documentation": "Creates a VPC with the specified CIDR blocks. For more information, see IP addressing for your VPCs and subnets in the \n Amazon VPC User Guide.
\nYou can optionally request an IPv6 CIDR block for the VPC. You can request an Amazon-provided \n IPv6 CIDR block from Amazon's pool of IPv6 addresses, or an IPv6 CIDR block from an IPv6 address \n pool that you provisioned through bring your own IP addresses (BYOIP).
\nBy default, each instance that you launch in the VPC has the default DHCP options, which\n\t\t\tinclude only a default DNS server that we provide (AmazonProvidedDNS). For more\n\t\t\tinformation, see DHCP option sets in the Amazon VPC User Guide.
\nYou can specify the instance tenancy value for the VPC when you create it. You can't change\n this value for the VPC after you create it. For more information, see Dedicated Instances in the\n Amazon EC2 User Guide.
", + "smithy.api#examples": [ + { + "title": "To create a VPC", + "documentation": "This example creates a VPC with the specified CIDR block.", + "input": { + "CidrBlock": "10.0.0.0/16" + }, + "output": { + "Vpc": { + "InstanceTenancy": "default", + "State": "pending", + "VpcId": "vpc-a01106c2", + "CidrBlock": "10.0.0.0/16", + "DhcpOptionsId": "dopt-7a8b9c2d" + } + } + } + ] } }, "com.amazonaws.ec2#CreateVpcEndpoint": { @@ -19940,7 +20609,7 @@ "target": "com.amazonaws.ec2#CreateVpcEndpointResult" }, "traits": { - "smithy.api#documentation": "Creates a VPC endpoint for a specified service. An endpoint enables you to create a\n private connection between your VPC and the service. The service may be provided by Amazon Web Services,\n an Amazon Web Services Marketplace Partner, or another Amazon Web Services account. For more information, \n see the Amazon Web Services PrivateLink Guide.
" + "smithy.api#documentation": "Creates a VPC endpoint. A VPC endpoint provides a private connection between the\n specified VPC and the specified endpoint service. You can use an endpoint service\n provided by Amazon Web Services, an Amazon Web Services Marketplace Partner, or another\n Amazon Web Services account. For more information, see the Amazon Web Services PrivateLink User Guide.
" } }, "com.amazonaws.ec2#CreateVpcEndpointConnectionNotification": { @@ -20050,7 +20719,7 @@ "target": "com.amazonaws.ec2#VpcId", "traits": { "smithy.api#clientOptional": {}, - "smithy.api#documentation": "The ID of the VPC for the endpoint.
", + "smithy.api#documentation": "The ID of the VPC.
", "smithy.api#required": {} } }, @@ -20058,7 +20727,7 @@ "target": "com.amazonaws.ec2#String", "traits": { "smithy.api#clientOptional": {}, - "smithy.api#documentation": "The service name.
", + "smithy.api#documentation": "The name of the endpoint service.
", "smithy.api#required": {} } }, @@ -20078,14 +20747,14 @@ "SubnetIds": { "target": "com.amazonaws.ec2#VpcEndpointSubnetIdList", "traits": { - "smithy.api#documentation": "(Interface and Gateway Load Balancer endpoints) The IDs of the subnets in which to create an endpoint\n network interface. For a Gateway Load Balancer endpoint, you can specify only one subnet.
", + "smithy.api#documentation": "(Interface and Gateway Load Balancer endpoints) The IDs of the subnets in which to create endpoint\n network interfaces. For a Gateway Load Balancer endpoint, you can specify only one subnet.
", "smithy.api#xmlName": "SubnetId" } }, "SecurityGroupIds": { "target": "com.amazonaws.ec2#VpcEndpointSecurityGroupIdList", "traits": { - "smithy.api#documentation": "(Interface endpoint) The IDs of the security groups to associate with the\n endpoint network interface. If this parameter is not specified, we use the default \n security group for the VPC.
", + "smithy.api#documentation": "(Interface endpoint) The IDs of the security groups to associate with the\n endpoint network interfaces. If this parameter is not specified, we use the default \n security group for the VPC.
", "smithy.api#xmlName": "SecurityGroupId" } }, @@ -20121,6 +20790,13 @@ "smithy.api#documentation": "The tags to associate with the endpoint.
", "smithy.api#xmlName": "TagSpecification" } + }, + "SubnetConfigurations": { + "target": "com.amazonaws.ec2#SubnetConfigurationsList", + "traits": { + "smithy.api#documentation": "The subnet configurations for the endpoint.
", + "smithy.api#xmlName": "SubnetConfiguration" + } } }, "traits": { @@ -21311,7 +21987,16 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Deletes the specified customer gateway. You must delete the VPN connection before you\n can delete the customer gateway.
" + "smithy.api#documentation": "Deletes the specified customer gateway. You must delete the VPN connection before you\n can delete the customer gateway.
", + "smithy.api#examples": [ + { + "title": "To delete a customer gateway", + "documentation": "This example deletes the specified customer gateway.", + "input": { + "CustomerGatewayId": "cgw-0e11f167" + } + } + ] } }, "com.amazonaws.ec2#DeleteCustomerGatewayRequest": { @@ -21350,7 +22035,16 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Deletes the specified set of DHCP options. You must disassociate the set of DHCP options before you can delete it. You can disassociate the set of DHCP options by associating either a new set of options or the default set of options with the VPC.
" + "smithy.api#documentation": "Deletes the specified set of DHCP options. You must disassociate the set of DHCP options before you can delete it. You can disassociate the set of DHCP options by associating either a new set of options or the default set of options with the VPC.
", + "smithy.api#examples": [ + { + "title": "To delete a DHCP options set", + "documentation": "This example deletes the specified DHCP options set.", + "input": { + "DhcpOptionsId": "dopt-d9070ebb" + } + } + ] } }, "com.amazonaws.ec2#DeleteDhcpOptionsRequest": { @@ -21859,7 +22553,16 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Deletes the specified internet gateway. You must detach the internet gateway from the\n\t\t\tVPC before you can delete it.
" + "smithy.api#documentation": "Deletes the specified internet gateway. You must detach the internet gateway from the\n\t\t\tVPC before you can delete it.
", + "smithy.api#examples": [ + { + "title": "To delete an Internet gateway", + "documentation": "This example deletes the specified Internet gateway.", + "input": { + "InternetGatewayId": "igw-c0a643a9" + } + } + ] } }, "com.amazonaws.ec2#DeleteInternetGatewayRequest": { @@ -22112,10 +22815,19 @@ "target": "com.amazonaws.ec2#DeleteKeyPairRequest" }, "output": { - "target": "smithy.api#Unit" + "target": "com.amazonaws.ec2#DeleteKeyPairResult" }, "traits": { - "smithy.api#documentation": "Deletes the specified key pair, by removing the public key from Amazon EC2.
" + "smithy.api#documentation": "Deletes the specified key pair, by removing the public key from Amazon EC2.
", + "smithy.api#examples": [ + { + "title": "To delete a key pair", + "documentation": "This example deletes the specified key pair.", + "input": { + "KeyName": "my-key-pair" + } + } + ] } }, "com.amazonaws.ec2#DeleteKeyPairRequest": { @@ -22148,6 +22860,32 @@ "smithy.api#input": {} } }, + "com.amazonaws.ec2#DeleteKeyPairResult": { + "type": "structure", + "members": { + "Return": { + "target": "com.amazonaws.ec2#Boolean", + "traits": { + "aws.protocols#ec2QueryName": "Return", + "smithy.api#clientOptional": {}, + "smithy.api#default": false, + "smithy.api#documentation": "Is true
if the request succeeds, and an error otherwise.
The ID of the key pair.
", + "smithy.api#xmlName": "keyPairId" + } + } + }, + "traits": { + "smithy.api#output": {} + } + }, "com.amazonaws.ec2#DeleteLaunchTemplate": { "type": "operation", "input": { @@ -22157,7 +22895,26 @@ "target": "com.amazonaws.ec2#DeleteLaunchTemplateResult" }, "traits": { - "smithy.api#documentation": "Deletes a launch template. Deleting a launch template deletes all of its\n versions.
" + "smithy.api#documentation": "Deletes a launch template. Deleting a launch template deletes all of its\n versions.
", + "smithy.api#examples": [ + { + "title": "To delete a launch template", + "documentation": "This example deletes the specified launch template.", + "input": { + "LaunchTemplateId": "lt-0abcd290751193123" + }, + "output": { + "LaunchTemplate": { + "LatestVersionNumber": 2, + "LaunchTemplateId": "lt-0abcd290751193123", + "LaunchTemplateName": "my-template", + "DefaultVersionNumber": 2, + "CreatedBy": "arn:aws:iam::123456789012:root", + "CreateTime": "2017-11-23T16:46:25.000Z" + } + } + } + ] } }, "com.amazonaws.ec2#DeleteLaunchTemplateRequest": { @@ -22213,7 +22970,29 @@ "target": "com.amazonaws.ec2#DeleteLaunchTemplateVersionsResult" }, "traits": { - "smithy.api#documentation": "Deletes one or more versions of a launch template. You cannot delete the default\n version of a launch template; you must first assign a different version as the default.\n If the default version is the only version for the launch template, you must delete the\n entire launch template using DeleteLaunchTemplate.
" + "smithy.api#documentation": "Deletes one or more versions of a launch template.
\nYou can't delete the default version of a launch template; you must first assign a\n different version as the default. If the default version is the only version for the\n launch template, you must delete the entire launch template using DeleteLaunchTemplate.
\nYou can delete up to 200 launch template versions in a single request. To delete more\n than 200 versions in a single request, use DeleteLaunchTemplate, which\n deletes the launch template and all of its versions.
\nFor more information, see Delete a launch template version in the EC2 User\n Guide.
", + "smithy.api#examples": [ + { + "title": "To delete a launch template version", + "documentation": "This example deletes the specified launch template version.", + "input": { + "LaunchTemplateId": "lt-0abcd290751193123", + "Versions": [ + "1" + ] + }, + "output": { + "SuccessfullyDeletedLaunchTemplateVersions": [ + { + "LaunchTemplateName": "my-template", + "VersionNumber": 1, + "LaunchTemplateId": "lt-0abcd290751193123" + } + ], + "UnsuccessfullyDeletedLaunchTemplateVersions": [] + } + } + ] } }, "com.amazonaws.ec2#DeleteLaunchTemplateVersionsRequest": { @@ -22243,7 +23022,7 @@ "target": "com.amazonaws.ec2#VersionStringList", "traits": { "smithy.api#clientOptional": {}, - "smithy.api#documentation": "The version numbers of one or more launch template versions to delete.
", + "smithy.api#documentation": "The version numbers of one or more launch template versions to delete. You can specify\n up to 200 launch template version numbers.
", "smithy.api#required": {}, "smithy.api#xmlName": "LaunchTemplateVersion" } @@ -22652,7 +23431,19 @@ "target": "com.amazonaws.ec2#DeleteNatGatewayResult" }, "traits": { - "smithy.api#documentation": "Deletes the specified NAT gateway. Deleting a public NAT gateway disassociates its Elastic IP address, \n but does not release the address from your account. Deleting a NAT gateway does not delete any NAT gateway \n routes in your route tables.
" + "smithy.api#documentation": "Deletes the specified NAT gateway. Deleting a public NAT gateway disassociates its Elastic IP address, \n but does not release the address from your account. Deleting a NAT gateway does not delete any NAT gateway \n routes in your route tables.
", + "smithy.api#examples": [ + { + "title": "To delete a NAT gateway", + "documentation": "This example deletes the specified NAT gateway.", + "input": { + "NatGatewayId": "nat-04ae55e711cec5680" + }, + "output": { + "NatGatewayId": "nat-04ae55e711cec5680" + } + } + ] } }, "com.amazonaws.ec2#DeleteNatGatewayRequest": { @@ -22705,7 +23496,16 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Deletes the specified network ACL. You can't delete the ACL if it's associated with any subnets. You can't delete the default network ACL.
" + "smithy.api#documentation": "Deletes the specified network ACL. You can't delete the ACL if it's associated with any subnets. You can't delete the default network ACL.
", + "smithy.api#examples": [ + { + "title": "To delete a network ACL", + "documentation": "This example deletes the specified network ACL.", + "input": { + "NetworkAclId": "acl-5fb85d36" + } + } + ] } }, "com.amazonaws.ec2#DeleteNetworkAclEntry": { @@ -22717,7 +23517,18 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Deletes the specified ingress or egress entry (rule) from the specified network ACL.
" + "smithy.api#documentation": "Deletes the specified ingress or egress entry (rule) from the specified network ACL.
", + "smithy.api#examples": [ + { + "title": "To delete a network ACL entry", + "documentation": "This example deletes ingress rule number 100 from the specified network ACL.", + "input": { + "NetworkAclId": "acl-5fb85d36", + "RuleNumber": 100, + "Egress": true + } + } + ] } }, "com.amazonaws.ec2#DeleteNetworkAclEntryRequest": { @@ -23015,7 +23826,16 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Deletes the specified network interface. You must detach the network interface before you can delete it.
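Review bot: The new `smithy.api#examples` entry for DeleteNetworkAclEntry contradicts itself: its `documentation` says it deletes ingress rule number 100, while its `input` sets `"Egress": true`, which selects the egress rule. Anyone who copies the example to tidy up an inbound rule would instead remove outbound rule 100 and change which traffic the network ACL filters. Either set `"Egress": false` in the input or reword the text to `"This example deletes egress rule number 100 from the specified network ACL."`; the hunk does not show which was intended. If this model is imported from an upstream source, as its shape suggests, the correction should be made there as well so it survives the next sync.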
" + "smithy.api#documentation": "Deletes the specified network interface. You must detach the network interface before you can delete it.
", + "smithy.api#examples": [ + { + "title": "To delete a network interface", + "documentation": "This example deletes the specified network interface.", + "input": { + "NetworkInterfaceId": "eni-e5aa89a3" + } + } + ] } }, "com.amazonaws.ec2#DeleteNetworkInterfacePermission": { @@ -23120,7 +23940,17 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Deletes the specified placement group. You must terminate all instances in the\n placement group before you can delete the placement group. For more information, see\n Placement groups in the Amazon EC2 User Guide.
" + "smithy.api#documentation": "Deletes the specified placement group. You must terminate all instances in the\n placement group before you can delete the placement group. For more information, see\n Placement groups in the Amazon EC2 User Guide.
", + "smithy.api#examples": [ + { + "title": "To delete a placement group", + "documentation": "This example deletes the specified placement group.\n", + "input": { + "GroupName": "my-cluster" + }, + "output": {} + } + ] } }, "com.amazonaws.ec2#DeletePlacementGroupRequest": { @@ -23337,7 +24167,17 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Deletes the specified route from the specified route table.
" + "smithy.api#documentation": "Deletes the specified route from the specified route table.
", + "smithy.api#examples": [ + { + "title": "To delete a route", + "documentation": "This example deletes the specified route from the specified route table.", + "input": { + "RouteTableId": "rtb-22574640", + "DestinationCidrBlock": "0.0.0.0/0" + } + } + ] } }, "com.amazonaws.ec2#DeleteRouteRequest": { @@ -23399,7 +24239,16 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Deletes the specified route table. You must disassociate the route table from any subnets before you can delete it. You can't delete the main route table.
" + "smithy.api#documentation": "Deletes the specified route table. You must disassociate the route table from any subnets before you can delete it. You can't delete the main route table.
", + "smithy.api#examples": [ + { + "title": "To delete a route table", + "documentation": "This example deletes the specified route table.", + "input": { + "RouteTableId": "rtb-22574640" + } + } + ] } }, "com.amazonaws.ec2#DeleteRouteTableRequest": { @@ -23439,7 +24288,17 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Deletes a security group.
\nIf you attempt to delete a security group that is associated with an instance, or is\n\t\t\t referenced by another security group, the operation fails with\n\t\t\t\tInvalidGroup.InUse
in EC2-Classic or\n\t\t\t\tDependencyViolation
in EC2-VPC.
We are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nDeletes a security group.
\nIf you attempt to delete a security group that is associated with an instance or network interface or is\n\t\t\t referenced by another security group, the operation fails with\n\t\t\t\tDependencyViolation
.
The ID of the security group. Required for a nondefault VPC.
" + "smithy.api#documentation": "The ID of the security group.
" } }, "GroupName": { "target": "com.amazonaws.ec2#SecurityGroupName", "traits": { - "smithy.api#documentation": "[EC2-Classic, default VPC] The name of the security group. You can specify either the\n security group name or the security group ID. For security groups in a nondefault VPC,\n you must specify the security group ID.
" + "smithy.api#documentation": "[Default VPC] The name of the security group. You can specify either the\n security group name or the security group ID. For security groups in a nondefault VPC,\n you must specify the security group ID.
" } }, "DryRun": { @@ -23481,7 +24340,17 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Deletes the specified snapshot.
\nWhen you make periodic snapshots of a volume, the snapshots are incremental, and only the\n blocks on the device that have changed since your last snapshot are saved in the new snapshot.\n When you delete a snapshot, only the data not needed for any other snapshot is removed. So\n regardless of which prior snapshots have been deleted, all active snapshots will have access\n to all the information needed to restore the volume.
\nYou cannot delete a snapshot of the root device of an EBS volume used by a registered AMI.\n You must first de-register the AMI before you can delete the snapshot.
\nFor more information, see Delete an Amazon EBS snapshot in the\n Amazon Elastic Compute Cloud User Guide.
" + "smithy.api#documentation": "Deletes the specified snapshot.
\nWhen you make periodic snapshots of a volume, the snapshots are incremental, and only the\n blocks on the device that have changed since your last snapshot are saved in the new snapshot.\n When you delete a snapshot, only the data not needed for any other snapshot is removed. So\n regardless of which prior snapshots have been deleted, all active snapshots will have access\n to all the information needed to restore the volume.
\nYou cannot delete a snapshot of the root device of an EBS volume used by a registered AMI.\n You must first de-register the AMI before you can delete the snapshot.
\nFor more information, see Delete an Amazon EBS snapshot in the\n Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#examples": [ + { + "title": "To delete a snapshot", + "documentation": "This example deletes a snapshot with the snapshot ID of ``snap-1234567890abcdef0``. If the command succeeds, no output is returned.", + "input": { + "SnapshotId": "snap-1234567890abcdef0" + }, + "output": {} + } + ] } }, "com.amazonaws.ec2#DeleteSnapshotRequest": { @@ -23519,7 +24388,13 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Deletes the data feed for Spot Instances.
" + "smithy.api#documentation": "Deletes the data feed for Spot Instances.
", + "smithy.api#examples": [ + { + "title": "To cancel a Spot Instance data feed subscription", + "documentation": "This example deletes a Spot data feed subscription for the account." + } + ] } }, "com.amazonaws.ec2#DeleteSpotDatafeedSubscriptionRequest": { @@ -23550,7 +24425,16 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Deletes the specified subnet. You must terminate all running instances in the subnet before you can delete the subnet.
" + "smithy.api#documentation": "Deletes the specified subnet. You must terminate all running instances in the subnet before you can delete the subnet.
", + "smithy.api#examples": [ + { + "title": "To delete a subnet", + "documentation": "This example deletes the specified subnet.", + "input": { + "SubnetId": "subnet-9d4a7b6c" + } + } + ] } }, "com.amazonaws.ec2#DeleteSubnetCidrReservation": { @@ -23640,7 +24524,24 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Deletes the specified set of tags from the specified set of resources.
\nTo list the current tags, use DescribeTags. For more information about\n tags, see Tag\n your Amazon EC2 resources in the Amazon Elastic Compute Cloud User\n Guide.
" + "smithy.api#documentation": "Deletes the specified set of tags from the specified set of resources.
\nTo list the current tags, use DescribeTags. For more information about\n tags, see Tag\n your Amazon EC2 resources in the Amazon Elastic Compute Cloud User\n Guide.
", + "smithy.api#examples": [ + { + "title": "To delete a tag from a resource", + "documentation": "This example deletes the tag Stack=test from the specified image.", + "input": { + "Resources": [ + "ami-78a54011" + ], + "Tags": [ + { + "Key": "Stack", + "Value": "test" + } + ] + } + } + ] } }, "com.amazonaws.ec2#DeleteTagsRequest": { @@ -24720,7 +25621,17 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Deletes the specified EBS volume. The volume must be in the available
state\n (not attached to an instance).
The volume can remain in the deleting
state for several minutes.
For more information, see Delete an Amazon EBS volume in the\n Amazon Elastic Compute Cloud User Guide.
" + "smithy.api#documentation": "Deletes the specified EBS volume. The volume must be in the available
state\n (not attached to an instance).
The volume can remain in the deleting
state for several minutes.
For more information, see Delete an Amazon EBS volume in the\n Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#examples": [ + { + "title": "To delete a volume", + "documentation": "This example deletes an available volume with the volume ID of ``vol-049df61146c4d7901``. If the command succeeds, no output is returned.", + "input": { + "VolumeId": "vol-049df61146c4d7901" + }, + "output": {} + } + ] } }, "com.amazonaws.ec2#DeleteVolumeRequest": { @@ -24758,7 +25669,16 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Deletes the specified VPC. You must detach or delete all gateways and resources that are associated with the VPC before you can delete it. For example, you must terminate all instances running in the VPC, delete all security groups associated with the VPC (except the default one), delete all route tables associated with the VPC (except the default one), and so on.
" + "smithy.api#documentation": "Deletes the specified VPC. You must detach or delete all gateways and resources that are associated with the VPC before you can delete it. For example, you must terminate all instances running in the VPC, delete all security groups associated with the VPC (except the default one), delete all route tables associated with the VPC (except the default one), and so on.
", + "smithy.api#examples": [ + { + "title": "To delete a VPC", + "documentation": "This example deletes the specified VPC.", + "input": { + "VpcId": "vpc-a01106c2" + } + } + ] } }, "com.amazonaws.ec2#DeleteVpcEndpointConnectionNotifications": { @@ -25553,7 +26473,33 @@ "target": "com.amazonaws.ec2#DescribeAccountAttributesResult" }, "traits": { - "smithy.api#documentation": "Describes attributes of your Amazon Web Services account. The following are the supported account attributes:
\n\n supported-platforms
: Indicates whether your account can launch instances\n into EC2-Classic and EC2-VPC, or only into EC2-VPC.
\n default-vpc
: The ID of the default VPC for your account, or\n none
.
\n max-instances
: This attribute is no longer supported. The returned\n value does not reflect your actual vCPU limit for running On-Demand Instances.\n For more information, see On-Demand Instance Limits in the\n Amazon Elastic Compute Cloud User Guide.
\n vpc-max-security-groups-per-interface
: The maximum number of security groups\n that you can assign to a network interface.
\n max-elastic-ips
: The maximum number of Elastic IP addresses that you can\n allocate for use with EC2-Classic.
\n vpc-max-elastic-ips
: The maximum number of Elastic IP addresses that you can\n allocate for use with EC2-VPC.
We are retiring EC2-Classic on August 15, 2022. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon EC2 User Guide.
\nDescribes attributes of your Amazon Web Services account. The following are the supported account attributes:
\n\n default-vpc
: The ID of the default VPC for your account, or none
.
\n max-instances
: This attribute is no longer supported. The returned\n value does not reflect your actual vCPU limit for running On-Demand Instances.\n For more information, see On-Demand Instance Limits in the\n Amazon Elastic Compute Cloud User Guide.
\n max-elastic-ips
: The maximum number of Elastic IP addresses that you can allocate.
\n supported-platforms
: This attribute is deprecated.
\n vpc-max-elastic-ips
: The maximum number of Elastic IP addresses that you can allocate.
\n vpc-max-security-groups-per-interface
: The maximum number of security groups\n that you can assign to a network interface.
Describes the specified Elastic IP addresses or all of your Elastic IP addresses.
" + "smithy.api#documentation": "Describes the specified Elastic IP addresses or all of your Elastic IP addresses.
", + "smithy.api#examples": [ + { + "title": "To describe your Elastic IP addresses", + "documentation": "This example describes your Elastic IP addresses.", + "output": { + "Addresses": [ + { + "InstanceId": "i-1234567890abcdef0", + "PublicIp": "198.51.100.0", + "Domain": "standard" + }, + { + "Domain": "vpc", + "InstanceId": "i-1234567890abcdef0", + "NetworkInterfaceId": "eni-12345678", + "AssociationId": "eipassoc-12345678", + "NetworkInterfaceOwnerId": "123456789012", + "PublicIp": "203.0.113.0", + "AllocationId": "eipalloc-12345678", + "PrivateIpAddress": "10.0.1.241" + } + ] + } + } + ] } }, "com.amazonaws.ec2#DescribeAddressesAttribute": { @@ -25902,7 +26873,41 @@ "target": "com.amazonaws.ec2#DescribeAvailabilityZonesResult" }, "traits": { - "smithy.api#documentation": "Describes the Availability Zones, Local Zones, and Wavelength Zones that are available to\n you. If there is an event impacting a zone, you can use this request to view the state and any\n provided messages for that zone.
\nFor more information about Availability Zones, Local Zones, and Wavelength Zones, see\n Regions and zones \n in the Amazon Elastic Compute Cloud User Guide.
" + "smithy.api#documentation": "Describes the Availability Zones, Local Zones, and Wavelength Zones that are available to\n you. If there is an event impacting a zone, you can use this request to view the state and any\n provided messages for that zone.
\nFor more information about Availability Zones, Local Zones, and Wavelength Zones, see\n Regions and zones \n in the Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#examples": [ + { + "title": "To describe your Availability Zones", + "documentation": "This example describes the Availability Zones that are available to you. The response includes Availability Zones only for the current region.", + "output": { + "AvailabilityZones": [ + { + "State": "available", + "RegionName": "us-east-1", + "Messages": [], + "ZoneName": "us-east-1b" + }, + { + "State": "available", + "RegionName": "us-east-1", + "Messages": [], + "ZoneName": "us-east-1c" + }, + { + "State": "available", + "RegionName": "us-east-1", + "Messages": [], + "ZoneName": "us-east-1d" + }, + { + "State": "available", + "RegionName": "us-east-1", + "Messages": [], + "ZoneName": "us-east-1e" + } + ] + } + } + ] } }, "com.amazonaws.ec2#DescribeAvailabilityZonesRequest": { @@ -26504,7 +27509,7 @@ "target": "com.amazonaws.ec2#DescribeClassicLinkInstancesResult" }, "traits": { - "smithy.api#documentation": "Describes one or more of your linked EC2-Classic instances. This request only returns\n\t\t\tinformation about EC2-Classic instances linked to a VPC through ClassicLink. You cannot\n\t\t\tuse this request to return information about other instances.
\nWe are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nThis action is deprecated.
\nDescribes one or more of your linked EC2-Classic instances. This request only returns\n\t\t\tinformation about EC2-Classic instances linked to a VPC through ClassicLink. You cannot\n\t\t\tuse this request to return information about other instances.
", "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -26529,7 +27534,7 @@ "Filters": { "target": "com.amazonaws.ec2#FilterList", "traits": { - "smithy.api#documentation": "One or more filters.
\n\n group-id
- The ID of a VPC security group that's associated with the instance.
\n instance-id
- The ID of the instance.
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
\n vpc-id
- The ID of the VPC to which the instance is\n\t\t\t\t\tlinked.
\n vpc-id
- The ID of the VPC that the instance is linked to.
The filters.
\n\n group-id
- The ID of a VPC security group that's associated with the instance.
\n instance-id
- The ID of the instance.
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
\n vpc-id
- The ID of the VPC to which the instance is linked.
One or more instance IDs. Must be instances linked to a VPC through ClassicLink.
", + "smithy.api#documentation": "The instance IDs. Must be instances linked to a VPC through ClassicLink.
", "smithy.api#xmlName": "InstanceId" } }, @@ -27313,6 +28318,28 @@ }, "traits": { "smithy.api#documentation": "Describes one or more of your VPN customer gateways.
\nFor more information, see Amazon Web Services Site-to-Site VPN in the Amazon Web Services Site-to-Site VPN\n User Guide.
", + "smithy.api#examples": [ + { + "title": "To describe a customer gateway", + "documentation": "This example describes the specified customer gateway.", + "input": { + "CustomerGatewayIds": [ + "cgw-0e11f167" + ] + }, + "output": { + "CustomerGateways": [ + { + "CustomerGatewayId": "cgw-0e11f167", + "IpAddress": "12.1.2.3", + "State": "available", + "Type": "ipsec.1", + "BgpAsn": "65534" + } + ] + } + } + ], "smithy.waiters#waitable": { "CustomerGatewayAvailable": { "acceptors": [ @@ -27411,7 +28438,38 @@ "target": "com.amazonaws.ec2#DescribeDhcpOptionsResult" }, "traits": { - "smithy.api#documentation": "Describes one or more of your DHCP options sets.
\nFor more information, see DHCP options sets in the\n\t\t\t\tAmazon Virtual Private Cloud User Guide.
", + "smithy.api#documentation": "Describes one or more of your DHCP options sets.
\nFor more information, see DHCP options sets in the\n\t\t\t\tAmazon VPC User Guide.
", + "smithy.api#examples": [ + { + "title": "To describe a DHCP options set", + "documentation": "This example describes the specified DHCP options set.", + "input": { + "DhcpOptionsIds": [ + "dopt-d9070ebb" + ] + }, + "output": { + "DhcpOptions": [ + { + "DhcpConfigurations": [ + { + "Values": [ + { + "Value": "10.2.5.2" + }, + { + "Value": "10.2.5.1" + } + ], + "Key": "domain-name-servers" + } + ], + "DhcpOptionsId": "dopt-d9070ebb" + } + ] + } + } + ], "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -27443,7 +28501,7 @@ "Filters": { "target": "com.amazonaws.ec2#FilterList", "traits": { - "smithy.api#documentation": "One or more filters.
\n\n dhcp-options-id
- The ID of a DHCP options set.
\n key
- The key for one of the options (for example, domain-name
).
\n value
- The value for one of the options.
\n owner-id
- The ID of the Amazon Web Services account that owns the DHCP options set.
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
The filters.
\n\n dhcp-options-id
- The ID of a DHCP options set.
\n key
- The key for one of the options (for example, domain-name
).
\n value
- The value for one of the options.
\n owner-id
- The ID of the Amazon Web Services account that owns the DHCP options set.
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
One or more egress-only internet gateway IDs.
", + "smithy.api#documentation": "The IDs of the egress-only internet gateways.
", "smithy.api#xmlName": "EgressOnlyInternetGatewayId" } }, @@ -27563,7 +28621,7 @@ "Filters": { "target": "com.amazonaws.ec2#FilterList", "traits": { - "smithy.api#documentation": "One or more filters.
\n\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
The filters.
\n\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
Describes your IAM instance profile associations.
", + "smithy.api#examples": [ + { + "title": "To describe an IAM instance profile association", + "documentation": "This example describes the specified IAM instance profile association.", + "input": { + "AssociationIds": [ + "iip-assoc-0db249b1f25fa24b8" + ] + }, + "output": { + "IamInstanceProfileAssociations": [ + { + "InstanceId": "i-09eb09efa73ec1dee", + "State": "associated", + "AssociationId": "iip-assoc-0db249b1f25fa24b8", + "IamInstanceProfile": { + "Id": "AIPAJVQN4F5WVLGCJDRGM", + "Arn": "arn:aws:iam::123456789012:instance-profile/admin-role" + } + } + ] + } + } + ], "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -29346,7 +30428,25 @@ "target": "com.amazonaws.ec2#ImageAttribute" }, "traits": { - "smithy.api#documentation": "Describes the specified attribute of the specified AMI. You can specify only one attribute at a time.
" + "smithy.api#documentation": "Describes the specified attribute of the specified AMI. You can specify only one attribute at a time.
", + "smithy.api#examples": [ + { + "title": "To describe the launch permissions for an AMI", + "documentation": "This example describes the launch permissions for the specified AMI.", + "input": { + "Attribute": "launchPermission", + "ImageId": "ami-5731123e" + }, + "output": { + "ImageId": "ami-5731123e", + "LaunchPermissions": [ + { + "UserId": "123456789012" + } + ] + } + } + ] } }, "com.amazonaws.ec2#DescribeImageAttributeRequest": { @@ -29394,6 +30494,48 @@ }, "traits": { "smithy.api#documentation": "Describes the specified images (AMIs, AKIs, and ARIs) available to you or all of the images available to you.
\nThe images available to you include public images, private images that you own, and private images owned by other \n Amazon Web Services accounts for which you have explicit launch permissions.
\nRecently deregistered images appear in the returned results for a short interval and then\n return empty results. After all instances that reference a deregistered AMI are terminated,\n specifying the ID of the image will eventually return an error indicating that the AMI ID\n cannot be found.
", + "smithy.api#examples": [ + { + "title": "To describe an AMI", + "documentation": "This example describes the specified AMI.", + "input": { + "ImageIds": [ + "ami-5731123e" + ] + }, + "output": { + "Images": [ + { + "VirtualizationType": "paravirtual", + "Name": "My server", + "Hypervisor": "xen", + "ImageId": "ami-5731123e", + "RootDeviceType": "ebs", + "State": "available", + "BlockDeviceMappings": [ + { + "DeviceName": "/dev/sda1", + "Ebs": { + "DeleteOnTermination": true, + "SnapshotId": "snap-1234567890abcdef0", + "VolumeSize": 8, + "VolumeType": "standard" + } + } + ], + "Architecture": "x86_64", + "ImageLocation": "123456789012/My server", + "KernelId": "aki-88aa75e1", + "OwnerId": "123456789012", + "RootDeviceName": "/dev/sda1", + "Public": false, + "ImageType": "machine", + "Description": "An AMI for my server" + } + ] + } + } + ], "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -29466,7 +30608,7 @@ "Filters": { "target": "com.amazonaws.ec2#FilterList", "traits": { - "smithy.api#documentation": "The filters.
\n\n architecture
- The image architecture (i386
|\n x86_64
| arm64
).
\n block-device-mapping.delete-on-termination
- A Boolean value that indicates\n \twhether the Amazon EBS volume is deleted on instance termination.
\n block-device-mapping.device-name
- The device name specified in the block device mapping (for\n example, /dev/sdh
or xvdh
).
\n block-device-mapping.snapshot-id
- The ID of the snapshot used for the Amazon EBS\n volume.
\n block-device-mapping.volume-size
- The volume size of the Amazon EBS volume, in GiB.
\n block-device-mapping.volume-type
- The volume type of the Amazon EBS volume\n (io1
| io2
| gp2
| gp3
| sc1\n
| st1
| standard
).
\n block-device-mapping.encrypted
- A Boolean that indicates whether the Amazon EBS volume is encrypted.
\n creation-date
- The time when the image was created, in the ISO 8601\n format in the UTC time zone (YYYY-MM-DDThh:mm:ss.sssZ), for example,\n 2021-09-29T11:04:43.305Z
. You can use a wildcard (*
), for\n example, 2021-09-29T*
, which matches an entire day.
\n description
- The description of the image (provided during image\n creation).
\n ena-support
- A Boolean that indicates whether enhanced networking\n with ENA is enabled.
\n hypervisor
- The hypervisor type (ovm
|\n xen
).
\n image-id
- The ID of the image.
\n image-type
- The image type (machine
| kernel
|\n ramdisk
).
\n is-public
- A Boolean that indicates whether the image is public.
\n kernel-id
- The kernel ID.
\n manifest-location
- The location of the image manifest.
\n name
- The name of the AMI (provided during image creation).
\n owner-alias
- The owner alias (amazon
| aws-marketplace
). \n The valid aliases are defined in an Amazon-maintained list. This is not the Amazon Web Services account alias that can be \n \tset using the IAM console. We recommend that you use the Owner \n \trequest parameter instead of this filter.
\n owner-id
- The Amazon Web Services account ID of the owner. We recommend that you use the \n \t\tOwner request parameter instead of this filter.
\n platform
- The platform. The only supported value is windows
.
\n product-code
- The product code.
\n product-code.type
- The type of the product code (marketplace
).
\n ramdisk-id
- The RAM disk ID.
\n root-device-name
- The device name of the root device volume (for example, /dev/sda1
).
\n root-device-type
- The type of the root device volume (ebs
|\n instance-store
).
\n state
- The state of the image (available
| pending
\n | failed
).
\n state-reason-code
- The reason code for the state change.
\n state-reason-message
- The message for the state change.
\n sriov-net-support
- A value of simple
indicates\n that enhanced networking with the Intel 82599 VF interface is enabled.
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
\n virtualization-type
- The virtualization type (paravirtual
|\n hvm
).
The filters.
\n\n architecture
- The image architecture (i386
| x86_64
| \n arm64
| x86_64_mac
| arm64_mac
).
\n block-device-mapping.delete-on-termination
- A Boolean value that indicates\n \twhether the Amazon EBS volume is deleted on instance termination.
\n block-device-mapping.device-name
- The device name specified in the block device mapping (for\n example, /dev/sdh
or xvdh
).
\n block-device-mapping.snapshot-id
- The ID of the snapshot used for the Amazon EBS\n volume.
\n block-device-mapping.volume-size
- The volume size of the Amazon EBS volume, in GiB.
\n block-device-mapping.volume-type
- The volume type of the Amazon EBS volume\n (io1
| io2
| gp2
| gp3
| sc1\n
| st1
| standard
).
\n block-device-mapping.encrypted
- A Boolean that indicates whether the Amazon EBS volume is encrypted.
\n creation-date
- The time when the image was created, in the ISO 8601\n format in the UTC time zone (YYYY-MM-DDThh:mm:ss.sssZ), for example,\n 2021-09-29T11:04:43.305Z
. You can use a wildcard (*
), for\n example, 2021-09-29T*
, which matches an entire day.
\n description
- The description of the image (provided during image\n creation).
\n ena-support
- A Boolean that indicates whether enhanced networking\n with ENA is enabled.
\n hypervisor
- The hypervisor type (ovm
|\n xen
).
\n image-id
- The ID of the image.
\n image-type
- The image type (machine
| kernel
|\n ramdisk
).
\n is-public
- A Boolean that indicates whether the image is public.
\n kernel-id
- The kernel ID.
\n manifest-location
- The location of the image manifest.
\n name
- The name of the AMI (provided during image creation).
\n owner-alias
- The owner alias (amazon
| aws-marketplace
). \n The valid aliases are defined in an Amazon-maintained list. This is not the Amazon Web Services account alias that can be \n \tset using the IAM console. We recommend that you use the Owner \n \trequest parameter instead of this filter.
\n owner-id
- The Amazon Web Services account ID of the owner. We recommend that you use the \n \t\tOwner request parameter instead of this filter.
\n platform
- The platform. The only supported value is windows
.
\n product-code
- The product code.
\n product-code.type
- The type of the product code (marketplace
).
\n ramdisk-id
- The RAM disk ID.
\n root-device-name
- The device name of the root device volume (for example, /dev/sda1
).
\n root-device-type
- The type of the root device volume (ebs
|\n instance-store
).
\n state
- The state of the image (available
| pending
\n | failed
).
\n state-reason-code
- The reason code for the state change.
\n state-reason-message
- The message for the state change.
\n sriov-net-support
- A value of simple
indicates\n that enhanced networking with the Intel 82599 VF interface is enabled.
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
\n virtualization-type
- The virtualization type (paravirtual
|\n hvm
).
Describes the specified attribute of the specified instance. You can specify only one\n attribute at a time. Valid attribute values are: instanceType
|\n kernel
| ramdisk
| userData
|\n disableApiTermination
| instanceInitiatedShutdownBehavior
\n | rootDeviceName
| blockDeviceMapping
|\n productCodes
| sourceDestCheck
| groupSet
|\n ebsOptimized
| sriovNetSupport
\n
Describes the specified attribute of the specified instance. You can specify only one\n attribute at a time. Valid attribute values are: instanceType
|\n kernel
| ramdisk
| userData
|\n disableApiTermination
| instanceInitiatedShutdownBehavior
\n | rootDeviceName
| blockDeviceMapping
|\n productCodes
| sourceDestCheck
| groupSet
|\n ebsOptimized
| sriovNetSupport
\n
Describes the status of the specified instances or all of your instances. By default,\n only running instances are described, unless you specifically indicate to return the\n status of all instances.
\nInstance status includes the following components:
\n\n Status checks - Amazon EC2 performs status\n checks on running EC2 instances to identify hardware and software issues. For\n more information, see Status checks for your instances and Troubleshoot\n instances with failed status checks in the Amazon EC2 User\n Guide.
\n\n Scheduled events - Amazon EC2 can schedule\n events (such as reboot, stop, or terminate) for your instances related to\n hardware issues, software updates, or system maintenance. For more information,\n see Scheduled events for your instances in the Amazon EC2 User\n Guide.
\n\n Instance state - You can manage your instances\n from the moment you launch them through their termination. For more information,\n see Instance\n lifecycle in the Amazon EC2 User Guide.
\nOne or more filters. Filter names and values are case-sensitive.
\n\n auto-recovery-supported
- Indicates whether Amazon CloudWatch action based recovery is supported (true
| false
).
\n bare-metal
- Indicates whether it is a bare metal instance type (true
| false
).
\n burstable-performance-supported
- Indicates whether it is a burstable\n performance instance type (true
| false
).
\n current-generation
- Indicates whether this instance type is the latest\n generation instance type of an instance family (true
| false
).
\n ebs-info.ebs-optimized-info.baseline-bandwidth-in-mbps
- The baseline\n bandwidth performance for an EBS-optimized instance type, in Mbps.
\n ebs-info.ebs-optimized-info.baseline-iops
- The baseline input/output storage\n operations per second for an EBS-optimized instance type.
\n ebs-info.ebs-optimized-info.baseline-throughput-in-mbps
- The baseline\n throughput performance for an EBS-optimized instance type, in MB/s.
\n ebs-info.ebs-optimized-info.maximum-bandwidth-in-mbps
- The maximum bandwidth\n performance for an EBS-optimized instance type, in Mbps.
\n ebs-info.ebs-optimized-info.maximum-iops
- The maximum input/output storage\n operations per second for an EBS-optimized instance type.
\n ebs-info.ebs-optimized-info.maximum-throughput-in-mbps
- The maximum\n throughput performance for an EBS-optimized instance type, in MB/s.
\n ebs-info.ebs-optimized-support
- Indicates whether the instance type is\n EBS-optimized (supported
| unsupported
|\n default
).
\n ebs-info.encryption-support
- Indicates whether EBS encryption is supported\n (supported
| unsupported
).
\n ebs-info.nvme-support
- Indicates whether non-volatile memory express (NVMe)\n is supported for EBS volumes (required
| supported
| unsupported
).
\n free-tier-eligible
- Indicates whether the instance type is eligible to use\n in the free tier (true
| false
).
\n hibernation-supported
- Indicates whether On-Demand hibernation is supported (true
| false
).
\n hypervisor
- The hypervisor (nitro
| xen
).
\n instance-storage-info.disk.count
- The number of local disks.
\n instance-storage-info.disk.size-in-gb
- The storage size of each instance storage disk, in\n GB.
\n instance-storage-info.disk.type
- The storage technology for the local\n instance storage disks (hdd
| ssd
).
\n instance-storage-info.encryption-support
- Indicates whether data is encrypted at rest \n (required
| supported
| unsupported
).
\n instance-storage-info.nvme-support
- Indicates whether non-volatile memory\n express (NVMe) is supported for instance store (required
| supported
|\n unsupported
).
\n instance-storage-info.total-size-in-gb
- The total amount of storage available from all local\n instance storage, in GB.
\n instance-storage-supported
- Indicates whether the instance type has local\n instance storage (true
| false
).
\n instance-type
- The instance type (for example c5.2xlarge
or\n c5*).
\n memory-info.size-in-mib
- The memory size.
\n network-info.efa-info.maximum-efa-interfaces
- The maximum number of Elastic \n Fabric Adapters (EFAs) per instance.
\n network-info.efa-supported
- Indicates whether the instance type supports\n Elastic Fabric Adapter (EFA) (true
| false
).
\n network-info.ena-support
- Indicates whether Elastic Network Adapter (ENA) is\n supported or required (required
| supported
|\n unsupported
).
\n network-info.encryption-in-transit-supported
- Indicates whether the instance type \n automatically encrypts in-transit traffic between instances (true
| false
).
\n network-info.ipv4-addresses-per-interface
- The maximum number of private IPv4 addresses per\n network interface.
\n network-info.ipv6-addresses-per-interface
- The maximum number of private IPv6 addresses per\n network interface.
\n network-info.ipv6-supported
- Indicates whether the instance type supports IPv6 (true
| false
).
\n network-info.maximum-network-cards
- The maximum number of network cards per\n instance.
\n network-info.maximum-network-interfaces
- The maximum number of network interfaces per instance.
\n network-info.network-performance
- The network performance (for example, \"25\n Gigabit\").
\n processor-info.supported-architecture
- The CPU architecture\n (arm64
| i386
| x86_64
).
\n processor-info.sustained-clock-speed-in-ghz
- The CPU clock speed, in GHz.
\n supported-boot-mode
- The boot mode (legacy-bios
|\n uefi
).
\n supported-root-device-type
- The root device type (ebs
|\n instance-store
).
\n supported-usage-class
- The usage class (on-demand
|\n spot
).
\n supported-virtualization-type
- The virtualization type (hvm
|\n paravirtual
).
\n vcpu-info.default-cores
- The default number of cores for the instance type.
\n vcpu-info.default-threads-per-core
- The default number of threads per core for the instance\n type.
\n vcpu-info.default-vcpus
- The default number of vCPUs for the instance type.
\n vcpu-info.valid-cores
- The number of cores that can be configured for the instance type.
\n vcpu-info.valid-threads-per-core
- The number of threads per core that can be configured for the instance type.\n For example, \"1\" or \"1,2\".
One or more filters. Filter names and values are case-sensitive.
\n\n auto-recovery-supported
- Indicates whether Amazon CloudWatch action based recovery is supported (true
| false
).
\n bare-metal
- Indicates whether it is a bare metal instance type (true
| false
).
\n burstable-performance-supported
- Indicates whether the instance type is a \n burstable performance T instance type (true
| false
).
\n current-generation
- Indicates whether this instance type is the latest\n generation instance type of an instance family (true
| false
).
\n ebs-info.ebs-optimized-info.baseline-bandwidth-in-mbps
- The baseline\n bandwidth performance for an EBS-optimized instance type, in Mbps.
\n ebs-info.ebs-optimized-info.baseline-iops
- The baseline input/output storage\n operations per second for an EBS-optimized instance type.
\n ebs-info.ebs-optimized-info.baseline-throughput-in-mbps
- The baseline\n throughput performance for an EBS-optimized instance type, in MB/s.
\n ebs-info.ebs-optimized-info.maximum-bandwidth-in-mbps
- The maximum bandwidth\n performance for an EBS-optimized instance type, in Mbps.
\n ebs-info.ebs-optimized-info.maximum-iops
- The maximum input/output storage\n operations per second for an EBS-optimized instance type.
\n ebs-info.ebs-optimized-info.maximum-throughput-in-mbps
- The maximum\n throughput performance for an EBS-optimized instance type, in MB/s.
\n ebs-info.ebs-optimized-support
- Indicates whether the instance type is\n EBS-optimized (supported
| unsupported
|\n default
).
\n ebs-info.encryption-support
- Indicates whether EBS encryption is supported\n (supported
| unsupported
).
\n ebs-info.nvme-support
- Indicates whether non-volatile memory express (NVMe)\n is supported for EBS volumes (required
| supported
| unsupported
).
\n free-tier-eligible
- Indicates whether the instance type is eligible to use\n in the free tier (true
| false
).
\n hibernation-supported
- Indicates whether On-Demand hibernation is supported (true
| false
).
\n hypervisor
- The hypervisor (nitro
| xen
).
\n instance-storage-info.disk.count
- The number of local disks.
\n instance-storage-info.disk.size-in-gb
- The storage size of each instance storage disk, in\n GB.
\n instance-storage-info.disk.type
- The storage technology for the local\n instance storage disks (hdd
| ssd
).
\n instance-storage-info.encryption-support
- Indicates whether data is encrypted at rest \n (required
| supported
| unsupported
).
\n instance-storage-info.nvme-support
- Indicates whether non-volatile memory\n express (NVMe) is supported for instance store (required
| supported
|\n unsupported
).
\n instance-storage-info.total-size-in-gb
- The total amount of storage available from all local\n instance storage, in GB.
\n instance-storage-supported
- Indicates whether the instance type has local\n instance storage (true
| false
).
\n instance-type
- The instance type (for example c5.2xlarge
or\n c5*).
\n memory-info.size-in-mib
- The memory size.
\n network-info.efa-info.maximum-efa-interfaces
- The maximum number of Elastic \n Fabric Adapters (EFAs) per instance.
\n network-info.efa-supported
- Indicates whether the instance type supports\n Elastic Fabric Adapter (EFA) (true
| false
).
\n network-info.ena-support
- Indicates whether Elastic Network Adapter (ENA) is\n supported or required (required
| supported
|\n unsupported
).
\n network-info.encryption-in-transit-supported
- Indicates whether the instance type \n automatically encrypts in-transit traffic between instances (true
| false
).
\n network-info.ipv4-addresses-per-interface
- The maximum number of private IPv4 addresses per\n network interface.
\n network-info.ipv6-addresses-per-interface
- The maximum number of private IPv6 addresses per\n network interface.
\n network-info.ipv6-supported
- Indicates whether the instance type supports IPv6 (true
| false
).
\n network-info.maximum-network-cards
- The maximum number of network cards per\n instance.
\n network-info.maximum-network-interfaces
- The maximum number of network interfaces per instance.
\n network-info.network-performance
- The network performance (for example, \"25\n Gigabit\").
\n nitro-enclaves-support
- Indicates whether Nitro Enclaves is supported (supported
|\n unsupported
).
\n nitro-tpm-support
- Indicates whether NitroTPM is supported (supported
|\n unsupported
).
\n nitro-tpm-info.supported-versions
- The supported NitroTPM version (2.0
).
\n processor-info.supported-architecture
- The CPU architecture\n (arm64
| i386
| x86_64
).
\n processor-info.sustained-clock-speed-in-ghz
- The CPU clock speed, in GHz.
\n processor-info.supported-features
- The supported CPU features (amd-sev-snp
).
\n supported-boot-mode
- The boot mode (legacy-bios
|\n uefi
).
\n supported-root-device-type
- The root device type (ebs
|\n instance-store
).
\n supported-usage-class
- The usage class (on-demand
|\n spot
).
\n supported-virtualization-type
- The virtualization type (hvm
|\n paravirtual
).
\n vcpu-info.default-cores
- The default number of cores for the instance type.
\n vcpu-info.default-threads-per-core
- The default number of threads per core for the instance\n type.
\n vcpu-info.default-vcpus
- The default number of vCPUs for the instance type.
\n vcpu-info.valid-cores
- The number of cores that can be configured for the instance type.
\n vcpu-info.valid-threads-per-core
- The number of threads per core that can be configured for the instance type.\n For example, \"1\" or \"1,2\".
Describes the specified instances or all instances.
\nIf you specify instance IDs, the output includes information for only the specified\n instances. If you specify filters, the output includes information for only those\n instances that meet the filter criteria. If you do not specify instance IDs or filters,\n the output includes information for all instances, which can affect performance. We\n recommend that you use pagination to ensure that the operation returns quickly and\n successfully.
\nIf you specify an instance ID that is not valid, an error is returned. If you specify\n an instance that you do not own, it is not included in the output.
\nRecently terminated instances might appear in the returned results. This interval is\n usually less than one hour.
\nIf you describe instances in the rare case where an Availability Zone is experiencing\n a service disruption and you specify instance IDs that are in the affected zone, or do\n not specify any instance IDs at all, the call fails. If you describe instances and\n specify only instance IDs that are in an unaffected zone, the call works\n normally.
", + "smithy.api#examples": [ + { + "title": "To describe an Amazon EC2 instance", + "documentation": "This example describes the specified instance.", + "input": { + "InstanceIds": [ + "i-1234567890abcdef0" + ] + }, + "output": {} + } + ], "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -30584,7 +31795,7 @@ "Filters": { "target": "com.amazonaws.ec2#FilterList", "traits": { - "smithy.api#documentation": "The filters.
\n\n affinity
- The affinity setting for an instance running on a\n Dedicated Host (default
| host
).
\n architecture
- The instance architecture (i386
|\n x86_64
| arm64
).
\n availability-zone
- The Availability Zone of the instance.
\n block-device-mapping.attach-time
- The attach time for an EBS\n volume mapped to the instance, for example,\n 2010-09-15T17:15:20.000Z
.
\n block-device-mapping.delete-on-termination
- A Boolean that\n indicates whether the EBS volume is deleted on instance termination.
\n block-device-mapping.device-name
- The device name specified in the\n block device mapping (for example, /dev/sdh
or\n xvdh
).
\n block-device-mapping.status
- The status for the EBS volume\n (attaching
| attached
| detaching
|\n detached
).
\n block-device-mapping.volume-id
- The volume ID of the EBS\n volume.
\n capacity-reservation-id
- The ID of the Capacity Reservation into which the\n instance was launched.
\n client-token
- The idempotency token you provided when you launched\n the instance.
\n dns-name
- The public DNS name of the instance.
\n hibernation-options.configured
- A Boolean that indicates whether\n the instance is enabled for hibernation. A value of true
means that\n the instance is enabled for hibernation.
\n host-id
- The ID of the Dedicated Host on which the instance is\n running, if applicable.
\n hypervisor
- The hypervisor type of the instance\n (ovm
| xen
). The value xen
is used\n for both Xen and Nitro hypervisors.
\n iam-instance-profile.arn
- The instance profile associated with\n the instance. Specified as an ARN.
\n image-id
- The ID of the image used to launch the\n instance.
\n instance-id
- The ID of the instance.
\n instance-lifecycle
- Indicates whether this is a Spot Instance or\n a Scheduled Instance (spot
| scheduled
).
\n instance-state-code
- The state of the instance, as a 16-bit\n unsigned integer. The high byte is used for internal purposes and should be\n ignored. The low byte is set based on the state represented. The valid values\n are: 0 (pending), 16 (running), 32 (shutting-down), 48 (terminated), 64\n (stopping), and 80 (stopped).
\n instance-state-name
- The state of the instance\n (pending
| running
| shutting-down
|\n terminated
| stopping
|\n stopped
).
\n instance-type
- The type of instance (for example,\n t2.micro
).
\n instance.group-id
- The ID of the security group for the\n instance.
\n instance.group-name
- The name of the security group for the\n instance.
\n ip-address
- The public IPv4 address of the instance.
\n kernel-id
- The kernel ID.
\n key-name
- The name of the key pair used when the instance was\n launched.
\n launch-index
- When launching multiple instances, this is the\n index for the instance in the launch group (for example, 0, 1, 2, and so on).\n
\n launch-time
- The time when the instance was launched, in the ISO\n 8601 format in the UTC time zone (YYYY-MM-DDThh:mm:ss.sssZ), for example,\n 2021-09-29T11:04:43.305Z
. You can use a wildcard\n (*
), for example, 2021-09-29T*
, which matches an\n entire day.
\n metadata-options.http-tokens
- The metadata request authorization\n state (optional
| required
)
\n metadata-options.http-put-response-hop-limit
- The HTTP metadata\n request put response hop limit (integer, possible values 1
to\n 64
)
\n metadata-options.http-endpoint
- The status of access to the HTTP\n metadata endpoint on your instance (enabled
|\n disabled
)
\n metadata-options.instance-metadata-tags
- The status of access to\n instance tags from the instance metadata (enabled
|\n disabled
)
\n monitoring-state
- Indicates whether detailed monitoring is\n enabled (disabled
| enabled
).
\n network-interface.addresses.private-ip-address
- The private IPv4\n address associated with the network interface.
\n network-interface.addresses.primary
- Specifies whether the IPv4\n address of the network interface is the primary private IPv4 address.
\n network-interface.addresses.association.public-ip
- The ID of the\n association of an Elastic IP address (IPv4) with a network interface.
\n network-interface.addresses.association.ip-owner-id
- The owner\n ID of the private IPv4 address associated with the network interface.
\n network-interface.association.public-ip
- The address of the\n Elastic IP address (IPv4) bound to the network interface.
\n network-interface.association.ip-owner-id
- The owner of the\n Elastic IP address (IPv4) associated with the network interface.
\n network-interface.association.allocation-id
- The allocation ID\n returned when you allocated the Elastic IP address (IPv4) for your network\n interface.
\n network-interface.association.association-id
- The association ID\n returned when the network interface was associated with an IPv4 address.
\n network-interface.attachment.attachment-id
- The ID of the\n interface attachment.
\n network-interface.attachment.instance-id
- The ID of the instance\n to which the network interface is attached.
\n network-interface.attachment.instance-owner-id
- The owner ID of\n the instance to which the network interface is attached.
\n network-interface.attachment.device-index
- The device index to\n which the network interface is attached.
\n network-interface.attachment.status
- The status of the\n attachment (attaching
| attached
|\n detaching
| detached
).
\n network-interface.attachment.attach-time
- The time that the\n network interface was attached to an instance.
\n network-interface.attachment.delete-on-termination
- Specifies\n whether the attachment is deleted when an instance is terminated.
\n network-interface.availability-zone
- The Availability Zone for\n the network interface.
\n network-interface.description
- The description of the network\n interface.
\n network-interface.group-id
- The ID of a security group\n associated with the network interface.
\n network-interface.group-name
- The name of a security group\n associated with the network interface.
\n network-interface.ipv6-addresses.ipv6-address
- The IPv6 address\n associated with the network interface.
\n network-interface.mac-address
- The MAC address of the network\n interface.
\n network-interface.network-interface-id
- The ID of the network\n interface.
\n network-interface.owner-id
- The ID of the owner of the network\n interface.
\n network-interface.private-dns-name
- The private DNS name of the\n network interface.
\n network-interface.requester-id
- The requester ID for the network\n interface.
\n network-interface.requester-managed
- Indicates whether the\n network interface is being managed by Amazon Web Services.
\n network-interface.status
- The status of the network interface\n (available
) | in-use
).
\n network-interface.source-dest-check
- Whether the network\n interface performs source/destination checking. A value of true
\n means that checking is enabled, and false
means that checking is\n disabled. The value must be false
for the network interface to\n perform network address translation (NAT) in your VPC.
\n network-interface.subnet-id
- The ID of the subnet for the\n network interface.
\n network-interface.vpc-id
- The ID of the VPC for the network\n interface.
\n outpost-arn
- The Amazon Resource Name (ARN) of the\n Outpost.
\n owner-id
- The Amazon Web Services account ID of the instance\n owner.
\n placement-group-name
- The name of the placement group for the\n instance.
\n placement-partition-number
- The partition in which the instance is\n located.
\n platform
- The platform. To list only Windows instances, use\n windows
.
\n private-dns-name
- The private IPv4 DNS name of the\n instance.
\n private-ip-address
- The private IPv4 address of the\n instance.
\n product-code
- The product code associated with the AMI used to\n launch the instance.
\n product-code.type
- The type of product code (devpay
|\n marketplace
).
\n ramdisk-id
- The RAM disk ID.
\n reason
- The reason for the current state of the instance (for\n example, shows \"User Initiated [date]\" when you stop or terminate the instance).\n Similar to the state-reason-code filter.
\n requester-id
- The ID of the entity that launched the instance on\n your behalf (for example, Amazon Web Services Management Console, Auto Scaling, and so\n on).
\n reservation-id
- The ID of the instance's reservation. A\n reservation ID is created any time you launch an instance. A reservation ID has\n a one-to-one relationship with an instance launch request, but can be associated\n with more than one instance if you launch multiple instances using the same\n launch request. For example, if you launch one instance, you get one reservation\n ID. If you launch ten instances using the same launch request, you also get one\n reservation ID.
\n root-device-name
- The device name of the root device volume (for\n example, /dev/sda1
).
\n root-device-type
- The type of the root device volume\n (ebs
| instance-store
).
\n source-dest-check
- Indicates whether the instance performs\n source/destination checking. A value of true
means that checking is\n enabled, and false
means that checking is disabled. The value must\n be false
for the instance to perform network address translation\n (NAT) in your VPC.
\n spot-instance-request-id
- The ID of the Spot Instance\n request.
\n state-reason-code
- The reason code for the state change.
\n state-reason-message
- A message that describes the state\n change.
\n subnet-id
- The ID of the subnet for the instance.
\n tag:
- The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value.\n For example, to find all resources that have a tag with the key Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources that have a tag with a specific key, regardless of the tag value.
\n tenancy
- The tenancy of an instance (dedicated
|\n default
| host
).
\n virtualization-type
- The virtualization type of the instance\n (paravirtual
| hvm
).
\n vpc-id
- The ID of the VPC that the instance is running in.
The filters.
\n\n affinity
- The affinity setting for an instance running on a\n Dedicated Host (default
| host
).
\n architecture
- The instance architecture (i386
|\n x86_64
| arm64
).
\n availability-zone
- The Availability Zone of the instance.
\n block-device-mapping.attach-time
- The attach time for an EBS\n volume mapped to the instance, for example,\n 2022-09-15T17:15:20.000Z
.
\n block-device-mapping.delete-on-termination
- A Boolean that\n indicates whether the EBS volume is deleted on instance termination.
\n block-device-mapping.device-name
- The device name specified in\n the block device mapping (for example, /dev/sdh
or\n xvdh
).
\n block-device-mapping.status
- The status for the EBS volume\n (attaching
| attached
| detaching
|\n detached
).
\n block-device-mapping.volume-id
- The volume ID of the EBS\n volume.
\n boot-mode
- The boot mode that was specified by the AMI\n (legacy-bios
| uefi
|\n uefi-preferred
).
\n capacity-reservation-id
- The ID of the Capacity Reservation into which the\n instance was launched.
\n capacity-reservation-specification.capacity-reservation-preference
\n - The instance's Capacity Reservation preference (open
| none
).
\n capacity-reservation-specification.capacity-reservation-target.capacity-reservation-id
\n - The ID of the targeted Capacity Reservation.
\n capacity-reservation-specification.capacity-reservation-target.capacity-reservation-resource-group-arn
\n - The ARN of the targeted Capacity Reservation group.
\n client-token
- The idempotency token you provided when you\n launched the instance.
\n current-instance-boot-mode
- The boot mode that is used to launch\n the instance at launch or start (legacy-bios
|\n uefi
).
\n dns-name
- The public DNS name of the instance.
\n ebs-optimized
- A Boolean that indicates whether the instance is\n optimized for Amazon EBS I/O.
\n ena-support
- A Boolean that indicates whether the instance is\n enabled for enhanced networking with ENA.
\n enclave-options.enabled
- A Boolean that indicates whether the\n instance is enabled for Amazon Web Services Nitro Enclaves.
\n hibernation-options.configured
- A Boolean that indicates whether\n the instance is enabled for hibernation. A value of true
means that\n the instance is enabled for hibernation.
\n host-id
- The ID of the Dedicated Host on which the instance is\n running, if applicable.
\n hypervisor
- The hypervisor type of the instance\n (ovm
| xen
). The value xen
is used\n for both Xen and Nitro hypervisors.
\n iam-instance-profile.arn
- The instance profile associated with\n the instance. Specified as an ARN.
\n iam-instance-profile.id
- The instance profile associated with\n the instance. Specified as an ID.
\n iam-instance-profile.name
- The instance profile associated with\n the instance. Specified as an name.
\n image-id
- The ID of the image used to launch the\n instance.
\n instance-id
- The ID of the instance.
\n instance-lifecycle
- Indicates whether this is a Spot Instance or\n a Scheduled Instance (spot
| scheduled
).
\n instance-state-code
- The state of the instance, as a 16-bit\n unsigned integer. The high byte is used for internal purposes and should be\n ignored. The low byte is set based on the state represented. The valid values\n are: 0 (pending), 16 (running), 32 (shutting-down), 48 (terminated), 64\n (stopping), and 80 (stopped).
\n instance-state-name
- The state of the instance\n (pending
| running
| shutting-down
|\n terminated
| stopping
|\n stopped
).
\n instance-type
- The type of instance (for example,\n t2.micro
).
\n instance.group-id
- The ID of the security group for the\n instance.
\n instance.group-name
- The name of the security group for the\n instance.
\n ip-address
- The public IPv4 address of the instance.
\n ipv6-address
- The IPv6 address of the instance.
\n kernel-id
- The kernel ID.
\n key-name
- The name of the key pair used when the instance was\n launched.
\n launch-index
- When launching multiple instances, this is the\n index for the instance in the launch group (for example, 0, 1, 2, and so on).\n
\n launch-time
- The time when the instance was launched, in the ISO\n 8601 format in the UTC time zone (YYYY-MM-DDThh:mm:ss.sssZ), for example,\n 2021-09-29T11:04:43.305Z
. You can use a wildcard\n (*
), for example, 2021-09-29T*
, which matches an\n entire day.
\n license-pool
-
\n maintenance-options.auto-recovery
- The current automatic\n recovery behavior of the instance (disabled
| default
).
\n metadata-options.http-endpoint
- The status of access to the HTTP\n metadata endpoint on your instance (enabled
|\n disabled
)
\n metadata-options.http-protocol-ipv4
- Indicates whether the IPv4\n endpoint is enabled (disabled
| enabled
).
\n metadata-options.http-protocol-ipv6
- Indicates whether the IPv6\n endpoint is enabled (disabled
| enabled
).
\n metadata-options.http-put-response-hop-limit
- The HTTP metadata\n request put response hop limit (integer, possible values 1
to\n 64
)
\n metadata-options.http-tokens
- The metadata request authorization\n state (optional
| required
)
\n metadata-options.instance-metadata-tags
- The status of access to\n instance tags from the instance metadata (enabled
|\n disabled
)
\n metadata-options.state
- The state of the metadata option changes\n (pending
| applied
).
\n monitoring-state
- Indicates whether detailed monitoring is\n enabled (disabled
| enabled
).
\n network-interface.addresses.primary
- Specifies whether the IPv4\n address of the network interface is the primary private IPv4 address.
\n network-interface.addresses.private-ip-address
- The private IPv4\n address associated with the network interface.
\n network-interface.addresses.association.public-ip
- The ID of the\n association of an Elastic IP address (IPv4) with a network interface.
\n network-interface.addresses.association.ip-owner-id
- The owner\n ID of the private IPv4 address associated with the network interface.
\n network-interface.association.public-ip
- The address of the\n Elastic IP address (IPv4) bound to the network interface.
\n network-interface.association.ip-owner-id
- The owner of the\n Elastic IP address (IPv4) associated with the network interface.
\n network-interface.association.allocation-id
- The allocation ID\n returned when you allocated the Elastic IP address (IPv4) for your network\n interface.
\n network-interface.association.association-id
- The association ID\n returned when the network interface was associated with an IPv4 address.
\n network-interface.attachment.attachment-id
- The ID of the\n interface attachment.
\n network-interface.attachment.instance-id
- The ID of the instance\n to which the network interface is attached.
\n network-interface.attachment.instance-owner-id
- The owner ID of\n the instance to which the network interface is attached.
\n network-interface.attachment.device-index
- The device index to\n which the network interface is attached.
\n network-interface.attachment.status
- The status of the\n attachment (attaching
| attached
|\n detaching
| detached
).
\n network-interface.attachment.attach-time
- The time that the\n network interface was attached to an instance.
\n network-interface.attachment.delete-on-termination
- Specifies\n whether the attachment is deleted when an instance is terminated.
\n network-interface.availability-zone
- The Availability Zone for\n the network interface.
\n network-interface.description
- The description of the network\n interface.
\n network-interface.group-id
- The ID of a security group\n associated with the network interface.
\n network-interface.group-name
- The name of a security group\n associated with the network interface.
\n network-interface.ipv6-addresses.ipv6-address
- The IPv6 address\n associated with the network interface.
\n network-interface.mac-address
- The MAC address of the network\n interface.
\n network-interface.network-interface-id
- The ID of the network\n interface.
\n network-interface.owner-id
- The ID of the owner of the network\n interface.
\n network-interface.private-dns-name
- The private DNS name of the\n network interface.
\n network-interface.requester-id
- The requester ID for the network\n interface.
\n network-interface.requester-managed
- Indicates whether the\n network interface is being managed by Amazon Web Services.
\n network-interface.status
- The status of the network interface\n (available
) | in-use
).
\n network-interface.source-dest-check
- Whether the network\n interface performs source/destination checking. A value of true
\n means that checking is enabled, and false
means that checking is\n disabled. The value must be false
for the network interface to\n perform network address translation (NAT) in your VPC.
\n network-interface.subnet-id
- The ID of the subnet for the\n network interface.
\n network-interface.vpc-id
- The ID of the VPC for the network\n interface.
\n outpost-arn
- The Amazon Resource Name (ARN) of the\n Outpost.
\n owner-id
- The Amazon Web Services account ID of the instance\n owner.
\n placement-group-name
- The name of the placement group for the\n instance.
\n placement-partition-number
- The partition in which the instance is\n located.
\n platform
- The platform. To list only Windows instances, use\n windows
.
\n platform-details
- The platform (Linux/UNIX
|\n Red Hat BYOL Linux
| Red Hat Enterprise Linux
|\n Red Hat Enterprise Linux with HA
| Red Hat Enterprise\n Linux with SQL Server Standard and HA
| Red Hat Enterprise\n Linux with SQL Server Enterprise and HA
| Red Hat Enterprise\n Linux with SQL Server Standard
| Red Hat Enterprise Linux with\n SQL Server Web
| Red Hat Enterprise Linux with SQL Server\n Enterprise
| SQL Server Enterprise
| SQL Server\n Standard
| SQL Server Web
| SUSE Linux
|\n Ubuntu Pro
| Windows
| Windows BYOL
|\n Windows with SQL Server Enterprise
| Windows with SQL\n Server Standard
| Windows with SQL Server Web
).
\n private-dns-name
- The private IPv4 DNS name of the\n instance.
\n private-dns-name-options.enable-resource-name-dns-a-record
- A\n Boolean that indicates whether to respond to DNS queries for instance hostnames\n with DNS A records.
\n private-dns-name-options.enable-resource-name-dns-aaaa-record
- A\n Boolean that indicates whether to respond to DNS queries for instance hostnames\n with DNS AAAA records.
\n private-dns-name-options.hostname-type
- The type of hostname\n (ip-name
| resource-name
).
\n private-ip-address
- The private IPv4 address of the\n instance.
\n product-code
- The product code associated with the AMI used to\n launch the instance.
\n product-code.type
- The type of product code (devpay
\n | marketplace
).
\n ramdisk-id
- The RAM disk ID.
\n reason
- The reason for the current state of the instance (for\n example, shows \"User Initiated [date]\" when you stop or terminate the instance).\n Similar to the state-reason-code filter.
\n requester-id
- The ID of the entity that launched the instance on\n your behalf (for example, Amazon Web Services Management Console, Auto Scaling, and so\n on).
\n reservation-id
- The ID of the instance's reservation. A\n reservation ID is created any time you launch an instance. A reservation ID has\n a one-to-one relationship with an instance launch request, but can be associated\n with more than one instance if you launch multiple instances using the same\n launch request. For example, if you launch one instance, you get one reservation\n ID. If you launch ten instances using the same launch request, you also get one\n reservation ID.
\n root-device-name
- The device name of the root device volume (for\n example, /dev/sda1
).
\n root-device-type
- The type of the root device volume\n (ebs
| instance-store
).
\n source-dest-check
- Indicates whether the instance performs\n source/destination checking. A value of true
means that checking is\n enabled, and false
means that checking is disabled. The value must\n be false
for the instance to perform network address translation\n (NAT) in your VPC.
\n spot-instance-request-id
- The ID of the Spot Instance\n request.
\n state-reason-code
- The reason code for the state change.
\n state-reason-message
- A message that describes the state\n change.
\n subnet-id
- The ID of the subnet for the instance.
\n tag:
- The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value.\n For example, to find all resources that have a tag with the key Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources that have a tag with a specific key, regardless of the tag value.
\n tenancy
- The tenancy of an instance (dedicated
|\n default
| host
).
\n tpm-support
- Indicates if the instance is configured for\n NitroTPM support (v2.0
).
\n usage-operation
- The usage operation value for the instance\n (RunInstances
| RunInstances:00g0
|\n RunInstances:0010
| RunInstances:1010
|\n RunInstances:1014
| RunInstances:1110
|\n RunInstances:0014
| RunInstances:0210
|\n RunInstances:0110
| RunInstances:0100
|\n RunInstances:0004
| RunInstances:0200
|\n RunInstances:000g
| RunInstances:0g00
|\n RunInstances:0002
| RunInstances:0800
|\n RunInstances:0102
| RunInstances:0006
|\n RunInstances:0202
).
\n usage-operation-update-time
- The time that the usage operation\n was last updated, for example, 2022-09-15T17:15:20.000Z
.
\n virtualization-type
- The virtualization type of the instance\n (paravirtual
| hvm
).
\n vpc-id
- The ID of the VPC that the instance is running in.
Describes one or more of your internet gateways.
", + "smithy.api#examples": [ + { + "title": "To describe the Internet gateway for a VPC", + "documentation": "This example describes the Internet gateway for the specified VPC.", + "input": { + "Filters": [ + { + "Name": "attachment.vpc-id", + "Values": [ + "vpc-a01106c2" + ] + } + ] + }, + "output": { + "InternetGateways": [ + { + "Tags": [], + "InternetGatewayId": "igw-c0a643a9", + "Attachments": [ + { + "State": "attached", + "VpcId": "vpc-a01106c2" + } + ] + } + ] + } + } + ], "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -30712,7 +31953,7 @@ "Filters": { "target": "com.amazonaws.ec2#FilterList", "traits": { - "smithy.api#documentation": "One or more filters.
\n\n attachment.state
- The current state of the attachment between the gateway\n and the VPC (available
). Present only if a VPC is attached.
\n attachment.vpc-id
- The ID of an attached VPC.
\n internet-gateway-id
- The ID of the Internet gateway.
\n owner-id
- The ID of the Amazon Web Services account that owns the internet gateway.
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
The filters.
\n\n attachment.state
- The current state of the attachment between the gateway\n and the VPC (available
). Present only if a VPC is attached.
\n attachment.vpc-id
- The ID of an attached VPC.
\n internet-gateway-id
- The ID of the Internet gateway.
\n owner-id
- The ID of the Amazon Web Services account that owns the internet gateway.
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
One or more internet gateway IDs.
\nDefault: Describes all your internet gateways.
", + "smithy.api#documentation": "The IDs of the internet gateways.
\nDefault: Describes all your internet gateways.
", "smithy.api#xmlName": "internetGatewayId" } }, @@ -31303,6 +32544,25 @@ }, "traits": { "smithy.api#documentation": "Describes the specified key pairs or all of your key pairs.
\nFor more information about key pairs, see Amazon EC2 key pairs \n\t\t\t\tin the Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#examples": [ + { + "title": "To display a key pair", + "documentation": "This example displays the fingerprint for the specified key.", + "input": { + "KeyNames": [ + "my-key-pair" + ] + }, + "output": { + "KeyPairs": [ + { + "KeyName": "my-key-pair", + "KeyFingerprint": "1f:51:ae:28:bf:89:e9:d8:1f:25:5d:37:2d:7d:b8:ca:9f:f5:f1:6f" + } + ] + } + } + ], "smithy.api#suppress": [ "WaitableTraitInvalidErrorType" ], @@ -31404,6 +32664,66 @@ }, "traits": { "smithy.api#documentation": "Describes one or more versions of a specified launch template. You can describe all\n versions, individual versions, or a range of versions. You can also describe all the\n latest versions or all the default versions of all the launch templates in your\n account.
", + "smithy.api#examples": [ + { + "title": "To describe the versions for a launch template", + "documentation": "This example describes the versions for the specified launch template.", + "input": { + "LaunchTemplateId": "068f72b72934aff71" + }, + "output": { + "LaunchTemplateVersions": [ + { + "LaunchTemplateId": "lt-068f72b72934aff71", + "LaunchTemplateName": "Webservers", + "VersionNumber": 2, + "CreatedBy": "arn:aws:iam::123456789102:root", + "LaunchTemplateData": { + "KeyName": "kp-us-east", + "ImageId": "ami-6057e21a", + "InstanceType": "t2.medium", + "NetworkInterfaces": [ + { + "SubnetId": "subnet-1a2b3c4d", + "DeviceIndex": 0, + "Groups": [ + "sg-7c227019" + ] + } + ] + }, + "DefaultVersion": false, + "CreateTime": "2017-11-20T13:12:32.000Z" + }, + { + "LaunchTemplateId": "lt-068f72b72934aff71", + "LaunchTemplateName": "Webservers", + "VersionNumber": 1, + "CreatedBy": "arn:aws:iam::123456789102:root", + "LaunchTemplateData": { + "UserData": "", + "KeyName": "kp-us-east", + "ImageId": "ami-aabbcc11", + "InstanceType": "t2.medium", + "NetworkInterfaces": [ + { + "SubnetId": "subnet-7b16de0c", + "DeviceIndex": 0, + "DeleteOnTermination": false, + "Groups": [ + "sg-7c227019" + ], + "AssociatePublicIpAddress": true + } + ] + }, + "DefaultVersion": true, + "CreateTime": "2017-11-20T12:52:33.000Z" + } + ] + } + } + ], "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -31522,6 +32842,29 @@ }, "traits": { "smithy.api#documentation": "Describes one or more launch templates.
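Review bot: The input of the added "To describe the versions for a launch template" example passes `"LaunchTemplateId": "068f72b72934aff71"` without the `lt-` prefix, while both output entries return `lt-068f72b72934aff71`. The input should read `"LaunchTemplateId": "lt-068f72b72934aff71"` so the example is self-consistent and usable as written. The same example uses `arn:aws:iam::123456789102:root`, whereas the launch-template example in the next hunk uses `123456789012`. The former looks like a digit transposition and could correspond to an assignable account ID, so `123456789012` is the safer value in both `CreatedBy` fields. This file appears to be imported from the upstream service model, so the correction probably belongs there rather than in a local edit.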
", + "smithy.api#examples": [ + { + "title": "To describe a launch template", + "documentation": "This example describes the specified launch template.", + "input": { + "LaunchTemplateIds": [ + "lt-01238c059e3466abc" + ] + }, + "output": { + "LaunchTemplates": [ + { + "LatestVersionNumber": 1, + "LaunchTemplateName": "my-template", + "LaunchTemplateId": "lt-01238c059e3466abc", + "CreatedBy": "arn:aws:iam::123456789012:root", + "CreateTime": "2018-01-16T04:32:57.000Z", + "DefaultVersionNumber": 1 + } + ] + } + } + ], "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -32227,6 +33570,20 @@ }, "traits": { "smithy.api#documentation": "This action is deprecated.
\nDescribes your Elastic IP addresses that are being moved from or being restored to the EC2-Classic platform. \n This request does not return information about any other Elastic IP addresses in your account.
", + "smithy.api#examples": [ + { + "title": "To describe your moving addresses", + "documentation": "This example describes all of your moving Elastic IP addresses.", + "output": { + "MovingAddressStatuses": [ + { + "PublicIp": "198.51.100.0", + "MoveStatus": "movingToVpc" + } + ] + } + } + ], "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -32331,6 +33688,41 @@ }, "traits": { "smithy.api#documentation": "Describes one or more of your NAT gateways.
", + "smithy.api#examples": [ + { + "title": "To describe a NAT gateway", + "documentation": "This example describes the NAT gateway for the specified VPC.", + "input": { + "Filter": [ + { + "Name": "vpc-id", + "Values": [ + "vpc-1a2b3c4d" + ] + } + ] + }, + "output": { + "NatGateways": [ + { + "NatGatewayAddresses": [ + { + "PublicIp": "198.11.222.333", + "NetworkInterfaceId": "eni-9dec76cd", + "AllocationId": "eipalloc-89c620ec", + "PrivateIp": "10.0.0.149" + } + ], + "VpcId": "vpc-1a2b3c4d", + "State": "available", + "NatGatewayId": "nat-05dba92075d71c408", + "SubnetId": "subnet-847e4dc2", + "CreateTime": "2015-12-01T12:26:55.983Z" + } + ] + } + } + ], "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -32440,7 +33832,7 @@ "Filter": { "target": "com.amazonaws.ec2#FilterList", "traits": { - "smithy.api#documentation": "One or more filters.
\n\n nat-gateway-id
- The ID of the NAT gateway.
\n state
- The state of the NAT gateway (pending
|\n failed
| available
| deleting
| deleted
).
\n subnet-id
- The ID of the subnet in which the NAT gateway resides.
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
\n vpc-id
- The ID of the VPC in which the NAT gateway resides.
The filters.
\n\n nat-gateway-id
- The ID of the NAT gateway.
\n state
- The state of the NAT gateway (pending
|\n failed
| available
| deleting
| deleted
).
\n subnet-id
- The ID of the subnet in which the NAT gateway resides.
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
\n vpc-id
- The ID of the VPC in which the NAT gateway resides.
One or more NAT gateway IDs.
", + "smithy.api#documentation": "The IDs of the NAT gateways.
", "smithy.api#xmlName": "NatGatewayId" } }, @@ -32502,7 +33894,51 @@ "target": "com.amazonaws.ec2#DescribeNetworkAclsResult" }, "traits": { - "smithy.api#documentation": "Describes one or more of your network ACLs.
\nFor more information, see Network ACLs in the\n\t\t\t\tAmazon Virtual Private Cloud User Guide.
", + "smithy.api#documentation": "Describes one or more of your network ACLs.
\nFor more information, see Network ACLs in the\n\t\t\t\tAmazon VPC User Guide.
", + "smithy.api#examples": [ + { + "title": "To describe a network ACL", + "documentation": "This example describes the specified network ACL.", + "input": { + "NetworkAclIds": [ + "acl-5fb85d36" + ] + }, + "output": { + "NetworkAcls": [ + { + "Associations": [ + { + "SubnetId": "subnet-65ea5f08", + "NetworkAclId": "acl-9aeb5ef7", + "NetworkAclAssociationId": "aclassoc-66ea5f0b" + } + ], + "NetworkAclId": "acl-5fb85d36", + "VpcId": "vpc-a01106c2", + "Tags": [], + "Entries": [ + { + "CidrBlock": "0.0.0.0/0", + "RuleNumber": 32767, + "Protocol": "-1", + "Egress": true, + "RuleAction": "deny" + }, + { + "CidrBlock": "0.0.0.0/0", + "RuleNumber": 32767, + "Protocol": "-1", + "Egress": false, + "RuleAction": "deny" + } + ], + "IsDefault": false + } + ] + } + } + ], "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -32527,7 +33963,7 @@ "Filters": { "target": "com.amazonaws.ec2#FilterList", "traits": { - "smithy.api#documentation": "One or more filters.
\n\n association.association-id
- The ID of an association ID for the ACL.
\n association.network-acl-id
- The ID of the network ACL involved in the association.
\n association.subnet-id
- The ID of the subnet involved in the association.
\n default
- Indicates whether the ACL is the default network ACL for the VPC.
\n entry.cidr
- The IPv4 CIDR range specified in the entry.
\n entry.icmp.code
- The ICMP code specified in the entry, if any.
\n entry.icmp.type
- The ICMP type specified in the entry, if any.
\n entry.ipv6-cidr
- The IPv6 CIDR range specified in the entry.
\n entry.port-range.from
- The start of the port range specified in the entry.
\n entry.port-range.to
- The end of the port range specified in the entry.
\n entry.protocol
- The protocol specified in the entry (tcp
| udp
| icmp
or a protocol number).
\n entry.rule-action
- Allows or denies the matching traffic (allow
| deny
).
\n entry.egress
- A Boolean that indicates the type of rule. Specify true
\n\t\t for egress rules, or false
for ingress rules.
\n entry.rule-number
- The number of an entry (in other words, rule) in\n the set of ACL entries.
\n network-acl-id
- The ID of the network ACL.
\n owner-id
- The ID of the Amazon Web Services account that owns the network ACL.
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
\n vpc-id
- The ID of the VPC for the network ACL.
The filters.
\n\n association.association-id
- The ID of an association ID for the ACL.
\n association.network-acl-id
- The ID of the network ACL involved in the association.
\n association.subnet-id
- The ID of the subnet involved in the association.
\n default
- Indicates whether the ACL is the default network ACL for the VPC.
\n entry.cidr
- The IPv4 CIDR range specified in the entry.
\n entry.icmp.code
- The ICMP code specified in the entry, if any.
\n entry.icmp.type
- The ICMP type specified in the entry, if any.
\n entry.ipv6-cidr
- The IPv6 CIDR range specified in the entry.
\n entry.port-range.from
- The start of the port range specified in the entry.
\n entry.port-range.to
- The end of the port range specified in the entry.
\n entry.protocol
- The protocol specified in the entry (tcp
| udp
| icmp
or a protocol number).
\n entry.rule-action
- Allows or denies the matching traffic (allow
| deny
).
\n entry.egress
- A Boolean that indicates the type of rule. Specify true
\n\t\t for egress rules, or false
for ingress rules.
\n entry.rule-number
- The number of an entry (in other words, rule) in\n the set of ACL entries.
\n network-acl-id
- The ID of the network ACL.
\n owner-id
- The ID of the Amazon Web Services account that owns the network ACL.
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
\n vpc-id
- The ID of the VPC for the network ACL.
One or more network ACL IDs.
\nDefault: Describes all your network ACLs.
", + "smithy.api#documentation": "The IDs of the network ACLs.
\nDefault: Describes all your network ACLs.
", "smithy.api#xmlName": "NetworkAclId" } }, @@ -32980,7 +34416,29 @@ "target": "com.amazonaws.ec2#DescribeNetworkInterfaceAttributeResult" }, "traits": { - "smithy.api#documentation": "Describes a network interface attribute. You can specify only one attribute at a time.
" + "smithy.api#documentation": "Describes a network interface attribute. You can specify only one attribute at a time.
", + "smithy.api#examples": [ + { + "title": "To describe the attachment attribute of a network interface", + "documentation": "This example describes the attachment attribute of the specified network interface.", + "input": { + "NetworkInterfaceId": "eni-686ea200", + "Attribute": "attachment" + }, + "output": { + "NetworkInterfaceId": "eni-686ea200", + "Attachment": { + "Status": "attached", + "DeviceIndex": 0, + "AttachTime": "2015-05-21T20:02:20.000Z", + "InstanceId": "i-1234567890abcdef0", + "DeleteOnTermination": true, + "AttachmentId": "eni-attach-43348162", + "InstanceOwnerId": "123456789012" + } + } + } + ] } }, "com.amazonaws.ec2#DescribeNetworkInterfaceAttributeRequest": { @@ -33169,6 +34627,70 @@ }, "traits": { "smithy.api#documentation": "Describes one or more of your network interfaces.
", + "smithy.api#examples": [ + { + "title": "To describe a network interface", + "documentation": "", + "input": { + "NetworkInterfaceIds": [ + "eni-e5aa89a3" + ] + }, + "output": { + "NetworkInterfaces": [ + { + "Status": "in-use", + "MacAddress": "02:2f:8f:b0:cf:75", + "SourceDestCheck": true, + "VpcId": "vpc-a01106c2", + "Description": "my network interface", + "Association": { + "PublicIp": "203.0.113.12", + "AssociationId": "eipassoc-0fbb766a", + "PublicDnsName": "ec2-203-0-113-12.compute-1.amazonaws.com", + "IpOwnerId": "123456789012" + }, + "NetworkInterfaceId": "eni-e5aa89a3", + "PrivateIpAddresses": [ + { + "PrivateDnsName": "ip-10-0-1-17.ec2.internal", + "Association": { + "PublicIp": "203.0.113.12", + "AssociationId": "eipassoc-0fbb766a", + "PublicDnsName": "ec2-203-0-113-12.compute-1.amazonaws.com", + "IpOwnerId": "123456789012" + }, + "Primary": true, + "PrivateIpAddress": "10.0.1.17" + } + ], + "RequesterManaged": false, + "PrivateDnsName": "ip-10-0-1-17.ec2.internal", + "AvailabilityZone": "us-east-1d", + "Attachment": { + "Status": "attached", + "DeviceIndex": 1, + "AttachTime": "2013-11-30T23:36:42.000Z", + "InstanceId": "i-1234567890abcdef0", + "DeleteOnTermination": false, + "AttachmentId": "eni-attach-66c4350a", + "InstanceOwnerId": "123456789012" + }, + "Groups": [ + { + "GroupName": "default", + "GroupId": "sg-8637d3e3" + } + ], + "SubnetId": "subnet-b61f49f0", + "OwnerId": "123456789012", + "TagSet": [], + "PrivateIpAddress": "10.0.1.17" + } + ] + } + } + ], "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -33615,7 +35137,61 @@ "target": "com.amazonaws.ec2#DescribeRegionsResult" }, "traits": { - "smithy.api#documentation": "Describes the Regions that are enabled for your account, or all Regions.
\nFor a list of the Regions supported by Amazon EC2, see \n Amazon Elastic Compute Cloud endpoints and quotas.
\nFor information about enabling and disabling Regions for your account, see Managing Amazon Web Services Regions in the Amazon Web Services General Reference.
" + "smithy.api#documentation": "Describes the Regions that are enabled for your account, or all Regions.
\nFor a list of the Regions supported by Amazon EC2, see \n Amazon Elastic Compute Cloud endpoints and quotas.
\nFor information about enabling and disabling Regions for your account, see Managing Amazon Web Services Regions in the Amazon Web Services General Reference.
", + "smithy.api#examples": [ + { + "title": "To describe your regions", + "documentation": "This example describes all the regions that are available to you.", + "output": { + "Regions": [ + { + "Endpoint": "ec2.ap-south-1.amazonaws.com", + "RegionName": "ap-south-1" + }, + { + "Endpoint": "ec2.eu-west-1.amazonaws.com", + "RegionName": "eu-west-1" + }, + { + "Endpoint": "ec2.ap-southeast-1.amazonaws.com", + "RegionName": "ap-southeast-1" + }, + { + "Endpoint": "ec2.ap-southeast-2.amazonaws.com", + "RegionName": "ap-southeast-2" + }, + { + "Endpoint": "ec2.eu-central-1.amazonaws.com", + "RegionName": "eu-central-1" + }, + { + "Endpoint": "ec2.ap-northeast-2.amazonaws.com", + "RegionName": "ap-northeast-2" + }, + { + "Endpoint": "ec2.ap-northeast-1.amazonaws.com", + "RegionName": "ap-northeast-1" + }, + { + "Endpoint": "ec2.us-east-1.amazonaws.com", + "RegionName": "us-east-1" + }, + { + "Endpoint": "ec2.sa-east-1.amazonaws.com", + "RegionName": "sa-east-1" + }, + { + "Endpoint": "ec2.us-west-1.amazonaws.com", + "RegionName": "us-west-1" + }, + { + "Endpoint": "ec2.us-west-2.amazonaws.com", + "RegionName": "us-west-2" + } + ] + } + } + ] } }, "com.amazonaws.ec2#DescribeRegionsRequest": { @@ -34155,7 +35731,42 @@ "target": "com.amazonaws.ec2#DescribeRouteTablesResult" }, "traits": { - "smithy.api#documentation": "Describes one or more of your route tables.
\nEach subnet in your VPC must be associated with a route table. If a subnet is not explicitly associated with any route table, it is implicitly associated with the main route table. This command does not return the subnet ID for implicit associations.
\nFor more information, see Route tables in the\n\t\t\t\tAmazon Virtual Private Cloud User Guide.
", + "smithy.api#documentation": "Describes one or more of your route tables.
\nEach subnet in your VPC must be associated with a route table. If a subnet is not explicitly associated with any route table, it is implicitly associated with the main route table. This command does not return the subnet ID for implicit associations.
\nFor more information, see Route tables in the\n\t\t\t\tAmazon VPC User Guide.
", + "smithy.api#examples": [ + { + "title": "To describe a route table", + "documentation": "This example describes the specified route table.", + "input": { + "RouteTableIds": [ + "rtb-1f382e7d" + ] + }, + "output": { + "RouteTables": [ + { + "Associations": [ + { + "RouteTableAssociationId": "rtbassoc-d8ccddba", + "Main": true, + "RouteTableId": "rtb-1f382e7d" + } + ], + "RouteTableId": "rtb-1f382e7d", + "VpcId": "vpc-a01106c2", + "PropagatingVgws": [], + "Tags": [], + "Routes": [ + { + "GatewayId": "local", + "DestinationCidrBlock": "10.0.0.0/16", + "State": "active" + } + ] + } + ] + } + } + ], "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -34180,7 +35791,7 @@ "Filters": { "target": "com.amazonaws.ec2#FilterList", "traits": { - "smithy.api#documentation": "One or more filters.
\n\n association.route-table-association-id
- The ID of an association\n ID for the route table.
\n association.route-table-id
- The ID of the route table involved in\n the association.
\n association.subnet-id
- The ID of the subnet involved in the\n association.
\n association.main
- Indicates whether the route table is the main\n route table for the VPC (true
| false
). Route tables\n that do not have an association ID are not returned in the response.
\n owner-id
- The ID of the Amazon Web Services account that owns the route table.
\n route-table-id
- The ID of the route table.
\n route.destination-cidr-block
- The IPv4 CIDR range specified in a\n route in the table.
\n route.destination-ipv6-cidr-block
- The IPv6 CIDR range specified in a route in the route table.
\n route.destination-prefix-list-id
- The ID (prefix) of the Amazon Web Service\n specified in a route in the table.
\n route.egress-only-internet-gateway-id
- The ID of an\n egress-only Internet gateway specified in a route in the route table.
\n route.gateway-id
- The ID of a gateway specified in a route in the table.
\n route.instance-id
- The ID of an instance specified in a route in the table.
\n route.nat-gateway-id
- The ID of a NAT gateway.
\n route.transit-gateway-id
- The ID of a transit gateway.
\n route.origin
- Describes how the route was created. \n CreateRouteTable
indicates that the route was automatically\n created when the route table was created; CreateRoute
indicates\n that the route was manually added to the route table;\n EnableVgwRoutePropagation
indicates that the route was\n propagated by route propagation.
\n route.state
- The state of a route in the route table\n (active
| blackhole
). The blackhole state\n indicates that the route's target isn't available (for example, the specified\n gateway isn't attached to the VPC, the specified NAT instance has been\n terminated, and so on).
\n route.vpc-peering-connection-id
- The ID of a VPC peering\n\t\t connection specified in a route in the table.
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
\n vpc-id
- The ID of the VPC for the route table.
The filters.
\n\n association.route-table-association-id
- The ID of an association\n ID for the route table.
\n association.route-table-id
- The ID of the route table involved in\n the association.
\n association.subnet-id
- The ID of the subnet involved in the\n association.
\n association.main
- Indicates whether the route table is the main\n route table for the VPC (true
| false
). Route tables\n that do not have an association ID are not returned in the response.
\n owner-id
- The ID of the Amazon Web Services account that owns the route table.
\n route-table-id
- The ID of the route table.
\n route.destination-cidr-block
- The IPv4 CIDR range specified in a\n route in the table.
\n route.destination-ipv6-cidr-block
- The IPv6 CIDR range specified in a route in the route table.
\n route.destination-prefix-list-id
- The ID (prefix) of the Amazon Web Service\n specified in a route in the table.
\n route.egress-only-internet-gateway-id
- The ID of an\n egress-only Internet gateway specified in a route in the route table.
\n route.gateway-id
- The ID of a gateway specified in a route in the table.
\n route.instance-id
- The ID of an instance specified in a route in the table.
\n route.nat-gateway-id
- The ID of a NAT gateway.
\n route.transit-gateway-id
- The ID of a transit gateway.
\n route.origin
- Describes how the route was created. \n CreateRouteTable
indicates that the route was automatically\n created when the route table was created; CreateRoute
indicates\n that the route was manually added to the route table;\n EnableVgwRoutePropagation
indicates that the route was\n propagated by route propagation.
\n route.state
- The state of a route in the route table\n (active
| blackhole
). The blackhole state\n indicates that the route's target isn't available (for example, the specified\n gateway isn't attached to the VPC, the specified NAT instance has been\n terminated, and so on).
\n route.vpc-peering-connection-id
- The ID of a VPC peering\n\t\t connection specified in a route in the table.
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
\n vpc-id
- The ID of the VPC for the route table.
One or more route table IDs.
\nDefault: Describes all your route tables.
", + "smithy.api#documentation": "The IDs of the route tables.
\nDefault: Describes all your route tables.
", "smithy.api#xmlName": "RouteTableId" } }, @@ -34471,7 +36082,27 @@ "target": "com.amazonaws.ec2#DescribeSecurityGroupReferencesResult" }, "traits": { - "smithy.api#documentation": "[VPC only] Describes the VPCs on the other side of a VPC peering connection that are referencing the security groups you've specified in this request.
" + "smithy.api#documentation": "Describes the VPCs on the other side of a VPC peering connection that are referencing the security groups you've specified in this request.
", + "smithy.api#examples": [ + { + "title": "To describe security group references", + "documentation": "This example describes the security group references for the specified security group.", + "input": { + "GroupId": [ + "sg-903004f8" + ] + }, + "output": { + "SecurityGroupReferenceSet": [ + { + "ReferencingVpcId": "vpc-1a2b3c4d", + "GroupId": "sg-903004f8", + "VpcPeeringConnectionId": "pcx-b04deed9" + } + ] + } + } + ] } }, "com.amazonaws.ec2#DescribeSecurityGroupReferencesRequest": { @@ -34619,7 +36250,19 @@ "target": "com.amazonaws.ec2#DescribeSecurityGroupsResult" }, "traits": { - "smithy.api#documentation": "Describes the specified security groups or all of your security groups.
\nA security group is for use with instances either in the EC2-Classic platform \n\t\t\t\tor in a specific VPC. For more information, see\n\t\t\t\tAmazon EC2 security groups in \n\t\t\t\tthe Amazon Elastic Compute Cloud User Guide and \n\t\t\t\tSecurity groups for your VPC in the\n\t\t\t\tAmazon Virtual Private Cloud User Guide.
\nWe are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nDescribes the specified security groups or all of your security groups.
", + "smithy.api#examples": [ + { + "title": "To describe a security group", + "documentation": "This example describes the specified security group.", + "input": { + "GroupIds": [ + "sg-903004f8" + ] + }, + "output": {} + } + ], "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -34684,7 +36327,7 @@ "GroupNames": { "target": "com.amazonaws.ec2#GroupNameStringList", "traits": { - "smithy.api#documentation": "[EC2-Classic and default VPC only] The names of the security groups. You can specify either\n\t\t\tthe security group name or the security group ID. For security groups in a nondefault VPC, use\n\t\t\tthe group-name
filter to describe security groups by name.
Default: Describes all of your security groups.
", + "smithy.api#documentation": "[Default VPC] The names of the security groups. You can specify either\n\t\t\tthe security group name or the security group ID.
\nDefault: Describes all of your security groups.
", "smithy.api#xmlName": "GroupName" } }, @@ -34750,7 +36393,21 @@ "target": "com.amazonaws.ec2#DescribeSnapshotAttributeResult" }, "traits": { - "smithy.api#documentation": "Describes the specified attribute of the specified snapshot. You can specify only one\n attribute at a time.
\nFor more information about EBS snapshots, see Amazon EBS snapshots in the Amazon Elastic Compute Cloud User Guide.
" + "smithy.api#documentation": "Describes the specified attribute of the specified snapshot. You can specify only one\n attribute at a time.
\nFor more information about EBS snapshots, see Amazon EBS snapshots in the Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#examples": [ + { + "title": "To describe snapshot attributes", + "documentation": "This example describes the ``createVolumePermission`` attribute on a snapshot with the snapshot ID of ``snap-066877671789bd71b``.", + "input": { + "SnapshotId": "snap-066877671789bd71b", + "Attribute": "createVolumePermission" + }, + "output": { + "SnapshotId": "snap-066877671789bd71b", + "CreateVolumePermissions": [] + } + } + ] } }, "com.amazonaws.ec2#DescribeSnapshotAttributeRequest": { @@ -34909,6 +36566,32 @@ }, "traits": { "smithy.api#documentation": "Describes the specified EBS snapshots available to you or all of the EBS snapshots\n available to you.
\nThe snapshots available to you include public snapshots, private snapshots that you own,\n and private snapshots owned by other Amazon Web Services accounts for which you have explicit create volume\n permissions.
\nThe create volume permissions fall into the following categories:
\n\n public: The owner of the snapshot granted create volume\n permissions for the snapshot to the all
group. All Amazon Web Services accounts have create\n volume permissions for these snapshots.
\n explicit: The owner of the snapshot granted create volume\n permissions to a specific Amazon Web Services account.
\n\n implicit: An Amazon Web Services account has implicit create volume permissions\n for all snapshots it owns.
\nThe list of snapshots returned can be filtered by specifying snapshot IDs, snapshot\n owners, or Amazon Web Services accounts with create volume permissions. If no options are specified, \n Amazon EC2 returns all snapshots for which you have create volume permissions.
\nIf you specify one or more snapshot IDs, only snapshots that have the specified IDs are\n returned. If you specify an invalid snapshot ID, an error is returned. If you specify a\n snapshot ID for which you do not have access, it is not included in the returned\n results.
\nIf you specify one or more snapshot owners using the OwnerIds
option, only\n snapshots from the specified owners and for which you have access are returned. The results\n can include the Amazon Web Services account IDs of the specified owners, amazon
for snapshots\n owned by Amazon, or self
for snapshots that you own.
If you specify a list of restorable users, only snapshots with create snapshot permissions\n for those users are returned. You can specify Amazon Web Services account IDs (if you own the snapshots),\n self
for snapshots for which you own or have explicit permissions, or\n all
for public snapshots.
If you are describing a long list of snapshots, we recommend that you paginate the output to make the\n list more manageable. For more information, see Pagination.
\nTo get the state of fast snapshot restores for a snapshot, use DescribeFastSnapshotRestores.
\nFor more information about EBS snapshots, see Amazon EBS snapshots in the Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#examples": [ + { + "title": "To describe a snapshot", + "documentation": "This example describes a snapshot with the snapshot ID of ``snap-1234567890abcdef0``.", + "input": { + "SnapshotIds": [ + "snap-1234567890abcdef0" + ] + }, + "output": { + "Snapshots": [ + { + "Description": "This is my snapshot.", + "VolumeId": "vol-049df61146c4d7901", + "State": "completed", + "VolumeSize": 8, + "Progress": "100%", + "StartTime": "2014-02-28T21:28:32.000Z", + "SnapshotId": "snap-1234567890abcdef0", + "OwnerId": "012345678910" + } + ], + "NextToken": "" + } + } + ], "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -35037,7 +36720,21 @@ "target": "com.amazonaws.ec2#DescribeSpotDatafeedSubscriptionResult" }, "traits": { - "smithy.api#documentation": "Describes the data feed for Spot Instances. For more information, see Spot\n Instance data feed in the Amazon EC2 User Guide for Linux Instances.
" + "smithy.api#documentation": "Describes the data feed for Spot Instances. For more information, see Spot\n Instance data feed in the Amazon EC2 User Guide for Linux Instances.
", + "smithy.api#examples": [ + { + "title": "To describe the datafeed for your AWS account", + "documentation": "This example describes the Spot Instance datafeed subscription for your AWS account.", + "output": { + "SpotDatafeedSubscription": { + "OwnerId": "123456789012", + "Prefix": "spotdata", + "Bucket": "my-s3-bucket", + "State": "Active" + } + } + } + ] } }, "com.amazonaws.ec2#DescribeSpotDatafeedSubscriptionRequest": { @@ -35085,7 +36782,26 @@ "target": "com.amazonaws.ec2#DescribeSpotFleetInstancesResponse" }, "traits": { - "smithy.api#documentation": "Describes the running instances for the specified Spot Fleet.
" + "smithy.api#documentation": "Describes the running instances for the specified Spot Fleet.
", + "smithy.api#examples": [ + { + "title": "To describe the Spot Instances associated with a Spot fleet", + "documentation": "This example lists the Spot Instances associated with the specified Spot fleet.", + "input": { + "SpotFleetRequestId": "sfr-73fbd2ce-aa30-494c-8788-1cee4EXAMPLE" + }, + "output": { + "SpotFleetRequestId": "sfr-73fbd2ce-aa30-494c-8788-1cee4EXAMPLE", + "ActiveInstances": [ + { + "InstanceId": "i-1234567890abcdef0", + "InstanceType": "m3.medium", + "SpotInstanceRequestId": "sir-08b93456" + } + ] + } + } + ] } }, "com.amazonaws.ec2#DescribeSpotFleetInstancesMaxResults": { @@ -35187,7 +36903,54 @@ "target": "com.amazonaws.ec2#DescribeSpotFleetRequestHistoryResponse" }, "traits": { - "smithy.api#documentation": "Describes the events for the specified Spot Fleet request during the specified\n time.
\nSpot Fleet events are delayed by up to 30 seconds before they can be described. This\n ensures that you can query by the last evaluated time and not miss a recorded event.\n Spot Fleet events are available for 48 hours.
\nFor more information, see Monitor fleet events using Amazon\n EventBridge in the Amazon EC2 User Guide.
" + "smithy.api#documentation": "Describes the events for the specified Spot Fleet request during the specified\n time.
\nSpot Fleet events are delayed by up to 30 seconds before they can be described. This\n ensures that you can query by the last evaluated time and not miss a recorded event.\n Spot Fleet events are available for 48 hours.
\nFor more information, see Monitor fleet events using Amazon\n EventBridge in the Amazon EC2 User Guide.
", + "smithy.api#examples": [ + { + "title": "To describe Spot fleet history", + "documentation": "This example returns the history for the specified Spot fleet starting at the specified time.", + "input": { + "SpotFleetRequestId": "sfr-73fbd2ce-aa30-494c-8788-1cee4EXAMPLE", + "StartTime": "2015-05-26T00:00:00Z" + }, + "output": { + "HistoryRecords": [ + { + "Timestamp": "2015-05-26T23:17:20.697Z", + "EventInformation": { + "EventSubType": "submitted" + }, + "EventType": "fleetRequestChange" + }, + { + "Timestamp": "2015-05-26T23:17:20.873Z", + "EventInformation": { + "EventSubType": "active" + }, + "EventType": "fleetRequestChange" + }, + { + "Timestamp": "2015-05-26T23:21:21.712Z", + "EventInformation": { + "InstanceId": "i-1234567890abcdef0", + "EventSubType": "launched" + }, + "EventType": "instanceChange" + }, + { + "Timestamp": "2015-05-26T23:21:21.816Z", + "EventInformation": { + "InstanceId": "i-1234567890abcdef1", + "EventSubType": "launched" + }, + "EventType": "instanceChange" + } + ], + "SpotFleetRequestId": "sfr-73fbd2ce-aa30-494c-8788-1cee4EXAMPLE", + "StartTime": "2015-05-26T00:00:00Z", + "NextToken": "CpHNsscimcV5oH7bSbub03CI2Qms5+ypNpNm+53MNlR0YcXAkp0xFlfKf91yVxSExmbtma3awYxMFzNA663ZskT0AHtJ6TCb2Z8bQC2EnZgyELbymtWPfpZ1ZbauVg+P+TfGlWxWWB/Vr5dk5d4LfdgA/DRAHUrYgxzrEXAMPLE=" + } + } + ] } }, "com.amazonaws.ec2#DescribeSpotFleetRequestHistoryMaxResults": { @@ -35324,6 +37087,60 @@ }, "traits": { "smithy.api#documentation": "Describes your Spot Fleet requests.
\nSpot Fleet requests are deleted 48 hours after they are canceled and their instances\n are terminated.
", + "smithy.api#examples": [ + { + "title": "To describe a Spot fleet request", + "documentation": "This example describes the specified Spot fleet request.", + "input": { + "SpotFleetRequestIds": [ + "sfr-73fbd2ce-aa30-494c-8788-1cee4EXAMPLE" + ] + }, + "output": { + "SpotFleetRequestConfigs": [ + { + "SpotFleetRequestId": "sfr-73fbd2ce-aa30-494c-8788-1cee4EXAMPLE", + "SpotFleetRequestConfig": { + "TargetCapacity": 20, + "LaunchSpecifications": [ + { + "EbsOptimized": false, + "NetworkInterfaces": [ + { + "SubnetId": "subnet-a61dafcf", + "DeviceIndex": 0, + "DeleteOnTermination": false, + "AssociatePublicIpAddress": true, + "SecondaryPrivateIpAddressCount": 0 + } + ], + "InstanceType": "cc2.8xlarge", + "ImageId": "ami-1a2b3c4d" + }, + { + "EbsOptimized": false, + "NetworkInterfaces": [ + { + "SubnetId": "subnet-a61dafcf", + "DeviceIndex": 0, + "DeleteOnTermination": false, + "AssociatePublicIpAddress": true, + "SecondaryPrivateIpAddressCount": 0 + } + ], + "InstanceType": "r3.8xlarge", + "ImageId": "ami-1a2b3c4d" + } + ], + "SpotPrice": "0.05", + "IamFleetRole": "arn:aws:iam::123456789012:role/my-spot-fleet-role" + }, + "SpotFleetRequestState": "active" + } + ] + } + } + ], "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -35412,6 +37229,58 @@ }, "traits": { "smithy.api#documentation": "Describes the specified Spot Instance requests.
\nYou can use DescribeSpotInstanceRequests
to find a running Spot Instance by\n examining the response. If the status of the Spot Instance is fulfilled
, the\n instance ID appears in the response and contains the identifier of the instance.\n Alternatively, you can use DescribeInstances\n with a filter to look for instances where the instance lifecycle is\n spot
.
We recommend that you set MaxResults
to a value between 5 and 1000 to\n limit the number of items returned. This paginates the output, which makes the list\n more manageable and returns the items faster. If the list of items exceeds your\n MaxResults
value, then that number of items is returned along with a\n NextToken
value that can be passed to a subsequent\n DescribeSpotInstanceRequests
request to retrieve the remaining\n items.
Spot Instance requests are deleted four hours after they are canceled and their instances are\n terminated.
", + "smithy.api#examples": [ + { + "title": "To describe a Spot Instance request", + "documentation": "This example describes the specified Spot Instance request.", + "input": { + "SpotInstanceRequestIds": [ + "sir-08b93456" + ] + }, + "output": { + "SpotInstanceRequests": [ + { + "Status": { + "UpdateTime": "2014-04-30T18:16:21.000Z", + "Code": "fulfilled", + "Message": "Your Spot request is fulfilled." + }, + "ProductDescription": "Linux/UNIX", + "InstanceId": "i-1234567890abcdef0", + "SpotInstanceRequestId": "sir-08b93456", + "State": "active", + "LaunchedAvailabilityZone": "us-west-1b", + "LaunchSpecification": { + "ImageId": "ami-7aba833f", + "KeyName": "my-key-pair", + "BlockDeviceMappings": [ + { + "DeviceName": "/dev/sda1", + "Ebs": { + "DeleteOnTermination": true, + "VolumeType": "standard", + "VolumeSize": 8 + } + } + ], + "EbsOptimized": false, + "SecurityGroups": [ + { + "GroupName": "my-security-group", + "GroupId": "sg-e38f24a7" + } + ], + "InstanceType": "m1.small" + }, + "Type": "one-time", + "CreateTime": "2014-04-30T18:14:55.000Z", + "SpotPrice": "0.010000" + } + ] + } + } + ], "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -35578,6 +37447,40 @@ }, "traits": { "smithy.api#documentation": "Describes the Spot price history. For more information, see Spot Instance pricing history in the\n Amazon EC2 User Guide for Linux Instances.
\nWhen you specify a start and end time, the operation returns the prices of the\n instance types within that time range. It also returns the last price change before the\n start time, which is the effective price as of the start time.
", + "smithy.api#examples": [ + { + "title": "To describe Spot price history for Linux/UNIX (Amazon VPC)", + "documentation": "This example returns the Spot Price history for m1.xlarge, Linux/UNIX (Amazon VPC) instances for a particular day in January.", + "input": { + "StartTime": "2014-01-06T07:08:09.05Z", + "EndTime": "2014-01-06T08:09:10.05Z", + "InstanceTypes": [ + "m1.xlarge" + ], + "ProductDescriptions": [ + "Linux/UNIX (Amazon VPC)" + ] + }, + "output": { + "SpotPriceHistory": [ + { + "Timestamp": "2014-01-06T04:32:53.000Z", + "ProductDescription": "Linux/UNIX (Amazon VPC)", + "InstanceType": "m1.xlarge", + "SpotPrice": "0.080000", + "AvailabilityZone": "us-west-1a" + }, + { + "Timestamp": "2014-01-05T11:28:26.000Z", + "ProductDescription": "Linux/UNIX (Amazon VPC)", + "InstanceType": "m1.xlarge", + "SpotPrice": "0.080000", + "AvailabilityZone": "us-west-1c" + } + ] + } + } + ], "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -35702,7 +37605,7 @@ "target": "com.amazonaws.ec2#DescribeStaleSecurityGroupsResult" }, "traits": { - "smithy.api#documentation": "[VPC only] Describes the stale security group rules for security groups in a specified VPC. \n Rules are stale when they reference a deleted security group in the same VPC or in a peer VPC, \n or if they reference a security group in a peer VPC for which the VPC peering connection has \n been deleted.
", + "smithy.api#documentation": "Describes the stale security group rules for security groups in a specified VPC. \n Rules are stale when they reference a deleted security group in the same VPC or in a peer VPC, \n or if they reference a security group in a peer VPC for which the VPC peering connection has \n been deleted.
", "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -35807,6 +37710,43 @@ "outputToken": "NextToken", "items": "StoreImageTaskResults", "pageSize": "MaxResults" + }, + "smithy.waiters#waitable": { + "StoreImageTaskComplete": { + "acceptors": [ + { + "state": "success", + "matcher": { + "output": { + "path": "StoreImageTaskResults[].StoreTaskState", + "expected": "Completed", + "comparator": "allStringEquals" + } + } + }, + { + "state": "failure", + "matcher": { + "output": { + "path": "StoreImageTaskResults[].StoreTaskState", + "expected": "Failed", + "comparator": "anyStringEquals" + } + } + }, + { + "state": "retry", + "matcher": { + "output": { + "path": "StoreImageTaskResults[].StoreTaskState", + "expected": "InProgress", + "comparator": "anyStringEquals" + } + } + } + ], + "minDelay": 5 + } } } }, @@ -35897,7 +37837,37 @@ "target": "com.amazonaws.ec2#DescribeSubnetsResult" }, "traits": { - "smithy.api#documentation": "Describes one or more of your subnets.
\nFor more information, see Your VPC and subnets in the\n\t\t\t\tAmazon Virtual Private Cloud User Guide.
", + "smithy.api#documentation": "Describes one or more of your subnets.
\nFor more information, see Subnets in the\n\t\t\t\tAmazon VPC User Guide.
", + "smithy.api#examples": [ + { + "title": "To describe the subnets for a VPC", + "documentation": "This example describes the subnets for the specified VPC.", + "input": { + "Filters": [ + { + "Name": "vpc-id", + "Values": [ + "vpc-a01106c2" + ] + } + ] + }, + "output": { + "Subnets": [ + { + "VpcId": "vpc-a01106c2", + "CidrBlock": "10.0.1.0/24", + "MapPublicIpOnLaunch": false, + "DefaultForAz": false, + "State": "available", + "AvailabilityZone": "us-east-1c", + "SubnetId": "subnet-9d4a7b6c", + "AvailableIpAddressCount": 251 + } + ] + } + } + ], "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -35939,14 +37909,14 @@ "Filters": { "target": "com.amazonaws.ec2#FilterList", "traits": { - "smithy.api#documentation": "One or more filters.
\n\n availability-zone
- The Availability Zone for the subnet. You can also use\n availabilityZone
as the filter name.
\n availability-zone-id
- The ID of the Availability Zone for the subnet.\n You can also use availabilityZoneId
as the filter name.
\n available-ip-address-count
- The number of IPv4 addresses in the\n subnet that are available.
\n cidr-block
- The IPv4 CIDR block of the subnet. The CIDR block\n you specify must exactly match the subnet's CIDR block for information to be\n returned for the subnet. You can also use cidr
or\n cidrBlock
as the filter names.
\n customer-owned-ipv4-pool
- The customer-owned IPv4 address pool\n associated with the subnet.
\n default-for-az
- Indicates whether this is the default subnet for\n the Availability Zone (true
| false
). You can also use\n defaultForAz
as the filter name.
\n enable-dns64
- Indicates whether DNS queries made to the\n Amazon-provided DNS Resolver in this subnet should return synthetic IPv6\n addresses for IPv4-only destinations.
\n enable-lni-at-device-index
- Indicates the device position for\n local network interfaces in this subnet. For example, 1
indicates\n local network interfaces in this subnet are the secondary network interface\n (eth1).
\n ipv6-cidr-block-association.ipv6-cidr-block
- An IPv6 CIDR\n block associated with the subnet.
\n ipv6-cidr-block-association.association-id
- An association ID\n for an IPv6 CIDR block associated with the subnet.
\n ipv6-cidr-block-association.state
- The state of an IPv6 CIDR\n block associated with the subnet.
\n ipv6-native
- Indicates whether this is an IPv6 only subnet\n (true
| false
).
\n map-customer-owned-ip-on-launch
- Indicates whether a network\n interface created in this subnet (including a network interface created by RunInstances) receives a customer-owned IPv4 address.
\n map-public-ip-on-launch
- Indicates whether instances launched in\n this subnet receive a public IPv4 address.
\n outpost-arn
- The Amazon Resource Name (ARN) of the Outpost.
\n owner-id
- The ID of the Amazon Web Services account that owns the\n subnet.
\n private-dns-name-options-on-launch.hostname-type
- The type of\n hostname to assign to instances in the subnet at launch. For IPv4-only and\n dual-stack (IPv4 and IPv6) subnets, an instance DNS name can be based on the\n instance IPv4 address (ip-name) or the instance ID (resource-name). For IPv6\n only subnets, an instance DNS name must be based on the instance ID\n (resource-name).
\n private-dns-name-options-on-launch.enable-resource-name-dns-a-record
\n - Indicates whether to respond to DNS queries for instance hostnames with DNS A\n records.
\n private-dns-name-options-on-launch.enable-resource-name-dns-aaaa-record
\n - Indicates whether to respond to DNS queries for instance hostnames with DNS\n AAAA records.
\n state
- The state of the subnet (pending
| available
).
\n subnet-arn
- The Amazon Resource Name (ARN) of the subnet.
\n subnet-id
- The ID of the subnet.
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
\n vpc-id
- The ID of the VPC for the subnet.
The filters.
\n\n availability-zone
- The Availability Zone for the subnet. You can also use\n availabilityZone
as the filter name.
\n availability-zone-id
- The ID of the Availability Zone for the subnet.\n You can also use availabilityZoneId
as the filter name.
\n available-ip-address-count
- The number of IPv4 addresses in the\n subnet that are available.
\n cidr-block
- The IPv4 CIDR block of the subnet. The CIDR block\n you specify must exactly match the subnet's CIDR block for information to be\n returned for the subnet. You can also use cidr
or\n cidrBlock
as the filter names.
\n customer-owned-ipv4-pool
- The customer-owned IPv4 address pool\n associated with the subnet.
\n default-for-az
- Indicates whether this is the default subnet for\n the Availability Zone (true
| false
). You can also use\n defaultForAz
as the filter name.
\n enable-dns64
- Indicates whether DNS queries made to the\n Amazon-provided DNS Resolver in this subnet should return synthetic IPv6\n addresses for IPv4-only destinations.
\n enable-lni-at-device-index
- Indicates the device position for\n local network interfaces in this subnet. For example, 1
indicates\n local network interfaces in this subnet are the secondary network interface\n (eth1).
\n ipv6-cidr-block-association.ipv6-cidr-block
- An IPv6 CIDR\n block associated with the subnet.
\n ipv6-cidr-block-association.association-id
- An association ID\n for an IPv6 CIDR block associated with the subnet.
\n ipv6-cidr-block-association.state
- The state of an IPv6 CIDR\n block associated with the subnet.
\n ipv6-native
- Indicates whether this is an IPv6 only subnet\n (true
| false
).
\n map-customer-owned-ip-on-launch
- Indicates whether a network\n interface created in this subnet (including a network interface created by RunInstances) receives a customer-owned IPv4 address.
\n map-public-ip-on-launch
- Indicates whether instances launched in\n this subnet receive a public IPv4 address.
\n outpost-arn
- The Amazon Resource Name (ARN) of the Outpost.
\n owner-id
- The ID of the Amazon Web Services account that owns the\n subnet.
\n private-dns-name-options-on-launch.hostname-type
- The type of\n hostname to assign to instances in the subnet at launch. For IPv4-only and\n dual-stack (IPv4 and IPv6) subnets, an instance DNS name can be based on the\n instance IPv4 address (ip-name) or the instance ID (resource-name). For IPv6\n only subnets, an instance DNS name must be based on the instance ID\n (resource-name).
\n private-dns-name-options-on-launch.enable-resource-name-dns-a-record
\n - Indicates whether to respond to DNS queries for instance hostnames with DNS A\n records.
\n private-dns-name-options-on-launch.enable-resource-name-dns-aaaa-record
\n - Indicates whether to respond to DNS queries for instance hostnames with DNS\n AAAA records.
\n state
- The state of the subnet (pending
| available
).
\n subnet-arn
- The Amazon Resource Name (ARN) of the subnet.
\n subnet-id
- The ID of the subnet.
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
\n vpc-id
- The ID of the VPC for the subnet.
One or more subnet IDs.
\nDefault: Describes all your subnets.
", + "smithy.api#documentation": "The IDs of the subnets.
\nDefault: Describes all your subnets.
", "smithy.api#xmlName": "SubnetId" } }, @@ -36013,6 +37983,38 @@ }, "traits": { "smithy.api#documentation": "Describes the specified tags for your EC2 resources.
\nFor more information about tags, see Tag your Amazon EC2 resources in the\n Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#examples": [ + { + "title": "To describe the tags for a single resource", + "documentation": "This example describes the tags for the specified instance.", + "input": { + "Filters": [ + { + "Name": "resource-id", + "Values": [ + "i-1234567890abcdef8" + ] + } + ] + }, + "output": { + "Tags": [ + { + "ResourceType": "instance", + "ResourceId": "i-1234567890abcdef8", + "Value": "test", + "Key": "Stack" + }, + { + "ResourceType": "instance", + "ResourceId": "i-1234567890abcdef8", + "Value": "Beta Server", + "Key": "Name" + } + ] + } + } + ], "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -37799,7 +39801,23 @@ "target": "com.amazonaws.ec2#DescribeVolumeAttributeResult" }, "traits": { - "smithy.api#documentation": "Describes the specified attribute of the specified volume. You can specify only one\n attribute at a time.
\nFor more information about EBS volumes, see Amazon EBS volumes in the Amazon Elastic Compute Cloud User Guide.
" + "smithy.api#documentation": "Describes the specified attribute of the specified volume. You can specify only one\n attribute at a time.
\nFor more information about EBS volumes, see Amazon EBS volumes in the Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#examples": [ + { + "title": "To describe a volume attribute", + "documentation": "This example describes the ``autoEnableIo`` attribute of the volume with the ID ``vol-049df61146c4d7901``.", + "input": { + "VolumeId": "vol-049df61146c4d7901", + "Attribute": "autoEnableIO" + }, + "output": { + "AutoEnableIO": { + "Value": false + }, + "VolumeId": "vol-049df61146c4d7901" + } + } + ] } }, "com.amazonaws.ec2#DescribeVolumeAttributeRequest": { @@ -37878,6 +39896,40 @@ }, "traits": { "smithy.api#documentation": "Describes the status of the specified volumes. Volume status provides the result of the\n checks performed on your volumes to determine events that can impair the performance of your\n volumes. The performance of a volume can be affected if an issue occurs on the volume's\n underlying host. If the volume's underlying host experiences a power outage or system issue,\n after the system is restored, there could be data inconsistencies on the volume. Volume events\n notify you if this occurs. Volume actions notify you if any action needs to be taken in\n response to the event.
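Review bot: The added DescribeVolumeAttribute example names the attribute as ``autoEnableIo`` in its `documentation` string, but its `input` sends `"Attribute": "autoEnableIO"`; the prose should use the same spelling as the value, `autoEnableIO`. The DetachVolume example hunk further down has the same kind of mismatch: its `input` carries `"VolumeId": "vol-1234567890abcdef0"` while its description and `output` refer to `vol-049df61146c4d7901`, so the input would read `"VolumeId": "vol-049df61146c4d7901"`. These examples presumably end up in generated SDK documentation, where a reader copying them would get a request that does not match the response shown. If this model is synced from an upstream source, the correction probably belongs there rather than in this file.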
\nThe DescribeVolumeStatus
operation provides the following information about\n the specified volumes:
\n Status: Reflects the current status of the volume. The possible\n values are ok
, impaired
, warning
, or\n insufficient-data
. If all checks pass, the overall status of the volume is\n ok
. If the check fails, the overall status is impaired
. If the\n status is insufficient-data
, then the checks might still be taking place on your\n volume at the time. We recommend that you retry the request. For more information about volume\n status, see Monitor the status of your volumes in the\n Amazon Elastic Compute Cloud User Guide.
\n Events: Reflect the cause of a volume status and might require you to\n take action. For example, if your volume returns an impaired
status, then the\n volume event might be potential-data-inconsistency
. This means that your volume\n has been affected by an issue with the underlying host, has all I/O operations disabled, and\n might have inconsistent data.
\n Actions: Reflect the actions you might have to take in response to an\n event. For example, if the status of the volume is impaired
and the volume event\n shows potential-data-inconsistency
, then the action shows\n enable-volume-io
. This means that you may want to enable the I/O operations for\n the volume by calling the EnableVolumeIO action and then check the volume\n for data consistency.
Volume status is based on the volume status checks, and does not reflect the volume state.\n Therefore, volume status does not indicate volumes in the error
state (for\n example, when a volume is incapable of accepting I/O.)
Describes the specified EBS volumes or all of your EBS volumes.
\nIf you are describing a long list of volumes, we recommend that you paginate the output to make the list\n more manageable. For more information, see Pagination.
\nFor more information about EBS volumes, see Amazon EBS volumes in the Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#examples": [ + { + "title": "To describe all volumes", + "documentation": "This example describes all of your volumes in the default region.", + "output": { + "Volumes": [ + { + "AvailabilityZone": "us-east-1a", + "Attachments": [ + { + "AttachTime": "2013-12-18T22:35:00.000Z", + "InstanceId": "i-1234567890abcdef0", + "VolumeId": "vol-049df61146c4d7901", + "State": "attached", + "DeleteOnTermination": true, + "Device": "/dev/sda1" + } + ], + "VolumeType": "standard", + "VolumeId": "vol-049df61146c4d7901", + "State": "in-use", + "SnapshotId": "snap-1234567890abcdef0", + "CreateTime": "2013-12-18T22:35:00.084Z", + "Size": 8 + } + ], + "NextToken": "" + } + } + ], "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -38219,7 +40301,23 @@ "target": "com.amazonaws.ec2#DescribeVpcAttributeResult" }, "traits": { - "smithy.api#documentation": "Describes the specified attribute of the specified VPC. You can specify only one attribute at a time.
" + "smithy.api#documentation": "Describes the specified attribute of the specified VPC. You can specify only one attribute at a time.
", + "smithy.api#examples": [ + { + "title": "To describe the enableDnsSupport attribute", + "documentation": "This example describes the enableDnsSupport attribute. This attribute indicates whether DNS resolution is enabled for the VPC. If this attribute is true, the Amazon DNS server resolves DNS hostnames for your instances to their corresponding IP addresses; otherwise, it does not.", + "input": { + "VpcId": "vpc-a01106c2", + "Attribute": "enableDnsSupport" + }, + "output": { + "VpcId": "vpc-a01106c2", + "EnableDnsSupport": { + "Value": true + } + } + } + ] } }, "com.amazonaws.ec2#DescribeVpcAttributeRequest": { @@ -38305,7 +40403,7 @@ "target": "com.amazonaws.ec2#DescribeVpcClassicLinkResult" }, "traits": { - "smithy.api#documentation": "Describes the ClassicLink status of one or more VPCs.
\nWe are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nThis action is deprecated.
\nDescribes the ClassicLink status of the specified VPCs.
" } }, "com.amazonaws.ec2#DescribeVpcClassicLinkDnsSupport": { @@ -38317,7 +40415,7 @@ "target": "com.amazonaws.ec2#DescribeVpcClassicLinkDnsSupportResult" }, "traits": { - "smithy.api#documentation": "We are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nDescribes the ClassicLink DNS support status of one or more VPCs. If enabled, the DNS\n hostname of a linked EC2-Classic instance resolves to its private IP address when\n addressed from an instance in the VPC to which it's linked. Similarly, the DNS hostname\n of an instance in a VPC resolves to its private IP address when addressed from a linked\n EC2-Classic instance. For more information, see ClassicLink in the Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#documentation": "This action is deprecated.
\nDescribes the ClassicLink DNS support status of one or more VPCs. If enabled, the DNS\n hostname of a linked EC2-Classic instance resolves to its private IP address when\n addressed from an instance in the VPC to which it's linked. Similarly, the DNS hostname\n of an instance in a VPC resolves to its private IP address when addressed from a linked\n EC2-Classic instance.
", "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -38369,7 +40467,7 @@ "VpcIds": { "target": "com.amazonaws.ec2#VpcClassicLinkIdList", "traits": { - "smithy.api#documentation": "One or more VPC IDs.
", + "smithy.api#documentation": "The IDs of the VPCs.
", "smithy.api#xmlName": "VpcIds" } } @@ -38408,7 +40506,7 @@ "Filters": { "target": "com.amazonaws.ec2#FilterList", "traits": { - "smithy.api#documentation": "One or more filters.
\n\n is-classic-link-enabled
- Whether the VPC is enabled for ClassicLink\n\t\t\t\t\t (true
| false
).
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
The filters.
\n\n is-classic-link-enabled
- Whether the VPC is enabled for ClassicLink\n\t\t\t\t\t (true
| false
).
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
One or more VPCs for which you want to describe the ClassicLink status.
", + "smithy.api#documentation": "The VPCs for which you want to describe the ClassicLink status.
", "smithy.api#xmlName": "VpcId" } } @@ -38441,7 +40539,7 @@ "target": "com.amazonaws.ec2#VpcClassicLinkList", "traits": { "aws.protocols#ec2QueryName": "VpcSet", - "smithy.api#documentation": "The ClassicLink status of one or more VPCs.
", + "smithy.api#documentation": "The ClassicLink status of the VPCs.
", "smithy.api#xmlName": "vpcSet" } } @@ -39038,7 +41136,7 @@ "Filters": { "target": "com.amazonaws.ec2#FilterList", "traits": { - "smithy.api#documentation": "One or more filters.
\n\n accepter-vpc-info.cidr-block
- The IPv4 CIDR block of the accepter\n VPC.
\n accepter-vpc-info.owner-id
- The ID of the Amazon Web Services account that owns the\n accepter VPC.
\n accepter-vpc-info.vpc-id
- The ID of the accepter VPC.
\n expiration-time
- The expiration date and time for the VPC peering\n connection.
\n requester-vpc-info.cidr-block
- The IPv4 CIDR block of the\n requester's VPC.
\n requester-vpc-info.owner-id
- The ID of the Amazon Web Services account that owns the\n requester VPC.
\n requester-vpc-info.vpc-id
- The ID of the requester VPC.
\n status-code
- The status of the VPC peering connection\n (pending-acceptance
| failed
|\n expired
| provisioning
| active
|\n deleting
| deleted
|\n rejected
).
\n status-message
- A message that provides more information about the status\n of the VPC peering connection, if applicable.
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
\n vpc-peering-connection-id
- The ID of the VPC peering connection.
The filters.
\n\n accepter-vpc-info.cidr-block
- The IPv4 CIDR block of the accepter\n VPC.
\n accepter-vpc-info.owner-id
- The ID of the Amazon Web Services account that owns the\n accepter VPC.
\n accepter-vpc-info.vpc-id
- The ID of the accepter VPC.
\n expiration-time
- The expiration date and time for the VPC peering\n connection.
\n requester-vpc-info.cidr-block
- The IPv4 CIDR block of the\n requester's VPC.
\n requester-vpc-info.owner-id
- The ID of the Amazon Web Services account that owns the\n requester VPC.
\n requester-vpc-info.vpc-id
- The ID of the requester VPC.
\n status-code
- The status of the VPC peering connection\n (pending-acceptance
| failed
|\n expired
| provisioning
| active
|\n deleting
| deleted
|\n rejected
).
\n status-message
- A message that provides more information about the status\n of the VPC peering connection, if applicable.
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
\n vpc-peering-connection-id
- The ID of the VPC peering connection.
One or more VPC peering connection IDs.
\nDefault: Describes all your VPC peering connections.
", + "smithy.api#documentation": "The IDs of the VPC peering connections.
\nDefault: Describes all your VPC peering connections.
", "smithy.api#xmlName": "VpcPeeringConnectionId" } }, @@ -39112,6 +41210,35 @@ }, "traits": { "smithy.api#documentation": "Describes one or more of your VPCs.
", + "smithy.api#examples": [ + { + "title": "To describe a VPC", + "documentation": "This example describes the specified VPC.", + "input": { + "VpcIds": [ + "vpc-a01106c2" + ] + }, + "output": { + "Vpcs": [ + { + "VpcId": "vpc-a01106c2", + "InstanceTenancy": "default", + "Tags": [ + { + "Value": "MyVPC", + "Key": "Name" + } + ], + "State": "available", + "DhcpOptionsId": "dopt-7a8b9c2d", + "CidrBlock": "10.0.0.0/16", + "IsDefault": false + } + ] + } + } + ], "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -39173,14 +41300,14 @@ "Filters": { "target": "com.amazonaws.ec2#FilterList", "traits": { - "smithy.api#documentation": "One or more filters.
\n\n cidr
- The primary IPv4 CIDR block of the VPC. The CIDR block you\n specify must exactly match the VPC's CIDR block for information to be returned\n for the VPC. Must contain the slash followed by one or two digits (for example,\n /28
).
\n cidr-block-association.cidr-block
- An IPv4 CIDR block associated with the\n VPC.
\n cidr-block-association.association-id
- The association ID for\n an IPv4 CIDR block associated with the VPC.
\n cidr-block-association.state
- The state of an IPv4 CIDR block\n associated with the VPC.
\n dhcp-options-id
- The ID of a set of DHCP options.
\n ipv6-cidr-block-association.ipv6-cidr-block
- An IPv6 CIDR\n block associated with the VPC.
\n ipv6-cidr-block-association.ipv6-pool
- The ID of the IPv6 address pool from which the IPv6 CIDR block is allocated.
\n ipv6-cidr-block-association.association-id
- The association\n ID for an IPv6 CIDR block associated with the VPC.
\n ipv6-cidr-block-association.state
- The state of an IPv6 CIDR\n block associated with the VPC.
\n is-default
- Indicates whether the VPC is the default VPC.
\n owner-id
- The ID of the Amazon Web Services account that owns the VPC.
\n state
- The state of the VPC (pending
| available
).
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
\n vpc-id
- The ID of the VPC.
The filters.
\n\n cidr
- The primary IPv4 CIDR block of the VPC. The CIDR block you\n specify must exactly match the VPC's CIDR block for information to be returned\n for the VPC. Must contain the slash followed by one or two digits (for example,\n /28
).
\n cidr-block-association.cidr-block
- An IPv4 CIDR block associated with the\n VPC.
\n cidr-block-association.association-id
- The association ID for\n an IPv4 CIDR block associated with the VPC.
\n cidr-block-association.state
- The state of an IPv4 CIDR block\n associated with the VPC.
\n dhcp-options-id
- The ID of a set of DHCP options.
\n ipv6-cidr-block-association.ipv6-cidr-block
- An IPv6 CIDR\n block associated with the VPC.
\n ipv6-cidr-block-association.ipv6-pool
- The ID of the IPv6 address pool from which the IPv6 CIDR block is allocated.
\n ipv6-cidr-block-association.association-id
- The association\n ID for an IPv6 CIDR block associated with the VPC.
\n ipv6-cidr-block-association.state
- The state of an IPv6 CIDR\n block associated with the VPC.
\n is-default
- Indicates whether the VPC is the default VPC.
\n owner-id
- The ID of the Amazon Web Services account that owns the VPC.
\n state
- The state of the VPC (pending
| available
).
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
\n vpc-id
- The ID of the VPC.
One or more VPC IDs.
\nDefault: Describes all your VPCs.
", + "smithy.api#documentation": "The IDs of the VPCs.
\nDefault: Describes all your VPCs.
", "smithy.api#xmlName": "VpcId" } }, @@ -39515,7 +41642,7 @@ "target": "com.amazonaws.ec2#DetachClassicLinkVpcResult" }, "traits": { - "smithy.api#documentation": "We are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nUnlinks (detaches) a linked EC2-Classic instance from a VPC. After the instance has been unlinked, the VPC security groups are no longer associated with it. An instance is automatically unlinked from a VPC when it's stopped.
" + "smithy.api#documentation": "This action is deprecated.
\nUnlinks (detaches) a linked EC2-Classic instance from a VPC. After the instance has been unlinked, \n\t\t the VPC security groups are no longer associated with it. An instance is automatically unlinked from \n\t\t a VPC when it's stopped.
" } }, "com.amazonaws.ec2#DetachClassicLinkVpcRequest": { @@ -39583,7 +41710,17 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Detaches an internet gateway from a VPC, disabling connectivity between the internet\n\t\t\tand the VPC. The VPC must not contain any running instances with Elastic IP addresses or\n\t\t\tpublic IPv4 addresses.
" + "smithy.api#documentation": "Detaches an internet gateway from a VPC, disabling connectivity between the internet\n\t\t\tand the VPC. The VPC must not contain any running instances with Elastic IP addresses or\n\t\t\tpublic IPv4 addresses.
", + "smithy.api#examples": [ + { + "title": "To detach an Internet gateway from a VPC", + "documentation": "This example detaches the specified Internet gateway from the specified VPC.", + "input": { + "InternetGatewayId": "igw-c0a643a9", + "VpcId": "vpc-a01106c2" + } + } + ] } }, "com.amazonaws.ec2#DetachInternetGatewayRequest": { @@ -39633,7 +41770,16 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Detaches a network interface from an instance.
" + "smithy.api#documentation": "Detaches a network interface from an instance.
", + "smithy.api#examples": [ + { + "title": "To detach a network interface from an instance", + "documentation": "This example detaches the specified network interface from its attached instance.", + "input": { + "AttachmentId": "eni-attach-66c4350a" + } + } + ] } }, "com.amazonaws.ec2#DetachNetworkInterfaceRequest": { @@ -39759,7 +41905,23 @@ "target": "com.amazonaws.ec2#VolumeAttachment" }, "traits": { - "smithy.api#documentation": "Detaches an EBS volume from an instance. Make sure to unmount any file systems on the\n device within your operating system before detaching the volume. Failure to do so can result\n in the volume becoming stuck in the busy
state while detaching. If this happens,\n detachment can be delayed indefinitely until you unmount the volume, force detachment, reboot\n the instance, or all three. If an EBS volume is the root device of an instance, it can't be\n detached while the instance is running. To detach the root volume, stop the instance\n first.
When a volume with an Amazon Web Services Marketplace product code is detached from an instance, the\n product code is no longer associated with the instance.
\nFor more information, see Detach an Amazon EBS volume in the\n Amazon Elastic Compute Cloud User Guide.
" + "smithy.api#documentation": "Detaches an EBS volume from an instance. Make sure to unmount any file systems on the\n device within your operating system before detaching the volume. Failure to do so can result\n in the volume becoming stuck in the busy
state while detaching. If this happens,\n detachment can be delayed indefinitely until you unmount the volume, force detachment, reboot\n the instance, or all three. If an EBS volume is the root device of an instance, it can't be\n detached while the instance is running. To detach the root volume, stop the instance\n first.
When a volume with an Amazon Web Services Marketplace product code is detached from an instance, the\n product code is no longer associated with the instance.
\nFor more information, see Detach an Amazon EBS volume in the\n Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#examples": [ + { + "title": "To detach a volume from an instance", + "documentation": "This example detaches the volume (``vol-049df61146c4d7901``) from the instance it is attached to.", + "input": { + "VolumeId": "vol-1234567890abcdef0" + }, + "output": { + "AttachTime": "2014-02-27T19:23:06.000Z", + "InstanceId": "i-1234567890abcdef0", + "VolumeId": "vol-049df61146c4d7901", + "State": "detaching", + "Device": "/dev/sdb" + } + } + ] } }, "com.amazonaws.ec2#DetachVolumeRequest": { @@ -39920,7 +42082,7 @@ "target": "com.amazonaws.ec2#DhcpConfigurationValueList", "traits": { "aws.protocols#ec2QueryName": "ValueSet", - "smithy.api#documentation": "One or more values for the DHCP option.
", + "smithy.api#documentation": "The values for the DHCP option.
", "smithy.api#xmlName": "valueSet" } } @@ -39954,7 +42116,7 @@ "target": "com.amazonaws.ec2#DhcpConfigurationList", "traits": { "aws.protocols#ec2QueryName": "DhcpConfigurationSet", - "smithy.api#documentation": "One or more DHCP options in the set.
", + "smithy.api#documentation": "The DHCP options in the set.
", "smithy.api#xmlName": "dhcpConfigurationSet" } }, @@ -39984,7 +42146,7 @@ } }, "traits": { - "smithy.api#documentation": "Describes a set of DHCP options.
" + "smithy.api#documentation": "The set of DHCP options.
" } }, "com.amazonaws.ec2#DhcpOptionsId": { @@ -40597,6 +42759,50 @@ "smithy.api#output": {} } }, + "com.amazonaws.ec2#DisableImageBlockPublicAccess": { + "type": "operation", + "input": { + "target": "com.amazonaws.ec2#DisableImageBlockPublicAccessRequest" + }, + "output": { + "target": "com.amazonaws.ec2#DisableImageBlockPublicAccessResult" + }, + "traits": { + "smithy.api#documentation": "Disables block public access for AMIs at the account level in the\n specified Amazon Web Services Region. This removes the block public access restriction\n from your account. With the restriction removed, you can publicly share your AMIs in the\n specified Amazon Web Services Region.
\nThe API can take up to 10 minutes to configure this setting. During this time, if you run\n GetImageBlockPublicAccessState, the response will be\n block-new-sharing
. When the API has completed the configuration, the response\n will be unblocked
.
For more information, see Block public access to your AMIs in\n the Amazon EC2 User Guide.
" + } + }, + "com.amazonaws.ec2#DisableImageBlockPublicAccessRequest": { + "type": "structure", + "members": { + "DryRun": { + "target": "com.amazonaws.ec2#Boolean", + "traits": { + "smithy.api#clientOptional": {}, + "smithy.api#default": false, + "smithy.api#documentation": "Checks whether you have the required permissions for the action, without actually making the request, \n\t\t\tand provides an error response. If you have the required permissions, the error response is \n\t\t\tDryRunOperation
. Otherwise, it is UnauthorizedOperation
.
Returns unblocked
if the request succeeds; otherwise, it returns an\n error.
Disables a virtual private gateway (VGW) from propagating routes to a specified route\n table of a VPC.
" + "smithy.api#documentation": "Disables a virtual private gateway (VGW) from propagating routes to a specified route\n table of a VPC.
", + "smithy.api#examples": [ + { + "title": "To disable route propagation", + "documentation": "This example disables the specified virtual private gateway from propagating static routes to the specified route table.", + "input": { + "RouteTableId": "rtb-22574640", + "GatewayId": "vgw-9a4cacf3" + } + } + ] } }, "com.amazonaws.ec2#DisableVgwRoutePropagationRequest": { @@ -40869,7 +43085,7 @@ "target": "com.amazonaws.ec2#DisableVpcClassicLinkResult" }, "traits": { - "smithy.api#documentation": "Disables ClassicLink for a VPC. You cannot disable ClassicLink for a VPC that has EC2-Classic instances linked to it.
\nWe are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nThis action is deprecated.
\nDisables ClassicLink for a VPC. You cannot disable ClassicLink for a VPC that has EC2-Classic instances\n linked to it.
" } }, "com.amazonaws.ec2#DisableVpcClassicLinkDnsSupport": { @@ -40881,7 +43097,7 @@ "target": "com.amazonaws.ec2#DisableVpcClassicLinkDnsSupportResult" }, "traits": { - "smithy.api#documentation": "Disables ClassicLink DNS support for a VPC. If disabled, DNS hostnames resolve to\n\t\t\tpublic IP addresses when addressed between a linked EC2-Classic instance and instances\n\t\t\tin the VPC to which it's linked. For more information, see ClassicLink in the\n\t\t\t\tAmazon Elastic Compute Cloud User Guide.
\nYou must specify a VPC ID in the request.
\nWe are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nThis action is deprecated.
\nDisables ClassicLink DNS support for a VPC. If disabled, DNS hostnames resolve to\n\t\t\tpublic IP addresses when addressed between a linked EC2-Classic instance and instances\n\t\t\tin the VPC to which it's linked.
\nYou must specify a VPC ID in the request.
" } }, "com.amazonaws.ec2#DisableVpcClassicLinkDnsSupportRequest": { @@ -40972,7 +43188,16 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Disassociates an Elastic IP address from the instance or network interface it's associated with.
\nThis is an idempotent operation. If you perform the operation more than once, Amazon EC2 doesn't return an error.
" + "smithy.api#documentation": "Disassociates an Elastic IP address from the instance or network interface it's associated with.
\nThis is an idempotent operation. If you perform the operation more than once, Amazon EC2 doesn't return an error.
", + "smithy.api#examples": [ + { + "title": "To disassociate an Elastic IP address", + "documentation": "This example disassociates an Elastic IP address from an instance.", + "input": { + "AssociationId": "eipassoc-2bebb745" + } + } + ] } }, "com.amazonaws.ec2#DisassociateAddressRequest": { @@ -41144,7 +43369,27 @@ "target": "com.amazonaws.ec2#DisassociateIamInstanceProfileResult" }, "traits": { - "smithy.api#documentation": "Disassociates an IAM instance profile from a running or stopped instance.
\nUse DescribeIamInstanceProfileAssociations to get the association\n ID.
" + "smithy.api#documentation": "Disassociates an IAM instance profile from a running or stopped instance.
\nUse DescribeIamInstanceProfileAssociations to get the association\n ID.
", + "smithy.api#examples": [ + { + "title": "To disassociate an IAM instance profile", + "documentation": "This example disassociates the specified IAM instance profile from an instance.", + "input": { + "AssociationId": "iip-assoc-05020b59952902f5f" + }, + "output": { + "IamInstanceProfileAssociation": { + "InstanceId": "i-123456789abcde123", + "State": "disassociating", + "AssociationId": "iip-assoc-05020b59952902f5f", + "IamInstanceProfile": { + "Id": "AIPAI5IVIHMFFYY2DKV5Y", + "Arn": "arn:aws:iam::123456789012:instance-profile/admin-role" + } + } + } + } + ] } }, "com.amazonaws.ec2#DisassociateIamInstanceProfileRequest": { @@ -41300,7 +43545,7 @@ "target": "com.amazonaws.ec2#DisassociateNatGatewayAddressResult" }, "traits": { - "smithy.api#documentation": "Disassociates secondary Elastic IP addresses (EIPs) from a public NAT gateway. You cannot disassociate your primary EIP. For more information, see Edit secondary IP address associations in the Amazon Virtual Private Cloud User Guide.
\nWhile disassociating is in progress, you cannot associate/disassociate additional EIPs while the connections are being drained. You are, however, allowed to delete the NAT gateway.
\nAn EIP will only be released at the end of MaxDrainDurationSeconds. The EIPs stay\n associated and support the existing connections but do not support any new connections\n (new connections are distributed across the remaining associated EIPs). As the existing\n connections drain out, the EIPs (and the corresponding private IPs mapped to them) get\n released.
" + "smithy.api#documentation": "Disassociates secondary Elastic IP addresses (EIPs) from a public NAT gateway. \n You cannot disassociate your primary EIP. For more information, see Edit secondary IP address associations in the Amazon VPC User Guide.
\nWhile disassociating is in progress, you cannot associate/disassociate additional EIPs while the connections are being drained. You are, however, allowed to delete the NAT gateway.
\nAn EIP is released only at the end of MaxDrainDurationSeconds. It stays\n associated and supports the existing connections but does not support any new connections\n (new connections are distributed across the remaining associated EIPs). As the existing\n connections drain out, the EIPs (and the corresponding private IP addresses mapped to them) \n are released.
" } }, "com.amazonaws.ec2#DisassociateNatGatewayAddressRequest": { @@ -41310,7 +43555,7 @@ "target": "com.amazonaws.ec2#NatGatewayId", "traits": { "smithy.api#clientOptional": {}, - "smithy.api#documentation": "The NAT gateway ID.
", + "smithy.api#documentation": "The ID of the NAT gateway.
", "smithy.api#required": {} } }, @@ -41351,7 +43596,7 @@ "target": "com.amazonaws.ec2#NatGatewayId", "traits": { "aws.protocols#ec2QueryName": "NatGatewayId", - "smithy.api#documentation": "The NAT gateway ID.
", + "smithy.api#documentation": "The ID of the NAT gateway.
", "smithy.api#xmlName": "natGatewayId" } }, @@ -41377,7 +43622,16 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Disassociates a subnet or gateway from a route table.
\nAfter you perform this action, the subnet no longer uses the routes in the route table.\n\t\t\t\tInstead, it uses the routes in the VPC's main route table. For more information\n\t\t\t\tabout route tables, see Route\n\t\t\t\ttables in the Amazon Virtual Private Cloud User Guide.
" + "smithy.api#documentation": "Disassociates a subnet or gateway from a route table.
\nAfter you perform this action, the subnet no longer uses the routes in the route table.\n\t\t\t\tInstead, it uses the routes in the VPC's main route table. For more information\n\t\t\t\tabout route tables, see Route\n\t\t\t\ttables in the Amazon VPC User Guide.
", + "smithy.api#examples": [ + { + "title": "To disassociate a route table", + "documentation": "This example disassociates the specified route table from its associated subnet.", + "input": { + "AssociationId": "rtbassoc-781d0d1a" + } + } + ] } }, "com.amazonaws.ec2#DisassociateRouteTableRequest": { @@ -42309,7 +44563,7 @@ "target": "com.amazonaws.ec2#String", "traits": { "aws.protocols#ec2QueryName": "OutpostArn", - "smithy.api#documentation": "The ARN of the Outpost on which the snapshot is stored.
\nThis parameter is only supported on BlockDeviceMapping
objects called by\n \n CreateImage.
The ARN of the Outpost on which the snapshot is stored.
\nThis parameter is not supported when using CreateImage.
", "smithy.api#xmlName": "outpostArn" } }, @@ -43790,6 +46044,58 @@ "smithy.api#output": {} } }, + "com.amazonaws.ec2#EnableImageBlockPublicAccess": { + "type": "operation", + "input": { + "target": "com.amazonaws.ec2#EnableImageBlockPublicAccessRequest" + }, + "output": { + "target": "com.amazonaws.ec2#EnableImageBlockPublicAccessResult" + }, + "traits": { + "smithy.api#documentation": "Enables block public access for AMIs at the account level in the\n specified Amazon Web Services Region. This prevents the public sharing of your AMIs. However, if you already\n have public AMIs, they will remain publicly available.
\nThe API can take up to 10 minutes to configure this setting. During this time, if you run\n GetImageBlockPublicAccessState, the response will be unblocked
. When\n the API has completed the configuration, the response will be\n block-new-sharing
.
For more information, see Block\n public access to your AMIs in the Amazon EC2 User Guide.
" + } + }, + "com.amazonaws.ec2#EnableImageBlockPublicAccessRequest": { + "type": "structure", + "members": { + "ImageBlockPublicAccessState": { + "target": "com.amazonaws.ec2#ImageBlockPublicAccessEnabledState", + "traits": { + "smithy.api#clientOptional": {}, + "smithy.api#documentation": "Specify block-new-sharing
to enable block public access for AMIs at the\n account level in the specified Region. This will block any attempt to publicly share your AMIs\n in the specified Region.
Checks whether you have the required permissions for the action, without actually making the request, \n\t\t\tand provides an error response. If you have the required permissions, the error response is \n\t\t\tDryRunOperation
. Otherwise, it is UnauthorizedOperation
.
Returns block-new-sharing
if the request succeeds; otherwise, it returns an\n error.
Enables a virtual private gateway (VGW) to propagate routes to the specified route\n table of a VPC.
" + "smithy.api#documentation": "Enables a virtual private gateway (VGW) to propagate routes to the specified route\n table of a VPC.
", + "smithy.api#examples": [ + { + "title": "To enable route propagation", + "documentation": "This example enables the specified virtual private gateway to propagate static routes to the specified route table.", + "input": { + "RouteTableId": "rtb-22574640", + "GatewayId": "vgw-9a4cacf3" + } + } + ] } }, "com.amazonaws.ec2#EnableVgwRoutePropagationRequest": { @@ -44116,7 +46432,16 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Enables I/O operations for a volume that had I/O operations disabled because the data on\n the volume was potentially inconsistent.
" + "smithy.api#documentation": "Enables I/O operations for a volume that had I/O operations disabled because the data on\n the volume was potentially inconsistent.
", + "smithy.api#examples": [ + { + "title": "To enable I/O for a volume", + "documentation": "This example enables I/O on volume ``vol-1234567890abcdef0``.", + "input": { + "VolumeId": "vol-1234567890abcdef0" + } + } + ] } }, "com.amazonaws.ec2#EnableVolumeIORequest": { @@ -44156,7 +46481,7 @@ "target": "com.amazonaws.ec2#EnableVpcClassicLinkResult" }, "traits": { - "smithy.api#documentation": "We are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nEnables a VPC for ClassicLink. You can then link EC2-Classic instances to your\n\t\t\tClassicLink-enabled VPC to allow communication over private IP addresses. You cannot\n\t\t\tenable your VPC for ClassicLink if any of your VPC route tables have existing routes for\n\t\t\taddress ranges within the 10.0.0.0/8
IP address range, excluding local\n\t\t\troutes for VPCs in the 10.0.0.0/16
and 10.1.0.0/16
IP address\n\t\t\tranges. For more information, see ClassicLink in the\n\t\t\t\tAmazon Elastic Compute Cloud User Guide.
This action is deprecated.
\nEnables a VPC for ClassicLink. You can then link EC2-Classic instances to your\n\t\t\tClassicLink-enabled VPC to allow communication over private IP addresses. You cannot\n\t\t\tenable your VPC for ClassicLink if any of your VPC route tables have existing routes for\n\t\t\taddress ranges within the 10.0.0.0/8
IP address range, excluding local\n\t\t\troutes for VPCs in the 10.0.0.0/16
and 10.1.0.0/16
IP address\n\t\t\tranges.
We are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nEnables a VPC to support DNS hostname resolution for ClassicLink. If enabled, the DNS\n\t\t\thostname of a linked EC2-Classic instance resolves to its private IP address when\n\t\t\taddressed from an instance in the VPC to which it's linked. Similarly, the DNS hostname\n\t\t\tof an instance in a VPC resolves to its private IP address when addressed from a linked\n\t\t\tEC2-Classic instance. For more information, see ClassicLink in the\n\t\t\t\tAmazon Elastic Compute Cloud User Guide.
\nYou must specify a VPC ID in the request.
" + "smithy.api#documentation": "This action is deprecated.
\nEnables a VPC to support DNS hostname resolution for ClassicLink. If enabled, the DNS\n\t\t\thostname of a linked EC2-Classic instance resolves to its private IP address when\n\t\t\taddressed from an instance in the VPC to which it's linked. Similarly, the DNS hostname\n\t\t\tof an instance in a VPC resolves to its private IP address when addressed from a linked\n\t\t\tEC2-Classic instance.
\nYou must specify a VPC ID in the request.
" } }, "com.amazonaws.ec2#EnableVpcClassicLinkDnsSupportRequest": { @@ -44465,7 +46790,7 @@ "min": 1, "max": 30 }, - "smithy.api#pattern": "^[a-zA-Z0-9\\.\\*]+$" + "smithy.api#pattern": "^[a-zA-Z0-9\\.\\*\\-]+$" } }, "com.amazonaws.ec2#ExcludedInstanceTypeSet": { @@ -46719,7 +49044,7 @@ "target": "com.amazonaws.ec2#ImageId", "traits": { "aws.protocols#ec2QueryName": "ImageId", - "smithy.api#documentation": "The ID of the AMI. An AMI is required to launch an instance. The AMI ID must be specified here or in the launch template.
", + "smithy.api#documentation": "The ID of the AMI. An AMI is required to launch an instance. This parameter is only\n available for fleets of type instant
. For fleets of type maintain
\n and request
, you must specify the AMI ID in the launch template.
The ID of the AMI. An AMI is required to launch an instance. The AMI ID must be specified here or in the launch template.
" + "smithy.api#documentation": "The ID of the AMI. An AMI is required to launch an instance. This parameter is only\n available for fleets of type instant
. For fleets of type maintain
\n and request
, you must specify the AMI ID in the launch template.
Gets the console output for the specified instance. For Linux instances, the instance\n console output displays the exact console output that would normally be displayed on a\n physical monitor attached to a computer. For Windows instances, the instance console\n output includes the last three system event log errors.
\nBy default, the console output returns buffered information that was posted shortly\n after an instance transition state (start, stop, reboot, or terminate). This information\n is available for at least one hour after the most recent post. Only the most recent 64\n KB of console output is available.
\nYou can optionally retrieve the latest serial console output at any time during the\n instance lifecycle. This option is supported on instance types that use the Nitro\n hypervisor.
\nFor more information, see Instance\n console output in the Amazon EC2 User Guide.
" + "smithy.api#documentation": "Gets the console output for the specified instance. For Linux instances, the instance\n console output displays the exact console output that would normally be displayed on a\n physical monitor attached to a computer. For Windows instances, the instance console\n output includes the last three system event log errors.
\nBy default, the console output returns buffered information that was posted shortly\n after an instance transition state (start, stop, reboot, or terminate). This information\n is available for at least one hour after the most recent post. Only the most recent 64\n KB of console output is available.
\nYou can optionally retrieve the latest serial console output at any time during the\n instance lifecycle. This option is supported on instance types that use the Nitro\n hypervisor.
\nFor more information, see Instance\n console output in the Amazon EC2 User Guide.
", + "smithy.api#examples": [ + { + "title": "To get the console output", + "documentation": "This example gets the console output for the specified instance.", + "input": { + "InstanceId": "i-1234567890abcdef0" + }, + "output": { + "InstanceId": "i-1234567890abcdef0", + "Output": "...", + "Timestamp": "2018-05-25T21:23:53.000Z" + } + } + ] } }, "com.amazonaws.ec2#GetConsoleOutputRequest": { @@ -48436,6 +50775,14 @@ "smithy.api#documentation": "Indicates whether encryption by default is enabled.
", "smithy.api#xmlName": "ebsEncryptionByDefault" } + }, + "SseType": { + "target": "com.amazonaws.ec2#SSEType", + "traits": { + "aws.protocols#ec2QueryName": "SseType", + "smithy.api#documentation": "Reserved for future use.
", + "smithy.api#xmlName": "sseType" + } } }, "traits": { @@ -48451,7 +50798,7 @@ "target": "com.amazonaws.ec2#GetFlowLogsIntegrationTemplateResult" }, "traits": { - "smithy.api#documentation": "Generates a CloudFormation template that streamlines and automates the integration of VPC flow logs \n with Amazon Athena. This make it easier for you to query and gain insights from VPC flow logs data. \n Based on the information that you provide, we configure resources in the template to do the following:
\nCreate a table in Athena that maps fields to a custom log format
\nCreate a Lambda function that updates the table with new partitions on a daily, weekly, or\n monthly basis
\nCreate a table partitioned between two timestamps in the past
\nCreate a set of named queries in Athena that you can use to get started quickly
\nGenerates a CloudFormation template that streamlines and automates the integration of VPC flow logs \n with Amazon Athena. This make it easier for you to query and gain insights from VPC flow logs data. \n Based on the information that you provide, we configure resources in the template to do the following:
\nCreate a table in Athena that maps fields to a custom log format
\nCreate a Lambda function that updates the table with new partitions on a daily, weekly, or\n monthly basis
\nCreate a table partitioned between two timestamps in the past
\nCreate a set of named queries in Athena that you can use to get started quickly
\n\n GetFlowLogsIntegrationTemplate
does not support integration between\n Amazon Web Services Transit Gateway Flow Logs and Amazon Athena.
Gets the current state of block public access for AMIs at the account\n level in the specified Amazon Web Services Region.
\nFor more information, see Block\n public access to your AMIs in the Amazon EC2 User Guide.
" + } + }, + "com.amazonaws.ec2#GetImageBlockPublicAccessStateRequest": { + "type": "structure", + "members": { + "DryRun": { + "target": "com.amazonaws.ec2#Boolean", + "traits": { + "smithy.api#clientOptional": {}, + "smithy.api#default": false, + "smithy.api#documentation": "Checks whether you have the required permissions for the action, without actually making the request, \n\t\t\tand provides an error response. If you have the required permissions, the error response is \n\t\t\tDryRunOperation
. Otherwise, it is UnauthorizedOperation
.
The current state of block public access for AMIs at the account level in the specified\n Amazon Web Services Region.
\nPossible values:
\n\n block-new-sharing
- Any attempt to publicly share your AMIs in the\n specified Region is blocked.
\n unblocked
- Your AMIs in the specified Region can be publicly\n shared.
Retrieves the configuration data of the specified instance. You can use this data to\n create a launch template.
\nThis action calls on other describe actions to get instance information. Depending on\n your instance configuration, you may need to allow the following actions in your IAM\n policy: DescribeSpotInstanceRequests
,\n DescribeInstanceCreditSpecifications
, DescribeVolumes
,\n DescribeInstanceAttribute
, and DescribeElasticGpus
. Or,\n you can allow describe*
depending on your instance requirements.
Retrieves the configuration data of the specified instance. You can use this data to\n create a launch template.
\nThis action calls on other describe actions to get instance information. Depending on\n your instance configuration, you may need to allow the following actions in your IAM\n policy: DescribeSpotInstanceRequests
,\n DescribeInstanceCreditSpecifications
, DescribeVolumes
,\n DescribeInstanceAttribute
, and DescribeElasticGpus
. Or,\n you can allow describe*
depending on your instance requirements.
The password of the instance. Returns an empty string if the password is not\n available.
", @@ -51429,13 +53879,13 @@ "aws.protocols#ec2QueryName": "Configured", "smithy.api#clientOptional": {}, "smithy.api#default": false, - "smithy.api#documentation": "If this parameter is set to true
, your instance is enabled for\n hibernation; otherwise, it is not enabled for hibernation.
If true
, your instance is enabled for hibernation; otherwise, it is not\n enabled for hibernation.
Indicates whether your instance is configured for hibernation. This parameter is valid\n only if the instance meets the hibernation\n prerequisites. For more information, see Hibernate your instance in the\n Amazon EC2 User Guide.
" + "smithy.api#documentation": "Indicates whether your instance is configured for hibernation. This parameter is valid\n only if the instance meets the hibernation\n prerequisites. For more information, see Hibernate your instance in the\n Amazon EC2 User Guide.
" } }, "com.amazonaws.ec2#HibernationOptionsRequest": { @@ -51446,12 +53896,12 @@ "traits": { "smithy.api#clientOptional": {}, "smithy.api#default": false, - "smithy.api#documentation": "If you set this parameter to true
, your instance is enabled for\n hibernation.
Default: false
\n
Set to true
to enable your instance for hibernation.
Default: false
\n
Indicates whether your instance is configured for hibernation. This parameter is valid\n only if the instance meets the hibernation\n prerequisites. For more information, see Hibernate your instance in the\n Amazon EC2 User Guide.
" + "smithy.api#documentation": "Indicates whether your instance is configured for hibernation. This parameter is valid\n only if the instance meets the hibernation\n prerequisites. For more information, see Hibernate your instance in the\n Amazon EC2 User Guide.
" } }, "com.amazonaws.ec2#HistoryRecord": { @@ -51692,6 +54142,14 @@ "smithy.api#documentation": "Indicates whether host maintenance is enabled or disabled for the Dedicated\n Host.
", "smithy.api#xmlName": "hostMaintenance" } + }, + "AssetId": { + "target": "com.amazonaws.ec2#AssetId", + "traits": { + "aws.protocols#ec2QueryName": "AssetId", + "smithy.api#documentation": "The ID of the Outpost hardware asset on which the Dedicated Host is allocated.
", + "smithy.api#xmlName": "assetId" + } } }, "traits": { @@ -52848,6 +55306,28 @@ } } }, + "com.amazonaws.ec2#ImageBlockPublicAccessDisabledState": { + "type": "enum", + "members": { + "unblocked": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "unblocked" + } + } + } + }, + "com.amazonaws.ec2#ImageBlockPublicAccessEnabledState": { + "type": "enum", + "members": { + "block_new_sharing": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "block-new-sharing" + } + } + } + }, "com.amazonaws.ec2#ImageDiskContainer": { "type": "structure", "members": { @@ -53250,7 +55730,7 @@ "KmsKeyId": { "target": "com.amazonaws.ec2#KmsKeyId", "traits": { - "smithy.api#documentation": "An identifier for the symmetric KMS key to use when creating the\n encrypted AMI. This parameter is only required if you want to use a non-default KMS key; if this\n parameter is not specified, the default KMS key for EBS is used. If a KmsKeyId
is\n specified, the Encrypted
flag must also be set.
The KMS key identifier may be provided in any of the following formats:
\nKey ID
\nKey alias. The alias ARN contains the arn:aws:kms
namespace, followed by the Region of the key, the Amazon Web Services account ID of the key owner, the alias
namespace, and then the key alias. For example, arn:aws:kms:us-east-1:012345678910:alias/ExampleAlias.
ARN using key ID. The ID ARN contains the arn:aws:kms
namespace, followed by the Region of the key, the Amazon Web Services account ID of the key owner, the key
namespace, and then the key ID. For example, arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef.
ARN using key alias. The alias ARN contains the arn:aws:kms
namespace, followed by the Region of the key, the Amazon Web Services account ID of the key owner, the alias
namespace, and then the key alias. For example, arn:aws:kms:us-east-1:012345678910:alias/ExampleAlias.
Amazon Web Services parses KmsKeyId
asynchronously, meaning that the action you call may appear to complete even\n though you provided an invalid identifier. This action will eventually report failure.
The specified KMS key must exist in the Region that the AMI is being copied to.
\nAmazon EBS does not support asymmetric KMS keys.
" + "smithy.api#documentation": "An identifier for the symmetric KMS key to use when creating the\n encrypted AMI. This parameter is only required if you want to use a non-default KMS key; if this\n parameter is not specified, the default KMS key for EBS is used. If a KmsKeyId
is\n specified, the Encrypted
flag must also be set.
The KMS key identifier may be provided in any of the following formats:
\nKey ID
\nKey alias
\nARN using key ID. The ID ARN contains the arn:aws:kms
namespace, followed by the Region of the key, the Amazon Web Services account ID of the key owner, the key
namespace, and then the key ID. For example, arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef.
ARN using key alias. The alias ARN contains the arn:aws:kms
namespace, followed by the Region of the key, the Amazon Web Services account ID of the key owner, the alias
namespace, and then the key alias. For example, arn:aws:kms:us-east-1:012345678910:alias/ExampleAlias.
Amazon Web Services parses KmsKeyId
asynchronously, meaning that the action you call may appear to complete even\n though you provided an invalid identifier. This action will eventually report failure.
The specified KMS key must exist in the Region that the AMI is being copied to.
\nAmazon EBS does not support asymmetric KMS keys.
" } }, "LicenseType": { @@ -53262,7 +55742,7 @@ "Platform": { "target": "com.amazonaws.ec2#String", "traits": { - "smithy.api#documentation": "The operating system of the virtual machine.
\nValid values: Windows
| Linux
\n
The operating system of the virtual machine. If you import a VM that is compatible with\n Unified Extensible Firmware Interface (UEFI) using an EBS snapshot, you must specify a value for\n the platform.
\nValid values: Windows
| Linux
\n
Creates an import instance task using metadata from the specified disk image.
\nThis API action supports only single-volume VMs. To import multi-volume VMs, use ImportImage\n instead.
\nThis API action is not supported by the Command Line Interface (CLI). For \n information about using the Amazon EC2 CLI, which is deprecated, see\n Importing a VM to Amazon EC2 in the Amazon EC2 CLI Reference PDF file.
\nFor information about the import manifest referenced by this API action, see VM Import Manifest.
" + "smithy.api#documentation": "We recommend that you use the \n ImportImage
\n \n API. For more information, see Importing a VM as an image using VM\n Import/Export in the VM Import/Export User Guide.
Creates an import instance task using metadata from the specified disk image.
\nThis API action is not supported by the Command Line Interface (CLI). For\n information about using the Amazon EC2 CLI, which is deprecated, see Importing\n a VM to Amazon EC2 in the Amazon EC2 CLI Reference PDF file.
\nThis API action supports only single-volume VMs. To import multi-volume VMs, use ImportImage\n instead.
\nFor information about the import manifest referenced by this API action, see VM Import Manifest.
" } }, "com.amazonaws.ec2#ImportInstanceLaunchSpecification": { @@ -54049,7 +56529,7 @@ "KmsKeyId": { "target": "com.amazonaws.ec2#KmsKeyId", "traits": { - "smithy.api#documentation": "An identifier for the symmetric KMS key to use when creating the\n encrypted snapshot. This parameter is only required if you want to use a non-default KMS key; if this\n parameter is not specified, the default KMS key for EBS is used. If a KmsKeyId
is\n specified, the Encrypted
flag must also be set.
The KMS key identifier may be provided in any of the following formats:
\nKey ID
\nKey alias. The alias ARN contains the arn:aws:kms
namespace, followed by the Region of the key, the Amazon Web Services account ID of the key owner, the alias
namespace, and then the key alias. For example, arn:aws:kms:us-east-1:012345678910:alias/ExampleAlias.
ARN using key ID. The ID ARN contains the arn:aws:kms
namespace, followed by the Region of the key, the Amazon Web Services account ID of the key owner, the key
namespace, and then the key ID. For example, arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef.
ARN using key alias. The alias ARN contains the arn:aws:kms
namespace, followed by the Region of the key, the Amazon Web Services account ID of the key owner, the alias
namespace, and then the key alias. For example, arn:aws:kms:us-east-1:012345678910:alias/ExampleAlias.
Amazon Web Services parses KmsKeyId
asynchronously, meaning that the action you call may appear to complete even\n though you provided an invalid identifier. This action will eventually report failure.
The specified KMS key must exist in the Region that the snapshot is being copied to.
\nAmazon EBS does not support asymmetric KMS keys.
" + "smithy.api#documentation": "An identifier for the symmetric KMS key to use when creating the\n encrypted snapshot. This parameter is only required if you want to use a non-default KMS key; if this\n parameter is not specified, the default KMS key for EBS is used. If a KmsKeyId
is\n specified, the Encrypted
flag must also be set.
The KMS key identifier may be provided in any of the following formats:
\nKey ID
\nKey alias
\nARN using key ID. The ID ARN contains the arn:aws:kms
namespace, followed by the Region of the key, the Amazon Web Services account ID of the key owner, the key
namespace, and then the key ID. For example, arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef.
ARN using key alias. The alias ARN contains the arn:aws:kms
namespace, followed by the Region of the key, the Amazon Web Services account ID of the key owner, the alias
namespace, and then the key alias. For example, arn:aws:kms:us-east-1:012345678910:alias/ExampleAlias.
Amazon Web Services parses KmsKeyId
asynchronously, meaning that the action you call may appear to complete even\n though you provided an invalid identifier. This action will eventually report failure.
The specified KMS key must exist in the Region that the snapshot is being copied to.
\nAmazon EBS does not support asymmetric KMS keys.
" } }, "RoleName": { @@ -54327,6 +56807,14 @@ "smithy.api#documentation": "Describes the Inference accelerators for the instance type.
", "smithy.api#xmlName": "accelerators" } + }, + "TotalInferenceMemoryInMiB": { + "target": "com.amazonaws.ec2#totalInferenceMemory", + "traits": { + "aws.protocols#ec2QueryName": "TotalInferenceMemoryInMiB", + "smithy.api#documentation": "The total size of the memory for the inference accelerators for the instance type, in MiB.
", + "smithy.api#xmlName": "totalInferenceMemoryInMiB" + } } }, "traits": { @@ -54362,6 +56850,14 @@ "smithy.api#documentation": "The manufacturer of the Inference accelerator.
", "smithy.api#xmlName": "manufacturer" } + }, + "MemoryInfo": { + "target": "com.amazonaws.ec2#InferenceDeviceMemoryInfo", + "traits": { + "aws.protocols#ec2QueryName": "MemoryInfo", + "smithy.api#documentation": "Describes the memory available to the inference accelerator.
", + "smithy.api#xmlName": "memoryInfo" + } } }, "traits": { @@ -54377,6 +56873,25 @@ "com.amazonaws.ec2#InferenceDeviceManufacturerName": { "type": "string" }, + "com.amazonaws.ec2#InferenceDeviceMemoryInfo": { + "type": "structure", + "members": { + "SizeInMiB": { + "target": "com.amazonaws.ec2#InferenceDeviceMemorySize", + "traits": { + "aws.protocols#ec2QueryName": "SizeInMiB", + "smithy.api#documentation": "The size of the memory available to the inference accelerator, in MiB.
", + "smithy.api#xmlName": "sizeInMiB" + } + } + }, + "traits": { + "smithy.api#documentation": "Describes the memory available to the inference accelerator.
" + } + }, + "com.amazonaws.ec2#InferenceDeviceMemorySize": { + "type": "integer" + }, "com.amazonaws.ec2#InferenceDeviceName": { "type": "string" }, @@ -55902,6 +58417,16 @@ "smithy.api#documentation": "The IPv6 address.
", "smithy.api#xmlName": "ipv6Address" } + }, + "IsPrimaryIpv6": { + "target": "com.amazonaws.ec2#Boolean", + "traits": { + "aws.protocols#ec2QueryName": "IsPrimaryIpv6", + "smithy.api#clientOptional": {}, + "smithy.api#default": false, + "smithy.api#documentation": "Determines if an IPv6 address associated with a network interface is the primary IPv6 address. When you enable an IPv6 GUA address to be a primary IPv6, the first IPv6 GUA will be made the primary IPv6 address until the instance is terminated or the network interface is detached. \n For more information, see RunInstances.
", + "smithy.api#xmlName": "isPrimaryIpv6" + } } }, "traits": { @@ -56706,6 +59231,14 @@ "smithy.api#default": 0, "smithy.api#documentation": "The number of IPv6 delegated prefixes to be automatically assigned to the network interface. \n You cannot use this option if you use the Ipv6Prefix
option.
The primary IPv6 address of the network interface. When you enable an IPv6 GUA address to be a primary IPv6, the first IPv6 GUA will be made the primary IPv6 address until the instance is terminated or the network interface is detached. For more information about primary IPv6 addresses, see RunInstances.
" + } } }, "traits": { @@ -56967,7 +59500,7 @@ } }, "traits": { - "smithy.api#documentation": "The attributes for the instance types. When you specify instance attributes, Amazon EC2 will\n identify instance types with these attributes.
\nWhen you specify multiple attributes, you get instance types that satisfy all of the\n specified attributes. If you specify multiple values for an attribute, you get instance\n types that satisfy any of the specified values.
\nTo limit the list of instance types from which Amazon EC2 can identify matching instance types, \n you can use one of the following parameters, but not both in the same request:
\n\n AllowedInstanceTypes
- The instance types to include in the list. All \n other instance types are ignored, even if they match your specified attributes.
\n ExcludedInstanceTypes
- The instance types to exclude from the list, \n even if they match your specified attributes.
You must specify VCpuCount
and MemoryMiB
. All other attributes\n are optional. Any unspecified optional attribute is set to its default.
For more information, see Attribute-based instance type selection for EC2 Fleet, Attribute-based instance type selection for Spot Fleet, and Spot\n placement score in the Amazon EC2 User Guide.
" + "smithy.api#documentation": "The attributes for the instance types. When you specify instance attributes, Amazon EC2 will\n identify instance types with these attributes.
\nYou must specify VCpuCount
and MemoryMiB
. All other attributes\n are optional. Any unspecified optional attribute is set to its default.
When you specify multiple attributes, you get instance types that satisfy all of the\n specified attributes. If you specify multiple values for an attribute, you get instance\n types that satisfy any of the specified values.
\nTo limit the list of instance types from which Amazon EC2 can identify matching instance types, \n you can use one of the following parameters, but not both in the same request:
\n\n AllowedInstanceTypes
- The instance types to include in the list. All \n other instance types are ignored, even if they match your specified attributes.
\n ExcludedInstanceTypes
- The instance types to exclude from the list, \n even if they match your specified attributes.
If you specify InstanceRequirements
, you can't specify\n InstanceType
.
Attribute-based instance type selection is only supported when using Auto Scaling\n groups, EC2 Fleet, and Spot Fleet to launch instances. If you plan to use the launch template in\n the launch instance\n wizard or with the RunInstances API, you\n can't specify InstanceRequirements
.
For more information, see Attribute-based instance type selection for EC2 Fleet, Attribute-based instance type selection for Spot Fleet, and Spot\n placement score in the Amazon EC2 User Guide.
" } }, "com.amazonaws.ec2#InstanceRequirementsRequest": { @@ -57119,7 +59652,7 @@ "NetworkBandwidthGbps": { "target": "com.amazonaws.ec2#NetworkBandwidthGbpsRequest", "traits": { - "smithy.api#documentation": "The minimum and maximum amount of network bandwidth, in gigabits per second (Gbps).
\nDefault: No minimum or maximum limits
" + "smithy.api#documentation": "The minimum and maximum amount of baseline network bandwidth, in gigabits per second \n (Gbps). For more information, see Amazon EC2 instance network bandwidth in the Amazon EC2 User Guide.
\nDefault: No minimum or maximum limits
" } }, "AllowedInstanceTypes": { @@ -57131,7 +59664,7 @@ } }, "traits": { - "smithy.api#documentation": "The attributes for the instance types. When you specify instance attributes, Amazon EC2 will\n identify instance types with these attributes.
\nWhen you specify multiple attributes, you get instance types that satisfy all of the\n specified attributes. If you specify multiple values for an attribute, you get instance\n types that satisfy any of the specified values.
\nTo limit the list of instance types from which Amazon EC2 can identify matching instance types, \n you can use one of the following parameters, but not both in the same request:
\n\n AllowedInstanceTypes
- The instance types to include in the list. All \n other instance types are ignored, even if they match your specified attributes.
\n ExcludedInstanceTypes
- The instance types to exclude from the list, \n even if they match your specified attributes.
You must specify VCpuCount
and MemoryMiB
. All other attributes\n are optional. Any unspecified optional attribute is set to its default.
For more information, see Attribute-based instance type selection for EC2 Fleet, Attribute-based instance type selection for Spot Fleet, and Spot\n placement score in the Amazon EC2 User Guide.
" + "smithy.api#documentation": "The attributes for the instance types. When you specify instance attributes, Amazon EC2 will\n identify instance types with these attributes.
\nYou must specify VCpuCount
and MemoryMiB
. All other attributes\n are optional. Any unspecified optional attribute is set to its default.
When you specify multiple attributes, you get instance types that satisfy all of the\n specified attributes. If you specify multiple values for an attribute, you get instance\n types that satisfy any of the specified values.
\nTo limit the list of instance types from which Amazon EC2 can identify matching instance types, \n you can use one of the following parameters, but not both in the same request:
\n\n AllowedInstanceTypes
- The instance types to include in the list. All \n other instance types are ignored, even if they match your specified attributes.
\n ExcludedInstanceTypes
- The instance types to exclude from the list, \n even if they match your specified attributes.
If you specify InstanceRequirements
, you can't specify\n InstanceType
.
Attribute-based instance type selection is only supported when using Auto Scaling\n groups, EC2 Fleet, and Spot Fleet to launch instances. If you plan to use the launch template in\n the launch instance\n wizard, or with the RunInstances API or\n AWS::EC2::Instance Amazon Web Services CloudFormation resource, you can't specify\n InstanceRequirements
.
For more information, see Attribute-based instance type selection for EC2 Fleet, Attribute-based instance type selection for Spot Fleet, and Spot\n placement score in the Amazon EC2 User Guide.
" } }, "com.amazonaws.ec2#InstanceRequirementsWithMetadataRequest": { 
@@ -61525,6 +64058,528 @@ "traits": { "smithy.api#enumValue": "i4g.16xlarge" } + }, + "hpc7g_4xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "hpc7g.4xlarge" + } + }, + "hpc7g_8xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "hpc7g.8xlarge" + } + }, + "hpc7g_16xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "hpc7g.16xlarge" + } + }, + "c7gn_medium": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "c7gn.medium" + } + }, + "c7gn_large": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "c7gn.large" + } + }, + "c7gn_xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "c7gn.xlarge" + } + }, + "c7gn_2xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "c7gn.2xlarge" + } + }, + "c7gn_4xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "c7gn.4xlarge" + } + }, + "c7gn_8xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "c7gn.8xlarge" + } + }, + "c7gn_12xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "c7gn.12xlarge" + } + }, + "c7gn_16xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "c7gn.16xlarge" + } + }, + "p5_48xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "p5.48xlarge" + } + }, + "m7i_large": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7i.large" + } + }, + "m7i_xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7i.xlarge" + } + }, + "m7i_2xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7i.2xlarge" + } + }, + "m7i_4xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7i.4xlarge" + } + }, + "m7i_8xlarge": { + "target": "smithy.api#Unit", + "traits": { + 
"smithy.api#enumValue": "m7i.8xlarge" + } + }, + "m7i_12xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7i.12xlarge" + } + }, + "m7i_16xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7i.16xlarge" + } + }, + "m7i_24xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7i.24xlarge" + } + }, + "m7i_48xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7i.48xlarge" + } + }, + "m7i_flex_large": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7i-flex.large" + } + }, + "m7i_flex_xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7i-flex.xlarge" + } + }, + "m7i_flex_2xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7i-flex.2xlarge" + } + }, + "m7i_flex_4xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7i-flex.4xlarge" + } + }, + "m7i_flex_8xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7i-flex.8xlarge" + } + }, + "m7a_medium": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7a.medium" + } + }, + "m7a_large": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7a.large" + } + }, + "m7a_xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7a.xlarge" + } + }, + "m7a_2xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7a.2xlarge" + } + }, + "m7a_4xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7a.4xlarge" + } + }, + "m7a_8xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7a.8xlarge" + } + }, + "m7a_12xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7a.12xlarge" + } + }, + "m7a_16xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": 
"m7a.16xlarge" + } + }, + "m7a_24xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7a.24xlarge" + } + }, + "m7a_32xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7a.32xlarge" + } + }, + "m7a_48xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7a.48xlarge" + } + }, + "m7a_metal_48xl": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7a.metal-48xl" + } + }, + "hpc7a_12xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "hpc7a.12xlarge" + } + }, + "hpc7a_24xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "hpc7a.24xlarge" + } + }, + "hpc7a_48xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "hpc7a.48xlarge" + } + }, + "hpc7a_96xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "hpc7a.96xlarge" + } + }, + "c7gd_medium": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "c7gd.medium" + } + }, + "c7gd_large": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "c7gd.large" + } + }, + "c7gd_xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "c7gd.xlarge" + } + }, + "c7gd_2xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "c7gd.2xlarge" + } + }, + "c7gd_4xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "c7gd.4xlarge" + } + }, + "c7gd_8xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "c7gd.8xlarge" + } + }, + "c7gd_12xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "c7gd.12xlarge" + } + }, + "c7gd_16xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "c7gd.16xlarge" + } + }, + "m7gd_medium": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7gd.medium" + } + }, + 
"m7gd_large": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7gd.large" + } + }, + "m7gd_xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7gd.xlarge" + } + }, + "m7gd_2xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7gd.2xlarge" + } + }, + "m7gd_4xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7gd.4xlarge" + } + }, + "m7gd_8xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7gd.8xlarge" + } + }, + "m7gd_12xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7gd.12xlarge" + } + }, + "m7gd_16xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7gd.16xlarge" + } + }, + "r7gd_medium": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "r7gd.medium" + } + }, + "r7gd_large": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "r7gd.large" + } + }, + "r7gd_xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "r7gd.xlarge" + } + }, + "r7gd_2xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "r7gd.2xlarge" + } + }, + "r7gd_4xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "r7gd.4xlarge" + } + }, + "r7gd_8xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "r7gd.8xlarge" + } + }, + "r7gd_12xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "r7gd.12xlarge" + } + }, + "r7gd_16xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "r7gd.16xlarge" + } + }, + "r7a_medium": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "r7a.medium" + } + }, + "r7a_large": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "r7a.large" + } + }, + "r7a_xlarge": { + "target": "smithy.api#Unit", + "traits": { 
+ "smithy.api#enumValue": "r7a.xlarge" + } + }, + "r7a_2xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "r7a.2xlarge" + } + }, + "r7a_4xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "r7a.4xlarge" + } + }, + "r7a_8xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "r7a.8xlarge" + } + }, + "r7a_12xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "r7a.12xlarge" + } + }, + "r7a_16xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "r7a.16xlarge" + } + }, + "r7a_24xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "r7a.24xlarge" + } + }, + "r7a_32xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "r7a.32xlarge" + } + }, + "r7a_48xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "r7a.48xlarge" + } + }, + "c7i_large": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "c7i.large" + } + }, + "c7i_xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "c7i.xlarge" + } + }, + "c7i_2xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "c7i.2xlarge" + } + }, + "c7i_4xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "c7i.4xlarge" + } + }, + "c7i_8xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "c7i.8xlarge" + } + }, + "c7i_12xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "c7i.12xlarge" + } + }, + "c7i_16xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "c7i.16xlarge" + } + }, + "c7i_24xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "c7i.24xlarge" + } + }, + "c7i_48xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "c7i.48xlarge" + } + }, + 
"mac2_m2pro_metal": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "mac2-m2pro.metal" + } } } }, @@ -61712,7 +64767,7 @@ "target": "com.amazonaws.ec2#BurstablePerformanceFlag", "traits": { "aws.protocols#ec2QueryName": "BurstablePerformanceSupported", - "smithy.api#documentation": "Indicates whether the instance type is a burstable performance instance type.
", + "smithy.api#documentation": "Indicates whether the instance type is a burstable performance T instance \n type. For more information, see Burstable \n performance instances.
", "smithy.api#xmlName": "burstablePerformanceSupported" } }, @@ -61739,6 +64794,30 @@ "smithy.api#documentation": "The supported boot modes. For more information, see Boot modes in the\n Amazon EC2 User Guide.
", "smithy.api#xmlName": "supportedBootModes" } + }, + "NitroEnclavesSupport": { + "target": "com.amazonaws.ec2#NitroEnclavesSupport", + "traits": { + "aws.protocols#ec2QueryName": "NitroEnclavesSupport", + "smithy.api#documentation": "Indicates whether Nitro Enclaves is supported.
", + "smithy.api#xmlName": "nitroEnclavesSupport" + } + }, + "NitroTpmSupport": { + "target": "com.amazonaws.ec2#NitroTpmSupport", + "traits": { + "aws.protocols#ec2QueryName": "NitroTpmSupport", + "smithy.api#documentation": "Indicates whether NitroTPM is supported.
", + "smithy.api#xmlName": "nitroTpmSupport" + } + }, + "NitroTpmInfo": { + "target": "com.amazonaws.ec2#NitroTpmInfo", + "traits": { + "aws.protocols#ec2QueryName": "NitroTpmInfo", + "smithy.api#documentation": "Describes the supported NitroTPM versions for the instance type.
", + "smithy.api#xmlName": "nitroTpmInfo" + } } }, "traits": { @@ -62006,7 +65085,7 @@ } }, "traits": { - "smithy.api#documentation": "Describes the attachment of a VPC to an internet gateway or an egress-only internet\n\t\t\tgateway.
" + "smithy.api#documentation": "Describes the attachment of a VPC to an internet gateway or an egress-only internet gateway.
" } }, "com.amazonaws.ec2#InternetGatewayAttachmentList": { @@ -62107,7 +65186,7 @@ "target": "com.amazonaws.ec2#String", "traits": { "aws.protocols#ec2QueryName": "IpProtocol", - "smithy.api#documentation": "The IP protocol name (tcp
, udp
, icmp
, icmpv6
) \n or number (see Protocol Numbers).
[VPC only] Use -1
to specify all protocols. When authorizing\n security group rules, specifying -1
or a protocol number other than\n tcp
, udp
, icmp
, or icmpv6
allows\n traffic on all ports, regardless of any port range you specify. For tcp
,\n udp
, and icmp
, you must specify a port range. For icmpv6
,\n the port range is optional; if you omit the port range, traffic for all types and codes is allowed.
The IP protocol name (tcp
, udp
, icmp
, icmpv6
) \n or number (see Protocol Numbers).
Use -1
to specify all protocols. When authorizing\n security group rules, specifying -1
or a protocol number other than\n tcp
, udp
, icmp
, or icmpv6
allows\n traffic on all ports, regardless of any port range you specify. For tcp
,\n udp
, and icmp
, you must specify a port range. For icmpv6
,\n the port range is optional; if you omit the port range, traffic for all types and codes is allowed.
[VPC only] The IPv6 ranges.
", + "smithy.api#documentation": "The IPv6 ranges.
", "smithy.api#xmlName": "ipv6Ranges" } }, @@ -62131,7 +65210,7 @@ "target": "com.amazonaws.ec2#PrefixListIdList", "traits": { "aws.protocols#ec2QueryName": "PrefixListIds", - "smithy.api#documentation": "[VPC only] The prefix list IDs.
", + "smithy.api#documentation": "The prefix list IDs.
", "smithy.api#xmlName": "prefixListIds" } }, @@ -64598,7 +67677,7 @@ } }, "traits": { - "smithy.api#documentation": "[EC2-VPC only] Describes an IPv6 range.
" + "smithy.api#documentation": "Describes an IPv6 range.
" } }, "com.amazonaws.ec2#Ipv6RangeList": { @@ -65293,7 +68372,7 @@ "target": "com.amazonaws.ec2#FleetLaunchTemplateSpecification", "traits": { "aws.protocols#ec2QueryName": "LaunchTemplateSpecification", - "smithy.api#documentation": "The launch template.
", + "smithy.api#documentation": "The launch template to use. Make sure that the launch template does not contain the\n NetworkInterfaceId
parameter because you can't specify a network interface\n ID in a Spot Fleet.
Indicates whether the instance is enabled for \n AMD SEV-SNP.
", + "smithy.api#documentation": "Indicates whether the instance is enabled for AMD SEV-SNP. For more information, see \n AMD SEV-SNP.
", "smithy.api#xmlName": "amdSevSnp" } } @@ -65377,7 +68456,7 @@ "AmdSevSnp": { "target": "com.amazonaws.ec2#AmdSevSnpSpecification", "traits": { - "smithy.api#documentation": "Indicates whether to enable the instance for AMD SEV-SNP. AMD SEV-SNP is supported \n with M6a, R6a, and C6a instance types only.
" + "smithy.api#documentation": "Indicates whether to enable the instance for AMD SEV-SNP. AMD SEV-SNP is supported \n with M6a, R6a, and C6a instance types only. For more information, see \n AMD SEV-SNP.
" } } }, @@ -66204,6 +69283,16 @@ "smithy.api#documentation": "The number of IPv6 prefixes that Amazon Web Services automatically assigned to the network\n interface.
", "smithy.api#xmlName": "ipv6PrefixCount" } + }, + "PrimaryIpv6": { + "target": "com.amazonaws.ec2#Boolean", + "traits": { + "aws.protocols#ec2QueryName": "PrimaryIpv6", + "smithy.api#clientOptional": {}, + "smithy.api#default": false, + "smithy.api#documentation": "The primary IPv6 address of the network interface. When you enable an IPv6 GUA address to be a primary IPv6, the first IPv6 GUA will be made the primary IPv6 address until the instance is terminated or the network interface is detached. For more information about primary IPv6 addresses, see RunInstances.
", + "smithy.api#xmlName": "primaryIpv6" + } } }, "traits": { @@ -66356,6 +69445,14 @@ "smithy.api#default": 0, "smithy.api#documentation": "The number of IPv6 prefixes to be automatically assigned to the network interface. You\n cannot use this option if you use the Ipv6Prefix
option.
The primary IPv6 address of the network interface. When you enable an IPv6 GUA address to be a primary IPv6, the first IPv6 GUA will be made the primary IPv6 address until the instance is terminated or the network interface is detached. For more information about primary IPv6 addresses, see RunInstances.
" + } } }, "traits": { @@ -68209,6 +71306,12 @@ "traits": { "smithy.api#enumValue": "availability-zone-id" } + }, + "outpost": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "outpost" + } } } }, @@ -69538,7 +72641,24 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Modifies the specified attribute of the specified AMI. You can specify only one attribute at a time.
\nTo specify the attribute, you can use the Attribute
parameter, or one of the following parameters: \n Description
, ImdsSupport
, or LaunchPermission
.
Images with an Amazon Web Services Marketplace product code cannot be made public.
\nTo enable the SriovNetSupport enhanced networking attribute of an image, enable SriovNetSupport on an instance \n and create an AMI from the instance.
" + "smithy.api#documentation": "Modifies the specified attribute of the specified AMI. You can specify only one attribute at a time.
\nTo specify the attribute, you can use the Attribute
parameter, or one of the following parameters: \n Description
, ImdsSupport
, or LaunchPermission
.
Images with an Amazon Web Services Marketplace product code cannot be made public.
\nTo enable the SriovNetSupport enhanced networking attribute of an image, enable SriovNetSupport on an instance \n and create an AMI from the instance.
", + "smithy.api#examples": [ + { + "title": "To make an AMI public", + "documentation": "This example makes the specified AMI public.", + "input": { + "ImageId": "ami-5731123e", + "LaunchPermission": { + "Add": [ + { + "Group": "all" + } + ] + } + }, + "output": {} + } + ] } }, "com.amazonaws.ec2#ModifyImageAttributeRequest": { @@ -69648,7 +72768,20 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Modifies the specified attribute of the specified instance. You can specify only one\n attribute at a time.
\n\n Note: Using this action to change the security groups\n associated with an elastic network interface (ENI) attached to an instance can\n result in an error if the instance has more than one ENI. To change the security groups\n associated with an ENI attached to an instance that has multiple ENIs, we recommend that\n you use the ModifyNetworkInterfaceAttribute action.
\nTo modify some attributes, the instance must be stopped. For more information, see\n Modify a stopped instance in the\n Amazon EC2 User Guide.
" + "smithy.api#documentation": "Modifies the specified attribute of the specified instance. You can specify only one\n attribute at a time.
\n\n Note: Using this action to change the security groups\n associated with an elastic network interface (ENI) attached to an instance can\n result in an error if the instance has more than one ENI. To change the security groups\n associated with an ENI attached to an instance that has multiple ENIs, we recommend that\n you use the ModifyNetworkInterfaceAttribute action.
\nTo modify some attributes, the instance must be stopped. For more information, see\n Modify a stopped instance in the\n Amazon EC2 User Guide.
", + "smithy.api#examples": [ + { + "title": "To modify the instance type", + "documentation": "This example modifies the instance type of the specified stopped instance.", + "input": { + "InstanceId": "i-1234567890abcdef0", + "InstanceType": { + "Value": "m5.large" + } + }, + "output": {} + } + ] } }, "com.amazonaws.ec2#ModifyInstanceAttributeRequest": { @@ -70182,7 +73315,7 @@ "HttpProtocolIpv6": { "target": "com.amazonaws.ec2#InstanceMetadataProtocolState", "traits": { - "smithy.api#documentation": "Enables or disables the IPv6 endpoint for the instance metadata service. This setting\n applies only if you have enabled the HTTP metadata endpoint.
" + "smithy.api#documentation": "Enables or disables the IPv6 endpoint for the instance metadata service. \n Applies only if you enabled the HTTP metadata endpoint.
" } }, "InstanceMetadataTags": { @@ -70271,7 +73404,7 @@ "target": "com.amazonaws.ec2#HostTenancy", "traits": { "aws.protocols#ec2QueryName": "Tenancy", - "smithy.api#documentation": "The tenancy for the instance.
\nFor T3 instances, you can't change the tenancy from dedicated
to\n host
, or from host
to dedicated
.\n Attempting to make one of these unsupported tenancy changes results in the\n InvalidTenancy
error code.
The tenancy for the instance.
\nFor T3 instances, you must launch the instance on a Dedicated Host to use a\n tenancy of host
. You can't change the tenancy from\n host
to dedicated
or default
.\n Attempting to make one of these unsupported tenancy changes results in an\n InvalidRequest
error code.
The ARN of the host resource group in which to place the instance.
" + "smithy.api#documentation": "The ARN of the host resource group in which to place the instance. The instance must\n have a tenancy of host
to specify this parameter.
Modifies a launch template. You can specify which version of the launch template to\n set as the default version. When launching an instance, the default version applies when\n a launch template version is not specified.
" + "smithy.api#documentation": "Modifies a launch template. You can specify which version of the launch template to\n set as the default version. When launching an instance, the default version applies when\n a launch template version is not specified.
", + "smithy.api#examples": [ + { + "title": "To change the default version of a launch template", + "documentation": "This example specifies version 2 as the default version of the specified launch template.", + "input": { + "LaunchTemplateId": "lt-0abcd290751193123", + "DefaultVersion": "2" + }, + "output": { + "LaunchTemplate": { + "LatestVersionNumber": 2, + "LaunchTemplateId": "lt-0abcd290751193123", + "LaunchTemplateName": "WebServers", + "DefaultVersionNumber": 2, + "CreatedBy": "arn:aws:iam::123456789012:root", + "CreateTime": "2017-12-01T13:35:46.000Z" + } + } + } + ] } }, "com.amazonaws.ec2#ModifyLaunchTemplateRequest": { @@ -70965,7 +74118,20 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Modifies the specified network interface attribute. You can specify only one\n attribute at a time. You can use this action to attach and detach security groups from\n an existing EC2 instance.
" + "smithy.api#documentation": "Modifies the specified network interface attribute. You can specify only one\n attribute at a time. You can use this action to attach and detach security groups from\n an existing EC2 instance.
", + "smithy.api#examples": [ + { + "title": "To modify the attachment attribute of a network interface", + "documentation": "This example modifies the attachment attribute of the specified network interface.", + "input": { + "NetworkInterfaceId": "eni-686ea200", + "Attachment": { + "AttachmentId": "eni-attach-43348162", + "DeleteOnTermination": false + } + } + } + ] } }, "com.amazonaws.ec2#ModifyNetworkInterfaceAttributeRequest": { @@ -71027,6 +74193,14 @@ "traits": { "smithy.api#documentation": "Updates the ENA Express configuration for the network interface that’s attached to the\n\t\t\tinstance.
" } + }, + "EnablePrimaryIpv6": { + "target": "com.amazonaws.ec2#Boolean", + "traits": { + "smithy.api#clientOptional": {}, + "smithy.api#default": false, + "smithy.api#documentation": "If you’re modifying a network interface in a dual-stack or IPv6-only subnet, you have\n the option to assign a primary IPv6 IP address. A primary IPv6 address is an IPv6 GUA\n address associated with an ENI that you have enabled to use a primary IPv6 address. Use\n this option if the instance that this ENI will be attached to relies on its IPv6 address\n not changing. Amazon Web Services will automatically assign an IPv6 address associated\n with the ENI attached to your instance to be the primary IPv6 address. Once you enable\n an IPv6 GUA address to be a primary IPv6, you cannot disable it. When you enable an IPv6\n GUA address to be a primary IPv6, the first IPv6 GUA will be made the primary IPv6\n address until the instance is terminated or the network interface is detached. If you\n have multiple IPv6 addresses associated with an ENI attached to your instance and you\n enable a primary IPv6 address, the first IPv6 GUA address associated with the ENI\n becomes the primary IPv6 address.
" + } } }, "traits": { @@ -71246,7 +74420,22 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Adds or removes permission settings for the specified snapshot. You may add or remove\n specified Amazon Web Services account IDs from a snapshot's list of create volume permissions, but you cannot\n do both in a single operation. If you need to both add and remove account IDs for a snapshot,\n you must use multiple operations. You can make up to 500 modifications to a snapshot in a single operation.
\nEncrypted snapshots and snapshots with Amazon Web Services Marketplace product codes cannot be made\n public. Snapshots encrypted with your default KMS key cannot be shared with other accounts.
\nFor more information about modifying snapshot permissions, see Share a snapshot in the\n Amazon Elastic Compute Cloud User Guide.
" + "smithy.api#documentation": "Adds or removes permission settings for the specified snapshot. You may add or remove\n specified Amazon Web Services account IDs from a snapshot's list of create volume permissions, but you cannot\n do both in a single operation. If you need to both add and remove account IDs for a snapshot,\n you must use multiple operations. You can make up to 500 modifications to a snapshot in a single operation.
\nEncrypted snapshots and snapshots with Amazon Web Services Marketplace product codes cannot be made\n public. Snapshots encrypted with your default KMS key cannot be shared with other accounts.
\nFor more information about modifying snapshot permissions, see Share a snapshot in the\n Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#examples": [ + { + "title": "To modify a snapshot attribute", + "documentation": "This example modifies snapshot ``snap-1234567890abcdef0`` to remove the create volume permission for a user with the account ID ``123456789012``. If the command succeeds, no output is returned.", + "input": { + "SnapshotId": "snap-1234567890abcdef0", + "Attribute": "createVolumePermission", + "OperationType": "remove", + "UserIds": [ + "123456789012" + ] + }, + "output": {} + } + ] } }, "com.amazonaws.ec2#ModifySnapshotAttributeRequest": { @@ -71382,7 +74571,20 @@ "target": "com.amazonaws.ec2#ModifySpotFleetRequestResponse" }, "traits": { - "smithy.api#documentation": "Modifies the specified Spot Fleet request.
\nYou can only modify a Spot Fleet request of type maintain
.
While the Spot Fleet request is being modified, it is in the modifying
\n state.
To scale up your Spot Fleet, increase its target capacity. The Spot Fleet launches the\n additional Spot Instances according to the allocation strategy for the Spot Fleet\n request. If the allocation strategy is lowestPrice
, the Spot Fleet launches\n instances using the Spot Instance pool with the lowest price. If the allocation strategy\n is diversified
, the Spot Fleet distributes the instances across the Spot\n Instance pools. If the allocation strategy is capacityOptimized
, Spot Fleet\n launches instances from Spot Instance pools with optimal capacity for the number of instances\n that are launching.
To scale down your Spot Fleet, decrease its target capacity. First, the Spot Fleet\n cancels any open requests that exceed the new target capacity. You can request that the\n Spot Fleet terminate Spot Instances until the size of the fleet no longer exceeds the\n new target capacity. If the allocation strategy is lowestPrice
, the Spot\n Fleet terminates the instances with the highest price per unit. If the allocation\n strategy is capacityOptimized
, the Spot Fleet terminates the instances in\n the Spot Instance pools that have the least available Spot Instance capacity. If the allocation\n strategy is diversified
, the Spot Fleet terminates instances across the\n Spot Instance pools. Alternatively, you can request that the Spot Fleet keep the fleet\n at its current size, but not replace any Spot Instances that are interrupted or that you\n terminate manually.
If you are finished with your Spot Fleet for now, but will use it again later, you can\n set the target capacity to 0.
" + "smithy.api#documentation": "Modifies the specified Spot Fleet request.
\nYou can only modify a Spot Fleet request of type maintain
.
While the Spot Fleet request is being modified, it is in the modifying
\n state.
To scale up your Spot Fleet, increase its target capacity. The Spot Fleet launches the\n additional Spot Instances according to the allocation strategy for the Spot Fleet\n request. If the allocation strategy is lowestPrice
, the Spot Fleet launches\n instances using the Spot Instance pool with the lowest price. If the allocation strategy\n is diversified
, the Spot Fleet distributes the instances across the Spot\n Instance pools. If the allocation strategy is capacityOptimized
, Spot Fleet\n launches instances from Spot Instance pools with optimal capacity for the number of instances\n that are launching.
To scale down your Spot Fleet, decrease its target capacity. First, the Spot Fleet\n cancels any open requests that exceed the new target capacity. You can request that the\n Spot Fleet terminate Spot Instances until the size of the fleet no longer exceeds the\n new target capacity. If the allocation strategy is lowestPrice
, the Spot\n Fleet terminates the instances with the highest price per unit. If the allocation\n strategy is capacityOptimized
, the Spot Fleet terminates the instances in\n the Spot Instance pools that have the least available Spot Instance capacity. If the allocation\n strategy is diversified
, the Spot Fleet terminates instances across the\n Spot Instance pools. Alternatively, you can request that the Spot Fleet keep the fleet\n at its current size, but not replace any Spot Instances that are interrupted or that you\n terminate manually.
If you are finished with your Spot Fleet for now, but will use it again later, you can\n set the target capacity to 0.
", + "smithy.api#examples": [ + { + "title": "To increase the target capacity of a Spot fleet request", + "documentation": "This example increases the target capacity of the specified Spot fleet request.", + "input": { + "SpotFleetRequestId": "sfr-73fbd2ce-aa30-494c-8788-1cee4EXAMPLE", + "TargetCapacity": 20 + }, + "output": { + "Return": true + } + } + ] } }, "com.amazonaws.ec2#ModifySpotFleetRequestRequest": { @@ -71471,7 +74673,19 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Modifies a subnet attribute. You can only modify one attribute at a time.
\nUse this action to modify subnets on Amazon Web Services Outposts.
\nTo modify a subnet on an Outpost rack, set both\n MapCustomerOwnedIpOnLaunch
and\n CustomerOwnedIpv4Pool
. These two parameters act as a single\n attribute.
To modify a subnet on an Outpost server, set either\n EnableLniAtDeviceIndex
or\n DisableLniAtDeviceIndex
.
For more information about Amazon Web Services Outposts, see the following:
\n\n Outpost servers\n
\n\n Outpost racks\n
\nModifies a subnet attribute. You can only modify one attribute at a time.
\nUse this action to modify subnets on Amazon Web Services Outposts.
\nTo modify a subnet on an Outpost rack, set both\n MapCustomerOwnedIpOnLaunch
and\n CustomerOwnedIpv4Pool
. These two parameters act as a single\n attribute.
To modify a subnet on an Outpost server, set either\n EnableLniAtDeviceIndex
or\n DisableLniAtDeviceIndex
.
For more information about Amazon Web Services Outposts, see the following:
\n\n Outpost servers\n
\n\n Outpost racks\n
\nThe number of bytes in each packet to mirror. These are bytes after the VXLAN header. To mirror a subset, set this to the length (in bytes) to mirror. For example, if you set this value to 100, then the first 100 bytes that meet the filter criteria are copied to the target. Do not specify this parameter when you want to mirror the entire packet.
" + "smithy.api#documentation": "The number of bytes in each packet to mirror. These are bytes after the VXLAN header. To mirror a subset, set this to the length (in bytes) to mirror. For example, if you set this value to 100, then the first 100 bytes that meet the filter criteria are copied to the target. Do not specify this parameter when you want to mirror the entire packet.
\nFor sessions with Network Load Balancer (NLB) traffic mirror targets, the default PacketLength
will be set to 8500. Valid values are 1-8500. Setting a PacketLength
greater than 8500 will result in an error response.
Modifies a volume attribute.
\nBy default, all I/O operations for the volume are suspended when the data on the volume is\n determined to be potentially inconsistent, to prevent undetectable, latent data corruption.\n The I/O access to the volume can be resumed by first enabling I/O access and then checking the\n data consistency on your volume.
\nYou can change the default behavior to resume I/O operations. We recommend that you change\n this only for boot volumes or for volumes that are stateless or disposable.
" + "smithy.api#documentation": "Modifies a volume attribute.
\nBy default, all I/O operations for the volume are suspended when the data on the volume is\n determined to be potentially inconsistent, to prevent undetectable, latent data corruption.\n The I/O access to the volume can be resumed by first enabling I/O access and then checking the\n data consistency on your volume.
\nYou can change the default behavior to resume I/O operations. We recommend that you change\n this only for boot volumes or for volumes that are stateless or disposable.
", + "smithy.api#examples": [ + { + "title": "To modify a volume attribute", + "documentation": "This example sets the ``autoEnableIo`` attribute of the volume with the ID ``vol-1234567890abcdef0`` to ``true``. If the command succeeds, no output is returned.", + "input": { + "DryRun": true, + "VolumeId": "vol-1234567890abcdef0", + "AutoEnableIO": { + "Value": true + } + }, + "output": {} + } + ] } }, "com.amazonaws.ec2#ModifyVolumeAttributeRequest": { @@ -72920,7 +76148,19 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Modifies the specified attribute of the specified VPC.
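Review bot: The `ModifyVolumeAttribute` example passes `"DryRun": true` in its `input`, which contradicts its `documentation` text saying the attribute is set and no output is returned. A dry-run request only checks permissions and comes back with an error response instead of applying the change, so a reader copying the example would not modify the volume. Either drop the `"DryRun": true` line from the example input or reword the description to say it is a permission check.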
" + "smithy.api#documentation": "Modifies the specified attribute of the specified VPC.
", + "smithy.api#examples": [ + { + "title": "To modify the enableDnsSupport attribute", + "documentation": "This example modifies the enableDnsSupport attribute. This attribute indicates whether DNS resolution is enabled for the VPC. If this attribute is true, the Amazon DNS server resolves DNS hostnames for instances in the VPC to their corresponding IP addresses; otherwise, it does not.", + "input": { + "VpcId": "vpc-a01106c2", + "EnableDnsSupport": { + "Value": false + } + } + } + ] } }, "com.amazonaws.ec2#ModifyVpcAttributeRequest": { @@ -73101,14 +76341,14 @@ "AddSecurityGroupIds": { "target": "com.amazonaws.ec2#VpcEndpointSecurityGroupIdList", "traits": { - "smithy.api#documentation": "(Interface endpoint) The IDs of the security groups to associate with the network interface.
", + "smithy.api#documentation": "(Interface endpoint) The IDs of the security groups to associate with the endpoint network interfaces.
", "smithy.api#xmlName": "AddSecurityGroupId" } }, "RemoveSecurityGroupIds": { "target": "com.amazonaws.ec2#VpcEndpointSecurityGroupIdList", "traits": { - "smithy.api#documentation": "(Interface endpoint) The IDs of the security groups to disassociate from the network interface.
", + "smithy.api#documentation": "(Interface endpoint) The IDs of the security groups to disassociate from the endpoint network interfaces.
", "smithy.api#xmlName": "RemoveSecurityGroupId" } }, @@ -73129,7 +76369,14 @@ "traits": { "smithy.api#clientOptional": {}, "smithy.api#default": false, - "smithy.api#documentation": "(Interface endpoint) Indicates whether a private hosted zone is associated with the\n VPC.
" + "smithy.api#documentation": "(Interface endpoint) Indicates whether a private hosted zone is associated with the VPC.
" + } + }, + "SubnetConfigurations": { + "target": "com.amazonaws.ec2#SubnetConfigurationsList", + "traits": { + "smithy.api#documentation": "The subnet configurations for the endpoint.
", + "smithy.api#xmlName": "SubnetConfiguration" } } }, @@ -73418,7 +76665,7 @@ "target": "com.amazonaws.ec2#ModifyVpcPeeringConnectionOptionsResult" }, "traits": { - "smithy.api#documentation": "We are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nModifies the VPC peering connection options on one side of a VPC peering connection. You can do the following:
\nEnable/disable communication over the peering connection between an EC2-Classic instance that's linked to your VPC (using ClassicLink) and instances in the peer VPC.
\nEnable/disable communication over the peering connection between instances in your VPC and an EC2-Classic instance that's linked to the peer VPC.
\nEnable/disable the ability to resolve public DNS hostnames to private IP\n addresses when queried from instances in the peer VPC.
\nIf the peered VPCs are in the same Amazon Web Services account, you can enable DNS\n resolution for queries from the local VPC. This ensures that queries from the local VPC\n resolve to private IP addresses in the peer VPC. This option is not available if the\n peered VPCs are in different Amazon Web Services accounts or different Regions. For\n peered VPCs in different Amazon Web Services accounts, each Amazon Web Services account\n owner must initiate a separate request to modify the peering connection options. For\n inter-region peering connections, you must use the Region for the requester VPC to\n modify the requester VPC peering options and the Region for the accepter VPC to modify\n the accepter VPC peering options. To verify which VPCs are the accepter and the\n requester for a VPC peering connection, use the DescribeVpcPeeringConnections command.
" + "smithy.api#documentation": "Modifies the VPC peering connection options on one side of a VPC peering connection.
\nIf the peered VPCs are in the same Amazon Web Services account, you can enable DNS\n resolution for queries from the local VPC. This ensures that queries from the local VPC\n resolve to private IP addresses in the peer VPC. This option is not available if the\n peered VPCs are in different Amazon Web Services accounts or different Regions. For\n peered VPCs in different Amazon Web Services accounts, each Amazon Web Services account\n owner must initiate a separate request to modify the peering connection options. For\n inter-region peering connections, you must use the Region for the requester VPC to\n modify the requester VPC peering options and the Region for the accepter VPC to modify\n the accepter VPC peering options. To verify which VPCs are the accepter and the\n requester for a VPC peering connection, use the DescribeVpcPeeringConnections command.
" } }, "com.amazonaws.ec2#ModifyVpcPeeringConnectionOptionsRequest": { @@ -73490,7 +76737,7 @@ "target": "com.amazonaws.ec2#ModifyVpcTenancyResult" }, "traits": { - "smithy.api#documentation": "Modifies the instance tenancy attribute of the specified VPC. You can change the\n instance tenancy attribute of a VPC to default
only. You cannot change the\n instance tenancy attribute to dedicated
.
After you modify the tenancy of the VPC, any new instances that you launch into the\n VPC have a tenancy of default
, unless you specify otherwise during launch.\n The tenancy of any existing instances in the VPC is not affected.
For more information, see Dedicated Instances in the\n\t\t\t\tAmazon Elastic Compute Cloud User Guide.
" + "smithy.api#documentation": "Modifies the instance tenancy attribute of the specified VPC. You can change the\n instance tenancy attribute of a VPC to default
only. You cannot change the\n instance tenancy attribute to dedicated
.
After you modify the tenancy of the VPC, any new instances that you launch into the\n VPC have a tenancy of default
, unless you specify otherwise during launch.\n The tenancy of any existing instances in the VPC is not affected.
For more information, see Dedicated Instances in the\n\t\t\t\tAmazon EC2 User Guide.
" } }, "com.amazonaws.ec2#ModifyVpcTenancyRequest": { @@ -73841,7 +77088,7 @@ } }, "PreSharedKey": { - "target": "com.amazonaws.ec2#String", + "target": "com.amazonaws.ec2#preSharedKey", "traits": { "smithy.api#documentation": "The pre-shared key (PSK) to establish initial authentication between the virtual\n private gateway and the customer gateway.
\nConstraints: Allowed characters are alphanumeric characters, periods (.), and\n underscores (_). Must be between 8 and 64 characters in length and cannot start with\n zero (0).
" } @@ -73971,7 +77218,8 @@ } }, "traits": { - "smithy.api#documentation": "The Amazon Web Services Site-to-Site VPN tunnel options to modify.
" + "smithy.api#documentation": "The Amazon Web Services Site-to-Site VPN tunnel options to modify.
", + "smithy.api#sensitive": {} } }, "com.amazonaws.ec2#MonitorInstances": { @@ -74083,7 +77331,19 @@ "target": "com.amazonaws.ec2#MoveAddressToVpcResult" }, "traits": { - "smithy.api#documentation": "This action is deprecated.
\nMoves an Elastic IP address from the EC2-Classic platform to the EC2-VPC platform. The\n Elastic IP address must be allocated to your account for more than 24 hours, and it must not\n be associated with an instance. After the Elastic IP address is moved, it is no longer\n available for use in the EC2-Classic platform, unless you move it back using the\n RestoreAddressToClassic request. You cannot move an Elastic IP address that was\n originally allocated for use in the EC2-VPC platform to the EC2-Classic platform.
" + "smithy.api#documentation": "This action is deprecated.
\nMoves an Elastic IP address from the EC2-Classic platform to the EC2-VPC platform. The\n Elastic IP address must be allocated to your account for more than 24 hours, and it must not\n be associated with an instance. After the Elastic IP address is moved, it is no longer\n available for use in the EC2-Classic platform, unless you move it back using the\n RestoreAddressToClassic request. You cannot move an Elastic IP address that was\n originally allocated for use in the EC2-VPC platform to the EC2-Classic platform.
", + "smithy.api#examples": [ + { + "title": "To move an address to EC2-VPC", + "documentation": "This example moves the specified Elastic IP address to the EC2-VPC platform.", + "input": { + "PublicIp": "54.123.4.56" + }, + "output": { + "Status": "MoveInProgress" + } + } + ] } }, "com.amazonaws.ec2#MoveAddressToVpcRequest": { @@ -74575,7 +77835,7 @@ "target": "com.amazonaws.ec2#NetworkAclEntryList", "traits": { "aws.protocols#ec2QueryName": "EntrySet", - "smithy.api#documentation": "One or more entries (rules) in the network ACL.
", + "smithy.api#documentation": "The entries (rules) in the network ACL.
", "smithy.api#xmlName": "entrySet" } }, @@ -74857,6 +78117,22 @@ "smithy.api#documentation": "The maximum number of network interfaces for the network card.
", "smithy.api#xmlName": "maximumNetworkInterfaces" } + }, + "BaselineBandwidthInGbps": { + "target": "com.amazonaws.ec2#BaselineBandwidthInGbps", + "traits": { + "aws.protocols#ec2QueryName": "BaselineBandwidthInGbps", + "smithy.api#documentation": "The baseline network performance of the network card, in Gbps.
", + "smithy.api#xmlName": "baselineBandwidthInGbps" + } + }, + "PeakBandwidthInGbps": { + "target": "com.amazonaws.ec2#PeakBandwidthInGbps", + "traits": { + "aws.protocols#ec2QueryName": "PeakBandwidthInGbps", + "smithy.api#documentation": "The peak (burst) network performance of the network card, in Gbps.
", + "smithy.api#xmlName": "peakBandwidthInGbps" + } } }, "traits": { @@ -76057,6 +79333,16 @@ "smithy.api#documentation": "The IPv6 address.
", "smithy.api#xmlName": "ipv6Address" } + }, + "IsPrimaryIpv6": { + "target": "com.amazonaws.ec2#Boolean", + "traits": { + "aws.protocols#ec2QueryName": "IsPrimaryIpv6", + "smithy.api#clientOptional": {}, + "smithy.api#default": false, + "smithy.api#documentation": "Determines if an IPv6 address associated with a network interface is the primary IPv6 address. When you enable an IPv6 GUA address to be a primary IPv6, the first IPv6 GUA will be made the primary IPv6 address until the instance is terminated or the network interface is detached. For more information, see ModifyNetworkInterfaceAttribute.
", + "smithy.api#xmlName": "isPrimaryIpv6" + } } }, "traits": { @@ -76418,7 +79704,7 @@ "Values": { "target": "com.amazonaws.ec2#ValueStringList", "traits": { - "smithy.api#documentation": "One or more values for the DHCP option.
", + "smithy.api#documentation": "The values for the DHCP option.
", "smithy.api#xmlName": "Value" } } @@ -76439,6 +79725,68 @@ "com.amazonaws.ec2#NextToken": { "type": "string" }, + "com.amazonaws.ec2#NitroEnclavesSupport": { + "type": "enum", + "members": { + "UNSUPPORTED": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "unsupported" + } + }, + "SUPPORTED": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "supported" + } + } + } + }, + "com.amazonaws.ec2#NitroTpmInfo": { + "type": "structure", + "members": { + "SupportedVersions": { + "target": "com.amazonaws.ec2#NitroTpmSupportedVersionsList", + "traits": { + "aws.protocols#ec2QueryName": "SupportedVersions", + "smithy.api#documentation": "Indicates the supported NitroTPM versions.
", + "smithy.api#xmlName": "supportedVersions" + } + } + }, + "traits": { + "smithy.api#documentation": "Describes the supported NitroTPM versions for the instance type.
" + } + }, + "com.amazonaws.ec2#NitroTpmSupport": { + "type": "enum", + "members": { + "UNSUPPORTED": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "unsupported" + } + }, + "SUPPORTED": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "supported" + } + } + } + }, + "com.amazonaws.ec2#NitroTpmSupportedVersionType": { + "type": "string" + }, + "com.amazonaws.ec2#NitroTpmSupportedVersionsList": { + "type": "list", + "member": { + "target": "com.amazonaws.ec2#NitroTpmSupportedVersionType", + "traits": { + "smithy.api#xmlName": "item" + } + } + }, "com.amazonaws.ec2#OccurrenceDayRequestSet": { "type": "list", "member": { @@ -76911,6 +80259,12 @@ } } }, + "com.amazonaws.ec2#PasswordData": { + "type": "string", + "traits": { + "smithy.api#sensitive": {} + } + }, "com.amazonaws.ec2#PathComponent": { "type": "structure", "members": { @@ -77272,6 +80626,9 @@ "smithy.api#documentation": "Describes the data that identifies an Amazon FPGA image (AFI) on the PCI bus.
" } }, + "com.amazonaws.ec2#PeakBandwidthInGbps": { + "type": "double" + }, "com.amazonaws.ec2#PeeringAttachmentStatus": { "type": "structure", "members": { @@ -77315,7 +80672,7 @@ "aws.protocols#ec2QueryName": "AllowEgressFromLocalClassicLinkToRemoteVpc", "smithy.api#clientOptional": {}, "smithy.api#default": false, - "smithy.api#documentation": "If true, enables outbound communication from an EC2-Classic instance that's linked to\n a local VPC using ClassicLink to instances in a peer VPC.
", + "smithy.api#documentation": "Deprecated.
", "smithy.api#xmlName": "allowEgressFromLocalClassicLinkToRemoteVpc" } }, @@ -77325,13 +80682,13 @@ "aws.protocols#ec2QueryName": "AllowEgressFromLocalVpcToRemoteClassicLink", "smithy.api#clientOptional": {}, "smithy.api#default": false, - "smithy.api#documentation": "If true, enables outbound communication from instances in a local VPC to an\n EC2-Classic instance that's linked to a peer VPC using ClassicLink.
", + "smithy.api#documentation": "Deprecated.
", "smithy.api#xmlName": "allowEgressFromLocalVpcToRemoteClassicLink" } } }, "traits": { - "smithy.api#documentation": "We are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nDescribes the VPC peering connection options.
" + "smithy.api#documentation": "Describes the VPC peering connection options.
" } }, "com.amazonaws.ec2#PeeringConnectionOptionsRequest": { @@ -77342,7 +80699,7 @@ "traits": { "smithy.api#clientOptional": {}, "smithy.api#default": false, - "smithy.api#documentation": "If true, enables a local VPC to resolve public DNS hostnames to private IP addresses when queried from instances in the peer VPC.
" + "smithy.api#documentation": "If true, enables a local VPC to resolve public DNS hostnames to private IP addresses \n when queried from instances in the peer VPC.
" } }, "AllowEgressFromLocalClassicLinkToRemoteVpc": { @@ -77350,7 +80707,7 @@ "traits": { "smithy.api#clientOptional": {}, "smithy.api#default": false, - "smithy.api#documentation": "If true, enables outbound communication from an EC2-Classic instance that's linked to\n a local VPC using ClassicLink to instances in a peer VPC.
" + "smithy.api#documentation": "Deprecated.
" } }, "AllowEgressFromLocalVpcToRemoteClassicLink": { @@ -77358,12 +80715,12 @@ "traits": { "smithy.api#clientOptional": {}, "smithy.api#default": false, - "smithy.api#documentation": "If true, enables outbound communication from instances in a local VPC to an\n EC2-Classic instance that's linked to a peer VPC using ClassicLink.
" + "smithy.api#documentation": "Deprecated.
" } } }, "traits": { - "smithy.api#documentation": "We are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nThe VPC peering connection options.
" + "smithy.api#documentation": "The VPC peering connection options.
" } }, "com.amazonaws.ec2#PeeringTgwInfo": { @@ -77913,7 +81270,7 @@ "com.amazonaws.ec2#PlacementGroupArn": { "type": "string", "traits": { - "smithy.api#pattern": "^arn:aws([a-z-]+)?:ec2:[a-z\\d-]+:\\d{12}:placement-group/([^\\s].+[^\\s]){1,255}$" + "smithy.api#pattern": "^arn:aws([a-z-]+)?:ec2:[a-z\\d-]+:\\d{12}:placement-group/^.{1,255}$" } }, "com.amazonaws.ec2#PlacementGroupId": { @@ -78877,7 +82234,7 @@ "target": "com.amazonaws.ec2#SupportedAdditionalProcessorFeatureList", "traits": { "aws.protocols#ec2QueryName": "SupportedFeatures", - "smithy.api#documentation": "Indicates whether the instance type supports AMD SEV-SNP. If the request returns \n amd-sev-snp
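Review bot: The new `smithy.api#pattern` for `com.amazonaws.ec2#PlacementGroupArn` has a second `^` in the middle, right after `placement-group/`, so the pattern cannot match any ARN: a start-of-input assertion cannot succeed once the prefix has been consumed. Any consumer that enforces the pattern would reject every value, and one that skips it gets no validation of the ARN at all. If the intent was to relax the name part to any 1–255 characters, the line would read `"smithy.api#pattern": "^arn:aws([a-z-]+)?:ec2:[a-z\\d-]+:\\d{12}:placement-group/.{1,255}$"`. If this file is synced from an upstream model, the fix probably belongs upstream rather than in a local edit.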
, AMD SEV-SNP is supported. Otherwise, it is not supported.
Indicates whether the instance type supports AMD SEV-SNP. If the request returns \n amd-sev-snp
, AMD SEV-SNP is supported. Otherwise, it is not supported. \n For more information, see \n AMD SEV-SNP.
Requests a reboot of the specified instances. This operation is asynchronous; it only\n queues a request to reboot the specified instances. The operation succeeds if the\n instances are valid and belong to you. Requests to reboot terminated instances are\n ignored.
\nIf an instance does not cleanly shut down within a few minutes, Amazon EC2 performs a\n hard reboot.
\nFor more information about troubleshooting, see Troubleshoot an unreachable\n instance in the Amazon EC2 User Guide.
" + "smithy.api#documentation": "Requests a reboot of the specified instances. This operation is asynchronous; it only\n queues a request to reboot the specified instances. The operation succeeds if the\n instances are valid and belong to you. Requests to reboot terminated instances are\n ignored.
\nIf an instance does not cleanly shut down within a few minutes, Amazon EC2 performs a\n hard reboot.
\nFor more information about troubleshooting, see Troubleshoot an unreachable\n instance in the Amazon EC2 User Guide.
", + "smithy.api#examples": [ + { + "title": "To reboot an EC2 instance", + "documentation": "This example reboots the specified EC2 instance.", + "input": { + "InstanceIds": [ + "i-1234567890abcdef5" + ] + }, + "output": {} + } + ] } }, "com.amazonaws.ec2#RebootInstancesRequest": { @@ -80795,7 +84164,16 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Releases the specified Elastic IP address.
\n[Default VPC] Releasing an Elastic IP address automatically disassociates it\n\t\t\t\tfrom any instance that it's associated with. To disassociate an Elastic IP address without\n\t\t\t\treleasing it, use DisassociateAddress.
\n[Nondefault VPC] You must use DisassociateAddress to disassociate the Elastic IP address\n\t\t\t before you can release it. Otherwise, Amazon EC2 returns an error (InvalidIPAddress.InUse
).
After releasing an Elastic IP address, it is released to the IP address pool. \n Be sure to update your DNS records and any servers or devices that communicate with the address. \n If you attempt to release an Elastic IP address that you already released, you'll get an\n AuthFailure
error if the address is already allocated to another Amazon Web Services account.
After you release an Elastic IP address, you might be able to recover it.\n For more information, see AllocateAddress.
" + "smithy.api#documentation": "Releases the specified Elastic IP address.
\n[Default VPC] Releasing an Elastic IP address automatically disassociates it\n\t\t\t\tfrom any instance that it's associated with. To disassociate an Elastic IP address without\n\t\t\t\treleasing it, use DisassociateAddress.
\n[Nondefault VPC] You must use DisassociateAddress to disassociate the Elastic IP address\n\t\t\t before you can release it. Otherwise, Amazon EC2 returns an error (InvalidIPAddress.InUse
).
After releasing an Elastic IP address, it is released to the IP address pool. \n Be sure to update your DNS records and any servers or devices that communicate with the address. \n If you attempt to release an Elastic IP address that you already released, you'll get an\n AuthFailure
error if the address is already allocated to another Amazon Web Services account.
After you release an Elastic IP address, you might be able to recover it.\n For more information, see AllocateAddress.
", + "smithy.api#examples": [ + { + "title": "To release an Elastic IP address", + "documentation": "This example releases the specified Elastic IP address.", + "input": { + "AllocationId": "eipalloc-64d5890a" + } + } + ] } }, "com.amazonaws.ec2#ReleaseAddressRequest": { @@ -80897,7 +84275,7 @@ "target": "com.amazonaws.ec2#ReleaseIpamPoolAllocationResult" }, "traits": { - "smithy.api#documentation": "Release an allocation within an IPAM pool. The Region you use should be the IPAM pool locale. The locale is the Amazon Web Services Region where this IPAM pool is available for allocations. You can only use this action to release manual allocations. To remove an allocation for a resource without deleting the resource, set its monitored state to false using ModifyIpamResourceCidr. For more information, see Release an allocation in the Amazon VPC IPAM User Guide.\n
\nAll EC2 API actions follow an eventual consistency model.
\nRelease an allocation within an IPAM pool. The Region you use should be the IPAM pool locale. The locale is the Amazon Web Services Region where this IPAM pool is available for allocations. You can only use this action to release manual allocations. To remove an allocation for a resource without deleting the resource, set its monitored state to false using ModifyIpamResourceCidr. For more information, see Release an allocation in the Amazon VPC IPAM User Guide.\n
\nAll EC2 API actions follow an eventual consistency model.
\nChanges which network ACL a subnet is associated with. By default when you create a\n\t\t\tsubnet, it's automatically associated with the default network ACL. For more\n\t\t\tinformation, see Network\n\t\t\tACLs in the Amazon Virtual Private Cloud User Guide.
\nThis is an idempotent operation.
" + "smithy.api#documentation": "Changes which network ACL a subnet is associated with. By default when you create a\n\t\t\tsubnet, it's automatically associated with the default network ACL. For more\n\t\t\tinformation, see Network ACLs in the Amazon VPC User Guide.
\nThis is an idempotent operation.
", + "smithy.api#examples": [ + { + "title": "To replace the network ACL associated with a subnet", + "documentation": "This example associates the specified network ACL with the subnet for the specified network ACL association.", + "input": { + "AssociationId": "aclassoc-e5b95c8c", + "NetworkAclId": "acl-5fb85d36" + }, + "output": { + "NewAssociationId": "aclassoc-3999875b" + } + } + ] } }, "com.amazonaws.ec2#ReplaceNetworkAclAssociationRequest": { @@ -81139,7 +84530,25 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Replaces an entry (rule) in a network ACL. For more information, see Network ACLs in the\n\t\t\t\tAmazon Virtual Private Cloud User Guide.
" + "smithy.api#documentation": "Replaces an entry (rule) in a network ACL. For more information, see Network ACLs in the\n\t\t\t\tAmazon VPC User Guide.
", + "smithy.api#examples": [ + { + "title": "To replace a network ACL entry", + "documentation": "This example replaces an entry for the specified network ACL. The new rule 100 allows ingress traffic from 203.0.113.12/24 on UDP port 53 (DNS) into any associated subnet.", + "input": { + "NetworkAclId": "acl-5fb85d36", + "RuleNumber": 100, + "Protocol": "17", + "RuleAction": "allow", + "Egress": false, + "CidrBlock": "203.0.113.12/24", + "PortRange": { + "From": 53, + "To": 53 + } + } + } + ] } }, "com.amazonaws.ec2#ReplaceNetworkAclEntryRequest": { @@ -81396,7 +84805,18 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Replaces an existing route within a route table in a VPC.
\nYou must specify either a destination CIDR block or a prefix list ID. You must also specify \n exactly one of the resources from the parameter list, or reset the local route to its default \n target.
\nFor more information, see Route tables in the\n Amazon Virtual Private Cloud User Guide.
" + "smithy.api#documentation": "Replaces an existing route within a route table in a VPC.
\nYou must specify either a destination CIDR block or a prefix list ID. You must also specify \n exactly one of the resources from the parameter list, or reset the local route to its default \n target.
\nFor more information, see Route tables in the\n Amazon VPC User Guide.
", + "smithy.api#examples": [ + { + "title": "To replace a route", + "documentation": "This example replaces the specified route in the specified table table. The new route matches the specified CIDR and sends the traffic to the specified virtual private gateway.", + "input": { + "RouteTableId": "rtb-22574640", + "DestinationCidrBlock": "10.0.0.0/16", + "GatewayId": "vgw-9a4cacf3" + } + } + ] } }, "com.amazonaws.ec2#ReplaceRouteRequest": { @@ -81544,7 +84964,20 @@ "target": "com.amazonaws.ec2#ReplaceRouteTableAssociationResult" }, "traits": { - "smithy.api#documentation": "Changes the route table associated with a given subnet, internet gateway, or virtual private gateway in a VPC. After the operation\n completes, the subnet or gateway uses the routes in the new route table. For more\n information about route tables, see Route\n tables in the Amazon Virtual Private Cloud User Guide.
\nYou can also use this operation to change which table is the main route table in the VPC. Specify the main route table's association ID and the route table ID of the new main route table.
" + "smithy.api#documentation": "Changes the route table associated with a given subnet, internet gateway, or virtual private gateway in a VPC. After the operation\n completes, the subnet or gateway uses the routes in the new route table. For more\n information about route tables, see Route\n tables in the Amazon VPC User Guide.
\nYou can also use this operation to change which table is the main route table in the VPC. Specify the main route table's association ID and the route table ID of the new main route table.
", + "smithy.api#examples": [ + { + "title": "To replace the route table associated with a subnet", + "documentation": "This example associates the specified route table with the subnet for the specified route table association.", + "input": { + "AssociationId": "rtbassoc-781d0d1a", + "RouteTableId": "rtb-22574640" + }, + "output": { + "NewAssociationId": "rtbassoc-3a1f0f58" + } + } + ] } }, "com.amazonaws.ec2#ReplaceRouteTableAssociationRequest": { @@ -82193,7 +85626,7 @@ "InstanceRequirements": { "target": "com.amazonaws.ec2#InstanceRequirementsRequest", "traits": { - "smithy.api#documentation": "The attributes for the instance types. When you specify instance attributes, Amazon EC2 will\n identify instance types with these attributes.
\nIf you specify InstanceRequirements
, you can't specify\n InstanceType
.
The attributes for the instance types. When you specify instance attributes, Amazon EC2 will\n identify instance types with these attributes.
\nYou must specify VCpuCount
and MemoryMiB
. All other attributes\n are optional. Any unspecified optional attribute is set to its default.
When you specify multiple attributes, you get instance types that satisfy all of the\n specified attributes. If you specify multiple values for an attribute, you get instance\n types that satisfy any of the specified values.
\nTo limit the list of instance types from which Amazon EC2 can identify matching instance types, \n you can use one of the following parameters, but not both in the same request:
\n\n AllowedInstanceTypes
- The instance types to include in the list. All \n other instance types are ignored, even if they match your specified attributes.
\n ExcludedInstanceTypes
- The instance types to exclude from the list, \n even if they match your specified attributes.
If you specify InstanceRequirements
, you can't specify\n InstanceType
.
Attribute-based instance type selection is only supported when using Auto Scaling\n groups, EC2 Fleet, and Spot Fleet to launch instances. If you plan to use the launch template in\n the launch instance\n wizard, or with the RunInstances API or\n AWS::EC2::Instance Amazon Web Services CloudFormation resource, you can't specify InstanceRequirements
.
For more information, see Attribute-based instance type selection for EC2 Fleet, Attribute-based instance type selection for Spot Fleet, and Spot\n placement score in the Amazon EC2 User Guide.
" } }, "PrivateDnsNameOptions": { @@ -82230,7 +85663,39 @@ "target": "com.amazonaws.ec2#RequestSpotFleetResponse" }, "traits": { - "smithy.api#documentation": "Creates a Spot Fleet request.
\nThe Spot Fleet request specifies the total target capacity and the On-Demand target\n capacity. Amazon EC2 calculates the difference between the total capacity and On-Demand\n capacity, and launches the difference as Spot capacity.
\nYou can submit a single request that includes multiple launch specifications that vary\n by instance type, AMI, Availability Zone, or subnet.
\nBy default, the Spot Fleet requests Spot Instances in the Spot Instance pool where the\n price per unit is the lowest. Each launch specification can include its own instance\n weighting that reflects the value of the instance type to your application\n workload.
\nAlternatively, you can specify that the Spot Fleet distribute the target capacity\n across the Spot pools included in its launch specifications. By ensuring that the Spot\n Instances in your Spot Fleet are in different Spot pools, you can improve the\n availability of your fleet.
\nYou can specify tags for the Spot Fleet request and instances launched by the fleet.\n You cannot tag other resource types in a Spot Fleet request because only the\n spot-fleet-request
and instance
resource types are\n supported.
For more information, see Spot Fleet requests\n in the Amazon EC2 User Guide.
\nWe strongly discourage using the RequestSpotFleet API because it is a legacy\n API with no planned investment. For options for requesting Spot Instances, see\n Which\n is the best Spot request method to use? in the\n Amazon EC2 User Guide.
\nCreates a Spot Fleet request.
\nThe Spot Fleet request specifies the total target capacity and the On-Demand target\n capacity. Amazon EC2 calculates the difference between the total capacity and On-Demand\n capacity, and launches the difference as Spot capacity.
\nYou can submit a single request that includes multiple launch specifications that vary\n by instance type, AMI, Availability Zone, or subnet.
\nBy default, the Spot Fleet requests Spot Instances in the Spot Instance pool where the\n price per unit is the lowest. Each launch specification can include its own instance\n weighting that reflects the value of the instance type to your application\n workload.
\nAlternatively, you can specify that the Spot Fleet distribute the target capacity\n across the Spot pools included in its launch specifications. By ensuring that the Spot\n Instances in your Spot Fleet are in different Spot pools, you can improve the\n availability of your fleet.
\nYou can specify tags for the Spot Fleet request and instances launched by the fleet.\n You cannot tag other resource types in a Spot Fleet request because only the\n spot-fleet-request
and instance
resource types are\n supported.
For more information, see Spot Fleet requests\n in the Amazon EC2 User Guide.
\nWe strongly discourage using the RequestSpotFleet API because it is a legacy\n API with no planned investment. For options for requesting Spot Instances, see\n Which\n is the best Spot request method to use? in the\n Amazon EC2 User Guide.
\nCreates a Spot Instance request.
\nFor more information, see Spot Instance requests in\n the Amazon EC2 User Guide for Linux Instances.
\nWe strongly discourage using the RequestSpotInstances API because it is a legacy\n API with no planned investment. For options for requesting Spot Instances, see\n Which\n is the best Spot request method to use? in the\n Amazon EC2 User Guide for Linux Instances.
\nCreates a Spot Instance request.
\nFor more information, see Spot Instance requests in\n the Amazon EC2 User Guide for Linux Instances.
\nWe strongly discourage using the RequestSpotInstances API because it is a legacy\n API with no planned investment. For options for requesting Spot Instances, see\n Which\n is the best Spot request method to use? in the\n Amazon EC2 User Guide for Linux Instances.
\nResets an attribute of an AMI to its default value.
" + "smithy.api#documentation": "Resets an attribute of an AMI to its default value.
", + "smithy.api#examples": [ + { + "title": "To reset the launchPermission attribute", + "documentation": "This example resets the launchPermission attribute for the specified AMI. By default, AMIs are private.", + "input": { + "Attribute": "launchPermission", + "ImageId": "ami-5731123e" + }, + "output": {} + } + ] } }, "com.amazonaws.ec2#ResetImageAttributeName": { @@ -83755,7 +87256,18 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Resets an attribute of an instance to its default value. To reset the\n kernel
or ramdisk
, the instance must be in a stopped\n state. To reset the sourceDestCheck
, the instance can be either running or\n stopped.
The sourceDestCheck
attribute controls whether source/destination\n checking is enabled. The default value is true
, which means checking is\n enabled. This value must be false
for a NAT instance to perform NAT. For\n more information, see NAT Instances in the\n Amazon VPC User Guide.
Resets an attribute of an instance to its default value. To reset the\n kernel
or ramdisk
, the instance must be in a stopped\n state. To reset the sourceDestCheck
, the instance can be either running or\n stopped.
The sourceDestCheck
attribute controls whether source/destination\n checking is enabled. The default value is true
, which means checking is\n enabled. This value must be false
for a NAT instance to perform NAT. For\n more information, see NAT Instances in the\n Amazon VPC User Guide.
Resets permission settings for the specified snapshot.
\nFor more information about modifying snapshot permissions, see Share a snapshot in the\n Amazon Elastic Compute Cloud User Guide.
" + "smithy.api#documentation": "Resets permission settings for the specified snapshot.
\nFor more information about modifying snapshot permissions, see Share a snapshot in the\n Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#examples": [ + { + "title": "To reset a snapshot attribute", + "documentation": "This example resets the create volume permissions for snapshot ``snap-1234567890abcdef0``. If the command succeeds, no output is returned.", + "input": { + "SnapshotId": "snap-1234567890abcdef0", + "Attribute": "createVolumePermission" + }, + "output": {} + } + ] } }, "com.amazonaws.ec2#ResetSnapshotAttributeRequest": { @@ -85102,6 +88625,14 @@ "smithy.api#documentation": "The size of the volume, in GiB.
", "smithy.api#xmlName": "volumeSize" } + }, + "SseType": { + "target": "com.amazonaws.ec2#SSEType", + "traits": { + "aws.protocols#ec2QueryName": "SseType", + "smithy.api#documentation": "Reserved for future use.
", + "smithy.api#xmlName": "sseType" + } } }, "traits": { @@ -85298,7 +88829,7 @@ "target": "com.amazonaws.ec2#RevokeSecurityGroupEgressResult" }, "traits": { - "smithy.api#documentation": "[VPC only] Removes the specified outbound (egress) rules from a security group for EC2-VPC.\n This action does not apply to security groups for use in EC2-Classic.
\nYou can specify rules using either rule IDs or security group rule properties. If you use\n rule properties, the values that you specify (for example, ports) must match the existing rule's \n values exactly. Each rule has a protocol, from and to ports, and destination (CIDR range, \n security group, or prefix list). For the TCP and UDP protocols, you must also specify the \n destination port or range of ports. For the ICMP protocol, you must also specify the ICMP type \n and code. If the security group rule has a description, you do not need to specify the description \n to revoke the rule.
\n[Default VPC] If the values you specify do not match the existing rule's values, no error is\n returned, and the output describes the security group rules that were not revoked.
\nAmazon Web Services recommends that you describe the security group to verify that the rules were removed.
\nRule changes are propagated to instances within the security group as quickly as possible. However, \n a small delay might occur.
" + "smithy.api#documentation": "Removes the specified outbound (egress) rules from the specified security group.
\nYou can specify rules using either rule IDs or security group rule properties. If you use\n rule properties, the values that you specify (for example, ports) must match the existing rule's \n values exactly. Each rule has a protocol, from and to ports, and destination (CIDR range, \n security group, or prefix list). For the TCP and UDP protocols, you must also specify the \n destination port or range of ports. For the ICMP protocol, you must also specify the ICMP type \n and code. If the security group rule has a description, you do not need to specify the description \n to revoke the rule.
\nFor a default VPC, if the values you specify do not match the existing rule's values, no error is\n returned, and the output describes the security group rules that were not revoked.
\nAmazon Web Services recommends that you describe the security group to verify that the rules were removed.
\nRule changes are propagated to instances within the security group as quickly as possible. However, \n a small delay might occur.
" } }, "com.amazonaws.ec2#RevokeSecurityGroupEgressRequest": { @@ -85431,7 +88962,7 @@ "target": "com.amazonaws.ec2#RevokeSecurityGroupIngressResult" }, "traits": { - "smithy.api#documentation": "Removes the specified inbound (ingress) rules from a security group.
\nYou can specify rules using either rule IDs or security group rule properties. If you use\n rule properties, the values that you specify (for example, ports) must match the existing rule's \n values exactly. Each rule has a protocol, from and to ports, and source (CIDR range, \n security group, or prefix list). For the TCP and UDP protocols, you must also specify the \n destination port or range of ports. For the ICMP protocol, you must also specify the ICMP type \n and code. If the security group rule has a description, you do not need to specify the description \n to revoke the rule.
\n[EC2-Classic, default VPC] If the values you specify do not match the existing rule's values, no error is\n returned, and the output describes the security group rules that were not revoked.
\nAmazon Web Services recommends that you describe the security group to verify that the rules were removed.
\nRule changes are propagated to instances within the security group as quickly as possible. However, a small delay might occur.
\nWe are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nRemoves the specified inbound (ingress) rules from a security group.
\nYou can specify rules using either rule IDs or security group rule properties. If you use\n rule properties, the values that you specify (for example, ports) must match the existing rule's \n values exactly. Each rule has a protocol, from and to ports, and source (CIDR range, \n security group, or prefix list). For the TCP and UDP protocols, you must also specify the \n destination port or range of ports. For the ICMP protocol, you must also specify the ICMP type \n and code. If the security group rule has a description, you do not need to specify the description \n to revoke the rule.
\nFor a default VPC, if the values you specify do not match the existing rule's values, no error is\n returned, and the output describes the security group rules that were not revoked.
\nAmazon Web Services recommends that you describe the security group to verify that the rules were removed.
\nRule changes are propagated to instances within the security group as quickly as possible. \n However, a small delay might occur.
" } }, "com.amazonaws.ec2#RevokeSecurityGroupIngressRequest": { @@ -85454,13 +88985,13 @@ "GroupId": { "target": "com.amazonaws.ec2#SecurityGroupId", "traits": { - "smithy.api#documentation": "The ID of the security group. You must specify either the security group ID or the\n security group name in the request. For security groups in a nondefault VPC, you must\n specify the security group ID.
" + "smithy.api#documentation": "The ID of the security group.
" } }, "GroupName": { "target": "com.amazonaws.ec2#SecurityGroupName", "traits": { - "smithy.api#documentation": "[EC2-Classic, default VPC] The name of the security group. You must specify either the\n security group ID or the security group name in the request. For security groups in a\n nondefault VPC, you must specify the security group ID.
" + "smithy.api#documentation": "[Default VPC] The name of the security group. You must specify either the\n security group ID or the security group name in the request. For security groups in a\n nondefault VPC, you must specify the security group ID.
" } }, "IpPermissions": { @@ -85478,13 +89009,13 @@ "SourceSecurityGroupName": { "target": "com.amazonaws.ec2#String", "traits": { - "smithy.api#documentation": "[EC2-Classic, default VPC] The name of the source security group. You can't specify this parameter in combination with the following parameters: the CIDR IP address range, the start of the port range, the IP protocol, and the end of the port range. For EC2-VPC, the source security group must be in the same VPC. To revoke a specific rule for an IP protocol and port range, use a set of IP permissions instead.
" + "smithy.api#documentation": "[Default VPC] The name of the source security group. You can't specify this parameter \n in combination with the following parameters: the CIDR IP address range, the start of the port range, \n the IP protocol, and the end of the port range. The source security group must be in the same VPC. \n To revoke a specific rule for an IP protocol and port range, use a set of IP permissions instead.
" } }, "SourceSecurityGroupOwnerId": { "target": "com.amazonaws.ec2#String", "traits": { - "smithy.api#documentation": "[EC2-Classic] The Amazon Web Services account ID of the source security group, if the source security group is in a different account. You can't specify this parameter in combination with the following parameters: the CIDR IP address range, the IP protocol, the start of the port range, and the end of the port range. To revoke a specific rule for an IP protocol and port range, use a set of IP permissions instead.
" + "smithy.api#documentation": "Not supported.
" } }, "ToPort": { @@ -86099,7 +89630,44 @@ "target": "com.amazonaws.ec2#Reservation" }, "traits": { - "smithy.api#documentation": "Launches the specified number of instances using an AMI for which you have\n permissions.
\nYou can specify a number of options, or leave the default options. The following rules\n apply:
\nIf you don't specify a subnet ID, we choose a default subnet from\n your default VPC for you. If you don't have a default VPC, you must specify a\n subnet ID in the request.
\nAll instances have a network interface with a primary private IPv4\n address. If you don't specify this address, we choose one from the IPv4 range of\n your subnet.
\nNot all instance types support IPv6 addresses. For more information, see\n Instance\n types.
\nIf you don't specify a security group ID, we use the default security group.\n For more information, see Security\n groups.
\nIf any of the AMIs have a product code attached for which the user has not\n subscribed, the request fails.
\nYou can create a launch template,\n which is a resource that contains the parameters to launch an instance. When you launch\n an instance using RunInstances, you can specify the launch template\n instead of specifying the launch parameters.
\nTo ensure faster instance launches, break up large requests into smaller batches. For\n example, create five separate launch requests for 100 instances each instead of one\n launch request for 500 instances.
\nAn instance is ready for you to use when it's in the running
state. You\n can check the state of your instance using DescribeInstances. You can\n tag instances and EBS volumes during launch, after launch, or both. For more\n information, see CreateTags and Tagging your Amazon EC2\n resources.
Linux instances have access to the public key of the key pair at boot. You can use\n this key to provide secure access to the instance. Amazon EC2 public images use this\n feature to provide secure access without passwords. For more information, see Key\n pairs.
\nFor troubleshooting, see What to do if\n an instance immediately terminates, and Troubleshooting connecting to your instance.
" + "smithy.api#documentation": "Launches the specified number of instances using an AMI for which you have\n permissions.
\nYou can specify a number of options, or leave the default options. The following rules\n apply:
\nIf you don't specify a subnet ID, we choose a default subnet from\n your default VPC for you. If you don't have a default VPC, you must specify a\n subnet ID in the request.
\nAll instances have a network interface with a primary private IPv4\n address. If you don't specify this address, we choose one from the IPv4 range of\n your subnet.
\nNot all instance types support IPv6 addresses. For more information, see\n Instance\n types.
\nIf you don't specify a security group ID, we use the default security group.\n For more information, see Security\n groups.
\nIf any of the AMIs have a product code attached for which the user has not\n subscribed, the request fails.
\nYou can create a launch template,\n which is a resource that contains the parameters to launch an instance. When you launch\n an instance using RunInstances, you can specify the launch template\n instead of specifying the launch parameters.
\nTo ensure faster instance launches, break up large requests into smaller batches. For\n example, create five separate launch requests for 100 instances each instead of one\n launch request for 500 instances.
\nAn instance is ready for you to use when it's in the running
state. You\n can check the state of your instance using DescribeInstances. You can\n tag instances and EBS volumes during launch, after launch, or both. For more\n information, see CreateTags and Tagging your Amazon EC2\n resources.
Linux instances have access to the public key of the key pair at boot. You can use\n this key to provide secure access to the instance. Amazon EC2 public images use this\n feature to provide secure access without passwords. For more information, see Key\n pairs.
\nFor troubleshooting, see What to do if\n an instance immediately terminates, and Troubleshooting connecting to your instance.
", + "smithy.api#examples": [ + { + "title": "To launch an instance", + "documentation": "This example launches an instance using the specified AMI, instance type, security group, subnet, block device mapping, and tags.", + "input": { + "BlockDeviceMappings": [ + { + "DeviceName": "/dev/sdh", + "Ebs": { + "VolumeSize": 100 + } + } + ], + "ImageId": "ami-abc12345", + "InstanceType": "t2.micro", + "KeyName": "my-key-pair", + "MaxCount": 1, + "MinCount": 1, + "SecurityGroupIds": [ + "sg-1a2b3c4d" + ], + "SubnetId": "subnet-6e7f829e", + "TagSpecifications": [ + { + "ResourceType": "instance", + "Tags": [ + { + "Key": "Purpose", + "Value": "test" + } + ] + } + ] + }, + "output": {} + } + ] } }, "com.amazonaws.ec2#RunInstancesMonitoringEnabled": { @@ -86140,7 +89708,7 @@ "InstanceType": { "target": "com.amazonaws.ec2#InstanceType", "traits": { - "smithy.api#documentation": "The instance type. For more information, see Instance types in the\n Amazon EC2 User Guide.
\nDefault: m1.small
\n
The instance type. For more information, see Instance types in the\n Amazon EC2 User Guide.
" } }, "Ipv6AddressCount": { @@ -86364,7 +89932,7 @@ "HibernationOptions": { "target": "com.amazonaws.ec2#HibernationOptionsRequest", "traits": { - "smithy.api#documentation": "Indicates whether an instance is enabled for hibernation. For more information, see\n Hibernate\n your instance in the Amazon EC2 User Guide.
\nYou can't enable hibernation and Amazon Web Services Nitro Enclaves on the same\n instance.
" + "smithy.api#documentation": "Indicates whether an instance is enabled for hibernation. This parameter is valid only\n if the instance meets the hibernation\n prerequisites. For more information, see Hibernate your instance in the\n Amazon EC2 User Guide.
\nYou can't enable hibernation and Amazon Web Services Nitro Enclaves on the same\n instance.
" } }, "LicenseSpecifications": { @@ -86383,13 +89951,13 @@ "EnclaveOptions": { "target": "com.amazonaws.ec2#EnclaveOptionsRequest", "traits": { - "smithy.api#documentation": "Indicates whether the instance is enabled for Amazon Web Services Nitro Enclaves. For\n more information, see What is Amazon Web Services Nitro\n Enclaves? in the Amazon Web Services Nitro Enclaves User\n Guide.
\nYou can't enable Amazon Web Services Nitro Enclaves and hibernation on the same\n instance.
" + "smithy.api#documentation": "Indicates whether the instance is enabled for Amazon Web Services Nitro Enclaves. For\n more information, see What is Amazon Web Services Nitro\n Enclaves? in the Amazon Web Services Nitro Enclaves User\n Guide.
\nYou can't enable Amazon Web Services Nitro Enclaves and hibernation on the same\n instance.
" } }, "PrivateDnsNameOptions": { "target": "com.amazonaws.ec2#PrivateDnsNameOptionsRequest", "traits": { - "smithy.api#documentation": "The options for the instance hostname. The default values are inherited from the\n subnet.
" + "smithy.api#documentation": "The options for the instance hostname. \n The default values are inherited from the subnet.\n Applies only if creating a network interface, not attaching an existing one.
" } }, "MaintenanceOptions": { @@ -86405,6 +89973,14 @@ "smithy.api#default": false, "smithy.api#documentation": "Indicates whether an instance is enabled for stop protection. For more information,\n see Stop\n protection.
" } + }, + "EnablePrimaryIpv6": { + "target": "com.amazonaws.ec2#Boolean", + "traits": { + "smithy.api#clientOptional": {}, + "smithy.api#default": false, + "smithy.api#documentation": "If you’re launching an instance into a dual-stack or IPv6-only subnet, you can enable\n assigning a primary IPv6 address. A primary IPv6 address is an IPv6 GUA address\n associated with an ENI that you have enabled to use a primary IPv6 address. Use this\n option if an instance relies on its IPv6 address not changing. When you launch the\n instance, Amazon Web Services will automatically assign an IPv6 address associated with\n the ENI attached to your instance to be the primary IPv6 address. Once you enable an\n IPv6 GUA address to be a primary IPv6, you cannot disable it. When you enable an IPv6\n GUA address to be a primary IPv6, the first IPv6 GUA will be made the primary IPv6\n address until the instance is terminated or the network interface is detached. If you\n have multiple IPv6 addresses associated with an ENI attached to your instance and you\n enable a primary IPv6 address, the first IPv6 GUA address associated with the ENI\n becomes the primary IPv6 address.
" + } } }, "traits": { @@ -86557,7 +90133,7 @@ } }, "UploadPolicySignature": { - "target": "com.amazonaws.ec2#String", + "target": "com.amazonaws.ec2#S3StorageUploadPolicySignature", "traits": { "aws.protocols#ec2QueryName": "UploadPolicySignature", "smithy.api#documentation": "The signature of the JSON document.
", @@ -86569,6 +90145,35 @@ "smithy.api#documentation": "Describes the storage parameters for Amazon S3 and Amazon S3 buckets for an instance store-backed AMI.
" } }, + "com.amazonaws.ec2#S3StorageUploadPolicySignature": { + "type": "string", + "traits": { + "smithy.api#sensitive": {} + } + }, + "com.amazonaws.ec2#SSEType": { + "type": "enum", + "members": { + "sse_ebs": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "sse-ebs" + } + }, + "sse_kms": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "sse-kms" + } + }, + "none": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "none" + } + } + } + }, "com.amazonaws.ec2#ScheduledInstance": { "type": "structure", "members": { @@ -87653,7 +91258,7 @@ "target": "com.amazonaws.ec2#IpPermissionList", "traits": { "aws.protocols#ec2QueryName": "IpPermissionsEgress", - "smithy.api#documentation": "[VPC only] The outbound rules associated with the security group.
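Review bot: The new `com.amazonaws.ec2#S3StorageUploadPolicySignature` shape carries `smithy.api#sensitive` but no `smithy.api#documentation`, so the model does not record what the trait protects or what it leaves uncovered. `sensitive` only tells generated clients to keep the value out of debug and log output. The signature is still serialized into the request unchanged, so any logging of the raw request would still contain it. I would add a documentation trait such as `"smithy.api#documentation": "Signature of the S3 upload policy; redacted from client debug output."`. The previous hunk retargets `UploadPolicySignature` to this shape, but the other `S3Storage` members are outside both hunks, so whether the upload policy itself gets the same treatment cannot be checked from here.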
", + "smithy.api#documentation": "The outbound rules associated with the security group.
", "smithy.api#xmlName": "ipPermissionsEgress" } }, @@ -87669,7 +91274,7 @@ "target": "com.amazonaws.ec2#String", "traits": { "aws.protocols#ec2QueryName": "VpcId", - "smithy.api#documentation": "[VPC only] The ID of the VPC for the security group.
", + "smithy.api#documentation": "The ID of the VPC for the security group.
", "smithy.api#xmlName": "vpcId" } } @@ -88720,6 +92325,14 @@ "smithy.api#documentation": "Only for archived snapshots that are temporarily restored. Indicates the date and \n time when a temporarily restored snapshot will be automatically re-archived.
", "smithy.api#xmlName": "restoreExpiryTime" } + }, + "SseType": { + "target": "com.amazonaws.ec2#SSEType", + "traits": { + "aws.protocols#ec2QueryName": "SseType", + "smithy.api#documentation": "Reserved for future use.
", + "smithy.api#xmlName": "sseType" + } } }, "traits": { @@ -88980,6 +92593,14 @@ "smithy.api#documentation": "The ARN of the Outpost on which the snapshot is stored. For more information, see Amazon EBS local snapshots on Outposts in the \n \t\tAmazon Elastic Compute Cloud User Guide.
", "smithy.api#xmlName": "outpostArn" } + }, + "SseType": { + "target": "com.amazonaws.ec2#SSEType", + "traits": { + "aws.protocols#ec2QueryName": "SseType", + "smithy.api#documentation": "Reserved for future use.
", + "smithy.api#xmlName": "sseType" + } } }, "traits": { @@ -90173,6 +93794,12 @@ "traits": { "smithy.api#enumValue": "failed" } + }, + "disabled": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "disabled" + } } } }, @@ -90761,7 +94388,33 @@ "target": "com.amazonaws.ec2#StartInstancesResult" }, "traits": { - "smithy.api#documentation": "Starts an Amazon EBS-backed instance that you've previously stopped.
\nInstances that use Amazon EBS volumes as their root devices can be quickly stopped and\n started. When an instance is stopped, the compute resources are released and you are not\n billed for instance usage. However, your root partition Amazon EBS volume remains and\n continues to persist your data, and you are charged for Amazon EBS volume usage. You can\n restart your instance at any time. Every time you start your instance, Amazon EC2\n charges a one-minute minimum for instance usage, and thereafter charges per second for\n instance usage.
\nBefore stopping an instance, make sure it is in a state from which it can be\n restarted. Stopping an instance does not preserve data stored in RAM.
\nPerforming this operation on an instance that uses an instance store as its root\n device returns an error.
\nIf you attempt to start a T3 instance with host
tenancy and the\n unlimted
CPU credit option, the request fails. The\n unlimited
CPU credit option is not supported on Dedicated Hosts. Before\n you start the instance, either change its CPU credit option to standard
, or\n change its tenancy to default
or dedicated
.
For more information, see Stop and start your instance\n in the Amazon EC2 User Guide.
" + "smithy.api#documentation": "Starts an Amazon EBS-backed instance that you've previously stopped.
\nInstances that use Amazon EBS volumes as their root devices can be quickly stopped and\n started. When an instance is stopped, the compute resources are released and you are not\n billed for instance usage. However, your root partition Amazon EBS volume remains and\n continues to persist your data, and you are charged for Amazon EBS volume usage. You can\n restart your instance at any time. Every time you start your instance, Amazon EC2\n charges a one-minute minimum for instance usage, and thereafter charges per second for\n instance usage.
\nBefore stopping an instance, make sure it is in a state from which it can be\n restarted. Stopping an instance does not preserve data stored in RAM.
\nPerforming this operation on an instance that uses an instance store as its root\n device returns an error.
\nIf you attempt to start a T3 instance with host
tenancy and the\n unlimted
CPU credit option, the request fails. The\n unlimited
CPU credit option is not supported on Dedicated Hosts. Before\n you start the instance, either change its CPU credit option to standard
, or\n change its tenancy to default
or dedicated
.
For more information, see Stop and start your instance\n in the Amazon EC2 User Guide.
", + "smithy.api#examples": [ + { + "title": "To start a stopped EC2 instance", + "documentation": "This example starts the specified EC2 instance.", + "input": { + "InstanceIds": [ + "i-1234567890abcdef0" + ] + }, + "output": { + "StartingInstances": [ + { + "InstanceId": "i-1234567890abcdef0", + "CurrentState": { + "Code": 0, + "Name": "pending" + }, + "PreviousState": { + "Code": 80, + "Name": "stopped" + } + } + ] + } + } + ] } }, "com.amazonaws.ec2#StartInstancesRequest": { @@ -91196,7 +94849,33 @@ "target": "com.amazonaws.ec2#StopInstancesResult" }, "traits": { - "smithy.api#documentation": "Stops an Amazon EBS-backed instance. For more information, see Stop and start\n your instance in the Amazon EC2 User Guide.
\nYou can use the Stop action to hibernate an instance if the instance is enabled for\n hibernation and it meets the hibernation\n prerequisites. For more information, see Hibernate your instance in the\n Amazon EC2 User Guide.
\nWe don't charge usage for a stopped instance, or data transfer fees; however, your\n root partition Amazon EBS volume remains and continues to persist your data, and you are\n charged for Amazon EBS volume usage. Every time you start your instance, Amazon EC2\n charges a one-minute minimum for instance usage, and thereafter charges per second for\n instance usage.
\nYou can't stop or hibernate instance store-backed instances. You can't use the Stop\n action to hibernate Spot Instances, but you can specify that Amazon EC2 should hibernate\n Spot Instances when they are interrupted. For more information, see Hibernating interrupted Spot Instances in the\n Amazon EC2 User Guide.
\nWhen you stop or hibernate an instance, we shut it down. You can restart your instance\n at any time. Before stopping or hibernating an instance, make sure it is in a state from\n which it can be restarted. Stopping an instance does not preserve data stored in RAM,\n but hibernating an instance does preserve data stored in RAM. If an instance cannot\n hibernate successfully, a normal shutdown occurs.
\nStopping and hibernating an instance is different to rebooting or terminating it. For\n example, when you stop or hibernate an instance, the root device and any other devices\n attached to the instance persist. When you terminate an instance, the root device and\n any other devices attached during the instance launch are automatically deleted. For\n more information about the differences between rebooting, stopping, hibernating, and\n terminating instances, see Instance lifecycle\n in the Amazon EC2 User Guide.
\nWhen you stop an instance, we attempt to shut it down forcibly after a short while. If\n your instance appears stuck in the stopping state after a period of time, there may be\n an issue with the underlying host computer. For more information, see Troubleshoot\n stopping your instance in the Amazon EC2 User Guide.
" + "smithy.api#documentation": "Stops an Amazon EBS-backed instance. For more information, see Stop and start\n your instance in the Amazon EC2 User Guide.
\nYou can use the Stop action to hibernate an instance if the instance is enabled for\n hibernation and it meets the hibernation\n prerequisites. For more information, see Hibernate your instance in the\n Amazon EC2 User Guide.
\nWe don't charge usage for a stopped instance, or data transfer fees; however, your\n root partition Amazon EBS volume remains and continues to persist your data, and you are\n charged for Amazon EBS volume usage. Every time you start your instance, Amazon EC2\n charges a one-minute minimum for instance usage, and thereafter charges per second for\n instance usage.
\nYou can't stop or hibernate instance store-backed instances. You can't use the Stop\n action to hibernate Spot Instances, but you can specify that Amazon EC2 should hibernate\n Spot Instances when they are interrupted. For more information, see Hibernating interrupted Spot Instances in the\n Amazon EC2 User Guide.
\nWhen you stop or hibernate an instance, we shut it down. You can restart your instance\n at any time. Before stopping or hibernating an instance, make sure it is in a state from\n which it can be restarted. Stopping an instance does not preserve data stored in RAM,\n but hibernating an instance does preserve data stored in RAM. If an instance cannot\n hibernate successfully, a normal shutdown occurs.
\nStopping and hibernating an instance is different to rebooting or terminating it. For\n example, when you stop or hibernate an instance, the root device and any other devices\n attached to the instance persist. When you terminate an instance, the root device and\n any other devices attached during the instance launch are automatically deleted. For\n more information about the differences between rebooting, stopping, hibernating, and\n terminating instances, see Instance lifecycle\n in the Amazon EC2 User Guide.
\nWhen you stop an instance, we attempt to shut it down forcibly after a short while. If\n your instance appears stuck in the stopping state after a period of time, there may be\n an issue with the underlying host computer. For more information, see Troubleshoot\n stopping your instance in the Amazon EC2 User Guide.
", + "smithy.api#examples": [ + { + "title": "To stop a running EC2 instance", + "documentation": "This example stops the specified EC2 instance.", + "input": { + "InstanceIds": [ + "i-1234567890abcdef0" + ] + }, + "output": { + "StoppingInstances": [ + { + "InstanceId": "i-1234567890abcdef0", + "CurrentState": { + "Code": 64, + "Name": "stopping" + }, + "PreviousState": { + "Code": 16, + "Name": "running" + } + } + ] + } + } + ] } }, "com.amazonaws.ec2#StopInstancesRequest": { @@ -91748,7 +95427,7 @@ "target": "com.amazonaws.ec2#String", "traits": { "aws.protocols#ec2QueryName": "Description", - "smithy.api#documentation": "The\n description\n assigned to the subnet CIDR\n reservation.
", + "smithy.api#documentation": "The description assigned to the subnet CIDR reservation.
", "smithy.api#xmlName": "description" } }, @@ -91794,6 +95473,41 @@ } } }, + "com.amazonaws.ec2#SubnetConfiguration": { + "type": "structure", + "members": { + "SubnetId": { + "target": "com.amazonaws.ec2#SubnetId", + "traits": { + "smithy.api#documentation": "The ID of the subnet.
" + } + }, + "Ipv4": { + "target": "com.amazonaws.ec2#String", + "traits": { + "smithy.api#documentation": "The IPv4 address to assign to the endpoint network interface in the subnet. You must provide \n an IPv4 address if the VPC endpoint supports IPv4.
\nIf you specify an IPv4 address when modifying a VPC endpoint, we replace the existing \n endpoint network interface with a new endpoint network interface with this IP address. \n This process temporarily disconnects the subnet and the VPC endpoint.
" + } + }, + "Ipv6": { + "target": "com.amazonaws.ec2#String", + "traits": { + "smithy.api#documentation": "The IPv6 address to assign to the endpoint network interface in the subnet. You must provide \n an IPv6 address if the VPC endpoint supports IPv6.
\nIf you specify an IPv6 address when modifying a VPC endpoint, we replace the existing \n endpoint network interface with a new endpoint network interface with this IP address. \n This process temporarily disconnects the subnet and the VPC endpoint.
" + } + } + }, + "traits": { + "smithy.api#documentation": "Describes the configuration of a subnet for a VPC endpoint.
" + } + }, + "com.amazonaws.ec2#SubnetConfigurationsList": { + "type": "list", + "member": { + "target": "com.amazonaws.ec2#SubnetConfiguration", + "traits": { + "smithy.api#xmlName": "item" + } + } + }, "com.amazonaws.ec2#SubnetId": { "type": "string" }, @@ -92568,7 +96282,7 @@ } }, "ConnectionId": { - "target": "com.amazonaws.ec2#VpnConnectionId", + "target": "com.amazonaws.ec2#String", "traits": { "smithy.api#documentation": "The ID of the client connection to be terminated.
" } @@ -92674,7 +96388,33 @@ "target": "com.amazonaws.ec2#TerminateInstancesResult" }, "traits": { - "smithy.api#documentation": "Shuts down the specified instances. This operation is idempotent; if you terminate an\n instance more than once, each call succeeds.
\nIf you specify multiple instances and the request fails (for example, because of a\n single incorrect instance ID), none of the instances are terminated.
\nIf you terminate multiple instances across multiple Availability Zones, and one or\n more of the specified instances are enabled for termination protection, the request\n fails with the following results:
\nThe specified instances that are in the same Availability Zone as the\n protected instance are not terminated.
\nThe specified instances that are in different Availability Zones, where no\n other specified instances are protected, are successfully terminated.
\nFor example, say you have the following instances:
\nInstance A: us-east-1a
; Not protected
Instance B: us-east-1a
; Not protected
Instance C: us-east-1b
; Protected
Instance D: us-east-1b
; not protected
If you attempt to terminate all of these instances in the same request, the request\n reports failure with the following results:
\nInstance A and Instance B are successfully terminated because none of the\n specified instances in us-east-1a
are enabled for termination\n protection.
Instance C and Instance D fail to terminate because at least one of the\n specified instances in us-east-1b
(Instance C) is enabled for\n termination protection.
Terminated instances remain visible after termination (for approximately one\n hour).
\nBy default, Amazon EC2 deletes all EBS volumes that were attached when the instance\n launched. Volumes attached after instance launch continue running.
\nYou can stop, start, and terminate EBS-backed instances. You can only terminate\n instance store-backed instances. What happens to an instance differs if you stop it or\n terminate it. For example, when you stop an instance, the root device and any other\n devices attached to the instance persist. When you terminate an instance, any attached\n EBS volumes with the DeleteOnTermination
block device mapping parameter set\n to true
are automatically deleted. For more information about the\n differences between stopping and terminating instances, see Instance lifecycle\n in the Amazon EC2 User Guide.
For more information about troubleshooting, see Troubleshooting terminating your instance in the\n Amazon EC2 User Guide.
" + "smithy.api#documentation": "Shuts down the specified instances. This operation is idempotent; if you terminate an\n instance more than once, each call succeeds.
\nIf you specify multiple instances and the request fails (for example, because of a\n single incorrect instance ID), none of the instances are terminated.
\nIf you terminate multiple instances across multiple Availability Zones, and one or\n more of the specified instances are enabled for termination protection, the request\n fails with the following results:
\nThe specified instances that are in the same Availability Zone as the\n protected instance are not terminated.
\nThe specified instances that are in different Availability Zones, where no\n other specified instances are protected, are successfully terminated.
\nFor example, say you have the following instances:
\nInstance A: us-east-1a
; Not protected
Instance B: us-east-1a
; Not protected
Instance C: us-east-1b
; Protected
Instance D: us-east-1b
; not protected
If you attempt to terminate all of these instances in the same request, the request\n reports failure with the following results:
\nInstance A and Instance B are successfully terminated because none of the\n specified instances in us-east-1a
are enabled for termination\n protection.
Instance C and Instance D fail to terminate because at least one of the\n specified instances in us-east-1b
(Instance C) is enabled for\n termination protection.
Terminated instances remain visible after termination (for approximately one\n hour).
\nBy default, Amazon EC2 deletes all EBS volumes that were attached when the instance\n launched. Volumes attached after instance launch continue running.
\nYou can stop, start, and terminate EBS-backed instances. You can only terminate\n instance store-backed instances. What happens to an instance differs if you stop it or\n terminate it. For example, when you stop an instance, the root device and any other\n devices attached to the instance persist. When you terminate an instance, any attached\n EBS volumes with the DeleteOnTermination
block device mapping parameter set\n to true
are automatically deleted. For more information about the\n differences between stopping and terminating instances, see Instance lifecycle\n in the Amazon EC2 User Guide.
For more information about troubleshooting, see Troubleshooting terminating your instance in the\n Amazon EC2 User Guide.
", + "smithy.api#examples": [ + { + "title": "To terminate an EC2 instance", + "documentation": "This example terminates the specified EC2 instance.", + "input": { + "InstanceIds": [ + "i-1234567890abcdef0" + ] + }, + "output": { + "TerminatingInstances": [ + { + "InstanceId": "i-1234567890abcdef0", + "CurrentState": { + "Code": 32, + "Name": "shutting-down" + }, + "PreviousState": { + "Code": 16, + "Name": "running" + } + } + ] + } + } + ] } }, "com.amazonaws.ec2#TerminateInstancesRequest": { @@ -96580,7 +100320,7 @@ } }, "PreSharedKey": { - "target": "com.amazonaws.ec2#String", + "target": "com.amazonaws.ec2#preSharedKey", "traits": { "aws.protocols#ec2QueryName": "PreSharedKey", "smithy.api#documentation": "The pre-shared key (PSK) to establish initial authentication between the virtual\n private gateway and the customer gateway.
", @@ -96837,7 +100577,19 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Unassigns one or more secondary private IP addresses, or IPv4 Prefix Delegation prefixes from a \n \tnetwork interface.
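Review bot: The definition of `com.amazonaws.ec2#preSharedKey` is not part of this hunk, so retargeting `PreSharedKey` cannot be confirmed to add any protection. Check that the shape is declared with `"smithy.api#sensitive": {}`, as `S3StorageUploadPolicySignature` is earlier in this diff. The shape name is lowerCamelCase while the other shapes added in the diff are PascalCase (`SSEType`, `SubnetConfiguration`), so a code generator that derives type names from shape IDs has to normalise it. Any other member that carries a tunnel pre-shared key elsewhere in the model should presumably target the same shape; otherwise the key is redacted in one structure and printed in another. The enclosing structure starts and ends outside the hunk.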
" + "smithy.api#documentation": "Unassigns one or more secondary private IP addresses, or IPv4 Prefix Delegation prefixes from a \n \tnetwork interface.
", + "smithy.api#examples": [ + { + "title": "To unassign a secondary private IP address from a network interface", + "documentation": "This example unassigns the specified private IP address from the specified network interface.", + "input": { + "NetworkInterfaceId": "eni-e5aa89a3", + "PrivateIpAddresses": [ + "10.0.0.82" + ] + } + } + ] } }, "com.amazonaws.ec2#UnassignPrivateIpAddressesRequest": { @@ -96883,7 +100635,7 @@ "target": "com.amazonaws.ec2#UnassignPrivateNatGatewayAddressResult" }, "traits": { - "smithy.api#documentation": "Unassigns secondary private IPv4 addresses from a private NAT gateway. You cannot unassign your primary private IP. For more information, see Edit secondary IP address associations in the Amazon Virtual Private Cloud User Guide.
\nWhile unassigning is in progress, you cannot assign/unassign additional IP addresses while the connections are being drained. You are, however, allowed to delete the NAT gateway.
\nA private IP address will only be released at the end of MaxDrainDurationSeconds. The\n private IP addresses stay associated and support the existing connections but do not\n support any new connections (new connections are distributed across the remaining\n assigned private IP address). After the existing connections drain out, the private IP\n addresses get released.
\n \n " + "smithy.api#documentation": "Unassigns secondary private IPv4 addresses from a private NAT gateway. You cannot unassign your primary private IP. For more information, see Edit secondary IP address associations in the Amazon VPC User Guide.
\nWhile unassigning is in progress, you cannot assign/unassign additional IP addresses while the connections are being drained. You are, however, allowed to delete the NAT gateway.
\nA private IP address will only be released at the end of MaxDrainDurationSeconds. The\n private IP addresses stay associated and support the existing connections, but do not\n support any new connections (new connections are distributed across the remaining\n assigned private IP address). After the existing connections drain out, the private IP\n addresses are released.
\n \n " } }, "com.amazonaws.ec2#UnassignPrivateNatGatewayAddressRequest": { @@ -96893,7 +100645,7 @@ "target": "com.amazonaws.ec2#NatGatewayId", "traits": { "smithy.api#clientOptional": {}, - "smithy.api#documentation": "The NAT gateway ID.
", + "smithy.api#documentation": "The ID of the NAT gateway.
", "smithy.api#required": {} } }, @@ -96934,7 +100686,7 @@ "target": "com.amazonaws.ec2#NatGatewayId", "traits": { "aws.protocols#ec2QueryName": "NatGatewayId", - "smithy.api#documentation": "The NAT gateway ID.
", + "smithy.api#documentation": "The ID of the NAT gateway.
", "smithy.api#xmlName": "natGatewayId" } }, @@ -97196,7 +100948,30 @@ "target": "com.amazonaws.ec2#UpdateSecurityGroupRuleDescriptionsEgressResult" }, "traits": { - "smithy.api#documentation": "[VPC only] Updates the description of an egress (outbound) security group rule. You\n\t\t\tcan replace an existing description, or add a description to a rule that did not have one\n\t\t\tpreviously. You can remove a description for a security group rule by omitting the \n\t\t\tdescription parameter in the request.
" + "smithy.api#documentation": "Updates the description of an egress (outbound) security group rule. You\n\t\t\tcan replace an existing description, or add a description to a rule that did not have one\n\t\t\tpreviously. You can remove a description for a security group rule by omitting the \n\t\t\tdescription parameter in the request.
", + "smithy.api#examples": [ + { + "title": "To update an outbound security group rule description", + "documentation": "This example updates the description for the specified security group rule.", + "input": { + "GroupId": "sg-123abc12", + "IpPermissions": [ + { + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80, + "IpRanges": [ + { + "CidrIp": "203.0.113.0/24", + "Description": "Outbound HTTP access to server 2" + } + ] + } + ] + }, + "output": {} + } + ] } }, "com.amazonaws.ec2#UpdateSecurityGroupRuleDescriptionsEgressRequest": { @@ -97219,7 +100994,7 @@ "GroupName": { "target": "com.amazonaws.ec2#SecurityGroupName", "traits": { - "smithy.api#documentation": "[Default VPC] The name of the security group. You must specify either the security group\n\t\t\tID or the security group name in the request.
" + "smithy.api#documentation": "[Default VPC] The name of the security group. You must specify either the security group\n\t\t\tID or the security group name.
" } }, "IpPermissions": { @@ -97267,7 +101042,30 @@ "target": "com.amazonaws.ec2#UpdateSecurityGroupRuleDescriptionsIngressResult" }, "traits": { - "smithy.api#documentation": "Updates the description of an ingress (inbound) security group rule. You can replace an\n\t\t\texisting description, or add a description to a rule that did not have one previously.\n\t\t You can remove a description for a security group rule by omitting the description \n\t\t parameter in the request.
" + "smithy.api#documentation": "Updates the description of an ingress (inbound) security group rule. You can replace an\n\t\t\texisting description, or add a description to a rule that did not have one previously.\n\t\t You can remove a description for a security group rule by omitting the description \n\t\t parameter in the request.
", + "smithy.api#examples": [ + { + "title": "To update an inbound security group rule description", + "documentation": "This example updates the description for the specified security group rule.", + "input": { + "GroupId": "sg-123abc12", + "IpPermissions": [ + { + "IpProtocol": "tcp", + "FromPort": 22, + "ToPort": 22, + "IpRanges": [ + { + "CidrIp": "203.0.113.0/16", + "Description": "SSH access from the LA office" + } + ] + } + ] + }, + "output": {} + } + ] } }, "com.amazonaws.ec2#UpdateSecurityGroupRuleDescriptionsIngressRequest": { @@ -97290,7 +101088,7 @@ "GroupName": { "target": "com.amazonaws.ec2#SecurityGroupName", "traits": { - "smithy.api#documentation": "[EC2-Classic, default VPC] The name of the security group. You must specify either the\n security group ID or the security group name in the request. For security groups in a\n nondefault VPC, you must specify the security group ID.
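Review bot: The inbound example added here pairs an SSH rule (`FromPort`/`ToPort` 22) with `"CidrIp": "203.0.113.0/16"`, which has host bits set. Read as a /16 it covers 203.0.0.0–203.0.255.255, not the 203.0.113.0/24 range that the egress example in the earlier hunk uses. The description "SSH access from the LA office" therefore presents a 65,536-address source range as a single office network, and examples like this tend to be copied as-is. The example should use `"CidrIp": "203.0.113.0/24"`, matching the egress example.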
" + "smithy.api#documentation": "[Default VPC] The name of the security group. You must specify either the\n security group ID or the security group name. For security groups in a\n nondefault VPC, you must specify the security group ID.
" } }, "IpPermissions": { @@ -97302,7 +101100,7 @@ "SecurityGroupRuleDescriptions": { "target": "com.amazonaws.ec2#SecurityGroupRuleDescriptionList", "traits": { - "smithy.api#documentation": "[VPC only] The description for the ingress security group rules. You must specify either\n a description or IP permissions.
", + "smithy.api#documentation": "The description for the ingress security group rules. You must specify either\n a description or IP permissions.
", "smithy.api#xmlName": "SecurityGroupRuleDescription" } } @@ -97448,7 +101246,7 @@ "target": "com.amazonaws.ec2#String", "traits": { "aws.protocols#ec2QueryName": "GroupName", - "smithy.api#documentation": "The name of the security group. In a request, use this parameter for a security group\n in EC2-Classic or a default VPC only. For a security group in a nondefault VPC, use the\n security group ID.
\nFor a referenced security group in another VPC, this value is not returned if the\n referenced security group is deleted.
", + "smithy.api#documentation": "[Default VPC] The name of the security group. For a security group in a nondefault VPC, \n use the security group ID.
\nFor a referenced security group in another VPC, this value is not returned if the\n referenced security group is deleted.
", "smithy.api#xmlName": "groupName" } }, @@ -97464,7 +101262,7 @@ "target": "com.amazonaws.ec2#String", "traits": { "aws.protocols#ec2QueryName": "UserId", - "smithy.api#documentation": "The ID of an Amazon Web Services account.
\nFor a referenced security group in another VPC, the account ID of the referenced\n security group is returned in the response. If the referenced security group is deleted,\n this value is not returned.
\n[EC2-Classic] Required when adding or removing rules that reference a security group\n in another Amazon Web Services account.
", + "smithy.api#documentation": "The ID of an Amazon Web Services account.
\nFor a referenced security group in another VPC, the account ID of the referenced\n security group is returned in the response. If the referenced security group is deleted,\n this value is not returned.
", "smithy.api#xmlName": "userId" } }, @@ -97486,7 +101284,7 @@ } }, "traits": { - "smithy.api#documentation": "Describes a security group and Amazon Web Services account ID pair.
\nWe are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nDescribes a security group and Amazon Web Services account ID pair.
" } }, "com.amazonaws.ec2#UserIdGroupPairList": { @@ -98444,10 +102242,24 @@ "traits": { "smithy.api#documentation": "Sends Verified Access logs to Kinesis.
" } + }, + "LogVersion": { + "target": "com.amazonaws.ec2#String", + "traits": { + "smithy.api#documentation": "\n\t\t The logging version to use.\n\t
\nValid values: ocsf-0.1
| ocsf-1.0.0-rc.2
\n
\n\t\t Include trust data sent by trust providers into the logs. \n\t
" + } } }, "traits": { - "smithy.api#documentation": "Describes the destinations for Verified Access logs.
" + "smithy.api#documentation": "Options for Verified Access logs.
" } }, "com.amazonaws.ec2#VerifiedAccessLogS3Destination": { @@ -98561,10 +102373,28 @@ "smithy.api#documentation": "Kinesis logging destination.
", "smithy.api#xmlName": "kinesisDataFirehose" } + }, + "LogVersion": { + "target": "com.amazonaws.ec2#String", + "traits": { + "aws.protocols#ec2QueryName": "LogVersion", + "smithy.api#documentation": "\n Describes current setting for the logging version.\n
", + "smithy.api#xmlName": "logVersion" + } + }, + "IncludeTrustContext": { + "target": "com.amazonaws.ec2#Boolean", + "traits": { + "aws.protocols#ec2QueryName": "IncludeTrustContext", + "smithy.api#clientOptional": {}, + "smithy.api#default": false, + "smithy.api#documentation": "\n\t\t Describes current setting for including trust data into the logs.\n\t
", + "smithy.api#xmlName": "includeTrustContext" + } } }, "traits": { - "smithy.api#documentation": "Describes the destinations for Verified Access logs.
" + "smithy.api#documentation": "Describes the options for Verified Access logs.
" } }, "com.amazonaws.ec2#VerifiedAccessTrustProvider": { @@ -99009,6 +102839,14 @@ "smithy.api#documentation": "The throughput that the volume supports, in MiB/s.
", "smithy.api#xmlName": "throughput" } + }, + "SseType": { + "target": "com.amazonaws.ec2#SSEType", + "traits": { + "aws.protocols#ec2QueryName": "SseType", + "smithy.api#documentation": "Reserved for future use.
", + "smithy.api#xmlName": "sseType" + } } }, "traits": { @@ -100060,7 +103898,7 @@ } }, "traits": { - "smithy.api#documentation": "We are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nDescribes whether a VPC is enabled for ClassicLink.
" + "smithy.api#documentation": "Deprecated.
\nDescribes whether a VPC is enabled for ClassicLink.
" } }, "com.amazonaws.ec2#VpcClassicLinkIdList": { @@ -100603,7 +104441,7 @@ "aws.protocols#ec2QueryName": "AllowDnsResolutionFromRemoteVpc", "smithy.api#clientOptional": {}, "smithy.api#default": false, - "smithy.api#documentation": "Indicates whether a local VPC can resolve public DNS hostnames to private IP addresses when queried from instances in a peer VPC.
", + "smithy.api#documentation": "Indicates whether a local VPC can resolve public DNS hostnames to private IP addresses \n when queried from instances in a peer VPC.
", "smithy.api#xmlName": "allowDnsResolutionFromRemoteVpc" } }, @@ -100613,7 +104451,7 @@ "aws.protocols#ec2QueryName": "AllowEgressFromLocalClassicLinkToRemoteVpc", "smithy.api#clientOptional": {}, "smithy.api#default": false, - "smithy.api#documentation": "Indicates whether a local ClassicLink connection can communicate with the peer VPC over the VPC peering connection.
", + "smithy.api#documentation": "Deprecated.
", "smithy.api#xmlName": "allowEgressFromLocalClassicLinkToRemoteVpc" } }, @@ -100623,13 +104461,13 @@ "aws.protocols#ec2QueryName": "AllowEgressFromLocalVpcToRemoteClassicLink", "smithy.api#clientOptional": {}, "smithy.api#default": false, - "smithy.api#documentation": "Indicates whether a local VPC can communicate with a ClassicLink connection in the peer VPC over the VPC peering connection.
", + "smithy.api#documentation": "Deprecated.
", "smithy.api#xmlName": "allowEgressFromLocalVpcToRemoteClassicLink" } } }, "traits": { - "smithy.api#documentation": "We are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nDescribes the VPC peering connection options.
" + "smithy.api#documentation": "Describes the VPC peering connection options.
" } }, "com.amazonaws.ec2#VpcPeeringConnectionStateReason": { @@ -100811,7 +104649,7 @@ "type": "structure", "members": { "CustomerGatewayConfiguration": { - "target": "com.amazonaws.ec2#String", + "target": "com.amazonaws.ec2#customerGatewayConfiguration", "traits": { "aws.protocols#ec2QueryName": "CustomerGatewayConfiguration", "smithy.api#documentation": "The configuration information for the VPN connection's customer gateway (in the native\n XML format). This element is always present in the CreateVpnConnection\n response; however, it's present in the DescribeVpnConnections response\n only if the VPN connection is in the pending
or available
\n state.
The pre-shared key (PSK) to establish initial authentication between the virtual\n private gateway and customer gateway.
\nConstraints: Allowed characters are alphanumeric characters, periods (.), and\n underscores (_). Must be between 8 and 64 characters in length and cannot start with\n zero (0).
" } @@ -101678,6 +105516,18 @@ } } }, + "com.amazonaws.ec2#customerGatewayConfiguration": { + "type": "string", + "traits": { + "smithy.api#sensitive": {} + } + }, + "com.amazonaws.ec2#preSharedKey": { + "type": "string", + "traits": { + "smithy.api#sensitive": {} + } + }, "com.amazonaws.ec2#scope": { "type": "enum", "members": { @@ -101709,6 +105559,9 @@ }, "com.amazonaws.ec2#totalGpuMemory": { "type": "integer" + }, + "com.amazonaws.ec2#totalInferenceMemory": { + "type": "integer" } } } diff --git a/aws/sdk/aws-models/ecs.json b/aws/sdk/aws-models/ecs.json index 51c17eda2f478e13fc8c6cc946099e43fd292c43..e575905c962bf52a8f10f244cd17aafb054944d8 100644 --- a/aws/sdk/aws-models/ecs.json +++ b/aws/sdk/aws-models/ecs.json @@ -332,52 +332,56 @@ "type": "error" }, { - "conditions": [], - "type": "tree", - "rules": [ + "conditions": [ { - "conditions": [ + "fn": "booleanEquals", + "argv": [ { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseDualStack" - }, - true - ] - } - ], - "error": "Invalid Configuration: Dualstack and custom endpoint are not supported", - "type": "error" - }, - { - "conditions": [], - "endpoint": { - "url": { - "ref": "Endpoint" + "ref": "UseDualStack" }, - "properties": {}, - "headers": {} - }, - "type": "endpoint" + true + ] } - ] + ], + "error": "Invalid Configuration: Dualstack and custom endpoint are not supported", + "type": "error" + }, + { + "conditions": [], + "endpoint": { + "url": { + "ref": "Endpoint" + }, + "properties": {}, + "headers": {} + }, + "type": "endpoint" } ] }, { - "conditions": [], + "conditions": [ + { + "fn": "isSet", + "argv": [ + { + "ref": "Region" + } + ] + } + ], "type": "tree", "rules": [ { "conditions": [ { - "fn": "isSet", + "fn": "aws.partition", "argv": [ { "ref": "Region" } - ] + ], + "assign": "PartitionResult" } ], "type": "tree", 
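Review bot: The two string shapes added at the end of ec2.json, `com.amazonaws.ec2#customerGatewayConfiguration` and `com.amazonaws.ec2#preSharedKey`, carry only `smithy.api#sensitive` and no `smithy.api#documentation`, so the model does not record what secret each one holds. If this file is edited locally rather than synced verbatim from upstream, I would give each shape a one-line trait, for example `"smithy.api#documentation": "VPN tunnel pre-shared key; kept out of generated debug and log output."`. As Smithy defines it, the trait only keeps the value out of generated log, debug and exception text and does not change what travels on the wire. Callers that persist or log raw responses therefore still need to treat the `CustomerGatewayConfiguration` XML as a secret. Only the `CustomerGatewayConfiguration` member is visibly retargeted in this part of the diff, so it is worth confirming that every member carrying a PSK now targets `preSharedKey`.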
@@ -385,13 +389,22 @@ { "conditions": [ { - "fn": "aws.partition", + "fn": "booleanEquals", "argv": [ { - "ref": "Region" - } - ], - "assign": "PartitionResult" + "ref": "UseFIPS" + }, + true + ] + }, + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseDualStack" + }, + true + ] } ], "type": "tree", 
@@ -401,224 +414,175 @@ { "fn": "booleanEquals", "argv": [ + true, { - "ref": "UseFIPS" - }, - true + "fn": "getAttr", + "argv": [ + { + "ref": "PartitionResult" + }, + "supportsFIPS" + ] + } ] }, { "fn": "booleanEquals", "argv": [ + true, { - "ref": "UseDualStack" - }, - true - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "booleanEquals", + "fn": "getAttr", "argv": [ - true, - { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "supportsFIPS" - ] - } - ] - }, - { - "fn": "booleanEquals", - "argv": [ - true, - { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "supportsDualStack" - ] - } - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": "tree", - "rules": [ { - "conditions": [], - "endpoint": { - "url": "https://ecs-fips.{Region}.{PartitionResult#dualStackDnsSuffix}", - "properties": {}, - "headers": {} - }, - "type": "endpoint" - } + "ref": "PartitionResult" + }, + "supportsDualStack" ] } ] - }, + } + ], + "type": "tree", + "rules": [ { "conditions": [], - "error": "FIPS and DualStack are enabled, but this partition does not support one or both", - "type": "error" + "endpoint": { + "url": "https://ecs-fips.{Region}.{PartitionResult#dualStackDnsSuffix}", + "properties": {}, + "headers": {} + }, + "type": "endpoint" } ] }, + { + "conditions": [], + "error": "FIPS and DualStack are enabled, but this partition does not support one or both", + "type": "error" + } + ] + }, + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseFIPS" + }, + true + ] + } + ], + "type": "tree", + "rules": [ { "conditions": [ { "fn": "booleanEquals", "argv": [ + true, { - "ref": "UseFIPS" - }, - true - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "booleanEquals", + "fn": "getAttr", "argv": [ - true, - { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "supportsFIPS" - ] - } - ] - } - ], - "type": "tree", - "rules": [ - 
{ - "conditions": [], - "type": "tree", - "rules": [ { - "conditions": [], - "endpoint": { - "url": "https://ecs-fips.{Region}.{PartitionResult#dnsSuffix}", - "properties": {}, - "headers": {} - }, - "type": "endpoint" - } + "ref": "PartitionResult" + }, + "supportsFIPS" ] } ] - }, + } + ], + "type": "tree", + "rules": [ { "conditions": [], - "error": "FIPS is enabled but this partition does not support FIPS", - "type": "error" + "endpoint": { + "url": "https://ecs-fips.{Region}.{PartitionResult#dnsSuffix}", + "properties": {}, + "headers": {} + }, + "type": "endpoint" } ] }, + { + "conditions": [], + "error": "FIPS is enabled but this partition does not support FIPS", + "type": "error" + } + ] + }, + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseDualStack" + }, + true + ] + } + ], + "type": "tree", + "rules": [ { "conditions": [ { "fn": "booleanEquals", "argv": [ + true, { - "ref": "UseDualStack" - }, - true - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "booleanEquals", + "fn": "getAttr", "argv": [ - true, - { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "supportsDualStack" - ] - } - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": "tree", - "rules": [ { - "conditions": [], - "endpoint": { - "url": "https://ecs.{Region}.{PartitionResult#dualStackDnsSuffix}", - "properties": {}, - "headers": {} - }, - "type": "endpoint" - } + "ref": "PartitionResult" + }, + "supportsDualStack" ] } ] - }, - { - "conditions": [], - "error": "DualStack is enabled but this partition does not support DualStack", - "type": "error" } - ] - }, - { - "conditions": [], + ], "type": "tree", "rules": [ { "conditions": [], "endpoint": { - "url": "https://ecs.{Region}.{PartitionResult#dnsSuffix}", + "url": "https://ecs.{Region}.{PartitionResult#dualStackDnsSuffix}", "properties": {}, "headers": {} }, "type": "endpoint" } ] + }, + { + "conditions": [], + "error": "DualStack is 
enabled but this partition does not support DualStack", + "type": "error" } ] + }, + { + "conditions": [], + "endpoint": { + "url": "https://ecs.{Region}.{PartitionResult#dnsSuffix}", + "properties": {}, + "headers": {} + }, + "type": "endpoint" } ] - }, - { - "conditions": [], - "error": "Invalid Configuration: Missing Region", - "type": "error" } ] + }, + { + "conditions": [], + "error": "Invalid Configuration: Missing Region", + "type": "error" } ] }, @@ -1471,7 +1435,7 @@ "autoScalingGroupArn": { "target": "com.amazonaws.ecs#String", "traits": { - "smithy.api#documentation": "The Amazon Resource Name (ARN) that identifies the Auto Scaling group.
", + "smithy.api#documentation": "The Amazon Resource Name (ARN) that identifies the Auto Scaling group, or the Auto Scaling group name.
", "smithy.api#required": {} } }, @@ -2361,13 +2325,13 @@ "startTimeout": { "target": "com.amazonaws.ecs#BoxedInteger", "traits": { - "smithy.api#documentation": "Time duration (in seconds) to wait before giving up on resolving dependencies for a\n\t\t\tcontainer. For example, you specify two containers in a task definition with containerA\n\t\t\thaving a dependency on containerB reaching a COMPLETE
,\n\t\t\tSUCCESS
, or HEALTHY
status. If a startTimeout
\n\t\t\tvalue is specified for containerB and it doesn't reach the desired status within that\n\t\t\ttime then containerA gives up and not start. This results in the task transitioning to a\n\t\t\t\tSTOPPED
state.
When the ECS_CONTAINER_START_TIMEOUT
container agent configuration\n\t\t\t\tvariable is used, it's enforced independently from this start timeout value.
For tasks using the Fargate launch type, the task or service requires\n\t\t\tthe following platforms:
\nLinux platform version 1.3.0
or later.
Windows platform version 1.0.0
or later.
For tasks using the EC2 launch type, your container instances require at\n\t\t\tleast version 1.26.0
of the container agent to use a container start\n\t\t\ttimeout value. However, we recommend using the latest container agent version. For\n\t\t\tinformation about checking your agent version and updating to the latest version, see\n\t\t\t\tUpdating the Amazon ECS\n\t\t\t\tContainer Agent in the Amazon Elastic Container Service Developer Guide. If you're using an Amazon ECS-optimized Linux AMI,\n\t\t\tyour instance needs at least version 1.26.0-1
of the ecs-init
\n\t\t\tpackage. If your container instances are launched from version 20190301
or\n\t\t\tlater, then they contain the required versions of the container agent and\n\t\t\t\tecs-init
. For more information, see Amazon ECS-optimized Linux AMI\n\t\t\tin the Amazon Elastic Container Service Developer Guide.
Time duration (in seconds) to wait before giving up on resolving dependencies for a\n\t\t\tcontainer. For example, you specify two containers in a task definition with containerA\n\t\t\thaving a dependency on containerB reaching a COMPLETE
,\n\t\t\tSUCCESS
, or HEALTHY
status. If a startTimeout
\n\t\t\tvalue is specified for containerB and it doesn't reach the desired status within that\n\t\t\ttime then containerA gives up and not start. This results in the task transitioning to a\n\t\t\t\tSTOPPED
state.
When the ECS_CONTAINER_START_TIMEOUT
container agent configuration\n\t\t\t\tvariable is used, it's enforced independently from this start timeout value.
For tasks using the Fargate launch type, the task or service requires\n\t\t\tthe following platforms:
\nLinux platform version 1.3.0
or later.
Windows platform version 1.0.0
or later.
For tasks using the EC2 launch type, your container instances require at\n\t\t\tleast version 1.26.0
of the container agent to use a container start\n\t\t\ttimeout value. However, we recommend using the latest container agent version. For\n\t\t\tinformation about checking your agent version and updating to the latest version, see\n\t\t\t\tUpdating the Amazon ECS\n\t\t\t\tContainer Agent in the Amazon Elastic Container Service Developer Guide. If you're using an Amazon ECS-optimized Linux AMI,\n\t\t\tyour instance needs at least version 1.26.0-1
of the ecs-init
\n\t\t\tpackage. If your container instances are launched from version 20190301
or\n\t\t\tlater, then they contain the required versions of the container agent and\n\t\t\t\tecs-init
. For more information, see Amazon ECS-optimized Linux AMI\n\t\t\tin the Amazon Elastic Container Service Developer Guide.
The valid values are 2-120 seconds.
" } }, "stopTimeout": { "target": "com.amazonaws.ecs#BoxedInteger", "traits": { - "smithy.api#documentation": "Time duration (in seconds) to wait before the container is forcefully killed if it\n\t\t\tdoesn't exit normally on its own.
\nFor tasks using the Fargate launch type, the task or service requires\n\t\t\tthe following platforms:
\nLinux platform version 1.3.0
or later.
Windows platform version 1.0.0
or later.
The max stop timeout value is 120 seconds and if the parameter is not specified, the\n\t\t\tdefault value of 30 seconds is used.
\nFor tasks that use the EC2 launch type, if the stopTimeout
\n\t\t\tparameter isn't specified, the value set for the Amazon ECS container agent configuration\n\t\t\tvariable ECS_CONTAINER_STOP_TIMEOUT
is used. If neither the\n\t\t\t\tstopTimeout
parameter or the ECS_CONTAINER_STOP_TIMEOUT
\n\t\t\tagent configuration variable are set, then the default values of 30 seconds for Linux\n\t\t\tcontainers and 30 seconds on Windows containers are used. Your container instances\n\t\t\trequire at least version 1.26.0 of the container agent to use a container stop timeout\n\t\t\tvalue. However, we recommend using the latest container agent version. For information\n\t\t\tabout checking your agent version and updating to the latest version, see Updating the Amazon ECS Container Agent in the Amazon Elastic Container Service Developer Guide. If you're using\n\t\t\tan Amazon ECS-optimized Linux AMI, your instance needs at least version 1.26.0-1 of the\n\t\t\t\tecs-init
package. If your container instances are launched from version\n\t\t\t\t20190301
or later, then they contain the required versions of the\n\t\t\tcontainer agent and ecs-init
. For more information, see Amazon ECS-optimized Linux AMI in the Amazon Elastic Container Service Developer Guide.
Time duration (in seconds) to wait before the container is forcefully killed if it\n\t\t\tdoesn't exit normally on its own.
\nFor tasks using the Fargate launch type, the task or service requires\n\t\t\tthe following platforms:
\nLinux platform version 1.3.0
or later.
Windows platform version 1.0.0
or later.
The max stop timeout value is 120 seconds and if the parameter is not specified, the\n\t\t\tdefault value of 30 seconds is used.
\nFor tasks that use the EC2 launch type, if the stopTimeout
\n\t\t\tparameter isn't specified, the value set for the Amazon ECS container agent configuration\n\t\t\tvariable ECS_CONTAINER_STOP_TIMEOUT
is used. If neither the\n\t\t\t\tstopTimeout
parameter or the ECS_CONTAINER_STOP_TIMEOUT
\n\t\t\tagent configuration variable are set, then the default values of 30 seconds for Linux\n\t\t\tcontainers and 30 seconds on Windows containers are used. Your container instances\n\t\t\trequire at least version 1.26.0 of the container agent to use a container stop timeout\n\t\t\tvalue. However, we recommend using the latest container agent version. For information\n\t\t\tabout checking your agent version and updating to the latest version, see Updating the Amazon ECS Container Agent in the Amazon Elastic Container Service Developer Guide. If you're using\n\t\t\tan Amazon ECS-optimized Linux AMI, your instance needs at least version 1.26.0-1 of the\n\t\t\t\tecs-init
package. If your container instances are launched from version\n\t\t\t\t20190301
or later, then they contain the required versions of the\n\t\t\tcontainer agent and ecs-init
. For more information, see Amazon ECS-optimized Linux AMI in the Amazon Elastic Container Service Developer Guide.
The valid values are 2-120 seconds.
" } }, "hostname": { @@ -2469,7 +2433,7 @@ "systemControls": { "target": "com.amazonaws.ecs#SystemControls", "traits": { - "smithy.api#documentation": "A list of namespaced kernel parameters to set in the container. This parameter maps to\n\t\t\t\tSysctls
in the Create a container section of the\n\t\t\tDocker Remote API and the --sysctl
option to docker run.
We don't recommended that you specify network-related systemControls
\n\t\t\t\tparameters for multiple containers in a single task that also uses either the\n\t\t\t\t\tawsvpc
or host
network modes. For tasks that use the\n\t\t\t\t\tawsvpc
network mode, the container that's started last determines\n\t\t\t\twhich systemControls
parameters take effect. For tasks that use the\n\t\t\t\t\thost
network mode, it changes the container instance's namespaced\n\t\t\t\tkernel parameters as well as the containers.
A list of namespaced kernel parameters to set in the container. This parameter maps to\n\t\t\t\tSysctls
in the Create a container section of the\n\t\t\tDocker Remote API and the --sysctl
option to docker run. For example, you can\n\t\t\tconfigure net.ipv4.tcp_keepalive_time
setting to maintain\n\t\t\tlonger lived connections.
We don't recommended that you specify network-related systemControls
\n\t\t\t\tparameters for multiple containers in a single task that also uses either the\n\t\t\t\t\tawsvpc
or host
network modes. For tasks that use the\n\t\t\t\t\tawsvpc
network mode, the container that's started last determines\n\t\t\t\twhich systemControls
parameters take effect. For tasks that use the\n\t\t\t\t\thost
network mode, it changes the container instance's namespaced\n\t\t\t\tkernel parameters as well as the containers.
This parameter is not supported for Windows containers.
\nThis parameter is only supported for tasks that are hosted on\n Fargate if the tasks are using platform version 1.4.0
or later\n (Linux). This isn't supported for Windows containers on\n Fargate.
The FireLens configuration for the container. This is used to specify and configure a\n\t\t\tlog router for container logs. For more information, see Custom Log Routing\n\t\t\tin the Amazon Elastic Container Service Developer Guide.
" } + }, + "credentialSpecs": { + "target": "com.amazonaws.ecs#StringList", + "traits": { + "smithy.api#documentation": "A list of ARNs in SSM or Amazon S3 to a credential spec\n\t\t\t\t(CredSpec
) file that configures the container for Active Directory\n\t\t\tauthentication. We recommend that you use this parameter instead of the\n\t\t\t\tdockerSecurityOptions
. The maximum number of ARNs is\n\t\t\t1.
There are two formats for each ARN.
\nYou use credentialspecdomainless:MyARN
to provide a\n\t\t\t\t\t\t\tCredSpec
with an additional section for a secret in Secrets Manager.\n\t\t\t\t\t\tYou provide the login credentials to the domain in the secret.
Each task that runs on any container instance can join different\n\t\t\t\t\t\tdomains.
\nYou can use this format without joining the container instance to a\n\t\t\t\t\t\tdomain.
\nYou use credentialspec:MyARN
to provide a\n\t\t\t\t\t\t\tCredSpec
for a single domain.
You must join the container instance to the domain before you start any\n\t\t\t\t\t\ttasks that use this task definition.
\nIn both formats, replace MyARN
with the ARN in\n\t\t\tSSM or Amazon S3.
If you provide a credentialspecdomainless:MyARN
, the\n\t\t\t\tcredspec
must provide a ARN in Secrets Manager for a secret containing the\n\t\t\tusername, password, and the domain to connect to. For better security, the instance\n\t\t\tisn't joined to the domain for domainless authentication. Other applications on the\n\t\t\tinstance can't use the domainless credentials. You can use this parameter to run tasks\n\t\t\ton the same instance, even it the tasks need to join different domains. For more\n\t\t\tinformation, see Using gMSAs for Windows\n\t\t\t\tContainers and Using gMSAs for Linux\n\t\t\t\tContainers.
The number of tasks on the container instance that are in the RUNNING
\n\t\t\tstatus.
The number of tasks on the container instance that have a desired status (desiredStatus
) of RUNNING
.
The overrides that are sent to a container. An empty container override can be passed\n\t\t\tin. An example of an empty container override is {\"containerOverrides\": [ ]\n\t\t\t\t}
. If a non-empty container override is specified, the name
\n\t\t\tparameter must be included.
The overrides that are sent to a container. An empty container override can be passed\n\t\t\tin. An example of an empty container override is {\"containerOverrides\": [ ]\n\t\t\t\t}
. If a non-empty container override is specified, the name
\n\t\t\tparameter must be included.
You can use Secrets Manager or Amazon Web Services Systems Manager Parameter Store to store the sensitive\n\t\t\tdata. For more information, see Retrieve secrets through environment variables in the Amazon ECS Developer Guide.
" } }, "com.amazonaws.ecs#ContainerOverrides": { @@ -2945,7 +2915,27 @@ } ], "traits": { - "smithy.api#documentation": "Creates a new Amazon ECS cluster. By default, your account receives a default
\n\t\t\tcluster when you launch your first container instance. However, you can create your own\n\t\t\tcluster with a unique name with the CreateCluster
action.
When you call the CreateCluster API operation, Amazon ECS attempts to\n\t\t\t\tcreate the Amazon ECS service-linked role for your account. This is so that it can manage\n\t\t\t\trequired resources in other Amazon Web Services services on your behalf. However, if the user\n\t\t\t\tthat makes the call doesn't have permissions to create the service-linked role, it\n\t\t\t\tisn't created. For more information, see Using\n\t\t\t\t\tservice-linked roles for Amazon ECS in the Amazon Elastic Container Service Developer Guide.
\nCreates a new Amazon ECS cluster. By default, your account receives a default
\n\t\t\tcluster when you launch your first container instance. However, you can create your own\n\t\t\tcluster with a unique name with the CreateCluster
action.
When you call the CreateCluster API operation, Amazon ECS attempts to\n\t\t\t\tcreate the Amazon ECS service-linked role for your account. This is so that it can manage\n\t\t\t\trequired resources in other Amazon Web Services services on your behalf. However, if the user\n\t\t\t\tthat makes the call doesn't have permissions to create the service-linked role, it\n\t\t\t\tisn't created. For more information, see Using\n\t\t\t\t\tservice-linked roles for Amazon ECS in the Amazon Elastic Container Service Developer Guide.
\nRuns and maintains your desired number of tasks from a specified task definition. If\n\t\t\tthe number of tasks running in a service drops below the desiredCount
,\n\t\t\tAmazon ECS runs another copy of the task in the specified cluster. To update an existing\n\t\t\tservice, see the UpdateService action.
Starting April 15, 2023, Amazon Web Services will not onboard new customers to Amazon Elastic Inference (EI), and will help current customers migrate their workloads to options that offer better price and performance. After April 15, 2023, new customers will not be able to launch instances with Amazon EI accelerators in Amazon SageMaker, Amazon ECS, or Amazon EC2. However, customers who have used Amazon EI at least once during the past 30-day period are considered current customers and will be able to continue using the service.
\nIn addition to maintaining the desired count of tasks in your service, you can\n\t\t\toptionally run your service behind one or more load balancers. The load balancers\n\t\t\tdistribute traffic across the tasks that are associated with the service. For more\n\t\t\tinformation, see Service load balancing in the Amazon Elastic Container Service Developer Guide.
\nTasks for services that don't use a load balancer are considered healthy if they're in\n\t\t\tthe RUNNING
state. Tasks for services that use a load balancer are\n\t\t\tconsidered healthy if they're in the RUNNING
state and are reported as\n\t\t\thealthy by the load balancer.
There are two service scheduler strategies available:
\n\n REPLICA
- The replica scheduling strategy places and\n\t\t\t\t\tmaintains your desired number of tasks across your cluster. By default, the\n\t\t\t\t\tservice scheduler spreads tasks across Availability Zones. You can use task\n\t\t\t\t\tplacement strategies and constraints to customize task placement decisions. For\n\t\t\t\t\tmore information, see Service scheduler concepts in the Amazon Elastic Container Service Developer Guide.
\n DAEMON
- The daemon scheduling strategy deploys exactly one\n\t\t\t\t\ttask on each active container instance that meets all of the task placement\n\t\t\t\t\tconstraints that you specify in your cluster. The service scheduler also\n\t\t\t\t\tevaluates the task placement constraints for running tasks. It also stops tasks\n\t\t\t\t\tthat don't meet the placement constraints. When using this strategy, you don't\n\t\t\t\t\tneed to specify a desired number of tasks, a task placement strategy, or use\n\t\t\t\t\tService Auto Scaling policies. For more information, see Service scheduler concepts in the Amazon Elastic Container Service Developer Guide.
You can optionally specify a deployment configuration for your service. The deployment\n\t\t\tis initiated by changing properties. For example, the deployment might be initiated by\n\t\t\tthe task definition or by your desired count of a service. This is done with an UpdateService operation. The default value for a replica service for\n\t\t\t\tminimumHealthyPercent
is 100%. The default value for a daemon service\n\t\t\tfor minimumHealthyPercent
is 0%.
If a service uses the ECS
deployment controller, the minimum healthy\n\t\t\tpercent represents a lower limit on the number of tasks in a service that must remain in\n\t\t\tthe RUNNING
state during a deployment. Specifically, it represents it as a\n\t\t\tpercentage of your desired number of tasks (rounded up to the nearest integer). This\n\t\t\thappens when any of your container instances are in the DRAINING
state if\n\t\t\tthe service contains tasks using the EC2 launch type. Using this\n\t\t\tparameter, you can deploy without using additional cluster capacity. For example, if you\n\t\t\tset your service to have desired number of four tasks and a minimum healthy percent of\n\t\t\t50%, the scheduler might stop two existing tasks to free up cluster capacity before\n\t\t\tstarting two new tasks. If they're in the RUNNING
state, tasks for services\n\t\t\tthat don't use a load balancer are considered healthy . If they're in the\n\t\t\t\tRUNNING
state and reported as healthy by the load balancer, tasks for\n\t\t\tservices that do use a load balancer are considered healthy . The\n\t\t\tdefault value for minimum healthy percent is 100%.
If a service uses the ECS
deployment controller, the maximum percent parameter represents an upper limit on the\n\t\t\tnumber of tasks in a service that are allowed in the RUNNING
or\n\t\t\t\tPENDING
state during a deployment. Specifically, it represents it as a\n\t\t\tpercentage of the desired number of tasks (rounded down to the nearest integer). This\n\t\t\thappens when any of your container instances are in the DRAINING
state if\n\t\t\tthe service contains tasks using the EC2 launch type. Using this\n\t\t\tparameter, you can define the deployment batch size. For example, if your service has a\n\t\t\tdesired number of four tasks and a maximum percent value of 200%, the scheduler may\n\t\t\tstart four new tasks before stopping the four older tasks (provided that the cluster\n\t\t\tresources required to do this are available). The default value for maximum percent is\n\t\t\t200%.
If a service uses either the CODE_DEPLOY
or EXTERNAL
\n\t\t\tdeployment controller types and tasks that use the EC2 launch type, the\n\t\t\t\tminimum healthy percent and maximum percent values are used only to define the lower and upper limit\n\t\t\ton the number of the tasks in the service that remain in the RUNNING
state.\n\t\t\tThis is while the container instances are in the DRAINING
state. If the\n\t\t\ttasks in the service use the Fargate launch type, the minimum healthy\n\t\t\tpercent and maximum percent values aren't used. This is the case even if they're\n\t\t\tcurrently visible when describing your service.
When creating a service that uses the EXTERNAL
deployment controller, you\n\t\t\tcan specify only parameters that aren't controlled at the task set level. The only\n\t\t\trequired parameter is the service name. You control your services using the CreateTaskSet operation. For more information, see Amazon ECS deployment types in the Amazon Elastic Container Service Developer Guide.
When the service scheduler launches new tasks, it determines task placement. For\n\t\t\tinformation about task placement and task placement strategies, see Amazon ECS\n\t\t\t\ttask placement in the Amazon Elastic Container Service Developer Guide.
" + "smithy.api#documentation": "Runs and maintains your desired number of tasks from a specified task definition. If\n\t\t\tthe number of tasks running in a service drops below the desiredCount
,\n\t\t\tAmazon ECS runs another copy of the task in the specified cluster. To update an existing\n\t\t\tservice, see the UpdateService action.
Starting April 15, 2023, Amazon Web Services will not onboard new customers to Amazon Elastic Inference (EI), and will help current customers migrate their workloads to options that offer better price and performance. After April 15, 2023, new customers will not be able to launch instances with Amazon EI accelerators in Amazon SageMaker, Amazon ECS, or Amazon EC2. However, customers who have used Amazon EI at least once during the past 30-day period are considered current customers and will be able to continue using the service.
\nIn addition to maintaining the desired count of tasks in your service, you can\n\t\t\toptionally run your service behind one or more load balancers. The load balancers\n\t\t\tdistribute traffic across the tasks that are associated with the service. For more\n\t\t\tinformation, see Service load balancing in the Amazon Elastic Container Service Developer Guide.
\nTasks for services that don't use a load balancer are considered healthy if they're in\n\t\t\tthe RUNNING
state. Tasks for services that use a load balancer are\n\t\t\tconsidered healthy if they're in the RUNNING
state and are reported as\n\t\t\thealthy by the load balancer.
There are two service scheduler strategies available:
\n\n REPLICA
- The replica scheduling strategy places and\n\t\t\t\t\tmaintains your desired number of tasks across your cluster. By default, the\n\t\t\t\t\tservice scheduler spreads tasks across Availability Zones. You can use task\n\t\t\t\t\tplacement strategies and constraints to customize task placement decisions. For\n\t\t\t\t\tmore information, see Service scheduler concepts in the Amazon Elastic Container Service Developer Guide.
\n DAEMON
- The daemon scheduling strategy deploys exactly one\n\t\t\t\t\ttask on each active container instance that meets all of the task placement\n\t\t\t\t\tconstraints that you specify in your cluster. The service scheduler also\n\t\t\t\t\tevaluates the task placement constraints for running tasks. It also stops tasks\n\t\t\t\t\tthat don't meet the placement constraints. When using this strategy, you don't\n\t\t\t\t\tneed to specify a desired number of tasks, a task placement strategy, or use\n\t\t\t\t\tService Auto Scaling policies. For more information, see Service scheduler concepts in the Amazon Elastic Container Service Developer Guide.
You can optionally specify a deployment configuration for your service. The deployment\n\t\t\tis initiated by changing properties. For example, the deployment might be initiated by\n\t\t\tthe task definition or by your desired count of a service. This is done with an UpdateService operation. The default value for a replica service for\n\t\t\t\tminimumHealthyPercent
is 100%. The default value for a daemon service\n\t\t\tfor minimumHealthyPercent
is 0%.
If a service uses the ECS
deployment controller, the minimum healthy\n\t\t\tpercent represents a lower limit on the number of tasks in a service that must remain in\n\t\t\tthe RUNNING
state during a deployment. Specifically, it represents it as a\n\t\t\tpercentage of your desired number of tasks (rounded up to the nearest integer). This\n\t\t\thappens when any of your container instances are in the DRAINING
state if\n\t\t\tthe service contains tasks using the EC2 launch type. Using this\n\t\t\tparameter, you can deploy without using additional cluster capacity. For example, if you\n\t\t\tset your service to have desired number of four tasks and a minimum healthy percent of\n\t\t\t50%, the scheduler might stop two existing tasks to free up cluster capacity before\n\t\t\tstarting two new tasks. If they're in the RUNNING
state, tasks for services\n\t\t\tthat don't use a load balancer are considered healthy . If they're in the\n\t\t\t\tRUNNING
state and reported as healthy by the load balancer, tasks for\n\t\t\tservices that do use a load balancer are considered healthy . The\n\t\t\tdefault value for minimum healthy percent is 100%.
If a service uses the ECS
deployment controller, the maximum percent parameter represents an upper limit on the\n\t\t\tnumber of tasks in a service that are allowed in the RUNNING
or\n\t\t\t\tPENDING
state during a deployment. Specifically, it represents it as a\n\t\t\tpercentage of the desired number of tasks (rounded down to the nearest integer). This\n\t\t\thappens when any of your container instances are in the DRAINING
state if\n\t\t\tthe service contains tasks using the EC2 launch type. Using this\n\t\t\tparameter, you can define the deployment batch size. For example, if your service has a\n\t\t\tdesired number of four tasks and a maximum percent value of 200%, the scheduler may\n\t\t\tstart four new tasks before stopping the four older tasks (provided that the cluster\n\t\t\tresources required to do this are available). The default value for maximum percent is\n\t\t\t200%.
If a service uses either the CODE_DEPLOY
or EXTERNAL
\n\t\t\tdeployment controller types and tasks that use the EC2 launch type, the\n\t\t\t\tminimum healthy percent and maximum percent values are used only to define the lower and upper limit\n\t\t\ton the number of the tasks in the service that remain in the RUNNING
state.\n\t\t\tThis is while the container instances are in the DRAINING
state. If the\n\t\t\ttasks in the service use the Fargate launch type, the minimum healthy\n\t\t\tpercent and maximum percent values aren't used. This is the case even if they're\n\t\t\tcurrently visible when describing your service.
When creating a service that uses the EXTERNAL
deployment controller, you\n\t\t\tcan specify only parameters that aren't controlled at the task set level. The only\n\t\t\trequired parameter is the service name. You control your services using the CreateTaskSet operation. For more information, see Amazon ECS deployment types in the Amazon Elastic Container Service Developer Guide.
When the service scheduler launches new tasks, it determines task placement. For\n\t\t\tinformation about task placement and task placement strategies, see Amazon ECS\n\t\t\t\ttask placement in the Amazon Elastic Container Service Developer Guide.
", + "smithy.api#examples": [ + { + "title": "To create a new service", + "documentation": "This example creates a service in your default region called ``ecs-simple-service``. The service uses the ``hello_world`` task definition and it maintains 10 copies of that task.", + "input": { + "serviceName": "ecs-simple-service", + "taskDefinition": "hello_world", + "desiredCount": 10 + }, + "output": { + "service": { + "clusterArn": "arn:aws:ecs:us-east-1:012345678910:cluster/default", + "createdAt": "2016-08-29T16:13:47.298Z", + "deploymentConfiguration": { + "maximumPercent": 200, + "minimumHealthyPercent": 100 + }, + "deployments": [ + { + "createdAt": "2016-08-29T16:13:47.298Z", + "desiredCount": 10, + "id": "ecs-svc/9223370564342348388", + "pendingCount": 0, + "runningCount": 0, + "status": "PRIMARY", + "taskDefinition": "arn:aws:ecs:us-east-1:012345678910:task-definition/hello_world:6", + "updatedAt": "2016-08-29T16:13:47.298Z" + }, + { + "createdAt": "2016-08-29T15:52:44.481Z", + "desiredCount": 0, + "id": "ecs-svc/9223370564343611322", + "pendingCount": 0, + "runningCount": 0, + "status": "ACTIVE", + "taskDefinition": "arn:aws:ecs:us-east-1:012345678910:task-definition/hello_world:6", + "updatedAt": "2016-08-29T16:11:38.941Z" + } + ], + "desiredCount": 10, + "events": [], + "loadBalancers": [], + "pendingCount": 0, + "runningCount": 0, + "serviceArn": "arn:aws:ecs:us-east-1:012345678910:service/ecs-simple-service", + "serviceName": "ecs-simple-service", + "status": "ACTIVE", + "taskDefinition": "arn:aws:ecs:us-east-1:012345678910:task-definition/hello_world:6" + } + } + } + ] } }, "com.amazonaws.ecs#CreateServiceRequest": { 
@@ -3175,13 +3217,13 @@ "target": "com.amazonaws.ecs#Boolean", "traits": { "smithy.api#default": false, - "smithy.api#documentation": "Specifies whether to turn on Amazon ECS managed tags for the tasks within the service. For\n\t\t\tmore information, see Tagging your Amazon ECS\n\t\t\t\tresources in the Amazon Elastic Container Service Developer Guide.
" + "smithy.api#documentation": "Specifies whether to turn on Amazon ECS managed tags for the tasks within the service. For\n\t\t\tmore information, see Tagging your Amazon ECS\n\t\t\t\tresources in the Amazon Elastic Container Service Developer Guide.
\nWhen you use Amazon ECS managed tags, you need to set the propagateTags
\n\t\t\trequest parameter.
Specifies whether to propagate the tags from the task definition to the task. If no\n\t\t\tvalue is specified, the tags aren't propagated. Tags can only be propagated to the task\n\t\t\tduring task creation. To add tags to a task after task creation, use the TagResource API action.
" + "smithy.api#documentation": "Specifies whether to propagate the tags from the task definition to the task. If no\n\t\t\tvalue is specified, the tags aren't propagated. Tags can only be propagated to the task\n\t\t\tduring task creation. To add tags to a task after task creation, use the TagResource API action.
\nThe default is NONE
.
The task definition for the tasks in the task set to use.
", + "smithy.api#documentation": "The task definition for the tasks in the task set to use. If a revision isn't specified, the\n\t\t\tlatest ACTIVE
revision is used.
Disables an account setting for a specified user, role, or the root user for\n\t\t\tan account.
" + "smithy.api#documentation": "Disables an account setting for a specified user, role, or the root user for\n\t\t\tan account.
", + "smithy.api#examples": [ + { + "title": "To delete your account setting", + "documentation": "This example deletes the account setting for your user for the specified resource type.", + "input": { + "name": "serviceLongArnFormat" + }, + "output": { + "setting": { + "name": "serviceLongArnFormat", + "value": "enabled", + "principalArn": "arn:aws:iam::Deletes the specified cluster. The cluster transitions to the INACTIVE
\n\t\t\tstate. Clusters with an INACTIVE
status might remain discoverable in your\n\t\t\taccount for a period of time. However, this behavior is subject to change in the future.\n\t\t\tWe don't recommend that you rely on INACTIVE
clusters persisting.
You must deregister all container instances from this cluster before you may delete\n\t\t\tit. You can list the container instances in a cluster with ListContainerInstances and deregister them with DeregisterContainerInstance.
" + "smithy.api#documentation": "Deletes the specified cluster. The cluster transitions to the INACTIVE
\n\t\t\tstate. Clusters with an INACTIVE
status might remain discoverable in your\n\t\t\taccount for a period of time. However, this behavior is subject to change in the future.\n\t\t\tWe don't recommend that you rely on INACTIVE
clusters persisting.
You must deregister all container instances from this cluster before you may delete\n\t\t\tit. You can list the container instances in a cluster with ListContainerInstances and deregister them with DeregisterContainerInstance.
", + "smithy.api#examples": [ + { + "title": "To delete an empty cluster", + "documentation": "This example deletes an empty cluster in your default region.", + "input": { + "cluster": "my_cluster" + }, + "output": { + "cluster": { + "activeServicesCount": 0, + "clusterArn": "arn:aws:ecs:us-east-1:012345678910:cluster/my_cluster", + "clusterName": "my_cluster", + "pendingTasksCount": 0, + "registeredContainerInstancesCount": 0, + "runningTasksCount": 0, + "status": "INACTIVE" + } + } + } + ] } }, "com.amazonaws.ecs#DeleteClusterRequest": { @@ -3627,7 +3705,17 @@ } ], "traits": { - "smithy.api#documentation": "Deletes a specified service within a cluster. You can delete a service if you have no\n\t\t\trunning tasks in it and the desired task count is zero. If the service is actively\n\t\t\tmaintaining tasks, you can't delete it, and you must update the service to a desired\n\t\t\ttask count of zero. For more information, see UpdateService.
\nWhen you delete a service, if there are still running tasks that require cleanup,\n\t\t\t\tthe service status moves from ACTIVE
to DRAINING
, and the\n\t\t\t\tservice is no longer visible in the console or in the ListServices\n\t\t\t\tAPI operation. After all tasks have transitioned to either STOPPING
or\n\t\t\t\t\tSTOPPED
status, the service status moves from DRAINING
\n\t\t\t\tto INACTIVE
. Services in the DRAINING
or\n\t\t\t\t\tINACTIVE
status can still be viewed with the DescribeServices API operation. However, in the future,\n\t\t\t\t\tINACTIVE
services may be cleaned up and purged from Amazon ECS record\n\t\t\t\tkeeping, and DescribeServices calls on those services return a\n\t\t\t\t\tServiceNotFoundException
error.
If you attempt to create a new service with the same name as an existing service\n\t\t\t\tin either ACTIVE
or DRAINING
status, you receive an\n\t\t\t\terror.
Deletes a specified service within a cluster. You can delete a service if you have no\n\t\t\trunning tasks in it and the desired task count is zero. If the service is actively\n\t\t\tmaintaining tasks, you can't delete it, and you must update the service to a desired\n\t\t\ttask count of zero. For more information, see UpdateService.
\nWhen you delete a service, if there are still running tasks that require cleanup,\n\t\t\t\tthe service status moves from ACTIVE
to DRAINING
, and the\n\t\t\t\tservice is no longer visible in the console or in the ListServices\n\t\t\t\tAPI operation. After all tasks have transitioned to either STOPPING
or\n\t\t\t\t\tSTOPPED
status, the service status moves from DRAINING
\n\t\t\t\tto INACTIVE
. Services in the DRAINING
or\n\t\t\t\t\tINACTIVE
status can still be viewed with the DescribeServices API operation. However, in the future,\n\t\t\t\t\tINACTIVE
services may be cleaned up and purged from Amazon ECS record\n\t\t\t\tkeeping, and DescribeServices calls on those services return a\n\t\t\t\t\tServiceNotFoundException
error.
If you attempt to create a new service with the same name as an existing service\n\t\t\t\tin either ACTIVE
or DRAINING
status, you receive an\n\t\t\t\terror.
Deletes one or more task definitions.
\nYou must deregister a task definition revision before you delete it. For more information,\n\t\t\tsee DeregisterTaskDefinition.
\nWhen you delete a task definition revision, it is immediately transitions from the\n\t\tINACTIVE
to DELETE_IN_PROGRESS
. Existing tasks and services\n\t\tthat reference a DELETE_IN_PROGRESS
task definition revision continue to run\n\t\twithout disruption. Existing services that reference a DELETE_IN_PROGRESS
task\n\t\tdefinition revision can still scale up or down by modifying the service's desired\n\t\tcount.
You can't use a DELETE_IN_PROGRESS
task definition revision to run new tasks\n\t\t\tor create new services. You also can't update an existing service to reference a\n\t\t\tDELETE_IN_PROGRESS
task definition revision.
A task definition revision will stay in DELETE_IN_PROGRESS
status until\n\t\t\tall the associated tasks and services have been terminated.
Deletes one or more task definitions.
\nYou must deregister a task definition revision before you delete it. For more information,\n\t\t\tsee DeregisterTaskDefinition.
\nWhen you delete a task definition revision, it is immediately transitions from the\n\t\tINACTIVE
to DELETE_IN_PROGRESS
. Existing tasks and services\n\t\tthat reference a DELETE_IN_PROGRESS
task definition revision continue to run\n\t\twithout disruption. Existing services that reference a DELETE_IN_PROGRESS
task\n\t\tdefinition revision can still scale up or down by modifying the service's desired\n\t\tcount.
You can't use a DELETE_IN_PROGRESS
task definition revision to run new tasks\n\t\t\tor create new services. You also can't update an existing service to reference a\n\t\t\tDELETE_IN_PROGRESS
task definition revision.
A task definition revision will stay in DELETE_IN_PROGRESS
status until\n\t\t\tall the associated tasks and services have been terminated.
When you delete all INACTIVE
task definition revisions, the task definition name is not displayed in the console and not returned in the API. If a task definition revisions are in the DELETE_IN_PROGRESS
state, the task definition name is displayed in the console and returned in the API. The task definition name is retained by Amazon ECS and the revision is incremented the next time you create a task definition with that name.
The deployment circuit breaker can only be used for services using the rolling\n\t\t\t\tupdate (ECS
) deployment type.
The deployment circuit breaker determines whether a\n\t\t\tservice deployment will fail if the service can't reach a steady state. If it is turned on, a\n\t\t\tservice deployment will transition to a failed state and stop launching new tasks. You\n\t\t\tcan also configure Amazon ECS to roll back your service to the last completed deployment\n\t\t\tafter a failure. For more information, see Rolling\n\t\t\t\tupdate in the Amazon Elastic Container Service Developer Guide.
" + "smithy.api#documentation": "The deployment circuit breaker can only be used for services using the rolling\n\t\t\t\tupdate (ECS
) deployment type.
The deployment circuit breaker determines whether a\n\t\t\tservice deployment will fail if the service can't reach a steady state. If it is turned on, a\n\t\t\tservice deployment will transition to a failed state and stop launching new tasks. You\n\t\t\tcan also configure Amazon ECS to roll back your service to the last completed deployment\n\t\t\tafter a failure. For more information, see Rolling\n\t\t\t\tupdate in the Amazon Elastic Container Service Developer Guide.
\nFor more information about API failure reasons, see API failure reasons in the Amazon Elastic Container Service Developer Guide.
" } }, "com.amazonaws.ecs#DeploymentConfiguration": { @@ -4119,7 +4207,19 @@ } ], "traits": { - "smithy.api#documentation": "Deregisters an Amazon ECS container instance from the specified cluster. This instance is\n\t\t\tno longer available to run tasks.
\nIf you intend to use the container instance for some other purpose after\n\t\t\tderegistration, we recommend that you stop all of the tasks running on the container\n\t\t\tinstance before deregistration. That prevents any orphaned tasks from consuming\n\t\t\tresources.
\nDeregistering a container instance removes the instance from a cluster, but it doesn't\n\t\t\tterminate the EC2 instance. If you are finished using the instance, be sure to terminate\n\t\t\tit in the Amazon EC2 console to stop billing.
\nIf you terminate a running container instance, Amazon ECS automatically deregisters the\n\t\t\t\tinstance from your cluster (stopped container instances or instances with\n\t\t\t\tdisconnected agents aren't automatically deregistered when terminated).
\nDeregisters an Amazon ECS container instance from the specified cluster. This instance is\n\t\t\tno longer available to run tasks.
\nIf you intend to use the container instance for some other purpose after\n\t\t\tderegistration, we recommend that you stop all of the tasks running on the container\n\t\t\tinstance before deregistration. That prevents any orphaned tasks from consuming\n\t\t\tresources.
\nDeregistering a container instance removes the instance from a cluster, but it doesn't\n\t\t\tterminate the EC2 instance. If you are finished using the instance, be sure to terminate\n\t\t\tit in the Amazon EC2 console to stop billing.
\nIf you terminate a running container instance, Amazon ECS automatically deregisters the\n\t\t\t\tinstance from your cluster (stopped container instances or instances with\n\t\t\t\tdisconnected agents aren't automatically deregistered when terminated).
\nDescribes one or more of your clusters.
" + "smithy.api#documentation": "Describes one or more of your clusters.
", + "smithy.api#examples": [ + { + "title": "To describe a cluster", + "documentation": "This example provides a description of the specified cluster in your default region.", + "input": { + "clusters": [ + "default" + ] + }, + "output": { + "clusters": [ + { + "clusterName": "default", + "status": "ACTIVE", + "clusterArn": "arn:aws:ecs:us-east-1:aws_account_id:cluster/default" + } + ], + "failures": [] + } + } + ] } }, "com.amazonaws.ecs#DescribeClustersRequest": { @@ -4382,7 +4503,91 @@ } ], "traits": { - "smithy.api#documentation": "Describes one or more container instances. Returns metadata about each container\n\t\t\tinstance requested.
" + "smithy.api#documentation": "Describes one or more container instances. Returns metadata about each container\n\t\t\tinstance requested.
", + "smithy.api#examples": [ + { + "title": "To describe container instance", + "documentation": "This example provides a description of the specified container instance in your default region, using the container instance UUID as an identifier.", + "input": { + "cluster": "default", + "containerInstances": [ + "f2756532-8f13-4d53-87c9-aed50dc94cd7" + ] + }, + "output": { + "failures": [], + "containerInstances": [ + { + "status": "ACTIVE", + "registeredResources": [ + { + "doubleValue": 0.0, + "type": "INTEGER", + "longValue": 0, + "integerValue": 2048, + "name": "CPU" + }, + { + "doubleValue": 0.0, + "type": "INTEGER", + "longValue": 0, + "integerValue": 3768, + "name": "MEMORY" + }, + { + "name": "PORTS", + "longValue": 0, + "doubleValue": 0.0, + "stringSetValue": [ + "2376", + "22", + "51678", + "2375" + ], + "type": "STRINGSET", + "integerValue": 0 + } + ], + "ec2InstanceId": "i-807f3249", + "agentConnected": true, + "containerInstanceArn": "arn:aws:ecs:us-east-1:012345678910:container-instance/f2756532-8f13-4d53-87c9-aed50dc94cd7", + "pendingTasksCount": 0, + "remainingResources": [ + { + "doubleValue": 0.0, + "type": "INTEGER", + "longValue": 0, + "integerValue": 1948, + "name": "CPU" + }, + { + "doubleValue": 0.0, + "type": "INTEGER", + "longValue": 0, + "integerValue": 3668, + "name": "MEMORY" + }, + { + "name": "PORTS", + "longValue": 0, + "doubleValue": 0.0, + "stringSetValue": [ + "2376", + "22", + "80", + "51678", + "2375" + ], + "type": "STRINGSET", + "integerValue": 0 + } + ], + "runningTasksCount": 1 + } + ] + } + } + ] } }, "com.amazonaws.ecs#DescribeContainerInstancesRequest": { @@ -4456,6 +4661,57 @@ ], "traits": { "smithy.api#documentation": "Describes the specified services running in your cluster.
", + "smithy.api#examples": [ + { + "title": "To describe a service", + "documentation": "This example provides descriptive information about the service named ``ecs-simple-service``.", + "input": { + "services": [ + "ecs-simple-service" + ] + }, + "output": { + "failures": [], + "services": [ + { + "clusterArn": "arn:aws:ecs:us-east-1:012345678910:cluster/default", + "createdAt": "2016-08-29T16:25:52.130Z", + "deploymentConfiguration": { + "maximumPercent": 200, + "minimumHealthyPercent": 100 + }, + "deployments": [ + { + "createdAt": "2016-08-29T16:25:52.130Z", + "desiredCount": 1, + "id": "ecs-svc/9223370564341623665", + "pendingCount": 0, + "runningCount": 0, + "status": "PRIMARY", + "taskDefinition": "arn:aws:ecs:us-east-1:012345678910:task-definition/hello_world:6", + "updatedAt": "2016-08-29T16:25:52.130Z" + } + ], + "desiredCount": 1, + "events": [ + { + "createdAt": "2016-08-29T16:25:58.520Z", + "id": "38c285e5-d335-4b68-8b15-e46dedc8e88d", + "message": "(service ecs-simple-service) was unable to place a task because no container instance met all of its requirements. The closest matching (container-instance 3f4de1c5-ffdd-4954-af7e-75b4be0c8841) is already using a port required by your task. For more information, see the Troubleshooting section of the Amazon ECS Developer Guide." + } + ], + "loadBalancers": [], + "pendingCount": 0, + "runningCount": 0, + "serviceArn": "arn:aws:ecs:us-east-1:012345678910:service/ecs-simple-service", + "serviceName": "ecs-simple-service", + "status": "ACTIVE", + "taskDefinition": "arn:aws:ecs:us-east-1:012345678910:task-definition/hello_world:6" + } + ] + } + } + ], "smithy.waiters#waitable": { "ServicesInactive": { "acceptors": [ @@ -4597,7 +4853,61 @@ } ], "traits": { - "smithy.api#documentation": "Describes a task definition. You can specify a family
and\n\t\t\t\trevision
to find information about a specific task definition, or you\n\t\t\tcan simply specify the family to find the latest ACTIVE
revision in that\n\t\t\tfamily.
You can only describe INACTIVE
task definitions while an active task\n\t\t\t\tor service references them.
Describes a task definition. You can specify a family
and\n\t\t\t\trevision
to find information about a specific task definition, or you\n\t\t\tcan simply specify the family to find the latest ACTIVE
revision in that\n\t\t\tfamily.
You can only describe INACTIVE
task definitions while an active task\n\t\t\t\tor service references them.
Describes a specified task or tasks.
\nCurrently, stopped tasks appear in the returned results for at least one hour.
", + "smithy.api#documentation": "Describes a specified task or tasks.
\nCurrently, stopped tasks appear in the returned results for at least one hour.
\nIf you have tasks with tags, and then delete the cluster, the tagged tasks are\n\t\t\treturned in the response. If you create a new cluster with the same name as the deleted\n\t\t\tcluster, the tagged tasks are not included in the response.
", + "smithy.api#examples": [ + { + "title": "To describe a task", + "documentation": "This example provides a description of the specified task, using the task UUID as an identifier.", + "input": { + "tasks": [ + "c5cba4eb-5dad-405e-96db-71ef8eefe6a8" + ] + }, + "output": { + "failures": [], + "tasks": [ + { + "taskArn": "arn:aws:ecs:A list of files containing the environment variables to pass to a container. You can\n\t\t\tspecify up to ten environment files. The file must have a .env
file\n\t\t\textension. Each line in an environment file should contain an environment variable in\n\t\t\t\tVARIABLE=VALUE
format. Lines beginning with #
are treated\n\t\t\tas comments and are ignored. For more information about the environment variable file\n\t\t\tsyntax, see Declare default\n\t\t\t\tenvironment variables in file.
If there are environment variables specified using the environment
\n\t\t\tparameter in a container definition, they take precedence over the variables contained\n\t\t\twithin an environment file. If multiple environment files are specified that contain the\n\t\t\tsame variable, they're processed from the top down. We recommend that you use unique\n\t\t\tvariable names. For more information, see Specifying environment\n\t\t\t\tvariables in the Amazon Elastic Container Service Developer Guide.
This parameter is only supported for tasks hosted on Fargate using the\n\t\t\tfollowing platform versions:
\nLinux platform version 1.4.0
or later.
Windows platform version 1.0.0
or later.
A list of files containing the environment variables to pass to a container. You can\n\t\t\tspecify up to ten environment files. The file must have a .env
file\n\t\t\textension. Each line in an environment file should contain an environment variable in\n\t\t\t\tVARIABLE=VALUE
format. Lines beginning with #
are treated\n\t\t\tas comments and are ignored. For more information about the environment variable file\n\t\t\tsyntax, see Declare default\n\t\t\t\tenvironment variables in file.
If there are environment variables specified using the environment
\n\t\t\tparameter in a container definition, they take precedence over the variables contained\n\t\t\twithin an environment file. If multiple environment files are specified that contain the\n\t\t\tsame variable, they're processed from the top down. We recommend that you use unique\n\t\t\tvariable names. For more information, see Specifying environment\n\t\t\t\tvariables in the Amazon Elastic Container Service Developer Guide.
You must use the following platforms for the Fargate launch type:
\nLinux platform version 1.4.0
or later.
Windows platform version 1.0.0
or later.
Retrieves the protection status of tasks in an Amazon ECS service.
" + "smithy.api#documentation": "Retrieves the protection status of tasks in an Amazon ECS service.
", + "smithy.api#examples": [ + { + "title": "To get the protection status of a task", + "documentation": "In this example, we get the protection status for a single task.", + "input": { + "cluster": "test-task-protection", + "tasks": [ + "b8b1cf532d0e46ba8d44a40d1de16772" + ] + }, + "output": { + "protectedTasks": [ + { + "taskArn": "arn:aws:ecs:us-west-2:012345678910:task/b8b1cf532d0e46ba8d44a40d1de16772", + "protectionEnabled": true, + "expirationDate": "2022-11-02T06:56:32.553Z" + } + ], + "failures": [] + } + } + ] } }, "com.amazonaws.ecs#GetTaskProtectionRequest": { @@ -5672,7 +6051,7 @@ } }, "traits": { - "smithy.api#documentation": "An object representing a container health check. Health check parameters that are\n\t\t\tspecified in a container definition override any Docker health checks that exist in the\n\t\t\tcontainer image (such as those specified in a parent image or from the image's\n\t\t\tDockerfile). This configuration maps to the HEALTHCHECK
parameter of docker run.
The Amazon ECS container agent only monitors and reports on the health checks specified\n\t\t\t\tin the task definition. Amazon ECS does not monitor Docker health checks that are\n\t\t\t\tembedded in a container image and not specified in the container definition. Health\n\t\t\t\tcheck parameters that are specified in a container definition override any Docker\n\t\t\t\thealth checks that exist in the container image.
\nYou can view the health status of both individual containers and a task with the\n\t\t\tDescribeTasks API operation or when viewing the task details in the console.
\nThe following describes the possible healthStatus
values for a\n\t\t\tcontainer:
\n HEALTHY
-The container health check has passed\n\t\t\t\t\tsuccessfully.
\n UNHEALTHY
-The container health check has failed.
\n UNKNOWN
-The container health check is being evaluated or\n\t\t\t\t\tthere's no container health check defined.
The following describes the possible healthStatus
values for a task. The\n\t\t\tcontainer health check status of\n\t\t\tnon-essential containers don't have an effect on the health status of a task.
\n HEALTHY
-All essential containers within the task have\n\t\t\t\t\tpassed their health checks.
\n UNHEALTHY
-One or more essential containers have failed\n\t\t\t\t\ttheir health check.
\n UNKNOWN
-The essential containers within the task are still\n\t\t\t\t\thaving their health checks evaluated, there are only nonessential containers\n\t\t\t\t\twith health checks defined, or there are no container health checks\n\t\t\t\t\tdefined.
If a task is run manually, and not as part of a service, the task will continue its\n\t\t\tlifecycle regardless of its health status. For tasks that are part of a service, if the\n\t\t\ttask reports as unhealthy then the task will be stopped and the service scheduler will\n\t\t\treplace it.
\nThe following are notes about container health check support:
\nContainer health checks require version 1.17.0 or greater of the Amazon ECS\n\t\t\t\t\tcontainer agent. For more information, see Updating the\n\t\t\t\t\t\tAmazon ECS container agent.
\nContainer health checks are supported for Fargate tasks if\n\t\t\t\t\tyou're using platform version 1.1.0
or greater. For more\n\t\t\t\t\tinformation, see Fargate\n\t\t\t\t\t\tplatform versions.
Container health checks aren't supported for tasks that are part of a service\n\t\t\t\t\tthat's configured to use a Classic Load Balancer.
\nAn object representing a container health check. Health check parameters that are\n\t\t\tspecified in a container definition override any Docker health checks that exist in the\n\t\t\tcontainer image (such as those specified in a parent image or from the image's\n\t\t\tDockerfile). This configuration maps to the HEALTHCHECK
parameter of docker run.
The Amazon ECS container agent only monitors and reports on the health checks specified\n\t\t\t\tin the task definition. Amazon ECS does not monitor Docker health checks that are\n\t\t\t\tembedded in a container image and not specified in the container definition. Health\n\t\t\t\tcheck parameters that are specified in a container definition override any Docker\n\t\t\t\thealth checks that exist in the container image.
\nYou can view the health status of both individual containers and a task with the\n\t\t\tDescribeTasks API operation or when viewing the task details in the console.
\nThe health check is designed to make sure that your containers survive\n\t\t\tagent restarts, upgrades, or temporary unavailability.
\nThe following describes the possible healthStatus
values for a\n\t\t\tcontainer:
\n HEALTHY
-The container health check has passed\n\t\t\t\t\tsuccessfully.
\n UNHEALTHY
-The container health check has failed.
\n UNKNOWN
-The container health check is being evaluated or\n\t\t\t\t\tthere's no container health check defined.
The following describes the possible healthStatus
values for a task. The\n\t\t\tcontainer health check status of\n\t\t\tnon-essential containers don't have an effect on the health status of a task.
\n HEALTHY
-All essential containers within the task have\n\t\t\t\t\tpassed their health checks.
\n UNHEALTHY
-One or more essential containers have failed\n\t\t\t\t\ttheir health check.
\n UNKNOWN
-The essential containers within the task are still\n\t\t\t\t\thaving their health checks evaluated, there are only nonessential containers\n\t\t\t\t\twith health checks defined, or there are no container health checks\n\t\t\t\t\tdefined.
If a task is run manually, and not as part of a service, the task will continue its\n\t\t\tlifecycle regardless of its health status. For tasks that are part of a service, if the\n\t\t\ttask reports as unhealthy then the task will be stopped and the service scheduler will\n\t\t\treplace it.
\nThe following are notes about container health check support:
\nWhen the Amazon ECS agent cannot connect to the Amazon ECS service, the\n\t\t\t\t\tservice reports the container as UNHEALTHY
.
The health check statuses are the \"last heard from\" response from the Amazon ECS agent. There\n\t\t\t\t\tare no assumptions made about the status of the container health checks.
\nContainer health checks require version 1.17.0 or greater of the Amazon ECS\n\t\t\t\t\tcontainer agent. For more information, see Updating the\n\t\t\t\t\t\tAmazon ECS container agent.
\nContainer health checks are supported for Fargate tasks if\n\t\t\t\t\tyou're using platform version 1.1.0
or greater. For more\n\t\t\t\t\tinformation, see Fargate\n\t\t\t\t\t\tplatform versions.
Container health checks aren't supported for tasks that are part of a service\n\t\t\t\t\tthat's configured to use a Classic Load Balancer.
\nLists the account settings for a specified principal.
", + "smithy.api#examples": [ + { + "title": "To view your effective account settings", + "documentation": "This example displays the effective account settings for your account.", + "input": { + "effectiveSettings": true + }, + "output": { + "settings": [ + { + "name": "containerInstanceLongArnFormat", + "value": "disabled", + "principalArn": "arn:aws:iam::Returns a list of existing clusters.
", + "smithy.api#examples": [ + { + "title": "To list your available clusters", + "documentation": "This example lists all of your available clusters in your default region.", + "output": { + "clusterArns": [ + "arn:aws:ecs:us-east-1:Returns a list of container instances in a specified cluster. You can filter the\n\t\t\tresults of a ListContainerInstances
operation with cluster query language\n\t\t\tstatements inside the filter
parameter. For more information, see Cluster Query Language in the Amazon Elastic Container Service Developer Guide.
Returns a list of services. You can filter the results by cluster, launch type, and\n\t\t\tscheduling strategy.
", + "smithy.api#examples": [ + { + "title": "To list the services in a cluster", + "documentation": "This example lists the services running in the default cluster for an account.", + "output": { + "serviceArns": [ + "arn:aws:ecs:us-east-1:012345678910:service/my-http-service" + ] + } + } + ], "smithy.api#paginated": { "inputToken": "nextToken", "outputToken": "nextToken", @@ -6575,7 +7020,24 @@ } ], "traits": { - "smithy.api#documentation": "List the tags for an Amazon ECS resource.
" + "smithy.api#documentation": "List the tags for an Amazon ECS resource.
", + "smithy.api#examples": [ + { + "title": "To list the tags for a cluster.", + "documentation": "This example lists the tags for the 'dev' cluster.", + "input": { + "resourceArn": "arn:aws:ecs:region:aws_account_id:cluster/dev" + }, + "output": { + "tags": [ + { + "key": "team", + "value": "dev" + } + ] + } + } + ] } }, "com.amazonaws.ecs#ListTagsForResourceRequest": { @@ -6628,6 +7090,20 @@ ], "traits": { "smithy.api#documentation": "Returns a list of task definition families that are registered to your account. This\n\t\t\tlist includes task definition families that no longer have any ACTIVE
task\n\t\t\tdefinition revisions.
You can filter out task definition families that don't contain any ACTIVE
\n\t\t\ttask definition revisions by setting the status
parameter to\n\t\t\t\tACTIVE
. You can also filter the results with the\n\t\t\t\tfamilyPrefix
parameter.
Returns a list of task definitions that are registered to your account. You can filter\n\t\t\tthe results by family name with the familyPrefix
parameter or by status\n\t\t\twith the status
parameter.
Returns a list of tasks. You can filter the results by cluster, task definition\n\t\t\tfamily, container instance, launch type, what IAM principal started the task, or by the\n\t\t\tdesired status of the task.
\nRecently stopped tasks might appear in the returned results. Currently, stopped tasks\n\t\t\tappear in the returned results for at least one hour.
", + "smithy.api#documentation": "Returns a list of tasks. You can filter the results by cluster, task definition\n\t\t\tfamily, container instance, launch type, what IAM principal started the task, or by the\n\t\t\tdesired status of the task.
\nRecently stopped tasks might appear in the returned results.
", + "smithy.api#examples": [ + { + "title": "To list the tasks in a cluster", + "documentation": "This example lists all of the tasks in a cluster.", + "input": { + "cluster": "default" + }, + "output": { + "taskArns": [ + "arn:aws:ecs:us-east-1:012345678910:task/0cc43cdb-3bee-4407-9c26-c0e6ea5bee84", + "arn:aws:ecs:us-east-1:012345678910:task/6b809ef6-c67e-4467-921f-ee261c15a0a1" + ] + } + } + ], "smithy.api#paginated": { "inputToken": "nextToken", "outputToken": "nextToken", @@ -6898,13 +7405,13 @@ "targetGroupArn": { "target": "com.amazonaws.ecs#String", "traits": { - "smithy.api#documentation": "The full Amazon Resource Name (ARN) of the Elastic Load Balancing target group or groups associated with a service or\n\t\t\ttask set.
\nA target group ARN is only specified when using an Application Load Balancer or Network Load Balancer. If you're using a\n\t\t\tClassic Load Balancer, omit the target group ARN.
\nFor services using the ECS
deployment controller, you can specify one or\n\t\t\tmultiple target groups. For more information, see Registering multiple target groups with a service in\n\t\t\tthe Amazon Elastic Container Service Developer Guide.
For services using the CODE_DEPLOY
deployment controller, you're required\n\t\t\tto define two target groups for the load balancer. For more information, see Blue/green deployment with CodeDeploy in the\n\t\t\tAmazon Elastic Container Service Developer Guide.
If your service's task definition uses the awsvpc
network mode, you\n\t\t\t\tmust choose ip
as the target type, not instance
. Do this\n\t\t\t\twhen creating your target groups because tasks that use the awsvpc
\n\t\t\t\tnetwork mode are associated with an elastic network interface, not an Amazon EC2\n\t\t\t\tinstance. This network mode is required for the Fargate launch\n\t\t\t\ttype.
The full Amazon Resource Name (ARN) of the Elastic Load Balancing target group or groups associated with a service or\n\t\t\ttask set.
\nA target group ARN is only specified when using an Application Load Balancer or Network Load Balancer.
\nFor services using the ECS
deployment controller, you can specify one or\n\t\t\tmultiple target groups. For more information, see Registering multiple target groups with a service in\n\t\t\tthe Amazon Elastic Container Service Developer Guide.
For services using the CODE_DEPLOY
deployment controller, you're required\n\t\t\tto define two target groups for the load balancer. For more information, see Blue/green deployment with CodeDeploy in the\n\t\t\tAmazon Elastic Container Service Developer Guide.
If your service's task definition uses the awsvpc
network mode, you\n\t\t\t\tmust choose ip
as the target type, not instance
. Do this\n\t\t\t\twhen creating your target groups because tasks that use the awsvpc
\n\t\t\t\tnetwork mode are associated with an elastic network interface, not an Amazon EC2\n\t\t\t\tinstance. This network mode is required for the Fargate launch\n\t\t\t\ttype.
The name of the load balancer to associate with the Amazon ECS service or task set.
\nA load balancer name is only specified when using a Classic Load Balancer. If you are using an Application Load Balancer\n\t\t\tor a Network Load Balancer the load balancer name parameter should be omitted.
" + "smithy.api#documentation": "The name of the load balancer to associate with the Amazon ECS service or task set.
\nIf you are using an Application Load Balancer or a Network Load Balancer the load balancer name parameter should be\n\t\t\tomitted.
" } }, "containerName": { @@ -6954,7 +7461,7 @@ } }, "traits": { - "smithy.api#documentation": "The log configuration for the container. This parameter maps to LogConfig
\n\t\t\tin the Create a container section of the Docker Remote API and the\n\t\t\t\t--log-driver
option to \n docker\n\t\t\t\t\trun
\n .
By default, containers use the same logging driver that the Docker daemon uses.\n\t\t\tHowever, the container might use a different logging driver than the Docker daemon by\n\t\t\tspecifying a log driver configuration in the container definition. For more information\n\t\t\tabout the options for different supported log drivers, see Configure logging\n\t\t\t\tdrivers in the Docker documentation.
\nUnderstand the following when specifying a log configuration for your\n\t\t\tcontainers.
\nAmazon ECS currently supports a subset of the logging drivers available to the\n\t\t\t\t\tDocker daemon (shown in the valid values below). Additional log drivers may be\n\t\t\t\t\tavailable in future releases of the Amazon ECS container agent.
\nThis parameter requires version 1.18 of the Docker Remote API or greater on\n\t\t\t\t\tyour container instance.
\nFor tasks that are hosted on Amazon EC2 instances, the Amazon ECS container agent must\n\t\t\t\t\tregister the available logging drivers with the\n\t\t\t\t\t\tECS_AVAILABLE_LOGGING_DRIVERS
environment variable before\n\t\t\t\t\tcontainers placed on that instance can use these log configuration options. For\n\t\t\t\t\tmore information, see Amazon ECS container agent configuration in the\n\t\t\t\t\tAmazon Elastic Container Service Developer Guide.
For tasks that are on Fargate, because you don't have access to the\n\t\t\t\t\tunderlying infrastructure your tasks are hosted on, any additional software\n\t\t\t\t\tneeded must be installed outside of the task. For example, the Fluentd output\n\t\t\t\t\taggregators or a remote host running Logstash to send Gelf logs to.
\nThe log configuration for the container. This parameter maps to LogConfig
\n\t\t\tin the Create a container section of the Docker Remote API and the\n\t\t\t\t--log-driver
option to \n docker\n\t\t\t\t\trun
\n .
By default, containers use the same logging driver that the Docker daemon uses.\n\t\t\tHowever, the container might use a different logging driver than the Docker daemon by\n\t\t\tspecifying a log driver configuration in the container definition. For more information\n\t\t\tabout the options for different supported log drivers, see Configure logging\n\t\t\t\tdrivers in the Docker documentation.
\nUnderstand the following when specifying a log configuration for your\n\t\t\tcontainers.
\nAmazon ECS currently supports a subset of the logging drivers available to the Docker daemon.\n\t\t\t\t\tAdditional log drivers may be available in future releases of the Amazon ECS\n\t\t\t\t\tcontainer agent.
\nFor tasks on Fargate, the supported log drivers are awslogs
,\n\t\t\t\t\t\tsplunk
, and awsfirelens
.
For tasks hosted on Amazon EC2 instances, the supported log drivers are\n\t\t\t\t\t\tawslogs
, fluentd
, gelf
,\n\t\t\t\t\t\tjson-file
, journald
,\n\t\t\t\t\t\tlogentries
,syslog
, splunk
, and\n\t\t\t\t\t\tawsfirelens
.
This parameter requires version 1.18 of the Docker Remote API or greater on\n\t\t\t\t\tyour container instance.
\nFor tasks that are hosted on Amazon EC2 instances, the Amazon ECS container agent must\n\t\t\t\t\tregister the available logging drivers with the\n\t\t\t\t\t\tECS_AVAILABLE_LOGGING_DRIVERS
environment variable before\n\t\t\t\t\tcontainers placed on that instance can use these log configuration options. For\n\t\t\t\t\tmore information, see Amazon ECS container agent configuration in the\n\t\t\t\t\tAmazon Elastic Container Service Developer Guide.
For tasks that are on Fargate, because you don't have access to the\n\t\t\t\t\tunderlying infrastructure your tasks are hosted on, any additional software\n\t\t\t\t\tneeded must be installed outside of the task. For example, the Fluentd output\n\t\t\t\t\taggregators or a remote host running Logstash to send Gelf logs to.
\nThe maximum number of Amazon EC2 instances that Amazon ECS will scale out at one time. The scale\n\t\t\tin process is not affected by this parameter. If this parameter is omitted, the default\n\t\t\tvalue of 1
is used.
The maximum number of Amazon EC2 instances that Amazon ECS will scale out at one time. The scale in\n\t\t\tprocess is not affected by this parameter. If this parameter is omitted, the default\n\t\t\tvalue of 10000
is used.
The port number on the container instance to reserve for your container.
\nIf you specify a containerPortRange
, leave this field empty and the value of\n\t\t\tthe hostPort
is set as follows:
For containers in a task with the awsvpc
network mode, the\n\t\t\t\t\t\thostPort
is set to the same value as the\n\t\t\t\t\t\tcontainerPort
. This is a static mapping strategy.
For containers in a task with the bridge
network mode, the Amazon ECS agent finds\n\t\t\t\t\topen ports on the host and automatically binds them to the container ports. This\n\t\t\t\t\tis a dynamic mapping strategy.
If you use containers in a task with the awsvpc
or host
\n\t\t\tnetwork mode, the hostPort
can either be left blank or set to the same\n\t\t\tvalue as the containerPort
.
If you use containers in a task with the bridge
network mode, you can\n\t\t\tspecify a non-reserved host port for your container port mapping, or you can omit the\n\t\t\t\thostPort
(or set it to 0
) while specifying a\n\t\t\t\tcontainerPort
and your container automatically receives a port in the\n\t\t\tephemeral port range for your container instance operating system and Docker\n\t\t\tversion.
The default ephemeral port range for Docker version 1.6.0 and later is listed on the\n\t\t\tinstance under /proc/sys/net/ipv4/ip_local_port_range
. If this kernel\n\t\t\tparameter is unavailable, the default ephemeral port range from 49153 through 65535 is\n\t\t\tused. Do not attempt to specify a host port in the ephemeral port range as these are\n\t\t\treserved for automatic assignment. In general, ports below 32768 are outside of the\n\t\t\tephemeral port range.
The default reserved ports are 22 for SSH, the Docker ports 2375 and 2376, and the\n\t\t\tAmazon ECS container agent ports 51678-51680. Any host port that was previously specified in\n\t\t\ta running task is also reserved while the task is running. That is, after a task stops,\n\t\t\tthe host port is released. The current reserved ports are displayed in the\n\t\t\tremainingResources
of DescribeContainerInstances\n\t\t\toutput. A container instance can have up to 100 reserved ports at a time. This number\n\t\t\tincludes the default reserved ports. Automatically assigned ports aren't included in the\n\t\t\t100 reserved ports quota.
The port number on the container instance to reserve for your container.
\nIf you specify a containerPortRange
, leave this field empty and the value of\n\t\t\tthe hostPort
is set as follows:
For containers in a task with the awsvpc
network mode, the\n\t\t\t\t\t\thostPort
is set to the same value as the\n\t\t\t\t\t\tcontainerPort
. This is a static mapping strategy.
For containers in a task with the bridge
network mode, the Amazon ECS agent finds\n\t\t\t\t\topen ports on the host and automatically binds them to the container ports. This\n\t\t\t\t\tis a dynamic mapping strategy.
If you use containers in a task with the awsvpc
or host
\n\t\t\tnetwork mode, the hostPort
can either be left blank or set to the same\n\t\t\tvalue as the containerPort
.
If you use containers in a task with the bridge
network mode, you can\n\t\t\tspecify a non-reserved host port for your container port mapping, or you can omit the\n\t\t\t\thostPort
(or set it to 0
) while specifying a\n\t\t\t\tcontainerPort
and your container automatically receives a port in the\n\t\t\tephemeral port range for your container instance operating system and Docker\n\t\t\tversion.
The default ephemeral port range for Docker version 1.6.0 and later is listed on the\n\t\t\tinstance under /proc/sys/net/ipv4/ip_local_port_range
. If this kernel\n\t\t\tparameter is unavailable, the default ephemeral port range from 49153 through 65535\n\t\t\t(Linux) or 49152 through 65535 (Windows) is used. Do not attempt to specify a host port\n\t\t\tin the ephemeral port range as these are reserved for automatic assignment. In general,\n\t\t\tports below 32768 are outside of the ephemeral port range.
The default reserved ports are 22 for SSH, the Docker ports 2375 and 2376, and the\n\t\t\tAmazon ECS container agent ports 51678-51680. Any host port that was previously specified in\n\t\t\ta running task is also reserved while the task is running. That is, after a task stops,\n\t\t\tthe host port is released. The current reserved ports are displayed in the\n\t\t\tremainingResources
of DescribeContainerInstances\n\t\t\toutput. A container instance can have up to 100 reserved ports at a time. This number\n\t\t\tincludes the default reserved ports. Automatically assigned ports aren't included in the\n\t\t\t100 reserved ports quota.
Modifies an account setting. Account settings are set on a per-Region basis.
\nIf you change the root user account setting, the default settings are reset for users\n\t\t\tand roles that do not have specified individual account settings. For more information,\n\t\t\tsee Account\n\t\t\t\tSettings in the Amazon Elastic Container Service Developer Guide.
\nWhen serviceLongArnFormat
, taskLongArnFormat
, or\n\t\t\t\tcontainerInstanceLongArnFormat
are specified, the Amazon Resource Name\n\t\t\t(ARN) and resource ID format of the resource type for a specified user, role, or\n\t\t\tthe root user for an account is affected. The opt-in and opt-out account setting must be\n\t\t\tset for each Amazon ECS resource separately. The ARN and resource ID format of a resource\n\t\t\tis defined by the opt-in status of the user or role that created the resource. You\n\t\t\tmust turn on this setting to use Amazon ECS features such as resource tagging.
When awsvpcTrunking
is specified, the elastic network interface (ENI)\n\t\t\tlimit for any new container instances that support the feature is changed. If\n\t\t\t\tawsvpcTrunking
is turned on, any new container instances that support the\n\t\t\tfeature are launched have the increased ENI limits available to them. For more\n\t\t\tinformation, see Elastic Network\n\t\t\t\tInterface Trunking in the Amazon Elastic Container Service Developer Guide.
When containerInsights
is specified, the default setting indicating whether\n\t\t\tAmazon Web Services CloudWatch Container Insights is turned on for your clusters is changed. If\n\t\t\t\tcontainerInsights
is turned on, any new clusters that are created will\n\t\t\thave Container Insights turned on unless you disable it during cluster creation. For\n\t\t\tmore information, see CloudWatch\n\t\t\t\tContainer Insights in the Amazon Elastic Container Service Developer Guide.
Amazon ECS is introducing tagging authorization for resource creation. Users must have\n\t\t\tpermissions for actions that create the resource, such as ecsCreateCluster
.\n\t\t\tIf tags are specified when you create a resource, Amazon Web Services performs additional\n\t\t\tauthorization to verify if users or roles have permissions to create tags. Therefore,\n\t\t\tyou must grant explicit permissions to use the ecs:TagResource
action. For\n\t\t\tmore information, see Grant\n\t\t\t\tpermission to tag resources on creation in the Amazon ECS Developer\n\t\t\t\t\tGuide.
Modifies an account setting. Account settings are set on a per-Region basis.
\nIf you change the root user account setting, the default settings are reset for users\n\t\t\tand roles that do not have specified individual account settings. For more information,\n\t\t\tsee Account\n\t\t\t\tSettings in the Amazon Elastic Container Service Developer Guide.
\nWhen you specify serviceLongArnFormat
, taskLongArnFormat
, or\n\t\t\t\tcontainerInstanceLongArnFormat
, the Amazon Resource Name (ARN) and\n\t\t\tresource ID format of the resource type for a specified user, role, or the root user for an\n\t\t\taccount is affected. The opt-in and opt-out account setting must be set for each Amazon ECS\n\t\t\tresource separately. The ARN and resource ID format of a resource is defined by the\n\t\t\topt-in status of the user or role that created the resource. You must turn on this\n\t\t\tsetting to use Amazon ECS features such as resource tagging.
When you specify awsvpcTrunking
, the elastic network interface (ENI) limit for\n\t\t\tany new container instances that support the feature is changed. If\n\t\t\t\tawsvpcTrunking
is turned on, any new container instances that support\n\t\t\tthe feature are launched have the increased ENI limits available to them. For more\n\t\t\tinformation, see Elastic Network\n\t\t\t\tInterface Trunking in the Amazon Elastic Container Service Developer Guide.
When you specify containerInsights
, the default setting indicating whether\n\t\t\tAmazon Web Services CloudWatch Container Insights is turned on for your clusters is changed. If\n\t\t\t\tcontainerInsights
is turned on, any new clusters that are created will\n\t\t\thave Container Insights turned on unless you disable it during cluster creation. For\n\t\t\tmore information, see CloudWatch\n\t\t\t\tContainer Insights in the Amazon Elastic Container Service Developer Guide.
Amazon ECS is introducing tagging authorization for resource creation. Users must have\n\t\t\tpermissions for actions that create the resource, such as ecsCreateCluster
.\n\t\t\tIf tags are specified when you create a resource, Amazon Web Services performs additional\n\t\t\tauthorization to verify if users or roles have permissions to create tags. Therefore,\n\t\t\tyou must grant explicit permissions to use the ecs:TagResource
action. For\n\t\t\tmore information, see Grant\n\t\t\t\tpermission to tag resources on creation in the Amazon ECS Developer\n\t\t\t\t\tGuide.
When Amazon Web Services determines that a security or infrastructure update is needed for an Amazon ECS\n\t\t\ttask hosted on Fargate, the tasks need to be stopped and new tasks launched to replace\n\t\t\tthem. Use fargateTaskRetirementWaitPeriod
to configure the wait time to\n\t\t\tretire a Fargate task. For information about the Fargate tasks maintenance, see Amazon Web Services Fargate task maintenance in the Amazon ECS Developer\n\t\t\t\t\tGuide.
Modifies an account setting for all users on an account for whom no individual\n\t\t\taccount setting has been specified. Account settings are set on a per-Region\n\t\t\tbasis.
" + "smithy.api#documentation": "Modifies an account setting for all users on an account for whom no individual\n\t\t\taccount setting has been specified. Account settings are set on a per-Region\n\t\t\tbasis.
", + "smithy.api#examples": [ + { + "title": "To modify the default account settings for all IAM users or roles on an account", + "documentation": "This example modifies the default account setting for the specified resource for all IAM users or roles on an account. These changes apply to the entire AWS account, unless an IAM user or role explicitly overrides these settings for themselves.", + "input": { + "name": "serviceLongArnFormat", + "value": "enabled" + }, + "output": { + "setting": { + "name": "serviceLongArnFormat", + "value": "enabled", + "principalArn": "arn:aws:iam::The resource name for which to modify the account setting. If\n\t\t\t\tserviceLongArnFormat
is specified, the ARN for your Amazon ECS services is\n\t\t\taffected. If taskLongArnFormat
is specified, the ARN and resource ID for\n\t\t\tyour Amazon ECS tasks is affected. If containerInstanceLongArnFormat
is\n\t\t\tspecified, the ARN and resource ID for your Amazon ECS container instances is affected. If\n\t\t\t\tawsvpcTrunking
is specified, the ENI limit for your Amazon ECS container\n\t\t\tinstances is affected. If containerInsights
is specified, the default\n\t\t\tsetting for Amazon Web Services CloudWatch Container Insights for your clusters is affected. If\n\t\t\t\ttagResourceAuthorization
is specified, the opt-in option for tagging\n\t\t\tresources on creation is affected. For information about the opt-in timeline, see Tagging authorization timeline in the Amazon ECS Developer\n\t\t\t\tGuide.
When you specify fargateFIPSMode
for the name
and\n\t\t\tenabled
for the value
, Fargate uses FIPS-140 compliant\n\t\t\tcryptographic algorithms on your tasks. For more information about FIPS-140 compliance\n\t\t\twith Fargate, see Amazon Web Services Fargate Federal Information Processing Standard (FIPS) 140-2\n\t\t\t\tcompliance in the Amazon Elastic Container Service Developer Guide.
The resource name for which to modify the account setting. If you specify\n\t\t\t\tserviceLongArnFormat
, the ARN for your Amazon ECS services is affected. If\n\t\t\tyou specify taskLongArnFormat
, the ARN and resource ID for your Amazon ECS\n\t\t\ttasks is affected. If you specify containerInstanceLongArnFormat
, the ARN\n\t\t\tand resource ID for your Amazon ECS container instances is affected. If you specify\n\t\t\t\tawsvpcTrunking
, the ENI limit for your Amazon ECS container instances is\n\t\t\taffected. If you specify containerInsights
, the default setting for Amazon Web Services\n\t\t\tCloudWatch Container Insights for your clusters is affected. If you specify\n\t\t\t\ttagResourceAuthorization
, the opt-in option for tagging resources on\n\t\t\tcreation is affected. For information about the opt-in timeline, see Tagging authorization timeline in the Amazon ECS Developer\n\t\t\t\tGuide. If you specify fargateTaskRetirementWaitPeriod
, the\n\t\t\tdefault wait time to retire a Fargate task due to required maintenance is\n\t\t\taffected.
When you specify fargateFIPSMode
for the name
and\n\t\t\tenabled
for the value
, Fargate uses FIPS-140 compliant\n\t\t\tcryptographic algorithms on your tasks. For more information about FIPS-140 compliance\n\t\t\twith Fargate, see Amazon Web Services Fargate Federal Information Processing Standard (FIPS) 140-2\n\t\t\t\tcompliance in the Amazon Elastic Container Service Developer Guide.
When Amazon Web Services determines that a security or infrastructure update is needed for an Amazon ECS task\n\t\t\thosted on Fargate, the tasks need to be stopped and new tasks launched to replace\n\t\t\tthem. Use fargateTaskRetirementWaitPeriod
to set the wait time to retire a\n\t\t\tFargate task to the default. For information about the Fargate tasks maintenance,\n\t\t\tsee Amazon Web Services Fargate task\n\t\t\t\tmaintenance in the Amazon ECS Developer Guide.
The account setting value for the specified principal ARN. Accepted values are\n\t\t\t\tenabled
, disabled
, on
, and\n\t\t\toff
.
The account setting value for the specified principal ARN. Accepted values are\n\t\t\t\tenabled
, disabled
, on
, and\n\t\t\toff
.
When you specify fargateTaskRetirementWaitPeriod
for the\n\t\t\t\tname
, the following are the valid values:
\n 0
- Amazon Web Services sends the notification, and immediately retires the affected tasks.
\n 7
- Amazon Web Services sends the notification, and waits 7 calendar days to retire the tasks.
\n 14
- Amazon Web Services sends the notification, and waits 14 calendar days to retire the tasks.
The Amazon ECS resource name for which to modify the account setting. If\n\t\t\t\tserviceLongArnFormat
is specified, the ARN for your Amazon ECS services is\n\t\t\taffected. If taskLongArnFormat
is specified, the ARN and resource ID for\n\t\t\tyour Amazon ECS tasks is affected. If containerInstanceLongArnFormat
is\n\t\t\tspecified, the ARN and resource ID for your Amazon ECS container instances is affected. If\n\t\t\t\tawsvpcTrunking
is specified, the elastic network interface (ENI) limit\n\t\t\tfor your Amazon ECS container instances is affected. If containerInsights
is\n\t\t\tspecified, the default setting for Amazon Web Services CloudWatch Container Insights for your clusters is\n\t\t\taffected. If fargateFIPSMode
is specified, Fargate FIPS 140 compliance is\n\t\t\taffected. If tagResourceAuthorization
is specified, the opt-in option for\n\t\t\ttagging resources on creation is affected. For information about the opt-in timeline,\n\t\t\tsee Tagging authorization timeline in the Amazon ECS Developer\n\t\t\t\t\tGuide.
The Amazon ECS resource name for which to modify the account setting. If you specify\n\t\t\t\tserviceLongArnFormat
, the ARN for your Amazon ECS services is affected. If\n\t\t\tyou specify taskLongArnFormat
, the ARN and resource ID for your Amazon ECS\n\t\t\ttasks is affected. If you specify containerInstanceLongArnFormat
, the ARN\n\t\t\tand resource ID for your Amazon ECS container instances is affected. If you specify\n\t\t\t\tawsvpcTrunking
, the elastic network interface (ENI) limit for your\n\t\t\tAmazon ECS container instances is affected. If you specify containerInsights
,\n\t\t\tthe default setting for Amazon Web Services CloudWatch Container Insights for your clusters is affected. If\n\t\t\tyou specify fargateFIPSMode
, Fargate FIPS 140 compliance is affected. If\n\t\t\tyou specify tagResourceAuthorization
, the opt-in option for tagging\n\t\t\tresources on creation is affected. For information about the opt-in timeline, see Tagging authorization timeline in the Amazon ECS Developer\n\t\t\t\tGuide. If you specify fargateTaskRetirementWaitPeriod
, the\n\t\t\twait time to retire a Fargate task is affected.
The account setting value for the specified principal ARN. Accepted values are\n\t\t\t\tenabled
, disabled
, on
, and\n\t\t\toff
.
The account setting value for the specified principal ARN. Accepted values are\n\t\t\t\tenabled
, disabled
, on
, and\n\t\t\toff
.
When you specify fargateTaskRetirementWaitPeriod
for the name
, the\n\t\t\tfollowing are the valid values:
\n 0
- Amazon Web Services sends the notification, and immediately retires the affected tasks.
\n 7
- Amazon Web Services sends the notification, and waits 7 calendar days to retire the tasks.
\n 14
- Amazon Web Services sends the notification, and waits 14 calendar days to retire the tasks.
The ARN of the principal, which can be a user, role, or the root user. If\n\t\t\tyou specify the root user, it modifies the account setting for all users, roles,\n\t\t\tand the root user of the account unless a user or role explicitly overrides these\n\t\t\tsettings. If this field is omitted, the setting is changed only for the authenticated\n\t\t\tuser.
\nFederated users assume the account setting of the root user and can't have\n\t\t\t\texplicit account settings set for them.
\nThe ARN of the principal, which can be a user, role, or the root user. If\n\t\t\tyou specify the root user, it modifies the account setting for all users, roles,\n\t\t\tand the root user of the account unless a user or role explicitly overrides these\n\t\t\tsettings. If this field is omitted, the setting is changed only for the authenticated\n\t\t\tuser.
\nYou must use the root user when you set the Fargate wait time\n\t\t\t\t\t(fargateTaskRetirementWaitPeriod
).
Federated users assume the account setting of the root user and can't have\n\t\t\t\texplicit account settings set for them.
\nRegisters a new task definition from the supplied family
and\n\t\t\t\tcontainerDefinitions
. Optionally, you can add data volumes to your\n\t\t\tcontainers with the volumes
parameter. For more information about task\n\t\t\tdefinition parameters and defaults, see Amazon ECS Task\n\t\t\t\tDefinitions in the Amazon Elastic Container Service Developer Guide.
You can specify a role for your task with the taskRoleArn
parameter.\n\t\t\tWhen you specify a role for a task, its containers can then use the latest versions\n\t\t\tof the CLI or SDKs to make API requests to the Amazon Web Services services that are specified in\n\t\t\tthe policy that's associated with the role. For more information, see IAM\n\t\t\t\tRoles for Tasks in the Amazon Elastic Container Service Developer Guide.
You can specify a Docker networking mode for the containers in your task definition\n\t\t\twith the networkMode
parameter. The available network modes correspond to\n\t\t\tthose described in Network\n\t\t\t\tsettings in the Docker run reference. If you specify the awsvpc
\n\t\t\tnetwork mode, the task is allocated an elastic network interface, and you must specify a\n\t\t\t\tNetworkConfiguration when you create a service or run a task with\n\t\t\tthe task definition. For more information, see Task Networking\n\t\t\tin the Amazon Elastic Container Service Developer Guide.
Registers a new task definition from the supplied family
and\n\t\t\t\tcontainerDefinitions
. Optionally, you can add data volumes to your\n\t\t\tcontainers with the volumes
parameter. For more information about task\n\t\t\tdefinition parameters and defaults, see Amazon ECS Task\n\t\t\t\tDefinitions in the Amazon Elastic Container Service Developer Guide.
You can specify a role for your task with the taskRoleArn
parameter.\n\t\t\tWhen you specify a role for a task, its containers can then use the latest versions\n\t\t\tof the CLI or SDKs to make API requests to the Amazon Web Services services that are specified in\n\t\t\tthe policy that's associated with the role. For more information, see IAM\n\t\t\t\tRoles for Tasks in the Amazon Elastic Container Service Developer Guide.
You can specify a Docker networking mode for the containers in your task definition\n\t\t\twith the networkMode
parameter. The available network modes correspond to\n\t\t\tthose described in Network\n\t\t\t\tsettings in the Docker run reference. If you specify the awsvpc
\n\t\t\tnetwork mode, the task is allocated an elastic network interface, and you must specify a\n\t\t\t\tNetworkConfiguration when you create a service or run a task with\n\t\t\tthe task definition. For more information, see Task Networking\n\t\t\tin the Amazon Elastic Container Service Developer Guide.
The process namespace to use for the containers in the task. The valid\n values are host
or task
. If host
\n is specified, then all containers within the tasks that specified the\n host
PID mode on the same container instance share the\n same process namespace with the host Amazon EC2 instance. If task
is\n specified, all containers within the specified task share the same\n process namespace. If no value is specified, the default is a private\n namespace. For more information, see PID settings in the Docker run\n reference.
If the host
PID mode is used, be aware that there is a\n heightened risk of undesired process namespace expose. For more\n information, see Docker\n security.
This parameter is not supported for Windows containers or tasks run on Fargate.
\nThe process namespace to use for the containers in the task. The valid\n values are host
or task
. On Fargate for\n Linux containers, the only valid value is task
. For\n example, monitoring sidecars might need pidMode
to access\n information about other containers running in the same task.
If host
is specified, all containers within the tasks\n that specified the host
PID mode on the same container\n instance share the same process namespace with the host Amazon EC2\n instance.
If task
is specified, all containers within the specified\n task share the same process namespace.
If no value is specified, the\n default is a private namespace for each container. For more information,\n see PID settings in the Docker run\n reference.
\nIf the host
PID mode is used, there's a heightened risk\n of undesired process namespace exposure. For more information, see\n Docker security.
This parameter is not supported for Windows containers.
\nThis parameter is only supported for tasks that are hosted on\n Fargate if the tasks are using platform version 1.4.0
or later\n (Linux). This isn't supported for Windows containers on\n Fargate.
Starts a new task using the specified task definition.
\nYou can allow Amazon ECS to place tasks for you, or you can customize how Amazon ECS places\n\t\t\ttasks using placement constraints and placement strategies. For more information, see\n\t\t\t\tScheduling Tasks in the Amazon Elastic Container Service Developer Guide.
\nAlternatively, you can use StartTask to use your own scheduler or\n\t\t\tplace tasks manually on specific container instances.
\nStarting April 15, 2023, Amazon Web Services will not onboard new customers to Amazon Elastic Inference (EI), and will help current customers migrate their workloads to options that offer better price and performance. After April 15, 2023, new customers will not be able to launch instances with Amazon EI accelerators in Amazon SageMaker, Amazon ECS, or Amazon EC2. However, customers who have used Amazon EI at least once during the past 30-day period are considered current customers and will be able to continue using the service.
\nThe Amazon ECS API follows an eventual consistency model. This is because of the\n\t\t\tdistributed nature of the system supporting the API. This means that the result of an\n\t\t\tAPI command you run that affects your Amazon ECS resources might not be immediately visible\n\t\t\tto all subsequent commands you run. Keep this in mind when you carry out an API command\n\t\t\tthat immediately follows a previous API command.
\nTo manage eventual consistency, you can do the following:
\nConfirm the state of the resource before you run a command to modify it. Run\n\t\t\t\t\tthe DescribeTasks command using an exponential backoff algorithm to ensure that\n\t\t\t\t\tyou allow enough time for the previous command to propagate through the system.\n\t\t\t\t\tTo do this, run the DescribeTasks command repeatedly, starting with a couple of\n\t\t\t\t\tseconds of wait time and increasing gradually up to five minutes of wait\n\t\t\t\t\ttime.
\nAdd wait time between subsequent commands, even if the DescribeTasks command\n\t\t\t\t\treturns an accurate response. Apply an exponential backoff algorithm starting\n\t\t\t\t\twith a couple of seconds of wait time, and increase gradually up to about five\n\t\t\t\t\tminutes of wait time.
\nStarts a new task using the specified task definition.
\nYou can allow Amazon ECS to place tasks for you, or you can customize how Amazon ECS places\n\t\t\ttasks using placement constraints and placement strategies. For more information, see\n\t\t\t\tScheduling Tasks in the Amazon Elastic Container Service Developer Guide.
\nAlternatively, you can use StartTask to use your own scheduler or\n\t\t\tplace tasks manually on specific container instances.
\nStarting April 15, 2023, Amazon Web Services will not onboard new customers to Amazon Elastic Inference (EI), and will help current customers migrate their workloads to options that offer better price and performance. After April 15, 2023, new customers will not be able to launch instances with Amazon EI accelerators in Amazon SageMaker, Amazon ECS, or Amazon EC2. However, customers who have used Amazon EI at least once during the past 30-day period are considered current customers and will be able to continue using the service.
\nThe Amazon ECS API follows an eventual consistency model. This is because of the\n\t\t\tdistributed nature of the system supporting the API. This means that the result of an\n\t\t\tAPI command you run that affects your Amazon ECS resources might not be immediately visible\n\t\t\tto all subsequent commands you run. Keep this in mind when you carry out an API command\n\t\t\tthat immediately follows a previous API command.
\nTo manage eventual consistency, you can do the following:
\nConfirm the state of the resource before you run a command to modify it. Run\n\t\t\t\t\tthe DescribeTasks command using an exponential backoff algorithm to ensure that\n\t\t\t\t\tyou allow enough time for the previous command to propagate through the system.\n\t\t\t\t\tTo do this, run the DescribeTasks command repeatedly, starting with a couple of\n\t\t\t\t\tseconds of wait time and increasing gradually up to five minutes of wait\n\t\t\t\t\ttime.
\nAdd wait time between subsequent commands, even if the DescribeTasks command\n\t\t\t\t\treturns an accurate response. Apply an exponential backoff algorithm starting\n\t\t\t\t\twith a couple of seconds of wait time, and increase gradually up to about five\n\t\t\t\t\tminutes of wait time.
\nThe value for the namespaced kernel parameter that's specified in\n\t\t\t\tnamespace
.
The namespaced kernel parameter to set a\n\t\t\tvalue
for.
Valid IPC namespace values: \"kernel.msgmax\" | \"kernel.msgmnb\" | \"kernel.msgmni\"\n\t\t\t| \"kernel.sem\" | \"kernel.shmall\" | \"kernel.shmmax\" |\n\t\t\t\"kernel.shmmni\" | \"kernel.shm_rmid_forced\"
, and\n\t\t\tSysctls
that start with\n\t\t\t\"fs.mqueue.*\"
\n
Valid network namespace values: Sysctls
that start with\n\t\t\t\"net.*\"
\n
All of these values are supported by Fargate.
" } } }, @@ -9903,7 +10535,23 @@ } ], "traits": { - "smithy.api#documentation": "Associates the specified tags to a resource with the specified\n\t\t\t\tresourceArn
. If existing tags on a resource aren't specified in the\n\t\t\trequest parameters, they aren't changed. When a resource is deleted, the tags that are\n\t\t\tassociated with that resource are deleted as well.
Associates the specified tags to a resource with the specified\n\t\t\t\tresourceArn
. If existing tags on a resource aren't specified in the\n\t\t\trequest parameters, they aren't changed. When a resource is deleted, the tags that are\n\t\t\tassociated with that resource are deleted as well.
The stop code indicating why a task was stopped. The stoppedReason
might\n\t\t\tcontain additional details.
The following are valid values:
\n\n TaskFailedToStart
\n
\n EssentialContainerExited
\n
\n UserInitiated
\n
\n TerminationNotice
\n
\n ServiceSchedulerInitiated
\n
\n SpotInterruption
\n
The stop code indicating why a task was stopped. The stoppedReason
might\n\t\t\tcontain additional details.
For more information about stop code, see Stopped tasks error codes in the Amazon ECS User Guide.
\nThe following are valid values:
\n\n TaskFailedToStart
\n
\n EssentialContainerExited
\n
\n UserInitiated
\n
\n TerminationNotice
\n
\n ServiceSchedulerInitiated
\n
\n SpotInterruption
\n
The Unix timestamp for the time when the task stops. More specifically, it's for the\n\t\t\ttime when the task transitions from the RUNNING
state to\n\t\t\t\tSTOPPED
.
The Unix timestamp for the time when the task stops. More specifically, it's for the\n\t\t\ttime when the task transitions from the RUNNING
state to\n\t\t\t\tSTOPPING
.
The task launch types the task definition was validated against. For more information, see Amazon ECS launch types\n\t\t\tin the Amazon Elastic Container Service Developer Guide.
" + "smithy.api#documentation": "The task launch types the task definition was validated against. The valid values are\n\t\t\t\tEC2
, FARGATE
, and EXTERNAL
. For more\n\t\t\tinformation, see Amazon ECS launch types\n\t\t\tin the Amazon Elastic Container Service Developer Guide.
The process namespace to use for the containers in the task. The valid\n values are host
or task
. If host
\n is specified, then all containers within the tasks that specified the\n host
PID mode on the same container instance share the\n same process namespace with the host Amazon EC2 instance. If task
is\n specified, all containers within the specified task share the same\n process namespace. If no value is specified, the default is a private\n namespace. For more information, see PID settings in the Docker run\n reference.
If the host
PID mode is used, be aware that there is a\n heightened risk of undesired process namespace expose. For more\n information, see Docker\n security.
This parameter is not supported for Windows containers or tasks run on Fargate.
\nThe process namespace to use for the containers in the task. The valid\n values are host
or task
. On Fargate for\n Linux containers, the only valid value is task
. For\n example, monitoring sidecars might need pidMode
to access\n information about other containers running in the same task.
If host
is specified, all containers within the tasks\n that specified the host
PID mode on the same container\n instance share the same process namespace with the host Amazon EC2\n instance.
If task
is specified, all containers within the specified\n task share the same process namespace.
If no value is specified, the\n default is a private namespace for each container. For more information,\n see PID settings in the Docker run\n reference.
\nIf the host
PID mode is used, there's a heightened risk\n of undesired process namespace exposure. For more information, see\n Docker security.
This parameter is not supported for Windows containers.
\nThis parameter is only supported for tasks that are hosted on\n Fargate if the tasks are using platform version 1.4.0
or later\n (Linux). This isn't supported for Windows containers on\n Fargate.
Deletes specified tags from a resource.
" + "smithy.api#documentation": "Deletes specified tags from a resource.
", + "smithy.api#examples": [ + { + "title": "To untag a cluster.", + "documentation": "This example deletes the 'team' tag from the 'dev' cluster.", + "input": { + "resourceArn": "arn:aws:ecs:region:aws_account_id:cluster/dev", + "tagKeys": [ + "team" + ] + }, + "output": {} + } + ] } }, "com.amazonaws.ecs#UntagResourceRequest": { @@ -11432,7 +12093,18 @@ } ], "traits": { - "smithy.api#documentation": "Modifies the parameters of a service.
\nFor services using the rolling update (ECS
) you can update the desired\n\t\t\tcount, deployment configuration, network configuration, load balancers, service\n\t\t\tregistries, enable ECS managed tags option, propagate tags option, task placement\n\t\t\tconstraints and strategies, and task definition. When you update any of these\n\t\t\tparameters, Amazon ECS starts new tasks with the new configuration.
For services using the blue/green (CODE_DEPLOY
) deployment controller,\n\t\t\tonly the desired count, deployment configuration, health check grace period, task\n\t\t\tplacement constraints and strategies, enable ECS managed tags option, and propagate tags\n\t\t\tcan be updated using this API. If the network configuration, platform version, task\n\t\t\tdefinition, or load balancer need to be updated, create a new CodeDeploy deployment. For more\n\t\t\tinformation, see CreateDeployment in the CodeDeploy API Reference.
For services using an external deployment controller, you can update only the desired\n\t\t\tcount, task placement constraints and strategies, health check grace period, enable ECS\n\t\t\tmanaged tags option, and propagate tags option, using this API. If the launch type, load\n\t\t\tbalancer, network configuration, platform version, or task definition need to be\n\t\t\tupdated, create a new task set For more information, see CreateTaskSet.
\nYou can add to or subtract from the number of instantiations of a task definition in a\n\t\t\tservice by specifying the cluster that the service is running in and a new\n\t\t\t\tdesiredCount
parameter.
If you have updated the Docker image of your application, you can create a new task\n\t\t\tdefinition with that image and deploy it to your service. The service scheduler uses the\n\t\t\tminimum healthy percent and maximum percent parameters (in the service's deployment\n\t\t\tconfiguration) to determine the deployment strategy.
\nIf your updated Docker image uses the same tag as what is in the existing task\n\t\t\t\tdefinition for your service (for example, my_image:latest
), you don't\n\t\t\t\tneed to create a new revision of your task definition. You can update the service\n\t\t\t\tusing the forceNewDeployment
option. The new tasks launched by the\n\t\t\t\tdeployment pull the current image/tag combination from your repository when they\n\t\t\t\tstart.
You can also update the deployment configuration of a service. When a deployment is\n\t\t\ttriggered by updating the task definition of a service, the service scheduler uses the\n\t\t\tdeployment configuration parameters, minimumHealthyPercent
and\n\t\t\t\tmaximumPercent
, to determine the deployment strategy.
If minimumHealthyPercent
is below 100%, the scheduler can ignore\n\t\t\t\t\t\tdesiredCount
temporarily during a deployment. For example, if\n\t\t\t\t\t\tdesiredCount
is four tasks, a minimum of 50% allows the\n\t\t\t\t\tscheduler to stop two existing tasks before starting two new tasks. Tasks for\n\t\t\t\t\tservices that don't use a load balancer are considered healthy if they're in the\n\t\t\t\t\t\tRUNNING
state. Tasks for services that use a load balancer are\n\t\t\t\t\tconsidered healthy if they're in the RUNNING
state and are reported\n\t\t\t\t\tas healthy by the load balancer.
The maximumPercent
parameter represents an upper limit on the\n\t\t\t\t\tnumber of running tasks during a deployment. You can use it to define the\n\t\t\t\t\tdeployment batch size. For example, if desiredCount
is four tasks,\n\t\t\t\t\ta maximum of 200% starts four new tasks before stopping the four older tasks\n\t\t\t\t\t(provided that the cluster resources required to do this are available).
When UpdateService stops a task during a deployment, the equivalent\n\t\t\tof docker stop
is issued to the containers running in the task. This\n\t\t\tresults in a SIGTERM
and a 30-second timeout. After this,\n\t\t\t\tSIGKILL
is sent and the containers are forcibly stopped. If the\n\t\t\tcontainer handles the SIGTERM
gracefully and exits within 30 seconds from\n\t\t\treceiving it, no SIGKILL
is sent.
When the service scheduler launches new tasks, it determines task placement in your\n\t\t\tcluster with the following logic.
\nDetermine which of the container instances in your cluster can support your\n\t\t\t\t\tservice's task definition. For example, they have the required CPU, memory,\n\t\t\t\t\tports, and container instance attributes.
\nBy default, the service scheduler attempts to balance tasks across\n\t\t\t\t\tAvailability Zones in this manner even though you can choose a different\n\t\t\t\t\tplacement strategy.
\nSort the valid container instances by the fewest number of running\n\t\t\t\t\t\t\ttasks for this service in the same Availability Zone as the instance.\n\t\t\t\t\t\t\tFor example, if zone A has one running service task and zones B and C\n\t\t\t\t\t\t\teach have zero, valid container instances in either zone B or C are\n\t\t\t\t\t\t\tconsidered optimal for placement.
\nPlace the new service task on a valid container instance in an optimal\n\t\t\t\t\t\t\tAvailability Zone (based on the previous steps), favoring container\n\t\t\t\t\t\t\tinstances with the fewest number of running tasks for this\n\t\t\t\t\t\t\tservice.
\nWhen the service scheduler stops running tasks, it attempts to maintain balance across\n\t\t\tthe Availability Zones in your cluster using the following logic:
\nSort the container instances by the largest number of running tasks for this\n\t\t\t\t\tservice in the same Availability Zone as the instance. For example, if zone A\n\t\t\t\t\thas one running service task and zones B and C each have two, container\n\t\t\t\t\tinstances in either zone B or C are considered optimal for termination.
\nStop the task on a container instance in an optimal Availability Zone (based\n\t\t\t\t\ton the previous steps), favoring container instances with the largest number of\n\t\t\t\t\trunning tasks for this service.
\nYou must have a service-linked role when you update any of the following service\n\t\t\t\tproperties. If you specified a custom role when you created the service, Amazon ECS\n\t\t\t\tautomatically replaces the roleARN associated with the service with the ARN of your\n\t\t\t\tservice-linked role. For more information, see Service-linked roles in the Amazon Elastic Container Service Developer Guide.
\n\n loadBalancers,
\n
\n serviceRegistries
\n
Modifies the parameters of a service.
\nFor services using the rolling update (ECS
) you can update the desired\n\t\t\tcount, deployment configuration, network configuration, load balancers, service\n\t\t\tregistries, enable ECS managed tags option, propagate tags option, task placement\n\t\t\tconstraints and strategies, and task definition. When you update any of these\n\t\t\tparameters, Amazon ECS starts new tasks with the new configuration.
For services using the blue/green (CODE_DEPLOY
) deployment controller,\n\t\t\tonly the desired count, deployment configuration, health check grace period, task\n\t\t\tplacement constraints and strategies, enable ECS managed tags option, and propagate tags\n\t\t\tcan be updated using this API. If the network configuration, platform version, task\n\t\t\tdefinition, or load balancer need to be updated, create a new CodeDeploy deployment. For more\n\t\t\tinformation, see CreateDeployment in the CodeDeploy API Reference.
For services using an external deployment controller, you can update only the desired\n\t\t\tcount, task placement constraints and strategies, health check grace period, enable ECS\n\t\t\tmanaged tags option, and propagate tags option, using this API. If the launch type, load\n\t\t\tbalancer, network configuration, platform version, or task definition need to be\n\t\t\tupdated, create a new task set For more information, see CreateTaskSet.
\nYou can add to or subtract from the number of instantiations of a task definition in a\n\t\t\tservice by specifying the cluster that the service is running in and a new\n\t\t\t\tdesiredCount
parameter.
If you have updated the Docker image of your application, you can create a new task\n\t\t\tdefinition with that image and deploy it to your service. The service scheduler uses the\n\t\t\tminimum healthy percent and maximum percent parameters (in the service's deployment\n\t\t\tconfiguration) to determine the deployment strategy.
\nIf your updated Docker image uses the same tag as what is in the existing task\n\t\t\t\tdefinition for your service (for example, my_image:latest
), you don't\n\t\t\t\tneed to create a new revision of your task definition. You can update the service\n\t\t\t\tusing the forceNewDeployment
option. The new tasks launched by the\n\t\t\t\tdeployment pull the current image/tag combination from your repository when they\n\t\t\t\tstart.
You can also update the deployment configuration of a service. When a deployment is\n\t\t\ttriggered by updating the task definition of a service, the service scheduler uses the\n\t\t\tdeployment configuration parameters, minimumHealthyPercent
and\n\t\t\t\tmaximumPercent
, to determine the deployment strategy.
If minimumHealthyPercent
is below 100%, the scheduler can ignore\n\t\t\t\t\t\tdesiredCount
temporarily during a deployment. For example, if\n\t\t\t\t\t\tdesiredCount
is four tasks, a minimum of 50% allows the\n\t\t\t\t\tscheduler to stop two existing tasks before starting two new tasks. Tasks for\n\t\t\t\t\tservices that don't use a load balancer are considered healthy if they're in the\n\t\t\t\t\t\tRUNNING
state. Tasks for services that use a load balancer are\n\t\t\t\t\tconsidered healthy if they're in the RUNNING
state and are reported\n\t\t\t\t\tas healthy by the load balancer.
The maximumPercent
parameter represents an upper limit on the\n\t\t\t\t\tnumber of running tasks during a deployment. You can use it to define the\n\t\t\t\t\tdeployment batch size. For example, if desiredCount
is four tasks,\n\t\t\t\t\ta maximum of 200% starts four new tasks before stopping the four older tasks\n\t\t\t\t\t(provided that the cluster resources required to do this are available).
When UpdateService stops a task during a deployment, the equivalent\n\t\t\tof docker stop
is issued to the containers running in the task. This\n\t\t\tresults in a SIGTERM
and a 30-second timeout. After this,\n\t\t\t\tSIGKILL
is sent and the containers are forcibly stopped. If the\n\t\t\tcontainer handles the SIGTERM
gracefully and exits within 30 seconds from\n\t\t\treceiving it, no SIGKILL
is sent.
When the service scheduler launches new tasks, it determines task placement in your\n\t\t\tcluster with the following logic.
\nDetermine which of the container instances in your cluster can support your\n\t\t\t\t\tservice's task definition. For example, they have the required CPU, memory,\n\t\t\t\t\tports, and container instance attributes.
\nBy default, the service scheduler attempts to balance tasks across\n\t\t\t\t\tAvailability Zones in this manner even though you can choose a different\n\t\t\t\t\tplacement strategy.
\nSort the valid container instances by the fewest number of running\n\t\t\t\t\t\t\ttasks for this service in the same Availability Zone as the instance.\n\t\t\t\t\t\t\tFor example, if zone A has one running service task and zones B and C\n\t\t\t\t\t\t\teach have zero, valid container instances in either zone B or C are\n\t\t\t\t\t\t\tconsidered optimal for placement.
\nPlace the new service task on a valid container instance in an optimal\n\t\t\t\t\t\t\tAvailability Zone (based on the previous steps), favoring container\n\t\t\t\t\t\t\tinstances with the fewest number of running tasks for this\n\t\t\t\t\t\t\tservice.
\nWhen the service scheduler stops running tasks, it attempts to maintain balance across\n\t\t\tthe Availability Zones in your cluster using the following logic:
\nSort the container instances by the largest number of running tasks for this\n\t\t\t\t\tservice in the same Availability Zone as the instance. For example, if zone A\n\t\t\t\t\thas one running service task and zones B and C each have two, container\n\t\t\t\t\tinstances in either zone B or C are considered optimal for termination.
\nStop the task on a container instance in an optimal Availability Zone (based\n\t\t\t\t\ton the previous steps), favoring container instances with the largest number of\n\t\t\t\t\trunning tasks for this service.
\nYou must have a service-linked role when you update any of the following service\n\t\t\t\tproperties:
\n\n loadBalancers
,
\n serviceRegistries
\n
For more information about the role see the CreateService
request parameter\n\t\t\t\t\n role
\n .
Updates the protection status of a task. You can set protectionEnabled
to\n\t\t\t\ttrue
to protect your task from termination during scale-in events from\n\t\t\t\tService\n\t\t\t\tAutoscaling or deployments.
Task-protection, by default, expires after 2 hours at which point Amazon ECS clears the\n\t\t\t\tprotectionEnabled
property making the task eligible for termination by\n\t\t\ta subsequent scale-in event.
You can specify a custom expiration period for task protection from 1 minute to up to\n\t\t\t2,880 minutes (48 hours). To specify the custom expiration period, set the\n\t\t\t\texpiresInMinutes
property. The expiresInMinutes
property\n\t\t\tis always reset when you invoke this operation for a task that already has\n\t\t\t\tprotectionEnabled
set to true
. You can keep extending the\n\t\t\tprotection expiration period of a task by invoking this operation repeatedly.
To learn more about Amazon ECS task protection, see Task scale-in\n\t\t\t\tprotection in the \n Amazon Elastic Container Service Developer Guide\n .
\nThis operation is only supported for tasks belonging to an Amazon ECS service. Invoking\n\t\t\t\tthis operation for a standalone task will result in an TASK_NOT_VALID
\n\t\t\t\tfailure. For more information, see API failure\n\t\t\t\t\treasons.
If you prefer to set task protection from within the container, we recommend using\n\t\t\t\tthe Task scale-in protection endpoint.
\nUpdates the protection status of a task. You can set protectionEnabled
to\n\t\t\t\ttrue
to protect your task from termination during scale-in events from\n\t\t\t\tService\n\t\t\t\tAutoscaling or deployments.
Task-protection, by default, expires after 2 hours at which point Amazon ECS clears the\n\t\t\t\tprotectionEnabled
property making the task eligible for termination by\n\t\t\ta subsequent scale-in event.
You can specify a custom expiration period for task protection from 1 minute to up to\n\t\t\t2,880 minutes (48 hours). To specify the custom expiration period, set the\n\t\t\t\texpiresInMinutes
property. The expiresInMinutes
property\n\t\t\tis always reset when you invoke this operation for a task that already has\n\t\t\t\tprotectionEnabled
set to true
. You can keep extending the\n\t\t\tprotection expiration period of a task by invoking this operation repeatedly.
To learn more about Amazon ECS task protection, see Task scale-in\n\t\t\t\tprotection in the \n Amazon Elastic Container Service Developer Guide\n .
\nThis operation is only supported for tasks belonging to an Amazon ECS service. Invoking\n\t\t\t\tthis operation for a standalone task will result in an TASK_NOT_VALID
\n\t\t\t\tfailure. For more information, see API failure\n\t\t\t\t\treasons.
If you prefer to set task protection from within the container, we recommend using\n\t\t\t\tthe Task scale-in protection endpoint.
\nThe name of the volume. Up to 255 letters (uppercase and lowercase), numbers, underscores, and hyphens are allowed. This name is referenced in the\n\t\t\t\tsourceVolume
parameter of container definition\n\t\t\tmountPoints
.
The name of the volume. Up to 255 letters (uppercase and lowercase), numbers, underscores, and hyphens are allowed. This name is referenced in the\n\t\t\t\tsourceVolume
parameter of container definition\n\t\t\tmountPoints
.
This is required wwhen you use an Amazon EFS volume.
" } }, "host": { diff --git a/aws/sdk/aws-models/iam.json b/aws/sdk/aws-models/iam.json index 3f222206c623eb12b1bec2ad5ece45974c145ce2..8ad03eb52813f489eabca01610f5891b6c27fd01 100644 --- a/aws/sdk/aws-models/iam.json +++ b/aws/sdk/aws-models/iam.json @@ -222,6 +222,9 @@ { "target": "com.amazonaws.iam#GetLoginProfile" }, + { + "target": "com.amazonaws.iam#GetMFADevice" + }, { "target": "com.amazonaws.iam#GetOpenIDConnectProvider" }, @@ -585,52 +588,56 @@ "type": "error" }, { - "conditions": [], - "type": "tree", - "rules": [ + "conditions": [ { - "conditions": [ + "fn": "booleanEquals", + "argv": [ { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseDualStack" - }, - true - ] - } - ], - "error": "Invalid Configuration: Dualstack and custom endpoint are not supported", - "type": "error" - }, - { - "conditions": [], - "endpoint": { - "url": { - "ref": "Endpoint" + "ref": "UseDualStack" }, - "properties": {}, - "headers": {} - }, - "type": "endpoint" + true + ] } - ] + ], + "error": "Invalid Configuration: Dualstack and custom endpoint are not supported", + "type": "error" + }, + { + "conditions": [], + "endpoint": { + "url": { + "ref": "Endpoint" + }, + "properties": {}, + "headers": {} + }, + "type": "endpoint" } ] }, { - "conditions": [], + "conditions": [ + { + "fn": "isSet", + "argv": [ + { + "ref": "Region" + } + ] + } + ], "type": "tree", "rules": [ { "conditions": [ { - "fn": "isSet", + "fn": "aws.partition", "argv": [ { "ref": "Region" } - ] + ], + "assign": "PartitionResult" } ], "type": "tree", 
@@ -638,597 +645,557 @@ { "conditions": [ { - "fn": "aws.partition", + "fn": "stringEquals", "argv": [ { - "ref": "Region" - } - ], - "assign": "PartitionResult" - } - ], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "stringEquals", + "fn": "getAttr", "argv": [ { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "name" - ] + "ref": "PartitionResult" }, - "aws" + "name" ] }, + "aws" + ] + }, + { + "fn": "booleanEquals", + "argv": [ { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseFIPS" - }, - false - ] + "ref": "UseFIPS" }, + false + ] + }, + { + "fn": "booleanEquals", + "argv": [ { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseDualStack" - }, - false - ] - } - ], - "endpoint": { - "url": "https://iam.amazonaws.com", - "properties": { - "authSchemes": [ - { - "name": "sigv4", - "signingName": "iam", - "signingRegion": "us-east-1" - } - ] + "ref": "UseDualStack" }, - "headers": {} - }, - "type": "endpoint" + false + ] + } + ], + "endpoint": { + "url": "https://iam.amazonaws.com", + "properties": { + "authSchemes": [ + { + "name": "sigv4", + "signingName": "iam", + "signingRegion": "us-east-1" + } + ] }, + "headers": {} + }, + "type": "endpoint" + }, + { + "conditions": [ { - "conditions": [ + "fn": "stringEquals", + "argv": [ { - "fn": "stringEquals", + "fn": "getAttr", "argv": [ { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "name" - ] + "ref": "PartitionResult" }, - "aws" + "name" ] }, + "aws" + ] + }, + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseFIPS" + }, + true + ] + }, + { + "fn": "booleanEquals", + "argv": [ { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseFIPS" - }, - true - ] + "ref": "UseDualStack" }, + false + ] + } + ], + "endpoint": { + "url": "https://iam-fips.amazonaws.com", + "properties": { + "authSchemes": [ { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseDualStack" - }, - false - ] + "name": "sigv4", + "signingName": "iam", + "signingRegion": 
"us-east-1" } - ], - "endpoint": { - "url": "https://iam-fips.amazonaws.com", - "properties": { - "authSchemes": [ - { - "name": "sigv4", - "signingName": "iam", - "signingRegion": "us-east-1" - } - ] - }, - "headers": {} - }, - "type": "endpoint" + ] }, + "headers": {} + }, + "type": "endpoint" + }, + { + "conditions": [ { - "conditions": [ + "fn": "stringEquals", + "argv": [ { - "fn": "stringEquals", + "fn": "getAttr", "argv": [ { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "name" - ] + "ref": "PartitionResult" }, - "aws-cn" + "name" ] }, + "aws-cn" + ] + }, + { + "fn": "booleanEquals", + "argv": [ { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseFIPS" - }, - false - ] + "ref": "UseFIPS" + }, + false + ] + }, + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseDualStack" }, + false + ] + } + ], + "endpoint": { + "url": "https://iam.cn-north-1.amazonaws.com.cn", + "properties": { + "authSchemes": [ { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseDualStack" - }, - false - ] + "name": "sigv4", + "signingName": "iam", + "signingRegion": "cn-north-1" } - ], - "endpoint": { - "url": "https://iam.cn-north-1.amazonaws.com.cn", - "properties": { - "authSchemes": [ - { - "name": "sigv4", - "signingName": "iam", - "signingRegion": "cn-north-1" - } - ] - }, - "headers": {} - }, - "type": "endpoint" + ] }, + "headers": {} + }, + "type": "endpoint" + }, + { + "conditions": [ { - "conditions": [ + "fn": "stringEquals", + "argv": [ { - "fn": "stringEquals", + "fn": "getAttr", "argv": [ { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "name" - ] + "ref": "PartitionResult" }, - "aws-us-gov" + "name" ] }, + "aws-us-gov" + ] + }, + { + "fn": "booleanEquals", + "argv": [ { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseFIPS" - }, - false - ] + "ref": "UseFIPS" }, + false + ] + }, + { + "fn": "booleanEquals", + "argv": [ { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseDualStack" - }, - false - ] - } - 
], - "endpoint": { - "url": "https://iam.us-gov.amazonaws.com", - "properties": { - "authSchemes": [ - { - "name": "sigv4", - "signingName": "iam", - "signingRegion": "us-gov-west-1" - } - ] + "ref": "UseDualStack" }, - "headers": {} - }, - "type": "endpoint" + false + ] + } + ], + "endpoint": { + "url": "https://iam.us-gov.amazonaws.com", + "properties": { + "authSchemes": [ + { + "name": "sigv4", + "signingName": "iam", + "signingRegion": "us-gov-west-1" + } + ] }, + "headers": {} + }, + "type": "endpoint" + }, + { + "conditions": [ { - "conditions": [ + "fn": "stringEquals", + "argv": [ { - "fn": "stringEquals", + "fn": "getAttr", "argv": [ { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "name" - ] + "ref": "PartitionResult" }, - "aws-us-gov" + "name" ] }, + "aws-us-gov" + ] + }, + { + "fn": "booleanEquals", + "argv": [ { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseFIPS" - }, - true - ] + "ref": "UseFIPS" }, + true + ] + }, + { + "fn": "booleanEquals", + "argv": [ { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseDualStack" - }, - false - ] - } - ], - "endpoint": { - "url": "https://iam.us-gov.amazonaws.com", - "properties": { - "authSchemes": [ - { - "name": "sigv4", - "signingName": "iam", - "signingRegion": "us-gov-west-1" - } - ] + "ref": "UseDualStack" }, - "headers": {} - }, - "type": "endpoint" + false + ] + } + ], + "endpoint": { + "url": "https://iam.us-gov.amazonaws.com", + "properties": { + "authSchemes": [ + { + "name": "sigv4", + "signingName": "iam", + "signingRegion": "us-gov-west-1" + } + ] }, + "headers": {} + }, + "type": "endpoint" + }, + { + "conditions": [ { - "conditions": [ + "fn": "stringEquals", + "argv": [ { - "fn": "stringEquals", + "fn": "getAttr", "argv": [ { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "name" - ] + "ref": "PartitionResult" }, - "aws-iso" + "name" ] }, + "aws-iso" + ] + }, + { + "fn": "booleanEquals", + "argv": [ { - "fn": "booleanEquals", - "argv": [ - { 
- "ref": "UseFIPS" - }, - false - ] + "ref": "UseFIPS" }, + false + ] + }, + { + "fn": "booleanEquals", + "argv": [ { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseDualStack" - }, - false - ] - } - ], - "endpoint": { - "url": "https://iam.us-iso-east-1.c2s.ic.gov", - "properties": { - "authSchemes": [ - { - "name": "sigv4", - "signingName": "iam", - "signingRegion": "us-iso-east-1" - } - ] + "ref": "UseDualStack" }, - "headers": {} - }, - "type": "endpoint" + false + ] + } + ], + "endpoint": { + "url": "https://iam.us-iso-east-1.c2s.ic.gov", + "properties": { + "authSchemes": [ + { + "name": "sigv4", + "signingName": "iam", + "signingRegion": "us-iso-east-1" + } + ] }, + "headers": {} + }, + "type": "endpoint" + }, + { + "conditions": [ { - "conditions": [ + "fn": "stringEquals", + "argv": [ { - "fn": "stringEquals", + "fn": "getAttr", "argv": [ { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "name" - ] + "ref": "PartitionResult" }, - "aws-iso-b" + "name" ] }, + "aws-iso-b" + ] + }, + { + "fn": "booleanEquals", + "argv": [ { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseFIPS" - }, - false - ] + "ref": "UseFIPS" }, + false + ] + }, + { + "fn": "booleanEquals", + "argv": [ { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseDualStack" - }, - false - ] + "ref": "UseDualStack" + }, + false + ] + } + ], + "endpoint": { + "url": "https://iam.us-isob-east-1.sc2s.sgov.gov", + "properties": { + "authSchemes": [ + { + "name": "sigv4", + "signingName": "iam", + "signingRegion": "us-isob-east-1" } - ], - "endpoint": { - "url": "https://iam.us-isob-east-1.sc2s.sgov.gov", - "properties": { - "authSchemes": [ - { - "name": "sigv4", - "signingName": "iam", - "signingRegion": "us-isob-east-1" - } - ] + ] + }, + "headers": {} + }, + "type": "endpoint" + }, + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseFIPS" }, - "headers": {} - }, - "type": "endpoint" + true + ] }, + { + "fn": "booleanEquals", + "argv": [ + 
{ + "ref": "UseDualStack" + }, + true + ] + } + ], + "type": "tree", + "rules": [ { "conditions": [ { "fn": "booleanEquals", "argv": [ + true, { - "ref": "UseFIPS" - }, - true + "fn": "getAttr", + "argv": [ + { + "ref": "PartitionResult" + }, + "supportsFIPS" + ] + } ] }, { "fn": "booleanEquals", "argv": [ + true, { - "ref": "UseDualStack" - }, - true + "fn": "getAttr", + "argv": [ + { + "ref": "PartitionResult" + }, + "supportsDualStack" + ] + } ] } ], "type": "tree", "rules": [ { - "conditions": [ - { - "fn": "booleanEquals", - "argv": [ - true, - { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "supportsFIPS" - ] - } - ] - }, - { - "fn": "booleanEquals", - "argv": [ - true, - { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "supportsDualStack" - ] - } - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [], - "endpoint": { - "url": "https://iam-fips.{Region}.{PartitionResult#dualStackDnsSuffix}", - "properties": {}, - "headers": {} - }, - "type": "endpoint" - } - ] - } - ] - }, + "conditions": [], + "endpoint": { + "url": "https://iam-fips.{Region}.{PartitionResult#dualStackDnsSuffix}", + "properties": {}, + "headers": {} + }, + "type": "endpoint" + } + ] + }, + { + "conditions": [], + "error": "FIPS and DualStack are enabled, but this partition does not support one or both", + "type": "error" + } + ] + }, + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ { - "conditions": [], - "error": "FIPS and DualStack are enabled, but this partition does not support one or both", - "type": "error" - } + "ref": "UseFIPS" + }, + true ] - }, + } + ], + "type": "tree", + "rules": [ { "conditions": [ { "fn": "booleanEquals", "argv": [ + true, { - "ref": "UseFIPS" - }, - true - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "booleanEquals", + "fn": "getAttr", "argv": [ - true, - { - "fn": "getAttr", - "argv": [ - { - "ref": 
"PartitionResult" - }, - "supportsFIPS" - ] - } - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": "tree", - "rules": [ { - "conditions": [], - "endpoint": { - "url": "https://iam-fips.{Region}.{PartitionResult#dnsSuffix}", - "properties": {}, - "headers": {} - }, - "type": "endpoint" - } + "ref": "PartitionResult" + }, + "supportsFIPS" ] } ] - }, + } + ], + "type": "tree", + "rules": [ { "conditions": [], - "error": "FIPS is enabled but this partition does not support FIPS", - "type": "error" + "endpoint": { + "url": "https://iam-fips.{Region}.{PartitionResult#dnsSuffix}", + "properties": {}, + "headers": {} + }, + "type": "endpoint" } ] }, + { + "conditions": [], + "error": "FIPS is enabled but this partition does not support FIPS", + "type": "error" + } + ] + }, + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseDualStack" + }, + true + ] + } + ], + "type": "tree", + "rules": [ { "conditions": [ { "fn": "booleanEquals", "argv": [ + true, { - "ref": "UseDualStack" - }, - true - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "booleanEquals", + "fn": "getAttr", "argv": [ - true, - { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "supportsDualStack" - ] - } - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": "tree", - "rules": [ { - "conditions": [], - "endpoint": { - "url": "https://iam.{Region}.{PartitionResult#dualStackDnsSuffix}", - "properties": {}, - "headers": {} - }, - "type": "endpoint" - } + "ref": "PartitionResult" + }, + "supportsDualStack" ] } ] - }, - { - "conditions": [], - "error": "DualStack is enabled but this partition does not support DualStack", - "type": "error" } - ] - }, - { - "conditions": [], + ], "type": "tree", "rules": [ { "conditions": [], "endpoint": { - "url": "https://iam.{Region}.{PartitionResult#dnsSuffix}", + "url": "https://iam.{Region}.{PartitionResult#dualStackDnsSuffix}", "properties": {}, 
"headers": {} }, "type": "endpoint" } ] + }, + { + "conditions": [], + "error": "DualStack is enabled but this partition does not support DualStack", + "type": "error" } ] + }, + { + "conditions": [], + "endpoint": { + "url": "https://iam.{Region}.{PartitionResult#dnsSuffix}", + "properties": {}, + "headers": {} + }, + "type": "endpoint" } ] - }, - { - "conditions": [], - "error": "Invalid Configuration: Missing Region", - "type": "error" } ] + }, + { + "conditions": [], + "error": "Invalid Configuration: Missing Region", + "type": "error" } ] }, @@ -1975,7 +1942,17 @@ } ], "traits": { - "smithy.api#documentation": "Adds a new client ID (also known as audience) to the list of client IDs already\n registered for the specified IAM OpenID Connect (OIDC) provider resource.
\nThis operation is idempotent; it does not fail or return an error if you add an\n existing client ID to the provider.
" + "smithy.api#documentation": "Adds a new client ID (also known as audience) to the list of client IDs already\n registered for the specified IAM OpenID Connect (OIDC) provider resource.
\nThis operation is idempotent; it does not fail or return an error if you add an\n existing client ID to the provider.
", + "smithy.api#examples": [ + { + "title": "To add a client ID (audience) to an Open-ID Connect (OIDC) provider", + "documentation": "The following add-client-id-to-open-id-connect-provider command adds the client ID my-application-ID to the OIDC provider named server.example.com:", + "input": { + "ClientID": "my-application-ID", + "OpenIDConnectProviderArn": "arn:aws:iam::123456789012:oidc-provider/server.example.com" + } + } + ] } }, "com.amazonaws.iam#AddClientIDToOpenIDConnectProviderRequest": { @@ -2026,7 +2003,17 @@ } ], "traits": { - "smithy.api#documentation": "Adds the specified IAM role to the specified instance profile. An instance profile\n can contain only one role, and this quota cannot be increased. You can remove the\n existing role and then add a different role to an instance profile. You must then wait\n for the change to appear across all of Amazon Web Services because of eventual\n consistency. To force the change, you must disassociate the instance profile and then associate the\n instance profile, or you can stop your instance and then restart it.
\nThe caller of this operation must be granted the PassRole
permission\n on the IAM role by a permissions policy.
For more information about roles, see Working with roles. For more\n information about instance profiles, see About instance\n profiles.
" + "smithy.api#documentation": "Adds the specified IAM role to the specified instance profile. An instance profile\n can contain only one role, and this quota cannot be increased. You can remove the\n existing role and then add a different role to an instance profile. You must then wait\n for the change to appear across all of Amazon Web Services because of eventual\n consistency. To force the change, you must disassociate the instance profile and then associate the\n instance profile, or you can stop your instance and then restart it.
\nThe caller of this operation must be granted the PassRole
permission\n on the IAM role by a permissions policy.
For more information about roles, see IAM roles in the\n IAM User Guide. For more information about instance profiles,\n see Using\n instance profiles in the IAM User Guide.
", + "smithy.api#examples": [ + { + "title": "To add a role to an instance profile", + "documentation": "The following command adds the role named S3Access to the instance profile named Webserver:", + "input": { + "RoleName": "S3Access", + "InstanceProfileName": "Webserver" + } + } + ] } }, "com.amazonaws.iam#AddRoleToInstanceProfileRequest": { @@ -2071,7 +2058,17 @@ } ], "traits": { - "smithy.api#documentation": "Adds the specified user to the specified group.
" + "smithy.api#documentation": "Adds the specified user to the specified group.
", + "smithy.api#examples": [ + { + "title": "To add a user to an IAM group", + "documentation": "The following command adds an IAM user named Bob to the IAM group named Admins:", + "input": { + "UserName": "Bob", + "GroupName": "Admins" + } + } + ] } }, "com.amazonaws.iam#AddUserToGroupRequest": { @@ -2128,7 +2125,17 @@ } ], "traits": { - "smithy.api#documentation": "Attaches the specified managed policy to the specified IAM group.
\nYou use this operation to attach a managed policy to a group. To embed an inline\n policy in a group, use PutGroupPolicy.
\nAs a best practice, you can validate your IAM policies. \n To learn more, see Validating IAM policies \n in the IAM User Guide.
\nFor more information about policies, see Managed policies and inline\n policies in the IAM User Guide.
" + "smithy.api#documentation": "Attaches the specified managed policy to the specified IAM group.
\nYou use this operation to attach a managed policy to a group. To embed an inline\n policy in a group, use \n PutGroupPolicy
\n .
As a best practice, you can validate your IAM policies. \n To learn more, see Validating IAM policies \n in the IAM User Guide.
\nFor more information about policies, see Managed policies and inline\n policies in the IAM User Guide.
", + "smithy.api#examples": [ + { + "title": "To attach a managed policy to an IAM group", + "documentation": "The following command attaches the AWS managed policy named ReadOnlyAccess to the IAM group named Finance.", + "input": { + "GroupName": "Finance", + "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess" + } + } + ] } }, "com.amazonaws.iam#AttachGroupPolicyRequest": { @@ -2182,7 +2189,17 @@ } ], "traits": { - "smithy.api#documentation": "Attaches the specified managed policy to the specified IAM role. When you attach a\n managed policy to a role, the managed policy becomes part of the role's permission\n (access) policy.
\nYou cannot use a managed policy as the role's trust policy. The role's trust\n policy is created at the same time as the role, using CreateRole.\n You can update a role's trust policy using UpdateAssumeRolePolicy.
\nUse this operation to attach a managed policy to a role. To embed\n an inline policy in a role, use PutRolePolicy. For more information\n about policies, see Managed policies and inline\n policies in the IAM User Guide.
\nAs a best practice, you can validate your IAM policies. \n To learn more, see Validating IAM policies \n in the IAM User Guide.
" + "smithy.api#documentation": "Attaches the specified managed policy to the specified IAM role. When you attach a\n managed policy to a role, the managed policy becomes part of the role's permission\n (access) policy.
\nYou cannot use a managed policy as the role's trust policy. The role's trust\n policy is created at the same time as the role, using \n CreateRole
\n . You can update a role's trust policy using\n \n UpdateAssumerolePolicy
\n .
Use this operation to attach a managed policy to a role. To embed\n an inline policy in a role, use \n PutRolePolicy
\n . For more information about policies, see Managed\n policies and inline policies in the\n IAM User Guide.
As a best practice, you can validate your IAM policies. \n To learn more, see Validating IAM policies \n in the IAM User Guide.
", + "smithy.api#examples": [ + { + "title": "To attach a managed policy to an IAM role", + "documentation": "The following command attaches the AWS managed policy named ReadOnlyAccess to the IAM role named ReadOnlyRole.", + "input": { + "RoleName": "ReadOnlyRole", + "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess" + } + } + ] } }, "com.amazonaws.iam#AttachRolePolicyRequest": { @@ -2233,7 +2250,17 @@ } ], "traits": { - "smithy.api#documentation": "Attaches the specified managed policy to the specified user.
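Review bot: The rewritten AttachRolePolicy documentation spells the trust-policy operation as `UpdateAssumerolePolicy`, where the removed text had `UpdateAssumeRolePolicy`. This is the operation that controls who may assume the role, so a misspelled name in generated SDK docs makes it harder to find. Restore the original casing, `UpdateAssumeRolePolicy`, in the new documentation string. If this model is synced from an upstream service definition, the correction probably belongs there rather than in this copy.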
\nYou use this operation to attach a managed policy to a user. To\n embed an inline policy in a user, use PutUserPolicy.
\nAs a best practice, you can validate your IAM policies. \n To learn more, see Validating IAM policies \n in the IAM User Guide.
\nFor more information about policies, see Managed policies and inline\n policies in the IAM User Guide.
" + "smithy.api#documentation": "Attaches the specified managed policy to the specified user.
\nYou use this operation to attach a managed policy to a user. To\n embed an inline policy in a user, use \n PutUserPolicy
\n .
As a best practice, you can validate your IAM policies. \n To learn more, see Validating IAM policies \n in the IAM User Guide.
\nFor more information about policies, see Managed policies and inline\n policies in the IAM User Guide.
", + "smithy.api#examples": [ + { + "title": "To attach a managed policy to an IAM user", + "documentation": "The following command attaches the AWS managed policy named AdministratorAccess to the IAM user named Alice.", + "input": { + "UserName": "Alice", + "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess" + } + } + ] } }, "com.amazonaws.iam#AttachUserPolicyRequest": { @@ -2301,6 +2328,35 @@ "smithy.api#sensitive": {} } }, + "com.amazonaws.iam#CertificationKeyType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 128 + }, + "smithy.api#pattern": "^[\\u0020-\\u00FF]+$" + } + }, + "com.amazonaws.iam#CertificationMapType": { + "type": "map", + "key": { + "target": "com.amazonaws.iam#CertificationKeyType" + }, + "value": { + "target": "com.amazonaws.iam#CertificationValueType" + } + }, + "com.amazonaws.iam#CertificationValueType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 32 + }, + "smithy.api#pattern": "^[\\u0020-\\u00FF]+$" + } + }, "com.amazonaws.iam#ChangePassword": { "type": "operation", "input": { @@ -2330,7 +2386,17 @@ } ], "traits": { - "smithy.api#documentation": "Changes the password of the IAM user who is calling this operation. This operation\n can be performed using the CLI, the Amazon Web Services API, or the My\n Security Credentials page in the Amazon Web Services Management Console. The Amazon Web Services account root user password is\n not affected by this operation.
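Review bot: The added AttachUserPolicy example attaches `arn:aws:iam::aws:policy/AdministratorAccess` directly to the user Alice, while the sibling AttachGroupPolicy and AttachRolePolicy examples in this diff use `ReadOnlyAccess`. Documentation examples tend to be copied verbatim into scripts, so a least-privilege policy is the safer default. Consider `"PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"` here, with the `documentation` sentence updated to match.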
\nUse UpdateLoginProfile to use the CLI, the Amazon Web Services API, or the\n Users page in the IAM console to change the\n password for any IAM user. For more information about modifying passwords, see Managing\n passwords in the IAM User Guide.
" + "smithy.api#documentation": "Changes the password of the IAM user who is calling this operation. This operation\n can be performed using the CLI, the Amazon Web Services API, or the My\n Security Credentials page in the Amazon Web Services Management Console. The Amazon Web Services account root user password is\n not affected by this operation.
\nUse UpdateLoginProfile to use the CLI, the Amazon Web Services API, or the\n Users page in the IAM console to change the\n password for any IAM user. For more information about modifying passwords, see Managing\n passwords in the IAM User Guide.
", + "smithy.api#examples": [ + { + "title": "To change the password for your IAM user", + "documentation": "The following command changes the password for the current IAM user.", + "input": { + "NewPassword": "]35d/{pB9Fo9wJ", + "OldPassword": "3s0K_;xh4~8XXI" + } + } + ] } }, "com.amazonaws.iam#ChangePasswordRequest": { @@ -2534,7 +2600,25 @@ } ], "traits": { - "smithy.api#documentation": " Creates a new Amazon Web Services secret access key and corresponding Amazon Web Services access key ID for the\n specified user. The default status for new keys is Active
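Review bot: The ChangePassword example embeds realistic-looking credentials, `"NewPassword": "]35d/{pB9Fo9wJ"` and `"OldPassword": "3s0K_;xh4~8XXI"`. The CreateLoginProfile example in the `@@ -2769,7 +2899,25 @@` hunk does the same with `"Password": "h]6EszR}vJ*m"`. Strings of this shape may trip secret scanners run over the repository, and sample passwords published in generated docs can end up reused as real ones. An obviously fake placeholder avoids both, for example `"NewPassword": "<new-password>"` and `"OldPassword": "<old-password>"`.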
.
If you do not specify a user name, IAM determines the user name implicitly based on\n the Amazon Web Services access key ID signing the request. This operation works for access keys under\n the Amazon Web Services account. Consequently, you can use this operation to manage Amazon Web Services account root\n user credentials. This is true even if the Amazon Web Services account has no associated users.
\nFor information about quotas on the number of keys you can create, see IAM and STS\n quotas in the IAM User Guide.
\nTo ensure the security of your Amazon Web Services account, the secret access key is accessible\n only during key and user creation. You must save the key (for example, in a text\n file) if you want to be able to access it again. If a secret key is lost, you can\n delete the access keys for the associated user and then create new keys.
\n Creates a new Amazon Web Services secret access key and corresponding Amazon Web Services access key ID for the\n specified user. The default status for new keys is Active
.
If you do not specify a user name, IAM determines the user name implicitly based on\n the Amazon Web Services access key ID signing the request. This operation works for access keys under\n the Amazon Web Services account. Consequently, you can use this operation to manage Amazon Web Services account root\n user credentials. This is true even if the Amazon Web Services account has no associated users.
\nFor information about quotas on the number of keys you can create, see IAM and STS\n quotas in the IAM User Guide.
\nTo ensure the security of your Amazon Web Services account, the secret access key is accessible\n only during key and user creation. You must save the key (for example, in a text\n file) if you want to be able to access it again. If a secret key is lost, you can\n delete the access keys for the associated user and then create new keys.
\nCreates an alias for your Amazon Web Services account. For information about using an Amazon Web Services account\n alias, see Creating, deleting, and\n listing an Amazon Web Services account alias in the Amazon Web Services Sign-In User\n Guide.
" + "smithy.api#documentation": "Creates an alias for your Amazon Web Services account. For information about using an Amazon Web Services account\n alias, see Creating, deleting, and\n listing an Amazon Web Services account alias in the Amazon Web Services Sign-In User\n Guide.
", + "smithy.api#examples": [ + { + "title": "To create an account alias", + "documentation": "The following command associates the alias examplecorp to your AWS account.", + "input": { + "AccountAlias": "examplecorp" + } + } + ] } }, "com.amazonaws.iam#CreateAccountAliasRequest": { @@ -2631,7 +2724,25 @@ } ], "traits": { - "smithy.api#documentation": "Creates a new group.
\nFor information about the number of groups you can create, see IAM and STS\n quotas in the IAM User Guide.
" + "smithy.api#documentation": "Creates a new group.
\nFor information about the number of groups you can create, see IAM and STS\n quotas in the IAM User Guide.
", + "smithy.api#examples": [ + { + "title": "To create an IAM group", + "documentation": "The following command creates an IAM group named Admins.", + "input": { + "GroupName": "Admins" + }, + "output": { + "Group": { + "Path": "/", + "CreateDate": "2015-03-09T20:30:24.940Z", + "GroupId": "AIDGPMS9RO4H3FEXAMPLE", + "Arn": "arn:aws:iam::123456789012:group/Admins", + "GroupName": "Admins" + } + } + } + ] } }, "com.amazonaws.iam#CreateGroupRequest": { @@ -2697,7 +2808,26 @@ } ], "traits": { - "smithy.api#documentation": "Creates a new instance profile. For information about instance profiles, see Using\n roles for applications on Amazon EC2 in the\n IAM User Guide, and Instance profiles in the Amazon EC2 User Guide.
\nFor information about the number of instance profiles you can create, see IAM object\n quotas in the IAM User Guide.
" + "smithy.api#documentation": "Creates a new instance profile. For information about instance profiles, see Using\n roles for applications on Amazon EC2 in the\n IAM User Guide, and Instance profiles in the Amazon EC2 User Guide.
\nFor information about the number of instance profiles you can create, see IAM object\n quotas in the IAM User Guide.
", + "smithy.api#examples": [ + { + "title": "To create an instance profile", + "documentation": "The following command creates an instance profile named Webserver that is ready to have a role attached and then be associated with an EC2 instance.", + "input": { + "InstanceProfileName": "Webserver" + }, + "output": { + "InstanceProfile": { + "InstanceProfileId": "AIPAJMBYC7DLSPEXAMPLE", + "Roles": [], + "CreateDate": "2015-03-09T20:33:19.626Z", + "InstanceProfileName": "Webserver", + "Path": "/", + "Arn": "arn:aws:iam::123456789012:instance-profile/Webserver" + } + } + } + ] } }, "com.amazonaws.iam#CreateInstanceProfileRequest": { @@ -2769,7 +2899,25 @@ } ], "traits": { - "smithy.api#documentation": "Creates a password for the specified IAM user. A password allows an IAM user to\n access Amazon Web Services services through the Amazon Web Services Management Console.
\nYou can use the CLI, the Amazon Web Services API, or the Users\n page in the IAM console to create a password for any IAM user. Use ChangePassword to update your own existing password in the My Security Credentials page in the Amazon Web Services Management Console.
\nFor more information about managing passwords, see Managing passwords in the\n IAM User Guide.
" + "smithy.api#documentation": "Creates a password for the specified IAM user. A password allows an IAM user to\n access Amazon Web Services services through the Amazon Web Services Management Console.
\nYou can use the CLI, the Amazon Web Services API, or the Users\n page in the IAM console to create a password for any IAM user. Use ChangePassword to update your own existing password in the My Security Credentials page in the Amazon Web Services Management Console.
\nFor more information about managing passwords, see Managing passwords in the\n IAM User Guide.
", + "smithy.api#examples": [ + { + "title": "To create an instance profile", + "documentation": "The following command changes IAM user Bob's password and sets the flag that required Bob to change the password the next time he signs in.", + "input": { + "UserName": "Bob", + "Password": "h]6EszR}vJ*m", + "PasswordResetRequired": true + }, + "output": { + "LoginProfile": { + "UserName": "Bob", + "CreateDate": "2015-03-10T20:55:40.274Z", + "PasswordResetRequired": true + } + } + } + ] } }, "com.amazonaws.iam#CreateLoginProfileRequest": { @@ -2843,7 +2991,25 @@ } ], "traits": { - "smithy.api#documentation": "Creates an IAM entity to describe an identity provider (IdP) that supports OpenID Connect (OIDC).
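Review bot: The example added for CreateLoginProfile is titled `"To create an instance profile"`, the same title as the CreateInstanceProfile example in the preceding hunk, yet its input sets `Password` and `PasswordResetRequired` for user Bob. The title should describe this operation, for example `"title": "To create a password for an IAM user"`. The `documentation` sentence also says the command "changes" Bob's password and sets a flag "that required" a reset, where "creates" and "requires" appear to be intended.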
\nThe OIDC provider that you create with this operation can be used as a principal in a\n role's trust policy. Such a policy establishes a trust relationship between Amazon Web Services and\n the OIDC provider.
\nIf you are using an OIDC identity provider from Google, Facebook, or Amazon Cognito, you don't\n need to create a separate IAM identity provider. These OIDC identity providers are\n already built-in to Amazon Web Services and are available for your use. Instead, you can move directly\n to creating new roles using your identity provider. To learn more, see Creating\n a role for web identity or OpenID connect federation in the IAM\n User Guide.
\nWhen you create the IAM OIDC provider, you specify the following:
\nThe URL of the OIDC identity provider (IdP) to trust
\nA list of client IDs (also known as audiences) that identify the application\n or applications allowed to authenticate using the OIDC provider
\nA list of tags that are attached to the specified IAM OIDC provider
\nA list of thumbprints of one or more server certificates that the IdP\n uses
\nYou get all of this information from the OIDC IdP you want to use to access\n Amazon Web Services.
\nAmazon Web Services secures communication with some OIDC identity providers (IdPs) through our\n library of trusted certificate authorities (CAs) instead of using a certificate\n thumbprint to verify your IdP server certificate. These OIDC IdPs include Google, Auth0,\n and those that use an Amazon S3 bucket to host a JSON Web Key Set (JWKS) endpoint. In these\n cases, your legacy thumbprint remains in your configuration, but is no longer used for\n validation.
\nThe trust for the OIDC provider is derived from the IAM provider that this\n operation creates. Therefore, it is best to limit access to the CreateOpenIDConnectProvider operation to highly privileged\n users.
\nCreates an IAM entity to describe an identity provider (IdP) that supports OpenID Connect (OIDC).
\nThe OIDC provider that you create with this operation can be used as a principal in a\n role's trust policy. Such a policy establishes a trust relationship between Amazon Web Services and\n the OIDC provider.
\nIf you are using an OIDC identity provider from Google, Facebook, or Amazon Cognito, you don't\n need to create a separate IAM identity provider. These OIDC identity providers are\n already built-in to Amazon Web Services and are available for your use. Instead, you can move directly\n to creating new roles using your identity provider. To learn more, see Creating\n a role for web identity or OpenID connect federation in the IAM\n User Guide.
\nWhen you create the IAM OIDC provider, you specify the following:
\nThe URL of the OIDC identity provider (IdP) to trust
\nA list of client IDs (also known as audiences) that identify the application\n or applications allowed to authenticate using the OIDC provider
\nA list of tags that are attached to the specified IAM OIDC provider
\nA list of thumbprints of one or more server certificates that the IdP\n uses
\nYou get all of this information from the OIDC IdP you want to use to access\n Amazon Web Services.
\nAmazon Web Services secures communication with some OIDC identity providers (IdPs) through our\n library of trusted root certificate authorities (CAs) instead of using a certificate\n thumbprint to verify your IdP server certificate. These OIDC IdPs include Auth0, GitHub,\n Google, and those that use an Amazon S3 bucket to host a JSON Web Key Set (JWKS) endpoint. In\n these cases, your legacy thumbprint remains in your configuration, but is no longer used\n for validation.
\nThe trust for the OIDC provider is derived from the IAM provider that this\n operation creates. Therefore, it is best to limit access to the CreateOpenIDConnectProvider operation to highly privileged\n users.
\nCreates a new role for your Amazon Web Services account. For more information about roles, see\n IAM\n roles. For information about quotas for role names and the number of roles\n you can create, see IAM and STS quotas in the\n IAM User Guide.
"
+ "smithy.api#documentation": "Creates a new role for your Amazon Web Services account.
\nFor more information about roles, see IAM roles in the\n IAM User Guide. For information about quotas for role names\n and the number of roles you can create, see IAM and STS quotas in the\n IAM User Guide.
", + "smithy.api#examples": [ + { + "title": "To create an IAM role", + "documentation": "The following command creates a role named Test-Role and attaches a trust policy that you must convert from JSON to a string. Upon success, the response includes the same policy as a URL-encoded JSON string.", + "input": { + "AssumeRolePolicyDocument": "Creates a new IAM user for your Amazon Web Services account.
\nFor information about quotas for the number of IAM users you can create, see IAM and STS\n quotas in the IAM User Guide.
"
+ "smithy.api#documentation": "Creates a new IAM user for your Amazon Web Services account.
\nFor information about quotas for the number of IAM users you can create, see IAM and STS\n quotas in the IAM User Guide.
",
+ "smithy.api#examples": [
+ {
+ "title": "To create an IAM user",
+ "documentation": "The following create-user command creates an IAM user named Bob in the current account.",
+ "input": {
+ "UserName": "Bob"
+ },
+ "output": {
+ "User": {
+ "UserName": "Bob",
+ "Path": "/",
+ "CreateDate": "2013-06-08T03:20:41.270Z",
+ "UserId": "AKIAIOSFODNN7EXAMPLE",
+ "Arn": "arn:aws:iam::123456789012:user/Bob"
+ }
+ }
+ }
+ ]
 }
 },
 "com.amazonaws.iam#CreateUserRequest": {
@@ -3639,7 +3844,17 @@
 }
 ],
 "traits": {
- "smithy.api#documentation": "Deletes the access key pair associated with the specified IAM user.
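Review bot: The CreateUser example output sets `"UserId": "AKIAIOSFODNN7EXAMPLE"`, which has the shape of an access key ID rather than an IAM user ID; user IDs carry the `AIDA` prefix, and this exact string is the sample access key ID used in AWS documentation. Generated SDK docs will show a key-shaped value in a non-credential field, and pattern-based secret scanners may flag the file. Since this model looks vendored from upstream, the value is probably best corrected there; locally, an allowlist entry for the `EXAMPLE`-suffixed identifiers would keep scanner noise down. The start of this hunk is garbled on the page, so the rest of the CreateUser change could not be checked.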
\nIf you do not specify a user name, IAM determines the user name implicitly based on\n the Amazon Web Services access key ID signing the request. This operation works for access keys under\n the Amazon Web Services account. Consequently, you can use this operation to manage Amazon Web Services account root\n user credentials even if the Amazon Web Services account has no associated users.
"
+ "smithy.api#documentation": "Deletes the access key pair associated with the specified IAM user.
\nIf you do not specify a user name, IAM determines the user name implicitly based on\n the Amazon Web Services access key ID signing the request. This operation works for access keys under\n the Amazon Web Services account. Consequently, you can use this operation to manage Amazon Web Services account root\n user credentials even if the Amazon Web Services account has no associated users.
",
+ "smithy.api#examples": [
+ {
+ "title": "To delete an access key for an IAM user",
+ "documentation": "The following command deletes one access key (access key ID and secret access key) assigned to the IAM user named Bob.",
+ "input": {
+ "UserName": "Bob",
+ "AccessKeyId": "AKIDPMS9RO4H3FEXAMPLE"
+ }
+ }
+ ]
 }
 },
 "com.amazonaws.iam#DeleteAccessKeyRequest": {
@@ -3686,7 +3901,16 @@
 }
 ],
 "traits": {
- "smithy.api#documentation": "Deletes the specified Amazon Web Services account alias. For information about using an Amazon Web Services\n account alias, see Creating, deleting, and\n listing an Amazon Web Services account alias in the Amazon Web Services Sign-In User\n Guide.
"
+ "smithy.api#documentation": "Deletes the specified Amazon Web Services account alias. For information about using an Amazon Web Services\n account alias, see Creating, deleting, and\n listing an Amazon Web Services account alias in the Amazon Web Services Sign-In User\n Guide.
",
+ "smithy.api#examples": [
+ {
+ "title": "To delete an account alias",
+ "documentation": "The following command removes the alias mycompany from the current AWS account:",
+ "input": {
+ "AccountAlias": "mycompany"
+ }
+ }
+ ]
 }
 },
 "com.amazonaws.iam#DeleteAccountAliasRequest": {
@@ -3724,7 +3948,13 @@
 }
 ],
 "traits": {
- "smithy.api#documentation": "Deletes the password policy for the Amazon Web Services account. There are no parameters.
"
+ "smithy.api#documentation": "Deletes the password policy for the Amazon Web Services account. There are no parameters.
",
+ "smithy.api#examples": [
+ {
+ "title": "To delete the current account password policy",
+ "documentation": "The following command removes the password policy from the current AWS account:"
+ }
+ ]
 }
 },
 "com.amazonaws.iam#DeleteConflictException": {
@@ -3790,7 +4020,17 @@
 }
 ],
 "traits": {
- "smithy.api#documentation": "Deletes the specified inline policy that is embedded in the specified IAM\n group.
\nA group can also have managed policies attached to it. To detach a managed policy from\n a group, use DetachGroupPolicy. For more information about policies,\n refer to Managed policies and inline\n policies in the IAM User Guide.
"
+ "smithy.api#documentation": "Deletes the specified inline policy that is embedded in the specified IAM\n group.
\nA group can also have managed policies attached to it. To detach a managed policy from\n a group, use DetachGroupPolicy. For more information about policies,\n refer to Managed policies and inline\n policies in the IAM User Guide.
",
+ "smithy.api#examples": [
+ {
+ "title": "To delete a policy from an IAM group",
+ "documentation": "The following command deletes the policy named ExamplePolicy from the group named Admins:",
+ "input": {
+ "GroupName": "Admins",
+ "PolicyName": "ExamplePolicy"
+ }
+ }
+ ]
 }
 },
 "com.amazonaws.iam#DeleteGroupPolicyRequest": {
@@ -3853,7 +4093,16 @@
 }
 ],
 "traits": {
- "smithy.api#documentation": "Deletes the specified instance profile. The instance profile must not have an\n associated role.
\nMake sure that you do not have any Amazon EC2 instances running with the instance\n profile you are about to delete. Deleting a role or instance profile that is\n associated with a running instance will break any applications running on the\n instance.
\nFor more information about instance profiles, see About instance\n profiles.
"
+ "smithy.api#documentation": "Deletes the specified instance profile. The instance profile must not have an\n associated role.
\nMake sure that you do not have any Amazon EC2 instances running with the instance\n profile you are about to delete. Deleting a role or instance profile that is\n associated with a running instance will break any applications running on the\n instance.
\nFor more information about instance profiles, see Using\n instance profiles in the IAM User Guide.
",
+ "smithy.api#examples": [
+ {
+ "title": "To delete an instance profile",
+ "documentation": "The following command deletes the instance profile named ExampleInstanceProfile",
+ "input": {
+ "InstanceProfileName": "ExampleInstanceProfile"
+ }
+ }
+ ]
 }
 },
 "com.amazonaws.iam#DeleteInstanceProfileRequest": {
@@ -3894,7 +4143,16 @@
 }
 ],
 "traits": {
- "smithy.api#documentation": "Deletes the password for the specified IAM user, For more information, see Managing\n passwords for IAM users.
\nYou can use the CLI, the Amazon Web Services API, or the Users\n page in the IAM console to delete a password for any IAM user. You can use ChangePassword to update, but not delete, your own password in the\n My Security Credentials page in the\n Amazon Web Services Management Console.
\nDeleting a user's password does not prevent a user from accessing Amazon Web Services through\n the command line interface or the API. To prevent all user access, you must also\n either make any access keys inactive or delete them. For more information about\n making keys inactive or deleting them, see UpdateAccessKey and\n DeleteAccessKey.
\nDeletes the password for the specified IAM user, For more information, see Managing\n passwords for IAM users.
\nYou can use the CLI, the Amazon Web Services API, or the Users\n page in the IAM console to delete a password for any IAM user. You can use ChangePassword to update, but not delete, your own password in the\n My Security Credentials page in the\n Amazon Web Services Management Console.
\nDeleting a user's password does not prevent a user from accessing Amazon Web Services through\n the command line interface or the API. To prevent all user access, you must also\n either make any access keys inactive or delete them. For more information about\n making keys inactive or deleting them, see UpdateAccessKey and\n DeleteAccessKey.
\nDeletes the specified role. Unlike the Amazon Web Services Management Console, when you delete a role\n programmatically, you must delete the items attached to the role manually, or the\n deletion fails. For more information, see Deleting an IAM role. Before attempting to delete a role, remove the\n following attached items:
\nInline policies (DeleteRolePolicy)
\nAttached managed policies (DetachRolePolicy)
\nInstance profile (RemoveRoleFromInstanceProfile)
\nOptional – Delete instance profile after detaching from role for\n resource clean up (DeleteInstanceProfile)
\nMake sure that you do not have any Amazon EC2 instances running with the role you\n are about to delete. Deleting a role or instance profile that is associated with a\n running instance will break any applications running on the instance.
\nDeletes the specified role. Unlike the Amazon Web Services Management Console, when you delete a role\n programmatically, you must delete the items attached to the role manually, or the\n deletion fails. For more information, see Deleting an IAM role. Before attempting to delete a role, remove the\n following attached items:
\nInline policies (DeleteRolePolicy)
\nAttached managed policies (DetachRolePolicy)
\nInstance profile (RemoveRoleFromInstanceProfile)
\nOptional – Delete instance profile after detaching from role for\n resource clean up (DeleteInstanceProfile)
\nMake sure that you do not have any Amazon EC2 instances running with the role you\n are about to delete. Deleting a role or instance profile that is associated with a\n running instance will break any applications running on the instance.
\nDeletes the specified inline policy that is embedded in the specified IAM\n role.
\nA role can also have managed policies attached to it. To detach a managed policy from\n a role, use DetachRolePolicy. For more information about policies,\n refer to Managed policies and inline\n policies in the IAM User Guide.
"
+ "smithy.api#documentation": "Deletes the specified inline policy that is embedded in the specified IAM\n role.
\nA role can also have managed policies attached to it. To detach a managed policy from\n a role, use DetachRolePolicy. For more information about policies,\n refer to Managed policies and inline\n policies in the IAM User Guide.
",
+ "smithy.api#examples": [
+ {
+ "title": "To remove a policy from an IAM role",
+ "documentation": "The following command removes the policy named ExamplePolicy from the role named Test-Role.",
+ "input": {
+ "RoleName": "Test-Role",
+ "PolicyName": "ExamplePolicy"
+ }
+ }
+ ]
 }
 },
 "com.amazonaws.iam#DeleteRolePolicyRequest": {
@@ -4413,7 +4690,17 @@
 }
 ],
 "traits": {
- "smithy.api#documentation": "Deletes a signing certificate associated with the specified IAM user.
\nIf you do not specify a user name, IAM determines the user name implicitly based on\n the Amazon Web Services access key ID signing the request. This operation works for access keys under\n the Amazon Web Services account. Consequently, you can use this operation to manage Amazon Web Services account root\n user credentials even if the Amazon Web Services account has no associated IAM users.
"
+ "smithy.api#documentation": "Deletes a signing certificate associated with the specified IAM user.
\nIf you do not specify a user name, IAM determines the user name implicitly based on\n the Amazon Web Services access key ID signing the request. This operation works for access keys under\n the Amazon Web Services account. Consequently, you can use this operation to manage Amazon Web Services account root\n user credentials even if the Amazon Web Services account has no associated IAM users.
",
+ "smithy.api#examples": [
+ {
+ "title": "To delete a signing certificate for an IAM user",
+ "documentation": "The following command deletes the specified signing certificate for the IAM user named Anika.",
+ "input": {
+ "UserName": "Anika",
+ "CertificateId": "TA7SMP42TDN5Z26OBPJE7EXAMPLE"
+ }
+ }
+ ]
 }
 },
 "com.amazonaws.iam#DeleteSigningCertificateRequest": {
@@ -4463,7 +4750,16 @@
 }
 ],
 "traits": {
- "smithy.api#documentation": "Deletes the specified IAM user. Unlike the Amazon Web Services Management Console, when you delete a user\n programmatically, you must delete the items attached to the user manually, or the\n deletion fails. For more information, see Deleting an IAM\n user. Before attempting to delete a user, remove the following items:
\nPassword (DeleteLoginProfile)
\nAccess keys (DeleteAccessKey)
\nSigning certificate (DeleteSigningCertificate)
\nSSH public key (DeleteSSHPublicKey)
\nGit credentials (DeleteServiceSpecificCredential)
\nMulti-factor authentication (MFA) device (DeactivateMFADevice, DeleteVirtualMFADevice)
\nInline policies (DeleteUserPolicy)
\nAttached managed policies (DetachUserPolicy)
\nGroup memberships (RemoveUserFromGroup)
\nDeletes the specified IAM user. Unlike the Amazon Web Services Management Console, when you delete a user\n programmatically, you must delete the items attached to the user manually, or the\n deletion fails. For more information, see Deleting an IAM\n user. Before attempting to delete a user, remove the following items:
\nPassword (DeleteLoginProfile)
\nAccess keys (DeleteAccessKey)
\nSigning certificate (DeleteSigningCertificate)
\nSSH public key (DeleteSSHPublicKey)
\nGit credentials (DeleteServiceSpecificCredential)
\nMulti-factor authentication (MFA) device (DeactivateMFADevice, DeleteVirtualMFADevice)
\nInline policies (DeleteUserPolicy)
\nAttached managed policies (DetachUserPolicy)
\nGroup memberships (RemoveUserFromGroup)
\nDeletes the specified inline policy that is embedded in the specified IAM\n user.
\nA user can also have managed policies attached to it. To detach a managed policy from\n a user, use DetachUserPolicy. For more information about policies,\n refer to Managed policies and inline\n policies in the IAM User Guide.
"
+ "smithy.api#documentation": "Deletes the specified inline policy that is embedded in the specified IAM\n user.
\nA user can also have managed policies attached to it. To detach a managed policy from\n a user, use DetachUserPolicy. For more information about policies,\n refer to Managed policies and inline\n policies in the IAM User Guide.
",
+ "smithy.api#examples": [
+ {
+ "title": "To remove a policy from an IAM user",
+ "documentation": "The following delete-user-policy command removes the specified policy from the IAM user named Juan:",
+ "input": {
+ "UserName": "Juan",
+ "PolicyName": "ExamplePolicy"
+ }
+ }
+ ]
 }
 },
 "com.amazonaws.iam#DeleteUserPolicyRequest": {
@@ -4587,7 +4893,16 @@
 }
 ],
 "traits": {
- "smithy.api#documentation": "Deletes a virtual MFA device.
\nYou must deactivate a user's virtual MFA device before you can delete it. For\n information about deactivating MFA devices, see DeactivateMFADevice.
\nDeletes a virtual MFA device.
\nYou must deactivate a user's virtual MFA device before you can delete it. For\n information about deactivating MFA devices, see DeactivateMFADevice.
\nGenerates a report for service last accessed data for Organizations. You can generate a\n report for any entities (organization root, organizational unit, or account) or policies\n in your organization.
\nTo call this operation, you must be signed in using your Organizations management account\n credentials. You can use your long-term IAM user or root user credentials, or temporary\n credentials from assuming an IAM role. SCPs must be enabled for your organization\n root. You must have the required IAM and Organizations permissions. For more information, see\n Refining permissions using service last accessed data in the\n IAM User Guide.
\nYou can generate a service last accessed data report for entities by specifying only\n the entity's path. This data includes a list of services that are allowed by any service\n control policies (SCPs) that apply to the entity.
\nYou can generate a service last accessed data report for a policy by specifying an\n entity's path and an optional Organizations policy ID. This data includes a list of services that\n are allowed by the specified SCP.
\nFor each service in both report types, the data includes the most recent account\n activity that the policy allows to account principals in the entity or the entity's\n children. For important information about the data, reporting period, permissions\n required, troubleshooting, and supported Regions see Reducing permissions using\n service last accessed data in the\n IAM User Guide.
\nThe data includes all attempts to access Amazon Web Services, not just the successful ones. This\n includes all attempts that were made using the Amazon Web Services Management Console, the Amazon Web Services API through any\n of the SDKs, or any of the command line tools. An unexpected entry in the service\n last accessed data does not mean that an account has been compromised, because the\n request might have been denied. Refer to your CloudTrail logs as the authoritative\n source for information about all API calls and whether they were successful or\n denied access. For more information, see Logging IAM events with\n CloudTrail in the IAM User Guide.
\nThis operation returns a JobId
. Use this parameter in the \n GetOrganizationsAccessReport\n
operation to check the status of\n the report generation. To check the status of this request, use the JobId
\n parameter in the \n GetOrganizationsAccessReport\n
operation\n and test the JobStatus
response parameter. When the job is complete, you\n can retrieve the report.
To generate a service last accessed data report for entities, specify an entity path\n without specifying the optional Organizations policy ID. The type of entity that you specify\n determines the data returned in the report.
\n\n Root – When you specify the\n organizations root as the entity, the resulting report lists all of the services\n allowed by SCPs that are attached to your root. For each service, the report\n includes data for all accounts in your organization except the\n management account, because the management account is not limited by SCPs.
\n\n OU – When you specify an\n organizational unit (OU) as the entity, the resulting report lists all of the\n services allowed by SCPs that are attached to the OU and its parents. For each\n service, the report includes data for all accounts in the OU or its children.\n This data excludes the management account, because the management account is not\n limited by SCPs.
\n\n management account – When you specify the\n management account, the resulting report lists all Amazon Web Services services, because the\n management account is not limited by SCPs. For each service, the report includes\n data for only the management account.
\n\n Account – When you specify another\n account as the entity, the resulting report lists all of the services allowed by\n SCPs that are attached to the account and its parents. For each service, the\n report includes data for only the specified account.
\nTo generate a service last accessed data report for policies, specify an entity path\n and the optional Organizations policy ID. The type of entity that you specify determines the data\n returned for each service.
\n\n Root – When you specify the root\n entity and a policy ID, the resulting report lists all of the services that are\n allowed by the specified SCP. For each service, the report includes data for all\n accounts in your organization to which the SCP applies. This data excludes the\n management account, because the management account is not limited by SCPs. If the\n SCP is not attached to any entities in the organization, then the report will\n return a list of services with no data.
\n\n OU – When you specify an OU entity and\n a policy ID, the resulting report lists all of the services that are allowed by\n the specified SCP. For each service, the report includes data for all accounts\n in the OU or its children to which the SCP applies. This means that other\n accounts outside the OU that are affected by the SCP might not be included in\n the data. This data excludes the management account, because the\n management account is not limited by SCPs. If the SCP is not attached to the OU\n or one of its children, the report will return a list of services with no\n data.
\n\n management account – When you specify the\n management account, the resulting report lists all Amazon Web Services services, because the\n management account is not limited by SCPs. If you specify a policy ID in the CLI\n or API, the policy is ignored. For each service, the report includes data for\n only the management account.
\n\n Account – When you specify another\n account entity and a policy ID, the resulting report lists all of the services\n that are allowed by the specified SCP. For each service, the report includes\n data for only the specified account. This means that other accounts in the\n organization that are affected by the SCP might not be included in the data. If\n the SCP is not attached to the account, the report will return a list of\n services with no data.
\nService last accessed data does not use other policy types when determining\n whether a principal could access a service. These other policy types include\n identity-based policies, resource-based policies, access control lists, IAM\n permissions boundaries, and STS assume role policies. It only applies SCP logic.\n For more about the evaluation of policy types, see Evaluating policies in the\n IAM User Guide.
\nFor more information about service last accessed data, see Reducing policy scope by\n viewing user activity in the IAM User Guide.
"
+ "smithy.api#documentation": "Generates a report for service last accessed data for Organizations. You can generate a\n report for any entities (organization root, organizational unit, or account) or policies\n in your organization.
\nTo call this operation, you must be signed in using your Organizations management account\n credentials. You can use your long-term IAM user or root user credentials, or temporary\n credentials from assuming an IAM role. SCPs must be enabled for your organization\n root. You must have the required IAM and Organizations permissions. For more information, see\n Refining permissions using service last accessed data in the\n IAM User Guide.
\nYou can generate a service last accessed data report for entities by specifying only\n the entity's path. This data includes a list of services that are allowed by any service\n control policies (SCPs) that apply to the entity.
\nYou can generate a service last accessed data report for a policy by specifying an\n entity's path and an optional Organizations policy ID. This data includes a list of services that\n are allowed by the specified SCP.
\nFor each service in both report types, the data includes the most recent account\n activity that the policy allows to account principals in the entity or the entity's\n children. For important information about the data, reporting period, permissions\n required, troubleshooting, and supported Regions see Reducing permissions using\n service last accessed data in the\n IAM User Guide.
\nThe data includes all attempts to access Amazon Web Services, not just the successful ones. This\n includes all attempts that were made using the Amazon Web Services Management Console, the Amazon Web Services API through any\n of the SDKs, or any of the command line tools. An unexpected entry in the service\n last accessed data does not mean that an account has been compromised, because the\n request might have been denied. Refer to your CloudTrail logs as the authoritative\n source for information about all API calls and whether they were successful or\n denied access. For more information, see Logging IAM events with\n CloudTrail in the IAM User Guide.
\nThis operation returns a JobId
. Use this parameter in the \n GetOrganizationsAccessReport\n
operation to check the status of\n the report generation. To check the status of this request, use the JobId
\n parameter in the \n GetOrganizationsAccessReport\n
operation\n and test the JobStatus
response parameter. When the job is complete, you\n can retrieve the report.
To generate a service last accessed data report for entities, specify an entity path\n without specifying the optional Organizations policy ID. The type of entity that you specify\n determines the data returned in the report.
\n\n Root – When you specify the\n organizations root as the entity, the resulting report lists all of the services\n allowed by SCPs that are attached to your root. For each service, the report\n includes data for all accounts in your organization except the\n management account, because the management account is not limited by SCPs.
\n\n OU – When you specify an\n organizational unit (OU) as the entity, the resulting report lists all of the\n services allowed by SCPs that are attached to the OU and its parents. For each\n service, the report includes data for all accounts in the OU or its children.\n This data excludes the management account, because the management account is not\n limited by SCPs.
\n\n management account – When you specify the\n management account, the resulting report lists all Amazon Web Services services, because the\n management account is not limited by SCPs. For each service, the report includes\n data for only the management account.
\n\n Account – When you specify another\n account as the entity, the resulting report lists all of the services allowed by\n SCPs that are attached to the account and its parents. For each service, the\n report includes data for only the specified account.
\nTo generate a service last accessed data report for policies, specify an entity path\n and the optional Organizations policy ID. The type of entity that you specify determines the data\n returned for each service.
\n\n Root – When you specify the root\n entity and a policy ID, the resulting report lists all of the services that are\n allowed by the specified SCP. For each service, the report includes data for all\n accounts in your organization to which the SCP applies. This data excludes the\n management account, because the management account is not limited by SCPs. If the\n SCP is not attached to any entities in the organization, then the report will\n return a list of services with no data.
\n\n OU – When you specify an OU entity and\n a policy ID, the resulting report lists all of the services that are allowed by\n the specified SCP. For each service, the report includes data for all accounts\n in the OU or its children to which the SCP applies. This means that other\n accounts outside the OU that are affected by the SCP might not be included in\n the data. This data excludes the management account, because the\n management account is not limited by SCPs. If the SCP is not attached to the OU\n or one of its children, the report will return a list of services with no\n data.
\n\n management account – When you specify the\n management account, the resulting report lists all Amazon Web Services services, because the\n management account is not limited by SCPs. If you specify a policy ID in the CLI\n or API, the policy is ignored. For each service, the report includes data for\n only the management account.
\n\n Account – When you specify another\n account entity and a policy ID, the resulting report lists all of the services\n that are allowed by the specified SCP. For each service, the report includes\n data for only the specified account. This means that other accounts in the\n organization that are affected by the SCP might not be included in the data. If\n the SCP is not attached to the account, the report will return a list of\n services with no data.
\nService last accessed data does not use other policy types when determining\n whether a principal could access a service. These other policy types include\n identity-based policies, resource-based policies, access control lists, IAM\n permissions boundaries, and STS assume role policies. It only applies SCP logic.\n For more about the evaluation of policy types, see Evaluating policies in the\n IAM User Guide.
\nFor more information about service last accessed data, see Reducing policy scope by\n viewing user activity in the IAM User Guide.
",
+ "smithy.api#examples": [
+ {
+ "title": "To generate a service last accessed data report for an organizational unit",
+ "documentation": "The following operation generates a report for the organizational unit ou-rge0-awexample",
+ "input": {
+ "EntityPath": "o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-1a2b3c-k9l8m7n6o5example"
+ },
+ "output": {
+ "JobId": "examplea-1234-b567-cde8-90fg123abcd4"
+ }
+ }
+ ]
 }
 },
 "com.amazonaws.iam#GenerateOrganizationsAccessReportRequest": {
@@ -5266,7 +5593,19 @@
 }
 ],
 "traits": {
- "smithy.api#documentation": "Generates a report that includes details about when an IAM resource (user, group,\n role, or policy) was last used in an attempt to access Amazon Web Services services. Recent activity\n usually appears within four hours. IAM reports activity for at least the last 400\n days, or less if your Region began supporting this feature within the last year. For\n more information, see Regions where data is tracked.
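Review bot: The example added for GenerateOrganizationsAccessReport names the organizational unit `ou-rge0-awexample` in its `documentation` string, but the `EntityPath` in `input` ends in `ou-1a2b3c-k9l8m7n6o5example`, so the prose and the request describe different OUs. A reader copying the sample cannot tell which entity the report covers, which matters for an operation that must be called with management account credentials. The two should agree, for instance `"documentation": "The following operation generates a report for the organizational unit ou-1a2b3c-k9l8m7n6o5example"`. The model appears to be vendored, so the correction likely belongs upstream.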
\nThe service last accessed data includes all attempts to access an Amazon Web Services API, not\n just the successful ones. This includes all attempts that were made using the\n Amazon Web Services Management Console, the Amazon Web Services API through any of the SDKs, or any of the command line tools.\n An unexpected entry in the service last accessed data does not mean that your\n account has been compromised, because the request might have been denied. Refer to\n your CloudTrail logs as the authoritative source for information about all API calls\n and whether they were successful or denied access. For more information, see Logging\n IAM events with CloudTrail in the\n IAM User Guide.
\nThe GenerateServiceLastAccessedDetails
operation returns a\n JobId
. Use this parameter in the following operations to retrieve the\n following details from your report:
\n GetServiceLastAccessedDetails – Use this operation\n for users, groups, roles, or policies to list every Amazon Web Services service that the\n resource could access using permissions policies. For each service, the response\n includes information about the most recent access attempt.
\nThe JobId
returned by\n GenerateServiceLastAccessedDetail
must be used by the same role\n within a session, or by the same user when used to call\n GetServiceLastAccessedDetail
.
\n GetServiceLastAccessedDetailsWithEntities – Use this\n operation for groups and policies to list information about the associated\n entities (users or roles) that attempted to access a specific Amazon Web Services service.\n
\nTo check the status of the GenerateServiceLastAccessedDetails
request,\n use the JobId
parameter in the same operations and test the\n JobStatus
response parameter.
For additional information about the permissions policies that allow an identity\n (user, group, or role) to access specific services, use the ListPoliciesGrantingServiceAccess operation.
\nService last accessed data does not use other policy types when determining\n whether a resource could access a service. These other policy types include\n resource-based policies, access control lists, Organizations policies, IAM permissions\n boundaries, and STS assume role policies. It only applies permissions policy\n logic. For more about the evaluation of policy types, see Evaluating policies in the\n IAM User Guide.
\nFor more information about service and action last accessed data, see Reducing permissions using service last accessed data in the\n IAM User Guide.
" + "smithy.api#documentation": "Generates a report that includes details about when an IAM resource (user, group,\n role, or policy) was last used in an attempt to access Amazon Web Services services. Recent activity\n usually appears within four hours. IAM reports activity for at least the last 400\n days, or less if your Region began supporting this feature within the last year. For\n more information, see Regions where data is tracked.
\nThe service last accessed data includes all attempts to access an Amazon Web Services API, not\n just the successful ones. This includes all attempts that were made using the\n Amazon Web Services Management Console, the Amazon Web Services API through any of the SDKs, or any of the command line tools.\n An unexpected entry in the service last accessed data does not mean that your\n account has been compromised, because the request might have been denied. Refer to\n your CloudTrail logs as the authoritative source for information about all API calls\n and whether they were successful or denied access. For more information, see Logging\n IAM events with CloudTrail in the\n IAM User Guide.
\nThe GenerateServiceLastAccessedDetails
operation returns a\n JobId
. Use this parameter in the following operations to retrieve the\n following details from your report:
\n GetServiceLastAccessedDetails – Use this operation\n for users, groups, roles, or policies to list every Amazon Web Services service that the\n resource could access using permissions policies. For each service, the response\n includes information about the most recent access attempt.
\nThe JobId
returned by\n GenerateServiceLastAccessedDetail
must be used by the same role\n within a session, or by the same user when used to call\n GetServiceLastAccessedDetail
.
\n GetServiceLastAccessedDetailsWithEntities – Use this\n operation for groups and policies to list information about the associated\n entities (users or roles) that attempted to access a specific Amazon Web Services service.\n
\nTo check the status of the GenerateServiceLastAccessedDetails
request,\n use the JobId
parameter in the same operations and test the\n JobStatus
response parameter.
For additional information about the permissions policies that allow an identity\n (user, group, or role) to access specific services, use the ListPoliciesGrantingServiceAccess operation.
\nService last accessed data does not use other policy types when determining\n whether a resource could access a service. These other policy types include\n resource-based policies, access control lists, Organizations policies, IAM permissions\n boundaries, and STS assume role policies. It only applies permissions policy\n logic. For more about the evaluation of policy types, see Evaluating policies in the\n IAM User Guide.
\nFor more information about service and action last accessed data, see Reducing permissions using service last accessed data in the\n IAM User Guide.
", + "smithy.api#examples": [ + { + "title": "To generate a service last accessed data report for a policy", + "documentation": "The following operation generates a report for the policy: ExamplePolicy1", + "input": { + "Arn": "arn:aws:iam::123456789012:policy/ExamplePolicy1" + }, + "output": { + "JobId": "examplef-1305-c245-eba4-71fe298bcda7" + } + } + ] } }, "com.amazonaws.iam#GenerateServiceLastAccessedDetailsRequest": { @@ -5468,7 +5807,27 @@ } ], "traits": { - "smithy.api#documentation": "Retrieves the password policy for the Amazon Web Services account. This tells you the complexity\n requirements and mandatory rotation periods for the IAM user passwords in your account.\n For more information about using a password policy, see Managing an IAM password\n policy.
" + "smithy.api#documentation": "Retrieves the password policy for the Amazon Web Services account. This tells you the complexity\n requirements and mandatory rotation periods for the IAM user passwords in your account.\n For more information about using a password policy, see Managing an IAM password\n policy.
", + "smithy.api#examples": [ + { + "title": "To see the current account password policy", + "documentation": "The following command displays details about the password policy for the current AWS account.", + "output": { + "PasswordPolicy": { + "AllowUsersToChangePassword": false, + "RequireNumbers": true, + "RequireLowercaseCharacters": false, + "RequireUppercaseCharacters": false, + "MinimumPasswordLength": 8, + "RequireSymbols": true, + "ExpirePasswords": false, + "PasswordReusePrevention": 12, + "MaxPasswordAge": 90, + "HardExpiry": false + } + } + } + ] } }, "com.amazonaws.iam#GetAccountPasswordPolicyResponse": { @@ -5501,7 +5860,43 @@ } ], "traits": { - "smithy.api#documentation": "Retrieves information about IAM entity usage and IAM quotas in the Amazon Web Services\n account.
\nFor information about IAM quotas, see IAM and STS quotas in the\n IAM User Guide.
" + "smithy.api#documentation": "Retrieves information about IAM entity usage and IAM quotas in the Amazon Web Services\n account.
\nFor information about IAM quotas, see IAM and STS quotas in the\n IAM User Guide.
", + "smithy.api#examples": [ + { + "title": "To get information about IAM entity quotas and usage in the current account", + "documentation": "The following command returns information about the IAM entity quotas and usage in the current AWS account.", + "output": { + "SummaryMap": { + "Users": 27, + "UsersQuota": 5000, + "Groups": 15, + "GroupsQuota": 100, + "Policies": 8, + "PoliciesQuota": 1000, + "PolicySizeQuota": 5120, + "PolicyVersionsInUse": 22, + "PolicyVersionsInUseQuota": 10000, + "VersionsPerPolicyQuota": 5, + "ServerCertificates": 1, + "ServerCertificatesQuota": 20, + "UserPolicySizeQuota": 2048, + "GroupPolicySizeQuota": 5120, + "GroupsPerUserQuota": 10, + "GlobalEndpointTokenVersion": 2, + "SigningCertificatesPerUserQuota": 2, + "AccessKeysPerUserQuota": 2, + "MFADevices": 6, + "MFADevicesInUse": 3, + "AccountMFAEnabled": 0, + "AccountAccessKeysPresent": 1, + "AccountSigningCertificatesPresent": 0, + "AttachedPoliciesPerGroupQuota": 10, + "AttachedPoliciesPerRoleQuota": 10, + "AttachedPoliciesPerUserQuota": 10 + } + } + } + ] } }, "com.amazonaws.iam#GetAccountSummaryResponse": { @@ -5837,7 +6232,35 @@ } ], "traits": { - "smithy.api#documentation": "Retrieves information about the specified instance profile, including the instance\n profile's path, GUID, ARN, and role. For more information about instance profiles, see\n About\n instance profiles in the IAM User Guide.
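Review bot: The GetAccountSummary example output shows `"AccountMFAEnabled": 0` and `"AccountAccessKeysPresent": 1` without saying that these are 0/1 flags rather than counts like the entries around them. As far as I can tell they describe the account root user (no MFA, root access keys present), which is the state audit baselines flag, so the sample reads as an ordinary account when it is not. I would extend the example's `documentation` string: `"documentation": "The following command returns information about the IAM entity quotas and usage in the current AWS account. AccountMFAEnabled, AccountAccessKeysPresent and AccountSigningCertificatesPresent are 0/1 flags, not counts."`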
", + "smithy.api#documentation": "Retrieves information about the specified instance profile, including the instance\n profile's path, GUID, ARN, and role. For more information about instance profiles, see\n Using\n instance profiles in the IAM User Guide.
", + "smithy.api#examples": [ + { + "title": "To get information about an instance profile", + "documentation": "The following command gets information about the instance profile named ExampleInstanceProfile.", + "input": { + "InstanceProfileName": "ExampleInstanceProfile" + }, + "output": { + "InstanceProfile": { + "InstanceProfileId": "AID2MAB8DPLSRHEXAMPLE", + "Roles": [ + { + "AssumeRolePolicyDocument": "Retrieves the user name for the specified IAM user. A login profile is created when\n you create a password for the user to access the Amazon Web Services Management Console. If the user does not exist\n or does not have a password, the operation returns a 404 (NoSuchEntity
)\n error.
If you create an IAM user with access to the console, the CreateDate
\n reflects the date you created the initial password for the user.
If you create an IAM user with programmatic access, and then later add a password\n for the user to access the Amazon Web Services Management Console, the CreateDate
reflects the initial\n password creation date. A user with programmatic access does not have a login profile\n unless you create a password for the user to access the Amazon Web Services Management Console.
Retrieves the user name for the specified IAM user. A login profile is created when\n you create a password for the user to access the Amazon Web Services Management Console. If the user does not exist\n or does not have a password, the operation returns a 404 (NoSuchEntity
)\n error.
If you create an IAM user with access to the console, the CreateDate
\n reflects the date you created the initial password for the user.
If you create an IAM user with programmatic access, and then later add a password\n for the user to access the Amazon Web Services Management Console, the CreateDate
reflects the initial\n password creation date. A user with programmatic access does not have a login profile\n unless you create a password for the user to access the Amazon Web Services Management Console.
The name of the user whose login profile you want to retrieve.
\nThis parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric \n characters with no spaces. You can also include any of the following characters: _+=,.@-
", - "smithy.api#required": {} + "smithy.api#documentation": "The name of the user whose login profile you want to retrieve.
\nThis parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric \n characters with no spaces. You can also include any of the following characters: _+=,.@-
", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#input": {} + } + }, + "com.amazonaws.iam#GetLoginProfileResponse": { + "type": "structure", + "members": { + "LoginProfile": { + "target": "com.amazonaws.iam#LoginProfile", + "traits": { + "smithy.api#documentation": "A structure containing the user name and the profile creation date for the\n user.
", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#documentation": "Contains the response to a successful GetLoginProfile request.\n
", + "smithy.api#output": {} + } + }, + "com.amazonaws.iam#GetMFADevice": { + "type": "operation", + "input": { + "target": "com.amazonaws.iam#GetMFADeviceRequest" + }, + "output": { + "target": "com.amazonaws.iam#GetMFADeviceResponse" + }, + "errors": [ + { + "target": "com.amazonaws.iam#NoSuchEntityException" + }, + { + "target": "com.amazonaws.iam#ServiceFailureException" + } + ], + "traits": { + "smithy.api#documentation": "Retrieves information about an MFA device for a specified user.
" + } + }, + "com.amazonaws.iam#GetMFADeviceRequest": { + "type": "structure", + "members": { + "SerialNumber": { + "target": "com.amazonaws.iam#serialNumberType", + "traits": { + "smithy.api#documentation": "Serial number that uniquely identifies the MFA device. For this API, we only accept\n FIDO security key ARNs.
", + "smithy.api#required": {} + } + }, + "UserName": { + "target": "com.amazonaws.iam#userNameType", + "traits": { + "smithy.api#documentation": "The friendly name identifying the user.
" } } }, @@ -5925,19 +6420,36 @@ "smithy.api#input": {} } }, - "com.amazonaws.iam#GetLoginProfileResponse": { + "com.amazonaws.iam#GetMFADeviceResponse": { "type": "structure", "members": { - "LoginProfile": { - "target": "com.amazonaws.iam#LoginProfile", + "UserName": { + "target": "com.amazonaws.iam#userNameType", "traits": { - "smithy.api#documentation": "A structure containing the user name and the profile creation date for the\n user.
", + "smithy.api#documentation": "The friendly name identifying the user.
" + } + }, + "SerialNumber": { + "target": "com.amazonaws.iam#serialNumberType", + "traits": { + "smithy.api#documentation": "Serial number that uniquely identifies the MFA device. For this API, we only accept\n FIDO security key ARNs.
", "smithy.api#required": {} } + }, + "EnableDate": { + "target": "com.amazonaws.iam#dateType", + "traits": { + "smithy.api#documentation": "The date that a specified user's MFA device was first enabled.
" + } + }, + "Certifications": { + "target": "com.amazonaws.iam#CertificationMapType", + "traits": { + "smithy.api#documentation": "The certifications of a specified user's MFA device. We currently provide FIPS-140-2,\n FIPS-140-3, and FIDO certification levels obtained from FIDO Alliance Metadata Service\n (MDS).
" + } } }, "traits": { - "smithy.api#documentation": "Contains the response to a successful GetLoginProfile request.\n
", "smithy.api#output": {} } }, @@ -6032,7 +6544,47 @@ } ], "traits": { - "smithy.api#documentation": "Retrieves the service last accessed data report for Organizations that was previously\n generated using the \n GenerateOrganizationsAccessReport\n
\n operation. This operation retrieves the status of your report job and the report\n contents.
Depending on the parameters that you passed when you generated the report, the data\n returned could include different information. For details, see GenerateOrganizationsAccessReport.
\nTo call this operation, you must be signed in to the management account in your\n organization. SCPs must be enabled for your organization root. You must have permissions\n to perform this operation. For more information, see Refining permissions using\n service last accessed data in the\n IAM User Guide.
\nFor each service that principals in an account (root user, IAM users, or IAM roles)\n could access using SCPs, the operation returns details about the most recent access\n attempt. If there was no attempt, the service is listed without details about the most\n recent attempt to access the service. If the operation fails, it returns the reason that\n it failed.
\nBy default, the list is sorted by service namespace.
" + "smithy.api#documentation": "Retrieves the service last accessed data report for Organizations that was previously\n generated using the \n GenerateOrganizationsAccessReport\n
\n operation. This operation retrieves the status of your report job and the report\n contents.
Depending on the parameters that you passed when you generated the report, the data\n returned could include different information. For details, see GenerateOrganizationsAccessReport.
\nTo call this operation, you must be signed in to the management account in your\n organization. SCPs must be enabled for your organization root. You must have permissions\n to perform this operation. For more information, see Refining permissions using\n service last accessed data in the\n IAM User Guide.
\nFor each service that principals in an account (root user, IAM users, or IAM roles)\n could access using SCPs, the operation returns details about the most recent access\n attempt. If there was no attempt, the service is listed without details about the most\n recent attempt to access the service. If the operation fails, it returns the reason that\n it failed.
\nBy default, the list is sorted by service namespace.
", + "smithy.api#examples": [ + { + "title": "To get details from a previously generated organizational unit report", + "documentation": "The following operation gets details about the report with the job ID: examplea-1234-b567-cde8-90fg123abcd4", + "input": { + "JobId": "examplea-1234-b567-cde8-90fg123abcd4" + }, + "output": { + "IsTruncated": false, + "JobCompletionDate": "2019-06-18T19:47:35.241Z", + "JobCreationDate": "2019-06-18T19:47:31.466Z", + "JobStatus": "COMPLETED", + "NumberOfServicesAccessible": 3, + "NumberOfServicesNotAccessed": 1, + "AccessDetails": [ + { + "EntityPath": "o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-1a2b3c-k9l8m7n6o5example/111122223333", + "LastAuthenticatedTime": "2019-05-25T16:29:52Z", + "Region": "us-east-1", + "ServiceName": "Amazon DynamoDB", + "ServiceNamespace": "dynamodb", + "TotalAuthenticatedEntities": 2 + }, + { + "EntityPath": "o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-1a2b3c-k9l8m7n6o5example/123456789012", + "LastAuthenticatedTime": "2019-06-15T13:12:06Z", + "Region": "us-east-1", + "ServiceName": "AWS Identity and Access Management", + "ServiceNamespace": "iam", + "TotalAuthenticatedEntities": 4 + }, + { + "ServiceName": "Amazon Simple Storage Service", + "ServiceNamespace": "s3", + "TotalAuthenticatedEntities": 0 + } + ] + } + } + ] } }, "com.amazonaws.iam#GetOrganizationsAccessReportRequest": { @@ -6282,7 +6834,31 @@ } ], "traits": { - "smithy.api#documentation": "Retrieves information about the specified role, including the role's path, GUID, ARN,\n and the role's trust policy that grants permission to assume the role. For more\n information about roles, see Working with roles.
\nPolicies returned by this operation are URL-encoded compliant \n with RFC 3986. You can use a URL \n decoding method to convert the policy back to plain JSON text. For example, if you use Java, you \n can use the decode
method of the java.net.URLDecoder
utility class in \n the Java SDK. Other languages and SDKs provide similar functionality.
Retrieves information about the specified role, including the role's path, GUID, ARN,\n and the role's trust policy that grants permission to assume the role. For more\n information about roles, see IAM roles in the\n IAM User Guide.
\nPolicies returned by this operation are URL-encoded compliant \n with RFC 3986. You can use a URL \n decoding method to convert the policy back to plain JSON text. For example, if you use Java, you \n can use the decode
method of the java.net.URLDecoder
utility class in \n the Java SDK. Other languages and SDKs provide similar functionality.
Retrieves the specified inline policy document that is embedded with the specified\n IAM role.
\nPolicies returned by this operation are URL-encoded compliant \n with RFC 3986. You can use a URL \n decoding method to convert the policy back to plain JSON text. For example, if you use Java, you \n can use the decode
method of the java.net.URLDecoder
utility class in \n the Java SDK. Other languages and SDKs provide similar functionality.
An IAM role can also have managed policies attached to it. To retrieve a managed\n policy document that is attached to a role, use GetPolicy to determine\n the policy's default version, then use GetPolicyVersion to retrieve\n the policy document.
\nFor more information about policies, see Managed policies and inline\n policies in the IAM User Guide.
\nFor more information about roles, see Using roles to delegate permissions and\n federate identities.
" + "smithy.api#documentation": "Retrieves the specified inline policy document that is embedded with the specified\n IAM role.
\nPolicies returned by this operation are URL-encoded compliant \n with RFC 3986. You can use a URL \n decoding method to convert the policy back to plain JSON text. For example, if you use Java, you \n can use the decode
method of the java.net.URLDecoder
utility class in \n the Java SDK. Other languages and SDKs provide similar functionality.
An IAM role can also have managed policies attached to it. To retrieve a managed\n policy document that is attached to a role, use GetPolicy to determine\n the policy's default version, then use GetPolicyVersion to retrieve\n the policy document.
\nFor more information about policies, see Managed policies and inline\n policies in the IAM User Guide.
\nFor more information about roles, see IAM roles in the\n IAM User Guide.
" } }, "com.amazonaws.iam#GetRolePolicyRequest": { @@ -6613,7 +7189,36 @@ } ], "traits": { - "smithy.api#documentation": "Retrieves a service last accessed report that was created using the\n GenerateServiceLastAccessedDetails
operation. You can use the\n JobId
parameter in GetServiceLastAccessedDetails
to\n retrieve the status of your report job. When the report is complete, you can retrieve\n the generated report. The report includes a list of Amazon Web Services services that the resource\n (user, group, role, or managed policy) can access.
Service last accessed data does not use other policy types when determining\n whether a resource could access a service. These other policy types include\n resource-based policies, access control lists, Organizations policies, IAM permissions\n boundaries, and STS assume role policies. It only applies permissions policy\n logic. For more about the evaluation of policy types, see Evaluating policies in the\n IAM User Guide.
\nFor each service that the resource could access using permissions policies, the\n operation returns details about the most recent access attempt. If there was no attempt,\n the service is listed without details about the most recent attempt to access the\n service. If the operation fails, the GetServiceLastAccessedDetails
\n operation returns the reason that it failed.
The GetServiceLastAccessedDetails
operation returns a list of services.\n This list includes the number of entities that have attempted to access the service and\n the date and time of the last attempt. It also returns the ARN of the following entity,\n depending on the resource ARN that you used to generate the report:
\n User – Returns the user ARN that you\n used to generate the report
\n\n Group – Returns the ARN of the group\n member (user) that last attempted to access the service
\n\n Role – Returns the role ARN that you\n used to generate the report
\n\n Policy – Returns the ARN of the user\n or role that last used the policy to attempt to access the service
\nBy default, the list is sorted by service namespace.
\nIf you specified ACTION_LEVEL
granularity when you generated the report,\n this operation returns service and action last accessed data. This includes the most\n recent access attempt for each tracked action within a service. Otherwise, this\n operation returns only service data.
For more information about service and action last accessed data, see Reducing permissions using service last accessed data in the\n IAM User Guide.
" + "smithy.api#documentation": "Retrieves a service last accessed report that was created using the\n GenerateServiceLastAccessedDetails
operation. You can use the\n JobId
parameter in GetServiceLastAccessedDetails
to\n retrieve the status of your report job. When the report is complete, you can retrieve\n the generated report. The report includes a list of Amazon Web Services services that the resource\n (user, group, role, or managed policy) can access.
Service last accessed data does not use other policy types when determining\n whether a resource could access a service. These other policy types include\n resource-based policies, access control lists, Organizations policies, IAM permissions\n boundaries, and STS assume role policies. It only applies permissions policy\n logic. For more about the evaluation of policy types, see Evaluating policies in the\n IAM User Guide.
\nFor each service that the resource could access using permissions policies, the\n operation returns details about the most recent access attempt. If there was no attempt,\n the service is listed without details about the most recent attempt to access the\n service. If the operation fails, the GetServiceLastAccessedDetails
\n operation returns the reason that it failed.
The GetServiceLastAccessedDetails
operation returns a list of services.\n This list includes the number of entities that have attempted to access the service and\n the date and time of the last attempt. It also returns the ARN of the following entity,\n depending on the resource ARN that you used to generate the report:
\n User – Returns the user ARN that you\n used to generate the report
\n\n Group – Returns the ARN of the group\n member (user) that last attempted to access the service
\n\n Role – Returns the role ARN that you\n used to generate the report
\n\n Policy – Returns the ARN of the user\n or role that last used the policy to attempt to access the service
\nBy default, the list is sorted by service namespace.
\nIf you specified ACTION_LEVEL
granularity when you generated the report,\n this operation returns service and action last accessed data. This includes the most\n recent access attempt for each tracked action within a service. Otherwise, this\n operation returns only service data.
For more information about service and action last accessed data, see Reducing permissions using service last accessed data in the\n IAM User Guide.
", + "smithy.api#examples": [ + { + "title": "To get details from a previously-generated report", + "documentation": "The following operation gets details about the report with the job ID: examplef-1305-c245-eba4-71fe298bcda7", + "input": { + "JobId": "examplef-1305-c245-eba4-71fe298bcda7" + }, + "output": { + "JobStatus": "COMPLETED", + "JobCreationDate": "2018-10-24T19:47:31.466Z", + "ServicesLastAccessed": [ + { + "TotalAuthenticatedEntities": 2, + "LastAuthenticated": "2018-10-24T19:11:00Z", + "ServiceNamespace": "iam", + "LastAuthenticatedEntity": "arn:aws:iam::123456789012:user/AWSExampleUser01", + "ServiceName": "AWS Identity and Access Management" + }, + { + "TotalAuthenticatedEntities": 0, + "ServiceNamespace": "s3", + "ServiceName": "Amazon Simple Storage Service" + } + ], + "JobCompletionDate": "2018-10-24T19:47:35.241Z", + "IsTruncated": false + } + } + ] } }, "com.amazonaws.iam#GetServiceLastAccessedDetailsRequest": { @@ -6721,7 +7326,44 @@ } ], "traits": { - "smithy.api#documentation": "After you generate a group or policy report using the\n GenerateServiceLastAccessedDetails
operation, you can use the\n JobId
parameter in\n GetServiceLastAccessedDetailsWithEntities
. This operation retrieves the\n status of your report job and a list of entities that could have used group or policy\n permissions to access the specified service.
\n Group – For a group report, this\n operation returns a list of users in the group that could have used the group’s\n policies in an attempt to access the service.
\n\n Policy – For a policy report, this\n operation returns a list of entities (users or roles) that could have used the\n policy in an attempt to access the service.
\nYou can also use this operation for user or role reports to retrieve details about\n those entities.
\nIf the operation fails, the GetServiceLastAccessedDetailsWithEntities
\n operation returns the reason that it failed.
By default, the list of associated entities is sorted by date, with the most recent\n access listed first.
" + "smithy.api#documentation": "After you generate a group or policy report using the\n GenerateServiceLastAccessedDetails
operation, you can use the\n JobId
parameter in\n GetServiceLastAccessedDetailsWithEntities
. This operation retrieves the\n status of your report job and a list of entities that could have used group or policy\n permissions to access the specified service.
\n Group – For a group report, this\n operation returns a list of users in the group that could have used the group’s\n policies in an attempt to access the service.
\n\n Policy – For a policy report, this\n operation returns a list of entities (users or roles) that could have used the\n policy in an attempt to access the service.
\nYou can also use this operation for user or role reports to retrieve details about\n those entities.
\nIf the operation fails, the GetServiceLastAccessedDetailsWithEntities
\n operation returns the reason that it failed.
By default, the list of associated entities is sorted by date, with the most recent\n access listed first.
", + "smithy.api#examples": [ + { + "title": "To get sntity details from a previously-generated report", + "documentation": "The following operation returns details about the entities that attempted to access the IAM service.", + "input": { + "JobId": "examplef-1305-c245-eba4-71fe298bcda7", + "ServiceNamespace": "iam" + }, + "output": { + "JobStatus": "COMPLETED", + "JobCreationDate": "2018-10-24T19:47:31.466Z", + "JobCompletionDate": "2018-10-24T19:47:35.241Z", + "EntityDetailsList": [ + { + "EntityInfo": { + "Id": "AIDAEX2EXAMPLEB6IGCDC", + "Name": "AWSExampleUser01", + "Type": "USER", + "Path": "/", + "Arn": "arn:aws:iam::123456789012:user/AWSExampleUser01" + }, + "LastAuthenticated": "2018-10-24T19:10:00Z" + }, + { + "EntityInfo": { + "Id": "AROAEAEXAMPLEIANXSIU4", + "Name": "AWSExampleRole01", + "Type": "ROLE", + "Path": "/", + "Arn": "arn:aws:iam::123456789012:role/AWSExampleRole01" + } + } + ], + "IsTruncated": false + } + } + ] } }, "com.amazonaws.iam#GetServiceLastAccessedDetailsWithEntitiesRequest": { @@ -6890,6 +7532,24 @@ ], "traits": { "smithy.api#documentation": "Retrieves information about the specified IAM user, including the user's creation\n date, path, unique ID, and ARN.
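Review bot: The example title added for GetServiceLastAccessedDetailsWithEntities reads `To get sntity details from a previously-generated report`; `sntity` should be `entity`, and the string is carried into generated SDK documentation. The example's `documentation` text also says the output lists entities "that attempted to access the IAM service", yet the second entry (`AWSExampleRole01`) has no `LastAuthenticated`, which matches the operation's own wording of entities that could have used the permissions. Suggested text: `"documentation": "The following operation returns details about the entities that could have accessed the IAM service; an entry without LastAuthenticated presumably has no recorded access attempt."` That distinction matters to anyone using this report to prune unused access.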
\nIf you do not specify a user name, IAM determines the user name implicitly based on\n the Amazon Web Services access key ID used to sign the request to this operation.
", + "smithy.api#examples": [ + { + "title": "To get information about an IAM user", + "documentation": "The following command gets information about the IAM user named Bob.", + "input": { + "UserName": "Bob" + }, + "output": { + "User": { + "UserName": "Bob", + "Path": "/", + "CreateDate": "2012-09-21T23:03:13Z", + "UserId": "AKIAIOSFODNN7EXAMPLE", + "Arn": "arn:aws:iam::123456789012:user/Bob" + } + } + } + ], "smithy.api#suppress": [ "WaitableTraitInvalidErrorType" ], @@ -7305,6 +7965,31 @@ ], "traits": { "smithy.api#documentation": "Returns information about the access key IDs associated with the specified IAM user.\n If there is none, the operation returns an empty list.
\nAlthough each user is limited to a small number of keys, you can still paginate the\n results using the MaxItems
and Marker
parameters.
If the UserName
is not specified, the user name is determined implicitly\n based on the Amazon Web Services access key ID used to sign the request. If a temporary access key is\n used, then UserName
is required. If a long-term key is assigned to the\n user, then UserName
is not required. This operation works for access keys\n under the Amazon Web Services account. Consequently, you can use this operation to manage Amazon Web Services account root user\n credentials even if the Amazon Web Services account has no associated users.
To ensure the security of your Amazon Web Services account, the secret access key is accessible\n only during key and user creation.
\nLists the account alias associated with the Amazon Web Services account (Note: you can have only\n one). For information about using an Amazon Web Services account alias, see Creating,\n deleting, and listing an Amazon Web Services account alias in the Amazon Web Services Sign-In\n User Guide.
", + "smithy.api#examples": [ + { + "title": "To list account aliases", + "documentation": "The following command lists the aliases for the current account.", + "output": { + "AccountAliases": [ + "exmaple-corporation" + ] + } + } + ], "smithy.api#paginated": { "inputToken": "Marker", "outputToken": "Marker", @@ -7841,6 +8537,21 @@ ], "traits": { "smithy.api#documentation": "Lists the names of the inline policies that are embedded in the specified IAM\n group.
\nAn IAM group can also have managed policies attached to it. To list the managed\n policies that are attached to a group, use ListAttachedGroupPolicies.\n For more information about policies, see Managed policies and inline\n policies in the IAM User Guide.
\nYou can paginate the results using the MaxItems
and Marker
\n parameters. If there are no inline policies embedded with the specified group, the\n operation returns an empty list.
Lists the IAM groups that have the specified path prefix.
\n You can paginate the results using the MaxItems
and Marker
\n parameters.
Lists the IAM groups that the specified IAM user belongs to.
\nYou can paginate the results using the MaxItems
and Marker
\n parameters.
Lists the tags that are attached to the specified IAM instance profile. The returned list of tags is sorted by tag key.\n For more information about tagging, see Tagging IAM resources in the\n IAM User Guide.
" + "smithy.api#documentation": "Lists the tags that are attached to the specified IAM instance profile. The returned list of tags is sorted by tag key.\n For more information about tagging, see Tagging IAM resources in the\n IAM User Guide.
", + "smithy.api#paginated": { + "inputToken": "Marker", + "outputToken": "Marker", + "items": "Tags", + "pageSize": "MaxItems" + } } }, "com.amazonaws.iam#ListInstanceProfileTagsRequest": { @@ -8154,7 +8929,7 @@ } ], "traits": { - "smithy.api#documentation": "Lists the instance profiles that have the specified path prefix. If there are none,\n the operation returns an empty list. For more information about instance profiles, see\n About\n instance profiles.
\nIAM resource-listing operations return a subset of the available \n attributes for the resource. For example, this operation does not return tags, even though they are an attribute of the returned object. To view all of the information for an instance profile, see GetInstanceProfile.
\nYou can paginate the results using the MaxItems
and Marker
\n parameters.
Lists the instance profiles that have the specified path prefix. If there are none,\n the operation returns an empty list. For more information about instance profiles, see\n Using\n instance profiles in the IAM User Guide.
\nIAM resource-listing operations return a subset of the available \n attributes for the resource. For example, this operation does not return tags, even though they are an attribute of the returned object. To view all of the information for an instance profile, see GetInstanceProfile.
\nYou can paginate the results using the MaxItems
and Marker
\n parameters.
Lists the instance profiles that have the specified associated IAM role. If there\n are none, the operation returns an empty list. For more information about instance\n profiles, go to About instance\n profiles.
\nYou can paginate the results using the MaxItems
and Marker
\n parameters.
Lists the instance profiles that have the specified associated IAM role. If there\n are none, the operation returns an empty list. For more information about instance\n profiles, go to Using\n instance profiles in the IAM User Guide.
\nYou can paginate the results using the MaxItems
and Marker
\n parameters.
Lists the tags that are attached to the specified IAM virtual multi-factor authentication (MFA) device. The returned list of tags is\n sorted by tag key. For more information about tagging, see Tagging IAM resources in the\n IAM User Guide.
" + "smithy.api#documentation": "Lists the tags that are attached to the specified IAM virtual multi-factor authentication (MFA) device. The returned list of tags is\n sorted by tag key. For more information about tagging, see Tagging IAM resources in the\n IAM User Guide.
", + "smithy.api#paginated": { + "inputToken": "Marker", + "outputToken": "Marker", + "items": "Tags", + "pageSize": "MaxItems" + } } }, "com.amazonaws.iam#ListMFADeviceTagsRequest": { @@ -8479,7 +9260,13 @@ } ], "traits": { - "smithy.api#documentation": "Lists the tags that are attached to the specified OpenID Connect (OIDC)-compatible\n identity provider. The returned list of tags is sorted by tag key. For more information, see About web identity\n federation.
\nFor more information about tagging, see Tagging IAM resources in the\n IAM User Guide.
" + "smithy.api#documentation": "Lists the tags that are attached to the specified OpenID Connect (OIDC)-compatible\n identity provider. The returned list of tags is sorted by tag key. For more information, see About web identity\n federation.
\nFor more information about tagging, see Tagging IAM resources in the\n IAM User Guide.
", + "smithy.api#paginated": { + "inputToken": "Marker", + "outputToken": "Marker", + "items": "Tags", + "pageSize": "MaxItems" + } } }, "com.amazonaws.iam#ListOpenIDConnectProviderTagsRequest": { @@ -8616,7 +9403,51 @@ } ], "traits": { - "smithy.api#documentation": "Retrieves a list of policies that the IAM identity (user, group, or role) can use to\n access each specified service.
\nThis operation does not use other policy types when determining whether a resource\n could access a service. These other policy types include resource-based policies,\n access control lists, Organizations policies, IAM permissions boundaries, and STS\n assume role policies. It only applies permissions policy logic. For more about the\n evaluation of policy types, see Evaluating policies in the\n IAM User Guide.
\nThe list of policies returned by the operation depends on the ARN of the identity that\n you provide.
\n\n User – The list of policies includes\n the managed and inline policies that are attached to the user directly. The list\n also includes any additional managed and inline policies that are attached to\n the group to which the user belongs.
\n\n Group – The list of policies includes\n only the managed and inline policies that are attached to the group directly.\n Policies that are attached to the group’s user are not included.
\n\n Role – The list of policies includes\n only the managed and inline policies that are attached to the role.
\nFor each managed policy, this operation returns the ARN and policy name. For each\n inline policy, it returns the policy name and the entity to which it is attached. Inline\n policies do not have an ARN. For more information about these policy types, see Managed policies and inline policies in the\n IAM User Guide.
\nPolicies that are attached to users and roles as permissions boundaries are not\n returned. To view which managed policy is currently used to set the permissions boundary\n for a user or role, use the GetUser or GetRole\n operations.
" + "smithy.api#documentation": "Retrieves a list of policies that the IAM identity (user, group, or role) can use to\n access each specified service.
\nThis operation does not use other policy types when determining whether a resource\n could access a service. These other policy types include resource-based policies,\n access control lists, Organizations policies, IAM permissions boundaries, and STS\n assume role policies. It only applies permissions policy logic. For more about the\n evaluation of policy types, see Evaluating policies in the\n IAM User Guide.
\nThe list of policies returned by the operation depends on the ARN of the identity that\n you provide.
\n\n User – The list of policies includes\n the managed and inline policies that are attached to the user directly. The list\n also includes any additional managed and inline policies that are attached to\n the group to which the user belongs.
\n\n Group – The list of policies includes\n only the managed and inline policies that are attached to the group directly.\n Policies that are attached to the group’s user are not included.
\n\n Role – The list of policies includes\n only the managed and inline policies that are attached to the role.
\nFor each managed policy, this operation returns the ARN and policy name. For each\n inline policy, it returns the policy name and the entity to which it is attached. Inline\n policies do not have an ARN. For more information about these policy types, see Managed policies and inline policies in the\n IAM User Guide.
\nPolicies that are attached to users and roles as permissions boundaries are not\n returned. To view which managed policy is currently used to set the permissions boundary\n for a user or role, use the GetUser or GetRole\n operations.
", + "smithy.api#examples": [ + { + "title": "To list policies that allow access to a service", + "documentation": "The following operation lists policies that allow ExampleUser01 to access IAM or EC2.", + "input": { + "Arn": "arn:aws:iam::123456789012:user/ExampleUser01", + "ServiceNamespaces": [ + "iam", + "ec2" + ] + }, + "output": { + "IsTruncated": false, + "PoliciesGrantingServiceAccess": [ + { + "Policies": [ + { + "PolicyArn": "arn:aws:iam::123456789012:policy/ExampleIamPolicy", + "PolicyType": "MANAGED", + "PolicyName": "ExampleIamPolicy" + }, + { + "EntityName": "AWSExampleGroup1", + "EntityType": "GROUP", + "PolicyType": "INLINE", + "PolicyName": "ExampleGroup1Policy" + } + ], + "ServiceNamespace": "iam" + }, + { + "Policies": [ + { + "PolicyArn": "arn:aws:iam::123456789012:policy/ExampleEc2Policy", + "PolicyType": "MANAGED", + "PolicyName": "ExampleEc2Policy" + } + ], + "ServiceNamespace": "ec2" + } + ] + } + } + ] } }, "com.amazonaws.iam#ListPoliciesGrantingServiceAccessEntry": { @@ -8788,7 +9619,13 @@ } ], "traits": { - "smithy.api#documentation": "Lists the tags that are attached to the specified IAM customer managed policy.\n The returned list of tags is sorted by tag key. For more information about tagging, see Tagging IAM resources in the\n IAM User Guide.
" + "smithy.api#documentation": "Lists the tags that are attached to the specified IAM customer managed policy.\n The returned list of tags is sorted by tag key. For more information about tagging, see Tagging IAM resources in the\n IAM User Guide.
", + "smithy.api#paginated": { + "inputToken": "Marker", + "outputToken": "Marker", + "items": "Tags", + "pageSize": "MaxItems" + } } }, "com.amazonaws.iam#ListPolicyTagsRequest": { @@ -9029,7 +9866,35 @@ } ], "traits": { - "smithy.api#documentation": "Lists the tags that are attached to the specified role. The returned list of tags is\n sorted by tag key. For more information about tagging, see Tagging IAM resources in the\n IAM User Guide.
" + "smithy.api#documentation": "Lists the tags that are attached to the specified role. The returned list of tags is\n sorted by tag key. For more information about tagging, see Tagging IAM resources in the\n IAM User Guide.
", + "smithy.api#examples": [ + { + "title": "To list the tags attached to an IAM role", + "documentation": "The following example shows how to list the tags attached to a role.", + "input": { + "RoleName": "taggedrole1" + }, + "output": { + "Tags": [ + { + "Key": "Dept", + "Value": "12345" + }, + { + "Key": "Team", + "Value": "Accounting" + } + ], + "IsTruncated": false + } + } + ], + "smithy.api#paginated": { + "inputToken": "Marker", + "outputToken": "Marker", + "items": "Tags", + "pageSize": "MaxItems" + } } }, "com.amazonaws.iam#ListRoleTagsRequest": { @@ -9101,7 +9966,7 @@ } ], "traits": { - "smithy.api#documentation": "Lists the IAM roles that have the specified path prefix. If there are none, the\n operation returns an empty list. For more information about roles, see Working with\n roles.
\nIAM resource-listing operations return a subset of the available \n attributes for the resource. This operation does not return the following attributes, even though they are an attribute of the returned object:
\nPermissionsBoundary
\nRoleLastUsed
\nTags
\nTo view all of the information for a role, see GetRole.
\nYou can paginate the results using the MaxItems
and Marker
\n parameters.
Lists the IAM roles that have the specified path prefix. If there are none, the\n operation returns an empty list. For more information about roles, see IAM roles in the\n IAM User Guide.
\nIAM resource-listing operations return a subset of the available \n attributes for the resource. This operation does not return the following attributes, even though they are an attribute of the returned object:
\nPermissionsBoundary
\nRoleLastUsed
\nTags
\nTo view all of the information for a role, see GetRole.
\nYou can paginate the results using the MaxItems
and Marker
\n parameters.
Lists the tags that are attached to the specified Security Assertion Markup Language\n (SAML) identity provider. The returned list of tags is sorted by tag key. For more information, see About SAML 2.0-based\n federation.
\nFor more information about tagging, see Tagging IAM resources in the\n IAM User Guide.
" + "smithy.api#documentation": "Lists the tags that are attached to the specified Security Assertion Markup Language\n (SAML) identity provider. The returned list of tags is sorted by tag key. For more information, see About SAML 2.0-based\n federation.
\nFor more information about tagging, see Tagging IAM resources in the\n IAM User Guide.
", + "smithy.api#paginated": { + "inputToken": "Marker", + "outputToken": "Marker", + "items": "Tags", + "pageSize": "MaxItems" + } } }, "com.amazonaws.iam#ListSAMLProviderTagsRequest": { @@ -9376,7 +10247,13 @@ } ], "traits": { - "smithy.api#documentation": "Lists the tags that are attached to the specified IAM server certificate. The\n returned list of tags is sorted by tag key. For more information about tagging, see Tagging IAM resources in the\n IAM User Guide.
\nFor certificates in a Region supported by Certificate Manager (ACM), we\n recommend that you don't use IAM server certificates. Instead, use ACM to provision,\n manage, and deploy your server certificates. For more information about IAM server\n certificates, Working with server\n certificates in the IAM User Guide.
\nLists the tags that are attached to the specified IAM server certificate. The\n returned list of tags is sorted by tag key. For more information about tagging, see Tagging IAM resources in the\n IAM User Guide.
\nFor certificates in a Region supported by Certificate Manager (ACM), we\n recommend that you don't use IAM server certificates. Instead, use ACM to provision,\n manage, and deploy your server certificates. For more information about IAM server\n certificates, Working with server\n certificates in the IAM User Guide.
\nReturns information about the signing certificates associated with the specified IAM\n user. If none exists, the operation returns an empty list.
\nAlthough each user is limited to a small number of signing certificates, you can still\n paginate the results using the MaxItems
and Marker
\n parameters.
If the UserName
field is not specified, the user name is determined\n implicitly based on the Amazon Web Services access key ID used to sign the request for this operation.\n This operation works for access keys under the Amazon Web Services account. Consequently, you can use\n this operation to manage Amazon Web Services account root user credentials even if the Amazon Web Services account has no\n associated users.
Lists the tags that are attached to the specified IAM user. The returned list of tags is sorted by tag key. For more information about tagging, see Tagging IAM resources in the\n IAM User Guide.
", + "smithy.api#examples": [ + { + "title": "To list the tags attached to an IAM user", + "documentation": "The following example shows how to list the tags attached to a user.", + "input": { + "UserName": "anika" + }, + "output": { + "Tags": [ + { + "Key": "Dept", + "Value": "12345" + }, + { + "Key": "Team", + "Value": "Accounting" + } + ], + "IsTruncated": false + } + } + ], "smithy.api#paginated": { "inputToken": "Marker", "outputToken": "Marker", @@ -9825,6 +10744,32 @@ ], "traits": { "smithy.api#documentation": "Lists the IAM users that have the specified path prefix. If no path prefix is\n specified, the operation returns all users in the Amazon Web Services account. If there are none, the\n operation returns an empty list.
\nIAM resource-listing operations return a subset of the available \n attributes for the resource. This operation does not return the following attributes, even though they are an attribute of the returned object:
\nPermissionsBoundary
\nTags
\nTo view all of the information for a user, see GetUser.
\nYou can paginate the results using the MaxItems
and Marker
\n parameters.
Lists the virtual MFA devices defined in the Amazon Web Services account by assignment status. If\n you do not specify an assignment status, the operation returns a list of all virtual MFA\n devices. Assignment status can be Assigned
, Unassigned
, or\n Any
.
IAM resource-listing operations return a subset of the available \n attributes for the resource. For example, this operation does not return tags, even though they are an attribute of the returned object. To view tag information for a virtual MFA device, see ListMFADeviceTags.
\nYou can paginate the results using the MaxItems
and Marker
\n parameters.
Adds or updates an inline policy document that is embedded in the specified IAM\n group.
\nA user can also have managed policies attached to it. To attach a managed policy to a\n group, use AttachGroupPolicy. To create a new managed policy, use\n CreatePolicy. For information about policies, see Managed\n policies and inline policies in the\n IAM User Guide.
\nFor information about the maximum number of inline policies that you can embed in a\n group, see IAM and STS quotas in the IAM User Guide.
\nBecause policy documents can be large, you should use POST rather than GET when\n calling PutGroupPolicy
. For general information about using the Query\n API with IAM, see Making query requests in the\n IAM User Guide.
Adds or updates an inline policy document that is embedded in the specified IAM\n group.
\nA user can also have managed policies attached to it. To attach a managed policy to a\n group, use \n AttachGroupPolicy
\n . To create a new managed policy, use\n \n CreatePolicy
\n . For information about policies, see Managed\n policies and inline policies in the\n IAM User Guide.
For information about the maximum number of inline policies that you can embed in a\n group, see IAM and STS quotas in the IAM User Guide.
\nBecause policy documents can be large, you should use POST rather than GET when\n calling PutGroupPolicy
. For general information about using the Query\n API with IAM, see Making query requests in the\n IAM User Guide.
The policy document.
\nYou must provide policies in JSON format in IAM. However, for CloudFormation templates\n formatted in YAML, you can provide the policy in JSON or YAML format. CloudFormation always\n converts a YAML policy to JSON format before submitting it to = IAM.
\nThe regex pattern \n used to validate this parameter is a string of characters consisting of the following:
\nAny printable ASCII \n character ranging from the space character (\\u0020
) through the end of the ASCII character range
The printable characters in the Basic Latin and Latin-1 Supplement character set \n (through \\u00FF
)
The special characters tab (\\u0009
), line feed (\\u000A
), and \n carriage return (\\u000D
)
The policy document.
\nYou must provide policies in JSON format in IAM. However, for CloudFormation templates\n formatted in YAML, you can provide the policy in JSON or YAML format. CloudFormation always\n converts a YAML policy to JSON format before submitting it to IAM.
\nThe regex pattern \n used to validate this parameter is a string of characters consisting of the following:
\nAny printable ASCII \n character ranging from the space character (\\u0020
) through the end of the ASCII character range
The printable characters in the Basic Latin and Latin-1 Supplement character set \n (through \\u00FF
)
The special characters tab (\\u0009
), line feed (\\u000A
), and \n carriage return (\\u000D
)
Adds or updates an inline policy document that is embedded in the specified IAM\n role.
\nWhen you embed an inline policy in a role, the inline policy is used as part of the\n role's access (permissions) policy. The role's trust policy is created at the same time\n as the role, using CreateRole. You can update a role's trust policy\n using UpdateAssumeRolePolicy. For more information about IAM roles,\n see Using roles to\n delegate permissions and federate identities.
\nA role can also have a managed policy attached to it. To attach a managed policy to a\n role, use AttachRolePolicy. To create a new managed policy, use CreatePolicy. For information about policies, see Managed\n policies and inline policies in the\n IAM User Guide.
\nFor information about the maximum number of inline policies that you can embed with a\n role, see IAM and STS quotas in the IAM User Guide.
\nBecause policy documents can be large, you should use POST rather than GET when\n calling PutRolePolicy
. For general information about using the Query\n API with IAM, see Making query requests in the\n IAM User Guide.
Adds or updates an inline policy document that is embedded in the specified IAM\n role.
\nWhen you embed an inline policy in a role, the inline policy is used as part of the\n role's access (permissions) policy. The role's trust policy is created at the same time\n as the role, using \n CreateRole
\n .\n You can update a role's trust policy using \n UpdateAssumeRolePolicy
\n . For more information about roles,\n see IAM\n roles in the IAM User Guide.
A role can also have a managed policy attached to it. To attach a managed policy to a\n role, use \n AttachRolePolicy
\n . To create a new managed policy, use\n \n CreatePolicy
\n . For information about policies, see Managed\n policies and inline policies in the\n IAM User Guide.
For information about the maximum number of inline policies that you can embed with a\n role, see IAM and STS quotas in the IAM User Guide.
\nBecause policy documents can be large, you should use POST rather than GET when\n calling PutRolePolicy
. For general information about using the Query\n API with IAM, see Making query requests in the\n IAM User Guide.
Adds or updates an inline policy document that is embedded in the specified IAM\n user.
\nAn IAM user can also have a managed policy attached to it. To attach a managed\n policy to a user, use AttachUserPolicy. To create a new managed\n policy, use CreatePolicy. For information about policies, see Managed\n policies and inline policies in the\n IAM User Guide.
\nFor information about the maximum number of inline policies that you can embed in a\n user, see IAM and STS quotas in the IAM User Guide.
\nBecause policy documents can be large, you should use POST rather than GET when\n calling PutUserPolicy
. For general information about using the Query\n API with IAM, see Making query requests in the\n IAM User Guide.
Adds or updates an inline policy document that is embedded in the specified IAM\n user.
\nAn IAM user can also have a managed policy attached to it. To attach a managed\n policy to a user, use \n AttachUserPolicy
\n . To create a new managed policy, use\n \n CreatePolicy
\n . For information about policies, see Managed\n policies and inline policies in the\n IAM User Guide.
For information about the maximum number of inline policies that you can embed in a\n user, see IAM and STS quotas in the IAM User Guide.
\nBecause policy documents can be large, you should use POST rather than GET when\n calling PutUserPolicy
. For general information about using the Query\n API with IAM, see Making query requests in the\n IAM User Guide.
Removes the specified IAM role from the specified EC2 instance profile.
\nMake sure that you do not have any Amazon EC2 instances running with the role you\n are about to remove from the instance profile. Removing a role from an instance\n profile that is associated with a running instance might break any applications\n running on the instance.
\nFor more information about IAM roles, see Working with roles. For more\n information about instance profiles, see About instance\n profiles.
" + "smithy.api#documentation": "Removes the specified IAM role from the specified EC2 instance profile.
\nMake sure that you do not have any Amazon EC2 instances running with the role you\n are about to remove from the instance profile. Removing a role from an instance\n profile that is associated with a running instance might break any applications\n running on the instance.
\nFor more information about roles, see IAM roles in the\n IAM User Guide. For more information about instance profiles,\n see Using\n instance profiles in the IAM User Guide.
", + "smithy.api#examples": [ + { + "title": "To remove a role from an instance profile", + "documentation": "The following command removes the role named Test-Role from the instance profile named ExampleInstanceProfile.", + "input": { + "RoleName": "Test-Role", + "InstanceProfileName": "ExampleInstanceProfile" + } + } + ] } }, "com.amazonaws.iam#RemoveRoleFromInstanceProfileRequest": { @@ -11109,7 +12113,17 @@ } ], "traits": { - "smithy.api#documentation": "Removes the specified user from the specified group.
" + "smithy.api#documentation": "Removes the specified user from the specified group.
", + "smithy.api#examples": [ + { + "title": "To remove a user from an IAM group", + "documentation": "The following command removes the user named Bob from the IAM group named Admins.", + "input": { + "UserName": "Bob", + "GroupName": "Admins" + } + } + ] } }, "com.amazonaws.iam#RemoveUserFromGroupRequest": { @@ -12077,7 +13091,16 @@ } ], "traits": { - "smithy.api#documentation": "Sets the specified version of the global endpoint token as the token version used for\n the Amazon Web Services account.
\nBy default, Security Token Service (STS) is available as a global service, and all STS requests\n go to a single endpoint at https://sts.amazonaws.com
. Amazon Web Services recommends\n using Regional STS endpoints to reduce latency, build in redundancy, and increase\n session token availability. For information about Regional endpoints for STS, see\n Security Token Service\n endpoints and quotas in the Amazon Web Services General Reference.
If you make an STS call to the global endpoint, the resulting session tokens might\n be valid in some Regions but not others. It depends on the version that is set in this\n operation. Version 1 tokens are valid only in Amazon Web Services Regions that are\n available by default. These tokens do not work in manually enabled Regions, such as Asia\n Pacific (Hong Kong). Version 2 tokens are valid in all Regions. However, version 2\n tokens are longer and might affect systems where you temporarily store tokens. For\n information, see Activating and\n deactivating STS in an Amazon Web Services Region in the\n IAM User Guide.
\nTo view the current session token version, see the\n GlobalEndpointTokenVersion
entry in the response of the GetAccountSummary operation.
Sets the specified version of the global endpoint token as the token version used for\n the Amazon Web Services account.
\nBy default, Security Token Service (STS) is available as a global service, and all STS requests\n go to a single endpoint at https://sts.amazonaws.com
. Amazon Web Services recommends\n using Regional STS endpoints to reduce latency, build in redundancy, and increase\n session token availability. For information about Regional endpoints for STS, see\n Security Token Service\n endpoints and quotas in the Amazon Web Services General Reference.
If you make an STS call to the global endpoint, the resulting session tokens might\n be valid in some Regions but not others. It depends on the version that is set in this\n operation. Version 1 tokens are valid only in Amazon Web Services Regions that are\n available by default. These tokens do not work in manually enabled Regions, such as Asia\n Pacific (Hong Kong). Version 2 tokens are valid in all Regions. However, version 2\n tokens are longer and might affect systems where you temporarily store tokens. For\n information, see Activating and\n deactivating STS in an Amazon Web Services Region in the\n IAM User Guide.
\nTo view the current session token version, see the\n GlobalEndpointTokenVersion
entry in the response of the GetAccountSummary operation.
Adds one or more tags to an IAM role. The role can be a regular role or a\n service-linked role. If a tag with the same key name already exists, then that tag is\n overwritten with the new value.
\nA tag consists of a key name and an associated value. By assigning tags to your\n resources, you can do the following:
\n\n Administrative grouping and discovery - Attach\n tags to resources to aid in organization and search. For example, you could search for all\n resources with the key name Project and the value\n MyImportantProject. Or search for all resources with the key name\n Cost Center and the value 41200.
\n\n Access control - Include tags in IAM user-based\n and resource-based policies. You can use tags to restrict access to only an IAM role\n that has a specified tag attached. You can also restrict access to only those resources\n that have a certain tag attached. For examples of policies that show how to use tags to\n control access, see Control access using IAM tags in the\n IAM User Guide.
\n\n Cost allocation - Use tags to help track which\n individuals and teams are using which Amazon Web Services resources.
\nIf any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request \n fails and the resource is not created. For more information about tagging, see Tagging IAM resources in the\n IAM User Guide.
\nAmazon Web Services always interprets the tag Value
as a single string. If you\n need to store an array, you can store comma-separated values in the string. However, you\n must interpret the value in your code.
For more information about tagging, see Tagging IAM identities in the\n IAM User Guide.
" + "smithy.api#documentation": "Adds one or more tags to an IAM role. The role can be a regular role or a\n service-linked role. If a tag with the same key name already exists, then that tag is\n overwritten with the new value.
\nA tag consists of a key name and an associated value. By assigning tags to your\n resources, you can do the following:
\n\n Administrative grouping and discovery - Attach\n tags to resources to aid in organization and search. For example, you could search for all\n resources with the key name Project and the value\n MyImportantProject. Or search for all resources with the key name\n Cost Center and the value 41200.
\n\n Access control - Include tags in IAM user-based\n and resource-based policies. You can use tags to restrict access to only an IAM role\n that has a specified tag attached. You can also restrict access to only those resources\n that have a certain tag attached. For examples of policies that show how to use tags to\n control access, see Control access using IAM tags in the\n IAM User Guide.
\n\n Cost allocation - Use tags to help track which\n individuals and teams are using which Amazon Web Services resources.
\nIf any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request \n fails and the resource is not created. For more information about tagging, see Tagging IAM resources in the\n IAM User Guide.
\nAmazon Web Services always interprets the tag Value
as a single string. If you\n need to store an array, you can store comma-separated values in the string. However, you\n must interpret the value in your code.
For more information about tagging, see Tagging IAM identities in the\n IAM User Guide.
", + "smithy.api#examples": [ + { + "title": "To add a tag key and value to an IAM role", + "documentation": "The following example shows how to add tags to an existing role.", + "input": { + "RoleName": "taggedrole", + "Tags": [ + { + "Key": "Dept", + "Value": "Accounting" + }, + { + "Key": "CostCenter", + "Value": "12345" + } + ] + } + } + ] } }, "com.amazonaws.iam#TagRoleRequest": { @@ -12826,7 +13868,26 @@ } ], "traits": { - "smithy.api#documentation": "Adds one or more tags to an IAM user. If a tag with the same key name already exists,\n then that tag is overwritten with the new value.
\nA tag consists of a key name and an associated value. By assigning tags to your\n resources, you can do the following:
\n\n Administrative grouping and discovery - Attach\n tags to resources to aid in organization and search. For example, you could search for all\n resources with the key name Project and the value\n MyImportantProject. Or search for all resources with the key name\n Cost Center and the value 41200.
\n\n Access control - Include tags in IAM identity-based\n and resource-based policies. You can use tags to restrict access to only an IAM\n requesting user that has a specified tag attached. You can also restrict access to only\n those resources that have a certain tag attached. For examples of policies that show how\n to use tags to control access, see Control access using IAM tags in the\n IAM User Guide.
\n\n Cost allocation - Use tags to help track which\n individuals and teams are using which Amazon Web Services resources.
\nIf any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request \n fails and the resource is not created. For more information about tagging, see Tagging IAM resources in the\n IAM User Guide.
\nAmazon Web Services always interprets the tag Value
as a single string. If you\n need to store an array, you can store comma-separated values in the string. However, you\n must interpret the value in your code.
For more information about tagging, see Tagging IAM identities in the\n IAM User Guide.
" + "smithy.api#documentation": "Adds one or more tags to an IAM user. If a tag with the same key name already exists,\n then that tag is overwritten with the new value.
\nA tag consists of a key name and an associated value. By assigning tags to your\n resources, you can do the following:
\n\n Administrative grouping and discovery - Attach\n tags to resources to aid in organization and search. For example, you could search for all\n resources with the key name Project and the value\n MyImportantProject. Or search for all resources with the key name\n Cost Center and the value 41200.
\n\n Access control - Include tags in IAM identity-based\n and resource-based policies. You can use tags to restrict access to only an IAM\n requesting user that has a specified tag attached. You can also restrict access to only\n those resources that have a certain tag attached. For examples of policies that show how\n to use tags to control access, see Control access using IAM tags in the\n IAM User Guide.
\n\n Cost allocation - Use tags to help track which\n individuals and teams are using which Amazon Web Services resources.
\nIf any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request \n fails and the resource is not created. For more information about tagging, see Tagging IAM resources in the\n IAM User Guide.
\nAmazon Web Services always interprets the tag Value
as a single string. If you\n need to store an array, you can store comma-separated values in the string. However, you\n must interpret the value in your code.
For more information about tagging, see Tagging IAM identities in the\n IAM User Guide.
", + "smithy.api#examples": [ + { + "title": "To add a tag key and value to an IAM user", + "documentation": "The following example shows how to add tags to an existing user.", + "input": { + "UserName": "anika", + "Tags": [ + { + "Key": "Dept", + "Value": "Accounting" + }, + { + "Key": "CostCenter", + "Value": "12345" + } + ] + } + } + ] } }, "com.amazonaws.iam#TagUserRequest": { @@ -13132,7 +14193,19 @@ } ], "traits": { - "smithy.api#documentation": "Removes the specified tags from the role. For more information about tagging, see Tagging IAM resources in the\n IAM User Guide.
" + "smithy.api#documentation": "Removes the specified tags from the role. For more information about tagging, see Tagging IAM resources in the\n IAM User Guide.
", + "smithy.api#examples": [ + { + "title": "To remove a tag from an IAM role", + "documentation": "The following example shows how to remove a tag with the key 'Dept' from a role named 'taggedrole'.", + "input": { + "RoleName": "taggedrole", + "TagKeys": [ + "Dept" + ] + } + } + ] } }, "com.amazonaws.iam#UntagRoleRequest": { @@ -13273,7 +14346,19 @@ } ], "traits": { - "smithy.api#documentation": "Removes the specified tags from the user. For more information about tagging, see Tagging IAM resources in the\n IAM User Guide.
" + "smithy.api#documentation": "Removes the specified tags from the user. For more information about tagging, see Tagging IAM resources in the\n IAM User Guide.
", + "smithy.api#examples": [ + { + "title": "To remove a tag from an IAM user", + "documentation": "The following example shows how to remove tags that are attached to a user named 'anika'.", + "input": { + "UserName": "anika", + "TagKeys": [ + "Dept" + ] + } + } + ] } }, "com.amazonaws.iam#UntagUserRequest": { @@ -13318,7 +14403,18 @@ } ], "traits": { - "smithy.api#documentation": "Changes the status of the specified access key from Active to Inactive, or vice versa.\n This operation can be used to disable a user's key as part of a key rotation\n workflow.
\nIf the UserName
is not specified, the user name is determined implicitly\n based on the Amazon Web Services access key ID used to sign the request. If a temporary access key is\n used, then UserName
is required. If a long-term key is assigned to the\n user, then UserName
is not required. This operation works for access keys\n under the Amazon Web Services account. Consequently, you can use this operation to manage Amazon Web Services account root user\n credentials even if the Amazon Web Services account has no associated users.
For information about rotating keys, see Managing keys and certificates\n in the IAM User Guide.
" + "smithy.api#documentation": "Changes the status of the specified access key from Active to Inactive, or vice versa.\n This operation can be used to disable a user's key as part of a key rotation\n workflow.
\nIf the UserName
is not specified, the user name is determined implicitly\n based on the Amazon Web Services access key ID used to sign the request. If a temporary access key is\n used, then UserName
is required. If a long-term key is assigned to the\n user, then UserName
is not required. This operation works for access keys\n under the Amazon Web Services account. Consequently, you can use this operation to manage Amazon Web Services account root user\n credentials even if the Amazon Web Services account has no associated users.
For information about rotating keys, see Managing keys and certificates\n in the IAM User Guide.
", + "smithy.api#examples": [ + { + "title": "To activate or deactivate an access key for an IAM user", + "documentation": "The following command deactivates the specified access key (access key ID and secret access key) for the IAM user named Bob.", + "input": { + "UserName": "Bob", + "Status": "Inactive", + "AccessKeyId": "AKIAIOSFODNN7EXAMPLE" + } + } + ] } }, "com.amazonaws.iam#UpdateAccessKeyRequest": { @@ -13372,7 +14468,17 @@ } ], "traits": { - "smithy.api#documentation": "Updates the password policy settings for the Amazon Web Services account.
\nThis operation does not support partial updates. No parameters are required, but\n if you do not specify a parameter, that parameter's value reverts to its default\n value. See the Request Parameters section for each\n parameter's default value. Also note that some parameters do not allow the default\n parameter to be explicitly set. Instead, to invoke the default value, do not include\n that parameter when you invoke the operation.
\nFor more information about using a password policy, see Managing an IAM password\n policy in the IAM User Guide.
" + "smithy.api#documentation": "Updates the password policy settings for the Amazon Web Services account.
\nThis operation does not support partial updates. No parameters are required, but\n if you do not specify a parameter, that parameter's value reverts to its default\n value. See the Request Parameters section for each\n parameter's default value. Also note that some parameters do not allow the default\n parameter to be explicitly set. Instead, to invoke the default value, do not include\n that parameter when you invoke the operation.
\nFor more information about using a password policy, see Managing an IAM password\n policy in the IAM User Guide.
", + "smithy.api#examples": [ + { + "title": "To set or change the current account password policy", + "documentation": "The following command sets the password policy to require a minimum length of eight characters and to require one or more numbers in the password:", + "input": { + "MinimumPasswordLength": 8, + "RequireNumbers": true + } + } + ] } }, "com.amazonaws.iam#UpdateAccountPasswordPolicyRequest": { @@ -13468,7 +14574,17 @@ } ], "traits": { - "smithy.api#documentation": "Updates the policy that grants an IAM entity permission to assume a role. This is\n typically referred to as the \"role trust policy\". For more information about roles, see\n Using roles to\n delegate permissions and federate identities.
" + "smithy.api#documentation": "Updates the policy that grants an IAM entity permission to assume a role. This is\n typically referred to as the \"role trust policy\". For more information about roles, see\n Using roles to\n delegate permissions and federate identities.
", + "smithy.api#examples": [ + { + "title": "To update the trust policy for an IAM role", + "documentation": "The following command updates the role trust policy for the role named Test-Role:", + "input": { + "PolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"ec2.amazonaws.com\"]},\"Action\":[\"sts:AssumeRole\"]}]}", + "RoleName": "S3AccessForEC2Instances" + } + } + ] } }, "com.amazonaws.iam#UpdateAssumeRolePolicyRequest": { @@ -13516,7 +14632,17 @@ } ], "traits": { - "smithy.api#documentation": "Updates the name and/or the path of the specified IAM group.
\nYou should understand the implications of changing a group's path or name. For\n more information, see Renaming users and\n groups in the IAM User Guide.
\nThe person making the request (the principal), must have permission to change the\n role group with the old name and the new name. For example, to change the group\n named Managers
to MGRs
, the principal must have a policy\n that allows them to update both groups. If the principal has permission to update\n the Managers
group, but not the MGRs
group, then the\n update fails. For more information about permissions, see Access management.\n
Updates the name and/or the path of the specified IAM group.
\nYou should understand the implications of changing a group's path or name. For\n more information, see Renaming users and\n groups in the IAM User Guide.
\nThe person making the request (the principal), must have permission to change the\n role group with the old name and the new name. For example, to change the group\n named Managers
to MGRs
, the principal must have a policy\n that allows them to update both groups. If the principal has permission to update\n the Managers
group, but not the MGRs
group, then the\n update fails. For more information about permissions, see Access management.\n
Changes the password for the specified IAM user. You can use the CLI, the Amazon Web Services\n API, or the Users page in the IAM console to change\n the password for any IAM user. Use ChangePassword to change your own\n password in the My Security Credentials page in the\n Amazon Web Services Management Console.
\nFor more information about modifying passwords, see Managing passwords in the\n IAM User Guide.
" + "smithy.api#documentation": "Changes the password for the specified IAM user. You can use the CLI, the Amazon Web Services\n API, or the Users page in the IAM console to change\n the password for any IAM user. Use ChangePassword to change your own\n password in the My Security Credentials page in the\n Amazon Web Services Management Console.
\nFor more information about modifying passwords, see Managing passwords in the\n IAM User Guide.
", + "smithy.api#examples": [ + { + "title": "To change the password for an IAM user", + "documentation": "The following command creates or changes the password for the IAM user named Bob.", + "input": { + "UserName": "Bob", + "Password": "SomeKindOfPassword123!@#" + } + } + ] } }, "com.amazonaws.iam#UpdateLoginProfileRequest": { @@ -13622,7 +14758,7 @@ } ], "traits": { - "smithy.api#documentation": "Replaces the existing list of server certificate thumbprints associated with an OpenID\n Connect (OIDC) provider resource object with a new list of thumbprints.
\nThe list that you pass with this operation completely replaces the existing list of\n thumbprints. (The lists are not merged.)
\nTypically, you need to update a thumbprint only when the identity provider certificate\n changes, which occurs rarely. However, if the provider's certificate\n does change, any attempt to assume an IAM role that specifies\n the OIDC provider as a principal fails until the certificate thumbprint is\n updated.
\nAmazon Web Services secures communication with some OIDC identity providers (IdPs) through our\n library of trusted certificate authorities (CAs) instead of using a certificate\n thumbprint to verify your IdP server certificate. These OIDC IdPs include Google, Auth0,\n and those that use an Amazon S3 bucket to host a JSON Web Key Set (JWKS) endpoint. In these\n cases, your legacy thumbprint remains in your configuration, but is no longer used for\n validation.
\nTrust for the OIDC provider is derived from the provider certificate and is\n validated by the thumbprint. Therefore, it is best to limit access to the\n UpdateOpenIDConnectProviderThumbprint
operation to highly\n privileged users.
Replaces the existing list of server certificate thumbprints associated with an OpenID\n Connect (OIDC) provider resource object with a new list of thumbprints.
\nThe list that you pass with this operation completely replaces the existing list of\n thumbprints. (The lists are not merged.)
\nTypically, you need to update a thumbprint only when the identity provider certificate\n changes, which occurs rarely. However, if the provider's certificate\n does change, any attempt to assume an IAM role that specifies\n the OIDC provider as a principal fails until the certificate thumbprint is\n updated.
\nAmazon Web Services secures communication with some OIDC identity providers (IdPs) through our\n library of trusted root certificate authorities (CAs) instead of using a certificate\n thumbprint to verify your IdP server certificate. These OIDC IdPs include Auth0, GitHub,\n Google, and those that use an Amazon S3 bucket to host a JSON Web Key Set (JWKS) endpoint. In\n these cases, your legacy thumbprint remains in your configuration, but is no longer used\n for validation.
\nTrust for the OIDC provider is derived from the provider certificate and is\n validated by the thumbprint. Therefore, it is best to limit access to the\n UpdateOpenIDConnectProviderThumbprint
operation to highly\n privileged users.
Changes the status of the specified user signing certificate from active to disabled,\n or vice versa. This operation can be used to disable an IAM user's signing\n certificate as part of a certificate rotation work flow.
\nIf the UserName
field is not specified, the user name is determined\n implicitly based on the Amazon Web Services access key ID used to sign the request. This operation\n works for access keys under the Amazon Web Services account. Consequently, you can use this operation\n to manage Amazon Web Services account root user credentials even if the Amazon Web Services account has no associated\n users.
Changes the status of the specified user signing certificate from active to disabled,\n or vice versa. This operation can be used to disable an IAM user's signing\n certificate as part of a certificate rotation work flow.
\nIf the UserName
field is not specified, the user name is determined\n implicitly based on the Amazon Web Services access key ID used to sign the request. This operation\n works for access keys under the Amazon Web Services account. Consequently, you can use this operation\n to manage Amazon Web Services account root user credentials even if the Amazon Web Services account has no associated\n users.
Updates the name and/or the path of the specified IAM user.
\nYou should understand the implications of changing an IAM user's path or\n name. For more information, see Renaming an IAM\n user and Renaming an IAM\n group in the IAM User Guide.
\nTo change a user name, the requester must have appropriate permissions on both\n the source object and the target object. For example, to change Bob to Robert, the\n entity making the request must have permission on Bob and Robert, or must have\n permission on all (*). For more information about permissions, see Permissions and policies.
\nUpdates the name and/or the path of the specified IAM user.
\nYou should understand the implications of changing an IAM user's path or\n name. For more information, see Renaming an IAM\n user and Renaming an IAM\n group in the IAM User Guide.
\nTo change a user name, the requester must have appropriate permissions on both\n the source object and the target object. For example, to change Bob to Robert, the\n entity making the request must have permission on Bob and Robert, or must have\n permission on all (*). For more information about permissions, see Permissions and policies.
\nUploads a server certificate entity for the Amazon Web Services account. The server certificate\n entity includes a public key certificate, a private key, and an optional certificate\n chain, which should all be PEM-encoded.
\nWe recommend that you use Certificate Manager to\n provision, manage, and deploy your server certificates. With ACM you can request a\n certificate, deploy it to Amazon Web Services resources, and let ACM handle certificate renewals for\n you. Certificates provided by ACM are free. For more information about using ACM,\n see the Certificate Manager User\n Guide.
\nFor more information about working with server certificates, see Working\n with server certificates in the IAM User Guide. This\n topic includes a list of Amazon Web Services services that can use the server certificates that you\n manage with IAM.
\nFor information about the number of server certificates you can upload, see IAM and STS\n quotas in the IAM User Guide.
\nBecause the body of the public key certificate, private key, and the certificate\n chain can be large, you should use POST rather than GET when calling\n UploadServerCertificate
. For information about setting up\n signatures and authorization through the API, see Signing Amazon Web Services API\n requests in the Amazon Web Services General Reference. For general\n information about using the Query API with IAM, see Calling the API by making HTTP query\n requests in the IAM User Guide.
Uploads a server certificate entity for the Amazon Web Services account. The server certificate\n entity includes a public key certificate, a private key, and an optional certificate\n chain, which should all be PEM-encoded.
\nWe recommend that you use Certificate Manager to\n provision, manage, and deploy your server certificates. With ACM you can request a\n certificate, deploy it to Amazon Web Services resources, and let ACM handle certificate renewals for\n you. Certificates provided by ACM are free. For more information about using ACM,\n see the Certificate Manager User\n Guide.
\nFor more information about working with server certificates, see Working\n with server certificates in the IAM User Guide. This\n topic includes a list of Amazon Web Services services that can use the server certificates that you\n manage with IAM.
\nFor information about the number of server certificates you can upload, see IAM and STS\n quotas in the IAM User Guide.
\nBecause the body of the public key certificate, private key, and the certificate\n chain can be large, you should use POST rather than GET when calling\n UploadServerCertificate
. For information about setting up\n signatures and authorization through the API, see Signing Amazon Web Services API\n requests in the Amazon Web Services General Reference. For general\n information about using the Query API with IAM, see Calling the API by making HTTP query\n requests in the IAM User Guide.
Uploads an X.509 signing certificate and associates it with the specified IAM user.\n Some Amazon Web Services services require you to use certificates to validate requests that are signed\n with a corresponding private key. When you upload the certificate, its default status is\n Active
.
For information about when you would use an X.509 signing certificate, see Managing\n server certificates in IAM in the\n IAM User Guide.
\nIf the UserName
is not specified, the IAM user name is determined\n implicitly based on the Amazon Web Services access key ID used to sign the request. This operation\n works for access keys under the Amazon Web Services account. Consequently, you can use this operation\n to manage Amazon Web Services account root user credentials even if the Amazon Web Services account has no associated\n users.
Because the body of an X.509 certificate can be large, you should use POST rather\n than GET when calling UploadSigningCertificate
. For information about\n setting up signatures and authorization through the API, see Signing\n Amazon Web Services API requests in the Amazon Web Services General Reference. For\n general information about using the Query API with IAM, see Making query\n requests in the IAM User Guide.
Uploads an X.509 signing certificate and associates it with the specified IAM user.\n Some Amazon Web Services services require you to use certificates to validate requests that are signed\n with a corresponding private key. When you upload the certificate, its default status is\n Active
.
For information about when you would use an X.509 signing certificate, see Managing\n server certificates in IAM in the\n IAM User Guide.
\nIf the UserName
is not specified, the IAM user name is determined\n implicitly based on the Amazon Web Services access key ID used to sign the request. This operation\n works for access keys under the Amazon Web Services account. Consequently, you can use this operation\n to manage Amazon Web Services account root user credentials even if the Amazon Web Services account has no associated\n users.
Because the body of an X.509 certificate can be large, you should use POST rather\n than GET when calling UploadSigningCertificate
. For information about\n setting up signatures and authorization through the API, see Signing\n Amazon Web Services API requests in the Amazon Web Services General Reference. For\n general information about using the Query API with IAM, see Making query\n requests in the IAM User Guide.
Cancels the deletion of a KMS key. When this operation succeeds, the key state of the KMS\n key is Disabled
. To enable the KMS key, use EnableKey.
For more information about scheduling and canceling deletion of a KMS key, see Deleting KMS keys in the\n Key Management Service Developer Guide.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
\n\n Required permissions: kms:CancelKeyDeletion (key policy)
\n\n Related operations: ScheduleKeyDeletion\n
" + "smithy.api#documentation": "Cancels the deletion of a KMS key. When this operation succeeds, the key state of the KMS\n key is Disabled
. To enable the KMS key, use EnableKey.
For more information about scheduling and canceling deletion of a KMS key, see Deleting KMS keys in the\n Key Management Service Developer Guide.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
\n\n Required permissions: kms:CancelKeyDeletion (key policy)
\n\n Related operations: ScheduleKeyDeletion\n
", + "smithy.api#examples": [ + { + "title": "To cancel deletion of a KMS key", + "documentation": "The following example cancels deletion of the specified KMS key.", + "input": { + "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab" + }, + "output": { + "KeyId": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" + } + } + ] } }, "com.amazonaws.kms#CancelKeyDeletionRequest": { @@ -350,7 +362,17 @@ } ], "traits": { - "smithy.api#documentation": "Connects or reconnects a custom key store to its backing key store. For an CloudHSM key\n store, ConnectCustomKeyStore
connects the key store to its associated CloudHSM\n cluster. For an external key store, ConnectCustomKeyStore
connects the key store\n to the external key store proxy that communicates with your external key manager.
The custom key store must be connected before you can create KMS keys in the key store or\n use the KMS keys it contains. You can disconnect and reconnect a custom key store at any\n time.
\nThe connection process for a custom key store can take an extended amount of time to\n complete. This operation starts the connection process, but it does not wait for it to\n complete. When it succeeds, this operation quickly returns an HTTP 200 response and a JSON\n object with no properties. However, this response does not indicate that the custom key store\n is connected. To get the connection state of the custom key store, use the DescribeCustomKeyStores operation.
\nThis operation is part of the custom key stores feature in KMS, which\ncombines the convenience and extensive integration of KMS with the isolation and control of a\nkey store that you own and manage.
\nThe ConnectCustomKeyStore
operation might fail for various reasons. To find\n the reason, use the DescribeCustomKeyStores operation and see the\n ConnectionErrorCode
in the response. For help interpreting the\n ConnectionErrorCode
, see CustomKeyStoresListEntry.
To fix the failure, use the DisconnectCustomKeyStore operation to\n disconnect the custom key store, correct the error, use the UpdateCustomKeyStore operation if necessary, and then use\n ConnectCustomKeyStore
again.
\n CloudHSM key store\n
\nDuring the connection process for an CloudHSM key store, KMS finds the CloudHSM cluster that\n is associated with the custom key store, creates the connection infrastructure, connects to\n the cluster, logs into the CloudHSM client as the kmsuser
CU, and rotates its\n password.
To connect an CloudHSM key store, its associated CloudHSM cluster must have at least one active\n HSM. To get the number of active HSMs in a cluster, use the DescribeClusters operation. To add HSMs\n to the cluster, use the CreateHsm operation. Also, the \n kmsuser
crypto\n user (CU) must not be logged into the cluster. This prevents KMS from using this\n account to log in.
If you are having trouble connecting or disconnecting a CloudHSM key store, see Troubleshooting an CloudHSM key\n store in the Key Management Service Developer Guide.
\n\n External key store\n
\nWhen you connect an external key store that uses public endpoint connectivity, KMS tests\n its ability to communicate with your external key manager by sending a request via the\n external key store proxy.
\nWhen you connect to an external key store that uses VPC endpoint service connectivity,\n KMS establishes the networking elements that it needs to communicate with your external key\n manager via the external key store proxy. This includes creating an interface endpoint to the\n VPC endpoint service and a private hosted zone for traffic between KMS and the VPC endpoint\n service.
\nTo connect an external key store, KMS must be able to connect to the external key store\n proxy, the external key store proxy must be able to communicate with your external key\n manager, and the external key manager must be available for cryptographic operations.
\nIf you are having trouble connecting or disconnecting an external key store, see Troubleshooting an external\n key store in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account.
\n\n Required permissions: kms:ConnectCustomKeyStore (IAM policy)
\n\n Related operations\n
\n\n CreateCustomKeyStore\n
\n\n DeleteCustomKeyStore\n
\n\n UpdateCustomKeyStore\n
\nConnects or reconnects a custom key store to its backing key store. For an CloudHSM key\n store, ConnectCustomKeyStore
connects the key store to its associated CloudHSM\n cluster. For an external key store, ConnectCustomKeyStore
connects the key store\n to the external key store proxy that communicates with your external key manager.
The custom key store must be connected before you can create KMS keys in the key store or\n use the KMS keys it contains. You can disconnect and reconnect a custom key store at any\n time.
\nThe connection process for a custom key store can take an extended amount of time to\n complete. This operation starts the connection process, but it does not wait for it to\n complete. When it succeeds, this operation quickly returns an HTTP 200 response and a JSON\n object with no properties. However, this response does not indicate that the custom key store\n is connected. To get the connection state of the custom key store, use the DescribeCustomKeyStores operation.
\nThis operation is part of the custom key stores feature in KMS, which\ncombines the convenience and extensive integration of KMS with the isolation and control of a\nkey store that you own and manage.
\nThe ConnectCustomKeyStore
operation might fail for various reasons. To find\n the reason, use the DescribeCustomKeyStores operation and see the\n ConnectionErrorCode
in the response. For help interpreting the\n ConnectionErrorCode
, see CustomKeyStoresListEntry.
To fix the failure, use the DisconnectCustomKeyStore operation to\n disconnect the custom key store, correct the error, use the UpdateCustomKeyStore operation if necessary, and then use\n ConnectCustomKeyStore
again.
\n CloudHSM key store\n
\nDuring the connection process for an CloudHSM key store, KMS finds the CloudHSM cluster that\n is associated with the custom key store, creates the connection infrastructure, connects to\n the cluster, logs into the CloudHSM client as the kmsuser
CU, and rotates its\n password.
To connect an CloudHSM key store, its associated CloudHSM cluster must have at least one active\n HSM. To get the number of active HSMs in a cluster, use the DescribeClusters operation. To add HSMs\n to the cluster, use the CreateHsm operation. Also, the \n kmsuser
crypto\n user (CU) must not be logged into the cluster. This prevents KMS from using this\n account to log in.
If you are having trouble connecting or disconnecting a CloudHSM key store, see Troubleshooting an CloudHSM key\n store in the Key Management Service Developer Guide.
\n\n External key store\n
\nWhen you connect an external key store that uses public endpoint connectivity, KMS tests\n its ability to communicate with your external key manager by sending a request via the\n external key store proxy.
\nWhen you connect to an external key store that uses VPC endpoint service connectivity,\n KMS establishes the networking elements that it needs to communicate with your external key\n manager via the external key store proxy. This includes creating an interface endpoint to the\n VPC endpoint service and a private hosted zone for traffic between KMS and the VPC endpoint\n service.
\nTo connect an external key store, KMS must be able to connect to the external key store\n proxy, the external key store proxy must be able to communicate with your external key\n manager, and the external key manager must be available for cryptographic operations.
\nIf you are having trouble connecting or disconnecting an external key store, see Troubleshooting an external\n key store in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account.
\n\n Required permissions: kms:ConnectCustomKeyStore (IAM policy)
\n\n Related operations\n
\n\n CreateCustomKeyStore\n
\n\n DeleteCustomKeyStore\n
\n\n UpdateCustomKeyStore\n
\nDescribeCustomKeyStores
operation.",
+ "input": {
+ "CustomKeyStoreId": "cks-1234567890abcdef0"
+ },
+ "output": {}
+ }
+ ]
}
},
"com.amazonaws.kms#ConnectCustomKeyStoreRequest": {
@@ -555,7 +577,17 @@
}
],
"traits": {
- "smithy.api#documentation": "Creates a friendly name for a KMS key.
\nAdding, deleting, or updating an alias can allow or deny permission to the KMS key. For details, see ABAC for KMS in the Key Management Service Developer Guide.
\nYou can use an alias to identify a KMS key in the KMS console, in the DescribeKey operation and in cryptographic operations, such as Encrypt and\n GenerateDataKey. You can also change the KMS key that's associated with\n the alias (UpdateAlias) or delete the alias (DeleteAlias)\n at any time. These operations don't affect the underlying KMS key.
\nYou can associate the alias with any customer managed key in the same Amazon Web Services Region. Each\n alias is associated with only one KMS key at a time, but a KMS key can have multiple aliases.\n A valid KMS key is required. You can't create an alias without a KMS key.
\nThe alias must be unique in the account and Region, but you can have aliases with the same\n name in different Regions. For detailed information about aliases, see Using aliases in the\n Key Management Service Developer Guide.
\nThis operation does not return a response. To get the alias that you created, use the\n ListAliases operation.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on an alias in a different Amazon Web Services account.
\n\n Required permissions\n
\n\n kms:CreateAlias on\n the alias (IAM policy).
\n\n kms:CreateAlias on\n the KMS key (key policy).
\nFor details, see Controlling access to aliases in the\n Key Management Service Developer Guide.
\n\n Related operations:\n
\n\n DeleteAlias\n
\n\n ListAliases\n
\n\n UpdateAlias\n
\nCreates a friendly name for a KMS key.
\nAdding, deleting, or updating an alias can allow or deny permission to the KMS key. For details, see ABAC for KMS in the Key Management Service Developer Guide.
\nYou can use an alias to identify a KMS key in the KMS console, in the DescribeKey operation and in cryptographic operations, such as Encrypt and\n GenerateDataKey. You can also change the KMS key that's associated with\n the alias (UpdateAlias) or delete the alias (DeleteAlias)\n at any time. These operations don't affect the underlying KMS key.
\nYou can associate the alias with any customer managed key in the same Amazon Web Services Region. Each\n alias is associated with only one KMS key at a time, but a KMS key can have multiple aliases.\n A valid KMS key is required. You can't create an alias without a KMS key.
\nThe alias must be unique in the account and Region, but you can have aliases with the same\n name in different Regions. For detailed information about aliases, see Using aliases in the\n Key Management Service Developer Guide.
\nThis operation does not return a response. To get the alias that you created, use the\n ListAliases operation.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on an alias in a different Amazon Web Services account.
\n\n Required permissions\n
\n\n kms:CreateAlias on\n the alias (IAM policy).
\n\n kms:CreateAlias on\n the KMS key (key policy).
\nFor details, see Controlling access to aliases in the\n Key Management Service Developer Guide.
\n\n Related operations:\n
\n\n DeleteAlias\n
\n\n ListAliases\n
\n\n UpdateAlias\n
\nCreates a custom key store backed by a key store that you own and manage. When you use a\n KMS key in a custom key store for a cryptographic operation, the cryptographic operation is\n actually performed in your key store using your keys. KMS supports CloudHSM key stores\n backed by an CloudHSM cluster\n and external key stores backed by an external key store proxy and\n external key manager outside of Amazon Web Services.
\nThis operation is part of the custom key stores feature in KMS, which\ncombines the convenience and extensive integration of KMS with the isolation and control of a\nkey store that you own and manage.
\nBefore you create the custom key store, the required elements must be in place and\n operational. We recommend that you use the test tools that KMS provides to verify the\n configuration your external key store proxy. For details about the required elements and\n verification tests, see Assemble the prerequisites (for\n CloudHSM key stores) or Assemble the prerequisites (for\n external key stores) in the Key Management Service Developer Guide.
\nTo create a custom key store, use the following parameters.
\nTo create an CloudHSM key store, specify the CustomKeyStoreName
,\n CloudHsmClusterId
, KeyStorePassword
, and\n TrustAnchorCertificate
. The CustomKeyStoreType
parameter is\n optional for CloudHSM key stores. If you include it, set it to the default value,\n AWS_CLOUDHSM
. For help with failures, see Troubleshooting an CloudHSM key store in the\n Key Management Service Developer Guide.
To create an external key store, specify the CustomKeyStoreName
and a\n CustomKeyStoreType
of EXTERNAL_KEY_STORE
. Also, specify values\n for XksProxyConnectivity
, XksProxyAuthenticationCredential
,\n XksProxyUriEndpoint
, and XksProxyUriPath
. If your\n XksProxyConnectivity
value is VPC_ENDPOINT_SERVICE
, specify\n the XksProxyVpcEndpointServiceName
parameter. For help with failures, see\n Troubleshooting\n an external key store in the Key Management Service Developer Guide.
For external key stores:
\nSome external key managers provide a simpler method for creating an external key store.\n For details, see your external key manager documentation.
\nWhen creating an external key store in the KMS console, you can upload a JSON-based\n proxy configuration file with the desired values. You cannot use a proxy configuration\n with the CreateCustomKeyStore
operation. However, you can use the values in\n the file to help you determine the correct values for the CreateCustomKeyStore
\n parameters.
When the operation completes successfully, it returns the ID of the new custom key store.\n Before you can use your new custom key store, you need to use the ConnectCustomKeyStore operation to connect a new CloudHSM key store to its CloudHSM\n cluster, or to connect a new external key store to the external key store proxy for your\n external key manager. Even if you are not going to use your custom key store immediately, you\n might want to connect it to verify that all settings are correct and then disconnect it until\n you are ready to use it.
\nFor help with failures, see Troubleshooting a custom key store in the\n Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account.
\n\n Required permissions: kms:CreateCustomKeyStore (IAM policy).
\n\n Related operations:\n
\n\n DeleteCustomKeyStore\n
\n\n UpdateCustomKeyStore\n
\nCreates a custom key store backed by a key store that you own and manage. When you use a\n KMS key in a custom key store for a cryptographic operation, the cryptographic operation is\n actually performed in your key store using your keys. KMS supports CloudHSM key stores\n backed by an CloudHSM cluster\n and external key\n stores backed by an external key store proxy and external key manager outside of\n Amazon Web Services.
\nThis operation is part of the custom key stores feature in KMS, which\ncombines the convenience and extensive integration of KMS with the isolation and control of a\nkey store that you own and manage.
\nBefore you create the custom key store, the required elements must be in place and\n operational. We recommend that you use the test tools that KMS provides to verify the\n configuration your external key store proxy. For details about the required elements and\n verification tests, see Assemble the prerequisites (for\n CloudHSM key stores) or Assemble the prerequisites (for\n external key stores) in the Key Management Service Developer Guide.
\nTo create a custom key store, use the following parameters.
\nTo create an CloudHSM key store, specify the CustomKeyStoreName
,\n CloudHsmClusterId
, KeyStorePassword
, and\n TrustAnchorCertificate
. The CustomKeyStoreType
parameter is\n optional for CloudHSM key stores. If you include it, set it to the default value,\n AWS_CLOUDHSM
. For help with failures, see Troubleshooting an CloudHSM key store in the\n Key Management Service Developer Guide.
To create an external key store, specify the CustomKeyStoreName
and a\n CustomKeyStoreType
of EXTERNAL_KEY_STORE
. Also, specify values\n for XksProxyConnectivity
, XksProxyAuthenticationCredential
,\n XksProxyUriEndpoint
, and XksProxyUriPath
. If your\n XksProxyConnectivity
value is VPC_ENDPOINT_SERVICE
, specify\n the XksProxyVpcEndpointServiceName
parameter. For help with failures, see\n Troubleshooting\n an external key store in the Key Management Service Developer Guide.
For external key stores:
\nSome external key managers provide a simpler method for creating an external key store.\n For details, see your external key manager documentation.
\nWhen creating an external key store in the KMS console, you can upload a JSON-based\n proxy configuration file with the desired values. You cannot use a proxy configuration with\n the CreateCustomKeyStore
operation. However, you can use the values in the file\n to help you determine the correct values for the CreateCustomKeyStore
\n parameters.
When the operation completes successfully, it returns the ID of the new custom key store.\n Before you can use your new custom key store, you need to use the ConnectCustomKeyStore operation to connect a new CloudHSM key store to its CloudHSM\n cluster, or to connect a new external key store to the external key store proxy for your\n external key manager. Even if you are not going to use your custom key store immediately, you\n might want to connect it to verify that all settings are correct and then disconnect it until\n you are ready to use it.
\nFor help with failures, see Troubleshooting a custom key store in the\n Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account.
\n\n Required permissions: kms:CreateCustomKeyStore (IAM policy).
\n\n Related operations:\n
\n\n DeleteCustomKeyStore\n
\n\n UpdateCustomKeyStore\n
\nSpecifies the name of the Amazon VPC endpoint service for interface endpoints that is used to\n communicate with your external key store proxy (XKS proxy). This parameter is required when\n the value of CustomKeyStoreType
is EXTERNAL_KEY_STORE
and the value\n of XksProxyConnectivity
is VPC_ENDPOINT_SERVICE
.
The Amazon VPC endpoint service must fulfill all requirements for use with an external key\n store.
\n\n Uniqueness requirements:\n
\nExternal key stores with VPC_ENDPOINT_SERVICE
connectivity can share an\n Amazon VPC, but each external key store must have its own VPC endpoint service and private DNS\n name.
Specifies the name of the Amazon VPC endpoint service for interface endpoints that is used to\n communicate with your external key store proxy (XKS proxy). This parameter is required when\n the value of CustomKeyStoreType
is EXTERNAL_KEY_STORE
and the value\n of XksProxyConnectivity
is VPC_ENDPOINT_SERVICE
.
The Amazon VPC endpoint service must fulfill all\n requirements for use with an external key store.
\n\n Uniqueness requirements:\n
\nExternal key stores with VPC_ENDPOINT_SERVICE
connectivity can share an\n Amazon VPC, but each external key store must have its own VPC endpoint service and private DNS\n name.
Indicates how KMS communicates with the external key store proxy. This parameter is\n required for custom key stores with a CustomKeyStoreType
of\n EXTERNAL_KEY_STORE
.
If the external key store proxy uses a public endpoint, specify\n PUBLIC_ENDPOINT
. If the external key store proxy uses a Amazon VPC\n endpoint service for communication with KMS, specify VPC_ENDPOINT_SERVICE
. For\n help making this choice, see Choosing a connectivity option in the Key Management Service Developer Guide.
An Amazon VPC endpoint service keeps your communication with KMS in a private address space\n entirely within Amazon Web Services, but it requires more configuration, including establishing a Amazon VPC with multiple subnets, a VPC endpoint service, a network load balancer, and a\n verified private DNS name. A public endpoint is simpler to set up, but it might be slower and\n might not fulfill your security requirements. You might consider testing with a public\n endpoint, and then establishing a VPC endpoint service for production tasks. Note that this\n choice does not determine the location of the external key store proxy. Even if you choose a\n VPC endpoint service, the proxy can be hosted within the VPC or outside of Amazon Web Services such as in\n your corporate data center.
"
+ "smithy.api#documentation": "Indicates how KMS communicates with the external key store proxy. This parameter is\n required for custom key stores with a CustomKeyStoreType
of\n EXTERNAL_KEY_STORE
.
If the external key store proxy uses a public endpoint, specify\n PUBLIC_ENDPOINT
. If the external key store proxy uses a Amazon VPC\n endpoint service for communication with KMS, specify VPC_ENDPOINT_SERVICE
. For\n help making this choice, see Choosing a connectivity\n option in the Key Management Service Developer Guide.
An Amazon VPC endpoint service keeps your communication with KMS in a private address space\n entirely within Amazon Web Services, but it requires more configuration, including establishing a Amazon VPC with multiple subnets, a VPC endpoint service, a network load balancer, and a\n verified private DNS name. A public endpoint is simpler to set up, but it might be slower and\n might not fulfill your security requirements. You might consider testing with a public\n endpoint, and then establishing a VPC endpoint service for production tasks. Note that this\n choice does not determine the location of the external key store proxy. Even if you choose a\n VPC endpoint service, the proxy can be hosted within the VPC or outside of Amazon Web Services such as in\n your corporate data center.
"
 }
 }
 },
@@ -743,6 +790,9 @@
 {
 "target": "com.amazonaws.kms#DisabledException"
 },
+ {
+ "target": "com.amazonaws.kms#DryRunOperationException"
+ },
 {
 "target": "com.amazonaws.kms#InvalidArnException"
 },
@@ -763,7 +813,25 @@
 }
 ],
 "traits": {
- "smithy.api#documentation": "Adds a grant to a KMS key.
\nA grant is a policy instrument that allows Amazon Web Services principals to use\n KMS keys in cryptographic operations. It also can allow them to view a KMS key (DescribeKey) and create and manage grants. When authorizing access to a KMS key,\n grants are considered along with key policies and IAM policies. Grants are often used for\n temporary permissions because you can create one, use its permissions, and delete it without\n changing your key policies or IAM policies.
\nFor detailed information about grants, including grant terminology, see Grants in KMS in the\n \n Key Management Service Developer Guide\n . For examples of working with grants in several\n programming languages, see Programming grants.
\nThe CreateGrant
operation returns a GrantToken
and a\n GrantId
.
When you create, retire, or revoke a grant, there might be a brief delay, usually less than five minutes, until the grant is available throughout KMS. This state is known as eventual consistency. Once the grant has achieved eventual consistency, the grantee\n principal can use the permissions in the grant without identifying the grant.
\nHowever, to use the permissions in the grant immediately, use the\n GrantToken
that CreateGrant
returns. For details, see Using a\n grant token in the \n Key Management Service Developer Guide\n .
The CreateGrant
operation also returns a GrantId
. You can\n use the GrantId
and a key identifier to identify the grant in the RetireGrant and RevokeGrant operations. To find the grant\n ID, use the ListGrants or ListRetirableGrants\n operations.
The KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: Yes. To perform this operation on a KMS key in a different Amazon Web Services account, specify the key\n ARN in the value of the KeyId
parameter.
\n Required permissions: kms:CreateGrant (key policy)
\n\n Related operations:\n
\n\n ListGrants\n
\n\n ListRetirableGrants\n
\n\n RetireGrant\n
\n\n RevokeGrant\n
\nAdds a grant to a KMS key.
\nA grant is a policy instrument that allows Amazon Web Services principals to use\n KMS keys in cryptographic operations. It also can allow them to view a KMS key (DescribeKey) and create and manage grants. When authorizing access to a KMS key,\n grants are considered along with key policies and IAM policies. Grants are often used for\n temporary permissions because you can create one, use its permissions, and delete it without\n changing your key policies or IAM policies.
\nFor detailed information about grants, including grant terminology, see Grants in KMS in the\n \n Key Management Service Developer Guide\n . For examples of working with grants in several\n programming languages, see Programming grants.
\nThe CreateGrant
operation returns a GrantToken
and a\n GrantId
.
When you create, retire, or revoke a grant, there might be a brief delay, usually less than five minutes, until the grant is available throughout KMS. This state is known as eventual consistency. Once the grant has achieved eventual consistency, the grantee\n principal can use the permissions in the grant without identifying the grant.
\nHowever, to use the permissions in the grant immediately, use the\n GrantToken
that CreateGrant
returns. For details, see Using a\n grant token in the \n Key Management Service Developer Guide\n .
The CreateGrant
operation also returns a GrantId
. You can\n use the GrantId
and a key identifier to identify the grant in the RetireGrant and RevokeGrant operations. To find the grant\n ID, use the ListGrants or ListRetirableGrants\n operations.
The KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: Yes. To perform this operation on a KMS key in a different Amazon Web Services account, specify the key\n ARN in the value of the KeyId
parameter.
\n Required permissions: kms:CreateGrant (key policy)
\n\n Related operations:\n
\n\n ListGrants\n
\n\n ListRetirableGrants\n
\n\n RetireGrant\n
\n\n RevokeGrant\n
\nThe identity that gets the permissions specified in the grant.
\nTo specify the grantee principal, use the Amazon Resource Name (ARN) of an\n Amazon Web Services principal. Valid principals include Amazon Web Services accounts, IAM users, IAM roles,\n federated users, and assumed role users. For help with the ARN syntax for a principal, see\n IAM ARNs in the \n Identity and Access Management User Guide\n .
",
+ "smithy.api#documentation": "The identity that gets the permissions specified in the grant.
\nTo specify the grantee principal, use the Amazon Resource Name (ARN) of an Amazon Web Services\n principal. Valid principals include Amazon Web Services accounts, IAM users, IAM roles,\n federated users, and assumed role users. For help with the ARN syntax for a principal, see\n IAM ARNs in the \n Identity and Access Management User Guide\n .
",
 "smithy.api#required": {}
 }
 },
@@ -813,6 +881,12 @@
 "traits": {
 "smithy.api#documentation": "A friendly name for the grant. Use this value to prevent the unintended creation of\n duplicate grants when retrying this request.
\nDo not include confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output.
\nWhen this value is absent, all CreateGrant
requests result in a new grant\n with a unique GrantId
even if all the supplied parameters are identical. This can\n result in unintended duplicates when you retry the CreateGrant
request.
When this value is present, you can retry a CreateGrant
request with\n identical parameters; if the grant already exists, the original GrantId
is\n returned without creating a new grant. Note that the returned grant token is unique with every\n CreateGrant
request, even when a duplicate GrantId
is returned.\n All grant tokens for the same grant ID can be used interchangeably.
Checks if your request will succeed. DryRun
is an optional parameter.
To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.
"
+ }
 }
 },
 "traits": {
@@ -889,7 +963,7 @@
 }
 ],
 "traits": {
- "smithy.api#documentation": "Creates a unique customer managed KMS key in your Amazon Web Services account and Region.\n You can use a KMS key in cryptographic operations, such as encryption and signing. Some Amazon Web Services\n services let you use KMS keys that you create and manage to protect your service\n resources.
\nA KMS key is a logical representation of a cryptographic key. In addition to the key\n material used in cryptographic operations, a KMS key includes metadata, such as the key ID,\n key policy, creation date, description, and key state. For details, see Managing keys in the\n Key Management Service Developer Guide\n
\nUse the parameters of CreateKey
to specify the type of KMS key, the source of\n its key material, its key policy, description, tags, and other properties.
KMS has replaced the term customer master key (CMK) with KMS key and KMS key. The concept has not changed. To prevent breaking changes, KMS is keeping some variations of this term.
\nTo create different types of KMS keys, use the following guidance:
\nBy default, CreateKey
creates a symmetric encryption KMS key with key\n material that KMS generates. This is the basic and most widely used type of KMS key, and\n provides the best performance.
To create a symmetric encryption KMS key, you don't need to specify any parameters.\n The default value for KeySpec
, SYMMETRIC_DEFAULT
, the default\n value for KeyUsage
, ENCRYPT_DECRYPT
, and the default value for\n Origin
, AWS_KMS
, create a symmetric encryption KMS key with\n KMS key material.
If you need a key for basic encryption and decryption or you are creating a KMS key\n to protect your resources in an Amazon Web Services service, create a symmetric encryption KMS key.\n The key material in a symmetric encryption key never leaves KMS unencrypted. You can\n use a symmetric encryption KMS key to encrypt and decrypt data up to 4,096 bytes, but\n they are typically used to generate data keys and data keys pairs. For details, see\n GenerateDataKey and GenerateDataKeyPair.
\n\n
To create an asymmetric KMS key, use the KeySpec
parameter to specify\n the type of key material in the KMS key. Then, use the KeyUsage
parameter\n to determine whether the KMS key will be used to encrypt and decrypt or sign and verify.\n You can't change these properties after the KMS key is created.
Asymmetric KMS keys contain an RSA key pair, Elliptic Curve (ECC) key pair, or an SM2 key pair (China Regions only). The private key in an asymmetric \n KMS key never leaves KMS unencrypted. However, you can use the GetPublicKey operation to download the public key\n so it can be used outside of KMS. KMS keys with RSA or SM2 key pairs can be used to encrypt or decrypt data or sign and verify messages (but not both). \n KMS keys with ECC key pairs can be used only to sign and verify messages. \n For information about asymmetric KMS keys, see Asymmetric KMS keys in the Key Management Service Developer Guide.
\n\n
To create an HMAC KMS key, set the KeySpec
parameter to a key spec\n value for HMAC KMS keys. Then set the KeyUsage
parameter to\n GENERATE_VERIFY_MAC
. You must set the key usage even though\n GENERATE_VERIFY_MAC
is the only valid key usage value for HMAC KMS keys.\n You can't change these properties after the KMS key is created.
HMAC KMS keys are symmetric keys that never leave KMS unencrypted. You can use\n HMAC keys to generate (GenerateMac) and verify (VerifyMac) HMAC codes for messages up to 4096 bytes.
\n\n
To create a multi-Region primary key in the local Amazon Web Services Region,\n use the MultiRegion
parameter with a value of True
. To create\n a multi-Region replica key, that is, a KMS key with the same key ID\n and key material as a primary key, but in a different Amazon Web Services Region, use the ReplicateKey operation. To change a replica key to a primary key, and its\n primary key to a replica key, use the UpdatePrimaryRegion\n operation.
You can create multi-Region KMS keys for all supported KMS key types: symmetric\n encryption KMS keys, HMAC KMS keys, asymmetric encryption KMS keys, and asymmetric\n signing KMS keys. You can also create multi-Region keys with imported key material.\n However, you can't create multi-Region keys in a custom key store.
\nThis operation supports multi-Region keys, an KMS feature that lets you create multiple\n interoperable KMS keys in different Amazon Web Services Regions. Because these KMS keys have the same key ID, key\n material, and other metadata, you can use them interchangeably to encrypt data in one Amazon Web Services Region and decrypt\n it in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more information about multi-Region keys, see Multi-Region keys in KMS in the Key Management Service Developer Guide.
\n\n
To import your own key material into a KMS key, begin by creating a KMS key with no\n key material. To do this, use the Origin
parameter of\n CreateKey
with a value of EXTERNAL
. Next, use GetParametersForImport operation to get a public key and import token. Use\n the wrapping public key to encrypt your key material. Then, use ImportKeyMaterial with your import token to import the key material. For step-by-step instructions, see\n Importing Key Material in the \n Key Management Service Developer Guide\n .
You can import key material into KMS keys of all supported KMS key types: symmetric\n encryption KMS keys, HMAC KMS keys, asymmetric encryption KMS keys, and asymmetric\n signing KMS keys. You can also create multi-Region keys with imported key material.\n However, you can't import key material into a KMS key in a custom key store.
\nTo create a multi-Region primary key with imported key material, use the\n Origin
parameter of CreateKey
with a value of\n EXTERNAL
and the MultiRegion
parameter with a value of\n True
. To create replicas of the multi-Region primary key, use the ReplicateKey operation. For instructions, see Importing key material into\n multi-Region keys. For more information about multi-Region keys, see Multi-Region keys in KMS in the Key Management Service Developer Guide.
\n
A custom key store lets you protect your Amazon Web Services resources using keys in a backing key\n store that you own and manage. When you request a cryptographic operation with a KMS key\n in a custom key store, the operation is performed in the backing key store using its\n cryptographic keys.
\nKMS supports CloudHSM key stores backed by an CloudHSM cluster and external key stores backed by an\n external key manager outside of Amazon Web Services. When you create a KMS key in an CloudHSM key store,\n KMS generates an encryption key in the CloudHSM cluster and associates it with the KMS\n key. When you create a KMS key in an external key store, you specify an existing\n encryption key in the external key manager.
\nSome external key managers provide a simpler method for creating a KMS key in an\n external key store. For details, see your external key manager documentation.
\nBefore you create a KMS key in a custom key store, the ConnectionState
\n of the key store must be CONNECTED
. To connect the custom key store, use\n the ConnectCustomKeyStore operation. To find the\n ConnectionState
, use the DescribeCustomKeyStores\n operation.
To create a KMS key in a custom key store, use the CustomKeyStoreId
.\n Use the default KeySpec
value, SYMMETRIC_DEFAULT
, and the\n default KeyUsage
value, ENCRYPT_DECRYPT
to create a symmetric\n encryption key. No other key type is supported in a custom key store.
To create a KMS key in an CloudHSM key store, use the\n Origin
parameter with a value of AWS_CLOUDHSM
. The CloudHSM\n cluster that is associated with the custom key store must have at least two active HSMs\n in different Availability Zones in the Amazon Web Services Region.
To create a KMS key in an external key store, use the Origin
parameter\n with a value of EXTERNAL_KEY_STORE
and an XksKeyId
parameter\n that identifies an existing external key.
Some external key managers provide a simpler method for creating a KMS key in an\n external key store. For details, see your external key manager documentation.
\n\n Cross-account use: No. You cannot use this operation to\n create a KMS key in a different Amazon Web Services account.
\n\n Required permissions: kms:CreateKey (IAM policy). To use the\n Tags
parameter, kms:TagResource (IAM policy). For examples and information about related\n permissions, see Allow a user to create\n KMS keys in the Key Management Service Developer Guide.
\n Related operations:\n
\n\n DescribeKey\n
\n\n ListKeys\n
\n\n ScheduleKeyDeletion\n
\nCreates a unique customer managed KMS key in your Amazon Web Services account and Region.\n You can use a KMS key in cryptographic operations, such as encryption and signing. Some Amazon Web Services\n services let you use KMS keys that you create and manage to protect your service\n resources.
\nA KMS key is a logical representation of a cryptographic key. In addition to the key\n material used in cryptographic operations, a KMS key includes metadata, such as the key ID,\n key policy, creation date, description, and key state. For details, see Managing keys in the\n Key Management Service Developer Guide\n
\nUse the parameters of CreateKey
to specify the type of KMS key, the source of\n its key material, its key policy, description, tags, and other properties.
KMS has replaced the term customer master key (CMK) with KMS key and KMS key. The concept has not changed. To prevent breaking changes, KMS is keeping some variations of this term.
\nTo create different types of KMS keys, use the following guidance:
\nBy default, CreateKey
creates a symmetric encryption KMS key with key\n material that KMS generates. This is the basic and most widely used type of KMS key, and\n provides the best performance.
To create a symmetric encryption KMS key, you don't need to specify any parameters.\n The default value for KeySpec
, SYMMETRIC_DEFAULT
, the default\n value for KeyUsage
, ENCRYPT_DECRYPT
, and the default value for\n Origin
, AWS_KMS
, create a symmetric encryption KMS key with\n KMS key material.
If you need a key for basic encryption and decryption or you are creating a KMS key\n to protect your resources in an Amazon Web Services service, create a symmetric encryption KMS key.\n The key material in a symmetric encryption key never leaves KMS unencrypted. You can\n use a symmetric encryption KMS key to encrypt and decrypt data up to 4,096 bytes, but\n they are typically used to generate data keys and data keys pairs. For details, see\n GenerateDataKey and GenerateDataKeyPair.
\n\n
To create an asymmetric KMS key, use the KeySpec
parameter to specify\n the type of key material in the KMS key. Then, use the KeyUsage
parameter\n to determine whether the KMS key will be used to encrypt and decrypt or sign and verify.\n You can't change these properties after the KMS key is created.
Asymmetric KMS keys contain an RSA key pair, Elliptic Curve (ECC) key pair, or an\n SM2 key pair (China Regions only). The private key in an asymmetric KMS key never leaves\n KMS unencrypted. However, you can use the GetPublicKey operation to\n download the public key so it can be used outside of KMS. KMS keys with RSA or SM2 key\n pairs can be used to encrypt or decrypt data or sign and verify messages (but not both).\n KMS keys with ECC key pairs can be used only to sign and verify messages. For\n information about asymmetric KMS keys, see Asymmetric KMS keys in the\n Key Management Service Developer Guide.
\n\n
To create an HMAC KMS key, set the KeySpec
parameter to a key spec\n value for HMAC KMS keys. Then set the KeyUsage
parameter to\n GENERATE_VERIFY_MAC
. You must set the key usage even though\n GENERATE_VERIFY_MAC
is the only valid key usage value for HMAC KMS keys.\n You can't change these properties after the KMS key is created.
HMAC KMS keys are symmetric keys that never leave KMS unencrypted. You can use\n HMAC keys to generate (GenerateMac) and verify (VerifyMac) HMAC codes for messages up to 4096 bytes.
\n\n
To create a multi-Region primary key in the local Amazon Web Services Region,\n use the MultiRegion
parameter with a value of True
. To create\n a multi-Region replica key, that is, a KMS key with the same key ID\n and key material as a primary key, but in a different Amazon Web Services Region, use the ReplicateKey operation. To change a replica key to a primary key, and its\n primary key to a replica key, use the UpdatePrimaryRegion\n operation.
You can create multi-Region KMS keys for all supported KMS key types: symmetric\n encryption KMS keys, HMAC KMS keys, asymmetric encryption KMS keys, and asymmetric\n signing KMS keys. You can also create multi-Region keys with imported key material.\n However, you can't create multi-Region keys in a custom key store.
\nThis operation supports multi-Region keys, an KMS feature that lets you create multiple\n interoperable KMS keys in different Amazon Web Services Regions. Because these KMS keys have the same key ID, key\n material, and other metadata, you can use them interchangeably to encrypt data in one Amazon Web Services Region and decrypt\n it in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more information about multi-Region keys, see Multi-Region keys in KMS in the Key Management Service Developer Guide.
\n\n
To import your own key material into a KMS key, begin by creating a KMS key with no\n key material. To do this, use the Origin
parameter of\n CreateKey
with a value of EXTERNAL
. Next, use GetParametersForImport operation to get a public key and import token. Use\n the wrapping public key to encrypt your key material. Then, use ImportKeyMaterial with your import token to import the key material. For\n step-by-step instructions, see Importing Key Material in the \n Key Management Service Developer Guide\n .
You can import key material into KMS keys of all supported KMS key types: symmetric\n encryption KMS keys, HMAC KMS keys, asymmetric encryption KMS keys, and asymmetric\n signing KMS keys. You can also create multi-Region keys with imported key material.\n However, you can't import key material into a KMS key in a custom key store.
\nTo create a multi-Region primary key with imported key material, use the\n Origin
parameter of CreateKey
with a value of\n EXTERNAL
and the MultiRegion
parameter with a value of\n True
. To create replicas of the multi-Region primary key, use the ReplicateKey operation. For instructions, see Importing key material into\n multi-Region keys. For more information about multi-Region keys, see Multi-Region keys in KMS in the Key Management Service Developer Guide.
\n
A custom key store lets you protect your Amazon Web Services resources using keys in a backing key\n store that you own and manage. When you request a cryptographic operation with a KMS key\n in a custom key store, the operation is performed in the backing key store using its\n cryptographic keys.
\nKMS supports CloudHSM key stores backed by an CloudHSM cluster and external key stores backed by an\n external key manager outside of Amazon Web Services. When you create a KMS key in an CloudHSM key store,\n KMS generates an encryption key in the CloudHSM cluster and associates it with the KMS\n key. When you create a KMS key in an external key store, you specify an existing\n encryption key in the external key manager.
\nSome external key managers provide a simpler method for creating a KMS key in an\n external key store. For details, see your external key manager documentation.
\nBefore you create a KMS key in a custom key store, the ConnectionState
\n of the key store must be CONNECTED
. To connect the custom key store, use\n the ConnectCustomKeyStore operation. To find the\n ConnectionState
, use the DescribeCustomKeyStores\n operation.
To create a KMS key in a custom key store, use the CustomKeyStoreId
.\n Use the default KeySpec
value, SYMMETRIC_DEFAULT
, and the\n default KeyUsage
value, ENCRYPT_DECRYPT
to create a symmetric\n encryption key. No other key type is supported in a custom key store.
To create a KMS key in an CloudHSM key store, use the\n Origin
parameter with a value of AWS_CLOUDHSM
. The CloudHSM\n cluster that is associated with the custom key store must have at least two active HSMs\n in different Availability Zones in the Amazon Web Services Region.
To create a KMS key in an external key store, use the\n Origin
parameter with a value of EXTERNAL_KEY_STORE
and an\n XksKeyId
parameter that identifies an existing external key.
Some external key managers provide a simpler method for creating a KMS key in an\n external key store. For details, see your external key manager documentation.
\n\n Cross-account use: No. You cannot use this operation to\n create a KMS key in a different Amazon Web Services account.
\n\n Required permissions: kms:CreateKey (IAM policy). To use the\n Tags
parameter, kms:TagResource (IAM policy). For examples and information about related\n permissions, see Allow a user to create\n KMS keys in the Key Management Service Developer Guide.
\n Related operations:\n
\n\n DescribeKey\n
\n\n ListKeys\n
\n\n ScheduleKeyDeletion\n
\nA description of the KMS key. Use a description that helps you decide whether the KMS key is appropriate for a task. The\n default value is an empty string (no description).
\nDo not include confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output.
\nTo set or change the description after the key is created, use UpdateKeyDescription.
" + "smithy.api#documentation": "A description of the KMS key. Use a description that helps you decide whether the KMS key\n is appropriate for a task. The default value is an empty string (no description).
\nDo not include confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output.
\nTo set or change the description after the key is created, use UpdateKeyDescription.
" } }, "KeyUsage": { "target": "com.amazonaws.kms#KeyUsageType", "traits": { - "smithy.api#documentation": "Determines the cryptographic operations for which you can use the KMS key. The default value is\n ENCRYPT_DECRYPT
. This parameter is optional when you are creating a symmetric\n encryption KMS key; otherwise, it is required. You can't change the KeyUsage
\n value after the KMS key is created.
Select only one valid value.
\nFor symmetric encryption KMS keys, omit the parameter or specify\n ENCRYPT_DECRYPT
.
For HMAC KMS keys (symmetric), specify GENERATE_VERIFY_MAC
.
For asymmetric KMS keys with RSA key material, specify ENCRYPT_DECRYPT
or\n SIGN_VERIFY
.
For asymmetric KMS keys with ECC key material, specify\n SIGN_VERIFY
.
For asymmetric KMS keys with SM2 key material (China Regions only), specify ENCRYPT_DECRYPT
or\n SIGN_VERIFY
.
Determines the cryptographic operations for which you can use the KMS key. The default value is\n ENCRYPT_DECRYPT
. This parameter is optional when you are creating a symmetric\n encryption KMS key; otherwise, it is required. You can't change the KeyUsage
\n value after the KMS key is created.
Select only one valid value.
\nFor symmetric encryption KMS keys, omit the parameter or specify\n ENCRYPT_DECRYPT
.
For HMAC KMS keys (symmetric), specify GENERATE_VERIFY_MAC
.
For asymmetric KMS keys with RSA key material, specify ENCRYPT_DECRYPT
or\n SIGN_VERIFY
.
For asymmetric KMS keys with ECC key material, specify\n SIGN_VERIFY
.
For asymmetric KMS keys with SM2 key material (China Regions only), specify\n ENCRYPT_DECRYPT
or SIGN_VERIFY
.
Specifies the type of KMS key to create. The default value,\n SYMMETRIC_DEFAULT
, creates a KMS key with a 256-bit AES-GCM key that is used for encryption and decryption, except in China Regions, \n where it creates a 128-bit symmetric key that uses SM4 encryption. For help choosing a key spec for your KMS key, see Choosing a KMS key type in the \n Key Management Service Developer Guide\n .
The KeySpec
determines whether the KMS key contains a symmetric key or an\n asymmetric key pair. It also determines the algorithms that the KMS key supports. You can't\n change the KeySpec
after the KMS key is created. To further restrict the\n algorithms that can be used with the KMS key, use a condition key in its key policy or IAM\n policy. For more information, see kms:EncryptionAlgorithm, kms:MacAlgorithm or kms:Signing Algorithm in the \n Key Management Service Developer Guide\n .
\n Amazon Web Services services that\n are integrated with KMS use symmetric encryption KMS keys to protect your data.\n These services do not support asymmetric KMS keys or HMAC KMS keys.
\nKMS supports the following key specs for KMS keys:
\nSymmetric encryption key (default)
\n\n SYMMETRIC_DEFAULT
\n
HMAC keys (symmetric)
\n\n HMAC_224
\n
\n HMAC_256
\n
\n HMAC_384
\n
\n HMAC_512
\n
Asymmetric RSA key pairs
\n\n RSA_2048
\n
\n RSA_3072
\n
\n RSA_4096
\n
Asymmetric NIST-recommended elliptic curve key pairs
\n\n ECC_NIST_P256
(secp256r1)
\n ECC_NIST_P384
(secp384r1)
\n ECC_NIST_P521
(secp521r1)
Other asymmetric elliptic curve key pairs
\n\n ECC_SECG_P256K1
(secp256k1), commonly used for\n cryptocurrencies.
SM2 key pairs (China Regions only)
\n\n SM2
\n
Specifies the type of KMS key to create. The default value,\n SYMMETRIC_DEFAULT
, creates a KMS key with a 256-bit AES-GCM key that is used for\n encryption and decryption, except in China Regions, where it creates a 128-bit symmetric key\n that uses SM4 encryption. For help choosing a key spec for your KMS key, see Choosing a KMS key type in the \n Key Management Service Developer Guide\n .
The KeySpec
determines whether the KMS key contains a symmetric key or an\n asymmetric key pair. It also determines the algorithms that the KMS key supports. You can't\n change the KeySpec
after the KMS key is created. To further restrict the\n algorithms that can be used with the KMS key, use a condition key in its key policy or IAM\n policy. For more information, see kms:EncryptionAlgorithm, kms:MacAlgorithm or kms:Signing Algorithm in the \n Key Management Service Developer Guide\n .
\n Amazon Web Services services that\n are integrated with KMS use symmetric encryption KMS keys to protect your data.\n These services do not support asymmetric KMS keys or HMAC KMS keys.
\nKMS supports the following key specs for KMS keys:
\nSymmetric encryption key (default)
\n\n SYMMETRIC_DEFAULT
\n
HMAC keys (symmetric)
\n\n HMAC_224
\n
\n HMAC_256
\n
\n HMAC_384
\n
\n HMAC_512
\n
Asymmetric RSA key pairs
\n\n RSA_2048
\n
\n RSA_3072
\n
\n RSA_4096
\n
Asymmetric NIST-recommended elliptic curve key pairs
\n\n ECC_NIST_P256
(secp256r1)
\n ECC_NIST_P384
(secp384r1)
\n ECC_NIST_P521
(secp521r1)
Other asymmetric elliptic curve key pairs
\n\n ECC_SECG_P256K1
(secp256k1), commonly used for\n cryptocurrencies.
SM2 key pairs (China Regions only)
\n\n SM2
\n
The source of the key material for the KMS key. You cannot change the origin after you\n create the KMS key. The default is AWS_KMS
, which means that KMS creates the\n key material.
To create a\n KMS key with no key material (for imported key material), set this value to\n EXTERNAL
. For more information about importing key material into KMS, see\n Importing Key\n Material in the Key Management Service Developer Guide. The EXTERNAL
origin value is valid\n only for symmetric KMS keys.
To create a KMS key in an CloudHSM key store and create its key\n material in the associated CloudHSM cluster, set this value to AWS_CLOUDHSM
. You\n must also use the CustomKeyStoreId
parameter to identify the CloudHSM key store. The\n KeySpec
value must be SYMMETRIC_DEFAULT
.
To create a KMS key in\n an external key store, set this value to EXTERNAL_KEY_STORE
. You must\n also use the CustomKeyStoreId
parameter to identify the external key store and\n the XksKeyId
parameter to identify the associated external key. The\n KeySpec
value must be SYMMETRIC_DEFAULT
.
The source of the key material for the KMS key. You cannot change the origin after you\n create the KMS key. The default is AWS_KMS
, which means that KMS creates the\n key material.
To create a\n KMS key with no key material (for imported key material), set this value to\n EXTERNAL
. For more information about importing key material into KMS, see\n Importing Key\n Material in the Key Management Service Developer Guide. The EXTERNAL
origin value is valid\n only for symmetric KMS keys.
To create a KMS\n key in an CloudHSM key store and create its key material in the associated CloudHSM\n cluster, set this value to AWS_CLOUDHSM
. You must also use the\n CustomKeyStoreId
parameter to identify the CloudHSM key store. The\n KeySpec
value must be SYMMETRIC_DEFAULT
.
To create a KMS key in\n an external key store, set this value to EXTERNAL_KEY_STORE
. You must\n also use the CustomKeyStoreId
parameter to identify the external key store and\n the XksKeyId
parameter to identify the associated external key. The\n KeySpec
value must be SYMMETRIC_DEFAULT
.
Creates the KMS key in the specified custom key store. The ConnectionState
of\n the custom key store must be CONNECTED
. To find the CustomKeyStoreID and\n ConnectionState use the DescribeCustomKeyStores operation.
This parameter is valid only for symmetric encryption KMS keys in a single Region. You\n cannot create any other type of KMS key in a custom key store.
\nWhen you create a KMS key in an CloudHSM key store, KMS generates a non-exportable 256-bit\n symmetric key in its associated CloudHSM cluster and associates it with the KMS key. When you\n create a KMS key in an external key store, you must use the XksKeyId
parameter to specify an\n external key that serves as key material for the KMS key.
Creates the KMS key in the specified custom key store. The ConnectionState
of\n the custom key store must be CONNECTED
. To find the CustomKeyStoreID and\n ConnectionState use the DescribeCustomKeyStores operation.
This parameter is valid only for symmetric encryption KMS keys in a single Region. You\n cannot create any other type of KMS key in a custom key store.
\nWhen you create a KMS key in an CloudHSM key store, KMS generates a non-exportable 256-bit\n symmetric key in its associated CloudHSM cluster and associates it with the KMS key. When you\n create a KMS key in an external key store, you must use the XksKeyId
parameter to\n specify an external key that serves as key material for the KMS key.
Describes the connection error. This field appears in the response only when the\n ConnectionState
is FAILED
.
Many failures can be resolved by updating the properties of the custom key store. To\n update a custom key store, disconnect it (DisconnectCustomKeyStore), correct\n the errors (UpdateCustomKeyStore), and try to connect again (ConnectCustomKeyStore). For additional help resolving these errors, see How to Fix a\n Connection Failure in Key Management Service Developer Guide.
\n\n All custom key stores:\n
\n\n INTERNAL_ERROR
— KMS could not complete the request due to an\n internal error. Retry the request. For ConnectCustomKeyStore
requests,\n disconnect the custom key store before trying to connect again.
\n NETWORK_ERRORS
— Network errors are preventing KMS from\n connecting the custom key store to its backing key store.
\n CloudHSM key stores:\n
\n\n CLUSTER_NOT_FOUND
— KMS cannot find the CloudHSM cluster with the\n specified cluster ID.
\n INSUFFICIENT_CLOUDHSM_HSMS
— The associated CloudHSM cluster does not\n contain any active HSMs. To connect a custom key store to its CloudHSM cluster, the cluster\n must contain at least one active HSM.
\n INSUFFICIENT_FREE_ADDRESSES_IN_SUBNET
— At least one private subnet\n associated with the CloudHSM cluster doesn't have any available IP addresses. A CloudHSM key\n store connection requires one free IP address in each of the associated private subnets,\n although two are preferable. For details, see How to Fix a Connection\n Failure in the Key Management Service Developer Guide.
\n INVALID_CREDENTIALS
— The KeyStorePassword
for the\n custom key store doesn't match the current password of the kmsuser
crypto\n user in the CloudHSM cluster. Before you can connect your custom key store to its CloudHSM\n cluster, you must change the kmsuser
account password and update the\n KeyStorePassword
value for the custom key store.
\n SUBNET_NOT_FOUND
— A subnet in the CloudHSM cluster configuration was\n deleted. If KMS cannot find all of the subnets in the cluster configuration, attempts to\n connect the custom key store to the CloudHSM cluster fail. To fix this error, create a\n cluster from a recent backup and associate it with your custom key store. (This process\n creates a new cluster configuration with a VPC and private subnets.) For details, see\n How\n to Fix a Connection Failure in the Key Management Service Developer Guide.
\n USER_LOCKED_OUT
— The kmsuser
CU account is locked\n out of the associated CloudHSM cluster due to too many failed password attempts. Before you\n can connect your custom key store to its CloudHSM cluster, you must change the\n kmsuser
account password and update the key store password value for the\n custom key store.
\n USER_LOGGED_IN
— The kmsuser
CU account is logged\n into the associated CloudHSM cluster. This prevents KMS from rotating the\n kmsuser
account password and logging into the cluster. Before you can\n connect your custom key store to its CloudHSM cluster, you must log the kmsuser
\n CU out of the cluster. If you changed the kmsuser
password to log into the\n cluster, you must also and update the key store password value for the custom key store.\n For help, see How to Log Out and\n Reconnect in the Key Management Service Developer Guide.
\n USER_NOT_FOUND
— KMS cannot find a kmsuser
CU\n account in the associated CloudHSM cluster. Before you can connect your custom key store to\n its CloudHSM cluster, you must create a kmsuser
CU account in the cluster, and\n then update the key store password value for the custom key store.
\n External key stores:\n
\n\n INVALID_CREDENTIALS
— One or both of the\n XksProxyAuthenticationCredential
values is not valid on the specified\n external key store proxy.
\n XKS_PROXY_ACCESS_DENIED
— KMS requests are denied access to the\n external key store proxy. If the external key store proxy has authorization rules, verify\n that they permit KMS to communicate with the proxy on your behalf.
\n XKS_PROXY_INVALID_CONFIGURATION
— A configuration error is\n preventing the external key store from connecting to its proxy. Verify the value of the\n XksProxyUriPath
.
\n XKS_PROXY_INVALID_RESPONSE
— KMS cannot interpret the response\n from the external key store proxy. If you see this connection error code repeatedly,\n notify your external key store proxy vendor.
\n XKS_PROXY_INVALID_TLS_CONFIGURATION
— KMS cannot connect to the\n external key store proxy because the TLS configuration is invalid. Verify that the XKS\n proxy supports TLS 1.2 or 1.3. Also, verify that the TLS certificate is not expired, and\n that it matches the hostname in the XksProxyUriEndpoint
value, and that it is\n signed by a certificate authority included in the Trusted Certificate Authorities\n list.
\n XKS_PROXY_NOT_REACHABLE
— KMS can't communicate with your\n external key store proxy. Verify that the XksProxyUriEndpoint
and\n XksProxyUriPath
are correct. Use the tools for your external key store\n proxy to verify that the proxy is active and available on its network. Also, verify that\n your external key manager instances are operating properly. Connection attempts fail with\n this connection error code if the proxy reports that all external key manager instances\n are unavailable.
\n XKS_PROXY_TIMED_OUT
— KMS can connect to the external key store\n proxy, but the proxy does not respond to KMS in the time allotted. If you see this\n connection error code repeatedly, notify your external key store proxy vendor.
\n XKS_VPC_ENDPOINT_SERVICE_INVALID_CONFIGURATION
— The Amazon VPC\n endpoint service configuration doesn't conform to the requirements for an KMS external\n key store.
The VPC endpoint service must be an endpoint service for interface endpoints in the caller's Amazon Web Services account.
\nIt must have a network load balancer (NLB) connected to at least two subnets, each in a different Availability Zone.
\nThe Allow principals
list must include \n\t the KMS service principal for the Region, cks.kms.
, \n\t such as cks.kms.us-east-1.amazonaws.com
.
It must not require acceptance of connection requests.
\nIt must have a private DNS name. The private DNS name for an external key store with VPC_ENDPOINT_SERVICE
connectivity\n\t must be unique in its Amazon Web Services Region.
The domain of the private DNS name must have a verification status of\n\t verified
.
The TLS certificate specifies the private DNS hostname at which the endpoint is reachable.
\n\n XKS_VPC_ENDPOINT_SERVICE_NOT_FOUND
— KMS can't find the VPC\n endpoint service that it uses to communicate with the external key store proxy. Verify\n that the XksProxyVpcEndpointServiceName
is correct and the KMS service\n principal has service consumer permissions on the Amazon VPC endpoint service.
Describes the connection error. This field appears in the response only when the\n ConnectionState
is FAILED
.
Many failures can be resolved by updating the properties of the custom key store. To\n update a custom key store, disconnect it (DisconnectCustomKeyStore), correct\n the errors (UpdateCustomKeyStore), and try to connect again (ConnectCustomKeyStore). For additional help resolving these errors, see How to Fix a\n Connection Failure in Key Management Service Developer Guide.
\n\n All custom key stores:\n
\n\n INTERNAL_ERROR
— KMS could not complete the request due to an\n internal error. Retry the request. For ConnectCustomKeyStore
requests,\n disconnect the custom key store before trying to connect again.
\n NETWORK_ERRORS
— Network errors are preventing KMS from\n connecting the custom key store to its backing key store.
\n CloudHSM key stores:\n
\n\n CLUSTER_NOT_FOUND
— KMS cannot find the CloudHSM cluster with the\n specified cluster ID.
\n INSUFFICIENT_CLOUDHSM_HSMS
— The associated CloudHSM cluster does not\n contain any active HSMs. To connect a custom key store to its CloudHSM cluster, the cluster\n must contain at least one active HSM.
\n INSUFFICIENT_FREE_ADDRESSES_IN_SUBNET
— At least one private\n subnet associated with the CloudHSM cluster doesn't have any available IP addresses. A CloudHSM\n key store connection requires one free IP address in each of the associated private\n subnets, although two are preferable. For details, see How to Fix a Connection\n Failure in the Key Management Service Developer Guide.
\n INVALID_CREDENTIALS
— The KeyStorePassword
for the\n custom key store doesn't match the current password of the kmsuser
crypto\n user in the CloudHSM cluster. Before you can connect your custom key store to its CloudHSM\n cluster, you must change the kmsuser
account password and update the\n KeyStorePassword
value for the custom key store.
\n SUBNET_NOT_FOUND
— A subnet in the CloudHSM cluster configuration was\n deleted. If KMS cannot find all of the subnets in the cluster configuration, attempts to\n connect the custom key store to the CloudHSM cluster fail. To fix this error, create a\n cluster from a recent backup and associate it with your custom key store. (This process\n creates a new cluster configuration with a VPC and private subnets.) For details, see\n How\n to Fix a Connection Failure in the Key Management Service Developer Guide.
\n USER_LOCKED_OUT
— The kmsuser
CU account is locked\n out of the associated CloudHSM cluster due to too many failed password attempts. Before you\n can connect your custom key store to its CloudHSM cluster, you must change the\n kmsuser
account password and update the key store password value for the\n custom key store.
\n USER_LOGGED_IN
— The kmsuser
CU account is logged\n into the associated CloudHSM cluster. This prevents KMS from rotating the\n kmsuser
account password and logging into the cluster. Before you can\n connect your custom key store to its CloudHSM cluster, you must log the kmsuser
\n CU out of the cluster. If you changed the kmsuser
password to log into the\n cluster, you must also and update the key store password value for the custom key store.\n For help, see How to Log Out and\n Reconnect in the Key Management Service Developer Guide.
\n USER_NOT_FOUND
— KMS cannot find a kmsuser
CU\n account in the associated CloudHSM cluster. Before you can connect your custom key store to\n its CloudHSM cluster, you must create a kmsuser
CU account in the cluster, and\n then update the key store password value for the custom key store.
\n External key stores:\n
\n\n INVALID_CREDENTIALS
— One or both of the\n XksProxyAuthenticationCredential
values is not valid on the specified\n external key store proxy.
\n XKS_PROXY_ACCESS_DENIED
— KMS requests are denied access to the\n external key store proxy. If the external key store proxy has authorization rules, verify\n that they permit KMS to communicate with the proxy on your behalf.
\n XKS_PROXY_INVALID_CONFIGURATION
— A configuration error is\n preventing the external key store from connecting to its proxy. Verify the value of the\n XksProxyUriPath
.
\n XKS_PROXY_INVALID_RESPONSE
— KMS cannot interpret the response\n from the external key store proxy. If you see this connection error code repeatedly,\n notify your external key store proxy vendor.
\n XKS_PROXY_INVALID_TLS_CONFIGURATION
— KMS cannot connect to the\n external key store proxy because the TLS configuration is invalid. Verify that the XKS\n proxy supports TLS 1.2 or 1.3. Also, verify that the TLS certificate is not expired, and\n that it matches the hostname in the XksProxyUriEndpoint
value, and that it is\n signed by a certificate authority included in the Trusted Certificate Authorities list.
\n XKS_PROXY_NOT_REACHABLE
— KMS can't communicate with your\n external key store proxy. Verify that the XksProxyUriEndpoint
and\n XksProxyUriPath
are correct. Use the tools for your external key store\n proxy to verify that the proxy is active and available on its network. Also, verify that\n your external key manager instances are operating properly. Connection attempts fail with\n this connection error code if the proxy reports that all external key manager instances\n are unavailable.
\n XKS_PROXY_TIMED_OUT
— KMS can connect to the external key store\n proxy, but the proxy does not respond to KMS in the time allotted. If you see this\n connection error code repeatedly, notify your external key store proxy vendor.
\n XKS_VPC_ENDPOINT_SERVICE_INVALID_CONFIGURATION
— The Amazon VPC\n endpoint service configuration doesn't conform to the requirements for an KMS external\n key store.
The VPC endpoint service must be an endpoint service for interface endpoints in the caller's Amazon Web Services account.
\nIt must have a network load balancer (NLB) connected to at least two subnets, each in a different Availability Zone.
\nThe Allow principals
list must include \n\t the KMS service principal for the Region, cks.kms.
, \n\t such as cks.kms.us-east-1.amazonaws.com
.
It must not require acceptance of connection requests.
\nIt must have a private DNS name. The private DNS name for an external key store with VPC_ENDPOINT_SERVICE
connectivity\n\t must be unique in its Amazon Web Services Region.
The domain of the private DNS name must have a verification status of\n\t verified
.
The TLS certificate specifies the private DNS hostname at which the endpoint is reachable.
\n\n XKS_VPC_ENDPOINT_SERVICE_NOT_FOUND
— KMS can't find the VPC\n endpoint service that it uses to communicate with the external key store proxy. Verify\n that the XksProxyVpcEndpointServiceName
is correct and the KMS service\n principal has service consumer permissions on the Amazon VPC endpoint service.
Decrypts ciphertext that was encrypted by a KMS key using any of the following\n operations:
\n\n Encrypt\n
\n\n GenerateDataKey\n
\n\n GenerateDataKeyPair\n
\nYou can use this operation to decrypt ciphertext that was encrypted under a symmetric\n encryption KMS key or an asymmetric encryption KMS key. When the KMS key is asymmetric, you\n must specify the KMS key and the encryption algorithm that was used to encrypt the ciphertext.\n For information about asymmetric KMS keys, see Asymmetric KMS keys in the Key Management Service Developer Guide.
\nThe Decrypt
operation also decrypts ciphertext that was encrypted outside of\n KMS by the public key in an KMS asymmetric KMS key. However, it cannot decrypt symmetric\n ciphertext produced by other libraries, such as the Amazon Web Services Encryption SDK or Amazon S3 client-side encryption.\n These libraries return a ciphertext format that is incompatible with KMS.
If the ciphertext was encrypted under a symmetric encryption KMS key, the\n KeyId
parameter is optional. KMS can get this information from metadata that\n it adds to the symmetric ciphertext blob. This feature adds durability to your implementation\n by ensuring that authorized users can decrypt ciphertext decades after it was encrypted, even\n if they've lost track of the key ID. However, specifying the KMS key is always recommended as\n a best practice. When you use the KeyId
parameter to specify a KMS key, KMS\n only uses the KMS key you specify. If the ciphertext was encrypted under a different KMS key,\n the Decrypt
operation fails. This practice ensures that you use the KMS key that\n you intend.
Whenever possible, use key policies to give users permission to call the\n Decrypt
operation on a particular KMS key, instead of using &IAM; policies.\n Otherwise, you might create an &IAM; policy that gives the user Decrypt
\n permission on all KMS keys. This user could decrypt ciphertext that was encrypted by KMS keys\n in other accounts if the key policy for the cross-account KMS key permits it. If you must use\n an IAM policy for Decrypt
permissions, limit the user to particular KMS keys or\n particular trusted accounts. For details, see Best practices for IAM\n policies in the Key Management Service Developer Guide.
\n Decrypt
also supports Amazon Web Services Nitro Enclaves, which provide an\n isolated compute environment in Amazon EC2. To call Decrypt
for a Nitro enclave, use\n the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK. Use the Recipient
parameter to provide the\n attestation document for the enclave. Instead of the plaintext data, the response includes the\n plaintext data encrypted with the public key from the attestation document\n (CiphertextForRecipient
).For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide..
The KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: Yes. If you use the KeyId
\n parameter to identify a KMS key in a different Amazon Web Services account, specify the key ARN or the alias\n ARN of the KMS key.
\n Required permissions: kms:Decrypt (key policy)
\n\n Related operations:\n
\n\n Encrypt\n
\n\n GenerateDataKey\n
\n\n GenerateDataKeyPair\n
\n\n ReEncrypt\n
\nDecrypts ciphertext that was encrypted by a KMS key using any of the following\n operations:
\n\n Encrypt\n
\n\n GenerateDataKey\n
\n\n GenerateDataKeyPair\n
\nYou can use this operation to decrypt ciphertext that was encrypted under a symmetric\n encryption KMS key or an asymmetric encryption KMS key. When the KMS key is asymmetric, you\n must specify the KMS key and the encryption algorithm that was used to encrypt the ciphertext.\n For information about asymmetric KMS keys, see Asymmetric KMS keys in the Key Management Service Developer Guide.
\nThe Decrypt
operation also decrypts ciphertext that was encrypted outside of\n KMS by the public key in an KMS asymmetric KMS key. However, it cannot decrypt symmetric\n ciphertext produced by other libraries, such as the Amazon Web Services Encryption SDK or Amazon S3 client-side encryption.\n These libraries return a ciphertext format that is incompatible with KMS.
If the ciphertext was encrypted under a symmetric encryption KMS key, the\n KeyId
parameter is optional. KMS can get this information from metadata that\n it adds to the symmetric ciphertext blob. This feature adds durability to your implementation\n by ensuring that authorized users can decrypt ciphertext decades after it was encrypted, even\n if they've lost track of the key ID. However, specifying the KMS key is always recommended as\n a best practice. When you use the KeyId
parameter to specify a KMS key, KMS\n only uses the KMS key you specify. If the ciphertext was encrypted under a different KMS key,\n the Decrypt
operation fails. This practice ensures that you use the KMS key that\n you intend.
Whenever possible, use key policies to give users permission to call the\n Decrypt
operation on a particular KMS key, instead of using &IAM; policies.\n Otherwise, you might create an &IAM; policy that gives the user Decrypt
\n permission on all KMS keys. This user could decrypt ciphertext that was encrypted by KMS keys\n in other accounts if the key policy for the cross-account KMS key permits it. If you must use\n an IAM policy for Decrypt
permissions, limit the user to particular KMS keys or\n particular trusted accounts. For details, see Best practices for IAM\n policies in the Key Management Service Developer Guide.
\n Decrypt
also supports Amazon Web Services Nitro Enclaves, which provide an\n isolated compute environment in Amazon EC2. To call Decrypt
for a Nitro enclave, use\n the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK. Use the Recipient
parameter to provide the\n attestation document for the enclave. Instead of the plaintext data, the response includes the\n plaintext data encrypted with the public key from the attestation document\n (CiphertextForRecipient
).For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide..
The KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: Yes. If you use the KeyId
\n parameter to identify a KMS key in a different Amazon Web Services account, specify the key ARN or the alias\n ARN of the KMS key.
\n Required permissions: kms:Decrypt (key policy)
\n\n Related operations:\n
\n\n Encrypt\n
\n\n GenerateDataKey\n
\n\n GenerateDataKeyPair\n
\n\n ReEncrypt\n
\nA signed attestation document from\n an Amazon Web Services Nitro enclave and the encryption algorithm to use with the enclave's public key.\n The only valid encryption algorithm is RSAES_OAEP_SHA_256
.
This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves. To include this\n parameter, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK.
\nWhen you use this parameter, instead of returning the plaintext data, KMS encrypts the\n plaintext data with the public key in the attestation document, and returns the resulting\n ciphertext in the CiphertextForRecipient
field in the response. This ciphertext\n can be decrypted only with the private key in the enclave. The Plaintext
field in\n the response is null or empty.
For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.
"
+ "smithy.api#documentation": "A signed attestation document from\n an Amazon Web Services Nitro enclave and the encryption algorithm to use with the enclave's public key. The\n only valid encryption algorithm is RSAES_OAEP_SHA_256
.
This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves. To include this\n parameter, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK.
\nWhen you use this parameter, instead of returning the plaintext data, KMS encrypts the\n plaintext data with the public key in the attestation document, and returns the resulting\n ciphertext in the CiphertextForRecipient
field in the response. This ciphertext\n can be decrypted only with the private key in the enclave. The Plaintext
field in\n the response is null or empty.
For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.
"
+ }
+ },
+ "DryRun": {
+ "target": "com.amazonaws.kms#NullableBooleanType",
+ "traits": {
+ "smithy.api#documentation": "Checks if your request will succeed. DryRun
is an optional parameter.
To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.
"
 }
 }
 },
@@ -1417,7 +1515,7 @@
 "Plaintext": {
 "target": "com.amazonaws.kms#PlaintextType",
 "traits": {
- "smithy.api#documentation": "Decrypted plaintext data. When you use the HTTP API or the Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.
\nIf the response includes the CiphertextForRecipient
field, the\n Plaintext
field is null or empty.
Decrypted plaintext data. When you use the HTTP API or the Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.
\nIf the response includes the CiphertextForRecipient
field, the\n Plaintext
field is null or empty.
Deletes the specified alias.
\nAdding, deleting, or updating an alias can allow or deny permission to the KMS key. For details, see ABAC for KMS in the Key Management Service Developer Guide.
\nBecause an alias is not a property of a KMS key, you can delete and change the aliases of\n a KMS key without affecting the KMS key. Also, aliases do not appear in the response from the\n DescribeKey operation. To get the aliases of all KMS keys, use the ListAliases operation.
\nEach KMS key can have multiple aliases. To change the alias of a KMS key, use DeleteAlias to delete the current alias and CreateAlias to\n create a new alias. To associate an existing alias with a different KMS key, call UpdateAlias.
\n\n Cross-account use: No. You cannot perform this operation on an alias in a different Amazon Web Services account.
\n\n Required permissions\n
\n\n kms:DeleteAlias on\n the alias (IAM policy).
\n\n kms:DeleteAlias on\n the KMS key (key policy).
\nFor details, see Controlling access to aliases in the\n Key Management Service Developer Guide.
\n\n Related operations:\n
\n\n CreateAlias\n
\n\n ListAliases\n
\n\n UpdateAlias\n
\nDeletes the specified alias.
\nAdding, deleting, or updating an alias can allow or deny permission to the KMS key. For details, see ABAC for KMS in the Key Management Service Developer Guide.
\nBecause an alias is not a property of a KMS key, you can delete and change the aliases of\n a KMS key without affecting the KMS key. Also, aliases do not appear in the response from the\n DescribeKey operation. To get the aliases of all KMS keys, use the ListAliases operation.
\nEach KMS key can have multiple aliases. To change the alias of a KMS key, use DeleteAlias to delete the current alias and CreateAlias to\n create a new alias. To associate an existing alias with a different KMS key, call UpdateAlias.
\n\n Cross-account use: No. You cannot perform this operation on an alias in a different Amazon Web Services account.
\n\n Required permissions\n
\n\n kms:DeleteAlias on\n the alias (IAM policy).
\n\n kms:DeleteAlias on\n the KMS key (key policy).
\nFor details, see Controlling access to aliases in the\n Key Management Service Developer Guide.
\n\n Related operations:\n
\n\n CreateAlias\n
\n\n ListAliases\n
\n\n UpdateAlias\n
\nDeletes a custom key store. This operation does not affect any backing elements of the\n custom key store. It does not delete the CloudHSM cluster that is associated with an CloudHSM key\n store, or affect any users or keys in the cluster. For an external key store, it does not\n affect the external key store proxy, external key manager, or any external keys.
\nThis operation is part of the custom key stores feature in KMS, which\ncombines the convenience and extensive integration of KMS with the isolation and control of a\nkey store that you own and manage.
\nThe custom key store that you delete cannot contain any KMS keys. Before deleting the key store,\n verify that you will never need to use any of the KMS keys in the key store for any\n cryptographic operations. Then, use ScheduleKeyDeletion to delete the KMS keys from the\n key store. After the required waiting period expires and all KMS keys are deleted from the\n custom key store, use DisconnectCustomKeyStore to disconnect the key store\n from KMS. Then, you can delete the custom key store.
\nFor keys in an CloudHSM key store, the ScheduleKeyDeletion
operation makes a\n best effort to delete the key material from the associated cluster. However, you might need to\n manually delete the orphaned key\n material from the cluster and its backups. KMS never creates, manages, or deletes\n cryptographic keys in the external key manager associated with an external key store. You must\n manage them using your external key manager tools.
Instead of deleting the custom key store, consider using the DisconnectCustomKeyStore operation to disconnect the custom key store from its\n backing key store. While the key store is disconnected, you cannot create or use the KMS keys\n in the key store. But, you do not need to delete KMS keys and you can reconnect a disconnected\n custom key store at any time.
\nIf the operation succeeds, it returns a JSON object with no\nproperties.
\n\n Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account.
\n\n Required permissions: kms:DeleteCustomKeyStore (IAM policy)
\n\n Related operations:\n
\n\n CreateCustomKeyStore\n
\n\n UpdateCustomKeyStore\n
\nDeletes a custom key store. This operation does not affect any backing elements of the\n custom key store. It does not delete the CloudHSM cluster that is associated with an CloudHSM key\n store, or affect any users or keys in the cluster. For an external key store, it does not\n affect the external key store proxy, external key manager, or any external keys.
\nThis operation is part of the custom key stores feature in KMS, which\ncombines the convenience and extensive integration of KMS with the isolation and control of a\nkey store that you own and manage.
\nThe custom key store that you delete cannot contain any KMS keys. Before deleting the key store,\n verify that you will never need to use any of the KMS keys in the key store for any\n cryptographic operations. Then, use ScheduleKeyDeletion to delete the KMS keys from the\n key store. After the required waiting period expires and all KMS keys are deleted from the\n custom key store, use DisconnectCustomKeyStore to disconnect the key store\n from KMS. Then, you can delete the custom key store.
\nFor keys in an CloudHSM key store, the ScheduleKeyDeletion
operation makes a\n best effort to delete the key material from the associated cluster. However, you might need to\n manually delete the orphaned key\n material from the cluster and its backups. KMS never creates, manages, or deletes\n cryptographic keys in the external key manager associated with an external key store. You must\n manage them using your external key manager tools.
Instead of deleting the custom key store, consider using the DisconnectCustomKeyStore operation to disconnect the custom key store from its\n backing key store. While the key store is disconnected, you cannot create or use the KMS keys\n in the key store. But, you do not need to delete KMS keys and you can reconnect a disconnected\n custom key store at any time.
\nIf the operation succeeds, it returns a JSON object with no\nproperties.
\n\n Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account.
\n\n Required permissions: kms:DeleteCustomKeyStore (IAM policy)
\n\n Related operations:\n
\n\n CreateCustomKeyStore\n
\n\n UpdateCustomKeyStore\n
\nDeletes key material that was previously imported. This operation makes the specified KMS\n key temporarily unusable. To restore the usability of the KMS key, reimport the same key\n material. For more information about importing key material into KMS, see Importing Key Material\n in the Key Management Service Developer Guide.
\nWhen the specified KMS key is in the PendingDeletion
state, this operation\n does not change the KMS key's state. Otherwise, it changes the KMS key's state to\n PendingImport
.
The KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
\n\n Required permissions: kms:DeleteImportedKeyMaterial (key policy)
\n\n Related operations:\n
\n\n ImportKeyMaterial\n
\nDeletes key material that was previously imported. This operation makes the specified KMS\n key temporarily unusable. To restore the usability of the KMS key, reimport the same key\n material. For more information about importing key material into KMS, see Importing Key Material\n in the Key Management Service Developer Guide.
\nWhen the specified KMS key is in the PendingDeletion
state, this operation\n does not change the KMS key's state. Otherwise, it changes the KMS key's state to\n PendingImport
.
The KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
\n\n Required permissions: kms:DeleteImportedKeyMaterial (key policy)
\n\n Related operations:\n
\n\n ImportKeyMaterial\n
\nGets information about custom key stores in the account and Region.
\nThis operation is part of the custom key stores feature in KMS, which\ncombines the convenience and extensive integration of KMS with the isolation and control of a\nkey store that you own and manage.
\nBy default, this operation returns information about all custom key stores in the account\n and Region. To get only information about a particular custom key store, use either the\n CustomKeyStoreName
or CustomKeyStoreId
parameter (but not\n both).
To determine whether the custom key store is connected to its CloudHSM cluster or external\n key store proxy, use the ConnectionState
element in the response. If an attempt\n to connect the custom key store failed, the ConnectionState
value is\n FAILED
and the ConnectionErrorCode
element in the response\n indicates the cause of the failure. For help interpreting the\n ConnectionErrorCode
, see CustomKeyStoresListEntry.
Custom key stores have a DISCONNECTED
connection state if the key store has\n never been connected or you used the DisconnectCustomKeyStore operation to\n disconnect it. Otherwise, the connection state is CONNECTED. If your custom key store\n connection state is CONNECTED
but you are having trouble using it, verify that\n the backing store is active and available. For an CloudHSM key store, verify that the associated\n CloudHSM cluster is active and contains the minimum number of HSMs required for the operation, if\n any. For an external key store, verify that the external key store proxy and its associated\n external key manager are reachable and enabled.
For help repairing your CloudHSM key store, see the Troubleshooting CloudHSM key stores. For help\n repairing your external key store, see the Troubleshooting external key stores. Both\n topics are in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account.
\n\n Required permissions: kms:DescribeCustomKeyStores (IAM policy)
\n\n Related operations:\n
\n\n CreateCustomKeyStore\n
\n\n DeleteCustomKeyStore\n
\n\n UpdateCustomKeyStore\n
\nGets information about custom key stores in the account and Region.
\nThis operation is part of the custom key stores feature in KMS, which\ncombines the convenience and extensive integration of KMS with the isolation and control of a\nkey store that you own and manage.
\nBy default, this operation returns information about all custom key stores in the account\n and Region. To get only information about a particular custom key store, use either the\n CustomKeyStoreName
or CustomKeyStoreId
parameter (but not\n both).
To determine whether the custom key store is connected to its CloudHSM cluster or external\n key store proxy, use the ConnectionState
element in the response. If an attempt\n to connect the custom key store failed, the ConnectionState
value is\n FAILED
and the ConnectionErrorCode
element in the response\n indicates the cause of the failure. For help interpreting the\n ConnectionErrorCode
, see CustomKeyStoresListEntry.
Custom key stores have a DISCONNECTED
connection state if the key store has\n never been connected or you used the DisconnectCustomKeyStore operation to\n disconnect it. Otherwise, the connection state is CONNECTED. If your custom key store\n connection state is CONNECTED
but you are having trouble using it, verify that\n the backing store is active and available. For an CloudHSM key store, verify that the associated\n CloudHSM cluster is active and contains the minimum number of HSMs required for the operation, if\n any. For an external key store, verify that the external key store proxy and its associated\n external key manager are reachable and enabled.
For help repairing your CloudHSM key store, see the Troubleshooting CloudHSM key stores. For help\n repairing your external key store, see the Troubleshooting external key stores.\n Both topics are in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account.
\n\n Required permissions: kms:DescribeCustomKeyStores (IAM policy)
\n\n Related operations:\n
\n\n CreateCustomKeyStore\n
\n\n DeleteCustomKeyStore\n
\n\n UpdateCustomKeyStore\n
\nSets the state of a KMS key to disabled. This change temporarily prevents use of the KMS\n key for cryptographic operations.
\nFor more information about how key state affects the use of a KMS key, see\n Key states of KMS keys in the \n Key Management Service Developer Guide\n .
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
\n\n Required permissions: kms:DisableKey (key policy)
\n\n Related operations: EnableKey\n
"
+ "smithy.api#documentation": "Sets the state of a KMS key to disabled. This change temporarily prevents use of the KMS\n key for cryptographic operations.
\nFor more information about how key state affects the use of a KMS key, see\n Key states of KMS keys in the \n Key Management Service Developer Guide\n .
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
\n\n Required permissions: kms:DisableKey (key policy)
\n\n Related operations: EnableKey\n
",
+ "smithy.api#examples": [
+ {
+ "title": "To disable a KMS key",
+ "documentation": "The following example disables the specified KMS key.",
+ "input": {
+ "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
+ }
+ }
+ ]
 }
 },
 "com.amazonaws.kms#DisableKeyRequest": {
@@ -1824,7 +1968,16 @@
 }
 ],
 "traits": {
- "smithy.api#documentation": "Disables automatic\n rotation of the key material of the specified symmetric encryption KMS key.
\nAutomatic key rotation is supported only on symmetric encryption KMS keys.\n You cannot enable automatic rotation of asymmetric KMS keys, HMAC KMS keys, KMS keys with imported key material, or KMS keys in a custom key store. To enable or disable automatic rotation of a set of related multi-Region keys, set the property on the primary key.
\nYou can enable (EnableKeyRotation) and disable automatic rotation of the\n key material in customer managed KMS keys. Key material rotation of Amazon Web Services managed KMS keys is not\n configurable. KMS always rotates the key material for every year. Rotation of Amazon Web Services owned KMS\n keys varies.
\nIn May 2022, KMS changed the rotation schedule for Amazon Web Services managed keys from every three\n years to every year. For details, see EnableKeyRotation.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
\n\n Required permissions: kms:DisableKeyRotation (key policy)
\n\n Related operations:\n
\n\n EnableKeyRotation\n
\n\n GetKeyRotationStatus\n
\nDisables automatic\n rotation of the key material of the specified symmetric encryption KMS key.
\nAutomatic key rotation is supported only on symmetric encryption KMS keys.\n You cannot enable automatic rotation of asymmetric KMS keys, HMAC KMS keys, KMS keys with imported key material, or KMS keys in a custom key store. To enable or disable automatic rotation of a set of related multi-Region keys, set the property on the primary key.
\nYou can enable (EnableKeyRotation) and disable automatic rotation of the\n key material in customer managed KMS keys. Key material rotation of Amazon Web Services managed KMS keys is not\n configurable. KMS always rotates the key material for every year. Rotation of Amazon Web Services owned KMS\n keys varies.
\nIn May 2022, KMS changed the rotation schedule for Amazon Web Services managed keys from every three\n years to every year. For details, see EnableKeyRotation.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
\n\n Required permissions: kms:DisableKeyRotation (key policy)
\n\n Related operations:\n
\n\n EnableKeyRotation\n
\n\n GetKeyRotationStatus\n
\nDisconnects the custom key store from its backing key store. This operation disconnects an\n CloudHSM key store from its associated CloudHSM cluster or disconnects an external key store from\n the external key store proxy that communicates with your external key manager.
\nThis operation is part of the custom key stores feature in KMS, which\ncombines the convenience and extensive integration of KMS with the isolation and control of a\nkey store that you own and manage.
\nWhile a custom key store is disconnected, you can manage the custom key store and its KMS\n keys, but you cannot create or use its KMS keys. You can reconnect the custom key store at any\n time.
\nWhile a custom key store is disconnected, all attempts to create KMS keys in the custom key store or to use existing KMS keys in cryptographic operations will\n fail. This action can prevent users from storing and accessing sensitive data.
\nWhen you disconnect a custom key store, its ConnectionState
changes to\n Disconnected
. To find the connection state of a custom key store, use the DescribeCustomKeyStores operation. To reconnect a custom key store, use the\n ConnectCustomKeyStore operation.
If the operation succeeds, it returns a JSON object with no\nproperties.
\n\n Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account.
\n\n Required permissions: kms:DisconnectCustomKeyStore (IAM policy)
\n\n Related operations:\n
\n\n CreateCustomKeyStore\n
\n\n DeleteCustomKeyStore\n
\n\n UpdateCustomKeyStore\n
\nDisconnects the custom key store from its backing key store. This operation disconnects an\n CloudHSM key store from its associated CloudHSM cluster or disconnects an external key store from\n the external key store proxy that communicates with your external key manager.
\nThis operation is part of the custom key stores feature in KMS, which\ncombines the convenience and extensive integration of KMS with the isolation and control of a\nkey store that you own and manage.
\nWhile a custom key store is disconnected, you can manage the custom key store and its KMS\n keys, but you cannot create or use its KMS keys. You can reconnect the custom key store at any\n time.
\nWhile a custom key store is disconnected, all attempts to create KMS keys in the custom key store or to use existing KMS keys in cryptographic operations will\n fail. This action can prevent users from storing and accessing sensitive data.
\nWhen you disconnect a custom key store, its ConnectionState
changes to\n Disconnected
. To find the connection state of a custom key store, use the DescribeCustomKeyStores operation. To reconnect a custom key store, use the\n ConnectCustomKeyStore operation.
If the operation succeeds, it returns a JSON object with no\nproperties.
\n\n Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account.
\n\n Required permissions: kms:DisconnectCustomKeyStore (IAM policy)
\n\n Related operations:\n
\n\n CreateCustomKeyStore\n
\n\n DeleteCustomKeyStore\n
\n\n UpdateCustomKeyStore\n
\nDescribeCustomKeyStores
operation.",
+ "input": {
+ "CustomKeyStoreId": "cks-1234567890abcdef0"
+ },
+ "output": {}
+ }
+ ]
}
},
"com.amazonaws.kms#DisconnectCustomKeyStoreRequest": {
@@ -1904,6 +2067,23 @@
"smithy.api#output": {}
}
},
+ "com.amazonaws.kms#DryRunOperationException": {
+ "type": "structure",
+ "members": {
+ "message": {
+ "target": "com.amazonaws.kms#ErrorMessageType"
+ }
+ },
+ "traits": {
+ "aws.protocols#awsQueryError": {
+ "code": "DryRunOperation",
+ "httpResponseCode": 412
+ },
+ "smithy.api#documentation": "\n The request was rejected because the DryRun parameter was specified.\n
", + "smithy.api#error": "client", + "smithy.api#httpError": 412 + } + }, "com.amazonaws.kms#EnableKey": { "type": "operation", "input": { @@ -1933,7 +2113,16 @@ } ], "traits": { - "smithy.api#documentation": "Sets the key state of a KMS key to enabled. This allows you to use the KMS key for\n cryptographic operations.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
\n\n Required permissions: kms:EnableKey (key policy)
\n\n Related operations: DisableKey\n
" + "smithy.api#documentation": "Sets the key state of a KMS key to enabled. This allows you to use the KMS key for\n cryptographic operations.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
\n\n Required permissions: kms:EnableKey (key policy)
\n\n Related operations: DisableKey\n
", + "smithy.api#examples": [ + { + "title": "To enable a KMS key", + "documentation": "The following example enables the specified KMS key.", + "input": { + "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab" + } + } + ] } }, "com.amazonaws.kms#EnableKeyRequest": { @@ -1983,7 +2172,16 @@ } ], "traits": { - "smithy.api#documentation": "Enables automatic rotation\n of the key material of the specified symmetric encryption KMS key.
\nWhen you enable automatic rotation of acustomer managed KMS key, KMS\n rotates the key material of the KMS key one year (approximately 365 days) from the enable date\n and every year thereafter. You can monitor rotation of the key material for your KMS keys in\n CloudTrail and Amazon CloudWatch. To disable rotation of the key material in a customer\n managed KMS key, use the DisableKeyRotation operation.
\nAutomatic key rotation is supported only on symmetric encryption KMS keys.\n You cannot enable automatic rotation of asymmetric KMS keys, HMAC KMS keys, KMS keys with imported key material, or KMS keys in a custom key store. To enable or disable automatic rotation of a set of related multi-Region keys, set the property on the primary key.
\nYou cannot enable or disable automatic rotation Amazon Web Services managed KMS keys. KMS\n always rotates the key material of Amazon Web Services managed keys every year. Rotation of Amazon Web Services owned KMS\n keys varies.
\nIn May 2022, KMS changed the rotation schedule for Amazon Web Services managed keys from every three\n years (approximately 1,095 days) to every year (approximately 365 days).
\nNew Amazon Web Services managed keys are automatically rotated one year after they are created, and\n approximately every year thereafter.
\nExisting Amazon Web Services managed keys are automatically rotated one year after their most recent\n rotation, and every year thereafter.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
\n\n Required permissions: kms:EnableKeyRotation (key policy)
\n\n Related operations:\n
\n\n DisableKeyRotation\n
\n\n GetKeyRotationStatus\n
\nEnables automatic rotation\n of the key material of the specified symmetric encryption KMS key.
\nWhen you enable automatic rotation of acustomer managed KMS key, KMS\n rotates the key material of the KMS key one year (approximately 365 days) from the enable date\n and every year thereafter. You can monitor rotation of the key material for your KMS keys in\n CloudTrail and Amazon CloudWatch. To disable rotation of the key material in a customer\n managed KMS key, use the DisableKeyRotation operation.
\nAutomatic key rotation is supported only on symmetric encryption KMS keys.\n You cannot enable automatic rotation of asymmetric KMS keys, HMAC KMS keys, KMS keys with imported key material, or KMS keys in a custom key store. To enable or disable automatic rotation of a set of related multi-Region keys, set the property on the primary key.
\nYou cannot enable or disable automatic rotation Amazon Web Services managed KMS keys. KMS\n always rotates the key material of Amazon Web Services managed keys every year. Rotation of Amazon Web Services owned KMS\n keys varies.
\nIn May 2022, KMS changed the rotation schedule for Amazon Web Services managed keys from every three\n years (approximately 1,095 days) to every year (approximately 365 days).
\nNew Amazon Web Services managed keys are automatically rotated one year after they are created, and\n approximately every year thereafter.
\nExisting Amazon Web Services managed keys are automatically rotated one year after their most recent\n rotation, and every year thereafter.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
\n\n Required permissions: kms:EnableKeyRotation (key policy)
\n\n Related operations:\n
\n\n DisableKeyRotation\n
\n\n GetKeyRotationStatus\n
\nEncrypts plaintext of up to 4,096 bytes using a KMS key. You can use a symmetric or\n asymmetric KMS key with a KeyUsage
of ENCRYPT_DECRYPT
.
You can use this operation to encrypt small amounts of arbitrary data, such as a personal\n identifier or database password, or other sensitive information. You don't need to use the\n Encrypt
operation to encrypt a data key. The GenerateDataKey\n and GenerateDataKeyPair operations return a plaintext data key and an\n encrypted copy of that data key.
If you use a symmetric encryption KMS key, you can use an encryption context to add\n additional security to your encryption operation. If you specify an\n EncryptionContext
when encrypting data, you must specify the same encryption\n context (a case-sensitive exact match) when decrypting the data. Otherwise, the request to\n decrypt fails with an InvalidCiphertextException
. For more information, see\n Encryption\n Context in the Key Management Service Developer Guide.
If you specify an asymmetric KMS key, you must also specify the encryption algorithm. The\n algorithm must be compatible with the KMS key spec.
\nWhen you use an asymmetric KMS key to encrypt or reencrypt data, be sure to record the KMS key and encryption algorithm that you choose. You will be required to provide the same KMS key and encryption algorithm when you decrypt the data. If the KMS key and algorithm do not match the values used to encrypt the data, the decrypt operation fails.
\nYou are not required to supply the key ID and encryption algorithm when you decrypt with symmetric encryption KMS keys because KMS stores this information in the ciphertext blob. KMS cannot store metadata in ciphertext generated with asymmetric keys. The standard format for asymmetric key ciphertext does not include configurable fields.
\nThe maximum size of the data that you can encrypt varies with the type of KMS key and the\n encryption algorithm that you choose.
\nSymmetric encryption KMS keys
\n\n SYMMETRIC_DEFAULT
: 4096 bytes
\n RSA_2048
\n
\n RSAES_OAEP_SHA_1
: 214 bytes
\n RSAES_OAEP_SHA_256
: 190 bytes
\n RSA_3072
\n
\n RSAES_OAEP_SHA_1
: 342 bytes
\n RSAES_OAEP_SHA_256
: 318 bytes
\n RSA_4096
\n
\n RSAES_OAEP_SHA_1
: 470 bytes
\n RSAES_OAEP_SHA_256
: 446 bytes
\n SM2PKE
: 1024 bytes (China Regions only)
The KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: Yes.\n To perform this operation with a KMS key in a different Amazon Web Services account, specify\n the key ARN or alias ARN in the value of the KeyId
parameter.
\n Required permissions: kms:Encrypt (key policy)
\n\n Related operations:\n
\n\n Decrypt\n
\n\n GenerateDataKey\n
\n\n GenerateDataKeyPair\n
\nEncrypts plaintext of up to 4,096 bytes using a KMS key. You can use a symmetric or\n asymmetric KMS key with a KeyUsage
of ENCRYPT_DECRYPT
.
You can use this operation to encrypt small amounts of arbitrary data, such as a personal\n identifier or database password, or other sensitive information. You don't need to use the\n Encrypt
operation to encrypt a data key. The GenerateDataKey\n and GenerateDataKeyPair operations return a plaintext data key and an\n encrypted copy of that data key.
If you use a symmetric encryption KMS key, you can use an encryption context to add\n additional security to your encryption operation. If you specify an\n EncryptionContext
when encrypting data, you must specify the same encryption\n context (a case-sensitive exact match) when decrypting the data. Otherwise, the request to\n decrypt fails with an InvalidCiphertextException
. For more information, see\n Encryption\n Context in the Key Management Service Developer Guide.
If you specify an asymmetric KMS key, you must also specify the encryption algorithm. The\n algorithm must be compatible with the KMS key spec.
\nWhen you use an asymmetric KMS key to encrypt or reencrypt data, be sure to record the KMS key and encryption algorithm that you choose. You will be required to provide the same KMS key and encryption algorithm when you decrypt the data. If the KMS key and algorithm do not match the values used to encrypt the data, the decrypt operation fails.
\nYou are not required to supply the key ID and encryption algorithm when you decrypt with symmetric encryption KMS keys because KMS stores this information in the ciphertext blob. KMS cannot store metadata in ciphertext generated with asymmetric keys. The standard format for asymmetric key ciphertext does not include configurable fields.
\nThe maximum size of the data that you can encrypt varies with the type of KMS key and the\n encryption algorithm that you choose.
\nSymmetric encryption KMS keys
\n\n SYMMETRIC_DEFAULT
: 4096 bytes
\n RSA_2048
\n
\n RSAES_OAEP_SHA_1
: 214 bytes
\n RSAES_OAEP_SHA_256
: 190 bytes
\n RSA_3072
\n
\n RSAES_OAEP_SHA_1
: 342 bytes
\n RSAES_OAEP_SHA_256
: 318 bytes
\n RSA_4096
\n
\n RSAES_OAEP_SHA_1
: 470 bytes
\n RSAES_OAEP_SHA_256
: 446 bytes
\n SM2PKE
: 1024 bytes (China Regions only)
The KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify\n the key ARN or alias ARN in the value of the KeyId
parameter.
\n Required permissions: kms:Encrypt (key policy)
\n\n Related operations:\n
\n\n Decrypt\n
\n\n GenerateDataKey\n
\n\n GenerateDataKeyPair\n
\nSpecifies the encryption algorithm that KMS will use to encrypt the plaintext message.\n The algorithm must be compatible with the KMS key that you specify.
\nThis parameter is required only for asymmetric KMS keys. The default value,\n SYMMETRIC_DEFAULT
, is the algorithm used for symmetric encryption KMS keys. If you are\n using an asymmetric KMS key, we recommend RSAES_OAEP_SHA_256.
The SM2PKE algorithm is only available in China Regions.
" + "smithy.api#documentation": "Specifies the encryption algorithm that KMS will use to encrypt the plaintext message.\n The algorithm must be compatible with the KMS key that you specify.
\nThis parameter is required only for asymmetric KMS keys. The default value,\n SYMMETRIC_DEFAULT
, is the algorithm used for symmetric encryption KMS keys. If\n you are using an asymmetric KMS key, we recommend RSAES_OAEP_SHA_256.
The SM2PKE algorithm is only available in China Regions.
" + } + }, + "DryRun": { + "target": "com.amazonaws.kms#NullableBooleanType", + "traits": { + "smithy.api#documentation": "Checks if your request will succeed. DryRun
is an optional parameter.
To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.
" } } }, @@ -2207,6 +2429,9 @@ { "target": "com.amazonaws.kms#DisabledException" }, + { + "target": "com.amazonaws.kms#DryRunOperationException" + }, { "target": "com.amazonaws.kms#InvalidGrantTokenException" }, @@ -2227,7 +2452,22 @@ } ], "traits": { - "smithy.api#documentation": "Returns a unique symmetric data key for use outside of KMS. This operation returns a\n plaintext copy of the data key and a copy that is encrypted under a symmetric encryption KMS\n key that you specify. The bytes in the plaintext key are random; they are not related \n to the caller or the KMS key. You can use the plaintext key to encrypt your data outside of KMS \n and store the encrypted data key with the encrypted data.
\nTo generate a data key, specify the symmetric encryption KMS key that will be used to\n encrypt the data key. You cannot use an asymmetric KMS key to encrypt data keys. To get the\n type of your KMS key, use the DescribeKey operation.
\nYou must also specify the length of the data key. Use either the KeySpec
or \n NumberOfBytes
parameters (but not both). For 128-bit and 256-bit data keys, use \n the KeySpec
parameter.
To generate a 128-bit SM4 data key (China Regions only), specify a KeySpec
value of\n AES_128
or a NumberOfBytes
value of 16
. The symmetric \n encryption key used in China Regions to encrypt your data key is an SM4 encryption key.
To get only an encrypted copy of the data key, use GenerateDataKeyWithoutPlaintext. To generate an asymmetric data key pair, use\n the GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext operation. To get a cryptographically secure\n random byte string, use GenerateRandom.
\nYou can use an optional encryption context to add additional security to the encryption\n operation. If you specify an EncryptionContext
, you must specify the same\n encryption context (a case-sensitive exact match) when decrypting the encrypted data key.\n Otherwise, the request to decrypt fails with an InvalidCiphertextException
. For more information, see Encryption Context in the\n Key Management Service Developer Guide.
\n GenerateDataKey
also supports Amazon Web Services Nitro Enclaves, which provide an\n isolated compute environment in Amazon EC2. To call GenerateDataKey
for an Amazon Web Services Nitro\n enclave, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK. Use the Recipient
parameter\n to provide the attestation document for the enclave. GenerateDataKey
returns a\n copy of the data key encrypted under the specified KMS key, as usual. But instead of a\n plaintext copy of the data key, the response includes a copy of the data key encrypted under\n the public key from the attestation document (CiphertextForRecipient
).\n For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide..
The KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n How to use your data key\n
\nWe recommend that you use the following pattern to encrypt data locally in your\n application. You can write your own code or use a client-side encryption library, such as the\n Amazon Web Services Encryption SDK, the\n Amazon DynamoDB Encryption Client,\n or Amazon S3\n client-side encryption to do these tasks for you.
\nTo encrypt data outside of KMS:
\nUse the GenerateDataKey
operation to get a data key.
Use the plaintext data key (in the Plaintext
field of the response) to\n encrypt your data outside of KMS. Then erase the plaintext data key from memory.
Store the encrypted data key (in the CiphertextBlob
field of the\n response) with the encrypted data.
To decrypt data outside of KMS:
\nUse the Decrypt operation to decrypt the encrypted data key. The\n operation returns a plaintext copy of the data key.
\nUse the plaintext data key to decrypt data outside of KMS, then erase the plaintext\n data key from memory.
\n\n Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify\n the key ARN or alias ARN in the value of the KeyId
parameter.
\n Required permissions: kms:GenerateDataKey (key policy)
\n\n Related operations:\n
\n\n Decrypt\n
\n\n Encrypt\n
\n\n GenerateDataKeyPair\n
\nReturns a unique symmetric data key for use outside of KMS. This operation returns a\n plaintext copy of the data key and a copy that is encrypted under a symmetric encryption KMS\n key that you specify. The bytes in the plaintext key are random; they are not related to the\n caller or the KMS key. You can use the plaintext key to encrypt your data outside of KMS and\n store the encrypted data key with the encrypted data.
\nTo generate a data key, specify the symmetric encryption KMS key that will be used to\n encrypt the data key. You cannot use an asymmetric KMS key to encrypt data keys. To get the\n type of your KMS key, use the DescribeKey operation.
\nYou must also specify the length of the data key. Use either the KeySpec
or\n NumberOfBytes
parameters (but not both). For 128-bit and 256-bit data keys, use\n the KeySpec
parameter.
To generate a 128-bit SM4 data key (China Regions only), specify a KeySpec
\n value of AES_128
or a NumberOfBytes
value of 16
. The\n symmetric encryption key used in China Regions to encrypt your data key is an SM4 encryption\n key.
To get only an encrypted copy of the data key, use GenerateDataKeyWithoutPlaintext. To generate an asymmetric data key pair, use\n the GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext operation. To get a cryptographically secure\n random byte string, use GenerateRandom.
\nYou can use an optional encryption context to add additional security to the encryption\n operation. If you specify an EncryptionContext
, you must specify the same\n encryption context (a case-sensitive exact match) when decrypting the encrypted data key.\n Otherwise, the request to decrypt fails with an InvalidCiphertextException
. For more information, see Encryption Context in the\n Key Management Service Developer Guide.
\n GenerateDataKey
also supports Amazon Web Services Nitro Enclaves, which provide an\n isolated compute environment in Amazon EC2. To call GenerateDataKey
for an Amazon Web Services Nitro\n enclave, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK. Use the Recipient
parameter\n to provide the attestation document for the enclave. GenerateDataKey
returns a\n copy of the data key encrypted under the specified KMS key, as usual. But instead of a\n plaintext copy of the data key, the response includes a copy of the data key encrypted under\n the public key from the attestation document (CiphertextForRecipient
).\n For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide..
The KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n How to use your data key\n
\nWe recommend that you use the following pattern to encrypt data locally in your\n application. You can write your own code or use a client-side encryption library, such as the\n Amazon Web Services Encryption SDK, the\n Amazon DynamoDB Encryption Client,\n or Amazon S3\n client-side encryption to do these tasks for you.
\nTo encrypt data outside of KMS:
\nUse the GenerateDataKey
operation to get a data key.
Use the plaintext data key (in the Plaintext
field of the response) to\n encrypt your data outside of KMS. Then erase the plaintext data key from memory.
Store the encrypted data key (in the CiphertextBlob
field of the\n response) with the encrypted data.
To decrypt data outside of KMS:
\nUse the Decrypt operation to decrypt the encrypted data key. The\n operation returns a plaintext copy of the data key.
\nUse the plaintext data key to decrypt data outside of KMS, then erase the plaintext\n data key from memory.
\n\n Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify\n the key ARN or alias ARN in the value of the KeyId
parameter.
\n Required permissions: kms:GenerateDataKey (key policy)
\n\n Related operations:\n
\n\n Decrypt\n
\n\n Encrypt\n
\n\n GenerateDataKeyPair\n
\nReturns a unique asymmetric data key pair for use outside of KMS. This operation returns\n a plaintext public key, a plaintext private key, and a copy of the private key that is\n encrypted under the symmetric encryption KMS key you specify. You can use the data key pair to\n perform asymmetric cryptography and implement digital signatures outside of KMS. The bytes\n in the keys are random; they not related to the caller or to the KMS key that is used to\n encrypt the private key.
\nYou can use the public key that GenerateDataKeyPair
returns to encrypt data\n or verify a signature outside of KMS. Then, store the encrypted private key with the data.\n When you are ready to decrypt data or sign a message, you can use the Decrypt operation to decrypt the encrypted private key.
To generate a data key pair, you must specify a symmetric encryption KMS key to encrypt\n the private key in a data key pair. You cannot use an asymmetric KMS key or a KMS key in a\n custom key store. To get the type and origin of your KMS key, use the DescribeKey operation.
\nUse the KeyPairSpec
parameter to choose an RSA or Elliptic Curve (ECC) data\n key pair. In China Regions, you can also choose an SM2 data key pair. KMS recommends that you use\n ECC key pairs for signing, and use RSA and SM2 key pairs for either encryption or signing, but not both.\n However, KMS cannot enforce any restrictions on the use of data key pairs outside of KMS.
If you are using the data key pair to encrypt data, or for any operation where you don't\n immediately need a private key, consider using the GenerateDataKeyPairWithoutPlaintext operation.\n GenerateDataKeyPairWithoutPlaintext
returns a plaintext public key and an\n encrypted private key, but omits the plaintext private key that you need only to decrypt\n ciphertext or sign a message. Later, when you need to decrypt the data or sign a message, use\n the Decrypt operation to decrypt the encrypted private key in the data key\n pair.
\n GenerateDataKeyPair
returns a unique data key pair for each request. The\n bytes in the keys are random; they are not related to the caller or the KMS key that is used\n to encrypt the private key. The public key is a DER-encoded X.509 SubjectPublicKeyInfo, as\n specified in RFC 5280. The private\n key is a DER-encoded PKCS8 PrivateKeyInfo, as specified in RFC 5958.
\n GenerateDataKeyPair
also supports Amazon Web Services Nitro Enclaves, which provide an\n isolated compute environment in Amazon EC2. To call GenerateDataKeyPair
for an Amazon Web Services Nitro\n enclave, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK. Use the Recipient
parameter\n to provide the attestation document for the enclave. GenerateDataKeyPair
returns the public data key and a\n copy of the private data key encrypted under the specified KMS key, as usual. But instead of a\n plaintext copy of the private data key (PrivateKeyPlaintext
), the response includes a copy of the private data key encrypted under\n the public key from the attestation document (CiphertextForRecipient
).\n For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide..
You can use an optional encryption context to add additional security to the encryption\n operation. If you specify an EncryptionContext
, you must specify the same\n encryption context (a case-sensitive exact match) when decrypting the encrypted data key.\n Otherwise, the request to decrypt fails with an InvalidCiphertextException
. For more information, see Encryption Context in the\n Key Management Service Developer Guide.
The KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify\n the key ARN or alias ARN in the value of the KeyId
parameter.
\n Required permissions: kms:GenerateDataKeyPair (key policy)
\n\n Related operations:\n
\n\n Decrypt\n
\n\n Encrypt\n
\n\n GenerateDataKey\n
\nReturns a unique asymmetric data key pair for use outside of KMS. This operation returns\n a plaintext public key, a plaintext private key, and a copy of the private key that is\n encrypted under the symmetric encryption KMS key you specify. You can use the data key pair to\n perform asymmetric cryptography and implement digital signatures outside of KMS. The bytes\n in the keys are random; they not related to the caller or to the KMS key that is used to\n encrypt the private key.
\nYou can use the public key that GenerateDataKeyPair
returns to encrypt data\n or verify a signature outside of KMS. Then, store the encrypted private key with the data.\n When you are ready to decrypt data or sign a message, you can use the Decrypt operation to decrypt the encrypted private key.
To generate a data key pair, you must specify a symmetric encryption KMS key to encrypt\n the private key in a data key pair. You cannot use an asymmetric KMS key or a KMS key in a\n custom key store. To get the type and origin of your KMS key, use the DescribeKey operation.
\nUse the KeyPairSpec
parameter to choose an RSA or Elliptic Curve (ECC) data\n key pair. In China Regions, you can also choose an SM2 data key pair. KMS recommends that\n you use ECC key pairs for signing, and use RSA and SM2 key pairs for either encryption or\n signing, but not both. However, KMS cannot enforce any restrictions on the use of data key\n pairs outside of KMS.
If you are using the data key pair to encrypt data, or for any operation where you don't\n immediately need a private key, consider using the GenerateDataKeyPairWithoutPlaintext operation.\n GenerateDataKeyPairWithoutPlaintext
returns a plaintext public key and an\n encrypted private key, but omits the plaintext private key that you need only to decrypt\n ciphertext or sign a message. Later, when you need to decrypt the data or sign a message, use\n the Decrypt operation to decrypt the encrypted private key in the data key\n pair.
\n GenerateDataKeyPair
returns a unique data key pair for each request. The\n bytes in the keys are random; they are not related to the caller or the KMS key that is used\n to encrypt the private key. The public key is a DER-encoded X.509 SubjectPublicKeyInfo, as\n specified in RFC 5280. The private\n key is a DER-encoded PKCS8 PrivateKeyInfo, as specified in RFC 5958.
\n GenerateDataKeyPair
also supports Amazon Web Services Nitro Enclaves, which provide an\n isolated compute environment in Amazon EC2. To call GenerateDataKeyPair
for an Amazon Web Services\n Nitro enclave, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK. Use the Recipient
\n parameter to provide the attestation document for the enclave.\n GenerateDataKeyPair
returns the public data key and a copy of the private data\n key encrypted under the specified KMS key, as usual. But instead of a plaintext copy of the\n private data key (PrivateKeyPlaintext
), the response includes a copy of the\n private data key encrypted under the public key from the attestation document\n (CiphertextForRecipient
). For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide..
You can use an optional encryption context to add additional security to the encryption\n operation. If you specify an EncryptionContext
, you must specify the same\n encryption context (a case-sensitive exact match) when decrypting the encrypted data key.\n Otherwise, the request to decrypt fails with an InvalidCiphertextException
. For more information, see Encryption Context in the\n Key Management Service Developer Guide.
The KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify\n the key ARN or alias ARN in the value of the KeyId
parameter.
\n Required permissions: kms:GenerateDataKeyPair (key policy)
\n\n Related operations:\n
\n\n Decrypt\n
\n\n Encrypt\n
\n\n GenerateDataKey\n
\nA signed attestation document from\n an Amazon Web Services Nitro enclave and the encryption algorithm to use with the enclave's public key.\n The only valid encryption algorithm is RSAES_OAEP_SHA_256
.
This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves. To include this\n parameter, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK.
\nWhen you use this parameter, instead of returning a plaintext copy of the private data key, KMS encrypts\n the plaintext private data key under the public key in the attestation document, and returns the\n resulting ciphertext in the CiphertextForRecipient
field in the response. This\n ciphertext can be decrypted only with the private key in the enclave. The\n CiphertextBlob
field in the response contains a copy of the private data key encrypted\n under the KMS key specified by the KeyId
parameter. The PrivateKeyPlaintext
\n field in the response is null or empty.
For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.
" + "smithy.api#documentation": "A signed attestation document from\n an Amazon Web Services Nitro enclave and the encryption algorithm to use with the enclave's public key. The\n only valid encryption algorithm is RSAES_OAEP_SHA_256
.
This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves. To include this\n parameter, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK.
\nWhen you use this parameter, instead of returning a plaintext copy of the private data\n key, KMS encrypts the plaintext private data key under the public key in the attestation\n document, and returns the resulting ciphertext in the CiphertextForRecipient
\n field in the response. This ciphertext can be decrypted only with the private key in the\n enclave. The CiphertextBlob
field in the response contains a copy of the private\n data key encrypted under the KMS key specified by the KeyId
parameter. The\n PrivateKeyPlaintext
field in the response is null or empty.
For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.
" + } + }, + "DryRun": { + "target": "com.amazonaws.kms#NullableBooleanType", + "traits": { + "smithy.api#documentation": "Checks if your request will succeed. DryRun
is an optional parameter.
To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.
" } } }, @@ -2323,7 +2589,7 @@ "PrivateKeyPlaintext": { "target": "com.amazonaws.kms#PlaintextType", "traits": { - "smithy.api#documentation": "The plaintext copy of the private key. When you use the HTTP API or the Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.
\nIf the response includes the CiphertextForRecipient
field, the\n PrivateKeyPlaintext
field is null or empty.
The plaintext copy of the private key. When you use the HTTP API or the Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.
\nIf the response includes the CiphertextForRecipient
field, the\n PrivateKeyPlaintext
field is null or empty.
The plaintext private data key encrypted with the public key from the Nitro enclave. This ciphertext can\n be decrypted only by using a private key in the Nitro enclave.
\nThis field is included in the response only when the Recipient
parameter in\n the request includes a valid attestation document from an Amazon Web Services Nitro enclave.\n For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.
The plaintext private data key encrypted with the public key from the Nitro enclave. This\n ciphertext can be decrypted only by using a private key in the Nitro enclave.
\nThis field is included in the response only when the Recipient
parameter in\n the request includes a valid attestation document from an Amazon Web Services Nitro enclave.\n For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.
Returns a unique asymmetric data key pair for use outside of KMS. This operation returns\n a plaintext public key and a copy of the private key that is encrypted under the symmetric\n encryption KMS key you specify. Unlike GenerateDataKeyPair, this operation\n does not return a plaintext private key. The bytes in the keys are random; they are not\n related to the caller or to the KMS key that is used to encrypt the private key.
\nYou can use the public key that GenerateDataKeyPairWithoutPlaintext
returns\n to encrypt data or verify a signature outside of KMS. Then, store the encrypted private key\n with the data. When you are ready to decrypt data or sign a message, you can use the Decrypt operation to decrypt the encrypted private key.
To generate a data key pair, you must specify a symmetric encryption KMS key to encrypt\n the private key in a data key pair. You cannot use an asymmetric KMS key or a KMS key in a\n custom key store. To get the type and origin of your KMS key, use the DescribeKey operation.
\nUse the KeyPairSpec
parameter to choose an RSA or Elliptic Curve (ECC) data\n key pair. In China Regions, you can also choose an SM2 data key pair. KMS recommends that you \n use ECC key pairs for signing, and use RSA and SM2 key pairs for either encryption or signing, but not\n both. However, KMS cannot enforce any restrictions on the use of data key pairs outside of KMS.
\n GenerateDataKeyPairWithoutPlaintext
returns a unique data key pair for each\n request. The bytes in the key are not related to the caller or KMS key that is used to encrypt\n the private key. The public key is a DER-encoded X.509 SubjectPublicKeyInfo, as specified in\n RFC 5280.
You can use an optional encryption context to add additional security to the encryption\n operation. If you specify an EncryptionContext
, you must specify the same\n encryption context (a case-sensitive exact match) when decrypting the encrypted data key.\n Otherwise, the request to decrypt fails with an InvalidCiphertextException
. For more information, see Encryption Context in the\n Key Management Service Developer Guide.
The KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify\n the key ARN or alias ARN in the value of the KeyId
parameter.
\n Required permissions: kms:GenerateDataKeyPairWithoutPlaintext (key\n policy)
\n\n Related operations:\n
\n\n Decrypt\n
\n\n Encrypt\n
\n\n GenerateDataKey\n
\n\n GenerateDataKeyPair\n
\nReturns a unique asymmetric data key pair for use outside of KMS. This operation returns\n a plaintext public key and a copy of the private key that is encrypted under the symmetric\n encryption KMS key you specify. Unlike GenerateDataKeyPair, this operation\n does not return a plaintext private key. The bytes in the keys are random; they are not\n related to the caller or to the KMS key that is used to encrypt the private key.
\nYou can use the public key that GenerateDataKeyPairWithoutPlaintext
returns\n to encrypt data or verify a signature outside of KMS. Then, store the encrypted private key\n with the data. When you are ready to decrypt data or sign a message, you can use the Decrypt operation to decrypt the encrypted private key.
To generate a data key pair, you must specify a symmetric encryption KMS key to encrypt\n the private key in a data key pair. You cannot use an asymmetric KMS key or a KMS key in a\n custom key store. To get the type and origin of your KMS key, use the DescribeKey operation.
\nUse the KeyPairSpec
parameter to choose an RSA or Elliptic Curve (ECC) data\n key pair. In China Regions, you can also choose an SM2 data key pair. KMS recommends that\n you use ECC key pairs for signing, and use RSA and SM2 key pairs for either encryption or\n signing, but not both. However, KMS cannot enforce any restrictions on the use of data key\n pairs outside of KMS.
\n GenerateDataKeyPairWithoutPlaintext
returns a unique data key pair for each\n request. The bytes in the key are not related to the caller or KMS key that is used to encrypt\n the private key. The public key is a DER-encoded X.509 SubjectPublicKeyInfo, as specified in\n RFC 5280.
You can use an optional encryption context to add additional security to the encryption\n operation. If you specify an EncryptionContext
, you must specify the same\n encryption context (a case-sensitive exact match) when decrypting the encrypted data key.\n Otherwise, the request to decrypt fails with an InvalidCiphertextException
. For more information, see Encryption Context in the\n Key Management Service Developer Guide.
The KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify\n the key ARN or alias ARN in the value of the KeyId
parameter.
\n Required permissions: kms:GenerateDataKeyPairWithoutPlaintext (key\n policy)
\n\n Related operations:\n
\n\n Decrypt\n
\n\n Encrypt\n
\n\n GenerateDataKey\n
\n\n GenerateDataKeyPair\n
\nA list of grant tokens.
\nUse a grant token when your permission to call this operation comes from a new grant that has not yet achieved eventual consistency. For more information, see Grant token and Using a grant token in the\n Key Management Service Developer Guide.
" } + }, + "DryRun": { + "target": "com.amazonaws.kms#NullableBooleanType", + "traits": { + "smithy.api#documentation": "Checks if your request will succeed. DryRun
is an optional parameter.
To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.
" + } } }, "traits": { @@ -2499,7 +2790,13 @@ "Recipient": { "target": "com.amazonaws.kms#RecipientInfo", "traits": { - "smithy.api#documentation": "A signed attestation document from\n an Amazon Web Services Nitro enclave and the encryption algorithm to use with the enclave's public key.\n The only valid encryption algorithm is RSAES_OAEP_SHA_256
.
This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves. To include this\n parameter, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK.
\nWhen you use this parameter, instead of returning the plaintext data key, KMS encrypts\n the plaintext data key under the public key in the attestation document, and returns the\n resulting ciphertext in the CiphertextForRecipient
field in the response. This\n ciphertext can be decrypted only with the private key in the enclave. The\n CiphertextBlob
field in the response contains a copy of the data key encrypted\n under the KMS key specified by the KeyId
parameter. The Plaintext
\n field in the response is null or empty.
For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.
" + "smithy.api#documentation": "A signed attestation document from\n an Amazon Web Services Nitro enclave and the encryption algorithm to use with the enclave's public key. The\n only valid encryption algorithm is RSAES_OAEP_SHA_256
.
This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves. To include this\n parameter, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK.
\nWhen you use this parameter, instead of returning the plaintext data key, KMS encrypts\n the plaintext data key under the public key in the attestation document, and returns the\n resulting ciphertext in the CiphertextForRecipient
field in the response. This\n ciphertext can be decrypted only with the private key in the enclave. The\n CiphertextBlob
field in the response contains a copy of the data key encrypted\n under the KMS key specified by the KeyId
parameter. The Plaintext
\n field in the response is null or empty.
For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.
" + } + }, + "DryRun": { + "target": "com.amazonaws.kms#NullableBooleanType", + "traits": { + "smithy.api#documentation": "Checks if your request will succeed. DryRun
is an optional parameter.
To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.
" } } }, @@ -2519,7 +2816,7 @@ "Plaintext": { "target": "com.amazonaws.kms#PlaintextType", "traits": { - "smithy.api#documentation": "The plaintext data key. When you use the HTTP API or the Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded. Use this data key to encrypt your data outside of\n KMS. Then, remove it from memory as soon as possible.
\nIf the response includes the CiphertextForRecipient
field, the\n Plaintext
field is null or empty.
The plaintext data key. When you use the HTTP API or the Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded. Use this data key to encrypt your data outside of\n KMS. Then, remove it from memory as soon as possible.
\nIf the response includes the CiphertextForRecipient
field, the\n Plaintext
field is null or empty.
The plaintext data key encrypted with the public key from the Nitro enclave. This ciphertext can\n be decrypted only by using a private key in the Nitro enclave.
\nThis field is included in the response only when the Recipient
parameter in\n the request includes a valid attestation document from an Amazon Web Services Nitro enclave.\n For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.
The plaintext data key encrypted with the public key from the Nitro enclave. This\n ciphertext can be decrypted only by using a private key in the Nitro enclave.
\nThis field is included in the response only when the Recipient
parameter in\n the request includes a valid attestation document from an Amazon Web Services Nitro enclave.\n For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.
Returns a unique symmetric data key for use outside of KMS. This operation returns a\n data key that is encrypted under a symmetric encryption KMS key that you specify. The bytes in\n the key are random; they are not related to the caller or to the KMS key.
\n\n GenerateDataKeyWithoutPlaintext
is identical to the GenerateDataKey operation except that it does not return a plaintext copy of the\n data key.
This operation is useful for systems that need to encrypt data at some point, but not\n immediately. When you need to encrypt the data, you call the Decrypt\n operation on the encrypted copy of the key.
\nIt's also useful in distributed systems with different levels of trust. For example, you\n might store encrypted data in containers. One component of your system creates new containers\n and stores an encrypted data key with each container. Then, a different component puts the\n data into the containers. That component first decrypts the data key, uses the plaintext data\n key to encrypt data, puts the encrypted data into the container, and then destroys the\n plaintext data key. In this system, the component that creates the containers never sees the\n plaintext data key.
\nTo request an asymmetric data key pair, use the GenerateDataKeyPair or\n GenerateDataKeyPairWithoutPlaintext operations.
\nTo generate a data key, you must specify the symmetric encryption KMS key that is used to\n encrypt the data key. You cannot use an asymmetric KMS key or a key in a custom key store to generate a data key. To get the\n type of your KMS key, use the DescribeKey operation.
\nYou must also specify the length of the data key. Use either the KeySpec
or \n NumberOfBytes
parameters (but not both). For 128-bit and 256-bit data keys, use \n the KeySpec
parameter.
To generate an SM4 data key (China Regions only), specify a KeySpec
value of\n AES_128
or NumberOfBytes
value of 16
. The symmetric\n encryption key used in China Regions to encrypt your data key is an SM4 encryption key.
If the operation succeeds, you will find the encrypted copy of the data key in the\n CiphertextBlob
field.
You can use an optional encryption context to add additional security to the encryption\n operation. If you specify an EncryptionContext
, you must specify the same\n encryption context (a case-sensitive exact match) when decrypting the encrypted data key.\n Otherwise, the request to decrypt fails with an InvalidCiphertextException
. For more information, see Encryption Context in the\n Key Management Service Developer Guide.
The KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify\n the key ARN or alias ARN in the value of the KeyId
parameter.
\n Required permissions: kms:GenerateDataKeyWithoutPlaintext (key\n policy)
\n\n Related operations:\n
\n\n Decrypt\n
\n\n Encrypt\n
\n\n GenerateDataKey\n
\n\n GenerateDataKeyPair\n
\nReturns a unique symmetric data key for use outside of KMS. This operation returns a\n data key that is encrypted under a symmetric encryption KMS key that you specify. The bytes in\n the key are random; they are not related to the caller or to the KMS key.
\n\n GenerateDataKeyWithoutPlaintext
is identical to the GenerateDataKey operation except that it does not return a plaintext copy of the\n data key.
This operation is useful for systems that need to encrypt data at some point, but not\n immediately. When you need to encrypt the data, you call the Decrypt\n operation on the encrypted copy of the key.
\nIt's also useful in distributed systems with different levels of trust. For example, you\n might store encrypted data in containers. One component of your system creates new containers\n and stores an encrypted data key with each container. Then, a different component puts the\n data into the containers. That component first decrypts the data key, uses the plaintext data\n key to encrypt data, puts the encrypted data into the container, and then destroys the\n plaintext data key. In this system, the component that creates the containers never sees the\n plaintext data key.
\nTo request an asymmetric data key pair, use the GenerateDataKeyPair or\n GenerateDataKeyPairWithoutPlaintext operations.
\nTo generate a data key, you must specify the symmetric encryption KMS key that is used to\n encrypt the data key. You cannot use an asymmetric KMS key or a key in a custom key store to\n generate a data key. To get the type of your KMS key, use the DescribeKey\n operation.
\nYou must also specify the length of the data key. Use either the KeySpec
or\n NumberOfBytes
parameters (but not both). For 128-bit and 256-bit data keys, use\n the KeySpec
parameter.
To generate an SM4 data key (China Regions only), specify a KeySpec
value of\n AES_128
or NumberOfBytes
value of 16
. The symmetric\n encryption key used in China Regions to encrypt your data key is an SM4 encryption key.
If the operation succeeds, you will find the encrypted copy of the data key in the\n CiphertextBlob
field.
You can use an optional encryption context to add additional security to the encryption\n operation. If you specify an EncryptionContext
, you must specify the same\n encryption context (a case-sensitive exact match) when decrypting the encrypted data key.\n Otherwise, the request to decrypt fails with an InvalidCiphertextException
. For more information, see Encryption Context in the\n Key Management Service Developer Guide.
The KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify\n the key ARN or alias ARN in the value of the KeyId
parameter.
\n Required permissions: kms:GenerateDataKeyWithoutPlaintext (key\n policy)
\n\n Related operations:\n
\n\n Decrypt\n
\n\n Encrypt\n
\n\n GenerateDataKey\n
\n\n GenerateDataKeyPair\n
\nA list of grant tokens.
\nUse a grant token when your permission to call this operation comes from a new grant that has not yet achieved eventual consistency. For more information, see Grant token and Using a grant token in the\n Key Management Service Developer Guide.
" } + }, + "DryRun": { + "target": "com.amazonaws.kms#NullableBooleanType", + "traits": { + "smithy.api#documentation": "Checks if your request will succeed. DryRun
is an optional parameter.
To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.
" + } } }, "traits": { @@ -2648,6 +2968,9 @@ { "target": "com.amazonaws.kms#DisabledException" }, + { + "target": "com.amazonaws.kms#DryRunOperationException" + }, { "target": "com.amazonaws.kms#InvalidGrantTokenException" }, @@ -2668,7 +2991,23 @@ } ], "traits": { - "smithy.api#documentation": "Generates a hash-based message authentication code (HMAC) for a message using an HMAC KMS key and a MAC algorithm that the key supports.\n HMAC KMS keys and the HMAC algorithms that KMS uses conform to industry standards defined in RFC 2104.
\nYou can use value that GenerateMac returns in the VerifyMac operation to\n demonstrate that the original message has not changed. Also, because a secret key is used to\n create the hash, you can verify that the party that generated the hash has the required secret\n key. You can also use the raw result to implement HMAC-based algorithms such as key derivation\n functions. This operation is part of KMS support for HMAC KMS keys. For\n details, see HMAC keys in\n KMS in the \n Key Management Service Developer Guide\n .
\nBest practices recommend that you limit the time during which any signing mechanism,\n including an HMAC, is effective. This deters an attack where the actor uses a signed message\n to establish validity repeatedly or long after the message is superseded. HMAC tags do not\n include a timestamp, but you can include a timestamp in the token or message to help you\n detect when its time to refresh the HMAC.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify\n the key ARN or alias ARN in the value of the KeyId
parameter.
\n Required permissions: kms:GenerateMac (key policy)
\n\n Related operations: VerifyMac\n
" + "smithy.api#documentation": "Generates a hash-based message authentication code (HMAC) for a message using an HMAC KMS\n key and a MAC algorithm that the key supports. HMAC KMS keys and the HMAC algorithms that\n KMS uses conform to industry standards defined in RFC 2104.
\nYou can use value that GenerateMac returns in the VerifyMac operation to\n demonstrate that the original message has not changed. Also, because a secret key is used to\n create the hash, you can verify that the party that generated the hash has the required secret\n key. You can also use the raw result to implement HMAC-based algorithms such as key derivation\n functions. This operation is part of KMS support for HMAC KMS keys. For\n details, see HMAC keys in\n KMS in the \n Key Management Service Developer Guide\n .
\nBest practices recommend that you limit the time during which any signing mechanism,\n including an HMAC, is effective. This deters an attack where the actor uses a signed message\n to establish validity repeatedly or long after the message is superseded. HMAC tags do not\n include a timestamp, but you can include a timestamp in the token or message to help you\n detect when its time to refresh the HMAC.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify\n the key ARN or alias ARN in the value of the KeyId
parameter.
\n Required permissions: kms:GenerateMac (key policy)
\n\n Related operations: VerifyMac\n
", + "smithy.api#examples": [ + { + "title": "To generate an HMAC for a message", + "documentation": "This example generates an HMAC for a message, an HMAC KMS key, and a MAC algorithm. The algorithm must be supported by the specified HMAC KMS key.", + "input": { + "Message": "Hello World", + "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", + "MacAlgorithm": "HMAC_SHA_384" + }, + "output": { + "Mac": "A list of grant tokens.
\nUse a grant token when your permission to call this operation comes from a new grant that has not yet achieved eventual consistency. For more information, see Grant token and Using a grant token in the\n Key Management Service Developer Guide.
" } + }, + "DryRun": { + "target": "com.amazonaws.kms#NullableBooleanType", + "traits": { + "smithy.api#documentation": "Checks if your request will succeed. DryRun
is an optional parameter.
To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.
" + } } }, "traits": { @@ -2712,7 +3057,7 @@ "Mac": { "target": "com.amazonaws.kms#CiphertextType", "traits": { - "smithy.api#documentation": "The hash-based message authentication code (HMAC) that was generated for the\n specified message, HMAC KMS key, and MAC algorithm.
\nThis is the standard, raw HMAC defined in RFC 2104.
" + "smithy.api#documentation": "The hash-based message authentication code (HMAC) that was generated for the specified\n message, HMAC KMS key, and MAC algorithm.
\nThis is the standard, raw HMAC defined in RFC 2104.
" } }, "MacAlgorithm": { @@ -2758,7 +3103,19 @@ } ], "traits": { - "smithy.api#documentation": "Returns a random byte string that is cryptographically secure.
\nYou must use the NumberOfBytes
parameter to specify the length of the random\n byte string. There is no default value for string length.
By default, the random byte string is generated in KMS. To generate the byte string in\n the CloudHSM cluster associated with an CloudHSM key store, use the CustomKeyStoreId
\n parameter.
\n GenerateRandom
also supports Amazon Web Services Nitro Enclaves, which provide an\n isolated compute environment in Amazon EC2. To call GenerateRandom
for a Nitro\n enclave, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK. Use the Recipient
parameter\n to provide the attestation document for the enclave. Instead of plaintext bytes, the response\n includes the plaintext bytes encrypted under the public key from the attestation document\n (CiphertextForRecipient
).For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.
For more information about entropy and random number generation, see\n Key Management Service Cryptographic Details.
\n\n Cross-account use: Not applicable.\n GenerateRandom
does not use any account-specific resources, such as KMS\n keys.
\n Required permissions: kms:GenerateRandom (IAM policy)
" + "smithy.api#documentation": "Returns a random byte string that is cryptographically secure.
\nYou must use the NumberOfBytes
parameter to specify the length of the random\n byte string. There is no default value for string length.
By default, the random byte string is generated in KMS. To generate the byte string in\n the CloudHSM cluster associated with an CloudHSM key store, use the CustomKeyStoreId
\n parameter.
\n GenerateRandom
also supports Amazon Web Services Nitro Enclaves, which provide an\n isolated compute environment in Amazon EC2. To call GenerateRandom
for a Nitro\n enclave, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK. Use the Recipient
parameter\n to provide the attestation document for the enclave. Instead of plaintext bytes, the response\n includes the plaintext bytes encrypted under the public key from the attestation document\n (CiphertextForRecipient
).For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.
For more information about entropy and random number generation, see\n Key Management Service Cryptographic Details.
\n\n Cross-account use: Not applicable.\n GenerateRandom
does not use any account-specific resources, such as KMS\n keys.
\n Required permissions: kms:GenerateRandom (IAM policy)
", + "smithy.api#examples": [ + { + "title": "To generate random data", + "documentation": "The following example generates 32 bytes of random data.", + "input": { + "NumberOfBytes": 32 + }, + "output": { + "Plaintext": "Generates the random byte string in the CloudHSM cluster that is associated with the\n specified CloudHSM key store. To find the ID of a custom key store, use the DescribeCustomKeyStores operation.
\nExternal key store IDs are not valid for this parameter. If you specify the ID of an\n external key store, GenerateRandom
throws an\n UnsupportedOperationException
.
Generates the random byte string in the CloudHSM cluster that is associated with the\n specified CloudHSM key store. To find the ID of a custom key store, use the DescribeCustomKeyStores operation.
\nExternal key store IDs are not valid for this parameter. If you specify the ID of an\n external key store, GenerateRandom
throws an\n UnsupportedOperationException
.
A signed attestation document from\n an Amazon Web Services Nitro enclave and the encryption algorithm to use with the enclave's public key.\n The only valid encryption algorithm is RSAES_OAEP_SHA_256
.
This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves. To include this\n parameter, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK.
\nWhen you use this parameter, instead of returning plaintext bytes, KMS encrypts the\n plaintext bytes under the public key in the attestation document, and returns the resulting\n ciphertext in the CiphertextForRecipient
field in the response. This ciphertext\n can be decrypted only with the private key in the enclave. The Plaintext
field in\n the response is null or empty.
For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.
" + "smithy.api#documentation": "A signed attestation document from\n an Amazon Web Services Nitro enclave and the encryption algorithm to use with the enclave's public key. The\n only valid encryption algorithm is RSAES_OAEP_SHA_256
.
This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves. To include this\n parameter, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK.
\nWhen you use this parameter, instead of returning plaintext bytes, KMS encrypts the\n plaintext bytes under the public key in the attestation document, and returns the resulting\n ciphertext in the CiphertextForRecipient
field in the response. This ciphertext\n can be decrypted only with the private key in the enclave. The Plaintext
field in\n the response is null or empty.
For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.
" } } }, @@ -2793,13 +3150,13 @@ "Plaintext": { "target": "com.amazonaws.kms#PlaintextType", "traits": { - "smithy.api#documentation": "The random byte string. When you use the HTTP API or the Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.
\nIf the response includes the CiphertextForRecipient
field, the\n Plaintext
field is null or empty.
The random byte string. When you use the HTTP API or the Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.
\nIf the response includes the CiphertextForRecipient
field, the\n Plaintext
field is null or empty.
The plaintext random bytes encrypted with the public key from the Nitro enclave. This ciphertext can\n be decrypted only by using a private key in the Nitro enclave.
\nThis field is included in the response only when the Recipient
parameter in\n the request includes a valid attestation document from an Amazon Web Services Nitro enclave.\n For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.
The plaintext random bytes encrypted with the public key from the Nitro enclave. This\n ciphertext can be decrypted only by using a private key in the Nitro enclave.
\nThis field is included in the response only when the Recipient
parameter in\n the request includes a valid attestation document from an Amazon Web Services Nitro enclave.\n For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.
Gets a key policy attached to the specified KMS key.
\n\n Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
\n\n Required permissions: kms:GetKeyPolicy (key policy)
\n\n Related operations: PutKeyPolicy\n
" + "smithy.api#documentation": "Gets a key policy attached to the specified KMS key.
\n\n Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
\n\n Required permissions: kms:GetKeyPolicy (key policy)
\n\n Related operations: PutKeyPolicy\n
", + "smithy.api#examples": [ + { + "title": "To retrieve a key policy", + "documentation": "The following example retrieves the key policy for the specified KMS key.", + "input": { + "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", + "PolicyName": "default" + }, + "output": { + "Policy": "{\n \"Version\" : \"2012-10-17\",\n \"Id\" : \"key-default-1\",\n \"Statement\" : [ {\n \"Sid\" : \"Enable IAM User Permissions\",\n \"Effect\" : \"Allow\",\n \"Principal\" : {\n \"AWS\" : \"arn:aws:iam::111122223333:root\"\n },\n \"Action\" : \"kms:*\",\n \"Resource\" : \"*\"\n } ]\n}" + } + } + ] } }, "com.amazonaws.kms#GetKeyPolicyRequest": { @@ -2901,7 +3271,19 @@ } ], "traits": { - "smithy.api#documentation": "Gets a Boolean value that indicates whether automatic rotation of the key material is\n enabled for the specified KMS key.
\nWhen you enable automatic rotation for customer managed KMS keys, KMS\n rotates the key material of the KMS key one year (approximately 365 days) from the enable date\n and every year thereafter. You can monitor rotation of the key material for your KMS keys in\n CloudTrail and Amazon CloudWatch.
\nAutomatic key rotation is supported only on symmetric encryption KMS keys.\n You cannot enable automatic rotation of asymmetric KMS keys, HMAC KMS keys, KMS keys with imported key material, or KMS keys in a custom key store. To enable or disable automatic rotation of a set of related multi-Region keys, set the property on the primary key..
\nYou can enable (EnableKeyRotation) and disable automatic rotation (DisableKeyRotation) of the key material in customer managed KMS keys. Key\n material rotation of Amazon Web Services managed KMS keys is not\n configurable. KMS always rotates the key material in Amazon Web Services managed KMS keys every year. The\n key rotation status for Amazon Web Services managed KMS keys is always true
.
In May 2022, KMS changed the rotation schedule for Amazon Web Services managed keys from every three\n years to every year. For details, see EnableKeyRotation.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\nDisabled: The key rotation status does not change when you disable a KMS key. However,\n while the KMS key is disabled, KMS does not rotate the key material. When you re-enable\n the KMS key, rotation resumes. If the key material in the re-enabled KMS key hasn't been\n rotated in one year, KMS rotates it immediately, and every year thereafter. If it's been\n less than a year since the key material in the re-enabled KMS key was rotated, the KMS key\n resumes its prior rotation schedule.
\nPending deletion: While a KMS key is pending deletion, its key rotation status is\n false
and KMS does not rotate the key material. If you cancel the\n deletion, the original key rotation status returns to true
.
\n Cross-account use: Yes. To perform this operation on a KMS key in a different Amazon Web Services account, specify the key\n ARN in the value of the KeyId
parameter.
\n Required permissions: kms:GetKeyRotationStatus (key policy)
\n\n Related operations:\n
\n\n DisableKeyRotation\n
\n\n EnableKeyRotation\n
\nGets a Boolean value that indicates whether automatic rotation of the key material is\n enabled for the specified KMS key.
\nWhen you enable automatic rotation for customer managed KMS keys, KMS\n rotates the key material of the KMS key one year (approximately 365 days) from the enable date\n and every year thereafter. You can monitor rotation of the key material for your KMS keys in\n CloudTrail and Amazon CloudWatch.
\nAutomatic key rotation is supported only on symmetric encryption KMS keys.\n You cannot enable automatic rotation of asymmetric KMS keys, HMAC KMS keys, KMS keys with imported key material, or KMS keys in a custom key store. To enable or disable automatic rotation of a set of related multi-Region keys, set the property on the primary key..
\nYou can enable (EnableKeyRotation) and disable automatic rotation (DisableKeyRotation) of the key material in customer managed KMS keys. Key\n material rotation of Amazon Web Services managed KMS keys is not\n configurable. KMS always rotates the key material in Amazon Web Services managed KMS keys every year. The\n key rotation status for Amazon Web Services managed KMS keys is always true
.
In May 2022, KMS changed the rotation schedule for Amazon Web Services managed keys from every three\n years to every year. For details, see EnableKeyRotation.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\nDisabled: The key rotation status does not change when you disable a KMS key. However,\n while the KMS key is disabled, KMS does not rotate the key material. When you re-enable\n the KMS key, rotation resumes. If the key material in the re-enabled KMS key hasn't been\n rotated in one year, KMS rotates it immediately, and every year thereafter. If it's been\n less than a year since the key material in the re-enabled KMS key was rotated, the KMS key\n resumes its prior rotation schedule.
\nPending deletion: While a KMS key is pending deletion, its key rotation status is\n false
and KMS does not rotate the key material. If you cancel the\n deletion, the original key rotation status returns to true
.
\n Cross-account use: Yes. To perform this operation on a KMS key in a different Amazon Web Services account, specify the key\n ARN in the value of the KeyId
parameter.
\n Required permissions: kms:GetKeyRotationStatus (key policy)
\n\n Related operations:\n
\n\n DisableKeyRotation\n
\n\n EnableKeyRotation\n
\nReturns the public key and an import token you need to import or reimport key material for\n a KMS key.
\nBy default, KMS keys are created with key material that KMS generates. This operation\n supports Importing key\n material, an advanced feature that lets you generate and import the cryptographic\n key material for a KMS key. For more information about importing key material into KMS, see\n Importing key\n material in the Key Management Service Developer Guide.
\nBefore calling GetParametersForImport
, use the CreateKey\n operation with an Origin
value of EXTERNAL
to create a KMS key with\n no key material. You can import key material for a symmetric encryption KMS key, HMAC KMS key,\n asymmetric encryption KMS key, or asymmetric signing KMS key. You can also import key material\n into a multi-Region key of\n any supported type. However, you can't import key material into a KMS key in a custom key store. You can also use\n GetParametersForImport
to get a public key and import token to reimport the original key material into a KMS key whose key material expired or was\n deleted.
\n GetParametersForImport
returns the items that you need to import your key\n material.
The public key (or \"wrapping key\") of an RSA key pair that KMS generates.
\nYou will use this public key to encrypt (\"wrap\") your key material while it's in\n transit to KMS.
\nA import token that ensures that KMS can decrypt your key material and associate it with the correct KMS key.
\nThe public key and its import token are permanently linked and must be used together. Each\n public key and import token set is valid for 24 hours. The expiration date and time appear in\n the ParametersValidTo
field in the GetParametersForImport
response.\n You cannot use an expired public key or import token in an ImportKeyMaterial\n request. If your key and token expire, send another GetParametersForImport
\n request.
\n GetParametersForImport
requires the following information:
The key ID of the KMS key for which you are importing the key material.
\nThe key spec of the public key (\"wrapping key\") that you will use to encrypt your key\n material during import.
\nThe wrapping algorithm that you will use with the public key to encrypt your key\n material.
\nYou can use the same or a different public key spec and wrapping algorithm each time you\n import or reimport the same key material.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
\n\n Required permissions: kms:GetParametersForImport (key policy)
\n\n Related operations:\n
\n\n ImportKeyMaterial\n
\nReturns the public key and an import token you need to import or reimport key material for\n a KMS key.
\nBy default, KMS keys are created with key material that KMS generates. This operation\n supports Importing key\n material, an advanced feature that lets you generate and import the cryptographic\n key material for a KMS key. For more information about importing key material into KMS, see\n Importing key\n material in the Key Management Service Developer Guide.
\nBefore calling GetParametersForImport
, use the CreateKey\n operation with an Origin
value of EXTERNAL
to create a KMS key with\n no key material. You can import key material for a symmetric encryption KMS key, HMAC KMS key,\n asymmetric encryption KMS key, or asymmetric signing KMS key. You can also import key material\n into a multi-Region key of\n any supported type. However, you can't import key material into a KMS key in a custom key store. You can also use\n GetParametersForImport
to get a public key and import token to reimport the original key\n material into a KMS key whose key material expired or was deleted.
\n GetParametersForImport
returns the items that you need to import your key\n material.
The public key (or \"wrapping key\") of an RSA key pair that KMS generates.
\nYou will use this public key to encrypt (\"wrap\") your key material while it's in\n transit to KMS.
\nA import token that ensures that KMS can decrypt your key material and associate it\n with the correct KMS key.
\nThe public key and its import token are permanently linked and must be used together. Each\n public key and import token set is valid for 24 hours. The expiration date and time appear in\n the ParametersValidTo
field in the GetParametersForImport
response.\n You cannot use an expired public key or import token in an ImportKeyMaterial\n request. If your key and token expire, send another GetParametersForImport
\n request.
\n GetParametersForImport
requires the following information:
The key ID of the KMS key for which you are importing the key material.
\nThe key spec of the public key (\"wrapping key\") that you will use to encrypt your key\n material during import.
\nThe wrapping algorithm that you will use with the public key to encrypt your key\n material.
\nYou can use the same or a different public key spec and wrapping algorithm each time you\n import or reimport the same key material.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
\n\n Required permissions: kms:GetParametersForImport (key policy)
\n\n Related operations:\n
\n\n ImportKeyMaterial\n
\nThe algorithm you will use with the RSA public key (PublicKey
) in the\n response to protect your key material during import. For more information, see Select a wrapping algorithm in the Key Management Service Developer Guide.
For RSA_AES wrapping algorithms, you encrypt your key material with an AES key that you\n generate, then encrypt your AES key with the RSA public key from KMS. For RSAES wrapping\n algorithms, you encrypt your key material directly with the RSA public key from KMS.
\nThe wrapping algorithms that you can use depend on the type of key material that you are\n importing. To import an RSA private key, you must use an RSA_AES wrapping algorithm.
\n\n RSA_AES_KEY_WRAP_SHA_256 — Supported for wrapping RSA and ECC key\n material.
\n\n RSA_AES_KEY_WRAP_SHA_1 — Supported for wrapping RSA and ECC key material.
\n\n RSAES_OAEP_SHA_256 — Supported for all types of key material, except RSA key material (private key).
\nYou cannot use the RSAES_OAEP_SHA_256 wrapping algorithm with the RSA_2048 wrapping key spec to wrap \n ECC_NIST_P521 key material.
\n\n RSAES_OAEP_SHA_1 — Supported for all types of key material, except RSA key material (private\n key).
\nYou cannot use the RSAES_OAEP_SHA_1 wrapping algorithm with the RSA_2048 wrapping key spec to wrap \n ECC_NIST_P521 key material.
\n\n RSAES_PKCS1_V1_5 (Deprecated) — Supported only for symmetric encryption key\n material (and only in legacy mode).
\nThe algorithm you will use with the RSA public key (PublicKey
) in the\n response to protect your key material during import. For more information, see Select a wrapping algorithm in the Key Management Service Developer Guide.
For RSA_AES wrapping algorithms, you encrypt your key material with an AES key that you\n generate, then encrypt your AES key with the RSA public key from KMS. For RSAES wrapping\n algorithms, you encrypt your key material directly with the RSA public key from KMS.
\nThe wrapping algorithms that you can use depend on the type of key material that you are\n importing. To import an RSA private key, you must use an RSA_AES wrapping algorithm.
\n\n RSA_AES_KEY_WRAP_SHA_256 — Supported for\n wrapping RSA and ECC key material.
\n\n RSA_AES_KEY_WRAP_SHA_1 — Supported for\n wrapping RSA and ECC key material.
\n\n RSAES_OAEP_SHA_256 — Supported for all types\n of key material, except RSA key material (private key).
\nYou cannot use the RSAES_OAEP_SHA_256 wrapping algorithm with the RSA_2048 wrapping\n key spec to wrap ECC_NIST_P521 key material.
\n\n RSAES_OAEP_SHA_1 — Supported for all types of\n key material, except RSA key material (private key).
\nYou cannot use the RSAES_OAEP_SHA_1 wrapping algorithm with the RSA_2048 wrapping key\n spec to wrap ECC_NIST_P521 key material.
\n\n RSAES_PKCS1_V1_5 (Deprecated) — Supported only\n for symmetric encryption key material (and only in legacy mode).
\nReturns the public key of an asymmetric KMS key. Unlike the private key of a asymmetric\n KMS key, which never leaves KMS unencrypted, callers with kms:GetPublicKey
\n permission can download the public key of an asymmetric KMS key. You can share the public key\n to allow others to encrypt messages and verify signatures outside of KMS.\n For information about asymmetric KMS keys, see Asymmetric KMS keys in the Key Management Service Developer Guide.
You do not need to download the public key. Instead, you can use the public key within\n KMS by calling the Encrypt, ReEncrypt, or Verify operations with the identifier of an asymmetric KMS key. When you use the\n public key within KMS, you benefit from the authentication, authorization, and logging that\n are part of every KMS operation. You also reduce of risk of encrypting data that cannot be\n decrypted. These features are not effective outside of KMS.
\nTo help you use the public key safely outside of KMS, GetPublicKey
returns\n important information about the public key in the response, including:
\n KeySpec: The type of key material in the public key, such as\n RSA_4096
or ECC_NIST_P521
.
\n KeyUsage: Whether the key is used for encryption or signing.
\n\n EncryptionAlgorithms or SigningAlgorithms: A list of the encryption algorithms or the signing\n algorithms for the key.
\nAlthough KMS cannot enforce these restrictions on external operations, it is crucial\n that you use this information to prevent the public key from being used improperly. For\n example, you can prevent a public signing key from being used encrypt data, or prevent a\n public key from being used with an encryption algorithm that is not supported by KMS. You\n can also avoid errors, such as using the wrong signing algorithm in a verification\n operation.
\nTo verify a signature outside of KMS with an SM2 public key (China Regions only), you must \n specify the distinguishing ID. By default, KMS uses 1234567812345678
as the \n distinguishing ID. For more information, see Offline verification\n with SM2 key pairs.
The KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use:\n Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify\n the key ARN or alias ARN in the value of the KeyId
parameter.
\n Required permissions: kms:GetPublicKey (key policy)
\n\n Related operations: CreateKey\n
" + "smithy.api#documentation": "Returns the public key of an asymmetric KMS key. Unlike the private key of a asymmetric\n KMS key, which never leaves KMS unencrypted, callers with kms:GetPublicKey
\n permission can download the public key of an asymmetric KMS key. You can share the public key\n to allow others to encrypt messages and verify signatures outside of KMS.\n For information about asymmetric KMS keys, see Asymmetric KMS keys in the Key Management Service Developer Guide.
You do not need to download the public key. Instead, you can use the public key within\n KMS by calling the Encrypt, ReEncrypt, or Verify operations with the identifier of an asymmetric KMS key. When you use the\n public key within KMS, you benefit from the authentication, authorization, and logging that\n are part of every KMS operation. You also reduce of risk of encrypting data that cannot be\n decrypted. These features are not effective outside of KMS.
\nTo help you use the public key safely outside of KMS, GetPublicKey
returns\n important information about the public key in the response, including:
\n KeySpec: The type of key material in the public key, such as\n RSA_4096
or ECC_NIST_P521
.
\n KeyUsage: Whether the key is used for encryption or signing.
\n\n EncryptionAlgorithms or SigningAlgorithms: A list of the encryption algorithms or the signing\n algorithms for the key.
\nAlthough KMS cannot enforce these restrictions on external operations, it is crucial\n that you use this information to prevent the public key from being used improperly. For\n example, you can prevent a public signing key from being used encrypt data, or prevent a\n public key from being used with an encryption algorithm that is not supported by KMS. You\n can also avoid errors, such as using the wrong signing algorithm in a verification\n operation.
\nTo verify a signature outside of KMS with an SM2 public key (China Regions only), you\n must specify the distinguishing ID. By default, KMS uses 1234567812345678
as\n the distinguishing ID. For more information, see Offline\n verification with SM2 key pairs.
The KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify\n the key ARN or alias ARN in the value of the KeyId
parameter.
\n Required permissions: kms:GetPublicKey (key policy)
\n\n Related operations: CreateKey\n
", + "smithy.api#examples": [ + { + "title": "To download the public key of an asymmetric KMS key", + "documentation": "This example gets the public key of an asymmetric RSA KMS key used for encryption and decryption. The operation returns the key spec, key usage, and encryption or signing algorithms to help you use the public key correctly outside of AWS KMS.", + "input": { + "KeyId": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321" + }, + "output": { + "KeyId": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321", + "PublicKey": "Imports or reimports key material into an existing KMS key that was created without key\n material. ImportKeyMaterial
also sets the expiration model and expiration date of\n the imported key material.
By default, KMS keys are created with key material that KMS generates. This operation\n supports Importing key\n material, an advanced feature that lets you generate and import the cryptographic\n key material for a KMS key. For more information about importing key material into KMS, see\n Importing key\n material in the Key Management Service Developer Guide.
\nAfter you successfully import key material into a KMS key, you can reimport\n the same key material into that KMS key, but you cannot import different key\n material. You might reimport key material to replace key material that expired or key material\n that you deleted. You might also reimport key material to change the expiration model or\n expiration date of the key material. Before reimporting key material, if necessary, call DeleteImportedKeyMaterial to delete the current imported key material.
\nEach time you import key material into KMS, you can determine whether\n (ExpirationModel
) and when (ValidTo
) the key material expires. To\n change the expiration of your key material, you must import it again, either by calling\n ImportKeyMaterial
or using the import features of the\n KMS console.
Before calling ImportKeyMaterial
:
Create or identify a KMS key with no key material. The KMS key must have an\n Origin
value of EXTERNAL
, which indicates that the KMS key is\n designed for imported key material.
To create an new KMS key for imported key material, call the CreateKey operation with an Origin
value of EXTERNAL
. You can create a\n symmetric encryption KMS key, HMAC KMS key, asymmetric encryption KMS key, or asymmetric\n signing KMS key. You can also import key material into a multi-Region key of any\n supported type. However, you can't import key material into a KMS key in a custom key store.
Use the DescribeKey operation to verify that the\n KeyState
of the KMS key is PendingImport
, which indicates that\n the KMS key has no key material.
If you are reimporting the same key material into an existing KMS key, you might need\n to call the DeleteImportedKeyMaterial to delete its existing key\n material.
\nCall the GetParametersForImport operation to get a public key and\n import token set for importing key material.
\nUse the public key in the GetParametersForImport response to encrypt\n your key material.
\n Then, in an ImportKeyMaterial
request, you submit your encrypted key\n material and import token. When calling this operation, you must specify the following\n values:
The key ID or key ARN of the KMS key to associate with the imported key material. Its\n Origin
must be EXTERNAL
and its KeyState
must be\n PendingImport
. You cannot perform this operation on a KMS key in a custom key store, or on a KMS\n key in a different Amazon Web Services account. To get the Origin
and KeyState
\n of a KMS key, call DescribeKey.
The encrypted key material.
\nThe import token that GetParametersForImport returned. You must use\n a public key and token from the same GetParametersForImport
response.
Whether the key material expires (ExpirationModel
) and, if so, when\n (ValidTo
). For help with this choice, see Setting an expiration time in the Key Management Service Developer Guide.
If you set an expiration date, KMS deletes the key material from the KMS key on the\n specified date, making the KMS key unusable. To use the KMS key in cryptographic\n operations again, you must reimport the same key material. However, you can delete and\n reimport the key material at any time, including before the key material expires. Each\n time you reimport, you can eliminate or reset the expiration time.
\nWhen this operation is successful, the key state of the KMS key changes from\n PendingImport
to Enabled
, and you can use the KMS key in\n cryptographic operations.
If this operation fails, use the exception to help determine the problem. If the error is\n related to the key material, the import token, or wrapping key, use GetParametersForImport to get a new public key and import token for the KMS key\n and repeat the import procedure. For help, see How To Import Key\n Material in the Key Management Service Developer Guide.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
\n\n Required permissions: kms:ImportKeyMaterial (key policy)
\n\n Related operations:\n
\nImports or reimports key material into an existing KMS key that was created without key\n material. ImportKeyMaterial
also sets the expiration model and expiration date of\n the imported key material.
By default, KMS keys are created with key material that KMS generates. This operation\n supports Importing key\n material, an advanced feature that lets you generate and import the cryptographic\n key material for a KMS key. For more information about importing key material into KMS, see\n Importing key\n material in the Key Management Service Developer Guide.
\nAfter you successfully import key material into a KMS key, you can reimport\n the same key material into that KMS key, but you cannot import different key\n material. You might reimport key material to replace key material that expired or key material\n that you deleted. You might also reimport key material to change the expiration model or\n expiration date of the key material. Before reimporting key material, if necessary, call DeleteImportedKeyMaterial to delete the current imported key material.
\nEach time you import key material into KMS, you can determine whether\n (ExpirationModel
) and when (ValidTo
) the key material expires. To\n change the expiration of your key material, you must import it again, either by calling\n ImportKeyMaterial
or using the import features of the KMS console.
Before calling ImportKeyMaterial
:
Create or identify a KMS key with no key material. The KMS key must have an\n Origin
value of EXTERNAL
, which indicates that the KMS key is\n designed for imported key material.
To create an new KMS key for imported key material, call the CreateKey operation with an Origin
value of EXTERNAL
. You can create a\n symmetric encryption KMS key, HMAC KMS key, asymmetric encryption KMS key, or asymmetric\n signing KMS key. You can also import key material into a multi-Region key of any\n supported type. However, you can't import key material into a KMS key in a custom key store.
Use the DescribeKey operation to verify that the\n KeyState
of the KMS key is PendingImport
, which indicates that\n the KMS key has no key material.
If you are reimporting the same key material into an existing KMS key, you might need\n to call the DeleteImportedKeyMaterial to delete its existing key\n material.
\nCall the GetParametersForImport operation to get a public key and\n import token set for importing key material.
\nUse the public key in the GetParametersForImport response to encrypt\n your key material.
\n Then, in an ImportKeyMaterial
request, you submit your encrypted key\n material and import token. When calling this operation, you must specify the following\n values:
The key ID or key ARN of the KMS key to associate with the imported key material. Its\n Origin
must be EXTERNAL
and its KeyState
must be\n PendingImport
. You cannot perform this operation on a KMS key in a custom key store, or on a KMS\n key in a different Amazon Web Services account. To get the Origin
and KeyState
\n of a KMS key, call DescribeKey.
The encrypted key material.
\nThe import token that GetParametersForImport returned. You must use\n a public key and token from the same GetParametersForImport
response.
Whether the key material expires (ExpirationModel
) and, if so, when\n (ValidTo
). For help with this choice, see Setting an expiration time in the Key Management Service Developer Guide.
If you set an expiration date, KMS deletes the key material from the KMS key on the\n specified date, making the KMS key unusable. To use the KMS key in cryptographic\n operations again, you must reimport the same key material. However, you can delete and\n reimport the key material at any time, including before the key material expires. Each\n time you reimport, you can eliminate or reset the expiration time.
\nWhen this operation is successful, the key state of the KMS key changes from\n PendingImport
to Enabled
, and you can use the KMS key in\n cryptographic operations.
If this operation fails, use the exception to help determine the problem. If the error is\n related to the key material, the import token, or wrapping key, use GetParametersForImport to get a new public key and import token for the KMS key\n and repeat the import procedure. For help, see How To Import Key\n Material in the Key Management Service Developer Guide.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
\n\n Required permissions: kms:ImportKeyMaterial (key policy)
\n\n Related operations:\n
\nThe request was rejected because the state of the specified resource is not valid for this\n request.
\nThis exceptions means one of the following:
\nThe key state of the KMS key is not compatible with the operation.
\nTo find the key state, use the DescribeKey operation. For more\n information about which key states are compatible with each KMS operation, see\n Key states of KMS keys in the \n Key Management Service Developer Guide\n .
\nFor cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.
\nThe request was rejected because the state of the specified resource is not valid for this\n request.
\nThis exceptions means one of the following:
\nThe key state of the KMS key is not compatible with the operation.
\nTo find the key state, use the DescribeKey operation. For more\n information about which key states are compatible with each KMS operation, see\n Key states of KMS keys in the \n Key Management Service Developer Guide\n .
\nFor cryptographic operations on KMS keys in custom key stores, this exception\n represents a general failure with many possible causes. To identify the cause, see the\n error message that accompanies the exception.
\nInformation about the external key that is associated with a KMS key in an\n external key store.
\nFor more information, see \n External key in the Key Management Service Developer Guide.
" + "smithy.api#documentation": "Information about the external key that is associated with a KMS key in an external key\n store.
\nFor more information, see External key in the\n Key Management Service Developer Guide.
" } } }, @@ -4186,6 +4599,57 @@ ], "traits": { "smithy.api#documentation": "Gets a list of aliases in the caller's Amazon Web Services account and region. For more information\n about aliases, see CreateAlias.
\nBy default, the ListAliases
operation returns all aliases in the account and\n region. To get only the aliases associated with a particular KMS key, use the\n KeyId
parameter.
The ListAliases
response can include aliases that you created and associated\n with your customer managed keys, and aliases that Amazon Web Services created and associated with Amazon Web Services\n managed keys in your account. You can recognize Amazon Web Services aliases because their names have the\n format aws/
, such as aws/dynamodb
.
The response might also include aliases that have no TargetKeyId
field. These\n are predefined aliases that Amazon Web Services has created but has not yet associated with a KMS key.\n Aliases that Amazon Web Services creates in your account, including predefined aliases, do not count against\n your KMS aliases\n quota.
\n Cross-account use: No. ListAliases
does not\n return aliases in other Amazon Web Services accounts.
\n Required permissions: kms:ListAliases (IAM policy)
\nFor details, see Controlling access to aliases in the\n Key Management Service Developer Guide.
\n\n Related operations:\n
\n\n CreateAlias\n
\n\n DeleteAlias\n
\n\n UpdateAlias\n
\nGets the names of the key policies that are attached to a KMS key. This operation is\n designed to get policy names that you can use in a GetKeyPolicy operation.\n However, the only valid policy name is default
.
\n Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
\n\n Required permissions: kms:ListKeyPolicies (key policy)
\n\n Related operations:\n
\n\n GetKeyPolicy\n
\n\n PutKeyPolicy\n
\nGets a list of all KMS keys in the caller's Amazon Web Services account and Region.
\n\n Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
\n\n Required permissions: kms:ListKeys (IAM policy)
\n\n Related operations:\n
\n\n CreateKey\n
\n\n DescribeKey\n
\n\n ListAliases\n
\n\n ListResourceTags\n
\nReturns all tags on the specified KMS key.
\nFor general information about tags, including the format and syntax, see Tagging Amazon Web Services resources in\n the Amazon Web Services General Reference. For information about using\n tags in KMS, see Tagging\n keys.
\n\n Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
\n\n Required permissions: kms:ListResourceTags (key policy)
\n\n Related operations:\n
\n\n CreateKey\n
\n\n ReplicateKey\n
\n\n TagResource\n
\n\n UntagResource\n
\nAttaches a key policy to the specified KMS key.
\nFor more information about key policies, see Key Policies in the Key Management Service Developer Guide.\n For help writing and formatting a JSON policy document, see the IAM JSON Policy Reference in the \n Identity and Access Management User Guide\n . For examples of adding a key policy in multiple programming languages,\n see Setting a key policy in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
\n\n Required permissions: kms:PutKeyPolicy (key policy)
\n\n Related operations: GetKeyPolicy\n
" + "smithy.api#documentation": "Attaches a key policy to the specified KMS key.
\nFor more information about key policies, see Key Policies in the Key Management Service Developer Guide.\n For help writing and formatting a JSON policy document, see the IAM JSON Policy Reference in the \n Identity and Access Management User Guide\n . For examples of adding a key policy in multiple programming languages,\n see Setting a key policy in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
\n\n Required permissions: kms:PutKeyPolicy (key policy)
\n\n Related operations: GetKeyPolicy\n
", + "smithy.api#examples": [ + { + "title": "To attach a key policy to a KMS key", + "documentation": "The following example attaches a key policy to the specified KMS key.", + "input": { + "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", + "PolicyName": "default", + "Policy": "{\n \"Version\": \"2012-10-17\",\n \"Id\": \"custom-policy-2016-12-07\",\n \"Statement\": [\n {\n \"Sid\": \"Enable IAM User Permissions\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::111122223333:root\"\n },\n \"Action\": \"kms:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Allow access for Key Administrators\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": [\n \"arn:aws:iam::111122223333:user/ExampleAdminUser\",\n \"arn:aws:iam::111122223333:role/ExampleAdminRole\"\n ]\n },\n \"Action\": [\n \"kms:Create*\",\n \"kms:Describe*\",\n \"kms:Enable*\",\n \"kms:List*\",\n \"kms:Put*\",\n \"kms:Update*\",\n \"kms:Revoke*\",\n \"kms:Disable*\",\n \"kms:Get*\",\n \"kms:Delete*\",\n \"kms:ScheduleKeyDeletion\",\n \"kms:CancelKeyDeletion\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Allow use of the key\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::111122223333:role/ExamplePowerUserRole\"\n },\n \"Action\": [\n \"kms:Encrypt\",\n \"kms:Decrypt\",\n \"kms:ReEncrypt*\",\n \"kms:GenerateDataKey*\",\n \"kms:DescribeKey\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Allow attachment of persistent resources\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::111122223333:role/ExamplePowerUserRole\"\n },\n \"Action\": [\n \"kms:CreateGrant\",\n \"kms:ListGrants\",\n \"kms:RevokeGrant\"\n ],\n \"Resource\": \"*\",\n \"Condition\": {\n \"Bool\": {\n \"kms:GrantIsForAWSResource\": \"true\"\n }\n }\n }\n ]\n}\n" + } + } + ] } }, "com.amazonaws.kms#PutKeyPolicyRequest": { 
@@ -5023,6 +5578,9 @@ { "target": "com.amazonaws.kms#DisabledException" }, + { + "target": "com.amazonaws.kms#DryRunOperationException" + }, { "target": "com.amazonaws.kms#IncorrectKeyException" }, @@ -5049,7 +5607,22 @@ } ], "traits": { - "smithy.api#documentation": "Decrypts ciphertext and then reencrypts it entirely within KMS. You can use this\n operation to change the KMS key under which data is encrypted, such as when you manually\n rotate a KMS key or change the KMS key that protects a ciphertext. You can also use\n it to reencrypt ciphertext under the same KMS key, such as to change the encryption\n context of a ciphertext.
\nThe ReEncrypt
operation can decrypt ciphertext that was encrypted by using a\n KMS key in an KMS operation, such as Encrypt or GenerateDataKey. It can also decrypt ciphertext that was encrypted by using the\n public key of an asymmetric KMS key\n outside of KMS. However, it cannot decrypt ciphertext produced by other libraries, such as\n the Amazon Web Services Encryption SDK or\n Amazon S3\n client-side encryption. These libraries return a ciphertext format that is\n incompatible with KMS.
When you use the ReEncrypt
operation, you need to provide information for the\n decrypt operation and the subsequent encrypt operation.
If your ciphertext was encrypted under an asymmetric KMS key, you must use the\n SourceKeyId
parameter to identify the KMS key that encrypted the\n ciphertext. You must also supply the encryption algorithm that was used. This information\n is required to decrypt the data.
If your ciphertext was encrypted under a symmetric encryption KMS key, the\n SourceKeyId
parameter is optional. KMS can get this information from\n metadata that it adds to the symmetric ciphertext blob. This feature adds durability to\n your implementation by ensuring that authorized users can decrypt ciphertext decades after\n it was encrypted, even if they've lost track of the key ID. However, specifying the source\n KMS key is always recommended as a best practice. When you use the\n SourceKeyId
parameter to specify a KMS key, KMS uses only the KMS key you\n specify. If the ciphertext was encrypted under a different KMS key, the\n ReEncrypt
operation fails. This practice ensures that you use the KMS key\n that you intend.
To reencrypt the data, you must use the DestinationKeyId
parameter to\n specify the KMS key that re-encrypts the data after it is decrypted. If the destination\n KMS key is an asymmetric KMS key, you must also provide the encryption algorithm. The\n algorithm that you choose must be compatible with the KMS key.
When you use an asymmetric KMS key to encrypt or reencrypt data, be sure to record the KMS key and encryption algorithm that you choose. You will be required to provide the same KMS key and encryption algorithm when you decrypt the data. If the KMS key and algorithm do not match the values used to encrypt the data, the decrypt operation fails.
\nYou are not required to supply the key ID and encryption algorithm when you decrypt with symmetric encryption KMS keys because KMS stores this information in the ciphertext blob. KMS cannot store metadata in ciphertext generated with asymmetric keys. The standard format for asymmetric key ciphertext does not include configurable fields.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: Yes. The source KMS key and\n destination KMS key can be in different Amazon Web Services accounts. Either or both KMS keys can be in a\n different account than the caller. To specify a KMS key in a different account, you must use\n its key ARN or alias ARN.
\n\n Required permissions:
\n\n kms:ReEncryptFrom\n permission on the source KMS key (key policy)
\n\n kms:ReEncryptTo\n permission on the destination KMS key (key policy)
\nTo permit reencryption from or to a KMS key, include the \"kms:ReEncrypt*\"
\n permission in your key policy. This permission is\n automatically included in the key policy when you use the console to create a KMS key. But you\n must include it manually when you create a KMS key programmatically or when you use the PutKeyPolicy operation to set a key policy.
\n Related operations:\n
\n\n Decrypt\n
\n\n Encrypt\n
\n\n GenerateDataKey\n
\n\n GenerateDataKeyPair\n
\nDecrypts ciphertext and then reencrypts it entirely within KMS. You can use this\n operation to change the KMS key under which data is encrypted, such as when you manually\n rotate a KMS key or change the KMS key that protects a ciphertext. You can also use\n it to reencrypt ciphertext under the same KMS key, such as to change the encryption\n context of a ciphertext.
\nThe ReEncrypt
operation can decrypt ciphertext that was encrypted by using a\n KMS key in an KMS operation, such as Encrypt or GenerateDataKey. It can also decrypt ciphertext that was encrypted by using the\n public key of an asymmetric KMS key\n outside of KMS. However, it cannot decrypt ciphertext produced by other libraries, such as\n the Amazon Web Services Encryption SDK or\n Amazon S3\n client-side encryption. These libraries return a ciphertext format that is\n incompatible with KMS.
When you use the ReEncrypt
operation, you need to provide information for the\n decrypt operation and the subsequent encrypt operation.
If your ciphertext was encrypted under an asymmetric KMS key, you must use the\n SourceKeyId
parameter to identify the KMS key that encrypted the\n ciphertext. You must also supply the encryption algorithm that was used. This information\n is required to decrypt the data.
If your ciphertext was encrypted under a symmetric encryption KMS key, the\n SourceKeyId
parameter is optional. KMS can get this information from\n metadata that it adds to the symmetric ciphertext blob. This feature adds durability to\n your implementation by ensuring that authorized users can decrypt ciphertext decades after\n it was encrypted, even if they've lost track of the key ID. However, specifying the source\n KMS key is always recommended as a best practice. When you use the\n SourceKeyId
parameter to specify a KMS key, KMS uses only the KMS key you\n specify. If the ciphertext was encrypted under a different KMS key, the\n ReEncrypt
operation fails. This practice ensures that you use the KMS key\n that you intend.
To reencrypt the data, you must use the DestinationKeyId
parameter to\n specify the KMS key that re-encrypts the data after it is decrypted. If the destination\n KMS key is an asymmetric KMS key, you must also provide the encryption algorithm. The\n algorithm that you choose must be compatible with the KMS key.
When you use an asymmetric KMS key to encrypt or reencrypt data, be sure to record the KMS key and encryption algorithm that you choose. You will be required to provide the same KMS key and encryption algorithm when you decrypt the data. If the KMS key and algorithm do not match the values used to encrypt the data, the decrypt operation fails.
\nYou are not required to supply the key ID and encryption algorithm when you decrypt with symmetric encryption KMS keys because KMS stores this information in the ciphertext blob. KMS cannot store metadata in ciphertext generated with asymmetric keys. The standard format for asymmetric key ciphertext does not include configurable fields.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: Yes. The source KMS key and\n destination KMS key can be in different Amazon Web Services accounts. Either or both KMS keys can be in a\n different account than the caller. To specify a KMS key in a different account, you must use\n its key ARN or alias ARN.
\n\n Required permissions:
\n\n kms:ReEncryptFrom\n permission on the source KMS key (key policy)
\n\n kms:ReEncryptTo\n permission on the destination KMS key (key policy)
\nTo permit reencryption from or to a KMS key, include the \"kms:ReEncrypt*\"
\n permission in your key policy. This permission is\n automatically included in the key policy when you use the console to create a KMS key. But you\n must include it manually when you create a KMS key programmatically or when you use the PutKeyPolicy operation to set a key policy.
\n Related operations:\n
\n\n Decrypt\n
\n\n Encrypt\n
\n\n GenerateDataKey\n
\n\n GenerateDataKeyPair\n
\nA list of grant tokens.
\nUse a grant token when your permission to call this operation comes from a new grant that has not yet achieved eventual consistency. For more information, see Grant token and Using a grant token in the\n Key Management Service Developer Guide.
" } + }, + "DryRun": { + "target": "com.amazonaws.kms#NullableBooleanType", + "traits": { + "smithy.api#documentation": "Checks if your request will succeed. DryRun
is an optional parameter.
To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.
" + } } }, "traits": { @@ -5154,13 +5733,13 @@ "KeyEncryptionAlgorithm": { "target": "com.amazonaws.kms#KeyEncryptionMechanism", "traits": { - "smithy.api#documentation": "The encryption algorithm that KMS should use with the public key for an Amazon Web Services Nitro Enclave to encrypt plaintext \n values for the response. The only valid value is RSAES_OAEP_SHA_256
.
The encryption algorithm that KMS should use with the public key for an Amazon Web Services Nitro\n Enclave to encrypt plaintext values for the response. The only valid value is\n RSAES_OAEP_SHA_256
.
The attestation document for an Amazon Web Services Nitro Enclave. This document includes the enclave's public\n key.
" + "smithy.api#documentation": "The attestation document for an Amazon Web Services Nitro Enclave. This document includes the enclave's\n public key.
" } } }, @@ -5219,7 +5798,51 @@ } ], "traits": { - "smithy.api#documentation": "Replicates a multi-Region key into the specified Region. This operation creates a\n multi-Region replica key based on a multi-Region primary key in a different Region of the same\n Amazon Web Services partition. You can create multiple replicas of a primary key, but each must be in a\n different Region. To create a multi-Region primary key, use the CreateKey\n operation.
\nThis operation supports multi-Region keys, an KMS feature that lets you create multiple\n interoperable KMS keys in different Amazon Web Services Regions. Because these KMS keys have the same key ID, key\n material, and other metadata, you can use them interchangeably to encrypt data in one Amazon Web Services Region and decrypt\n it in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more information about multi-Region keys, see Multi-Region keys in KMS in the Key Management Service Developer Guide.
\nA replica key is a fully-functional KMS key that can be used\n independently of its primary and peer replica keys. A primary key and its replica keys share\n properties that make them interoperable. They have the same key ID and key material. They also\n have the same key\n spec, key\n usage, key\n material origin, and automatic key rotation status. KMS automatically synchronizes these shared\n properties among related multi-Region keys. All other properties of a replica key can differ,\n including its key\n policy, tags, aliases, and Key states of KMS keys. KMS pricing and quotas for KMS keys apply to each\n primary key and replica key.
\nWhen this operation completes, the new replica key has a transient key state of\n Creating
. This key state changes to Enabled
(or\n PendingImport
) after a few seconds when the process of creating the new replica\n key is complete. While the key state is Creating
, you can manage key, but you\n cannot yet use it in cryptographic operations. If you are creating and using the replica key\n programmatically, retry on KMSInvalidStateException
or call\n DescribeKey
to check its KeyState
value before using it. For\n details about the Creating
key state, see Key states of KMS keys in the\n Key Management Service Developer Guide.
You cannot create more than one replica of a primary key in any Region. If the Region\n already includes a replica of the key you're trying to replicate, ReplicateKey
\n returns an AlreadyExistsException
error. If the key state of the existing replica\n is PendingDeletion
, you can cancel the scheduled key deletion (CancelKeyDeletion) or wait for the key to be deleted. The new replica key you\n create will have the same shared\n properties as the original replica key.
The CloudTrail log of a ReplicateKey
operation records a\n ReplicateKey
operation in the primary key's Region and a CreateKey operation in the replica key's Region.
If you replicate a multi-Region primary key with imported key material, the replica key is\n created with no key material. You must import the same key material that you imported into the\n primary key. For details, see Importing key material into multi-Region keys in the Key Management Service Developer Guide.
\nTo convert a replica key to a primary key, use the UpdatePrimaryRegion\n operation.
\n\n ReplicateKey
uses different default values for the KeyPolicy
\n and Tags
parameters than those used in the KMS console. For details, see the\n parameter descriptions.
\n Cross-account use: No. You cannot use this operation to\n create a replica key in a different Amazon Web Services account.
\n\n Required permissions:
\n\n kms:ReplicateKey
on the primary key (in the primary key's Region).\n Include this permission in the primary key's key policy.
\n kms:CreateKey
in an IAM policy in the replica Region.
To use the Tags
parameter, kms:TagResource
in an IAM policy\n in the replica Region.
\n Related operations\n
\n\n CreateKey\n
\n\n UpdatePrimaryRegion\n
\nReplicates a multi-Region key into the specified Region. This operation creates a\n multi-Region replica key based on a multi-Region primary key in a different Region of the same\n Amazon Web Services partition. You can create multiple replicas of a primary key, but each must be in a\n different Region. To create a multi-Region primary key, use the CreateKey\n operation.
\nThis operation supports multi-Region keys, an KMS feature that lets you create multiple\n interoperable KMS keys in different Amazon Web Services Regions. Because these KMS keys have the same key ID, key\n material, and other metadata, you can use them interchangeably to encrypt data in one Amazon Web Services Region and decrypt\n it in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more information about multi-Region keys, see Multi-Region keys in KMS in the Key Management Service Developer Guide.
\nA replica key is a fully-functional KMS key that can be used\n independently of its primary and peer replica keys. A primary key and its replica keys share\n properties that make them interoperable. They have the same key ID and key material. They also\n have the same key\n spec, key\n usage, key\n material origin, and automatic key rotation status. KMS automatically synchronizes these shared\n properties among related multi-Region keys. All other properties of a replica key can differ,\n including its key\n policy, tags, aliases, and Key states of KMS keys. KMS pricing and quotas for KMS keys apply to each\n primary key and replica key.
\nWhen this operation completes, the new replica key has a transient key state of\n Creating
. This key state changes to Enabled
(or\n PendingImport
) after a few seconds when the process of creating the new replica\n key is complete. While the key state is Creating
, you can manage key, but you\n cannot yet use it in cryptographic operations. If you are creating and using the replica key\n programmatically, retry on KMSInvalidStateException
or call\n DescribeKey
to check its KeyState
value before using it. For\n details about the Creating
key state, see Key states of KMS keys in the\n Key Management Service Developer Guide.
You cannot create more than one replica of a primary key in any Region. If the Region\n already includes a replica of the key you're trying to replicate, ReplicateKey
\n returns an AlreadyExistsException
error. If the key state of the existing replica\n is PendingDeletion
, you can cancel the scheduled key deletion (CancelKeyDeletion) or wait for the key to be deleted. The new replica key you\n create will have the same shared\n properties as the original replica key.
The CloudTrail log of a ReplicateKey
operation records a\n ReplicateKey
operation in the primary key's Region and a CreateKey operation in the replica key's Region.
If you replicate a multi-Region primary key with imported key material, the replica key is\n created with no key material. You must import the same key material that you imported into the\n primary key. For details, see Importing key material into multi-Region keys in the Key Management Service Developer Guide.
\nTo convert a replica key to a primary key, use the UpdatePrimaryRegion\n operation.
\n\n ReplicateKey
uses different default values for the KeyPolicy
\n and Tags
parameters than those used in the KMS console. For details, see the\n parameter descriptions.
\n Cross-account use: No. You cannot use this operation to\n create a replica key in a different Amazon Web Services account.
\n\n Required permissions:
\n\n kms:ReplicateKey
on the primary key (in the primary key's Region).\n Include this permission in the primary key's key policy.
\n kms:CreateKey
in an IAM policy in the replica Region.
To use the Tags
parameter, kms:TagResource
in an IAM policy\n in the replica Region.
\n Related operations\n
\n\n CreateKey\n
\n\n UpdatePrimaryRegion\n
\nDeletes a grant. Typically, you retire a grant when you no longer need its permissions. To\n identify the grant to retire, use a grant token, or both the grant ID and a\n key identifier (key ID or key ARN) of the KMS key. The CreateGrant operation\n returns both values.
\nThis operation can be called by the retiring principal for a grant,\n by the grantee principal if the grant allows the RetireGrant
\n operation, and by the Amazon Web Services account in which the grant is created. It can also be called by\n principals to whom permission for retiring a grant is delegated. For details, see Retiring and revoking\n grants in the Key Management Service Developer Guide.
For detailed information about grants, including grant terminology, see Grants in KMS in the\n \n Key Management Service Developer Guide\n . For examples of working with grants in several\n programming languages, see Programming grants.
\n\n Cross-account use: Yes. You can retire a grant on a KMS\n key in a different Amazon Web Services account.
\n\n Required permissions::Permission to retire a grant is\n determined primarily by the grant. For details, see Retiring and revoking grants in\n the Key Management Service Developer Guide.
\n\n Related operations:\n
\n\n CreateGrant\n
\n\n ListGrants\n
\n\n ListRetirableGrants\n
\n\n RevokeGrant\n
\nDeletes a grant. Typically, you retire a grant when you no longer need its permissions. To\n identify the grant to retire, use a grant token, or both the grant ID and a\n key identifier (key ID or key ARN) of the KMS key. The CreateGrant operation\n returns both values.
\nThis operation can be called by the retiring principal for a grant,\n by the grantee principal if the grant allows the RetireGrant
\n operation, and by the Amazon Web Services account in which the grant is created. It can also be called by\n principals to whom permission for retiring a grant is delegated. For details, see Retiring and revoking\n grants in the Key Management Service Developer Guide.
For detailed information about grants, including grant terminology, see Grants in KMS in the\n \n Key Management Service Developer Guide\n . For examples of working with grants in several\n programming languages, see Programming grants.
\n\n Cross-account use: Yes. You can retire a grant on a KMS\n key in a different Amazon Web Services account.
\n\n Required permissions::Permission to retire a grant is\n determined primarily by the grant. For details, see Retiring and revoking grants in\n the Key Management Service Developer Guide.
\n\n Related operations:\n
\n\n CreateGrant\n
\n\n ListGrants\n
\n\n ListRetirableGrants\n
\n\n RevokeGrant\n
\nIdentifies the grant to retire. To get the grant ID, use CreateGrant,\n ListGrants, or ListRetirableGrants.
\nGrant ID Example -\n 0123456789012345678901234567890123456789012345678901234567890123
\nChecks if your request will succeed. DryRun
is an optional parameter.
To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.
" + } } }, "traits": { @@ -5368,6 +6010,9 @@ { "target": "com.amazonaws.kms#DependencyTimeoutException" }, + { + "target": "com.amazonaws.kms#DryRunOperationException" + }, { "target": "com.amazonaws.kms#InvalidArnException" }, @@ -5385,7 +6030,17 @@ } ], "traits": { - "smithy.api#documentation": "Deletes the specified grant. You revoke a grant to terminate the permissions that the\n grant allows. For more information, see Retiring and revoking grants in\n the \n Key Management Service Developer Guide\n .
\nWhen you create, retire, or revoke a grant, there might be a brief delay, usually less than five minutes, until the grant is available throughout KMS. This state is known as eventual consistency. For details, see Eventual consistency in\n the \n Key Management Service Developer Guide\n .
\nFor detailed information about grants, including grant terminology, see Grants in KMS in the\n \n Key Management Service Developer Guide\n . For examples of working with grants in several\n programming languages, see Programming grants.
\n\n Cross-account use: Yes. To perform this operation on a KMS key in a different Amazon Web Services account, specify the key\n ARN in the value of the KeyId
parameter.
\n Required permissions: kms:RevokeGrant (key policy).
\n\n Related operations:\n
\n\n CreateGrant\n
\n\n ListGrants\n
\n\n ListRetirableGrants\n
\n\n RetireGrant\n
\nDeletes the specified grant. You revoke a grant to terminate the permissions that the\n grant allows. For more information, see Retiring and revoking grants in\n the \n Key Management Service Developer Guide\n .
\nWhen you create, retire, or revoke a grant, there might be a brief delay, usually less than five minutes, until the grant is available throughout KMS. This state is known as eventual consistency. For details, see Eventual consistency in\n the \n Key Management Service Developer Guide\n .
\nFor detailed information about grants, including grant terminology, see Grants in KMS in the\n \n Key Management Service Developer Guide\n . For examples of working with grants in several\n programming languages, see Programming grants.
\n\n Cross-account use: Yes. To perform this operation on a KMS key in a different Amazon Web Services account, specify the key\n ARN in the value of the KeyId
parameter.
\n Required permissions: kms:RevokeGrant (key policy).
\n\n Related operations:\n
\n\n CreateGrant\n
\n\n ListGrants\n
\n\n ListRetirableGrants\n
\n\n RetireGrant\n
\nIdentifies the grant to revoke. To get the grant ID, use CreateGrant,\n ListGrants, or ListRetirableGrants.
", "smithy.api#required": {} } + }, + "DryRun": { + "target": "com.amazonaws.kms#NullableBooleanType", + "traits": { + "smithy.api#documentation": "Checks if your request will succeed. DryRun
is an optional parameter.
To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.
" + } } }, "traits": { @@ -5436,7 +6097,7 @@ } ], "traits": { - "smithy.api#documentation": "Schedules the deletion of a KMS key. By default, KMS applies a waiting period of 30\n days, but you can specify a waiting period of 7-30 days. When this operation is successful,\n the key state of the KMS key changes to PendingDeletion
and the key can't be used\n in any cryptographic operations. It remains in this state for the duration of the waiting\n period. Before the waiting period ends, you can use CancelKeyDeletion to\n cancel the deletion of the KMS key. After the waiting period ends, KMS deletes the KMS key,\n its key material, and all KMS data associated with it, including all aliases that refer to\n it.
Deleting a KMS key is a destructive and potentially dangerous operation. When a KMS key\n is deleted, all data that was encrypted under the KMS key is unrecoverable. (The only\n exception is a multi-Region replica\n key, or an asymmetric or HMAC KMS key with imported key material[BUGBUG-link to\n importing-keys-managing.html#import-delete-key.) To prevent the use of a KMS key without\n deleting it, use DisableKey.
\nYou can schedule the deletion of a multi-Region primary key and its replica keys at any\n time. However, KMS will not delete a multi-Region primary key with existing replica keys. If\n you schedule the deletion of a primary key with replicas, its key state changes to\n PendingReplicaDeletion
and it cannot be replicated or used in cryptographic\n operations. This status can continue indefinitely. When the last of its replicas keys is\n deleted (not just scheduled), the key state of the primary key changes to\n PendingDeletion
and its waiting period (PendingWindowInDays
)\n begins. For details, see Deleting multi-Region keys in the\n Key Management Service Developer Guide.
When KMS deletes\n a KMS key from an CloudHSM key store, it makes a best effort to delete the associated\n key material from the associated CloudHSM cluster. However, you might need to manually delete\n the orphaned key material from the cluster and its backups. Deleting a KMS key from an\n external key store has no effect on the associated external key. However, for both\n types of custom key stores, deleting a KMS key is destructive and irreversible. You cannot\n decrypt ciphertext encrypted under the KMS key by using only its associated external key or\n CloudHSM key. Also, you cannot recreate a KMS key in an external key store by creating a new KMS\n key with the same key material.
\nFor more information about scheduling a KMS key for deletion, see Deleting KMS keys in the\n Key Management Service Developer Guide.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
\n\n Required permissions: kms:ScheduleKeyDeletion (key\n policy)
\n\n Related operations\n
\n\n CancelKeyDeletion\n
\n\n DisableKey\n
\nSchedules the deletion of a KMS key. By default, KMS applies a waiting period of 30\n days, but you can specify a waiting period of 7-30 days. When this operation is successful,\n the key state of the KMS key changes to PendingDeletion
and the key can't be used\n in any cryptographic operations. It remains in this state for the duration of the waiting\n period. Before the waiting period ends, you can use CancelKeyDeletion to\n cancel the deletion of the KMS key. After the waiting period ends, KMS deletes the KMS key,\n its key material, and all KMS data associated with it, including all aliases that refer to\n it.
Deleting a KMS key is a destructive and potentially dangerous operation. When a KMS key\n is deleted, all data that was encrypted under the KMS key is unrecoverable. (The only\n exception is a multi-Region replica\n key, or an asymmetric or HMAC KMS\n key with imported key material.) To prevent the use of a KMS key without deleting\n it, use DisableKey.
\nYou can schedule the deletion of a multi-Region primary key and its replica keys at any\n time. However, KMS will not delete a multi-Region primary key with existing replica keys. If\n you schedule the deletion of a primary key with replicas, its key state changes to\n PendingReplicaDeletion
and it cannot be replicated or used in cryptographic\n operations. This status can continue indefinitely. When the last of its replicas keys is\n deleted (not just scheduled), the key state of the primary key changes to\n PendingDeletion
and its waiting period (PendingWindowInDays
)\n begins. For details, see Deleting multi-Region keys in the\n Key Management Service Developer Guide.
When KMS deletes\n a KMS key from an CloudHSM key store, it makes a best effort to delete the associated\n key material from the associated CloudHSM cluster. However, you might need to manually delete\n the orphaned key material from the cluster and its backups. Deleting a KMS key from an\n external key store has no effect on the associated external key. However, for both\n types of custom key stores, deleting a KMS key is destructive and irreversible. You cannot\n decrypt ciphertext encrypted under the KMS key by using only its associated external key or\n CloudHSM key. Also, you cannot recreate a KMS key in an external key store by creating a new KMS\n key with the same key material.
\nFor more information about scheduling a KMS key for deletion, see Deleting KMS keys in the\n Key Management Service Developer Guide.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
\n\n Required permissions: kms:ScheduleKeyDeletion (key\n policy)
\n\n Related operations\n
\n\n CancelKeyDeletion\n
\n\n DisableKey\n
\nThe waiting period, specified in number of days. After the waiting period ends, KMS\n deletes the KMS key.
\nIf the KMS key is a multi-Region primary key with replica keys, the waiting period begins\n when the last of its replica keys is deleted. Otherwise, the waiting period begins\n immediately.
\nThis value is optional. If you include a value, it must be between 7 and 30, inclusive. If\n you do not include a value, it defaults to 30. You can use the \n kms:ScheduleKeyDeletionPendingWindowInDays
\n \n condition key to further constrain the values that principals can specify in the \n PendingWindowInDays
parameter.
The waiting period, specified in number of days. After the waiting period ends, KMS\n deletes the KMS key.
\nIf the KMS key is a multi-Region primary key with replica keys, the waiting period begins\n when the last of its replica keys is deleted. Otherwise, the waiting period begins\n immediately.
\nThis value is optional. If you include a value, it must be between 7 and 30, inclusive. If\n you do not include a value, it defaults to 30. You can use the \n kms:ScheduleKeyDeletionPendingWindowInDays
\n condition key to further\n constrain the values that principals can specify in the PendingWindowInDays
\n parameter.
Creates a digital\n signature for a message or message digest by using the private key in an asymmetric\n signing KMS key. To verify the signature, use the Verify operation, or use\n the public key in the same asymmetric KMS key outside of KMS. For information about asymmetric KMS keys, see Asymmetric KMS keys in the Key Management Service Developer Guide.
\nDigital signatures are generated and verified by using asymmetric key pair, such as an RSA\n or ECC pair that is represented by an asymmetric KMS key. The key owner (or an authorized\n user) uses their private key to sign a message. Anyone with the public key can verify that the\n message was signed with that particular private key and that the message hasn't changed since\n it was signed.
\nTo use the Sign
operation, provide the following information:
Use the KeyId
parameter to identify an asymmetric KMS key with a\n KeyUsage
value of SIGN_VERIFY
. To get the\n KeyUsage
value of a KMS key, use the DescribeKey\n operation. The caller must have kms:Sign
permission on the KMS key.
Use the Message
parameter to specify the message or message digest to\n sign. You can submit messages of up to 4096 bytes. To sign a larger message, generate a\n hash digest of the message, and then provide the hash digest in the Message
\n parameter. To indicate whether the message is a full message or a digest, use the\n MessageType
parameter.
Choose a signing algorithm that is compatible with the KMS key.
\nWhen signing a message, be sure to record the KMS key and the signing algorithm. This\n information is required to verify the signature.
\nBest practices recommend that you limit the time during which any signature is\n effective. This deters an attack where the actor uses a signed message to establish validity\n repeatedly or long after the message is superseded. Signatures do not include a timestamp,\n but you can include a timestamp in the signed message to help you detect when its time to\n refresh the signature.
\nTo verify the signature that this operation generates, use the Verify\n operation. Or use the GetPublicKey operation to download the public key and\n then use the public key to verify the signature outside of KMS.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify\n the key ARN or alias ARN in the value of the KeyId
parameter.
\n Required permissions: kms:Sign (key policy)
\n\n Related operations: Verify\n
" + "smithy.api#documentation": "Creates a digital\n signature for a message or message digest by using the private key in an asymmetric\n signing KMS key. To verify the signature, use the Verify operation, or use\n the public key in the same asymmetric KMS key outside of KMS. For information about asymmetric KMS keys, see Asymmetric KMS keys in the Key Management Service Developer Guide.
\nDigital signatures are generated and verified by using asymmetric key pair, such as an RSA\n or ECC pair that is represented by an asymmetric KMS key. The key owner (or an authorized\n user) uses their private key to sign a message. Anyone with the public key can verify that the\n message was signed with that particular private key and that the message hasn't changed since\n it was signed.
\nTo use the Sign
operation, provide the following information:
Use the KeyId
parameter to identify an asymmetric KMS key with a\n KeyUsage
value of SIGN_VERIFY
. To get the\n KeyUsage
value of a KMS key, use the DescribeKey\n operation. The caller must have kms:Sign
permission on the KMS key.
Use the Message
parameter to specify the message or message digest to\n sign. You can submit messages of up to 4096 bytes. To sign a larger message, generate a\n hash digest of the message, and then provide the hash digest in the Message
\n parameter. To indicate whether the message is a full message or a digest, use the\n MessageType
parameter.
Choose a signing algorithm that is compatible with the KMS key.
\nWhen signing a message, be sure to record the KMS key and the signing algorithm. This\n information is required to verify the signature.
\nBest practices recommend that you limit the time during which any signature is\n effective. This deters an attack where the actor uses a signed message to establish validity\n repeatedly or long after the message is superseded. Signatures do not include a timestamp,\n but you can include a timestamp in the signed message to help you detect when its time to\n refresh the signature.
\nTo verify the signature that this operation generates, use the Verify\n operation. Or use the GetPublicKey operation to download the public key and\n then use the public key to verify the signature outside of KMS.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify\n the key ARN or alias ARN in the value of the KeyId
parameter.
\n Required permissions: kms:Sign (key policy)
\n\n Related operations: Verify\n
", + "smithy.api#examples": [ + { + "title": "To digitally sign a message with an asymmetric KMS key.", + "documentation": "This operation uses the private key in an asymmetric elliptic curve (ECC) KMS key to generate a digital signature for a given message.", + "input": { + "KeyId": "alias/ECC_signing_key", + "Message": "Specifies the message or message digest to sign. Messages can be 0-4096 bytes. To sign a\n larger message, provide a message digest.
\nIf you provide a message digest, use the DIGEST
value of MessageType
to\n prevent the digest from being hashed again while signing.
Specifies the message or message digest to sign. Messages can be 0-4096 bytes. To sign a\n larger message, provide a message digest.
\nIf you provide a message digest, use the DIGEST
value of\n MessageType
to prevent the digest from being hashed again while signing.
Tells KMS whether the value of the Message
parameter should be hashed\n as part of the signing algorithm. Use RAW
for unhashed messages; use DIGEST
\n for message digests, which are already hashed.
When the value of MessageType
is RAW
, KMS uses the standard\n signing algorithm, which begins with a hash function. When the value is DIGEST
, KMS skips\n the hashing step in the signing algorithm.
Use the DIGEST
value only when the value of the Message
\n parameter is a message digest. If you use the DIGEST
value with an unhashed message,\n the security of the signing operation can be compromised.
When the value of MessageType
is DIGEST
, the length\n of the Message
value must match the length of hashed messages for the specified signing algorithm.
You can submit a message digest and omit the MessageType
or specify\n RAW
so the digest is hashed again while signing. However, this can cause verification failures when \n verifying with a system that assumes a single hash.
The hashing algorithm in that Sign
uses is based on the SigningAlgorithm
value.
Signing algorithms that end in SHA_256 use the SHA_256 hashing algorithm.
\nSigning algorithms that end in SHA_384 use the SHA_384 hashing algorithm.
\nSigning algorithms that end in SHA_512 use the SHA_512 hashing algorithm.
\nSM2DSA uses the SM3 hashing algorithm. For details, see Offline verification with SM2 key pairs.
\nTells KMS whether the value of the Message
parameter should be hashed as\n part of the signing algorithm. Use RAW
for unhashed messages; use\n DIGEST
for message digests, which are already hashed.
When the value of MessageType
is RAW
, KMS uses the standard\n signing algorithm, which begins with a hash function. When the value is DIGEST
,\n KMS skips the hashing step in the signing algorithm.
Use the DIGEST
value only when the value of the Message
\n parameter is a message digest. If you use the DIGEST
value with an unhashed\n message, the security of the signing operation can be compromised.
When the value of MessageType
is DIGEST
, the length of the\n Message
value must match the length of hashed messages for the specified\n signing algorithm.
You can submit a message digest and omit the MessageType
or specify\n RAW
so the digest is hashed again while signing. However, this can cause\n verification failures when verifying with a system that assumes a single hash.
The hashing algorithm in that Sign
uses is based on the\n SigningAlgorithm
value.
Signing algorithms that end in SHA_256 use the SHA_256 hashing algorithm.
\nSigning algorithms that end in SHA_384 use the SHA_384 hashing algorithm.
\nSigning algorithms that end in SHA_512 use the SHA_512 hashing algorithm.
\nSM2DSA uses the SM3 hashing algorithm. For details, see Offline\n verification with SM2 key pairs.
\nSpecifies the signing algorithm to use when signing the message.
\nChoose an algorithm that is compatible with the type and size of the specified asymmetric\n KMS key. When signing with RSA key pairs, RSASSA-PSS algorithms are preferred. We include\n RSASSA-PKCS1-v1_5 algorithms for compatibility with existing applications.
", + "smithy.api#documentation": "Specifies the signing algorithm to use when signing the message.
\nChoose an algorithm that is compatible with the type and size of the specified asymmetric\n KMS key. When signing with RSA key pairs, RSASSA-PSS algorithms are preferred. We include\n RSASSA-PKCS1-v1_5 algorithms for compatibility with existing applications.
", "smithy.api#required": {} } + }, + "DryRun": { + "target": "com.amazonaws.kms#NullableBooleanType", + "traits": { + "smithy.api#documentation": "Checks if your request will succeed. DryRun
is an optional parameter.
To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.
" + } } }, "traits": { @@ -5757,7 +6444,22 @@ } ], "traits": { - "smithy.api#documentation": "Adds or edits tags on a customer managed key.
\nTagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see ABAC for KMS in the Key Management Service Developer Guide.
\nEach tag consists of a tag key and a tag value, both of which are case-sensitive strings.\n The tag value can be an empty (null) string. To add a tag, specify a new tag key and a tag\n value. To edit a tag, specify an existing tag key and a new tag value.
\nYou can use this operation to tag a customer managed key, but you cannot\n tag an Amazon Web Services\n managed key, an Amazon Web Services owned key, a custom key\n store, or an alias.
\nYou can also add tags to a KMS key while creating it (CreateKey) or\n replicating it (ReplicateKey).
\nFor information about using tags in KMS, see Tagging keys. For general information about\n tags, including the format and syntax, see Tagging Amazon Web Services resources in the Amazon\n Web Services General Reference.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
\n\n Required permissions: kms:TagResource (key policy)
\n\n Related operations\n
\n\n CreateKey\n
\n\n ListResourceTags\n
\n\n ReplicateKey\n
\n\n UntagResource\n
\nAdds or edits tags on a customer managed key.
\nTagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see ABAC for KMS in the Key Management Service Developer Guide.
\nEach tag consists of a tag key and a tag value, both of which are case-sensitive strings.\n The tag value can be an empty (null) string. To add a tag, specify a new tag key and a tag\n value. To edit a tag, specify an existing tag key and a new tag value.
\nYou can use this operation to tag a customer managed key, but you cannot\n tag an Amazon Web Services\n managed key, an Amazon Web Services owned key, a custom key\n store, or an alias.
\nYou can also add tags to a KMS key while creating it (CreateKey) or\n replicating it (ReplicateKey).
\nFor information about using tags in KMS, see Tagging keys. For general information about\n tags, including the format and syntax, see Tagging Amazon Web Services resources in the Amazon\n Web Services General Reference.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
\n\n Required permissions: kms:TagResource (key policy)
\n\n Related operations\n
\n\n CreateKey\n
\n\n ListResourceTags\n
\n\n ReplicateKey\n
\n\n UntagResource\n
\nOne or more tags. Each tag consists of a tag key and a tag value. The tag value can be an empty (null)\n string.
\nDo not include confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output.
\nYou cannot have more than one tag on a KMS key with the same tag key. If you specify an\n existing tag key with a different tag value, KMS replaces the current tag value with the\n specified one.
", + "smithy.api#documentation": "One or more tags. Each tag consists of a tag key and a tag value. The tag value can be an\n empty (null) string.
\nDo not include confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output.
\nYou cannot have more than one tag on a KMS key with the same tag key. If you specify an\n existing tag key with a different tag value, KMS replaces the current tag value with the\n specified one.
", "smithy.api#required": {} } } @@ -6023,52 +6725,56 @@ "type": "error" }, { - "conditions": [], - "type": "tree", - "rules": [ + "conditions": [ { - "conditions": [ + "fn": "booleanEquals", + "argv": [ { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseDualStack" - }, - true - ] - } - ], - "error": "Invalid Configuration: Dualstack and custom endpoint are not supported", - "type": "error" - }, - { - "conditions": [], - "endpoint": { - "url": { - "ref": "Endpoint" + "ref": "UseDualStack" }, - "properties": {}, - "headers": {} - }, - "type": "endpoint" + true + ] } - ] + ], + "error": "Invalid Configuration: Dualstack and custom endpoint are not supported", + "type": "error" + }, + { + "conditions": [], + "endpoint": { + "url": { + "ref": "Endpoint" + }, + "properties": {}, + "headers": {} + }, + "type": "endpoint" } ] }, { - "conditions": [], + "conditions": [ + { + "fn": "isSet", + "argv": [ + { + "ref": "Region" + } + ] + } + ], "type": "tree", "rules": [ { "conditions": [ { - "fn": "isSet", + "fn": "aws.partition", "argv": [ { "ref": "Region" } - ] + ], + "assign": "PartitionResult" } ], "type": "tree", @@ -6076,13 +6782,22 @@ { "conditions": [ { - "fn": "aws.partition", + "fn": "booleanEquals", "argv": [ { - "ref": "Region" - } - ], - "assign": "PartitionResult" + "ref": "UseFIPS" + }, + true + ] + }, + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseDualStack" + }, + true + ] } ], "type": "tree", 
@@ -6092,224 +6807,175 @@ { "fn": "booleanEquals", "argv": [ + true, { - "ref": "UseFIPS" - }, - true + "fn": "getAttr", + "argv": [ + { + "ref": "PartitionResult" + }, + "supportsFIPS" + ] + } ] }, { "fn": "booleanEquals", "argv": [ + true, { - "ref": "UseDualStack" - }, - true - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "booleanEquals", + "fn": "getAttr", "argv": [ - true, { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "supportsFIPS" - ] - } - ] - }, - { - "fn": "booleanEquals", - "argv": [ - true, - { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "supportsDualStack" - ] - } - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [], - "endpoint": { - "url": "https://kms-fips.{Region}.{PartitionResult#dualStackDnsSuffix}", - "properties": {}, - "headers": {} - }, - "type": "endpoint" - } + "ref": "PartitionResult" + }, + "supportsDualStack" ] } ] - }, + } + ], + "type": "tree", + "rules": [ { "conditions": [], - "error": "FIPS and DualStack are enabled, but this partition does not support one or both", - "type": "error" + "endpoint": { + "url": "https://kms-fips.{Region}.{PartitionResult#dualStackDnsSuffix}", + "properties": {}, + "headers": {} + }, + "type": "endpoint" } ] }, + { + "conditions": [], + "error": "FIPS and DualStack are enabled, but this partition does not support one or both", + "type": "error" + } + ] + }, + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseFIPS" + }, + true + ] + } + ], + "type": "tree", + "rules": [ { "conditions": [ { "fn": "booleanEquals", "argv": [ + true, { - "ref": "UseFIPS" - }, - true - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "booleanEquals", + "fn": "getAttr", "argv": [ - true, - { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "supportsFIPS" - ] - } - ] - } - ], - "type": "tree", - "rules": [ 
- { - "conditions": [], - "type": "tree", - "rules": [ { - "conditions": [], - "endpoint": { - "url": "https://kms-fips.{Region}.{PartitionResult#dnsSuffix}", - "properties": {}, - "headers": {} - }, - "type": "endpoint" - } + "ref": "PartitionResult" + }, + "supportsFIPS" ] } ] - }, + } + ], + "type": "tree", + "rules": [ { "conditions": [], - "error": "FIPS is enabled but this partition does not support FIPS", - "type": "error" + "endpoint": { + "url": "https://kms-fips.{Region}.{PartitionResult#dnsSuffix}", + "properties": {}, + "headers": {} + }, + "type": "endpoint" } ] }, + { + "conditions": [], + "error": "FIPS is enabled but this partition does not support FIPS", + "type": "error" + } + ] + }, + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseDualStack" + }, + true + ] + } + ], + "type": "tree", + "rules": [ { "conditions": [ { "fn": "booleanEquals", "argv": [ + true, { - "ref": "UseDualStack" - }, - true - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "booleanEquals", + "fn": "getAttr", "argv": [ - true, - { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "supportsDualStack" - ] - } - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": "tree", - "rules": [ { - "conditions": [], - "endpoint": { - "url": "https://kms.{Region}.{PartitionResult#dualStackDnsSuffix}", - "properties": {}, - "headers": {} - }, - "type": "endpoint" - } + "ref": "PartitionResult" + }, + "supportsDualStack" ] } ] - }, - { - "conditions": [], - "error": "DualStack is enabled but this partition does not support DualStack", - "type": "error" } - ] - }, - { - "conditions": [], + ], "type": "tree", "rules": [ { "conditions": [], "endpoint": { - "url": "https://kms.{Region}.{PartitionResult#dnsSuffix}", + "url": "https://kms.{Region}.{PartitionResult#dualStackDnsSuffix}", "properties": {}, "headers": {} }, "type": "endpoint" } ] + }, + { + "conditions": [], + "error": "DualStack is 
enabled but this partition does not support DualStack", + "type": "error" } ] + }, + { + "conditions": [], + "endpoint": { + "url": "https://kms.{Region}.{PartitionResult#dnsSuffix}", + "properties": {}, + "headers": {} + }, + "type": "endpoint" } ] - }, - { - "conditions": [], - "error": "Invalid Configuration: Missing Region", - "type": "error" } ] + }, + { + "conditions": [], + "error": "Invalid Configuration: Missing Region", + "type": "error" } ] }, @@ -7292,7 +7958,20 @@ } ], "traits": { - "smithy.api#documentation": "Deletes tags from a customer managed key. To delete a tag,\n specify the tag key and the KMS key.
\nTagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see ABAC for KMS in the Key Management Service Developer Guide.
\nWhen it succeeds, the UntagResource
operation doesn't return any output.\n Also, if the specified tag key isn't found on the KMS key, it doesn't throw an exception or\n return a response. To confirm that the operation worked, use the ListResourceTags operation.
For information about using tags in KMS, see Tagging keys. For general information about\n tags, including the format and syntax, see Tagging Amazon Web Services resources in the Amazon\n Web Services General Reference.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
\n\n Required permissions: kms:UntagResource (key policy)
\n\n Related operations\n
\n\n CreateKey\n
\n\n ListResourceTags\n
\n\n ReplicateKey\n
\n\n TagResource\n
\nDeletes tags from a customer managed key. To delete a tag,\n specify the tag key and the KMS key.
\nTagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see ABAC for KMS in the Key Management Service Developer Guide.
\nWhen it succeeds, the UntagResource
operation doesn't return any output.\n Also, if the specified tag key isn't found on the KMS key, it doesn't throw an exception or\n return a response. To confirm that the operation worked, use the ListResourceTags operation.
For information about using tags in KMS, see Tagging keys. For general information about\n tags, including the format and syntax, see Tagging Amazon Web Services resources in the Amazon\n Web Services General Reference.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
\n\n Required permissions: kms:UntagResource (key policy)
\n\n Related operations\n
\n\n CreateKey\n
\n\n ListResourceTags\n
\n\n ReplicateKey\n
\n\n TagResource\n
\nAssociates an existing KMS alias with a different KMS key. Each alias is associated with\n only one KMS key at a time, although a KMS key can have multiple aliases. The alias and the\n KMS key must be in the same Amazon Web Services account and Region.
\nAdding, deleting, or updating an alias can allow or deny permission to the KMS key. For details, see ABAC for KMS in the Key Management Service Developer Guide.
\nThe current and new KMS key must be the same type (both symmetric or both asymmetric or\n both HMAC), and they must have the same key usage. This restriction prevents errors in code\n that uses aliases. If you must assign an alias to a different type of KMS key, use DeleteAlias to delete the old alias and CreateAlias to create\n a new alias.
\nYou cannot use UpdateAlias
to change an alias name. To change an alias name,\n use DeleteAlias to delete the old alias and CreateAlias to\n create a new alias.
Because an alias is not a property of a KMS key, you can create, update, and delete the\n aliases of a KMS key without affecting the KMS key. Also, aliases do not appear in the\n response from the DescribeKey operation. To get the aliases of all KMS keys\n in the account, use the ListAliases operation.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
\n\n Required permissions\n
\n\n kms:UpdateAlias on\n the alias (IAM policy).
\n\n kms:UpdateAlias on\n the current KMS key (key policy).
\n\n kms:UpdateAlias on\n the new KMS key (key policy).
\nFor details, see Controlling access to aliases in the\n Key Management Service Developer Guide.
\n\n Related operations:\n
\n\n CreateAlias\n
\n\n DeleteAlias\n
\n\n ListAliases\n
\nAssociates an existing KMS alias with a different KMS key. Each alias is associated with\n only one KMS key at a time, although a KMS key can have multiple aliases. The alias and the\n KMS key must be in the same Amazon Web Services account and Region.
\nAdding, deleting, or updating an alias can allow or deny permission to the KMS key. For details, see ABAC for KMS in the Key Management Service Developer Guide.
\nThe current and new KMS key must be the same type (both symmetric or both asymmetric or\n both HMAC), and they must have the same key usage. This restriction prevents errors in code\n that uses aliases. If you must assign an alias to a different type of KMS key, use DeleteAlias to delete the old alias and CreateAlias to create\n a new alias.
\nYou cannot use UpdateAlias
to change an alias name. To change an alias name,\n use DeleteAlias to delete the old alias and CreateAlias to\n create a new alias.
Because an alias is not a property of a KMS key, you can create, update, and delete the\n aliases of a KMS key without affecting the KMS key. Also, aliases do not appear in the\n response from the DescribeKey operation. To get the aliases of all KMS keys\n in the account, use the ListAliases operation.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
\n\n Required permissions\n
\n\n kms:UpdateAlias on\n the alias (IAM policy).
\n\n kms:UpdateAlias on\n the current KMS key (key policy).
\n\n kms:UpdateAlias on\n the new KMS key (key policy).
\nFor details, see Controlling access to aliases in the\n Key Management Service Developer Guide.
\n\n Related operations:\n
\n\n CreateAlias\n
\n\n DeleteAlias\n
\n\n ListAliases\n
\nChanges the properties of a custom key store. You can use this operation to change the\n properties of an CloudHSM key store or an external key store.
\nUse the required CustomKeyStoreId
parameter to identify the custom key store.\n Use the remaining optional parameters to change its properties. This operation does not return\n any property values. To verify the updated property values, use the DescribeCustomKeyStores operation.
This operation is part of the custom key stores feature in KMS, which\ncombines the convenience and extensive integration of KMS with the isolation and control of a\nkey store that you own and manage.
\nWhen updating the properties of an external key store, verify that the updated settings\n connect your key store, via the external key store proxy, to the same external key manager\n as the previous settings, or to a backup or snapshot of the external key manager with the\n same cryptographic keys. If the updated connection settings fail, you can fix them and\n retry, although an extended delay might disrupt Amazon Web Services services. However, if KMS\n permanently loses its access to cryptographic keys, ciphertext encrypted under those keys is\n unrecoverable.
\nFor external key stores:
\nSome external key managers provide a simpler method for updating an external key store.\n For details, see your external key manager documentation.
\nWhen updating an external key store in the KMS console, you can upload a JSON-based\n proxy configuration file with the desired values. You cannot upload the proxy configuration\n file to the UpdateCustomKeyStore
operation. However, you can use the file to\n help you determine the correct values for the UpdateCustomKeyStore
\n parameters.
For an CloudHSM key store, you can use this operation to change the custom key store friendly\n name (NewCustomKeyStoreName
), to tell KMS about a change to the\n kmsuser
crypto user password (KeyStorePassword
), or to associate\n the custom key store with a different, but related, CloudHSM cluster\n (CloudHsmClusterId
). To update any property of an CloudHSM key store, the\n ConnectionState
of the CloudHSM key store must be DISCONNECTED
.
For an external key store, you can use this operation to change the custom key store\n friendly name (NewCustomKeyStoreName
), or to tell KMS about a change to the\n external key store proxy authentication credentials\n (XksProxyAuthenticationCredential
), connection method\n (XksProxyConnectivity
), external proxy endpoint\n (XksProxyUriEndpoint
) and path (XksProxyUriPath
). For external key\n stores with an XksProxyConnectivity
of VPC_ENDPOINT_SERVICE
, you can\n also update the Amazon VPC endpoint service name (XksProxyVpcEndpointServiceName
). To\n update most properties of an external key store, the ConnectionState
of the\n external key store must be DISCONNECTED
. However, you can update the\n CustomKeyStoreName
, XksProxyAuthenticationCredential
, and\n XksProxyUriPath
of an external key store when it is in the CONNECTED or\n DISCONNECTED state.
If your update requires a DISCONNECTED
state, before using\n UpdateCustomKeyStore
, use the DisconnectCustomKeyStore\n operation to disconnect the custom key store. After the UpdateCustomKeyStore
\n operation completes, use the ConnectCustomKeyStore to reconnect the custom\n key store. To find the ConnectionState
of the custom key store, use the DescribeCustomKeyStores operation.
\n
\nBefore updating the custom key store, verify that the new values allow KMS to connect\n the custom key store to its backing key store. For example, before you change the\n XksProxyUriPath
value, verify that the external key store proxy is reachable at\n the new path.
If the operation succeeds, it returns a JSON object with no\nproperties.
\n\n Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account.
\n\n Required permissions: kms:UpdateCustomKeyStore (IAM policy)
\n\n Related operations:\n
\n\n CreateCustomKeyStore\n
\n\n DeleteCustomKeyStore\n
\nChanges the properties of a custom key store. You can use this operation to change the\n properties of an CloudHSM key store or an external key store.
\nUse the required CustomKeyStoreId
parameter to identify the custom key store.\n Use the remaining optional parameters to change its properties. This operation does not return\n any property values. To verify the updated property values, use the DescribeCustomKeyStores operation.
This operation is part of the custom key stores feature in KMS, which\ncombines the convenience and extensive integration of KMS with the isolation and control of a\nkey store that you own and manage.
\nWhen updating the properties of an external key store, verify that the updated settings\n connect your key store, via the external key store proxy, to the same external key manager\n as the previous settings, or to a backup or snapshot of the external key manager with the\n same cryptographic keys. If the updated connection settings fail, you can fix them and\n retry, although an extended delay might disrupt Amazon Web Services services. However, if KMS\n permanently loses its access to cryptographic keys, ciphertext encrypted under those keys is\n unrecoverable.
\nFor external key stores:
\nSome external key managers provide a simpler method for updating an external key store.\n For details, see your external key manager documentation.
\nWhen updating an external key store in the KMS console, you can upload a JSON-based\n proxy configuration file with the desired values. You cannot upload the proxy configuration\n file to the UpdateCustomKeyStore
operation. However, you can use the file to\n help you determine the correct values for the UpdateCustomKeyStore
\n parameters.
For an CloudHSM key store, you can use this operation to change the custom key store friendly\n name (NewCustomKeyStoreName
), to tell KMS about a change to the\n kmsuser
crypto user password (KeyStorePassword
), or to associate\n the custom key store with a different, but related, CloudHSM cluster\n (CloudHsmClusterId
). To update any property of an CloudHSM key store, the\n ConnectionState
of the CloudHSM key store must be DISCONNECTED
.
For an external key store, you can use this operation to change the custom key store\n friendly name (NewCustomKeyStoreName
), or to tell KMS about a change to the\n external key store proxy authentication credentials\n (XksProxyAuthenticationCredential
), connection method\n (XksProxyConnectivity
), external proxy endpoint\n (XksProxyUriEndpoint
) and path (XksProxyUriPath
). For external key\n stores with an XksProxyConnectivity
of VPC_ENDPOINT_SERVICE
, you can\n also update the Amazon VPC endpoint service name (XksProxyVpcEndpointServiceName
). To\n update most properties of an external key store, the ConnectionState
of the\n external key store must be DISCONNECTED
. However, you can update the\n CustomKeyStoreName
, XksProxyAuthenticationCredential
, and\n XksProxyUriPath
of an external key store when it is in the CONNECTED or\n DISCONNECTED state.
If your update requires a DISCONNECTED
state, before using\n UpdateCustomKeyStore
, use the DisconnectCustomKeyStore\n operation to disconnect the custom key store. After the UpdateCustomKeyStore
\n operation completes, use the ConnectCustomKeyStore to reconnect the custom\n key store. To find the ConnectionState
of the custom key store, use the DescribeCustomKeyStores operation.
\n
\nBefore updating the custom key store, verify that the new values allow KMS to connect\n the custom key store to its backing key store. For example, before you change the\n XksProxyUriPath
value, verify that the external key store proxy is reachable at\n the new path.
If the operation succeeds, it returns a JSON object with no\nproperties.
\n\n Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account.
\n\n Required permissions: kms:UpdateCustomKeyStore (IAM policy)
\n\n Related operations:\n
\n\n CreateCustomKeyStore\n
\n\n DeleteCustomKeyStore\n
\nUpdates the description of a KMS key. To see the description of a KMS key, use DescribeKey.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
\n\n Required permissions: kms:UpdateKeyDescription (key policy)
\n\n Related operations\n
\n\n CreateKey\n
\n\n DescribeKey\n
\nUpdates the description of a KMS key. To see the description of a KMS key, use DescribeKey.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
\n\n Required permissions: kms:UpdateKeyDescription (key policy)
\n\n Related operations\n
\n\n CreateKey\n
\n\n DescribeKey\n
\nChanges the primary key of a multi-Region key.
\nThis operation changes the replica key in the specified Region to a primary key and\n changes the former primary key to a replica key. For example, suppose you have a primary key\n in us-east-1
and a replica key in eu-west-2
. If you run\n UpdatePrimaryRegion
with a PrimaryRegion
value of\n eu-west-2
, the primary key is now the key in eu-west-2
, and the\n key in us-east-1
becomes a replica key. For details, see Updating the primary Region in the Key Management Service Developer Guide.
This operation supports multi-Region keys, an KMS feature that lets you create multiple\n interoperable KMS keys in different Amazon Web Services Regions. Because these KMS keys have the same key ID, key\n material, and other metadata, you can use them interchangeably to encrypt data in one Amazon Web Services Region and decrypt\n it in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more information about multi-Region keys, see Multi-Region keys in KMS in the Key Management Service Developer Guide.
\nThe primary key of a multi-Region key is the source for properties\n that are always shared by primary and replica keys, including the key material, key ID, key spec, key usage, key material\n origin, and automatic\n key rotation. It's the only key that can be replicated. You cannot delete the primary\n key until all replica keys are deleted.
\nThe key ID and primary Region that you specify uniquely identify the replica key that will\n become the primary key. The primary Region must already have a replica key. This operation\n does not create a KMS key in the specified Region. To find the replica keys, use the DescribeKey operation on the primary key or any replica key. To create a replica\n key, use the ReplicateKey operation.
\nYou can run this operation while using the affected multi-Region keys in cryptographic\n operations. This operation should not delay, interrupt, or cause failures in cryptographic\n operations.
\nEven after this operation completes, the process of updating the primary Region might\n still be in progress for a few more seconds. Operations such as DescribeKey
might\n display both the old and new primary keys as replicas. The old and new primary keys have a\n transient key state of Updating
. The original key state is restored when the\n update is complete. While the key state is Updating
, you can use the keys in\n cryptographic operations, but you cannot replicate the new primary key or perform certain\n management operations, such as enabling or disabling these keys. For details about the\n Updating
key state, see Key states of KMS keys in the Key Management Service Developer Guide.
This operation does not return any output. To verify that primary key is changed, use the\n DescribeKey operation.
\n\n Cross-account use: No. You cannot use this operation in a\n different Amazon Web Services account.
\n\n Required permissions:
\n\n kms:UpdatePrimaryRegion
on the current primary key (in the primary key's\n Region). Include this permission primary key's key policy.
\n kms:UpdatePrimaryRegion
on the current replica key (in the replica key's\n Region). Include this permission in the replica key's key policy.
\n Related operations\n
\n\n CreateKey\n
\n\n ReplicateKey\n
\nChanges the primary key of a multi-Region key.
\nThis operation changes the replica key in the specified Region to a primary key and\n changes the former primary key to a replica key. For example, suppose you have a primary key\n in us-east-1
and a replica key in eu-west-2
. If you run\n UpdatePrimaryRegion
with a PrimaryRegion
value of\n eu-west-2
, the primary key is now the key in eu-west-2
, and the\n key in us-east-1
becomes a replica key. For details, see Updating the primary Region in the Key Management Service Developer Guide.
This operation supports multi-Region keys, an KMS feature that lets you create multiple\n interoperable KMS keys in different Amazon Web Services Regions. Because these KMS keys have the same key ID, key\n material, and other metadata, you can use them interchangeably to encrypt data in one Amazon Web Services Region and decrypt\n it in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more information about multi-Region keys, see Multi-Region keys in KMS in the Key Management Service Developer Guide.
\nThe primary key of a multi-Region key is the source for properties\n that are always shared by primary and replica keys, including the key material, key ID, key spec, key usage, key material\n origin, and automatic\n key rotation. It's the only key that can be replicated. You cannot delete the primary\n key until all replica keys are deleted.
\nThe key ID and primary Region that you specify uniquely identify the replica key that will\n become the primary key. The primary Region must already have a replica key. This operation\n does not create a KMS key in the specified Region. To find the replica keys, use the DescribeKey operation on the primary key or any replica key. To create a replica\n key, use the ReplicateKey operation.
\nYou can run this operation while using the affected multi-Region keys in cryptographic\n operations. This operation should not delay, interrupt, or cause failures in cryptographic\n operations.
\nEven after this operation completes, the process of updating the primary Region might\n still be in progress for a few more seconds. Operations such as DescribeKey
might\n display both the old and new primary keys as replicas. The old and new primary keys have a\n transient key state of Updating
. The original key state is restored when the\n update is complete. While the key state is Updating
, you can use the keys in\n cryptographic operations, but you cannot replicate the new primary key or perform certain\n management operations, such as enabling or disabling these keys. For details about the\n Updating
key state, see Key states of KMS keys in the Key Management Service Developer Guide.
This operation does not return any output. To verify that primary key is changed, use the\n DescribeKey operation.
\n\n Cross-account use: No. You cannot use this operation in a\n different Amazon Web Services account.
\n\n Required permissions:
\n\n kms:UpdatePrimaryRegion
on the current primary key (in the primary key's\n Region). Include this permission primary key's key policy.
\n kms:UpdatePrimaryRegion
on the current replica key (in the replica key's\n Region). Include this permission in the replica key's key policy.
\n Related operations\n
\n\n CreateKey\n
\n\n ReplicateKey\n
\nVerifies a digital signature that was generated by the Sign operation.
\n \nVerification confirms that an authorized user signed the message with the specified KMS\n key and signing algorithm, and the message hasn't changed since it was signed. If the\n signature is verified, the value of the SignatureValid
field in the response is\n True
. If the signature verification fails, the Verify
operation\n fails with an KMSInvalidSignatureException
exception.
A digital signature is generated by using the private key in an asymmetric KMS key. The\n signature is verified by using the public key in the same asymmetric KMS key.\n For information about asymmetric KMS keys, see Asymmetric KMS keys in the Key Management Service Developer Guide.
\nTo use the Verify
operation, specify the\n same asymmetric KMS key, message, and signing algorithm that were used to produce the\n signature. The message type does not need to be the same as the one used for signing, but it must \n indicate whether the value of the Message
parameter should be\n hashed as part of the verification process.
You can also verify the digital signature by using the public key of the KMS key outside\n of KMS. Use the GetPublicKey operation to download the public key in the\n asymmetric KMS key and then use the public key to verify the signature outside of KMS. The\n advantage of using the Verify
operation is that it is performed within KMS. As\n a result, it's easy to call, the operation is performed within the FIPS boundary, it is logged\n in CloudTrail, and you can use key policy and IAM policy to determine who is authorized to use\n the KMS key to verify signatures.
To verify a signature outside of KMS with an SM2 public key (China Regions only), you must \n specify the distinguishing ID. By default, KMS uses 1234567812345678
as the \n distinguishing ID. For more information, see Offline verification\n with SM2 key pairs.
The KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify\n the key ARN or alias ARN in the value of the KeyId
parameter.
\n Required permissions: kms:Verify (key policy)
\n\n Related operations: Sign\n
" + "smithy.api#documentation": "Verifies a digital signature that was generated by the Sign operation.
\n \nVerification confirms that an authorized user signed the message with the specified KMS\n key and signing algorithm, and the message hasn't changed since it was signed. If the\n signature is verified, the value of the SignatureValid
field in the response is\n True
. If the signature verification fails, the Verify
operation\n fails with an KMSInvalidSignatureException
exception.
A digital signature is generated by using the private key in an asymmetric KMS key. The\n signature is verified by using the public key in the same asymmetric KMS key.\n For information about asymmetric KMS keys, see Asymmetric KMS keys in the Key Management Service Developer Guide.
\nTo use the Verify
operation, specify the same asymmetric KMS key, message,\n and signing algorithm that were used to produce the signature. The message type does not need\n to be the same as the one used for signing, but it must indicate whether the value of the\n Message
parameter should be hashed as part of the verification process.
You can also verify the digital signature by using the public key of the KMS key outside\n of KMS. Use the GetPublicKey operation to download the public key in the\n asymmetric KMS key and then use the public key to verify the signature outside of KMS. The\n advantage of using the Verify
operation is that it is performed within KMS. As\n a result, it's easy to call, the operation is performed within the FIPS boundary, it is logged\n in CloudTrail, and you can use key policy and IAM policy to determine who is authorized to use\n the KMS key to verify signatures.
To verify a signature outside of KMS with an SM2 public key (China Regions only), you\n must specify the distinguishing ID. By default, KMS uses 1234567812345678
as\n the distinguishing ID. For more information, see Offline\n verification with SM2 key pairs.
The KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify\n the key ARN or alias ARN in the value of the KeyId
parameter.
\n Required permissions: kms:Verify (key policy)
\n\n Related operations: Sign\n
", + "smithy.api#examples": [ + { + "title": "To use an asymmetric KMS key to verify a digital signature", + "documentation": "This operation uses the public key in an elliptic curve (ECC) asymmetric key to verify a digital signature within AWS KMS.", + "input": { + "KeyId": "alias/ECC_signing_key", + "Message": "Verifies the hash-based message authentication code (HMAC) for a specified message, HMAC\n KMS key, and MAC algorithm. To verify the HMAC, VerifyMac
computes an HMAC using\n the message, HMAC KMS key, and MAC algorithm that you specify, and compares the computed HMAC\n to the HMAC that you specify. If the HMACs are identical, the verification succeeds;\n otherwise, it fails. Verification indicates that the message hasn't changed since the HMAC was\n calculated, and the specified key was used to generate and verify the HMAC.
HMAC KMS keys and the HMAC algorithms that KMS uses conform to industry standards\n defined in RFC 2104.
\nThis operation is part of KMS support for HMAC KMS keys. For details, see\n HMAC keys in KMS in the\n Key Management Service Developer Guide.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify\n the key ARN or alias ARN in the value of the KeyId
parameter.
\n Required permissions: kms:VerifyMac (key policy)
\n\n Related operations: GenerateMac\n
" + "smithy.api#documentation": "Verifies the hash-based message authentication code (HMAC) for a specified message, HMAC\n KMS key, and MAC algorithm. To verify the HMAC, VerifyMac
computes an HMAC using\n the message, HMAC KMS key, and MAC algorithm that you specify, and compares the computed HMAC\n to the HMAC that you specify. If the HMACs are identical, the verification succeeds;\n otherwise, it fails. Verification indicates that the message hasn't changed since the HMAC was\n calculated, and the specified key was used to generate and verify the HMAC.
HMAC KMS keys and the HMAC algorithms that KMS uses conform to industry standards\n defined in RFC 2104.
\nThis operation is part of KMS support for HMAC KMS keys. For details, see\n HMAC keys in KMS in the\n Key Management Service Developer Guide.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify\n the key ARN or alias ARN in the value of the KeyId
parameter.
\n Required permissions: kms:VerifyMac (key policy)
\n\n Related operations: GenerateMac\n
", + "smithy.api#examples": [ + { + "title": "To verify an HMAC", + "documentation": "This example verifies an HMAC for a particular message, HMAC KMS keys, and MAC algorithm. A value of 'true' in the MacValid value in the response indicates that the HMAC is valid.", + "input": { + "Message": "Hello World", + "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", + "MacAlgorithm": "HMAC_SHA_384", + "Mac": "A list of grant tokens.
\nUse a grant token when your permission to call this operation comes from a new grant that has not yet achieved eventual consistency. For more information, see Grant token and Using a grant token in the\n Key Management Service Developer Guide.
" } + }, + "DryRun": { + "target": "com.amazonaws.kms#NullableBooleanType", + "traits": { + "smithy.api#documentation": "Checks if your request will succeed. DryRun
is an optional parameter.
To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.
" + } } }, "traits": { @@ -7769,14 +8536,14 @@ "Message": { "target": "com.amazonaws.kms#PlaintextType", "traits": { - "smithy.api#documentation": "Specifies the message that was signed. You can submit a raw message of up to 4096 bytes,\n or a hash digest of the message. If you submit a digest, use the MessageType
parameter\n with a value of DIGEST
.
If the message specified here is different from the message that was signed, the signature\n verification fails. A message and its hash digest are considered to be the same\n message.
", + "smithy.api#documentation": "Specifies the message that was signed. You can submit a raw message of up to 4096 bytes,\n or a hash digest of the message. If you submit a digest, use the MessageType
\n parameter with a value of DIGEST
.
If the message specified here is different from the message that was signed, the signature\n verification fails. A message and its hash digest are considered to be the same\n message.
", "smithy.api#required": {} } }, "MessageType": { "target": "com.amazonaws.kms#MessageType", "traits": { - "smithy.api#documentation": "Tells KMS whether the value of the Message
parameter should be hashed\n as part of the signing algorithm. Use RAW
for unhashed messages; use DIGEST
\n for message digests, which are already hashed.
When the value of MessageType
is RAW
, KMS uses the standard\n signing algorithm, which begins with a hash function. When the value is DIGEST
, KMS \n skips the hashing step in the signing algorithm.
Use the DIGEST
value only when the value of the Message
\n parameter is a message digest. If you use the DIGEST
value with an unhashed message,\n the security of the verification operation can be compromised.
When the value of MessageType
is DIGEST
, the length\n of the Message
value must match the length of hashed messages for the specified signing algorithm.
You can submit a message digest and omit the MessageType
or specify\n RAW
so the digest is hashed again while signing. However, if the signed message is hashed once\n while signing, but twice while verifying, verification fails, even when the message hasn't changed.
The hashing algorithm in that Verify
uses is based on the SigningAlgorithm
value.
Signing algorithms that end in SHA_256 use the SHA_256 hashing algorithm.
\nSigning algorithms that end in SHA_384 use the SHA_384 hashing algorithm.
\nSigning algorithms that end in SHA_512 use the SHA_512 hashing algorithm.
\nSM2DSA uses the SM3 hashing algorithm. For details, see Offline verification with SM2 key pairs.
\nTells KMS whether the value of the Message
parameter should be hashed as\n part of the signing algorithm. Use RAW
for unhashed messages; use\n DIGEST
for message digests, which are already hashed.
When the value of MessageType
is RAW
, KMS uses the standard\n signing algorithm, which begins with a hash function. When the value is DIGEST
,\n KMS skips the hashing step in the signing algorithm.
Use the DIGEST
value only when the value of the Message
\n parameter is a message digest. If you use the DIGEST
value with an unhashed\n message, the security of the verification operation can be compromised.
When the value of MessageType
is DIGEST
, the length of the\n Message
value must match the length of hashed messages for the specified\n signing algorithm.
You can submit a message digest and omit the MessageType
or specify\n RAW
so the digest is hashed again while signing. However, if the signed message\n is hashed once while signing, but twice while verifying, verification fails, even when the\n message hasn't changed.
The hashing algorithm in that Verify
uses is based on the\n SigningAlgorithm
value.
Signing algorithms that end in SHA_256 use the SHA_256 hashing algorithm.
\nSigning algorithms that end in SHA_384 use the SHA_384 hashing algorithm.
\nSigning algorithms that end in SHA_512 use the SHA_512 hashing algorithm.
\nSM2DSA uses the SM3 hashing algorithm. For details, see Offline\n verification with SM2 key pairs.
\nA list of grant tokens.
\nUse a grant token when your permission to call this operation comes from a new grant that has not yet achieved eventual consistency. For more information, see Grant token and Using a grant token in the\n Key Management Service Developer Guide.
" } + }, + "DryRun": { + "target": "com.amazonaws.kms#NullableBooleanType", + "traits": { + "smithy.api#documentation": "Checks if your request will succeed. DryRun
is an optional parameter.
To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.
" + } } }, "traits": { @@ -7877,12 +8650,12 @@ "Id": { "target": "com.amazonaws.kms#XksKeyIdType", "traits": { - "smithy.api#documentation": "The ID of the external key in its external key manager. This is the ID that the external key store proxy uses to identify the external key.
" + "smithy.api#documentation": "The ID of the external key in its external key manager. This is the ID that the external\n key store proxy uses to identify the external key.
" } } }, "traits": { - "smithy.api#documentation": "Information about the external key that is associated with a KMS key in an\n external key store.
\nThis element appears in a CreateKey or DescribeKey\n response only for a KMS key in an external key store.
\nThe external key is a symmetric encryption key that is hosted by\n an external key manager outside of Amazon Web Services. When you use the KMS key in an external key store\n in a cryptographic operation, the cryptographic operation is performed in the\n external key manager using the specified external key. For more information, see External key in the Key Management Service Developer Guide.
" + "smithy.api#documentation": "Information about the external key that is\n associated with a KMS key in an external key store.
\nThis element appears in a CreateKey or DescribeKey\n response only for a KMS key in an external key store.
\nThe external key is a symmetric encryption key that is hosted by an\n external key manager outside of Amazon Web Services. When you use the KMS key in an external key store in a\n cryptographic operation, the cryptographic operation is performed in the external key manager\n using the specified external key. For more information, see External key in the\n Key Management Service Developer Guide.
" } }, "com.amazonaws.kms#XksKeyIdType": { @@ -7924,7 +8697,7 @@ "code": "XksKeyNotFoundException", "httpResponseCode": 400 }, - "smithy.api#documentation": "The request was rejected because the external key store proxy could not find the external key. This\n exception is thrown when the value of the XksKeyId
parameter doesn't identify a\n key in the external key manager associated with the external key proxy.
Verify that the XksKeyId
represents an existing key in the external key\n manager. Use the key identifier that the external key store proxy uses to identify the key.\n For details, see the documentation provided with your external key store proxy or key\n manager.
The request was rejected because the external key store proxy could not find the external\n key. This exception is thrown when the value of the XksKeyId
parameter doesn't\n identify a key in the external key manager associated with the external key proxy.
Verify that the XksKeyId
represents an existing key in the external key\n manager. Use the key identifier that the external key store proxy uses to identify the key.\n For details, see the documentation provided with your external key store proxy or key\n manager.
The part of the external key store proxy authentication credential\n that uniquely identifies the secret access key.
" + "smithy.api#documentation": "The part of the external key store proxy authentication credential that uniquely identifies the secret access\n key.
" } }, "UriEndpoint": { @@ -8145,7 +8918,7 @@ "code": "XksProxyUriUnreachableException", "httpResponseCode": 400 }, - "smithy.api#documentation": "KMS was unable to reach the specified XksProxyUriPath
. The path must be\n reachable before you create the external key store or update its settings.
This exception is also thrown when the external key store proxy response to a GetHealthStatus
\n request indicates that all external key manager instances are unavailable.
KMS was unable to reach the specified XksProxyUriPath
. The path must be\n reachable before you create the external key store or update its settings.
This exception is also thrown when the external key store proxy response to a\n GetHealthStatus
request indicates that all external key manager instances are\n unavailable.
The request was rejected because the Amazon VPC endpoint service configuration does not fulfill\n the requirements for an external key store proxy. For details, see the exception message and\n review the requirements for Amazon VPC endpoint service connectivity for an external key\n store.
", + "smithy.api#documentation": "The request was rejected because the Amazon VPC endpoint service configuration does not fulfill\n the requirements for an external key store proxy. For details, see the exception message and\n review the\n requirements for Amazon VPC endpoint service connectivity for an external key\n store.
", "smithy.api#error": "client", "smithy.api#httpError": 400 } diff --git a/aws/sdk/aws-models/lambda.json b/aws/sdk/aws-models/lambda.json index df1e4216396295c44edde192633ebd9d73be1f99..9f2a524dd9c55571fe23b799ff13e85c38d6edb2 100644 --- a/aws/sdk/aws-models/lambda.json +++ b/aws/sdk/aws-models/lambda.json @@ -306,52 +306,56 @@ "type": "error" }, { - "conditions": [], - "type": "tree", - "rules": [ + "conditions": [ { - "conditions": [ + "fn": "booleanEquals", + "argv": [ { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseDualStack" - }, - true - ] - } - ], - "error": "Invalid Configuration: Dualstack and custom endpoint are not supported", - "type": "error" - }, - { - "conditions": [], - "endpoint": { - "url": { - "ref": "Endpoint" + "ref": "UseDualStack" }, - "properties": {}, - "headers": {} - }, - "type": "endpoint" + true + ] } - ] + ], + "error": "Invalid Configuration: Dualstack and custom endpoint are not supported", + "type": "error" + }, + { + "conditions": [], + "endpoint": { + "url": { + "ref": "Endpoint" + }, + "properties": {}, + "headers": {} + }, + "type": "endpoint" } ] }, { - "conditions": [], + "conditions": [ + { + "fn": "isSet", + "argv": [ + { + "ref": "Region" + } + ] + } + ], "type": "tree", "rules": [ { "conditions": [ { - "fn": "isSet", + "fn": "aws.partition", "argv": [ { "ref": "Region" } - ] + ], + "assign": "PartitionResult" } ], "type": "tree", @@ -359,13 +363,22 @@ { "conditions": [ { - "fn": "aws.partition", + "fn": "booleanEquals", "argv": [ { - "ref": "Region" - } - ], - "assign": "PartitionResult" + "ref": "UseFIPS" + }, + true + ] + }, + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseDualStack" + }, + true + ] } ], "type": "tree", 
@@ -375,224 +388,175 @@ { "fn": "booleanEquals", "argv": [ + true, { - "ref": "UseFIPS" - }, - true + "fn": "getAttr", + "argv": [ + { + "ref": "PartitionResult" + }, + "supportsFIPS" + ] + } ] }, { "fn": "booleanEquals", "argv": [ + true, { - "ref": "UseDualStack" - }, - true - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "booleanEquals", + "fn": "getAttr", "argv": [ - true, { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "supportsFIPS" - ] - } - ] - }, - { - "fn": "booleanEquals", - "argv": [ - true, - { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "supportsDualStack" - ] - } - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [], - "endpoint": { - "url": "https://lambda-fips.{Region}.{PartitionResult#dualStackDnsSuffix}", - "properties": {}, - "headers": {} - }, - "type": "endpoint" - } + "ref": "PartitionResult" + }, + "supportsDualStack" ] } ] - }, + } + ], + "type": "tree", + "rules": [ { "conditions": [], - "error": "FIPS and DualStack are enabled, but this partition does not support one or both", - "type": "error" + "endpoint": { + "url": "https://lambda-fips.{Region}.{PartitionResult#dualStackDnsSuffix}", + "properties": {}, + "headers": {} + }, + "type": "endpoint" } ] }, + { + "conditions": [], + "error": "FIPS and DualStack are enabled, but this partition does not support one or both", + "type": "error" + } + ] + }, + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseFIPS" + }, + true + ] + } + ], + "type": "tree", + "rules": [ { "conditions": [ { "fn": "booleanEquals", "argv": [ + true, { - "ref": "UseFIPS" - }, - true - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "booleanEquals", + "fn": "getAttr", "argv": [ - true, { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "supportsFIPS" - ] - } - ] - } - ], - "type": "tree", - "rules": 
[ - { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [], - "endpoint": { - "url": "https://lambda-fips.{Region}.{PartitionResult#dnsSuffix}", - "properties": {}, - "headers": {} - }, - "type": "endpoint" - } + "ref": "PartitionResult" + }, + "supportsFIPS" ] } ] - }, + } + ], + "type": "tree", + "rules": [ { "conditions": [], - "error": "FIPS is enabled but this partition does not support FIPS", - "type": "error" + "endpoint": { + "url": "https://lambda-fips.{Region}.{PartitionResult#dnsSuffix}", + "properties": {}, + "headers": {} + }, + "type": "endpoint" } ] }, + { + "conditions": [], + "error": "FIPS is enabled but this partition does not support FIPS", + "type": "error" + } + ] + }, + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseDualStack" + }, + true + ] + } + ], + "type": "tree", + "rules": [ { "conditions": [ { "fn": "booleanEquals", "argv": [ + true, { - "ref": "UseDualStack" - }, - true - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "booleanEquals", + "fn": "getAttr", "argv": [ - true, { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "supportsDualStack" - ] - } - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [], - "endpoint": { - "url": "https://lambda.{Region}.{PartitionResult#dualStackDnsSuffix}", - "properties": {}, - "headers": {} - }, - "type": "endpoint" - } + "ref": "PartitionResult" + }, + "supportsDualStack" ] } ] - }, - { - "conditions": [], - "error": "DualStack is enabled but this partition does not support DualStack", - "type": "error" } - ] - }, - { - "conditions": [], + ], "type": "tree", "rules": [ { "conditions": [], "endpoint": { - "url": "https://lambda.{Region}.{PartitionResult#dnsSuffix}", + "url": "https://lambda.{Region}.{PartitionResult#dualStackDnsSuffix}", "properties": {}, "headers": {} }, "type": "endpoint" } ] + }, + { + "conditions": [], + "error": 
"DualStack is enabled but this partition does not support DualStack", + "type": "error" } ] + }, + { + "conditions": [], + "endpoint": { + "url": "https://lambda.{Region}.{PartitionResult#dnsSuffix}", + "properties": {}, + "headers": {} + }, + "type": "endpoint" } ] - }, - { - "conditions": [], - "error": "Invalid Configuration: Missing Region", - "type": "error" } ] + }, + { + "conditions": [], + "error": "Invalid Configuration: Missing Region", + "type": "error" } ] }, @@ -2567,13 +2531,13 @@ "StartingPosition": { "target": "com.amazonaws.lambda#EventSourcePosition", "traits": { - "smithy.api#documentation": "The position in a stream from which to start reading. Required for Amazon Kinesis, Amazon\n DynamoDB, and Amazon MSK Streams sources. AT_TIMESTAMP
is supported only for\n Amazon Kinesis streams and Amazon DocumentDB.
The position in a stream from which to start reading. Required for Amazon Kinesis and\n Amazon DynamoDB Stream event sources. AT_TIMESTAMP
is supported only for\n Amazon Kinesis streams, Amazon DocumentDB, Amazon MSK, and self-managed Apache Kafka.
With StartingPosition
set to AT_TIMESTAMP
, the time from which to start\n reading.
With StartingPosition
set to AT_TIMESTAMP
, the time from which to start\n reading. StartingPositionTimestamp
cannot be in the future.
Deletes a Lambda function. To delete a specific function version, use the Qualifier
parameter.\n Otherwise, all versions and aliases are deleted.
To delete Lambda event source mappings that invoke a function, use DeleteEventSourceMapping. For Amazon Web Services and resources that invoke your function\n directly, delete the trigger in the service where you originally configured it.
", + "smithy.api#documentation": "Deletes a Lambda function. To delete a specific function version, use the Qualifier
parameter.\n Otherwise, all versions and aliases are deleted. This doesn't require the user to have explicit\n permissions for DeleteAlias.
To delete Lambda event source mappings that invoke a function, use DeleteEventSourceMapping. For Amazon Web Services and resources that invoke your function\n directly, delete the trigger in the service where you originally configured it.
", "smithy.api#http": { "method": "DELETE", "uri": "/2015-03-31/functions/{FunctionName}", @@ -3912,13 +3879,13 @@ "StartingPosition": { "target": "com.amazonaws.lambda#EventSourcePosition", "traits": { - "smithy.api#documentation": "The position in a stream from which to start reading. Required for Amazon Kinesis, Amazon DynamoDB, and Amazon MSK stream sources. AT_TIMESTAMP
is supported only for Amazon Kinesis\n streams and Amazon DocumentDB.
The position in a stream from which to start reading. Required for Amazon Kinesis and\n Amazon DynamoDB Stream event sources. AT_TIMESTAMP
is supported only for\n Amazon Kinesis streams, Amazon DocumentDB, Amazon MSK, and self-managed Apache Kafka.
With StartingPosition
set to AT_TIMESTAMP
, the time from which to start\n reading.
With StartingPosition
set to AT_TIMESTAMP
, the time from which to start\n reading. StartingPositionTimestamp
cannot be in the future.
The exception type.
" + } + }, + "Message": { + "target": "com.amazonaws.lambda#String", + "traits": { + "smithy.api#documentation": "The exception message.
" + } + } + }, + "traits": { + "smithy.api#documentation": "Lambda has detected your function being invoked in a recursive loop with other Amazon Web Services resources and stopped your function's invocation.
", + "smithy.api#error": "client", + "smithy.api#httpError": 400 + } + }, "com.amazonaws.lambda#RemoveLayerVersionPermission": { "type": "operation", "input": { @@ -9948,6 +9943,12 @@ "traits": { "smithy.api#enumValue": "ruby3.2" } + }, + "python311": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "python3.11" + } } } }, @@ -10131,7 +10132,7 @@ } }, "traits": { - "smithy.api#documentation": "The function's Lambda SnapStart setting. Set ApplyOn
to PublishedVersions
to create a\n snapshot of the initialized execution environment when you publish a function version.
SnapStart is supported with the java11
runtime. For more information, see\n Improving startup performance with Lambda\n SnapStart.
The function's Lambda SnapStart setting. Set ApplyOn
to PublishedVersions
to create a\n snapshot of the initialized execution environment when you publish a function version.
Deletes the specified pronunciation lexicon stored in an Amazon Web Services Region. A lexicon which has been deleted is not available for\n speech synthesis, nor is it possible to retrieve it using either the\n GetLexicon
or ListLexicon
APIs.
For more information, see Managing Lexicons.
", + "smithy.api#examples": [ + { + "title": "To delete a lexicon", + "documentation": "Deletes a specified pronunciation lexicon stored in an AWS Region.", + "input": { + "Name": "example" + }, + "output": {} + } + ], "smithy.api#http": { "method": "DELETE", "uri": "/v1/lexicons/{Name}", @@ -110,6 +120,40 @@ ], "traits": { "smithy.api#documentation": "Returns the list of voices that are available for use when\n requesting speech synthesis. Each voice speaks a specified language, is\n either male or female, and is identified by an ID, which is the ASCII\n version of the voice name.
\nWhen synthesizing speech ( SynthesizeSpeech
), you\n provide the voice ID for the voice you want from the list of voices\n returned by DescribeVoices
.
For example, you want your news reader application to read news in\n a specific language, but giving a user the option to choose the voice.\n Using the DescribeVoices
operation you can provide the user\n with a list of available voices to select from.
You can optionally specify a language code to filter the available\n voices. For example, if you specify en-US
, the operation\n returns a list of all available US English voices.
This operation requires permissions to perform the\n polly:DescribeVoices
action.
Returns a list of pronunciation lexicons stored in an Amazon Web Services Region. For more information, see Managing Lexicons.
", + "smithy.api#examples": [ + { + "title": "To list all lexicons in a region", + "documentation": "Returns a list of pronunciation lexicons stored in an AWS Region.", + "output": { + "Lexicons": [ + { + "Attributes": { + "LanguageCode": "en-US", + "LastModified": 1.478542980117E9, + "Alphabet": "ipa", + "LexemesCount": 1, + "LexiconArn": "arn:aws:polly:us-east-1:123456789012:lexicon/example", + "Size": 503 + }, + "Name": "example" + } + ] + } + } + ], "smithy.api#http": { "method": "GET", "uri": "/v1/lexicons", @@ -1211,52 +1288,56 @@ "type": "error" }, { - "conditions": [], - "type": "tree", - "rules": [ + "conditions": [ { - "conditions": [ + "fn": "booleanEquals", + "argv": [ { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseDualStack" - }, - true - ] - } - ], - "error": "Invalid Configuration: Dualstack and custom endpoint are not supported", - "type": "error" - }, - { - "conditions": [], - "endpoint": { - "url": { - "ref": "Endpoint" + "ref": "UseDualStack" }, - "properties": {}, - "headers": {} - }, - "type": "endpoint" + true + ] } - ] + ], + "error": "Invalid Configuration: Dualstack and custom endpoint are not supported", + "type": "error" + }, + { + "conditions": [], + "endpoint": { + "url": { + "ref": "Endpoint" + }, + "properties": {}, + "headers": {} + }, + "type": "endpoint" } ] }, { - "conditions": [], + "conditions": [ + { + "fn": "isSet", + "argv": [ + { + "ref": "Region" + } + ] + } + ], "type": "tree", "rules": [ { "conditions": [ { - "fn": "isSet", + "fn": "aws.partition", "argv": [ { "ref": "Region" } - ] + ], + "assign": "PartitionResult" } ], "type": "tree", @@ -1264,13 +1345,22 @@ { "conditions": [ { - "fn": "aws.partition", + "fn": "booleanEquals", "argv": [ { - "ref": "Region" - } - ], - "assign": "PartitionResult" + "ref": "UseFIPS" + }, + true + ] + }, + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseDualStack" + }, + true + ] } ], "type": "tree", 
@@ -1280,224 +1370,175 @@ { "fn": "booleanEquals", "argv": [ + true, { - "ref": "UseFIPS" - }, - true + "fn": "getAttr", + "argv": [ + { + "ref": "PartitionResult" + }, + "supportsFIPS" + ] + } ] }, { "fn": "booleanEquals", "argv": [ + true, { - "ref": "UseDualStack" - }, - true - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "booleanEquals", - "argv": [ - true, - { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "supportsFIPS" - ] - } - ] - }, - { - "fn": "booleanEquals", + "fn": "getAttr", "argv": [ - true, { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "supportsDualStack" - ] - } - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [], - "endpoint": { - "url": "https://polly-fips.{Region}.{PartitionResult#dualStackDnsSuffix}", - "properties": {}, - "headers": {} - }, - "type": "endpoint" - } + "ref": "PartitionResult" + }, + "supportsDualStack" ] } ] - }, + } + ], + "type": "tree", + "rules": [ { "conditions": [], - "error": "FIPS and DualStack are enabled, but this partition does not support one or both", - "type": "error" + "endpoint": { + "url": "https://polly-fips.{Region}.{PartitionResult#dualStackDnsSuffix}", + "properties": {}, + "headers": {} + }, + "type": "endpoint" } ] }, + { + "conditions": [], + "error": "FIPS and DualStack are enabled, but this partition does not support one or both", + "type": "error" + } + ] + }, + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseFIPS" + }, + true + ] + } + ], + "type": "tree", + "rules": [ { "conditions": [ { "fn": "booleanEquals", "argv": [ + true, { - "ref": "UseFIPS" - }, - true - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "booleanEquals", + "fn": "getAttr", "argv": [ - true, { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "supportsFIPS" - ] - } - ] - } - ], - "type": "tree", - "rules": 
[ - { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [], - "endpoint": { - "url": "https://polly-fips.{Region}.{PartitionResult#dnsSuffix}", - "properties": {}, - "headers": {} - }, - "type": "endpoint" - } + "ref": "PartitionResult" + }, + "supportsFIPS" ] } ] - }, + } + ], + "type": "tree", + "rules": [ { "conditions": [], - "error": "FIPS is enabled but this partition does not support FIPS", - "type": "error" + "endpoint": { + "url": "https://polly-fips.{Region}.{PartitionResult#dnsSuffix}", + "properties": {}, + "headers": {} + }, + "type": "endpoint" } ] }, + { + "conditions": [], + "error": "FIPS is enabled but this partition does not support FIPS", + "type": "error" + } + ] + }, + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseDualStack" + }, + true + ] + } + ], + "type": "tree", + "rules": [ { "conditions": [ { "fn": "booleanEquals", "argv": [ + true, { - "ref": "UseDualStack" - }, - true - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "booleanEquals", + "fn": "getAttr", "argv": [ - true, { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "supportsDualStack" - ] - } - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [], - "endpoint": { - "url": "https://polly.{Region}.{PartitionResult#dualStackDnsSuffix}", - "properties": {}, - "headers": {} - }, - "type": "endpoint" - } + "ref": "PartitionResult" + }, + "supportsDualStack" ] } ] - }, - { - "conditions": [], - "error": "DualStack is enabled but this partition does not support DualStack", - "type": "error" } - ] - }, - { - "conditions": [], + ], "type": "tree", "rules": [ { "conditions": [], "endpoint": { - "url": "https://polly.{Region}.{PartitionResult#dnsSuffix}", + "url": "https://polly.{Region}.{PartitionResult#dualStackDnsSuffix}", "properties": {}, "headers": {} }, "type": "endpoint" } ] + }, + { + "conditions": [], + "error": 
"DualStack is enabled but this partition does not support DualStack", + "type": "error" } ] + }, + { + "conditions": [], + "endpoint": { + "url": "https://polly.{Region}.{PartitionResult#dnsSuffix}", + "properties": {}, + "headers": {} + }, + "type": "endpoint" } ] - }, - { - "conditions": [], - "error": "Invalid Configuration: Missing Region", - "type": "error" } ] + }, + { + "conditions": [], + "error": "Invalid Configuration: Missing Region", + "type": "error" } ] }, @@ -2162,6 +2203,17 @@ ], "traits": { "smithy.api#documentation": "Stores a pronunciation lexicon in an Amazon Web Services Region. If\n a lexicon with the same name already exists in the region, it is\n overwritten by the new lexicon. Lexicon operations have eventual\n consistency, therefore, it might take some time before the lexicon is\n available to the SynthesizeSpeech operation.
\nFor more information, see Managing Lexicons.
", + "smithy.api#examples": [ + { + "title": "To save a lexicon", + "documentation": "Stores a pronunciation lexicon in an AWS Region.", + "input": { + "Name": "W3C", + "Content": "file://example.pls" + }, + "output": {} + } + ], "smithy.api#http": { "method": "PUT", "uri": "/v1/lexicons/{Name}", @@ -2597,6 +2649,27 @@ ], "traits": { "smithy.api#documentation": "Synthesizes UTF-8 input, plain text or SSML, to a stream of bytes.\n SSML input must be valid, well-formed SSML. Some alphabets might not be\n available with all the voices (for example, Cyrillic might not be read at\n all by English voices) unless phoneme mapping is used. For more\n information, see How it Works.
", + "smithy.api#examples": [ + { + "title": "To synthesize speech", + "documentation": "Synthesizes plain text or SSML into a file of human-like speech.", + "input": { + "LexiconNames": [ + "example" + ], + "OutputFormat": "mp3", + "SampleRate": "8000", + "Text": "All Gaul is divided into three parts", + "TextType": "text", + "VoiceId": "Joanna" + }, + "output": { + "AudioStream": "TEXT", + "ContentType": "audio/mpeg", + "RequestCharacters": 37 + } + } + ], "smithy.api#http": { "method": "POST", "uri": "/v1/speech", @@ -3389,6 +3462,24 @@ "traits": { "smithy.api#enumValue": "Sofie" } + }, + "Lisa": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "Lisa" + } + }, + "Isabelle": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "Isabelle" + } + }, + "Zayd": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "Zayd" + } } } }, diff --git a/aws/sdk/aws-models/qldb-session.json b/aws/sdk/aws-models/qldb-session.json index b12ca953200f104ee14b640efdfb59d947b1be9a..df4974f8c5d895919ddf984afec12df9f093a500 100644 --- a/aws/sdk/aws-models/qldb-session.json +++ b/aws/sdk/aws-models/qldb-session.json @@ -326,7 +326,7 @@ "min": 1, "max": 32 }, - "smithy.api#pattern": "(?!^.*--)(?!^[0-9]+$)(?!^-)(?!.*-$)^[A-Za-z0-9-]+$" + "smithy.api#pattern": "^(?!^.*--)(?!^[0-9]+$)(?!^-)(?!.*-$)^[A-Za-z0-9-]+$" } }, "com.amazonaws.qldbsession#LimitExceededException": { 
@@ -471,52 +471,56 @@ "type": "error" }, { - "conditions": [], - "type": "tree", - "rules": [ + "conditions": [ { - "conditions": [ + "fn": "booleanEquals", + "argv": [ { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseDualStack" - }, - true - ] - } - ], - "error": "Invalid Configuration: Dualstack and custom endpoint are not supported", - "type": "error" - }, - { - "conditions": [], - "endpoint": { - "url": { - "ref": "Endpoint" + "ref": "UseDualStack" }, - "properties": {}, - "headers": {} - }, - "type": "endpoint" + true + ] } - ] + ], + "error": "Invalid Configuration: Dualstack and custom endpoint are not supported", + "type": "error" + }, + { + "conditions": [], + "endpoint": { + "url": { + "ref": "Endpoint" + }, + "properties": {}, + "headers": {} + }, + "type": "endpoint" } ] }, { - "conditions": [], + "conditions": [ + { + "fn": "isSet", + "argv": [ + { + "ref": "Region" + } + ] + } + ], "type": "tree", "rules": [ { "conditions": [ { - "fn": "isSet", + "fn": "aws.partition", "argv": [ { "ref": "Region" } - ] + ], + "assign": "PartitionResult" } ], "type": "tree", @@ -524,13 +528,22 @@ { "conditions": [ { - "fn": "aws.partition", + "fn": "booleanEquals", "argv": [ { - "ref": "Region" - } - ], - "assign": "PartitionResult" + "ref": "UseFIPS" + }, + true + ] + }, + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseDualStack" + }, + true + ] } ], "type": "tree", 
@@ -540,224 +553,175 @@ { "fn": "booleanEquals", "argv": [ + true, { - "ref": "UseFIPS" - }, - true + "fn": "getAttr", + "argv": [ + { + "ref": "PartitionResult" + }, + "supportsFIPS" + ] + } ] }, { "fn": "booleanEquals", "argv": [ + true, { - "ref": "UseDualStack" - }, - true - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "booleanEquals", + "fn": "getAttr", "argv": [ - true, { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "supportsFIPS" - ] - } - ] - }, - { - "fn": "booleanEquals", - "argv": [ - true, - { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "supportsDualStack" - ] - } - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [], - "endpoint": { - "url": "https://session.qldb-fips.{Region}.{PartitionResult#dualStackDnsSuffix}", - "properties": {}, - "headers": {} - }, - "type": "endpoint" - } + "ref": "PartitionResult" + }, + "supportsDualStack" ] } ] - }, + } + ], + "type": "tree", + "rules": [ { "conditions": [], - "error": "FIPS and DualStack are enabled, but this partition does not support one or both", - "type": "error" + "endpoint": { + "url": "https://session.qldb-fips.{Region}.{PartitionResult#dualStackDnsSuffix}", + "properties": {}, + "headers": {} + }, + "type": "endpoint" } ] }, + { + "conditions": [], + "error": "FIPS and DualStack are enabled, but this partition does not support one or both", + "type": "error" + } + ] + }, + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseFIPS" + }, + true + ] + } + ], + "type": "tree", + "rules": [ { "conditions": [ { "fn": "booleanEquals", "argv": [ + true, { - "ref": "UseFIPS" - }, - true - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "booleanEquals", + "fn": "getAttr", "argv": [ - true, - { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "supportsFIPS" - ] - } - ] - } - ], - "type": 
"tree", - "rules": [ - { - "conditions": [], - "type": "tree", - "rules": [ { - "conditions": [], - "endpoint": { - "url": "https://session.qldb-fips.{Region}.{PartitionResult#dnsSuffix}", - "properties": {}, - "headers": {} - }, - "type": "endpoint" - } + "ref": "PartitionResult" + }, + "supportsFIPS" ] } ] - }, + } + ], + "type": "tree", + "rules": [ { "conditions": [], - "error": "FIPS is enabled but this partition does not support FIPS", - "type": "error" + "endpoint": { + "url": "https://session.qldb-fips.{Region}.{PartitionResult#dnsSuffix}", + "properties": {}, + "headers": {} + }, + "type": "endpoint" } ] }, + { + "conditions": [], + "error": "FIPS is enabled but this partition does not support FIPS", + "type": "error" + } + ] + }, + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseDualStack" + }, + true + ] + } + ], + "type": "tree", + "rules": [ { "conditions": [ { "fn": "booleanEquals", "argv": [ + true, { - "ref": "UseDualStack" - }, - true - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "booleanEquals", + "fn": "getAttr", "argv": [ - true, - { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "supportsDualStack" - ] - } - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": "tree", - "rules": [ { - "conditions": [], - "endpoint": { - "url": "https://session.qldb.{Region}.{PartitionResult#dualStackDnsSuffix}", - "properties": {}, - "headers": {} - }, - "type": "endpoint" - } + "ref": "PartitionResult" + }, + "supportsDualStack" ] } ] - }, - { - "conditions": [], - "error": "DualStack is enabled but this partition does not support DualStack", - "type": "error" } - ] - }, - { - "conditions": [], + ], "type": "tree", "rules": [ { "conditions": [], "endpoint": { - "url": "https://session.qldb.{Region}.{PartitionResult#dnsSuffix}", + "url": "https://session.qldb.{Region}.{PartitionResult#dualStackDnsSuffix}", "properties": {}, "headers": {} }, "type": 
"endpoint" } ] + }, + { + "conditions": [], + "error": "DualStack is enabled but this partition does not support DualStack", + "type": "error" } ] + }, + { + "conditions": [], + "endpoint": { + "url": "https://session.qldb.{Region}.{PartitionResult#dnsSuffix}", + "properties": {}, + "headers": {} + }, + "type": "endpoint" } ] - }, - { - "conditions": [], - "error": "Invalid Configuration: Missing Region", - "type": "error" } ] + }, + { + "conditions": [], + "error": "Invalid Configuration: Missing Region", + "type": "error" } ] }, @@ -1334,6 +1298,9 @@ "smithy.api#documentation": "Command to fetch a page.
" } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.qldbsession#SendCommandResult": { @@ -1381,6 +1348,9 @@ "smithy.api#documentation": "Contains the details of the fetched page.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.qldbsession#SessionToken": { diff --git a/aws/sdk/aws-models/route53.json b/aws/sdk/aws-models/route53.json index 72d97074e3538ad81d121e7e26fd070469a806ec..cb171eb7c426892eccde410769c438ad4b5d9fda 100644 --- a/aws/sdk/aws-models/route53.json +++ b/aws/sdk/aws-models/route53.json @@ -263,6 +263,7 @@ "arnNamespace": "route53", "cloudFormationName": "Route53", "cloudTrailEventSource": "route53.amazonaws.com", + "docId": "route53-2013-04-01", "endpointPrefix": "route53" }, "aws.auth#sigv4": { @@ -334,52 +335,56 @@ "type": "error" }, { - "conditions": [], - "type": "tree", - "rules": [ + "conditions": [ { - "conditions": [ + "fn": "booleanEquals", + "argv": [ { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseDualStack" - }, - true - ] - } - ], - "error": "Invalid Configuration: Dualstack and custom endpoint are not supported", - "type": "error" - }, - { - "conditions": [], - "endpoint": { - "url": { - "ref": "Endpoint" + "ref": "UseDualStack" }, - "properties": {}, - "headers": {} - }, - "type": "endpoint" + true + ] } - ] + ], + "error": "Invalid Configuration: Dualstack and custom endpoint are not supported", + "type": "error" + }, + { + "conditions": [], + "endpoint": { + "url": { + "ref": "Endpoint" + }, + "properties": {}, + "headers": {} + }, + "type": "endpoint" } ] }, { - "conditions": [], + "conditions": [ + { + "fn": "isSet", + "argv": [ + { + "ref": "Region" + } + ] + } + ], "type": "tree", "rules": [ { "conditions": [ { - "fn": "isSet", + "fn": "aws.partition", "argv": [ { "ref": "Region" } - ] + ], + "assign": "PartitionResult" } ], "type": "tree", 
@@ -387,597 +392,557 @@ { "conditions": [ { - "fn": "aws.partition", + "fn": "stringEquals", "argv": [ { - "ref": "Region" - } - ], - "assign": "PartitionResult" - } - ], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "stringEquals", + "fn": "getAttr", "argv": [ { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "name" - ] + "ref": "PartitionResult" }, - "aws" + "name" ] }, + "aws" + ] + }, + { + "fn": "booleanEquals", + "argv": [ { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseFIPS" - }, - false - ] + "ref": "UseFIPS" }, + false + ] + }, + { + "fn": "booleanEquals", + "argv": [ { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseDualStack" - }, - false - ] - } - ], - "endpoint": { - "url": "https://route53.amazonaws.com", - "properties": { - "authSchemes": [ - { - "name": "sigv4", - "signingName": "route53", - "signingRegion": "us-east-1" - } - ] + "ref": "UseDualStack" }, - "headers": {} - }, - "type": "endpoint" + false + ] + } + ], + "endpoint": { + "url": "https://route53.amazonaws.com", + "properties": { + "authSchemes": [ + { + "name": "sigv4", + "signingName": "route53", + "signingRegion": "us-east-1" + } + ] }, + "headers": {} + }, + "type": "endpoint" + }, + { + "conditions": [ { - "conditions": [ + "fn": "stringEquals", + "argv": [ { - "fn": "stringEquals", + "fn": "getAttr", "argv": [ { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "name" - ] + "ref": "PartitionResult" }, - "aws" + "name" ] }, + "aws" + ] + }, + { + "fn": "booleanEquals", + "argv": [ { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseFIPS" - }, - true - ] + "ref": "UseFIPS" }, + true + ] + }, + { + "fn": "booleanEquals", + "argv": [ { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseDualStack" - }, - false - ] - } - ], - "endpoint": { - "url": "https://route53-fips.amazonaws.com", - "properties": { - "authSchemes": [ - { - "name": "sigv4", - "signingName": "route53", - "signingRegion": "us-east-1" - } - ] 
+ "ref": "UseDualStack" }, - "headers": {} - }, - "type": "endpoint" + false + ] + } + ], + "endpoint": { + "url": "https://route53-fips.amazonaws.com", + "properties": { + "authSchemes": [ + { + "name": "sigv4", + "signingName": "route53", + "signingRegion": "us-east-1" + } + ] }, + "headers": {} + }, + "type": "endpoint" + }, + { + "conditions": [ { - "conditions": [ + "fn": "stringEquals", + "argv": [ { - "fn": "stringEquals", + "fn": "getAttr", "argv": [ { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "name" - ] + "ref": "PartitionResult" }, - "aws-cn" + "name" ] }, + "aws-cn" + ] + }, + { + "fn": "booleanEquals", + "argv": [ { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseFIPS" - }, - false - ] + "ref": "UseFIPS" }, + false + ] + }, + { + "fn": "booleanEquals", + "argv": [ { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseDualStack" - }, - false - ] - } - ], - "endpoint": { - "url": "https://route53.amazonaws.com.cn", - "properties": { - "authSchemes": [ - { - "name": "sigv4", - "signingName": "route53", - "signingRegion": "cn-northwest-1" - } - ] + "ref": "UseDualStack" }, - "headers": {} - }, - "type": "endpoint" + false + ] + } + ], + "endpoint": { + "url": "https://route53.amazonaws.com.cn", + "properties": { + "authSchemes": [ + { + "name": "sigv4", + "signingName": "route53", + "signingRegion": "cn-northwest-1" + } + ] }, + "headers": {} + }, + "type": "endpoint" + }, + { + "conditions": [ { - "conditions": [ + "fn": "stringEquals", + "argv": [ { - "fn": "stringEquals", + "fn": "getAttr", "argv": [ { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "name" - ] + "ref": "PartitionResult" }, - "aws-us-gov" + "name" ] }, + "aws-us-gov" + ] + }, + { + "fn": "booleanEquals", + "argv": [ { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseFIPS" - }, - false - ] + "ref": "UseFIPS" }, + false + ] + }, + { + "fn": "booleanEquals", + "argv": [ { - "fn": "booleanEquals", - "argv": [ - { - "ref": 
"UseDualStack" - }, - false - ] - } - ], - "endpoint": { - "url": "https://route53.us-gov.amazonaws.com", - "properties": { - "authSchemes": [ - { - "name": "sigv4", - "signingName": "route53", - "signingRegion": "us-gov-west-1" - } - ] + "ref": "UseDualStack" }, - "headers": {} - }, - "type": "endpoint" + false + ] + } + ], + "endpoint": { + "url": "https://route53.us-gov.amazonaws.com", + "properties": { + "authSchemes": [ + { + "name": "sigv4", + "signingName": "route53", + "signingRegion": "us-gov-west-1" + } + ] }, + "headers": {} + }, + "type": "endpoint" + }, + { + "conditions": [ { - "conditions": [ + "fn": "stringEquals", + "argv": [ { - "fn": "stringEquals", + "fn": "getAttr", "argv": [ { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "name" - ] + "ref": "PartitionResult" }, - "aws-us-gov" + "name" ] }, + "aws-us-gov" + ] + }, + { + "fn": "booleanEquals", + "argv": [ { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseFIPS" - }, - true - ] + "ref": "UseFIPS" }, + true + ] + }, + { + "fn": "booleanEquals", + "argv": [ { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseDualStack" - }, - false - ] - } - ], - "endpoint": { - "url": "https://route53.us-gov.amazonaws.com", - "properties": { - "authSchemes": [ - { - "name": "sigv4", - "signingName": "route53", - "signingRegion": "us-gov-west-1" - } - ] + "ref": "UseDualStack" }, - "headers": {} - }, - "type": "endpoint" + false + ] + } + ], + "endpoint": { + "url": "https://route53.us-gov.amazonaws.com", + "properties": { + "authSchemes": [ + { + "name": "sigv4", + "signingName": "route53", + "signingRegion": "us-gov-west-1" + } + ] }, + "headers": {} + }, + "type": "endpoint" + }, + { + "conditions": [ { - "conditions": [ + "fn": "stringEquals", + "argv": [ { - "fn": "stringEquals", + "fn": "getAttr", "argv": [ { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "name" - ] + "ref": "PartitionResult" }, - "aws-iso" + "name" ] }, + "aws-iso" + ] + }, + { + "fn": 
"booleanEquals", + "argv": [ { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseFIPS" - }, - false - ] + "ref": "UseFIPS" + }, + false + ] + }, + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseDualStack" }, + false + ] + } + ], + "endpoint": { + "url": "https://route53.c2s.ic.gov", + "properties": { + "authSchemes": [ { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseDualStack" - }, - false - ] + "name": "sigv4", + "signingName": "route53", + "signingRegion": "us-iso-east-1" } - ], - "endpoint": { - "url": "https://route53.c2s.ic.gov", - "properties": { - "authSchemes": [ - { - "name": "sigv4", - "signingName": "route53", - "signingRegion": "us-iso-east-1" - } - ] - }, - "headers": {} - }, - "type": "endpoint" + ] }, + "headers": {} + }, + "type": "endpoint" + }, + { + "conditions": [ { - "conditions": [ + "fn": "stringEquals", + "argv": [ { - "fn": "stringEquals", + "fn": "getAttr", "argv": [ { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "name" - ] + "ref": "PartitionResult" }, - "aws-iso-b" + "name" ] }, + "aws-iso-b" + ] + }, + { + "fn": "booleanEquals", + "argv": [ { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseFIPS" - }, - false - ] + "ref": "UseFIPS" }, + false + ] + }, + { + "fn": "booleanEquals", + "argv": [ { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseDualStack" - }, - false - ] - } - ], - "endpoint": { - "url": "https://route53.sc2s.sgov.gov", - "properties": { - "authSchemes": [ - { - "name": "sigv4", - "signingName": "route53", - "signingRegion": "us-isob-east-1" - } - ] + "ref": "UseDualStack" }, - "headers": {} - }, - "type": "endpoint" + false + ] + } + ], + "endpoint": { + "url": "https://route53.sc2s.sgov.gov", + "properties": { + "authSchemes": [ + { + "name": "sigv4", + "signingName": "route53", + "signingRegion": "us-isob-east-1" + } + ] }, + "headers": {} + }, + "type": "endpoint" + }, + { + "conditions": [ { - "conditions": [ + "fn": "booleanEquals", + "argv": [ { - "fn": 
"booleanEquals", - "argv": [ - { - "ref": "UseFIPS" - }, - true - ] + "ref": "UseFIPS" }, + true + ] + }, + { + "fn": "booleanEquals", + "argv": [ { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseDualStack" - }, - true - ] - } - ], - "type": "tree", - "rules": [ + "ref": "UseDualStack" + }, + true + ] + } + ], + "type": "tree", + "rules": [ + { + "conditions": [ { - "conditions": [ - { - "fn": "booleanEquals", - "argv": [ - true, - { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "supportsFIPS" - ] - } - ] - }, + "fn": "booleanEquals", + "argv": [ + true, { - "fn": "booleanEquals", + "fn": "getAttr", "argv": [ - true, { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "supportsDualStack" - ] - } + "ref": "PartitionResult" + }, + "supportsFIPS" ] } - ], - "type": "tree", - "rules": [ + ] + }, + { + "fn": "booleanEquals", + "argv": [ + true, { - "conditions": [], - "type": "tree", - "rules": [ + "fn": "getAttr", + "argv": [ { - "conditions": [], - "endpoint": { - "url": "https://route53-fips.{Region}.{PartitionResult#dualStackDnsSuffix}", - "properties": {}, - "headers": {} - }, - "type": "endpoint" - } + "ref": "PartitionResult" + }, + "supportsDualStack" ] } ] - }, + } + ], + "type": "tree", + "rules": [ { "conditions": [], - "error": "FIPS and DualStack are enabled, but this partition does not support one or both", - "type": "error" + "endpoint": { + "url": "https://route53-fips.{Region}.{PartitionResult#dualStackDnsSuffix}", + "properties": {}, + "headers": {} + }, + "type": "endpoint" } ] }, + { + "conditions": [], + "error": "FIPS and DualStack are enabled, but this partition does not support one or both", + "type": "error" + } + ] + }, + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseFIPS" + }, + true + ] + } + ], + "type": "tree", + "rules": [ { "conditions": [ { "fn": "booleanEquals", "argv": [ + true, { - "ref": "UseFIPS" - }, - true - ] - } - ], - "type": "tree", - "rules": [ - 
{ - "conditions": [ - { - "fn": "booleanEquals", + "fn": "getAttr", "argv": [ - true, - { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "supportsFIPS" - ] - } - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": "tree", - "rules": [ { - "conditions": [], - "endpoint": { - "url": "https://route53-fips.{Region}.{PartitionResult#dnsSuffix}", - "properties": {}, - "headers": {} - }, - "type": "endpoint" - } + "ref": "PartitionResult" + }, + "supportsFIPS" ] } ] - }, + } + ], + "type": "tree", + "rules": [ { "conditions": [], - "error": "FIPS is enabled but this partition does not support FIPS", - "type": "error" + "endpoint": { + "url": "https://route53-fips.{Region}.{PartitionResult#dnsSuffix}", + "properties": {}, + "headers": {} + }, + "type": "endpoint" } ] }, + { + "conditions": [], + "error": "FIPS is enabled but this partition does not support FIPS", + "type": "error" + } + ] + }, + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseDualStack" + }, + true + ] + } + ], + "type": "tree", + "rules": [ { "conditions": [ { "fn": "booleanEquals", "argv": [ + true, { - "ref": "UseDualStack" - }, - true - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "booleanEquals", + "fn": "getAttr", "argv": [ - true, - { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "supportsDualStack" - ] - } - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": "tree", - "rules": [ { - "conditions": [], - "endpoint": { - "url": "https://route53.{Region}.{PartitionResult#dualStackDnsSuffix}", - "properties": {}, - "headers": {} - }, - "type": "endpoint" - } + "ref": "PartitionResult" + }, + "supportsDualStack" ] } ] - }, - { - "conditions": [], - "error": "DualStack is enabled but this partition does not support DualStack", - "type": "error" } - ] - }, - { - "conditions": [], + ], "type": "tree", "rules": [ { "conditions": [], "endpoint": { - "url": 
"https://route53.{Region}.{PartitionResult#dnsSuffix}", + "url": "https://route53.{Region}.{PartitionResult#dualStackDnsSuffix}", "properties": {}, "headers": {} }, "type": "endpoint" } ] + }, + { + "conditions": [], + "error": "DualStack is enabled but this partition does not support DualStack", + "type": "error" } ] + }, + { + "conditions": [], + "endpoint": { + "url": "https://route53.{Region}.{PartitionResult#dnsSuffix}", + "properties": {}, + "headers": {} + }, + "type": "endpoint" } ] - }, - { - "conditions": [], - "error": "Invalid Configuration: Missing Region", - "type": "error" } ] + }, + { + "conditions": [], + "error": "Invalid Configuration: Missing Region", + "type": "error" } ] }, @@ -1628,6 +1593,9 @@ "smithy.api#required": {} } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.route53#ActivateKeySigningKeyResponse": { @@ -1639,6 +1607,9 @@ "smithy.api#required": {} } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.route53#AlarmIdentifier": { @@ -1747,6 +1718,28 @@ ], "traits": { "smithy.api#documentation": "Associates an Amazon VPC with a private hosted zone.
\nTo perform the association, the VPC and the private hosted zone must already\n\t\t\t\texist. You can't convert a public hosted zone into a private hosted zone.
\nIf you want to associate a VPC that was created by using one Amazon Web Services account with a private hosted zone that was created by using a\n\t\t\t\tdifferent account, the Amazon Web Services account that created the private hosted\n\t\t\t\tzone must first submit a CreateVPCAssociationAuthorization
request.\n\t\t\t\tThen the account that created the VPC must submit an\n\t\t\t\t\tAssociateVPCWithHostedZone
request.
When granting access, the hosted zone and the Amazon VPC must belong to\n\t\t\t\tthe same partition. A partition is a group of Amazon Web Services Regions. Each\n\t\t\t\t\tAmazon Web Services account is scoped to one partition.
\nThe following are the supported partitions:
\n\n aws
- Amazon Web Services Regions
\n aws-cn
- China Regions
\n aws-us-gov
- Amazon Web Services GovCloud (US) Region
For more information, see Access Management\n\t\t\t\tin the Amazon Web Services General Reference.
\nA complex type that contains information about the request to associate a VPC with a\n\t\t\tprivate hosted zone.
" + "smithy.api#documentation": "A complex type that contains information about the request to associate a VPC with a\n\t\t\tprivate hosted zone.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#AssociateVPCWithHostedZoneResponse": { @@ -1795,7 +1789,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response information for the\n\t\t\t\tAssociateVPCWithHostedZone
request.
A complex type that contains the response information for the\n\t\t\t\tAssociateVPCWithHostedZone
request.
Creates, changes, or deletes a resource record set, which contains authoritative DNS\n\t\t\tinformation for a specified domain name or subdomain name. For example, you can use\n\t\t\t\tChangeResourceRecordSets
to create a resource record set that routes\n\t\t\ttraffic for test.example.com to a web server that has an IP address of\n\t\t\t192.0.2.44.
\n Deleting Resource Record Sets\n
\nTo delete a resource record set, you must specify all the same values that you\n\t\t\tspecified when you created it.
\n\n Change Batches and Transactional Changes\n
\nThe request body must include a document with a\n\t\t\t\tChangeResourceRecordSetsRequest
element. The request body contains a\n\t\t\tlist of change items, known as a change batch. Change batches are considered\n\t\t\ttransactional changes. Route 53 validates the changes in the request and then either\n\t\t\tmakes all or none of the changes in the change batch request. This ensures that DNS\n\t\t\trouting isn't adversely affected by partial changes to the resource record sets in a\n\t\t\thosted zone.
For example, suppose a change batch request contains two changes: it deletes the\n\t\t\t\tCNAME
resource record set for www.example.com and creates an alias\n\t\t\tresource record set for www.example.com. If validation for both records succeeds, Route\n\t\t\t53 deletes the first resource record set and creates the second resource record set in a\n\t\t\tsingle operation. If validation for either the DELETE
or the\n\t\t\t\tCREATE
action fails, then the request is canceled, and the original\n\t\t\t\tCNAME
record continues to exist.
If you try to delete the same resource record set more than once in a single\n\t\t\t\tchange batch, Route 53 returns an InvalidChangeBatch
error.
\n Traffic Flow\n
\nTo create resource record sets for complex routing configurations, use either the\n\t\t\ttraffic flow visual editor in the Route 53 console or the API actions for traffic\n\t\t\tpolicies and traffic policy instances. Save the configuration as a traffic policy, then\n\t\t\tassociate the traffic policy with one or more domain names (such as example.com) or\n\t\t\tsubdomain names (such as www.example.com), in the same hosted zone or in multiple hosted\n\t\t\tzones. You can roll back the updates if the new configuration isn't performing as\n\t\t\texpected. For more information, see Using Traffic Flow to Route\n\t\t\t\tDNS Traffic in the Amazon Route 53 Developer\n\t\t\tGuide.
\n\n Create, Delete, and Upsert\n
\nUse ChangeResourceRecordsSetsRequest
to perform the following\n\t\t\tactions:
\n CREATE
: Creates a resource record set that has the specified\n\t\t\t\t\tvalues.
\n DELETE
: Deletes an existing resource record set that has the\n\t\t\t\t\tspecified values.
\n UPSERT
: If a resource set exists Route 53 updates it with the\n\t\t\t\t\tvalues in the request.
\n Syntaxes for Creating, Updating, and Deleting Resource Record\n\t\t\t\tSets\n
\nThe syntax for a request depends on the type of resource record set that you want to\n\t\t\tcreate, delete, or update, such as weighted, alias, or failover. The XML elements in\n\t\t\tyour request must appear in the order listed in the syntax.
\nFor an example for each type of resource record set, see \"Examples.\"
\nDon't refer to the syntax in the \"Parameter Syntax\" section, which includes\n\t\t\tall of the elements for every kind of resource record set that you can create, delete,\n\t\t\tor update by using ChangeResourceRecordSets
.
\n Change Propagation to Route 53 DNS Servers\n
\nWhen you submit a ChangeResourceRecordSets
request, Route 53 propagates\n\t\t\tyour changes to all of the Route 53 authoritative DNS servers. While your changes are\n\t\t\tpropagating, GetChange
returns a status of PENDING
. When\n\t\t\tpropagation is complete, GetChange
returns a status of INSYNC
.\n\t\t\tChanges generally propagate to all Route 53 name servers within 60 seconds. For more\n\t\t\tinformation, see GetChange.
\n Limits on ChangeResourceRecordSets Requests\n
\nFor information about the limits on a ChangeResourceRecordSets
request,\n\t\t\tsee Limits in the Amazon Route 53 Developer Guide.
Creates, changes, or deletes a resource record set, which contains authoritative DNS\n\t\t\tinformation for a specified domain name or subdomain name. For example, you can use\n\t\t\t\tChangeResourceRecordSets
to create a resource record set that routes\n\t\t\ttraffic for test.example.com to a web server that has an IP address of\n\t\t\t192.0.2.44.
\n Deleting Resource Record Sets\n
\nTo delete a resource record set, you must specify all the same values that you\n\t\t\tspecified when you created it.
\n\n Change Batches and Transactional Changes\n
\nThe request body must include a document with a\n\t\t\t\tChangeResourceRecordSetsRequest
element. The request body contains a\n\t\t\tlist of change items, known as a change batch. Change batches are considered\n\t\t\ttransactional changes. Route 53 validates the changes in the request and then either\n\t\t\tmakes all or none of the changes in the change batch request. This ensures that DNS\n\t\t\trouting isn't adversely affected by partial changes to the resource record sets in a\n\t\t\thosted zone.
For example, suppose a change batch request contains two changes: it deletes the\n\t\t\t\tCNAME
resource record set for www.example.com and creates an alias\n\t\t\tresource record set for www.example.com. If validation for both records succeeds, Route\n\t\t\t53 deletes the first resource record set and creates the second resource record set in a\n\t\t\tsingle operation. If validation for either the DELETE
or the\n\t\t\t\tCREATE
action fails, then the request is canceled, and the original\n\t\t\t\tCNAME
record continues to exist.
If you try to delete the same resource record set more than once in a single\n\t\t\t\tchange batch, Route 53 returns an InvalidChangeBatch
error.
\n Traffic Flow\n
\nTo create resource record sets for complex routing configurations, use either the\n\t\t\ttraffic flow visual editor in the Route 53 console or the API actions for traffic\n\t\t\tpolicies and traffic policy instances. Save the configuration as a traffic policy, then\n\t\t\tassociate the traffic policy with one or more domain names (such as example.com) or\n\t\t\tsubdomain names (such as www.example.com), in the same hosted zone or in multiple hosted\n\t\t\tzones. You can roll back the updates if the new configuration isn't performing as\n\t\t\texpected. For more information, see Using Traffic Flow to Route\n\t\t\t\tDNS Traffic in the Amazon Route 53 Developer\n\t\t\tGuide.
\n\n Create, Delete, and Upsert\n
\nUse ChangeResourceRecordsSetsRequest
to perform the following\n\t\t\tactions:
\n CREATE
: Creates a resource record set that has the specified\n\t\t\t\t\tvalues.
\n DELETE
: Deletes an existing resource record set that has the\n\t\t\t\t\tspecified values.
\n UPSERT
: If a resource set exists Route 53 updates it with the\n\t\t\t\t\tvalues in the request.
\n Syntaxes for Creating, Updating, and Deleting Resource Record\n\t\t\t\tSets\n
\nThe syntax for a request depends on the type of resource record set that you want to\n\t\t\tcreate, delete, or update, such as weighted, alias, or failover. The XML elements in\n\t\t\tyour request must appear in the order listed in the syntax.
\nFor an example for each type of resource record set, see \"Examples.\"
\nDon't refer to the syntax in the \"Parameter Syntax\" section, which includes\n\t\t\tall of the elements for every kind of resource record set that you can create, delete,\n\t\t\tor update by using ChangeResourceRecordSets
.
\n Change Propagation to Route 53 DNS Servers\n
\nWhen you submit a ChangeResourceRecordSets
request, Route 53 propagates your\n\t\t\tchanges to all of the Route 53 authoritative DNS servers managing the hosted zone. While\n\t\t\tyour changes are propagating, GetChange
returns a status of\n\t\t\t\tPENDING
. When propagation is complete, GetChange
returns a\n\t\t\tstatus of INSYNC
. Changes generally propagate to all Route 53 name servers\n\t\t\tmanaging the hosted zone within 60 seconds. For more information, see GetChange.
\n Limits on ChangeResourceRecordSets Requests\n
\nFor information about the limits on a ChangeResourceRecordSets
request,\n\t\t\tsee Limits in the Amazon Route 53 Developer Guide.
A complex type that contains change information for the resource record set.
" + "smithy.api#documentation": "A complex type that contains change information for the resource record set.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#ChangeResourceRecordSetsResponse": { @@ -2052,7 +2089,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type containing the response for the request.
" + "smithy.api#documentation": "A complex type containing the response for the request.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#ChangeStatus": { @@ -2099,6 +2137,30 @@ ], "traits": { "smithy.api#documentation": "Adds, edits, or deletes tags for a health check or a hosted zone.
\nFor information about using tags for cost allocation, see Using Cost Allocation\n\t\t\t\tTags in the Billing and Cost Management User Guide.
", + "smithy.api#examples": [ + { + "title": "To add or remove tags from a hosted zone or health check", + "documentation": "The following example adds two tags and removes one tag from the hosted zone with ID Z3M3LMPEXAMPLE.", + "input": { + "ResourceType": "hostedzone", + "ResourceId": "Z3M3LMPEXAMPLE", + "AddTags": [ + { + "Key": "apex", + "Value": "3874" + }, + { + "Key": "acme", + "Value": "4938" + } + ], + "RemoveTagKeys": [ + "Nadir" + ] + }, + "output": {} + } + ], "smithy.api#http": { "method": "POST", "uri": "/2013-04-01/tags/{ResourceType}/{ResourceId}", @@ -2139,14 +2201,16 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains information about the tags that you want to add, edit, or\n\t\t\tdelete.
" + "smithy.api#documentation": "A complex type that contains information about the tags that you want to add, edit, or\n\t\t\tdelete.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#ChangeTagsForResourceResponse": { "type": "structure", "members": {}, "traits": { - "smithy.api#documentation": "Empty response for the request.
" + "smithy.api#documentation": "Empty response for the request.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#Changes": { @@ -2700,6 +2764,12 @@ "traits": { "smithy.api#enumValue": "ap-southeast-4" } + }, + "il_central_1": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "il-central-1" + } } }, "traits": { @@ -2886,6 +2956,9 @@ "smithy.api#required": {} } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.route53#CreateCidrCollectionResponse": { @@ -2904,6 +2977,9 @@ "smithy.api#httpHeader": "Location" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.route53#CreateHealthCheck": { @@ -2953,7 +3029,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the health check request information.
" + "smithy.api#documentation": "A complex type that contains the health check request information.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#CreateHealthCheckResponse": { @@ -2976,7 +3053,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type containing the response information for the new health check.
" + "smithy.api#documentation": "A complex type containing the response information for the new health check.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#CreateHostedZone": { @@ -3057,12 +3135,13 @@ "DelegationSetId": { "target": "com.amazonaws.route53#ResourceId", "traits": { - "smithy.api#documentation": "If you want to associate a reusable delegation set with this hosted zone, the ID that\n\t\t\t\tAmazon Route 53 assigned to the reusable delegation set when you created it.\n\t\t\tFor more information about reusable delegation sets, see CreateReusableDelegationSet.
" + "smithy.api#documentation": "If you want to associate a reusable delegation set with this hosted zone, the ID that\n\t\t\t\tAmazon Route 53 assigned to the reusable delegation set when you created it.\n\t\t\tFor more information about reusable delegation sets, see CreateReusableDelegationSet.
\nIf you are using a reusable delegation set to create a public hosted zone for a subdomain,\n\t\t\tmake sure that the parent hosted zone doesn't use one or more of the same name servers.\n\t\t\tIf you have overlapping nameservers, the operation will cause a\n\t\t\t\tConflictingDomainsExist
error.
A complex type that contains information about the request to create a public or\n\t\t\tprivate hosted zone.
" + "smithy.api#documentation": "A complex type that contains information about the request to create a public or\n\t\t\tprivate hosted zone.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#CreateHostedZoneResponse": { @@ -3105,7 +3184,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type containing the response information for the hosted zone.
" + "smithy.api#documentation": "A complex type containing the response information for the hosted zone.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#CreateKeySigningKey": { @@ -3195,6 +3275,9 @@ "smithy.api#required": {} } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.route53#CreateKeySigningKeyResponse": { @@ -3221,6 +3304,9 @@ "smithy.api#required": {} } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.route53#CreateQueryLoggingConfig": { @@ -3277,6 +3363,9 @@ "smithy.api#required": {} } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.route53#CreateQueryLoggingConfigResponse": { @@ -3297,6 +3386,9 @@ "smithy.api#required": {} } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.route53#CreateReusableDelegationSet": { @@ -3355,6 +3447,9 @@ "smithy.api#documentation": "If you want to mark the delegation set for an existing hosted zone as reusable, the ID\n\t\t\tfor that hosted zone.
" } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.route53#CreateReusableDelegationSetResponse": { @@ -3375,6 +3470,9 @@ "smithy.api#required": {} } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.route53#CreateTrafficPolicy": { @@ -3482,7 +3580,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains information about the resource record sets that you want\n\t\t\tto create based on a specified traffic policy.
" + "smithy.api#documentation": "A complex type that contains information about the resource record sets that you want\n\t\t\tto create based on a specified traffic policy.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#CreateTrafficPolicyInstanceResponse": { @@ -3505,7 +3604,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response information for the\n\t\t\t\tCreateTrafficPolicyInstance
request.
A complex type that contains the response information for the\n\t\t\t\tCreateTrafficPolicyInstance
request.
A complex type that contains information about the traffic policy that you want to\n\t\t\tcreate.
" + "smithy.api#documentation": "A complex type that contains information about the traffic policy that you want to\n\t\t\tcreate.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#CreateTrafficPolicyResponse": { @@ -3556,7 +3657,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response information for the\n\t\t\t\tCreateTrafficPolicy
request.
A complex type that contains the response information for the\n\t\t\t\tCreateTrafficPolicy
request.
A complex type that contains information about the traffic policy that you want to\n\t\t\tcreate a new version for.
" + "smithy.api#documentation": "A complex type that contains information about the traffic policy that you want to\n\t\t\tcreate a new version for.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#CreateTrafficPolicyVersionResponse": { @@ -3642,7 +3745,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response information for the\n\t\t\t\tCreateTrafficPolicyVersion
request.
A complex type that contains the response information for the\n\t\t\t\tCreateTrafficPolicyVersion
request.
A complex type that contains information about the request to authorize associating a\n\t\t\tVPC with your private hosted zone. Authorization is only required when a private hosted\n\t\t\tzone and a VPC were created by using different accounts.
" + "smithy.api#documentation": "A complex type that contains information about the request to authorize associating a\n\t\t\tVPC with your private hosted zone. Authorization is only required when a private hosted\n\t\t\tzone and a VPC were created by using different accounts.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#CreateVPCAssociationAuthorizationResponse": { @@ -3721,7 +3826,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response information from a\n\t\t\t\tCreateVPCAssociationAuthorization
request.
A complex type that contains the response information from a\n\t\t\t\tCreateVPCAssociationAuthorization
request.
This action deletes a health check.
" + "smithy.api#documentation": "This action deletes a health check.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#DeleteHealthCheckResponse": { "type": "structure", "members": {}, "traits": { - "smithy.api#documentation": "An empty element.
" + "smithy.api#documentation": "An empty element.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#DeleteHostedZone": { @@ -4112,7 +4232,8 @@ } }, "traits": { - "smithy.api#documentation": "A request to delete a hosted zone.
" + "smithy.api#documentation": "A request to delete a hosted zone.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#DeleteHostedZoneResponse": { @@ -4127,7 +4248,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response to a DeleteHostedZone
\n\t\t\trequest.
A complex type that contains the response to a DeleteHostedZone
\n\t\t\trequest.
A request to delete a reusable delegation set.
" + "smithy.api#documentation": "A request to delete a reusable delegation set.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#DeleteReusableDelegationSetResponse": { "type": "structure", "members": {}, "traits": { - "smithy.api#documentation": "An empty element.
" + "smithy.api#documentation": "An empty element.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#DeleteTrafficPolicy": { @@ -4370,14 +4506,16 @@ } }, "traits": { - "smithy.api#documentation": "A request to delete a specified traffic policy instance.
" + "smithy.api#documentation": "A request to delete a specified traffic policy instance.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#DeleteTrafficPolicyInstanceResponse": { "type": "structure", "members": {}, "traits": { - "smithy.api#documentation": "An empty element.
" + "smithy.api#documentation": "An empty element.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#DeleteTrafficPolicyRequest": { @@ -4401,14 +4539,16 @@ } }, "traits": { - "smithy.api#documentation": "A request to delete a specified traffic policy version.
" + "smithy.api#documentation": "A request to delete a specified traffic policy version.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#DeleteTrafficPolicyResponse": { "type": "structure", "members": {}, "traits": { - "smithy.api#documentation": "An empty element.
" + "smithy.api#documentation": "An empty element.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#DeleteVPCAssociationAuthorization": { @@ -4465,14 +4605,16 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains information about the request to remove authorization to\n\t\t\tassociate a VPC that was created by one Amazon Web Services account with a hosted zone\n\t\t\tthat was created with a different Amazon Web Services account.
" + "smithy.api#documentation": "A complex type that contains information about the request to remove authorization to\n\t\t\tassociate a VPC that was created by one Amazon Web Services account with a hosted zone\n\t\t\tthat was created with a different Amazon Web Services account.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#DeleteVPCAssociationAuthorizationResponse": { "type": "structure", "members": {}, "traits": { - "smithy.api#documentation": "Empty response for the request.
" + "smithy.api#documentation": "Empty response for the request.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#Dimension": { @@ -4575,6 +4717,9 @@ "smithy.api#required": {} } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.route53#DisableHostedZoneDNSSECResponse": { @@ -4586,6 +4731,9 @@ "smithy.api#required": {} } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.route53#Disabled": { @@ -4654,7 +4802,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains information about the VPC that you want to disassociate\n\t\t\tfrom a specified private hosted zone.
" + "smithy.api#documentation": "A complex type that contains information about the VPC that you want to disassociate\n\t\t\tfrom a specified private hosted zone.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#DisassociateVPCFromHostedZoneResponse": { @@ -4669,7 +4818,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response information for the disassociate\n\t\t\trequest.
" + "smithy.api#documentation": "A complex type that contains the response information for the disassociate\n\t\t\trequest.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#EnableHostedZoneDNSSEC": { @@ -4729,6 +4879,9 @@ "smithy.api#required": {} } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.route53#EnableHostedZoneDNSSECResponse": { @@ -4740,6 +4893,9 @@ "smithy.api#required": {} } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.route53#EnableSNI": { @@ -4951,7 +5107,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains information about the request to create a hosted\n\t\t\tzone.
" + "smithy.api#documentation": "A complex type that contains information about the request to create a hosted\n\t\t\tzone.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#GetAccountLimitResponse": { @@ -4974,7 +5131,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the requested limit.
" + "smithy.api#documentation": "A complex type that contains the requested limit.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#GetChange": { @@ -4994,7 +5152,7 @@ } ], "traits": { - "smithy.api#documentation": "Returns the current status of a change batch request. The status is one of the\n\t\t\tfollowing values:
\n\n PENDING
indicates that the changes in this request have not\n\t\t\t\t\tpropagated to all Amazon Route 53 DNS servers. This is the initial status of all\n\t\t\t\t\tchange batch requests.
\n INSYNC
indicates that the changes have propagated to all Route 53\n\t\t\t\t\tDNS servers.
Returns the current status of a change batch request. The status is one of the\n\t\t\tfollowing values:
\n\n PENDING
indicates that the changes in this request have not\n\t\t\t\t\tpropagated to all Amazon Route 53 DNS servers managing the hosted zone. This is the initial status of all\n\t\t\t\t\tchange batch requests.
\n INSYNC
indicates that the changes have propagated to all Route 53\n\t\t\t\t\tDNS servers managing the hosted zone.
The input for a GetChange request.
" + "smithy.api#documentation": "The input for a GetChange request.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#GetChangeResponse": { @@ -5047,7 +5206,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the ChangeInfo
element.
A complex type that contains the ChangeInfo
element.
Empty request.
" + "smithy.api#documentation": "Empty request.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#GetCheckerIpRangesResponse": { @@ -5086,7 +5247,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the CheckerIpRanges
element.
A complex type that contains the CheckerIpRanges
element.
A request for information about whether a specified geographic location is supported\n\t\t\tfor Amazon Route 53 geolocation resource record sets.
" + "smithy.api#documentation": "A request for information about whether a specified geographic location is supported\n\t\t\tfor Amazon Route 53 geolocation resource record sets.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#GetGeoLocationResponse": { @@ -5215,7 +5384,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response information for the specified geolocation\n\t\t\tcode.
" + "smithy.api#documentation": "A complex type that contains the response information for the specified geolocation\n\t\t\tcode.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#GetHealthCheck": { @@ -5267,7 +5437,8 @@ "type": "structure", "members": {}, "traits": { - "smithy.api#documentation": "A request for the number of health checks that are associated with the current Amazon Web Services account.
" + "smithy.api#documentation": "A request for the number of health checks that are associated with the current Amazon Web Services account.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#GetHealthCheckCountResponse": { @@ -5282,7 +5453,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response to a GetHealthCheckCount
\n\t\t\trequest.
A complex type that contains the response to a GetHealthCheckCount
\n\t\t\trequest.
A request for the reason that a health check failed most recently.
" + "smithy.api#documentation": "A request for the reason that a health check failed most recently.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#GetHealthCheckLastFailureReasonResponse": { @@ -5338,7 +5511,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response to a\n\t\t\t\tGetHealthCheckLastFailureReason
request.
A complex type that contains the response to a\n\t\t\t\tGetHealthCheckLastFailureReason
request.
A request to get information about a specified health check.
" + "smithy.api#documentation": "A request to get information about a specified health check.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#GetHealthCheckResponse": { @@ -5369,7 +5544,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response to a GetHealthCheck
\n\t\t\trequest.
A complex type that contains the response to a GetHealthCheck
\n\t\t\trequest.
A request to get the status for a health check.
" + "smithy.api#documentation": "A request to get the status for a health check.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#GetHealthCheckStatusResponse": { @@ -5425,7 +5602,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response to a GetHealthCheck
\n\t\t\trequest.
A complex type that contains the response to a GetHealthCheck
\n\t\t\trequest.
Gets information about a specified hosted zone including the four name servers\n\t\t\tassigned to the hosted zone.
", + "smithy.api#examples": [ + { + "title": "To get information about a hosted zone", + "documentation": "The following example gets information about the Z3M3LMPEXAMPLE hosted zone.", + "input": { + "Id": "Z3M3LMPEXAMPLE" + }, + "output": { + "HostedZone": { + "ResourceRecordSetCount": 8, + "CallerReference": "C741617D-04E4-F8DE-B9D7-0D150FC61C2E", + "Config": { + "PrivateZone": false + }, + "Id": "/hostedzone/Z3M3LMPEXAMPLE", + "Name": "myawsbucket.com." + }, + "DelegationSet": { + "NameServers": [ + "ns-2048.awsdns-64.com", + "ns-2049.awsdns-65.net", + "ns-2050.awsdns-66.org", + "ns-2051.awsdns-67.co.uk" + ] + } + } + } + ], "smithy.api#http": { "method": "GET", "uri": "/2013-04-01/hostedzone/{Id}", @@ -5479,7 +5685,8 @@ "type": "structure", "members": {}, "traits": { - "smithy.api#documentation": "A request to retrieve a count of all the hosted zones that are associated with the\n\t\t\tcurrent Amazon Web Services account.
" + "smithy.api#documentation": "A request to retrieve a count of all the hosted zones that are associated with the\n\t\t\tcurrent Amazon Web Services account.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#GetHostedZoneCountResponse": { @@ -5494,7 +5701,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response to a GetHostedZoneCount
\n\t\t\trequest.
A complex type that contains the response to a GetHostedZoneCount
\n\t\t\trequest.
A complex type that contains information about the request to create a hosted\n\t\t\tzone.
" + "smithy.api#documentation": "A complex type that contains information about the request to create a hosted\n\t\t\tzone.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#GetHostedZoneLimitResponse": { @@ -5569,7 +5778,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the requested limit.
" + "smithy.api#documentation": "A complex type that contains the requested limit.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#GetHostedZoneRequest": { @@ -5585,7 +5795,8 @@ } }, "traits": { - "smithy.api#documentation": "A request to get information about a specified hosted zone.
" + "smithy.api#documentation": "A request to get information about a specified hosted zone.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#GetHostedZoneResponse": { @@ -5612,7 +5823,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contain the response to a GetHostedZone
\n\t\t\trequest.
A complex type that contain the response to a GetHostedZone
\n\t\t\trequest.
A complex type that contains information about the request to create a hosted\n\t\t\tzone.
" + "smithy.api#documentation": "A complex type that contains information about the request to create a hosted\n\t\t\tzone.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#GetReusableDelegationSetLimitResponse": { @@ -5762,7 +5981,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the requested limit.
" + "smithy.api#documentation": "A complex type that contains the requested limit.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#GetReusableDelegationSetRequest": { @@ -5778,7 +5998,8 @@ } }, "traits": { - "smithy.api#documentation": "A request to get information about a specified reusable delegation set.
" + "smithy.api#documentation": "A request to get information about a specified reusable delegation set.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#GetReusableDelegationSetResponse": { @@ -5793,7 +6014,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response to the GetReusableDelegationSet
\n\t\t\trequest.
A complex type that contains the response to the GetReusableDelegationSet
\n\t\t\trequest.
Request to get the number of traffic policy instances that are associated with the\n\t\t\tcurrent Amazon Web Services account.
" + "smithy.api#documentation": "Request to get the number of traffic policy instances that are associated with the\n\t\t\tcurrent Amazon Web Services account.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#GetTrafficPolicyInstanceCountResponse": { @@ -5882,7 +6105,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains information about the resource record sets that Amazon\n\t\t\tRoute 53 created based on a specified traffic policy.
" + "smithy.api#documentation": "A complex type that contains information about the resource record sets that Amazon\n\t\t\tRoute 53 created based on a specified traffic policy.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#GetTrafficPolicyInstanceRequest": { @@ -5898,7 +6122,8 @@ } }, "traits": { - "smithy.api#documentation": "Gets information about a specified traffic policy instance.
" + "smithy.api#documentation": "Gets information about a specified traffic policy instance.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#GetTrafficPolicyInstanceResponse": { @@ -5913,7 +6138,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains information about the resource record sets that Amazon\n\t\t\tRoute 53 created based on a specified traffic policy.
" + "smithy.api#documentation": "A complex type that contains information about the resource record sets that Amazon\n\t\t\tRoute 53 created based on a specified traffic policy.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#GetTrafficPolicyRequest": { @@ -5937,7 +6163,8 @@ } }, "traits": { - "smithy.api#documentation": "Gets information about a specific traffic policy version.
" + "smithy.api#documentation": "Gets information about a specific traffic policy version.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#GetTrafficPolicyResponse": { @@ -5952,7 +6179,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response information for the request.
" + "smithy.api#documentation": "A complex type that contains the response information for the request.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#HealthCheck": { @@ -7160,6 +7388,9 @@ "smithy.api#httpQuery": "maxresults" } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.route53#ListCidrBlocksResponse": { @@ -7177,6 +7408,9 @@ "smithy.api#documentation": "A complex type that contains information about the CIDR blocks.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.route53#ListCidrCollections": { @@ -7224,6 +7458,9 @@ "smithy.api#httpQuery": "maxresults" } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.route53#ListCidrCollectionsResponse": { @@ -7241,6 +7478,9 @@ "smithy.api#documentation": "A complex type with information about the CIDR collection.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.route53#ListCidrLocations": { @@ -7299,6 +7539,9 @@ "smithy.api#httpQuery": "maxresults" } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.route53#ListCidrLocationsResponse": { @@ -7316,6 +7559,9 @@ "smithy.api#documentation": "A complex type that contains information about the list of CIDR locations.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.route53#ListGeoLocations": { @@ -7373,7 +7619,8 @@ } }, "traits": { - "smithy.api#documentation": "A request to get a list of geographic locations that Amazon Route 53 supports for\n\t\t\tgeolocation resource record sets.
" + "smithy.api#documentation": "A request to get a list of geographic locations that Amazon Route 53 supports for\n\t\t\tgeolocation resource record sets.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#ListGeoLocationsResponse": { @@ -7421,7 +7668,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type containing the response information for the request.
" + "smithy.api#documentation": "A complex type containing the response information for the request.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#ListHealthChecks": { @@ -7474,7 +7722,8 @@ } }, "traits": { - "smithy.api#documentation": "A request to retrieve a list of the health checks that are associated with the current\n\t\t\t\tAmazon Web Services account.
" + "smithy.api#documentation": "A request to retrieve a list of the health checks that are associated with the current\n\t\t\t\tAmazon Web Services account.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#ListHealthChecksResponse": { @@ -7517,7 +7766,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response to a ListHealthChecks
\n\t\t\trequest.
A complex type that contains the response to a ListHealthChecks
\n\t\t\trequest.
Retrieves a list of the public and private hosted zones that are associated with the\n\t\t\tcurrent Amazon Web Services account in ASCII order by domain name.
" + "smithy.api#documentation": "Retrieves a list of the public and private hosted zones that are associated with the\n\t\t\tcurrent Amazon Web Services account in ASCII order by domain name.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#ListHostedZonesByNameResponse": { @@ -7659,7 +7910,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response information for the request.
" + "smithy.api#documentation": "A complex type that contains the response information for the request.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#ListHostedZonesByVPC": { @@ -7722,7 +7974,8 @@ } }, "traits": { - "smithy.api#documentation": "Lists all the private hosted zones that a specified VPC is associated with, regardless\n\t\t\tof which Amazon Web Services account created the hosted zones.
" + "smithy.api#documentation": "Lists all the private hosted zones that a specified VPC is associated with, regardless\n\t\t\tof which Amazon Web Services account created the hosted zones.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#ListHostedZonesByVPCResponse": { @@ -7748,6 +8001,9 @@ "smithy.api#documentation": "The value that you will use for NextToken
in the next\n\t\t\t\tListHostedZonesByVPC
request.
A request to retrieve a list of the public and private hosted zones that are\n\t\t\tassociated with the current Amazon Web Services account.
" + "smithy.api#documentation": "A request to retrieve a list of the public and private hosted zones that are\n\t\t\tassociated with the current Amazon Web Services account.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#ListHostedZonesResponse": { @@ -7817,6 +8074,9 @@ "smithy.api#required": {} } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.route53#ListQueryLoggingConfigs": { @@ -7877,6 +8137,9 @@ "smithy.api#httpQuery": "maxresults" } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.route53#ListQueryLoggingConfigsResponse": { @@ -7895,6 +8158,9 @@ "smithy.api#documentation": "If a response includes the last of the query logging configurations that are\n\t\t\tassociated with the current Amazon Web Services account, NextToken
doesn't\n\t\t\tappear in the response.
If a response doesn't include the last of the configurations, you can get more\n\t\t\tconfigurations by submitting another ListQueryLoggingConfigs request. Get the value of NextToken
\n\t\t\tthat Amazon Route 53 returned in the previous response and include it in\n\t\t\t\tNextToken
in the next request.
A request for the resource record sets that are associated with a specified hosted\n\t\t\tzone.
" + "smithy.api#documentation": "A request for the resource record sets that are associated with a specified hosted\n\t\t\tzone.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#ListResourceRecordSetsResponse": { @@ -8011,7 +8278,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains list information for the resource record set.
" + "smithy.api#documentation": "A complex type that contains list information for the resource record set.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#ListReusableDelegationSets": { @@ -8055,7 +8323,8 @@ } }, "traits": { - "smithy.api#documentation": "A request to get a list of the reusable delegation sets that are associated with the\n\t\t\tcurrent Amazon Web Services account.
" + "smithy.api#documentation": "A request to get a list of the reusable delegation sets that are associated with the\n\t\t\tcurrent Amazon Web Services account.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#ListReusableDelegationSetsResponse": { @@ -8098,7 +8367,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains information about the reusable delegation sets that are\n\t\t\tassociated with the current Amazon Web Services account.
" + "smithy.api#documentation": "A complex type that contains information about the reusable delegation sets that are\n\t\t\tassociated with the current Amazon Web Services account.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#ListTagsForResource": { @@ -8156,7 +8426,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type containing information about a request for a list of the tags that are\n\t\t\tassociated with an individual resource.
" + "smithy.api#documentation": "A complex type containing information about a request for a list of the tags that are\n\t\t\tassociated with an individual resource.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#ListTagsForResourceResponse": { @@ -8171,7 +8442,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains information about the health checks or hosted zones for\n\t\t\twhich you want to list tags.
" + "smithy.api#documentation": "A complex type that contains information about the health checks or hosted zones for\n\t\t\twhich you want to list tags.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#ListTagsForResources": { @@ -8228,7 +8500,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains information about the health checks or hosted zones for\n\t\t\twhich you want to list tags.
" + "smithy.api#documentation": "A complex type that contains information about the health checks or hosted zones for\n\t\t\twhich you want to list tags.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#ListTagsForResourcesResponse": { @@ -8243,7 +8516,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type containing tags for the specified resources.
" + "smithy.api#documentation": "A complex type containing tags for the specified resources.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#ListTrafficPolicies": { @@ -8287,7 +8561,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the information about the request to list the traffic\n\t\t\tpolicies that are associated with the current Amazon Web Services account.
" + "smithy.api#documentation": "A complex type that contains the information about the request to list the traffic\n\t\t\tpolicies that are associated with the current Amazon Web Services account.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#ListTrafficPoliciesResponse": { @@ -8324,7 +8599,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response information for the request.
" + "smithy.api#documentation": "A complex type that contains the response information for the request.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#ListTrafficPolicyInstances": { @@ -8414,7 +8690,8 @@ } }, "traits": { - "smithy.api#documentation": "A request for the traffic policy instances that you created in a specified hosted\n\t\t\tzone.
" + "smithy.api#documentation": "A request for the traffic policy instances that you created in a specified hosted\n\t\t\tzone.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#ListTrafficPolicyInstancesByHostedZoneResponse": { @@ -8456,7 +8733,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response information for the request.
" + "smithy.api#documentation": "A complex type that contains the response information for the request.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#ListTrafficPolicyInstancesByPolicy": { @@ -8536,7 +8814,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the information about the request to list your traffic\n\t\t\tpolicy instances.
" + "smithy.api#documentation": "A complex type that contains the information about the request to list your traffic\n\t\t\tpolicy instances.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#ListTrafficPolicyInstancesByPolicyResponse": { @@ -8584,7 +8863,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response information for the request.
" + "smithy.api#documentation": "A complex type that contains the response information for the request.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#ListTrafficPolicyInstancesRequest": { @@ -8620,7 +8900,8 @@ } }, "traits": { - "smithy.api#documentation": "A request to get information about the traffic policy instances that you created by\n\t\t\tusing the current Amazon Web Services account.
" + "smithy.api#documentation": "A request to get information about the traffic policy instances that you created by\n\t\t\tusing the current Amazon Web Services account.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#ListTrafficPolicyInstancesResponse": { @@ -8668,7 +8949,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response information for the request.
" + "smithy.api#documentation": "A complex type that contains the response information for the request.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#ListTrafficPolicyVersions": { @@ -8723,7 +9005,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the information about the request to list your traffic\n\t\t\tpolicies.
" + "smithy.api#documentation": "A complex type that contains the information about the request to list your traffic\n\t\t\tpolicies.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#ListTrafficPolicyVersionsResponse": { @@ -8760,7 +9043,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response information for the request.
" + "smithy.api#documentation": "A complex type that contains the response information for the request.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#ListVPCAssociationAuthorizations": { @@ -8818,7 +9102,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains information about that can be associated with your hosted\n\t\t\tzone.
" + "smithy.api#documentation": "A complex type that contains information about that can be associated with your hosted\n\t\t\tzone.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#ListVPCAssociationAuthorizationsResponse": { @@ -8846,7 +9131,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response information for the request.
" + "smithy.api#documentation": "A complex type that contains the response information for the request.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#LocationSummaries": { @@ -9744,6 +10030,12 @@ "traits": { "smithy.api#enumValue": "ap-southeast-4" } + }, + "il_central_1": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "il-central-1" + } } }, "traits": { @@ -10147,7 +10439,7 @@ } ], "traits": { - "smithy.api#documentation": "Gets the value that Amazon Route 53 returns in response to a DNS request for a\n\t\t\tspecified record name and type. You can optionally specify the IP address of a DNS\n\t\t\tresolver, an EDNS0 client subnet IP address, and a subnet mask.
\nThis call only supports querying public hosted zones.
", + "smithy.api#documentation": "Gets the value that Amazon Route 53 returns in response to a DNS request for a\n\t\t\tspecified record name and type. You can optionally specify the IP address of a DNS\n\t\t\tresolver, an EDNS0 client subnet IP address, and a subnet mask.
\nThis call only supports querying public hosted zones.
\nThe TestDnsAnswer
returns information similar to what you would expect from the answer\n\t\t\tsection of the dig
command. Therefore, if you query for the name\n\t\t\tservers of a subdomain that point to the parent name servers, those will not be\n\t\t\treturned.
Gets the value that Amazon Route 53 returns in response to a DNS request for a\n\t\t\tspecified record name and type. You can optionally specify the IP address of a DNS\n\t\t\tresolver, an EDNS0 client subnet IP address, and a subnet mask.
" + "smithy.api#documentation": "Gets the value that Amazon Route 53 returns in response to a DNS request for a\n\t\t\tspecified record name and type. You can optionally specify the IP address of a DNS\n\t\t\tresolver, an EDNS0 client subnet IP address, and a subnet mask.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#TestDNSAnswerResponse": { @@ -10255,7 +10548,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response to a TestDNSAnswer
request.\n\t\t
A complex type that contains the response to a TestDNSAnswer
request.\n\t\t
A complex type that contains information about a request to update a health\n\t\t\tcheck.
" + "smithy.api#documentation": "A complex type that contains information about a request to update a health\n\t\t\tcheck.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#UpdateHealthCheckResponse": { @@ -10849,7 +11144,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response to the UpdateHealthCheck
\n\t\t\trequest.
A complex type that contains the response to the UpdateHealthCheck
\n\t\t\trequest.
A request to update the comment for a hosted zone.
" + "smithy.api#documentation": "A request to update the comment for a hosted zone.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#UpdateHostedZoneCommentResponse": { @@ -10914,7 +11211,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response to the UpdateHostedZoneComment
\n\t\t\trequest.
A complex type that contains the response to the UpdateHostedZoneComment
\n\t\t\trequest.
A complex type that contains information about the traffic policy that you want to\n\t\t\tupdate the comment for.
" + "smithy.api#documentation": "A complex type that contains information about the traffic policy that you want to\n\t\t\tupdate the comment for.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#UpdateTrafficPolicyCommentResponse": { @@ -10988,7 +11287,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response information for the traffic policy.
" + "smithy.api#documentation": "A complex type that contains the response information for the traffic policy.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#UpdateTrafficPolicyInstance": { @@ -11059,7 +11359,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains information about the resource record sets that you want\n\t\t\tto update based on a specified traffic policy instance.
" + "smithy.api#documentation": "A complex type that contains information about the resource record sets that you want\n\t\t\tto update based on a specified traffic policy instance.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#UpdateTrafficPolicyInstanceResponse": { @@ -11074,7 +11375,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains information about the resource record sets that Amazon\n\t\t\tRoute 53 created based on a specified traffic policy.
" + "smithy.api#documentation": "A complex type that contains information about the resource record sets that Amazon\n\t\t\tRoute 53 created based on a specified traffic policy.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#UsageCount": { @@ -11345,6 +11647,12 @@ "traits": { "smithy.api#enumValue": "ap-southeast-4" } + }, + "il_central_1": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "il-central-1" + } } }, "traits": { diff --git a/aws/sdk/aws-models/s3.json b/aws/sdk/aws-models/s3.json index f0227a4af82df327387802e426feab8a8700eb78..d63436f320d4a33aa59510367d201b1bd89c4bb8 100644 --- a/aws/sdk/aws-models/s3.json +++ b/aws/sdk/aws-models/s3.json @@ -44,7 +44,7 @@ } }, "traits": { - "smithy.api#documentation": "Specifies the days since the initiation of an incomplete multipart upload that Amazon S3 will\n wait before permanently removing all parts of the upload. For more information, see \n Aborting Incomplete Multipart Uploads Using a Bucket Lifecycle Configuration in the\n Amazon S3 User Guide.
" + "smithy.api#documentation": "Specifies the days since the initiation of an incomplete multipart upload that Amazon S3 will\n wait before permanently removing all parts of the upload. For more information, see \n Aborting Incomplete Multipart Uploads Using a Bucket Lifecycle Configuration in\n the Amazon S3 User Guide.
" } }, "com.amazonaws.s3#AbortMultipartUpload": { @@ -101,7 +101,7 @@ "Bucket": { "target": "com.amazonaws.s3#BucketName", "traits": { - "smithy.api#documentation": "The bucket name to which the upload was taking place.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The bucket name to which the upload was taking place.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
Completes a multipart upload by assembling previously uploaded parts.
\nYou first initiate the multipart upload and then upload all parts using the UploadPart\n operation. After successfully uploading all relevant parts of an upload, you call this\n action to complete the upload. Upon receiving this request, Amazon S3 concatenates all the\n parts in ascending order by part number to create a new object. In the Complete Multipart\n Upload request, you must provide the parts list. You must ensure that the parts list is\n complete. This action concatenates the parts that you provide in the list. For each part in\n the list, you must provide the part number and the ETag
value, returned after\n that part was uploaded.
Processing of a Complete Multipart Upload request could take several minutes to\n complete. After Amazon S3 begins processing the request, it sends an HTTP response header that\n specifies a 200 OK response. While processing is in progress, Amazon S3 periodically sends white\n space characters to keep the connection from timing out. A request could fail after the\n initial 200 OK response has been sent. This means that a 200 OK
response can\n contain either a success or an error. If you call the S3 API directly, make sure to design\n your application to parse the contents of the response and handle it appropriately. If you\n use Amazon Web Services SDKs, SDKs handle this condition. The SDKs detect the embedded error and apply\n error handling per your configuration settings (including automatically retrying the\n request as appropriate). If the condition persists, the SDKs throws an exception (or, for\n the SDKs that don't use exceptions, they return the error).
Note that if CompleteMultipartUpload
fails, applications should be prepared\n to retry the failed requests. For more information, see Amazon S3 Error Best\n Practices.
You cannot use Content-Type: application/x-www-form-urlencoded
with\n Complete Multipart Upload requests. Also, if you do not provide a\n Content-Type
header, CompleteMultipartUpload
returns a 200\n OK response.
For more information about multipart uploads, see Uploading Objects Using Multipart\n Upload.
\nFor information about permissions required to use the multipart upload API, see Multipart Upload\n and Permissions.
\n\n CompleteMultipartUpload
has the following special errors:
Error code: EntityTooSmall
\n
Description: Your proposed upload is smaller than the minimum allowed object\n size. Each part must be at least 5 MB in size, except the last part.
\n400 Bad Request
\nError code: InvalidPart
\n
Description: One or more of the specified parts could not be found. The part\n might not have been uploaded, or the specified entity tag might not have\n matched the part's entity tag.
\n400 Bad Request
\nError code: InvalidPartOrder
\n
Description: The list of parts was not in ascending order. The parts list\n must be specified in order by part number.
\n400 Bad Request
\nError code: NoSuchUpload
\n
Description: The specified multipart upload does not exist. The upload ID\n might be invalid, or the multipart upload might have been aborted or\n completed.
\n404 Not Found
\nThe following operations are related to CompleteMultipartUpload
:
\n UploadPart\n
\n\n AbortMultipartUpload\n
\n\n ListParts\n
\n\n ListMultipartUploads\n
\nCompletes a multipart upload by assembling previously uploaded parts.
\nYou first initiate the multipart upload and then upload all parts using the UploadPart\n operation. After successfully uploading all relevant parts of an upload, you call this\n action to complete the upload. Upon receiving this request, Amazon S3 concatenates all the parts\n in ascending order by part number to create a new object. In the Complete Multipart Upload\n request, you must provide the parts list. You must ensure that the parts list is complete.\n This action concatenates the parts that you provide in the list. For each part in the list,\n you must provide the part number and the ETag
value, returned after that part\n was uploaded.
Processing of a Complete Multipart Upload request could take several minutes to\n complete. After Amazon S3 begins processing the request, it sends an HTTP response header that\n specifies a 200 OK response. While processing is in progress, Amazon S3 periodically sends white\n space characters to keep the connection from timing out. A request could fail after the\n initial 200 OK response has been sent. This means that a 200 OK
response can\n contain either a success or an error. If you call the S3 API directly, make sure to design\n your application to parse the contents of the response and handle it appropriately. If you\n use Amazon Web Services SDKs, SDKs handle this condition. The SDKs detect the embedded error and apply\n error handling per your configuration settings (including automatically retrying the\n request as appropriate). If the condition persists, the SDKs throws an exception (or, for\n the SDKs that don't use exceptions, they return the error).
Note that if CompleteMultipartUpload
fails, applications should be prepared\n to retry the failed requests. For more information, see Amazon S3 Error Best\n Practices.
You cannot use Content-Type: application/x-www-form-urlencoded
with\n Complete Multipart Upload requests. Also, if you do not provide a\n Content-Type
header, CompleteMultipartUpload
returns a 200\n OK response.
For more information about multipart uploads, see Uploading Objects Using Multipart\n Upload.
\nFor information about permissions required to use the multipart upload API, see Multipart Upload\n and Permissions.
\n\n CompleteMultipartUpload
has the following special errors:
Error code: EntityTooSmall
\n
Description: Your proposed upload is smaller than the minimum allowed object\n size. Each part must be at least 5 MB in size, except the last part.
\n400 Bad Request
\nError code: InvalidPart
\n
Description: One or more of the specified parts could not be found. The part\n might not have been uploaded, or the specified entity tag might not have\n matched the part's entity tag.
\n400 Bad Request
\nError code: InvalidPartOrder
\n
Description: The list of parts was not in ascending order. The parts list\n must be specified in order by part number.
\n400 Bad Request
\nError code: NoSuchUpload
\n
Description: The specified multipart upload does not exist. The upload ID\n might be invalid, or the multipart upload might have been aborted or\n completed.
\n404 Not Found
\nThe following operations are related to CompleteMultipartUpload
:
\n UploadPart\n
\n\n AbortMultipartUpload\n
\n\n ListParts\n
\n\n ListMultipartUploads\n
\nThe name of the bucket that contains the newly created object. Does not return the access point\n ARN or access point alias if used.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The name of the bucket that contains the newly created object. Does not return the access point\n ARN or access point alias if used.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
Name of the bucket to which the multipart upload was initiated.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
Name of the bucket to which the multipart upload was initiated.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
Creates a copy of an object that is already stored in Amazon S3.
\nYou can store individual objects of up to 5 TB in Amazon S3. You create a copy of your\n object up to 5 GB in size in a single atomic action using this API. However, to copy an\n object greater than 5 GB, you must use the multipart upload Upload Part - Copy\n (UploadPartCopy) API. For more information, see Copy Object Using the\n REST Multipart Upload API.
\nAll copy requests must be authenticated. Additionally, you must have\n read access to the source object and write\n access to the destination bucket. For more information, see REST Authentication. Both the\n Region that you want to copy the object from and the Region that you want to copy the\n object to must be enabled for your account.
\nA copy request might return an error when Amazon S3 receives the copy request or while Amazon S3\n is copying the files. If the error occurs before the copy action starts, you receive a\n standard Amazon S3 error. If the error occurs during the copy operation, the error response is\n embedded in the 200 OK
response. This means that a 200 OK
\n response can contain either a success or an error. If you call the S3 API directly, make\n sure to design your application to parse the contents of the response and handle it\n appropriately. If you use Amazon Web Services SDKs, SDKs handle this condition. The SDKs detect the\n embedded error and apply error handling per your configuration settings (including\n automatically retrying the request as appropriate). If the condition persists, the SDKs\n throws an exception (or, for the SDKs that don't use exceptions, they return the\n error).
If the copy is successful, you receive a response with information about the copied\n object.
\nIf the request is an HTTP 1.1 request, the response is chunk encoded. If it were not,\n it would not contain the content-length, and you would need to read the entire\n body.
\nThe copy request charge is based on the storage class and Region that you specify for\n the destination object. For pricing information, see Amazon S3 pricing.
\nAmazon S3 transfer acceleration does not support cross-Region copies. If you request a\n cross-Region copy using a transfer acceleration endpoint, you get a 400 Bad\n Request
error. For more information, see Transfer\n Acceleration.
When copying an object, you can preserve all metadata (the default) or specify new metadata.\n However, the access control list (ACL) is not preserved and is set to private for the user making the request. To\n override the default ACL setting, specify a new ACL when generating a copy request. For\n more information, see Using ACLs.
\nTo specify whether you want the object metadata copied from the source object or\n replaced with metadata provided in the request, you can optionally add the\n x-amz-metadata-directive
header. When you grant permissions, you can use\n the s3:x-amz-metadata-directive
condition key to enforce certain metadata\n behavior when objects are uploaded. For more information, see Specifying Conditions in a\n Policy in the Amazon S3 User Guide. For a complete list of\n Amazon S3-specific condition keys, see Actions, Resources, and Condition Keys for\n Amazon S3.
\n x-amz-website-redirect-location
is unique to each object and must be\n specified in the request headers to copy the value.
To only copy an object under certain conditions, such as whether the Etag
\n matches or whether the object was modified before or after a specified date, use the\n following request parameters:
\n x-amz-copy-source-if-match
\n
\n x-amz-copy-source-if-none-match
\n
\n x-amz-copy-source-if-unmodified-since
\n
\n x-amz-copy-source-if-modified-since
\n
If both the x-amz-copy-source-if-match
and\n x-amz-copy-source-if-unmodified-since
headers are present in the request\n and evaluate as follows, Amazon S3 returns 200 OK
and copies the data:
\n x-amz-copy-source-if-match
condition evaluates to true
\n x-amz-copy-source-if-unmodified-since
condition evaluates to\n false
If both the x-amz-copy-source-if-none-match
and\n x-amz-copy-source-if-modified-since
headers are present in the request and\n evaluate as follows, Amazon S3 returns the 412 Precondition Failed
response\n code:
\n x-amz-copy-source-if-none-match
condition evaluates to false
\n x-amz-copy-source-if-modified-since
condition evaluates to\n true
All headers with the x-amz-
prefix, including\n x-amz-copy-source
, must be signed.
Amazon S3 automatically encrypts all new objects that are copied to an S3 bucket. When\n copying an object, if you don't specify encryption information in your copy\n request, the encryption setting of the target object is set to the default\n encryption configuration of the destination bucket. By default, all buckets have a\n base level of encryption configuration that uses server-side encryption with Amazon S3\n managed keys (SSE-S3). If the destination bucket has a default encryption\n configuration that uses server-side encryption with Key Management Service (KMS) keys\n (SSE-KMS), dual-layer server-side encryption with Amazon Web Services KMS keys (DSSE-KMS), or\n server-side encryption with customer-provided encryption keys (SSE-C), Amazon S3 uses\n the corresponding KMS key, or a customer-provided key to encrypt the target\n object copy.
\nWhen you perform a CopyObject
operation, if you want to use a different type\n of encryption setting for the target object, you can use other appropriate\n encryption-related headers to encrypt the target object with a KMS key, an Amazon S3 managed\n key, or a customer-provided key. With server-side encryption, Amazon S3 encrypts your data as it\n writes your data to disks in its data centers and decrypts the data when you access it. If the\n encryption setting in your request is different from the default encryption configuration\n of the destination bucket, the encryption setting in your request takes precedence. If the\n source object for the copy is stored in Amazon S3 using SSE-C, you must provide the necessary\n encryption information in your request so that Amazon S3 can decrypt the object for copying. For\n more information about server-side encryption, see Using Server-Side\n Encryption.
If a target object uses SSE-KMS, you can enable an S3 Bucket Key for the\n object. For more information, see Amazon S3 Bucket Keys in the\n Amazon S3 User Guide.
\nWhen copying an object, you can optionally use headers to grant ACL-based permissions.\n By default, all objects are private. Only the owner has full access control. When adding a\n new object, you can grant permissions to individual Amazon Web Services accounts or to predefined groups\n that are defined by Amazon S3. These permissions are then added to the ACL on the object. For more\n information, see Access Control List (ACL) Overview and Managing ACLs Using the REST\n API.
\nIf the bucket that you're copying objects to uses the bucket owner enforced setting for\n S3 Object Ownership, ACLs are disabled and no longer affect permissions. Buckets that use\n this setting only accept PUT
requests that don't specify an ACL or PUT
requests that\n specify bucket owner full control ACLs, such as the bucket-owner-full-control
\n canned ACL or an equivalent form of this ACL expressed in the XML format.
For more information, see Controlling ownership of\n objects and disabling ACLs in the Amazon S3 User Guide.
\nIf your bucket uses the bucket owner enforced setting for Object Ownership, all\n objects written to the bucket by any account will be owned by the bucket owner.
\nWhen copying an object, if it has a checksum, that checksum will be copied to the new\n object by default. When you copy the object over, you can optionally specify a different\n checksum algorithm to use with the x-amz-checksum-algorithm
header.
You can use the CopyObject
action to change the storage class of an object\n that is already stored in Amazon S3 by using the StorageClass
parameter. For more\n information, see Storage Classes in the\n Amazon S3 User Guide.
If the source object's storage class is GLACIER, you must restore a copy of\n this object before you can use it as a source object for the copy operation. For\n more information, see RestoreObject. For\n more information, see Copying\n Objects.
\nBy default, x-amz-copy-source
header identifies the current version of an object\n to copy. If the current version is a delete marker, Amazon S3 behaves as if the object was\n deleted. To copy a different version, use the versionId
subresource.
If you enable versioning on the target bucket, Amazon S3 generates a unique version ID for\n the object being copied. This version ID is different from the version ID of the source\n object. Amazon S3 returns the version ID of the copied object in the\n x-amz-version-id
response header in the response.
If you do not enable versioning or suspend it on the target bucket, the version ID that\n Amazon S3 generates is always null.
\nThe following operations are related to CopyObject
:
Creates a copy of an object that is already stored in Amazon S3.
\nYou can store individual objects of up to 5 TB in Amazon S3. You create a copy of your\n object up to 5 GB in size in a single atomic action using this API. However, to copy an\n object greater than 5 GB, you must use the multipart upload Upload Part - Copy\n (UploadPartCopy) API. For more information, see Copy Object Using the\n REST Multipart Upload API.
\nAll copy requests must be authenticated. Additionally, you must have\n read access to the source object and write\n access to the destination bucket. For more information, see REST Authentication. Both the\n Region that you want to copy the object from and the Region that you want to copy the\n object to must be enabled for your account.
\nA copy request might return an error when Amazon S3 receives the copy request or while Amazon S3\n is copying the files. If the error occurs before the copy action starts, you receive a\n standard Amazon S3 error. If the error occurs during the copy operation, the error response is\n embedded in the 200 OK
response. This means that a 200 OK
\n response can contain either a success or an error. If you call the S3 API directly, make\n sure to design your application to parse the contents of the response and handle it\n appropriately. If you use Amazon Web Services SDKs, SDKs handle this condition. The SDKs detect the\n embedded error and apply error handling per your configuration settings (including\n automatically retrying the request as appropriate). If the condition persists, the SDKs\n throws an exception (or, for the SDKs that don't use exceptions, they return the\n error).
If the copy is successful, you receive a response with information about the copied\n object.
\nIf the request is an HTTP 1.1 request, the response is chunk encoded. If it were not,\n it would not contain the content-length, and you would need to read the entire\n body.
\nThe copy request charge is based on the storage class and Region that you specify for\n the destination object. The request can also result in a data retrieval charge for the\n source if the source storage class bills for data retrieval. For pricing information, see\n Amazon S3 pricing.
\nAmazon S3 transfer acceleration does not support cross-Region copies. If you request a\n cross-Region copy using a transfer acceleration endpoint, you get a 400 Bad\n Request
error. For more information, see Transfer\n Acceleration.
When copying an object, you can preserve all metadata (the default) or specify\n new metadata. However, the access control list (ACL) is not preserved and is set\n to private for the user making the request. To override the default ACL setting,\n specify a new ACL when generating a copy request. For more information, see Using\n ACLs.
\nTo specify whether you want the object metadata copied from the source object\n or replaced with metadata provided in the request, you can optionally add the\n x-amz-metadata-directive
header. When you grant permissions, you\n can use the s3:x-amz-metadata-directive
condition key to enforce\n certain metadata behavior when objects are uploaded. For more information, see\n Specifying Conditions in a\n Policy in the Amazon S3 User Guide. For a complete list\n of Amazon S3-specific condition keys, see Actions, Resources, and Condition\n Keys for Amazon S3.
\n x-amz-website-redirect-location
is unique to each object and\n must be specified in the request headers to copy the value.
To only copy an object under certain conditions, such as whether the\n Etag
matches or whether the object was modified before or after a\n specified date, use the following request parameters:
\n x-amz-copy-source-if-match
\n
\n x-amz-copy-source-if-none-match
\n
\n x-amz-copy-source-if-unmodified-since
\n
\n x-amz-copy-source-if-modified-since
\n
If both the x-amz-copy-source-if-match
and\n x-amz-copy-source-if-unmodified-since
headers are present in the\n request and evaluate as follows, Amazon S3 returns 200 OK
and copies the\n data:
\n x-amz-copy-source-if-match
condition evaluates to\n true
\n x-amz-copy-source-if-unmodified-since
condition evaluates to\n false
If both the x-amz-copy-source-if-none-match
and\n x-amz-copy-source-if-modified-since
headers are present in the\n request and evaluate as follows, Amazon S3 returns the 412 Precondition\n Failed
response code:
\n x-amz-copy-source-if-none-match
condition evaluates to\n false
\n x-amz-copy-source-if-modified-since
condition evaluates to\n true
All headers with the x-amz-
prefix, including\n x-amz-copy-source
, must be signed.
Amazon S3 automatically encrypts all new objects that are copied to an S3 bucket.\n When copying an object, if you don't specify encryption information in your copy\n request, the encryption setting of the target object is set to the default\n encryption configuration of the destination bucket. By default, all buckets have a\n base level of encryption configuration that uses server-side encryption with Amazon S3\n managed keys (SSE-S3). If the destination bucket has a default encryption\n configuration that uses server-side encryption with Key Management Service (KMS) keys\n (SSE-KMS), dual-layer server-side encryption with Amazon Web Services KMS keys (DSSE-KMS), or\n server-side encryption with customer-provided encryption keys (SSE-C), Amazon S3 uses\n the corresponding KMS key, or a customer-provided key to encrypt the target\n object copy.
\nWhen you perform a CopyObject
operation, if you want to use a\n different type of encryption setting for the target object, you can use other\n appropriate encryption-related headers to encrypt the target object with a\n KMS key, an Amazon S3 managed key, or a customer-provided key. With server-side\n encryption, Amazon S3 encrypts your data as it writes your data to disks in its data\n centers and decrypts the data when you access it. If the encryption setting in\n your request is different from the default encryption configuration of the\n destination bucket, the encryption setting in your request takes precedence. If\n the source object for the copy is stored in Amazon S3 using SSE-C, you must provide the\n necessary encryption information in your request so that Amazon S3 can decrypt the\n object for copying. For more information about server-side encryption, see Using\n Server-Side Encryption.
If a target object uses SSE-KMS, you can enable an S3 Bucket Key for the\n object. For more information, see Amazon S3 Bucket Keys in the\n Amazon S3 User Guide.
\nWhen copying an object, you can optionally use headers to grant ACL-based\n permissions. By default, all objects are private. Only the owner has full access\n control. When adding a new object, you can grant permissions to individual\n Amazon Web Services accounts or to predefined groups that are defined by Amazon S3. These permissions\n are then added to the ACL on the object. For more information, see Access Control\n List (ACL) Overview and Managing ACLs Using the REST\n API.
\nIf the bucket that you're copying objects to uses the bucket owner enforced\n setting for S3 Object Ownership, ACLs are disabled and no longer affect\n permissions. Buckets that use this setting only accept PUT
requests\n that don't specify an ACL or PUT
requests that specify bucket owner\n full control ACLs, such as the bucket-owner-full-control
canned ACL\n or an equivalent form of this ACL expressed in the XML format.
For more information, see Controlling\n ownership of objects and disabling ACLs in the\n Amazon S3 User Guide.
\nIf your bucket uses the bucket owner enforced setting for Object Ownership,\n all objects written to the bucket by any account will be owned by the bucket\n owner.
\nWhen copying an object, if it has a checksum, that checksum will be copied to\n the new object by default. When you copy the object over, you can optionally\n specify a different checksum algorithm to use with the\n x-amz-checksum-algorithm
header.
You can use the CopyObject
action to change the storage class of\n an object that is already stored in Amazon S3 by using the StorageClass
\n parameter. For more information, see Storage Classes in\n the Amazon S3 User Guide.
If the source object's storage class is GLACIER or\n DEEP_ARCHIVE, or the object's storage class is\n INTELLIGENT_TIERING and it's S3 Intelligent-Tiering access tier is\n Archive Access or Deep Archive Access, you must restore a copy of this object\n before you can use it as a source object for the copy operation. For more\n information, see RestoreObject. For\n more information, see Copying\n Objects.
\nBy default, x-amz-copy-source
header identifies the current\n version of an object to copy. If the current version is a delete marker, Amazon S3\n behaves as if the object was deleted. To copy a different version, use the\n versionId
subresource.
If you enable versioning on the target bucket, Amazon S3 generates a unique version\n ID for the object being copied. This version ID is different from the version ID\n of the source object. Amazon S3 returns the version ID of the copied object in the\n x-amz-version-id
response header in the response.
If you do not enable versioning or suspend it on the target bucket, the version\n ID that Amazon S3 generates is always null.
\nThe following operations are related to CopyObject
:
The name of the destination bucket.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The name of the destination bucket.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
By default, Amazon S3 uses the STANDARD Storage Class to store newly created objects. The\n STANDARD storage class provides high durability and high availability. Depending on\n performance needs, you can specify a different Storage Class. Amazon S3 on Outposts only uses\n the OUTPOSTS Storage Class. For more information, see Storage Classes in the\n Amazon S3 User Guide.
", + "smithy.api#documentation": "If the x-amz-storage-class
header is not used, the copied object will be stored in the\n STANDARD Storage Class by default. The STANDARD storage class provides high durability and\n high availability. Depending on performance needs, you can specify a different Storage\n Class. Amazon S3 on Outposts only uses the OUTPOSTS Storage Class. For more information, see\n Storage\n Classes in the Amazon S3 User Guide.
Specifies the KMS key ID to use for object encryption. All GET and PUT requests for an\n object protected by KMS will fail if they're not made via SSL or using SigV4. For\n information about configuring any of the officially supported Amazon Web Services SDKs and Amazon Web Services CLI, see\n Specifying the\n Signature Version in Request Authentication in the\n Amazon S3 User Guide.
", + "smithy.api#documentation": "Specifies the KMS ID (Key ID, Key ARN, or Key Alias) to use for object encryption. All GET and PUT requests for an\n object protected by KMS will fail if they're not made via SSL or using SigV4. For\n information about configuring any of the officially supported Amazon Web Services SDKs and Amazon Web Services CLI, see\n Specifying the\n Signature Version in Request Authentication in the\n Amazon S3 User Guide.
", "smithy.api#httpHeader": "x-amz-server-side-encryption-aws-kms-key-id" } }, @@ -22375,16 +17282,19 @@ } ], "traits": { - "smithy.api#documentation": "Creates a new S3 bucket. To create a bucket, you must register with Amazon S3 and have a\n valid Amazon Web Services Access Key ID to authenticate requests. Anonymous requests are never allowed to\n create buckets. By creating the bucket, you become the bucket owner.
\nNot every string is an acceptable bucket name. For information about bucket naming\n restrictions, see Bucket naming\n rules.
\nIf you want to create an Amazon S3 on Outposts bucket, see Create Bucket.
\nBy default, the bucket is created in the US East (N. Virginia) Region. You can\n optionally specify a Region in the request body. You might choose a Region to optimize\n latency, minimize costs, or address regulatory requirements. For example, if you reside in\n Europe, you will probably find it advantageous to create buckets in the Europe (Ireland)\n Region. For more information, see Accessing a\n bucket.
\nIf you send your create bucket request to the s3.amazonaws.com
endpoint,\n the request goes to the us-east-1
Region. Accordingly, the signature calculations in\n Signature Version 4 must use us-east-1
as the Region, even if the location constraint in\n the request specifies another Region where the bucket is to be created. If you create a\n bucket in a Region other than US East (N. Virginia), your application must be able to\n handle 307 redirect. For more information, see Virtual hosting of\n buckets.
In addition to s3:CreateBucket
, the following permissions are required when\n your CreateBucket
request includes specific headers:
\n Access control lists (ACLs) - If your CreateBucket
request\n specifies access control list (ACL) permissions and the ACL is public-read, public-read-write,\n authenticated-read, or if you specify access permissions explicitly through any other\n ACL, both s3:CreateBucket
and s3:PutBucketAcl
permissions\n are needed. If the ACL for the CreateBucket
request is private or if the request doesn't\n specify any ACLs, only s3:CreateBucket
permission is needed.
\n Object Lock - If ObjectLockEnabledForBucket
is set to true in your\n CreateBucket
request,\n s3:PutBucketObjectLockConfiguration
and\n s3:PutBucketVersioning
permissions are required.
\n S3 Object Ownership - If your CreateBucket
request includes the x-amz-object-ownership
header, then the\n s3:PutBucketOwnershipControls
permission is required. By default, ObjectOwnership
is set to BucketOWnerEnforced
and ACLs are disabled. We recommend keeping\n ACLs disabled, except in uncommon use cases where you must control access for each object individually. If you want to change the ObjectOwnership
setting, you can use the \n x-amz-object-ownership
header in your CreateBucket
request to set the ObjectOwnership
setting of your choice.\n For more information about S3 Object Ownership, see Controlling object\n ownership in the Amazon S3 User Guide.
\n S3 Block Public Access - If your specific use case requires granting public access to your S3 resources, you can disable Block Public Access. You can create a new bucket with Block Public Access enabled, then separately call the \n DeletePublicAccessBlock
\n API. To use this operation, you must have the\n s3:PutBucketPublicAccessBlock
permission. By default, all Block\n Public Access settings are enabled for new buckets. To avoid inadvertent exposure of\n your resources, we recommend keeping the S3 Block Public Access settings enabled. For more information about S3 Block Public Access, see Blocking public\n access to your Amazon S3 storage in the Amazon S3 User Guide.
If your CreateBucket
request sets BucketOwnerEnforced
for Amazon S3 Object Ownership\n and specifies a bucket ACL that provides access to an external Amazon Web Services account, your request fails with a 400
error and returns the InvalidBucketAcLWithObjectOwnership
error code. For more information,\n see Setting Object\n Ownership on an existing bucket in the Amazon S3 User Guide.
The following operations are related to CreateBucket
:
\n PutObject\n
\n\n DeleteBucket\n
\nCreates a new S3 bucket. To create a bucket, you must register with Amazon S3 and have a\n valid Amazon Web Services Access Key ID to authenticate requests. Anonymous requests are never allowed to\n create buckets. By creating the bucket, you become the bucket owner.
\nNot every string is an acceptable bucket name. For information about bucket naming\n restrictions, see Bucket naming\n rules.
\nIf you want to create an Amazon S3 on Outposts bucket, see Create Bucket.
\nBy default, the bucket is created in the US East (N. Virginia) Region. You can\n optionally specify a Region in the request body. To constrain the bucket creation to a\n specific Region, you can use \n LocationConstraint
\n condition key. You might choose a Region to\n optimize latency, minimize costs, or address regulatory requirements. For example, if you\n reside in Europe, you will probably find it advantageous to create buckets in the Europe\n (Ireland) Region. For more information, see Accessing a\n bucket.
If you send your create bucket request to the s3.amazonaws.com
endpoint,\n the request goes to the us-east-1
Region. Accordingly, the signature\n calculations in Signature Version 4 must use us-east-1
as the Region, even\n if the location constraint in the request specifies another Region where the bucket is\n to be created. If you create a bucket in a Region other than US East (N. Virginia), your\n application must be able to handle 307 redirect. For more information, see Virtual hosting of\n buckets.
In addition to s3:CreateBucket
, the following permissions are\n required when your CreateBucket
request includes specific\n headers:
\n Access control lists (ACLs) - If your\n CreateBucket
request specifies access control list (ACL)\n permissions and the ACL is public-read, public-read-write,\n authenticated-read, or if you specify access permissions explicitly through\n any other ACL, both s3:CreateBucket
and\n s3:PutBucketAcl
permissions are needed. If the ACL for the\n CreateBucket
request is private or if the request doesn't\n specify any ACLs, only s3:CreateBucket
permission is needed.\n
\n Object Lock - If\n ObjectLockEnabledForBucket
is set to true in your\n CreateBucket
request,\n s3:PutBucketObjectLockConfiguration
and\n s3:PutBucketVersioning
permissions are required.
\n S3 Object Ownership - If your\n CreateBucket
request includes the\n x-amz-object-ownership
header, then the\n s3:PutBucketOwnershipControls
permission is required. By\n default, ObjectOwnership
is set to\n BucketOWnerEnforced
and ACLs are disabled. We recommend\n keeping ACLs disabled, except in uncommon use cases where you must control\n access for each object individually. If you want to change the\n ObjectOwnership
setting, you can use the\n x-amz-object-ownership
header in your\n CreateBucket
request to set the ObjectOwnership
\n setting of your choice. For more information about S3 Object Ownership, see\n Controlling\n object ownership in the\n Amazon S3 User Guide.
\n S3 Block Public Access - If your\n specific use case requires granting public access to your S3 resources, you\n can disable Block Public Access. You can create a new bucket with Block\n Public Access enabled, then separately call the \n DeletePublicAccessBlock
\n API. To use this operation, you must have the\n s3:PutBucketPublicAccessBlock
permission. By default, all\n Block Public Access settings are enabled for new buckets. To avoid\n inadvertent exposure of your resources, we recommend keeping the S3 Block\n Public Access settings enabled. For more information about S3 Block Public\n Access, see Blocking\n public access to your Amazon S3 storage in the\n Amazon S3 User Guide.
If your CreateBucket
request sets BucketOwnerEnforced
for\n Amazon S3 Object Ownership and specifies a bucket ACL that provides access to an external\n Amazon Web Services account, your request fails with a 400
error and returns the\n InvalidBucketAcLWithObjectOwnership
error code. For more information,\n see Setting Object\n Ownership on an existing bucket in the Amazon S3 User Guide.\n
The following operations are related to CreateBucket
:
\n PutObject\n
\n\n DeleteBucket\n
\nThis action initiates a multipart upload and returns an upload ID. This upload ID is\n used to associate all of the parts in the specific multipart upload. You specify this\n upload ID in each of your subsequent upload part requests (see UploadPart). You also include this\n upload ID in the final request to either complete or abort the multipart upload\n request.
\nFor more information about multipart uploads, see Multipart Upload Overview.
\nIf you have configured a lifecycle rule to abort incomplete multipart uploads, the\n upload must complete within the number of days specified in the bucket lifecycle\n configuration. Otherwise, the incomplete multipart upload becomes eligible for an abort\n action and Amazon S3 aborts the multipart upload. For more information, see Aborting Incomplete Multipart Uploads Using a Bucket Lifecycle Configuration.
\nFor information about the permissions required to use the multipart upload API, see\n Multipart\n Upload and Permissions.
\nFor request signing, multipart upload is just a series of regular requests. You initiate\n a multipart upload, send one or more requests to upload parts, and then complete the\n multipart upload process. You sign each request individually. There is nothing special\n about signing multipart upload requests. For more information about signing, see Authenticating Requests (Amazon Web Services Signature Version 4).
\nAfter you initiate a multipart upload and upload one or more parts, to stop being\n charged for storing the uploaded parts, you must either complete or abort the multipart\n upload. Amazon S3 frees up the space used to store the parts and stop charging you for\n storing them only after you either complete or abort a multipart upload.
\nServer-side encryption is for data encryption at rest. Amazon S3 encrypts your data as it\n writes it to disks in its data centers and decrypts it when you access it. Amazon S3\n automatically encrypts all new objects that are uploaded to an S3 bucket. When doing a\n multipart upload, if you don't specify encryption information in your request, the\n encryption setting of the uploaded parts is set to the default encryption configuration of\n the destination bucket. By default, all buckets have a base level of encryption\n configuration that uses server-side encryption with Amazon S3 managed keys (SSE-S3). If the\n destination bucket has a default encryption configuration that uses server-side encryption\n with an Key Management Service (KMS) key (SSE-KMS), or a customer-provided encryption key (SSE-C),\n Amazon S3 uses the corresponding KMS key, or a customer-provided key to encrypt the uploaded\n parts. When you perform a CreateMultipartUpload operation, if you want to use a different\n type of encryption setting for the uploaded parts, you can request that Amazon S3 encrypts the\n object with a KMS key, an Amazon S3 managed key, or a customer-provided key. If the encryption\n setting in your request is different from the default encryption configuration of the\n destination bucket, the encryption setting in your request takes precedence. If you choose\n to provide your own encryption key, the request headers you provide in UploadPart\n and UploadPartCopy requests must match the headers you used in the request to\n initiate the upload by using CreateMultipartUpload
. You can request that Amazon S3\n save the uploaded parts encrypted with server-side encryption with an Amazon S3 managed key\n (SSE-S3), an Key Management Service (KMS) key (SSE-KMS), or a customer-provided encryption key\n (SSE-C).
To perform a multipart upload with encryption by using an Amazon Web Services KMS key, the requester\n must have permission to the kms:Decrypt
and kms:GenerateDataKey*
\n actions on the key. These permissions are required because Amazon S3 must decrypt and read data\n from the encrypted file parts before it completes the multipart upload. For more\n information, see Multipart upload API\n and permissions and Protecting data using\n server-side encryption with Amazon Web Services KMS in the\n Amazon S3 User Guide.
If your Identity and Access Management (IAM) user or role is in the same Amazon Web Services account as the KMS key,\n then you must have these permissions on the key policy. If your IAM user or role belongs\n to a different account than the key, then you must have the permissions on both the key\n policy and your IAM user or role.
\nFor more information, see Protecting Data Using Server-Side\n Encryption.
\nWhen copying an object, you can optionally specify the accounts or groups that\n should be granted specific permissions on the new object. There are two ways to\n grant the permissions using the request headers:
\nSpecify a canned ACL with the x-amz-acl
request header. For\n more information, see Canned\n ACL.
Specify access permissions explicitly with the\n x-amz-grant-read
, x-amz-grant-read-acp
,\n x-amz-grant-write-acp
, and\n x-amz-grant-full-control
headers. These parameters map to\n the set of permissions that Amazon S3 supports in an ACL. For more information,\n see Access Control List (ACL) Overview.
You can use either a canned ACL or specify access permissions explicitly. You\n cannot do both.
\nAmazon S3 encrypts data\n by using server-side encryption with an Amazon S3 managed key (SSE-S3) by default. Server-side encryption is for data encryption at rest. Amazon S3 encrypts\n your data as it writes it to disks in its data centers and decrypts it when you\n access it. You can request that Amazon S3 encrypts\n data at rest by using server-side encryption with other key options. The option you use depends on\n whether you want to use KMS keys (SSE-KMS) or provide your own encryption keys\n (SSE-C).
\nUse KMS keys (SSE-KMS) that include the Amazon Web Services managed key\n (aws/s3
) and KMS customer managed keys stored in Key Management Service (KMS) – If you\n want Amazon Web Services to manage the keys used to encrypt data, specify the following\n headers in the request.
\n x-amz-server-side-encryption
\n
\n x-amz-server-side-encryption-aws-kms-key-id
\n
\n x-amz-server-side-encryption-context
\n
If you specify x-amz-server-side-encryption:aws:kms
, but\n don't provide x-amz-server-side-encryption-aws-kms-key-id
,\n Amazon S3 uses the Amazon Web Services managed key (aws/s3
key) in KMS to\n protect the data.
All GET
and PUT
requests for an object protected\n by KMS fail if you don't make them by using Secure Sockets Layer (SSL),\n Transport Layer Security (TLS), or Signature Version 4.
For more information about server-side encryption with KMS keys\n (SSE-KMS), see Protecting Data\n Using Server-Side Encryption with KMS keys.
\nUse customer-provided encryption keys (SSE-C) – If you want to manage\n your own encryption keys, provide all the following headers in the\n request.
\n\n x-amz-server-side-encryption-customer-algorithm
\n
\n x-amz-server-side-encryption-customer-key
\n
\n x-amz-server-side-encryption-customer-key-MD5
\n
For more information about server-side encryption with customer-provided\n encryption keys (SSE-C), see \n Protecting data using server-side encryption with customer-provided\n encryption keys (SSE-C).
\nYou also can use the following access control–related headers with this\n operation. By default, all objects are private. Only the owner has full access\n control. When adding a new object, you can grant permissions to individual\n Amazon Web Services accounts or to predefined groups defined by Amazon S3. These permissions are then\n added to the access control list (ACL) on the object. For more information, see\n Using ACLs. With this operation, you can grant access permissions\n using one of the following two methods:
\nSpecify a canned ACL (x-amz-acl
) — Amazon S3 supports a set of\n predefined ACLs, known as canned ACLs. Each canned ACL\n has a predefined set of grantees and permissions. For more information, see\n Canned\n ACL.
Specify access permissions explicitly — To explicitly grant access\n permissions to specific Amazon Web Services accounts or groups, use the following headers.\n Each header maps to specific permissions that Amazon S3 supports in an ACL. For\n more information, see Access Control List (ACL)\n Overview. In the header, you specify a list of grantees who get\n the specific permission. To grant permissions explicitly, use:
\n\n x-amz-grant-read
\n
\n x-amz-grant-write
\n
\n x-amz-grant-read-acp
\n
\n x-amz-grant-write-acp
\n
\n x-amz-grant-full-control
\n
You specify each grantee as a type=value pair, where the type is one of\n the following:
\n\n id
– if the value specified is the canonical user ID\n of an Amazon Web Services account
\n uri
– if you are granting permissions to a predefined\n group
\n emailAddress
– if the value specified is the email\n address of an Amazon Web Services account
Using email addresses to specify a grantee is only supported in the following Amazon Web Services Regions:
\nUS East (N. Virginia)
\nUS West (N. California)
\nUS West (Oregon)
\nAsia Pacific (Singapore)
\nAsia Pacific (Sydney)
\nAsia Pacific (Tokyo)
\nEurope (Ireland)
\nSouth America (São Paulo)
\nFor a list of all the Amazon S3 supported Regions and endpoints, see Regions and Endpoints in the Amazon Web Services General Reference.
\nFor example, the following x-amz-grant-read
header grants the Amazon Web Services accounts identified by account IDs permissions to read object data and its metadata:
\n x-amz-grant-read: id=\"11112222333\", id=\"444455556666\"
\n
The following operations are related to CreateMultipartUpload
:
\n UploadPart\n
\n\n AbortMultipartUpload\n
\n\n ListParts\n
\n\n ListMultipartUploads\n
\nThis action initiates a multipart upload and returns an upload ID. This upload ID is\n used to associate all of the parts in the specific multipart upload. You specify this\n upload ID in each of your subsequent upload part requests (see UploadPart). You also include this\n upload ID in the final request to either complete or abort the multipart upload\n request.
\nFor more information about multipart uploads, see Multipart Upload Overview.
\nIf you have configured a lifecycle rule to abort incomplete multipart uploads, the\n upload must complete within the number of days specified in the bucket lifecycle\n configuration. Otherwise, the incomplete multipart upload becomes eligible for an abort\n action and Amazon S3 aborts the multipart upload. For more information, see Aborting Incomplete Multipart Uploads Using a Bucket Lifecycle\n Configuration.
\nFor information about the permissions required to use the multipart upload API, see\n Multipart\n Upload and Permissions.
\nFor request signing, multipart upload is just a series of regular requests. You initiate\n a multipart upload, send one or more requests to upload parts, and then complete the\n multipart upload process. You sign each request individually. There is nothing special\n about signing multipart upload requests. For more information about signing, see Authenticating Requests (Amazon Web Services Signature Version 4).
\nAfter you initiate a multipart upload and upload one or more parts, to stop being\n charged for storing the uploaded parts, you must either complete or abort the multipart\n upload. Amazon S3 frees up the space used to store the parts and stop charging you for\n storing them only after you either complete or abort a multipart upload.
\nServer-side encryption is for data encryption at rest. Amazon S3 encrypts your data as it\n writes it to disks in its data centers and decrypts it when you access it. Amazon S3\n automatically encrypts all new objects that are uploaded to an S3 bucket. When doing a\n multipart upload, if you don't specify encryption information in your request, the\n encryption setting of the uploaded parts is set to the default encryption configuration of\n the destination bucket. By default, all buckets have a base level of encryption\n configuration that uses server-side encryption with Amazon S3 managed keys (SSE-S3). If the\n destination bucket has a default encryption configuration that uses server-side encryption\n with an Key Management Service (KMS) key (SSE-KMS), or a customer-provided encryption key (SSE-C),\n Amazon S3 uses the corresponding KMS key, or a customer-provided key to encrypt the uploaded\n parts. When you perform a CreateMultipartUpload operation, if you want to use a different\n type of encryption setting for the uploaded parts, you can request that Amazon S3 encrypts the\n object with a KMS key, an Amazon S3 managed key, or a customer-provided key. If the encryption\n setting in your request is different from the default encryption configuration of the\n destination bucket, the encryption setting in your request takes precedence. If you choose\n to provide your own encryption key, the request headers you provide in UploadPart\n and UploadPartCopy requests must match the headers you used in the request to\n initiate the upload by using CreateMultipartUpload
. You can request that Amazon S3\n save the uploaded parts encrypted with server-side encryption with an Amazon S3 managed key\n (SSE-S3), an Key Management Service (KMS) key (SSE-KMS), or a customer-provided encryption key\n (SSE-C).
To perform a multipart upload with encryption by using an Amazon Web Services KMS key, the requester\n must have permission to the kms:Decrypt
and kms:GenerateDataKey*
\n actions on the key. These permissions are required because Amazon S3 must decrypt and read data\n from the encrypted file parts before it completes the multipart upload. For more\n information, see Multipart upload API\n and permissions and Protecting data using\n server-side encryption with Amazon Web Services KMS in the\n Amazon S3 User Guide.
If your Identity and Access Management (IAM) user or role is in the same Amazon Web Services account as the KMS key,\n then you must have these permissions on the key policy. If your IAM user or role belongs\n to a different account than the key, then you must have the permissions on both the key\n policy and your IAM user or role.
\nFor more information, see Protecting Data Using Server-Side\n Encryption.
\nWhen copying an object, you can optionally specify the accounts or groups that\n should be granted specific permissions on the new object. There are two ways to\n grant the permissions using the request headers:
\nSpecify a canned ACL with the x-amz-acl
request header. For\n more information, see Canned\n ACL.
Specify access permissions explicitly with the\n x-amz-grant-read
, x-amz-grant-read-acp
,\n x-amz-grant-write-acp
, and\n x-amz-grant-full-control
headers. These parameters map to\n the set of permissions that Amazon S3 supports in an ACL. For more information,\n see Access Control List (ACL) Overview.
You can use either a canned ACL or specify access permissions explicitly. You\n cannot do both.
\nAmazon S3 encrypts data by using server-side encryption with an Amazon S3 managed key\n (SSE-S3) by default. Server-side encryption is for data encryption at rest. Amazon S3\n encrypts your data as it writes it to disks in its data centers and decrypts it\n when you access it. You can request that Amazon S3 encrypts data at rest by using\n server-side encryption with other key options. The option you use depends on\n whether you want to use KMS keys (SSE-KMS) or provide your own encryption keys\n (SSE-C).
\nUse KMS keys (SSE-KMS) that include the Amazon Web Services managed key\n (aws/s3
) and KMS customer managed keys stored in Key Management Service (KMS) –\n If you want Amazon Web Services to manage the keys used to encrypt data, specify the\n following headers in the request.
\n x-amz-server-side-encryption
\n
\n x-amz-server-side-encryption-aws-kms-key-id
\n
\n x-amz-server-side-encryption-context
\n
If you specify x-amz-server-side-encryption:aws:kms
, but\n don't provide x-amz-server-side-encryption-aws-kms-key-id
,\n Amazon S3 uses the Amazon Web Services managed key (aws/s3
key) in KMS to\n protect the data.
All GET
and PUT
requests for an object\n protected by KMS fail if you don't make them by using Secure Sockets\n Layer (SSL), Transport Layer Security (TLS), or Signature Version\n 4.
For more information about server-side encryption with KMS keys\n (SSE-KMS), see Protecting Data\n Using Server-Side Encryption with KMS keys.
\nUse customer-provided encryption keys (SSE-C) – If you want to manage\n your own encryption keys, provide all the following headers in the\n request.
\n\n x-amz-server-side-encryption-customer-algorithm
\n
\n x-amz-server-side-encryption-customer-key
\n
\n x-amz-server-side-encryption-customer-key-MD5
\n
For more information about server-side encryption with customer-provided\n encryption keys (SSE-C), see \n Protecting data using server-side encryption with customer-provided\n encryption keys (SSE-C).
\nYou also can use the following access control–related headers with this\n operation. By default, all objects are private. Only the owner has full access\n control. When adding a new object, you can grant permissions to individual\n Amazon Web Services accounts or to predefined groups defined by Amazon S3. These permissions are then\n added to the access control list (ACL) on the object. For more information, see\n Using ACLs. With this operation, you can grant access permissions\n using one of the following two methods:
\nSpecify a canned ACL (x-amz-acl
) — Amazon S3 supports a set of\n predefined ACLs, known as canned ACLs. Each canned ACL\n has a predefined set of grantees and permissions. For more information, see\n Canned\n ACL.
Specify access permissions explicitly — To explicitly grant access\n permissions to specific Amazon Web Services accounts or groups, use the following headers.\n Each header maps to specific permissions that Amazon S3 supports in an ACL. For\n more information, see Access Control List (ACL)\n Overview. In the header, you specify a list of grantees who get\n the specific permission. To grant permissions explicitly, use:
\n\n x-amz-grant-read
\n
\n x-amz-grant-write
\n
\n x-amz-grant-read-acp
\n
\n x-amz-grant-write-acp
\n
\n x-amz-grant-full-control
\n
You specify each grantee as a type=value pair, where the type is one of\n the following:
\n\n id
– if the value specified is the canonical user ID\n of an Amazon Web Services account
\n uri
– if you are granting permissions to a predefined\n group
\n emailAddress
– if the value specified is the email\n address of an Amazon Web Services account
Using email addresses to specify a grantee is only supported in the following Amazon Web Services Regions:
\nUS East (N. Virginia)
\nUS West (N. California)
\nUS West (Oregon)
\nAsia Pacific (Singapore)
\nAsia Pacific (Sydney)
\nAsia Pacific (Tokyo)
\nEurope (Ireland)
\nSouth America (São Paulo)
\nFor a list of all the Amazon S3 supported Regions and endpoints, see Regions and Endpoints in the Amazon Web Services General Reference.
\nFor example, the following x-amz-grant-read
header grants the Amazon Web Services accounts identified by account IDs permissions to read object data and its metadata:
\n x-amz-grant-read: id=\"11112222333\", id=\"444455556666\"
\n
The following operations are related to CreateMultipartUpload
:
\n UploadPart\n
\n\n AbortMultipartUpload\n
\n\n ListParts\n
\n\n ListMultipartUploads\n
\nIf the bucket has a lifecycle rule configured with an action to abort incomplete\n multipart uploads and the prefix in the lifecycle rule matches the object name in the\n request, the response includes this header. The header indicates when the initiated\n multipart upload becomes eligible for an abort operation. For more information, see \n Aborting Incomplete Multipart Uploads Using a Bucket Lifecycle Configuration.
\nThe response also includes the x-amz-abort-rule-id
header that provides the\n ID of the lifecycle configuration rule that defines this action.
If the bucket has a lifecycle rule configured with an action to abort incomplete\n multipart uploads and the prefix in the lifecycle rule matches the object name in the\n request, the response includes this header. The header indicates when the initiated\n multipart upload becomes eligible for an abort operation. For more information, see \n Aborting Incomplete Multipart Uploads Using a Bucket Lifecycle\n Configuration.
\nThe response also includes the x-amz-abort-rule-id
header that provides the\n ID of the lifecycle configuration rule that defines this action.
The name of the bucket to which the multipart upload was initiated. Does not return the\n access point ARN or access point alias if used.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The name of the bucket to which the multipart upload was initiated. Does not return the\n access point ARN or access point alias if used.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
The name of the bucket to which to initiate the upload
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The name of the bucket to which to initiate the upload
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
Specifies the ID of the symmetric encryption customer managed key to use for object encryption.\n All GET and PUT requests for an object protected by KMS will fail if they're not made via\n SSL or using SigV4. For information about configuring any of the officially supported Amazon Web Services\n SDKs and Amazon Web Services CLI, see Specifying the Signature Version in Request Authentication\n in the Amazon S3 User Guide.
",
+ "smithy.api#documentation": "Specifies the ID (Key ID, Key ARN, or Key Alias) of the symmetric encryption customer managed key to use for object encryption.\n All GET and PUT requests for an object protected by KMS will fail if they're not made via\n SSL or using SigV4. For information about configuring any of the officially supported Amazon Web Services\n SDKs and Amazon Web Services CLI, see Specifying the Signature Version in Request Authentication\n in the Amazon S3 User Guide.
",
 "smithy.api#httpHeader": "x-amz-server-side-encryption-aws-kms-key-id"
 }
 },
@@ -23076,7 +17986,7 @@
 "target": "smithy.api#Unit"
 },
 "traits": {
- "smithy.api#documentation": "This implementation of the DELETE action resets the default encryption for the\n bucket as server-side encryption with Amazon S3 managed keys (SSE-S3). For information about the\n bucket default encryption feature, see Amazon S3 Bucket Default Encryption\n in the Amazon S3 User Guide.
\nTo use this operation, you must have permissions to perform the\n s3:PutEncryptionConfiguration
action. The bucket owner has this permission\n by default. The bucket owner can grant this permission to others. For more information\n about permissions, see Permissions Related to Bucket Subresource Operations and Managing\n Access Permissions to your Amazon S3 Resources in the\n Amazon S3 User Guide.
The following operations are related to DeleteBucketEncryption
:
\n PutBucketEncryption\n
\n\n GetBucketEncryption\n
\nThis implementation of the DELETE action resets the default encryption for the bucket as\n server-side encryption with Amazon S3 managed keys (SSE-S3). For information about the bucket\n default encryption feature, see Amazon S3 Bucket Default Encryption\n in the Amazon S3 User Guide.
\nTo use this operation, you must have permissions to perform the\n s3:PutEncryptionConfiguration
action. The bucket owner has this permission\n by default. The bucket owner can grant this permission to others. For more information\n about permissions, see Permissions Related to Bucket Subresource Operations and Managing\n Access Permissions to your Amazon S3 Resources in the\n Amazon S3 User Guide.
The following operations are related to DeleteBucketEncryption
:
\n PutBucketEncryption\n
\n\n GetBucketEncryption\n
\nThis implementation of the DELETE action uses the policy subresource to delete the\n policy of a specified bucket. If you are using an identity other than the root user of the\n Amazon Web Services account that owns the bucket, the calling identity must have the\n DeleteBucketPolicy
permissions on the specified bucket and belong to the\n bucket owner's account to use this operation.
If you don't have DeleteBucketPolicy
permissions, Amazon S3 returns a 403\n Access Denied
error. If you have the correct permissions, but you're not using an\n identity that belongs to the bucket owner's account, Amazon S3 returns a 405 Method Not\n Allowed
error.
To ensure that bucket owners don't inadvertently lock themselves out of their own\n buckets, the root principal in a bucket owner's Amazon Web Services account can perform the\n GetBucketPolicy
, PutBucketPolicy
, and\n DeleteBucketPolicy
API actions, even if their bucket policy explicitly\n denies the root principal's access. Bucket owner root principals can only be blocked from performing \n these API actions by VPC endpoint policies and Amazon Web Services Organizations policies.
For more information about bucket policies, see Using Bucket Policies and\n UserPolicies.
\nThe following operations are related to DeleteBucketPolicy
\n
\n CreateBucket\n
\n\n DeleteObject\n
\nThis implementation of the DELETE action uses the policy subresource to delete the\n policy of a specified bucket. If you are using an identity other than the root user of the\n Amazon Web Services account that owns the bucket, the calling identity must have the\n DeleteBucketPolicy
permissions on the specified bucket and belong to the\n bucket owner's account to use this operation.
If you don't have DeleteBucketPolicy
permissions, Amazon S3 returns a 403\n Access Denied
error. If you have the correct permissions, but you're not using an\n identity that belongs to the bucket owner's account, Amazon S3 returns a 405 Method Not\n Allowed
error.
To ensure that bucket owners don't inadvertently lock themselves out of their own\n buckets, the root principal in a bucket owner's Amazon Web Services account can perform the\n GetBucketPolicy
, PutBucketPolicy
, and\n DeleteBucketPolicy
API actions, even if their bucket policy explicitly\n denies the root principal's access. Bucket owner root principals can only be blocked\n from performing these API actions by VPC endpoint policies and Amazon Web Services Organizations\n policies.
For more information about bucket policies, see Using Bucket Policies and\n UserPolicies.
\nThe following operations are related to DeleteBucketPolicy
\n
\n CreateBucket\n
\n\n DeleteObject\n
\nRemoves the null version (if there is one) of an object and inserts a delete marker,\n which becomes the latest version of the object. If there isn't a null version, Amazon S3 does\n not remove any objects but will still respond that the command was successful.
\nTo remove a specific version, you must use the version Id subresource. Using this\n subresource permanently deletes the version. If the object deleted is a delete marker, Amazon S3\n sets the response header, x-amz-delete-marker
, to true.
If the object you want to delete is in a bucket where the bucket versioning\n configuration is MFA Delete enabled, you must include the x-amz-mfa
request\n header in the DELETE versionId
request. Requests that include\n x-amz-mfa
must use HTTPS.
For more information about MFA Delete, see Using MFA Delete. To see sample\n requests that use versioning, see Sample\n Request.
\nYou can delete objects by explicitly calling DELETE Object or configure its lifecycle\n (PutBucketLifecycle) to enable Amazon S3 to remove them for you. If you want to block\n users or accounts from removing or deleting objects from your bucket, you must deny them\n the s3:DeleteObject
, s3:DeleteObjectVersion
, and\n s3:PutLifeCycleConfiguration
actions.
The following action is related to DeleteObject
:
\n PutObject\n
\nSpecifies whether the versioned object that was permanently deleted was (true) or was\n not (false) a delete marker.
",
+ "smithy.api#documentation": "Indicates whether the specified object version that was permanently deleted was (true) or was\n not (false) a delete marker before deletion. In a simple DELETE, this header indicates whether (true) or\n not (false) the current version of the object is a delete marker.
",
 "smithy.api#httpHeader": "x-amz-delete-marker"
 }
 },
@@ -23733,7 +18642,7 @@
 "Bucket": {
 "target": "com.amazonaws.s3#BucketName",
 "traits": {
- "smithy.api#documentation": "The bucket name of the bucket containing the object.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The bucket name of the bucket containing the object.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
Removes the entire tag set from the specified object. For more information about\n managing object tags, see Object Tagging.
\nTo use this operation, you must have permission to perform the\n s3:DeleteObjectTagging
action.
To delete tags of a specific object version, add the versionId
query\n parameter in the request. You will need permission for the\n s3:DeleteObjectVersionTagging
action.
The following operations are related to DeleteObjectTagging
:
\n PutObjectTagging\n
\n\n GetObjectTagging\n
\nThe bucket name containing the objects from which to remove the tags.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The bucket name containing the objects from which to remove the tags.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
This action enables you to delete multiple objects from a bucket using a single HTTP\n request. If you know the object keys that you want to delete, then this action provides a\n suitable alternative to sending individual delete requests, reducing per-request\n overhead.
\nThe request contains a list of up to 1000 keys that you want to delete. In the XML, you\n provide the object key names, and optionally, version IDs if you want to delete a specific\n version of the object from a versioning-enabled bucket. For each key, Amazon S3 performs a\n delete action and returns the result of that delete, success, or failure, in the response.\n Note that if the object specified in the request is not found, Amazon S3 returns the result as\n deleted.
\nThe action supports two modes for the response: verbose and quiet. By default, the\n action uses verbose mode in which the response includes the result of deletion of each key\n in your request. In quiet mode the response includes only keys where the delete action\n encountered an error. For a successful deletion, the action does not return any information\n about the delete in the response body.
\nWhen performing this action on an MFA Delete enabled bucket, that attempts to delete any\n versioned objects, you must include an MFA token. If you do not provide one, the entire\n request will fail, even if there are non-versioned objects you are trying to delete. If you\n provide an invalid token, whether there are versioned keys in the request or not, the\n entire Multi-Object Delete request will fail. For information about MFA Delete, see MFA\n Delete.
\nFinally, the Content-MD5 header is required for all Multi-Object Delete requests. Amazon S3 uses the header value to ensure that your request body has not been altered in\n transit.
\nThe following operations are related to DeleteObjects
:
\n UploadPart\n
\n\n ListParts\n
\n\n AbortMultipartUpload\n
\nThis action enables you to delete multiple objects from a bucket using a single HTTP\n request. If you know the object keys that you want to delete, then this action provides a\n suitable alternative to sending individual delete requests, reducing per-request\n overhead.
\nThe request contains a list of up to 1000 keys that you want to delete. In the XML, you\n provide the object key names, and optionally, version IDs if you want to delete a specific\n version of the object from a versioning-enabled bucket. For each key, Amazon S3 performs a\n delete action and returns the result of that delete, success, or failure, in the response.\n Note that if the object specified in the request is not found, Amazon S3 returns the result as\n deleted.
\nThe action supports two modes for the response: verbose and quiet. By default, the\n action uses verbose mode in which the response includes the result of deletion of each key\n in your request. In quiet mode the response includes only keys where the delete action\n encountered an error. For a successful deletion, the action does not return any information\n about the delete in the response body.
\nWhen performing this action on an MFA Delete enabled bucket, that attempts to delete any\n versioned objects, you must include an MFA token. If you do not provide one, the entire\n request will fail, even if there are non-versioned objects you are trying to delete. If you\n provide an invalid token, whether there are versioned keys in the request or not, the\n entire Multi-Object Delete request will fail. For information about MFA Delete, see MFA\n Delete.
\nFinally, the Content-MD5 header is required for all Multi-Object Delete requests. Amazon S3\n uses the header value to ensure that your request body has not been altered in\n transit.
\nThe following operations are related to DeleteObjects
:
\n UploadPart\n
\n\n ListParts\n
\n\n AbortMultipartUpload\n
\nThe bucket name containing the objects to delete.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The bucket name containing the objects to delete.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
Specifies whether the versioned object that was permanently deleted was (true) or was\n not (false) a delete marker. In a simple DELETE, this header indicates whether (true) or\n not (false) a delete marker was created.
"
+ "smithy.api#documentation": "Indicates whether the specified object version that was permanently deleted was (true) or was\n not (false) a delete marker before deletion. In a simple DELETE, this header indicates whether (true) or\n not (false) the current version of the object is a delete marker.
"
 }
 },
 "DeleteMarkerVersionId": {
@@ -24155,7 +19097,7 @@
 }
 },
 "traits": {
- "smithy.api#documentation": "Requests Amazon S3 to encode the object keys in the response and specifies the encoding\n method to use. An object key may contain any Unicode character; however, XML 1.0 parser\n cannot parse some characters, such as characters with an ASCII value from 0 to 10. For\n characters that are not supported in XML 1.0, you can add this parameter to request that\n Amazon S3 encode the keys in the response.
"
+ "smithy.api#documentation": "Requests Amazon S3 to encode the object keys in the response and specifies the encoding\n method to use. An object key can contain any Unicode character; however, the XML 1.0 parser\n cannot parse some characters, such as characters with an ASCII value from 0 to 10. For\n characters that are not supported in XML 1.0, you can add this parameter to request that\n Amazon S3 encode the keys in the response.
"
 }
 },
 "com.amazonaws.s3#Encryption": {
@@ -24628,7 +19570,7 @@
 "target": "com.amazonaws.s3#GetBucketAccelerateConfigurationOutput"
 },
 "traits": {
- "smithy.api#documentation": "This implementation of the GET action uses the accelerate
subresource to\n return the Transfer Acceleration state of a bucket, which is either Enabled
or\n Suspended
. Amazon S3 Transfer Acceleration is a bucket-level feature that\n enables you to perform faster data transfers to and from Amazon S3.
To use this operation, you must have permission to perform the\n s3:GetAccelerateConfiguration
action. The bucket owner has this permission\n by default. The bucket owner can grant this permission to others. For more information\n about permissions, see Permissions Related to Bucket Subresource Operations and Managing\n Access Permissions to your Amazon S3 Resources in the\n Amazon S3 User Guide.
You set the Transfer Acceleration state of an existing bucket to Enabled
or\n Suspended
by using the PutBucketAccelerateConfiguration operation.
A GET accelerate
request does not return a state value for a bucket that\n has no transfer acceleration state. A bucket has no Transfer Acceleration state if a state\n has never been set on the bucket.
For more information about transfer acceleration, see Transfer Acceleration in\n the Amazon S3 User Guide.
\nThe following operations are related to GetBucketAccelerateConfiguration
:
This implementation of the GET action uses the accelerate
subresource to\n return the Transfer Acceleration state of a bucket, which is either Enabled
or\n Suspended
. Amazon S3 Transfer Acceleration is a bucket-level feature that\n enables you to perform faster data transfers to and from Amazon S3.
To use this operation, you must have permission to perform the\n s3:GetAccelerateConfiguration
action. The bucket owner has this permission\n by default. The bucket owner can grant this permission to others. For more information\n about permissions, see Permissions Related to Bucket Subresource Operations and Managing\n Access Permissions to your Amazon S3 Resources in the\n Amazon S3 User Guide.
You set the Transfer Acceleration state of an existing bucket to Enabled
or\n Suspended
by using the PutBucketAccelerateConfiguration operation.
A GET accelerate
request does not return a state value for a bucket that\n has no transfer acceleration state. A bucket has no Transfer Acceleration state if a state\n has never been set on the bucket.
For more information about transfer acceleration, see Transfer Acceleration in\n the Amazon S3 User Guide.
\nThe following operations are related to\n GetBucketAccelerateConfiguration
:
This implementation of the GET action returns an analytics configuration (identified by\n the analytics configuration ID) from the bucket.
\nTo use this operation, you must have permissions to perform the\n s3:GetAnalyticsConfiguration
action. The bucket owner has this permission\n by default. The bucket owner can grant this permission to others. For more information\n about permissions, see Permissions Related to Bucket Subresource Operations and Managing\n Access Permissions to Your Amazon S3 Resources in the\n Amazon S3 User Guide.
For information about Amazon S3 analytics feature, see Amazon S3 Analytics – Storage Class\n Analysis in the Amazon S3 User Guide.
\nThe following operations are related to GetBucketAnalyticsConfiguration
:
This implementation of the GET action returns an analytics configuration (identified by\n the analytics configuration ID) from the bucket.
\nTo use this operation, you must have permissions to perform the\n s3:GetAnalyticsConfiguration
action. The bucket owner has this permission\n by default. The bucket owner can grant this permission to others. For more information\n about permissions, see Permissions Related to Bucket Subresource Operations and Managing\n Access Permissions to Your Amazon S3 Resources in the\n Amazon S3 User Guide.
For information about Amazon S3 analytics feature, see Amazon S3 Analytics – Storage Class\n Analysis in the Amazon S3 User Guide.
\nThe following operations are related to\n GetBucketAnalyticsConfiguration
:
Returns the policy of a specified bucket. If you are using an identity other than the\n root user of the Amazon Web Services account that owns the bucket, the calling identity must have the\n GetBucketPolicy
permissions on the specified bucket and belong to the\n bucket owner's account in order to use this operation.
If you don't have GetBucketPolicy
permissions, Amazon S3 returns a 403\n Access Denied
error. If you have the correct permissions, but you're not using an\n identity that belongs to the bucket owner's account, Amazon S3 returns a 405 Method Not\n Allowed
error.
To ensure that bucket owners don't inadvertently lock themselves out of their own\n buckets, the root principal in a bucket owner's Amazon Web Services account can perform the\n GetBucketPolicy
, PutBucketPolicy
, and\n DeleteBucketPolicy
API actions, even if their bucket policy explicitly\n denies the root principal's access. Bucket owner root principals can only be blocked from performing \n these API actions by VPC endpoint policies and Amazon Web Services Organizations policies.
To use this API operation against an access point, provide the alias of the access point in place of the bucket name.
\nTo use this API operation against an Object Lambda access point, provide the alias of the Object Lambda access point in place of the bucket name. \nIf the Object Lambda access point alias in a request is not valid, the error code InvalidAccessPointAliasError
is returned. \nFor more information about InvalidAccessPointAliasError
, see List of\n Error Codes.
For more information about bucket policies, see Using Bucket Policies and User\n Policies.
\nThe following action is related to GetBucketPolicy
:
\n GetObject\n
\nReturns the policy of a specified bucket. If you are using an identity other than the\n root user of the Amazon Web Services account that owns the bucket, the calling identity must have the\n GetBucketPolicy
permissions on the specified bucket and belong to the\n bucket owner's account in order to use this operation.
If you don't have GetBucketPolicy
permissions, Amazon S3 returns a 403\n Access Denied
error. If you have the correct permissions, but you're not using an\n identity that belongs to the bucket owner's account, Amazon S3 returns a 405 Method Not\n Allowed
error.
To ensure that bucket owners don't inadvertently lock themselves out of their own\n buckets, the root principal in a bucket owner's Amazon Web Services account can perform the\n GetBucketPolicy
, PutBucketPolicy
, and\n DeleteBucketPolicy
API actions, even if their bucket policy explicitly\n denies the root principal's access. Bucket owner root principals can only be blocked\n from performing these API actions by VPC endpoint policies and Amazon Web Services Organizations\n policies.
To use this API operation against an access point, provide the alias of the access point in place of the bucket name.
\nTo use this API operation against an Object Lambda access point, provide the alias of the Object Lambda access point in place of the bucket name. \nIf the Object Lambda access point alias in a request is not valid, the error code InvalidAccessPointAliasError
is returned. \nFor more information about InvalidAccessPointAliasError
, see List of\n Error Codes.
For more information about bucket policies, see Using Bucket Policies and User\n Policies.
\nThe following action is related to GetBucketPolicy
:
\n GetObject\n
\nRetrieves objects from Amazon S3. To use GET
, you must have READ
\n access to the object. If you grant READ
access to the anonymous user, you can\n return the object without using an authorization header.
An Amazon S3 bucket has no directory hierarchy such as you would find in a typical computer\n file system. You can, however, create a logical hierarchy by using object key names that\n imply a folder structure. For example, instead of naming an object sample.jpg
,\n you can name it photos/2006/February/sample.jpg
.
To get an object from such a logical hierarchy, specify the full key name for the object\n in the GET
operation. For a virtual hosted-style request example, if you have\n the object photos/2006/February/sample.jpg
, specify the resource as\n /photos/2006/February/sample.jpg
. For a path-style request example, if you\n have the object photos/2006/February/sample.jpg
in the bucket named\n examplebucket
, specify the resource as\n /examplebucket/photos/2006/February/sample.jpg
. For more information about\n request types, see HTTP Host\n Header Bucket Specification.
For more information about returning the ACL of an object, see GetObjectAcl.
\nIf the object you are retrieving is stored in the S3 Glacier Flexible Retrieval or\n S3 Glacier Deep Archive storage class, or S3 Intelligent-Tiering Archive or\n S3 Intelligent-Tiering Deep Archive tiers, before you can retrieve the object you must first restore a\n copy using RestoreObject. Otherwise, this action returns an\n InvalidObjectState
error. For information about restoring archived objects,\n see Restoring\n Archived Objects.
Encryption request headers, like x-amz-server-side-encryption
, should not\n be sent for GET requests if your object uses server-side encryption with Key Management Service (KMS)\n keys (SSE-KMS), dual-layer server-side encryption with Amazon Web Services KMS keys (DSSE-KMS), or\n server-side encryption with Amazon S3 managed encryption keys (SSE-S3). If your object does use\n these types of keys, you’ll get an HTTP 400 Bad Request error.
If you encrypt an object by using server-side encryption with customer-provided\n encryption keys (SSE-C) when you store the object in Amazon S3, then when you GET the object,\n you must use the following headers:
\n\n x-amz-server-side-encryption-customer-algorithm
\n
\n x-amz-server-side-encryption-customer-key
\n
\n x-amz-server-side-encryption-customer-key-MD5
\n
For more information about SSE-C, see Server-Side Encryption\n (Using Customer-Provided Encryption Keys).
\nAssuming you have the relevant permission to read object tags, the response also returns\n the x-amz-tagging-count
header that provides the count of number of tags\n associated with the object. You can use GetObjectTagging to retrieve\n the tag set associated with an object.
You need the relevant read object (or version) permission for this operation. For more\n information, see Specifying Permissions in a\n Policy. If the object that you request doesn’t exist, the error that Amazon S3 returns depends\n on whether you also have the s3:ListBucket
permission.
If you have the s3:ListBucket
permission on the bucket, Amazon S3\n returns an HTTP status code 404 (Not Found) error.
If you don’t have the s3:ListBucket
permission, Amazon S3 returns an\n HTTP status code 403 (\"access denied\") error.
By default, the GET
action returns the current version of an object. To return a\n different version, use the versionId
subresource.
If you supply a versionId
, you need the\n s3:GetObjectVersion
permission to access a specific version of an\n object. If you request a specific version, you do not need to have the\n s3:GetObject
permission. If you request the current version\n without a specific version ID, only s3:GetObject
permission is\n required. s3:GetObjectVersion
permission won't be required.
If the current version of the object is a delete marker, Amazon S3 behaves as if the\n object was deleted and includes x-amz-delete-marker: true
in the\n response.
For more information about versioning, see PutBucketVersioning.
\nThere are times when you want to override certain response header values in a GET
\n response. For example, you might override the Content-Disposition
response\n header value in your GET
request.
You can override values for a set of response headers using the following query\n parameters. These response header values are sent only on a successful request, that is,\n when status code 200 OK is returned. The set of headers you can override using these\n parameters is a subset of the headers that Amazon S3 accepts when you create an object. The\n response headers that you can override for the GET
response are Content-Type
,\n Content-Language
, Expires
, Cache-Control
,\n Content-Disposition
, and Content-Encoding
. To override these\n header values in the GET
response, you use the following request parameters.
You must sign the request, either using an Authorization header or a presigned URL,\n when using these parameters. They cannot be used with an unsigned (anonymous)\n request.
\n\n response-content-type
\n
\n response-content-language
\n
\n response-expires
\n
\n response-cache-control
\n
\n response-content-disposition
\n
\n response-content-encoding
\n
If both of the If-Match
and If-Unmodified-Since
headers are\n present in the request as follows: If-Match
condition evaluates to\n true
, and; If-Unmodified-Since
condition evaluates to\n false
; then, S3 returns 200 OK and the data requested.
If both of the If-None-Match
and If-Modified-Since
headers are\n present in the request as follows: If-None-Match
condition evaluates to\n false
, and; If-Modified-Since
condition evaluates to\n true
; then, S3 returns 304 Not Modified response code.
For more information about conditional requests, see RFC 7232.
\nThe following operations are related to GetObject
:
\n ListBuckets\n
\n\n GetObjectAcl\n
\nRetrieves objects from Amazon S3. To use GET
, you must have READ
\n access to the object. If you grant READ
access to the anonymous user, you can\n return the object without using an authorization header.
An Amazon S3 bucket has no directory hierarchy such as you would find in a typical computer\n file system. You can, however, create a logical hierarchy by using object key names that\n imply a folder structure. For example, instead of naming an object sample.jpg
,\n you can name it photos/2006/February/sample.jpg
.
To get an object from such a logical hierarchy, specify the full key name for the object\n in the GET
operation. For a virtual hosted-style request example, if you have\n the object photos/2006/February/sample.jpg
, specify the resource as\n /photos/2006/February/sample.jpg
. For a path-style request example, if you\n have the object photos/2006/February/sample.jpg
in the bucket named\n examplebucket
, specify the resource as\n /examplebucket/photos/2006/February/sample.jpg
. For more information about\n request types, see HTTP Host\n Header Bucket Specification.
For more information about returning the ACL of an object, see GetObjectAcl.
\nIf the object you are retrieving is stored in the S3 Glacier Flexible Retrieval or\n S3 Glacier Deep Archive storage class, or S3 Intelligent-Tiering Archive or\n S3 Intelligent-Tiering Deep Archive tiers, before you can retrieve the object you must first restore a\n copy using RestoreObject. Otherwise, this action returns an\n InvalidObjectState
error. For information about restoring archived objects,\n see Restoring\n Archived Objects.
Encryption request headers, like x-amz-server-side-encryption
, should not\n be sent for GET requests if your object uses server-side encryption with Key Management Service (KMS)\n keys (SSE-KMS), dual-layer server-side encryption with Amazon Web Services KMS keys (DSSE-KMS), or\n server-side encryption with Amazon S3 managed encryption keys (SSE-S3). If your object does use\n these types of keys, you’ll get an HTTP 400 Bad Request error.
If you encrypt an object by using server-side encryption with customer-provided\n encryption keys (SSE-C) when you store the object in Amazon S3, then when you GET the object,\n you must use the following headers:
\n\n x-amz-server-side-encryption-customer-algorithm
\n
\n x-amz-server-side-encryption-customer-key
\n
\n x-amz-server-side-encryption-customer-key-MD5
\n
For more information about SSE-C, see Server-Side Encryption\n (Using Customer-Provided Encryption Keys).
\nAssuming you have the relevant permission to read object tags, the response also returns\n the x-amz-tagging-count
header that provides the count of number of tags\n associated with the object. You can use GetObjectTagging to retrieve\n the tag set associated with an object.
You need the relevant read object (or version) permission for this operation.\n For more information, see Specifying Permissions in\n a Policy. If the object that you request doesn’t exist, the error that\n Amazon S3 returns depends on whether you also have the s3:ListBucket
\n permission.
If you have the s3:ListBucket
permission on the bucket, Amazon S3\n returns an HTTP status code 404 (Not Found) error.
If you don’t have the s3:ListBucket
permission, Amazon S3 returns an\n HTTP status code 403 (\"access denied\") error.
By default, the GET
action returns the current version of an\n object. To return a different version, use the versionId
\n subresource.
If you supply a versionId
, you need the\n s3:GetObjectVersion
permission to access a specific\n version of an object. If you request a specific version, you do not need\n to have the s3:GetObject
permission. If you request the\n current version without a specific version ID, only\n s3:GetObject
permission is required.\n s3:GetObjectVersion
permission won't be required.
If the current version of the object is a delete marker, Amazon S3 behaves\n as if the object was deleted and includes x-amz-delete-marker:\n true
in the response.
For more information about versioning, see PutBucketVersioning.
\nThere are times when you want to override certain response header values in a\n GET
response. For example, you might override the\n Content-Disposition
response header value in your GET
\n request.
You can override values for a set of response headers using the following query\n parameters. These response header values are sent only on a successful request,\n that is, when status code 200 OK is returned. The set of headers you can override\n using these parameters is a subset of the headers that Amazon S3 accepts when you\n create an object. The response headers that you can override for the\n GET
response are Content-Type
,\n Content-Language
, Expires
,\n Cache-Control
, Content-Disposition
, and\n Content-Encoding
. To override these header values in the\n GET
response, you use the following request parameters.
You must sign the request, either using an Authorization header or a\n presigned URL, when using these parameters. They cannot be used with an\n unsigned (anonymous) request.
\n\n response-content-type
\n
\n response-content-language
\n
\n response-expires
\n
\n response-cache-control
\n
\n response-content-disposition
\n
\n response-content-encoding
\n
If both of the If-Match
and If-Unmodified-Since
\n headers are present in the request as follows: If-Match
condition\n evaluates to true
, and; If-Unmodified-Since
condition\n evaluates to false
; then, S3 returns 200 OK and the data requested.
If both of the If-None-Match
and If-Modified-Since
\n headers are present in the request as follows: If-None-Match
\n condition evaluates to false
, and; If-Modified-Since
\n condition evaluates to true
; then, S3 returns 304 Not Modified\n response code.
For more information about conditional requests, see RFC 7232.
\nThe following operations are related to GetObject
:
\n ListBuckets\n
\n\n GetObjectAcl\n
\nRetrieves all the metadata from an object without returning the object itself. This\n action is useful if you're interested only in an object's metadata. To use\n GetObjectAttributes
, you must have READ access to the object.
\n GetObjectAttributes
combines the functionality of HeadObject
\n and ListParts
. All of the data returned with each of those individual calls\n can be returned with a single call to GetObjectAttributes
.
If you encrypt an object by using server-side encryption with customer-provided\n encryption keys (SSE-C) when you store the object in Amazon S3, then when you retrieve the\n metadata from the object, you must use the following headers:
\n\n x-amz-server-side-encryption-customer-algorithm
\n
\n x-amz-server-side-encryption-customer-key
\n
\n x-amz-server-side-encryption-customer-key-MD5
\n
For more information about SSE-C, see Server-Side Encryption\n (Using Customer-Provided Encryption Keys) in the\n Amazon S3 User Guide.
\nEncryption request headers, such as x-amz-server-side-encryption
,\n should not be sent for GET requests if your object uses server-side encryption\n with Amazon Web Services KMS keys stored in Amazon Web Services Key Management Service (SSE-KMS) or\n server-side encryption with Amazon S3 managed keys (SSE-S3). If your object does use\n these types of keys, you'll get an HTTP 400 Bad Request
error.
The last modified property in this case is the creation date of the\n object.
\nConsider the following when using request headers:
\n If both of the If-Match
and If-Unmodified-Since
headers\n are present in the request as follows, then Amazon S3 returns the HTTP status code\n 200 OK
and the data requested:
\n If-Match
condition evaluates to true
.
\n If-Unmodified-Since
condition evaluates to\n false
.
If both of the If-None-Match
and If-Modified-Since
\n headers are present in the request as follows, then Amazon S3 returns the HTTP status code\n 304 Not Modified
:
\n If-None-Match
condition evaluates to false
.
\n If-Modified-Since
condition evaluates to\n true
.
For more information about conditional requests, see RFC 7232.
\nThe permissions that you need to use this operation depend on whether the bucket is\n versioned. If the bucket is versioned, you need both the s3:GetObjectVersion
\n and s3:GetObjectVersionAttributes
permissions for this operation. If the\n bucket is not versioned, you need the s3:GetObject
and\n s3:GetObjectAttributes
permissions. For more information, see Specifying\n Permissions in a Policy in the Amazon S3 User Guide. If the\n object that you request does not exist, the error Amazon S3 returns depends on whether you also\n have the s3:ListBucket
permission.
If you have the s3:ListBucket
permission on the bucket, Amazon S3 returns\n an HTTP status code 404 Not Found
(\"no such key\") error.
If you don't have the s3:ListBucket
permission, Amazon S3 returns an HTTP\n status code 403 Forbidden
(\"access denied\") error.
The following actions are related to GetObjectAttributes
:
\n GetObject\n
\n\n GetObjectAcl\n
\n\n GetObjectLegalHold\n
\n\n GetObjectRetention\n
\n\n GetObjectTagging\n
\n\n HeadObject\n
\n\n ListParts\n
\nRetrieves all the metadata from an object without returning the object itself. This\n action is useful if you're interested only in an object's metadata. To use\n GetObjectAttributes
, you must have READ access to the object.
\n GetObjectAttributes
combines the functionality of HeadObject
\n and ListParts
. All of the data returned with each of those individual calls\n can be returned with a single call to GetObjectAttributes
.
If you encrypt an object by using server-side encryption with customer-provided\n encryption keys (SSE-C) when you store the object in Amazon S3, then when you retrieve the\n metadata from the object, you must use the following headers:
\n\n x-amz-server-side-encryption-customer-algorithm
\n
\n x-amz-server-side-encryption-customer-key
\n
\n x-amz-server-side-encryption-customer-key-MD5
\n
For more information about SSE-C, see Server-Side Encryption\n (Using Customer-Provided Encryption Keys) in the\n Amazon S3 User Guide.
\nEncryption request headers, such as x-amz-server-side-encryption
,\n should not be sent for GET requests if your object uses server-side encryption\n with Amazon Web Services KMS keys stored in Amazon Web Services Key Management Service (SSE-KMS) or\n server-side encryption with Amazon S3 managed keys (SSE-S3). If your object does use\n these types of keys, you'll get an HTTP 400 Bad Request
error.
The last modified property in this case is the creation date of the\n object.
\nConsider the following when using request headers:
\n If both of the If-Match
and If-Unmodified-Since
headers\n are present in the request as follows, then Amazon S3 returns the HTTP status code\n 200 OK
and the data requested:
\n If-Match
condition evaluates to true
.
\n If-Unmodified-Since
condition evaluates to\n false
.
If both of the If-None-Match
and If-Modified-Since
\n headers are present in the request as follows, then Amazon S3 returns the HTTP status code\n 304 Not Modified
:
\n If-None-Match
condition evaluates to false
.
\n If-Modified-Since
condition evaluates to\n true
.
For more information about conditional requests, see RFC 7232.
\nThe permissions that you need to use this operation depend on whether the\n bucket is versioned. If the bucket is versioned, you need both the\n s3:GetObjectVersion
and s3:GetObjectVersionAttributes
\n permissions for this operation. If the bucket is not versioned, you need the\n s3:GetObject
and s3:GetObjectAttributes
permissions.\n For more information, see Specifying Permissions in\n a Policy in the Amazon S3 User Guide. If the object\n that you request does not exist, the error Amazon S3 returns depends on whether you\n also have the s3:ListBucket
permission.
If you have the s3:ListBucket
permission on the bucket, Amazon S3\n returns an HTTP status code 404 Not Found
(\"no such key\")\n error.
If you don't have the s3:ListBucket
permission, Amazon S3 returns\n an HTTP status code 403 Forbidden
(\"access denied\")\n error.
The following actions are related to GetObjectAttributes
:
\n GetObject\n
\n\n GetObjectAcl\n
\n\n GetObjectLegalHold\n
\n\n GetObjectRetention\n
\n\n GetObjectTagging\n
\n\n HeadObject\n
\n\n ListParts\n
\nThe name of the bucket that contains the object.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The name of the bucket that contains the object.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
An XML header that specifies the fields at the root level that you want returned in the\n response. Fields that you do not specify are not returned.
", + "smithy.api#documentation": "Specifies the fields at the root level that you want returned in the response. Fields\n that you do not specify are not returned.
", "smithy.api#httpHeader": "x-amz-object-attributes", "smithy.api#required": {} } @@ -26814,7 +21756,7 @@ "Bucket": { "target": "com.amazonaws.s3#BucketName", "traits": { - "smithy.api#documentation": "The bucket name containing the object.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen using an Object Lambda access point the hostname takes the form AccessPointName-AccountId.s3-object-lambda.Region.amazonaws.com.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The bucket name containing the object.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen using an Object Lambda access point the hostname takes the form AccessPointName-AccountId.s3-object-lambda.Region.amazonaws.com.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
The bucket name containing the object for which to get the tagging information.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The bucket name containing the object for which to get the tagging information.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
This action is useful to determine if a bucket exists and you have permission to access\n it. The action returns a 200 OK
if the bucket exists and you have permission\n to access it.
If the bucket does not exist or you do not have permission to access it, the\n HEAD
request returns a generic 400 Bad Request
, 403\n Forbidden
or 404 Not Found
code. A message body is not included, so\n you cannot determine the exception beyond these error codes.
To use this operation, you must have permissions to perform the\n s3:ListBucket
action. The bucket owner has this permission by default and\n can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing\n Access Permissions to Your Amazon S3 Resources.
To use this API operation against an access point, you must provide the alias of the access point in place of the\n bucket name or specify the access point ARN. When using the access point ARN, you must direct requests to\n the access point hostname. The access point hostname takes the form\n AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com.\n When using the Amazon Web Services SDKs, you provide the ARN in place of the bucket name. For more\n information, see Using access points.
\nTo use this API operation against an Object Lambda access point, provide the alias of the Object Lambda access point in place of the bucket name. \nIf the Object Lambda access point alias in a request is not valid, the error code InvalidAccessPointAliasError
is returned. \nFor more information about InvalidAccessPointAliasError
, see List of\n Error Codes.
This action is useful to determine if a bucket exists and you have permission to access\n it. The action returns a 200 OK
if the bucket exists and you have permission\n to access it.
If the bucket does not exist or you do not have permission to access it, the\n HEAD
request returns a generic 400 Bad Request
, 403\n Forbidden
or 404 Not Found
code. A message body is not included, so\n you cannot determine the exception beyond these error codes.
To use this operation, you must have permissions to perform the\n s3:ListBucket
action. The bucket owner has this permission by default and\n can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing\n Access Permissions to Your Amazon S3 Resources.
To use this API operation against an access point, you must provide the alias of the access point in\n place of the bucket name or specify the access point ARN. When using the access point ARN, you must direct\n requests to the access point hostname. The access point hostname takes the form\n AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com.\n When using the Amazon Web Services SDKs, you provide the ARN in place of the bucket name. For more\n information, see Using access points.
\nTo use this API operation against an Object Lambda access point, provide the alias of the Object Lambda access point in place of the bucket name. \nIf the Object Lambda access point alias in a request is not valid, the error code InvalidAccessPointAliasError
is returned. \nFor more information about InvalidAccessPointAliasError
, see List of\n Error Codes.
The bucket name.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with an Object Lambda access point, provide the alias of the Object Lambda access point in place of the bucket name. \n If the Object Lambda access point alias in a request is not valid, the error code InvalidAccessPointAliasError
is returned. \n For more information about InvalidAccessPointAliasError
, see List of\n Error Codes.
When you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The bucket name.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with an Object Lambda access point, provide the alias of the Object Lambda access point in place of the\n bucket name. If the Object Lambda access point alias in a request is not valid, the error code\n InvalidAccessPointAliasError
is returned. For more information about\n InvalidAccessPointAliasError
, see List of Error\n Codes.
When you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
The HEAD
action retrieves metadata from an object without returning the object itself.\n This action is useful if you're only interested in an object's metadata. To use HEAD
, you\n must have READ access to the object.
A HEAD
request has the same options as a GET
action on an\n object. The response is identical to the GET
response except that there is no\n response body. Because of this, if the HEAD
request generates an error, it\n returns a generic 400 Bad Request
, 403 Forbidden
or 404 Not\n Found
code. It is not possible to retrieve the exact exception beyond these error\n codes.
If you encrypt an object by using server-side encryption with customer-provided\n encryption keys (SSE-C) when you store the object in Amazon S3, then when you retrieve the\n metadata from the object, you must use the following headers:
\n\n x-amz-server-side-encryption-customer-algorithm
\n
\n x-amz-server-side-encryption-customer-key
\n
\n x-amz-server-side-encryption-customer-key-MD5
\n
For more information about SSE-C, see Server-Side Encryption\n (Using Customer-Provided Encryption Keys).
\nEncryption request headers, like x-amz-server-side-encryption
,\n should not be sent for GET
requests if your object uses server-side\n encryption with Key Management Service (KMS) keys (SSE-KMS), dual-layer server-side\n encryption with Amazon Web Services KMS keys (DSSE-KMS), or server-side encryption with Amazon S3\n managed encryption keys (SSE-S3). If your object does use these types of keys,\n you’ll get an HTTP 400 Bad Request error.
The last modified property in this case is the creation date of the\n object.
\nRequest headers are limited to 8 KB in size. For more information, see Common\n Request Headers.
\nConsider the following when using request headers:
\n Consideration 1 – If both of the If-Match
and\n If-Unmodified-Since
headers are present in the request as\n follows:
\n If-Match
condition evaluates to true
, and;
\n If-Unmodified-Since
condition evaluates to\n false
;
Then Amazon S3 returns 200 OK
and the data requested.
Consideration 2 – If both of the If-None-Match
and\n If-Modified-Since
headers are present in the request as\n follows:
\n If-None-Match
condition evaluates to false
,\n and;
\n If-Modified-Since
condition evaluates to\n true
;
Then Amazon S3 returns the 304 Not Modified
response code.
For more information about conditional requests, see RFC 7232.
\nYou need the relevant read object (or version) permission for this operation. For more\n information, see Actions, resources, and condition keys for Amazon S3. \n If the object you request doesn't exist, the error that Amazon S3 returns depends\n on whether you also have the s3:ListBucket permission.
\nIf you have the s3:ListBucket
permission on the bucket, Amazon S3 returns\n an HTTP status code 404 error.
If you don’t have the s3:ListBucket
permission, Amazon S3 returns an HTTP\n status code 403 error.
The following actions are related to HeadObject
:
\n GetObject\n
\n\n GetObjectAttributes\n
\nThe HEAD
action retrieves metadata from an object without returning the\n object itself. This action is useful if you're only interested in an object's metadata. To\n use HEAD
, you must have READ access to the object.
A HEAD
request has the same options as a GET
action on an\n object. The response is identical to the GET
response except that there is no\n response body. Because of this, if the HEAD
request generates an error, it\n returns a generic 400 Bad Request
, 403 Forbidden
or 404 Not\n Found
code. It is not possible to retrieve the exact exception beyond these error\n codes.
If you encrypt an object by using server-side encryption with customer-provided\n encryption keys (SSE-C) when you store the object in Amazon S3, then when you retrieve the\n metadata from the object, you must use the following headers:
\n\n x-amz-server-side-encryption-customer-algorithm
\n
\n x-amz-server-side-encryption-customer-key
\n
\n x-amz-server-side-encryption-customer-key-MD5
\n
For more information about SSE-C, see Server-Side Encryption\n (Using Customer-Provided Encryption Keys).
\nEncryption request headers, like x-amz-server-side-encryption
,\n should not be sent for GET
requests if your object uses server-side\n encryption with Key Management Service (KMS) keys (SSE-KMS), dual-layer server-side\n encryption with Amazon Web Services KMS keys (DSSE-KMS), or server-side encryption with Amazon S3\n managed encryption keys (SSE-S3). If your object does use these types of keys,\n you’ll get an HTTP 400 Bad Request error.
The last modified property in this case is the creation date of the\n object.
\nRequest headers are limited to 8 KB in size. For more information, see Common\n Request Headers.
\nConsider the following when using request headers:
\n Consideration 1 – If both of the If-Match
and\n If-Unmodified-Since
headers are present in the request as\n follows:
\n If-Match
condition evaluates to true
, and;
\n If-Unmodified-Since
condition evaluates to\n false
;
Then Amazon S3 returns 200 OK
and the data requested.
Consideration 2 – If both of the If-None-Match
and\n If-Modified-Since
headers are present in the request as\n follows:
\n If-None-Match
condition evaluates to false
,\n and;
\n If-Modified-Since
condition evaluates to\n true
;
Then Amazon S3 returns the 304 Not Modified
response code.
For more information about conditional requests, see RFC 7232.
\nYou need the relevant read object (or version) permission for this operation.\n For more information, see Actions, resources, and condition\n keys for Amazon S3. If the object you request doesn't exist, the error that\n Amazon S3 returns depends on whether you also have the s3:ListBucket permission.
\nIf you have the s3:ListBucket
permission on the bucket, Amazon S3\n returns an HTTP status code 404 error.
If you don’t have the s3:ListBucket
permission, Amazon S3 returns\n an HTTP status code 403 error.
The following actions are related to HeadObject
:
\n GetObject\n
\n\n GetObjectAttributes\n
\nThe name of the bucket containing the object.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The name of the bucket containing the object.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
Indicates at what date the object is to be moved or deleted. The date value must conform to the ISO 8601 format. \n The time is always midnight UTC.
" + "smithy.api#documentation": "Indicates at what date the object is to be moved or deleted. The date value must conform\n to the ISO 8601 format. The time is always midnight UTC.
" } }, "Days": { @@ -28847,7 +23807,7 @@ "ContinuationToken": { "target": "com.amazonaws.s3#Token", "traits": { - "smithy.api#documentation": "The ContinuationToken that represents a placeholder from where this request should\n begin.
", + "smithy.api#documentation": "The ContinuationToken
that represents a placeholder from where this request\n should begin.
The marker used to continue an inventory configuration listing that has been truncated.\n Use the NextContinuationToken from a previously truncated list response to continue the\n listing. The continuation token is an opaque value that Amazon S3 understands.
", + "smithy.api#documentation": "The marker used to continue an inventory configuration listing that has been truncated.\n Use the NextContinuationToken
from a previously truncated list response to\n continue the listing. The continuation token is an opaque value that Amazon S3\n understands.
The marker that is used to continue a metrics configuration listing that has been\n truncated. Use the NextContinuationToken from a previously truncated list response to\n continue the listing. The continuation token is an opaque value that Amazon S3\n understands.
", + "smithy.api#documentation": "The marker that is used to continue a metrics configuration listing that has been\n truncated. Use the NextContinuationToken
from a previously truncated list\n response to continue the listing. The continuation token is an opaque value that Amazon S3\n understands.
Encoding type used by Amazon S3 to encode object keys in the response.
\nIf you specify encoding-type
request parameter, Amazon S3 includes this element\n in the response, and returns encoded key name values in the following response\n elements:
\n Delimiter
, KeyMarker
, Prefix
,\n NextKeyMarker
, Key
.
Encoding type used by Amazon S3 to encode object keys in the response.
\nIf you specify the encoding-type
request parameter, Amazon S3 includes this\n element in the response, and returns encoded key name values in the following response\n elements:
\n Delimiter
, KeyMarker
, Prefix
,\n NextKeyMarker
, Key
.
The name of the bucket to which the multipart upload was initiated.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The name of the bucket to which the multipart upload was initiated.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
Together with upload-id-marker, this parameter specifies the multipart upload after\n which listing should begin.
\nIf upload-id-marker
is not specified, only the keys lexicographically\n greater than the specified key-marker
will be included in the list.
If upload-id-marker
is specified, any multipart uploads for a key equal to\n the key-marker
might also be included, provided those multipart uploads have\n upload IDs lexicographically greater than the specified\n upload-id-marker
.
Together with upload-id-marker
, this parameter specifies the multipart\n upload after which listing should begin.
If upload-id-marker
is not specified, only the keys lexicographically\n greater than the specified key-marker
will be included in the list.
If upload-id-marker
is specified, any multipart uploads for a key equal to\n the key-marker
might also be included, provided those multipart uploads have\n upload IDs lexicographically greater than the specified\n upload-id-marker
.
Lists in-progress uploads only for those keys that begin with the specified prefix. You\n can use prefixes to separate a bucket into different grouping of keys. (You can think of\n using prefix to make groups in the same way you'd use a folder in a file system.)
", + "smithy.api#documentation": "Lists in-progress uploads only for those keys that begin with the specified prefix. You\n can use prefixes to separate a bucket into different grouping of keys. (You can think of\n using prefix
to make groups in the same way that you'd use a folder in a file\n system.)
Returns metadata about all versions of the objects in a bucket. You can also use request\n parameters as selection criteria to return metadata about a subset of all the object\n versions.
\n To use this operation, you must have permissions to perform the\n s3:ListBucketVersions
action. Be aware of the name difference.
A 200 OK response can contain valid or invalid XML. Make sure to design your\n application to parse the contents of the response and handle it appropriately.
\nTo use this operation, you must have READ access to the bucket.
\nThis action is not supported by Amazon S3 on Outposts.
\nThe following operations are related to ListObjectVersions
:
\n ListObjectsV2\n
\n\n GetObject\n
\n\n PutObject\n
\n\n DeleteObject\n
\nReturns metadata about all versions of the objects in a bucket. You can also use request\n parameters as selection criteria to return metadata about a subset of all the object\n versions.
\n To use this operation, you must have permission to perform the\n s3:ListBucketVersions
action. Be aware of the name difference.
A 200 OK
response can contain valid or invalid XML. Make sure to design\n your application to parse the contents of the response and handle it\n appropriately.
To use this operation, you must have READ access to the bucket.
\nThis action is not supported by Amazon S3 on Outposts.
\nThe following operations are related to ListObjectVersions
:
\n ListObjectsV2\n
\n\n GetObject\n
\n\n PutObject\n
\n\n DeleteObject\n
\nA flag that indicates whether Amazon S3 returned all of the results that satisfied the search\n criteria. If your results were truncated, you can make a follow-up paginated request using\n the NextKeyMarker and NextVersionIdMarker response parameters as a starting place in\n another request to return the rest of the results.
" + "smithy.api#documentation": "A flag that indicates whether Amazon S3 returned all of the results that satisfied the search\n criteria. If your results were truncated, you can make a follow-up paginated request by\n using the NextKeyMarker
and NextVersionIdMarker
response\n parameters as a starting place in another request to return the rest of the results.
When the number of responses exceeds the value of MaxKeys
,\n NextVersionIdMarker
specifies the first object version not returned that\n satisfies the search criteria. Use this value for the version-id-marker request parameter\n in a subsequent request.
When the number of responses exceeds the value of MaxKeys
,\n NextVersionIdMarker
specifies the first object version not returned that\n satisfies the search criteria. Use this value for the version-id-marker
\n request parameter in a subsequent request.
The delimiter grouping the included keys. A delimiter is a character that you specify to\n group keys. All keys that contain the same string between the prefix and the first\n occurrence of the delimiter are grouped under a single result element in\n CommonPrefixes
. These groups are counted as one result against the max-keys\n limitation. These keys are not returned elsewhere in the response.
The delimiter grouping the included keys. A delimiter is a character that you specify to\n group keys. All keys that contain the same string between the prefix and the first\n occurrence of the delimiter are grouped under a single result element in\n CommonPrefixes
. These groups are counted as one result against the\n max-keys
limitation. These keys are not returned elsewhere in the\n response.
Encoding type used by Amazon S3 to encode object key names in the XML response.
\nIf you specify encoding-type request parameter, Amazon S3 includes this element in the\n response, and returns encoded key name values in the following response elements:
\n\n KeyMarker, NextKeyMarker, Prefix, Key
, and Delimiter
.
Encoding type used by Amazon S3 to encode object key names in the XML response.
\nIf you specify the encoding-type
request parameter, Amazon S3 includes this\n element in the response, and returns encoded key name values in the following response\n elements:
\n KeyMarker, NextKeyMarker, Prefix, Key
, and Delimiter
.
A delimiter is a character that you specify to group keys. All keys that contain the\n same string between the prefix
and the first occurrence of the delimiter are\n grouped under a single result element in CommonPrefixes. These groups are counted as one\n result against the max-keys limitation. These keys are not returned elsewhere in the\n response.
A delimiter is a character that you specify to group keys. All keys that contain the\n same string between the prefix
and the first occurrence of the delimiter are\n grouped under a single result element in CommonPrefixes
. These groups are\n counted as one result against the max-keys
limitation. These keys are not\n returned elsewhere in the response.
Sets the maximum number of keys returned in the response. By default the action returns\n up to 1,000 key names. The response might contain fewer keys but will never contain more.\n If additional keys satisfy the search criteria, but were not returned because max-keys was\n exceeded, the response contains
Sets the maximum number of keys returned in the response. By default, the action returns\n up to 1,000 key names. The response might contain fewer keys but will never contain more.\n If additional keys satisfy the search criteria, but were not returned because\n max-keys
was exceeded, the response contains\n
. To return the additional keys,\n see key-marker
and version-id-marker
.
Use this parameter to select only those keys that begin with the specified prefix. You\n can use prefixes to separate a bucket into different groupings of keys. (You can think of\n using prefix to make groups in the same way you'd use a folder in a file system.) You can\n use prefix with delimiter to roll up numerous objects into a single result under\n CommonPrefixes.
", + "smithy.api#documentation": "Use this parameter to select only those keys that begin with the specified prefix. You\n can use prefixes to separate a bucket into different groupings of keys. (You can think of\n using prefix
to make groups in the same way that you'd use a folder in a file\n system.) You can use prefix
with delimiter
to roll up numerous\n objects into a single result under CommonPrefixes
.
Specifies the optional fields that you want returned in the response. Fields that you do\n not specify are not returned.
", + "smithy.api#httpHeader": "x-amz-optional-object-attributes" + } } }, "traits": { @@ -29632,7 +24599,7 @@ "NextMarker": { "target": "com.amazonaws.s3#NextMarker", "traits": { - "smithy.api#documentation": "When response is truncated (the IsTruncated element value in the response is true), you\n can use the key name in this field as marker in the subsequent request to get next set of\n objects. Amazon S3 lists objects in alphabetical order Note: This element is returned only if\n you have delimiter request parameter specified. If response does not include the NextMarker\n and it is truncated, you can use the value of the last Key in the response as the marker in\n the subsequent request to get the next set of object keys.
" + "smithy.api#documentation": "When the response is truncated (the IsTruncated
element value in the\n response is true
), you can use the key name in this field as the\n marker
parameter in the subsequent request to get the next set of objects.\n Amazon S3 lists objects in alphabetical order.
This element is returned only if you have the delimiter
request\n parameter specified. If the response does not include the NextMarker
\n element and it is truncated, you can use the value of the last Key
element\n in the response as the marker
parameter in the subsequent request to get\n the next set of object keys.
All of the keys (up to 1,000) rolled up in a common prefix count as a single return when\n calculating the number of returns.
\nA response can contain CommonPrefixes only if you specify a delimiter.
\nCommonPrefixes contains all (if there are any) keys between Prefix and the next\n occurrence of the string specified by the delimiter.
\nCommonPrefixes lists keys that act like subdirectories in the directory specified by\n Prefix.
\nFor example, if the prefix is notes/ and the delimiter is a slash (/) as in\n notes/summer/july, the common prefix is notes/summer/. All of the keys that roll up into a\n common prefix count as a single return when calculating the number of returns.
", + "smithy.api#documentation": "All of the keys (up to 1,000) rolled up in a common prefix count as a single return when\n calculating the number of returns.
\nA response can contain CommonPrefixes
only if you specify a\n delimiter.
\n CommonPrefixes
contains all (if there are any) keys between\n Prefix
and the next occurrence of the string specified by the\n delimiter.
\n CommonPrefixes
lists keys that act like subdirectories in the directory\n specified by Prefix
.
For example, if the prefix is notes/
and the delimiter is a slash\n (/
), as in notes/summer/july
, the common prefix is\n notes/summer/
. All of the keys that roll up into a common prefix count as a\n single return when calculating the number of returns.
The name of the bucket containing the objects.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The name of the bucket containing the objects.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
A delimiter is a character you use to group keys.
", + "smithy.api#documentation": "A delimiter is a character that you use to group keys.
", "smithy.api#httpQuery": "delimiter" } }, @@ -29722,7 +24689,7 @@ "Marker": { "target": "com.amazonaws.s3#Marker", "traits": { - "smithy.api#documentation": "Marker is where you want Amazon S3 to start listing from. Amazon S3 starts listing after\n this specified key. Marker can be any key in the bucket.
", + "smithy.api#documentation": "Marker is where you want Amazon S3 to start listing from. Amazon S3 starts listing after this\n specified key. Marker can be any key in the bucket.
", "smithy.api#httpQuery": "marker" } }, @@ -29730,7 +24697,7 @@ "target": "com.amazonaws.s3#MaxKeys", "traits": { "smithy.api#default": 0, - "smithy.api#documentation": "Sets the maximum number of keys returned in the response. By default the action returns\n up to 1,000 key names. The response might contain fewer keys but will never contain more.\n
", + "smithy.api#documentation": "Sets the maximum number of keys returned in the response. By default, the action returns\n up to 1,000 key names. The response might contain fewer keys but will never contain more.\n
", "smithy.api#httpQuery": "max-keys" } }, @@ -29754,6 +24721,13 @@ "smithy.api#documentation": "The account ID of the expected bucket owner. If the bucket is owned by a different account, the request fails with the HTTP status code 403 Forbidden
(access denied).
Specifies the optional fields that you want returned in the response. Fields that you do\n not specify are not returned.
", + "smithy.api#httpHeader": "x-amz-optional-object-attributes" + } } }, "traits": { @@ -29774,7 +24748,7 @@ } ], "traits": { - "smithy.api#documentation": "Returns some or all (up to 1,000) of the objects in a bucket with each request. You can\n use the request parameters as selection criteria to return a subset of the objects in a\n bucket. A 200 OK
response can contain valid or invalid XML. Make sure to\n design your application to parse the contents of the response and handle it appropriately.\n Objects are returned sorted in an ascending order of the respective key names in the list.\n For more information about listing objects, see Listing object keys\n programmatically\n
To use this operation, you must have READ access to the bucket.
\nTo use this action in an Identity and Access Management (IAM) policy, you must have permissions to perform\n the s3:ListBucket
action. The bucket owner has this permission by default and\n can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing\n Access Permissions to Your Amazon S3 Resources.
This section describes the latest revision of this action. We recommend that you use\n this revised API for application development. For backward compatibility, Amazon S3 continues\n to support the prior version of this API, ListObjects.
\nTo get a list of your buckets, see ListBuckets.
\nThe following operations are related to ListObjectsV2
:
\n GetObject\n
\n\n PutObject\n
\n\n CreateBucket\n
\nReturns some or all (up to 1,000) of the objects in a bucket with each request. You can\n use the request parameters as selection criteria to return a subset of the objects in a\n bucket. A 200 OK
response can contain valid or invalid XML. Make sure to\n design your application to parse the contents of the response and handle it appropriately.\n Objects are returned sorted in an ascending order of the respective key names in the list.\n For more information about listing objects, see Listing object keys\n programmatically in the Amazon S3 User Guide.
To use this operation, you must have READ access to the bucket.
\nTo use this action in an Identity and Access Management (IAM) policy, you must have permission to perform\n the s3:ListBucket
action. The bucket owner has this permission by default and\n can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing\n Access Permissions to Your Amazon S3 Resources in the\n Amazon S3 User Guide.
This section describes the latest revision of this action. We recommend that you use\n this revised API operation for application development. For backward compatibility, Amazon S3\n continues to support the prior version of this API operation, ListObjects.
\nTo get a list of your buckets, see ListBuckets.
\nThe following operations are related to ListObjectsV2
:
\n GetObject\n
\n\n PutObject\n
\n\n CreateBucket\n
\nSet to false if all of the results were returned. Set to true if more keys are available\n to return. If the number of results exceeds that specified by MaxKeys, all of the results\n might not be returned.
" + "smithy.api#documentation": "Set to false
if all of the results were returned. Set to true
\n if more keys are available to return. If the number of results exceeds that specified by\n MaxKeys
, all of the results might not be returned.
The bucket name.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The bucket name.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
Causes keys that contain the same string between the prefix and the first occurrence of\n the delimiter to be rolled up into a single result element in the CommonPrefixes\n collection. These rolled-up keys are not returned elsewhere in the response. Each rolled-up\n result counts as only one return against the MaxKeys
value.
Causes keys that contain the same string between the prefix
and the first\n occurrence of the delimiter to be rolled up into a single result element in the\n CommonPrefixes
collection. These rolled-up keys are not returned elsewhere\n in the response. Each rolled-up result counts as only one return against the\n MaxKeys
value.
Sets the maximum number of keys returned in the response. By default the action returns\n up to 1,000 key names. The response might contain fewer keys but will never contain\n more.
" + "smithy.api#documentation": "Sets the maximum number of keys returned in the response. By default, the action returns\n up to 1,000 key names. The response might contain fewer keys but will never contain\n more.
" } }, "CommonPrefixes": { @@ -29839,20 +24813,20 @@ "EncodingType": { "target": "com.amazonaws.s3#EncodingType", "traits": { - "smithy.api#documentation": "Encoding type used by Amazon S3 to encode object key names in the XML response.
\nIf you specify the encoding-type request parameter, Amazon S3 includes this element in the\n response, and returns encoded key name values in the following response elements:
\n\n Delimiter, Prefix, Key,
and StartAfter
.
Encoding type used by Amazon S3 to encode object key names in the XML response.
\nIf you specify the encoding-type
request parameter, Amazon S3 includes this\n element in the response, and returns encoded key name values in the following response\n elements:
\n Delimiter, Prefix, Key,
and StartAfter
.
KeyCount is the number of keys returned with this request. KeyCount will always be less\n than or equal to the MaxKeys
field. Say you ask for 50 keys, your result will\n include 50 keys or fewer.
\n KeyCount
is the number of keys returned with this request.\n KeyCount
will always be less than or equal to the MaxKeys
\n field. For example, if you ask for 50 keys, your result will include 50 keys or\n fewer.
If ContinuationToken was sent with the request, it is included in the response.
" + "smithy.api#documentation": " If ContinuationToken
was sent with the request, it is included in the\n response.
Bucket name to list.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
Bucket name to list.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
A delimiter is a character you use to group keys.
", + "smithy.api#documentation": "A delimiter is a character that you use to group keys.
", "smithy.api#httpQuery": "delimiter" } }, @@ -29911,7 +24885,7 @@ "target": "com.amazonaws.s3#MaxKeys", "traits": { "smithy.api#default": 0, - "smithy.api#documentation": "Sets the maximum number of keys returned in the response. By default the action returns\n up to 1,000 key names. The response might contain fewer keys but will never contain\n more.
", + "smithy.api#documentation": "Sets the maximum number of keys returned in the response. By default, the action returns\n up to 1,000 key names. The response might contain fewer keys but will never contain\n more.
", "smithy.api#httpQuery": "max-keys" } }, @@ -29925,7 +24899,7 @@ "ContinuationToken": { "target": "com.amazonaws.s3#Token", "traits": { - "smithy.api#documentation": "ContinuationToken indicates Amazon S3 that the list is being continued on this bucket with a\n token. ContinuationToken is obfuscated and is not a real key.
", + "smithy.api#documentation": "\n ContinuationToken
indicates to Amazon S3 that the list is being continued on\n this bucket with a token. ContinuationToken
is obfuscated and is not a real\n key.
The owner field is not present in listV2 by default, if you want to return owner field\n with each key in the result then set the fetch owner field to true.
", + "smithy.api#documentation": "The owner field is not present in ListObjectsV2
by default. If you want to\n return the owner field with each key in the result, then set the FetchOwner
\n field to true
.
The account ID of the expected bucket owner. If the bucket is owned by a different account, the request fails with the HTTP status code 403 Forbidden
(access denied).
Specifies the optional fields that you want returned in the response. Fields that you do\n not specify are not returned.
", + "smithy.api#httpHeader": "x-amz-optional-object-attributes" + } } }, "traits": { @@ -29992,7 +24973,7 @@ "AbortDate": { "target": "com.amazonaws.s3#AbortDate", "traits": { - "smithy.api#documentation": "If the bucket has a lifecycle rule configured with an action to abort incomplete\n multipart uploads and the prefix in the lifecycle rule matches the object name in the\n request, then the response includes this header indicating when the initiated multipart\n upload will become eligible for abort operation. For more information, see Aborting Incomplete Multipart Uploads Using a Bucket Lifecycle Configuration.
\nThe response will also include the x-amz-abort-rule-id
header that will\n provide the ID of the lifecycle configuration rule that defines this action.
If the bucket has a lifecycle rule configured with an action to abort incomplete\n multipart uploads and the prefix in the lifecycle rule matches the object name in the\n request, then the response includes this header indicating when the initiated multipart\n upload will become eligible for abort operation. For more information, see Aborting Incomplete Multipart Uploads Using a Bucket Lifecycle\n Configuration.
\nThe response will also include the x-amz-abort-rule-id
header that will\n provide the ID of the lifecycle configuration rule that defines this action.
When a list is truncated, this element specifies the last part in the list, as well as\n the value to use for the part-number-marker request parameter in a subsequent\n request.
" + "smithy.api#documentation": "When a list is truncated, this element specifies the last part in the list, as well as\n the value to use for the part-number-marker
request parameter in a subsequent\n request.
The name of the bucket to which the parts are being uploaded.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The name of the bucket to which the parts are being uploaded.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
Name of the Object.
" + "smithy.api#documentation": "Name of the object.
" } }, "Value": { "target": "com.amazonaws.s3#MetadataValue", "traits": { - "smithy.api#documentation": "Value of the Object.
" + "smithy.api#documentation": "Value of the object.
" } } }, @@ -30682,7 +25663,7 @@ } }, "traits": { - "smithy.api#documentation": "Specifies object key name filtering rules. For information about key name filtering, see\n Configuring event notifications using object key name filtering in the Amazon S3 User Guide.
" + "smithy.api#documentation": "Specifies object key name filtering rules. For information about key name filtering, see\n Configuring event\n notifications using object key name filtering in the\n Amazon S3 User Guide.
" } }, "com.amazonaws.s3#NotificationId": { @@ -30737,6 +25718,12 @@ "traits": { "smithy.api#documentation": "The owner of the object
" } + }, + "RestoreStatus": { + "target": "com.amazonaws.s3#RestoreStatus", + "traits": { + "smithy.api#documentation": "Specifies the restoration status of an object. Objects in certain storage classes must\n be restored before they can be retrieved. For more information about these storage classes\n and how to work with archived objects, see Working with archived\n objects in the Amazon S3 User Guide.
" + } } }, "traits": { @@ -31247,6 +26234,12 @@ "traits": { "smithy.api#documentation": "Specifies the owner of the object.
" } + }, + "RestoreStatus": { + "target": "com.amazonaws.s3#RestoreStatus", + "traits": { + "smithy.api#documentation": "Specifies the restoration status of an object. Objects in certain storage classes must\n be restored before they can be retrieved. For more information about these storage classes\n and how to work with archived objects, see Working with archived\n objects in the Amazon S3 User Guide.
" + } } }, "traits": { @@ -31273,6 +26266,23 @@ } } }, + "com.amazonaws.s3#OptionalObjectAttributes": { + "type": "enum", + "members": { + "RESTORE_STATUS": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "RestoreStatus" + } + } + } + }, + "com.amazonaws.s3#OptionalObjectAttributesList": { + "type": "list", + "member": { + "target": "com.amazonaws.s3#OptionalObjectAttributes" + } + }, "com.amazonaws.s3#OutputLocation": { "type": "structure", "members": { @@ -31723,7 +26733,7 @@ "requestAlgorithmMember": "ChecksumAlgorithm", "requestChecksumRequired": true }, - "smithy.api#documentation": "Sets the permissions on an existing bucket using access control lists (ACL). For more\n information, see Using ACLs. To set the ACL of a\n bucket, you must have WRITE_ACP
permission.
You can use one of the following two ways to set a bucket's permissions:
\nSpecify the ACL in the request body
\nSpecify permissions using request headers
\nYou cannot specify access permission using both the body and the request\n headers.
\nDepending on your application needs, you may choose to set the ACL on a bucket using\n either the request body or the headers. For example, if you have an existing application\n that updates a bucket ACL using the request body, then you can continue to use that\n approach.
\nIf your bucket uses the bucket owner enforced setting for S3 Object Ownership, ACLs\n are disabled and no longer affect permissions. You must use policies to grant access to\n your bucket and the objects in it. Requests to set ACLs or update ACLs fail and return\n the AccessControlListNotSupported
error code. Requests to read ACLs are\n still supported. For more information, see Controlling object\n ownership in the Amazon S3 User Guide.
You can set access permissions by using one of the following methods:
\nSpecify a canned ACL with the x-amz-acl
request header. Amazon S3 supports\n a set of predefined ACLs, known as canned ACLs. Each canned ACL\n has a predefined set of grantees and permissions. Specify the canned ACL name as the\n value of x-amz-acl
. If you use this header, you cannot use other access\n control-specific headers in your request. For more information, see Canned\n ACL.
Specify access permissions explicitly with the x-amz-grant-read
,\n x-amz-grant-read-acp
, x-amz-grant-write-acp
, and\n x-amz-grant-full-control
headers. When using these headers, you\n specify explicit access permissions and grantees (Amazon Web Services accounts or Amazon S3 groups) who\n will receive the permission. If you use these ACL-specific headers, you cannot use\n the x-amz-acl
header to set a canned ACL. These parameters map to the\n set of permissions that Amazon S3 supports in an ACL. For more information, see Access Control\n List (ACL) Overview.
You specify each grantee as a type=value pair, where the type is one of the\n following:
\n\n id
– if the value specified is the canonical user ID of an\n Amazon Web Services account
\n uri
– if you are granting permissions to a predefined\n group
\n emailAddress
– if the value specified is the email address of\n an Amazon Web Services account
Using email addresses to specify a grantee is only supported in the following Amazon Web Services Regions:
\nUS East (N. Virginia)
\nUS West (N. California)
\nUS West (Oregon)
\nAsia Pacific (Singapore)
\nAsia Pacific (Sydney)
\nAsia Pacific (Tokyo)
\nEurope (Ireland)
\nSouth America (São Paulo)
\nFor a list of all the Amazon S3 supported Regions and endpoints, see Regions and Endpoints in the Amazon Web Services General Reference.
\nFor example, the following x-amz-grant-write
header grants create,\n overwrite, and delete objects permission to LogDelivery group predefined by Amazon S3 and\n two Amazon Web Services accounts identified by their email addresses.
\n x-amz-grant-write: uri=\"http://acs.amazonaws.com/groups/s3/LogDelivery\",\n id=\"111122223333\", id=\"555566667777\"
\n
You can use either a canned ACL or specify access permissions explicitly. You cannot do\n both.
\nYou can specify the person (grantee) to whom you're assigning access rights (using\n request elements) in the following ways:
\nBy the person's ID:
\n\n
\n
DisplayName is optional and ignored in the request
\nBy URI:
\n\n
\n
By Email address:
\n\n
\n
The grantee is resolved to the CanonicalUser and, in a response to a GET Object\n acl request, appears as the CanonicalUser.
\nUsing email addresses to specify a grantee is only supported in the following Amazon Web Services Regions:
\nUS East (N. Virginia)
\nUS West (N. California)
\nUS West (Oregon)
\nAsia Pacific (Singapore)
\nAsia Pacific (Sydney)
\nAsia Pacific (Tokyo)
\nEurope (Ireland)
\nSouth America (São Paulo)
\nFor a list of all the Amazon S3 supported Regions and endpoints, see Regions and Endpoints in the Amazon Web Services General Reference.
\nThe following operations are related to PutBucketAcl
:
\n CreateBucket\n
\n\n DeleteBucket\n
\n\n GetObjectAcl\n
\nSets the permissions on an existing bucket using access control lists (ACL). For more\n information, see Using ACLs. To set the ACL of a\n bucket, you must have WRITE_ACP
permission.
You can use one of the following two ways to set a bucket's permissions:
\nSpecify the ACL in the request body
\nSpecify permissions using request headers
\nYou cannot specify access permission using both the body and the request\n headers.
\nDepending on your application needs, you may choose to set the ACL on a bucket using\n either the request body or the headers. For example, if you have an existing application\n that updates a bucket ACL using the request body, then you can continue to use that\n approach.
\nIf your bucket uses the bucket owner enforced setting for S3 Object Ownership, ACLs\n are disabled and no longer affect permissions. You must use policies to grant access to\n your bucket and the objects in it. Requests to set ACLs or update ACLs fail and return\n the AccessControlListNotSupported
error code. Requests to read ACLs are\n still supported. For more information, see Controlling object\n ownership in the Amazon S3 User Guide.
You can set access permissions by using one of the following methods:
\nSpecify a canned ACL with the x-amz-acl
request header. Amazon S3\n supports a set of predefined ACLs, known as canned\n ACLs. Each canned ACL has a predefined set of grantees and\n permissions. Specify the canned ACL name as the value of\n x-amz-acl
. If you use this header, you cannot use other\n access control-specific headers in your request. For more information, see\n Canned\n ACL.
Specify access permissions explicitly with the\n x-amz-grant-read
, x-amz-grant-read-acp
,\n x-amz-grant-write-acp
, and\n x-amz-grant-full-control
headers. When using these headers,\n you specify explicit access permissions and grantees (Amazon Web Services accounts or Amazon S3\n groups) who will receive the permission. If you use these ACL-specific\n headers, you cannot use the x-amz-acl
header to set a canned\n ACL. These parameters map to the set of permissions that Amazon S3 supports in an\n ACL. For more information, see Access Control List (ACL)\n Overview.
You specify each grantee as a type=value pair, where the type is one of\n the following:
\n\n id
– if the value specified is the canonical user ID\n of an Amazon Web Services account
\n uri
– if you are granting permissions to a predefined\n group
\n emailAddress
– if the value specified is the email\n address of an Amazon Web Services account
Using email addresses to specify a grantee is only supported in the following Amazon Web Services Regions:
\nUS East (N. Virginia)
\nUS West (N. California)
\nUS West (Oregon)
\nAsia Pacific (Singapore)
\nAsia Pacific (Sydney)
\nAsia Pacific (Tokyo)
\nEurope (Ireland)
\nSouth America (São Paulo)
\nFor a list of all the Amazon S3 supported Regions and endpoints, see Regions and Endpoints in the Amazon Web Services General Reference.
\nFor example, the following x-amz-grant-write
header grants\n create, overwrite, and delete objects permission to LogDelivery group\n predefined by Amazon S3 and two Amazon Web Services accounts identified by their email\n addresses.
\n x-amz-grant-write:\n uri=\"http://acs.amazonaws.com/groups/s3/LogDelivery\", id=\"111122223333\",\n id=\"555566667777\"
\n
You can use either a canned ACL or specify access permissions explicitly. You\n cannot do both.
\nYou can specify the person (grantee) to whom you're assigning access rights\n (using request elements) in the following ways:
\nBy the person's ID:
\n\n
\n
DisplayName is optional and ignored in the request
\nBy URI:
\n\n
\n
By Email address:
\n\n
\n
The grantee is resolved to the CanonicalUser and, in a response to a GET\n Object acl request, appears as the CanonicalUser.
\nUsing email addresses to specify a grantee is only supported in the following Amazon Web Services Regions:
\nUS East (N. Virginia)
\nUS West (N. California)
\nUS West (Oregon)
\nAsia Pacific (Singapore)
\nAsia Pacific (Sydney)
\nAsia Pacific (Tokyo)
\nEurope (Ireland)
\nSouth America (São Paulo)
\nFor a list of all the Amazon S3 supported Regions and endpoints, see Regions and Endpoints in the Amazon Web Services General Reference.
\nThe following operations are related to PutBucketAcl
:
\n CreateBucket\n
\n\n DeleteBucket\n
\n\n GetObjectAcl\n
\nSets an analytics configuration for the bucket (specified by the analytics configuration\n ID). You can have up to 1,000 analytics configurations per bucket.
\nYou can choose to have storage class analysis export analysis reports sent to a\n comma-separated values (CSV) flat file. See the DataExport
request element.\n Reports are updated daily and are based on the object filters that you configure. When\n selecting data export, you specify a destination bucket and an optional destination prefix\n where the file is written. You can export the data to a destination bucket in a different\n account. However, the destination bucket must be in the same Region as the bucket that you\n are making the PUT analytics configuration to. For more information, see Amazon S3\n Analytics – Storage Class Analysis.
You must create a bucket policy on the destination bucket where the exported file is\n written to grant permissions to Amazon S3 to write objects to the bucket. For an example\n policy, see Granting Permissions for Amazon S3 Inventory and Storage Class Analysis.
\nTo use this operation, you must have permissions to perform the\n s3:PutAnalyticsConfiguration
action. The bucket owner has this permission\n by default. The bucket owner can grant this permission to others. For more information\n about permissions, see Permissions Related to Bucket Subresource Operations and Managing\n Access Permissions to Your Amazon S3 Resources.
\n PutBucketAnalyticsConfiguration
has the following special errors:
\n HTTP Error: HTTP 400 Bad Request\n
\n\n Code: InvalidArgument\n
\n\n Cause: Invalid argument.\n
\n\n HTTP Error: HTTP 400 Bad Request\n
\n\n Code: TooManyConfigurations\n
\n\n Cause: You are attempting to create a new configuration but have\n already reached the 1,000-configuration limit.\n
\n\n HTTP Error: HTTP 403 Forbidden\n
\n\n Code: AccessDenied\n
\n\n Cause: You are not the owner of the specified bucket, or you do\n not have the s3:PutAnalyticsConfiguration bucket permission to set the\n configuration on the bucket.\n
\nThe following operations are related to PutBucketAnalyticsConfiguration
:
Sets an analytics configuration for the bucket (specified by the analytics configuration\n ID). You can have up to 1,000 analytics configurations per bucket.
\nYou can choose to have storage class analysis export analysis reports sent to a\n comma-separated values (CSV) flat file. See the DataExport
request element.\n Reports are updated daily and are based on the object filters that you configure. When\n selecting data export, you specify a destination bucket and an optional destination prefix\n where the file is written. You can export the data to a destination bucket in a different\n account. However, the destination bucket must be in the same Region as the bucket that you\n are making the PUT analytics configuration to. For more information, see Amazon S3\n Analytics – Storage Class Analysis.
You must create a bucket policy on the destination bucket where the exported file is\n written to grant permissions to Amazon S3 to write objects to the bucket. For an example\n policy, see Granting Permissions for Amazon S3 Inventory and Storage Class Analysis.
\nTo use this operation, you must have permissions to perform the\n s3:PutAnalyticsConfiguration
action. The bucket owner has this permission\n by default. The bucket owner can grant this permission to others. For more information\n about permissions, see Permissions Related to Bucket Subresource Operations and Managing\n Access Permissions to Your Amazon S3 Resources.
\n PutBucketAnalyticsConfiguration
has the following special errors:
\n HTTP Error: HTTP 400 Bad Request\n
\n\n Code: InvalidArgument\n
\n\n Cause: Invalid argument.\n
\n\n HTTP Error: HTTP 400 Bad Request\n
\n\n Code: TooManyConfigurations\n
\n\n Cause: You are attempting to create a new configuration but have\n already reached the 1,000-configuration limit.\n
\n\n HTTP Error: HTTP 403 Forbidden\n
\n\n Code: AccessDenied\n
\n\n Cause: You are not the owner of the specified bucket, or you do\n not have the s3:PutAnalyticsConfiguration bucket permission to set the\n configuration on the bucket.\n
\nThe following operations are related to\n PutBucketAnalyticsConfiguration
:
This action uses the encryption
subresource to configure default encryption\n and Amazon S3 Bucket Keys for an existing bucket.
By default, all buckets have a default encryption configuration that uses server-side\n encryption with Amazon S3 managed keys (SSE-S3). You can optionally configure default encryption\n for a bucket by using server-side encryption with Key Management Service (KMS) keys (SSE-KMS),\n dual-layer server-side encryption with Amazon Web Services KMS keys (DSSE-KMS), or server-side\n encryption with customer-provided keys (SSE-C). If you specify default encryption by using\n SSE-KMS, you can also configure Amazon S3 Bucket Keys. For information about bucket default\n encryption, see Amazon S3 bucket default encryption\n in the Amazon S3 User Guide. For more information about S3 Bucket Keys, see\n Amazon S3 Bucket\n Keys in the Amazon S3 User Guide.
\nThis action requires Amazon Web Services Signature Version 4. For more information, see \n Authenticating Requests (Amazon Web Services Signature Version 4).
\nTo use this operation, you must have permission to perform the\n s3:PutEncryptionConfiguration
action. The bucket owner has this permission\n by default. The bucket owner can grant this permission to others. For more information\n about permissions, see Permissions Related to Bucket Subresource Operations and Managing\n Access Permissions to Your Amazon S3 Resources in the\n Amazon S3 User Guide.
The following operations are related to PutBucketEncryption
:
\n GetBucketEncryption\n
\nThis action uses the encryption
subresource to configure default encryption\n and Amazon S3 Bucket Keys for an existing bucket.
By default, all buckets have a default encryption configuration that uses server-side\n encryption with Amazon S3 managed keys (SSE-S3). You can optionally configure default encryption\n for a bucket by using server-side encryption with Key Management Service (KMS) keys (SSE-KMS) or\n dual-layer server-side encryption with Amazon Web Services KMS keys (DSSE-KMS). If you specify default encryption by using\n SSE-KMS, you can also configure Amazon S3 Bucket\n Keys. If you use PutBucketEncryption to set your default bucket encryption to SSE-KMS, you should verify that your KMS key ID is correct. Amazon S3 does not validate the KMS key ID provided in PutBucketEncryption requests.
\nThis action requires Amazon Web Services Signature Version 4. For more information, see \n Authenticating Requests (Amazon Web Services Signature Version 4).
\nTo use this operation, you must have permission to perform the\n s3:PutEncryptionConfiguration
action. The bucket owner has this permission\n by default. The bucket owner can grant this permission to others. For more information\n about permissions, see Permissions Related to Bucket Subresource Operations and Managing\n Access Permissions to Your Amazon S3 Resources in the\n Amazon S3 User Guide.
The following operations are related to PutBucketEncryption
:
\n GetBucketEncryption\n
\nPuts a S3 Intelligent-Tiering configuration to the specified bucket. You can have up to\n 1,000 S3 Intelligent-Tiering configurations per bucket.
\nThe S3 Intelligent-Tiering storage class is designed to optimize storage costs by automatically moving data to the most cost-effective storage access tier, without performance impact or operational overhead. S3 Intelligent-Tiering delivers automatic cost savings in three low latency and high throughput access tiers. To get the lowest storage cost on data that can be accessed in minutes to hours, you can choose to activate additional archiving capabilities.
\nThe S3 Intelligent-Tiering storage class is the ideal storage class for data with unknown, changing, or unpredictable access patterns, independent of object size or retention period. If the size of an object is less than 128 KB, it is not monitored and not eligible for auto-tiering. Smaller objects can be stored, but they are always charged at the Frequent Access tier rates in the S3 Intelligent-Tiering storage class.
\nFor more information, see Storage class for automatically optimizing frequently and infrequently accessed objects.
\nOperations related to PutBucketIntelligentTieringConfiguration
include:
You only need S3 Intelligent-Tiering enabled on a bucket if you want to automatically\n move objects stored in the S3 Intelligent-Tiering storage class to the Archive Access\n or Deep Archive Access tier.
\n\n PutBucketIntelligentTieringConfiguration
has the following special errors:
\n Code: InvalidArgument
\n\n Cause: Invalid Argument
\n\n Code: TooManyConfigurations
\n\n Cause: You are attempting to create a new configuration\n but have already reached the 1,000-configuration limit.
\n\n Cause: You are not the owner of the specified bucket,\n or you do not have the s3:PutIntelligentTieringConfiguration
\n bucket permission to set the configuration on the bucket.
Puts a S3 Intelligent-Tiering configuration to the specified bucket. You can have up to\n 1,000 S3 Intelligent-Tiering configurations per bucket.
\nThe S3 Intelligent-Tiering storage class is designed to optimize storage costs by automatically moving data to the most cost-effective storage access tier, without performance impact or operational overhead. S3 Intelligent-Tiering delivers automatic cost savings in three low latency and high throughput access tiers. To get the lowest storage cost on data that can be accessed in minutes to hours, you can choose to activate additional archiving capabilities.
\nThe S3 Intelligent-Tiering storage class is the ideal storage class for data with unknown, changing, or unpredictable access patterns, independent of object size or retention period. If the size of an object is less than 128 KB, it is not monitored and not eligible for auto-tiering. Smaller objects can be stored, but they are always charged at the Frequent Access tier rates in the S3 Intelligent-Tiering storage class.
\nFor more information, see Storage class for automatically optimizing frequently and infrequently accessed objects.
\nOperations related to PutBucketIntelligentTieringConfiguration
include:
You only need S3 Intelligent-Tiering enabled on a bucket if you want to automatically\n move objects stored in the S3 Intelligent-Tiering storage class to the Archive Access\n or Deep Archive Access tier.
\n\n PutBucketIntelligentTieringConfiguration
has the following special\n errors:
\n Code: InvalidArgument
\n\n Cause: Invalid Argument
\n\n Code: TooManyConfigurations
\n\n Cause: You are attempting to create a new configuration\n but have already reached the 1,000-configuration limit.
\n\n Cause: You are not the owner of the specified bucket, or\n you do not have the s3:PutIntelligentTieringConfiguration
bucket\n permission to set the configuration on the bucket.
This implementation of the PUT
action adds an inventory configuration\n (identified by the inventory ID) to the bucket. You can have up to 1,000 inventory\n configurations per bucket.
Amazon S3 inventory generates inventories of the objects in the bucket on a daily or weekly\n basis, and the results are published to a flat file. The bucket that is inventoried is\n called the source bucket, and the bucket where the inventory flat file\n is stored is called the destination bucket. The\n destination bucket must be in the same Amazon Web Services Region as the\n source bucket.
\nWhen you configure an inventory for a source bucket, you specify\n the destination bucket where you want the inventory to be stored, and\n whether to generate the inventory daily or weekly. You can also configure what object\n metadata to include and whether to inventory all object versions or only current versions.\n For more information, see Amazon S3 Inventory in the\n Amazon S3 User Guide.
\nYou must create a bucket policy on the destination bucket to\n grant permissions to Amazon S3 to write objects to the bucket in the defined location. For an\n example policy, see Granting Permissions for Amazon S3 Inventory and Storage Class Analysis.
\nTo use this operation, you must have permission to perform the\n s3:PutInventoryConfiguration
action. The bucket owner has this permission\n by default and can grant this permission to others.
The s3:PutInventoryConfiguration
permission allows a user to create an\n S3\n Inventory report that includes all object metadata fields available and to\n specify the destination bucket to store the inventory. A user with read access to objects\n in the destination bucket can also access all object metadata fields that are available in\n the inventory report.
To restrict access to an inventory report, see Restricting access to an Amazon S3 Inventory report in the\n Amazon S3 User Guide. For more information about the metadata fields\n available in S3 Inventory, see Amazon S3\n Inventory lists in the Amazon S3 User Guide. For more\n information about permissions, see Permissions related to bucket subresource operations and Identity and\n access management in Amazon S3 in the Amazon S3 User Guide.
\n\n PutBucketInventoryConfiguration
has the following special errors:
\n Code: InvalidArgument
\n\n Cause: Invalid Argument
\n\n Code: TooManyConfigurations
\n\n Cause: You are attempting to create a new configuration\n but have already reached the 1,000-configuration limit.
\n\n Cause: You are not the owner of the specified bucket,\n or you do not have the s3:PutInventoryConfiguration
bucket\n permission to set the configuration on the bucket.
The following operations are related to PutBucketInventoryConfiguration
:
This implementation of the PUT
action adds an inventory configuration\n (identified by the inventory ID) to the bucket. You can have up to 1,000 inventory\n configurations per bucket.
Amazon S3 inventory generates inventories of the objects in the bucket on a daily or weekly\n basis, and the results are published to a flat file. The bucket that is inventoried is\n called the source bucket, and the bucket where the inventory flat file\n is stored is called the destination bucket. The\n destination bucket must be in the same Amazon Web Services Region as the\n source bucket.
\nWhen you configure an inventory for a source bucket, you specify\n the destination bucket where you want the inventory to be stored, and\n whether to generate the inventory daily or weekly. You can also configure what object\n metadata to include and whether to inventory all object versions or only current versions.\n For more information, see Amazon S3 Inventory in the\n Amazon S3 User Guide.
\nYou must create a bucket policy on the destination bucket to\n grant permissions to Amazon S3 to write objects to the bucket in the defined location. For an\n example policy, see Granting Permissions for Amazon S3 Inventory and Storage Class Analysis.
\nTo use this operation, you must have permission to perform the\n s3:PutInventoryConfiguration
action. The bucket owner has this\n permission by default and can grant this permission to others.
The s3:PutInventoryConfiguration
permission allows a user to\n create an S3 Inventory\n report that includes all object metadata fields available and to specify the\n destination bucket to store the inventory. A user with read access to objects in\n the destination bucket can also access all object metadata fields that are\n available in the inventory report.
To restrict access to an inventory report, see Restricting access to an Amazon S3 Inventory report in the\n Amazon S3 User Guide. For more information about the metadata\n fields available in S3 Inventory, see Amazon S3 Inventory lists in the Amazon S3 User Guide. For\n more information about permissions, see Permissions related to bucket subresource operations and Identity and access management in Amazon S3 in the\n Amazon S3 User Guide.
\n\n PutBucketInventoryConfiguration
has the following special errors:
\n Code: InvalidArgument
\n\n Cause: Invalid Argument
\n\n Code: TooManyConfigurations
\n\n Cause: You are attempting to create a new configuration\n but have already reached the 1,000-configuration limit.
\n\n Cause: You are not the owner of the specified bucket, or\n you do not have the s3:PutInventoryConfiguration
bucket permission to\n set the configuration on the bucket.
The following operations are related to\n PutBucketInventoryConfiguration
:
Creates a new lifecycle configuration for the bucket or replaces an existing lifecycle\n configuration. Keep in mind that this will overwrite an existing lifecycle configuration,\n so if you want to retain any configuration details, they must be included in the new\n lifecycle configuration. For information about lifecycle configuration, see Managing\n your storage lifecycle.
\nBucket lifecycle configuration now supports specifying a lifecycle rule using an\n object key name prefix, one or more object tags, or a combination of both. Accordingly,\n this section describes the latest API. The previous version of the API supported\n filtering based only on an object key name prefix, which is supported for backward\n compatibility. For the related API description, see PutBucketLifecycle.
\nYou specify the lifecycle configuration in your request body. The lifecycle\n configuration is specified as XML consisting of one or more rules. An Amazon S3 Lifecycle\n configuration can have up to 1,000 rules. This limit is not adjustable. Each rule consists\n of the following:
\nA filter identifying a subset of objects to which the rule applies. The filter can\n be based on a key name prefix, object tags, or a combination of both.
\nA status indicating whether the rule is in effect.
\nOne or more lifecycle transition and expiration actions that you want Amazon S3 to\n perform on the objects identified by the filter. If the state of your bucket is\n versioning-enabled or versioning-suspended, you can have many versions of the same\n object (one current version and zero or more noncurrent versions). Amazon S3 provides\n predefined actions that you can specify for current and noncurrent object\n versions.
\nFor more information, see Object Lifecycle Management\n and Lifecycle Configuration Elements.
\nBy default, all Amazon S3 resources are private, including buckets, objects, and related\n subresources (for example, lifecycle configuration and website configuration). Only the\n resource owner (that is, the Amazon Web Services account that created it) can access the resource. The\n resource owner can optionally grant access permissions to others by writing an access\n policy. For this operation, a user must get the s3:PutLifecycleConfiguration
\n permission.
You can also explicitly deny permissions. An explicit deny also supersedes any other\n permissions. If you want to block users or accounts from removing or deleting objects from\n your bucket, you must deny them permissions for the following actions:
\n\n s3:DeleteObject
\n
\n s3:DeleteObjectVersion
\n
\n s3:PutLifecycleConfiguration
\n
For more information about permissions, see Managing Access Permissions to\n Your Amazon S3 Resources.
\nThe following operations are related to PutBucketLifecycleConfiguration
:
Creates a new lifecycle configuration for the bucket or replaces an existing lifecycle\n configuration. Keep in mind that this will overwrite an existing lifecycle configuration,\n so if you want to retain any configuration details, they must be included in the new\n lifecycle configuration. For information about lifecycle configuration, see Managing\n your storage lifecycle.
\nBucket lifecycle configuration now supports specifying a lifecycle rule using an\n object key name prefix, one or more object tags, or a combination of both. Accordingly,\n this section describes the latest API. The previous version of the API supported\n filtering based only on an object key name prefix, which is supported for backward\n compatibility. For the related API description, see PutBucketLifecycle.
\nYou specify the lifecycle configuration in your request body. The lifecycle\n configuration is specified as XML consisting of one or more rules. An Amazon S3\n Lifecycle configuration can have up to 1,000 rules. This limit is not adjustable.\n Each rule consists of the following:
\nA filter identifying a subset of objects to which the rule applies. The\n filter can be based on a key name prefix, object tags, or a combination of\n both.
\nA status indicating whether the rule is in effect.
\nOne or more lifecycle transition and expiration actions that you want\n Amazon S3 to perform on the objects identified by the filter. If the state of\n your bucket is versioning-enabled or versioning-suspended, you can have many\n versions of the same object (one current version and zero or more noncurrent\n versions). Amazon S3 provides predefined actions that you can specify for current\n and noncurrent object versions.
\nFor more information, see Object Lifecycle\n Management and Lifecycle Configuration\n Elements.
\nBy default, all Amazon S3 resources are private, including buckets, objects, and\n related subresources (for example, lifecycle configuration and website\n configuration). Only the resource owner (that is, the Amazon Web Services account that created\n it) can access the resource. The resource owner can optionally grant access\n permissions to others by writing an access policy. For this operation, a user must\n get the s3:PutLifecycleConfiguration
permission.
You can also explicitly deny permissions. An explicit deny also supersedes any\n other permissions. If you want to block users or accounts from removing or\n deleting objects from your bucket, you must deny them permissions for the\n following actions:
\n\n s3:DeleteObject
\n
\n s3:DeleteObjectVersion
\n
\n s3:PutLifecycleConfiguration
\n
For more information about permissions, see Managing Access\n Permissions to Your Amazon S3 Resources.
\nThe following operations are related to\n PutBucketLifecycleConfiguration
:
Set the logging parameters for a bucket and to specify permissions for who can view and\n modify the logging parameters. All logs are saved to buckets in the same Amazon Web Services Region as\n the source bucket. To set the logging status of a bucket, you must be the bucket\n owner.
\nThe bucket owner is automatically granted FULL_CONTROL to all logs. You use the\n Grantee
request element to grant access to other people. The\n Permissions
request element specifies the kind of access the grantee has to\n the logs.
If the target bucket for log delivery uses the bucket owner enforced setting for S3\n Object Ownership, you can't use the Grantee
request element to grant access\n to others. Permissions can only be granted using policies. For more information, see\n Permissions for server access log delivery in the\n Amazon S3 User Guide.
You can specify the person (grantee) to whom you're assigning access rights (by using\n request elements) in the following ways:
\nBy the person's ID:
\n\n
\n
\n DisplayName
is optional and ignored in the request.
By Email address:
\n\n
\n
The grantee is resolved to the CanonicalUser
and, in a response to a GETObjectAcl
\n request, appears as the CanonicalUser.
By URI:
\n\n
\n
To enable logging, you use LoggingEnabled
and its children request elements. To disable\n logging, you use an empty BucketLoggingStatus
request element:
\n
\n
For more information about server access logging, see Server Access Logging in the\n Amazon S3 User Guide.
\nFor more information about creating a bucket, see CreateBucket. For more\n information about returning the logging status of a bucket, see GetBucketLogging.
\nThe following operations are related to PutBucketLogging
:
\n PutObject\n
\n\n DeleteBucket\n
\n\n CreateBucket\n
\n\n GetBucketLogging\n
\nSet the logging parameters for a bucket and to specify permissions for who can view and\n modify the logging parameters. All logs are saved to buckets in the same Amazon Web Services Region as\n the source bucket. To set the logging status of a bucket, you must be the bucket\n owner.
\nThe bucket owner is automatically granted FULL_CONTROL to all logs. You use the\n Grantee
request element to grant access to other people. The\n Permissions
request element specifies the kind of access the grantee has to\n the logs.
If the target bucket for log delivery uses the bucket owner enforced setting for S3\n Object Ownership, you can't use the Grantee
request element to grant access\n to others. Permissions can only be granted using policies. For more information, see\n Permissions for server access log delivery in the\n Amazon S3 User Guide.
You can specify the person (grantee) to whom you're assigning access rights (by\n using request elements) in the following ways:
\nBy the person's ID:
\n\n
\n
\n DisplayName
is optional and ignored in the request.
By Email address:
\n\n
\n
The grantee is resolved to the CanonicalUser
and, in a\n response to a GETObjectAcl
request, appears as the\n CanonicalUser.
By URI:
\n\n
\n
To enable logging, you use LoggingEnabled
and its children request\n elements. To disable logging, you use an empty BucketLoggingStatus
request\n element:
\n
\n
For more information about server access logging, see Server Access Logging in the\n Amazon S3 User Guide.
\nFor more information about creating a bucket, see CreateBucket. For more\n information about returning the logging status of a bucket, see GetBucketLogging.
\nThe following operations are related to PutBucketLogging
:
\n PutObject\n
\n\n DeleteBucket\n
\n\n CreateBucket\n
\n\n GetBucketLogging\n
\nApplies an Amazon S3 bucket policy to an Amazon S3 bucket. If you are using an identity other than\n the root user of the Amazon Web Services account that owns the bucket, the calling identity must have the\n PutBucketPolicy
permissions on the specified bucket and belong to the\n bucket owner's account in order to use this operation.
If you don't have PutBucketPolicy
permissions, Amazon S3 returns a 403\n Access Denied
error. If you have the correct permissions, but you're not using an\n identity that belongs to the bucket owner's account, Amazon S3 returns a 405 Method Not\n Allowed
error.
To ensure that bucket owners don't inadvertently lock themselves out of their own\n buckets, the root principal in a bucket owner's Amazon Web Services account can perform the\n GetBucketPolicy
, PutBucketPolicy
, and\n DeleteBucketPolicy
API actions, even if their bucket policy explicitly\n denies the root principal's access. Bucket owner root principals can only be blocked from performing \n these API actions by VPC endpoint policies and Amazon Web Services Organizations policies.
For more information, see Bucket policy\n examples.
\nThe following operations are related to PutBucketPolicy
:
\n CreateBucket\n
\n\n DeleteBucket\n
\nApplies an Amazon S3 bucket policy to an Amazon S3 bucket. If you are using an identity other than\n the root user of the Amazon Web Services account that owns the bucket, the calling identity must have the\n PutBucketPolicy
permissions on the specified bucket and belong to the\n bucket owner's account in order to use this operation.
If you don't have PutBucketPolicy
permissions, Amazon S3 returns a 403\n Access Denied
error. If you have the correct permissions, but you're not using an\n identity that belongs to the bucket owner's account, Amazon S3 returns a 405 Method Not\n Allowed
error.
To ensure that bucket owners don't inadvertently lock themselves out of their own\n buckets, the root principal in a bucket owner's Amazon Web Services account can perform the\n GetBucketPolicy
, PutBucketPolicy
, and\n DeleteBucketPolicy
API actions, even if their bucket policy explicitly\n denies the root principal's access. Bucket owner root principals can only be blocked\n from performing these API actions by VPC endpoint policies and Amazon Web Services Organizations\n policies.
For more information, see Bucket policy\n examples.
\nThe following operations are related to PutBucketPolicy
:
\n CreateBucket\n
\n\n DeleteBucket\n
\nCreates a replication configuration or replaces an existing one. For more information,\n see Replication in the Amazon S3 User Guide.
\nSpecify the replication configuration in the request body. In the replication\n configuration, you provide the name of the destination bucket or buckets where you want\n Amazon S3 to replicate objects, the IAM role that Amazon S3 can assume to replicate objects on your\n behalf, and other relevant information.
\nA replication configuration must include at least one rule, and can contain a maximum of\n 1,000. Each rule identifies a subset of objects to replicate by filtering the objects in\n the source bucket. To choose additional subsets of objects to replicate, add a rule for\n each subset.
\nTo specify a subset of the objects in the source bucket to apply a replication rule to,\n add the Filter element as a child of the Rule element. You can filter objects based on an\n object key prefix, one or more object tags, or both. When you add the Filter element in the\n configuration, you must also add the following elements:\n DeleteMarkerReplication
, Status
, and\n Priority
.
If you are using an earlier version of the replication configuration, Amazon S3 handles\n replication of delete markers differently. For more information, see Backward Compatibility.
\nFor information about enabling versioning on a bucket, see Using Versioning.
\nBy default, Amazon S3 doesn't replicate objects that are stored at rest using server-side\n encryption with KMS keys. To replicate Amazon Web Services KMS-encrypted objects, add the following:\n SourceSelectionCriteria
, SseKmsEncryptedObjects
,\n Status
, EncryptionConfiguration
, and\n ReplicaKmsKeyID
. For information about replication configuration, see\n Replicating Objects\n Created with SSE Using KMS keys.
For information on PutBucketReplication
errors, see List of\n replication-related error codes\n
To create a PutBucketReplication
request, you must have\n s3:PutReplicationConfiguration
permissions for the bucket.\n \n
By default, a resource owner, in this case the Amazon Web Services account that created the bucket,\n can perform this operation. The resource owner can also grant others permissions to perform\n the operation. For more information about permissions, see Specifying Permissions in a\n Policy and Managing Access Permissions to\n Your Amazon S3 Resources.
\nTo perform this operation, the user or role performing the action must have the\n iam:PassRole permission.
\nThe following operations are related to PutBucketReplication
:
\n GetBucketReplication\n
\nCreates a replication configuration or replaces an existing one. For more information,\n see Replication in the Amazon S3 User Guide.
\nSpecify the replication configuration in the request body. In the replication\n configuration, you provide the name of the destination bucket or buckets where you want\n Amazon S3 to replicate objects, the IAM role that Amazon S3 can assume to replicate objects on your\n behalf, and other relevant information. You can invoke this request for a specific\n Amazon Web Services Region by using the \n \n aws:RequestedRegion
\n condition key.
A replication configuration must include at least one rule, and can contain a maximum of\n 1,000. Each rule identifies a subset of objects to replicate by filtering the objects in\n the source bucket. To choose additional subsets of objects to replicate, add a rule for\n each subset.
\nTo specify a subset of the objects in the source bucket to apply a replication rule to,\n add the Filter element as a child of the Rule element. You can filter objects based on an\n object key prefix, one or more object tags, or both. When you add the Filter element in the\n configuration, you must also add the following elements:\n DeleteMarkerReplication
, Status
, and\n Priority
.
If you are using an earlier version of the replication configuration, Amazon S3 handles\n replication of delete markers differently. For more information, see Backward Compatibility.
\nFor information about enabling versioning on a bucket, see Using Versioning.
\nBy default, Amazon S3 doesn't replicate objects that are stored at rest using\n server-side encryption with KMS keys. To replicate Amazon Web Services KMS-encrypted objects,\n add the following: SourceSelectionCriteria
,\n SseKmsEncryptedObjects
, Status
,\n EncryptionConfiguration
, and ReplicaKmsKeyID
. For\n information about replication configuration, see Replicating\n Objects Created with SSE Using KMS keys.
For information on PutBucketReplication
errors, see List of\n replication-related error codes\n
To create a PutBucketReplication
request, you must have\n s3:PutReplicationConfiguration
permissions for the bucket.\n \n
By default, a resource owner, in this case the Amazon Web Services account that created the\n bucket, can perform this operation. The resource owner can also grant others\n permissions to perform the operation. For more information about permissions, see\n Specifying Permissions in\n a Policy and Managing Access\n Permissions to Your Amazon S3 Resources.
\nTo perform this operation, the user or role performing the action must have\n the iam:PassRole\n permission.
\nThe following operations are related to PutBucketReplication
:
\n GetBucketReplication\n
\nSets the tags for a bucket.
\nUse tags to organize your Amazon Web Services bill to reflect your own cost structure. To do this,\n sign up to get your Amazon Web Services account bill with tag key values included. Then, to see the cost\n of combined resources, organize your billing information according to resources with the\n same tag key values. For example, you can tag several resources with a specific application\n name, and then organize your billing information to see the total cost of that application\n across several services. For more information, see Cost Allocation and\n Tagging and Using Cost Allocation in Amazon S3 Bucket\n Tags.
\nWhen this operation sets the tags for a bucket, it will overwrite any current tags\n the bucket already has. You cannot use this operation to add tags to an existing list of\n tags.
\nTo use this operation, you must have permissions to perform the\n s3:PutBucketTagging
action. The bucket owner has this permission by default\n and can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing\n Access Permissions to Your Amazon S3 Resources.
\n PutBucketTagging
has the following special errors:
Error code: InvalidTagError
\n
Description: The tag provided was not a valid tag. This error can occur if\n the tag did not pass input validation. For information about tag restrictions,\n see User-Defined Tag Restrictions and Amazon Web Services-Generated Cost Allocation Tag Restrictions.
\nError code: MalformedXMLError
\n
Description: The XML provided does not match the schema.
\nError code: OperationAbortedError
\n
Description: A conflicting conditional action is currently in progress\n against this resource. Please try again.
\nError code: InternalError
\n
Description: The service was unable to apply the provided tag to the\n bucket.
\nThe following operations are related to PutBucketTagging
:
\n GetBucketTagging\n
\n\n DeleteBucketTagging\n
\nSets the tags for a bucket.
\nUse tags to organize your Amazon Web Services bill to reflect your own cost structure. To do this,\n sign up to get your Amazon Web Services account bill with tag key values included. Then, to see the cost\n of combined resources, organize your billing information according to resources with the\n same tag key values. For example, you can tag several resources with a specific application\n name, and then organize your billing information to see the total cost of that application\n across several services. For more information, see Cost Allocation and\n Tagging and Using Cost Allocation in Amazon S3\n Bucket Tags.
\nWhen this operation sets the tags for a bucket, it will overwrite any current tags\n the bucket already has. You cannot use this operation to add tags to an existing list of\n tags.
\nTo use this operation, you must have permissions to perform the\n s3:PutBucketTagging
action. The bucket owner has this permission by default\n and can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing\n Access Permissions to Your Amazon S3 Resources.
\n PutBucketTagging
has the following special errors. For more Amazon S3 errors\n see, Error\n Responses.
\n InvalidTag
- The tag provided was not a valid tag. This error\n can occur if the tag did not pass input validation. For more information, see Using\n Cost Allocation in Amazon S3 Bucket Tags.
\n MalformedXML
- The XML provided does not match the\n schema.
\n OperationAborted
- A conflicting conditional action is\n currently in progress against this resource. Please try again.
\n InternalError
- The service was unable to apply the provided\n tag to the bucket.
The following operations are related to PutBucketTagging
:
\n GetBucketTagging\n
\n\n DeleteBucketTagging\n
\nSets the versioning state of an existing bucket.
\nYou can set the versioning state with one of the following values:
\n\n Enabled—Enables versioning for the objects in the\n bucket. All objects added to the bucket receive a unique version ID.
\n\n Suspended—Disables versioning for the objects in the\n bucket. All objects added to the bucket receive the version ID null.
\nIf the versioning state has never been set on a bucket, it has no versioning state; a\n GetBucketVersioning request does not return a versioning state value.
\nIn order to enable MFA Delete, you must be the bucket owner. If you are the bucket owner\n and want to enable MFA Delete in the bucket versioning configuration, you must include the\n x-amz-mfa request
header and the Status
and the\n MfaDelete
request elements in a request to set the versioning state of the\n bucket.
If you have an object expiration lifecycle configuration in your non-versioned bucket and\n you want to maintain the same permanent delete behavior when you enable versioning, you\n must add a noncurrent expiration policy. The noncurrent expiration lifecycle configuration will\n manage the deletes of the noncurrent object versions in the version-enabled bucket. (A\n version-enabled bucket maintains one current and zero or more noncurrent object\n versions.) For more information, see Lifecycle and Versioning.
\nThe following operations are related to PutBucketVersioning
:
\n CreateBucket\n
\n\n DeleteBucket\n
\n\n GetBucketVersioning\n
\nSets the versioning state of an existing bucket.
\nYou can set the versioning state with one of the following values:
\n\n Enabled—Enables versioning for the objects in the\n bucket. All objects added to the bucket receive a unique version ID.
\n\n Suspended—Disables versioning for the objects in the\n bucket. All objects added to the bucket receive the version ID null.
\nIf the versioning state has never been set on a bucket, it has no versioning state; a\n GetBucketVersioning request does not return a versioning state value.
\nIn order to enable MFA Delete, you must be the bucket owner. If you are the bucket owner\n and want to enable MFA Delete in the bucket versioning configuration, you must include the\n x-amz-mfa request
header and the Status
and the\n MfaDelete
request elements in a request to set the versioning state of the\n bucket.
If you have an object expiration lifecycle configuration in your non-versioned bucket\n and you want to maintain the same permanent delete behavior when you enable versioning,\n you must add a noncurrent expiration policy. The noncurrent expiration lifecycle\n configuration will manage the deletes of the noncurrent object versions in the\n version-enabled bucket. (A version-enabled bucket maintains one current and zero or more\n noncurrent object versions.) For more information, see Lifecycle and Versioning.
\nThe following operations are related to PutBucketVersioning
:
\n CreateBucket\n
\n\n DeleteBucket\n
\n\n GetBucketVersioning\n
\nSets the configuration of the website that is specified in the website
\n subresource. To configure a bucket as a website, you can add this subresource on the bucket\n with website configuration information such as the file name of the index document and any\n redirect rules. For more information, see Hosting Websites on Amazon S3.
This PUT action requires the S3:PutBucketWebsite
permission. By default,\n only the bucket owner can configure the website attached to a bucket; however, bucket\n owners can allow other users to set the website configuration by writing a bucket policy\n that grants them the S3:PutBucketWebsite
permission.
To redirect all website requests sent to the bucket's website endpoint, you add a\n website configuration with the following elements. Because all requests are sent to another\n website, you don't need to provide index document name for the bucket.
\n\n WebsiteConfiguration
\n
\n RedirectAllRequestsTo
\n
\n HostName
\n
\n Protocol
\n
If you want granular control over redirects, you can use the following elements to add\n routing rules that describe conditions for redirecting requests and information about the\n redirect destination. In this case, the website configuration must provide an index\n document for the bucket, because some requests might not be redirected.
\n\n WebsiteConfiguration
\n
\n IndexDocument
\n
\n Suffix
\n
\n ErrorDocument
\n
\n Key
\n
\n RoutingRules
\n
\n RoutingRule
\n
\n Condition
\n
\n HttpErrorCodeReturnedEquals
\n
\n KeyPrefixEquals
\n
\n Redirect
\n
\n Protocol
\n
\n HostName
\n
\n ReplaceKeyPrefixWith
\n
\n ReplaceKeyWith
\n
\n HttpRedirectCode
\n
Amazon S3 has a limitation of 50 routing rules per website configuration. If you require more\n than 50 routing rules, you can use object redirect. For more information, see Configuring an\n Object Redirect in the Amazon S3 User Guide.
", + "smithy.api#documentation": "Sets the configuration of the website that is specified in the website
\n subresource. To configure a bucket as a website, you can add this subresource on the bucket\n with website configuration information such as the file name of the index document and any\n redirect rules. For more information, see Hosting Websites on Amazon S3.
This PUT action requires the S3:PutBucketWebsite
permission. By default,\n only the bucket owner can configure the website attached to a bucket; however, bucket\n owners can allow other users to set the website configuration by writing a bucket policy\n that grants them the S3:PutBucketWebsite
permission.
To redirect all website requests sent to the bucket's website endpoint, you add a\n website configuration with the following elements. Because all requests are sent to another\n website, you don't need to provide index document name for the bucket.
\n\n WebsiteConfiguration
\n
\n RedirectAllRequestsTo
\n
\n HostName
\n
\n Protocol
\n
If you want granular control over redirects, you can use the following elements to add\n routing rules that describe conditions for redirecting requests and information about the\n redirect destination. In this case, the website configuration must provide an index\n document for the bucket, because some requests might not be redirected.
\n\n WebsiteConfiguration
\n
\n IndexDocument
\n
\n Suffix
\n
\n ErrorDocument
\n
\n Key
\n
\n RoutingRules
\n
\n RoutingRule
\n
\n Condition
\n
\n HttpErrorCodeReturnedEquals
\n
\n KeyPrefixEquals
\n
\n Redirect
\n
\n Protocol
\n
\n HostName
\n
\n ReplaceKeyPrefixWith
\n
\n ReplaceKeyWith
\n
\n HttpRedirectCode
\n
Amazon S3 has a limitation of 50 routing rules per website configuration. If you require more\n than 50 routing rules, you can use object redirect. For more information, see Configuring an\n Object Redirect in the Amazon S3 User Guide.
\nThe maximum request length is limited to 128 KB.
", "smithy.api#examples": [ { "title": "Set website configuration on a bucket", @@ -33123,16 +28133,15 @@ "smithy.api#documentation": "Adds an object to a bucket. You must have WRITE permissions on a bucket to add an object\n to it.
\nAmazon S3 never adds partial objects; if you receive a success response, Amazon S3 added the\n entire object to the bucket. You cannot use PutObject
to only update a\n single piece of metadata for an existing object. You must put the entire object with\n updated metadata if you want to update some values.
Amazon S3 is a distributed system. If it receives multiple write requests for the same object\n simultaneously, it overwrites all but the last object written. To prevent objects from\n being deleted or overwritten, you can use Amazon S3 Object\n Lock.
\nTo ensure that data is not corrupted traversing the network, use the\n Content-MD5
header. When you use this header, Amazon S3 checks the object\n against the provided MD5 value and, if they do not match, returns an error. Additionally,\n you can calculate the MD5 while putting an object to Amazon S3 and compare the returned ETag to\n the calculated MD5 value.
To successfully complete the PutObject
request, you must have the\n s3:PutObject
in your IAM permissions.
To successfully change the objects acl of your PutObject
request,\n you must have the s3:PutObjectAcl
in your IAM permissions.
To successfully set the tag-set with your PutObject
request, you\n must have the s3:PutObjectTagging
in your IAM permissions.
The Content-MD5
header is required for any request to upload an\n object with a retention period configured using Amazon S3 Object Lock. For more\n information about Amazon S3 Object Lock, see Amazon S3 Object Lock\n Overview in the Amazon S3 User Guide.
You have four mutually exclusive options to protect data using server-side encryption in\n Amazon S3, depending on how you choose to manage the encryption keys. Specifically, the\n encryption key options are Amazon S3 managed keys (SSE-S3), Amazon Web Services KMS keys (SSE-KMS or\n DSSE-KMS), and customer-provided keys (SSE-C). Amazon S3 encrypts data with server-side\n encryption by using Amazon S3 managed keys (SSE-S3) by default. You can optionally tell Amazon S3 to\n encrypt data at rest by using server-side encryption with other key options. For more\n information, see Using Server-Side\n Encryption.
\nWhen adding a new object, you can use headers to grant ACL-based permissions to\n individual Amazon Web Services accounts or to predefined groups defined by Amazon S3. These permissions are\n then added to the ACL on the object. By default, all objects are private. Only the owner\n has full access control. For more information, see Access Control List (ACL) Overview\n and Managing\n ACLs Using the REST API.
\nIf the bucket that you're uploading objects to uses the bucket owner enforced setting\n for S3 Object Ownership, ACLs are disabled and no longer affect permissions. Buckets that\n use this setting only accept PUT requests that don't specify an ACL or PUT requests that\n specify bucket owner full control ACLs, such as the bucket-owner-full-control
\n canned ACL or an equivalent form of this ACL expressed in the XML format. PUT requests that\n contain other ACLs (for example, custom grants to certain Amazon Web Services accounts) fail and return a\n 400
error with the error code AccessControlListNotSupported
.\n For more information, see Controlling ownership of\n objects and disabling ACLs in the Amazon S3 User Guide.
If your bucket uses the bucket owner enforced setting for Object Ownership, all\n objects written to the bucket by any account will be owned by the bucket owner.
\nBy default, Amazon S3 uses the STANDARD Storage Class to store newly created objects. The\n STANDARD storage class provides high durability and high availability. Depending on\n performance needs, you can specify a different Storage Class. Amazon S3 on Outposts only uses\n the OUTPOSTS Storage Class. For more information, see Storage Classes in the\n Amazon S3 User Guide.
\nIf you enable versioning for a bucket, Amazon S3 automatically generates a unique version ID\n for the object being stored. Amazon S3 returns this ID in the response. When you enable\n versioning for a bucket, if Amazon S3 receives multiple write requests for the same object\n simultaneously, it stores all of the objects. For more information about versioning, see\n Adding Objects to\n Versioning-Enabled Buckets. For information about returning the versioning state\n of a bucket, see GetBucketVersioning.
\nFor more information about related Amazon S3 APIs, see the following:
\n\n CopyObject\n
\n\n DeleteObject\n
\nUses the acl
subresource to set the access control list (ACL) permissions\n for a new or existing object in an S3 bucket. You must have WRITE_ACP
\n permission to set the ACL of an object. For more information, see What\n permissions can I grant? in the Amazon S3 User Guide.
This action is not supported by Amazon S3 on Outposts.
\nDepending on your application needs, you can choose to set the ACL on an object using\n either the request body or the headers. For example, if you have an existing application\n that updates a bucket ACL using the request body, you can continue to use that approach.\n For more information, see Access Control List (ACL) Overview\n in the Amazon S3 User Guide.
\nIf your bucket uses the bucket owner enforced setting for S3 Object Ownership, ACLs\n are disabled and no longer affect permissions. You must use policies to grant access to\n your bucket and the objects in it. Requests to set ACLs or update ACLs fail and return\n the AccessControlListNotSupported
error code. Requests to read ACLs are\n still supported. For more information, see Controlling object\n ownership in the Amazon S3 User Guide.
You can set access permissions using one of the following methods:
\nSpecify a canned ACL with the x-amz-acl
request header. Amazon S3 supports\n a set of predefined ACLs, known as canned ACLs. Each canned ACL has a predefined set\n of grantees and permissions. Specify the canned ACL name as the value of\n x-amz-ac
l. If you use this header, you cannot use other access\n control-specific headers in your request. For more information, see Canned\n ACL.
Specify access permissions explicitly with the x-amz-grant-read
,\n x-amz-grant-read-acp
, x-amz-grant-write-acp
, and\n x-amz-grant-full-control
headers. When using these headers, you\n specify explicit access permissions and grantees (Amazon Web Services accounts or Amazon S3 groups) who\n will receive the permission. If you use these ACL-specific headers, you cannot use\n x-amz-acl
header to set a canned ACL. These parameters map to the set\n of permissions that Amazon S3 supports in an ACL. For more information, see Access Control\n List (ACL) Overview.
You specify each grantee as a type=value pair, where the type is one of the\n following:
\n\n id
– if the value specified is the canonical user ID of an\n Amazon Web Services account
\n uri
– if you are granting permissions to a predefined\n group
\n emailAddress
– if the value specified is the email address of\n an Amazon Web Services account
Using email addresses to specify a grantee is only supported in the following Amazon Web Services Regions:
\nUS East (N. Virginia)
\nUS West (N. California)
\nUS West (Oregon)
\nAsia Pacific (Singapore)
\nAsia Pacific (Sydney)
\nAsia Pacific (Tokyo)
\nEurope (Ireland)
\nSouth America (São Paulo)
\nFor a list of all the Amazon S3 supported Regions and endpoints, see Regions and Endpoints in the Amazon Web Services General Reference.
\nFor example, the following x-amz-grant-read
header grants list\n objects permission to the two Amazon Web Services accounts identified by their email\n addresses.
\n x-amz-grant-read: emailAddress=\"xyz@amazon.com\",\n emailAddress=\"abc@amazon.com\"
\n
You can use either a canned ACL or specify access permissions explicitly. You cannot do\n both.
\nYou can specify the person (grantee) to whom you're assigning access rights (using\n request elements) in the following ways:
\nBy the person's ID:
\n\n
\n
DisplayName is optional and ignored in the request.
\nBy URI:
\n\n
\n
By Email address:
\n\n
\n
The grantee is resolved to the CanonicalUser and, in a response to a GET Object\n acl request, appears as the CanonicalUser.
\nUsing email addresses to specify a grantee is only supported in the following Amazon Web Services Regions:
\nUS East (N. Virginia)
\nUS West (N. California)
\nUS West (Oregon)
\nAsia Pacific (Singapore)
\nAsia Pacific (Sydney)
\nAsia Pacific (Tokyo)
\nEurope (Ireland)
\nSouth America (São Paulo)
\nFor a list of all the Amazon S3 supported Regions and endpoints, see Regions and Endpoints in the Amazon Web Services General Reference.
\nThe ACL of an object is set at the object version level. By default, PUT sets the ACL of\n the current version of an object. To set the ACL of a different version, use the\n versionId
subresource.
The following operations are related to PutObjectAcl
:
\n CopyObject\n
\n\n GetObject\n
\nUses the acl
subresource to set the access control list (ACL) permissions\n for a new or existing object in an S3 bucket. You must have WRITE_ACP
\n permission to set the ACL of an object. For more information, see What\n permissions can I grant? in the Amazon S3 User Guide.
This action is not supported by Amazon S3 on Outposts.
\nDepending on your application needs, you can choose to set the ACL on an object using\n either the request body or the headers. For example, if you have an existing application\n that updates a bucket ACL using the request body, you can continue to use that approach.\n For more information, see Access Control List (ACL) Overview\n in the Amazon S3 User Guide.
\nIf your bucket uses the bucket owner enforced setting for S3 Object Ownership, ACLs\n are disabled and no longer affect permissions. You must use policies to grant access to\n your bucket and the objects in it. Requests to set ACLs or update ACLs fail and return\n the AccessControlListNotSupported
error code. Requests to read ACLs are\n still supported. For more information, see Controlling object\n ownership in the Amazon S3 User Guide.
You can set access permissions using one of the following methods:
\nSpecify a canned ACL with the x-amz-acl
request header. Amazon S3\n supports a set of predefined ACLs, known as canned ACLs. Each canned ACL has\n a predefined set of grantees and permissions. Specify the canned ACL name as\n the value of x-amz-ac
l. If you use this header, you cannot use\n other access control-specific headers in your request. For more information,\n see Canned\n ACL.
Specify access permissions explicitly with the\n x-amz-grant-read
, x-amz-grant-read-acp
,\n x-amz-grant-write-acp
, and\n x-amz-grant-full-control
headers. When using these headers,\n you specify explicit access permissions and grantees (Amazon Web Services accounts or Amazon S3\n groups) who will receive the permission. If you use these ACL-specific\n headers, you cannot use x-amz-acl
header to set a canned ACL.\n These parameters map to the set of permissions that Amazon S3 supports in an ACL.\n For more information, see Access Control List (ACL)\n Overview.
You specify each grantee as a type=value pair, where the type is one of\n the following:
\n\n id
– if the value specified is the canonical user ID\n of an Amazon Web Services account
\n uri
– if you are granting permissions to a predefined\n group
\n emailAddress
– if the value specified is the email\n address of an Amazon Web Services account
Using email addresses to specify a grantee is only supported in the following Amazon Web Services Regions:
\nUS East (N. Virginia)
\nUS West (N. California)
\nUS West (Oregon)
\nAsia Pacific (Singapore)
\nAsia Pacific (Sydney)
\nAsia Pacific (Tokyo)
\nEurope (Ireland)
\nSouth America (São Paulo)
\nFor a list of all the Amazon S3 supported Regions and endpoints, see Regions and Endpoints in the Amazon Web Services General Reference.
\nFor example, the following x-amz-grant-read
header grants\n list objects permission to the two Amazon Web Services accounts identified by their email\n addresses.
\n x-amz-grant-read: emailAddress=\"xyz@amazon.com\",\n emailAddress=\"abc@amazon.com\"
\n
You can use either a canned ACL or specify access permissions explicitly. You\n cannot do both.
\nYou can specify the person (grantee) to whom you're assigning access rights\n (using request elements) in the following ways:
\nBy the person's ID:
\n\n
\n
DisplayName is optional and ignored in the request.
\nBy URI:
\n\n
\n
By Email address:
\n\n
\n
The grantee is resolved to the CanonicalUser and, in a response to a GET\n Object acl request, appears as the CanonicalUser.
\nUsing email addresses to specify a grantee is only supported in the following Amazon Web Services Regions:
\nUS East (N. Virginia)
\nUS West (N. California)
\nUS West (Oregon)
\nAsia Pacific (Singapore)
\nAsia Pacific (Sydney)
\nAsia Pacific (Tokyo)
\nEurope (Ireland)
\nSouth America (São Paulo)
\nFor a list of all the Amazon S3 supported Regions and endpoints, see Regions and Endpoints in the Amazon Web Services General Reference.
\nThe ACL of an object is set at the object version level. By default, PUT sets\n the ACL of the current version of an object. To set the ACL of a different\n version, use the versionId
subresource.
The following operations are related to PutObjectAcl
:
\n CopyObject\n
\n\n GetObject\n
\nKey for which the PUT action was initiated.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
Key for which the PUT action was initiated.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
If present, specifies the Amazon Web Services KMS Encryption Context to use for object encryption. The\n value of this header is a base64-encoded UTF-8 string holding JSON with the encryption\n context key-value pairs. This value is stored as object metadata and automatically gets passed\n on to Amazon Web Services KMS for future GetObject
or CopyObject
operations on\n this object.
If present, specifies the Amazon Web Services KMS Encryption Context to use for object encryption. The\n value of this header is a base64-encoded UTF-8 string holding JSON with the encryption\n context key-value pairs. This value is stored as object metadata and automatically gets\n passed on to Amazon Web Services KMS for future GetObject
or CopyObject
\n operations on this object.
The bucket name to which the PUT action was initiated.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The bucket name to which the PUT action was initiated.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
If x-amz-server-side-encryption
has a valid value of aws:kms
\n or aws:kms:dsse
, this header specifies the ID of the Key Management Service (KMS)\n symmetric encryption customer managed key that was used for the object. If you specify\n x-amz-server-side-encryption:aws:kms
or\n x-amz-server-side-encryption:aws:kms:dsse
, but do not provide\n x-amz-server-side-encryption-aws-kms-key-id
, Amazon S3 uses the Amazon Web Services managed key\n (aws/s3
) to protect the data. If the KMS key does not exist in the same\n account that's issuing the command, you must use the full ARN and not just the ID.
If x-amz-server-side-encryption
has a valid value of aws:kms
\n or aws:kms:dsse
, this header specifies the ID (Key ID, Key ARN, or Key Alias) of the Key Management Service (KMS)\n symmetric encryption customer managed key that was used for the object. If you specify\n x-amz-server-side-encryption:aws:kms
or\n x-amz-server-side-encryption:aws:kms:dsse
, but do not provide\n x-amz-server-side-encryption-aws-kms-key-id
, Amazon S3 uses the Amazon Web Services managed key\n (aws/s3
) to protect the data. If the KMS key does not exist in the same\n account that's issuing the command, you must use the full ARN and not just the ID.
Specifies the Amazon Web Services KMS Encryption Context to use for object encryption. The value of\n this header is a base64-encoded UTF-8 string holding JSON with the encryption context\n key-value pairs. This value is stored as object metadata and automatically gets passed on to\n Amazon Web Services KMS for future GetObject
or CopyObject
operations on this\n object.
Specifies the Amazon Web Services KMS Encryption Context to use for object encryption. The value of\n this header is a base64-encoded UTF-8 string holding JSON with the encryption context\n key-value pairs. This value is stored as object metadata and automatically gets passed on\n to Amazon Web Services KMS for future GetObject
or CopyObject
operations on\n this object.
Sets the supplied tag-set to an object that already exists in a bucket.
\nA tag is a key-value pair. You can associate tags with an object by sending a PUT\n request against the tagging subresource that is associated with the object. You can\n retrieve tags by sending a GET request. For more information, see GetObjectTagging.
\nFor tagging-related restrictions related to characters and encodings, see Tag\n Restrictions. Note that Amazon S3 limits the maximum number of tags to 10 tags per\n object.
\nTo use this operation, you must have permission to perform the\n s3:PutObjectTagging
action. By default, the bucket owner has this\n permission and can grant this permission to others.
To put tags of any other version, use the versionId
query parameter. You\n also need permission for the s3:PutObjectVersionTagging
action.
For information about the Amazon S3 object tagging feature, see Object Tagging.
\n\n PutObjectTagging
has the following special errors:
\n Code: InvalidTagError \n
\n\n Cause: The tag provided was not a valid tag. This error can occur\n if the tag did not pass input validation. For more information, see Object\n Tagging.\n
\n\n Code: MalformedXMLError \n
\n\n Cause: The XML provided does not match the schema.\n
\n\n Code: OperationAbortedError \n
\n\n Cause: A conflicting conditional action is currently in progress\n against this resource. Please try again.\n
\n\n Code: InternalError\n
\n\n Cause: The service was unable to apply the provided tag to the\n object.\n
\nThe following operations are related to PutObjectTagging
:
\n GetObjectTagging\n
\n\n DeleteObjectTagging\n
\nSets the supplied tag-set to an object that already exists in a bucket. A tag is a\n key-value pair. For more information, see Object Tagging.
\nYou can associate tags with an object by sending a PUT request against the tagging\n subresource that is associated with the object. You can retrieve tags by sending a GET\n request. For more information, see GetObjectTagging.
\nFor tagging-related restrictions related to characters and encodings, see Tag\n Restrictions. Note that Amazon S3 limits the maximum number of tags to 10 tags per\n object.
\nTo use this operation, you must have permission to perform the\n s3:PutObjectTagging
action. By default, the bucket owner has this\n permission and can grant this permission to others.
To put tags of any other version, use the versionId
query parameter. You\n also need permission for the s3:PutObjectVersionTagging
action.
\n PutObjectTagging
has the following special errors. For more Amazon S3 errors\n see, Error\n Responses.
\n InvalidTag
- The tag provided was not a valid tag. This error\n can occur if the tag did not pass input validation. For more information, see Object\n Tagging.
\n MalformedXML
- The XML provided does not match the\n schema.
\n OperationAborted
- A conflicting conditional action is\n currently in progress against this resource. Please try again.
\n InternalError
- The service was unable to apply the provided\n tag to the object.
The following operations are related to PutObjectTagging
:
\n GetObjectTagging\n
\n\n DeleteObjectTagging\n
\nThe bucket name containing the object.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The bucket name containing the object.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
Creates or modifies the PublicAccessBlock
configuration for an Amazon S3 bucket.\n To use this operation, you must have the s3:PutBucketPublicAccessBlock
\n permission. For more information about Amazon S3 permissions, see Specifying Permissions in a\n Policy.
When Amazon S3 evaluates the PublicAccessBlock
configuration for a bucket or\n an object, it checks the PublicAccessBlock
configuration for both the\n bucket (or the bucket that contains the object) and the bucket owner's account. If the\n PublicAccessBlock
configurations are different between the bucket and\n the account, Amazon S3 uses the most restrictive combination of the bucket-level and\n account-level settings.
For more information about when Amazon S3 considers a bucket or an object public, see The Meaning of \"Public\".
\nThe following operations are related to PutPublicAccessBlock
:
\n GetPublicAccessBlock\n
\nCreates or modifies the PublicAccessBlock
configuration for an Amazon S3 bucket.\n To use this operation, you must have the s3:PutBucketPublicAccessBlock
\n permission. For more information about Amazon S3 permissions, see Specifying Permissions in a\n Policy.
When Amazon S3 evaluates the PublicAccessBlock
configuration for a bucket or\n an object, it checks the PublicAccessBlock
configuration for both the\n bucket (or the bucket that contains the object) and the bucket owner's account. If the\n PublicAccessBlock
configurations are different between the bucket and\n the account, S3 uses the most restrictive combination of the bucket-level and\n account-level settings.
For more information about when Amazon S3 considers a bucket or an object public, see The Meaning of \"Public\".
\nThe following operations are related to PutPublicAccessBlock
:
\n GetPublicAccessBlock\n
\nConfirms that the requester knows that they will be charged for the request. Bucket\n owners need not specify this parameter in their requests. For information about downloading\n objects from Requester Pays buckets, see Downloading Objects in\n Requester Pays Buckets in the Amazon S3 User Guide.
" + "smithy.api#documentation": "Confirms that the requester knows that they will be charged for the request. Bucket\n owners need not specify this parameter in their requests. If either the source or\n destination Amazon S3 bucket has Requester Pays enabled, the requester will pay for\n corresponding charges to copy the object. For information about downloading objects from\n Requester Pays buckets, see Downloading Objects in\n Requester Pays Buckets in the Amazon S3 User Guide.
" } }, "com.amazonaws.s3#RequestPaymentConfiguration": { @@ -34718,6 +29727,9 @@ "com.amazonaws.s3#Restore": { "type": "string" }, + "com.amazonaws.s3#RestoreExpiryDate": { + "type": "timestamp" + }, "com.amazonaws.s3#RestoreObject": { "type": "operation", "input": { @@ -34735,7 +29747,7 @@ "aws.protocols#httpChecksum": { "requestAlgorithmMember": "ChecksumAlgorithm" }, - "smithy.api#documentation": "Restores an archived copy of an object back into Amazon S3
\nThis action is not supported by Amazon S3 on Outposts.
\nThis action performs the following types of requests:
\n\n select
- Perform a select query on an archived object
\n restore an archive
- Restore an archived object
For more information about the S3
structure in the request body, see the\n following:
\n PutObject\n
\n\n Managing Access with ACLs in the\n Amazon S3 User Guide\n
\n\n Protecting Data Using\n Server-Side Encryption in the\n Amazon S3 User Guide\n
\nDefine the SQL expression for the SELECT
type of restoration for your\n query in the request body's SelectParameters
structure. You can use\n expressions like the following examples.
The following expression returns all records from the specified\n object.
\n\n SELECT * FROM Object
\n
Assuming that you are not using any headers for data stored in the object,\n you can specify columns with positional headers.
\n\n SELECT s._1, s._2 FROM Object s WHERE s._3 > 100
\n
If you have headers and you set the fileHeaderInfo
in the\n CSV
structure in the request body to USE
, you can\n specify headers in the query. (If you set the fileHeaderInfo
field\n to IGNORE
, the first row is skipped for the query.) You cannot mix\n ordinal positions with header column names.
\n SELECT s.Id, s.FirstName, s.SSN FROM S3Object s
\n
When making a select request, you can also do the following:
\nTo expedite your queries, specify the Expedited
tier. For more\n information about tiers, see \"Restoring Archives,\" later in this topic.
Specify details about the data serialization format of both the input object that\n is being queried and the serialization of the CSV-encoded query results.
\nThe following are additional important facts about the select feature:
\nThe output results are new Amazon S3 objects. Unlike archive retrievals, they are\n stored until explicitly deleted-manually or through a lifecycle configuration.
\nYou can issue more than one select request on the same Amazon S3 object. Amazon S3 doesn't\n duplicate requests, so avoid issuing duplicate requests.
\n Amazon S3 accepts a select request even if the object has already been restored. A\n select request doesn’t return error response 409
.
To use this operation, you must have permissions to perform the\n s3:RestoreObject
action. The bucket owner has this permission by default\n and can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing\n Access Permissions to Your Amazon S3 Resources in the\n Amazon S3 User Guide.
Objects that you archive to the S3 Glacier Flexible Retrieval Flexible Retrieval or\n S3 Glacier Deep Archive storage class, and S3 Intelligent-Tiering Archive or\n S3 Intelligent-Tiering Deep Archive tiers, are not accessible in real time. For objects in the\n S3 Glacier Flexible Retrieval Flexible Retrieval or S3 Glacier Deep Archive storage\n classes, you must first initiate a restore request, and then wait until a temporary copy of\n the object is available. If you want a permanent copy of the object, create a copy of it in\n the Amazon S3 Standard storage class in your S3 bucket. To access an archived object, you must\n restore the object for the duration (number of days) that you specify. For objects in the\n Archive Access or Deep Archive Access tiers of S3 Intelligent-Tiering, you must first\n initiate a restore request, and then wait until the object is moved into the Frequent\n Access tier.
\nTo restore a specific object version, you can provide a version ID. If you don't provide\n a version ID, Amazon S3 restores the current version.
\nWhen restoring an archived object, you can specify one of the following data access tier\n options in the Tier
element of the request body:
\n Expedited
- Expedited retrievals allow you to quickly access your\n data stored in the S3 Glacier Flexible Retrieval Flexible Retrieval storage class or\n S3 Intelligent-Tiering Archive tier when occasional urgent requests for restoring archives\n are required. For all but the largest archived objects (250 MB+), data accessed using\n Expedited retrievals is typically made available within 1–5 minutes. Provisioned\n capacity ensures that retrieval capacity for Expedited retrievals is available when\n you need it. Expedited retrievals and provisioned capacity are not available for\n objects stored in the S3 Glacier Deep Archive storage class or\n S3 Intelligent-Tiering Deep Archive tier.
\n Standard
- Standard retrievals allow you to access any of your\n archived objects within several hours. This is the default option for retrieval\n requests that do not specify the retrieval option. Standard retrievals typically\n finish within 3–5 hours for objects stored in the S3 Glacier Flexible Retrieval Flexible\n Retrieval storage class or S3 Intelligent-Tiering Archive tier. They typically finish within\n 12 hours for objects stored in the S3 Glacier Deep Archive storage class or\n S3 Intelligent-Tiering Deep Archive tier. Standard retrievals are free for objects stored in\n S3 Intelligent-Tiering.
\n Bulk
- Bulk retrievals free for objects stored in the S3 Glacier\n Flexible Retrieval and S3 Intelligent-Tiering storage classes, enabling you to\n retrieve large amounts, even petabytes, of data at no cost. Bulk retrievals typically\n finish within 5–12 hours for objects stored in the S3 Glacier Flexible Retrieval\n Flexible Retrieval storage class or S3 Intelligent-Tiering Archive tier. Bulk retrievals are\n also the lowest-cost retrieval option when restoring objects from\n S3 Glacier Deep Archive. They typically finish within 48 hours for objects\n stored in the S3 Glacier Deep Archive storage class or S3 Intelligent-Tiering Deep Archive\n tier.
For more information about archive retrieval options and provisioned capacity for\n Expedited
data access, see Restoring Archived Objects in\n the Amazon S3 User Guide.
You can use Amazon S3 restore speed upgrade to change the restore speed to a faster speed\n while it is in progress. For more information, see Upgrading the speed of an in-progress restore in the\n Amazon S3 User Guide.
\nTo get the status of object restoration, you can send a HEAD
request.\n Operations return the x-amz-restore
header, which provides information about\n the restoration status, in the response. You can use Amazon S3 event notifications to notify you\n when a restore is initiated or completed. For more information, see Configuring Amazon S3\n Event Notifications in the Amazon S3 User Guide.
After restoring an archived object, you can update the restoration period by reissuing\n the request with a new period. Amazon S3 updates the restoration period relative to the current\n time and charges only for the request-there are no data transfer charges. You cannot\n update the restoration period when Amazon S3 is actively processing your current restore request\n for the object.
\nIf your bucket has a lifecycle configuration with a rule that includes an expiration\n action, the object expiration overrides the life span that you specify in a restore\n request. For example, if you restore an object copy for 10 days, but the object is\n scheduled to expire in 3 days, Amazon S3 deletes the object in 3 days. For more information\n about lifecycle configuration, see PutBucketLifecycleConfiguration and Object Lifecycle Management\n in Amazon S3 User Guide.
\nA successful action returns either the 200 OK
or 202 Accepted
\n status code.
If the object is not previously restored, then Amazon S3 returns 202\n Accepted
in the response.
If the object is previously restored, Amazon S3 returns 200 OK
in the\n response.
Special errors:
\n\n Code: RestoreAlreadyInProgress\n
\n\n Cause: Object restore is already in progress. (This error does not\n apply to SELECT type requests.)\n
\n\n HTTP Status Code: 409 Conflict\n
\n\n SOAP Fault Code Prefix: Client\n
\n\n Code: GlacierExpeditedRetrievalNotAvailable\n
\n\n Cause: expedited retrievals are currently not available. Try again\n later. (Returned if there is insufficient capacity to process the Expedited\n request. This error applies only to Expedited retrievals and not to\n S3 Standard or Bulk retrievals.)\n
\n\n HTTP Status Code: 503\n
\n\n SOAP Fault Code Prefix: N/A\n
\nThe following operations are related to RestoreObject
:
Restores an archived copy of an object back into Amazon S3
\nThis action is not supported by Amazon S3 on Outposts.
\nThis action performs the following types of requests:
\n\n select
- Perform a select query on an archived object
\n restore an archive
- Restore an archived object
For more information about the S3
structure in the request body, see the\n following:
\n PutObject\n
\n\n Managing Access with ACLs in the\n Amazon S3 User Guide\n
\n\n Protecting Data Using Server-Side Encryption in the\n Amazon S3 User Guide\n
\nDefine the SQL expression for the SELECT
type of restoration for your query\n in the request body's SelectParameters
structure. You can use expressions like\n the following examples.
The following expression returns all records from the specified object.
\n\n SELECT * FROM Object
\n
Assuming that you are not using any headers for data stored in the object, you can\n specify columns with positional headers.
\n\n SELECT s._1, s._2 FROM Object s WHERE s._3 > 100
\n
If you have headers and you set the fileHeaderInfo
in the\n CSV
structure in the request body to USE
, you can\n specify headers in the query. (If you set the fileHeaderInfo
field to\n IGNORE
, the first row is skipped for the query.) You cannot mix\n ordinal positions with header column names.
\n SELECT s.Id, s.FirstName, s.SSN FROM S3Object s
\n
When making a select request, you can also do the following:
\nTo expedite your queries, specify the Expedited
tier. For more\n information about tiers, see \"Restoring Archives,\" later in this topic.
Specify details about the data serialization format of both the input object that\n is being queried and the serialization of the CSV-encoded query results.
\nThe following are additional important facts about the select feature:
\nThe output results are new Amazon S3 objects. Unlike archive retrievals, they are\n stored until explicitly deleted-manually or through a lifecycle configuration.
\nYou can issue more than one select request on the same Amazon S3 object. Amazon S3 doesn't\n duplicate requests, so avoid issuing duplicate requests.
\n Amazon S3 accepts a select request even if the object has already been restored. A\n select request doesn’t return error response 409
.
To use this operation, you must have permissions to perform the\n s3:RestoreObject
action. The bucket owner has this permission by\n default and can grant this permission to others. For more information about\n permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources in the\n Amazon S3 User Guide.
Objects that you archive to the S3 Glacier Flexible Retrieval Flexible Retrieval\n or S3 Glacier Deep Archive storage class, and S3 Intelligent-Tiering Archive or\n S3 Intelligent-Tiering Deep Archive tiers, are not accessible in real time. For objects in the\n S3 Glacier Flexible Retrieval Flexible Retrieval or S3 Glacier Deep Archive\n storage classes, you must first initiate a restore request, and then wait until a\n temporary copy of the object is available. If you want a permanent copy of the\n object, create a copy of it in the Amazon S3 Standard storage class in your S3 bucket.\n To access an archived object, you must restore the object for the duration (number\n of days) that you specify. For objects in the Archive Access or Deep Archive\n Access tiers of S3 Intelligent-Tiering, you must first initiate a restore request,\n and then wait until the object is moved into the Frequent Access tier.
\nTo restore a specific object version, you can provide a version ID. If you\n don't provide a version ID, Amazon S3 restores the current version.
\nWhen restoring an archived object, you can specify one of the following data\n access tier options in the Tier
element of the request body:
\n Expedited
- Expedited retrievals allow you to quickly access\n your data stored in the S3 Glacier Flexible Retrieval Flexible Retrieval\n storage class or S3 Intelligent-Tiering Archive tier when occasional urgent requests\n for restoring archives are required. For all but the largest archived\n objects (250 MB+), data accessed using Expedited retrievals is typically\n made available within 1–5 minutes. Provisioned capacity ensures that\n retrieval capacity for Expedited retrievals is available when you need it.\n Expedited retrievals and provisioned capacity are not available for objects\n stored in the S3 Glacier Deep Archive storage class or\n S3 Intelligent-Tiering Deep Archive tier.
\n Standard
- Standard retrievals allow you to access any of\n your archived objects within several hours. This is the default option for\n retrieval requests that do not specify the retrieval option. Standard\n retrievals typically finish within 3–5 hours for objects stored in the\n S3 Glacier Flexible Retrieval Flexible Retrieval storage class or\n S3 Intelligent-Tiering Archive tier. They typically finish within 12 hours for\n objects stored in the S3 Glacier Deep Archive storage class or\n S3 Intelligent-Tiering Deep Archive tier. Standard retrievals are free for objects stored\n in S3 Intelligent-Tiering.
\n Bulk
- Bulk retrievals free for objects stored in the\n S3 Glacier Flexible Retrieval and S3 Intelligent-Tiering storage classes,\n enabling you to retrieve large amounts, even petabytes, of data at no cost.\n Bulk retrievals typically finish within 5–12 hours for objects stored in the\n S3 Glacier Flexible Retrieval Flexible Retrieval storage class or\n S3 Intelligent-Tiering Archive tier. Bulk retrievals are also the lowest-cost\n retrieval option when restoring objects from\n S3 Glacier Deep Archive. They typically finish within 48 hours for\n objects stored in the S3 Glacier Deep Archive storage class or\n S3 Intelligent-Tiering Deep Archive tier.
For more information about archive retrieval options and provisioned capacity\n for Expedited
data access, see Restoring Archived\n Objects in the Amazon S3 User Guide.
You can use Amazon S3 restore speed upgrade to change the restore speed to a faster\n speed while it is in progress. For more information, see Upgrading the speed of an in-progress restore in the\n Amazon S3 User Guide.
\nTo get the status of object restoration, you can send a HEAD
\n request. Operations return the x-amz-restore
header, which provides\n information about the restoration status, in the response. You can use Amazon S3 event\n notifications to notify you when a restore is initiated or completed. For more\n information, see Configuring Amazon S3 Event\n Notifications in the Amazon S3 User Guide.
After restoring an archived object, you can update the restoration period by\n reissuing the request with a new period. Amazon S3 updates the restoration period\n relative to the current time and charges only for the request-there are no\n data transfer charges. You cannot update the restoration period when Amazon S3 is\n actively processing your current restore request for the object.
\nIf your bucket has a lifecycle configuration with a rule that includes an\n expiration action, the object expiration overrides the life span that you specify\n in a restore request. For example, if you restore an object copy for 10 days, but\n the object is scheduled to expire in 3 days, Amazon S3 deletes the object in 3 days.\n For more information about lifecycle configuration, see PutBucketLifecycleConfiguration and Object Lifecycle\n Management in Amazon S3 User Guide.
\nA successful action returns either the 200 OK
or 202\n Accepted
status code.
If the object is not previously restored, then Amazon S3 returns 202\n Accepted
in the response.
If the object is previously restored, Amazon S3 returns 200 OK
in\n the response.
Special errors:
\n\n Code: RestoreAlreadyInProgress\n
\n\n Cause: Object restore is already in progress. (This error\n does not apply to SELECT type requests.)\n
\n\n HTTP Status Code: 409 Conflict\n
\n\n SOAP Fault Code Prefix: Client\n
\n\n Code: GlacierExpeditedRetrievalNotAvailable\n
\n\n Cause: expedited retrievals are currently not available.\n Try again later. (Returned if there is insufficient capacity to\n process the Expedited request. This error applies only to Expedited\n retrievals and not to S3 Standard or Bulk retrievals.)\n
\n\n HTTP Status Code: 503\n
\n\n SOAP Fault Code Prefix: N/A\n
\nThe following operations are related to RestoreObject
:
The bucket name containing the object to restore.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The bucket name containing the object to restore.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
Specifies whether the object is currently being restored. If the object restoration is\n in progress, the header returns the value TRUE
. For example:
\n x-amz-optional-object-attributes: IsRestoreInProgress=\"true\"
\n
If the object restoration has completed, the header returns the value\n FALSE
. For example:
\n x-amz-optional-object-attributes: IsRestoreInProgress=\"false\",\n RestoreExpiryDate=\"2012-12-21T00:00:00.000Z\"
\n
If the object hasn't been restored, there is no header response.
" + } + }, + "RestoreExpiryDate": { + "target": "com.amazonaws.s3#RestoreExpiryDate", + "traits": { + "smithy.api#documentation": "Indicates when the restored copy will expire. This value is populated only if the object\n has already been restored. For example:
\n\n x-amz-optional-object-attributes: IsRestoreInProgress=\"false\",\n RestoreExpiryDate=\"2012-12-21T00:00:00.000Z\"
\n
Specifies the restoration status of an object. Objects in certain storage classes must\n be restored before they can be retrieved. For more information about these storage classes\n and how to work with archived objects, see Working with archived\n objects in the Amazon S3 User Guide.
" + } + }, "com.amazonaws.s3#Role": { "type": "string" }, @@ -35089,7 +30122,7 @@ "target": "com.amazonaws.s3#SelectObjectContentOutput" }, "traits": { - "smithy.api#documentation": "This action filters the contents of an Amazon S3 object based on a simple structured query\n language (SQL) statement. In the request, along with the SQL expression, you must also\n specify a data serialization format (JSON, CSV, or Apache Parquet) of the object. Amazon S3 uses\n this format to parse object data into records, and returns only records that match the\n specified SQL expression. You must also specify the data serialization format for the\n response.
\nThis action is not supported by Amazon S3 on Outposts.
\nFor more information about Amazon S3 Select, see Selecting Content from\n Objects and SELECT\n Command in the Amazon S3 User Guide.
\n \nYou must have s3:GetObject
permission for this operation. Amazon S3 Select does\n not support anonymous access. For more information about permissions, see Specifying\n Permissions in a Policy in the Amazon S3 User Guide.
You can use Amazon S3 Select to query objects that have the following format\n properties:
\n\n CSV, JSON, and Parquet - Objects must be in CSV, JSON, or\n Parquet format.
\n\n UTF-8 - UTF-8 is the only encoding type Amazon S3 Select\n supports.
\n\n GZIP or BZIP2 - CSV and JSON files can be compressed using\n GZIP or BZIP2. GZIP and BZIP2 are the only compression formats that Amazon S3 Select\n supports for CSV and JSON files. Amazon S3 Select supports columnar compression for\n Parquet using GZIP or Snappy. Amazon S3 Select does not support whole-object compression\n for Parquet objects.
\n\n Server-side encryption - Amazon S3 Select supports querying\n objects that are protected with server-side encryption.
\nFor objects that are encrypted with customer-provided encryption keys (SSE-C), you\n must use HTTPS, and you must use the headers that are documented in the GetObject. For more information about SSE-C, see Server-Side\n Encryption (Using Customer-Provided Encryption Keys) in the\n Amazon S3 User Guide.
\nFor objects that are encrypted with Amazon S3 managed keys (SSE-S3) and Amazon Web Services KMS keys\n (SSE-KMS), server-side encryption is handled transparently, so you don't need to\n specify anything. For more information about server-side encryption, including SSE-S3\n and SSE-KMS, see Protecting Data Using\n Server-Side Encryption in the Amazon S3 User Guide.
\nGiven the response size is unknown, Amazon S3 Select streams the response as a series of\n messages and includes a Transfer-Encoding
header with chunked
as\n its value in the response. For more information, see Appendix: SelectObjectContent\n Response.
The SelectObjectContent
action does not support the following\n GetObject
functionality. For more information, see GetObject.
\n Range
: Although you can specify a scan range for an Amazon S3 Select request\n (see SelectObjectContentRequest - ScanRange in the request parameters),\n you cannot specify the range of bytes of an object to return.
The GLACIER
, DEEP_ARCHIVE
, and REDUCED_REDUNDANCY
storage classes, or the ARCHIVE_ACCESS
and \n DEEP_ARCHIVE_ACCESS
access tiers of \n the INTELLIGENT_TIERING
storage class: You cannot query objects in \n the GLACIER
, DEEP_ARCHIVE
, or REDUCED_REDUNDANCY
storage classes, nor objects in the \n ARCHIVE_ACCESS
or \n DEEP_ARCHIVE_ACCESS
access tiers of \n the INTELLIGENT_TIERING
storage class. For\n more information about storage classes, see Using Amazon S3 storage\n classes in the Amazon S3 User Guide.
For a list of special errors for this operation, see List of\n SELECT Object Content Error Codes\n
\nThe following operations are related to SelectObjectContent
:
\n GetObject\n
\nThis action filters the contents of an Amazon S3 object based on a simple structured query\n language (SQL) statement. In the request, along with the SQL expression, you must also\n specify a data serialization format (JSON, CSV, or Apache Parquet) of the object. Amazon S3 uses\n this format to parse object data into records, and returns only records that match the\n specified SQL expression. You must also specify the data serialization format for the\n response.
\nThis action is not supported by Amazon S3 on Outposts.
\nFor more information about Amazon S3 Select, see Selecting Content from\n Objects and SELECT\n Command in the Amazon S3 User Guide.
\n \nYou must have s3:GetObject
permission for this operation. Amazon S3\n Select does not support anonymous access. For more information about permissions,\n see Specifying Permissions in\n a Policy in the Amazon S3 User Guide.
You can use Amazon S3 Select to query objects that have the following format\n properties:
\n\n CSV, JSON, and Parquet - Objects must be in CSV,\n JSON, or Parquet format.
\n\n UTF-8 - UTF-8 is the only encoding type Amazon S3 Select\n supports.
\n\n GZIP or BZIP2 - CSV and JSON files can be compressed\n using GZIP or BZIP2. GZIP and BZIP2 are the only compression formats that\n Amazon S3 Select supports for CSV and JSON files. Amazon S3 Select supports columnar\n compression for Parquet using GZIP or Snappy. Amazon S3 Select does not support\n whole-object compression for Parquet objects.
\n\n Server-side encryption - Amazon S3 Select supports\n querying objects that are protected with server-side encryption.
\nFor objects that are encrypted with customer-provided encryption keys\n (SSE-C), you must use HTTPS, and you must use the headers that are\n documented in the GetObject. For more\n information about SSE-C, see Server-Side Encryption (Using Customer-Provided Encryption Keys)\n in the Amazon S3 User Guide.
\nFor objects that are encrypted with Amazon S3 managed keys (SSE-S3) and\n Amazon Web Services KMS keys (SSE-KMS), server-side encryption is handled transparently,\n so you don't need to specify anything. For more information about\n server-side encryption, including SSE-S3 and SSE-KMS, see Protecting Data Using Server-Side Encryption in the\n Amazon S3 User Guide.
\nGiven the response size is unknown, Amazon S3 Select streams the response as a\n series of messages and includes a Transfer-Encoding
header with\n chunked
as its value in the response. For more information, see\n Appendix:\n SelectObjectContent\n Response.
The SelectObjectContent
action does not support the following\n GetObject
functionality. For more information, see GetObject.
\n Range
: Although you can specify a scan range for an Amazon S3 Select\n request (see SelectObjectContentRequest - ScanRange in the request\n parameters), you cannot specify the range of bytes of an object to return.\n
The GLACIER
, DEEP_ARCHIVE
, and\n REDUCED_REDUNDANCY
storage classes, or the\n ARCHIVE_ACCESS
and DEEP_ARCHIVE_ACCESS
access\n tiers of the INTELLIGENT_TIERING
storage class: You cannot\n query objects in the GLACIER
, DEEP_ARCHIVE
, or\n REDUCED_REDUNDANCY
storage classes, nor objects in the\n ARCHIVE_ACCESS
or DEEP_ARCHIVE_ACCESS
access\n tiers of the INTELLIGENT_TIERING
storage class. For more\n information about storage classes, see Using Amazon S3\n storage classes in the\n Amazon S3 User Guide.
For a list of special errors for this operation, see List of SELECT Object Content Error Codes\n
\nThe following operations are related to SelectObjectContent
:
\n GetObject\n
\nAmazon Web Services Key Management Service (KMS) customer Amazon Web Services KMS key ID to use for the default\n encryption. This parameter is allowed if and only if SSEAlgorithm
is set to\n aws:kms
.
You can specify the key ID or the Amazon Resource Name (ARN) of the KMS key. If you use\n a key ID, you can run into a LogDestination undeliverable error when creating a VPC flow\n log.
\nIf you are using encryption with cross-account or Amazon Web Services service operations you must use\n a fully qualified KMS key ARN. For more information, see Using encryption for cross-account operations.
\nKey ID: 1234abcd-12ab-34cd-56ef-1234567890ab
\n
Key ARN:\n arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
\n
Amazon S3 only supports symmetric encryption KMS keys. For more information, see Asymmetric keys in Amazon Web Services KMS in the Amazon Web Services Key Management Service\n Developer Guide.
\nAmazon Web Services Key Management Service (KMS) customer Amazon Web Services KMS key ID to use for the default\n encryption. This parameter is allowed if and only if SSEAlgorithm
is set to\n aws:kms
.
You can specify the key ID, key alias, or the Amazon Resource Name (ARN) of the KMS\n key.
\nKey ID: 1234abcd-12ab-34cd-56ef-1234567890ab
\n
Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
\n
Key Alias: alias/alias-name
\n
If you use a key ID, you can run into a LogDestination undeliverable error when creating\n a VPC flow log.
\nIf you are using encryption with cross-account or Amazon Web Services service operations you must use\n a fully qualified KMS key ARN. For more information, see Using encryption for cross-account operations.
\nAmazon S3 only supports symmetric encryption KMS keys. For more information, see Asymmetric keys in Amazon Web Services KMS in the Amazon Web Services Key Management Service\n Developer Guide.
\nUploads a part by copying data from an existing object as data source. You specify the\n data source by adding the request header x-amz-copy-source
in your request and\n a byte range by adding the request header x-amz-copy-source-range
in your\n request.
For information about maximum and minimum part sizes and other multipart upload\n specifications, see Multipart upload limits in the Amazon S3 User Guide.
\nInstead of using an existing object as part data, you might use the UploadPart\n action and provide data in your request.
\nYou must initiate a multipart upload before you can upload any part. In response to your\n initiate request. Amazon S3 returns a unique identifier, the upload ID, that you must include in\n your upload part request.
\nFor more information about using the UploadPartCopy
operation, see the\n following:
For conceptual information about multipart uploads, see Uploading\n Objects Using Multipart Upload in the\n Amazon S3 User Guide.
\nFor information about permissions required to use the multipart upload API, see\n Multipart Upload and Permissions in the\n Amazon S3 User Guide.
\nFor information about copying objects using a single atomic action vs. a multipart\n upload, see Operations on Objects in\n the Amazon S3 User Guide.
\nFor information about using server-side encryption with customer-provided\n encryption keys with the UploadPartCopy
operation, see CopyObject and UploadPart.
Note the following additional considerations about the request headers\n x-amz-copy-source-if-match
, x-amz-copy-source-if-none-match
,\n x-amz-copy-source-if-unmodified-since
, and\n x-amz-copy-source-if-modified-since
:
\n
\n Consideration 1 - If both of the\n x-amz-copy-source-if-match
and\n x-amz-copy-source-if-unmodified-since
headers are present in the\n request as follows:
\n x-amz-copy-source-if-match
condition evaluates to true
,\n and;
\n x-amz-copy-source-if-unmodified-since
condition evaluates to\n false
;
Amazon S3 returns 200 OK
and copies the data.\n
\n Consideration 2 - If both of the\n x-amz-copy-source-if-none-match
and\n x-amz-copy-source-if-modified-since
headers are present in the\n request as follows:
\n x-amz-copy-source-if-none-match
condition evaluates to\n false
, and;
\n x-amz-copy-source-if-modified-since
condition evaluates to\n true
;
Amazon S3 returns 412 Precondition Failed
response code.\n
If your bucket has versioning enabled, you could have multiple versions of the same\n object. By default, x-amz-copy-source
identifies the current version of the\n object to copy. If the current version is a delete marker and you don't specify a versionId\n in the x-amz-copy-source
, Amazon S3 returns a 404 error, because the object does\n not exist. If you specify versionId in the x-amz-copy-source
and the versionId\n is a delete marker, Amazon S3 returns an HTTP 400 error, because you are not allowed to specify\n a delete marker as a version for the x-amz-copy-source
.
You can optionally specify a specific version of the source object to copy by adding the\n versionId
subresource as shown in the following example:
\n x-amz-copy-source: /bucket/object?versionId=version id
\n
\n Code: NoSuchUpload\n
\n\n Cause: The specified multipart upload does not exist. The upload\n ID might be invalid, or the multipart upload might have been aborted or\n completed.\n
\n\n HTTP Status Code: 404 Not Found\n
\n\n Code: InvalidRequest\n
\n\n Cause: The specified copy source is not supported as a byte-range\n copy source.\n
\n\n HTTP Status Code: 400 Bad Request\n
\nThe following operations are related to UploadPartCopy
:
\n UploadPart\n
\n\n AbortMultipartUpload\n
\n\n ListParts\n
\n\n ListMultipartUploads\n
\nUploads a part by copying data from an existing object as data source. You specify the\n data source by adding the request header x-amz-copy-source
in your request and\n a byte range by adding the request header x-amz-copy-source-range
in your\n request.
For information about maximum and minimum part sizes and other multipart upload\n specifications, see Multipart upload limits in the Amazon S3 User Guide.
\nInstead of using an existing object as part data, you might use the UploadPart\n action and provide data in your request.
\nYou must initiate a multipart upload before you can upload any part. In response to your\n initiate request. Amazon S3 returns a unique identifier, the upload ID, that you must include in\n your upload part request.
\nFor more information about using the UploadPartCopy
operation, see the\n following:
For conceptual information about multipart uploads, see Uploading\n Objects Using Multipart Upload in the\n Amazon S3 User Guide.
\nFor information about permissions required to use the multipart upload API, see\n Multipart Upload and Permissions in the\n Amazon S3 User Guide.
\nFor information about copying objects using a single atomic action vs. a multipart\n upload, see Operations on Objects in\n the Amazon S3 User Guide.
\nFor information about using server-side encryption with customer-provided\n encryption keys with the UploadPartCopy
operation, see CopyObject and UploadPart.
Note the following additional considerations about the request headers\n x-amz-copy-source-if-match
, x-amz-copy-source-if-none-match
,\n x-amz-copy-source-if-unmodified-since
, and\n x-amz-copy-source-if-modified-since
:
\n
\n Consideration 1 - If both of the\n x-amz-copy-source-if-match
and\n x-amz-copy-source-if-unmodified-since
headers are present in the\n request as follows:
\n x-amz-copy-source-if-match
condition evaluates to true
,\n and;
\n x-amz-copy-source-if-unmodified-since
condition evaluates to\n false
;
Amazon S3 returns 200 OK
and copies the data.\n
\n Consideration 2 - If both of the\n x-amz-copy-source-if-none-match
and\n x-amz-copy-source-if-modified-since
headers are present in the\n request as follows:
\n x-amz-copy-source-if-none-match
condition evaluates to\n false
, and;
\n x-amz-copy-source-if-modified-since
condition evaluates to\n true
;
Amazon S3 returns 412 Precondition Failed
response code.\n
If your bucket has versioning enabled, you could have multiple versions of the\n same object. By default, x-amz-copy-source
identifies the current\n version of the object to copy. If the current version is a delete marker and you\n don't specify a versionId in the x-amz-copy-source
, Amazon S3 returns a\n 404 error, because the object does not exist. If you specify versionId in the\n x-amz-copy-source
and the versionId is a delete marker, Amazon S3\n returns an HTTP 400 error, because you are not allowed to specify a delete marker\n as a version for the x-amz-copy-source
.
You can optionally specify a specific version of the source object to copy by\n adding the versionId
subresource as shown in the following\n example:
\n x-amz-copy-source: /bucket/object?versionId=version id
\n
\n Code: NoSuchUpload\n
\n\n Cause: The specified multipart upload does not exist. The\n upload ID might be invalid, or the multipart upload might have been\n aborted or completed.\n
\n\n HTTP Status Code: 404 Not Found\n
\n\n Code: InvalidRequest\n
\n\n Cause: The specified copy source is not supported as a\n byte-range copy source.\n
\n\n HTTP Status Code: 400 Bad Request\n
\nThe following operations are related to UploadPartCopy
:
\n UploadPart\n
\n\n AbortMultipartUpload\n
\n\n ListParts\n
\n\n ListMultipartUploads\n
\nThe bucket name.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The bucket name.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
The name of the bucket to which the multipart upload was initiated.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The name of the bucket to which the multipart upload was initiated.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
If present, specifies the ID of the Amazon Web Services Key Management Service (Amazon Web Services KMS) symmetric\n encryption customer managed key that was used for stored in Amazon S3 object.
", + "smithy.api#documentation": "If present, specifies the ID (Key ID, Key ARN, or Key Alias) of the Amazon Web Services Key Management Service (Amazon Web Services KMS) symmetric\n encryption customer managed key that was used for stored in Amazon S3 object.
", "smithy.api#httpHeader": "x-amz-fwd-header-x-amz-server-side-encryption-aws-kms-key-id" } }, diff --git a/aws/sdk/aws-models/s3control.json b/aws/sdk/aws-models/s3control.json index 2944356a9674138276c37d40b544b4ef20a59a84..7b83470c3f301899c68c07b3adbd91ba9cee8b0d 100644 --- a/aws/sdk/aws-models/s3control.json +++ b/aws/sdk/aws-models/s3control.json @@ -232,6 +232,7 @@ "arnNamespace": "s3", "cloudFormationName": "S3Control", "cloudTrailEventSource": "s3control.amazonaws.com", + "docId": "s3control-2018-08-20", "endpointPrefix": "s3-control" }, "aws.auth#sigv4": { 
@@ -312,148 +313,265 @@ }, "rules": [ { - "conditions": [], + "conditions": [ + { + "fn": "isSet", + "argv": [ + { + "ref": "Region" + } + ] + } + ], "type": "tree", "rules": [ { "conditions": [ { - "fn": "isSet", + "fn": "stringEquals", "argv": [ { "ref": "Region" + }, + "snow" + ] + }, + { + "fn": "isSet", + "argv": [ + { + "ref": "Endpoint" } ] + }, + { + "fn": "parseURL", + "argv": [ + { + "ref": "Endpoint" + } + ], + "assign": "url" } ], "type": "tree", "rules": [ { - "conditions": [], + "conditions": [ + { + "fn": "aws.partition", + "argv": [ + { + "ref": "Region" + } + ], + "assign": "partitionResult" + } + ], "type": "tree", "rules": [ { "conditions": [ { - "fn": "stringEquals", + "fn": "booleanEquals", "argv": [ { - "ref": "Region" + "ref": "UseDualStack" + }, + true + ] + } + ], + "error": "S3 Snow does not support DualStack", + "type": "error" + }, + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseFIPS" + }, + true + ] + } + ], + "error": "S3 Snow does not support FIPS", + "type": "error" + }, + { + "conditions": [], + "endpoint": { + "url": "{url#scheme}://{url#authority}", + "properties": { + "authSchemes": [ + { + "disableDoubleEncoding": true, + "name": "sigv4", + "signingName": "s3", + "signingRegion": "{Region}" + } + ] + }, + "headers": {} + }, + "type": "endpoint" + } + ] + } + ] + }, + { + "conditions": [ + { + "fn": "isSet", + "argv": [ + { + "ref": "OutpostId" + } + ] + } + ], + "type": "tree", + "rules": [ + { + "conditions": [ + { + "fn": "aws.partition", + "argv": [ + { + "ref": "Region" + } + ], + "assign": "partitionResult" + } + ], + "type": "tree", + "rules": [ + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseFIPS" }, - "snow" + true ] }, + { + "fn": "stringEquals", + "argv": [ + { + "fn": "getAttr", + "argv": [ + { + "ref": "partitionResult" + }, + "name" + ] + }, + "aws-cn" + ] + } + ], + "error": "Partition does not support FIPS", + "type": "error" + }, + { + "conditions": 
[ { "fn": "isSet", "argv": [ { - "ref": "Endpoint" + "ref": "RequiresAccountId" } ] }, { - "fn": "parseURL", + "fn": "booleanEquals", "argv": [ { - "ref": "Endpoint" + "ref": "RequiresAccountId" + }, + true + ] + }, + { + "fn": "not", + "argv": [ + { + "fn": "isSet", + "argv": [ + { + "ref": "AccountId" + } + ] } - ], - "assign": "url" + ] } ], - "type": "tree", - "rules": [ + "error": "AccountId is required but not set", + "type": "error" + }, + { + "conditions": [ { - "conditions": [ + "fn": "isSet", + "argv": [ + { + "ref": "AccountId" + } + ] + }, + { + "fn": "not", + "argv": [ { - "fn": "aws.partition", + "fn": "isValidHostLabel", "argv": [ { - "ref": "Region" - } - ], - "assign": "partitionResult" + "ref": "AccountId" + }, + false + ] } - ], - "type": "tree", - "rules": [ + ] + } + ], + "error": "AccountId must only contain a-z, A-Z, 0-9 and `-`.", + "type": "error" + }, + { + "conditions": [ + { + "fn": "not", + "argv": [ { - "conditions": [], - "type": "tree", - "rules": [ + "fn": "isValidHostLabel", + "argv": [ { - "conditions": [ - { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseDualStack" - }, - true - ] - } - ], - "error": "S3 Snow does not support Dual-stack", - "type": "error" + "ref": "OutpostId" }, - { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseFIPS" - }, - true - ] - } - ], - "error": "S3 Snow does not support FIPS", - "type": "error" - }, - { - "conditions": [], - "endpoint": { - "url": "{url#scheme}://{url#authority}", - "properties": { - "authSchemes": [ - { - "disableDoubleEncoding": true, - "name": "sigv4", - "signingName": "s3", - "signingRegion": "{Region}" - } - ] - }, - "headers": {} - }, - "type": "endpoint" - } - ] - } + false ] } ] - }, - { - "conditions": [], - "error": "A valid partition could not be determined", - "type": "error" } - ] + ], + "error": "OutpostId must only contain a-z, A-Z, 0-9 and `-`.", + "type": "error" }, { 
"conditions": [ { - "fn": "isSet", + "fn": "isValidHostLabel", "argv": [ { - "ref": "OutpostId" - } + "ref": "Region" + }, + true ] } ], 
@@ -462,318 +580,716 @@ { "conditions": [ { - "fn": "aws.partition", + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseDualStack" + }, + true + ] + } + ], + "error": "Invalid configuration: Outposts do not support dual-stack", + "type": "error" + }, + { + "conditions": [ + { + "fn": "isSet", + "argv": [ + { + "ref": "Endpoint" + } + ] + }, + { + "fn": "parseURL", "argv": [ { - "ref": "Region" + "ref": "Endpoint" } ], - "assign": "partitionResult" + "assign": "url" } ], - "type": "tree", - "rules": [ + "endpoint": { + "url": "{url#scheme}://{url#authority}{url#path}", + "properties": { + "authSchemes": [ + { + "disableDoubleEncoding": true, + "name": "sigv4", + "signingName": "s3-outposts", + "signingRegion": "{Region}" + } + ] + }, + "headers": {} + }, + "type": "endpoint" + }, + { + "conditions": [ { - "conditions": [], - "type": "tree", - "rules": [ + "fn": "booleanEquals", + "argv": [ { - "conditions": [ - { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseFIPS" - }, - true - ] - }, - { - "fn": "stringEquals", - "argv": [ - { - "fn": "getAttr", - "argv": [ - { - "ref": "partitionResult" - }, - "name" - ] - }, - "aws-cn" - ] - } - ], - "error": "Partition does not support FIPS", - "type": "error" + "ref": "UseFIPS" }, + true + ] + } + ], + "endpoint": { + "url": "https://s3-outposts-fips.{Region}.{partitionResult#dnsSuffix}", + "properties": { + "authSchemes": [ { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "isSet", - "argv": [ - { - "ref": "RequiresAccountId" - } - ] - }, - { - "fn": "booleanEquals", - "argv": [ - { - "ref": "RequiresAccountId" - }, - true - ] - }, - { - "fn": "not", - "argv": [ - { - "fn": "isSet", + "disableDoubleEncoding": true, + "name": "sigv4", + "signingName": "s3-outposts", + "signingRegion": "{Region}" + } + ] + }, + "headers": {} + }, + "type": "endpoint" + }, + { + "conditions": [], + "endpoint": { + "url": "https://s3-outposts.{Region}.{partitionResult#dnsSuffix}", + "properties": { + 
"authSchemes": [ + { + "disableDoubleEncoding": true, + "name": "sigv4", + "signingName": "s3-outposts", + "signingRegion": "{Region}" + } + ] + }, + "headers": {} + }, + "type": "endpoint" + } + ] + }, + { + "conditions": [], + "error": "Invalid region: region was not a valid DNS name.", + "type": "error" + } + ] + } + ] + }, + { + "conditions": [ + { + "fn": "isSet", + "argv": [ + { + "ref": "AccessPointName" + } + ] + }, + { + "fn": "aws.parseArn", + "argv": [ + { + "ref": "AccessPointName" + } + ], + "assign": "accessPointArn" + } + ], + "type": "tree", + "rules": [ + { + "conditions": [ + { + "fn": "getAttr", + "argv": [ + { + "ref": "accessPointArn" + }, + "resourceId[0]" + ], + "assign": "arnType" + }, + { + "fn": "not", + "argv": [ + { + "fn": "stringEquals", + "argv": [ + { + "ref": "arnType" + }, + "" + ] + } + ] + } + ], + "type": "tree", + "rules": [ + { + "conditions": [ + { + "fn": "stringEquals", + "argv": [ + { + "fn": "getAttr", + "argv": [ + { + "ref": "accessPointArn" + }, + "service" + ] + }, + "s3-outposts" + ] + } + ], + "type": "tree", + "rules": [ + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseDualStack" + }, + true + ] + } + ], + "error": "Invalid configuration: Outpost Access Points do not support dual-stack", + "type": "error" + }, + { + "conditions": [ + { + "fn": "getAttr", + "argv": [ + { + "ref": "accessPointArn" + }, + "resourceId[1]" + ], + "assign": "outpostId" + } + ], + "type": "tree", + "rules": [ + { + "conditions": [ + { + "fn": "isValidHostLabel", + "argv": [ + { + "ref": "outpostId" + }, + false + ] + } + ], + "type": "tree", + "rules": [ + { + "conditions": [ + { + "fn": "isSet", + "argv": [ + { + "ref": "UseArnRegion" + } + ] + }, + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseArnRegion" + }, + false + ] + }, + { + "fn": "not", + "argv": [ + { + "fn": "stringEquals", + "argv": [ + { + "fn": "getAttr", "argv": [ { - "ref": "AccountId" - } + "ref": "accessPointArn" + }, + "region" 
] - } + }, + "{Region}" ] } + ] + } + ], + "error": "Invalid configuration: region from ARN `{accessPointArn#region}` does not match client region `{Region}` and UseArnRegion is `false`", + "type": "error" + }, + { + "conditions": [ + { + "fn": "aws.partition", + "argv": [ + { + "ref": "Region" + } ], - "error": "AccountId is required but not set", - "type": "error" - }, + "assign": "partitionResult" + } + ], + "type": "tree", + "rules": [ { - "conditions": [], - "type": "tree", - "rules": [ + "conditions": [ { - "conditions": [ + "fn": "aws.partition", + "argv": [ { - "fn": "isSet", + "fn": "getAttr", "argv": [ { - "ref": "AccountId" - } + "ref": "accessPointArn" + }, + "region" ] - }, + } + ], + "assign": "arnPartition" + } + ], + "type": "tree", + "rules": [ + { + "conditions": [ { - "fn": "not", + "fn": "stringEquals", "argv": [ { - "fn": "isValidHostLabel", + "fn": "getAttr", + "argv": [ + { + "ref": "arnPartition" + }, + "name" + ] + }, + { + "fn": "getAttr", "argv": [ { - "ref": "AccountId" + "ref": "partitionResult" }, - false + "name" ] } ] } ], - "error": "AccountId must only contain a-z, A-Z, 0-9 and `-`.", - "type": "error" - }, - { - "conditions": [], "type": "tree", "rules": [ { "conditions": [ { - "fn": "not", + "fn": "isValidHostLabel", "argv": [ { - "fn": "isValidHostLabel", + "fn": "getAttr", "argv": [ { - "ref": "OutpostId" + "ref": "accessPointArn" }, - false + "region" ] - } + }, + true ] } ], - "error": "OutpostId must only contain a-z, A-Z, 0-9 and `-`.", - "type": "error" - }, - { - "conditions": [], "type": "tree", "rules": [ { "conditions": [ { - "fn": "isValidHostLabel", + "fn": "not", "argv": [ { - "ref": "Region" - }, - true + "fn": "stringEquals", + "argv": [ + { + "fn": "getAttr", + "argv": [ + { + "ref": "accessPointArn" + }, + "accountId" + ] + }, + "" + ] + } ] } ], "type": "tree", "rules": [ { - "conditions": [], + "conditions": [ + { + "fn": "isValidHostLabel", + "argv": [ + { + "fn": "getAttr", + "argv": [ + { + "ref": 
"accessPointArn" + }, + "accountId" + ] + }, + false + ] + } + ], "type": "tree", "rules": [ { "conditions": [ { - "fn": "booleanEquals", + "fn": "isSet", + "argv": [ + { + "ref": "AccountId" + } + ] + }, + { + "fn": "not", "argv": [ { - "ref": "UseDualStack" - }, - true + "fn": "stringEquals", + "argv": [ + { + "ref": "AccountId" + }, + "{accessPointArn#accountId}" + ] + } ] } ], - "error": "Invalid configuration: Outposts do not support dual-stack", + "error": "Invalid ARN: the accountId specified in the ARN (`{accessPointArn#accountId}`) does not match the parameter (`{AccountId}`)", "type": "error" }, { - "conditions": [], + "conditions": [ + { + "fn": "getAttr", + "argv": [ + { + "ref": "accessPointArn" + }, + "resourceId[2]" + ], + "assign": "outpostType" + } + ], "type": "tree", "rules": [ { "conditions": [ { - "fn": "isSet", - "argv": [ - { - "ref": "Endpoint" - } - ] - }, - { - "fn": "parseURL", + "fn": "getAttr", "argv": [ { - "ref": "Endpoint" - } + "ref": "accessPointArn" + }, + "resourceId[3]" ], - "assign": "url" + "assign": "accessPointName" } ], - "endpoint": { - "url": "{url#scheme}://{url#authority}{url#path}", - "properties": { - "authSchemes": [ + "type": "tree", + "rules": [ + { + "conditions": [ { - "disableDoubleEncoding": true, - "name": "sigv4", - "signingName": "s3-outposts", - "signingRegion": "{Region}" - } - ] - }, - "headers": {} - }, - "type": "endpoint" - }, - { - "conditions": [ - { - "fn": "booleanEquals", - "argv": [ + "fn": "stringEquals", + "argv": [ + { + "ref": "outpostType" + }, + "accesspoint" + ] + } + ], + "type": "tree", + "rules": [ { - "ref": "UseFIPS" + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseFIPS" + }, + true + ] + } + ], + "endpoint": { + "url": "https://s3-outposts-fips.{accessPointArn#region}.{arnPartition#dnsSuffix}", + "properties": { + "authSchemes": [ + { + "disableDoubleEncoding": true, + "name": "sigv4", + "signingName": "s3-outposts", + "signingRegion": 
"{accessPointArn#region}" + } + ] + }, + "headers": { + "x-amz-account-id": [ + "{accessPointArn#accountId}" + ], + "x-amz-outpost-id": [ + "{outpostId}" + ] + } + }, + "type": "endpoint" + }, + { + "conditions": [ + { + "fn": "isSet", + "argv": [ + { + "ref": "Endpoint" + } + ] + }, + { + "fn": "parseURL", + "argv": [ + { + "ref": "Endpoint" + } + ], + "assign": "url" + } + ], + "endpoint": { + "url": "{url#scheme}://{url#authority}{url#path}", + "properties": { + "authSchemes": [ + { + "disableDoubleEncoding": true, + "name": "sigv4", + "signingName": "s3-outposts", + "signingRegion": "{accessPointArn#region}" + } + ] + }, + "headers": { + "x-amz-account-id": [ + "{accessPointArn#accountId}" + ], + "x-amz-outpost-id": [ + "{outpostId}" + ] + } + }, + "type": "endpoint" }, - true - ] - } - ], - "endpoint": { - "url": "https://s3-outposts-fips.{Region}.{partitionResult#dnsSuffix}", - "properties": { - "authSchemes": [ { - "disableDoubleEncoding": true, - "name": "sigv4", - "signingName": "s3-outposts", - "signingRegion": "{Region}" + "conditions": [], + "endpoint": { + "url": "https://s3-outposts.{accessPointArn#region}.{arnPartition#dnsSuffix}", + "properties": { + "authSchemes": [ + { + "disableDoubleEncoding": true, + "name": "sigv4", + "signingName": "s3-outposts", + "signingRegion": "{accessPointArn#region}" + } + ] + }, + "headers": { + "x-amz-account-id": [ + "{accessPointArn#accountId}" + ], + "x-amz-outpost-id": [ + "{outpostId}" + ] + } + }, + "type": "endpoint" } ] }, - "headers": {} - }, - "type": "endpoint" + { + "conditions": [], + "error": "Expected an outpost type `accesspoint`, found `{outpostType}`", + "type": "error" + } + ] }, { "conditions": [], - "endpoint": { - "url": "https://s3-outposts.{Region}.{partitionResult#dnsSuffix}", - "properties": { - "authSchemes": [ - { - "disableDoubleEncoding": true, - "name": "sigv4", - "signingName": "s3-outposts", - "signingRegion": "{Region}" - } - ] - }, - "headers": {} - }, - "type": "endpoint" + 
"error": "Invalid ARN: expected an access point name", + "type": "error" } ] + }, + { + "conditions": [], + "error": "Invalid ARN: Expected a 4-component resource", + "type": "error" } ] + }, + { + "conditions": [], + "error": "Invalid ARN: The account id may only contain a-z, A-Z, 0-9 and `-`. Found: `{accessPointArn#accountId}`", + "type": "error" } ] }, { "conditions": [], - "error": "Invalid region: region was not a valid DNS name.", + "error": "Invalid ARN: missing account ID", "type": "error" } ] + }, + { + "conditions": [], + "error": "Invalid region in ARN: `{accessPointArn#region}` (invalid DNS name)", + "type": "error" } ] + }, + { + "conditions": [], + "error": "Client was configured for partition `{partitionResult#name}` but ARN has `{arnPartition#name}`", + "type": "error" } ] } ] } ] + }, + { + "conditions": [], + "error": "Invalid ARN: The outpost Id must only contain a-z, A-Z, 0-9 and `-`., found: `{outpostId}`", + "type": "error" } ] }, { "conditions": [], - "error": "A valid partition could not be determined", + "error": "Invalid ARN: The Outpost Id was not set", "type": "error" } ] + } + ] + }, + { + "conditions": [], + "error": "Invalid ARN: No ARN type specified", + "type": "error" + } + ] + }, + { + "conditions": [ + { + "fn": "isSet", + "argv": [ + { + "ref": "Bucket" + } + ] + }, + { + "fn": "aws.parseArn", + "argv": [ + { + "ref": "Bucket" + } + ], + "assign": "bucketArn" + } + ], + "type": "tree", + "rules": [ + { + "conditions": [ + { + "fn": "getAttr", + "argv": [ + { + "ref": "bucketArn" + }, + "resourceId[0]" + ], + "assign": "arnType" }, { - "conditions": [ + "fn": "not", + "argv": [ { - "fn": "isSet", + "fn": "stringEquals", "argv": [ { - "ref": "AccessPointName" - } + "ref": "arnType" + }, + "" ] - }, + } + ] + } + ], + "type": "tree", + "rules": [ + { + "conditions": [ { - "fn": "aws.parseArn", + "fn": "stringEquals", "argv": [ { - "ref": "AccessPointName" - } - ], - "assign": "accessPointArn" + "fn": "getAttr", + "argv": [ + { + 
"ref": "bucketArn" + }, + "service" + ] + }, + "s3-outposts" + ] } ], "type": "tree", @@ -781,28 +1297,29 @@ { "conditions": [ { - "fn": "getAttr", + "fn": "booleanEquals", "argv": [ { - "ref": "accessPointArn" + "ref": "UseDualStack" }, - "resourceId[0]" - ], - "assign": "arnType" - }, + true + ] + } + ], + "error": "Invalid configuration: Outpost buckets do not support dual-stack", + "type": "error" + }, + { + "conditions": [ { - "fn": "not", + "fn": "getAttr", "argv": [ { - "fn": "stringEquals", - "argv": [ - { - "ref": "arnType" - }, - "" - ] - } - ] + "ref": "bucketArn" + }, + "resourceId[1]" + ], + "assign": "outpostId" } ], "type": "tree", @@ -810,18 +1327,12 @@ { "conditions": [ { - "fn": "stringEquals", + "fn": "isValidHostLabel", "argv": [ { - "fn": "getAttr", - "argv": [ - { - "ref": "accessPointArn" - }, - "service" - ] + "ref": "outpostId" }, - "s3-outposts" + false ] } ], 
@@ -829,40 +1340,107 @@ "rules": [ { "conditions": [ + { + "fn": "isSet", + "argv": [ + { + "ref": "UseArnRegion" + } + ] + }, { "fn": "booleanEquals", "argv": [ { - "ref": "UseDualStack" + "ref": "UseArnRegion" }, - true + false + ] + }, + { + "fn": "not", + "argv": [ + { + "fn": "stringEquals", + "argv": [ + { + "fn": "getAttr", + "argv": [ + { + "ref": "bucketArn" + }, + "region" + ] + }, + "{Region}" + ] + } ] } ], - "error": "Invalid configuration: Outpost Access Points do not support dual-stack", + "error": "Invalid configuration: region from ARN `{bucketArn#region}` does not match client region `{Region}` and UseArnRegion is `false`", "type": "error" }, { - "conditions": [], + "conditions": [ + { + "fn": "aws.partition", + "argv": [ + { + "fn": "getAttr", + "argv": [ + { + "ref": "bucketArn" + }, + "region" + ] + } + ], + "assign": "arnPartition" + } + ], "type": "tree", "rules": [ { "conditions": [ { - "fn": "getAttr", + "fn": "aws.partition", "argv": [ { - "ref": "accessPointArn" - }, - "resourceId[1]" + "ref": "Region" + } ], - "assign": "outpostId" + "assign": "partitionResult" } ], "type": "tree", "rules": [ { - "conditions": [], + "conditions": [ + { + "fn": "stringEquals", + "argv": [ + { + "fn": "getAttr", + "argv": [ + { + "ref": "arnPartition" + }, + "name" + ] + }, + { + "fn": "getAttr", + "argv": [ + { + "ref": "partitionResult" + }, + "name" + ] + } + ] + } + ], "type": "tree", "rules": [ { 
@@ -871,522 +1449,439 @@ "fn": "isValidHostLabel", "argv": [ { - "ref": "outpostId" + "fn": "getAttr", + "argv": [ + { + "ref": "bucketArn" + }, + "region" + ] }, - false + true ] } ], "type": "tree", "rules": [ { - "conditions": [], - "type": "tree", - "rules": [ + "conditions": [ { - "conditions": [ + "fn": "not", + "argv": [ { - "fn": "isSet", + "fn": "stringEquals", "argv": [ { - "ref": "UseArnRegion" - } + "fn": "getAttr", + "argv": [ + { + "ref": "bucketArn" + }, + "accountId" + ] + }, + "" ] - }, + } + ] + } + ], + "type": "tree", + "rules": [ + { + "conditions": [ { - "fn": "booleanEquals", + "fn": "isValidHostLabel", "argv": [ { - "ref": "UseArnRegion" - }, + "fn": "getAttr", + "argv": [ + { + "ref": "bucketArn" + }, + "accountId" + ] + }, false ] - }, + } + ], + "type": "tree", + "rules": [ { - "fn": "not", - "argv": [ + "conditions": [ { - "fn": "stringEquals", + "fn": "isSet", "argv": [ { - "fn": "getAttr", + "ref": "AccountId" + } + ] + }, + { + "fn": "not", + "argv": [ + { + "fn": "stringEquals", "argv": [ { - "ref": "accessPointArn" + "ref": "AccountId" }, - "region" + "{bucketArn#accountId}" ] - }, - "{Region}" + } ] } - ] - } - ], - "error": "Invalid configuration: region from ARN `{accessPointArn#region}` does not match client region `{Region}` and UseArnRegion is `false`", - "type": "error" - }, - { - "conditions": [], - "type": "tree", - "rules": [ + ], + "error": "Invalid ARN: the accountId specified in the ARN (`{bucketArn#accountId}`) does not match the parameter (`{AccountId}`)", + "type": "error" + }, { "conditions": [ { - "fn": "aws.partition", + "fn": "getAttr", "argv": [ { - "ref": "Region" - } + "ref": "bucketArn" + }, + "resourceId[2]" ], - "assign": "partitionResult" + "assign": "outpostType" } ], "type": "tree", "rules": [ { - "conditions": [], + "conditions": [ + { + "fn": "getAttr", + "argv": [ + { + "ref": "bucketArn" + }, + "resourceId[3]" + ], + "assign": "bucketName" + } + ], "type": "tree", "rules": [ { "conditions": [ { - 
"fn": "aws.partition", + "fn": "stringEquals", "argv": [ { - "fn": "getAttr", + "ref": "outpostType" + }, + "bucket" + ] + } + ], + "type": "tree", + "rules": [ + { + "conditions": [ + { + "fn": "booleanEquals", "argv": [ { - "ref": "accessPointArn" + "ref": "UseFIPS" }, - "region" + true ] } ], - "assign": "arnPartition" - } - ], - "type": "tree", - "rules": [ + "endpoint": { + "url": "https://s3-outposts-fips.{bucketArn#region}.{arnPartition#dnsSuffix}", + "properties": { + "authSchemes": [ + { + "disableDoubleEncoding": true, + "name": "sigv4", + "signingName": "s3-outposts", + "signingRegion": "{bucketArn#region}" + } + ] + }, + "headers": { + "x-amz-account-id": [ + "{bucketArn#accountId}" + ], + "x-amz-outpost-id": [ + "{outpostId}" + ] + } + }, + "type": "endpoint" + }, { - "conditions": [], - "type": "tree", - "rules": [ + "conditions": [ + { + "fn": "isSet", + "argv": [ + { + "ref": "Endpoint" + } + ] + }, { - "conditions": [ + "fn": "parseURL", + "argv": [ + { + "ref": "Endpoint" + } + ], + "assign": "url" + } + ], + "endpoint": { + "url": "{url#scheme}://{url#authority}{url#path}", + "properties": { + "authSchemes": [ { - "fn": "stringEquals", - "argv": [ - { - "fn": "getAttr", - "argv": [ - { - "ref": "arnPartition" - }, - "name" - ] - }, - { - "fn": "getAttr", - "argv": [ - { - "ref": "partitionResult" - }, - "name" - ] - } - ] + "disableDoubleEncoding": true, + "name": "sigv4", + "signingName": "s3-outposts", + "signingRegion": "{bucketArn#region}" } + ] + }, + "headers": { + "x-amz-account-id": [ + "{bucketArn#accountId}" ], - "type": "tree", - "rules": [ + "x-amz-outpost-id": [ + "{outpostId}" + ] + } + }, + "type": "endpoint" + }, + { + "conditions": [], + "endpoint": { + "url": "https://s3-outposts.{bucketArn#region}.{arnPartition#dnsSuffix}", + "properties": { + "authSchemes": [ { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "isValidHostLabel", - "argv": [ - { - "fn": "getAttr", - "argv": [ - { - "ref": 
"accessPointArn" - }, - "region" - ] - }, - true - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "not", - "argv": [ - { - "fn": "stringEquals", - "argv": [ - { - "fn": "getAttr", - "argv": [ - { - "ref": "accessPointArn" - }, - "accountId" - ] - }, - "" - ] - } - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "isValidHostLabel", - "argv": [ - { - "fn": "getAttr", - "argv": [ - { - "ref": "accessPointArn" - }, - "accountId" - ] - }, - false - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "isSet", - "argv": [ - { - "ref": "AccountId" - } - ] - }, - { - "fn": "not", - "argv": [ - { - "fn": "stringEquals", - "argv": [ - { - "ref": "AccountId" - }, - "{accessPointArn#accountId}" - ] - } - ] - } - ], - "error": "Invalid ARN: the accountId specified in the ARN (`{accessPointArn#accountId}`) does not match the parameter (`{AccountId}`)", - "type": "error" - }, - { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "getAttr", - "argv": [ - { - "ref": "accessPointArn" - }, - "resourceId[2]" - ], - "assign": "outpostType" - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "getAttr", - "argv": [ - { - "ref": "accessPointArn" - }, - "resourceId[3]" - ], - "assign": "accessPointName" - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "stringEquals", - "argv": [ - { - "ref": "outpostType" - }, - "accesspoint" - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseFIPS" - }, - true - ] - } - ], - "endpoint": { - "url": 
"https://s3-outposts-fips.{accessPointArn#region}.{arnPartition#dnsSuffix}", - "properties": { - "authSchemes": [ - { - "disableDoubleEncoding": true, - "name": "sigv4", - "signingName": "s3-outposts", - "signingRegion": "{accessPointArn#region}" - } - ] - }, - "headers": { - "x-amz-account-id": [ - "{accessPointArn#accountId}" - ], - "x-amz-outpost-id": [ - "{outpostId}" - ] - } - }, - "type": "endpoint" - }, - { - "conditions": [ - { - "fn": "isSet", - "argv": [ - { - "ref": "Endpoint" - } - ] - }, - { - "fn": "parseURL", - "argv": [ - { - "ref": "Endpoint" - } - ], - "assign": "url" - } - ], - "endpoint": { - "url": "{url#scheme}://{url#authority}{url#path}", - "properties": { - "authSchemes": [ - { - "disableDoubleEncoding": true, - "name": "sigv4", - "signingName": "s3-outposts", - "signingRegion": "{accessPointArn#region}" - } - ] - }, - "headers": { - "x-amz-account-id": [ - "{accessPointArn#accountId}" - ], - "x-amz-outpost-id": [ - "{outpostId}" - ] - } - }, - "type": "endpoint" - }, - { - "conditions": [], - "endpoint": { - "url": "https://s3-outposts.{accessPointArn#region}.{arnPartition#dnsSuffix}", - "properties": { - "authSchemes": [ - { - "disableDoubleEncoding": true, - "name": "sigv4", - "signingName": "s3-outposts", - "signingRegion": "{accessPointArn#region}" - } - ] - }, - "headers": { - "x-amz-account-id": [ - "{accessPointArn#accountId}" - ], - "x-amz-outpost-id": [ - "{outpostId}" - ] - } - }, - "type": "endpoint" - } - ] - } - ] - }, - { - "conditions": [], - "error": "Expected an outpost type `accesspoint`, found `{outpostType}`", - "type": "error" - } - ] - } - ] - }, - { - "conditions": [], - "error": "Invalid ARN: expected an access point name", - "type": "error" - } - ] - } - ] - }, - { - "conditions": [], - "error": "Invalid ARN: Expected a 4-component resource", - "type": "error" - } - ] - } - ] - } - ] - }, - { - "conditions": [], - "error": "Invalid ARN: The account id may only contain a-z, A-Z, 0-9 and `-`. 
Found: `{accessPointArn#accountId}`", - "type": "error" - } - ] - } - ] - }, - { - "conditions": [], - "error": "Invalid ARN: missing account ID", - "type": "error" - } - ] - } - ] - }, - { - "conditions": [], - "error": "Invalid region in ARN: `{accessPointArn#region}` (invalid DNS name)", - "type": "error" - } - ] + "disableDoubleEncoding": true, + "name": "sigv4", + "signingName": "s3-outposts", + "signingRegion": "{bucketArn#region}" } ] }, - { - "conditions": [], - "error": "Client was configured for partition `{partitionResult#name}` but ARN has `{arnPartition#name}`", - "type": "error" + "headers": { + "x-amz-account-id": [ + "{bucketArn#accountId}" + ], + "x-amz-outpost-id": [ + "{outpostId}" + ] } - ] + }, + "type": "endpoint" } ] }, { "conditions": [], - "error": "Could not load partition for ARN region `{accessPointArn#region}`", + "error": "Invalid ARN: Expected an outpost type `bucket`, found `{outpostType}`", "type": "error" } ] + }, + { + "conditions": [], + "error": "Invalid ARN: expected a bucket name", + "type": "error" } ] }, { "conditions": [], - "error": "A valid partition could not be determined", + "error": "Invalid ARN: Expected a 4-component resource", "type": "error" } ] + }, + { + "conditions": [], + "error": "Invalid ARN: The account id may only contain a-z, A-Z, 0-9 and `-`. 
Found: `{bucketArn#accountId}`", + "type": "error" } ] + }, + { + "conditions": [], + "error": "Invalid ARN: missing account ID", + "type": "error" } ] }, { "conditions": [], - "error": "Invalid ARN: The outpost Id must only contain a-z, A-Z, 0-9 and `-`., found: `{outpostId}`", + "error": "Invalid region in ARN: `{bucketArn#region}` (invalid DNS name)", "type": "error" } ] + }, + { + "conditions": [], + "error": "Client was configured for partition `{partitionResult#name}` but ARN has `{arnPartition#name}`", + "type": "error" } ] - }, - { - "conditions": [], - "error": "Invalid ARN: The Outpost Id was not set", - "type": "error" } ] } ] + }, + { + "conditions": [], + "error": "Invalid ARN: The outpost Id must only contain a-z, A-Z, 0-9 and `-`., found: `{outpostId}`", + "type": "error" } ] }, { "conditions": [], - "error": "Invalid ARN: No ARN type specified", + "error": "Invalid ARN: The Outpost Id was not set", "type": "error" } ] + } + ] + }, + { + "conditions": [], + "error": "Invalid ARN: No ARN type specified", + "type": "error" + } + ] + }, + { + "conditions": [ + { + "fn": "aws.partition", + "argv": [ + { + "ref": "Region" + } + ], + "assign": "partitionResult" + } + ], + "type": "tree", + "rules": [ + { + "conditions": [ + { + "fn": "isValidHostLabel", + "argv": [ + { + "ref": "Region" + }, + true + ] + } + ], + "type": "tree", + "rules": [ + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseFIPS" + }, + true + ] + }, + { + "fn": "stringEquals", + "argv": [ + { + "fn": "getAttr", + "argv": [ + { + "ref": "partitionResult" + }, + "name" + ] + }, + "aws-cn" + ] + } + ], + "error": "Partition does not support FIPS", + "type": "error" + }, + { + "conditions": [ + { + "fn": "isSet", + "argv": [ + { + "ref": "RequiresAccountId" + } + ] + }, + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "RequiresAccountId" + }, + true + ] + }, + { + "fn": "not", + "argv": [ + { + "fn": "isSet", + "argv": [ + { + "ref": "AccountId" + } + ] + } 
+ ] + } + ], + "error": "AccountId is required but not set", + "type": "error" + }, + { + "conditions": [ + { + "fn": "isSet", + "argv": [ + { + "ref": "AccountId" + } + ] + }, + { + "fn": "not", + "argv": [ + { + "fn": "isValidHostLabel", + "argv": [ + { + "ref": "AccountId" + }, + false + ] + } + ] + } + ], + "error": "AccountId must only contain a-z, A-Z, 0-9 and `-`.", + "type": "error" }, { "conditions": [ @@ -1394,18 +1889,18 @@ "fn": "isSet", "argv": [ { - "ref": "Bucket" + "ref": "Endpoint" } ] }, { - "fn": "aws.parseArn", + "fn": "parseURL", "argv": [ { - "ref": "Bucket" + "ref": "Endpoint" } ], - "assign": "bucketArn" + "assign": "url" } ], "type": "tree", 
@@ -1413,1304 +1908,493 @@ { "conditions": [ { - "fn": "getAttr", + "fn": "booleanEquals", "argv": [ { - "ref": "bucketArn" + "ref": "UseDualStack" }, - "resourceId[0]" - ], - "assign": "arnType" + true + ] + } + ], + "error": "Invalid Configuration: DualStack and custom endpoint are not supported", + "type": "error" + }, + { + "conditions": [ + { + "fn": "isSet", + "argv": [ + { + "ref": "RequiresAccountId" + } + ] }, { - "fn": "not", + "fn": "booleanEquals", "argv": [ { - "fn": "stringEquals", - "argv": [ - { - "ref": "arnType" - }, - "" - ] + "ref": "RequiresAccountId" + }, + true + ] + }, + { + "fn": "isSet", + "argv": [ + { + "ref": "AccountId" } ] } ], - "type": "tree", - "rules": [ - { - "conditions": [ + "endpoint": { + "url": "{url#scheme}://{AccountId}.{url#authority}{url#path}", + "properties": { + "authSchemes": [ { - "fn": "stringEquals", - "argv": [ - { - "fn": "getAttr", - "argv": [ - { - "ref": "bucketArn" - }, - "service" - ] - }, - "s3-outposts" - ] + "disableDoubleEncoding": true, + "name": "sigv4", + "signingName": "s3", + "signingRegion": "{Region}" } - ], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseDualStack" - }, - true - ] - } - ], - "error": "Invalid configuration: Outpost buckets do not support dual-stack", - "type": "error" - }, + ] + }, + "headers": {} + }, + "type": "endpoint" + }, + { + "conditions": [], + "endpoint": { + "url": "{url#scheme}://{url#authority}{url#path}", + "properties": { + "authSchemes": [ { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "getAttr", - "argv": [ - { - "ref": "bucketArn" - }, - "resourceId[1]" - ], - "assign": "outpostId" - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "isValidHostLabel", - "argv": [ - { - "ref": "outpostId" - }, - false - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": 
"tree", - "rules": [ - { - "conditions": [ - { - "fn": "isSet", - "argv": [ - { - "ref": "UseArnRegion" - } - ] - }, - { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseArnRegion" - }, - false - ] - }, - { - "fn": "not", - "argv": [ - { - "fn": "stringEquals", - "argv": [ - { - "fn": "getAttr", - "argv": [ - { - "ref": "bucketArn" - }, - "region" - ] - }, - "{Region}" - ] - } - ] - } - ], - "error": "Invalid configuration: region from ARN `{bucketArn#region}` does not match client region `{Region}` and UseArnRegion is `false`", - "type": "error" - }, - { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "aws.partition", - "argv": [ - { - "fn": "getAttr", - "argv": [ - { - "ref": "bucketArn" - }, - "region" - ] - } - ], - "assign": "arnPartition" - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "aws.partition", - "argv": [ - { - "ref": "Region" - } - ], - "assign": "partitionResult" - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "stringEquals", - "argv": [ - { - "fn": "getAttr", - "argv": [ - { - "ref": "arnPartition" - }, - "name" - ] - }, - { - "fn": "getAttr", - "argv": [ - { - "ref": "partitionResult" - }, - "name" - ] - } - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "isValidHostLabel", - "argv": [ - { - "fn": "getAttr", - "argv": [ - { - "ref": "bucketArn" - }, - "region" - ] - }, - true - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "not", - "argv": [ - { - "fn": "stringEquals", - "argv": [ - { - "fn": "getAttr", - "argv": [ - { - "ref": "bucketArn" - }, - "accountId" - ] - }, - "" - ] - } - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": "tree", - "rules": [ - { 
- "conditions": [ - { - "fn": "isValidHostLabel", - "argv": [ - { - "fn": "getAttr", - "argv": [ - { - "ref": "bucketArn" - }, - "accountId" - ] - }, - false - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "isSet", - "argv": [ - { - "ref": "AccountId" - } - ] - }, - { - "fn": "not", - "argv": [ - { - "fn": "stringEquals", - "argv": [ - { - "ref": "AccountId" - }, - "{bucketArn#accountId}" - ] - } - ] - } - ], - "error": "Invalid ARN: the accountId specified in the ARN (`{bucketArn#accountId}`) does not match the parameter (`{AccountId}`)", - "type": "error" - }, - { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "getAttr", - "argv": [ - { - "ref": "bucketArn" - }, - "resourceId[2]" - ], - "assign": "outpostType" - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "getAttr", - "argv": [ - { - "ref": "bucketArn" - }, - "resourceId[3]" - ], - "assign": "bucketName" - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "stringEquals", - "argv": [ - { - "ref": "outpostType" - }, - "bucket" - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseFIPS" - }, - true - ] - } - ], - "endpoint": { - "url": "https://s3-outposts-fips.{bucketArn#region}.{arnPartition#dnsSuffix}", - "properties": { - "authSchemes": [ - { - "disableDoubleEncoding": true, - "name": "sigv4", - "signingName": "s3-outposts", - "signingRegion": "{bucketArn#region}" - } - ] - }, - "headers": { - "x-amz-account-id": [ - "{bucketArn#accountId}" - ], - "x-amz-outpost-id": [ - "{outpostId}" - ] - } - }, - "type": "endpoint" - }, - { - "conditions": [ - { - "fn": "isSet", - "argv": [ - { - "ref": "Endpoint" - } - ] - 
}, - { - "fn": "parseURL", - "argv": [ - { - "ref": "Endpoint" - } - ], - "assign": "url" - } - ], - "endpoint": { - "url": "{url#scheme}://{url#authority}{url#path}", - "properties": { - "authSchemes": [ - { - "disableDoubleEncoding": true, - "name": "sigv4", - "signingName": "s3-outposts", - "signingRegion": "{bucketArn#region}" - } - ] - }, - "headers": { - "x-amz-account-id": [ - "{bucketArn#accountId}" - ], - "x-amz-outpost-id": [ - "{outpostId}" - ] - } - }, - "type": "endpoint" - }, - { - "conditions": [], - "endpoint": { - "url": "https://s3-outposts.{bucketArn#region}.{arnPartition#dnsSuffix}", - "properties": { - "authSchemes": [ - { - "disableDoubleEncoding": true, - "name": "sigv4", - "signingName": "s3-outposts", - "signingRegion": "{bucketArn#region}" - } - ] - }, - "headers": { - "x-amz-account-id": [ - "{bucketArn#accountId}" - ], - "x-amz-outpost-id": [ - "{outpostId}" - ] - } - }, - "type": "endpoint" - } - ] - } - ] - }, - { - "conditions": [], - "error": "Invalid ARN: Expected an outpost type `bucket`, found `{outpostType}`", - "type": "error" - } - ] - } - ] - }, - { - "conditions": [], - "error": "Invalid ARN: expected a bucket name", - "type": "error" - } - ] - } - ] - }, - { - "conditions": [], - "error": "Invalid ARN: Expected a 4-component resource", - "type": "error" - } - ] - } - ] - } - ] - }, - { - "conditions": [], - "error": "Invalid ARN: The account id may only contain a-z, A-Z, 0-9 and `-`. 
Found: `{bucketArn#accountId}`", - "type": "error" - } - ] - } - ] - }, - { - "conditions": [], - "error": "Invalid ARN: missing account ID", - "type": "error" - } - ] - } - ] - }, - { - "conditions": [], - "error": "Invalid region in ARN: `{bucketArn#region}` (invalid DNS name)", - "type": "error" - } - ] - } - ] - }, - { - "conditions": [], - "error": "Client was configured for partition `{partitionResult#name}` but ARN has `{arnPartition#name}`", - "type": "error" - } - ] - } - ] - }, - { - "conditions": [], - "error": "A valid partition could not be determined", - "type": "error" - } - ] - } - ] - }, - { - "conditions": [], - "error": "Could not load partition for ARN region `{bucketArn#region}`", - "type": "error" - } - ] - } - ] - } - ] - }, - { - "conditions": [], - "error": "Invalid ARN: The outpost Id must only contain a-z, A-Z, 0-9 and `-`., found: `{outpostId}`", - "type": "error" - } - ] - } - ] - }, - { - "conditions": [], - "error": "Invalid ARN: The Outpost Id was not set", - "type": "error" - } - ] + "disableDoubleEncoding": true, + "name": "sigv4", + "signingName": "s3", + "signingRegion": "{Region}" } ] + }, + "headers": {} + }, + "type": "endpoint" + } + ] + }, + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseFIPS" + }, + true + ] + }, + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseDualStack" + }, + true + ] + }, + { + "fn": "isSet", + "argv": [ + { + "ref": "RequiresAccountId" } ] }, { - "conditions": [], - "error": "Invalid ARN: No ARN type specified", - "type": "error" + "fn": "booleanEquals", + "argv": [ + { + "ref": "RequiresAccountId" + }, + true + ] + }, + { + "fn": "isSet", + "argv": [ + { + "ref": "AccountId" + } + ] } - ] + ], + "endpoint": { + "url": "https://{AccountId}.s3-control-fips.dualstack.{Region}.{partitionResult#dnsSuffix}", + "properties": { + "authSchemes": [ + { + "disableDoubleEncoding": true, + "name": "sigv4", + "signingName": "s3", + "signingRegion": "{Region}" + } + ] + }, + 
"headers": {} + }, + "type": "endpoint" }, { - "conditions": [], - "type": "tree", - "rules": [ + "conditions": [ { - "conditions": [ + "fn": "booleanEquals", + "argv": [ { - "fn": "aws.partition", - "argv": [ - { - "ref": "Region" - } - ], - "assign": "partitionResult" + "ref": "UseFIPS" + }, + true + ] + }, + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseDualStack" + }, + true + ] + } + ], + "endpoint": { + "url": "https://s3-control-fips.dualstack.{Region}.{partitionResult#dnsSuffix}", + "properties": { + "authSchemes": [ + { + "disableDoubleEncoding": true, + "name": "sigv4", + "signingName": "s3", + "signingRegion": "{Region}" } - ], - "type": "tree", - "rules": [ + ] + }, + "headers": {} + }, + "type": "endpoint" + }, + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "isValidHostLabel", - "argv": [ - { - "ref": "Region" - }, - true - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseFIPS" - }, - true - ] - }, - { - "fn": "stringEquals", - "argv": [ - { - "fn": "getAttr", - "argv": [ - { - "ref": "partitionResult" - }, - "name" - ] - }, - "aws-cn" - ] - } - ], - "error": "Partition does not support FIPS", - "type": "error" - }, - { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "isSet", - "argv": [ - { - "ref": "RequiresAccountId" - } - ] - }, - { - "fn": "booleanEquals", - "argv": [ - { - "ref": "RequiresAccountId" - }, - true - ] - }, - { - "fn": "not", - "argv": [ - { - "fn": "isSet", - "argv": [ - { - "ref": "AccountId" - } - ] - } - ] - } - ], - "error": "AccountId is required but not set", - "type": "error" - }, - { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "isSet", - "argv": [ - { - "ref": "AccountId" - } - ] - }, - { - "fn": "not", - 
"argv": [ - { - "fn": "isValidHostLabel", - "argv": [ - { - "ref": "AccountId" - }, - false - ] - } - ] - } - ], - "error": "AccountId must only contain a-z, A-Z, 0-9 and `-`.", - "type": "error" - }, - { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "isSet", - "argv": [ - { - "ref": "Endpoint" - } - ] - }, - { - "fn": "parseURL", - "argv": [ - { - "ref": "Endpoint" - } - ], - "assign": "url" - } - ], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseDualStack" - }, - true - ] - } - ], - "error": "Invalid Configuration: Dualstack and custom endpoint are not supported", - "type": "error" - }, - { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "isSet", - "argv": [ - { - "ref": "RequiresAccountId" - } - ] - }, - { - "fn": "booleanEquals", - "argv": [ - { - "ref": "RequiresAccountId" - }, - true - ] - }, - { - "fn": "isSet", - "argv": [ - { - "ref": "AccountId" - } - ] - } - ], - "endpoint": { - "url": "{url#scheme}://{AccountId}.{url#authority}{url#path}", - "properties": { - "authSchemes": [ - { - "disableDoubleEncoding": true, - "name": "sigv4", - "signingName": "s3", - "signingRegion": "{Region}" - } - ] - }, - "headers": {} - }, - "type": "endpoint" - }, - { - "conditions": [], - "endpoint": { - "url": "{url#scheme}://{url#authority}{url#path}", - "properties": { - "authSchemes": [ - { - "disableDoubleEncoding": true, - "name": "sigv4", - "signingName": "s3", - "signingRegion": "{Region}" - } - ] - }, - "headers": {} - }, - "type": "endpoint" - } - ] - } - ] - }, - { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseFIPS" - }, - true - ] - }, - { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseDualStack" - }, - true - ] - }, - { - "fn": "isSet", - "argv": [ - { - "ref": "RequiresAccountId" - } - ] - }, - { - "fn": "booleanEquals", - "argv": [ 
- { - "ref": "RequiresAccountId" - }, - true - ] - }, - { - "fn": "isSet", - "argv": [ - { - "ref": "AccountId" - } - ] - } - ], - "endpoint": { - "url": "https://{AccountId}.s3-control-fips.dualstack.{Region}.{partitionResult#dnsSuffix}", - "properties": { - "authSchemes": [ - { - "disableDoubleEncoding": true, - "name": "sigv4", - "signingName": "s3", - "signingRegion": "{Region}" - } - ] - }, - "headers": {} - }, - "type": "endpoint" - }, - { - "conditions": [ - { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseFIPS" - }, - true - ] - }, - { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseDualStack" - }, - true - ] - } - ], - "endpoint": { - "url": "https://s3-control-fips.dualstack.{Region}.{partitionResult#dnsSuffix}", - "properties": { - "authSchemes": [ - { - "disableDoubleEncoding": true, - "name": "sigv4", - "signingName": "s3", - "signingRegion": "{Region}" - } - ] - }, - "headers": {} - }, - "type": "endpoint" - }, - { - "conditions": [ - { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseFIPS" - }, - true - ] - }, - { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseDualStack" - }, - false - ] - }, - { - "fn": "isSet", - "argv": [ - { - "ref": "RequiresAccountId" - } - ] - }, - { - "fn": "booleanEquals", - "argv": [ - { - "ref": "RequiresAccountId" - }, - true - ] - }, - { - "fn": "isSet", - "argv": [ - { - "ref": "AccountId" - } - ] - } - ], - "endpoint": { - "url": "https://{AccountId}.s3-control-fips.{Region}.{partitionResult#dnsSuffix}", - "properties": { - "authSchemes": [ - { - "disableDoubleEncoding": true, - "name": "sigv4", - "signingName": "s3", - "signingRegion": "{Region}" - } - ] - }, - "headers": {} - }, - "type": "endpoint" - }, - { - "conditions": [ - { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseFIPS" - }, - true - ] - }, - { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseDualStack" - }, - false - ] - } - ], - "endpoint": { - "url": "https://s3-control-fips.{Region}.{partitionResult#dnsSuffix}", - 
"properties": { - "authSchemes": [ - { - "disableDoubleEncoding": true, - "name": "sigv4", - "signingName": "s3", - "signingRegion": "{Region}" - } - ] - }, - "headers": {} - }, - "type": "endpoint" - }, - { - "conditions": [ - { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseFIPS" - }, - false - ] - }, - { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseDualStack" - }, - true - ] - }, - { - "fn": "isSet", - "argv": [ - { - "ref": "RequiresAccountId" - } - ] - }, - { - "fn": "booleanEquals", - "argv": [ - { - "ref": "RequiresAccountId" - }, - true - ] - }, - { - "fn": "isSet", - "argv": [ - { - "ref": "AccountId" - } - ] - } - ], - "endpoint": { - "url": "https://{AccountId}.s3-control.dualstack.{Region}.{partitionResult#dnsSuffix}", - "properties": { - "authSchemes": [ - { - "disableDoubleEncoding": true, - "name": "sigv4", - "signingName": "s3", - "signingRegion": "{Region}" - } - ] - }, - "headers": {} - }, - "type": "endpoint" - }, - { - "conditions": [ - { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseFIPS" - }, - false - ] - }, - { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseDualStack" - }, - true - ] - } - ], - "endpoint": { - "url": "https://s3-control.dualstack.{Region}.{partitionResult#dnsSuffix}", - "properties": { - "authSchemes": [ - { - "disableDoubleEncoding": true, - "name": "sigv4", - "signingName": "s3", - "signingRegion": "{Region}" - } - ] - }, - "headers": {} - }, - "type": "endpoint" - }, - { - "conditions": [ - { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseFIPS" - }, - false - ] - }, - { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseDualStack" - }, - false - ] - }, - { - "fn": "isSet", - "argv": [ - { - "ref": "RequiresAccountId" - } - ] - }, - { - "fn": "booleanEquals", - "argv": [ - { - "ref": "RequiresAccountId" - }, - true - ] - }, - { - "fn": "isSet", - "argv": [ - { - "ref": "AccountId" - } - ] - } - ], - "endpoint": { - "url": 
"https://{AccountId}.s3-control.{Region}.{partitionResult#dnsSuffix}", - "properties": { - "authSchemes": [ - { - "disableDoubleEncoding": true, - "name": "sigv4", - "signingName": "s3", - "signingRegion": "{Region}" - } - ] - }, - "headers": {} - }, - "type": "endpoint" - }, - { - "conditions": [ - { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseFIPS" - }, - false - ] - }, - { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseDualStack" - }, - false - ] - } - ], - "endpoint": { - "url": "https://s3-control.{Region}.{partitionResult#dnsSuffix}", - "properties": { - "authSchemes": [ - { - "disableDoubleEncoding": true, - "name": "sigv4", - "signingName": "s3", - "signingRegion": "{Region}" - } - ] - }, - "headers": {} - }, - "type": "endpoint" - } - ] - } - ] - } - ] - } - ] - } - ] - } - ] - }, - { - "conditions": [], - "error": "Invalid region: region was not a valid DNS name.", - "type": "error" - } - ] + "ref": "UseFIPS" + }, + true + ] + }, + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseDualStack" + }, + false + ] + }, + { + "fn": "isSet", + "argv": [ + { + "ref": "RequiresAccountId" + } + ] + }, + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "RequiresAccountId" + }, + true + ] + }, + { + "fn": "isSet", + "argv": [ + { + "ref": "AccountId" + } + ] + } + ], + "endpoint": { + "url": "https://{AccountId}.s3-control-fips.{Region}.{partitionResult#dnsSuffix}", + "properties": { + "authSchemes": [ + { + "disableDoubleEncoding": true, + "name": "sigv4", + "signingName": "s3", + "signingRegion": "{Region}" + } + ] + }, + "headers": {} + }, + "type": "endpoint" + }, + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseFIPS" + }, + true + ] + }, + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseDualStack" + }, + false + ] + } + ], + "endpoint": { + "url": "https://s3-control-fips.{Region}.{partitionResult#dnsSuffix}", + "properties": { + "authSchemes": [ + { + "disableDoubleEncoding": true, + "name": 
"sigv4", + "signingName": "s3", + "signingRegion": "{Region}" + } + ] + }, + "headers": {} + }, + "type": "endpoint" + }, + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseFIPS" + }, + false + ] + }, + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseDualStack" + }, + true + ] + }, + { + "fn": "isSet", + "argv": [ + { + "ref": "RequiresAccountId" + } + ] + }, + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "RequiresAccountId" + }, + true + ] + }, + { + "fn": "isSet", + "argv": [ + { + "ref": "AccountId" + } + ] + } + ], + "endpoint": { + "url": "https://{AccountId}.s3-control.dualstack.{Region}.{partitionResult#dnsSuffix}", + "properties": { + "authSchemes": [ + { + "disableDoubleEncoding": true, + "name": "sigv4", + "signingName": "s3", + "signingRegion": "{Region}" + } + ] + }, + "headers": {} + }, + "type": "endpoint" + }, + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseFIPS" + }, + false + ] + }, + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseDualStack" + }, + true + ] + } + ], + "endpoint": { + "url": "https://s3-control.dualstack.{Region}.{partitionResult#dnsSuffix}", + "properties": { + "authSchemes": [ + { + "disableDoubleEncoding": true, + "name": "sigv4", + "signingName": "s3", + "signingRegion": "{Region}" + } + ] + }, + "headers": {} + }, + "type": "endpoint" + }, + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseFIPS" + }, + false + ] + }, + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseDualStack" + }, + false + ] + }, + { + "fn": "isSet", + "argv": [ + { + "ref": "RequiresAccountId" } ] }, { - "conditions": [], - "error": "A valid partition could not be determined", - "type": "error" + "fn": "booleanEquals", + "argv": [ + { + "ref": "RequiresAccountId" + }, + true + ] + }, + { + "fn": "isSet", + "argv": [ + { + "ref": "AccountId" + } + ] } - ] + ], + "endpoint": { + "url": 
"https://{AccountId}.s3-control.{Region}.{partitionResult#dnsSuffix}", + "properties": { + "authSchemes": [ + { + "disableDoubleEncoding": true, + "name": "sigv4", + "signingName": "s3", + "signingRegion": "{Region}" + } + ] + }, + "headers": {} + }, + "type": "endpoint" + }, + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseFIPS" + }, + false + ] + }, + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseDualStack" + }, + false + ] + } + ], + "endpoint": { + "url": "https://s3-control.{Region}.{partitionResult#dnsSuffix}", + "properties": { + "authSchemes": [ + { + "disableDoubleEncoding": true, + "name": "sigv4", + "signingName": "s3", + "signingRegion": "{Region}" + } + ] + }, + "headers": {} + }, + "type": "endpoint" } ] + }, + { + "conditions": [], + "error": "Invalid region: region was not a valid DNS name.", + "type": "error" } ] - }, - { - "conditions": [], - "error": "Region must be set", - "type": "error" } ] + }, + { + "conditions": [], + "error": "Region must be set", + "type": "error" } ] }, @@ -3487,7 +3171,6 @@ ], "params": { "Bucket": "blah", - "Operation": "CreateBucket", "OutpostId": "123", "Region": "us-east-2", "RequiresAccountId": false, @@ -3527,7 +3210,6 @@ ], "params": { "Bucket": "blah", - "Operation": "CreateBucket", "OutpostId": "123", "Region": "us-east-2", "RequiresAccountId": false, @@ -3565,7 +3247,6 @@ ], "params": { "Bucket": "blah", - "Operation": "CreateBucket", "Region": "us-east-2", "RequiresAccountId": false, "UseDualStack": false, @@ -3596,14 +3277,13 @@ }, "operationName": "ListRegionalBuckets", "operationParams": { - "AccountId": "123", + "AccountId": "123456789012", "OutpostId": "op-123" } } ], "params": { - "AccountId": "123", - "Operation": "ListRegionalBuckets", + "AccountId": "123456789012", "OutpostId": "op-123", "Region": "us-east-2", "RequiresAccountId": true, 
@@ -3625,7 +3305,7 @@ } ] }, - "url": "https://123.s3-control.us-east-2.amazonaws.com" + "url": "https://123456789012.s3-control.us-east-2.amazonaws.com" } }, "operationInputs": [ @@ -3635,13 +3315,12 @@ }, "operationName": "ListRegionalBuckets", "operationParams": { - "AccountId": "123" + "AccountId": "123456789012" } } ], "params": { - "AccountId": "123", - "Operation": "ListRegionalBuckets", + "AccountId": "123456789012", "Region": "us-east-2", "RequiresAccountId": true, "UseDualStack": false, @@ -3673,14 +3352,13 @@ }, "operationName": "ListRegionalBuckets", "operationParams": { - "AccountId": "123", + "AccountId": "123456789012", "OutpostId": "op-123" } } ], "params": { - "AccountId": "123", - "Operation": "CreateBucket", + "AccountId": "123456789012", "OutpostId": "op-123", "Region": "us-east-2", "RequiresAccountId": true, @@ -3847,7 +3525,7 @@ { "documentation": "Account ID set inline and in ARN and they do not match@us-west-2", "expect": { - "error": "Invalid ARN: the accountId specified in the ARN (`123456789012`) does not match the parameter (`9999999`)" + "error": "Invalid ARN: the accountId specified in the ARN (`123456789012`) does not match the parameter (`999999999999`)" }, "operationInputs": [ { @@ -3857,14 +3535,14 @@ }, "operationName": "GetAccessPoint", "operationParams": { - "AccountId": "9999999", + "AccountId": "999999999999", "Name": "arn:aws:s3-outposts:us-west-2:123456789012:outpost:op-01234567890123456:accesspoint:myaccesspoint" } } ], "params": { "AccessPointName": "arn:aws:s3-outposts:us-west-2:123456789012:outpost:op-01234567890123456:accesspoint:myaccesspoint", - "AccountId": "9999999", + "AccountId": "999999999999", "Region": "us-west-2", "RequiresAccountId": true, "UseArnRegion": false, 
@@ -3906,7 +3584,6 @@ "AccessPointName": "apname", "AccountId": "123456789012", "Endpoint": "https://control.vpce-1a2b3c4d-5e6f.s3.us-west-2.vpce.amazonaws.com", - "Operation": "GetAccessPoint", "Region": "us-west-2", "RequiresAccountId": true, "UseDualStack": false, @@ -3955,7 +3632,6 @@ "AccessPointName": "arn:aws:s3-outposts:us-west-2:123456789012:outpost:op-01234567890123456:accesspoint:myaccesspoint", "AccountId": "123456789012", "Endpoint": "https://beta.example.com", - "Operation": "GetAccessPoint", "Region": "us-west-2", "RequiresAccountId": true, "UseDualStack": false, @@ -3970,7 +3646,6 @@ "params": { "AccessPointName": "arn:aws:s3-outposts:us-west-2:123456789012:outpost:op-01234567890123456:bucket:mybucket", "Endpoint": "beta.example.com", - "Operation": "GetAccessPoint", "Region": "us-west-2", "RequiresAccountId": true, "UseDualStack": false, @@ -3985,7 +3660,6 @@ "params": { "Bucket": "arn:aws:s3-outposts:us-west-2:123456789012:outpost:op-01234567890123456:accesspoint:myaccesspoint", "Endpoint": "beta.example.com", - "Operation": "GetBucket", "Region": "us-west-2", "RequiresAccountId": true, "UseDualStack": false, @@ -4012,7 +3686,6 @@ "params": { "Bucket": "bucketname", "Endpoint": "https://beta.example.com", - "Operation": "CreateBucket", "OutpostId": "op-123", "Region": "us-west-2", "RequiresAccountId": false, @@ -4053,14 +3726,14 @@ }, "operationName": "GetBucket", "operationParams": { - "Bucket": "arn:aws:s3-outposts:us-west-2:123456789012:outpost:op-01234567890123456:bucket:mybucket" + "Bucket": "arn:aws:s3-outposts:us-west-2:123456789012:outpost:op-01234567890123456:bucket:mybucket", + "AccountId": "123456789012" } } ], "params": { "Bucket": "arn:aws:s3-outposts:us-west-2:123456789012:outpost:op-01234567890123456:bucket:mybucket", "Endpoint": "https://beta.example.com", - "Operation": "GetBucket", "Region": "us-west-2", "RequiresAccountId": true, "UseDualStack": false, 
@@ -4092,15 +3765,14 @@ }, "operationName": "ListRegionalBuckets", "operationParams": { - "AccountId": "123", + "AccountId": "123456789012", "OutpostId": "op-123" } } ], "params": { - "AccountId": "123", + "AccountId": "123456789012", "Endpoint": "https://beta.example.com", - "Operation": "CreateBucket", "OutpostId": "op-123", "Region": "us-east-2", "RequiresAccountId": true, @@ -4134,15 +3806,14 @@ }, "operationName": "ListRegionalBuckets", "operationParams": { - "AccountId": "123", + "AccountId": "123456789012", "OutpostId": "op-123" } } ], "params": { - "AccountId": "123", + "AccountId": "123456789012", "Endpoint": "https://beta.example.com", - "Operation": "CreateBucket", "OutpostId": "op-123", "Region": "us-east-2", "RequiresAccountId": true, @@ -4184,7 +3855,6 @@ "params": { "Bucket": "blah", "Endpoint": "https://beta.example.com", - "Operation": "CreateBucket", "OutpostId": "123", "Region": "us-east-2", "RequiresAccountId": false, @@ -4200,7 +3870,6 @@ "params": { "AccessPointName": "arn:aws:s3-outposts:us-west-2:123456789012:outpost:op-01234567890123456:accesspoint:myaccesspoint", "Endpoint": "https://beta.example.com", - "Operation": "GetAccessPoint", "Region": "us-west-2", "RequiresAccountId": true, "UseDualStack": true, @@ -4215,7 +3884,6 @@ "params": { "Bucket": "bucketname", "Endpoint": "https://beta.example.com", - "Operation": "CreateBucket", "OutpostId": "op-123", "Region": "us-west-2", "RequiresAccountId": false, @@ -4256,7 +3924,8 @@ "operationName": "CreateAccessPoint", "operationParams": { "Bucket": "arn:aws:s3-outposts:us-west-2:123456789012:outpost:op-01234567890123456:bucket:mybucket", - "Name": "apname" + "Name": "apname", + "AccountId": "123456789012" } } ], 
@@ -4300,7 +3969,8 @@ }, "operationName": "GetBucket", "operationParams": { - "Bucket": "arn:aws:s3-outposts:us-east-1:123456789012:outpost:op-01234567890123456:bucket:mybucket" + "Bucket": "arn:aws:s3-outposts:us-east-1:123456789012:outpost:op-01234567890123456:bucket:mybucket", + "AccountId": "123456789012" } } ], @@ -4344,7 +4014,8 @@ }, "operationName": "GetBucket", "operationParams": { - "Bucket": "arn:aws-us-gov:s3-outposts:us-gov-east-1:123456789012:outpost:op-01234567890123456:bucket:mybucket" + "Bucket": "arn:aws-us-gov:s3-outposts:us-gov-east-1:123456789012:outpost:op-01234567890123456:bucket:mybucket", + "AccountId": "123456789012" } } ], @@ -4389,7 +4060,8 @@ }, "operationName": "GetBucket", "operationParams": { - "Bucket": "arn:aws-us-gov:s3-outposts:us-gov-west-1:123456789012:outpost:op-01234567890123456:bucket:mybucket" + "Bucket": "arn:aws-us-gov:s3-outposts:us-gov-west-1:123456789012:outpost:op-01234567890123456:bucket:mybucket", + "AccountId": "123456789012" } } ], @@ -4434,7 +4106,8 @@ }, "operationName": "GetBucket", "operationParams": { - "Bucket": "arn:aws:s3-outposts:us-east-2:123456789012:outpost:op-01234567890123456:bucket:mybucket" + "Bucket": "arn:aws:s3-outposts:us-east-2:123456789012:outpost:op-01234567890123456:bucket:mybucket", + "AccountId": "123456789012" } } ], @@ -4492,7 +4165,8 @@ "operationName": "CreateAccessPoint", "operationParams": { "Bucket": "arn:aws-cn:s3-outposts:cn-north-1:123456789012:outpost:op-01234567890123456:bucket:mybucket", - "Name": "apname" + "Name": "apname", + "AccountId": "123456789012" } } ], @@ -4536,7 +4210,8 @@ }, "operationName": "GetBucket", "operationParams": { - "Bucket": "arn:aws:s3-outposts:us-east-1:123456789012:outpost:op-01234567890123456:bucket:mybucket" + "Bucket": "arn:aws:s3-outposts:us-east-1:123456789012:outpost:op-01234567890123456:bucket:mybucket", + "AccountId": "123456789012" } } ], 
@@ -4580,7 +4255,8 @@ }, "operationName": "GetBucket", "operationParams": { - "Bucket": "arn:aws-us-gov:s3-outposts:us-gov-east-1:123456789012:outpost:op-01234567890123456:bucket:mybucket" + "Bucket": "arn:aws-us-gov:s3-outposts:us-gov-east-1:123456789012:outpost:op-01234567890123456:bucket:mybucket", + "AccountId": "123456789012" } } ], @@ -4625,7 +4301,8 @@ }, "operationName": "GetBucket", "operationParams": { - "Bucket": "arn:aws-us-gov:s3-outposts:us-gov-west-1:123456789012:outpost:op-01234567890123456:bucket:mybucket" + "Bucket": "arn:aws-us-gov:s3-outposts:us-gov-west-1:123456789012:outpost:op-01234567890123456:bucket:mybucket", + "AccountId": "123456789012" } } ], @@ -4670,7 +4347,8 @@ }, "operationName": "GetBucket", "operationParams": { - "Bucket": "arn:aws:s3-outposts:us-east-2:123456789012:outpost:op-01234567890123456:bucket:mybucket" + "Bucket": "arn:aws:s3-outposts:us-east-2:123456789012:outpost:op-01234567890123456:bucket:mybucket", + "AccountId": "123456789012" } } ], @@ -4728,7 +4406,8 @@ "operationName": "CreateAccessPoint", "operationParams": { "Bucket": "arn:aws:s3-outposts:af-south-1:123456789012:outpost:op-01234567890123456:bucket:mybucket", - "Name": "apname" + "Name": "apname", + "AccountId": "123456789012" } } ], @@ -4772,7 +4451,8 @@ }, "operationName": "GetBucket", "operationParams": { - "Bucket": "arn:aws:s3-outposts:us-east-1:123456789012:outpost:op-01234567890123456:bucket:mybucket" + "Bucket": "arn:aws:s3-outposts:us-east-1:123456789012:outpost:op-01234567890123456:bucket:mybucket", + "AccountId": "123456789012" } } ], @@ -4816,7 +4496,8 @@ }, "operationName": "GetBucket", "operationParams": { - "Bucket": "arn:aws-us-gov:s3-outposts:us-gov-east-1:123456789012:outpost:op-01234567890123456:bucket:mybucket" + "Bucket": "arn:aws-us-gov:s3-outposts:us-gov-east-1:123456789012:outpost:op-01234567890123456:bucket:mybucket", + "AccountId": "123456789012" } } ], 
@@ -4861,7 +4542,8 @@ }, "operationName": "GetBucket", "operationParams": { - "Bucket": "arn:aws-us-gov:s3-outposts:us-gov-west-1:123456789012:outpost:op-01234567890123456:bucket:mybucket" + "Bucket": "arn:aws-us-gov:s3-outposts:us-gov-west-1:123456789012:outpost:op-01234567890123456:bucket:mybucket", + "AccountId": "123456789012" } } ], @@ -4906,7 +4588,8 @@ }, "operationName": "GetBucket", "operationParams": { - "Bucket": "arn:aws:s3-outposts:us-east-2:123456789012:outpost:op-01234567890123456:bucket:mybucket" + "Bucket": "arn:aws:s3-outposts:us-east-2:123456789012:outpost:op-01234567890123456:bucket:mybucket", + "AccountId": "123456789012" } } ], @@ -5072,11 +4755,11 @@ } ] }, - "url": "https://1234567890-aBC.s3-control-fips.us-east-1.amazonaws.com" + "url": "https://123456789012.s3-control-fips.us-east-1.amazonaws.com" } }, "params": { - "AccountId": "1234567890-aBC", + "AccountId": "123456789012", "Region": "us-east-1", "RequiresAccountId": true, "UseDualStack": false, @@ -5217,7 +4900,7 @@ } ] }, - "url": "https://1234567890-aBC.s3-control.us-east-1.amazonaws.com" + "url": "https://123456789012.s3-control.us-east-1.amazonaws.com" } }, "operationInputs": [ @@ -5227,12 +4910,12 @@ }, "operationName": "ListRegionalBuckets", "operationParams": { - "AccountId": "1234567890-aBC" + "AccountId": "123456789012" } } ], "params": { - "AccountId": "1234567890-aBC", + "AccountId": "123456789012", "Region": "us-east-1", "RequiresAccountId": true, "UseDualStack": false, @@ -5277,7 +4960,7 @@ } ] }, - "url": "https://1234567890-aBC.s3-control-fips.us-east-1.amazonaws.com" + "url": "https://123456789012.s3-control-fips.us-east-1.amazonaws.com" } }, "operationInputs": [ @@ -5288,12 +4971,12 @@ }, "operationName": "ListRegionalBuckets", "operationParams": { - "AccountId": "1234567890-aBC" + "AccountId": "123456789012" } } ], "params": { - "AccountId": "1234567890-aBC", + "AccountId": "123456789012", "Region": "us-east-1", "RequiresAccountId": true, "UseDualStack": false, 
@@ -5314,7 +4997,7 @@ } ] }, - "url": "https://1234567890-aBC.s3-control-fips.dualstack.us-east-1.amazonaws.com" + "url": "https://123456789012.s3-control-fips.dualstack.us-east-1.amazonaws.com" } }, "operationInputs": [ @@ -5326,12 +5009,12 @@ }, "operationName": "ListRegionalBuckets", "operationParams": { - "AccountId": "1234567890-aBC" + "AccountId": "123456789012" } } ], "params": { - "AccountId": "1234567890-aBC", + "AccountId": "123456789012", "Region": "us-east-1", "RequiresAccountId": true, "UseDualStack": true, @@ -5352,7 +5035,7 @@ } ] }, - "url": "https://1234567890-aBC.example.com" + "url": "https://123456789012.example.com" } }, "operationInputs": [ @@ -5363,12 +5046,12 @@ }, "operationName": "ListRegionalBuckets", "operationParams": { - "AccountId": "1234567890-aBC" + "AccountId": "123456789012" } } ], "params": { - "AccountId": "1234567890-aBC", + "AccountId": "123456789012", "Region": "us-east-1", "RequiresAccountId": true, "Endpoint": "https://example.com" @@ -5420,7 +5103,7 @@ } }, { - "documentation": "account id with custom endpoint, fips and dualstack", + "documentation": "account id with custom endpoint, fips", "expect": { "endpoint": { "properties": { @@ -5433,7 +5116,7 @@ } ] }, - "url": "https://1234567890-aBC.example.com" + "url": "https://123456789012.example.com" } }, "operationInputs": [ @@ -5445,21 +5128,20 @@ }, "operationName": "ListRegionalBuckets", "operationParams": { - "AccountId": "1234567890-aBC" + "AccountId": "123456789012" } } ], "params": { - "AccountId": "1234567890-aBC", + "AccountId": "123456789012", "Region": "us-east-1", "RequiresAccountId": true, "Endpoint": "https://example.com", - "UseFIPS": true, - "UseDualstack": true + "UseFIPS": true } }, { - "documentation": "custom endpoint, fips and dualstack", + "documentation": "custom endpoint, fips", "expect": { "endpoint": { "properties": { 
@@ -5478,8 +5160,7 @@ "params": { "Region": "us-east-1", "Endpoint": "https://example.com", - "UseFIPS": true, - "UseDualstack": true + "UseFIPS": true } }, { @@ -5502,32 +5183,19 @@ "params": { "Region": "us-east-1", "Endpoint": "https://example.com", - "UseFIPS": true, - "UseDualstack": false + "UseFIPS": true } }, { - "documentation": "custom endpoint, dualstack", + "documentation": "custom endpoint, DualStack", "expect": { - "endpoint": { - "properties": { - "authSchemes": [ - { - "name": "sigv4", - "signingName": "s3", - "signingRegion": "us-east-1", - "disableDoubleEncoding": true - } - ] - }, - "url": "https://example.com" - } + "error": "Invalid Configuration: DualStack and custom endpoint are not supported" }, "params": { "Region": "us-east-1", "Endpoint": "https://example.com", "UseFIPS": false, - "UseDualstack": true + "UseDualStack": true } }, { @@ -5551,7 +5219,6 @@ "error": "AccountId is required but not set" }, "params": { - "Operation": "ListRegionalBuckets", "OutpostId": "op-123", "Region": "us-east-2", "RequiresAccountId": true, @@ -5578,7 +5245,6 @@ ], "params": { "AccountId": "/?invalid¬-host*label", - "Operation": "ListRegionalBuckets", "OutpostId": "op-123", "Region": "us-east-2", "RequiresAccountId": true, @@ -5659,7 +5325,6 @@ "AccessPointName": "apname", "Endpoint": "https://beta.example.com", "AccountId": "123456789012", - "Operation": "GetAccessPoint", "Region": "us-west-2", "RequiresAccountId": true, "UseDualStack": false, @@ -5694,7 +5359,6 @@ "params": { "AccessPointName": "arn:aws:s3-outposts:us-west-2:123456789012:outpost:op-01234567890123456:accesspoint:myaccesspoint", "Endpoint": "https://beta.example.com", - "Operation": "GetAccessPoint", "Region": "us-west-2", "RequiresAccountId": true, "UseDualStack": false, 
@@ -5702,9 +5366,9 @@ } }, { - "documentation": "Dualstack + Custom endpoint is not supported(non-arn)", + "documentation": "DualStack + Custom endpoint is not supported(non-arn)", "expect": { - "error": "Invalid Configuration: Dualstack and custom endpoint are not supported" + "error": "Invalid Configuration: DualStack and custom endpoint are not supported" }, "operationInputs": [ { @@ -5724,7 +5388,6 @@ "AccessPointName": "apname", "Endpoint": "https://beta.example.com", "AccountId": "123456789012", - "Operation": "GetAccessPoint", "Region": "us-west-2", "RequiresAccountId": true, "UseDualStack": true, @@ -5745,14 +5408,14 @@ }, "operationName": "GetBucket", "operationParams": { - "Bucket": "arn:aws:s3-outposts:us-west-2:123456789012:outpost:op-01234567890123456:bucket:mybucket" + "Bucket": "arn:aws:s3-outposts:us-west-2:123456789012:outpost:op-01234567890123456:bucket:mybucket", + "AccountId": "123456789012" } } ], "params": { "Bucket": "arn:aws:s3-outposts:us-west-2:123456789012:outpost:op-01234567890123456:bucket:mybucket", "Endpoint": "https://beta.example.com", - "Operation": "GetBucket", "Region": "us-west-2", "RequiresAccountId": true, "UseDualStack": true, @@ -5779,7 +5442,6 @@ ], "params": { "AccountId": "0123456789012", - "Operation": "ListRegionalBuckets", "OutpostId": "op-123", "Region": "cn-north-1", "RequiresAccountId": true, @@ -5806,7 +5468,6 @@ ], "params": { "AccountId": "0123456789012", - "Operation": "ListRegionalBuckets", "OutpostId": "?outpost/invalid+", "Region": "us-west-1", "RequiresAccountId": true, @@ -5834,7 +5495,6 @@ "error": "Invalid region: region was not a valid DNS name." }, "params": { - "Operation": "ListRegionalBuckets", "OutpostId": "op-123", "Region": "invalid-region 42", "AccountId": "0123456", @@ -5861,7 +5521,6 @@ } }, "params": { - "Operation": "ListRegionalBuckets", "OutpostId": "op-123", "Region": "us-west-2", "UseDualStack": false, 
@@ -5921,14 +5580,14 @@ }, "operationName": "GetBucket", "operationParams": { - "Bucket": "arn:aws:s3-outposts:us-east-1:123456789012:outpost:op-01234567890123456:bucket:mybucket" + "Bucket": "arn:aws:s3-outposts:us-east-1:123456789012:outpost:op-01234567890123456:bucket:mybucket", + "AccountId": "123456789012" } } ], "params": { "Bucket": "arn:aws:s3-outposts:us-east-1:123456789012:outpost:op-01234567890123456:bucket:mybucket", "Endpoint": "https://beta.example.com", - "Operation": "GetBucket", "Region": "us-west-2", "RequiresAccountId": true, "UseArnRegion": false, @@ -6024,7 +5683,8 @@ }, "operationName": "GetBucket", "operationParams": { - "Bucket": "arn:aws:s3-outposts:us-east-1:123456789012:outpost:op-01234567890123456:bucket:mybucket" + "Bucket": "arn:aws:s3-outposts:us-east-1:123456789012:outpost:op-01234567890123456:bucket:mybucket", + "AccountId": "123456789012" } } ], @@ -6049,13 +5709,13 @@ }, "operationName": "GetBucket", "operationParams": { - "Bucket": "arn:aws:s3-outposts:cn-north-1:123456789012:outpost:op-01234567890123456:bucket:mybucket" + "Bucket": "arn:aws:s3-outposts:cn-north-1:123456789012:outpost:op-01234567890123456:bucket:mybucket", + "AccountId": "123456789012" } } ], "params": { "Bucket": "arn:aws:s3-outposts:cn-north-1:123456789012:outpost:op-01234567890123456:bucket:mybucket", - "Operation": "GetBucket", "Region": "us-west-2", "RequiresAccountId": true, "UseArnRegion": true, 
@@ -6284,22 +5944,20 @@ "Bucket": "bucketName", "Endpoint": "https://10.0.1.12:433", "UseFIPS": true, - "UseDualStack": false, - "Accelerate": false + "UseDualStack": false } }, { - "documentation": "S3 Snow Control with Dual-stack enabled", + "documentation": "S3 Snow Control with Dualstack enabled", "expect": { - "error": "S3 Snow does not support Dual-stack" + "error": "S3 Snow does not support DualStack" }, "params": { "Region": "snow", "Bucket": "bucketName", "Endpoint": "https://10.0.1.12:433", "UseFIPS": false, - "UseDualStack": true, - "Accelerate": false + "UseDualStack": true } } ], @@ -7058,6 +6716,9 @@ "smithy.api#documentation": "The alias of the Object Lambda Access Point.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.s3control#CreateAccessPointRequest": { @@ -7131,6 +6792,9 @@ "smithy.api#documentation": "The name or alias of the access point.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.s3control#CreateBucket": { @@ -7276,6 +6940,9 @@ "smithy.api#documentation": "The Amazon Resource Name (ARN) of the bucket.
\nFor using this parameter with Amazon S3 on Outposts with the REST API, you must specify the name and the x-amz-outpost-id as well.
\nFor using this parameter with S3 on Outposts with the Amazon Web Services SDK and CLI, you must specify the ARN of the bucket accessed in the format arn:aws:s3-outposts:
. For example, to access the bucket reports
through Outpost my-outpost
owned by account 123456789012
in Region us-west-2
, use the URL encoding of arn:aws:s3-outposts:us-west-2:123456789012:outpost/my-outpost/bucket/reports
. The value must be URL encoded.
The ID for this job. Amazon S3 generates this ID automatically and returns it after a\n successful Create Job
request.
The request token associated with the request. You can use this token with DescribeMultiRegionAccessPointOperation to determine the status of asynchronous\n requests.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.s3control#CreationDate": { @@ -8098,7 +7771,10 @@ }, "com.amazonaws.s3control#DeleteJobTaggingResult": { "type": "structure", - "members": {} + "members": {}, + "traits": { + "smithy.api#output": {} + } }, "com.amazonaws.s3control#DeleteMarkerReplication": { "type": "structure", @@ -8217,6 +7893,9 @@ "smithy.api#documentation": "The request token associated with the request. You can use this token with DescribeMultiRegionAccessPointOperation to determine the status of asynchronous\n requests.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.s3control#DeletePublicAccessBlock": { @@ -8372,7 +8051,10 @@ }, "com.amazonaws.s3control#DeleteStorageLensConfigurationTaggingResult": { "type": "structure", - "members": {} + "members": {}, + "traits": { + "smithy.api#output": {} + } }, "com.amazonaws.s3control#DescribeJob": { "type": "operation", @@ -8450,6 +8132,9 @@ "smithy.api#documentation": "Contains the configuration parameters and status for the job specified in the\n Describe Job
request.
A container element containing the details of the asynchronous operation.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.s3control#Destination": { @@ -8851,6 +8539,9 @@ "smithy.api#documentation": "Object Lambda Access Point configuration document.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.s3control#GetAccessPointForObjectLambda": { @@ -8933,6 +8624,9 @@ "smithy.api#documentation": "The alias of the Object Lambda Access Point.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.s3control#GetAccessPointPolicy": { @@ -9022,6 +8716,9 @@ "smithy.api#documentation": "Object Lambda Access Point resource policy document.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.s3control#GetAccessPointPolicyRequest": { @@ -9064,6 +8761,9 @@ "smithy.api#documentation": "The access point policy associated with the specified access point.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.s3control#GetAccessPointPolicyStatus": { @@ -9150,6 +8850,9 @@ "PolicyStatus": { "target": "com.amazonaws.s3control#PolicyStatus" } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.s3control#GetAccessPointPolicyStatusRequest": { @@ -9192,6 +8895,9 @@ "smithy.api#documentation": "Indicates the current policy status of the specified access point.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.s3control#GetAccessPointRequest": { @@ -9285,6 +8991,9 @@ "smithy.api#documentation": "The Amazon Web Services account ID associated with the S3 bucket associated with this access point.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.s3control#GetBucket": { @@ -9377,6 +9086,9 @@ "smithy.api#documentation": "Container for the lifecycle rule of the Outposts bucket.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.s3control#GetBucketPolicy": { @@ -9444,6 +9156,9 @@ "smithy.api#documentation": "The policy of the Outposts bucket.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.s3control#GetBucketReplication": { @@ -9511,6 +9226,9 @@ "smithy.api#documentation": "A container for one or more replication rules. A replication configuration must have at least one rule and you can add up to 100 rules. The maximum size of a\n replication configuration is 128 KB.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.s3control#GetBucketRequest": { @@ -9566,6 +9284,9 @@ "smithy.api#documentation": "The creation date of the Outposts bucket.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.s3control#GetBucketTagging": { @@ -9634,6 +9355,9 @@ "smithy.api#required": {} } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.s3control#GetBucketVersioning": { @@ -9708,6 +9432,9 @@ "smithy.api#xmlName": "MfaDelete" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.s3control#GetJobTagging": { @@ -9783,6 +9510,9 @@ "smithy.api#documentation": "The set of tags associated with the S3 Batch Operations job.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.s3control#GetMultiRegionAccessPoint": { @@ -9874,6 +9604,9 @@ "smithy.api#documentation": "The policy associated with the specified Multi-Region Access Point.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.s3control#GetMultiRegionAccessPointPolicyStatus": { @@ -9936,6 +9669,9 @@ "Established": { "target": "com.amazonaws.s3control#PolicyStatus" } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.s3control#GetMultiRegionAccessPointRequest": { @@ -9975,6 +9711,9 @@ "smithy.api#documentation": "A container element containing the details of the requested Multi-Region Access Point.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.s3control#GetMultiRegionAccessPointRoutes": { @@ -10046,6 +9785,9 @@ "smithy.api#documentation": "The different routes that make up the route configuration. Active routes return a value\n of 100
, and passive routes return a value of 0
.
The tags of S3 Storage Lens configuration requested.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.s3control#GrantFullControl": { @@ -11420,6 +11168,9 @@ "smithy.api#documentation": "If the list has more access points than can be returned in one call to this API, this field\n contains a continuation token that you can provide in subsequent calls to this API to\n retrieve additional access points.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.s3control#ListAccessPointsRequest": { @@ -11482,6 +11233,9 @@ "smithy.api#documentation": "If the specified bucket has more access points than can be returned in one call to this API,\n this field contains a continuation token that you can provide in subsequent calls to this\n API to retrieve additional access points.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.s3control#ListJobs": { @@ -11582,6 +11336,9 @@ "smithy.api#documentation": "The list of current jobs and jobs that have ended within the last 30 days.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.s3control#ListMultiRegionAccessPoints": { @@ -11665,6 +11422,9 @@ "smithy.api#documentation": "If the specified bucket has more Multi-Region Access Points than can be returned in one call to this\n action, this field contains a continuation token. You can use this token tin subsequent\n calls to this action to retrieve additional Multi-Region Access Points.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.s3control#ListRegionalBuckets": { @@ -11757,6 +11517,9 @@ "smithy.api#documentation": "\n NextToken
is sent when isTruncated
is true, which means there\n are more buckets that can be listed. The next list requests to Amazon S3 can be continued with\n this NextToken
. NextToken
is obfuscated and is not a real\n key.
The request token associated with the request. You can use this token with DescribeMultiRegionAccessPointOperation to determine the status of asynchronous\n requests.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.s3control#PutPublicAccessBlock": { @@ -13731,7 +13503,10 @@ }, "com.amazonaws.s3control#PutStorageLensConfigurationTaggingResult": { "type": "structure", - "members": {} + "members": {}, + "traits": { + "smithy.api#output": {} + } }, "com.amazonaws.s3control#Region": { "type": "structure", @@ -15639,7 +15414,10 @@ }, "com.amazonaws.s3control#SubmitMultiRegionAccessPointRoutesResult": { "type": "structure", - "members": {} + "members": {}, + "traits": { + "smithy.api#output": {} + } }, "com.amazonaws.s3control#SuspendedCause": { "type": "string", @@ -15889,6 +15667,9 @@ "smithy.api#required": {} } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.s3control#UpdateJobStatus": { @@ -15997,6 +15778,9 @@ "smithy.api#documentation": "The reason that the specified job's status was updated.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.s3control#VersioningConfiguration": { diff --git a/aws/sdk/aws-models/sso.json b/aws/sdk/aws-models/sso.json index 4f48553e765a20ce5ae79e96ae2866677d84d0dd..9804c2167318f2ca56a55185356f331eb580447a 100644 --- a/aws/sdk/aws-models/sso.json +++ b/aws/sdk/aws-models/sso.json @@ -154,6 +154,9 @@ "smithy.api#required": {} } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.sso#GetRoleCredentialsResponse": { @@ -165,6 +168,9 @@ "smithy.api#documentation": "The credentials for the role that is assigned to the user.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.sso#InvalidRequestException": { @@ -252,6 +258,9 @@ "smithy.api#required": {} } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.sso#ListAccountRolesResponse": { @@ -269,6 +278,9 @@ "smithy.api#documentation": "A paginated response with the list of roles and the next token if more results are\n available.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.sso#ListAccounts": { @@ -335,6 +347,9 @@ "smithy.api#required": {} } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.sso#ListAccountsResponse": { @@ -352,6 +367,9 @@ "smithy.api#documentation": "A paginated response with the list of account information and the next token if more\n results are available.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.sso#Logout": { @@ -375,7 +393,7 @@ ], "traits": { "smithy.api#auth": [], - "smithy.api#documentation": "Removes the locally stored SSO tokens from the client-side cache and sends an API call to\n the IAM Identity Center service to invalidate the corresponding server-side IAM Identity Center sign in\n session.
\n\nIf a user uses IAM Identity Center to access the AWS CLI, the user’s IAM Identity Center sign in session is\n used to obtain an IAM session, as specified in the corresponding IAM Identity Center permission set.\n More specifically, IAM Identity Center assumes an IAM role in the target account on behalf of the user,\n and the corresponding temporary AWS credentials are returned to the client.
\n\nAfter user logout, any existing IAM role sessions that were created by using IAM Identity Center\n permission sets continue based on the duration configured in the permission set.\n For more information, see User\n authentications in the IAM Identity Center User\n Guide.
\nRemoves the locally stored SSO tokens from the client-side cache and sends an API call to\n the IAM Identity Center service to invalidate the corresponding server-side IAM Identity Center sign in\n session.
\nIf a user uses IAM Identity Center to access the AWS CLI, the user’s IAM Identity Center sign in session is\n used to obtain an IAM session, as specified in the corresponding IAM Identity Center permission set.\n More specifically, IAM Identity Center assumes an IAM role in the target account on behalf of the user,\n and the corresponding temporary AWS credentials are returned to the client.
\nAfter user logout, any existing IAM role sessions that were created by using IAM Identity Center\n permission sets continue based on the duration configured in the permission set.\n For more information, see User\n authentications in the IAM Identity Center User\n Guide.
\nAWS IAM Identity Center (successor to AWS Single Sign-On) Portal is a web service that makes it easy for you to assign user access to\n IAM Identity Center resources such as the AWS access portal. Users can get AWS account applications and roles\n assigned to them and get federated into the application.
\n\nAlthough AWS Single Sign-On was renamed, the sso
and\n identitystore
API namespaces will continue to retain their original name for\n backward compatibility purposes. For more information, see IAM Identity Center rename.
This reference guide describes the IAM Identity Center Portal operations that you can call\n programatically and includes detailed information on data types and errors.
\n\nAWS provides SDKs that consist of libraries and sample code for various programming\n languages and platforms, such as Java, Ruby, .Net, iOS, or Android. The SDKs provide a\n convenient way to create programmatic access to IAM Identity Center and other AWS services. For more\n information about the AWS SDKs, including how to download and install them, see Tools for Amazon Web Services.
\nAWS IAM Identity Center (successor to AWS Single Sign-On) Portal is a web service that makes it easy for you to assign user access to\n IAM Identity Center resources such as the AWS access portal. Users can get AWS account applications and roles\n assigned to them and get federated into the application.
\nAlthough AWS Single Sign-On was renamed, the sso
and\n identitystore
API namespaces will continue to retain their original name for\n backward compatibility purposes. For more information, see IAM Identity Center rename.
This reference guide describes the IAM Identity Center Portal operations that you can call\n programatically and includes detailed information on data types and errors.
\nAWS provides SDKs that consist of libraries and sample code for various programming\n languages and platforms, such as Java, Ruby, .Net, iOS, or Android. The SDKs provide a\n convenient way to create programmatic access to IAM Identity Center and other AWS services. For more\n information about the AWS SDKs, including how to download and install them, see Tools for Amazon Web Services.
\nReturns a set of temporary security credentials that you can use to access Amazon Web Services\n resources. These temporary credentials consist of an access key ID, a secret access key,\n and a security token. Typically, you use AssumeRole
within your account or for\n cross-account access. For a comparison of AssumeRole
with other API operations\n that produce temporary credentials, see Requesting Temporary Security\n Credentials and Comparing the\n Amazon Web Services STS API operations in the IAM User Guide.
\n Permissions\n
\nThe temporary security credentials created by AssumeRole
can be used to\n make API calls to any Amazon Web Services service with the following exception: You cannot call the\n Amazon Web Services STS GetFederationToken
or GetSessionToken
API\n operations.
(Optional) You can pass inline or managed session policies to\n this operation. You can pass a single JSON policy document to use as an inline session\n policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as\n managed session policies. The plaintext that you use for both inline and managed session\n policies can't exceed 2,048 characters. Passing policies to this operation returns new \n temporary credentials. The resulting session's permissions are the intersection of the \n role's identity-based policy and the session policies. You can use the role's temporary \n credentials in subsequent Amazon Web Services API calls to access resources in the account that owns \n the role. You cannot use session policies to grant more permissions than those allowed \n by the identity-based policy of the role that is being assumed. For more information, see\n Session\n Policies in the IAM User Guide.
\nWhen you create a role, you create two policies: a role trust policy that specifies\n who can assume the role, and a permissions policy that specifies\n what can be done with the role. You specify the trusted principal\n that is allowed to assume the role in the role trust policy.
\nTo assume a role from a different account, your Amazon Web Services account must be trusted by the\n role. The trust relationship is defined in the role's trust policy when the role is\n created. That trust policy states which accounts are allowed to delegate that access to\n users in the account.
\nA user who wants to access a role in a different account must also have permissions that\n are delegated from the account administrator. The administrator must attach a policy\n that allows the user to call AssumeRole
for the ARN of the role in the other\n account.
To allow a user to assume a role in the same account, you can do either of the\n following:
\nAttach a policy to the user that allows the user to call AssumeRole
\n (as long as the role's trust policy trusts the account).
Add the user as a principal directly in the role's trust policy.
\nYou can do either because the role’s trust policy acts as an IAM resource-based\n policy. When a resource-based policy grants access to a principal in the same account, no\n additional identity-based policy is required. For more information about trust policies and\n resource-based policies, see IAM Policies in the\n IAM User Guide.
\n\n Tags\n
\n(Optional) You can pass tag key-value pairs to your session. These tags are called\n session tags. For more information about session tags, see Passing Session Tags in STS in the\n IAM User Guide.
\nAn administrator must grant you the permissions necessary to pass session tags. The\n administrator can also create granular permissions to allow you to pass only specific\n session tags. For more information, see Tutorial: Using Tags\n for Attribute-Based Access Control in the\n IAM User Guide.
\nYou can set the session tags as transitive. Transitive tags persist during role\n chaining. For more information, see Chaining Roles\n with Session Tags in the IAM User Guide.
\n\n Using MFA with AssumeRole\n
\n(Optional) You can include multi-factor authentication (MFA) information when you call\n AssumeRole
. This is useful for cross-account scenarios to ensure that the\n user that assumes the role has been authenticated with an Amazon Web Services MFA device. In that\n scenario, the trust policy of the role being assumed includes a condition that tests for\n MFA authentication. If the caller does not include valid MFA information, the request to\n assume the role is denied. The condition in a trust policy that tests for MFA\n authentication might look like the following example.
\n \"Condition\": {\"Bool\": {\"aws:MultiFactorAuthPresent\": true}}
\n
For more information, see Configuring MFA-Protected API Access\n in the IAM User Guide guide.
\nTo use MFA with AssumeRole
, you pass values for the\n SerialNumber
and TokenCode
parameters. The\n SerialNumber
value identifies the user's hardware or virtual MFA device.\n The TokenCode
is the time-based one-time password (TOTP) that the MFA device\n produces.
Returns a set of temporary security credentials that you can use to access Amazon Web Services\n resources. These temporary credentials consist of an access key ID, a secret access key,\n and a security token. Typically, you use AssumeRole
within your account or for\n cross-account access. For a comparison of AssumeRole
with other API operations\n that produce temporary credentials, see Requesting Temporary Security\n Credentials and Comparing the\n Amazon Web Services STS API operations in the IAM User Guide.
\n Permissions\n
\nThe temporary security credentials created by AssumeRole
can be used to\n make API calls to any Amazon Web Services service with the following exception: You cannot call the\n Amazon Web Services STS GetFederationToken
or GetSessionToken
API\n operations.
(Optional) You can pass inline or managed session policies to\n this operation. You can pass a single JSON policy document to use as an inline session\n policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as\n managed session policies. The plaintext that you use for both inline and managed session\n policies can't exceed 2,048 characters. Passing policies to this operation returns new \n temporary credentials. The resulting session's permissions are the intersection of the \n role's identity-based policy and the session policies. You can use the role's temporary \n credentials in subsequent Amazon Web Services API calls to access resources in the account that owns \n the role. You cannot use session policies to grant more permissions than those allowed \n by the identity-based policy of the role that is being assumed. For more information, see\n Session\n Policies in the IAM User Guide.
\nWhen you create a role, you create two policies: a role trust policy that specifies\n who can assume the role, and a permissions policy that specifies\n what can be done with the role. You specify the trusted principal\n that is allowed to assume the role in the role trust policy.
\nTo assume a role from a different account, your Amazon Web Services account must be trusted by the\n role. The trust relationship is defined in the role's trust policy when the role is\n created. That trust policy states which accounts are allowed to delegate that access to\n users in the account.
\nA user who wants to access a role in a different account must also have permissions that\n are delegated from the account administrator. The administrator must attach a policy that\n allows the user to call AssumeRole
for the ARN of the role in the other\n account.
To allow a user to assume a role in the same account, you can do either of the\n following:
\nAttach a policy to the user that allows the user to call AssumeRole
\n (as long as the role's trust policy trusts the account).
Add the user as a principal directly in the role's trust policy.
\nYou can do either because the role’s trust policy acts as an IAM resource-based\n policy. When a resource-based policy grants access to a principal in the same account, no\n additional identity-based policy is required. For more information about trust policies and\n resource-based policies, see IAM Policies in the\n IAM User Guide.
\n\n Tags\n
\n(Optional) You can pass tag key-value pairs to your session. These tags are called\n session tags. For more information about session tags, see Passing Session Tags in STS in the\n IAM User Guide.
\nAn administrator must grant you the permissions necessary to pass session tags. The\n administrator can also create granular permissions to allow you to pass only specific\n session tags. For more information, see Tutorial: Using Tags\n for Attribute-Based Access Control in the\n IAM User Guide.
\nYou can set the session tags as transitive. Transitive tags persist during role\n chaining. For more information, see Chaining Roles\n with Session Tags in the IAM User Guide.
\n\n Using MFA with AssumeRole\n
\n(Optional) You can include multi-factor authentication (MFA) information when you call\n AssumeRole
. This is useful for cross-account scenarios to ensure that the\n user that assumes the role has been authenticated with an Amazon Web Services MFA device. In that\n scenario, the trust policy of the role being assumed includes a condition that tests for\n MFA authentication. If the caller does not include valid MFA information, the request to\n assume the role is denied. The condition in a trust policy that tests for MFA\n authentication might look like the following example.
\n \"Condition\": {\"Bool\": {\"aws:MultiFactorAuthPresent\": true}}
\n
For more information, see Configuring MFA-Protected API Access\n in the IAM User Guide guide.
\nTo use MFA with AssumeRole
, you pass values for the\n SerialNumber
and TokenCode
parameters. The\n SerialNumber
value identifies the user's hardware or virtual MFA device.\n The TokenCode
is the time-based one-time password (TOTP) that the MFA device\n produces.
The source identity specified by the principal that is calling the\n AssumeRole
operation.
You can require users to specify a source identity when they assume a role. You do this\n by using the sts:SourceIdentity
condition key in a role trust policy. You can\n use source identity information in CloudTrail logs to determine who took actions with a role.\n You can use the aws:SourceIdentity
condition key to further control access to\n Amazon Web Services resources based on the value of source identity. For more information about using\n source identity, see Monitor and control\n actions taken with assumed roles in the\n IAM User Guide.
The regex used to validate this parameter is a string of characters consisting of upper-\n and lower-case alphanumeric characters with no spaces. You can also include underscores or\n any of the following characters: =,.@-. You cannot use a value that begins with the text\n aws:
. This prefix is reserved for Amazon Web Services internal use.
Reserved for future use.
" + } } }, "traits": { @@ -2446,7 +2459,37 @@ } ], "traits": { - "smithy.api#documentation": "Returns a set of temporary security credentials for users who have been authenticated\n via a SAML authentication response. This operation provides a mechanism for tying an\n enterprise identity store or directory to role-based Amazon Web Services access without user-specific\n credentials or configuration. For a comparison of AssumeRoleWithSAML
with the\n other API operations that produce temporary credentials, see Requesting Temporary Security\n Credentials and Comparing the\n Amazon Web Services STS API operations in the IAM User Guide.
The temporary security credentials returned by this operation consist of an access key\n ID, a secret access key, and a security token. Applications can use these temporary\n security credentials to sign calls to Amazon Web Services services.
\n\n Session Duration\n
\nBy default, the temporary security credentials created by\n AssumeRoleWithSAML
last for one hour. However, you can use the optional\n DurationSeconds
parameter to specify the duration of your session. Your\n role session lasts for the duration that you specify, or until the time specified in the\n SAML authentication response's SessionNotOnOrAfter
value, whichever is\n shorter. You can provide a DurationSeconds
value from 900 seconds (15 minutes)\n up to the maximum session duration setting for the role. This setting can have a value from\n 1 hour to 12 hours. To learn how to view the maximum value for your role, see View the\n Maximum Session Duration Setting for a Role in the\n IAM User Guide. The maximum session duration limit applies when\n you use the AssumeRole*
API operations or the assume-role*
CLI\n commands. However the limit does not apply when you use those operations to create a\n console URL. For more information, see Using IAM Roles in the\n IAM User Guide.
\n Role chaining limits your CLI or Amazon Web Services API role\n session to a maximum of one hour. When you use the AssumeRole
API operation\n to assume a role, you can specify the duration of your role session with the\n DurationSeconds
parameter. You can specify a parameter value of up to\n 43200 seconds (12 hours), depending on the maximum session duration setting for your\n role. However, if you assume a role using role chaining and provide a\n DurationSeconds
parameter value greater than one hour, the operation\n fails.
\n Permissions\n
\nThe temporary security credentials created by AssumeRoleWithSAML
can be\n used to make API calls to any Amazon Web Services service with the following exception: you cannot call\n the STS GetFederationToken
or GetSessionToken
API\n operations.
(Optional) You can pass inline or managed session policies to\n this operation. You can pass a single JSON policy document to use as an inline session\n policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as\n managed session policies. The plaintext that you use for both inline and managed session\n policies can't exceed 2,048 characters. Passing policies to this operation returns new \n temporary credentials. The resulting session's permissions are the intersection of the \n role's identity-based policy and the session policies. You can use the role's temporary \n credentials in subsequent Amazon Web Services API calls to access resources in the account that owns \n the role. You cannot use session policies to grant more permissions than those allowed \n by the identity-based policy of the role that is being assumed. For more information, see\n Session\n Policies in the IAM User Guide.
\nCalling AssumeRoleWithSAML
does not require the use of Amazon Web Services security\n credentials. The identity of the caller is validated by using keys in the metadata document\n that is uploaded for the SAML provider entity for your identity provider.
Calling AssumeRoleWithSAML
can result in an entry in your CloudTrail logs.\n The entry includes the value in the NameID
element of the SAML assertion.\n We recommend that you use a NameIDType
that is not associated with any\n personally identifiable information (PII). For example, you could instead use the\n persistent identifier\n (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
).
\n Tags\n
\n(Optional) You can configure your IdP to pass attributes into your SAML assertion as\n session tags. Each session tag consists of a key name and an associated value. For more\n information about session tags, see Passing Session Tags in STS in the\n IAM User Guide.
\nYou can pass up to 50 session tags. The plaintext session tag keys can’t exceed 128\n characters and the values can’t exceed 256 characters. For these and additional limits, see\n IAM\n and STS Character Limits in the IAM User Guide.
\nAn Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs,\n and session tags into a packed binary format that has a separate limit. Your request can\n fail for this limit even if your plaintext meets the other requirements. The\n PackedPolicySize
response element indicates by percentage how close the\n policies and tags for your request are to the upper size limit.
You can pass a session tag with the same key as a tag that is attached to the role. When\n you do, session tags override the role's tags with the same key.
\nAn administrator must grant you the permissions necessary to pass session tags. The\n administrator can also create granular permissions to allow you to pass only specific\n session tags. For more information, see Tutorial: Using Tags\n for Attribute-Based Access Control in the\n IAM User Guide.
\nYou can set the session tags as transitive. Transitive tags persist during role\n chaining. For more information, see Chaining Roles\n with Session Tags in the IAM User Guide.
\n\n SAML Configuration\n
\nBefore your application can call AssumeRoleWithSAML
, you must configure\n your SAML identity provider (IdP) to issue the claims required by Amazon Web Services. Additionally, you\n must use Identity and Access Management (IAM) to create a SAML provider entity in your Amazon Web Services account that\n represents your identity provider. You must also create an IAM role that specifies this\n SAML provider in its trust policy.
For more information, see the following resources:
\n\n About\n SAML 2.0-based Federation in the IAM User Guide.\n
\n\n Creating SAML Identity Providers in the\n IAM User Guide.
\n\n Configuring\n a Relying Party and Claims in the IAM User Guide.\n
\n\n Creating a Role for SAML 2.0 Federation in the\n IAM User Guide.
\nReturns a set of temporary security credentials for users who have been authenticated\n via a SAML authentication response. This operation provides a mechanism for tying an\n enterprise identity store or directory to role-based Amazon Web Services access without user-specific\n credentials or configuration. For a comparison of AssumeRoleWithSAML
with the\n other API operations that produce temporary credentials, see Requesting Temporary Security\n Credentials and Comparing the\n Amazon Web Services STS API operations in the IAM User Guide.
The temporary security credentials returned by this operation consist of an access key\n ID, a secret access key, and a security token. Applications can use these temporary\n security credentials to sign calls to Amazon Web Services services.
\n\n Session Duration\n
\nBy default, the temporary security credentials created by\n AssumeRoleWithSAML
last for one hour. However, you can use the optional\n DurationSeconds
parameter to specify the duration of your session. Your\n role session lasts for the duration that you specify, or until the time specified in the\n SAML authentication response's SessionNotOnOrAfter
value, whichever is\n shorter. You can provide a DurationSeconds
value from 900 seconds (15 minutes)\n up to the maximum session duration setting for the role. This setting can have a value from\n 1 hour to 12 hours. To learn how to view the maximum value for your role, see View the\n Maximum Session Duration Setting for a Role in the\n IAM User Guide. The maximum session duration limit applies when\n you use the AssumeRole*
API operations or the assume-role*
CLI\n commands. However the limit does not apply when you use those operations to create a\n console URL. For more information, see Using IAM Roles in the\n IAM User Guide.
\n Role chaining limits your CLI or Amazon Web Services API role\n session to a maximum of one hour. When you use the AssumeRole
API operation\n to assume a role, you can specify the duration of your role session with the\n DurationSeconds
parameter. You can specify a parameter value of up to\n 43200 seconds (12 hours), depending on the maximum session duration setting for your\n role. However, if you assume a role using role chaining and provide a\n DurationSeconds
parameter value greater than one hour, the operation\n fails.
\n Permissions\n
\nThe temporary security credentials created by AssumeRoleWithSAML
can be\n used to make API calls to any Amazon Web Services service with the following exception: you cannot call\n the STS GetFederationToken
or GetSessionToken
API\n operations.
(Optional) You can pass inline or managed session policies to\n this operation. You can pass a single JSON policy document to use as an inline session\n policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as\n managed session policies. The plaintext that you use for both inline and managed session\n policies can't exceed 2,048 characters. Passing policies to this operation returns new \n temporary credentials. The resulting session's permissions are the intersection of the \n role's identity-based policy and the session policies. You can use the role's temporary \n credentials in subsequent Amazon Web Services API calls to access resources in the account that owns \n the role. You cannot use session policies to grant more permissions than those allowed \n by the identity-based policy of the role that is being assumed. For more information, see\n Session\n Policies in the IAM User Guide.
\nCalling AssumeRoleWithSAML
does not require the use of Amazon Web Services security\n credentials. The identity of the caller is validated by using keys in the metadata document\n that is uploaded for the SAML provider entity for your identity provider.
Calling AssumeRoleWithSAML
can result in an entry in your CloudTrail logs.\n The entry includes the value in the NameID
element of the SAML assertion.\n We recommend that you use a NameIDType
that is not associated with any\n personally identifiable information (PII). For example, you could instead use the\n persistent identifier\n (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
).
\n Tags\n
\n(Optional) You can configure your IdP to pass attributes into your SAML assertion as\n session tags. Each session tag consists of a key name and an associated value. For more\n information about session tags, see Passing Session Tags in STS in the\n IAM User Guide.
\nYou can pass up to 50 session tags. The plaintext session tag keys can’t exceed 128\n characters and the values can’t exceed 256 characters. For these and additional limits, see\n IAM\n and STS Character Limits in the IAM User Guide.
\nAn Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs,\n and session tags into a packed binary format that has a separate limit. Your request can\n fail for this limit even if your plaintext meets the other requirements. The\n PackedPolicySize
response element indicates by percentage how close the\n policies and tags for your request are to the upper size limit.
You can pass a session tag with the same key as a tag that is attached to the role. When\n you do, session tags override the role's tags with the same key.
\nAn administrator must grant you the permissions necessary to pass session tags. The\n administrator can also create granular permissions to allow you to pass only specific\n session tags. For more information, see Tutorial: Using Tags\n for Attribute-Based Access Control in the\n IAM User Guide.
\nYou can set the session tags as transitive. Transitive tags persist during role\n chaining. For more information, see Chaining Roles\n with Session Tags in the IAM User Guide.
\n\n SAML Configuration\n
\nBefore your application can call AssumeRoleWithSAML
, you must configure\n your SAML identity provider (IdP) to issue the claims required by Amazon Web Services. Additionally, you\n must use Identity and Access Management (IAM) to create a SAML provider entity in your Amazon Web Services account that\n represents your identity provider. You must also create an IAM role that specifies this\n SAML provider in its trust policy.
For more information, see the following resources:
\n\n About\n SAML 2.0-based Federation in the IAM User Guide.\n
\n\n Creating SAML Identity Providers in the\n IAM User Guide.
\n\n Configuring\n a Relying Party and Claims in the IAM User Guide.\n
\n\n Creating a Role for SAML 2.0 Federation in the\n IAM User Guide.
\nReturns a set of temporary security credentials for users who have been authenticated in\n a mobile or web application with a web identity provider. Example providers include the\n OAuth 2.0 providers Login with Amazon and Facebook, or any OpenID Connect-compatible\n identity provider such as Google or Amazon Cognito federated identities.
\nFor mobile applications, we recommend that you use Amazon Cognito. You can use Amazon Cognito with the\n Amazon Web Services SDK for iOS Developer Guide and the Amazon Web Services SDK for Android Developer Guide to uniquely\n identify a user. You can also supply the user with a consistent identity throughout the\n lifetime of an application.
\nTo learn more about Amazon Cognito, see Amazon Cognito identity pools in\n Amazon Cognito Developer Guide.
\nCalling AssumeRoleWithWebIdentity
does not require the use of Amazon Web Services\n security credentials. Therefore, you can distribute an application (for example, on mobile\n devices) that requests temporary security credentials without including long-term Amazon Web Services\n credentials in the application. You also don't need to deploy server-based proxy services\n that use long-term Amazon Web Services credentials. Instead, the identity of the caller is validated by\n using a token from the web identity provider. For a comparison of\n AssumeRoleWithWebIdentity
with the other API operations that produce\n temporary credentials, see Requesting Temporary Security\n Credentials and Comparing the\n Amazon Web Services STS API operations in the IAM User Guide.
The temporary security credentials returned by this API consist of an access key ID, a\n secret access key, and a security token. Applications can use these temporary security\n credentials to sign calls to Amazon Web Services service API operations.
\n\n Session Duration\n
\nBy default, the temporary security credentials created by\n AssumeRoleWithWebIdentity
last for one hour. However, you can use the\n optional DurationSeconds
parameter to specify the duration of your session.\n You can provide a value from 900 seconds (15 minutes) up to the maximum session duration\n setting for the role. This setting can have a value from 1 hour to 12 hours. To learn how\n to view the maximum value for your role, see View the\n Maximum Session Duration Setting for a Role in the\n IAM User Guide. The maximum session duration limit applies when\n you use the AssumeRole*
API operations or the assume-role*
CLI\n commands. However the limit does not apply when you use those operations to create a\n console URL. For more information, see Using IAM Roles in the\n IAM User Guide.
\n Permissions\n
\nThe temporary security credentials created by AssumeRoleWithWebIdentity
can\n be used to make API calls to any Amazon Web Services service with the following exception: you cannot\n call the STS GetFederationToken
or GetSessionToken
API\n operations.
(Optional) You can pass inline or managed session policies to\n this operation. You can pass a single JSON policy document to use as an inline session\n policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as\n managed session policies. The plaintext that you use for both inline and managed session\n policies can't exceed 2,048 characters. Passing policies to this operation returns new \n temporary credentials. The resulting session's permissions are the intersection of the \n role's identity-based policy and the session policies. You can use the role's temporary \n credentials in subsequent Amazon Web Services API calls to access resources in the account that owns \n the role. You cannot use session policies to grant more permissions than those allowed \n by the identity-based policy of the role that is being assumed. For more information, see\n Session\n Policies in the IAM User Guide.
\n\n Tags\n
\n(Optional) You can configure your IdP to pass attributes into your web identity token as\n session tags. Each session tag consists of a key name and an associated value. For more\n information about session tags, see Passing Session Tags in STS in the\n IAM User Guide.
\nYou can pass up to 50 session tags. The plaintext session tag keys can’t exceed 128\n characters and the values can’t exceed 256 characters. For these and additional limits, see\n IAM\n and STS Character Limits in the IAM User Guide.
\nAn Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs,\n and session tags into a packed binary format that has a separate limit. Your request can\n fail for this limit even if your plaintext meets the other requirements. The\n PackedPolicySize
response element indicates by percentage how close the\n policies and tags for your request are to the upper size limit.
You can pass a session tag with the same key as a tag that is attached to the role. When\n you do, the session tag overrides the role tag with the same key.
\nAn administrator must grant you the permissions necessary to pass session tags. The\n administrator can also create granular permissions to allow you to pass only specific\n session tags. For more information, see Tutorial: Using Tags\n for Attribute-Based Access Control in the\n IAM User Guide.
\nYou can set the session tags as transitive. Transitive tags persist during role\n chaining. For more information, see Chaining Roles\n with Session Tags in the IAM User Guide.
\n\n Identities\n
\nBefore your application can call AssumeRoleWithWebIdentity
, you must have\n an identity token from a supported identity provider and create a role that the application\n can assume. The role that your application assumes must trust the identity provider that is\n associated with the identity token. In other words, the identity provider must be specified\n in the role's trust policy.
Calling AssumeRoleWithWebIdentity
can result in an entry in your\n CloudTrail logs. The entry includes the Subject of\n the provided web identity token. We recommend that you avoid using any personally\n identifiable information (PII) in this field. For example, you could instead use a GUID\n or a pairwise identifier, as suggested\n in the OIDC specification.
For more information about how to use web identity federation and the\n AssumeRoleWithWebIdentity
API, see the following resources:
\n Using Web Identity Federation API Operations for Mobile Apps and Federation Through a Web-based Identity Provider.
\n\n Web Identity Federation Playground. Walk through the process of\n authenticating through Login with Amazon, Facebook, or Google, getting temporary\n security credentials, and then using those credentials to make a request to Amazon Web Services.\n
\n\n Amazon Web Services SDK for iOS Developer Guide and Amazon Web Services SDK for Android Developer Guide. These toolkits\n contain sample apps that show how to invoke the identity providers. The toolkits then\n show how to use the information from these providers to get and use temporary\n security credentials.
\n\n Web Identity\n Federation with Mobile Applications. This article discusses web identity\n federation and shows an example of how to use web identity federation to get access\n to content in Amazon S3.
\nReturns a set of temporary security credentials for users who have been authenticated in\n a mobile or web application with a web identity provider. Example providers include the\n OAuth 2.0 providers Login with Amazon and Facebook, or any OpenID Connect-compatible\n identity provider such as Google or Amazon Cognito federated identities.
\nFor mobile applications, we recommend that you use Amazon Cognito. You can use Amazon Cognito with the\n Amazon Web Services SDK for iOS Developer Guide and the Amazon Web Services SDK for Android Developer Guide to uniquely\n identify a user. You can also supply the user with a consistent identity throughout the\n lifetime of an application.
\nTo learn more about Amazon Cognito, see Amazon Cognito identity\n pools in Amazon Cognito Developer Guide.
\nCalling AssumeRoleWithWebIdentity
does not require the use of Amazon Web Services\n security credentials. Therefore, you can distribute an application (for example, on mobile\n devices) that requests temporary security credentials without including long-term Amazon Web Services\n credentials in the application. You also don't need to deploy server-based proxy services\n that use long-term Amazon Web Services credentials. Instead, the identity of the caller is validated by\n using a token from the web identity provider. For a comparison of\n AssumeRoleWithWebIdentity
with the other API operations that produce\n temporary credentials, see Requesting Temporary Security\n Credentials and Comparing the\n Amazon Web Services STS API operations in the IAM User Guide.
The temporary security credentials returned by this API consist of an access key ID, a\n secret access key, and a security token. Applications can use these temporary security\n credentials to sign calls to Amazon Web Services service API operations.
\n\n Session Duration\n
\nBy default, the temporary security credentials created by\n AssumeRoleWithWebIdentity
last for one hour. However, you can use the\n optional DurationSeconds
parameter to specify the duration of your session.\n You can provide a value from 900 seconds (15 minutes) up to the maximum session duration\n setting for the role. This setting can have a value from 1 hour to 12 hours. To learn how\n to view the maximum value for your role, see View the\n Maximum Session Duration Setting for a Role in the\n IAM User Guide. The maximum session duration limit applies when\n you use the AssumeRole*
API operations or the assume-role*
CLI\n commands. However the limit does not apply when you use those operations to create a\n console URL. For more information, see Using IAM Roles in the\n IAM User Guide.
\n Permissions\n
\nThe temporary security credentials created by AssumeRoleWithWebIdentity
can\n be used to make API calls to any Amazon Web Services service with the following exception: you cannot\n call the STS GetFederationToken
or GetSessionToken
API\n operations.
(Optional) You can pass inline or managed session policies to\n this operation. You can pass a single JSON policy document to use as an inline session\n policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as\n managed session policies. The plaintext that you use for both inline and managed session\n policies can't exceed 2,048 characters. Passing policies to this operation returns new \n temporary credentials. The resulting session's permissions are the intersection of the \n role's identity-based policy and the session policies. You can use the role's temporary \n credentials in subsequent Amazon Web Services API calls to access resources in the account that owns \n the role. You cannot use session policies to grant more permissions than those allowed \n by the identity-based policy of the role that is being assumed. For more information, see\n Session\n Policies in the IAM User Guide.
\n\n Tags\n
\n(Optional) You can configure your IdP to pass attributes into your web identity token as\n session tags. Each session tag consists of a key name and an associated value. For more\n information about session tags, see Passing Session Tags in STS in the\n IAM User Guide.
\nYou can pass up to 50 session tags. The plaintext session tag keys can’t exceed 128\n characters and the values can’t exceed 256 characters. For these and additional limits, see\n IAM\n and STS Character Limits in the IAM User Guide.
\nAn Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs,\n and session tags into a packed binary format that has a separate limit. Your request can\n fail for this limit even if your plaintext meets the other requirements. The\n PackedPolicySize
response element indicates by percentage how close the\n policies and tags for your request are to the upper size limit.
You can pass a session tag with the same key as a tag that is attached to the role. When\n you do, the session tag overrides the role tag with the same key.
\nAn administrator must grant you the permissions necessary to pass session tags. The\n administrator can also create granular permissions to allow you to pass only specific\n session tags. For more information, see Tutorial: Using Tags\n for Attribute-Based Access Control in the\n IAM User Guide.
\nYou can set the session tags as transitive. Transitive tags persist during role\n chaining. For more information, see Chaining Roles\n with Session Tags in the IAM User Guide.
\n\n Identities\n
\nBefore your application can call AssumeRoleWithWebIdentity
, you must have\n an identity token from a supported identity provider and create a role that the application\n can assume. The role that your application assumes must trust the identity provider that is\n associated with the identity token. In other words, the identity provider must be specified\n in the role's trust policy.
Calling AssumeRoleWithWebIdentity
can result in an entry in your\n CloudTrail logs. The entry includes the Subject of\n the provided web identity token. We recommend that you avoid using any personally\n identifiable information (PII) in this field. For example, you could instead use a GUID\n or a pairwise identifier, as suggested\n in the OIDC specification.
For more information about how to use web identity federation and the\n AssumeRoleWithWebIdentity
API, see the following resources:
\n Using Web Identity Federation API Operations for Mobile Apps and Federation Through a Web-based Identity Provider.
\n\n Web Identity Federation Playground. Walk through the process of\n authenticating through Login with Amazon, Facebook, or Google, getting temporary\n security credentials, and then using those credentials to make a request to Amazon Web Services.\n
\n\n Amazon Web Services SDK for iOS Developer Guide and Amazon Web Services SDK for Android Developer Guide. These toolkits\n contain sample apps that show how to invoke the identity providers. The toolkits then\n show how to use the information from these providers to get and use temporary\n security credentials.
\n\n Web Identity\n Federation with Mobile Applications. This article discusses web identity\n federation and shows an example of how to use web identity federation to get access\n to content in Amazon S3.
\nThe OAuth 2.0 access token or OpenID Connect ID token that is provided by the identity\n provider. Your application must get this token by authenticating the user who is using your\n application with a web identity provider before the application makes an\n AssumeRoleWithWebIdentity
call.
The OAuth 2.0 access token or OpenID Connect ID token that is provided by the identity\n provider. Your application must get this token by authenticating the user who is using your\n application with a web identity provider before the application makes an\n AssumeRoleWithWebIdentity
call. Only tokens with RSA algorithms (RS256) are\n supported.
Decodes additional information about the authorization status of a request from an\n encoded message returned in response to an Amazon Web Services request.
\nFor example, if a user is not authorized to perform an operation that he or she has\n requested, the request returns a Client.UnauthorizedOperation
response (an\n HTTP 403 response). Some Amazon Web Services operations additionally return an encoded message that can\n provide details about this authorization failure.
Only certain Amazon Web Services operations return an encoded authorization message. The\n documentation for an individual operation indicates whether that operation returns an\n encoded message in addition to returning an HTTP code.
\nThe message is encoded because the details of the authorization status can contain\n privileged information that the user who requested the operation should not see. To decode\n an authorization status message, a user must be granted permissions through an IAM policy to\n request the DecodeAuthorizationMessage
\n (sts:DecodeAuthorizationMessage
) action.
The decoded message includes the following type of information:
\nWhether the request was denied due to an explicit deny or due to the absence of an\n explicit allow. For more information, see Determining Whether a Request is Allowed or Denied in the\n IAM User Guide.
\nThe principal who made the request.
\nThe requested action.
\nThe requested resource.
\nThe values of condition keys in the context of the user's request.
\nDecodes additional information about the authorization status of a request from an\n encoded message returned in response to an Amazon Web Services request.
\nFor example, if a user is not authorized to perform an operation that he or she has\n requested, the request returns a Client.UnauthorizedOperation
response (an\n HTTP 403 response). Some Amazon Web Services operations additionally return an encoded message that can\n provide details about this authorization failure.
Only certain Amazon Web Services operations return an encoded authorization message. The\n documentation for an individual operation indicates whether that operation returns an\n encoded message in addition to returning an HTTP code.
\nThe message is encoded because the details of the authorization status can contain\n privileged information that the user who requested the operation should not see. To decode\n an authorization status message, a user must be granted permissions through an IAM policy to\n request the DecodeAuthorizationMessage
\n (sts:DecodeAuthorizationMessage
) action.
The decoded message includes the following type of information:
\nWhether the request was denied due to an explicit deny or due to the absence of an\n explicit allow. For more information, see Determining Whether a Request is Allowed or Denied in the\n IAM User Guide.
\nThe principal who made the request.
\nThe requested action.
\nThe requested resource.
\nThe values of condition keys in the context of the user's request.
\nReturns the account identifier for the specified access key ID.
\nAccess keys consist of two parts: an access key ID (for example,\n AKIAIOSFODNN7EXAMPLE
) and a secret access key (for example,\n wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
). For more information about\n access keys, see Managing Access Keys for IAM\n Users in the IAM User Guide.
When you pass an access key ID to this operation, it returns the ID of the Amazon Web Services account\n to which the keys belong. Access key IDs beginning with AKIA
are long-term\n credentials for an IAM user or the Amazon Web Services account root user. Access key IDs beginning with\n ASIA
are temporary credentials that are created using STS operations. If\n the account in the response belongs to you, you can sign in as the root user and review\n your root user access keys. Then, you can pull a credentials report to\n learn which IAM user owns the keys. To learn who requested the temporary credentials for\n an ASIA
access key, view the STS events in your CloudTrail logs in the\n IAM User Guide.
This operation does not indicate the state of the access key. The key might be active,\n inactive, or deleted. Active keys might not have permissions to perform an operation.\n Providing a deleted access key might return an error that the key doesn't exist.
" + "smithy.api#documentation": "Returns the account identifier for the specified access key ID.
\nAccess keys consist of two parts: an access key ID (for example,\n AKIAIOSFODNN7EXAMPLE
) and a secret access key (for example,\n wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
). For more information about\n access keys, see Managing Access Keys for IAM\n Users in the IAM User Guide.
When you pass an access key ID to this operation, it returns the ID of the Amazon Web Services account\n to which the keys belong. Access key IDs beginning with AKIA
are long-term\n credentials for an IAM user or the Amazon Web Services account root user. Access key IDs\n beginning with ASIA
are temporary credentials that are created using STS\n operations. If the account in the response belongs to you, you can sign in as the root user and review your root user access keys. Then, you can pull a credentials\n report to learn which IAM user owns the keys. To learn who\n requested the temporary credentials for an ASIA
access key, view the STS\n events in your CloudTrail logs in the IAM User Guide.
This operation does not indicate the state of the access key. The key might be active,\n inactive, or deleted. Active keys might not have permissions to perform an operation.\n Providing a deleted access key might return an error that the key doesn't exist.
" } }, "com.amazonaws.sts#GetAccessKeyInfoRequest": { @@ -2895,7 +2980,18 @@ "target": "com.amazonaws.sts#GetCallerIdentityResponse" }, "traits": { - "smithy.api#documentation": "Returns details about the IAM user or role whose credentials are used to call the operation.
\nNo permissions are required to perform this operation. If an administrator\n attaches a policy to your identity that explicitly denies access to the\n sts:GetCallerIdentity
action, you can still perform this operation.\n Permissions are not required because the same information is returned when access is denied. To view an example response, see I Am Not Authorized to Perform: iam:DeleteVirtualMFADevice in the\n IAM User Guide.
Returns details about the IAM user or role whose credentials are used to\n call the operation.
\nNo permissions are required to perform this operation. If an administrator attaches a\n policy to your identity that explicitly denies access to the\n sts:GetCallerIdentity
action, you can still perform this operation.\n Permissions are not required because the same information is returned when access is\n denied. To view an example response, see I Am Not Authorized to Perform: iam:DeleteVirtualMFADevice in the\n IAM User Guide.
Returns a set of temporary security credentials (consisting of an access key ID, a\n secret access key, and a security token) for a user. A typical use is in a proxy\n application that gets temporary security credentials on behalf of distributed applications\n inside a corporate network.
\nYou must call the GetFederationToken
operation\n using the long-term security credentials of an IAM user. As a result, this call is\n appropriate in contexts where those credentials can be safeguarded, usually in a\n server-based application. For a comparison of GetFederationToken
with the\n other API operations that produce temporary credentials, see Requesting Temporary Security\n Credentials and Comparing the\n Amazon Web Services STS API operations in the IAM User Guide.
Although it is possible to call GetFederationToken
using the security credentials of an\n Amazon Web Services account root user rather than an IAM user that you create for the purpose of a proxy application, we do not recommend it. For more information, see Safeguard your root user credentials and don't use them for everyday tasks in the\n IAM User Guide.
You can create a mobile-based or browser-based app that can authenticate users using\n a web identity provider like Login with Amazon, Facebook, Google, or an OpenID\n Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or\n AssumeRoleWithWebIdentity
. For more information, see Federation Through a Web-based Identity Provider in the\n IAM User Guide.
\n Session duration\n
\nThe temporary credentials are valid for the specified duration, from 900 seconds (15\n minutes) up to a maximum of 129,600 seconds (36 hours). The default session duration is\n 43,200 seconds (12 hours). Temporary credentials obtained by using the root user credentials have a maximum duration of 3,600 seconds (1 hour).
\n\n Permissions\n
\nYou can use the temporary credentials created by GetFederationToken
in any\n Amazon Web Services service with the following exceptions:
You cannot call any IAM operations using the CLI or the Amazon Web Services API. This limitation does not apply to console sessions.
\nYou cannot call any STS operations except GetCallerIdentity
.
You can use temporary credentials for single sign-on (SSO) to the console.
\nYou must pass an inline or managed session policy to\n this operation. You can pass a single JSON policy document to use as an inline session\n policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as\n managed session policies. The plaintext that you use for both inline and managed session\n policies can't exceed 2,048 characters.
\nThough the session policy parameters are optional, if you do not pass a policy, then the\n resulting federated user session has no permissions. When you pass session policies, the\n session permissions are the intersection of the IAM user policies and the session\n policies that you pass. This gives you a way to further restrict the permissions for a\n federated user. You cannot use session policies to grant more permissions than those that\n are defined in the permissions policy of the IAM user. For more information, see Session\n Policies in the IAM User Guide. For information about\n using GetFederationToken
to create temporary security credentials, see GetFederationToken—Federation Through a Custom Identity Broker.
You can use the credentials to access a resource that has a resource-based policy. If\n that policy specifically references the federated user session in the\n Principal
element of the policy, the session has the permissions allowed by\n the policy. These permissions are granted in addition to the permissions granted by the\n session policies.
\n Tags\n
\n(Optional) You can pass tag key-value pairs to your session. These are called session\n tags. For more information about session tags, see Passing Session Tags in STS in the\n IAM User Guide.
\nYou can create a mobile-based or browser-based app that can authenticate users using\n a web identity provider like Login with Amazon, Facebook, Google, or an OpenID\n Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or\n AssumeRoleWithWebIdentity
. For more information, see Federation Through a Web-based Identity Provider in the\n IAM User Guide.
An administrator must grant you the permissions necessary to pass session tags. The\n administrator can also create granular permissions to allow you to pass only specific\n session tags. For more information, see Tutorial: Using Tags\n for Attribute-Based Access Control in the\n IAM User Guide.
\nTag key–value pairs are not case sensitive, but case is preserved. This means that you\n cannot have separate Department
and department
tag keys. Assume\n that the user that you are federating has the\n Department
=Marketing
tag and you pass the\n department
=engineering
session tag. Department
\n and department
are not saved as separate tags, and the session tag passed in\n the request takes precedence over the user tag.
Returns a set of temporary security credentials (consisting of an access key ID, a\n secret access key, and a security token) for a user. A typical use is in a proxy\n application that gets temporary security credentials on behalf of distributed applications\n inside a corporate network.
\nYou must call the GetFederationToken
operation using the long-term security\n credentials of an IAM user. As a result, this call is appropriate in\n contexts where those credentials can be safeguarded, usually in a server-based application.\n For a comparison of GetFederationToken
with the other API operations that\n produce temporary credentials, see Requesting Temporary Security\n Credentials and Comparing the\n Amazon Web Services STS API operations in the IAM User Guide.
Although it is possible to call GetFederationToken
using the security\n credentials of an Amazon Web Services account root user rather than an IAM user that you\n create for the purpose of a proxy application, we do not recommend it. For more\n information, see Safeguard your root user credentials and don't use them for everyday tasks in the\n IAM User Guide.
You can create a mobile-based or browser-based app that can authenticate users using\n a web identity provider like Login with Amazon, Facebook, Google, or an OpenID\n Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or\n AssumeRoleWithWebIdentity
. For more information, see Federation Through a Web-based Identity Provider in the\n IAM User Guide.
\n Session duration\n
\nThe temporary credentials are valid for the specified duration, from 900 seconds (15\n minutes) up to a maximum of 129,600 seconds (36 hours). The default session duration is\n 43,200 seconds (12 hours). Temporary credentials obtained by using the root user\n credentials have a maximum duration of 3,600 seconds (1 hour).
\n\n Permissions\n
\nYou can use the temporary credentials created by GetFederationToken
in any\n Amazon Web Services service with the following exceptions:
You cannot call any IAM operations using the CLI or the Amazon Web Services API. This\n limitation does not apply to console sessions.
\nYou cannot call any STS operations except GetCallerIdentity
.
You can use temporary credentials for single sign-on (SSO) to the console.
\nYou must pass an inline or managed session policy to\n this operation. You can pass a single JSON policy document to use as an inline session\n policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as\n managed session policies. The plaintext that you use for both inline and managed session\n policies can't exceed 2,048 characters.
\nThough the session policy parameters are optional, if you do not pass a policy, then the\n resulting federated user session has no permissions. When you pass session policies, the\n session permissions are the intersection of the IAM user policies and the\n session policies that you pass. This gives you a way to further restrict the permissions\n for a federated user. You cannot use session policies to grant more permissions than those\n that are defined in the permissions policy of the IAM user. For more\n information, see Session Policies in\n the IAM User Guide. For information about using\n GetFederationToken
to create temporary security credentials, see GetFederationToken—Federation Through a Custom Identity Broker.
You can use the credentials to access a resource that has a resource-based policy. If\n that policy specifically references the federated user session in the\n Principal
element of the policy, the session has the permissions allowed by\n the policy. These permissions are granted in addition to the permissions granted by the\n session policies.
\n Tags\n
\n(Optional) You can pass tag key-value pairs to your session. These are called session\n tags. For more information about session tags, see Passing Session Tags in STS in the\n IAM User Guide.
\nYou can create a mobile-based or browser-based app that can authenticate users using\n a web identity provider like Login with Amazon, Facebook, Google, or an OpenID\n Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or\n AssumeRoleWithWebIdentity
. For more information, see Federation Through a Web-based Identity Provider in the\n IAM User Guide.
An administrator must grant you the permissions necessary to pass session tags. The\n administrator can also create granular permissions to allow you to pass only specific\n session tags. For more information, see Tutorial: Using Tags\n for Attribute-Based Access Control in the\n IAM User Guide.
\nTag key–value pairs are not case sensitive, but case is preserved. This means that you\n cannot have separate Department
and department
tag keys. Assume\n that the user that you are federating has the\n Department
=Marketing
tag and you pass the\n department
=engineering
session tag. Department
\n and department
are not saved as separate tags, and the session tag passed in\n the request takes precedence over the user tag.
An IAM policy in JSON format that you want to use as an inline session policy.
\nYou must pass an inline or managed session policy to\n this operation. You can pass a single JSON policy document to use as an inline session\n policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as\n managed session policies.
\nThis parameter is optional. However, if you do not pass any session policies, then the\n resulting federated user session has no permissions.
\nWhen you pass session policies, the session permissions are the intersection of the\n IAM user policies and the session policies that you pass. This gives you a way to further\n restrict the permissions for a federated user. You cannot use session policies to grant\n more permissions than those that are defined in the permissions policy of the IAM user.\n For more information, see Session Policies in\n the IAM User Guide.
\nThe resulting credentials can be used to access a resource that has a resource-based\n policy. If that policy specifically references the federated user session in the\n Principal
element of the policy, the session has the permissions allowed by\n the policy. These permissions are granted in addition to the permissions that are granted\n by the session policies.
The plaintext that you use for both inline and managed session policies can't exceed\n 2,048 characters. The JSON policy characters can be any ASCII character from the space\n character to the end of the valid character list (\\u0020 through \\u00FF). It can also\n include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)\n characters.
\nAn Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs,\n and session tags into a packed binary format that has a separate limit. Your request can\n fail for this limit even if your plaintext meets the other requirements. The\n PackedPolicySize
response element indicates by percentage how close the\n policies and tags for your request are to the upper size limit.
An IAM policy in JSON format that you want to use as an inline session policy.
\nYou must pass an inline or managed session policy to\n this operation. You can pass a single JSON policy document to use as an inline session\n policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as\n managed session policies.
\nThis parameter is optional. However, if you do not pass any session policies, then the\n resulting federated user session has no permissions.
\nWhen you pass session policies, the session permissions are the intersection of the\n IAM user policies and the session policies that you pass. This gives you\n a way to further restrict the permissions for a federated user. You cannot use session\n policies to grant more permissions than those that are defined in the permissions policy of\n the IAM user. For more information, see Session Policies in\n the IAM User Guide.
\nThe resulting credentials can be used to access a resource that has a resource-based\n policy. If that policy specifically references the federated user session in the\n Principal
element of the policy, the session has the permissions allowed by\n the policy. These permissions are granted in addition to the permissions that are granted\n by the session policies.
The plaintext that you use for both inline and managed session policies can't exceed\n 2,048 characters. The JSON policy characters can be any ASCII character from the space\n character to the end of the valid character list (\\u0020 through \\u00FF). It can also\n include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)\n characters.
\nAn Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs,\n and session tags into a packed binary format that has a separate limit. Your request can\n fail for this limit even if your plaintext meets the other requirements. The\n PackedPolicySize
response element indicates by percentage how close the\n policies and tags for your request are to the upper size limit.
The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as a\n managed session policy. The policies must exist in the same account as the IAM user that\n is requesting federated access.
\nYou must pass an inline or managed session policy to\n this operation. You can pass a single JSON policy document to use as an inline session\n policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as\n managed session policies. The plaintext that you use for both inline and managed session\n policies can't exceed 2,048 characters. You can provide up to 10 managed policy ARNs. For\n more information about ARNs, see Amazon Resource Names (ARNs) and Amazon Web Services\n Service Namespaces in the Amazon Web Services General Reference.
\nThis parameter is optional. However, if you do not pass any session policies, then the\n resulting federated user session has no permissions.
\nWhen you pass session policies, the session permissions are the intersection of the\n IAM user policies and the session policies that you pass. This gives you a way to further\n restrict the permissions for a federated user. You cannot use session policies to grant\n more permissions than those that are defined in the permissions policy of the IAM user.\n For more information, see Session Policies in\n the IAM User Guide.
\nThe resulting credentials can be used to access a resource that has a resource-based\n policy. If that policy specifically references the federated user session in the\n Principal
element of the policy, the session has the permissions allowed by\n the policy. These permissions are granted in addition to the permissions that are granted\n by the session policies.
An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs,\n and session tags into a packed binary format that has a separate limit. Your request can\n fail for this limit even if your plaintext meets the other requirements. The\n PackedPolicySize
response element indicates by percentage how close the\n policies and tags for your request are to the upper size limit.
The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as a\n managed session policy. The policies must exist in the same account as the IAM user that is requesting federated access.
\nYou must pass an inline or managed session policy to\n this operation. You can pass a single JSON policy document to use as an inline session\n policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as\n managed session policies. The plaintext that you use for both inline and managed session\n policies can't exceed 2,048 characters. You can provide up to 10 managed policy ARNs. For\n more information about ARNs, see Amazon Resource Names (ARNs) and Amazon Web Services\n Service Namespaces in the Amazon Web Services General Reference.
\nThis parameter is optional. However, if you do not pass any session policies, then the\n resulting federated user session has no permissions.
\nWhen you pass session policies, the session permissions are the intersection of the\n IAM user policies and the session policies that you pass. This gives you\n a way to further restrict the permissions for a federated user. You cannot use session\n policies to grant more permissions than those that are defined in the permissions policy of\n the IAM user. For more information, see Session Policies in\n the IAM User Guide.
\nThe resulting credentials can be used to access a resource that has a resource-based\n policy. If that policy specifically references the federated user session in the\n Principal
element of the policy, the session has the permissions allowed by\n the policy. These permissions are granted in addition to the permissions that are granted\n by the session policies.
An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs,\n and session tags into a packed binary format that has a separate limit. Your request can\n fail for this limit even if your plaintext meets the other requirements. The\n PackedPolicySize
response element indicates by percentage how close the\n policies and tags for your request are to the upper size limit.
The duration, in seconds, that the session should last. Acceptable durations for\n federation sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), with\n 43,200 seconds (12 hours) as the default. Sessions obtained using root user\n credentials are restricted to a maximum of 3,600 seconds (one hour). If the specified\n duration is longer than one hour, the session obtained by using root user credentials\n defaults to one hour.
" + "smithy.api#documentation": "The duration, in seconds, that the session should last. Acceptable durations for\n federation sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), with\n 43,200 seconds (12 hours) as the default. Sessions obtained using root user\n credentials are restricted to a maximum of 3,600 seconds (one hour). If the specified\n duration is longer than one hour, the session obtained by using root user\n credentials defaults to one hour.
" } }, "Tags": { @@ -3035,7 +3165,26 @@ } ], "traits": { - "smithy.api#documentation": "Returns a set of temporary credentials for an Amazon Web Services account or IAM user. The\n credentials consist of an access key ID, a secret access key, and a security token.\n Typically, you use GetSessionToken
if you want to use MFA to protect\n programmatic calls to specific Amazon Web Services API operations like Amazon EC2 StopInstances
.
MFA-enabled IAM users must call GetSessionToken
and submit an MFA\n code that is associated with their MFA device. Using the temporary security credentials\n that the call returns, IAM users can then make programmatic calls to API\n operations that require MFA authentication. An incorrect MFA code causes the API to return an access denied error. For a comparison of GetSessionToken
\n with the other API operations that produce temporary credentials, see Requesting\n Temporary Security Credentials and Comparing the\n Amazon Web Services STS API operations in the IAM User Guide.
No permissions are required for users to perform this operation. The purpose of the\n sts:GetSessionToken
operation is to authenticate the user using MFA. You\n cannot use policies to control authentication operations. For more information, see\n Permissions for GetSessionToken in the\n IAM User Guide.
\n Session Duration\n
\nThe GetSessionToken
operation must be called by using the long-term Amazon Web Services\n security credentials of an IAM user. Credentials that are\n created by IAM users are valid for the duration that you specify. This duration can range\n from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours), with a default\n of 43,200 seconds (12 hours). Credentials based on account credentials can range from 900\n seconds (15 minutes) up to 3,600 seconds (1 hour), with a default of 1 hour.
\n Permissions\n
\nThe temporary security credentials created by GetSessionToken
can be used\n to make API calls to any Amazon Web Services service with the following exceptions:
You cannot call any IAM API operations unless MFA authentication information is\n included in the request.
\nYou cannot call any STS API except\n AssumeRole
or GetCallerIdentity
.
The credentials that GetSessionToken
returns are based on\n permissions associated with the IAM user whose credentials were used to call the operation. The\n temporary credentials have the same permissions as the IAM user.
Although it is possible to call GetSessionToken
using the security credentials of an\n Amazon Web Services account root user rather than an IAM user, we do not recommend it. If\n GetSessionToken
is called using root user credentials, the\n temporary credentials have root user permissions. For more information, see Safeguard your root user credentials and don't use them for everyday tasks in the\n IAM User Guide\n
For more information about using GetSessionToken
to create temporary\n credentials, see Temporary\n Credentials for Users in Untrusted Environments in the\n IAM User Guide.
Returns a set of temporary credentials for an Amazon Web Services account or IAM user.\n The credentials consist of an access key ID, a secret access key, and a security token.\n Typically, you use GetSessionToken
if you want to use MFA to protect\n programmatic calls to specific Amazon Web Services API operations like Amazon EC2\n StopInstances
.
MFA-enabled IAM users must call GetSessionToken
and submit\n an MFA code that is associated with their MFA device. Using the temporary security\n credentials that the call returns, IAM users can then make programmatic\n calls to API operations that require MFA authentication. An incorrect MFA code causes the\n API to return an access denied error. For a comparison of GetSessionToken
with\n the other API operations that produce temporary credentials, see Requesting\n Temporary Security Credentials and Comparing the\n Amazon Web Services STS API operations in the IAM User Guide.
No permissions are required for users to perform this operation. The purpose of the\n sts:GetSessionToken
operation is to authenticate the user using MFA. You\n cannot use policies to control authentication operations. For more information, see\n Permissions for GetSessionToken in the\n IAM User Guide.
\n Session Duration\n
\nThe GetSessionToken
operation must be called by using the long-term Amazon Web Services\n security credentials of an IAM user. Credentials that are created by IAM users are valid for the duration that you specify. This duration can range\n from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours), with a default\n of 43,200 seconds (12 hours). Credentials based on account credentials can range from 900\n seconds (15 minutes) up to 3,600 seconds (1 hour), with a default of 1 hour.
\n Permissions\n
\nThe temporary security credentials created by GetSessionToken
can be used\n to make API calls to any Amazon Web Services service with the following exceptions:
You cannot call any IAM API operations unless MFA authentication information is\n included in the request.
\nYou cannot call any STS API except\n AssumeRole
or GetCallerIdentity
.
The credentials that GetSessionToken
returns are based on permissions\n associated with the IAM user whose credentials were used to call the\n operation. The temporary credentials have the same permissions as the IAM user.
Although it is possible to call GetSessionToken
using the security\n credentials of an Amazon Web Services account root user rather than an IAM user, we do\n not recommend it. If GetSessionToken
is called using root user\n credentials, the temporary credentials have root user permissions. For more\n information, see Safeguard your root user credentials and don't use them for everyday tasks in the\n IAM User Guide\n
For more information about using GetSessionToken
to create temporary\n credentials, see Temporary\n Credentials for Users in Untrusted Environments in the\n IAM User Guide.
The duration, in seconds, that the credentials should remain valid. Acceptable durations\n for IAM user sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours),\n with 43,200 seconds (12 hours) as the default. Sessions for Amazon Web Services account owners are\n restricted to a maximum of 3,600 seconds (one hour). If the duration is longer than one\n hour, the session for Amazon Web Services account owners defaults to one hour.
" + "smithy.api#documentation": "The duration, in seconds, that the credentials should remain valid. Acceptable durations\n for IAM user sessions range from 900 seconds (15 minutes) to 129,600 seconds\n (36 hours), with 43,200 seconds (12 hours) as the default. Sessions for Amazon Web Services account\n owners are restricted to a maximum of 3,600 seconds (one hour). If the duration is longer\n than one hour, the session for Amazon Web Services account owners defaults to one hour.
" } }, "SerialNumber": { "target": "com.amazonaws.sts#serialNumberType", "traits": { - "smithy.api#documentation": "The identification number of the MFA device that is associated with the IAM user who\n is making the GetSessionToken
call. Specify this value if the IAM user has a\n policy that requires MFA authentication. The value is either the serial number for a\n hardware device (such as GAHT12345678
) or an Amazon Resource Name (ARN) for a\n virtual device (such as arn:aws:iam::123456789012:mfa/user
). You can find the\n device for an IAM user by going to the Amazon Web Services Management Console and viewing the user's security\n credentials.
The regex used to validate this parameter is a string of \n characters consisting of upper- and lower-case alphanumeric characters with no spaces. \n You can also include underscores or any of the following characters: =,.@:/-
" + "smithy.api#documentation": "The identification number of the MFA device that is associated with the IAM user who is making the GetSessionToken
call. Specify this value\n if the IAM user has a policy that requires MFA authentication. The value is\n either the serial number for a hardware device (such as GAHT12345678
) or an\n Amazon Resource Name (ARN) for a virtual device (such as\n arn:aws:iam::123456789012:mfa/user
). You can find the device for an IAM user by going to the Amazon Web Services Management Console and viewing the user's security credentials.
The regex used to validate this parameter is a string of \n characters consisting of upper- and lower-case alphanumeric characters with no spaces. \n You can also include underscores or any of the following characters: =,.@:/-
" } }, "TokenCode": { "target": "com.amazonaws.sts#tokenCodeType", "traits": { - "smithy.api#documentation": "The value provided by the MFA device, if MFA is required. If any policy requires the\n IAM user to submit an MFA code, specify this value. If MFA authentication is required,\n the user must provide a code when requesting a set of temporary security credentials. A\n user who fails to provide the code receives an \"access denied\" response when requesting\n resources that require MFA authentication.
\nThe format for this parameter, as described by its regex pattern, is a sequence of six\n numeric digits.
" + "smithy.api#documentation": "The value provided by the MFA device, if MFA is required. If any policy requires the\n IAM user to submit an MFA code, specify this value. If MFA authentication\n is required, the user must provide a code when requesting a set of temporary security\n credentials. A user who fails to provide the code receives an \"access denied\" response when\n requesting resources that require MFA authentication.
\nThe format for this parameter, as described by its regex pattern, is a sequence of six\n numeric digits.
" } } }, @@ -3201,6 +3350,38 @@ "smithy.api#documentation": "A reference to the IAM managed policy that is passed as a session policy for a role\n session or a federated user session.
" } }, + "com.amazonaws.sts#ProvidedContext": { + "type": "structure", + "members": { + "ProviderArn": { + "target": "com.amazonaws.sts#arnType", + "traits": { + "smithy.api#documentation": "Reserved for future use.
" + } + }, + "ContextAssertion": { + "target": "com.amazonaws.sts#contextAssertionType", + "traits": { + "smithy.api#documentation": "Reserved for future use.
" + } + } + }, + "traits": { + "smithy.api#documentation": "Reserved for future use.
" + } + }, + "com.amazonaws.sts#ProvidedContextsListType": { + "type": "list", + "member": { + "target": "com.amazonaws.sts#ProvidedContext" + }, + "traits": { + "smithy.api#length": { + "min": 0, + "max": 5 + } + } + }, "com.amazonaws.sts#RegionDisabledException": { "type": "structure", "members": { @@ -3305,6 +3486,15 @@ "smithy.api#sensitive": {} } }, + "com.amazonaws.sts#contextAssertionType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 4, + "max": 2048 + } + } + }, "com.amazonaws.sts#dateType": { "type": "timestamp" }, diff --git a/aws/sdk/aws-models/timestream-query.json b/aws/sdk/aws-models/timestream-query.json index 29edeadd2a3d51040f0a0b96856091b722dd6140..13e1aea96af5180afd772694df1ec87b48161d32 100644 --- a/aws/sdk/aws-models/timestream-query.json +++ b/aws/sdk/aws-models/timestream-query.json @@ -98,6 +98,9 @@ "smithy.api#required": {} } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.timestreamquery#CancelQueryResponse": { @@ -109,6 +112,9 @@ "smithy.api#documentation": " A CancellationMessage
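Review bot: `com.amazonaws.sts#contextAssertionType` is added with only a `smithy.api#length` trait (4 to 2048), while the shape that closes just above it in the same hunk carries `smithy.api#sensitive`. Values of the new `ContextAssertion` member (added in the `@@ -3201,6 +3350,38 @@` hunk) would therefore not be marked for redaction in generated clients. The page documents the member only as "Reserved for future use", so whether it will hold a credential-like assertion cannot be told from here. If it does, the shape should also carry `"smithy.api#sensitive": {}` so the value stays out of debug and log output. Because this is a vendored service model, that is probably better raised with the model owner or handled as a codegen customization than hand-edited.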
is returned when a CancelQuery
\n request for the query specified by QueryId
has already been issued.
The query string to run. Parameter\n names can be specified in the query string @
character followed by an\n identifier. The named Parameter @scheduled_runtime
is reserved and can be used in the query to get the time at which the query is scheduled to run.
The timestamp calculated according to the ScheduleConfiguration parameter, will be the value of @scheduled_runtime
paramater for each query run. \n For example, consider an instance of a scheduled query executing on 2021-12-01 00:00:00. For this instance, the @scheduled_runtime
parameter is \n initialized to the timestamp 2021-12-01 00:00:00 when invoking the query.
The query string to run. Parameter\n names can be specified in the query string @
character followed by an\n identifier. The named Parameter @scheduled_runtime
is reserved and can be used in the query to get the time at which the query is scheduled to run.
The timestamp calculated according to the ScheduleConfiguration parameter, will be the value of @scheduled_runtime
paramater for each query run. \n For example, consider an instance of a scheduled query executing on 2021-12-01 00:00:00. For this instance, the @scheduled_runtime
parameter is \n initialized to the timestamp 2021-12-01 00:00:00 when invoking the query.
Using a ClientToken makes the call to CreateScheduledQuery idempotent, in other words, making the same request repeatedly will produce the same result. Making \n multiple identical CreateScheduledQuery requests has the same effect as making a single request.\n\n
\n If CreateScheduledQuery is called without a ClientToken
, the\n Query SDK generates a ClientToken
on your behalf.
After 8 hours, any request with the same ClientToken
is treated\n as a new request.
Using a ClientToken makes the call to CreateScheduledQuery idempotent, in other words, making the same request repeatedly will produce the same result. Making \n multiple identical CreateScheduledQuery requests has the same effect as making a single request.\n\n
\n If CreateScheduledQuery is called without a ClientToken
, the\n Query SDK generates a ClientToken
on your behalf.
After 8 hours, any request with the same ClientToken
is treated\n as a new request.
The Amazon KMS key used to encrypt the scheduled query resource, at-rest. If the Amazon KMS\n key is not specified, the scheduled query resource will be encrypted with a Timestream\n owned Amazon KMS key. To specify a KMS key, use the key ID, key ARN, alias name, or alias\n ARN. When using an alias name, prefix the name with alias/\n
\nIf ErrorReportConfiguration uses SSE_KMS
as encryption type, the same KmsKeyId is used to encrypt the error report at rest.
The Amazon KMS key used to encrypt the scheduled query resource, at-rest. If the Amazon KMS\n key is not specified, the scheduled query resource will be encrypted with a Timestream\n owned Amazon KMS key. To specify a KMS key, use the key ID, key ARN, alias name, or alias\n ARN. When using an alias name, prefix the name with alias/\n
\nIf ErrorReportConfiguration uses SSE_KMS
as encryption type, the same KmsKeyId is used to encrypt the error report at rest.
DescribeEndpoints returns a list of available endpoints to make Timestream\n API calls against. This API is available through both Write and Query.
\nBecause the Timestream SDKs are designed to transparently work with the\n service’s architecture, including the management and mapping of the service endpoints,\n it is not recommended that you use this API unless:
\nYou are using VPC endpoints (Amazon Web Services PrivateLink) with Timestream\n \n
\nYour application uses a programming language that does not yet have SDK\n support
\nYou require better control over the client-side implementation
\nFor detailed information on how and when to use and implement DescribeEndpoints, see\n The Endpoint Discovery Pattern.
" + "smithy.api#documentation": "DescribeEndpoints returns a list of available endpoints to make Timestream\n API calls against. This API is available through both Write and Query.
\nBecause the Timestream SDKs are designed to transparently work with the\n service’s architecture, including the management and mapping of the service endpoints,\n it is not recommended that you use this API unless:
\nYou are using VPC endpoints (Amazon Web Services PrivateLink) with Timestream\n \n
\nYour application uses a programming language that does not yet have SDK\n support
\nYou require better control over the client-side implementation
\nFor detailed information on how and when to use and implement DescribeEndpoints, see\n The Endpoint Discovery Pattern.
" } }, "com.amazonaws.timestreamquery#DescribeEndpointsRequest": { "type": "structure", - "members": {} + "members": {}, + "traits": { + "smithy.api#input": {} + } }, "com.amazonaws.timestreamquery#DescribeEndpointsResponse": { "type": "structure", @@ -423,6 +441,9 @@ "smithy.api#required": {} } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.timestreamquery#DescribeScheduledQuery": { @@ -470,6 +491,9 @@ "smithy.api#required": {} } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.timestreamquery#DescribeScheduledQueryResponse": { @@ -482,6 +506,9 @@ "smithy.api#required": {} } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.timestreamquery#DimensionMapping": { @@ -513,14 +540,14 @@ } }, "com.amazonaws.timestreamquery#DimensionValueType": { - "type": "string", - "traits": { - "smithy.api#enum": [ - { - "value": "VARCHAR", - "name": "VARCHAR" + "type": "enum", + "members": { + "VARCHAR": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "VARCHAR" } - ] + } } }, "com.amazonaws.timestreamquery#Double": { @@ -650,6 +677,9 @@ "smithy.api#idempotencyToken": {} } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.timestreamquery#ExecutionStats": { @@ -754,6 +784,7 @@ "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", + "items": "ScheduledQueries", "pageSize": "MaxResults" } } @@ -773,6 +804,9 @@ "smithy.api#documentation": "A pagination token to resume pagination.
" } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.timestreamquery#ListScheduledQueriesResponse": { @@ -791,6 +825,9 @@ "smithy.api#documentation": "A token to specify where to start paginating. This is the NextToken from a previously\n truncated response.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.timestreamquery#ListTagsForResource": { @@ -823,6 +860,7 @@ "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", + "items": "Tags", "pageSize": "MaxResults" } } @@ -849,6 +887,9 @@ "smithy.api#documentation": "A pagination token to resume pagination.
" } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.timestreamquery#ListTagsForResourceResponse": { @@ -867,6 +908,9 @@ "smithy.api#documentation": "A pagination token to resume pagination with a subsequent call to\n ListTagsForResourceResponse
.
By setting this value to true
, Timestream will only validate that the\n query string is a valid Timestream query, and not store the prepared query for later\n use.
\n Query
is a synchronous operation that enables you to run a query against\n your Amazon Timestream data. Query
will time out after 60 seconds.\n You must update the default timeout in the SDK to support a timeout of 60 seconds. See\n the code\n sample for details.
Your query request will fail in the following cases:
\n If you submit a Query
request with the same client token outside\n of the 5-minute idempotency window.
If you submit a Query
request with the same client token, but\n change other parameters, within the 5-minute idempotency window.
If the size of the row (including the query metadata) exceeds 1 MB, then the\n query will fail with the following error message:
\n\n Query aborted as max page response size has been exceeded by the output\n result row
\n
If the IAM principal of the query initiator and the result reader are not the\n same and/or the query initiator and the result reader do not have the same query\n string in the query requests, the query will fail with an Invalid\n pagination token
error.
\n Query
is a synchronous operation that enables you to run a query against\n your Amazon Timestream data. Query
will time out after 60 seconds.\n You must update the default timeout in the SDK to support a timeout of 60 seconds. See\n the code\n sample for details.
Your query request will fail in the following cases:
\n If you submit a Query
request with the same client token outside\n of the 5-minute idempotency window.
If you submit a Query
request with the same client token, but\n change other parameters, within the 5-minute idempotency window.
If the size of the row (including the query metadata) exceeds 1 MB, then the\n query will fail with the following error message:
\n\n Query aborted as max page response size has been exceeded by the output\n result row
\n
If the IAM principal of the query initiator and the result reader are not the\n same and/or the query initiator and the result reader do not have the same query\n string in the query requests, the query will fail with an Invalid\n pagination token
error.
Unique, case-sensitive string of up to 64 ASCII characters specified when a\n Query
request is made. Providing a ClientToken
makes the\n call to Query
\n idempotent. This means that running the same query repeatedly will\n produce the same result. In other words, making multiple identical Query
\n requests has the same effect as making a single request. When using\n ClientToken
in a query, note the following:
If the Query API is instantiated without a ClientToken
, the\n Query SDK generates a ClientToken
on your behalf.
If the Query
invocation only contains the\n ClientToken
but does not include a NextToken
, that\n invocation of Query
is assumed to be a new query run.
If the invocation contains NextToken
, that particular invocation\n is assumed to be a subsequent invocation of a prior call to the Query API, and a\n result set is returned.
After 4 hours, any request with the same ClientToken
is treated\n as a new request.
Unique, case-sensitive string of up to 64 ASCII characters specified when a\n Query
request is made. Providing a ClientToken
makes the\n call to Query
\n idempotent. This means that running the same query repeatedly will\n produce the same result. In other words, making multiple identical Query
\n requests has the same effect as making a single request. When using\n ClientToken
in a query, note the following:
If the Query API is instantiated without a ClientToken
, the\n Query SDK generates a ClientToken
on your behalf.
If the Query
invocation only contains the\n ClientToken
but does not include a NextToken
, that\n invocation of Query
is assumed to be a new query run.
If the invocation contains NextToken
, that particular invocation\n is assumed to be a subsequent invocation of a prior call to the Query API, and a\n result set is returned.
After 4 hours, any request with the same ClientToken
is treated\n as a new request.
A pagination token used to return a set of results. When the Query
API\n is invoked using NextToken
, that particular invocation is assumed to be a\n subsequent invocation of a prior call to Query
, and a result set is\n returned. However, if the Query
invocation only contains the\n ClientToken
, that invocation of Query
is assumed to be a\n new query run.
Note the following when using NextToken in a query:
\nA pagination token can be used for up to five Query
invocations,\n OR for a duration of up to 1 hour – whichever comes first.
Using the same NextToken
will return the same set of records. To\n keep paginating through the result set, you must to use the most recent\n nextToken
.
Suppose a Query
invocation returns two NextToken
\n values, TokenA
and TokenB
. If TokenB
is\n used in a subsequent Query
invocation, then TokenA
is\n invalidated and cannot be reused.
To request a previous result set from a query after pagination has begun, you\n must re-invoke the Query API.
\nThe latest NextToken
should be used to paginate until\n null
is returned, at which point a new NextToken
\n should be used.
If the IAM principal of the query initiator and the result reader are not the\n same and/or the query initiator and the result reader do not have the same query\n string in the query requests, the query will fail with an Invalid\n pagination token
error.
A pagination token used to return a set of results. When the Query
API\n is invoked using NextToken
, that particular invocation is assumed to be a\n subsequent invocation of a prior call to Query
, and a result set is\n returned. However, if the Query
invocation only contains the\n ClientToken
, that invocation of Query
is assumed to be a\n new query run.
Note the following when using NextToken in a query:
\nA pagination token can be used for up to five Query
invocations,\n OR for a duration of up to 1 hour – whichever comes first.
Using the same NextToken
will return the same set of records. To\n keep paginating through the result set, you must to use the most recent\n nextToken
.
Suppose a Query
invocation returns two NextToken
\n values, TokenA
and TokenB
. If TokenB
is\n used in a subsequent Query
invocation, then TokenA
is\n invalidated and cannot be reused.
To request a previous result set from a query after pagination has begun, you\n must re-invoke the Query API.
\nThe latest NextToken
should be used to paginate until\n null
is returned, at which point a new NextToken
\n should be used.
If the IAM principal of the query initiator and the result reader are not the\n same and/or the query initiator and the result reader do not have the same query\n string in the query requests, the query will fail with an Invalid\n pagination token
error.
The total number of rows to be returned in the Query
output. The initial\n run of Query
with a MaxRows
value specified will return the\n result set of the query in two cases:
The size of the result is less than 1MB
.
The number of rows in the result set is less than the value of\n maxRows
.
Otherwise, the initial invocation of Query
only returns a\n NextToken
, which can then be used in subsequent calls to fetch the\n result set. To resume pagination, provide the NextToken
value in the\n subsequent command.
If the row size is large (e.g. a row has many columns), Timestream may return\n fewer rows to keep the response size from exceeding the 1 MB limit. If\n MaxRows
is not provided, Timestream will send the necessary\n number of rows to meet the 1 MB limit.
The total number of rows to be returned in the Query
output. The initial\n run of Query
with a MaxRows
value specified will return the\n result set of the query in two cases:
The size of the result is less than 1MB
.
The number of rows in the result set is less than the value of\n maxRows
.
Otherwise, the initial invocation of Query
only returns a\n NextToken
, which can then be used in subsequent calls to fetch the\n result set. To resume pagination, provide the NextToken
value in the\n subsequent command.
If the row size is large (e.g. a row has many columns), Timestream may return\n fewer rows to keep the response size from exceeding the 1 MB limit. If\n MaxRows
is not provided, Timestream will send the necessary\n number of rows to meet the 1 MB limit.
Information about the status of the query, including progress and bytes\n scanned.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.timestreamquery#QueryStatus": { @@ -1433,18 +1497,20 @@ } }, "com.amazonaws.timestreamquery#S3EncryptionOption": { - "type": "string", - "traits": { - "smithy.api#enum": [ - { - "value": "SSE_S3", - "name": "SSE_S3" - }, - { - "value": "SSE_KMS", - "name": "SSE_KMS" + "type": "enum", + "members": { + "SSE_S3": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "SSE_S3" } - ] + }, + "SSE_KMS": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "SSE_KMS" + } + } } }, "com.amazonaws.timestreamquery#S3ObjectKey": { 
@@ -1481,81 +1547,109 @@ } }, "com.amazonaws.timestreamquery#ScalarMeasureValueType": { - "type": "string", - "traits": { - "smithy.api#enum": [ - { - "value": "BIGINT", - "name": "BIGINT" - }, - { - "value": "BOOLEAN", - "name": "BOOLEAN" - }, - { - "value": "DOUBLE", - "name": "DOUBLE" - }, - { - "value": "VARCHAR", - "name": "VARCHAR" - }, - { - "value": "TIMESTAMP", - "name": "TIMESTAMP" + "type": "enum", + "members": { + "BIGINT": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "BIGINT" } - ] + }, + "BOOLEAN": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "BOOLEAN" + } + }, + "DOUBLE": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "DOUBLE" + } + }, + "VARCHAR": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "VARCHAR" + } + }, + "TIMESTAMP": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "TIMESTAMP" + } + } } }, "com.amazonaws.timestreamquery#ScalarType": { - "type": "string", - "traits": { - "smithy.api#enum": [ - { - "value": "VARCHAR", - "name": "VARCHAR" - }, - { - "value": "BOOLEAN", - "name": "BOOLEAN" - }, - { - "value": "BIGINT", - "name": "BIGINT" - }, - { - "value": "DOUBLE", - "name": "DOUBLE" - }, - { - "value": "TIMESTAMP", - "name": "TIMESTAMP" - }, - { - "value": "DATE", - "name": "DATE" - }, - { - "value": "TIME", - "name": "TIME" - }, - { - "value": "INTERVAL_DAY_TO_SECOND", - "name": "INTERVAL_DAY_TO_SECOND" - }, - { - "value": "INTERVAL_YEAR_TO_MONTH", - "name": "INTERVAL_YEAR_TO_MONTH" - }, - { - "value": "UNKNOWN", - "name": "UNKNOWN" - }, - { - "value": "INTEGER", - "name": "INTEGER" + "type": "enum", + "members": { + "VARCHAR": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "VARCHAR" } - ] + }, + "BOOLEAN": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "BOOLEAN" + } + }, + "BIGINT": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": 
"BIGINT" + } + }, + "DOUBLE": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "DOUBLE" + } + }, + "TIMESTAMP": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "TIMESTAMP" + } + }, + "DATE": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "DATE" + } + }, + "TIME": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "TIME" + } + }, + "INTERVAL_DAY_TO_SECOND": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "INTERVAL_DAY_TO_SECOND" + } + }, + "INTERVAL_YEAR_TO_MONTH": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "INTERVAL_YEAR_TO_MONTH" + } + }, + "UNKNOWN": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "UNKNOWN" + } + }, + "INTEGER": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "INTEGER" + } + } } }, "com.amazonaws.timestreamquery#ScalarValue": { 
@@ -1771,26 +1865,32 @@ } }, "com.amazonaws.timestreamquery#ScheduledQueryRunStatus": { - "type": "string", - "traits": { - "smithy.api#enum": [ - { - "value": "AUTO_TRIGGER_SUCCESS", - "name": "AUTO_TRIGGER_SUCCESS" - }, - { - "value": "AUTO_TRIGGER_FAILURE", - "name": "AUTO_TRIGGER_FAILURE" - }, - { - "value": "MANUAL_TRIGGER_SUCCESS", - "name": "MANUAL_TRIGGER_SUCCESS" - }, - { - "value": "MANUAL_TRIGGER_FAILURE", - "name": "MANUAL_TRIGGER_FAILURE" + "type": "enum", + "members": { + "AUTO_TRIGGER_SUCCESS": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AUTO_TRIGGER_SUCCESS" + } + }, + "AUTO_TRIGGER_FAILURE": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AUTO_TRIGGER_FAILURE" + } + }, + "MANUAL_TRIGGER_SUCCESS": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "MANUAL_TRIGGER_SUCCESS" } - ] + }, + "MANUAL_TRIGGER_FAILURE": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "MANUAL_TRIGGER_FAILURE" + } + } } }, "com.amazonaws.timestreamquery#ScheduledQueryRunSummary": { @@ -1844,18 +1944,20 @@ } }, "com.amazonaws.timestreamquery#ScheduledQueryState": { - "type": "string", - "traits": { - "smithy.api#enum": [ - { - "value": "ENABLED", - "name": "ENABLED" - }, - { - "value": "DISABLED", - "name": "DISABLED" + "type": "enum", + "members": { + "ENABLED": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "ENABLED" + } + }, + "DISABLED": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "DISABLED" } - ] + } } }, "com.amazonaws.timestreamquery#SchemaName": { @@ -2049,11 +2151,17 @@ "smithy.api#required": {} } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.timestreamquery#TagResourceResponse": { "type": "structure", - "members": {} + "members": {}, + "traits": { + "smithy.api#output": {} + } }, "com.amazonaws.timestreamquery#TagValue": { "type": "string", 
@@ -2274,7 +2382,7 @@ "name": "timestream" }, "aws.protocols#awsJson1_0": {}, - "smithy.api#documentation": "An encoded stream of audio blobs. Audio streams are encoded as either HTTP/2 or WebSocket \n data frames.
\nFor more information, see Transcribing streaming audio.
", + "smithy.api#documentation": "An encoded stream of audio blobs. Audio streams are encoded as either HTTP/2 or WebSocket \n data frames.
\nFor more information, see Transcribing streaming audio.
", "smithy.api#streaming": {} } }, @@ -915,7 +915,7 @@ "Confidence": { "target": "com.amazonaws.transcribestreaming#Confidence", "traits": { - "smithy.api#documentation": "The confidence score associated with the identified PHI entity in your audio.
\nConfidence scores are values between 0 and 1. A larger value indicates a higher\n probability that the identified entity correctly matches the entity spoken in your\n media.
" + "smithy.api#documentation": "The confidence score associated with the identified PHI entity in your audio.
\nConfidence scores are values between 0 and 1. A larger value indicates a higher\n probability that the identified entity correctly matches the entity spoken in your\n media.
" } } }, @@ -961,7 +961,7 @@ "Confidence": { "target": "com.amazonaws.transcribestreaming#Confidence", "traits": { - "smithy.api#documentation": "The confidence score associated with a word or phrase in your transcript.
\nConfidence scores are values between 0 and 1. A larger value indicates a higher\n probability that the identified item correctly matches the item spoken in your\n media.
" + "smithy.api#documentation": "The confidence score associated with a word or phrase in your transcript.
\nConfidence scores are values between 0 and 1. A larger value indicates a higher\n probability that the identified item correctly matches the item spoken in your\n media.
" } }, "Speaker": { @@ -1008,7 +1008,7 @@ "target": "com.amazonaws.transcribestreaming#Boolean", "traits": { "smithy.api#default": false, - "smithy.api#documentation": "Indicates if the segment is complete.
\nIf IsPartial
is true
, the segment is not complete. If\n IsPartial
is false
, the segment is complete.
Indicates if the segment is complete.
\nIf IsPartial
is true
, the segment is not complete. If\n IsPartial
is false
, the segment is complete.
The Result
associated with a \n .
Contains a set of transcription results from one or more audio segments, along with\n additional information per your request parameters. This can include information relating to\n alternative transcriptions, channel identification, partial result stabilization, language \n identification, and other transcription-related data.
" + "smithy.api#documentation": "The Result
associated with a \n .
Contains a set of transcription results from one or more audio segments, along with\n additional information per your request parameters. This can include information relating to\n alternative transcriptions, channel identification, partial result stabilization, language \n identification, and other transcription-related data.
" } }, "com.amazonaws.transcribestreaming#MedicalResultList": { @@ -1045,7 +1045,7 @@ } }, "traits": { - "smithy.api#documentation": "The MedicalTranscript
associated with a \n .
\n MedicalTranscript
contains Results
, which contains a set of \n transcription results from one or more audio segments, along with additional information per your \n request parameters.
The MedicalTranscript
associated with a \n .
\n MedicalTranscript
contains Results
, which contains a set of \n transcription results from one or more audio segments, along with additional information per your \n request parameters.
The MedicalTranscriptEvent
associated with a \n MedicalTranscriptResultStream
.
Contains a set of transcription results from one or more audio segments, along with additional \n information per your request parameters.
" + "smithy.api#documentation": "The MedicalTranscriptEvent
associated with a \n MedicalTranscriptResultStream
.
Contains a set of transcription results from one or more audio segments, along with additional \n information per your request parameters.
" } }, "com.amazonaws.transcribestreaming#MedicalTranscriptResultStream": { @@ -1068,7 +1068,7 @@ "TranscriptEvent": { "target": "com.amazonaws.transcribestreaming#MedicalTranscriptEvent", "traits": { - "smithy.api#documentation": "The MedicalTranscriptEvent
associated with a \n MedicalTranscriptResultStream
.
Contains a set of transcription results from one or more audio segments, along with \n additional information per your request parameters. This can include information relating to\n alternative transcriptions, channel identification, partial result stabilization, language \n identification, and other transcription-related data.
" + "smithy.api#documentation": "The MedicalTranscriptEvent
associated with a \n MedicalTranscriptResultStream
.
Contains a set of transcription results from one or more audio segments, along with \n additional information per your request parameters. This can include information relating to\n alternative transcriptions, channel identification, partial result stabilization, language \n identification, and other transcription-related data.
" } }, "BadRequestException": { @@ -1457,7 +1457,7 @@ "VocabularyFilterName": { "target": "com.amazonaws.transcribestreaming#VocabularyFilterName", "traits": { - "smithy.api#documentation": "Specify the name of the custom vocabulary filter that you want to use when processing your\n transcription. Note that vocabulary filter names are case sensitive.
\nIf the language of the specified custom vocabulary filter doesn't match the language identified in\n your media, the vocabulary filter is not applied to your transcription.
\nFor more information, see Using vocabulary filtering with unwanted \n words.
", + "smithy.api#documentation": "Specify the name of the custom vocabulary filter that you want to use when processing your\n transcription. Note that vocabulary filter names are case sensitive.
\nIf the language of the specified custom vocabulary filter doesn't match the language identified in\n your media, the vocabulary filter is not applied to your transcription.
\nFor more information, see Using vocabulary filtering with unwanted \n words.
", "smithy.api#httpHeader": "x-amzn-transcribe-vocabulary-filter-name" } }, @@ -1471,7 +1471,7 @@ "LanguageModelName": { "target": "com.amazonaws.transcribestreaming#ModelName", "traits": { - "smithy.api#documentation": "Specify the name of the custom language model that you want to use when processing your\n transcription. Note that language model names are case sensitive.
\nThe language of the specified language model must match the language code you specify\n in your transcription request. If the languages don't match, the custom language model isn't applied. \n There are no errors or warnings associated with a language mismatch.
\nFor more information, see Custom language models.
", + "smithy.api#documentation": "Specify the name of the custom language model that you want to use when processing your\n transcription. Note that language model names are case sensitive.
\nThe language of the specified language model must match the language code you specify\n in your transcription request. If the languages don't match, the custom language model isn't applied. \n There are no errors or warnings associated with a language mismatch.
\nFor more information, see Custom language models.
", "smithy.api#httpHeader": "x-amzn-transcribe-language-model-name" } }, @@ -1486,21 +1486,21 @@ "PartialResultsStability": { "target": "com.amazonaws.transcribestreaming#PartialResultsStability", "traits": { - "smithy.api#documentation": "Specify the level of stability to use when you enable partial results stabilization \n (EnablePartialResultsStabilization
).
Low stability provides the highest accuracy. High stability transcribes faster, but with slightly\n lower accuracy.
\nFor more information, see Partial-result \n stabilization.
", + "smithy.api#documentation": "Specify the level of stability to use when you enable partial results stabilization \n (EnablePartialResultsStabilization
).
Low stability provides the highest accuracy. High stability transcribes faster, but with slightly\n lower accuracy.
\nFor more information, see Partial-result \n stabilization.
", "smithy.api#httpHeader": "x-amzn-transcribe-partial-results-stability" } }, "ContentIdentificationType": { "target": "com.amazonaws.transcribestreaming#ContentIdentificationType", "traits": { - "smithy.api#documentation": "Labels all personally identifiable information (PII) identified in your transcript.
\nContent identification is performed at the segment level; PII specified in \n PiiEntityTypes
is flagged upon complete transcription of an audio segment.
You can’t set ContentIdentificationType
and ContentRedactionType
\n in the same request. If you set both, your request returns a\n BadRequestException
.
For more information, see Redacting or identifying personally identifiable\n information.
", + "smithy.api#documentation": "Labels all personally identifiable information (PII) identified in your transcript.
\nContent identification is performed at the segment level; PII specified in \n PiiEntityTypes
is flagged upon complete transcription of an audio segment.
You can’t set ContentIdentificationType
and ContentRedactionType
\n in the same request. If you set both, your request returns a\n BadRequestException
.
For more information, see Redacting or identifying personally identifiable\n information.
", "smithy.api#httpHeader": "x-amzn-transcribe-content-identification-type" } }, "ContentRedactionType": { "target": "com.amazonaws.transcribestreaming#ContentRedactionType", "traits": { - "smithy.api#documentation": "Redacts all personally identifiable information (PII) identified in your transcript.
\nContent redaction is performed at the segment level; PII specified in \n PiiEntityTypes
is redacted upon complete transcription of an audio segment.
You can’t set ContentRedactionType
and ContentIdentificationType
\n in the same request. If you set both, your request returns a\n BadRequestException
.
For more information, see Redacting or identifying personally identifiable\n information.
", + "smithy.api#documentation": "Redacts all personally identifiable information (PII) identified in your transcript.
\nContent redaction is performed at the segment level; PII specified in \n PiiEntityTypes
is redacted upon complete transcription of an audio segment.
You can’t set ContentRedactionType
and ContentIdentificationType
\n in the same request. If you set both, your request returns a\n BadRequestException
.
For more information, see Redacting or identifying personally identifiable\n information.
", "smithy.api#httpHeader": "x-amzn-transcribe-content-redaction-type" } }, @@ -1511,6 +1511,9 @@ "smithy.api#httpHeader": "x-amzn-transcribe-pii-entity-types" } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.transcribestreaming#StartCallAnalyticsStreamTranscriptionResponse": { @@ -1622,6 +1625,9 @@ "smithy.api#httpHeader": "x-amzn-transcribe-pii-entity-types" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.transcribestreaming#StartMedicalStreamTranscription": { @@ -1650,7 +1656,7 @@ } ], "traits": { - "smithy.api#documentation": "Starts a bidirectional HTTP/2 or WebSocket stream where audio is streamed to \n Amazon Transcribe Medical and the transcription results are streamed to your\n application.
\nThe following parameters are required:
\n\n language-code
\n
\n media-encoding
\n
\n sample-rate
\n
For more information on streaming with Amazon Transcribe Medical, see \n Transcribing\n streaming audio.
", + "smithy.api#documentation": "Starts a bidirectional HTTP/2 or WebSocket stream where audio is streamed to \n Amazon Transcribe Medical and the transcription results are streamed to your\n application.
\nThe following parameters are required:
\n\n language-code
\n
\n media-encoding
\n
\n sample-rate
\n
For more information on streaming with Amazon Transcribe Medical, see \n Transcribing\n streaming audio.
", "smithy.api#http": { "method": "POST", "uri": "/medical-stream-transcription", @@ -1664,7 +1670,7 @@ "LanguageCode": { "target": "com.amazonaws.transcribestreaming#LanguageCode", "traits": { - "smithy.api#documentation": "Specify the language code that represents the language spoken in your audio.
\nAmazon Transcribe Medical only supports US English (en-US
).
Specify the language code that represents the language spoken in your audio.
\nAmazon Transcribe Medical only supports US English (en-US
).
Specify the encoding used for the input audio. Supported formats are:
\nFLAC
\nOPUS-encoded audio in an Ogg container
\nPCM (only signed 16-bit little-endian audio formats, which does not include\n WAV)
\nFor more information, see Media formats.
", + "smithy.api#documentation": "Specify the encoding used for the input audio. Supported formats are:
\nFLAC
\nOPUS-encoded audio in an Ogg container
\nPCM (only signed 16-bit little-endian audio formats, which does not include\n WAV)
\nFor more information, see Media formats.
", "smithy.api#httpHeader": "x-amzn-transcribe-media-encoding", "smithy.api#required": {} } @@ -1712,14 +1718,14 @@ "target": "com.amazonaws.transcribestreaming#Boolean", "traits": { "smithy.api#default": false, - "smithy.api#documentation": "Enables speaker partitioning (diarization) in your transcription output. Speaker\n partitioning labels the speech from individual speakers in your media file.
\nFor more information, see Partitioning speakers (diarization).
", + "smithy.api#documentation": "Enables speaker partitioning (diarization) in your transcription output. Speaker\n partitioning labels the speech from individual speakers in your media file.
\nFor more information, see Partitioning speakers (diarization).
", "smithy.api#httpHeader": "x-amzn-transcribe-show-speaker-label" } }, "SessionId": { "target": "com.amazonaws.transcribestreaming#SessionId", "traits": { - "smithy.api#documentation": "Specify a name for your transcription session. If you don't include this parameter in \n your request, Amazon Transcribe Medical generates an ID and returns it in the\n response.
\nYou can use a session ID to retry a streaming session.
", + "smithy.api#documentation": "Specify a name for your transcription session. If you don't include this parameter in \n your request, Amazon Transcribe Medical generates an ID and returns it in the\n response.
\nYou can use a session ID to retry a streaming session.
", "smithy.api#httpHeader": "x-amzn-transcribe-session-id" } }, @@ -1734,7 +1740,7 @@ "target": "com.amazonaws.transcribestreaming#Boolean", "traits": { "smithy.api#default": false, - "smithy.api#documentation": "Enables channel identification in multi-channel audio.
\nChannel identification transcribes the audio on each channel independently, then appends\n the output for each channel into one transcript.
\nIf you have multi-channel audio and do not enable channel identification, your audio is \n transcribed in a continuous manner and your transcript is not separated by channel.
\nFor more information, see Transcribing multi-channel audio.
", + "smithy.api#documentation": "Enables channel identification in multi-channel audio.
\nChannel identification transcribes the audio on each channel independently, then appends\n the output for each channel into one transcript.
\nIf you have multi-channel audio and do not enable channel identification, your audio is \n transcribed in a continuous manner and your transcript is not separated by channel.
\nFor more information, see Transcribing multi-channel audio.
", "smithy.api#httpHeader": "x-amzn-transcribe-enable-channel-identification" } }, @@ -1748,10 +1754,13 @@ "ContentIdentificationType": { "target": "com.amazonaws.transcribestreaming#MedicalContentIdentificationType", "traits": { - "smithy.api#documentation": "Labels all personal health information (PHI) identified in your transcript.
\nContent identification is performed at the segment level; PHI is flagged upon complete\n transcription of an audio segment.
\nFor more information, see Identifying personal health information (PHI) in a\n transcription.
", + "smithy.api#documentation": "Labels all personal health information (PHI) identified in your transcript.
\nContent identification is performed at the segment level; PHI is flagged upon complete\n transcription of an audio segment.
\nFor more information, see Identifying personal health information (PHI) in a\n transcription.
", "smithy.api#httpHeader": "x-amzn-transcribe-content-identification-type" } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.transcribestreaming#StartMedicalStreamTranscriptionResponse": { @@ -1850,6 +1859,9 @@ "smithy.api#httpHeader": "x-amzn-transcribe-content-identification-type" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.transcribestreaming#StartStreamTranscription": { @@ -1929,7 +1941,7 @@ "AudioStream": { "target": "com.amazonaws.transcribestreaming#AudioStream", "traits": { - "smithy.api#documentation": "An encoded stream of audio blobs. Audio streams are encoded as either HTTP/2 or WebSocket \n data frames.
\nFor more information, see Transcribing streaming audio.
", + "smithy.api#documentation": "An encoded stream of audio blobs. Audio streams are encoded as either HTTP/2 or WebSocket \n data frames.
\nFor more information, see Transcribing streaming audio.
", "smithy.api#httpPayload": {}, "smithy.api#required": {} } @@ -1937,7 +1949,7 @@ "VocabularyFilterName": { "target": "com.amazonaws.transcribestreaming#VocabularyFilterName", "traits": { - "smithy.api#documentation": "Specify the name of the custom vocabulary filter that you want to use when processing your\n transcription. Note that vocabulary filter names are case sensitive.
\nIf the language of the specified custom vocabulary filter doesn't match the language identified in\n your media, the vocabulary filter is not applied to your transcription.
\nThis parameter is not intended for use with the\n IdentifyLanguage
parameter. If you're including IdentifyLanguage
\n in your request and want to use one or more vocabulary filters with your transcription, use\n the VocabularyFilterNames
parameter instead.
For more information, see Using vocabulary filtering with unwanted \n words.
", + "smithy.api#documentation": "Specify the name of the custom vocabulary filter that you want to use when processing your\n transcription. Note that vocabulary filter names are case sensitive.
\nIf the language of the specified custom vocabulary filter doesn't match the language identified in\n your media, the vocabulary filter is not applied to your transcription.
\nThis parameter is not intended for use with the\n IdentifyLanguage
parameter. If you're including IdentifyLanguage
\n in your request and want to use one or more vocabulary filters with your transcription, use\n the VocabularyFilterNames
parameter instead.
For more information, see Using vocabulary filtering with unwanted \n words.
", "smithy.api#httpHeader": "x-amzn-transcribe-vocabulary-filter-name" } }, @@ -1952,7 +1964,7 @@ "target": "com.amazonaws.transcribestreaming#Boolean", "traits": { "smithy.api#default": false, - "smithy.api#documentation": "Enables speaker partitioning (diarization) in your transcription output. Speaker partitioning \n labels the speech from individual speakers in your media file.
\nFor more information, see Partitioning speakers (diarization).
", + "smithy.api#documentation": "Enables speaker partitioning (diarization) in your transcription output. Speaker partitioning \n labels the speech from individual speakers in your media file.
\nFor more information, see Partitioning speakers (diarization).
", "smithy.api#httpHeader": "x-amzn-transcribe-show-speaker-label" } }, @@ -1960,7 +1972,7 @@ "target": "com.amazonaws.transcribestreaming#Boolean", "traits": { "smithy.api#default": false, - "smithy.api#documentation": "Enables channel identification in multi-channel audio.
\nChannel identification transcribes the audio on each channel independently, then appends the \n output for each channel into one transcript.
\nIf you have multi-channel audio and do not enable channel identification, your audio is \n transcribed in a continuous manner and your transcript is not separated by channel.
\nFor more information, see Transcribing multi-channel audio.
", + "smithy.api#documentation": "Enables channel identification in multi-channel audio.
\nChannel identification transcribes the audio on each channel independently, then appends the \n output for each channel into one transcript.
\nIf you have multi-channel audio and do not enable channel identification, your audio is \n transcribed in a continuous manner and your transcript is not separated by channel.
\nFor more information, see Transcribing multi-channel audio.
", "smithy.api#httpHeader": "x-amzn-transcribe-enable-channel-identification" } }, @@ -1982,21 +1994,21 @@ "PartialResultsStability": { "target": "com.amazonaws.transcribestreaming#PartialResultsStability", "traits": { - "smithy.api#documentation": "Specify the level of stability to use when you enable partial results stabilization \n (EnablePartialResultsStabilization
).
Low stability provides the highest accuracy. High stability transcribes faster, but with slightly\n lower accuracy.
\nFor more information, see Partial-result \n stabilization.
", + "smithy.api#documentation": "Specify the level of stability to use when you enable partial results stabilization \n (EnablePartialResultsStabilization
).
Low stability provides the highest accuracy. High stability transcribes faster, but with slightly\n lower accuracy.
\nFor more information, see Partial-result \n stabilization.
", "smithy.api#httpHeader": "x-amzn-transcribe-partial-results-stability" } }, "ContentIdentificationType": { "target": "com.amazonaws.transcribestreaming#ContentIdentificationType", "traits": { - "smithy.api#documentation": "Labels all personally identifiable information (PII) identified in your transcript.
\nContent identification is performed at the segment level; PII specified in \n PiiEntityTypes
is flagged upon complete transcription of an audio segment.
You can’t set ContentIdentificationType
and ContentRedactionType
\n in the same request. If you set both, your request returns a\n BadRequestException
.
For more information, see Redacting or identifying personally identifiable\n information.
", + "smithy.api#documentation": "Labels all personally identifiable information (PII) identified in your transcript.
\nContent identification is performed at the segment level; PII specified in \n PiiEntityTypes
is flagged upon complete transcription of an audio segment.
You can’t set ContentIdentificationType
and ContentRedactionType
\n in the same request. If you set both, your request returns a\n BadRequestException
.
For more information, see Redacting or identifying personally identifiable\n information.
", "smithy.api#httpHeader": "x-amzn-transcribe-content-identification-type" } }, "ContentRedactionType": { "target": "com.amazonaws.transcribestreaming#ContentRedactionType", "traits": { - "smithy.api#documentation": "Redacts all personally identifiable information (PII) identified in your transcript.
\nContent redaction is performed at the segment level; PII specified in \n PiiEntityTypes
is redacted upon complete transcription of an audio segment.
You can’t set ContentRedactionType
and ContentIdentificationType
\n in the same request. If you set both, your request returns a\n BadRequestException
.
For more information, see Redacting or identifying personally identifiable\n information.
", + "smithy.api#documentation": "Redacts all personally identifiable information (PII) identified in your transcript.
\nContent redaction is performed at the segment level; PII specified in \n PiiEntityTypes
is redacted upon complete transcription of an audio segment.
You can’t set ContentRedactionType
and ContentIdentificationType
\n in the same request. If you set both, your request returns a\n BadRequestException
.
For more information, see Redacting or identifying personally identifiable\n information.
", "smithy.api#httpHeader": "x-amzn-transcribe-content-redaction-type" } }, @@ -2010,7 +2022,7 @@ "LanguageModelName": { "target": "com.amazonaws.transcribestreaming#ModelName", "traits": { - "smithy.api#documentation": "Specify the name of the custom language model that you want to use when processing your\n transcription. Note that language model names are case sensitive.
\nThe language of the specified language model must match the language code you specify\n in your transcription request. If the languages don't match, the custom language model isn't applied. \n There are no errors or warnings associated with a language mismatch.
\nFor more information, see Custom language models.
", + "smithy.api#documentation": "Specify the name of the custom language model that you want to use when processing your\n transcription. Note that language model names are case sensitive.
\nThe language of the specified language model must match the language code you specify\n in your transcription request. If the languages don't match, the custom language model isn't applied. \n There are no errors or warnings associated with a language mismatch.
\nFor more information, see Custom language models.
", "smithy.api#httpHeader": "x-amzn-transcribe-language-model-name" } }, @@ -2018,7 +2030,7 @@ "target": "com.amazonaws.transcribestreaming#Boolean", "traits": { "smithy.api#default": false, - "smithy.api#documentation": "Enables automatic language identification for your transcription.
\nIf you include IdentifyLanguage
, you can optionally include a list of \n language codes, using LanguageOptions
, that you think may be present in \n your audio stream. Including language options can improve transcription accuracy.
You can also include a preferred language using PreferredLanguage
. Adding a \n preferred language can help Amazon Transcribe identify the language faster than if you omit this \n parameter.
If you have multi-channel audio that contains different languages on each channel, and you've \n enabled channel identification, automatic language identification identifies the dominant language on \n each audio channel.
\nNote that you must include either LanguageCode
or \n IdentifyLanguage
in your request. If you include both parameters, your request\n fails.
Streaming language identification can't be combined with custom language models or \n redaction.
", + "smithy.api#documentation": "Enables automatic language identification for your transcription.
\nIf you include IdentifyLanguage
, you can optionally include a list of \n language codes, using LanguageOptions
, that you think may be present in \n your audio stream. Including language options can improve transcription accuracy.
You can also include a preferred language using PreferredLanguage
. Adding a \n preferred language can help Amazon Transcribe identify the language faster than if you omit this \n parameter.
If you have multi-channel audio that contains different languages on each channel, and you've \n enabled channel identification, automatic language identification identifies the dominant language on \n each audio channel.
\nNote that you must include either LanguageCode
or \n IdentifyLanguage
in your request. If you include both parameters, your request\n fails.
Streaming language identification can't be combined with custom language models or \n redaction.
", "smithy.api#httpHeader": "x-amzn-transcribe-identify-language" } }, @@ -2039,17 +2051,20 @@ "VocabularyNames": { "target": "com.amazonaws.transcribestreaming#VocabularyNames", "traits": { - "smithy.api#documentation": "Specify the names of the custom vocabularies that you want to use when processing your\n transcription. Note that vocabulary names are case sensitive.
\nIf none of the languages of the specified custom vocabularies match the language identified in \n your media, your job fails.
\nThis parameter is only intended for use with the\n IdentifyLanguage
parameter. If you're not\n including IdentifyLanguage
in your request and want to use a custom vocabulary\n with your transcription, use the VocabularyName
parameter instead.
For more information, see Custom vocabularies.
", + "smithy.api#documentation": "Specify the names of the custom vocabularies that you want to use when processing your\n transcription. Note that vocabulary names are case sensitive.
\nIf none of the languages of the specified custom vocabularies match the language identified in \n your media, your job fails.
\nThis parameter is only intended for use with the\n IdentifyLanguage
parameter. If you're not\n including IdentifyLanguage
in your request and want to use a custom vocabulary\n with your transcription, use the VocabularyName
parameter instead.
For more information, see Custom vocabularies.
", "smithy.api#httpHeader": "x-amzn-transcribe-vocabulary-names" } }, "VocabularyFilterNames": { "target": "com.amazonaws.transcribestreaming#VocabularyFilterNames", "traits": { - "smithy.api#documentation": "Specify the names of the custom vocabulary filters that you want to use when processing\n your transcription. Note that vocabulary filter names are case sensitive.
\nIf none of the languages of the specified custom vocabulary filters match the language identified\n in your media, your job fails.
\nThis parameter is only intended for use with \n the IdentifyLanguage
parameter. If you're not \n including IdentifyLanguage
in your request and want to use a custom vocabulary filter \n with your transcription, use the VocabularyFilterName
parameter instead.
For more information, see Using vocabulary filtering with unwanted \n words.
", + "smithy.api#documentation": "Specify the names of the custom vocabulary filters that you want to use when processing\n your transcription. Note that vocabulary filter names are case sensitive.
\nIf none of the languages of the specified custom vocabulary filters match the language identified\n in your media, your job fails.
\nThis parameter is only intended for use with \n the IdentifyLanguage
parameter. If you're not \n including IdentifyLanguage
in your request and want to use a custom vocabulary filter \n with your transcription, use the VocabularyFilterName
parameter instead.
For more information, see Using vocabulary filtering with unwanted \n words.
", "smithy.api#httpHeader": "x-amzn-transcribe-vocabulary-filter-names" } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.transcribestreaming#StartStreamTranscriptionResponse": { @@ -2220,6 +2235,9 @@ "smithy.api#httpHeader": "x-amzn-transcribe-vocabulary-filter-names" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.transcribestreaming#String": { @@ -2291,7 +2309,7 @@ "h2" ] }, - "smithy.api#documentation": "Amazon Transcribe streaming offers three main types of real-time transcription: \n Standard, Medical, and \n Call Analytics.
\n\n Standard transcriptions are the most common option. Refer\n to for details.
\n\n Medical transcriptions are tailored to medical professionals \n and incorporate medical terms. A common use case for this service is transcribing doctor-patient \n dialogue in real time, so doctors can focus on their patient instead of taking notes. Refer to\n for details.
\n\n Call Analytics transcriptions are designed for use with call\n center audio on two different channels; if you're looking for insight into customer service calls, use this \n option. Refer to for details.
\nAmazon Transcribe streaming offers three main types of real-time transcription: \n Standard, Medical, and \n Call Analytics.
\n\n Standard transcriptions are the most common option. Refer\n to for details.
\n\n Medical transcriptions are tailored to medical professionals \n and incorporate medical terms. A common use case for this service is transcribing doctor-patient \n dialogue in real time, so doctors can focus on their patient instead of taking notes. Refer to\n for details.
\n\n Call Analytics transcriptions are designed for use with call\n center audio on two different channels; if you're looking for insight into customer service calls, use this \n option. Refer to for details.
\n