diff --git a/aws/sdk/aws-models/config.json b/aws/sdk/aws-models/config.json
index f96f7b6f754c3a80d716ecc4f99834b0e370cec0..07c3bf0502cf29dffc2fbfb06bc8d7721a2bc66b 100644
--- a/aws/sdk/aws-models/config.json
+++ b/aws/sdk/aws-models/config.json
@@ -13333,6 +13333,342 @@ "traits": { "smithy.api#enumValue": "AWS::SageMaker::Image" } + }, + "ECSTaskSet": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::ECS::TaskSet" + } + }, + "CassandraKeyspace": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Cassandra::Keyspace" + } + }, + "SignerSigningProfile": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Signer::SigningProfile" + } + }, + "AmplifyApp": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Amplify::App" + } + }, + "AppMeshVirtualNode": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::AppMesh::VirtualNode" + } + }, + "AppMeshVirtualService": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::AppMesh::VirtualService" + } + }, + "AppRunnerVpcConnector": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::AppRunner::VpcConnector" + } + }, + "AppStreamApplication": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::AppStream::Application" + } + }, + "CodeArtifactRepository": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::CodeArtifact::Repository" + } + }, + "EC2PrefixList": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::EC2::PrefixList" + } + }, + "EC2SpotFleet": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::EC2::SpotFleet" + } + }, + "EvidentlyProject": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Evidently::Project" + } + }, + "ForecastDataset": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Forecast::Dataset" + } + }, + "IAMSAMLProvider": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::IAM::SAMLProvider" + } + }, + "IAMServerCertificate": { + "target": "smithy.api#Unit", + "traits": { + 
"smithy.api#enumValue": "AWS::IAM::ServerCertificate" + } + }, + "PinpointCampaign": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Pinpoint::Campaign" + } + }, + "PinpointInAppTemplate": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Pinpoint::InAppTemplate" + } + }, + "SageMakerDomain": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::SageMaker::Domain" + } + }, + "TransferAgreement": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Transfer::Agreement" + } + }, + "TransferConnector": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Transfer::Connector" + } + }, + "KinesisFirehoseDeliveryStream": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::KinesisFirehose::DeliveryStream" + } + }, + "AmplifyBranch": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Amplify::Branch" + } + }, + "AppIntegrationsEventIntegration": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::AppIntegrations::EventIntegration" + } + }, + "AppMeshRoute": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::AppMesh::Route" + } + }, + "AthenaPreparedStatement": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Athena::PreparedStatement" + } + }, + "EC2IPAMScope": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::EC2::IPAMScope" + } + }, + "EvidentlyLaunch": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Evidently::Launch" + } + }, + "ForecastDatasetGroup": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Forecast::DatasetGroup" + } + }, + "GreengrassV2ComponentVersion": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::GreengrassV2::ComponentVersion" + } + }, + 
"GroundStationMissionProfile": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::GroundStation::MissionProfile" + } + }, + "MediaConnectFlowEntitlement": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::MediaConnect::FlowEntitlement" + } + }, + "MediaConnectFlowVpcInterface": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::MediaConnect::FlowVpcInterface" + } + }, + "MediaTailorPlaybackConfiguration": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::MediaTailor::PlaybackConfiguration" + } + }, + "MSKConfiguration": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::MSK::Configuration" + } + }, + "PersonalizeDataset": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Personalize::Dataset" + } + }, + "PersonalizeSchema": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Personalize::Schema" + } + }, + "PersonalizeSolution": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Personalize::Solution" + } + }, + "PinpointEmailTemplate": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Pinpoint::EmailTemplate" + } + }, + "PinpointEventStream": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Pinpoint::EventStream" + } + }, + "ResilienceHubApp": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::ResilienceHub::App" + } + }, + "ACMPCACertificateAuthority": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::ACMPCA::CertificateAuthority" + } + }, + "AppConfigHostedConfigurationVersion": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::AppConfig::HostedConfigurationVersion" + } + }, + "AppMeshVirtualGateway": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": 
"AWS::AppMesh::VirtualGateway" + } + }, + "AppMeshVirtualRouter": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::AppMesh::VirtualRouter" + } + }, + "AppRunnerService": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::AppRunner::Service" + } + }, + "CustomerProfilesObjectType": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::CustomerProfiles::ObjectType" + } + }, + "DMSEndpoint": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::DMS::Endpoint" + } + }, + "EC2CapacityReservation": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::EC2::CapacityReservation" + } + }, + "EC2ClientVpnEndpoint": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::EC2::ClientVpnEndpoint" + } + }, + "KendraIndex": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Kendra::Index" + } + }, + "KinesisVideoStream": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::KinesisVideo::Stream" + } + }, + "LogsDestination": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Logs::Destination" + } + }, + "PinpointEmailChannel": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::Pinpoint::EmailChannel" + } + }, + "S3AccessPoint": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::S3::AccessPoint" + } + }, + "NetworkManagerCustomerGatewayAssociation": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::NetworkManager::CustomerGatewayAssociation" + } + }, + "NetworkManagerLinkAssociation": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AWS::NetworkManager::LinkAssociation" + } } } }, 
@@ -14198,52 +14534,56 @@ "type": "error" }, { - "conditions": [], - "type": "tree", - "rules": [ + "conditions": [ { - "conditions": [ + "fn": "booleanEquals", + "argv": [ { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseDualStack" - }, - true - ] - } - ], - "error": "Invalid Configuration: Dualstack and custom endpoint are not supported", - "type": "error" - }, - { - "conditions": [], - "endpoint": { - "url": { - "ref": "Endpoint" + "ref": "UseDualStack" }, - "properties": {}, - "headers": {} - }, - "type": "endpoint" + true + ] } - ] + ], + "error": "Invalid Configuration: Dualstack and custom endpoint are not supported", + "type": "error" + }, + { + "conditions": [], + "endpoint": { + "url": { + "ref": "Endpoint" + }, + "properties": {}, + "headers": {} + }, + "type": "endpoint" } ] }, { - "conditions": [], + "conditions": [ + { + "fn": "isSet", + "argv": [ + { + "ref": "Region" + } + ] + } + ], "type": "tree", "rules": [ { "conditions": [ { - "fn": "isSet", + "fn": "aws.partition", "argv": [ { "ref": "Region" } - ] + ], + "assign": "PartitionResult" } ], "type": "tree", @@ -14251,13 +14591,22 @@ { "conditions": [ { - "fn": "aws.partition", + "fn": "booleanEquals", "argv": [ { - "ref": "Region" - } - ], - "assign": "PartitionResult" + "ref": "UseFIPS" + }, + true + ] + }, + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseDualStack" + }, + true + ] } ], "type": "tree", 
@@ -14267,92 +14616,83 @@ { "fn": "booleanEquals", "argv": [ + true, { - "ref": "UseFIPS" - }, - true + "fn": "getAttr", + "argv": [ + { + "ref": "PartitionResult" + }, + "supportsFIPS" + ] + } ] }, { "fn": "booleanEquals", "argv": [ + true, { - "ref": "UseDualStack" - }, - true - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "booleanEquals", + "fn": "getAttr", "argv": [ - true, { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "supportsFIPS" - ] - } - ] - }, - { - "fn": "booleanEquals", - "argv": [ - true, - { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "supportsDualStack" - ] - } - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [], - "endpoint": { - "url": "https://config-fips.{Region}.{PartitionResult#dualStackDnsSuffix}", - "properties": {}, - "headers": {} - }, - "type": "endpoint" - } + "ref": "PartitionResult" + }, + "supportsDualStack" ] } ] - }, + } + ], + "type": "tree", + "rules": [ { "conditions": [], - "error": "FIPS and DualStack are enabled, but this partition does not support one or both", - "type": "error" + "endpoint": { + "url": "https://config-fips.{Region}.{PartitionResult#dualStackDnsSuffix}", + "properties": {}, + "headers": {} + }, + "type": "endpoint" } ] }, + { + "conditions": [], + "error": "FIPS and DualStack are enabled, but this partition does not support one or both", + "type": "error" + } + ] + }, + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseFIPS" + }, + true + ] + } + ], + "type": "tree", + "rules": [ { "conditions": [ { "fn": "booleanEquals", "argv": [ + true, { - "ref": "UseFIPS" - }, - true + "fn": "getAttr", + "argv": [ + { + "ref": "PartitionResult" + }, + "supportsFIPS" + ] + } ] } ], 
@@ -14361,155 +14701,115 @@ { "conditions": [ { - "fn": "booleanEquals", + "fn": "stringEquals", "argv": [ - true, + "aws-us-gov", { "fn": "getAttr", "argv": [ { "ref": "PartitionResult" }, - "supportsFIPS" + "name" ] } ] } ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "stringEquals", - "argv": [ - "aws-us-gov", - { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "name" - ] - } - ] - } - ], - "endpoint": { - "url": "https://config.{Region}.amazonaws.com", - "properties": {}, - "headers": {} - }, - "type": "endpoint" - }, - { - "conditions": [], - "endpoint": { - "url": "https://config-fips.{Region}.{PartitionResult#dnsSuffix}", - "properties": {}, - "headers": {} - }, - "type": "endpoint" - } - ] - } - ] + "endpoint": { + "url": "https://config.{Region}.amazonaws.com", + "properties": {}, + "headers": {} + }, + "type": "endpoint" }, { "conditions": [], - "error": "FIPS is enabled but this partition does not support FIPS", - "type": "error" + "endpoint": { + "url": "https://config-fips.{Region}.{PartitionResult#dnsSuffix}", + "properties": {}, + "headers": {} + }, + "type": "endpoint" } ] }, + { + "conditions": [], + "error": "FIPS is enabled but this partition does not support FIPS", + "type": "error" + } + ] + }, + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseDualStack" + }, + true + ] + } + ], + "type": "tree", + "rules": [ { "conditions": [ { "fn": "booleanEquals", "argv": [ + true, { - "ref": "UseDualStack" - }, - true - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "booleanEquals", + "fn": "getAttr", "argv": [ - true, - { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "supportsDualStack" - ] - } - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": "tree", - "rules": [ { - "conditions": [], - "endpoint": { - "url": 
"https://config.{Region}.{PartitionResult#dualStackDnsSuffix}", - "properties": {}, - "headers": {} - }, - "type": "endpoint" - } + "ref": "PartitionResult" + }, + "supportsDualStack" ] } ] - }, - { - "conditions": [], - "error": "DualStack is enabled but this partition does not support DualStack", - "type": "error" } - ] - }, - { - "conditions": [], + ], "type": "tree", "rules": [ { "conditions": [], "endpoint": { - "url": "https://config.{Region}.{PartitionResult#dnsSuffix}", + "url": "https://config.{Region}.{PartitionResult#dualStackDnsSuffix}", "properties": {}, "headers": {} }, "type": "endpoint" } ] + }, + { + "conditions": [], + "error": "DualStack is enabled but this partition does not support DualStack", + "type": "error" } ] + }, + { + "conditions": [], + "endpoint": { + "url": "https://config.{Region}.{PartitionResult#dnsSuffix}", + "properties": {}, + "headers": {} + }, + "type": "endpoint" } ] - }, - { - "conditions": [], - "error": "Invalid Configuration: Missing Region", - "type": "error" } ] + }, + { + "conditions": [], + "error": "Invalid Configuration: Missing Region", + "type": "error" } ] }, diff --git a/aws/sdk/aws-models/dynamodb.json b/aws/sdk/aws-models/dynamodb.json index 7c5a2d767878196a48d71274e14423ef9c51dc24..a1537f04c20ae2925e60cb66cf0452ce6c75ec54 100644 --- a/aws/sdk/aws-models/dynamodb.json +++ b/aws/sdk/aws-models/dynamodb.json @@ -790,7 +790,7 @@ "Responses": { "target": "com.amazonaws.dynamodb#PartiQLBatchResponse", "traits": { - "smithy.api#documentation": "
The response to each PartiQL statement in the batch.
" + "smithy.api#documentation": "The response to each PartiQL statement in the batch. The values of the list are \n ordered according to the ordering of the request statements.
" } }, "ConsumedCapacity": { @@ -920,6 +920,12 @@ "traits": { "smithy.api#documentation": "The error message associated with the PartiQL batch response.
" } + }, + "Item": { + "target": "com.amazonaws.dynamodb#AttributeMap", + "traits": { + "smithy.api#documentation": "The item which caused the condition check to fail. This will be set if ReturnValuesOnConditionCheckFailure is specified as ALL_OLD
.
The read consistency of the PartiQL batch request.
" } + }, + "ReturnValuesOnConditionCheckFailure": { + "target": "com.amazonaws.dynamodb#ReturnValuesOnConditionCheckFailure", + "traits": { + "smithy.api#documentation": "An optional parameter that returns the item attributes for a PartiQL batch request\n operation that failed a condition check.
\nThere is no additional cost associated with requesting a return value aside from the\n small network and processing overhead of receiving a larger response. No read capacity\n units are consumed.
" + } } }, "traits": { @@ -1465,6 +1477,12 @@ "traits": { "smithy.api#documentation": "The conditional request failed.
" } + }, + "Item": { + "target": "com.amazonaws.dynamodb#AttributeMap", + "traits": { + "smithy.api#documentation": "Item which caused the ConditionalCheckFailedException
.
One or more values that can be substituted in an expression.
\nUse the : (colon) character in an expression to\n dereference an attribute value. For example, suppose that you wanted to check whether\n the value of the ProductStatus attribute was one of the following:
\n\n Available | Backordered | Discontinued
\n
You would first need to specify ExpressionAttributeValues
as\n follows:
\n { \":avail\":{\"S\":\"Available\"}, \":back\":{\"S\":\"Backordered\"},\n \":disc\":{\"S\":\"Discontinued\"} }
\n
You could then use these values in an expression, such as this:
\n\n ProductStatus IN (:avail, :back, :disc)
\n
For more information on expression attribute values, see Condition Expressions in the Amazon DynamoDB Developer\n Guide.
" } + }, + "ReturnValuesOnConditionCheckFailure": { + "target": "com.amazonaws.dynamodb#ReturnValuesOnConditionCheckFailure", + "traits": { + "smithy.api#documentation": "An optional parameter that returns the item attributes for a DeleteItem
\n operation that failed a condition check.
There is no additional cost associated with requesting a return value aside from the\n small network and processing overhead of receiving a larger response. No read capacity\n units are consumed.
" + } } }, "traits": { @@ -2684,7 +2708,7 @@ "target": "com.amazonaws.dynamodb#DescribeEndpointsResponse" }, "traits": { - "smithy.api#documentation": "Returns the regional endpoint information. This action must be included in your VPC \n endpoint policies, or access to the DescribeEndpoints API will be denied. For more information \n on policy permissions, please see Internetwork traffic privacy.
" + "smithy.api#documentation": "Returns the regional endpoint information. For more information \n on policy permissions, please see Internetwork traffic privacy.
" } }, "com.amazonaws.dynamodb#DescribeEndpointsRequest": { @@ -4781,6 +4805,12 @@ "traits": { "smithy.api#documentation": "The maximum number of items to evaluate (not necessarily the number of matching\n items). If DynamoDB processes the number of items up to the limit while processing the\n results, it stops the operation and returns the matching values up to that point, along\n with a key in LastEvaluatedKey
to apply in a subsequent operation so you\n can pick up where you left off. Also, if the processed dataset size exceeds 1 MB before\n DynamoDB reaches this limit, it stops the operation and returns the matching values up\n to the limit, and a key in LastEvaluatedKey
to apply in a subsequent\n operation to continue the operation.
An optional parameter that returns the item attributes for an\n ExecuteStatement
operation that failed a condition check.
There is no additional cost associated with requesting a return value aside from the\n small network and processing overhead of receiving a larger response. No read capacity\n units are consumed.
" + } } }, "traits": { @@ -7477,6 +7507,12 @@ "traits": { "smithy.api#documentation": "The parameter values.
" } + }, + "ReturnValuesOnConditionCheckFailure": { + "target": "com.amazonaws.dynamodb#ReturnValuesOnConditionCheckFailure", + "traits": { + "smithy.api#documentation": "An optional parameter that returns the item attributes for a PartiQL\n ParameterizedStatement
operation that failed a condition check.
There is no additional cost associated with requesting a return value aside from the\n small network and processing overhead of receiving a larger response. No read capacity\n units are consumed.
" + } } }, "traits": { @@ -7920,6 +7956,12 @@ "traits": { "smithy.api#documentation": "One or more values that can be substituted in an expression.
\nUse the : (colon) character in an expression to\n dereference an attribute value. For example, suppose that you wanted to check whether\n the value of the ProductStatus attribute was one of the following:
\n\n Available | Backordered | Discontinued
\n
You would first need to specify ExpressionAttributeValues
as\n follows:
\n { \":avail\":{\"S\":\"Available\"}, \":back\":{\"S\":\"Backordered\"},\n \":disc\":{\"S\":\"Discontinued\"} }
\n
You could then use these values in an expression, such as this:
\n\n ProductStatus IN (:avail, :back, :disc)
\n
For more information on expression attribute values, see Condition Expressions in the Amazon DynamoDB Developer\n Guide.
" } + }, + "ReturnValuesOnConditionCheckFailure": { + "target": "com.amazonaws.dynamodb#ReturnValuesOnConditionCheckFailure", + "traits": { + "smithy.api#documentation": "An optional parameter that returns the item attributes for a PutItem
\n operation that failed a condition check.
There is no additional cost associated with requesting a return value aside from the\n small network and processing overhead of receiving a larger response. No read capacity\n units are consumed.
" + } } }, "traits": { @@ -9444,7 +9486,7 @@ "aws.api#clientDiscoveredEndpoint": { "required": false }, - "smithy.api#documentation": "The Scan
operation returns one or more items and item attributes by\n accessing every item in a table or a secondary index. To have DynamoDB return fewer\n items, you can provide a FilterExpression
operation.
If the total number of scanned items exceeds the maximum dataset size limit of 1 MB,\n the scan stops and results are returned to the user as a LastEvaluatedKey
\n value to continue the scan in a subsequent operation. The results also include the\n number of items exceeding the limit. A scan can result in no table data meeting the\n filter criteria.
A single Scan
operation reads up to the maximum number of items set (if\n using the Limit
parameter) or a maximum of 1 MB of data and then apply any\n filtering to the results using FilterExpression
. If\n LastEvaluatedKey
is present in the response, you need to paginate the\n result set. For more information, see Paginating the\n Results in the Amazon DynamoDB Developer Guide.
\n Scan
operations proceed sequentially; however, for faster performance on\n a large table or secondary index, applications can request a parallel Scan
\n operation by providing the Segment
and TotalSegments
\n parameters. For more information, see Parallel\n Scan in the Amazon DynamoDB Developer Guide.
\n Scan
uses eventually consistent reads when accessing the data in a table;\n therefore, the result set might not include the changes to data in the table immediately\n before the operation began. If you need a consistent copy of the data, as of the time\n that the Scan
begins, you can set the ConsistentRead
parameter\n to true
.
The Scan
operation returns one or more items and item attributes by\n accessing every item in a table or a secondary index. To have DynamoDB return fewer\n items, you can provide a FilterExpression
operation.
If the total size of scanned items exceeds the maximum dataset size limit of 1 MB,\n the scan completes and results are returned to the user. The LastEvaluatedKey
\n value is also returned and the requestor can use the LastEvaluatedKey
to continue \n the scan in a subsequent operation. Each scan response also includes number of items that were \n scanned (ScannedCount) as part of the request. If using a FilterExpression
, a scan result \n can result in no items meeting the criteria and the Count
will result in zero. If \n you did not use a FilterExpression
in the scan request, then Count
is \n the same as ScannedCount
.
\n Count
and ScannedCount
only return the count of items specific to a \n single scan request and, unless the table is less than 1MB, do not represent the total number \n of items in the table.\n
A single Scan
operation first reads up to the maximum number of items set (if\n using the Limit
parameter) or a maximum of 1 MB of data and then applies any\n filtering to the results if a FilterExpression
is provided. If\n LastEvaluatedKey
is present in the response, pagination is required to complete the\n full table scan. For more information, see Paginating the\n Results in the Amazon DynamoDB Developer Guide.
\n Scan
operations proceed sequentially; however, for faster performance on\n a large table or secondary index, applications can request a parallel Scan
\n operation by providing the Segment
and TotalSegments
\n parameters. For more information, see Parallel\n Scan in the Amazon DynamoDB Developer Guide.
By default, a Scan
uses eventually consistent reads when accessing the items in a table. \n Therefore, the results from an eventually consistent Scan
may not include the latest item \n changes at the time the scan iterates through each item in the table. If you require a strongly consistent \n read of each item as the scan iterates through the items in the table, you can set the ConsistentRead
\n parameter to true. Strong consistency only relates to the consistency of the read at the item level.
\n DynamoDB does not provide snapshot isolation for a scan operation when the ConsistentRead
\n parameter is set to true. Thus, a DynamoDB scan operation does not guarantee that all reads in a scan \n see a consistent snapshot of the table when the scan operation was requested.\n
Use ReturnValuesOnConditionCheckFailure
to get the item attributes if the\n Update
condition fails. For\n ReturnValuesOnConditionCheckFailure
, the valid values are: NONE,\n ALL_OLD, UPDATED_OLD, ALL_NEW, UPDATED_NEW.
Use ReturnValuesOnConditionCheckFailure
to get the item attributes if the\n Update
condition fails. For\n ReturnValuesOnConditionCheckFailure
, the valid values are: NONE and\n ALL_OLD.
One or more values that can be substituted in an expression.
\nUse the : (colon) character in an expression to\n dereference an attribute value. For example, suppose that you wanted to check whether\n the value of the ProductStatus
attribute was one of the following:
\n Available | Backordered | Discontinued
\n
You would first need to specify ExpressionAttributeValues
as\n follows:
\n { \":avail\":{\"S\":\"Available\"}, \":back\":{\"S\":\"Backordered\"},\n \":disc\":{\"S\":\"Discontinued\"} }
\n
You could then use these values in an expression, such as this:
\n\n ProductStatus IN (:avail, :back, :disc)
\n
For more information on expression attribute values, see Condition Expressions in the Amazon DynamoDB Developer\n Guide.
" } + }, + "ReturnValuesOnConditionCheckFailure": { + "target": "com.amazonaws.dynamodb#ReturnValuesOnConditionCheckFailure", + "traits": { + "smithy.api#documentation": "An optional parameter that returns the item attributes for an UpdateItem
operation that failed a\n condition check.
There is no additional cost associated with requesting a return value aside from the\n small network and processing overhead of receiving a larger response. No read capacity\n units are consumed.
" + } } }, "traits": { diff --git a/aws/sdk/aws-models/ec2.json b/aws/sdk/aws-models/ec2.json index 4d35d56d54a90ff66504566931f254972243fcae..43911fdd00d76f8515172bb6afbc5b45e77268f1 100644 --- a/aws/sdk/aws-models/ec2.json +++ b/aws/sdk/aws-models/ec2.json @@ -1535,7 +1535,20 @@ "target": "com.amazonaws.ec2#AllocateAddressResult" }, "traits": { - "smithy.api#documentation": "Allocates an Elastic IP address to your Amazon Web Services account. After you allocate the Elastic IP address you can associate \n it with an instance or network interface. After you release an Elastic IP address, it is released to the IP address \n pool and can be allocated to a different Amazon Web Services account.
\nYou can allocate an Elastic IP address from an address pool owned by Amazon Web Services or from an address pool created \n from a public IPv4 address range that you have brought to Amazon Web Services for use with your Amazon Web Services resources using bring your own \n IP addresses (BYOIP). For more information, see Bring Your Own IP Addresses (BYOIP) in the Amazon Elastic Compute Cloud User Guide.
\nIf you release an Elastic IP address, you might be able to recover it. You cannot recover\n an Elastic IP address that you released after it is allocated to another Amazon Web Services account. To attempt to recover an Elastic IP address that you released, specify\n it in this operation.
\nFor more information, see Elastic IP Addresses in the Amazon Elastic Compute Cloud User Guide.
\nYou can allocate a carrier IP address which is a public IP address from a telecommunication carrier, \n to a network interface which resides in a subnet in a Wavelength Zone (for example an EC2 instance).
" + "smithy.api#documentation": "Allocates an Elastic IP address to your Amazon Web Services account. After you allocate the Elastic IP address you can associate \n it with an instance or network interface. After you release an Elastic IP address, it is released to the IP address \n pool and can be allocated to a different Amazon Web Services account.
\nYou can allocate an Elastic IP address from an address pool owned by Amazon Web Services or from an address pool created \n from a public IPv4 address range that you have brought to Amazon Web Services for use with your Amazon Web Services resources using bring your own \n IP addresses (BYOIP). For more information, see Bring Your Own IP Addresses (BYOIP) in the Amazon Elastic Compute Cloud User Guide.
\nIf you release an Elastic IP address, you might be able to recover it. You cannot recover\n an Elastic IP address that you released after it is allocated to another Amazon Web Services account. To attempt to recover an Elastic IP address that you released, specify\n it in this operation.
\nFor more information, see Elastic IP Addresses in the Amazon Elastic Compute Cloud User Guide.
\nYou can allocate a carrier IP address which is a public IP address from a telecommunication carrier, \n to a network interface which resides in a subnet in a Wavelength Zone (for example an EC2 instance).
", + "smithy.api#examples": [ + { + "title": "To allocate an Elastic IP address", + "documentation": "This example allocates an Elastic IP address.", + "output": { + "PublicIp": "203.0.113.0", + "AllocationId": "eipalloc-64d5890a", + "PublicIpv4Pool": "amazon", + "NetworkBorderGroup": "us-east-1", + "Domain": "vpc" + } + } + ] } }, "com.amazonaws.ec2#AllocateAddressRequest": { @@ -1726,8 +1739,7 @@ "aws.protocols#ec2QueryName": "Quantity", "smithy.api#clientOptional": {}, "smithy.api#default": 0, - "smithy.api#documentation": "The number of Dedicated Hosts to allocate to your account with these\n parameters.
", - "smithy.api#required": {}, + "smithy.api#documentation": "The number of Dedicated Hosts to allocate to your account with these parameters. If you are \n allocating the Dedicated Hosts on an Outpost, and you specify AssetIds, \n you can omit this parameter. In this case, Amazon EC2 allocates a Dedicated Host on each \n specified hardware asset. If you specify both AssetIds and \n Quantity, then the value that you specify for \n Quantity must be equal to the number of asset IDs specified.
", "smithy.api#xmlName": "quantity" } }, @@ -1747,7 +1759,7 @@ "OutpostArn": { "target": "com.amazonaws.ec2#String", "traits": { - "smithy.api#documentation": "The Amazon Resource Name (ARN) of the Amazon Web Services Outpost on which to allocate\n the Dedicated Host.
" + "smithy.api#documentation": "The Amazon Resource Name (ARN) of the Amazon Web Services Outpost on which to allocate\n the Dedicated Host. If you specify OutpostArn, you can \n optionally specify AssetIds.
\nIf you are allocating the Dedicated Host in a Region, omit this parameter.
" } }, "HostMaintenance": { @@ -1755,6 +1767,13 @@ "traits": { "smithy.api#documentation": "Indicates whether to enable or disable host maintenance for the Dedicated Host. For\n more information, see Host\n maintenance in the Amazon EC2 User Guide.
" } + }, + "AssetIds": { + "target": "com.amazonaws.ec2#AssetIdList", + "traits": { + "smithy.api#documentation": "The IDs of the Outpost hardware assets on which to allocate the Dedicated Hosts. Targeting \n specific hardware assets on an Outpost can help to minimize latency between your workloads. \n This parameter is supported only if you specify OutpostArn. \n If you are allocating the Dedicated Hosts in a Region, omit this parameter.
\nIf you specify this parameter, you can omit Quantity. \n In this case, Amazon EC2 allocates a Dedicated Host on each specified hardware \n asset.
\nIf you specify both AssetIds and \n Quantity, then the value for \n Quantity must be equal to the number of asset IDs \n specified.
\nAssigns one or more private IPv4 addresses to a private NAT gateway. For more information, see Work with NAT gateways in the Amazon Virtual Private Cloud User Guide.
" + "smithy.api#documentation": "Assigns one or more private IPv4 addresses to a private NAT gateway. For more information, see \n Work with NAT gateways in the Amazon VPC User Guide.
" } }, "com.amazonaws.ec2#AssignPrivateNatGatewayAddressRequest": { @@ -5880,7 +5872,7 @@ "target": "com.amazonaws.ec2#NatGatewayId", "traits": { "smithy.api#clientOptional": {}, - "smithy.api#documentation": "The NAT gateway ID.
", + "smithy.api#documentation": "The ID of the NAT gateway.
", "smithy.api#required": {} } }, @@ -5919,7 +5911,7 @@ "target": "com.amazonaws.ec2#NatGatewayId", "traits": { "aws.protocols#ec2QueryName": "NatGatewayId", - "smithy.api#documentation": "The NAT gateway ID.
", + "smithy.api#documentation": "The ID of the NAT gateway.
", "smithy.api#xmlName": "natGatewayId" } }, @@ -5970,7 +5962,20 @@ "target": "com.amazonaws.ec2#AssociateAddressResult" }, "traits": { - "smithy.api#documentation": "Associates an Elastic IP address, or carrier IP address (for instances that are in\n subnets in Wavelength Zones) with an instance or a network interface. Before you can use an\n Elastic IP address, you must allocate it to your account.
\nIf the Elastic IP address is already\n associated with a different instance, it is disassociated from that instance and associated\n with the specified instance. If you associate an Elastic IP address with an instance that has\n an existing Elastic IP address, the existing address is disassociated from the instance, but\n remains allocated to your account.
\n[Subnets in Wavelength Zones] You can associate an IP address from the telecommunication\n carrier to the instance or network interface.
\nYou cannot associate an Elastic IP address with an interface in a different network border group.
\nThis is an idempotent operation. If you perform the operation more than once, Amazon EC2\n doesn't return an error, and you may be charged for each time the Elastic IP address is\n remapped to the same instance. For more information, see the Elastic IP\n Addresses section of Amazon EC2\n Pricing.
\nAssociates an Elastic IP address, or carrier IP address (for instances that are in\n subnets in Wavelength Zones) with an instance or a network interface. Before you can use an\n Elastic IP address, you must allocate it to your account.
\nIf the Elastic IP address is already\n associated with a different instance, it is disassociated from that instance and associated\n with the specified instance. If you associate an Elastic IP address with an instance that has\n an existing Elastic IP address, the existing address is disassociated from the instance, but\n remains allocated to your account.
\n[Subnets in Wavelength Zones] You can associate an IP address from the telecommunication\n carrier to the instance or network interface.
\nYou cannot associate an Elastic IP address with an interface in a different network border group.
\nThis is an idempotent operation. If you perform the operation more than once, Amazon EC2\n doesn't return an error, and you may be charged for each time the Elastic IP address is\n remapped to the same instance. For more information, see the Elastic IP\n Addresses section of Amazon EC2\n Pricing.
\nAssociates a set of DHCP options (that you've previously created) with the specified VPC, or associates no DHCP options with the VPC.
\nAfter you associate the options with the VPC, any existing instances and all new instances that you launch in that VPC use the options. You don't need to restart or relaunch the instances. They automatically pick up the changes within a few hours, depending on how frequently the instance renews its DHCP lease. You can explicitly renew the lease using the operating system on the instance.
\nFor more information, see DHCP options sets\n in the Amazon Virtual Private Cloud User Guide.
" + "smithy.api#documentation": "Associates a set of DHCP options (that you've previously created) with the specified VPC, or associates no DHCP options with the VPC.
\nAfter you associate the options with the VPC, any existing instances and all new instances that you launch in that VPC use the options. You don't need to restart or relaunch the instances. They automatically pick up the changes within a few hours, depending on how frequently the instance renews its DHCP lease. You can explicitly renew the lease using the operating system on the instance.
\nFor more information, see DHCP options sets\n in the Amazon VPC User Guide.
", + "smithy.api#examples": [ + { + "title": "To associate a DHCP options set with a VPC", + "documentation": "This example associates the specified DHCP options set with the specified VPC.", + "input": { + "DhcpOptionsId": "dopt-d9070ebb", + "VpcId": "vpc-a01106c2" + } + } + ] } }, "com.amazonaws.ec2#AssociateDhcpOptionsRequest": { @@ -6257,7 +6272,30 @@ "target": "com.amazonaws.ec2#AssociateIamInstanceProfileResult" }, "traits": { - "smithy.api#documentation": "Associates an IAM instance profile with a running or stopped instance. You cannot\n associate more than one IAM instance profile with an instance.
" + "smithy.api#documentation": "Associates an IAM instance profile with a running or stopped instance. You cannot\n associate more than one IAM instance profile with an instance.
", + "smithy.api#examples": [ + { + "title": "To associate an IAM instance profile with an instance", + "documentation": "This example associates an IAM instance profile named admin-role with the specified instance.", + "input": { + "IamInstanceProfile": { + "Name": "admin-role" + }, + "InstanceId": "i-123456789abcde123" + }, + "output": { + "IamInstanceProfileAssociation": { + "InstanceId": "i-123456789abcde123", + "State": "associating", + "AssociationId": "iip-assoc-0e7736511a163c209", + "IamInstanceProfile": { + "Id": "AIPAJBLK7RKJKWDXVHIEC", + "Arn": "arn:aws:iam::123456789012:instance-profile/admin-role" + } + } + } + } + ] } }, "com.amazonaws.ec2#AssociateIamInstanceProfileRequest": { @@ -6443,7 +6481,7 @@ "target": "com.amazonaws.ec2#AssociateNatGatewayAddressResult" }, "traits": { - "smithy.api#documentation": "Associates Elastic IP addresses (EIPs) and private IPv4 addresses with a public NAT gateway. For more information, see Work with NAT gateways in the Amazon Virtual Private Cloud User Guide.
\nBy default, you can associate up to 2 Elastic IP addresses per public NAT gateway. You can increase the limit by requesting a quota adjustment. For more information, see Elastic IP address quotas in the Amazon Virtual Private Cloud User Guide.
" + "smithy.api#documentation": "Associates Elastic IP addresses (EIPs) and private IPv4 addresses with a public NAT gateway. For more information, \n see Work with NAT gateways in the Amazon VPC User Guide.
\nBy default, you can associate up to 2 Elastic IP addresses per public NAT gateway. You can increase the limit by requesting a quota adjustment. For more information, see Elastic IP address quotas in the Amazon VPC User Guide.
" } }, "com.amazonaws.ec2#AssociateNatGatewayAddressRequest": { @@ -6453,7 +6491,7 @@ "target": "com.amazonaws.ec2#NatGatewayId", "traits": { "smithy.api#clientOptional": {}, - "smithy.api#documentation": "The NAT gateway ID.
", + "smithy.api#documentation": "The ID of the NAT gateway.
", "smithy.api#required": {} } }, @@ -6493,7 +6531,7 @@ "target": "com.amazonaws.ec2#NatGatewayId", "traits": { "aws.protocols#ec2QueryName": "NatGatewayId", - "smithy.api#documentation": "The NAT gateway ID.
", + "smithy.api#documentation": "The ID of the NAT gateway.
", "smithy.api#xmlName": "natGatewayId" } }, @@ -6519,7 +6557,7 @@ "target": "com.amazonaws.ec2#AssociateRouteTableResult" }, "traits": { - "smithy.api#documentation": "Associates a subnet in your VPC or an internet gateway or virtual private gateway\n attached to your VPC with a route table in your VPC. This association causes traffic\n from the subnet or gateway to be routed according to the routes in the route table. The\n action returns an association ID, which you need in order to disassociate the route\n table later. A route table can be associated with multiple subnets.
\nFor more information, see Route tables in the\n Amazon Virtual Private Cloud User Guide.
" + "smithy.api#documentation": "Associates a subnet in your VPC or an internet gateway or virtual private gateway\n attached to your VPC with a route table in your VPC. This association causes traffic\n from the subnet or gateway to be routed according to the routes in the route table. The\n action returns an association ID, which you need in order to disassociate the route\n table later. A route table can be associated with multiple subnets.
\nFor more information, see Route tables in the\n Amazon VPC User Guide.
" } }, "com.amazonaws.ec2#AssociateRouteTableRequest": { @@ -6940,7 +6978,7 @@ "target": "com.amazonaws.ec2#AssociateVpcCidrBlockResult" }, "traits": { - "smithy.api#documentation": "Associates a CIDR block with your VPC. You can associate a secondary IPv4 CIDR block,\n an Amazon-provided IPv6 CIDR block, or an IPv6 CIDR block from an IPv6 address pool that\n you provisioned through bring your own IP addresses (BYOIP). The IPv6 CIDR block size is fixed\n at /56.
\nYou must specify one of the following in the request: an IPv4 CIDR block, an IPv6\n pool, or an Amazon-provided IPv6 CIDR block.
\nFor more information about associating CIDR blocks with your VPC and applicable\n restrictions, see VPC and subnet sizing in the\n Amazon Virtual Private Cloud User Guide.
" + "smithy.api#documentation": "Associates a CIDR block with your VPC. You can associate a secondary IPv4 CIDR block,\n an Amazon-provided IPv6 CIDR block, or an IPv6 CIDR block from an IPv6 address pool that\n you provisioned through bring your own IP addresses (BYOIP). The IPv6 CIDR block size is fixed\n at /56.
\nYou must specify one of the following in the request: an IPv4 CIDR block, an IPv6\n pool, or an Amazon-provided IPv6 CIDR block.
\nFor more information about associating CIDR blocks with your VPC and applicable\n restrictions, see IP addressing for your VPCs and subnets \n in the Amazon VPC User Guide.
" } }, "com.amazonaws.ec2#AssociateVpcCidrBlockRequest": { @@ -7272,7 +7310,7 @@ "target": "com.amazonaws.ec2#AttachClassicLinkVpcResult" }, "traits": { - "smithy.api#documentation": "We are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nLinks an EC2-Classic instance to a ClassicLink-enabled VPC through one or more of the VPC's\n\t\t\tsecurity groups. You cannot link an EC2-Classic instance to more than one VPC at a time. You\n\t\t\tcan only link an instance that's in the running
state. An instance is\n\t\t\tautomatically unlinked from a VPC when it's stopped - you can link it to the VPC again when\n\t\t\tyou restart it.
After you've linked an instance, you cannot change the VPC security groups that are associated with it. To change the security groups, you must first unlink the instance, and then link it again.
\nLinking your instance to a VPC is sometimes referred to as attaching your instance.
" + "smithy.api#documentation": "This action is deprecated.
\nLinks an EC2-Classic instance to a ClassicLink-enabled VPC through one or more of the VPC\n\t\t\tsecurity groups. You cannot link an EC2-Classic instance to more than one VPC at a time. You\n\t\t\tcan only link an instance that's in the running
state. An instance is\n\t\t\tautomatically unlinked from a VPC when it's stopped - you can link it to the VPC again when\n\t\t\tyou restart it.
After you've linked an instance, you cannot change the VPC security groups that are associated with it. To change the security groups, you must first unlink the instance, and then link it again.
\nLinking your instance to a VPC is sometimes referred to as attaching your instance.
" } }, "com.amazonaws.ec2#AttachClassicLinkVpcRequest": { @@ -7292,7 +7330,7 @@ "target": "com.amazonaws.ec2#GroupIdStringList", "traits": { "smithy.api#clientOptional": {}, - "smithy.api#documentation": "The ID of one or more of the VPC's security groups. You cannot specify security groups from a different VPC.
", + "smithy.api#documentation": "The IDs of the security groups. You cannot specify security groups from a different VPC.
", "smithy.api#required": {}, "smithy.api#xmlName": "SecurityGroupId" } @@ -7302,7 +7340,7 @@ "traits": { "aws.protocols#ec2QueryName": "InstanceId", "smithy.api#clientOptional": {}, - "smithy.api#documentation": "The ID of an EC2-Classic instance to link to the ClassicLink-enabled VPC.
", + "smithy.api#documentation": "The ID of the EC2-Classic instance.
", "smithy.api#required": {}, "smithy.api#xmlName": "instanceId" } @@ -7312,7 +7350,7 @@ "traits": { "aws.protocols#ec2QueryName": "VpcId", "smithy.api#clientOptional": {}, - "smithy.api#documentation": "The ID of a ClassicLink-enabled VPC.
", + "smithy.api#documentation": "The ID of the ClassicLink-enabled VPC.
", "smithy.api#required": {}, "smithy.api#xmlName": "vpcId" } @@ -7349,7 +7387,7 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Attaches an internet gateway or a virtual private gateway to a VPC, enabling connectivity between the internet and\n\t\t\tthe VPC. For more information about your VPC and internet gateway, see the Amazon Virtual Private Cloud User Guide.
" + "smithy.api#documentation": "Attaches an internet gateway or a virtual private gateway to a VPC, enabling connectivity \n\t\t between the internet and the VPC. For more information, see Internet gateways in the \n\t\t Amazon VPC User Guide.
" } }, "com.amazonaws.ec2#AttachInternetGatewayRequest": { @@ -7577,7 +7615,25 @@ "target": "com.amazonaws.ec2#VolumeAttachment" }, "traits": { - "smithy.api#documentation": "Attaches an EBS volume to a running or stopped instance and exposes it to the instance\n with the specified device name.
\nEncrypted EBS volumes must be attached to instances that support Amazon EBS encryption. For\n more information, see Amazon EBS encryption in the Amazon Elastic Compute Cloud User Guide.
\nAfter you attach an EBS volume, you must make it available. For more information, see \n Make an EBS volume available for use.
\nIf a volume has an Amazon Web Services Marketplace product code:
\nThe volume can be attached only to a stopped instance.
\nAmazon Web Services Marketplace product codes are copied from the volume to the instance.
\nYou must be subscribed to the product.
\nThe instance type and operating system of the instance must support the product. For\n example, you can't detach a volume from a Windows instance and attach it to a Linux\n instance.
\nFor more information, see Attach an Amazon EBS volume to an instance in the\n Amazon Elastic Compute Cloud User Guide.
" + "smithy.api#documentation": "Attaches an EBS volume to a running or stopped instance and exposes it to the instance\n with the specified device name.
\nEncrypted EBS volumes must be attached to instances that support Amazon EBS encryption. For\n more information, see Amazon EBS encryption in the Amazon Elastic Compute Cloud User Guide.
\nAfter you attach an EBS volume, you must make it available. For more information, see \n Make an EBS volume available for use.
\nIf a volume has an Amazon Web Services Marketplace product code:
\nThe volume can be attached only to a stopped instance.
\nAmazon Web Services Marketplace product codes are copied from the volume to the instance.
\nYou must be subscribed to the product.
\nThe instance type and operating system of the instance must support the product. For\n example, you can't detach a volume from a Windows instance and attach it to a Linux\n instance.
\nFor more information, see Attach an Amazon EBS volume to an instance in the\n Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#examples": [ + { + "title": "To attach a volume to an instance", + "documentation": "This example attaches a volume (``vol-1234567890abcdef0``) to an instance (``i-01474ef662b89480``) as ``/dev/sdf``.", + "input": { + "VolumeId": "vol-1234567890abcdef0", + "InstanceId": "i-01474ef662b89480", + "Device": "/dev/sdf" + }, + "output": { + "AttachTime": "2016-08-29T18:52:32.724Z", + "InstanceId": "i-01474ef662b89480", + "VolumeId": "vol-1234567890abcdef0", + "State": "attaching", + "Device": "/dev/sdf" + } + } + ] } }, "com.amazonaws.ec2#AttachVolumeRequest": { @@ -7956,7 +8012,7 @@ "target": "com.amazonaws.ec2#AuthorizeSecurityGroupEgressResult" }, "traits": { - "smithy.api#documentation": "[VPC only] Adds the specified outbound (egress) rules to a security group for use with a VPC.
\nAn outbound rule permits instances to send traffic to the specified IPv4 or IPv6 CIDR\n address ranges, or to the instances that are associated with the specified source\n security groups. When specifying an outbound rule for your security group in a VPC, the\n IpPermissions
must include a destination for the traffic.
You specify a protocol for each rule (for example, TCP). \n For the TCP and UDP protocols, you must also specify the destination port or port range. \n For the ICMP protocol, you must also specify the ICMP type and code. \n You can use -1 for the type or code to mean all types or all codes.
\nRule changes are propagated to affected instances as quickly as possible. However, a small delay might occur.
\nFor information about VPC security group quotas, see Amazon VPC quotas.
" + "smithy.api#documentation": "Adds the specified outbound (egress) rules to a security group for use with a VPC.
\nAn outbound rule permits instances to send traffic to the specified IPv4 or IPv6 CIDR\n address ranges, or to the instances that are associated with the specified source\n security groups. When specifying an outbound rule for your security group in a VPC, the\n IpPermissions
must include a destination for the traffic.
You specify a protocol for each rule (for example, TCP). \n For the TCP and UDP protocols, you must also specify the destination port or port range. \n For the ICMP protocol, you must also specify the ICMP type and code. \n You can use -1 for the type or code to mean all types or all codes.
\nRule changes are propagated to affected instances as quickly as possible. However, a small delay might occur.
\nFor information about VPC security group quotas, see Amazon VPC quotas.
" } }, "com.amazonaws.ec2#AuthorizeSecurityGroupEgressRequest": { @@ -8089,7 +8145,30 @@ "target": "com.amazonaws.ec2#AuthorizeSecurityGroupIngressResult" }, "traits": { - "smithy.api#documentation": "Adds the specified inbound (ingress) rules to a security group.
\nAn inbound rule permits instances to receive traffic from the specified IPv4 or IPv6 CIDR\n address range, or from the instances that are associated with the specified destination security \n groups. When specifying an inbound rule for your security group in a VPC, the\n IpPermissions
must include a source for the traffic.
You specify a protocol for each rule (for example, TCP). \n For TCP and UDP, you must also specify the destination port or port range. \n For ICMP/ICMPv6, you must also specify the ICMP/ICMPv6 type and code. \n You can use -1 to mean all types or all codes.
\nRule changes are propagated to instances within the security group as quickly as possible. \n However, a small delay might occur.
\nFor more information about VPC security group quotas, see Amazon VPC quotas.
\nWe are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nAdds the specified inbound (ingress) rules to a security group.
\nAn inbound rule permits instances to receive traffic from the specified IPv4 or IPv6 CIDR\n address range, or from the instances that are associated with the specified destination security \n groups. When specifying an inbound rule for your security group in a VPC, the\n IpPermissions
must include a source for the traffic.
You specify a protocol for each rule (for example, TCP). \n For TCP and UDP, you must also specify the destination port or port range. \n For ICMP/ICMPv6, you must also specify the ICMP/ICMPv6 type and code. \n You can use -1 to mean all types or all codes.
\nRule changes are propagated to instances within the security group as quickly as possible. \n However, a small delay might occur.
\nFor more information about VPC security group quotas, see Amazon VPC quotas.
", + "smithy.api#examples": [ + { + "title": "To add a rule that allows inbound SSH traffic from an IPv4 address range", + "documentation": "This example enables inbound traffic on TCP port 22 (SSH). The rule includes a description to help you identify it later.", + "input": { + "GroupId": "sg-903004f8", + "IpPermissions": [ + { + "IpProtocol": "tcp", + "FromPort": 22, + "ToPort": 22, + "IpRanges": [ + { + "CidrIp": "203.0.113.0/24", + "Description": "SSH access from the LA office" + } + ] + } + ] + }, + "output": {} + } + ] } }, "com.amazonaws.ec2#AuthorizeSecurityGroupIngressRequest": { @@ -8118,7 +8197,7 @@ "GroupName": { "target": "com.amazonaws.ec2#SecurityGroupName", "traits": { - "smithy.api#documentation": "[EC2-Classic, default VPC] The name of the security group. You must specify either the\n security group ID or the security group name in the request. For security groups in a\n nondefault VPC, you must specify the security group ID.
" + "smithy.api#documentation": "[Default VPC] The name of the security group. You must specify either the\n security group ID or the security group name in the request. For security groups in a\n nondefault VPC, you must specify the security group ID.
" } }, "IpPermissions": { @@ -8130,19 +8209,19 @@ "IpProtocol": { "target": "com.amazonaws.ec2#String", "traits": { - "smithy.api#documentation": "The IP protocol name (tcp
, udp
, icmp
) or number\n (see Protocol Numbers). To specify icmpv6
, use a set of IP permissions.
[VPC only] Use -1
to specify all protocols. If you specify -1
or a \n protocol other than tcp
, udp
, or icmp
, traffic on all ports \n is allowed, regardless of any ports you specify.
Alternatively, use a set of IP permissions to specify multiple rules and a description for the rule.
" + "smithy.api#documentation": "The IP protocol name (tcp
, udp
, icmp
) or number\n (see Protocol Numbers). To specify icmpv6
, use a set of IP permissions.
Use -1
to specify all protocols. If you specify -1
or a \n protocol other than tcp
, udp
, or icmp
, traffic on all ports \n is allowed, regardless of any ports you specify.
Alternatively, use a set of IP permissions to specify multiple rules and a description for the rule.
" } }, "SourceSecurityGroupName": { "target": "com.amazonaws.ec2#String", "traits": { - "smithy.api#documentation": "[EC2-Classic, default VPC] The name of the source security group. You can't specify this parameter \n in combination with the following parameters: the CIDR IP address range, the start of the port range, \n the IP protocol, and the end of the port range. Creates rules that grant full ICMP, UDP, and TCP access. \n To create a rule with a specific IP protocol and port range, use a set of IP permissions instead. For \n EC2-VPC, the source security group must be in the same VPC.
" + "smithy.api#documentation": "[Default VPC] The name of the source security group. You can't specify this parameter \n in combination with the following parameters: the CIDR IP address range, the start of the port range, \n the IP protocol, and the end of the port range. Creates rules that grant full ICMP, UDP, and TCP access. \n To create a rule with a specific IP protocol and port range, use a set of IP permissions instead. \n The source security group must be in the same VPC.
" } }, "SourceSecurityGroupOwnerId": { "target": "com.amazonaws.ec2#String", "traits": { - "smithy.api#documentation": "[nondefault VPC] The Amazon Web Services account ID for the source security group, if the source security group is \n in a different account. You can't specify this parameter in combination with the following parameters: \n the CIDR IP address range, the IP protocol, the start of the port range, and the end of the port range. \n Creates rules that grant full ICMP, UDP, and TCP access. To create a rule with a specific IP protocol \n and port range, use a set of IP permissions instead.
" + "smithy.api#documentation": "[Nondefault VPC] The Amazon Web Services account ID for the source security group, if the source security group is \n in a different account. You can't specify this parameter in combination with the following parameters: \n the CIDR IP address range, the IP protocol, the start of the port range, and the end of the port range. \n Creates rules that grant full ICMP, UDP, and TCP access. To create a rule with a specific IP protocol \n and port range, use a set of IP permissions instead.
" } }, "ToPort": { @@ -8351,6 +8430,9 @@ "smithy.api#documentation": "Describes Availability Zones, Local Zones, and Wavelength Zones.
" } }, + "com.amazonaws.ec2#AvailabilityZoneId": { + "type": "string" + }, "com.amazonaws.ec2#AvailabilityZoneList": { "type": "list", "member": { @@ -8510,6 +8592,9 @@ "com.amazonaws.ec2#BareMetalFlag": { "type": "boolean" }, + "com.amazonaws.ec2#BaselineBandwidthInGbps": { + "type": "double" + }, "com.amazonaws.ec2#BaselineBandwidthInMbps": { "type": "integer" }, @@ -10938,7 +11023,7 @@ } }, "traits": { - "smithy.api#documentation": "Describes the ClassicLink DNS support status of a VPC.
" + "smithy.api#documentation": "Deprecated.
\nDescribes the ClassicLink DNS support status of a VPC.
" } }, "com.amazonaws.ec2#ClassicLinkDnsSupportList": { @@ -10957,7 +11042,7 @@ "target": "com.amazonaws.ec2#GroupIdentifierList", "traits": { "aws.protocols#ec2QueryName": "GroupSet", - "smithy.api#documentation": "A list of security groups.
", + "smithy.api#documentation": "The security groups.
", "smithy.api#xmlName": "groupSet" } }, @@ -10987,7 +11072,7 @@ } }, "traits": { - "smithy.api#documentation": "We are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nDescribes a linked EC2-Classic instance.
" + "smithy.api#documentation": "Deprecated.
\nDescribes a linked EC2-Classic instance.
" } }, "com.amazonaws.ec2#ClassicLinkInstanceList": { @@ -12267,7 +12352,20 @@ "target": "com.amazonaws.ec2#ConfirmProductInstanceResult" }, "traits": { - "smithy.api#documentation": "Determines whether a product code is associated with an instance. This action can only\n be used by the owner of the product code. It is useful when a product code owner must\n verify whether another user's instance is eligible for support.
" + "smithy.api#documentation": "Determines whether a product code is associated with an instance. This action can only\n be used by the owner of the product code. It is useful when a product code owner must\n verify whether another user's instance is eligible for support.
", + "smithy.api#examples": [ + { + "title": "To confirm the product instance", + "documentation": "This example determines whether the specified product code is associated with the specified instance.", + "input": { + "ProductCode": "774F4FF8", + "InstanceId": "i-1234567890abcdef0" + }, + "output": { + "OwnerId": "123456789012" + } + } + ] } }, "com.amazonaws.ec2#ConfirmProductInstanceRequest": { @@ -12719,7 +12817,22 @@ "target": "com.amazonaws.ec2#CopyImageResult" }, "traits": { - "smithy.api#documentation": "Initiates the copy of an AMI. You can copy an AMI from one Region to another, or from a\n Region to an Outpost. You can't copy an AMI from an Outpost to a Region, from one Outpost\n to another, or within the same Outpost. To copy an AMI to another partition, see CreateStoreImageTask.
\nTo copy an AMI from one Region to another, specify the source Region using the \n \t\tSourceRegion parameter, and specify the \n \t\tdestination Region using its endpoint. Copies of encrypted backing snapshots for\n \t\tthe AMI are encrypted. Copies of unencrypted backing snapshots remain unencrypted, \n \t\tunless you set Encrypted
during the copy operation. You cannot \n \t\tcreate an unencrypted copy of an encrypted backing snapshot.
To copy an AMI from a Region to an Outpost, specify the source Region using the \n \t\tSourceRegion parameter, and specify the \n \t\tARN of the destination Outpost using DestinationOutpostArn. \n \t\tBacking snapshots copied to an Outpost are encrypted by default using the default\n \t\tencryption key for the Region, or a different key that you specify in the request using \n \t\tKmsKeyId. Outposts do not support unencrypted \n \t\tsnapshots. For more information, \n \t\t\tAmazon EBS local snapshots on Outposts in the Amazon EC2 User Guide.
\nFor more information about the prerequisites and limits when copying an AMI, see Copy an AMI in the\n Amazon EC2 User Guide.
" + "smithy.api#documentation": "Initiates the copy of an AMI. You can copy an AMI from one Region to another, or from a\n Region to an Outpost. You can't copy an AMI from an Outpost to a Region, from one Outpost\n to another, or within the same Outpost. To copy an AMI to another partition, see CreateStoreImageTask.
\nTo copy an AMI from one Region to another, specify the source Region using the \n \t\tSourceRegion parameter, and specify the \n \t\tdestination Region using its endpoint. Copies of encrypted backing snapshots for\n \t\tthe AMI are encrypted. Copies of unencrypted backing snapshots remain unencrypted, \n \t\tunless you set Encrypted
during the copy operation. You cannot \n \t\tcreate an unencrypted copy of an encrypted backing snapshot.
To copy an AMI from a Region to an Outpost, specify the source Region using the \n \t\tSourceRegion parameter, and specify the \n \t\tARN of the destination Outpost using DestinationOutpostArn. \n \t\tBacking snapshots copied to an Outpost are encrypted by default using the default\n \t\tencryption key for the Region, or a different key that you specify in the request using \n \t\tKmsKeyId. Outposts do not support unencrypted \n \t\tsnapshots. For more information, \n \t\t\tAmazon EBS local snapshots on Outposts in the Amazon EC2 User Guide.
\nFor more information about the prerequisites and limits when copying an AMI, see Copy an AMI in the\n Amazon EC2 User Guide.
", + "smithy.api#examples": [ + { + "title": "To copy an AMI to another region", + "documentation": "This example copies the specified AMI from the us-east-1 region to the current region.", + "input": { + "Description": "", + "Name": "My server", + "SourceImageId": "ami-5731123e", + "SourceRegion": "us-east-1" + }, + "output": { + "ImageId": "ami-438bea42" + } + } + ] } }, "com.amazonaws.ec2#CopyImageRequest": { @@ -12835,7 +12948,22 @@ "target": "com.amazonaws.ec2#CopySnapshotResult" }, "traits": { - "smithy.api#documentation": "Copies a point-in-time snapshot of an EBS volume and stores it in Amazon S3. You can copy a\n snapshot within the same Region, from one Region to another, or from a Region to an Outpost. \n You can't copy a snapshot from an Outpost to a Region, from one Outpost to another, or within \n the same Outpost.
\nYou can use the snapshot to create EBS volumes or Amazon Machine Images (AMIs).
\nWhen copying snapshots to a Region, copies of encrypted EBS snapshots remain encrypted. \n \tCopies of unencrypted snapshots remain unencrypted, unless you enable encryption for the \n \tsnapshot copy operation. By default, encrypted snapshot copies use the default Key Management Service (KMS) \n \tKMS key; however, you can specify a different KMS key. To copy an encrypted \n \tsnapshot that has been shared from another account, you must have permissions for the KMS key \n \tused to encrypt the snapshot.
\nSnapshots copied to an Outpost are encrypted by default using the default\n \t\tencryption key for the Region, or a different key that you specify in the request using \n \t\tKmsKeyId. Outposts do not support unencrypted \n \t\tsnapshots. For more information, \n \t\t\tAmazon EBS local snapshots on Outposts in the Amazon Elastic Compute Cloud User Guide.
\nSnapshots created by copying another snapshot have an arbitrary volume ID that should not\n be used for any purpose.
\nFor more information, see Copy an Amazon EBS snapshot in the\n Amazon Elastic Compute Cloud User Guide.
" + "smithy.api#documentation": "Copies a point-in-time snapshot of an EBS volume and stores it in Amazon S3. You can copy a\n snapshot within the same Region, from one Region to another, or from a Region to an Outpost. \n You can't copy a snapshot from an Outpost to a Region, from one Outpost to another, or within \n the same Outpost.
\nYou can use the snapshot to create EBS volumes or Amazon Machine Images (AMIs).
\nWhen copying snapshots to a Region, copies of encrypted EBS snapshots remain encrypted. \n \tCopies of unencrypted snapshots remain unencrypted, unless you enable encryption for the \n \tsnapshot copy operation. By default, encrypted snapshot copies use the default Key Management Service (KMS) \n \tKMS key; however, you can specify a different KMS key. To copy an encrypted \n \tsnapshot that has been shared from another account, you must have permissions for the KMS key \n \tused to encrypt the snapshot.
\nSnapshots copied to an Outpost are encrypted by default using the default\n \t\tencryption key for the Region, or a different key that you specify in the request using \n \t\tKmsKeyId. Outposts do not support unencrypted \n \t\tsnapshots. For more information, \n \t\t\tAmazon EBS local snapshots on Outposts in the Amazon Elastic Compute Cloud User Guide.
\nSnapshots created by copying another snapshot have an arbitrary volume ID that should not\n be used for any purpose.
\nFor more information, see Copy an Amazon EBS snapshot in the\n Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#examples": [ + { + "title": "To copy a snapshot", + "documentation": "This example copies a snapshot with the snapshot ID of ``snap-066877671789bd71b`` from the ``us-west-2`` region to the ``us-east-1`` region and adds a short description to identify the snapshot.", + "input": { + "SourceRegion": "us-west-2", + "SourceSnapshotId": "snap-066877671789bd71b", + "Description": "This is my copied snapshot.", + "DestinationRegion": "us-east-1" + }, + "output": { + "SnapshotId": "snap-066877671789bd71b" + } + } + ] } }, "com.amazonaws.ec2#CopySnapshotRequest": { @@ -13040,7 +13168,7 @@ "target": "com.amazonaws.ec2#AmdSevSnpSpecification", "traits": { "aws.protocols#ec2QueryName": "AmdSevSnp", - "smithy.api#documentation": "Indicates whether the instance is enabled for AMD SEV-SNP.
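Review bot: The added CopySnapshot example returns the identifier it was given: `"SourceSnapshotId": "snap-066877671789bd71b"` in `input` and `"SnapshotId": "snap-066877671789bd71b"` in `output`. A copy is a new snapshot, so a reader, or any test generated from this example, would take the result to be the source snapshot. Use a distinct sample value in `output`, e.g. `"SnapshotId": "snap-EXAMPLE-COPY-ID"` (constructed placeholder). The example also omits `Encrypted` and `KmsKeyId`, and the documentation text in this hunk says copies of unencrypted snapshots stay unencrypted unless encryption is enabled, so a sentence in the example's `documentation` noting that would help.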
", + "smithy.api#documentation": "Indicates whether the instance is enabled for AMD SEV-SNP. For more information, see \n AMD SEV-SNP.
", "smithy.api#xmlName": "amdSevSnp" } } @@ -13071,7 +13199,7 @@ "AmdSevSnp": { "target": "com.amazonaws.ec2#AmdSevSnpSpecification", "traits": { - "smithy.api#documentation": "Indicates whether to enable the instance for AMD SEV-SNP. AMD SEV-SNP is supported \n with M6a, R6a, and C6a instance types only.
" + "smithy.api#documentation": "Indicates whether to enable the instance for AMD SEV-SNP. AMD SEV-SNP is supported \n with M6a, R6a, and C6a instance types only. For more information, see \n AMD SEV-SNP.
" } } }, @@ -13301,13 +13429,13 @@ } }, "AvailabilityZone": { - "target": "com.amazonaws.ec2#String", + "target": "com.amazonaws.ec2#AvailabilityZoneName", "traits": { "smithy.api#documentation": "The Availability Zone in which to create the Capacity Reservation.
" } }, "AvailabilityZoneId": { - "target": "com.amazonaws.ec2#String", + "target": "com.amazonaws.ec2#AvailabilityZoneId", "traits": { "smithy.api#documentation": "The ID of the Availability Zone in which to create the Capacity Reservation.
" } @@ -13863,7 +13991,27 @@ "target": "com.amazonaws.ec2#CreateCustomerGatewayResult" }, "traits": { - "smithy.api#documentation": "Provides information to Amazon Web Services about your customer gateway device. The\n customer gateway device is the appliance at your end of the VPN connection. You\n must provide the IP address of the customer gateway device’s external\n interface. The IP address must be static and can be behind a device performing network\n address translation (NAT).
\nFor devices that use Border Gateway Protocol (BGP), you can also provide the device's\n BGP Autonomous System Number (ASN). You can use an existing ASN assigned to your network.\n If you don't have an ASN already, you can use a private ASN. For more information, see \n Customer gateway \n options for your Site-to-Site VPN connection in the Amazon Web Services Site-to-Site VPN User Guide.
\nTo create more than one customer gateway with the same VPN type, IP address, and\n BGP ASN, specify a unique device name for each customer gateway. An identical request\n returns information about the existing customer gateway; it doesn't create a new customer\n gateway.
" + "smithy.api#documentation": "Provides information to Amazon Web Services about your customer gateway device. The\n customer gateway device is the appliance at your end of the VPN connection. You\n must provide the IP address of the customer gateway device’s external\n interface. The IP address must be static and can be behind a device performing network\n address translation (NAT).
\nFor devices that use Border Gateway Protocol (BGP), you can also provide the device's\n BGP Autonomous System Number (ASN). You can use an existing ASN assigned to your network.\n If you don't have an ASN already, you can use a private ASN. For more information, see \n Customer gateway \n options for your Site-to-Site VPN connection in the Amazon Web Services Site-to-Site VPN User Guide.
\nTo create more than one customer gateway with the same VPN type, IP address, and\n BGP ASN, specify a unique device name for each customer gateway. An identical request\n returns information about the existing customer gateway; it doesn't create a new customer\n gateway.
", + "smithy.api#examples": [ + { + "title": "To create a customer gateway", + "documentation": "This example creates a customer gateway with the specified IP address for its outside interface.", + "input": { + "Type": "ipsec.1", + "PublicIp": "12.1.2.3", + "BgpAsn": 65534 + }, + "output": { + "CustomerGateway": { + "CustomerGatewayId": "cgw-0e11f167", + "IpAddress": "12.1.2.3", + "State": "available", + "Type": "ipsec.1", + "BgpAsn": "65534" + } + } + } + ] } }, "com.amazonaws.ec2#CreateCustomerGatewayRequest": { @@ -13958,7 +14106,7 @@ "target": "com.amazonaws.ec2#CreateDefaultSubnetResult" }, "traits": { - "smithy.api#documentation": "Creates a default subnet with a size /20
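Review bot: The CreateCustomerGateway example uses `12.1.2.3` for `PublicIp` and `IpAddress`, a publicly routable address outside the ranges reserved for documentation. Example values get pasted into real VPN configurations, so an RFC 5737 address is safer, e.g. `"PublicIp": "203.0.113.12"` with the same value in `output`. The example also gives `BgpAsn` as the number `65534` in `input` and the string `"65534"` in `output`. If that mirrors the request and result shapes, say so in the example's `documentation`; otherwise align the two.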
IPv4 CIDR block in the\n specified Availability Zone in your default VPC. You can have only one default subnet\n per Availability Zone. For more information, see Creating a default\n subnet in the Amazon Virtual Private Cloud User Guide.
Creates a default subnet with a size /20
IPv4 CIDR block in the\n specified Availability Zone in your default VPC. You can have only one default subnet\n per Availability Zone. For more information, see Create a default\n subnet in the Amazon VPC User Guide.
Creates a default VPC with a size /16
IPv4 CIDR block and a default subnet\n\t\t\tin each Availability Zone. For more information about the components of a default VPC,\n\t\t\tsee Default VPC and\n\t\t\tdefault subnets in the Amazon Virtual Private Cloud User Guide. You cannot\n\t\t\tspecify the components of the default VPC yourself.
If you deleted your previous default VPC, you can create a default VPC. You cannot have\n\t\t\tmore than one default VPC per Region.
\nIf your account supports EC2-Classic, you cannot use this action to create a default VPC\n\t\t\tin a Region that supports EC2-Classic. If you want a default VPC in a Region that\n\t\t\tsupports EC2-Classic, see \"I really want a default VPC for my existing EC2 account. Is\n\t\t\tthat possible?\" in the Default VPCs\n\t\t\tFAQ.
\nWe are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nCreates a default VPC with a size /16
IPv4 CIDR block and a default subnet\n\t\t\tin each Availability Zone. For more information about the components of a default VPC,\n\t\t\tsee Default VPCs \n\t\t in the Amazon VPC User Guide. You cannot specify the components of the \n\t\t default VPC yourself.
If you deleted your previous default VPC, you can create a default VPC. You cannot have\n\t\t\tmore than one default VPC per Region.
" } }, "com.amazonaws.ec2#CreateDefaultVpcRequest": { @@ -14062,7 +14210,42 @@ "target": "com.amazonaws.ec2#CreateDhcpOptionsResult" }, "traits": { - "smithy.api#documentation": "Creates a set of DHCP options for your VPC. After creating the set, you must\n\t\t\t\tassociate it with the VPC, causing all existing and new instances that you launch in\n\t\t\t\tthe VPC to use this set of DHCP options. The following are the individual DHCP\n\t\t\t\toptions you can specify. For more information about the options, see RFC 2132.
\n\n domain-name-servers
- The IP addresses of up to four domain name\n servers, or AmazonProvidedDNS. The default DHCP option set specifies\n AmazonProvidedDNS. If specifying more than one domain name server, specify the\n IP addresses in a single parameter, separated by commas. To have your instance\n receive a custom DNS hostname as specified in domain-name
, you must\n set domain-name-servers
to a custom DNS server.
\n domain-name
- If you're using AmazonProvidedDNS in\n us-east-1
, specify ec2.internal
. If you're using\n AmazonProvidedDNS in another Region, specify\n region.compute.internal
(for example,\n ap-northeast-1.compute.internal
). Otherwise, specify a domain\n name (for example, ExampleCompany.com
). This value is used to complete\n unqualified DNS hostnames. Important: Some\n Linux operating systems accept multiple domain names separated by spaces.\n However, Windows and other Linux operating systems treat the value as a single\n domain, which results in unexpected behavior. If your DHCP options set is\n associated with a VPC that has instances with multiple operating systems,\n specify only one domain name.
\n ntp-servers
- The IP addresses of up to four Network Time Protocol (NTP)\n servers.
\n netbios-name-servers
- The IP addresses of up to four NetBIOS name\n servers.
\n netbios-node-type
- The NetBIOS node type (1, 2, 4, or 8). We recommend that\n you specify 2 (broadcast and multicast are not currently supported). For more information\n about these node types, see RFC 2132.
Your VPC automatically starts out with a set of DHCP options that includes only a DNS\n\t\t\tserver that we provide (AmazonProvidedDNS). If you create a set of options, and if your\n\t\t\tVPC has an internet gateway, make sure to set the domain-name-servers
\n\t\t\toption either to AmazonProvidedDNS
or to a domain name server of your\n\t\t\tchoice. For more information, see DHCP options sets in the\n\t\t\tAmazon Virtual Private Cloud User Guide.
Creates a set of DHCP options for your VPC. After creating the set, you must\n\t\t\t\tassociate it with the VPC, causing all existing and new instances that you launch in\n\t\t\t\tthe VPC to use this set of DHCP options. The following are the individual DHCP\n\t\t\t\toptions you can specify. For more information about the options, see RFC 2132.
\n\n domain-name-servers
- The IP addresses of up to four domain name\n servers, or AmazonProvidedDNS. The default DHCP option set specifies\n AmazonProvidedDNS. If specifying more than one domain name server, specify the\n IP addresses in a single parameter, separated by commas. To have your instance\n receive a custom DNS hostname as specified in domain-name
, you must\n set domain-name-servers
to a custom DNS server.
\n domain-name
- If you're using AmazonProvidedDNS in\n us-east-1
, specify ec2.internal
. If you're using\n AmazonProvidedDNS in another Region, specify\n region.compute.internal
(for example,\n ap-northeast-1.compute.internal
). Otherwise, specify a domain\n name (for example, ExampleCompany.com
). This value is used to complete\n unqualified DNS hostnames. Important: Some\n Linux operating systems accept multiple domain names separated by spaces.\n However, Windows and other Linux operating systems treat the value as a single\n domain, which results in unexpected behavior. If your DHCP options set is\n associated with a VPC that has instances with multiple operating systems,\n specify only one domain name.
\n ntp-servers
- The IP addresses of up to four Network Time Protocol (NTP)\n servers.
\n netbios-name-servers
- The IP addresses of up to four NetBIOS name\n servers.
\n netbios-node-type
- The NetBIOS node type (1, 2, 4, or 8). We recommend that\n you specify 2 (broadcast and multicast are not currently supported). For more information\n about these node types, see RFC 2132.
Your VPC automatically starts out with a set of DHCP options that includes only a DNS\n\t\t\tserver that we provide (AmazonProvidedDNS). If you create a set of options, and if your\n\t\t\tVPC has an internet gateway, make sure to set the domain-name-servers
\n\t\t\toption either to AmazonProvidedDNS
or to a domain name server of your\n\t\t\tchoice. For more information, see DHCP options sets in the\n\t\t\tAmazon VPC User Guide.
Launches an EC2 Fleet.
\nYou can create a single EC2 Fleet that includes multiple launch specifications that vary by\n instance type, AMI, Availability Zone, or subnet.
\nFor more information, see EC2 Fleet in the Amazon EC2 User Guide.
" + "smithy.api#documentation": "Creates an EC2 Fleet that contains the configuration information for On-Demand Instances and Spot Instances.\n Instances are launched immediately if there is available capacity.
\nA single EC2 Fleet can include multiple launch specifications that vary by instance type,\n AMI, Availability Zone, or subnet.
\nFor more information, see EC2 Fleet in the Amazon EC2 User Guide.
" } }, "com.amazonaws.ec2#CreateFleetError": { @@ -14527,7 +14710,7 @@ "LogFormat": { "target": "com.amazonaws.ec2#String", "traits": { - "smithy.api#documentation": "The fields to include in the flow log record. List the fields in the order in which\n they should appear. If you omit this parameter, the flow log is created using the\n default format. If you specify this parameter, you must include at least one\n field. For more information about the available fields, see Flow log\n records in the Amazon VPC User Guide or Transit Gateway Flow Log\n records in the Amazon Web Services Transit Gateway Guide.
\nSpecify the fields using the ${field-id}
format, separated by spaces. For\n the CLI, surround this parameter value with single quotes on Linux or\n double quotes on Windows.
The fields to include in the flow log record. List the fields in the order in which\n they should appear. If you omit this parameter, the flow log is created using the\n default format. If you specify this parameter, you must include at least one\n field. For more information about the available fields, see Flow log\n records in the Amazon VPC User Guide or Transit Gateway Flow Log\n records in the Amazon Web Services Transit Gateway Guide.
\nSpecify the fields using the ${field-id}
format, separated by spaces.
Creates an Amazon EBS-backed AMI from an Amazon EBS-backed instance \n \tthat is either running or stopped.
\nBy default, when Amazon EC2 creates the new AMI, it reboots the instance so that it can \n\t\t\t\t\ttake snapshots of the attached volumes while data is at rest, in order to ensure a consistent \n\t\t\t\t\tstate. You can set the NoReboot
parameter to true
in the API request, \n\t\t\t\t\tor use the --no-reboot
option in the CLI to prevent Amazon EC2 from shutting down and \n\t\t\t\t\trebooting the instance.
If you choose to bypass the shutdown and reboot process by setting the NoReboot
\n\t\t\t\t\tparameter to true
in the API request, or by using the --no-reboot
option \n\t\t\t\t\tin the CLI, we can't guarantee the file system integrity of the created image.
If you customized your instance with instance store volumes or Amazon EBS volumes in addition to the root device volume, the \n \tnew AMI contains block device mapping information for those volumes. When you launch an instance from this new AMI, \n \tthe instance automatically launches with those additional volumes.
\nFor more information, see Create an Amazon EBS-backed Linux\n AMI in the Amazon Elastic Compute Cloud User Guide.
" + "smithy.api#documentation": "Creates an Amazon EBS-backed AMI from an Amazon EBS-backed instance \n \tthat is either running or stopped.
\nIf you customized your instance with instance store volumes or Amazon EBS volumes in addition to the root device volume, the \n \tnew AMI contains block device mapping information for those volumes. When you launch an instance from this new AMI, \n \tthe instance automatically launches with those additional volumes.
\nFor more information, see Create an Amazon EBS-backed Linux\n AMI in the Amazon Elastic Compute Cloud User Guide.
" } }, "com.amazonaws.ec2#CreateImageRequest": { @@ -14746,7 +14929,7 @@ "aws.protocols#ec2QueryName": "NoReboot", "smithy.api#clientOptional": {}, "smithy.api#default": false, - "smithy.api#documentation": "By default, when Amazon EC2 creates the new AMI, it reboots the instance so that it can \n\t\t\t\t\ttake snapshots of the attached volumes while data is at rest, in order to ensure a consistent \n\t\t\t\t\tstate. You can set the NoReboot
parameter to true
in the API request, \n\t\t\t\t\tor use the --no-reboot
option in the CLI to prevent Amazon EC2 from shutting down and \n\t\t\t\t\trebooting the instance.
If you choose to bypass the shutdown and reboot process by setting the NoReboot
\n\t\t\t\t\tparameter to true
in the API request, or by using the --no-reboot
option \n\t\t\t\t\tin the CLI, we can't guarantee the file system integrity of the created image.
Default: false
(follow standard reboot process)
Indicates whether or not the instance should be automatically rebooted before creating \n the image. Specify one of the following values:
\n\n true
- The instance is not rebooted before creating the image. This \n creates crash-consistent snapshots that include only the data that has been written \n to the volumes at the time the snapshots are created. Buffered data and data in \n memory that has not yet been written to the volumes is not included in the snapshots.
\n false
- The instance is rebooted before creating the image. This \n ensures that all buffered data and data in memory is written to the volumes before the \n snapshots are created.
Default: false
\n
Creates an EC2 Instance Connect Endpoint.
\nAn EC2 Instance Connect Endpoint allows you to connect to a resource, without\n requiring the resource to have a public IPv4 address. For more information, see Connect to your resources without requiring a public IPv4 address using EC2\n Instance Connect Endpoint in the Amazon EC2 User\n Guide.
" + "smithy.api#documentation": "Creates an EC2 Instance Connect Endpoint.
\nAn EC2 Instance Connect Endpoint allows you to connect to an instance, without\n requiring the instance to have a public IPv4 address. For more information, see Connect to your instances without requiring a public IPv4 address using EC2\n Instance Connect Endpoint in the Amazon EC2 User\n Guide.
" } }, "com.amazonaws.ec2#CreateInstanceConnectEndpointRequest": { @@ -14946,7 +15129,7 @@ "target": "com.amazonaws.ec2#CreateInstanceExportTaskResult" }, "traits": { - "smithy.api#documentation": "Exports a running or stopped instance to an Amazon S3 bucket.
\nFor information about the supported operating systems, image formats, and known limitations\n for the types of instances you can export, see Exporting an instance as a VM Using VM Import/Export\n in the VM Import/Export User Guide.
" + "smithy.api#documentation": "Exports a running or stopped instance to an Amazon S3 bucket.
\nFor information about the prerequisites for your Amazon S3 bucket, supported operating systems,\n image formats, and known limitations for the types of instances you can export, see Exporting an instance as a VM Using VM\n Import/Export in the VM Import/Export User Guide.
" } }, "com.amazonaws.ec2#CreateInstanceExportTaskRequest": { @@ -15027,7 +15210,20 @@ "target": "com.amazonaws.ec2#CreateInternetGatewayResult" }, "traits": { - "smithy.api#documentation": "Creates an internet gateway for use with a VPC. After creating the internet gateway,\n\t\t\tyou attach it to a VPC using AttachInternetGateway.
\nFor more information about your VPC and internet gateway, see the Amazon Virtual Private Cloud User Guide.
" + "smithy.api#documentation": "Creates an internet gateway for use with a VPC. After creating the internet gateway,\n\t\t\tyou attach it to a VPC using AttachInternetGateway.
\nFor more information, see Internet gateways in the \n Amazon VPC User Guide.
", + "smithy.api#examples": [ + { + "title": "To create an Internet gateway", + "documentation": "This example creates an Internet gateway.", + "output": { + "InternetGateway": { + "Tags": [], + "InternetGatewayId": "igw-c0a643a9", + "Attachments": [] + } + } + } + ] } }, "com.amazonaws.ec2#CreateInternetGatewayRequest": { @@ -15445,7 +15641,16 @@ "target": "com.amazonaws.ec2#KeyPair" }, "traits": { - "smithy.api#documentation": "Creates an ED25519 or 2048-bit RSA key pair with the specified name and in the\n specified PEM or PPK format. Amazon EC2 stores the public key and displays the private\n key for you to save to a file. The private key is returned as an unencrypted PEM encoded\n PKCS#1 private key or an unencrypted PPK formatted private key for use with PuTTY. If a\n key with the specified name already exists, Amazon EC2 returns an error.
\nThe key pair returned to you is available only in the Amazon Web Services Region in which you create it.\n If you prefer, you can create your own key pair using a third-party tool and upload it\n to any Region using ImportKeyPair.
\nYou can have up to 5,000 key pairs per Amazon Web Services Region.
\nFor more information, see Amazon EC2 key pairs in the\n Amazon Elastic Compute Cloud User Guide.
" + "smithy.api#documentation": "Creates an ED25519 or 2048-bit RSA key pair with the specified name and in the\n specified PEM or PPK format. Amazon EC2 stores the public key and displays the private\n key for you to save to a file. The private key is returned as an unencrypted PEM encoded\n PKCS#1 private key or an unencrypted PPK formatted private key for use with PuTTY. If a\n key with the specified name already exists, Amazon EC2 returns an error.
\nThe key pair returned to you is available only in the Amazon Web Services Region in which you create it.\n If you prefer, you can create your own key pair using a third-party tool and upload it\n to any Region using ImportKeyPair.
\nYou can have up to 5,000 key pairs per Amazon Web Services Region.
\nFor more information, see Amazon EC2 key pairs in the\n Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#examples": [ + { + "title": "To create a key pair", + "documentation": "This example creates a key pair named my-key-pair.", + "input": { + "KeyName": "my-key-pair" + } + } + ] } }, "com.amazonaws.ec2#CreateKeyPairRequest": { @@ -15502,7 +15707,50 @@ "target": "com.amazonaws.ec2#CreateLaunchTemplateResult" }, "traits": { - "smithy.api#documentation": "Creates a launch template.
\nA launch template contains the parameters to launch an instance. When you launch an\n instance using RunInstances, you can specify a launch template instead\n of providing the launch parameters in the request. For more information, see Launch\n an instance from a launch template in the\n Amazon Elastic Compute Cloud User Guide.
\nIf you want to clone an existing launch template as the basis for creating a new\n launch template, you can use the Amazon EC2 console. The API, SDKs, and CLI do not support\n cloning a template. For more information, see Create a launch template from an existing launch template in the\n Amazon Elastic Compute Cloud User Guide.
" + "smithy.api#documentation": "Creates a launch template.
\nA launch template contains the parameters to launch an instance. When you launch an\n instance using RunInstances, you can specify a launch template instead\n of providing the launch parameters in the request. For more information, see Launch\n an instance from a launch template in the\n Amazon Elastic Compute Cloud User Guide.
\nIf you want to clone an existing launch template as the basis for creating a new\n launch template, you can use the Amazon EC2 console. The API, SDKs, and CLI do not support\n cloning a template. For more information, see Create a launch template from an existing launch template in the\n Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#examples": [ + { + "title": "To create a launch template", + "documentation": "This example creates a launch template that specifies the subnet in which to launch the instance, assigns a public IP address and an IPv6 address to the instance, and creates a tag for the instance.", + "input": { + "LaunchTemplateName": "my-template", + "VersionDescription": "WebVersion1", + "LaunchTemplateData": { + "NetworkInterfaces": [ + { + "AssociatePublicIpAddress": true, + "DeviceIndex": 0, + "Ipv6AddressCount": 1, + "SubnetId": "subnet-7b16de0c" + } + ], + "ImageId": "ami-8c1be5f6", + "InstanceType": "t2.small", + "TagSpecifications": [ + { + "ResourceType": "instance", + "Tags": [ + { + "Key": "Name", + "Value": "webserver" + } + ] + } + ] + } + }, + "output": { + "LaunchTemplate": { + "LatestVersionNumber": 1, + "LaunchTemplateId": "lt-01238c059e3466abc", + "LaunchTemplateName": "my-template", + "DefaultVersionNumber": 1, + "CreatedBy": "arn:aws:iam::123456789012:root", + "CreateTime": "2017-11-27T09:13:24.000Z" + } + } + } + ] } }, "com.amazonaws.ec2#CreateLaunchTemplateRequest": { @@ -15589,7 +15837,48 @@ "target": "com.amazonaws.ec2#CreateLaunchTemplateVersionResult" }, "traits": { - "smithy.api#documentation": "Creates a new version of a launch template. You can specify an existing version of\n launch template from which to base the new version.
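Review bot: The CreateLaunchTemplate example output shows `"CreatedBy": "arn:aws:iam::123456789012:root"`, i.e. the account root user creating the template, and the CreateLaunchTemplateVersion example in the next hunk does the same. Sample output is read as a model of normal use, so an IAM user or role principal illustrates it better, e.g. `"CreatedBy": "arn:aws:iam::123456789012:user/example-user"` (constructed value). Both examples also set `"AssociatePublicIpAddress": true`. The first example's `documentation` mentions the public address, but the second does not, so a short mention there would keep the exposure explicit.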
\nLaunch template versions are numbered in the order in which they are created. You\n cannot specify, change, or replace the numbering of launch template versions.
\nLaunch templates are immutable; after you create a launch template, you can't modify\n it. Instead, you can create a new version of the launch template that includes any\n changes you require.
\nFor more information, see Modify a launch template (manage launch template versions) in the\n Amazon Elastic Compute Cloud User Guide.
" + "smithy.api#documentation": "Creates a new version of a launch template. You can specify an existing version of\n launch template from which to base the new version.
\nLaunch template versions are numbered in the order in which they are created. You\n cannot specify, change, or replace the numbering of launch template versions.
\nLaunch templates are immutable; after you create a launch template, you can't modify\n it. Instead, you can create a new version of the launch template that includes any\n changes you require.
\nFor more information, see Modify a launch template (manage launch template versions) in the\n Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#examples": [ + { + "title": "To create a launch template version", + "documentation": "This example creates a new launch template version based on version 1 of the specified launch template and specifies a different AMI ID.", + "input": { + "LaunchTemplateId": "lt-0abcd290751193123", + "SourceVersion": "1", + "VersionDescription": "WebVersion2", + "LaunchTemplateData": { + "ImageId": "ami-c998b6b2" + } + }, + "output": { + "LaunchTemplateVersion": { + "VersionDescription": "WebVersion2", + "LaunchTemplateId": "lt-0abcd290751193123", + "LaunchTemplateName": "my-template", + "VersionNumber": 2, + "CreatedBy": "arn:aws:iam::123456789012:root", + "LaunchTemplateData": { + "ImageId": "ami-c998b6b2", + "InstanceType": "t2.micro", + "NetworkInterfaces": [ + { + "Ipv6Addresses": [ + { + "Ipv6Address": "2001:db8:1234:1a00::123" + } + ], + "DeviceIndex": 0, + "SubnetId": "subnet-7b16de0c", + "AssociatePublicIpAddress": true + } + ] + }, + "DefaultVersion": false, + "CreateTime": "2017-12-01T13:35:46.000Z" + } + } + } + ] } }, "com.amazonaws.ec2#CreateLaunchTemplateVersionRequest": { @@ -16052,7 +16341,31 @@ "target": "com.amazonaws.ec2#CreateNatGatewayResult" }, "traits": { - "smithy.api#documentation": "Creates a NAT gateway in the specified subnet. This action creates a network interface\n in the specified subnet with a private IP address from the IP address range of the\n subnet. You can create either a public NAT gateway or a private NAT gateway.
\nWith a public NAT gateway, internet-bound traffic from a private subnet can be routed\n to the NAT gateway, so that instances in a private subnet can connect to the internet.
\nWith a private NAT gateway, private communication is routed across VPCs and on-premises\n networks through a transit gateway or virtual private gateway. Common use cases include\n running large workloads behind a small pool of allowlisted IPv4 addresses, preserving\n private IPv4 addresses, and communicating between overlapping networks.
\nFor more information, see NAT gateways in the Amazon Virtual Private Cloud User Guide.
" + "smithy.api#documentation": "Creates a NAT gateway in the specified subnet. This action creates a network interface\n in the specified subnet with a private IP address from the IP address range of the\n subnet. You can create either a public NAT gateway or a private NAT gateway.
\nWith a public NAT gateway, internet-bound traffic from a private subnet can be routed\n to the NAT gateway, so that instances in a private subnet can connect to the internet.
\nWith a private NAT gateway, private communication is routed across VPCs and on-premises\n networks through a transit gateway or virtual private gateway. Common use cases include\n running large workloads behind a small pool of allowlisted IPv4 addresses, preserving\n private IPv4 addresses, and communicating between overlapping networks.
\nFor more information, see NAT gateways in the Amazon VPC User Guide.
", + "smithy.api#examples": [ + { + "title": "To create a NAT gateway", + "documentation": "This example creates a NAT gateway in subnet subnet-1a2b3c4d and associates an Elastic IP address with the allocation ID eipalloc-37fc1a52 with the NAT gateway.", + "input": { + "SubnetId": "subnet-1a2b3c4d", + "AllocationId": "eipalloc-37fc1a52" + }, + "output": { + "NatGateway": { + "NatGatewayAddresses": [ + { + "AllocationId": "eipalloc-37fc1a52" + } + ], + "VpcId": "vpc-1122aabb", + "State": "pending", + "NatGatewayId": "nat-08d48af2a8e83edfd", + "SubnetId": "subnet-1a2b3c4d", + "CreateTime": "2015-12-17T12:45:26.732Z" + } + } + } + ] } }, "com.amazonaws.ec2#CreateNatGatewayRequest": { @@ -16109,14 +16422,14 @@ "SecondaryAllocationIds": { "target": "com.amazonaws.ec2#AllocationIdList", "traits": { - "smithy.api#documentation": "Secondary EIP allocation IDs. For more information about secondary addresses, see Create a NAT gateway in the Amazon Virtual Private Cloud User Guide.
", + "smithy.api#documentation": "Secondary EIP allocation IDs. For more information, see Create a NAT gateway \n in the Amazon VPC User Guide.
", "smithy.api#xmlName": "SecondaryAllocationId" } }, "SecondaryPrivateIpAddresses": { "target": "com.amazonaws.ec2#IpList", "traits": { - "smithy.api#documentation": "Secondary private IPv4 addresses. For more information about secondary addresses, see Create a NAT gateway in the Amazon Virtual Private Cloud User Guide.
", + "smithy.api#documentation": "Secondary private IPv4 addresses. For more information about secondary addresses, see Create a NAT gateway in the Amazon VPC User Guide.
", "smithy.api#xmlName": "SecondaryPrivateIpAddress" } }, @@ -16125,7 +16438,7 @@ "traits": { "smithy.api#clientOptional": {}, "smithy.api#default": 0, - "smithy.api#documentation": "[Private NAT gateway only] The number of secondary private IPv4 addresses you want to assign to the NAT gateway. For more information about secondary addresses, see Create a NAT gateway in the Amazon Virtual Private Cloud User Guide.
" + "smithy.api#documentation": "[Private NAT gateway only] The number of secondary private IPv4 addresses you want to assign to the NAT gateway. \n For more information about secondary addresses, see Create a NAT gateway \n in the Amazon VPC User Guide.
" } } }, @@ -16166,7 +16479,7 @@ "target": "com.amazonaws.ec2#CreateNetworkAclResult" }, "traits": { - "smithy.api#documentation": "Creates a network ACL in a VPC. Network ACLs provide an optional layer of security (in addition to security groups) for the instances in your VPC.
\nFor more information, see Network ACLs in the\n\t\t\t\tAmazon Virtual Private Cloud User Guide.
" + "smithy.api#documentation": "Creates a network ACL in a VPC. Network ACLs provide an optional layer of security (in addition to security groups) for the instances in your VPC.
\nFor more information, see Network ACLs in the\n\t\t\t\tAmazon VPC User Guide.
" } }, "com.amazonaws.ec2#CreateNetworkAclEntry": { @@ -16178,7 +16491,7 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Creates an entry (a rule) in a network ACL with the specified rule number. Each network ACL has a set of numbered ingress rules \n\t\t and a separate set of numbered egress rules. When determining whether a packet should be allowed in or out of a subnet associated \n\t\t with the ACL, we process the entries in the ACL according to the rule numbers, in ascending order. Each network ACL has a set of \n\t\t ingress rules and a separate set of egress rules.
\nWe recommend that you leave room between the rule numbers (for example, 100, 110, 120, ...), and not number them one right after the \n\t\t other (for example, 101, 102, 103, ...). This makes it easier to add a rule between existing ones without having to renumber the rules.
\nAfter you add an entry, you can't modify it; you must either replace it, or create an entry and delete the old one.
\nFor more information about network ACLs, see Network ACLs in the Amazon Virtual Private Cloud User Guide.
" + "smithy.api#documentation": "Creates an entry (a rule) in a network ACL with the specified rule number. Each network ACL has a set of numbered ingress rules \n\t\t and a separate set of numbered egress rules. When determining whether a packet should be allowed in or out of a subnet associated \n\t\t with the ACL, we process the entries in the ACL according to the rule numbers, in ascending order. Each network ACL has a set of \n\t\t ingress rules and a separate set of egress rules.
\nWe recommend that you leave room between the rule numbers (for example, 100, 110, 120, ...), and not number them one right after the \n\t\t other (for example, 101, 102, 103, ...). This makes it easier to add a rule between existing ones without having to renumber the rules.
\nAfter you add an entry, you can't modify it; you must either replace it, or create an entry and delete the old one.
\nFor more information about network ACLs, see Network ACLs \n in the Amazon VPC User Guide.
" } }, "com.amazonaws.ec2#CreateNetworkAclEntryRequest": { @@ -16746,6 +17059,14 @@ "smithy.api#documentation": "Unique, case-sensitive identifier that you provide to ensure the idempotency of the request. For more information, see Ensuring Idempotency.
", "smithy.api#idempotencyToken": {} } + }, + "EnablePrimaryIpv6": { + "target": "com.amazonaws.ec2#Boolean", + "traits": { + "smithy.api#clientOptional": {}, + "smithy.api#default": false, + "smithy.api#documentation": "If you’re creating a network interface in a dual-stack or IPv6-only subnet, you have\n the option to assign a primary IPv6 IP address. A primary IPv6 address is an IPv6 GUA\n address associated with an ENI that you have enabled to use a primary IPv6 address. Use this option if the instance that\n this ENI will be attached to relies on its IPv6 address not changing. Amazon Web Services\n will automatically assign an IPv6 address associated with the ENI attached to your\n instance to be the primary IPv6 address. Once you enable an IPv6 GUA address to be a\n primary IPv6, you cannot disable it. When you enable an IPv6 GUA address to be a primary\n IPv6, the first IPv6 GUA will be made the primary IPv6 address until the instance is\n terminated or the network interface is detached. If you have multiple IPv6 addresses\n associated with an ENI attached to your instance and you enable a primary IPv6 address,\n the first IPv6 GUA address associated with the ENI becomes the primary IPv6\n address.
" + } } }, "traits": { @@ -16785,7 +17106,18 @@ "target": "com.amazonaws.ec2#CreatePlacementGroupResult" }, "traits": { - "smithy.api#documentation": "Creates a placement group in which to launch instances. The strategy of the placement\n group determines how the instances are organized within the group.
\nA cluster
placement group is a logical grouping of instances within a\n single Availability Zone that benefit from low network latency, high network throughput.\n A spread
placement group places instances on distinct hardware. A\n partition
placement group places groups of instances in different\n partitions, where instances in one partition do not share the same hardware with\n instances in another partition.
For more information, see Placement groups in the\n Amazon EC2 User Guide.
" + "smithy.api#documentation": "Creates a placement group in which to launch instances. The strategy of the placement\n group determines how the instances are organized within the group.
\nA cluster
placement group is a logical grouping of instances within a\n single Availability Zone that benefit from low network latency, high network throughput.\n A spread
placement group places instances on distinct hardware. A\n partition
placement group places groups of instances in different\n partitions, where instances in one partition do not share the same hardware with\n instances in another partition.
For more information, see Placement groups in the\n Amazon EC2 User Guide.
", + "smithy.api#examples": [ + { + "title": "To create a placement group", + "documentation": "This example creates a placement group with the specified name.", + "input": { + "GroupName": "my-cluster", + "Strategy": "cluster" + }, + "output": {} + } + ] } }, "com.amazonaws.ec2#CreatePlacementGroupRequest": { @@ -17157,7 +17489,7 @@ "target": "com.amazonaws.ec2#CreateRouteResult" }, "traits": { - "smithy.api#documentation": "Creates a route in a route table within a VPC.
\nYou must specify either a destination CIDR block or a prefix list ID. You must also specify \n exactly one of the resources from the parameter list.
\nWhen determining how to route traffic, we use the route with the most specific match.\n For example, traffic is destined for the IPv4 address 192.0.2.3
, and the\n route table includes the following two IPv4 routes:
\n 192.0.2.0/24
(goes to some target A)
\n 192.0.2.0/28
(goes to some target B)
Both routes apply to the traffic destined for 192.0.2.3
. However, the second route\n\t\t\t\tin the list covers a smaller number of IP addresses and is therefore more specific,\n\t\t\t\tso we use that route to determine where to target the traffic.
For more information about route tables, see Route tables in the\n Amazon Virtual Private Cloud User Guide.
" + "smithy.api#documentation": "Creates a route in a route table within a VPC.
\nYou must specify either a destination CIDR block or a prefix list ID. You must also specify \n exactly one of the resources from the parameter list.
\nWhen determining how to route traffic, we use the route with the most specific match.\n For example, traffic is destined for the IPv4 address 192.0.2.3
, and the\n route table includes the following two IPv4 routes:
\n 192.0.2.0/24
(goes to some target A)
\n 192.0.2.0/28
(goes to some target B)
Both routes apply to the traffic destined for 192.0.2.3
. However, the second route\n\t\t\t\tin the list covers a smaller number of IP addresses and is therefore more specific,\n\t\t\t\tso we use that route to determine where to target the traffic.
For more information about route tables, see Route tables in the\n Amazon VPC User Guide.
" } }, "com.amazonaws.ec2#CreateRouteRequest": { @@ -17315,7 +17647,7 @@ "target": "com.amazonaws.ec2#CreateRouteTableResult" }, "traits": { - "smithy.api#documentation": "Creates a route table for the specified VPC. After you create a route table, you can add routes and associate the table with a subnet.
\nFor more information, see Route tables in the\n\t\t\t\tAmazon Virtual Private Cloud User Guide.
" + "smithy.api#documentation": "Creates a route table for the specified VPC. After you create a route table, you can add routes and associate the table with a subnet.
\nFor more information, see Route tables in the\n\t\t\t\tAmazon VPC User Guide.
" } }, "com.amazonaws.ec2#CreateRouteTableRequest": { @@ -17378,7 +17710,21 @@ "target": "com.amazonaws.ec2#CreateSecurityGroupResult" }, "traits": { - "smithy.api#documentation": "Creates a security group.
\nA security group acts as a virtual firewall for your instance to control inbound and outbound traffic.\n For more information, see\n\t\t\t\tAmazon EC2 security groups in \n\t\t\t\tthe Amazon Elastic Compute Cloud User Guide and \n\t\t\t\tSecurity groups for your VPC in the\n\t\t\t\tAmazon Virtual Private Cloud User Guide.
\nWhen you create a security group, you specify a friendly name of your choice. You can have a security group for use in EC2-Classic with the same name as a security group for use in a VPC. However, you can't have two security groups for use in EC2-Classic with the same name or two security groups for use in a VPC with the same name.
\nYou have a default security group for use in EC2-Classic and a default security group for use in your VPC. If you don't specify a security group when you launch an instance, the instance is launched into the appropriate default security group. A default security group includes a default rule that grants instances unrestricted network access to each other.
\nYou can add or remove rules from your security groups using \n\t\t\t\t\tAuthorizeSecurityGroupIngress,\n\t\t\t\t\tAuthorizeSecurityGroupEgress,\n\t\t\t\t\tRevokeSecurityGroupIngress, and\n\t\t\t\t\tRevokeSecurityGroupEgress.
\nFor more information about VPC security group limits, see Amazon VPC Limits.
\nWe are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nCreates a security group.
\nA security group acts as a virtual firewall for your instance to control inbound and outbound traffic.\n For more information, see\n\t\t\t\tAmazon EC2 security groups in \n\t\t\t\tthe Amazon Elastic Compute Cloud User Guide and \n\t\t\t\tSecurity groups for your VPC in the\n\t\t\t\tAmazon Virtual Private Cloud User Guide.
\nWhen you create a security group, you specify a friendly name of your choice. \n You can't have two security groups for the same VPC with the same name.
\nYou have a default security group for use in your VPC. If you don't specify a security group \n when you launch an instance, the instance is launched into the appropriate default security group. \n A default security group includes a default rule that grants instances unrestricted network access \n to each other.
\nYou can add or remove rules from your security groups using \n\t\t\t\t\tAuthorizeSecurityGroupIngress,\n\t\t\t\t\tAuthorizeSecurityGroupEgress,\n\t\t\t\t\tRevokeSecurityGroupIngress, and\n\t\t\t\t\tRevokeSecurityGroupEgress.
\nFor more information about VPC security group limits, see Amazon VPC Limits.
", + "smithy.api#examples": [ + { + "title": "To create a security group for a VPC", + "documentation": "This example creates a security group for the specified VPC.", + "input": { + "Description": "My security group", + "GroupName": "my-security-group", + "VpcId": "vpc-1a2b3c4d" + }, + "output": { + "GroupId": "sg-903004f8" + } + } + ] } }, "com.amazonaws.ec2#CreateSecurityGroupRequest": { @@ -17388,7 +17734,7 @@ "target": "com.amazonaws.ec2#String", "traits": { "smithy.api#clientOptional": {}, - "smithy.api#documentation": "A description for the security group.
\nConstraints: Up to 255 characters in length
\nConstraints for EC2-Classic: ASCII characters
\nConstraints for EC2-VPC: a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*
", + "smithy.api#documentation": "A description for the security group.
\nConstraints: Up to 255 characters in length
\nValid characters: a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*
", "smithy.api#required": {}, "smithy.api#xmlName": "GroupDescription" } @@ -17397,14 +17743,14 @@ "target": "com.amazonaws.ec2#String", "traits": { "smithy.api#clientOptional": {}, - "smithy.api#documentation": "The name of the security group.
\nConstraints: Up to 255 characters in length. Cannot start with\n sg-
.
Constraints for EC2-Classic: ASCII characters
\nConstraints for EC2-VPC: a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*
", + "smithy.api#documentation": "The name of the security group.
\nConstraints: Up to 255 characters in length. Cannot start with sg-
.
Valid characters: a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*
", "smithy.api#required": {} } }, "VpcId": { "target": "com.amazonaws.ec2#VpcId", "traits": { - "smithy.api#documentation": "[EC2-VPC] The ID of the VPC. Required for EC2-VPC.
" + "smithy.api#documentation": "The ID of the VPC. Required for a nondefault VPC.
" } }, "TagSpecifications": { @@ -17462,7 +17808,27 @@ "target": "com.amazonaws.ec2#Snapshot" }, "traits": { - "smithy.api#documentation": "Creates a snapshot of an EBS volume and stores it in Amazon S3. You can use snapshots for\n \tbackups, to make copies of EBS volumes, and to save data before shutting down an\n \tinstance.
\nYou can create snapshots of volumes in a Region and volumes on an Outpost. If you \n \tcreate a snapshot of a volume in a Region, the snapshot must be stored in the same \n \tRegion as the volume. If you create a snapshot of a volume on an Outpost, the snapshot \n \tcan be stored on the same Outpost as the volume, or in the Region for that Outpost.
\nWhen a snapshot is created, any Amazon Web Services Marketplace product codes that are associated with the\n source volume are propagated to the snapshot.
\nYou can take a snapshot of an attached volume that is in use. However, snapshots only\n capture data that has been written to your Amazon EBS volume at the time the snapshot command is\n issued; this might exclude any data that has been cached by any applications or the operating\n system. If you can pause any file systems on the volume long enough to take a snapshot, your\n snapshot should be complete. However, if you cannot pause all file writes to the volume, you\n should unmount the volume from within the instance, issue the snapshot command, and then\n remount the volume to ensure a consistent and complete snapshot. You may remount and use your\n volume while the snapshot status is pending
.
When you create a snapshot for an EBS volume that serves as a root device, we recommend \n that you stop the instance before taking the snapshot.
\nSnapshots that are taken from encrypted volumes are automatically encrypted. Volumes that\n are created from encrypted snapshots are also automatically encrypted. Your encrypted volumes\n and any associated snapshots always remain protected.
\nYou can tag your snapshots during creation. For more information, see Tag your Amazon EC2\n resources in the Amazon Elastic Compute Cloud User Guide.
\nFor more information, see Amazon Elastic Block Store and Amazon EBS encryption in the Amazon Elastic Compute Cloud User Guide.
" + "smithy.api#documentation": "Creates a snapshot of an EBS volume and stores it in Amazon S3. You can use snapshots for\n \tbackups, to make copies of EBS volumes, and to save data before shutting down an\n \tinstance.
\nYou can create snapshots of volumes in a Region and volumes on an Outpost. If you \n \tcreate a snapshot of a volume in a Region, the snapshot must be stored in the same \n \tRegion as the volume. If you create a snapshot of a volume on an Outpost, the snapshot \n \tcan be stored on the same Outpost as the volume, or in the Region for that Outpost.
\nWhen a snapshot is created, any Amazon Web Services Marketplace product codes that are associated with the\n source volume are propagated to the snapshot.
\nYou can take a snapshot of an attached volume that is in use. However, snapshots only\n capture data that has been written to your Amazon EBS volume at the time the snapshot command is\n issued; this might exclude any data that has been cached by any applications or the operating\n system. If you can pause any file systems on the volume long enough to take a snapshot, your\n snapshot should be complete. However, if you cannot pause all file writes to the volume, you\n should unmount the volume from within the instance, issue the snapshot command, and then\n remount the volume to ensure a consistent and complete snapshot. You may remount and use your\n volume while the snapshot status is pending
.
When you create a snapshot for an EBS volume that serves as a root device, we recommend \n that you stop the instance before taking the snapshot.
\nSnapshots that are taken from encrypted volumes are automatically encrypted. Volumes that\n are created from encrypted snapshots are also automatically encrypted. Your encrypted volumes\n and any associated snapshots always remain protected.
\nYou can tag your snapshots during creation. For more information, see Tag your Amazon EC2\n resources in the Amazon Elastic Compute Cloud User Guide.
\nFor more information, see Amazon Elastic Block Store and Amazon EBS encryption in the Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#examples": [ + { + "title": "To create a snapshot", + "documentation": "This example creates a snapshot of the volume with a volume ID of ``vol-1234567890abcdef0`` and a short description to identify the snapshot.", + "input": { + "VolumeId": "vol-1234567890abcdef0", + "Description": "This is my root volume snapshot." + }, + "output": { + "Description": "This is my root volume snapshot.", + "Tags": [], + "VolumeId": "vol-1234567890abcdef0", + "State": "pending", + "VolumeSize": 8, + "StartTime": "2014-02-28T21:06:01.000Z", + "OwnerId": "012345678910", + "SnapshotId": "snap-066877671789bd71b" + } + } + ] } }, "com.amazonaws.ec2#CreateSnapshotRequest": { @@ -17729,7 +18095,27 @@ "target": "com.amazonaws.ec2#CreateSubnetResult" }, "traits": { - "smithy.api#documentation": "Creates a subnet in the specified VPC. For an IPv4 only subnet, specify an IPv4 CIDR block.\n If the VPC has an IPv6 CIDR block, you can create an IPv6 only subnet or a dual stack subnet instead.\n For an IPv6 only subnet, specify an IPv6 CIDR block. For a dual stack subnet, specify both\n an IPv4 CIDR block and an IPv6 CIDR block.
\nA subnet CIDR block must not overlap the CIDR block of an existing subnet in the VPC.\n After you create a subnet, you can't change its CIDR block.
\nThe allowed size for an IPv4 subnet is between a /28 netmask (16 IP addresses) and \n a /16 netmask (65,536 IP addresses). Amazon Web Services reserves both the first four and \n the last IPv4 address in each subnet's CIDR block. They're not available for your use.
\nIf you've associated an IPv6 CIDR block with your VPC, you can associate an IPv6 CIDR block \n with a subnet when you create it. The allowed block size for an IPv6 subnet is a /64 netmask.
\nIf you add more than one subnet to a VPC, they're set up in a star topology with a\n logical router in the middle.
\nWhen you stop an instance in a subnet, it retains its private IPv4 address. It's\n therefore possible to have a subnet with no running instances (they're all stopped), but\n no remaining IP addresses available.
\nFor more information, see Subnets in the Amazon Virtual Private Cloud User Guide.
" + "smithy.api#documentation": "Creates a subnet in the specified VPC. For an IPv4 only subnet, specify an IPv4 CIDR block.\n If the VPC has an IPv6 CIDR block, you can create an IPv6 only subnet or a dual stack subnet instead.\n For an IPv6 only subnet, specify an IPv6 CIDR block. For a dual stack subnet, specify both\n an IPv4 CIDR block and an IPv6 CIDR block.
\nA subnet CIDR block must not overlap the CIDR block of an existing subnet in the VPC.\n After you create a subnet, you can't change its CIDR block.
\nThe allowed size for an IPv4 subnet is between a /28 netmask (16 IP addresses) and \n a /16 netmask (65,536 IP addresses). Amazon Web Services reserves both the first four and \n the last IPv4 address in each subnet's CIDR block. They're not available for your use.
\nIf you've associated an IPv6 CIDR block with your VPC, you can associate an IPv6 CIDR block \n with a subnet when you create it. The allowed block size for an IPv6 subnet is a /64 netmask.
\nIf you add more than one subnet to a VPC, they're set up in a star topology with a\n logical router in the middle.
\nWhen you stop an instance in a subnet, it retains its private IPv4 address. It's\n therefore possible to have a subnet with no running instances (they're all stopped), but\n no remaining IP addresses available.
\nFor more information, see Subnets in the Amazon VPC User Guide.
", + "smithy.api#examples": [ + { + "title": "To create a subnet", + "documentation": "This example creates a subnet in the specified VPC with the specified CIDR block. We recommend that you let us select an Availability Zone for you.", + "input": { + "VpcId": "vpc-a01106c2", + "CidrBlock": "10.0.1.0/24" + }, + "output": { + "Subnet": { + "VpcId": "vpc-a01106c2", + "CidrBlock": "10.0.1.0/24", + "State": "pending", + "AvailabilityZone": "us-west-2c", + "SubnetId": "subnet-9d4a7b6c", + "AvailableIpAddressCount": 251 + } + } + } + ] } }, "com.amazonaws.ec2#CreateSubnetCidrReservation": { @@ -17741,7 +18127,7 @@ "target": "com.amazonaws.ec2#CreateSubnetCidrReservationResult" }, "traits": { - "smithy.api#documentation": "Creates a subnet CIDR reservation. For information about subnet CIDR reservations, see Subnet CIDR reservations in the Amazon Virtual Private Cloud User Guide.
" + "smithy.api#documentation": "Creates a subnet CIDR reservation. For more information, see Subnet CIDR reservations \n in the Amazon Virtual Private Cloud User Guide and Assign prefixes \n to network interfaces in the Amazon Elastic Compute Cloud User Guide.
" } }, "com.amazonaws.ec2#CreateSubnetCidrReservationRequest": { @@ -17767,14 +18153,14 @@ "target": "com.amazonaws.ec2#SubnetCidrReservationType", "traits": { "smithy.api#clientOptional": {}, - "smithy.api#documentation": "The type of reservation.
\nThe following are valid values:
\n\n prefix
: The Amazon EC2\n Prefix\n Delegation feature assigns the IP addresses to network interfaces that are\n associated with an instance. For information about Prefix\n Delegation,\n see Prefix Delegation\n for Amazon EC2 network interfaces in the\n Amazon Elastic Compute Cloud User Guide.
\n explicit
: You manually assign the IP addresses to resources that\n reside in your subnet.
The type of reservation. The reservation type determines how the reserved IP addresses are \n assigned to resources.
\n\n prefix
- Amazon Web Services assigns the reserved IP addresses to \n network interfaces.
\n explicit
- You assign the reserved IP addresses to network interfaces.
The\n description\n to assign to the subnet CIDR reservation.
" + "smithy.api#documentation": "The description to assign to the subnet CIDR reservation.
" } }, "DryRun": { @@ -17826,7 +18212,7 @@ "AvailabilityZone": { "target": "com.amazonaws.ec2#String", "traits": { - "smithy.api#documentation": "The Availability Zone or Local Zone for the subnet.
\nDefault: Amazon Web Services selects one for you. If you create more than one subnet in your VPC, we \n do not necessarily select a different zone for each subnet.
\nTo create a subnet in a Local Zone, set this value to the Local Zone ID, for example\n us-west-2-lax-1a
. For information about the Regions that support Local Zones, \n see Available Regions in the Amazon Elastic Compute Cloud User Guide.
To create a subnet in an Outpost, set this value to the Availability Zone for the\n Outpost and specify the Outpost ARN.
" + "smithy.api#documentation": "The Availability Zone or Local Zone for the subnet.
\nDefault: Amazon Web Services selects one for you. If you create more than one subnet in your VPC, we \n do not necessarily select a different zone for each subnet.
\nTo create a subnet in a Local Zone, set this value to the Local Zone ID, for example\n us-west-2-lax-1a
. For information about the Regions that support Local Zones, \n see Local Zones locations.
To create a subnet in an Outpost, set this value to the Availability Zone for the\n Outpost and specify the Outpost ARN.
" } }, "AvailabilityZoneId": { @@ -18198,7 +18584,7 @@ "traits": { "smithy.api#clientOptional": {}, "smithy.api#default": 0, - "smithy.api#documentation": "The number of bytes in each packet to mirror. These are bytes after the VXLAN header. Do\n not specify this parameter when you want to mirror the entire packet. To mirror a subset of\n the packet, set this to the length (in bytes) that you want to mirror. For example, if you\n set this value to 100, then the first 100 bytes that meet the filter criteria are copied to\n the target.
\nIf you do not want to mirror the entire packet, use the PacketLength
parameter to specify the number of bytes in each packet to mirror.
The number of bytes in each packet to mirror. These are bytes after the VXLAN header. Do\n not specify this parameter when you want to mirror the entire packet. To mirror a subset of\n the packet, set this to the length (in bytes) that you want to mirror. For example, if you\n set this value to 100, then the first 100 bytes that meet the filter criteria are copied to\n the target.
\nIf you do not want to mirror the entire packet, use the PacketLength
parameter to specify the number of bytes in each packet to mirror.
For sessions with Network Load Balancer (NLB) Traffic Mirror targets the default PacketLength
will be set to 8500. Valid values are 1-8500. Setting a PacketLength
greater than 8500 will result in an error response.
Creates an EBS volume that can be attached to an instance in the same Availability Zone.
\nYou can create a new empty volume or restore a volume from an EBS snapshot.\n Any Amazon Web Services Marketplace product codes from the snapshot are propagated to the volume.
\nYou can create encrypted volumes. Encrypted volumes must be attached to instances that \n support Amazon EBS encryption. Volumes that are created from encrypted snapshots are also automatically \n encrypted. For more information, see Amazon EBS encryption\n in the Amazon Elastic Compute Cloud User Guide.
\nYou can tag your volumes during creation. For more information, see Tag your Amazon EC2\n resources in the Amazon Elastic Compute Cloud User Guide.
\nFor more information, see Create an Amazon EBS volume in the\n Amazon Elastic Compute Cloud User Guide.
" + "smithy.api#documentation": "Creates an EBS volume that can be attached to an instance in the same Availability Zone.
\nYou can create a new empty volume or restore a volume from an EBS snapshot.\n Any Amazon Web Services Marketplace product codes from the snapshot are propagated to the volume.
\nYou can create encrypted volumes. Encrypted volumes must be attached to instances that \n support Amazon EBS encryption. Volumes that are created from encrypted snapshots are also automatically \n encrypted. For more information, see Amazon EBS encryption\n in the Amazon Elastic Compute Cloud User Guide.
\nYou can tag your volumes during creation. For more information, see Tag your Amazon EC2\n resources in the Amazon Elastic Compute Cloud User Guide.
\nFor more information, see Create an Amazon EBS volume in the\n Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#examples": [ + { + "title": "To create a new volume", + "documentation": "This example creates an 80 GiB General Purpose (SSD) volume in the Availability Zone ``us-east-1a``.", + "input": { + "AvailabilityZone": "us-east-1a", + "Size": 80, + "VolumeType": "gp2" + }, + "output": { + "AvailabilityZone": "us-east-1a", + "Encrypted": false, + "VolumeType": "gp2", + "VolumeId": "vol-6b60b7c7", + "State": "creating", + "Iops": 240, + "SnapshotId": "", + "CreateTime": "2016-08-29T18:52:32.724Z", + "Size": 80 + } + } + ] } }, "com.amazonaws.ec2#CreateVolumePermission": { @@ -19820,7 +20228,7 @@ "target": "com.amazonaws.ec2#AvailabilityZoneName", "traits": { "smithy.api#clientOptional": {}, - "smithy.api#documentation": "The Availability Zone in which to create the volume.
", + "smithy.api#documentation": "The ID of the Availability Zone in which to create the volume. For example, us-east-1a
.
Creates a VPC with the specified CIDR blocks. For more information, see\n\t VPC CIDR blocks in the Amazon Virtual Private Cloud User Guide.
\nYou can optionally request an IPv6 CIDR block for the VPC. You can request an Amazon-provided \n IPv6 CIDR block from Amazon's pool of IPv6 addresses, or an IPv6 CIDR block from an IPv6 address \n pool that you provisioned through bring your own IP addresses (BYOIP).
\nBy default, each instance that you launch in the VPC has the default DHCP options, which\n\t\t\tinclude only a default DNS server that we provide (AmazonProvidedDNS). For more\n\t\t\tinformation, see DHCP option sets in the Amazon Virtual Private Cloud User Guide.
\nYou can specify the instance tenancy value for the VPC when you create it. You can't change\n this value for the VPC after you create it. For more information, see Dedicated Instances in the\n Amazon Elastic Compute Cloud User Guide.
" + "smithy.api#documentation": "Creates a VPC with the specified CIDR blocks. For more information, see IP addressing for your VPCs and subnets in the \n Amazon VPC User Guide.
\nYou can optionally request an IPv6 CIDR block for the VPC. You can request an Amazon-provided \n IPv6 CIDR block from Amazon's pool of IPv6 addresses, or an IPv6 CIDR block from an IPv6 address \n pool that you provisioned through bring your own IP addresses (BYOIP).
\nBy default, each instance that you launch in the VPC has the default DHCP options, which\n\t\t\tinclude only a default DNS server that we provide (AmazonProvidedDNS). For more\n\t\t\tinformation, see DHCP option sets in the Amazon VPC User Guide.
\nYou can specify the instance tenancy value for the VPC when you create it. You can't change\n this value for the VPC after you create it. For more information, see Dedicated Instances in the\n Amazon EC2 User Guide.
", + "smithy.api#examples": [ + { + "title": "To create a VPC", + "documentation": "This example creates a VPC with the specified CIDR block.", + "input": { + "CidrBlock": "10.0.0.0/16" + }, + "output": { + "Vpc": { + "InstanceTenancy": "default", + "State": "pending", + "VpcId": "vpc-a01106c2", + "CidrBlock": "10.0.0.0/16", + "DhcpOptionsId": "dopt-7a8b9c2d" + } + } + } + ] } }, "com.amazonaws.ec2#CreateVpcEndpoint": { @@ -19940,7 +20366,7 @@ "target": "com.amazonaws.ec2#CreateVpcEndpointResult" }, "traits": { - "smithy.api#documentation": "Creates a VPC endpoint for a specified service. An endpoint enables you to create a\n private connection between your VPC and the service. The service may be provided by Amazon Web Services,\n an Amazon Web Services Marketplace Partner, or another Amazon Web Services account. For more information, \n see the Amazon Web Services PrivateLink Guide.
" + "smithy.api#documentation": "Creates a VPC endpoint. A VPC endpoint provides a private connection between the\n specified VPC and the specified endpoint service. You can use an endpoint service\n provided by Amazon Web Services, an Amazon Web Services Marketplace Partner, or another\n Amazon Web Services account. For more information, see the Amazon Web Services PrivateLink User Guide.
" } }, "com.amazonaws.ec2#CreateVpcEndpointConnectionNotification": { @@ -20050,7 +20476,7 @@ "target": "com.amazonaws.ec2#VpcId", "traits": { "smithy.api#clientOptional": {}, - "smithy.api#documentation": "The ID of the VPC for the endpoint.
", + "smithy.api#documentation": "The ID of the VPC.
", "smithy.api#required": {} } }, @@ -20058,7 +20484,7 @@ "target": "com.amazonaws.ec2#String", "traits": { "smithy.api#clientOptional": {}, - "smithy.api#documentation": "The service name.
", + "smithy.api#documentation": "The name of the endpoint service.
", "smithy.api#required": {} } }, @@ -21311,7 +21737,16 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Deletes the specified customer gateway. You must delete the VPN connection before you\n can delete the customer gateway.
" + "smithy.api#documentation": "Deletes the specified customer gateway. You must delete the VPN connection before you\n can delete the customer gateway.
", + "smithy.api#examples": [ + { + "title": "To delete a customer gateway", + "documentation": "This example deletes the specified customer gateway.", + "input": { + "CustomerGatewayId": "cgw-0e11f167" + } + } + ] } }, "com.amazonaws.ec2#DeleteCustomerGatewayRequest": { @@ -21350,7 +21785,16 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Deletes the specified set of DHCP options. You must disassociate the set of DHCP options before you can delete it. You can disassociate the set of DHCP options by associating either a new set of options or the default set of options with the VPC.
" + "smithy.api#documentation": "Deletes the specified set of DHCP options. You must disassociate the set of DHCP options before you can delete it. You can disassociate the set of DHCP options by associating either a new set of options or the default set of options with the VPC.
", + "smithy.api#examples": [ + { + "title": "To delete a DHCP options set", + "documentation": "This example deletes the specified DHCP options set.", + "input": { + "DhcpOptionsId": "dopt-d9070ebb" + } + } + ] } }, "com.amazonaws.ec2#DeleteDhcpOptionsRequest": { @@ -22115,7 +22559,16 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Deletes the specified key pair, by removing the public key from Amazon EC2.
" + "smithy.api#documentation": "Deletes the specified key pair, by removing the public key from Amazon EC2.
", + "smithy.api#examples": [ + { + "title": "To delete a key pair", + "documentation": "This example deletes the specified key pair.", + "input": { + "KeyName": "my-key-pair" + } + } + ] } }, "com.amazonaws.ec2#DeleteKeyPairRequest": { @@ -22157,7 +22610,26 @@ "target": "com.amazonaws.ec2#DeleteLaunchTemplateResult" }, "traits": { - "smithy.api#documentation": "Deletes a launch template. Deleting a launch template deletes all of its\n versions.
" + "smithy.api#documentation": "Deletes a launch template. Deleting a launch template deletes all of its\n versions.
", + "smithy.api#examples": [ + { + "title": "To delete a launch template", + "documentation": "This example deletes the specified launch template.", + "input": { + "LaunchTemplateId": "lt-0abcd290751193123" + }, + "output": { + "LaunchTemplate": { + "LatestVersionNumber": 2, + "LaunchTemplateId": "lt-0abcd290751193123", + "LaunchTemplateName": "my-template", + "DefaultVersionNumber": 2, + "CreatedBy": "arn:aws:iam::123456789012:root", + "CreateTime": "2017-11-23T16:46:25.000Z" + } + } + } + ] } }, "com.amazonaws.ec2#DeleteLaunchTemplateRequest": { @@ -22213,7 +22685,29 @@ "target": "com.amazonaws.ec2#DeleteLaunchTemplateVersionsResult" }, "traits": { - "smithy.api#documentation": "Deletes one or more versions of a launch template. You cannot delete the default\n version of a launch template; you must first assign a different version as the default.\n If the default version is the only version for the launch template, you must delete the\n entire launch template using DeleteLaunchTemplate.
" + "smithy.api#documentation": "Deletes one or more versions of a launch template.
\nYou can't delete the default version of a launch template; you must first assign a\n different version as the default. If the default version is the only version for the\n launch template, you must delete the entire launch template using DeleteLaunchTemplate.
\nYou can delete up to 200 launch template versions in a single request. To delete more\n than 200 versions in a single request, use DeleteLaunchTemplate, which\n deletes the launch template and all of its versions.
\nFor more information, see Delete a launch template version in the EC2 User\n Guide.
", + "smithy.api#examples": [ + { + "title": "To delete a launch template version", + "documentation": "This example deletes the specified launch template version.", + "input": { + "LaunchTemplateId": "lt-0abcd290751193123", + "Versions": [ + "1" + ] + }, + "output": { + "SuccessfullyDeletedLaunchTemplateVersions": [ + { + "LaunchTemplateName": "my-template", + "VersionNumber": 1, + "LaunchTemplateId": "lt-0abcd290751193123" + } + ], + "UnsuccessfullyDeletedLaunchTemplateVersions": [] + } + } + ] } }, "com.amazonaws.ec2#DeleteLaunchTemplateVersionsRequest": { @@ -22243,7 +22737,7 @@ "target": "com.amazonaws.ec2#VersionStringList", "traits": { "smithy.api#clientOptional": {}, - "smithy.api#documentation": "The version numbers of one or more launch template versions to delete.
", + "smithy.api#documentation": "The version numbers of one or more launch template versions to delete. You can specify\n up to 200 launch template version numbers.
", "smithy.api#required": {}, "smithy.api#xmlName": "LaunchTemplateVersion" } @@ -22652,7 +23146,19 @@ "target": "com.amazonaws.ec2#DeleteNatGatewayResult" }, "traits": { - "smithy.api#documentation": "Deletes the specified NAT gateway. Deleting a public NAT gateway disassociates its Elastic IP address, \n but does not release the address from your account. Deleting a NAT gateway does not delete any NAT gateway \n routes in your route tables.
" + "smithy.api#documentation": "Deletes the specified NAT gateway. Deleting a public NAT gateway disassociates its Elastic IP address, \n but does not release the address from your account. Deleting a NAT gateway does not delete any NAT gateway \n routes in your route tables.
", + "smithy.api#examples": [ + { + "title": "To delete a NAT gateway", + "documentation": "This example deletes the specified NAT gateway.", + "input": { + "NatGatewayId": "nat-04ae55e711cec5680" + }, + "output": { + "NatGatewayId": "nat-04ae55e711cec5680" + } + } + ] } }, "com.amazonaws.ec2#DeleteNatGatewayRequest": { @@ -23439,7 +23945,17 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Deletes a security group.
\nIf you attempt to delete a security group that is associated with an instance, or is\n\t\t\t referenced by another security group, the operation fails with\n\t\t\t\tInvalidGroup.InUse
in EC2-Classic or\n\t\t\t\tDependencyViolation
in EC2-VPC.
We are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nDeletes a security group.
\nIf you attempt to delete a security group that is associated with an instance or network interface or is\n\t\t\t referenced by another security group, the operation fails with\n\t\t\t\tDependencyViolation
.
The ID of the security group. Required for a nondefault VPC.
" + "smithy.api#documentation": "The ID of the security group.
" } }, "GroupName": { "target": "com.amazonaws.ec2#SecurityGroupName", "traits": { - "smithy.api#documentation": "[EC2-Classic, default VPC] The name of the security group. You can specify either the\n security group name or the security group ID. For security groups in a nondefault VPC,\n you must specify the security group ID.
" + "smithy.api#documentation": "[Default VPC] The name of the security group. You can specify either the\n security group name or the security group ID. For security groups in a nondefault VPC,\n you must specify the security group ID.
" } }, "DryRun": { @@ -23481,7 +23997,17 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Deletes the specified snapshot.
\nWhen you make periodic snapshots of a volume, the snapshots are incremental, and only the\n blocks on the device that have changed since your last snapshot are saved in the new snapshot.\n When you delete a snapshot, only the data not needed for any other snapshot is removed. So\n regardless of which prior snapshots have been deleted, all active snapshots will have access\n to all the information needed to restore the volume.
\nYou cannot delete a snapshot of the root device of an EBS volume used by a registered AMI.\n You must first de-register the AMI before you can delete the snapshot.
\nFor more information, see Delete an Amazon EBS snapshot in the\n Amazon Elastic Compute Cloud User Guide.
" + "smithy.api#documentation": "Deletes the specified snapshot.
\nWhen you make periodic snapshots of a volume, the snapshots are incremental, and only the\n blocks on the device that have changed since your last snapshot are saved in the new snapshot.\n When you delete a snapshot, only the data not needed for any other snapshot is removed. So\n regardless of which prior snapshots have been deleted, all active snapshots will have access\n to all the information needed to restore the volume.
\nYou cannot delete a snapshot of the root device of an EBS volume used by a registered AMI.\n You must first de-register the AMI before you can delete the snapshot.
\nFor more information, see Delete an Amazon EBS snapshot in the\n Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#examples": [ + { + "title": "To delete a snapshot", + "documentation": "This example deletes a snapshot with the snapshot ID of ``snap-1234567890abcdef0``. If the command succeeds, no output is returned.", + "input": { + "SnapshotId": "snap-1234567890abcdef0" + }, + "output": {} + } + ] } }, "com.amazonaws.ec2#DeleteSnapshotRequest": { @@ -23519,7 +24045,13 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Deletes the data feed for Spot Instances.
" + "smithy.api#documentation": "Deletes the data feed for Spot Instances.
", + "smithy.api#examples": [ + { + "title": "To cancel a Spot Instance data feed subscription", + "documentation": "This example deletes a Spot data feed subscription for the account." + } + ] } }, "com.amazonaws.ec2#DeleteSpotDatafeedSubscriptionRequest": { @@ -23550,7 +24082,16 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Deletes the specified subnet. You must terminate all running instances in the subnet before you can delete the subnet.
" + "smithy.api#documentation": "Deletes the specified subnet. You must terminate all running instances in the subnet before you can delete the subnet.
", + "smithy.api#examples": [ + { + "title": "To delete a subnet", + "documentation": "This example deletes the specified subnet.", + "input": { + "SubnetId": "subnet-9d4a7b6c" + } + } + ] } }, "com.amazonaws.ec2#DeleteSubnetCidrReservation": { @@ -24720,7 +25261,17 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Deletes the specified EBS volume. The volume must be in the available
state\n (not attached to an instance).
The volume can remain in the deleting
state for several minutes.
For more information, see Delete an Amazon EBS volume in the\n Amazon Elastic Compute Cloud User Guide.
" + "smithy.api#documentation": "Deletes the specified EBS volume. The volume must be in the available
state\n (not attached to an instance).
The volume can remain in the deleting
state for several minutes.
For more information, see Delete an Amazon EBS volume in the\n Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#examples": [ + { + "title": "To delete a volume", + "documentation": "This example deletes an available volume with the volume ID of ``vol-049df61146c4d7901``. If the command succeeds, no output is returned.", + "input": { + "VolumeId": "vol-049df61146c4d7901" + }, + "output": {} + } + ] } }, "com.amazonaws.ec2#DeleteVolumeRequest": { @@ -24758,7 +25309,16 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Deletes the specified VPC. You must detach or delete all gateways and resources that are associated with the VPC before you can delete it. For example, you must terminate all instances running in the VPC, delete all security groups associated with the VPC (except the default one), delete all route tables associated with the VPC (except the default one), and so on.
" + "smithy.api#documentation": "Deletes the specified VPC. You must detach or delete all gateways and resources that are associated with the VPC before you can delete it. For example, you must terminate all instances running in the VPC, delete all security groups associated with the VPC (except the default one), delete all route tables associated with the VPC (except the default one), and so on.
", + "smithy.api#examples": [ + { + "title": "To delete a VPC", + "documentation": "This example deletes the specified VPC.", + "input": { + "VpcId": "vpc-a01106c2" + } + } + ] } }, "com.amazonaws.ec2#DeleteVpcEndpointConnectionNotifications": { @@ -25553,7 +26113,33 @@ "target": "com.amazonaws.ec2#DescribeAccountAttributesResult" }, "traits": { - "smithy.api#documentation": "Describes attributes of your Amazon Web Services account. The following are the supported account attributes:
\n\n supported-platforms
: Indicates whether your account can launch instances\n into EC2-Classic and EC2-VPC, or only into EC2-VPC.
\n default-vpc
: The ID of the default VPC for your account, or\n none
.
\n max-instances
: This attribute is no longer supported. The returned\n value does not reflect your actual vCPU limit for running On-Demand Instances.\n For more information, see On-Demand Instance Limits in the\n Amazon Elastic Compute Cloud User Guide.
\n vpc-max-security-groups-per-interface
: The maximum number of security groups\n that you can assign to a network interface.
\n max-elastic-ips
: The maximum number of Elastic IP addresses that you can\n allocate for use with EC2-Classic.
\n vpc-max-elastic-ips
: The maximum number of Elastic IP addresses that you can\n allocate for use with EC2-VPC.
We are retiring EC2-Classic on August 15, 2022. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon EC2 User Guide.
\nDescribes attributes of your Amazon Web Services account. The following are the supported account attributes:
\n\n default-vpc
: The ID of the default VPC for your account, or none
.
\n max-instances
: This attribute is no longer supported. The returned\n value does not reflect your actual vCPU limit for running On-Demand Instances.\n For more information, see On-Demand Instance Limits in the\n Amazon Elastic Compute Cloud User Guide.
\n max-elastic-ips
: The maximum number of Elastic IP addresses that you can allocate.
\n supported-platforms
: This attribute is deprecated.
\n vpc-max-elastic-ips
: The maximum number of Elastic IP addresses that you can allocate.
\n vpc-max-security-groups-per-interface
: The maximum number of security groups\n that you can assign to a network interface.
Describes the specified Elastic IP addresses or all of your Elastic IP addresses.
" + "smithy.api#documentation": "Describes the specified Elastic IP addresses or all of your Elastic IP addresses.
", + "smithy.api#examples": [ + { + "title": "To describe your Elastic IP addresses", + "documentation": "This example describes your Elastic IP addresses.", + "output": { + "Addresses": [ + { + "InstanceId": "i-1234567890abcdef0", + "PublicIp": "198.51.100.0", + "Domain": "standard" + }, + { + "Domain": "vpc", + "InstanceId": "i-1234567890abcdef0", + "NetworkInterfaceId": "eni-12345678", + "AssociationId": "eipassoc-12345678", + "NetworkInterfaceOwnerId": "123456789012", + "PublicIp": "203.0.113.0", + "AllocationId": "eipalloc-12345678", + "PrivateIpAddress": "10.0.1.241" + } + ] + } + } + ] } }, "com.amazonaws.ec2#DescribeAddressesAttribute": { @@ -25902,7 +26513,41 @@ "target": "com.amazonaws.ec2#DescribeAvailabilityZonesResult" }, "traits": { - "smithy.api#documentation": "Describes the Availability Zones, Local Zones, and Wavelength Zones that are available to\n you. If there is an event impacting a zone, you can use this request to view the state and any\n provided messages for that zone.
\nFor more information about Availability Zones, Local Zones, and Wavelength Zones, see\n Regions and zones \n in the Amazon Elastic Compute Cloud User Guide.
" + "smithy.api#documentation": "Describes the Availability Zones, Local Zones, and Wavelength Zones that are available to\n you. If there is an event impacting a zone, you can use this request to view the state and any\n provided messages for that zone.
\nFor more information about Availability Zones, Local Zones, and Wavelength Zones, see\n Regions and zones \n in the Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#examples": [ + { + "title": "To describe your Availability Zones", + "documentation": "This example describes the Availability Zones that are available to you. The response includes Availability Zones only for the current region.", + "output": { + "AvailabilityZones": [ + { + "State": "available", + "RegionName": "us-east-1", + "Messages": [], + "ZoneName": "us-east-1b" + }, + { + "State": "available", + "RegionName": "us-east-1", + "Messages": [], + "ZoneName": "us-east-1c" + }, + { + "State": "available", + "RegionName": "us-east-1", + "Messages": [], + "ZoneName": "us-east-1d" + }, + { + "State": "available", + "RegionName": "us-east-1", + "Messages": [], + "ZoneName": "us-east-1e" + } + ] + } + } + ] } }, "com.amazonaws.ec2#DescribeAvailabilityZonesRequest": { @@ -26504,7 +27149,7 @@ "target": "com.amazonaws.ec2#DescribeClassicLinkInstancesResult" }, "traits": { - "smithy.api#documentation": "Describes one or more of your linked EC2-Classic instances. This request only returns\n\t\t\tinformation about EC2-Classic instances linked to a VPC through ClassicLink. You cannot\n\t\t\tuse this request to return information about other instances.
\nWe are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nThis action is deprecated.
\nDescribes one or more of your linked EC2-Classic instances. This request only returns\n\t\t\tinformation about EC2-Classic instances linked to a VPC through ClassicLink. You cannot\n\t\t\tuse this request to return information about other instances.
", "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -26529,7 +27174,7 @@ "Filters": { "target": "com.amazonaws.ec2#FilterList", "traits": { - "smithy.api#documentation": "One or more filters.
\n\n group-id
- The ID of a VPC security group that's associated with the instance.
\n instance-id
- The ID of the instance.
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
\n vpc-id
- The ID of the VPC to which the instance is\n\t\t\t\t\tlinked.
\n vpc-id
- The ID of the VPC that the instance is linked to.
The filters.
\n\n group-id
- The ID of a VPC security group that's associated with the instance.
\n instance-id
- The ID of the instance.
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
\n vpc-id
- The ID of the VPC to which the instance is linked.
One or more instance IDs. Must be instances linked to a VPC through ClassicLink.
", + "smithy.api#documentation": "The instance IDs. Must be instances linked to a VPC through ClassicLink.
", "smithy.api#xmlName": "InstanceId" } }, @@ -27313,6 +27958,28 @@ }, "traits": { "smithy.api#documentation": "Describes one or more of your VPN customer gateways.
\nFor more information, see Amazon Web Services Site-to-Site VPN in the Amazon Web Services Site-to-Site VPN\n User Guide.
", + "smithy.api#examples": [ + { + "title": "To describe a customer gateway", + "documentation": "This example describes the specified customer gateway.", + "input": { + "CustomerGatewayIds": [ + "cgw-0e11f167" + ] + }, + "output": { + "CustomerGateways": [ + { + "CustomerGatewayId": "cgw-0e11f167", + "IpAddress": "12.1.2.3", + "State": "available", + "Type": "ipsec.1", + "BgpAsn": "65534" + } + ] + } + } + ], "smithy.waiters#waitable": { "CustomerGatewayAvailable": { "acceptors": [ @@ -27411,7 +28078,38 @@ "target": "com.amazonaws.ec2#DescribeDhcpOptionsResult" }, "traits": { - "smithy.api#documentation": "Describes one or more of your DHCP options sets.
\nFor more information, see DHCP options sets in the\n\t\t\t\tAmazon Virtual Private Cloud User Guide.
", + "smithy.api#documentation": "Describes one or more of your DHCP options sets.
\nFor more information, see DHCP options sets in the\n\t\t\t\tAmazon VPC User Guide.
", + "smithy.api#examples": [ + { + "title": "To describe a DHCP options set", + "documentation": "This example describes the specified DHCP options set.", + "input": { + "DhcpOptionsIds": [ + "dopt-d9070ebb" + ] + }, + "output": { + "DhcpOptions": [ + { + "DhcpConfigurations": [ + { + "Values": [ + { + "Value": "10.2.5.2" + }, + { + "Value": "10.2.5.1" + } + ], + "Key": "domain-name-servers" + } + ], + "DhcpOptionsId": "dopt-d9070ebb" + } + ] + } + } + ], "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -27443,7 +28141,7 @@ "Filters": { "target": "com.amazonaws.ec2#FilterList", "traits": { - "smithy.api#documentation": "One or more filters.
\n\n dhcp-options-id
- The ID of a DHCP options set.
\n key
- The key for one of the options (for example, domain-name
).
\n value
- The value for one of the options.
\n owner-id
- The ID of the Amazon Web Services account that owns the DHCP options set.
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
The filters.
\n\n dhcp-options-id
- The ID of a DHCP options set.
\n key
- The key for one of the options (for example, domain-name
).
\n value
- The value for one of the options.
\n owner-id
- The ID of the Amazon Web Services account that owns the DHCP options set.
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
One or more egress-only internet gateway IDs.
", + "smithy.api#documentation": "The IDs of the egress-only internet gateways.
", "smithy.api#xmlName": "EgressOnlyInternetGatewayId" } }, @@ -27563,7 +28261,7 @@ "Filters": { "target": "com.amazonaws.ec2#FilterList", "traits": { - "smithy.api#documentation": "One or more filters.
\n\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
The filters.
\n\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
Describes your IAM instance profile associations.
", + "smithy.api#examples": [ + { + "title": "To describe an IAM instance profile association", + "documentation": "This example describes the specified IAM instance profile association.", + "input": { + "AssociationIds": [ + "iip-assoc-0db249b1f25fa24b8" + ] + }, + "output": { + "IamInstanceProfileAssociations": [ + { + "InstanceId": "i-09eb09efa73ec1dee", + "State": "associated", + "AssociationId": "iip-assoc-0db249b1f25fa24b8", + "IamInstanceProfile": { + "Id": "AIPAJVQN4F5WVLGCJDRGM", + "Arn": "arn:aws:iam::123456789012:instance-profile/admin-role" + } + } + ] + } + } + ], "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -29346,7 +30068,25 @@ "target": "com.amazonaws.ec2#ImageAttribute" }, "traits": { - "smithy.api#documentation": "Describes the specified attribute of the specified AMI. You can specify only one attribute at a time.
" + "smithy.api#documentation": "Describes the specified attribute of the specified AMI. You can specify only one attribute at a time.
", + "smithy.api#examples": [ + { + "title": "To describe the launch permissions for an AMI", + "documentation": "This example describes the launch permissions for the specified AMI.", + "input": { + "Attribute": "launchPermission", + "ImageId": "ami-5731123e" + }, + "output": { + "ImageId": "ami-5731123e", + "LaunchPermissions": [ + { + "UserId": "123456789012" + } + ] + } + } + ] } }, "com.amazonaws.ec2#DescribeImageAttributeRequest": { @@ -29394,6 +30134,48 @@ }, "traits": { "smithy.api#documentation": "Describes the specified images (AMIs, AKIs, and ARIs) available to you or all of the images available to you.
\nThe images available to you include public images, private images that you own, and private images owned by other \n Amazon Web Services accounts for which you have explicit launch permissions.
\nRecently deregistered images appear in the returned results for a short interval and then\n return empty results. After all instances that reference a deregistered AMI are terminated,\n specifying the ID of the image will eventually return an error indicating that the AMI ID\n cannot be found.
", + "smithy.api#examples": [ + { + "title": "To describe an AMI", + "documentation": "This example describes the specified AMI.", + "input": { + "ImageIds": [ + "ami-5731123e" + ] + }, + "output": { + "Images": [ + { + "VirtualizationType": "paravirtual", + "Name": "My server", + "Hypervisor": "xen", + "ImageId": "ami-5731123e", + "RootDeviceType": "ebs", + "State": "available", + "BlockDeviceMappings": [ + { + "DeviceName": "/dev/sda1", + "Ebs": { + "DeleteOnTermination": true, + "SnapshotId": "snap-1234567890abcdef0", + "VolumeSize": 8, + "VolumeType": "standard" + } + } + ], + "Architecture": "x86_64", + "ImageLocation": "123456789012/My server", + "KernelId": "aki-88aa75e1", + "OwnerId": "123456789012", + "RootDeviceName": "/dev/sda1", + "Public": false, + "ImageType": "machine", + "Description": "An AMI for my server" + } + ] + } + } + ], "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -29466,7 +30248,7 @@ "Filters": { "target": "com.amazonaws.ec2#FilterList", "traits": { - "smithy.api#documentation": "The filters.
\n\n architecture
- The image architecture (i386
|\n x86_64
| arm64
).
\n block-device-mapping.delete-on-termination
- A Boolean value that indicates\n \twhether the Amazon EBS volume is deleted on instance termination.
\n block-device-mapping.device-name
- The device name specified in the block device mapping (for\n example, /dev/sdh
or xvdh
).
\n block-device-mapping.snapshot-id
- The ID of the snapshot used for the Amazon EBS\n volume.
\n block-device-mapping.volume-size
- The volume size of the Amazon EBS volume, in GiB.
\n block-device-mapping.volume-type
- The volume type of the Amazon EBS volume\n (io1
| io2
| gp2
| gp3
| sc1\n
| st1
| standard
).
\n block-device-mapping.encrypted
- A Boolean that indicates whether the Amazon EBS volume is encrypted.
\n creation-date
- The time when the image was created, in the ISO 8601\n format in the UTC time zone (YYYY-MM-DDThh:mm:ss.sssZ), for example,\n 2021-09-29T11:04:43.305Z
. You can use a wildcard (*
), for\n example, 2021-09-29T*
, which matches an entire day.
\n description
- The description of the image (provided during image\n creation).
\n ena-support
- A Boolean that indicates whether enhanced networking\n with ENA is enabled.
\n hypervisor
- The hypervisor type (ovm
|\n xen
).
\n image-id
- The ID of the image.
\n image-type
- The image type (machine
| kernel
|\n ramdisk
).
\n is-public
- A Boolean that indicates whether the image is public.
\n kernel-id
- The kernel ID.
\n manifest-location
- The location of the image manifest.
\n name
- The name of the AMI (provided during image creation).
\n owner-alias
- The owner alias (amazon
| aws-marketplace
). \n The valid aliases are defined in an Amazon-maintained list. This is not the Amazon Web Services account alias that can be \n \tset using the IAM console. We recommend that you use the Owner \n \trequest parameter instead of this filter.
\n owner-id
- The Amazon Web Services account ID of the owner. We recommend that you use the \n \t\tOwner request parameter instead of this filter.
\n platform
- The platform. The only supported value is windows
.
\n product-code
- The product code.
\n product-code.type
- The type of the product code (marketplace
).
\n ramdisk-id
- The RAM disk ID.
\n root-device-name
- The device name of the root device volume (for example, /dev/sda1
).
\n root-device-type
- The type of the root device volume (ebs
|\n instance-store
).
\n state
- The state of the image (available
| pending
\n | failed
).
\n state-reason-code
- The reason code for the state change.
\n state-reason-message
- The message for the state change.
\n sriov-net-support
- A value of simple
indicates\n that enhanced networking with the Intel 82599 VF interface is enabled.
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
\n virtualization-type
- The virtualization type (paravirtual
|\n hvm
).
The filters.
\n\n architecture
- The image architecture (i386
| x86_64
| \n arm64
| x86_64_mac
| arm64_mac
).
\n block-device-mapping.delete-on-termination
- A Boolean value that indicates\n \twhether the Amazon EBS volume is deleted on instance termination.
\n block-device-mapping.device-name
- The device name specified in the block device mapping (for\n example, /dev/sdh
or xvdh
).
\n block-device-mapping.snapshot-id
- The ID of the snapshot used for the Amazon EBS\n volume.
\n block-device-mapping.volume-size
- The volume size of the Amazon EBS volume, in GiB.
\n block-device-mapping.volume-type
- The volume type of the Amazon EBS volume\n (io1
| io2
| gp2
| gp3
| sc1\n
| st1
| standard
).
\n block-device-mapping.encrypted
- A Boolean that indicates whether the Amazon EBS volume is encrypted.
\n creation-date
- The time when the image was created, in the ISO 8601\n format in the UTC time zone (YYYY-MM-DDThh:mm:ss.sssZ), for example,\n 2021-09-29T11:04:43.305Z
. You can use a wildcard (*
), for\n example, 2021-09-29T*
, which matches an entire day.
\n description
- The description of the image (provided during image\n creation).
\n ena-support
- A Boolean that indicates whether enhanced networking\n with ENA is enabled.
\n hypervisor
- The hypervisor type (ovm
|\n xen
).
\n image-id
- The ID of the image.
\n image-type
- The image type (machine
| kernel
|\n ramdisk
).
\n is-public
- A Boolean that indicates whether the image is public.
\n kernel-id
- The kernel ID.
\n manifest-location
- The location of the image manifest.
\n name
- The name of the AMI (provided during image creation).
\n owner-alias
- The owner alias (amazon
| aws-marketplace
). \n The valid aliases are defined in an Amazon-maintained list. This is not the Amazon Web Services account alias that can be \n \tset using the IAM console. We recommend that you use the Owner \n \trequest parameter instead of this filter.
\n owner-id
- The Amazon Web Services account ID of the owner. We recommend that you use the \n \t\tOwner request parameter instead of this filter.
\n platform
- The platform. The only supported value is windows
.
\n product-code
- The product code.
\n product-code.type
- The type of the product code (marketplace
).
\n ramdisk-id
- The RAM disk ID.
\n root-device-name
- The device name of the root device volume (for example, /dev/sda1
).
\n root-device-type
- The type of the root device volume (ebs
|\n instance-store
).
\n state
- The state of the image (available
| pending
\n | failed
).
\n state-reason-code
- The reason code for the state change.
\n state-reason-message
- The message for the state change.
\n sriov-net-support
- A value of simple
indicates\n that enhanced networking with the Intel 82599 VF interface is enabled.
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
\n virtualization-type
- The virtualization type (paravirtual
|\n hvm
).
Describes the status of the specified instances or all of your instances. By default,\n only running instances are described, unless you specifically indicate to return the\n status of all instances.
\nInstance status includes the following components:
\n\n Status checks - Amazon EC2 performs status\n checks on running EC2 instances to identify hardware and software issues. For\n more information, see Status checks for your instances and Troubleshoot\n instances with failed status checks in the Amazon EC2 User\n Guide.
\n\n Scheduled events - Amazon EC2 can schedule\n events (such as reboot, stop, or terminate) for your instances related to\n hardware issues, software updates, or system maintenance. For more information,\n see Scheduled events for your instances in the Amazon EC2 User\n Guide.
\n\n Instance state - You can manage your instances\n from the moment you launch them through their termination. For more information,\n see Instance\n lifecycle in the Amazon EC2 User Guide.
\nOne or more filters. Filter names and values are case-sensitive.
\n\n auto-recovery-supported
- Indicates whether Amazon CloudWatch action based recovery is supported (true
| false
).
\n bare-metal
- Indicates whether it is a bare metal instance type (true
| false
).
\n burstable-performance-supported
- Indicates whether it is a burstable\n performance instance type (true
| false
).
\n current-generation
- Indicates whether this instance type is the latest\n generation instance type of an instance family (true
| false
).
\n ebs-info.ebs-optimized-info.baseline-bandwidth-in-mbps
- The baseline\n bandwidth performance for an EBS-optimized instance type, in Mbps.
\n ebs-info.ebs-optimized-info.baseline-iops
- The baseline input/output storage\n operations per second for an EBS-optimized instance type.
\n ebs-info.ebs-optimized-info.baseline-throughput-in-mbps
- The baseline\n throughput performance for an EBS-optimized instance type, in MB/s.
\n ebs-info.ebs-optimized-info.maximum-bandwidth-in-mbps
- The maximum bandwidth\n performance for an EBS-optimized instance type, in Mbps.
\n ebs-info.ebs-optimized-info.maximum-iops
- The maximum input/output storage\n operations per second for an EBS-optimized instance type.
\n ebs-info.ebs-optimized-info.maximum-throughput-in-mbps
- The maximum\n throughput performance for an EBS-optimized instance type, in MB/s.
\n ebs-info.ebs-optimized-support
- Indicates whether the instance type is\n EBS-optimized (supported
| unsupported
|\n default
).
\n ebs-info.encryption-support
- Indicates whether EBS encryption is supported\n (supported
| unsupported
).
\n ebs-info.nvme-support
- Indicates whether non-volatile memory express (NVMe)\n is supported for EBS volumes (required
| supported
| unsupported
).
\n free-tier-eligible
- Indicates whether the instance type is eligible to use\n in the free tier (true
| false
).
\n hibernation-supported
- Indicates whether On-Demand hibernation is supported (true
| false
).
\n hypervisor
- The hypervisor (nitro
| xen
).
\n instance-storage-info.disk.count
- The number of local disks.
\n instance-storage-info.disk.size-in-gb
- The storage size of each instance storage disk, in\n GB.
\n instance-storage-info.disk.type
- The storage technology for the local\n instance storage disks (hdd
| ssd
).
\n instance-storage-info.encryption-support
- Indicates whether data is encrypted at rest \n (required
| supported
| unsupported
).
\n instance-storage-info.nvme-support
- Indicates whether non-volatile memory\n express (NVMe) is supported for instance store (required
| supported
|\n unsupported
).
\n instance-storage-info.total-size-in-gb
- The total amount of storage available from all local\n instance storage, in GB.
\n instance-storage-supported
- Indicates whether the instance type has local\n instance storage (true
| false
).
\n instance-type
- The instance type (for example c5.2xlarge
or\n c5*).
\n memory-info.size-in-mib
- The memory size.
\n network-info.efa-info.maximum-efa-interfaces
- The maximum number of Elastic \n Fabric Adapters (EFAs) per instance.
\n network-info.efa-supported
- Indicates whether the instance type supports\n Elastic Fabric Adapter (EFA) (true
| false
).
\n network-info.ena-support
- Indicates whether Elastic Network Adapter (ENA) is\n supported or required (required
| supported
|\n unsupported
).
\n network-info.encryption-in-transit-supported
- Indicates whether the instance type \n automatically encrypts in-transit traffic between instances (true
| false
).
\n network-info.ipv4-addresses-per-interface
- The maximum number of private IPv4 addresses per\n network interface.
\n network-info.ipv6-addresses-per-interface
- The maximum number of private IPv6 addresses per\n network interface.
\n network-info.ipv6-supported
- Indicates whether the instance type supports IPv6 (true
| false
).
\n network-info.maximum-network-cards
- The maximum number of network cards per\n instance.
\n network-info.maximum-network-interfaces
- The maximum number of network interfaces per instance.
\n network-info.network-performance
- The network performance (for example, \"25\n Gigabit\").
\n processor-info.supported-architecture
- The CPU architecture\n (arm64
| i386
| x86_64
).
\n processor-info.sustained-clock-speed-in-ghz
- The CPU clock speed, in GHz.
\n supported-boot-mode
- The boot mode (legacy-bios
|\n uefi
).
\n supported-root-device-type
- The root device type (ebs
|\n instance-store
).
\n supported-usage-class
- The usage class (on-demand
|\n spot
).
\n supported-virtualization-type
- The virtualization type (hvm
|\n paravirtual
).
\n vcpu-info.default-cores
- The default number of cores for the instance type.
\n vcpu-info.default-threads-per-core
- The default number of threads per core for the instance\n type.
\n vcpu-info.default-vcpus
- The default number of vCPUs for the instance type.
\n vcpu-info.valid-cores
- The number of cores that can be configured for the instance type.
\n vcpu-info.valid-threads-per-core
- The number of threads per core that can be configured for the instance type.\n For example, \"1\" or \"1,2\".
One or more filters. Filter names and values are case-sensitive.
\n\n auto-recovery-supported
- Indicates whether Amazon CloudWatch action based recovery is supported (true
| false
).
\n bare-metal
- Indicates whether it is a bare metal instance type (true
| false
).
\n burstable-performance-supported
- Indicates whether the instance type is a \n burstable performance T instance type (true
| false
).
\n current-generation
- Indicates whether this instance type is the latest\n generation instance type of an instance family (true
| false
).
\n ebs-info.ebs-optimized-info.baseline-bandwidth-in-mbps
- The baseline\n bandwidth performance for an EBS-optimized instance type, in Mbps.
\n ebs-info.ebs-optimized-info.baseline-iops
- The baseline input/output storage\n operations per second for an EBS-optimized instance type.
\n ebs-info.ebs-optimized-info.baseline-throughput-in-mbps
- The baseline\n throughput performance for an EBS-optimized instance type, in MB/s.
\n ebs-info.ebs-optimized-info.maximum-bandwidth-in-mbps
- The maximum bandwidth\n performance for an EBS-optimized instance type, in Mbps.
\n ebs-info.ebs-optimized-info.maximum-iops
- The maximum input/output storage\n operations per second for an EBS-optimized instance type.
\n ebs-info.ebs-optimized-info.maximum-throughput-in-mbps
- The maximum\n throughput performance for an EBS-optimized instance type, in MB/s.
\n ebs-info.ebs-optimized-support
- Indicates whether the instance type is\n EBS-optimized (supported
| unsupported
|\n default
).
\n ebs-info.encryption-support
- Indicates whether EBS encryption is supported\n (supported
| unsupported
).
\n ebs-info.nvme-support
- Indicates whether non-volatile memory express (NVMe)\n is supported for EBS volumes (required
| supported
| unsupported
).
\n free-tier-eligible
- Indicates whether the instance type is eligible to use\n in the free tier (true
| false
).
\n hibernation-supported
- Indicates whether On-Demand hibernation is supported (true
| false
).
\n hypervisor
- The hypervisor (nitro
| xen
).
\n instance-storage-info.disk.count
- The number of local disks.
\n instance-storage-info.disk.size-in-gb
- The storage size of each instance storage disk, in\n GB.
\n instance-storage-info.disk.type
- The storage technology for the local\n instance storage disks (hdd
| ssd
).
\n instance-storage-info.encryption-support
- Indicates whether data is encrypted at rest \n (required
| supported
| unsupported
).
\n instance-storage-info.nvme-support
- Indicates whether non-volatile memory\n express (NVMe) is supported for instance store (required
| supported
|\n unsupported
).
\n instance-storage-info.total-size-in-gb
- The total amount of storage available from all local\n instance storage, in GB.
\n instance-storage-supported
- Indicates whether the instance type has local\n instance storage (true
| false
).
\n instance-type
- The instance type (for example c5.2xlarge
or\n c5*).
\n memory-info.size-in-mib
- The memory size.
\n network-info.efa-info.maximum-efa-interfaces
- The maximum number of Elastic \n Fabric Adapters (EFAs) per instance.
\n network-info.efa-supported
- Indicates whether the instance type supports\n Elastic Fabric Adapter (EFA) (true
| false
).
\n network-info.ena-support
- Indicates whether Elastic Network Adapter (ENA) is\n supported or required (required
| supported
|\n unsupported
).
\n network-info.encryption-in-transit-supported
- Indicates whether the instance type \n automatically encrypts in-transit traffic between instances (true
| false
).
\n network-info.ipv4-addresses-per-interface
- The maximum number of private IPv4 addresses per\n network interface.
\n network-info.ipv6-addresses-per-interface
- The maximum number of private IPv6 addresses per\n network interface.
\n network-info.ipv6-supported
- Indicates whether the instance type supports IPv6 (true
| false
).
\n network-info.maximum-network-cards
- The maximum number of network cards per\n instance.
\n network-info.maximum-network-interfaces
- The maximum number of network interfaces per instance.
\n network-info.network-performance
- The network performance (for example, \"25\n Gigabit\").
\n nitro-enclaves-support
- Indicates whether Nitro Enclaves is supported (supported
|\n unsupported
).
\n nitro-tpm-support
- Indicates whether NitroTPM is supported (supported
|\n unsupported
).
\n nitro-tpm-info.supported-versions
- The supported NitroTPM version (2.0
).
\n processor-info.supported-architecture
- The CPU architecture\n (arm64
| i386
| x86_64
).
\n processor-info.sustained-clock-speed-in-ghz
- The CPU clock speed, in GHz.
\n processor-info.supported-features
- The supported CPU features (amd-sev-snp
).
\n supported-boot-mode
- The boot mode (legacy-bios
|\n uefi
).
\n supported-root-device-type
- The root device type (ebs
|\n instance-store
).
\n supported-usage-class
- The usage class (on-demand
|\n spot
).
\n supported-virtualization-type
- The virtualization type (hvm
|\n paravirtual
).
\n vcpu-info.default-cores
- The default number of cores for the instance type.
\n vcpu-info.default-threads-per-core
- The default number of threads per core for the instance\n type.
\n vcpu-info.default-vcpus
- The default number of vCPUs for the instance type.
\n vcpu-info.valid-cores
- The number of cores that can be configured for the instance type.
\n vcpu-info.valid-threads-per-core
- The number of threads per core that can be configured for the instance type.\n For example, \"1\" or \"1,2\".
Describes the specified instances or all instances.
\nIf you specify instance IDs, the output includes information for only the specified\n instances. If you specify filters, the output includes information for only those\n instances that meet the filter criteria. If you do not specify instance IDs or filters,\n the output includes information for all instances, which can affect performance. We\n recommend that you use pagination to ensure that the operation returns quickly and\n successfully.
\nIf you specify an instance ID that is not valid, an error is returned. If you specify\n an instance that you do not own, it is not included in the output.
\nRecently terminated instances might appear in the returned results. This interval is\n usually less than one hour.
\nIf you describe instances in the rare case where an Availability Zone is experiencing\n a service disruption and you specify instance IDs that are in the affected zone, or do\n not specify any instance IDs at all, the call fails. If you describe instances and\n specify only instance IDs that are in an unaffected zone, the call works\n normally.
",
+ "smithy.api#examples": [
+ {
+ "title": "To describe an Amazon EC2 instance",
+ "documentation": "This example describes the specified instance.",
+ "input": {
+ "InstanceIds": [
+ "i-1234567890abcdef0"
+ ]
+ },
+ "output": {}
+ }
+ ],
 "smithy.api#paginated": {
 "inputToken": "NextToken",
 "outputToken": "NextToken",
@@ -30584,7 +31419,7 @@
 "Filters": {
 "target": "com.amazonaws.ec2#FilterList",
 "traits": {
- "smithy.api#documentation": "The filters.
\n\n affinity
- The affinity setting for an instance running on a\n Dedicated Host (default
| host
).
\n architecture
- The instance architecture (i386
|\n x86_64
| arm64
).
\n availability-zone
- The Availability Zone of the instance.
\n block-device-mapping.attach-time
- The attach time for an EBS\n volume mapped to the instance, for example,\n 2010-09-15T17:15:20.000Z
.
\n block-device-mapping.delete-on-termination
- A Boolean that\n indicates whether the EBS volume is deleted on instance termination.
\n block-device-mapping.device-name
- The device name specified in the\n block device mapping (for example, /dev/sdh
or\n xvdh
).
\n block-device-mapping.status
- The status for the EBS volume\n (attaching
| attached
| detaching
|\n detached
).
\n block-device-mapping.volume-id
- The volume ID of the EBS\n volume.
\n capacity-reservation-id
- The ID of the Capacity Reservation into which the\n instance was launched.
\n client-token
- The idempotency token you provided when you launched\n the instance.
\n dns-name
- The public DNS name of the instance.
\n hibernation-options.configured
- A Boolean that indicates whether\n the instance is enabled for hibernation. A value of true
means that\n the instance is enabled for hibernation.
\n host-id
- The ID of the Dedicated Host on which the instance is\n running, if applicable.
\n hypervisor
- The hypervisor type of the instance\n (ovm
| xen
). The value xen
is used\n for both Xen and Nitro hypervisors.
\n iam-instance-profile.arn
- The instance profile associated with\n the instance. Specified as an ARN.
\n image-id
- The ID of the image used to launch the\n instance.
\n instance-id
- The ID of the instance.
\n instance-lifecycle
- Indicates whether this is a Spot Instance or\n a Scheduled Instance (spot
| scheduled
).
\n instance-state-code
- The state of the instance, as a 16-bit\n unsigned integer. The high byte is used for internal purposes and should be\n ignored. The low byte is set based on the state represented. The valid values\n are: 0 (pending), 16 (running), 32 (shutting-down), 48 (terminated), 64\n (stopping), and 80 (stopped).
\n instance-state-name
- The state of the instance\n (pending
| running
| shutting-down
|\n terminated
| stopping
|\n stopped
).
\n instance-type
- The type of instance (for example,\n t2.micro
).
\n instance.group-id
- The ID of the security group for the\n instance.
\n instance.group-name
- The name of the security group for the\n instance.
\n ip-address
- The public IPv4 address of the instance.
\n kernel-id
- The kernel ID.
\n key-name
- The name of the key pair used when the instance was\n launched.
\n launch-index
- When launching multiple instances, this is the\n index for the instance in the launch group (for example, 0, 1, 2, and so on).\n
\n launch-time
- The time when the instance was launched, in the ISO\n 8601 format in the UTC time zone (YYYY-MM-DDThh:mm:ss.sssZ), for example,\n 2021-09-29T11:04:43.305Z
. You can use a wildcard\n (*
), for example, 2021-09-29T*
, which matches an\n entire day.
\n metadata-options.http-tokens
- The metadata request authorization\n state (optional
| required
)
\n metadata-options.http-put-response-hop-limit
- The HTTP metadata\n request put response hop limit (integer, possible values 1
to\n 64
)
\n metadata-options.http-endpoint
- The status of access to the HTTP\n metadata endpoint on your instance (enabled
|\n disabled
)
\n metadata-options.instance-metadata-tags
- The status of access to\n instance tags from the instance metadata (enabled
|\n disabled
)
\n monitoring-state
- Indicates whether detailed monitoring is\n enabled (disabled
| enabled
).
\n network-interface.addresses.private-ip-address
- The private IPv4\n address associated with the network interface.
\n network-interface.addresses.primary
- Specifies whether the IPv4\n address of the network interface is the primary private IPv4 address.
\n network-interface.addresses.association.public-ip
- The ID of the\n association of an Elastic IP address (IPv4) with a network interface.
\n network-interface.addresses.association.ip-owner-id
- The owner\n ID of the private IPv4 address associated with the network interface.
\n network-interface.association.public-ip
- The address of the\n Elastic IP address (IPv4) bound to the network interface.
\n network-interface.association.ip-owner-id
- The owner of the\n Elastic IP address (IPv4) associated with the network interface.
\n network-interface.association.allocation-id
- The allocation ID\n returned when you allocated the Elastic IP address (IPv4) for your network\n interface.
\n network-interface.association.association-id
- The association ID\n returned when the network interface was associated with an IPv4 address.
\n network-interface.attachment.attachment-id
- The ID of the\n interface attachment.
\n network-interface.attachment.instance-id
- The ID of the instance\n to which the network interface is attached.
\n network-interface.attachment.instance-owner-id
- The owner ID of\n the instance to which the network interface is attached.
\n network-interface.attachment.device-index
- The device index to\n which the network interface is attached.
\n network-interface.attachment.status
- The status of the\n attachment (attaching
| attached
|\n detaching
| detached
).
\n network-interface.attachment.attach-time
- The time that the\n network interface was attached to an instance.
\n network-interface.attachment.delete-on-termination
- Specifies\n whether the attachment is deleted when an instance is terminated.
\n network-interface.availability-zone
- The Availability Zone for\n the network interface.
\n network-interface.description
- The description of the network\n interface.
\n network-interface.group-id
- The ID of a security group\n associated with the network interface.
\n network-interface.group-name
- The name of a security group\n associated with the network interface.
\n network-interface.ipv6-addresses.ipv6-address
- The IPv6 address\n associated with the network interface.
\n network-interface.mac-address
- The MAC address of the network\n interface.
\n network-interface.network-interface-id
- The ID of the network\n interface.
\n network-interface.owner-id
- The ID of the owner of the network\n interface.
\n network-interface.private-dns-name
- The private DNS name of the\n network interface.
\n network-interface.requester-id
- The requester ID for the network\n interface.
\n network-interface.requester-managed
- Indicates whether the\n network interface is being managed by Amazon Web Services.
\n network-interface.status
- The status of the network interface\n (available
) | in-use
).
\n network-interface.source-dest-check
- Whether the network\n interface performs source/destination checking. A value of true
\n means that checking is enabled, and false
means that checking is\n disabled. The value must be false
for the network interface to\n perform network address translation (NAT) in your VPC.
\n network-interface.subnet-id
- The ID of the subnet for the\n network interface.
\n network-interface.vpc-id
- The ID of the VPC for the network\n interface.
\n outpost-arn
- The Amazon Resource Name (ARN) of the\n Outpost.
\n owner-id
- The Amazon Web Services account ID of the instance\n owner.
\n placement-group-name
- The name of the placement group for the\n instance.
\n placement-partition-number
- The partition in which the instance is\n located.
\n platform
- The platform. To list only Windows instances, use\n windows
.
\n private-dns-name
- The private IPv4 DNS name of the\n instance.
\n private-ip-address
- The private IPv4 address of the\n instance.
\n product-code
- The product code associated with the AMI used to\n launch the instance.
\n product-code.type
- The type of product code (devpay
|\n marketplace
).
\n ramdisk-id
- The RAM disk ID.
\n reason
- The reason for the current state of the instance (for\n example, shows \"User Initiated [date]\" when you stop or terminate the instance).\n Similar to the state-reason-code filter.
\n requester-id
- The ID of the entity that launched the instance on\n your behalf (for example, Amazon Web Services Management Console, Auto Scaling, and so\n on).
\n reservation-id
- The ID of the instance's reservation. A\n reservation ID is created any time you launch an instance. A reservation ID has\n a one-to-one relationship with an instance launch request, but can be associated\n with more than one instance if you launch multiple instances using the same\n launch request. For example, if you launch one instance, you get one reservation\n ID. If you launch ten instances using the same launch request, you also get one\n reservation ID.
\n root-device-name
- The device name of the root device volume (for\n example, /dev/sda1
).
\n root-device-type
- The type of the root device volume\n (ebs
| instance-store
).
\n source-dest-check
- Indicates whether the instance performs\n source/destination checking. A value of true
means that checking is\n enabled, and false
means that checking is disabled. The value must\n be false
for the instance to perform network address translation\n (NAT) in your VPC.
\n spot-instance-request-id
- The ID of the Spot Instance\n request.
\n state-reason-code
- The reason code for the state change.
\n state-reason-message
- A message that describes the state\n change.
\n subnet-id
- The ID of the subnet for the instance.
\n tag:
- The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value.\n For example, to find all resources that have a tag with the key Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources that have a tag with a specific key, regardless of the tag value.
\n tenancy
- The tenancy of an instance (dedicated
|\n default
| host
).
\n virtualization-type
- The virtualization type of the instance\n (paravirtual
| hvm
).
\n vpc-id
- The ID of the VPC that the instance is running in.
The filters.
\n\n affinity
- The affinity setting for an instance running on a\n Dedicated Host (default
| host
).
\n architecture
- The instance architecture (i386
|\n x86_64
| arm64
).
\n availability-zone
- The Availability Zone of the instance.
\n block-device-mapping.attach-time
- The attach time for an EBS\n volume mapped to the instance, for example,\n 2022-09-15T17:15:20.000Z
.
\n block-device-mapping.delete-on-termination
- A Boolean that\n indicates whether the EBS volume is deleted on instance termination.
\n block-device-mapping.device-name
- The device name specified in\n the block device mapping (for example, /dev/sdh
or\n xvdh
).
\n block-device-mapping.status
- The status for the EBS volume\n (attaching
| attached
| detaching
|\n detached
).
\n block-device-mapping.volume-id
- The volume ID of the EBS\n volume.
\n boot-mode
- The boot mode that was specified by the AMI\n (legacy-bios
| uefi
|\n uefi-preferred
).
\n capacity-reservation-id
- The ID of the Capacity Reservation into which the\n instance was launched.
\n capacity-reservation-specification.capacity-reservation-preference
\n - The instance's Capacity Reservation preference (open
| none
).
\n capacity-reservation-specification.capacity-reservation-target.capacity-reservation-id
\n - The ID of the targeted Capacity Reservation.
\n capacity-reservation-specification.capacity-reservation-target.capacity-reservation-resource-group-arn
\n - The ARN of the targeted Capacity Reservation group.
\n client-token
- The idempotency token you provided when you\n launched the instance.
\n current-instance-boot-mode
- The boot mode that is used to launch\n the instance at launch or start (legacy-bios
|\n uefi
).
\n dns-name
- The public DNS name of the instance.
\n ebs-optimized
- A Boolean that indicates whether the instance is\n optimized for Amazon EBS I/O.
\n ena-support
- A Boolean that indicates whether the instance is\n enabled for enhanced networking with ENA.
\n enclave-options.enabled
- A Boolean that indicates whether the\n instance is enabled for Amazon Web Services Nitro Enclaves.
\n hibernation-options.configured
- A Boolean that indicates whether\n the instance is enabled for hibernation. A value of true
means that\n the instance is enabled for hibernation.
\n host-id
- The ID of the Dedicated Host on which the instance is\n running, if applicable.
\n hypervisor
- The hypervisor type of the instance\n (ovm
| xen
). The value xen
is used\n for both Xen and Nitro hypervisors.
\n iam-instance-profile.arn
- The instance profile associated with\n the instance. Specified as an ARN.
\n iam-instance-profile.id
- The instance profile associated with\n the instance. Specified as an ID.
\n iam-instance-profile.name
- The instance profile associated with\n the instance. Specified as an name.
\n image-id
- The ID of the image used to launch the\n instance.
\n instance-id
- The ID of the instance.
\n instance-lifecycle
- Indicates whether this is a Spot Instance or\n a Scheduled Instance (spot
| scheduled
).
\n instance-state-code
- The state of the instance, as a 16-bit\n unsigned integer. The high byte is used for internal purposes and should be\n ignored. The low byte is set based on the state represented. The valid values\n are: 0 (pending), 16 (running), 32 (shutting-down), 48 (terminated), 64\n (stopping), and 80 (stopped).
\n instance-state-name
- The state of the instance\n (pending
| running
| shutting-down
|\n terminated
| stopping
|\n stopped
).
\n instance-type
- The type of instance (for example,\n t2.micro
).
\n instance.group-id
- The ID of the security group for the\n instance.
\n instance.group-name
- The name of the security group for the\n instance.
\n ip-address
- The public IPv4 address of the instance.
\n ipv6-address
- The IPv6 address of the instance.
\n kernel-id
- The kernel ID.
\n key-name
- The name of the key pair used when the instance was\n launched.
\n launch-index
- When launching multiple instances, this is the\n index for the instance in the launch group (for example, 0, 1, 2, and so on).\n
\n launch-time
- The time when the instance was launched, in the ISO\n 8601 format in the UTC time zone (YYYY-MM-DDThh:mm:ss.sssZ), for example,\n 2021-09-29T11:04:43.305Z
. You can use a wildcard\n (*
), for example, 2021-09-29T*
, which matches an\n entire day.
\n license-pool
-
\n maintenance-options.auto-recovery
- The current automatic\n recovery behavior of the instance (disabled
| default
).
\n metadata-options.http-endpoint
- The status of access to the HTTP\n metadata endpoint on your instance (enabled
|\n disabled
)
\n metadata-options.http-protocol-ipv4
- Indicates whether the IPv4\n endpoint is enabled (disabled
| enabled
).
\n metadata-options.http-protocol-ipv6
- Indicates whether the IPv6\n endpoint is enabled (disabled
| enabled
).
\n metadata-options.http-put-response-hop-limit
- The HTTP metadata\n request put response hop limit (integer, possible values 1
to\n 64
)
\n metadata-options.http-tokens
- The metadata request authorization\n state (optional
| required
)
\n metadata-options.instance-metadata-tags
- The status of access to\n instance tags from the instance metadata (enabled
|\n disabled
)
\n metadata-options.state
- The state of the metadata option changes\n (pending
| applied
).
\n monitoring-state
- Indicates whether detailed monitoring is\n enabled (disabled
| enabled
).
\n network-interface.addresses.primary
- Specifies whether the IPv4\n address of the network interface is the primary private IPv4 address.
\n network-interface.addresses.private-ip-address
- The private IPv4\n address associated with the network interface.
\n network-interface.addresses.association.public-ip
- The ID of the\n association of an Elastic IP address (IPv4) with a network interface.
\n network-interface.addresses.association.ip-owner-id
- The owner\n ID of the private IPv4 address associated with the network interface.
\n network-interface.association.public-ip
- The address of the\n Elastic IP address (IPv4) bound to the network interface.
\n network-interface.association.ip-owner-id
- The owner of the\n Elastic IP address (IPv4) associated with the network interface.
\n network-interface.association.allocation-id
- The allocation ID\n returned when you allocated the Elastic IP address (IPv4) for your network\n interface.
\n network-interface.association.association-id
- The association ID\n returned when the network interface was associated with an IPv4 address.
\n network-interface.attachment.attachment-id
- The ID of the\n interface attachment.
\n network-interface.attachment.instance-id
- The ID of the instance\n to which the network interface is attached.
\n network-interface.attachment.instance-owner-id
- The owner ID of\n the instance to which the network interface is attached.
\n network-interface.attachment.device-index
- The device index to\n which the network interface is attached.
\n network-interface.attachment.status
- The status of the\n attachment (attaching
| attached
|\n detaching
| detached
).
\n network-interface.attachment.attach-time
- The time that the\n network interface was attached to an instance.
\n network-interface.attachment.delete-on-termination
- Specifies\n whether the attachment is deleted when an instance is terminated.
\n network-interface.availability-zone
- The Availability Zone for\n the network interface.
\n network-interface.description
- The description of the network\n interface.
\n network-interface.group-id
- The ID of a security group\n associated with the network interface.
\n network-interface.group-name
- The name of a security group\n associated with the network interface.
\n network-interface.ipv6-addresses.ipv6-address
- The IPv6 address\n associated with the network interface.
\n network-interface.mac-address
- The MAC address of the network\n interface.
\n network-interface.network-interface-id
- The ID of the network\n interface.
\n network-interface.owner-id
- The ID of the owner of the network\n interface.
\n network-interface.private-dns-name
- The private DNS name of the\n network interface.
\n network-interface.requester-id
- The requester ID for the network\n interface.
\n network-interface.requester-managed
- Indicates whether the\n network interface is being managed by Amazon Web Services.
\n network-interface.status
- The status of the network interface\n (available
) | in-use
).
\n network-interface.source-dest-check
- Whether the network\n interface performs source/destination checking. A value of true
\n means that checking is enabled, and false
means that checking is\n disabled. The value must be false
for the network interface to\n perform network address translation (NAT) in your VPC.
\n network-interface.subnet-id
- The ID of the subnet for the\n network interface.
\n network-interface.vpc-id
- The ID of the VPC for the network\n interface.
\n outpost-arn
- The Amazon Resource Name (ARN) of the\n Outpost.
\n owner-id
- The Amazon Web Services account ID of the instance\n owner.
\n placement-group-name
- The name of the placement group for the\n instance.
\n placement-partition-number
- The partition in which the instance is\n located.
\n platform
- The platform. To list only Windows instances, use\n windows
.
\n platform-details
- The platform (Linux/UNIX
|\n Red Hat BYOL Linux
| Red Hat Enterprise Linux
|\n Red Hat Enterprise Linux with HA
| Red Hat Enterprise\n Linux with SQL Server Standard and HA
| Red Hat Enterprise\n Linux with SQL Server Enterprise and HA
| Red Hat Enterprise\n Linux with SQL Server Standard
| Red Hat Enterprise Linux with\n SQL Server Web
| Red Hat Enterprise Linux with SQL Server\n Enterprise
| SQL Server Enterprise
| SQL Server\n Standard
| SQL Server Web
| SUSE Linux
|\n Ubuntu Pro
| Windows
| Windows BYOL
|\n Windows with SQL Server Enterprise
| Windows with SQL\n Server Standard
| Windows with SQL Server Web
).
\n private-dns-name
- The private IPv4 DNS name of the\n instance.
\n private-dns-name-options.enable-resource-name-dns-a-record
- A\n Boolean that indicates whether to respond to DNS queries for instance hostnames\n with DNS A records.
\n private-dns-name-options.enable-resource-name-dns-aaaa-record
- A\n Boolean that indicates whether to respond to DNS queries for instance hostnames\n with DNS AAAA records.
\n private-dns-name-options.hostname-type
- The type of hostname\n (ip-name
| resource-name
).
\n private-ip-address
- The private IPv4 address of the\n instance.
\n product-code
- The product code associated with the AMI used to\n launch the instance.
\n product-code.type
- The type of product code (devpay
\n | marketplace
).
\n ramdisk-id
- The RAM disk ID.
\n reason
- The reason for the current state of the instance (for\n example, shows \"User Initiated [date]\" when you stop or terminate the instance).\n Similar to the state-reason-code filter.
\n requester-id
- The ID of the entity that launched the instance on\n your behalf (for example, Amazon Web Services Management Console, Auto Scaling, and so\n on).
\n reservation-id
- The ID of the instance's reservation. A\n reservation ID is created any time you launch an instance. A reservation ID has\n a one-to-one relationship with an instance launch request, but can be associated\n with more than one instance if you launch multiple instances using the same\n launch request. For example, if you launch one instance, you get one reservation\n ID. If you launch ten instances using the same launch request, you also get one\n reservation ID.
\n root-device-name
- The device name of the root device volume (for\n example, /dev/sda1
).
\n root-device-type
- The type of the root device volume\n (ebs
| instance-store
).
\n source-dest-check
- Indicates whether the instance performs\n source/destination checking. A value of true
means that checking is\n enabled, and false
means that checking is disabled. The value must\n be false
for the instance to perform network address translation\n (NAT) in your VPC.
\n spot-instance-request-id
- The ID of the Spot Instance\n request.
\n state-reason-code
- The reason code for the state change.
\n state-reason-message
- A message that describes the state\n change.
\n subnet-id
- The ID of the subnet for the instance.
\n tag:
- The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value.\n For example, to find all resources that have a tag with the key Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources that have a tag with a specific key, regardless of the tag value.
\n tenancy
- The tenancy of an instance (dedicated
|\n default
| host
).
\n tpm-support
- Indicates if the instance is configured for\n NitroTPM support (v2.0
).
\n usage-operation
- The usage operation value for the instance\n (RunInstances
| RunInstances:00g0
|\n RunInstances:0010
| RunInstances:1010
|\n RunInstances:1014
| RunInstances:1110
|\n RunInstances:0014
| RunInstances:0210
|\n RunInstances:0110
| RunInstances:0100
|\n RunInstances:0004
| RunInstances:0200
|\n RunInstances:000g
| RunInstances:0g00
|\n RunInstances:0002
| RunInstances:0800
|\n RunInstances:0102
| RunInstances:0006
|\n RunInstances:0202
).
\n usage-operation-update-time
- The time that the usage operation\n was last updated, for example, 2022-09-15T17:15:20.000Z
.
\n virtualization-type
- The virtualization type of the instance\n (paravirtual
| hvm
).
\n vpc-id
- The ID of the VPC that the instance is running in.
Describes one or more of your internet gateways.
", + "smithy.api#examples": [ + { + "title": "To describe the Internet gateway for a VPC", + "documentation": "This example describes the Internet gateway for the specified VPC.", + "input": { + "Filters": [ + { + "Name": "attachment.vpc-id", + "Values": [ + "vpc-a01106c2" + ] + } + ] + }, + "output": { + "InternetGateways": [ + { + "Tags": [], + "InternetGatewayId": "igw-c0a643a9", + "Attachments": [ + { + "State": "attached", + "VpcId": "vpc-a01106c2" + } + ] + } + ] + } + } + ], "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -30712,7 +31577,7 @@ "Filters": { "target": "com.amazonaws.ec2#FilterList", "traits": { - "smithy.api#documentation": "One or more filters.
\n\n attachment.state
- The current state of the attachment between the gateway\n and the VPC (available
). Present only if a VPC is attached.
\n attachment.vpc-id
- The ID of an attached VPC.
\n internet-gateway-id
- The ID of the Internet gateway.
\n owner-id
- The ID of the Amazon Web Services account that owns the internet gateway.
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
The filters.
\n\n attachment.state
- The current state of the attachment between the gateway\n and the VPC (available
). Present only if a VPC is attached.
\n attachment.vpc-id
- The ID of an attached VPC.
\n internet-gateway-id
- The ID of the Internet gateway.
\n owner-id
- The ID of the Amazon Web Services account that owns the internet gateway.
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
One or more internet gateway IDs.
\nDefault: Describes all your internet gateways.
", + "smithy.api#documentation": "The IDs of the internet gateways.
\nDefault: Describes all your internet gateways.
", "smithy.api#xmlName": "internetGatewayId" } }, @@ -31303,6 +32168,25 @@ }, "traits": { "smithy.api#documentation": "Describes the specified key pairs or all of your key pairs.
\nFor more information about key pairs, see Amazon EC2 key pairs \n\t\t\t\tin the Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#examples": [ + { + "title": "To display a key pair", + "documentation": "This example displays the fingerprint for the specified key.", + "input": { + "KeyNames": [ + "my-key-pair" + ] + }, + "output": { + "KeyPairs": [ + { + "KeyName": "my-key-pair", + "KeyFingerprint": "1f:51:ae:28:bf:89:e9:d8:1f:25:5d:37:2d:7d:b8:ca:9f:f5:f1:6f" + } + ] + } + } + ], "smithy.api#suppress": [ "WaitableTraitInvalidErrorType" ], @@ -31404,6 +32288,66 @@ }, "traits": { "smithy.api#documentation": "Describes one or more versions of a specified launch template. You can describe all\n versions, individual versions, or a range of versions. You can also describe all the\n latest versions or all the default versions of all the launch templates in your\n account.
", + "smithy.api#examples": [ + { + "title": "To describe the versions for a launch template", + "documentation": "This example describes the versions for the specified launch template.", + "input": { + "LaunchTemplateId": "068f72b72934aff71" + }, + "output": { + "LaunchTemplateVersions": [ + { + "LaunchTemplateId": "lt-068f72b72934aff71", + "LaunchTemplateName": "Webservers", + "VersionNumber": 2, + "CreatedBy": "arn:aws:iam::123456789102:root", + "LaunchTemplateData": { + "KeyName": "kp-us-east", + "ImageId": "ami-6057e21a", + "InstanceType": "t2.medium", + "NetworkInterfaces": [ + { + "SubnetId": "subnet-1a2b3c4d", + "DeviceIndex": 0, + "Groups": [ + "sg-7c227019" + ] + } + ] + }, + "DefaultVersion": false, + "CreateTime": "2017-11-20T13:12:32.000Z" + }, + { + "LaunchTemplateId": "lt-068f72b72934aff71", + "LaunchTemplateName": "Webservers", + "VersionNumber": 1, + "CreatedBy": "arn:aws:iam::123456789102:root", + "LaunchTemplateData": { + "UserData": "", + "KeyName": "kp-us-east", + "ImageId": "ami-aabbcc11", + "InstanceType": "t2.medium", + "NetworkInterfaces": [ + { + "SubnetId": "subnet-7b16de0c", + "DeviceIndex": 0, + "DeleteOnTermination": false, + "Groups": [ + "sg-7c227019" + ], + "AssociatePublicIpAddress": true + } + ] + }, + "DefaultVersion": true, + "CreateTime": "2017-11-20T12:52:33.000Z" + } + ] + } + } + ], "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -31522,6 +32466,29 @@ }, "traits": { "smithy.api#documentation": "Describes one or more launch templates.
", + "smithy.api#examples": [ + { + "title": "To describe a launch template", + "documentation": "This example describes the specified launch template.", + "input": { + "LaunchTemplateIds": [ + "lt-01238c059e3466abc" + ] + }, + "output": { + "LaunchTemplates": [ + { + "LatestVersionNumber": 1, + "LaunchTemplateName": "my-template", + "LaunchTemplateId": "lt-01238c059e3466abc", + "CreatedBy": "arn:aws:iam::123456789012:root", + "CreateTime": "2018-01-16T04:32:57.000Z", + "DefaultVersionNumber": 1 + } + ] + } + } + ], "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -32227,6 +33194,20 @@ }, "traits": { "smithy.api#documentation": "This action is deprecated.
\nDescribes your Elastic IP addresses that are being moved from or being restored to the EC2-Classic platform. \n This request does not return information about any other Elastic IP addresses in your account.
", + "smithy.api#examples": [ + { + "title": "To describe your moving addresses", + "documentation": "This example describes all of your moving Elastic IP addresses.", + "output": { + "MovingAddressStatuses": [ + { + "PublicIp": "198.51.100.0", + "MoveStatus": "movingToVpc" + } + ] + } + } + ], "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -32331,6 +33312,41 @@ }, "traits": { "smithy.api#documentation": "Describes one or more of your NAT gateways.
", + "smithy.api#examples": [ + { + "title": "To describe a NAT gateway", + "documentation": "This example describes the NAT gateway for the specified VPC.", + "input": { + "Filter": [ + { + "Name": "vpc-id", + "Values": [ + "vpc-1a2b3c4d" + ] + } + ] + }, + "output": { + "NatGateways": [ + { + "NatGatewayAddresses": [ + { + "PublicIp": "198.11.222.333", + "NetworkInterfaceId": "eni-9dec76cd", + "AllocationId": "eipalloc-89c620ec", + "PrivateIp": "10.0.0.149" + } + ], + "VpcId": "vpc-1a2b3c4d", + "State": "available", + "NatGatewayId": "nat-05dba92075d71c408", + "SubnetId": "subnet-847e4dc2", + "CreateTime": "2015-12-01T12:26:55.983Z" + } + ] + } + } + ], "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -32440,7 +33456,7 @@ "Filter": { "target": "com.amazonaws.ec2#FilterList", "traits": { - "smithy.api#documentation": "One or more filters.
\n\n nat-gateway-id
- The ID of the NAT gateway.
\n state
- The state of the NAT gateway (pending
|\n failed
| available
| deleting
| deleted
).
\n subnet-id
- The ID of the subnet in which the NAT gateway resides.
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
\n vpc-id
- The ID of the VPC in which the NAT gateway resides.
The filters.
\n\n nat-gateway-id
- The ID of the NAT gateway.
\n state
- The state of the NAT gateway (pending
|\n failed
| available
| deleting
| deleted
).
\n subnet-id
- The ID of the subnet in which the NAT gateway resides.
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
\n vpc-id
- The ID of the VPC in which the NAT gateway resides.
One or more NAT gateway IDs.
", + "smithy.api#documentation": "The IDs of the NAT gateways.
", "smithy.api#xmlName": "NatGatewayId" } }, @@ -32502,7 +33518,51 @@ "target": "com.amazonaws.ec2#DescribeNetworkAclsResult" }, "traits": { - "smithy.api#documentation": "Describes one or more of your network ACLs.
\nFor more information, see Network ACLs in the\n\t\t\t\tAmazon Virtual Private Cloud User Guide.
", + "smithy.api#documentation": "Describes one or more of your network ACLs.
\nFor more information, see Network ACLs in the\n\t\t\t\tAmazon VPC User Guide.
", + "smithy.api#examples": [ + { + "title": "To describe a network ACL", + "documentation": "This example describes the specified network ACL.", + "input": { + "NetworkAclIds": [ + "acl-5fb85d36" + ] + }, + "output": { + "NetworkAcls": [ + { + "Associations": [ + { + "SubnetId": "subnet-65ea5f08", + "NetworkAclId": "acl-9aeb5ef7", + "NetworkAclAssociationId": "aclassoc-66ea5f0b" + } + ], + "NetworkAclId": "acl-5fb85d36", + "VpcId": "vpc-a01106c2", + "Tags": [], + "Entries": [ + { + "CidrBlock": "0.0.0.0/0", + "RuleNumber": 32767, + "Protocol": "-1", + "Egress": true, + "RuleAction": "deny" + }, + { + "CidrBlock": "0.0.0.0/0", + "RuleNumber": 32767, + "Protocol": "-1", + "Egress": false, + "RuleAction": "deny" + } + ], + "IsDefault": false + } + ] + } + } + ], "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -32527,7 +33587,7 @@ "Filters": { "target": "com.amazonaws.ec2#FilterList", "traits": { - "smithy.api#documentation": "One or more filters.
\n\n association.association-id
- The ID of an association ID for the ACL.
\n association.network-acl-id
- The ID of the network ACL involved in the association.
\n association.subnet-id
- The ID of the subnet involved in the association.
\n default
- Indicates whether the ACL is the default network ACL for the VPC.
\n entry.cidr
- The IPv4 CIDR range specified in the entry.
\n entry.icmp.code
- The ICMP code specified in the entry, if any.
\n entry.icmp.type
- The ICMP type specified in the entry, if any.
\n entry.ipv6-cidr
- The IPv6 CIDR range specified in the entry.
\n entry.port-range.from
- The start of the port range specified in the entry.
\n entry.port-range.to
- The end of the port range specified in the entry.
\n entry.protocol
- The protocol specified in the entry (tcp
| udp
| icmp
or a protocol number).
\n entry.rule-action
- Allows or denies the matching traffic (allow
| deny
).
\n entry.egress
- A Boolean that indicates the type of rule. Specify true
\n\t\t for egress rules, or false
for ingress rules.
\n entry.rule-number
- The number of an entry (in other words, rule) in\n the set of ACL entries.
\n network-acl-id
- The ID of the network ACL.
\n owner-id
- The ID of the Amazon Web Services account that owns the network ACL.
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
\n vpc-id
- The ID of the VPC for the network ACL.
The filters.
\n\n association.association-id
- The ID of an association ID for the ACL.
\n association.network-acl-id
- The ID of the network ACL involved in the association.
\n association.subnet-id
- The ID of the subnet involved in the association.
\n default
- Indicates whether the ACL is the default network ACL for the VPC.
\n entry.cidr
- The IPv4 CIDR range specified in the entry.
\n entry.icmp.code
- The ICMP code specified in the entry, if any.
\n entry.icmp.type
- The ICMP type specified in the entry, if any.
\n entry.ipv6-cidr
- The IPv6 CIDR range specified in the entry.
\n entry.port-range.from
- The start of the port range specified in the entry.
\n entry.port-range.to
- The end of the port range specified in the entry.
\n entry.protocol
- The protocol specified in the entry (tcp
| udp
| icmp
or a protocol number).
\n entry.rule-action
- Allows or denies the matching traffic (allow
| deny
).
\n entry.egress
- A Boolean that indicates the type of rule. Specify true
\n\t\t for egress rules, or false
for ingress rules.
\n entry.rule-number
- The number of an entry (in other words, rule) in\n the set of ACL entries.
\n network-acl-id
- The ID of the network ACL.
\n owner-id
- The ID of the Amazon Web Services account that owns the network ACL.
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
\n vpc-id
- The ID of the VPC for the network ACL.
One or more network ACL IDs.
\nDefault: Describes all your network ACLs.
", + "smithy.api#documentation": "The IDs of the network ACLs.
\nDefault: Describes all your network ACLs.
", "smithy.api#xmlName": "NetworkAclId" } }, @@ -33169,6 +34229,70 @@ }, "traits": { "smithy.api#documentation": "Describes one or more of your network interfaces.
", + "smithy.api#examples": [ + { + "title": "To describe a network interface", + "documentation": "", + "input": { + "NetworkInterfaceIds": [ + "eni-e5aa89a3" + ] + }, + "output": { + "NetworkInterfaces": [ + { + "Status": "in-use", + "MacAddress": "02:2f:8f:b0:cf:75", + "SourceDestCheck": true, + "VpcId": "vpc-a01106c2", + "Description": "my network interface", + "Association": { + "PublicIp": "203.0.113.12", + "AssociationId": "eipassoc-0fbb766a", + "PublicDnsName": "ec2-203-0-113-12.compute-1.amazonaws.com", + "IpOwnerId": "123456789012" + }, + "NetworkInterfaceId": "eni-e5aa89a3", + "PrivateIpAddresses": [ + { + "PrivateDnsName": "ip-10-0-1-17.ec2.internal", + "Association": { + "PublicIp": "203.0.113.12", + "AssociationId": "eipassoc-0fbb766a", + "PublicDnsName": "ec2-203-0-113-12.compute-1.amazonaws.com", + "IpOwnerId": "123456789012" + }, + "Primary": true, + "PrivateIpAddress": "10.0.1.17" + } + ], + "RequesterManaged": false, + "PrivateDnsName": "ip-10-0-1-17.ec2.internal", + "AvailabilityZone": "us-east-1d", + "Attachment": { + "Status": "attached", + "DeviceIndex": 1, + "AttachTime": "2013-11-30T23:36:42.000Z", + "InstanceId": "i-1234567890abcdef0", + "DeleteOnTermination": false, + "AttachmentId": "eni-attach-66c4350a", + "InstanceOwnerId": "123456789012" + }, + "Groups": [ + { + "GroupName": "default", + "GroupId": "sg-8637d3e3" + } + ], + "SubnetId": "subnet-b61f49f0", + "OwnerId": "123456789012", + "TagSet": [], + "PrivateIpAddress": "10.0.1.17" + } + ] + } + } + ], "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -33615,7 +34739,61 @@ "target": "com.amazonaws.ec2#DescribeRegionsResult" }, "traits": { - "smithy.api#documentation": "Describes the Regions that are enabled for your account, or all Regions.
\nFor a list of the Regions supported by Amazon EC2, see \n Amazon Elastic Compute Cloud endpoints and quotas.
\nFor information about enabling and disabling Regions for your account, see Managing Amazon Web Services Regions in the Amazon Web Services General Reference.
" + "smithy.api#documentation": "Describes the Regions that are enabled for your account, or all Regions.
\nFor a list of the Regions supported by Amazon EC2, see \n Amazon Elastic Compute Cloud endpoints and quotas.
\nFor information about enabling and disabling Regions for your account, see Managing Amazon Web Services Regions in the Amazon Web Services General Reference.
", + "smithy.api#examples": [ + { + "title": "To describe your regions", + "documentation": "This example describes all the regions that are available to you.", + "output": { + "Regions": [ + { + "Endpoint": "ec2.ap-south-1.amazonaws.com", + "RegionName": "ap-south-1" + }, + { + "Endpoint": "ec2.eu-west-1.amazonaws.com", + "RegionName": "eu-west-1" + }, + { + "Endpoint": "ec2.ap-southeast-1.amazonaws.com", + "RegionName": "ap-southeast-1" + }, + { + "Endpoint": "ec2.ap-southeast-2.amazonaws.com", + "RegionName": "ap-southeast-2" + }, + { + "Endpoint": "ec2.eu-central-1.amazonaws.com", + "RegionName": "eu-central-1" + }, + { + "Endpoint": "ec2.ap-northeast-2.amazonaws.com", + "RegionName": "ap-northeast-2" + }, + { + "Endpoint": "ec2.ap-northeast-1.amazonaws.com", + "RegionName": "ap-northeast-1" + }, + { + "Endpoint": "ec2.us-east-1.amazonaws.com", + "RegionName": "us-east-1" + }, + { + "Endpoint": "ec2.sa-east-1.amazonaws.com", + "RegionName": "sa-east-1" + }, + { + "Endpoint": "ec2.us-west-1.amazonaws.com", + "RegionName": "us-west-1" + }, + { + "Endpoint": "ec2.us-west-2.amazonaws.com", + "RegionName": "us-west-2" + } + ] + } + } + ] } }, "com.amazonaws.ec2#DescribeRegionsRequest": { @@ -34155,7 +35333,42 @@ "target": "com.amazonaws.ec2#DescribeRouteTablesResult" }, "traits": { - "smithy.api#documentation": "Describes one or more of your route tables.
\nEach subnet in your VPC must be associated with a route table. If a subnet is not explicitly associated with any route table, it is implicitly associated with the main route table. This command does not return the subnet ID for implicit associations.
\nFor more information, see Route tables in the\n\t\t\t\tAmazon Virtual Private Cloud User Guide.
", + "smithy.api#documentation": "Describes one or more of your route tables.
\nEach subnet in your VPC must be associated with a route table. If a subnet is not explicitly associated with any route table, it is implicitly associated with the main route table. This command does not return the subnet ID for implicit associations.
\nFor more information, see Route tables in the\n\t\t\t\tAmazon VPC User Guide.
", + "smithy.api#examples": [ + { + "title": "To describe a route table", + "documentation": "This example describes the specified route table.", + "input": { + "RouteTableIds": [ + "rtb-1f382e7d" + ] + }, + "output": { + "RouteTables": [ + { + "Associations": [ + { + "RouteTableAssociationId": "rtbassoc-d8ccddba", + "Main": true, + "RouteTableId": "rtb-1f382e7d" + } + ], + "RouteTableId": "rtb-1f382e7d", + "VpcId": "vpc-a01106c2", + "PropagatingVgws": [], + "Tags": [], + "Routes": [ + { + "GatewayId": "local", + "DestinationCidrBlock": "10.0.0.0/16", + "State": "active" + } + ] + } + ] + } + } + ], "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -34180,7 +35393,7 @@ "Filters": { "target": "com.amazonaws.ec2#FilterList", "traits": { - "smithy.api#documentation": "One or more filters.
\n\n association.route-table-association-id
- The ID of an association\n ID for the route table.
\n association.route-table-id
- The ID of the route table involved in\n the association.
\n association.subnet-id
- The ID of the subnet involved in the\n association.
\n association.main
- Indicates whether the route table is the main\n route table for the VPC (true
| false
). Route tables\n that do not have an association ID are not returned in the response.
\n owner-id
- The ID of the Amazon Web Services account that owns the route table.
\n route-table-id
- The ID of the route table.
\n route.destination-cidr-block
- The IPv4 CIDR range specified in a\n route in the table.
\n route.destination-ipv6-cidr-block
- The IPv6 CIDR range specified in a route in the route table.
\n route.destination-prefix-list-id
- The ID (prefix) of the Amazon Web Service\n specified in a route in the table.
\n route.egress-only-internet-gateway-id
- The ID of an\n egress-only Internet gateway specified in a route in the route table.
\n route.gateway-id
- The ID of a gateway specified in a route in the table.
\n route.instance-id
- The ID of an instance specified in a route in the table.
\n route.nat-gateway-id
- The ID of a NAT gateway.
\n route.transit-gateway-id
- The ID of a transit gateway.
\n route.origin
- Describes how the route was created. \n CreateRouteTable
indicates that the route was automatically\n created when the route table was created; CreateRoute
indicates\n that the route was manually added to the route table;\n EnableVgwRoutePropagation
indicates that the route was\n propagated by route propagation.
\n route.state
- The state of a route in the route table\n (active
| blackhole
). The blackhole state\n indicates that the route's target isn't available (for example, the specified\n gateway isn't attached to the VPC, the specified NAT instance has been\n terminated, and so on).
\n route.vpc-peering-connection-id
- The ID of a VPC peering\n\t\t connection specified in a route in the table.
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
\n vpc-id
- The ID of the VPC for the route table.
The filters.
\n\n association.route-table-association-id
- The ID of an association\n ID for the route table.
\n association.route-table-id
- The ID of the route table involved in\n the association.
\n association.subnet-id
- The ID of the subnet involved in the\n association.
\n association.main
- Indicates whether the route table is the main\n route table for the VPC (true
| false
). Route tables\n that do not have an association ID are not returned in the response.
\n owner-id
- The ID of the Amazon Web Services account that owns the route table.
\n route-table-id
- The ID of the route table.
\n route.destination-cidr-block
- The IPv4 CIDR range specified in a\n route in the table.
\n route.destination-ipv6-cidr-block
- The IPv6 CIDR range specified in a route in the route table.
\n route.destination-prefix-list-id
- The ID (prefix) of the Amazon Web Service\n specified in a route in the table.
\n route.egress-only-internet-gateway-id
- The ID of an\n egress-only Internet gateway specified in a route in the route table.
\n route.gateway-id
- The ID of a gateway specified in a route in the table.
\n route.instance-id
- The ID of an instance specified in a route in the table.
\n route.nat-gateway-id
- The ID of a NAT gateway.
\n route.transit-gateway-id
- The ID of a transit gateway.
\n route.origin
- Describes how the route was created. \n CreateRouteTable
indicates that the route was automatically\n created when the route table was created; CreateRoute
indicates\n that the route was manually added to the route table;\n EnableVgwRoutePropagation
indicates that the route was\n propagated by route propagation.
\n route.state
- The state of a route in the route table\n (active
| blackhole
). The blackhole state\n indicates that the route's target isn't available (for example, the specified\n gateway isn't attached to the VPC, the specified NAT instance has been\n terminated, and so on).
\n route.vpc-peering-connection-id
- The ID of a VPC peering\n\t\t connection specified in a route in the table.
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
\n vpc-id
- The ID of the VPC for the route table.
One or more route table IDs.
\nDefault: Describes all your route tables.
", + "smithy.api#documentation": "The IDs of the route tables.
\nDefault: Describes all your route tables.
", "smithy.api#xmlName": "RouteTableId" } }, @@ -34471,7 +35684,27 @@ "target": "com.amazonaws.ec2#DescribeSecurityGroupReferencesResult" }, "traits": { - "smithy.api#documentation": "[VPC only] Describes the VPCs on the other side of a VPC peering connection that are referencing the security groups you've specified in this request.
" + "smithy.api#documentation": "Describes the VPCs on the other side of a VPC peering connection that are referencing the security groups you've specified in this request.
", + "smithy.api#examples": [ + { + "title": "To describe security group references", + "documentation": "This example describes the security group references for the specified security group.", + "input": { + "GroupId": [ + "sg-903004f8" + ] + }, + "output": { + "SecurityGroupReferenceSet": [ + { + "ReferencingVpcId": "vpc-1a2b3c4d", + "GroupId": "sg-903004f8", + "VpcPeeringConnectionId": "pcx-b04deed9" + } + ] + } + } + ] } }, "com.amazonaws.ec2#DescribeSecurityGroupReferencesRequest": { @@ -34619,7 +35852,19 @@ "target": "com.amazonaws.ec2#DescribeSecurityGroupsResult" }, "traits": { - "smithy.api#documentation": "Describes the specified security groups or all of your security groups.
\nA security group is for use with instances either in the EC2-Classic platform \n\t\t\t\tor in a specific VPC. For more information, see\n\t\t\t\tAmazon EC2 security groups in \n\t\t\t\tthe Amazon Elastic Compute Cloud User Guide and \n\t\t\t\tSecurity groups for your VPC in the\n\t\t\t\tAmazon Virtual Private Cloud User Guide.
\nWe are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nDescribes the specified security groups or all of your security groups.
", + "smithy.api#examples": [ + { + "title": "To describe a security group", + "documentation": "This example describes the specified security group.", + "input": { + "GroupIds": [ + "sg-903004f8" + ] + }, + "output": {} + } + ], "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -34684,7 +35929,7 @@ "GroupNames": { "target": "com.amazonaws.ec2#GroupNameStringList", "traits": { - "smithy.api#documentation": "[EC2-Classic and default VPC only] The names of the security groups. You can specify either\n\t\t\tthe security group name or the security group ID. For security groups in a nondefault VPC, use\n\t\t\tthe group-name
filter to describe security groups by name.
Default: Describes all of your security groups.
", + "smithy.api#documentation": "[Default VPC] The names of the security groups. You can specify either\n\t\t\tthe security group name or the security group ID.
\nDefault: Describes all of your security groups.
", "smithy.api#xmlName": "GroupName" } }, @@ -34750,7 +35995,21 @@ "target": "com.amazonaws.ec2#DescribeSnapshotAttributeResult" }, "traits": { - "smithy.api#documentation": "Describes the specified attribute of the specified snapshot. You can specify only one\n attribute at a time.
\nFor more information about EBS snapshots, see Amazon EBS snapshots in the Amazon Elastic Compute Cloud User Guide.
" + "smithy.api#documentation": "Describes the specified attribute of the specified snapshot. You can specify only one\n attribute at a time.
\nFor more information about EBS snapshots, see Amazon EBS snapshots in the Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#examples": [ + { + "title": "To describe snapshot attributes", + "documentation": "This example describes the ``createVolumePermission`` attribute on a snapshot with the snapshot ID of ``snap-066877671789bd71b``.", + "input": { + "SnapshotId": "snap-066877671789bd71b", + "Attribute": "createVolumePermission" + }, + "output": { + "SnapshotId": "snap-066877671789bd71b", + "CreateVolumePermissions": [] + } + } + ] } }, "com.amazonaws.ec2#DescribeSnapshotAttributeRequest": { @@ -34909,6 +36168,32 @@ }, "traits": { "smithy.api#documentation": "Describes the specified EBS snapshots available to you or all of the EBS snapshots\n available to you.
\nThe snapshots available to you include public snapshots, private snapshots that you own,\n and private snapshots owned by other Amazon Web Services accounts for which you have explicit create volume\n permissions.
\nThe create volume permissions fall into the following categories:
\n\n public: The owner of the snapshot granted create volume\n permissions for the snapshot to the all
group. All Amazon Web Services accounts have create\n volume permissions for these snapshots.
\n explicit: The owner of the snapshot granted create volume\n permissions to a specific Amazon Web Services account.
\n\n implicit: An Amazon Web Services account has implicit create volume permissions\n for all snapshots it owns.
\nThe list of snapshots returned can be filtered by specifying snapshot IDs, snapshot\n owners, or Amazon Web Services accounts with create volume permissions. If no options are specified, \n Amazon EC2 returns all snapshots for which you have create volume permissions.
\nIf you specify one or more snapshot IDs, only snapshots that have the specified IDs are\n returned. If you specify an invalid snapshot ID, an error is returned. If you specify a\n snapshot ID for which you do not have access, it is not included in the returned\n results.
\nIf you specify one or more snapshot owners using the OwnerIds
option, only\n snapshots from the specified owners and for which you have access are returned. The results\n can include the Amazon Web Services account IDs of the specified owners, amazon
for snapshots\n owned by Amazon, or self
for snapshots that you own.
If you specify a list of restorable users, only snapshots with create snapshot permissions\n for those users are returned. You can specify Amazon Web Services account IDs (if you own the snapshots),\n self
for snapshots for which you own or have explicit permissions, or\n all
for public snapshots.
If you are describing a long list of snapshots, we recommend that you paginate the output to make the\n list more manageable. For more information, see Pagination.
\nTo get the state of fast snapshot restores for a snapshot, use DescribeFastSnapshotRestores.
\nFor more information about EBS snapshots, see Amazon EBS snapshots in the Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#examples": [ + { + "title": "To describe a snapshot", + "documentation": "This example describes a snapshot with the snapshot ID of ``snap-1234567890abcdef0``.", + "input": { + "SnapshotIds": [ + "snap-1234567890abcdef0" + ] + }, + "output": { + "Snapshots": [ + { + "Description": "This is my snapshot.", + "VolumeId": "vol-049df61146c4d7901", + "State": "completed", + "VolumeSize": 8, + "Progress": "100%", + "StartTime": "2014-02-28T21:28:32.000Z", + "SnapshotId": "snap-1234567890abcdef0", + "OwnerId": "012345678910" + } + ], + "NextToken": "" + } + } + ], "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -35037,7 +36322,21 @@ "target": "com.amazonaws.ec2#DescribeSpotDatafeedSubscriptionResult" }, "traits": { - "smithy.api#documentation": "Describes the data feed for Spot Instances. For more information, see Spot\n Instance data feed in the Amazon EC2 User Guide for Linux Instances.
" + "smithy.api#documentation": "Describes the data feed for Spot Instances. For more information, see Spot\n Instance data feed in the Amazon EC2 User Guide for Linux Instances.
", + "smithy.api#examples": [ + { + "title": "To describe the datafeed for your AWS account", + "documentation": "This example describes the Spot Instance datafeed subscription for your AWS account.", + "output": { + "SpotDatafeedSubscription": { + "OwnerId": "123456789012", + "Prefix": "spotdata", + "Bucket": "my-s3-bucket", + "State": "Active" + } + } + } + ] } }, "com.amazonaws.ec2#DescribeSpotDatafeedSubscriptionRequest": { @@ -35324,6 +36623,60 @@ }, "traits": { "smithy.api#documentation": "Describes your Spot Fleet requests.
\nSpot Fleet requests are deleted 48 hours after they are canceled and their instances\n are terminated.
", + "smithy.api#examples": [ + { + "title": "To describe a Spot fleet request", + "documentation": "This example describes the specified Spot fleet request.", + "input": { + "SpotFleetRequestIds": [ + "sfr-73fbd2ce-aa30-494c-8788-1cee4EXAMPLE" + ] + }, + "output": { + "SpotFleetRequestConfigs": [ + { + "SpotFleetRequestId": "sfr-73fbd2ce-aa30-494c-8788-1cee4EXAMPLE", + "SpotFleetRequestConfig": { + "TargetCapacity": 20, + "LaunchSpecifications": [ + { + "EbsOptimized": false, + "NetworkInterfaces": [ + { + "SubnetId": "subnet-a61dafcf", + "DeviceIndex": 0, + "DeleteOnTermination": false, + "AssociatePublicIpAddress": true, + "SecondaryPrivateIpAddressCount": 0 + } + ], + "InstanceType": "cc2.8xlarge", + "ImageId": "ami-1a2b3c4d" + }, + { + "EbsOptimized": false, + "NetworkInterfaces": [ + { + "SubnetId": "subnet-a61dafcf", + "DeviceIndex": 0, + "DeleteOnTermination": false, + "AssociatePublicIpAddress": true, + "SecondaryPrivateIpAddressCount": 0 + } + ], + "InstanceType": "r3.8xlarge", + "ImageId": "ami-1a2b3c4d" + } + ], + "SpotPrice": "0.05", + "IamFleetRole": "arn:aws:iam::123456789012:role/my-spot-fleet-role" + }, + "SpotFleetRequestState": "active" + } + ] + } + } + ], "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -35412,6 +36765,58 @@ }, "traits": { "smithy.api#documentation": "Describes the specified Spot Instance requests.
\nYou can use DescribeSpotInstanceRequests
to find a running Spot Instance by\n examining the response. If the status of the Spot Instance is fulfilled
, the\n instance ID appears in the response and contains the identifier of the instance.\n Alternatively, you can use DescribeInstances\n with a filter to look for instances where the instance lifecycle is\n spot
.
We recommend that you set MaxResults
to a value between 5 and 1000 to\n limit the number of items returned. This paginates the output, which makes the list\n more manageable and returns the items faster. If the list of items exceeds your\n MaxResults
value, then that number of items is returned along with a\n NextToken
value that can be passed to a subsequent\n DescribeSpotInstanceRequests
request to retrieve the remaining\n items.
Spot Instance requests are deleted four hours after they are canceled and their instances are\n terminated.
", + "smithy.api#examples": [ + { + "title": "To describe a Spot Instance request", + "documentation": "This example describes the specified Spot Instance request.", + "input": { + "SpotInstanceRequestIds": [ + "sir-08b93456" + ] + }, + "output": { + "SpotInstanceRequests": [ + { + "Status": { + "UpdateTime": "2014-04-30T18:16:21.000Z", + "Code": "fulfilled", + "Message": "Your Spot request is fulfilled." + }, + "ProductDescription": "Linux/UNIX", + "InstanceId": "i-1234567890abcdef0", + "SpotInstanceRequestId": "sir-08b93456", + "State": "active", + "LaunchedAvailabilityZone": "us-west-1b", + "LaunchSpecification": { + "ImageId": "ami-7aba833f", + "KeyName": "my-key-pair", + "BlockDeviceMappings": [ + { + "DeviceName": "/dev/sda1", + "Ebs": { + "DeleteOnTermination": true, + "VolumeType": "standard", + "VolumeSize": 8 + } + } + ], + "EbsOptimized": false, + "SecurityGroups": [ + { + "GroupName": "my-security-group", + "GroupId": "sg-e38f24a7" + } + ], + "InstanceType": "m1.small" + }, + "Type": "one-time", + "CreateTime": "2014-04-30T18:14:55.000Z", + "SpotPrice": "0.010000" + } + ] + } + } + ], "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -35578,6 +36983,40 @@ }, "traits": { "smithy.api#documentation": "Describes the Spot price history. For more information, see Spot Instance pricing history in the\n Amazon EC2 User Guide for Linux Instances.
\nWhen you specify a start and end time, the operation returns the prices of the\n instance types within that time range. It also returns the last price change before the\n start time, which is the effective price as of the start time.
", + "smithy.api#examples": [ + { + "title": "To describe Spot price history for Linux/UNIX (Amazon VPC)", + "documentation": "This example returns the Spot Price history for m1.xlarge, Linux/UNIX (Amazon VPC) instances for a particular day in January.", + "input": { + "StartTime": "2014-01-06T07:08:09.05Z", + "EndTime": "2014-01-06T08:09:10.05Z", + "InstanceTypes": [ + "m1.xlarge" + ], + "ProductDescriptions": [ + "Linux/UNIX (Amazon VPC)" + ] + }, + "output": { + "SpotPriceHistory": [ + { + "Timestamp": "2014-01-06T04:32:53.000Z", + "ProductDescription": "Linux/UNIX (Amazon VPC)", + "InstanceType": "m1.xlarge", + "SpotPrice": "0.080000", + "AvailabilityZone": "us-west-1a" + }, + { + "Timestamp": "2014-01-05T11:28:26.000Z", + "ProductDescription": "Linux/UNIX (Amazon VPC)", + "InstanceType": "m1.xlarge", + "SpotPrice": "0.080000", + "AvailabilityZone": "us-west-1c" + } + ] + } + } + ], "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -35702,7 +37141,7 @@ "target": "com.amazonaws.ec2#DescribeStaleSecurityGroupsResult" }, "traits": { - "smithy.api#documentation": "[VPC only] Describes the stale security group rules for security groups in a specified VPC. \n Rules are stale when they reference a deleted security group in the same VPC or in a peer VPC, \n or if they reference a security group in a peer VPC for which the VPC peering connection has \n been deleted.
", + "smithy.api#documentation": "Describes the stale security group rules for security groups in a specified VPC. \n Rules are stale when they reference a deleted security group in the same VPC or in a peer VPC, \n or if they reference a security group in a peer VPC for which the VPC peering connection has \n been deleted.
", "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -35807,6 +37246,43 @@ "outputToken": "NextToken", "items": "StoreImageTaskResults", "pageSize": "MaxResults" + }, + "smithy.waiters#waitable": { + "StoreImageTaskComplete": { + "acceptors": [ + { + "state": "success", + "matcher": { + "output": { + "path": "StoreImageTaskResults[].StoreTaskState", + "expected": "Completed", + "comparator": "allStringEquals" + } + } + }, + { + "state": "failure", + "matcher": { + "output": { + "path": "StoreImageTaskResults[].StoreTaskState", + "expected": "Failed", + "comparator": "anyStringEquals" + } + } + }, + { + "state": "retry", + "matcher": { + "output": { + "path": "StoreImageTaskResults[].StoreTaskState", + "expected": "InProgress", + "comparator": "anyStringEquals" + } + } + } + ], + "minDelay": 5 + } } } }, @@ -35897,7 +37373,37 @@ "target": "com.amazonaws.ec2#DescribeSubnetsResult" }, "traits": { - "smithy.api#documentation": "Describes one or more of your subnets.
\nFor more information, see Your VPC and subnets in the\n\t\t\t\tAmazon Virtual Private Cloud User Guide.
", + "smithy.api#documentation": "Describes one or more of your subnets.
\nFor more information, see Subnets in the\n\t\t\t\tAmazon VPC User Guide.
", + "smithy.api#examples": [ + { + "title": "To describe the subnets for a VPC", + "documentation": "This example describes the subnets for the specified VPC.", + "input": { + "Filters": [ + { + "Name": "vpc-id", + "Values": [ + "vpc-a01106c2" + ] + } + ] + }, + "output": { + "Subnets": [ + { + "VpcId": "vpc-a01106c2", + "CidrBlock": "10.0.1.0/24", + "MapPublicIpOnLaunch": false, + "DefaultForAz": false, + "State": "available", + "AvailabilityZone": "us-east-1c", + "SubnetId": "subnet-9d4a7b6c", + "AvailableIpAddressCount": 251 + } + ] + } + } + ], "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -35939,14 +37445,14 @@ "Filters": { "target": "com.amazonaws.ec2#FilterList", "traits": { - "smithy.api#documentation": "One or more filters.
\n\n availability-zone
- The Availability Zone for the subnet. You can also use\n availabilityZone
as the filter name.
\n availability-zone-id
- The ID of the Availability Zone for the subnet.\n You can also use availabilityZoneId
as the filter name.
\n available-ip-address-count
- The number of IPv4 addresses in the\n subnet that are available.
\n cidr-block
- The IPv4 CIDR block of the subnet. The CIDR block\n you specify must exactly match the subnet's CIDR block for information to be\n returned for the subnet. You can also use cidr
or\n cidrBlock
as the filter names.
\n customer-owned-ipv4-pool
- The customer-owned IPv4 address pool\n associated with the subnet.
\n default-for-az
- Indicates whether this is the default subnet for\n the Availability Zone (true
| false
). You can also use\n defaultForAz
as the filter name.
\n enable-dns64
- Indicates whether DNS queries made to the\n Amazon-provided DNS Resolver in this subnet should return synthetic IPv6\n addresses for IPv4-only destinations.
\n enable-lni-at-device-index
- Indicates the device position for\n local network interfaces in this subnet. For example, 1
indicates\n local network interfaces in this subnet are the secondary network interface\n (eth1).
\n ipv6-cidr-block-association.ipv6-cidr-block
- An IPv6 CIDR\n block associated with the subnet.
\n ipv6-cidr-block-association.association-id
- An association ID\n for an IPv6 CIDR block associated with the subnet.
\n ipv6-cidr-block-association.state
- The state of an IPv6 CIDR\n block associated with the subnet.
\n ipv6-native
- Indicates whether this is an IPv6 only subnet\n (true
| false
).
\n map-customer-owned-ip-on-launch
- Indicates whether a network\n interface created in this subnet (including a network interface created by RunInstances) receives a customer-owned IPv4 address.
\n map-public-ip-on-launch
- Indicates whether instances launched in\n this subnet receive a public IPv4 address.
\n outpost-arn
- The Amazon Resource Name (ARN) of the Outpost.
\n owner-id
- The ID of the Amazon Web Services account that owns the\n subnet.
\n private-dns-name-options-on-launch.hostname-type
- The type of\n hostname to assign to instances in the subnet at launch. For IPv4-only and\n dual-stack (IPv4 and IPv6) subnets, an instance DNS name can be based on the\n instance IPv4 address (ip-name) or the instance ID (resource-name). For IPv6\n only subnets, an instance DNS name must be based on the instance ID\n (resource-name).
\n private-dns-name-options-on-launch.enable-resource-name-dns-a-record
\n - Indicates whether to respond to DNS queries for instance hostnames with DNS A\n records.
\n private-dns-name-options-on-launch.enable-resource-name-dns-aaaa-record
\n - Indicates whether to respond to DNS queries for instance hostnames with DNS\n AAAA records.
\n state
- The state of the subnet (pending
| available
).
\n subnet-arn
- The Amazon Resource Name (ARN) of the subnet.
\n subnet-id
- The ID of the subnet.
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
\n vpc-id
- The ID of the VPC for the subnet.
The filters.
\n\n availability-zone
- The Availability Zone for the subnet. You can also use\n availabilityZone
as the filter name.
\n availability-zone-id
- The ID of the Availability Zone for the subnet.\n You can also use availabilityZoneId
as the filter name.
\n available-ip-address-count
- The number of IPv4 addresses in the\n subnet that are available.
\n cidr-block
- The IPv4 CIDR block of the subnet. The CIDR block\n you specify must exactly match the subnet's CIDR block for information to be\n returned for the subnet. You can also use cidr
or\n cidrBlock
as the filter names.
\n customer-owned-ipv4-pool
- The customer-owned IPv4 address pool\n associated with the subnet.
\n default-for-az
- Indicates whether this is the default subnet for\n the Availability Zone (true
| false
). You can also use\n defaultForAz
as the filter name.
\n enable-dns64
- Indicates whether DNS queries made to the\n Amazon-provided DNS Resolver in this subnet should return synthetic IPv6\n addresses for IPv4-only destinations.
\n enable-lni-at-device-index
- Indicates the device position for\n local network interfaces in this subnet. For example, 1
indicates\n local network interfaces in this subnet are the secondary network interface\n (eth1).
\n ipv6-cidr-block-association.ipv6-cidr-block
- An IPv6 CIDR\n block associated with the subnet.
\n ipv6-cidr-block-association.association-id
- An association ID\n for an IPv6 CIDR block associated with the subnet.
\n ipv6-cidr-block-association.state
- The state of an IPv6 CIDR\n block associated with the subnet.
\n ipv6-native
- Indicates whether this is an IPv6 only subnet\n (true
| false
).
\n map-customer-owned-ip-on-launch
- Indicates whether a network\n interface created in this subnet (including a network interface created by RunInstances) receives a customer-owned IPv4 address.
\n map-public-ip-on-launch
- Indicates whether instances launched in\n this subnet receive a public IPv4 address.
\n outpost-arn
- The Amazon Resource Name (ARN) of the Outpost.
\n owner-id
- The ID of the Amazon Web Services account that owns the\n subnet.
\n private-dns-name-options-on-launch.hostname-type
- The type of\n hostname to assign to instances in the subnet at launch. For IPv4-only and\n dual-stack (IPv4 and IPv6) subnets, an instance DNS name can be based on the\n instance IPv4 address (ip-name) or the instance ID (resource-name). For IPv6\n only subnets, an instance DNS name must be based on the instance ID\n (resource-name).
\n private-dns-name-options-on-launch.enable-resource-name-dns-a-record
\n - Indicates whether to respond to DNS queries for instance hostnames with DNS A\n records.
\n private-dns-name-options-on-launch.enable-resource-name-dns-aaaa-record
\n - Indicates whether to respond to DNS queries for instance hostnames with DNS\n AAAA records.
\n state
- The state of the subnet (pending
| available
).
\n subnet-arn
- The Amazon Resource Name (ARN) of the subnet.
\n subnet-id
- The ID of the subnet.
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
\n vpc-id
- The ID of the VPC for the subnet.
One or more subnet IDs.
\nDefault: Describes all your subnets.
", + "smithy.api#documentation": "The IDs of the subnets.
\nDefault: Describes all your subnets.
", "smithy.api#xmlName": "SubnetId" } }, @@ -36013,6 +37519,38 @@ }, "traits": { "smithy.api#documentation": "Describes the specified tags for your EC2 resources.
\nFor more information about tags, see Tag your Amazon EC2 resources in the\n Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#examples": [ + { + "title": "To describe the tags for a single resource", + "documentation": "This example describes the tags for the specified instance.", + "input": { + "Filters": [ + { + "Name": "resource-id", + "Values": [ + "i-1234567890abcdef8" + ] + } + ] + }, + "output": { + "Tags": [ + { + "ResourceType": "instance", + "ResourceId": "i-1234567890abcdef8", + "Value": "test", + "Key": "Stack" + }, + { + "ResourceType": "instance", + "ResourceId": "i-1234567890abcdef8", + "Value": "Beta Server", + "Key": "Name" + } + ] + } + } + ], "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -37799,7 +39337,23 @@ "target": "com.amazonaws.ec2#DescribeVolumeAttributeResult" }, "traits": { - "smithy.api#documentation": "Describes the specified attribute of the specified volume. You can specify only one\n attribute at a time.
\nFor more information about EBS volumes, see Amazon EBS volumes in the Amazon Elastic Compute Cloud User Guide.
" + "smithy.api#documentation": "Describes the specified attribute of the specified volume. You can specify only one\n attribute at a time.
\nFor more information about EBS volumes, see Amazon EBS volumes in the Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#examples": [ + { + "title": "To describe a volume attribute", + "documentation": "This example describes the ``autoEnableIo`` attribute of the volume with the ID ``vol-049df61146c4d7901``.", + "input": { + "VolumeId": "vol-049df61146c4d7901", + "Attribute": "autoEnableIO" + }, + "output": { + "AutoEnableIO": { + "Value": false + }, + "VolumeId": "vol-049df61146c4d7901" + } + } + ] } }, "com.amazonaws.ec2#DescribeVolumeAttributeRequest": { @@ -37878,6 +39432,40 @@ }, "traits": { "smithy.api#documentation": "Describes the status of the specified volumes. Volume status provides the result of the\n checks performed on your volumes to determine events that can impair the performance of your\n volumes. The performance of a volume can be affected if an issue occurs on the volume's\n underlying host. If the volume's underlying host experiences a power outage or system issue,\n after the system is restored, there could be data inconsistencies on the volume. Volume events\n notify you if this occurs. Volume actions notify you if any action needs to be taken in\n response to the event.
\nThe DescribeVolumeStatus
operation provides the following information about\n the specified volumes:
\n Status: Reflects the current status of the volume. The possible\n values are ok
, impaired
, warning
, or\n insufficient-data
. If all checks pass, the overall status of the volume is\n ok
. If the check fails, the overall status is impaired
. If the\n status is insufficient-data
, then the checks might still be taking place on your\n volume at the time. We recommend that you retry the request. For more information about volume\n status, see Monitor the status of your volumes in the\n Amazon Elastic Compute Cloud User Guide.
\n Events: Reflect the cause of a volume status and might require you to\n take action. For example, if your volume returns an impaired
status, then the\n volume event might be potential-data-inconsistency
. This means that your volume\n has been affected by an issue with the underlying host, has all I/O operations disabled, and\n might have inconsistent data.
\n Actions: Reflect the actions you might have to take in response to an\n event. For example, if the status of the volume is impaired
and the volume event\n shows potential-data-inconsistency
, then the action shows\n enable-volume-io
. This means that you may want to enable the I/O operations for\n the volume by calling the EnableVolumeIO action and then check the volume\n for data consistency.
Volume status is based on the volume status checks, and does not reflect the volume state.\n Therefore, volume status does not indicate volumes in the error
state (for\n example, when a volume is incapable of accepting I/O.)
Describes the specified EBS volumes or all of your EBS volumes.
\nIf you are describing a long list of volumes, we recommend that you paginate the output to make the list\n more manageable. For more information, see Pagination.
\nFor more information about EBS volumes, see Amazon EBS volumes in the Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#examples": [ + { + "title": "To describe all volumes", + "documentation": "This example describes all of your volumes in the default region.", + "output": { + "Volumes": [ + { + "AvailabilityZone": "us-east-1a", + "Attachments": [ + { + "AttachTime": "2013-12-18T22:35:00.000Z", + "InstanceId": "i-1234567890abcdef0", + "VolumeId": "vol-049df61146c4d7901", + "State": "attached", + "DeleteOnTermination": true, + "Device": "/dev/sda1" + } + ], + "VolumeType": "standard", + "VolumeId": "vol-049df61146c4d7901", + "State": "in-use", + "SnapshotId": "snap-1234567890abcdef0", + "CreateTime": "2013-12-18T22:35:00.084Z", + "Size": 8 + } + ], + "NextToken": "" + } + } + ], "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -38219,7 +39837,23 @@ "target": "com.amazonaws.ec2#DescribeVpcAttributeResult" }, "traits": { - "smithy.api#documentation": "Describes the specified attribute of the specified VPC. You can specify only one attribute at a time.
" + "smithy.api#documentation": "Describes the specified attribute of the specified VPC. You can specify only one attribute at a time.
", + "smithy.api#examples": [ + { + "title": "To describe the enableDnsSupport attribute", + "documentation": "This example describes the enableDnsSupport attribute. This attribute indicates whether DNS resolution is enabled for the VPC. If this attribute is true, the Amazon DNS server resolves DNS hostnames for your instances to their corresponding IP addresses; otherwise, it does not.", + "input": { + "VpcId": "vpc-a01106c2", + "Attribute": "enableDnsSupport" + }, + "output": { + "VpcId": "vpc-a01106c2", + "EnableDnsSupport": { + "Value": true + } + } + } + ] } }, "com.amazonaws.ec2#DescribeVpcAttributeRequest": { @@ -38305,7 +39939,7 @@ "target": "com.amazonaws.ec2#DescribeVpcClassicLinkResult" }, "traits": { - "smithy.api#documentation": "Describes the ClassicLink status of one or more VPCs.
\nWe are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nThis action is deprecated.
\nDescribes the ClassicLink status of the specified VPCs.
" } }, "com.amazonaws.ec2#DescribeVpcClassicLinkDnsSupport": { @@ -38317,7 +39951,7 @@ "target": "com.amazonaws.ec2#DescribeVpcClassicLinkDnsSupportResult" }, "traits": { - "smithy.api#documentation": "We are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nDescribes the ClassicLink DNS support status of one or more VPCs. If enabled, the DNS\n hostname of a linked EC2-Classic instance resolves to its private IP address when\n addressed from an instance in the VPC to which it's linked. Similarly, the DNS hostname\n of an instance in a VPC resolves to its private IP address when addressed from a linked\n EC2-Classic instance. For more information, see ClassicLink in the Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#documentation": "This action is deprecated.
\nDescribes the ClassicLink DNS support status of one or more VPCs. If enabled, the DNS\n hostname of a linked EC2-Classic instance resolves to its private IP address when\n addressed from an instance in the VPC to which it's linked. Similarly, the DNS hostname\n of an instance in a VPC resolves to its private IP address when addressed from a linked\n EC2-Classic instance.
", "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -38369,7 +40003,7 @@ "VpcIds": { "target": "com.amazonaws.ec2#VpcClassicLinkIdList", "traits": { - "smithy.api#documentation": "One or more VPC IDs.
", + "smithy.api#documentation": "The IDs of the VPCs.
", "smithy.api#xmlName": "VpcIds" } } @@ -38408,7 +40042,7 @@ "Filters": { "target": "com.amazonaws.ec2#FilterList", "traits": { - "smithy.api#documentation": "One or more filters.
\n\n is-classic-link-enabled
- Whether the VPC is enabled for ClassicLink\n\t\t\t\t\t (true
| false
).
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
The filters.
\n\n is-classic-link-enabled
- Whether the VPC is enabled for ClassicLink\n\t\t\t\t\t (true
| false
).
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
One or more VPCs for which you want to describe the ClassicLink status.
", + "smithy.api#documentation": "The VPCs for which you want to describe the ClassicLink status.
", "smithy.api#xmlName": "VpcId" } } @@ -38441,7 +40075,7 @@ "target": "com.amazonaws.ec2#VpcClassicLinkList", "traits": { "aws.protocols#ec2QueryName": "VpcSet", - "smithy.api#documentation": "The ClassicLink status of one or more VPCs.
", + "smithy.api#documentation": "The ClassicLink status of the VPCs.
", "smithy.api#xmlName": "vpcSet" } } @@ -39038,7 +40672,7 @@ "Filters": { "target": "com.amazonaws.ec2#FilterList", "traits": { - "smithy.api#documentation": "One or more filters.
\n\n accepter-vpc-info.cidr-block
- The IPv4 CIDR block of the accepter\n VPC.
\n accepter-vpc-info.owner-id
- The ID of the Amazon Web Services account that owns the\n accepter VPC.
\n accepter-vpc-info.vpc-id
- The ID of the accepter VPC.
\n expiration-time
- The expiration date and time for the VPC peering\n connection.
\n requester-vpc-info.cidr-block
- The IPv4 CIDR block of the\n requester's VPC.
\n requester-vpc-info.owner-id
- The ID of the Amazon Web Services account that owns the\n requester VPC.
\n requester-vpc-info.vpc-id
- The ID of the requester VPC.
\n status-code
- The status of the VPC peering connection\n (pending-acceptance
| failed
|\n expired
| provisioning
| active
|\n deleting
| deleted
|\n rejected
).
\n status-message
- A message that provides more information about the status\n of the VPC peering connection, if applicable.
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
\n vpc-peering-connection-id
- The ID of the VPC peering connection.
The filters.
\n\n accepter-vpc-info.cidr-block
- The IPv4 CIDR block of the accepter\n VPC.
\n accepter-vpc-info.owner-id
- The ID of the Amazon Web Services account that owns the\n accepter VPC.
\n accepter-vpc-info.vpc-id
- The ID of the accepter VPC.
\n expiration-time
- The expiration date and time for the VPC peering\n connection.
\n requester-vpc-info.cidr-block
- The IPv4 CIDR block of the\n requester's VPC.
\n requester-vpc-info.owner-id
- The ID of the Amazon Web Services account that owns the\n requester VPC.
\n requester-vpc-info.vpc-id
- The ID of the requester VPC.
\n status-code
- The status of the VPC peering connection\n (pending-acceptance
| failed
|\n expired
| provisioning
| active
|\n deleting
| deleted
|\n rejected
).
\n status-message
- A message that provides more information about the status\n of the VPC peering connection, if applicable.
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
\n vpc-peering-connection-id
- The ID of the VPC peering connection.
One or more VPC peering connection IDs.
\nDefault: Describes all your VPC peering connections.
", + "smithy.api#documentation": "The IDs of the VPC peering connections.
\nDefault: Describes all your VPC peering connections.
", "smithy.api#xmlName": "VpcPeeringConnectionId" } }, @@ -39112,6 +40746,35 @@ }, "traits": { "smithy.api#documentation": "Describes one or more of your VPCs.
", + "smithy.api#examples": [ + { + "title": "To describe a VPC", + "documentation": "This example describes the specified VPC.", + "input": { + "VpcIds": [ + "vpc-a01106c2" + ] + }, + "output": { + "Vpcs": [ + { + "VpcId": "vpc-a01106c2", + "InstanceTenancy": "default", + "Tags": [ + { + "Value": "MyVPC", + "Key": "Name" + } + ], + "State": "available", + "DhcpOptionsId": "dopt-7a8b9c2d", + "CidrBlock": "10.0.0.0/16", + "IsDefault": false + } + ] + } + } + ], "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -39173,14 +40836,14 @@ "Filters": { "target": "com.amazonaws.ec2#FilterList", "traits": { - "smithy.api#documentation": "One or more filters.
\n\n cidr
- The primary IPv4 CIDR block of the VPC. The CIDR block you\n specify must exactly match the VPC's CIDR block for information to be returned\n for the VPC. Must contain the slash followed by one or two digits (for example,\n /28
).
\n cidr-block-association.cidr-block
- An IPv4 CIDR block associated with the\n VPC.
\n cidr-block-association.association-id
- The association ID for\n an IPv4 CIDR block associated with the VPC.
\n cidr-block-association.state
- The state of an IPv4 CIDR block\n associated with the VPC.
\n dhcp-options-id
- The ID of a set of DHCP options.
\n ipv6-cidr-block-association.ipv6-cidr-block
- An IPv6 CIDR\n block associated with the VPC.
\n ipv6-cidr-block-association.ipv6-pool
- The ID of the IPv6 address pool from which the IPv6 CIDR block is allocated.
\n ipv6-cidr-block-association.association-id
- The association\n ID for an IPv6 CIDR block associated with the VPC.
\n ipv6-cidr-block-association.state
- The state of an IPv6 CIDR\n block associated with the VPC.
\n is-default
- Indicates whether the VPC is the default VPC.
\n owner-id
- The ID of the Amazon Web Services account that owns the VPC.
\n state
- The state of the VPC (pending
| available
).
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
\n vpc-id
- The ID of the VPC.
The filters.
\n\n cidr
- The primary IPv4 CIDR block of the VPC. The CIDR block you\n specify must exactly match the VPC's CIDR block for information to be returned\n for the VPC. Must contain the slash followed by one or two digits (for example,\n /28
).
\n cidr-block-association.cidr-block
- An IPv4 CIDR block associated with the\n VPC.
\n cidr-block-association.association-id
- The association ID for\n an IPv4 CIDR block associated with the VPC.
\n cidr-block-association.state
- The state of an IPv4 CIDR block\n associated with the VPC.
\n dhcp-options-id
- The ID of a set of DHCP options.
\n ipv6-cidr-block-association.ipv6-cidr-block
- An IPv6 CIDR\n block associated with the VPC.
\n ipv6-cidr-block-association.ipv6-pool
- The ID of the IPv6 address pool from which the IPv6 CIDR block is allocated.
\n ipv6-cidr-block-association.association-id
- The association\n ID for an IPv6 CIDR block associated with the VPC.
\n ipv6-cidr-block-association.state
- The state of an IPv6 CIDR\n block associated with the VPC.
\n is-default
- Indicates whether the VPC is the default VPC.
\n owner-id
- The ID of the Amazon Web Services account that owns the VPC.
\n state
- The state of the VPC (pending
| available
).
\n tag
:Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
\n tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
\n vpc-id
- The ID of the VPC.
One or more VPC IDs.
\nDefault: Describes all your VPCs.
", + "smithy.api#documentation": "The IDs of the VPCs.
\nDefault: Describes all your VPCs.
", "smithy.api#xmlName": "VpcId" } }, @@ -39515,7 +41178,7 @@ "target": "com.amazonaws.ec2#DetachClassicLinkVpcResult" }, "traits": { - "smithy.api#documentation": "We are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nUnlinks (detaches) a linked EC2-Classic instance from a VPC. After the instance has been unlinked, the VPC security groups are no longer associated with it. An instance is automatically unlinked from a VPC when it's stopped.
" + "smithy.api#documentation": "This action is deprecated.
\nUnlinks (detaches) a linked EC2-Classic instance from a VPC. After the instance has been unlinked, \n\t\t the VPC security groups are no longer associated with it. An instance is automatically unlinked from \n\t\t a VPC when it's stopped.
" } }, "com.amazonaws.ec2#DetachClassicLinkVpcRequest": { @@ -39759,7 +41422,23 @@ "target": "com.amazonaws.ec2#VolumeAttachment" }, "traits": { - "smithy.api#documentation": "Detaches an EBS volume from an instance. Make sure to unmount any file systems on the\n device within your operating system before detaching the volume. Failure to do so can result\n in the volume becoming stuck in the busy
state while detaching. If this happens,\n detachment can be delayed indefinitely until you unmount the volume, force detachment, reboot\n the instance, or all three. If an EBS volume is the root device of an instance, it can't be\n detached while the instance is running. To detach the root volume, stop the instance\n first.
When a volume with an Amazon Web Services Marketplace product code is detached from an instance, the\n product code is no longer associated with the instance.
\nFor more information, see Detach an Amazon EBS volume in the\n Amazon Elastic Compute Cloud User Guide.
" + "smithy.api#documentation": "Detaches an EBS volume from an instance. Make sure to unmount any file systems on the\n device within your operating system before detaching the volume. Failure to do so can result\n in the volume becoming stuck in the busy
state while detaching. If this happens,\n detachment can be delayed indefinitely until you unmount the volume, force detachment, reboot\n the instance, or all three. If an EBS volume is the root device of an instance, it can't be\n detached while the instance is running. To detach the root volume, stop the instance\n first.
When a volume with an Amazon Web Services Marketplace product code is detached from an instance, the\n product code is no longer associated with the instance.
\nFor more information, see Detach an Amazon EBS volume in the\n Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#examples": [ + { + "title": "To detach a volume from an instance", + "documentation": "This example detaches the volume (``vol-049df61146c4d7901``) from the instance it is attached to.", + "input": { + "VolumeId": "vol-1234567890abcdef0" + }, + "output": { + "AttachTime": "2014-02-27T19:23:06.000Z", + "InstanceId": "i-1234567890abcdef0", + "VolumeId": "vol-049df61146c4d7901", + "State": "detaching", + "Device": "/dev/sdb" + } + } + ] } }, "com.amazonaws.ec2#DetachVolumeRequest": { @@ -39920,7 +41599,7 @@ "target": "com.amazonaws.ec2#DhcpConfigurationValueList", "traits": { "aws.protocols#ec2QueryName": "ValueSet", - "smithy.api#documentation": "One or more values for the DHCP option.
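Review bot: The DetachVolume example added in the `@@ -39759,7 +41422,23 @@` hunk is internally inconsistent: its `documentation` string and its `output` both name `vol-049df61146c4d7901`, but `input` sends `"VolumeId": "vol-1234567890abcdef0"`. A reader who copies the example would expect the response to describe the volume that was passed in, so the input should read `"VolumeId": "vol-049df61146c4d7901"` to make request, response and description agree. The doubled backticks around the ID in the description look like markup carried over from another format and will probably render literally in generated docs. This file appears to be a vendored service model, so the correction likely belongs in the upstream model rather than in this copy.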
", + "smithy.api#documentation": "The values for the DHCP option.
", "smithy.api#xmlName": "valueSet" } } @@ -39954,7 +41633,7 @@ "target": "com.amazonaws.ec2#DhcpConfigurationList", "traits": { "aws.protocols#ec2QueryName": "DhcpConfigurationSet", - "smithy.api#documentation": "One or more DHCP options in the set.
", + "smithy.api#documentation": "The DHCP options in the set.
", "smithy.api#xmlName": "dhcpConfigurationSet" } }, @@ -39984,7 +41663,7 @@ } }, "traits": { - "smithy.api#documentation": "Describes a set of DHCP options.
" + "smithy.api#documentation": "The set of DHCP options.
" } }, "com.amazonaws.ec2#DhcpOptionsId": { @@ -40824,7 +42503,17 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Disables a virtual private gateway (VGW) from propagating routes to a specified route\n table of a VPC.
" + "smithy.api#documentation": "Disables a virtual private gateway (VGW) from propagating routes to a specified route\n table of a VPC.
", + "smithy.api#examples": [ + { + "title": "To disable route propagation", + "documentation": "This example disables the specified virtual private gateway from propagating static routes to the specified route table.", + "input": { + "RouteTableId": "rtb-22574640", + "GatewayId": "vgw-9a4cacf3" + } + } + ] } }, "com.amazonaws.ec2#DisableVgwRoutePropagationRequest": { @@ -40869,7 +42558,7 @@ "target": "com.amazonaws.ec2#DisableVpcClassicLinkResult" }, "traits": { - "smithy.api#documentation": "Disables ClassicLink for a VPC. You cannot disable ClassicLink for a VPC that has EC2-Classic instances linked to it.
\nWe are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nThis action is deprecated.
\nDisables ClassicLink for a VPC. You cannot disable ClassicLink for a VPC that has EC2-Classic instances\n linked to it.
" } }, "com.amazonaws.ec2#DisableVpcClassicLinkDnsSupport": { @@ -40881,7 +42570,7 @@ "target": "com.amazonaws.ec2#DisableVpcClassicLinkDnsSupportResult" }, "traits": { - "smithy.api#documentation": "Disables ClassicLink DNS support for a VPC. If disabled, DNS hostnames resolve to\n\t\t\tpublic IP addresses when addressed between a linked EC2-Classic instance and instances\n\t\t\tin the VPC to which it's linked. For more information, see ClassicLink in the\n\t\t\t\tAmazon Elastic Compute Cloud User Guide.
\nYou must specify a VPC ID in the request.
\nWe are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nThis action is deprecated.
\nDisables ClassicLink DNS support for a VPC. If disabled, DNS hostnames resolve to\n\t\t\tpublic IP addresses when addressed between a linked EC2-Classic instance and instances\n\t\t\tin the VPC to which it's linked.
\nYou must specify a VPC ID in the request.
" } }, "com.amazonaws.ec2#DisableVpcClassicLinkDnsSupportRequest": { @@ -40972,7 +42661,16 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Disassociates an Elastic IP address from the instance or network interface it's associated with.
\nThis is an idempotent operation. If you perform the operation more than once, Amazon EC2 doesn't return an error.
" + "smithy.api#documentation": "Disassociates an Elastic IP address from the instance or network interface it's associated with.
\nThis is an idempotent operation. If you perform the operation more than once, Amazon EC2 doesn't return an error.
", + "smithy.api#examples": [ + { + "title": "To disassociate an Elastic IP address", + "documentation": "This example disassociates an Elastic IP address from an instance.", + "input": { + "AssociationId": "eipassoc-2bebb745" + } + } + ] } }, "com.amazonaws.ec2#DisassociateAddressRequest": { @@ -41144,7 +42842,27 @@ "target": "com.amazonaws.ec2#DisassociateIamInstanceProfileResult" }, "traits": { - "smithy.api#documentation": "Disassociates an IAM instance profile from a running or stopped instance.
\nUse DescribeIamInstanceProfileAssociations to get the association\n ID.
" + "smithy.api#documentation": "Disassociates an IAM instance profile from a running or stopped instance.
\nUse DescribeIamInstanceProfileAssociations to get the association\n ID.
", + "smithy.api#examples": [ + { + "title": "To disassociate an IAM instance profile", + "documentation": "This example disassociates the specified IAM instance profile from an instance.", + "input": { + "AssociationId": "iip-assoc-05020b59952902f5f" + }, + "output": { + "IamInstanceProfileAssociation": { + "InstanceId": "i-123456789abcde123", + "State": "disassociating", + "AssociationId": "iip-assoc-05020b59952902f5f", + "IamInstanceProfile": { + "Id": "AIPAI5IVIHMFFYY2DKV5Y", + "Arn": "arn:aws:iam::123456789012:instance-profile/admin-role" + } + } + } + } + ] } }, "com.amazonaws.ec2#DisassociateIamInstanceProfileRequest": { @@ -41300,7 +43018,7 @@ "target": "com.amazonaws.ec2#DisassociateNatGatewayAddressResult" }, "traits": { - "smithy.api#documentation": "Disassociates secondary Elastic IP addresses (EIPs) from a public NAT gateway. You cannot disassociate your primary EIP. For more information, see Edit secondary IP address associations in the Amazon Virtual Private Cloud User Guide.
\nWhile disassociating is in progress, you cannot associate/disassociate additional EIPs while the connections are being drained. You are, however, allowed to delete the NAT gateway.
\nAn EIP will only be released at the end of MaxDrainDurationSeconds. The EIPs stay\n associated and support the existing connections but do not support any new connections\n (new connections are distributed across the remaining associated EIPs). As the existing\n connections drain out, the EIPs (and the corresponding private IPs mapped to them) get\n released.
" + "smithy.api#documentation": "Disassociates secondary Elastic IP addresses (EIPs) from a public NAT gateway. \n You cannot disassociate your primary EIP. For more information, see Edit secondary IP address associations in the Amazon VPC User Guide.
\nWhile disassociating is in progress, you cannot associate/disassociate additional EIPs while the connections are being drained. You are, however, allowed to delete the NAT gateway.
\nAn EIP is released only at the end of MaxDrainDurationSeconds. It stays\n associated and supports the existing connections but does not support any new connections\n (new connections are distributed across the remaining associated EIPs). As the existing\n connections drain out, the EIPs (and the corresponding private IP addresses mapped to them) \n are released.
" } }, "com.amazonaws.ec2#DisassociateNatGatewayAddressRequest": { @@ -41310,7 +43028,7 @@ "target": "com.amazonaws.ec2#NatGatewayId", "traits": { "smithy.api#clientOptional": {}, - "smithy.api#documentation": "The NAT gateway ID.
", + "smithy.api#documentation": "The ID of the NAT gateway.
", "smithy.api#required": {} } }, @@ -41351,7 +43069,7 @@ "target": "com.amazonaws.ec2#NatGatewayId", "traits": { "aws.protocols#ec2QueryName": "NatGatewayId", - "smithy.api#documentation": "The NAT gateway ID.
", + "smithy.api#documentation": "The ID of the NAT gateway.
", "smithy.api#xmlName": "natGatewayId" } }, @@ -41377,7 +43095,7 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Disassociates a subnet or gateway from a route table.
\nAfter you perform this action, the subnet no longer uses the routes in the route table.\n\t\t\t\tInstead, it uses the routes in the VPC's main route table. For more information\n\t\t\t\tabout route tables, see Route\n\t\t\t\ttables in the Amazon Virtual Private Cloud User Guide.
" + "smithy.api#documentation": "Disassociates a subnet or gateway from a route table.
\nAfter you perform this action, the subnet no longer uses the routes in the route table.\n\t\t\t\tInstead, it uses the routes in the VPC's main route table. For more information\n\t\t\t\tabout route tables, see Route\n\t\t\t\ttables in the Amazon VPC User Guide.
" } }, "com.amazonaws.ec2#DisassociateRouteTableRequest": { @@ -42309,7 +44027,7 @@ "target": "com.amazonaws.ec2#String", "traits": { "aws.protocols#ec2QueryName": "OutpostArn", - "smithy.api#documentation": "The ARN of the Outpost on which the snapshot is stored.
\nThis parameter is only supported on BlockDeviceMapping
objects called by\n \n CreateImage.
The ARN of the Outpost on which the snapshot is stored.
\nThis parameter is not supported when using CreateImage.
", "smithy.api#xmlName": "outpostArn" } }, @@ -44071,7 +45789,17 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Enables a virtual private gateway (VGW) to propagate routes to the specified route\n table of a VPC.
" + "smithy.api#documentation": "Enables a virtual private gateway (VGW) to propagate routes to the specified route\n table of a VPC.
", + "smithy.api#examples": [ + { + "title": "To enable route propagation", + "documentation": "This example enables the specified virtual private gateway to propagate static routes to the specified route table.", + "input": { + "RouteTableId": "rtb-22574640", + "GatewayId": "vgw-9a4cacf3" + } + } + ] } }, "com.amazonaws.ec2#EnableVgwRoutePropagationRequest": { @@ -44156,7 +45884,7 @@ "target": "com.amazonaws.ec2#EnableVpcClassicLinkResult" }, "traits": { - "smithy.api#documentation": "We are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nEnables a VPC for ClassicLink. You can then link EC2-Classic instances to your\n\t\t\tClassicLink-enabled VPC to allow communication over private IP addresses. You cannot\n\t\t\tenable your VPC for ClassicLink if any of your VPC route tables have existing routes for\n\t\t\taddress ranges within the 10.0.0.0/8
IP address range, excluding local\n\t\t\troutes for VPCs in the 10.0.0.0/16
and 10.1.0.0/16
IP address\n\t\t\tranges. For more information, see ClassicLink in the\n\t\t\t\tAmazon Elastic Compute Cloud User Guide.
This action is deprecated.
\nEnables a VPC for ClassicLink. You can then link EC2-Classic instances to your\n\t\t\tClassicLink-enabled VPC to allow communication over private IP addresses. You cannot\n\t\t\tenable your VPC for ClassicLink if any of your VPC route tables have existing routes for\n\t\t\taddress ranges within the 10.0.0.0/8
IP address range, excluding local\n\t\t\troutes for VPCs in the 10.0.0.0/16
and 10.1.0.0/16
IP address\n\t\t\tranges.
We are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nEnables a VPC to support DNS hostname resolution for ClassicLink. If enabled, the DNS\n\t\t\thostname of a linked EC2-Classic instance resolves to its private IP address when\n\t\t\taddressed from an instance in the VPC to which it's linked. Similarly, the DNS hostname\n\t\t\tof an instance in a VPC resolves to its private IP address when addressed from a linked\n\t\t\tEC2-Classic instance. For more information, see ClassicLink in the\n\t\t\t\tAmazon Elastic Compute Cloud User Guide.
\nYou must specify a VPC ID in the request.
" + "smithy.api#documentation": "This action is deprecated.
\nEnables a VPC to support DNS hostname resolution for ClassicLink. If enabled, the DNS\n\t\t\thostname of a linked EC2-Classic instance resolves to its private IP address when\n\t\t\taddressed from an instance in the VPC to which it's linked. Similarly, the DNS hostname\n\t\t\tof an instance in a VPC resolves to its private IP address when addressed from a linked\n\t\t\tEC2-Classic instance.
\nYou must specify a VPC ID in the request.
" } }, "com.amazonaws.ec2#EnableVpcClassicLinkDnsSupportRequest": { @@ -44465,7 +46193,7 @@ "min": 1, "max": 30 }, - "smithy.api#pattern": "^[a-zA-Z0-9\\.\\*]+$" + "smithy.api#pattern": "^[a-zA-Z0-9\\.\\*\\-]+$" } }, "com.amazonaws.ec2#ExcludedInstanceTypeSet": { @@ -46719,7 +48447,7 @@ "target": "com.amazonaws.ec2#ImageId", "traits": { "aws.protocols#ec2QueryName": "ImageId", - "smithy.api#documentation": "The ID of the AMI. An AMI is required to launch an instance. The AMI ID must be specified here or in the launch template.
", + "smithy.api#documentation": "The ID of the AMI. An AMI is required to launch an instance. This parameter is only\n available for fleets of type instant
. For fleets of type maintain
\n and request
, you must specify the AMI ID in the launch template.
The ID of the AMI. An AMI is required to launch an instance. The AMI ID must be specified here or in the launch template.
" + "smithy.api#documentation": "The ID of the AMI. An AMI is required to launch an instance. This parameter is only\n available for fleets of type instant
. For fleets of type maintain
\n and request
, you must specify the AMI ID in the launch template.
Gets the console output for the specified instance. For Linux instances, the instance\n console output displays the exact console output that would normally be displayed on a\n physical monitor attached to a computer. For Windows instances, the instance console\n output includes the last three system event log errors.
\nBy default, the console output returns buffered information that was posted shortly\n after an instance transition state (start, stop, reboot, or terminate). This information\n is available for at least one hour after the most recent post. Only the most recent 64\n KB of console output is available.
\nYou can optionally retrieve the latest serial console output at any time during the\n instance lifecycle. This option is supported on instance types that use the Nitro\n hypervisor.
\nFor more information, see Instance\n console output in the Amazon EC2 User Guide.
" + "smithy.api#documentation": "Gets the console output for the specified instance. For Linux instances, the instance\n console output displays the exact console output that would normally be displayed on a\n physical monitor attached to a computer. For Windows instances, the instance console\n output includes the last three system event log errors.
\nBy default, the console output returns buffered information that was posted shortly\n after an instance transition state (start, stop, reboot, or terminate). This information\n is available for at least one hour after the most recent post. Only the most recent 64\n KB of console output is available.
\nYou can optionally retrieve the latest serial console output at any time during the\n instance lifecycle. This option is supported on instance types that use the Nitro\n hypervisor.
\nFor more information, see Instance\n console output in the Amazon EC2 User Guide.
", + "smithy.api#examples": [ + { + "title": "To get the console output", + "documentation": "This example gets the console output for the specified instance.", + "input": { + "InstanceId": "i-1234567890abcdef0" + }, + "output": { + "InstanceId": "i-1234567890abcdef0", + "Output": "...", + "Timestamp": "2018-05-25T21:23:53.000Z" + } + } + ] } }, "com.amazonaws.ec2#GetConsoleOutputRequest": { @@ -48436,6 +50178,14 @@ "smithy.api#documentation": "Indicates whether encryption by default is enabled.
", "smithy.api#xmlName": "ebsEncryptionByDefault" } + }, + "SseType": { + "target": "com.amazonaws.ec2#SSEType", + "traits": { + "aws.protocols#ec2QueryName": "SseType", + "smithy.api#documentation": "Reserved for future use.
", + "smithy.api#xmlName": "sseType" + } } }, "traits": { @@ -48451,7 +50201,7 @@ "target": "com.amazonaws.ec2#GetFlowLogsIntegrationTemplateResult" }, "traits": { - "smithy.api#documentation": "Generates a CloudFormation template that streamlines and automates the integration of VPC flow logs \n with Amazon Athena. This make it easier for you to query and gain insights from VPC flow logs data. \n Based on the information that you provide, we configure resources in the template to do the following:
\nCreate a table in Athena that maps fields to a custom log format
\nCreate a Lambda function that updates the table with new partitions on a daily, weekly, or\n monthly basis
\nCreate a table partitioned between two timestamps in the past
\nCreate a set of named queries in Athena that you can use to get started quickly
\nGenerates a CloudFormation template that streamlines and automates the integration of VPC flow logs \n with Amazon Athena. This make it easier for you to query and gain insights from VPC flow logs data. \n Based on the information that you provide, we configure resources in the template to do the following:
\nCreate a table in Athena that maps fields to a custom log format
\nCreate a Lambda function that updates the table with new partitions on a daily, weekly, or\n monthly basis
\nCreate a table partitioned between two timestamps in the past
\nCreate a set of named queries in Athena that you can use to get started quickly
\n\n GetFlowLogsIntegrationTemplate
does not support integration between\n Amazon Web Services Transit Gateway Flow Logs and Amazon Athena.
Retrieves the configuration data of the specified instance. You can use this data to\n create a launch template.
\nThis action calls on other describe actions to get instance information. Depending on\n your instance configuration, you may need to allow the following actions in your IAM\n policy: DescribeSpotInstanceRequests
,\n DescribeInstanceCreditSpecifications
, DescribeVolumes
,\n DescribeInstanceAttribute
, and DescribeElasticGpus
. Or,\n you can allow describe*
depending on your instance requirements.
Retrieves the configuration data of the specified instance. You can use this data to\n create a launch template.
\nThis action calls on other describe actions to get instance information. Depending on\n your instance configuration, you may need to allow the following actions in your IAM\n policy: DescribeSpotInstanceRequests
,\n DescribeInstanceCreditSpecifications
, DescribeVolumes
,\n DescribeInstanceAttribute
, and DescribeElasticGpus
. Or,\n you can allow describe*
depending on your instance requirements.
If this parameter is set to true
, your instance is enabled for\n hibernation; otherwise, it is not enabled for hibernation.
If true
, your instance is enabled for hibernation; otherwise, it is not\n enabled for hibernation.
Indicates whether your instance is configured for hibernation. This parameter is valid\n only if the instance meets the hibernation\n prerequisites. For more information, see Hibernate your instance in the\n Amazon EC2 User Guide.
" + "smithy.api#documentation": "Indicates whether your instance is configured for hibernation. This parameter is valid\n only if the instance meets the hibernation\n prerequisites. For more information, see Hibernate your instance in the\n Amazon EC2 User Guide.
" } }, "com.amazonaws.ec2#HibernationOptionsRequest": { @@ -51446,12 +53255,12 @@ "traits": { "smithy.api#clientOptional": {}, "smithy.api#default": false, - "smithy.api#documentation": "If you set this parameter to true
, your instance is enabled for\n hibernation.
Default: false
\n
Set to true
to enable your instance for hibernation.
Default: false
\n
Indicates whether your instance is configured for hibernation. This parameter is valid\n only if the instance meets the hibernation\n prerequisites. For more information, see Hibernate your instance in the\n Amazon EC2 User Guide.
" + "smithy.api#documentation": "Indicates whether your instance is configured for hibernation. This parameter is valid\n only if the instance meets the hibernation\n prerequisites. For more information, see Hibernate your instance in the\n Amazon EC2 User Guide.
" } }, "com.amazonaws.ec2#HistoryRecord": { @@ -51692,6 +53501,14 @@ "smithy.api#documentation": "Indicates whether host maintenance is enabled or disabled for the Dedicated\n Host.
", "smithy.api#xmlName": "hostMaintenance" } + }, + "AssetId": { + "target": "com.amazonaws.ec2#AssetId", + "traits": { + "aws.protocols#ec2QueryName": "AssetId", + "smithy.api#documentation": "The ID of the Outpost hardware asset on which the Dedicated Host is allocated.
", + "smithy.api#xmlName": "assetId" + } } }, "traits": { @@ -53250,7 +55067,7 @@ "KmsKeyId": { "target": "com.amazonaws.ec2#KmsKeyId", "traits": { - "smithy.api#documentation": "An identifier for the symmetric KMS key to use when creating the\n encrypted AMI. This parameter is only required if you want to use a non-default KMS key; if this\n parameter is not specified, the default KMS key for EBS is used. If a KmsKeyId
is\n specified, the Encrypted
flag must also be set.
The KMS key identifier may be provided in any of the following formats:
\nKey ID
\nKey alias. The alias ARN contains the arn:aws:kms
namespace, followed by the Region of the key, the Amazon Web Services account ID of the key owner, the alias
namespace, and then the key alias. For example, arn:aws:kms:us-east-1:012345678910:alias/ExampleAlias.
ARN using key ID. The ID ARN contains the arn:aws:kms
namespace, followed by the Region of the key, the Amazon Web Services account ID of the key owner, the key
namespace, and then the key ID. For example, arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef.
ARN using key alias. The alias ARN contains the arn:aws:kms
namespace, followed by the Region of the key, the Amazon Web Services account ID of the key owner, the alias
namespace, and then the key alias. For example, arn:aws:kms:us-east-1:012345678910:alias/ExampleAlias.
Amazon Web Services parses KmsKeyId
asynchronously, meaning that the action you call may appear to complete even\n though you provided an invalid identifier. This action will eventually report failure.
The specified KMS key must exist in the Region that the AMI is being copied to.
\nAmazon EBS does not support asymmetric KMS keys.
" + "smithy.api#documentation": "An identifier for the symmetric KMS key to use when creating the\n encrypted AMI. This parameter is only required if you want to use a non-default KMS key; if this\n parameter is not specified, the default KMS key for EBS is used. If a KmsKeyId
is\n specified, the Encrypted
flag must also be set.
The KMS key identifier may be provided in any of the following formats:
\nKey ID
\nKey alias
\nARN using key ID. The ID ARN contains the arn:aws:kms
namespace, followed by the Region of the key, the Amazon Web Services account ID of the key owner, the key
namespace, and then the key ID. For example, arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef.
ARN using key alias. The alias ARN contains the arn:aws:kms
namespace, followed by the Region of the key, the Amazon Web Services account ID of the key owner, the alias
namespace, and then the key alias. For example, arn:aws:kms:us-east-1:012345678910:alias/ExampleAlias.
Amazon Web Services parses KmsKeyId
asynchronously, meaning that the action you call may appear to complete even\n though you provided an invalid identifier. This action will eventually report failure.
The specified KMS key must exist in the Region that the AMI is being copied to.
\nAmazon EBS does not support asymmetric KMS keys.
" } }, "LicenseType": { @@ -53262,7 +55079,7 @@ "Platform": { "target": "com.amazonaws.ec2#String", "traits": { - "smithy.api#documentation": "The operating system of the virtual machine.
\nValid values: Windows
| Linux
\n
The operating system of the virtual machine. If you import a VM that is compatible with\n Unified Extensible Firmware Interface (UEFI) using an EBS snapshot, you must specify a value for\n the platform.
\nValid values: Windows
| Linux
\n
Creates an import instance task using metadata from the specified disk image.
\nThis API action supports only single-volume VMs. To import multi-volume VMs, use ImportImage\n instead.
\nThis API action is not supported by the Command Line Interface (CLI). For \n information about using the Amazon EC2 CLI, which is deprecated, see\n Importing a VM to Amazon EC2 in the Amazon EC2 CLI Reference PDF file.
\nFor information about the import manifest referenced by this API action, see VM Import Manifest.
" + "smithy.api#documentation": "We recommend that you use the \n ImportImage
\n \n API. For more information, see Importing a VM as an image using VM\n Import/Export in the VM Import/Export User Guide.
Creates an import instance task using metadata from the specified disk image.
\nThis API action is not supported by the Command Line Interface (CLI). For\n information about using the Amazon EC2 CLI, which is deprecated, see Importing\n a VM to Amazon EC2 in the Amazon EC2 CLI Reference PDF file.
\nThis API action supports only single-volume VMs. To import multi-volume VMs, use ImportImage\n instead.
\nFor information about the import manifest referenced by this API action, see VM Import Manifest.
" } }, "com.amazonaws.ec2#ImportInstanceLaunchSpecification": { @@ -54049,7 +55866,7 @@ "KmsKeyId": { "target": "com.amazonaws.ec2#KmsKeyId", "traits": { - "smithy.api#documentation": "An identifier for the symmetric KMS key to use when creating the\n encrypted snapshot. This parameter is only required if you want to use a non-default KMS key; if this\n parameter is not specified, the default KMS key for EBS is used. If a KmsKeyId
is\n specified, the Encrypted
flag must also be set.
The KMS key identifier may be provided in any of the following formats:
\nKey ID
\nKey alias. The alias ARN contains the arn:aws:kms
namespace, followed by the Region of the key, the Amazon Web Services account ID of the key owner, the alias
namespace, and then the key alias. For example, arn:aws:kms:us-east-1:012345678910:alias/ExampleAlias.
ARN using key ID. The ID ARN contains the arn:aws:kms
namespace, followed by the Region of the key, the Amazon Web Services account ID of the key owner, the key
namespace, and then the key ID. For example, arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef.
ARN using key alias. The alias ARN contains the arn:aws:kms
namespace, followed by the Region of the key, the Amazon Web Services account ID of the key owner, the alias
namespace, and then the key alias. For example, arn:aws:kms:us-east-1:012345678910:alias/ExampleAlias.
Amazon Web Services parses KmsKeyId
asynchronously, meaning that the action you call may appear to complete even\n though you provided an invalid identifier. This action will eventually report failure.
The specified KMS key must exist in the Region that the snapshot is being copied to.
\nAmazon EBS does not support asymmetric KMS keys.
" + "smithy.api#documentation": "An identifier for the symmetric KMS key to use when creating the\n encrypted snapshot. This parameter is only required if you want to use a non-default KMS key; if this\n parameter is not specified, the default KMS key for EBS is used. If a KmsKeyId
is\n specified, the Encrypted
flag must also be set.
The KMS key identifier may be provided in any of the following formats:
\nKey ID
\nKey alias
\nARN using key ID. The ID ARN contains the arn:aws:kms
namespace, followed by the Region of the key, the Amazon Web Services account ID of the key owner, the key
namespace, and then the key ID. For example, arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef.
ARN using key alias. The alias ARN contains the arn:aws:kms
namespace, followed by the Region of the key, the Amazon Web Services account ID of the key owner, the alias
namespace, and then the key alias. For example, arn:aws:kms:us-east-1:012345678910:alias/ExampleAlias.
Amazon Web Services parses KmsKeyId
asynchronously, meaning that the action you call may appear to complete even\n though you provided an invalid identifier. This action will eventually report failure.
The specified KMS key must exist in the Region that the snapshot is being copied to.
\nAmazon EBS does not support asymmetric KMS keys.
" } }, "RoleName": { @@ -54327,6 +56144,14 @@ "smithy.api#documentation": "Describes the Inference accelerators for the instance type.
", "smithy.api#xmlName": "accelerators" } + }, + "TotalInferenceMemoryInMiB": { + "target": "com.amazonaws.ec2#totalInferenceMemory", + "traits": { + "aws.protocols#ec2QueryName": "TotalInferenceMemoryInMiB", + "smithy.api#documentation": "The total size of the memory for the inference accelerators for the instance type, in MiB.
", + "smithy.api#xmlName": "totalInferenceMemoryInMiB" + } } }, "traits": { @@ -54362,6 +56187,14 @@ "smithy.api#documentation": "The manufacturer of the Inference accelerator.
", "smithy.api#xmlName": "manufacturer" } + }, + "MemoryInfo": { + "target": "com.amazonaws.ec2#InferenceDeviceMemoryInfo", + "traits": { + "aws.protocols#ec2QueryName": "MemoryInfo", + "smithy.api#documentation": "Describes the memory available to the inference accelerator.
", + "smithy.api#xmlName": "memoryInfo" + } } }, "traits": { @@ -54377,6 +56210,25 @@ "com.amazonaws.ec2#InferenceDeviceManufacturerName": { "type": "string" }, + "com.amazonaws.ec2#InferenceDeviceMemoryInfo": { + "type": "structure", + "members": { + "SizeInMiB": { + "target": "com.amazonaws.ec2#InferenceDeviceMemorySize", + "traits": { + "aws.protocols#ec2QueryName": "SizeInMiB", + "smithy.api#documentation": "The size of the memory available to the inference accelerator, in MiB.
", + "smithy.api#xmlName": "sizeInMiB" + } + } + }, + "traits": { + "smithy.api#documentation": "Describes the memory available to the inference accelerator.
" + } + }, + "com.amazonaws.ec2#InferenceDeviceMemorySize": { + "type": "integer" + }, "com.amazonaws.ec2#InferenceDeviceName": { "type": "string" }, @@ -55902,6 +57754,16 @@ "smithy.api#documentation": "The IPv6 address.
", "smithy.api#xmlName": "ipv6Address" } + }, + "IsPrimaryIpv6": { + "target": "com.amazonaws.ec2#Boolean", + "traits": { + "aws.protocols#ec2QueryName": "IsPrimaryIpv6", + "smithy.api#clientOptional": {}, + "smithy.api#default": false, + "smithy.api#documentation": "Determines if an IPv6 address associated with a network interface is the primary IPv6 address. When you enable an IPv6 GUA address to be a primary IPv6, the first IPv6 GUA will be made the primary IPv6 address until the instance is terminated or the network interface is detached. \n For more information, see RunInstances.
", + "smithy.api#xmlName": "isPrimaryIpv6" + } } }, "traits": { @@ -56706,6 +58568,14 @@ "smithy.api#default": 0, "smithy.api#documentation": "The number of IPv6 delegated prefixes to be automatically assigned to the network interface. \n You cannot use this option if you use the Ipv6Prefix
option.
The primary IPv6 address of the network interface. When you enable an IPv6 GUA address to be a primary IPv6, the first IPv6 GUA will be made the primary IPv6 address until the instance is terminated or the network interface is detached. For more information about primary IPv6 addresses, see RunInstances.
" + } } }, "traits": { @@ -56967,7 +58837,7 @@ } }, "traits": { - "smithy.api#documentation": "The attributes for the instance types. When you specify instance attributes, Amazon EC2 will\n identify instance types with these attributes.
\nWhen you specify multiple attributes, you get instance types that satisfy all of the\n specified attributes. If you specify multiple values for an attribute, you get instance\n types that satisfy any of the specified values.
\nTo limit the list of instance types from which Amazon EC2 can identify matching instance types, \n you can use one of the following parameters, but not both in the same request:
\n\n AllowedInstanceTypes
- The instance types to include in the list. All \n other instance types are ignored, even if they match your specified attributes.
\n ExcludedInstanceTypes
- The instance types to exclude from the list, \n even if they match your specified attributes.
You must specify VCpuCount
and MemoryMiB
. All other attributes\n are optional. Any unspecified optional attribute is set to its default.
For more information, see Attribute-based instance type selection for EC2 Fleet, Attribute-based instance type selection for Spot Fleet, and Spot\n placement score in the Amazon EC2 User Guide.
" + "smithy.api#documentation": "The attributes for the instance types. When you specify instance attributes, Amazon EC2 will\n identify instance types with these attributes.
\nYou must specify VCpuCount
and MemoryMiB
. All other attributes\n are optional. Any unspecified optional attribute is set to its default.
When you specify multiple attributes, you get instance types that satisfy all of the\n specified attributes. If you specify multiple values for an attribute, you get instance\n types that satisfy any of the specified values.
\nTo limit the list of instance types from which Amazon EC2 can identify matching instance types, \n you can use one of the following parameters, but not both in the same request:
\n\n AllowedInstanceTypes
- The instance types to include in the list. All \n other instance types are ignored, even if they match your specified attributes.
\n ExcludedInstanceTypes
- The instance types to exclude from the list, \n even if they match your specified attributes.
If you specify InstanceRequirements
, you can't specify\n InstanceType
.
Attribute-based instance type selection is only supported when using Auto Scaling\n groups, EC2 Fleet, and Spot Fleet to launch instances. If you plan to use the launch template in\n the launch instance\n wizard or with the RunInstances API, you\n can't specify InstanceRequirements
.
For more information, see Attribute-based instance type selection for EC2 Fleet, Attribute-based instance type selection for Spot Fleet, and Spot\n placement score in the Amazon EC2 User Guide.
" } }, "com.amazonaws.ec2#InstanceRequirementsRequest": { @@ -57119,7 +58989,7 @@ "NetworkBandwidthGbps": { "target": "com.amazonaws.ec2#NetworkBandwidthGbpsRequest", "traits": { - "smithy.api#documentation": "The minimum and maximum amount of network bandwidth, in gigabits per second (Gbps).
\nDefault: No minimum or maximum limits
" + "smithy.api#documentation": "The minimum and maximum amount of baseline network bandwidth, in gigabits per second \n (Gbps). For more information, see Amazon EC2 instance network bandwidth in the Amazon EC2 User Guide.
\nDefault: No minimum or maximum limits
" } }, "AllowedInstanceTypes": { @@ -57131,7 +59001,7 @@ } }, "traits": { - "smithy.api#documentation": "The attributes for the instance types. When you specify instance attributes, Amazon EC2 will\n identify instance types with these attributes.
\nWhen you specify multiple attributes, you get instance types that satisfy all of the\n specified attributes. If you specify multiple values for an attribute, you get instance\n types that satisfy any of the specified values.
\nTo limit the list of instance types from which Amazon EC2 can identify matching instance types, \n you can use one of the following parameters, but not both in the same request:
\n\n AllowedInstanceTypes
- The instance types to include in the list. All \n other instance types are ignored, even if they match your specified attributes.
\n ExcludedInstanceTypes
- The instance types to exclude from the list, \n even if they match your specified attributes.
You must specify VCpuCount
and MemoryMiB
. All other attributes\n are optional. Any unspecified optional attribute is set to its default.
For more information, see Attribute-based instance type selection for EC2 Fleet, Attribute-based instance type selection for Spot Fleet, and Spot\n placement score in the Amazon EC2 User Guide.
" + "smithy.api#documentation": "The attributes for the instance types. When you specify instance attributes, Amazon EC2 will\n identify instance types with these attributes.
\nYou must specify VCpuCount
and MemoryMiB
. All other attributes\n are optional. Any unspecified optional attribute is set to its default.
When you specify multiple attributes, you get instance types that satisfy all of the\n specified attributes. If you specify multiple values for an attribute, you get instance\n types that satisfy any of the specified values.
\nTo limit the list of instance types from which Amazon EC2 can identify matching instance types, \n you can use one of the following parameters, but not both in the same request:
\n\n AllowedInstanceTypes
- The instance types to include in the list. All \n other instance types are ignored, even if they match your specified attributes.
\n ExcludedInstanceTypes
- The instance types to exclude from the list, \n even if they match your specified attributes.
If you specify InstanceRequirements
, you can't specify\n InstanceType
.
Attribute-based instance type selection is only supported when using Auto Scaling\n groups, EC2 Fleet, and Spot Fleet to launch instances. If you plan to use the launch template in\n the launch instance\n wizard, or with the RunInstances API or\n AWS::EC2::Instance Amazon Web Services CloudFormation resource, you can't specify\n InstanceRequirements
.
For more information, see Attribute-based instance type selection for EC2 Fleet, Attribute-based instance type selection for Spot Fleet, and Spot\n placement score in the Amazon EC2 User Guide.
" } }, "com.amazonaws.ec2#InstanceRequirementsWithMetadataRequest": { 
@@ -61525,6 +63395,162 @@ "traits": { "smithy.api#enumValue": "i4g.16xlarge" } + }, + "hpc7g_4xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "hpc7g.4xlarge" + } + }, + "hpc7g_8xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "hpc7g.8xlarge" + } + }, + "hpc7g_16xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "hpc7g.16xlarge" + } + }, + "c7gn_medium": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "c7gn.medium" + } + }, + "c7gn_large": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "c7gn.large" + } + }, + "c7gn_xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "c7gn.xlarge" + } + }, + "c7gn_2xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "c7gn.2xlarge" + } + }, + "c7gn_4xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "c7gn.4xlarge" + } + }, + "c7gn_8xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "c7gn.8xlarge" + } + }, + "c7gn_12xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "c7gn.12xlarge" + } + }, + "c7gn_16xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "c7gn.16xlarge" + } + }, + "p5_48xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "p5.48xlarge" + } + }, + "m7i_large": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7i.large" + } + }, + "m7i_xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7i.xlarge" + } + }, + "m7i_2xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7i.2xlarge" + } + }, + "m7i_4xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7i.4xlarge" + } + }, + "m7i_8xlarge": { + "target": "smithy.api#Unit", + "traits": { + 
"smithy.api#enumValue": "m7i.8xlarge" + } + }, + "m7i_12xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7i.12xlarge" + } + }, + "m7i_16xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7i.16xlarge" + } + }, + "m7i_24xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7i.24xlarge" + } + }, + "m7i_48xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7i.48xlarge" + } + }, + "m7i_flex_large": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7i-flex.large" + } + }, + "m7i_flex_xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7i-flex.xlarge" + } + }, + "m7i_flex_2xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7i-flex.2xlarge" + } + }, + "m7i_flex_4xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7i-flex.4xlarge" + } + }, + "m7i_flex_8xlarge": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "m7i-flex.8xlarge" + } } } }, @@ -61712,7 +63738,7 @@ "target": "com.amazonaws.ec2#BurstablePerformanceFlag", "traits": { "aws.protocols#ec2QueryName": "BurstablePerformanceSupported", - "smithy.api#documentation": "Indicates whether the instance type is a burstable performance instance type.
", + "smithy.api#documentation": "Indicates whether the instance type is a burstable performance T instance \n type. For more information, see Burstable \n performance instances.
", "smithy.api#xmlName": "burstablePerformanceSupported" } }, @@ -61739,6 +63765,30 @@ "smithy.api#documentation": "The supported boot modes. For more information, see Boot modes in the\n Amazon EC2 User Guide.
", "smithy.api#xmlName": "supportedBootModes" } + }, + "NitroEnclavesSupport": { + "target": "com.amazonaws.ec2#NitroEnclavesSupport", + "traits": { + "aws.protocols#ec2QueryName": "NitroEnclavesSupport", + "smithy.api#documentation": "Indicates whether Nitro Enclaves is supported.
", + "smithy.api#xmlName": "nitroEnclavesSupport" + } + }, + "NitroTpmSupport": { + "target": "com.amazonaws.ec2#NitroTpmSupport", + "traits": { + "aws.protocols#ec2QueryName": "NitroTpmSupport", + "smithy.api#documentation": "Indicates whether NitroTPM is supported.
", + "smithy.api#xmlName": "nitroTpmSupport" + } + }, + "NitroTpmInfo": { + "target": "com.amazonaws.ec2#NitroTpmInfo", + "traits": { + "aws.protocols#ec2QueryName": "NitroTpmInfo", + "smithy.api#documentation": "Describes the supported NitroTPM versions for the instance type.
", + "smithy.api#xmlName": "nitroTpmInfo" + } } }, "traits": { @@ -62006,7 +64056,7 @@ } }, "traits": { - "smithy.api#documentation": "Describes the attachment of a VPC to an internet gateway or an egress-only internet\n\t\t\tgateway.
" + "smithy.api#documentation": "Describes the attachment of a VPC to an internet gateway or an egress-only internet gateway.
" } }, "com.amazonaws.ec2#InternetGatewayAttachmentList": { @@ -62107,7 +64157,7 @@ "target": "com.amazonaws.ec2#String", "traits": { "aws.protocols#ec2QueryName": "IpProtocol", - "smithy.api#documentation": "The IP protocol name (tcp
, udp
, icmp
, icmpv6
) \n or number (see Protocol Numbers).
[VPC only] Use -1
to specify all protocols. When authorizing\n security group rules, specifying -1
or a protocol number other than\n tcp
, udp
, icmp
, or icmpv6
allows\n traffic on all ports, regardless of any port range you specify. For tcp
,\n udp
, and icmp
, you must specify a port range. For icmpv6
,\n the port range is optional; if you omit the port range, traffic for all types and codes is allowed.
The IP protocol name (tcp
, udp
, icmp
, icmpv6
) \n or number (see Protocol Numbers).
Use -1
to specify all protocols. When authorizing\n security group rules, specifying -1
or a protocol number other than\n tcp
, udp
, icmp
, or icmpv6
allows\n traffic on all ports, regardless of any port range you specify. For tcp
,\n udp
, and icmp
, you must specify a port range. For icmpv6
,\n the port range is optional; if you omit the port range, traffic for all types and codes is allowed.
[VPC only] The IPv6 ranges.
", + "smithy.api#documentation": "The IPv6 ranges.
", "smithy.api#xmlName": "ipv6Ranges" } }, @@ -62131,7 +64181,7 @@ "target": "com.amazonaws.ec2#PrefixListIdList", "traits": { "aws.protocols#ec2QueryName": "PrefixListIds", - "smithy.api#documentation": "[VPC only] The prefix list IDs.
", + "smithy.api#documentation": "The prefix list IDs.
", "smithy.api#xmlName": "prefixListIds" } }, @@ -64598,7 +66648,7 @@ } }, "traits": { - "smithy.api#documentation": "[EC2-VPC only] Describes an IPv6 range.
" + "smithy.api#documentation": "Describes an IPv6 range.
" } }, "com.amazonaws.ec2#Ipv6RangeList": { @@ -65293,7 +67343,7 @@ "target": "com.amazonaws.ec2#FleetLaunchTemplateSpecification", "traits": { "aws.protocols#ec2QueryName": "LaunchTemplateSpecification", - "smithy.api#documentation": "The launch template.
", + "smithy.api#documentation": "The launch template to use. Make sure that the launch template does not contain the\n NetworkInterfaceId
parameter because you can't specify a network interface\n ID in a Spot Fleet.
Indicates whether the instance is enabled for \n AMD SEV-SNP.
", + "smithy.api#documentation": "Indicates whether the instance is enabled for AMD SEV-SNP. For more information, see \n AMD SEV-SNP.
", "smithy.api#xmlName": "amdSevSnp" } } @@ -65377,7 +67427,7 @@ "AmdSevSnp": { "target": "com.amazonaws.ec2#AmdSevSnpSpecification", "traits": { - "smithy.api#documentation": "Indicates whether to enable the instance for AMD SEV-SNP. AMD SEV-SNP is supported \n with M6a, R6a, and C6a instance types only.
" + "smithy.api#documentation": "Indicates whether to enable the instance for AMD SEV-SNP. AMD SEV-SNP is supported \n with M6a, R6a, and C6a instance types only. For more information, see \n AMD SEV-SNP.
" } } }, @@ -66204,6 +68254,16 @@ "smithy.api#documentation": "The number of IPv6 prefixes that Amazon Web Services automatically assigned to the network\n interface.
", "smithy.api#xmlName": "ipv6PrefixCount" } + }, + "PrimaryIpv6": { + "target": "com.amazonaws.ec2#Boolean", + "traits": { + "aws.protocols#ec2QueryName": "PrimaryIpv6", + "smithy.api#clientOptional": {}, + "smithy.api#default": false, + "smithy.api#documentation": "The primary IPv6 address of the network interface. When you enable an IPv6 GUA address to be a primary IPv6, the first IPv6 GUA will be made the primary IPv6 address until the instance is terminated or the network interface is detached. For more information about primary IPv6 addresses, see RunInstances.
", + "smithy.api#xmlName": "primaryIpv6" + } } }, "traits": { @@ -66356,6 +68416,14 @@ "smithy.api#default": 0, "smithy.api#documentation": "The number of IPv6 prefixes to be automatically assigned to the network interface. You\n cannot use this option if you use the Ipv6Prefix
option.
The primary IPv6 address of the network interface. When you enable an IPv6 GUA address to be a primary IPv6, the first IPv6 GUA will be made the primary IPv6 address until the instance is terminated or the network interface is detached. For more information about primary IPv6 addresses, see RunInstances.
" + } } }, "traits": { @@ -69538,7 +71606,24 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Modifies the specified attribute of the specified AMI. You can specify only one attribute at a time.
\nTo specify the attribute, you can use the Attribute
parameter, or one of the following parameters: \n Description
, ImdsSupport
, or LaunchPermission
.
Images with an Amazon Web Services Marketplace product code cannot be made public.
\nTo enable the SriovNetSupport enhanced networking attribute of an image, enable SriovNetSupport on an instance \n and create an AMI from the instance.
" + "smithy.api#documentation": "Modifies the specified attribute of the specified AMI. You can specify only one attribute at a time.
\nTo specify the attribute, you can use the Attribute
parameter, or one of the following parameters: \n Description
, ImdsSupport
, or LaunchPermission
.
Images with an Amazon Web Services Marketplace product code cannot be made public.
\nTo enable the SriovNetSupport enhanced networking attribute of an image, enable SriovNetSupport on an instance \n and create an AMI from the instance.
", + "smithy.api#examples": [ + { + "title": "To make an AMI public", + "documentation": "This example makes the specified AMI public.", + "input": { + "ImageId": "ami-5731123e", + "LaunchPermission": { + "Add": [ + { + "Group": "all" + } + ] + } + }, + "output": {} + } + ] } }, "com.amazonaws.ec2#ModifyImageAttributeRequest": { @@ -70182,7 +72267,7 @@ "HttpProtocolIpv6": { "target": "com.amazonaws.ec2#InstanceMetadataProtocolState", "traits": { - "smithy.api#documentation": "Enables or disables the IPv6 endpoint for the instance metadata service. This setting\n applies only if you have enabled the HTTP metadata endpoint.
" + "smithy.api#documentation": "Enables or disables the IPv6 endpoint for the instance metadata service. \n Applies only if you enabled the HTTP metadata endpoint.
" } }, "InstanceMetadataTags": { @@ -70271,7 +72356,7 @@ "target": "com.amazonaws.ec2#HostTenancy", "traits": { "aws.protocols#ec2QueryName": "Tenancy", - "smithy.api#documentation": "The tenancy for the instance.
\nFor T3 instances, you can't change the tenancy from dedicated
to\n host
, or from host
to dedicated
.\n Attempting to make one of these unsupported tenancy changes results in the\n InvalidTenancy
error code.
The tenancy for the instance.
\nFor T3 instances, you must launch the instance on a Dedicated Host to use a\n tenancy of host
. You can't change the tenancy from\n host
to dedicated
or default
.\n Attempting to make one of these unsupported tenancy changes results in an\n InvalidRequest
error code.
The ARN of the host resource group in which to place the instance.
" + "smithy.api#documentation": "The ARN of the host resource group in which to place the instance. The instance must\n have a tenancy of host
to specify this parameter.
Modifies a launch template. You can specify which version of the launch template to\n set as the default version. When launching an instance, the default version applies when\n a launch template version is not specified.
" + "smithy.api#documentation": "Modifies a launch template. You can specify which version of the launch template to\n set as the default version. When launching an instance, the default version applies when\n a launch template version is not specified.
", + "smithy.api#examples": [ + { + "title": "To change the default version of a launch template", + "documentation": "This example specifies version 2 as the default version of the specified launch template.", + "input": { + "LaunchTemplateId": "lt-0abcd290751193123", + "DefaultVersion": "2" + }, + "output": { + "LaunchTemplate": { + "LatestVersionNumber": 2, + "LaunchTemplateId": "lt-0abcd290751193123", + "LaunchTemplateName": "WebServers", + "DefaultVersionNumber": 2, + "CreatedBy": "arn:aws:iam::123456789012:root", + "CreateTime": "2017-12-01T13:35:46.000Z" + } + } + } + ] } }, "com.amazonaws.ec2#ModifyLaunchTemplateRequest": { @@ -71027,6 +73132,14 @@ "traits": { "smithy.api#documentation": "Updates the ENA Express configuration for the network interface that’s attached to the\n\t\t\tinstance.
" } + }, + "EnablePrimaryIpv6": { + "target": "com.amazonaws.ec2#Boolean", + "traits": { + "smithy.api#clientOptional": {}, + "smithy.api#default": false, + "smithy.api#documentation": "If you’re modifying a network interface in a dual-stack or IPv6-only subnet, you have\n the option to assign a primary IPv6 IP address. A primary IPv6 address is an IPv6 GUA\n address associated with an ENI that you have enabled to use a primary IPv6 address. Use\n this option if the instance that this ENI will be attached to relies on its IPv6 address\n not changing. Amazon Web Services will automatically assign an IPv6 address associated\n with the ENI attached to your instance to be the primary IPv6 address. Once you enable\n an IPv6 GUA address to be a primary IPv6, you cannot disable it. When you enable an IPv6\n GUA address to be a primary IPv6, the first IPv6 GUA will be made the primary IPv6\n address until the instance is terminated or the network interface is detached. If you\n have multiple IPv6 addresses associated with an ENI attached to your instance and you\n enable a primary IPv6 address, the first IPv6 GUA address associated with the ENI\n becomes the primary IPv6 address.
" + } } }, "traits": { @@ -71246,7 +73359,22 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Adds or removes permission settings for the specified snapshot. You may add or remove\n specified Amazon Web Services account IDs from a snapshot's list of create volume permissions, but you cannot\n do both in a single operation. If you need to both add and remove account IDs for a snapshot,\n you must use multiple operations. You can make up to 500 modifications to a snapshot in a single operation.
\nEncrypted snapshots and snapshots with Amazon Web Services Marketplace product codes cannot be made\n public. Snapshots encrypted with your default KMS key cannot be shared with other accounts.
\nFor more information about modifying snapshot permissions, see Share a snapshot in the\n Amazon Elastic Compute Cloud User Guide.
" + "smithy.api#documentation": "Adds or removes permission settings for the specified snapshot. You may add or remove\n specified Amazon Web Services account IDs from a snapshot's list of create volume permissions, but you cannot\n do both in a single operation. If you need to both add and remove account IDs for a snapshot,\n you must use multiple operations. You can make up to 500 modifications to a snapshot in a single operation.
\nEncrypted snapshots and snapshots with Amazon Web Services Marketplace product codes cannot be made\n public. Snapshots encrypted with your default KMS key cannot be shared with other accounts.
\nFor more information about modifying snapshot permissions, see Share a snapshot in the\n Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#examples": [ + { + "title": "To modify a snapshot attribute", + "documentation": "This example modifies snapshot ``snap-1234567890abcdef0`` to remove the create volume permission for a user with the account ID ``123456789012``. If the command succeeds, no output is returned.", + "input": { + "SnapshotId": "snap-1234567890abcdef0", + "Attribute": "createVolumePermission", + "OperationType": "remove", + "UserIds": [ + "123456789012" + ] + }, + "output": {} + } + ] } }, "com.amazonaws.ec2#ModifySnapshotAttributeRequest": { @@ -71471,7 +73599,19 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Modifies a subnet attribute. You can only modify one attribute at a time.
\nUse this action to modify subnets on Amazon Web Services Outposts.
\nTo modify a subnet on an Outpost rack, set both\n MapCustomerOwnedIpOnLaunch
and\n CustomerOwnedIpv4Pool
. These two parameters act as a single\n attribute.
To modify a subnet on an Outpost server, set either\n EnableLniAtDeviceIndex
or\n DisableLniAtDeviceIndex
.
For more information about Amazon Web Services Outposts, see the following:
\n\n Outpost servers\n
\n\n Outpost racks\n
\nModifies a subnet attribute. You can only modify one attribute at a time.
\nUse this action to modify subnets on Amazon Web Services Outposts.
\nTo modify a subnet on an Outpost rack, set both\n MapCustomerOwnedIpOnLaunch
and\n CustomerOwnedIpv4Pool
. These two parameters act as a single\n attribute.
To modify a subnet on an Outpost server, set either\n EnableLniAtDeviceIndex
or\n DisableLniAtDeviceIndex
.
For more information about Amazon Web Services Outposts, see the following:
\n\n Outpost servers\n
\n\n Outpost racks\n
\nThe number of bytes in each packet to mirror. These are bytes after the VXLAN header. To mirror a subset, set this to the length (in bytes) to mirror. For example, if you set this value to 100, then the first 100 bytes that meet the filter criteria are copied to the target. Do not specify this parameter when you want to mirror the entire packet.
" + "smithy.api#documentation": "The number of bytes in each packet to mirror. These are bytes after the VXLAN header. To mirror a subset, set this to the length (in bytes) to mirror. For example, if you set this value to 100, then the first 100 bytes that meet the filter criteria are copied to the target. Do not specify this parameter when you want to mirror the entire packet.
\nFor sessions with Network Load Balancer (NLB) traffic mirror targets, the default PacketLength
will be set to 8500. Valid values are 1-8500. Setting a PacketLength
greater than 8500 will result in an error response.
Modifies a volume attribute.
\nBy default, all I/O operations for the volume are suspended when the data on the volume is\n determined to be potentially inconsistent, to prevent undetectable, latent data corruption.\n The I/O access to the volume can be resumed by first enabling I/O access and then checking the\n data consistency on your volume.
\nYou can change the default behavior to resume I/O operations. We recommend that you change\n this only for boot volumes or for volumes that are stateless or disposable.
" + "smithy.api#documentation": "Modifies a volume attribute.
\nBy default, all I/O operations for the volume are suspended when the data on the volume is\n determined to be potentially inconsistent, to prevent undetectable, latent data corruption.\n The I/O access to the volume can be resumed by first enabling I/O access and then checking the\n data consistency on your volume.
\nYou can change the default behavior to resume I/O operations. We recommend that you change\n this only for boot volumes or for volumes that are stateless or disposable.
", + "smithy.api#examples": [ + { + "title": "To modify a volume attribute", + "documentation": "This example sets the ``autoEnableIo`` attribute of the volume with the ID ``vol-1234567890abcdef0`` to ``true``. If the command succeeds, no output is returned.", + "input": { + "DryRun": true, + "VolumeId": "vol-1234567890abcdef0", + "AutoEnableIO": { + "Value": true + } + }, + "output": {} + } + ] } }, "com.amazonaws.ec2#ModifyVolumeAttributeRequest": { @@ -72920,7 +75074,19 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Modifies the specified attribute of the specified VPC.
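Review bot: The added ModifyVolumeAttribute example passes `"DryRun": true` in `input`, which contradicts its own description. A dry run only checks permissions and returns an error response rather than changing `autoEnableIo`, so "If the command succeeds, no output is returned" does not describe this input. Removing the `"DryRun": true,` line makes the example match its text. This model file appears to be vendored from the service definition, so the correction probably belongs upstream rather than in a local edit.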
" + "smithy.api#documentation": "Modifies the specified attribute of the specified VPC.
", + "smithy.api#examples": [ + { + "title": "To modify the enableDnsSupport attribute", + "documentation": "This example modifies the enableDnsSupport attribute. This attribute indicates whether DNS resolution is enabled for the VPC. If this attribute is true, the Amazon DNS server resolves DNS hostnames for instances in the VPC to their corresponding IP addresses; otherwise, it does not.", + "input": { + "VpcId": "vpc-a01106c2", + "EnableDnsSupport": { + "Value": false + } + } + } + ] } }, "com.amazonaws.ec2#ModifyVpcAttributeRequest": { @@ -73418,7 +75584,7 @@ "target": "com.amazonaws.ec2#ModifyVpcPeeringConnectionOptionsResult" }, "traits": { - "smithy.api#documentation": "We are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nModifies the VPC peering connection options on one side of a VPC peering connection. You can do the following:
\nEnable/disable communication over the peering connection between an EC2-Classic instance that's linked to your VPC (using ClassicLink) and instances in the peer VPC.
\nEnable/disable communication over the peering connection between instances in your VPC and an EC2-Classic instance that's linked to the peer VPC.
\nEnable/disable the ability to resolve public DNS hostnames to private IP\n addresses when queried from instances in the peer VPC.
\nIf the peered VPCs are in the same Amazon Web Services account, you can enable DNS\n resolution for queries from the local VPC. This ensures that queries from the local VPC\n resolve to private IP addresses in the peer VPC. This option is not available if the\n peered VPCs are in different Amazon Web Services accounts or different Regions. For\n peered VPCs in different Amazon Web Services accounts, each Amazon Web Services account\n owner must initiate a separate request to modify the peering connection options. For\n inter-region peering connections, you must use the Region for the requester VPC to\n modify the requester VPC peering options and the Region for the accepter VPC to modify\n the accepter VPC peering options. To verify which VPCs are the accepter and the\n requester for a VPC peering connection, use the DescribeVpcPeeringConnections command.
" + "smithy.api#documentation": "Modifies the VPC peering connection options on one side of a VPC peering connection.
\nIf the peered VPCs are in the same Amazon Web Services account, you can enable DNS\n resolution for queries from the local VPC. This ensures that queries from the local VPC\n resolve to private IP addresses in the peer VPC. This option is not available if the\n peered VPCs are in different Amazon Web Services accounts or different Regions. For\n peered VPCs in different Amazon Web Services accounts, each Amazon Web Services account\n owner must initiate a separate request to modify the peering connection options. For\n inter-region peering connections, you must use the Region for the requester VPC to\n modify the requester VPC peering options and the Region for the accepter VPC to modify\n the accepter VPC peering options. To verify which VPCs are the accepter and the\n requester for a VPC peering connection, use the DescribeVpcPeeringConnections command.
" } }, "com.amazonaws.ec2#ModifyVpcPeeringConnectionOptionsRequest": { @@ -73490,7 +75656,7 @@ "target": "com.amazonaws.ec2#ModifyVpcTenancyResult" }, "traits": { - "smithy.api#documentation": "Modifies the instance tenancy attribute of the specified VPC. You can change the\n instance tenancy attribute of a VPC to default
only. You cannot change the\n instance tenancy attribute to dedicated
.
After you modify the tenancy of the VPC, any new instances that you launch into the\n VPC have a tenancy of default
, unless you specify otherwise during launch.\n The tenancy of any existing instances in the VPC is not affected.
For more information, see Dedicated Instances in the\n\t\t\t\tAmazon Elastic Compute Cloud User Guide.
" + "smithy.api#documentation": "Modifies the instance tenancy attribute of the specified VPC. You can change the\n instance tenancy attribute of a VPC to default
only. You cannot change the\n instance tenancy attribute to dedicated
.
After you modify the tenancy of the VPC, any new instances that you launch into the\n VPC have a tenancy of default
, unless you specify otherwise during launch.\n The tenancy of any existing instances in the VPC is not affected.
For more information, see Dedicated Instances in the\n\t\t\t\tAmazon EC2 User Guide.
" } }, "com.amazonaws.ec2#ModifyVpcTenancyRequest": { @@ -73841,7 +76007,7 @@ } }, "PreSharedKey": { - "target": "com.amazonaws.ec2#String", + "target": "com.amazonaws.ec2#preSharedKey", "traits": { "smithy.api#documentation": "The pre-shared key (PSK) to establish initial authentication between the virtual\n private gateway and the customer gateway.
\nConstraints: Allowed characters are alphanumeric characters, periods (.), and\n underscores (_). Must be between 8 and 64 characters in length and cannot start with\n zero (0).
" } @@ -73971,7 +76137,8 @@ } }, "traits": { - "smithy.api#documentation": "The Amazon Web Services Site-to-Site VPN tunnel options to modify.
" + "smithy.api#documentation": "The Amazon Web Services Site-to-Site VPN tunnel options to modify.
", + "smithy.api#sensitive": {} } }, "com.amazonaws.ec2#MonitorInstances": { @@ -74575,7 +76742,7 @@ "target": "com.amazonaws.ec2#NetworkAclEntryList", "traits": { "aws.protocols#ec2QueryName": "EntrySet", - "smithy.api#documentation": "One or more entries (rules) in the network ACL.
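Review bot: `smithy.api#sensitive` is added here on the tunnel-options structure, but the previous hunk retargets `PreSharedKey` to `com.amazonaws.ec2#preSharedKey`, whose definition lies outside both hunks. It is therefore not visible whether the key shape itself is marked sensitive. If it is not, any other structure that carries a PSK member without a sensitive container could still expose the key in debug or log output. It is worth confirming that the `preSharedKey` shape carries `"smithy.api#sensitive": {}` and that the response-side tunnel option members target it as well.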
", + "smithy.api#documentation": "The entries (rules) in the network ACL.
", "smithy.api#xmlName": "entrySet" } }, @@ -74857,6 +77024,22 @@ "smithy.api#documentation": "The maximum number of network interfaces for the network card.
", "smithy.api#xmlName": "maximumNetworkInterfaces" } + }, + "BaselineBandwidthInGbps": { + "target": "com.amazonaws.ec2#BaselineBandwidthInGbps", + "traits": { + "aws.protocols#ec2QueryName": "BaselineBandwidthInGbps", + "smithy.api#documentation": "The baseline network performance of the network card, in Gbps.
", + "smithy.api#xmlName": "baselineBandwidthInGbps" + } + }, + "PeakBandwidthInGbps": { + "target": "com.amazonaws.ec2#PeakBandwidthInGbps", + "traits": { + "aws.protocols#ec2QueryName": "PeakBandwidthInGbps", + "smithy.api#documentation": "The peak (burst) network performance of the network card, in Gbps.
", + "smithy.api#xmlName": "peakBandwidthInGbps" + } } }, "traits": { @@ -76057,6 +78240,16 @@ "smithy.api#documentation": "The IPv6 address.
", "smithy.api#xmlName": "ipv6Address" } + }, + "IsPrimaryIpv6": { + "target": "com.amazonaws.ec2#Boolean", + "traits": { + "aws.protocols#ec2QueryName": "IsPrimaryIpv6", + "smithy.api#clientOptional": {}, + "smithy.api#default": false, + "smithy.api#documentation": "Determines if an IPv6 address associated with a network interface is the primary IPv6 address. When you enable an IPv6 GUA address to be a primary IPv6, the first IPv6 GUA will be made the primary IPv6 address until the instance is terminated or the network interface is detached. For more information, see ModifyNetworkInterfaceAttribute.
", + "smithy.api#xmlName": "isPrimaryIpv6" + } } }, "traits": { @@ -76418,7 +78611,7 @@ "Values": { "target": "com.amazonaws.ec2#ValueStringList", "traits": { - "smithy.api#documentation": "One or more values for the DHCP option.
", + "smithy.api#documentation": "The values for the DHCP option.
", "smithy.api#xmlName": "Value" } } @@ -76439,6 +78632,68 @@ "com.amazonaws.ec2#NextToken": { "type": "string" }, + "com.amazonaws.ec2#NitroEnclavesSupport": { + "type": "enum", + "members": { + "UNSUPPORTED": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "unsupported" + } + }, + "SUPPORTED": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "supported" + } + } + } + }, + "com.amazonaws.ec2#NitroTpmInfo": { + "type": "structure", + "members": { + "SupportedVersions": { + "target": "com.amazonaws.ec2#NitroTpmSupportedVersionsList", + "traits": { + "aws.protocols#ec2QueryName": "SupportedVersions", + "smithy.api#documentation": "Indicates the supported NitroTPM versions.
", + "smithy.api#xmlName": "supportedVersions" + } + } + }, + "traits": { + "smithy.api#documentation": "Describes the supported NitroTPM versions for the instance type.
" + } + }, + "com.amazonaws.ec2#NitroTpmSupport": { + "type": "enum", + "members": { + "UNSUPPORTED": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "unsupported" + } + }, + "SUPPORTED": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "supported" + } + } + } + }, + "com.amazonaws.ec2#NitroTpmSupportedVersionType": { + "type": "string" + }, + "com.amazonaws.ec2#NitroTpmSupportedVersionsList": { + "type": "list", + "member": { + "target": "com.amazonaws.ec2#NitroTpmSupportedVersionType", + "traits": { + "smithy.api#xmlName": "item" + } + } + }, "com.amazonaws.ec2#OccurrenceDayRequestSet": { "type": "list", "member": { @@ -77272,6 +79527,9 @@ "smithy.api#documentation": "Describes the data that identifies an Amazon FPGA image (AFI) on the PCI bus.
" } }, + "com.amazonaws.ec2#PeakBandwidthInGbps": { + "type": "double" + }, "com.amazonaws.ec2#PeeringAttachmentStatus": { "type": "structure", "members": { @@ -77315,7 +79573,7 @@ "aws.protocols#ec2QueryName": "AllowEgressFromLocalClassicLinkToRemoteVpc", "smithy.api#clientOptional": {}, "smithy.api#default": false, - "smithy.api#documentation": "If true, enables outbound communication from an EC2-Classic instance that's linked to\n a local VPC using ClassicLink to instances in a peer VPC.
", + "smithy.api#documentation": "Deprecated.
", "smithy.api#xmlName": "allowEgressFromLocalClassicLinkToRemoteVpc" } }, @@ -77325,13 +79583,13 @@ "aws.protocols#ec2QueryName": "AllowEgressFromLocalVpcToRemoteClassicLink", "smithy.api#clientOptional": {}, "smithy.api#default": false, - "smithy.api#documentation": "If true, enables outbound communication from instances in a local VPC to an\n EC2-Classic instance that's linked to a peer VPC using ClassicLink.
", + "smithy.api#documentation": "Deprecated.
", "smithy.api#xmlName": "allowEgressFromLocalVpcToRemoteClassicLink" } } }, "traits": { - "smithy.api#documentation": "We are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nDescribes the VPC peering connection options.
" + "smithy.api#documentation": "Describes the VPC peering connection options.
" } }, "com.amazonaws.ec2#PeeringConnectionOptionsRequest": { @@ -77342,7 +79600,7 @@ "traits": { "smithy.api#clientOptional": {}, "smithy.api#default": false, - "smithy.api#documentation": "If true, enables a local VPC to resolve public DNS hostnames to private IP addresses when queried from instances in the peer VPC.
" + "smithy.api#documentation": "If true, enables a local VPC to resolve public DNS hostnames to private IP addresses \n when queried from instances in the peer VPC.
" } }, "AllowEgressFromLocalClassicLinkToRemoteVpc": { @@ -77350,7 +79608,7 @@ "traits": { "smithy.api#clientOptional": {}, "smithy.api#default": false, - "smithy.api#documentation": "If true, enables outbound communication from an EC2-Classic instance that's linked to\n a local VPC using ClassicLink to instances in a peer VPC.
" + "smithy.api#documentation": "Deprecated.
" } }, "AllowEgressFromLocalVpcToRemoteClassicLink": { @@ -77358,12 +79616,12 @@ "traits": { "smithy.api#clientOptional": {}, "smithy.api#default": false, - "smithy.api#documentation": "If true, enables outbound communication from instances in a local VPC to an\n EC2-Classic instance that's linked to a peer VPC using ClassicLink.
" + "smithy.api#documentation": "Deprecated.
" } } }, "traits": { - "smithy.api#documentation": "We are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nThe VPC peering connection options.
" + "smithy.api#documentation": "The VPC peering connection options.
" } }, "com.amazonaws.ec2#PeeringTgwInfo": { @@ -77913,7 +80171,7 @@ "com.amazonaws.ec2#PlacementGroupArn": { "type": "string", "traits": { - "smithy.api#pattern": "^arn:aws([a-z-]+)?:ec2:[a-z\\d-]+:\\d{12}:placement-group/([^\\s].+[^\\s]){1,255}$" + "smithy.api#pattern": "^arn:aws([a-z-]+)?:ec2:[a-z\\d-]+:\\d{12}:placement-group/^.{1,255}$" } }, "com.amazonaws.ec2#PlacementGroupId": { @@ -78877,7 +81135,7 @@ "target": "com.amazonaws.ec2#SupportedAdditionalProcessorFeatureList", "traits": { "aws.protocols#ec2QueryName": "SupportedFeatures", - "smithy.api#documentation": "Indicates whether the instance type supports AMD SEV-SNP. If the request returns \n amd-sev-snp
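Review bot: The new `smithy.api#pattern` for `PlacementGroupArn` has a second `^` directly after `placement-group/`. A start anchor in the middle of the expression cannot match under ordinary (non-multiline) regex semantics, so a consumer that enforces the pattern would reject every placement group ARN. The intended form is presumably `"smithy.api#pattern": "^arn:aws([a-z-]+)?:ec2:[a-z\\d-]+:\\d{12}:placement-group/.{1,255}$"`. Whether the generated client enforces patterns is not visible in this hunk; since the file appears to be a vendored service model, the fix likely needs to go upstream.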
, AMD SEV-SNP is supported. Otherwise, it is not supported.
Indicates whether the instance type supports AMD SEV-SNP. If the request returns \n amd-sev-snp
, AMD SEV-SNP is supported. Otherwise, it is not supported. \n For more information, see \n AMD SEV-SNP.
Requests a reboot of the specified instances. This operation is asynchronous; it only\n queues a request to reboot the specified instances. The operation succeeds if the\n instances are valid and belong to you. Requests to reboot terminated instances are\n ignored.
\nIf an instance does not cleanly shut down within a few minutes, Amazon EC2 performs a\n hard reboot.
\nFor more information about troubleshooting, see Troubleshoot an unreachable\n instance in the Amazon EC2 User Guide.
" + "smithy.api#documentation": "Requests a reboot of the specified instances. This operation is asynchronous; it only\n queues a request to reboot the specified instances. The operation succeeds if the\n instances are valid and belong to you. Requests to reboot terminated instances are\n ignored.
\nIf an instance does not cleanly shut down within a few minutes, Amazon EC2 performs a\n hard reboot.
\nFor more information about troubleshooting, see Troubleshoot an unreachable\n instance in the Amazon EC2 User Guide.
", + "smithy.api#examples": [ + { + "title": "To reboot an EC2 instance", + "documentation": "This example reboots the specified EC2 instance.", + "input": { + "InstanceIds": [ + "i-1234567890abcdef5" + ] + }, + "output": {} + } + ] } }, "com.amazonaws.ec2#RebootInstancesRequest": { @@ -80795,7 +83065,16 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Releases the specified Elastic IP address.
\n[Default VPC] Releasing an Elastic IP address automatically disassociates it\n\t\t\t\tfrom any instance that it's associated with. To disassociate an Elastic IP address without\n\t\t\t\treleasing it, use DisassociateAddress.
\n[Nondefault VPC] You must use DisassociateAddress to disassociate the Elastic IP address\n\t\t\t before you can release it. Otherwise, Amazon EC2 returns an error (InvalidIPAddress.InUse
).
After releasing an Elastic IP address, it is released to the IP address pool. \n Be sure to update your DNS records and any servers or devices that communicate with the address. \n If you attempt to release an Elastic IP address that you already released, you'll get an\n AuthFailure
error if the address is already allocated to another Amazon Web Services account.
After you release an Elastic IP address, you might be able to recover it.\n For more information, see AllocateAddress.
" + "smithy.api#documentation": "Releases the specified Elastic IP address.
\n[Default VPC] Releasing an Elastic IP address automatically disassociates it\n\t\t\t\tfrom any instance that it's associated with. To disassociate an Elastic IP address without\n\t\t\t\treleasing it, use DisassociateAddress.
\n[Nondefault VPC] You must use DisassociateAddress to disassociate the Elastic IP address\n\t\t\t before you can release it. Otherwise, Amazon EC2 returns an error (InvalidIPAddress.InUse
).
After releasing an Elastic IP address, it is released to the IP address pool. \n Be sure to update your DNS records and any servers or devices that communicate with the address. \n If you attempt to release an Elastic IP address that you already released, you'll get an\n AuthFailure
error if the address is already allocated to another Amazon Web Services account.
After you release an Elastic IP address, you might be able to recover it.\n For more information, see AllocateAddress.
", + "smithy.api#examples": [ + { + "title": "To release an Elastic IP address", + "documentation": "This example releases the specified Elastic IP address.", + "input": { + "AllocationId": "eipalloc-64d5890a" + } + } + ] } }, "com.amazonaws.ec2#ReleaseAddressRequest": { @@ -80897,7 +83176,7 @@ "target": "com.amazonaws.ec2#ReleaseIpamPoolAllocationResult" }, "traits": { - "smithy.api#documentation": "Release an allocation within an IPAM pool. The Region you use should be the IPAM pool locale. The locale is the Amazon Web Services Region where this IPAM pool is available for allocations. You can only use this action to release manual allocations. To remove an allocation for a resource without deleting the resource, set its monitored state to false using ModifyIpamResourceCidr. For more information, see Release an allocation in the Amazon VPC IPAM User Guide.\n
\nAll EC2 API actions follow an eventual consistency model.
\nRelease an allocation within an IPAM pool. The Region you use should be the IPAM pool locale. The locale is the Amazon Web Services Region where this IPAM pool is available for allocations. You can only use this action to release manual allocations. To remove an allocation for a resource without deleting the resource, set its monitored state to false using ModifyIpamResourceCidr. For more information, see Release an allocation in the Amazon VPC IPAM User Guide.\n
\nAll EC2 API actions follow an eventual consistency model.
\nChanges which network ACL a subnet is associated with. By default when you create a\n\t\t\tsubnet, it's automatically associated with the default network ACL. For more\n\t\t\tinformation, see Network\n\t\t\tACLs in the Amazon Virtual Private Cloud User Guide.
\nThis is an idempotent operation.
" + "smithy.api#documentation": "Changes which network ACL a subnet is associated with. By default when you create a\n\t\t\tsubnet, it's automatically associated with the default network ACL. For more\n\t\t\tinformation, see Network ACLs in the Amazon VPC User Guide.
\nThis is an idempotent operation.
" } }, "com.amazonaws.ec2#ReplaceNetworkAclAssociationRequest": { @@ -81139,7 +83418,7 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Replaces an entry (rule) in a network ACL. For more information, see Network ACLs in the\n\t\t\t\tAmazon Virtual Private Cloud User Guide.
" + "smithy.api#documentation": "Replaces an entry (rule) in a network ACL. For more information, see Network ACLs in the\n\t\t\t\tAmazon VPC User Guide.
" } }, "com.amazonaws.ec2#ReplaceNetworkAclEntryRequest": { @@ -81396,7 +83675,7 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Replaces an existing route within a route table in a VPC.
\nYou must specify either a destination CIDR block or a prefix list ID. You must also specify \n exactly one of the resources from the parameter list, or reset the local route to its default \n target.
\nFor more information, see Route tables in the\n Amazon Virtual Private Cloud User Guide.
" + "smithy.api#documentation": "Replaces an existing route within a route table in a VPC.
\nYou must specify either a destination CIDR block or a prefix list ID. You must also specify \n exactly one of the resources from the parameter list, or reset the local route to its default \n target.
\nFor more information, see Route tables in the\n Amazon VPC User Guide.
" } }, "com.amazonaws.ec2#ReplaceRouteRequest": { @@ -81544,7 +83823,7 @@ "target": "com.amazonaws.ec2#ReplaceRouteTableAssociationResult" }, "traits": { - "smithy.api#documentation": "Changes the route table associated with a given subnet, internet gateway, or virtual private gateway in a VPC. After the operation\n completes, the subnet or gateway uses the routes in the new route table. For more\n information about route tables, see Route\n tables in the Amazon Virtual Private Cloud User Guide.
\nYou can also use this operation to change which table is the main route table in the VPC. Specify the main route table's association ID and the route table ID of the new main route table.
" + "smithy.api#documentation": "Changes the route table associated with a given subnet, internet gateway, or virtual private gateway in a VPC. After the operation\n completes, the subnet or gateway uses the routes in the new route table. For more\n information about route tables, see Route\n tables in the Amazon VPC User Guide.
\nYou can also use this operation to change which table is the main route table in the VPC. Specify the main route table's association ID and the route table ID of the new main route table.
" } }, "com.amazonaws.ec2#ReplaceRouteTableAssociationRequest": { @@ -82193,7 +84472,7 @@ "InstanceRequirements": { "target": "com.amazonaws.ec2#InstanceRequirementsRequest", "traits": { - "smithy.api#documentation": "The attributes for the instance types. When you specify instance attributes, Amazon EC2 will\n identify instance types with these attributes.
\nIf you specify InstanceRequirements
, you can't specify\n InstanceType
.
The attributes for the instance types. When you specify instance attributes, Amazon EC2 will\n identify instance types with these attributes.
\nYou must specify VCpuCount
and MemoryMiB
. All other attributes\n are optional. Any unspecified optional attribute is set to its default.
When you specify multiple attributes, you get instance types that satisfy all of the\n specified attributes. If you specify multiple values for an attribute, you get instance\n types that satisfy any of the specified values.
\nTo limit the list of instance types from which Amazon EC2 can identify matching instance types, \n you can use one of the following parameters, but not both in the same request:
\n\n AllowedInstanceTypes
- The instance types to include in the list. All \n other instance types are ignored, even if they match your specified attributes.
\n ExcludedInstanceTypes
- The instance types to exclude from the list, \n even if they match your specified attributes.
If you specify InstanceRequirements
, you can't specify\n InstanceType
.
Attribute-based instance type selection is only supported when using Auto Scaling\n groups, EC2 Fleet, and Spot Fleet to launch instances. If you plan to use the launch template in\n the launch instance\n wizard, or with the RunInstances API or\n AWS::EC2::Instance Amazon Web Services CloudFormation resource, you can't specify InstanceRequirements
.
For more information, see Attribute-based instance type selection for EC2 Fleet, Attribute-based instance type selection for Spot Fleet, and Spot\n placement score in the Amazon EC2 User Guide.
" } }, "PrivateDnsNameOptions": { @@ -82288,7 +84567,32 @@ "target": "com.amazonaws.ec2#RequestSpotInstancesResult" }, "traits": { - "smithy.api#documentation": "Creates a Spot Instance request.
\nFor more information, see Spot Instance requests in\n the Amazon EC2 User Guide for Linux Instances.
\nWe strongly discourage using the RequestSpotInstances API because it is a legacy\n API with no planned investment. For options for requesting Spot Instances, see\n Which\n is the best Spot request method to use? in the\n Amazon EC2 User Guide for Linux Instances.
\nCreates a Spot Instance request.
\nFor more information, see Spot Instance requests in\n the Amazon EC2 User Guide for Linux Instances.
\nWe strongly discourage using the RequestSpotInstances API because it is a legacy\n API with no planned investment. For options for requesting Spot Instances, see\n Which\n is the best Spot request method to use? in the\n Amazon EC2 User Guide for Linux Instances.
\nResets an attribute of an AMI to its default value.
" + "smithy.api#documentation": "Resets an attribute of an AMI to its default value.
", + "smithy.api#examples": [ + { + "title": "To reset the launchPermission attribute", + "documentation": "This example resets the launchPermission attribute for the specified AMI. By default, AMIs are private.", + "input": { + "Attribute": "launchPermission", + "ImageId": "ami-5731123e" + }, + "output": {} + } + ] } }, "com.amazonaws.ec2#ResetImageAttributeName": { @@ -83854,7 +86169,18 @@ "target": "smithy.api#Unit" }, "traits": { - "smithy.api#documentation": "Resets permission settings for the specified snapshot.
\nFor more information about modifying snapshot permissions, see Share a snapshot in the\n Amazon Elastic Compute Cloud User Guide.
" + "smithy.api#documentation": "Resets permission settings for the specified snapshot.
\nFor more information about modifying snapshot permissions, see Share a snapshot in the\n Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#examples": [ + { + "title": "To reset a snapshot attribute", + "documentation": "This example resets the create volume permissions for snapshot ``snap-1234567890abcdef0``. If the command succeeds, no output is returned.", + "input": { + "SnapshotId": "snap-1234567890abcdef0", + "Attribute": "createVolumePermission" + }, + "output": {} + } + ] } }, "com.amazonaws.ec2#ResetSnapshotAttributeRequest": { @@ -85102,6 +87428,14 @@ "smithy.api#documentation": "The size of the volume, in GiB.
", "smithy.api#xmlName": "volumeSize" } + }, + "SseType": { + "target": "com.amazonaws.ec2#SSEType", + "traits": { + "aws.protocols#ec2QueryName": "SseType", + "smithy.api#documentation": "Reserved for future use.
", + "smithy.api#xmlName": "sseType" + } } }, "traits": { @@ -85298,7 +87632,7 @@ "target": "com.amazonaws.ec2#RevokeSecurityGroupEgressResult" }, "traits": { - "smithy.api#documentation": "[VPC only] Removes the specified outbound (egress) rules from a security group for EC2-VPC.\n This action does not apply to security groups for use in EC2-Classic.
\nYou can specify rules using either rule IDs or security group rule properties. If you use\n rule properties, the values that you specify (for example, ports) must match the existing rule's \n values exactly. Each rule has a protocol, from and to ports, and destination (CIDR range, \n security group, or prefix list). For the TCP and UDP protocols, you must also specify the \n destination port or range of ports. For the ICMP protocol, you must also specify the ICMP type \n and code. If the security group rule has a description, you do not need to specify the description \n to revoke the rule.
\n[Default VPC] If the values you specify do not match the existing rule's values, no error is\n returned, and the output describes the security group rules that were not revoked.
\nAmazon Web Services recommends that you describe the security group to verify that the rules were removed.
\nRule changes are propagated to instances within the security group as quickly as possible. However, \n a small delay might occur.
" + "smithy.api#documentation": "Removes the specified outbound (egress) rules from the specified security group.
\nYou can specify rules using either rule IDs or security group rule properties. If you use\n rule properties, the values that you specify (for example, ports) must match the existing rule's \n values exactly. Each rule has a protocol, from and to ports, and destination (CIDR range, \n security group, or prefix list). For the TCP and UDP protocols, you must also specify the \n destination port or range of ports. For the ICMP protocol, you must also specify the ICMP type \n and code. If the security group rule has a description, you do not need to specify the description \n to revoke the rule.
\nFor a default VPC, if the values you specify do not match the existing rule's values, no error is\n returned, and the output describes the security group rules that were not revoked.
\nAmazon Web Services recommends that you describe the security group to verify that the rules were removed.
\nRule changes are propagated to instances within the security group as quickly as possible. However, \n a small delay might occur.
" } }, "com.amazonaws.ec2#RevokeSecurityGroupEgressRequest": { @@ -85431,7 +87765,7 @@ "target": "com.amazonaws.ec2#RevokeSecurityGroupIngressResult" }, "traits": { - "smithy.api#documentation": "Removes the specified inbound (ingress) rules from a security group.
\nYou can specify rules using either rule IDs or security group rule properties. If you use\n rule properties, the values that you specify (for example, ports) must match the existing rule's \n values exactly. Each rule has a protocol, from and to ports, and source (CIDR range, \n security group, or prefix list). For the TCP and UDP protocols, you must also specify the \n destination port or range of ports. For the ICMP protocol, you must also specify the ICMP type \n and code. If the security group rule has a description, you do not need to specify the description \n to revoke the rule.
\n[EC2-Classic, default VPC] If the values you specify do not match the existing rule's values, no error is\n returned, and the output describes the security group rules that were not revoked.
\nAmazon Web Services recommends that you describe the security group to verify that the rules were removed.
\nRule changes are propagated to instances within the security group as quickly as possible. However, a small delay might occur.
\nWe are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nRemoves the specified inbound (ingress) rules from a security group.
\nYou can specify rules using either rule IDs or security group rule properties. If you use\n rule properties, the values that you specify (for example, ports) must match the existing rule's \n values exactly. Each rule has a protocol, from and to ports, and source (CIDR range, \n security group, or prefix list). For the TCP and UDP protocols, you must also specify the \n destination port or range of ports. For the ICMP protocol, you must also specify the ICMP type \n and code. If the security group rule has a description, you do not need to specify the description \n to revoke the rule.
\nFor a default VPC, if the values you specify do not match the existing rule's values, no error is\n returned, and the output describes the security group rules that were not revoked.
\nAmazon Web Services recommends that you describe the security group to verify that the rules were removed.
\nRule changes are propagated to instances within the security group as quickly as possible. \n However, a small delay might occur.
" } }, "com.amazonaws.ec2#RevokeSecurityGroupIngressRequest": { @@ -85454,13 +87788,13 @@ "GroupId": { "target": "com.amazonaws.ec2#SecurityGroupId", "traits": { - "smithy.api#documentation": "The ID of the security group. You must specify either the security group ID or the\n security group name in the request. For security groups in a nondefault VPC, you must\n specify the security group ID.
" + "smithy.api#documentation": "The ID of the security group.
" } }, "GroupName": { "target": "com.amazonaws.ec2#SecurityGroupName", "traits": { - "smithy.api#documentation": "[EC2-Classic, default VPC] The name of the security group. You must specify either the\n security group ID or the security group name in the request. For security groups in a\n nondefault VPC, you must specify the security group ID.
" + "smithy.api#documentation": "[Default VPC] The name of the security group. You must specify either the\n security group ID or the security group name in the request. For security groups in a\n nondefault VPC, you must specify the security group ID.
" } }, "IpPermissions": { @@ -85478,13 +87812,13 @@ "SourceSecurityGroupName": { "target": "com.amazonaws.ec2#String", "traits": { - "smithy.api#documentation": "[EC2-Classic, default VPC] The name of the source security group. You can't specify this parameter in combination with the following parameters: the CIDR IP address range, the start of the port range, the IP protocol, and the end of the port range. For EC2-VPC, the source security group must be in the same VPC. To revoke a specific rule for an IP protocol and port range, use a set of IP permissions instead.
" + "smithy.api#documentation": "[Default VPC] The name of the source security group. You can't specify this parameter \n in combination with the following parameters: the CIDR IP address range, the start of the port range, \n the IP protocol, and the end of the port range. The source security group must be in the same VPC. \n To revoke a specific rule for an IP protocol and port range, use a set of IP permissions instead.
" } }, "SourceSecurityGroupOwnerId": { "target": "com.amazonaws.ec2#String", "traits": { - "smithy.api#documentation": "[EC2-Classic] The Amazon Web Services account ID of the source security group, if the source security group is in a different account. You can't specify this parameter in combination with the following parameters: the CIDR IP address range, the IP protocol, the start of the port range, and the end of the port range. To revoke a specific rule for an IP protocol and port range, use a set of IP permissions instead.
" + "smithy.api#documentation": "Not supported.
" } }, "ToPort": { @@ -86099,7 +88433,44 @@ "target": "com.amazonaws.ec2#Reservation" }, "traits": { - "smithy.api#documentation": "Launches the specified number of instances using an AMI for which you have\n permissions.
\nYou can specify a number of options, or leave the default options. The following rules\n apply:
\nIf you don't specify a subnet ID, we choose a default subnet from\n your default VPC for you. If you don't have a default VPC, you must specify a\n subnet ID in the request.
\nAll instances have a network interface with a primary private IPv4\n address. If you don't specify this address, we choose one from the IPv4 range of\n your subnet.
\nNot all instance types support IPv6 addresses. For more information, see\n Instance\n types.
\nIf you don't specify a security group ID, we use the default security group.\n For more information, see Security\n groups.
\nIf any of the AMIs have a product code attached for which the user has not\n subscribed, the request fails.
\nYou can create a launch template,\n which is a resource that contains the parameters to launch an instance. When you launch\n an instance using RunInstances, you can specify the launch template\n instead of specifying the launch parameters.
\nTo ensure faster instance launches, break up large requests into smaller batches. For\n example, create five separate launch requests for 100 instances each instead of one\n launch request for 500 instances.
\nAn instance is ready for you to use when it's in the running
state. You\n can check the state of your instance using DescribeInstances. You can\n tag instances and EBS volumes during launch, after launch, or both. For more\n information, see CreateTags and Tagging your Amazon EC2\n resources.
Linux instances have access to the public key of the key pair at boot. You can use\n this key to provide secure access to the instance. Amazon EC2 public images use this\n feature to provide secure access without passwords. For more information, see Key\n pairs.
\nFor troubleshooting, see What to do if\n an instance immediately terminates, and Troubleshooting connecting to your instance.
" + "smithy.api#documentation": "Launches the specified number of instances using an AMI for which you have\n permissions.
\nYou can specify a number of options, or leave the default options. The following rules\n apply:
\nIf you don't specify a subnet ID, we choose a default subnet from\n your default VPC for you. If you don't have a default VPC, you must specify a\n subnet ID in the request.
\nAll instances have a network interface with a primary private IPv4\n address. If you don't specify this address, we choose one from the IPv4 range of\n your subnet.
\nNot all instance types support IPv6 addresses. For more information, see\n Instance\n types.
\nIf you don't specify a security group ID, we use the default security group.\n For more information, see Security\n groups.
\nIf any of the AMIs have a product code attached for which the user has not\n subscribed, the request fails.
\nYou can create a launch template,\n which is a resource that contains the parameters to launch an instance. When you launch\n an instance using RunInstances, you can specify the launch template\n instead of specifying the launch parameters.
\nTo ensure faster instance launches, break up large requests into smaller batches. For\n example, create five separate launch requests for 100 instances each instead of one\n launch request for 500 instances.
\nAn instance is ready for you to use when it's in the running
state. You\n can check the state of your instance using DescribeInstances. You can\n tag instances and EBS volumes during launch, after launch, or both. For more\n information, see CreateTags and Tagging your Amazon EC2\n resources.
Linux instances have access to the public key of the key pair at boot. You can use\n this key to provide secure access to the instance. Amazon EC2 public images use this\n feature to provide secure access without passwords. For more information, see Key\n pairs.
\nFor troubleshooting, see What to do if\n an instance immediately terminates, and Troubleshooting connecting to your instance.
", + "smithy.api#examples": [ + { + "title": "To launch an instance", + "documentation": "This example launches an instance using the specified AMI, instance type, security group, subnet, block device mapping, and tags.", + "input": { + "BlockDeviceMappings": [ + { + "DeviceName": "/dev/sdh", + "Ebs": { + "VolumeSize": 100 + } + } + ], + "ImageId": "ami-abc12345", + "InstanceType": "t2.micro", + "KeyName": "my-key-pair", + "MaxCount": 1, + "MinCount": 1, + "SecurityGroupIds": [ + "sg-1a2b3c4d" + ], + "SubnetId": "subnet-6e7f829e", + "TagSpecifications": [ + { + "ResourceType": "instance", + "Tags": [ + { + "Key": "Purpose", + "Value": "test" + } + ] + } + ] + }, + "output": {} + } + ] } }, "com.amazonaws.ec2#RunInstancesMonitoringEnabled": { @@ -86140,7 +88511,7 @@ "InstanceType": { "target": "com.amazonaws.ec2#InstanceType", "traits": { - "smithy.api#documentation": "The instance type. For more information, see Instance types in the\n Amazon EC2 User Guide.
\nDefault: m1.small
\n
The instance type. For more information, see Instance types in the\n Amazon EC2 User Guide.
" } }, "Ipv6AddressCount": { @@ -86364,7 +88735,7 @@ "HibernationOptions": { "target": "com.amazonaws.ec2#HibernationOptionsRequest", "traits": { - "smithy.api#documentation": "Indicates whether an instance is enabled for hibernation. For more information, see\n Hibernate\n your instance in the Amazon EC2 User Guide.
\nYou can't enable hibernation and Amazon Web Services Nitro Enclaves on the same\n instance.
" + "smithy.api#documentation": "Indicates whether an instance is enabled for hibernation. This parameter is valid only\n if the instance meets the hibernation\n prerequisites. For more information, see Hibernate your instance in the\n Amazon EC2 User Guide.
\nYou can't enable hibernation and Amazon Web Services Nitro Enclaves on the same\n instance.
" } }, "LicenseSpecifications": { @@ -86383,13 +88754,13 @@ "EnclaveOptions": { "target": "com.amazonaws.ec2#EnclaveOptionsRequest", "traits": { - "smithy.api#documentation": "Indicates whether the instance is enabled for Amazon Web Services Nitro Enclaves. For\n more information, see What is Amazon Web Services Nitro\n Enclaves? in the Amazon Web Services Nitro Enclaves User\n Guide.
\nYou can't enable Amazon Web Services Nitro Enclaves and hibernation on the same\n instance.
" + "smithy.api#documentation": "Indicates whether the instance is enabled for Amazon Web Services Nitro Enclaves. For\n more information, see What is Amazon Web Services Nitro\n Enclaves? in the Amazon Web Services Nitro Enclaves User\n Guide.
\nYou can't enable Amazon Web Services Nitro Enclaves and hibernation on the same\n instance.
" } }, "PrivateDnsNameOptions": { "target": "com.amazonaws.ec2#PrivateDnsNameOptionsRequest", "traits": { - "smithy.api#documentation": "The options for the instance hostname. The default values are inherited from the\n subnet.
" + "smithy.api#documentation": "The options for the instance hostname. \n The default values are inherited from the subnet.\n Applies only if creating a network interface, not attaching an existing one.
" } }, "MaintenanceOptions": { @@ -86405,6 +88776,14 @@ "smithy.api#default": false, "smithy.api#documentation": "Indicates whether an instance is enabled for stop protection. For more information,\n see Stop\n protection.
" } + }, + "EnablePrimaryIpv6": { + "target": "com.amazonaws.ec2#Boolean", + "traits": { + "smithy.api#clientOptional": {}, + "smithy.api#default": false, + "smithy.api#documentation": "If you’re launching an instance into a dual-stack or IPv6-only subnet, you can enable\n assigning a primary IPv6 address. A primary IPv6 address is an IPv6 GUA address\n associated with an ENI that you have enabled to use a primary IPv6 address. Use this\n option if an instance relies on its IPv6 address not changing. When you launch the\n instance, Amazon Web Services will automatically assign an IPv6 address associated with\n the ENI attached to your instance to be the primary IPv6 address. Once you enable an\n IPv6 GUA address to be a primary IPv6, you cannot disable it. When you enable an IPv6\n GUA address to be a primary IPv6, the first IPv6 GUA will be made the primary IPv6\n address until the instance is terminated or the network interface is detached. If you\n have multiple IPv6 addresses associated with an ENI attached to your instance and you\n enable a primary IPv6 address, the first IPv6 GUA address associated with the ENI\n becomes the primary IPv6 address.
" + } } }, "traits": { @@ -86569,6 +88948,29 @@ "smithy.api#documentation": "Describes the storage parameters for Amazon S3 and Amazon S3 buckets for an instance store-backed AMI.
" } }, + "com.amazonaws.ec2#SSEType": { + "type": "enum", + "members": { + "sse_ebs": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "sse-ebs" + } + }, + "sse_kms": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "sse-kms" + } + }, + "none": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "none" + } + } + } + }, "com.amazonaws.ec2#ScheduledInstance": { "type": "structure", "members": { @@ -87653,7 +90055,7 @@ "target": "com.amazonaws.ec2#IpPermissionList", "traits": { "aws.protocols#ec2QueryName": "IpPermissionsEgress", - "smithy.api#documentation": "[VPC only] The outbound rules associated with the security group.
", + "smithy.api#documentation": "The outbound rules associated with the security group.
", "smithy.api#xmlName": "ipPermissionsEgress" } }, @@ -87669,7 +90071,7 @@ "target": "com.amazonaws.ec2#String", "traits": { "aws.protocols#ec2QueryName": "VpcId", - "smithy.api#documentation": "[VPC only] The ID of the VPC for the security group.
", + "smithy.api#documentation": "The ID of the VPC for the security group.
", "smithy.api#xmlName": "vpcId" } } @@ -88720,6 +91122,14 @@ "smithy.api#documentation": "Only for archived snapshots that are temporarily restored. Indicates the date and \n time when a temporarily restored snapshot will be automatically re-archived.
", "smithy.api#xmlName": "restoreExpiryTime" } + }, + "SseType": { + "target": "com.amazonaws.ec2#SSEType", + "traits": { + "aws.protocols#ec2QueryName": "SseType", + "smithy.api#documentation": "Reserved for future use.
", + "smithy.api#xmlName": "sseType" + } } }, "traits": { @@ -88980,6 +91390,14 @@ "smithy.api#documentation": "The ARN of the Outpost on which the snapshot is stored. For more information, see Amazon EBS local snapshots on Outposts in the \n \t\tAmazon Elastic Compute Cloud User Guide.
", "smithy.api#xmlName": "outpostArn" } + }, + "SseType": { + "target": "com.amazonaws.ec2#SSEType", + "traits": { + "aws.protocols#ec2QueryName": "SseType", + "smithy.api#documentation": "Reserved for future use.
", + "smithy.api#xmlName": "sseType" + } } }, "traits": { @@ -90173,6 +92591,12 @@ "traits": { "smithy.api#enumValue": "failed" } + }, + "disabled": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "disabled" + } } } }, @@ -90761,7 +93185,33 @@ "target": "com.amazonaws.ec2#StartInstancesResult" }, "traits": { - "smithy.api#documentation": "Starts an Amazon EBS-backed instance that you've previously stopped.
\nInstances that use Amazon EBS volumes as their root devices can be quickly stopped and\n started. When an instance is stopped, the compute resources are released and you are not\n billed for instance usage. However, your root partition Amazon EBS volume remains and\n continues to persist your data, and you are charged for Amazon EBS volume usage. You can\n restart your instance at any time. Every time you start your instance, Amazon EC2\n charges a one-minute minimum for instance usage, and thereafter charges per second for\n instance usage.
\nBefore stopping an instance, make sure it is in a state from which it can be\n restarted. Stopping an instance does not preserve data stored in RAM.
\nPerforming this operation on an instance that uses an instance store as its root\n device returns an error.
\nIf you attempt to start a T3 instance with host
tenancy and the\n unlimted
CPU credit option, the request fails. The\n unlimited
CPU credit option is not supported on Dedicated Hosts. Before\n you start the instance, either change its CPU credit option to standard
, or\n change its tenancy to default
or dedicated
.
For more information, see Stop and start your instance\n in the Amazon EC2 User Guide.
" + "smithy.api#documentation": "Starts an Amazon EBS-backed instance that you've previously stopped.
\nInstances that use Amazon EBS volumes as their root devices can be quickly stopped and\n started. When an instance is stopped, the compute resources are released and you are not\n billed for instance usage. However, your root partition Amazon EBS volume remains and\n continues to persist your data, and you are charged for Amazon EBS volume usage. You can\n restart your instance at any time. Every time you start your instance, Amazon EC2\n charges a one-minute minimum for instance usage, and thereafter charges per second for\n instance usage.
\nBefore stopping an instance, make sure it is in a state from which it can be\n restarted. Stopping an instance does not preserve data stored in RAM.
\nPerforming this operation on an instance that uses an instance store as its root\n device returns an error.
\nIf you attempt to start a T3 instance with host
tenancy and the\n unlimted
CPU credit option, the request fails. The\n unlimited
CPU credit option is not supported on Dedicated Hosts. Before\n you start the instance, either change its CPU credit option to standard
, or\n change its tenancy to default
or dedicated
.
For more information, see Stop and start your instance\n in the Amazon EC2 User Guide.
", + "smithy.api#examples": [ + { + "title": "To start a stopped EC2 instance", + "documentation": "This example starts the specified EC2 instance.", + "input": { + "InstanceIds": [ + "i-1234567890abcdef0" + ] + }, + "output": { + "StartingInstances": [ + { + "InstanceId": "i-1234567890abcdef0", + "CurrentState": { + "Code": 0, + "Name": "pending" + }, + "PreviousState": { + "Code": 80, + "Name": "stopped" + } + } + ] + } + } + ] } }, "com.amazonaws.ec2#StartInstancesRequest": { @@ -91196,7 +93646,33 @@ "target": "com.amazonaws.ec2#StopInstancesResult" }, "traits": { - "smithy.api#documentation": "Stops an Amazon EBS-backed instance. For more information, see Stop and start\n your instance in the Amazon EC2 User Guide.
\nYou can use the Stop action to hibernate an instance if the instance is enabled for\n hibernation and it meets the hibernation\n prerequisites. For more information, see Hibernate your instance in the\n Amazon EC2 User Guide.
\nWe don't charge usage for a stopped instance, or data transfer fees; however, your\n root partition Amazon EBS volume remains and continues to persist your data, and you are\n charged for Amazon EBS volume usage. Every time you start your instance, Amazon EC2\n charges a one-minute minimum for instance usage, and thereafter charges per second for\n instance usage.
\nYou can't stop or hibernate instance store-backed instances. You can't use the Stop\n action to hibernate Spot Instances, but you can specify that Amazon EC2 should hibernate\n Spot Instances when they are interrupted. For more information, see Hibernating interrupted Spot Instances in the\n Amazon EC2 User Guide.
\nWhen you stop or hibernate an instance, we shut it down. You can restart your instance\n at any time. Before stopping or hibernating an instance, make sure it is in a state from\n which it can be restarted. Stopping an instance does not preserve data stored in RAM,\n but hibernating an instance does preserve data stored in RAM. If an instance cannot\n hibernate successfully, a normal shutdown occurs.
\nStopping and hibernating an instance is different to rebooting or terminating it. For\n example, when you stop or hibernate an instance, the root device and any other devices\n attached to the instance persist. When you terminate an instance, the root device and\n any other devices attached during the instance launch are automatically deleted. For\n more information about the differences between rebooting, stopping, hibernating, and\n terminating instances, see Instance lifecycle\n in the Amazon EC2 User Guide.
\nWhen you stop an instance, we attempt to shut it down forcibly after a short while. If\n your instance appears stuck in the stopping state after a period of time, there may be\n an issue with the underlying host computer. For more information, see Troubleshoot\n stopping your instance in the Amazon EC2 User Guide.
" + "smithy.api#documentation": "Stops an Amazon EBS-backed instance. For more information, see Stop and start\n your instance in the Amazon EC2 User Guide.
\nYou can use the Stop action to hibernate an instance if the instance is enabled for\n hibernation and it meets the hibernation\n prerequisites. For more information, see Hibernate your instance in the\n Amazon EC2 User Guide.
\nWe don't charge usage for a stopped instance, or data transfer fees; however, your\n root partition Amazon EBS volume remains and continues to persist your data, and you are\n charged for Amazon EBS volume usage. Every time you start your instance, Amazon EC2\n charges a one-minute minimum for instance usage, and thereafter charges per second for\n instance usage.
\nYou can't stop or hibernate instance store-backed instances. You can't use the Stop\n action to hibernate Spot Instances, but you can specify that Amazon EC2 should hibernate\n Spot Instances when they are interrupted. For more information, see Hibernating interrupted Spot Instances in the\n Amazon EC2 User Guide.
\nWhen you stop or hibernate an instance, we shut it down. You can restart your instance\n at any time. Before stopping or hibernating an instance, make sure it is in a state from\n which it can be restarted. Stopping an instance does not preserve data stored in RAM,\n but hibernating an instance does preserve data stored in RAM. If an instance cannot\n hibernate successfully, a normal shutdown occurs.
\nStopping and hibernating an instance is different to rebooting or terminating it. For\n example, when you stop or hibernate an instance, the root device and any other devices\n attached to the instance persist. When you terminate an instance, the root device and\n any other devices attached during the instance launch are automatically deleted. For\n more information about the differences between rebooting, stopping, hibernating, and\n terminating instances, see Instance lifecycle\n in the Amazon EC2 User Guide.
\nWhen you stop an instance, we attempt to shut it down forcibly after a short while. If\n your instance appears stuck in the stopping state after a period of time, there may be\n an issue with the underlying host computer. For more information, see Troubleshoot\n stopping your instance in the Amazon EC2 User Guide.
", + "smithy.api#examples": [ + { + "title": "To stop a running EC2 instance", + "documentation": "This example stops the specified EC2 instance.", + "input": { + "InstanceIds": [ + "i-1234567890abcdef0" + ] + }, + "output": { + "StoppingInstances": [ + { + "InstanceId": "i-1234567890abcdef0", + "CurrentState": { + "Code": 64, + "Name": "stopping" + }, + "PreviousState": { + "Code": 16, + "Name": "running" + } + } + ] + } + } + ] } }, "com.amazonaws.ec2#StopInstancesRequest": { @@ -91748,7 +94224,7 @@ "target": "com.amazonaws.ec2#String", "traits": { "aws.protocols#ec2QueryName": "Description", - "smithy.api#documentation": "The\n description\n assigned to the subnet CIDR\n reservation.
", + "smithy.api#documentation": "The description assigned to the subnet CIDR reservation.
", "smithy.api#xmlName": "description" } }, @@ -92568,7 +95044,7 @@ } }, "ConnectionId": { - "target": "com.amazonaws.ec2#VpnConnectionId", + "target": "com.amazonaws.ec2#String", "traits": { "smithy.api#documentation": "The ID of the client connection to be terminated.
" } @@ -92674,7 +95150,33 @@ "target": "com.amazonaws.ec2#TerminateInstancesResult" }, "traits": { - "smithy.api#documentation": "Shuts down the specified instances. This operation is idempotent; if you terminate an\n instance more than once, each call succeeds.
\nIf you specify multiple instances and the request fails (for example, because of a\n single incorrect instance ID), none of the instances are terminated.
\nIf you terminate multiple instances across multiple Availability Zones, and one or\n more of the specified instances are enabled for termination protection, the request\n fails with the following results:
\nThe specified instances that are in the same Availability Zone as the\n protected instance are not terminated.
\nThe specified instances that are in different Availability Zones, where no\n other specified instances are protected, are successfully terminated.
\nFor example, say you have the following instances:
\nInstance A: us-east-1a
; Not protected
Instance B: us-east-1a
; Not protected
Instance C: us-east-1b
; Protected
Instance D: us-east-1b
; not protected
If you attempt to terminate all of these instances in the same request, the request\n reports failure with the following results:
\nInstance A and Instance B are successfully terminated because none of the\n specified instances in us-east-1a
are enabled for termination\n protection.
Instance C and Instance D fail to terminate because at least one of the\n specified instances in us-east-1b
(Instance C) is enabled for\n termination protection.
Terminated instances remain visible after termination (for approximately one\n hour).
\nBy default, Amazon EC2 deletes all EBS volumes that were attached when the instance\n launched. Volumes attached after instance launch continue running.
\nYou can stop, start, and terminate EBS-backed instances. You can only terminate\n instance store-backed instances. What happens to an instance differs if you stop it or\n terminate it. For example, when you stop an instance, the root device and any other\n devices attached to the instance persist. When you terminate an instance, any attached\n EBS volumes with the DeleteOnTermination
block device mapping parameter set\n to true
are automatically deleted. For more information about the\n differences between stopping and terminating instances, see Instance lifecycle\n in the Amazon EC2 User Guide.
For more information about troubleshooting, see Troubleshooting terminating your instance in the\n Amazon EC2 User Guide.
" + "smithy.api#documentation": "Shuts down the specified instances. This operation is idempotent; if you terminate an\n instance more than once, each call succeeds.
\nIf you specify multiple instances and the request fails (for example, because of a\n single incorrect instance ID), none of the instances are terminated.
\nIf you terminate multiple instances across multiple Availability Zones, and one or\n more of the specified instances are enabled for termination protection, the request\n fails with the following results:
\nThe specified instances that are in the same Availability Zone as the\n protected instance are not terminated.
\nThe specified instances that are in different Availability Zones, where no\n other specified instances are protected, are successfully terminated.
\nFor example, say you have the following instances:
\nInstance A: us-east-1a
; Not protected
Instance B: us-east-1a
; Not protected
Instance C: us-east-1b
; Protected
Instance D: us-east-1b
; not protected
If you attempt to terminate all of these instances in the same request, the request\n reports failure with the following results:
\nInstance A and Instance B are successfully terminated because none of the\n specified instances in us-east-1a
are enabled for termination\n protection.
Instance C and Instance D fail to terminate because at least one of the\n specified instances in us-east-1b
(Instance C) is enabled for\n termination protection.
Terminated instances remain visible after termination (for approximately one\n hour).
\nBy default, Amazon EC2 deletes all EBS volumes that were attached when the instance\n launched. Volumes attached after instance launch continue running.
\nYou can stop, start, and terminate EBS-backed instances. You can only terminate\n instance store-backed instances. What happens to an instance differs if you stop it or\n terminate it. For example, when you stop an instance, the root device and any other\n devices attached to the instance persist. When you terminate an instance, any attached\n EBS volumes with the DeleteOnTermination
block device mapping parameter set\n to true
are automatically deleted. For more information about the\n differences between stopping and terminating instances, see Instance lifecycle\n in the Amazon EC2 User Guide.
For more information about troubleshooting, see Troubleshooting terminating your instance in the\n Amazon EC2 User Guide.
", + "smithy.api#examples": [ + { + "title": "To terminate an EC2 instance", + "documentation": "This example terminates the specified EC2 instance.", + "input": { + "InstanceIds": [ + "i-1234567890abcdef0" + ] + }, + "output": { + "TerminatingInstances": [ + { + "InstanceId": "i-1234567890abcdef0", + "CurrentState": { + "Code": 32, + "Name": "shutting-down" + }, + "PreviousState": { + "Code": 16, + "Name": "running" + } + } + ] + } + } + ] } }, "com.amazonaws.ec2#TerminateInstancesRequest": { @@ -96580,7 +99082,7 @@ } }, "PreSharedKey": { - "target": "com.amazonaws.ec2#String", + "target": "com.amazonaws.ec2#preSharedKey", "traits": { "aws.protocols#ec2QueryName": "PreSharedKey", "smithy.api#documentation": "The pre-shared key (PSK) to establish initial authentication between the virtual\n private gateway and the customer gateway.
", @@ -96883,7 +99385,7 @@ "target": "com.amazonaws.ec2#UnassignPrivateNatGatewayAddressResult" }, "traits": { - "smithy.api#documentation": "Unassigns secondary private IPv4 addresses from a private NAT gateway. You cannot unassign your primary private IP. For more information, see Edit secondary IP address associations in the Amazon Virtual Private Cloud User Guide.
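Review bot: Confirm that the `com.amazonaws.ec2#preSharedKey` shape now targeted by `PreSharedKey` carries `smithy.api#sensitive`; its definition is not in this hunk, so the effect of the retarget cannot be checked from here. If the trait is what this change is meant to bring in, the generated client should stop printing the tunnel PSK in debug and log output, and a codegen test asserting that redaction would pin it. The enclosing structure starts and ends outside the hunk, so any other members that expose the same key (for example on the request side) are not visible here and should be checked for the same retarget.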
\nWhile unassigning is in progress, you cannot assign/unassign additional IP addresses while the connections are being drained. You are, however, allowed to delete the NAT gateway.
\nA private IP address will only be released at the end of MaxDrainDurationSeconds. The\n private IP addresses stay associated and support the existing connections but do not\n support any new connections (new connections are distributed across the remaining\n assigned private IP address). After the existing connections drain out, the private IP\n addresses get released.
\n \n " + "smithy.api#documentation": "Unassigns secondary private IPv4 addresses from a private NAT gateway. You cannot unassign your primary private IP. For more information, see Edit secondary IP address associations in the Amazon VPC User Guide.
\nWhile unassigning is in progress, you cannot assign/unassign additional IP addresses while the connections are being drained. You are, however, allowed to delete the NAT gateway.
\nA private IP address will only be released at the end of MaxDrainDurationSeconds. The\n private IP addresses stay associated and support the existing connections, but do not\n support any new connections (new connections are distributed across the remaining\n assigned private IP address). After the existing connections drain out, the private IP\n addresses are released.
\n \n " } }, "com.amazonaws.ec2#UnassignPrivateNatGatewayAddressRequest": { @@ -96893,7 +99395,7 @@ "target": "com.amazonaws.ec2#NatGatewayId", "traits": { "smithy.api#clientOptional": {}, - "smithy.api#documentation": "The NAT gateway ID.
", + "smithy.api#documentation": "The ID of the NAT gateway.
", "smithy.api#required": {} } }, @@ -96934,7 +99436,7 @@ "target": "com.amazonaws.ec2#NatGatewayId", "traits": { "aws.protocols#ec2QueryName": "NatGatewayId", - "smithy.api#documentation": "The NAT gateway ID.
", + "smithy.api#documentation": "The ID of the NAT gateway.
", "smithy.api#xmlName": "natGatewayId" } }, @@ -97196,7 +99698,30 @@ "target": "com.amazonaws.ec2#UpdateSecurityGroupRuleDescriptionsEgressResult" }, "traits": { - "smithy.api#documentation": "[VPC only] Updates the description of an egress (outbound) security group rule. You\n\t\t\tcan replace an existing description, or add a description to a rule that did not have one\n\t\t\tpreviously. You can remove a description for a security group rule by omitting the \n\t\t\tdescription parameter in the request.
" + "smithy.api#documentation": "Updates the description of an egress (outbound) security group rule. You\n\t\t\tcan replace an existing description, or add a description to a rule that did not have one\n\t\t\tpreviously. You can remove a description for a security group rule by omitting the \n\t\t\tdescription parameter in the request.
", + "smithy.api#examples": [ + { + "title": "To update an outbound security group rule description", + "documentation": "This example updates the description for the specified security group rule.", + "input": { + "GroupId": "sg-123abc12", + "IpPermissions": [ + { + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80, + "IpRanges": [ + { + "CidrIp": "203.0.113.0/24", + "Description": "Outbound HTTP access to server 2" + } + ] + } + ] + }, + "output": {} + } + ] } }, "com.amazonaws.ec2#UpdateSecurityGroupRuleDescriptionsEgressRequest": { @@ -97219,7 +99744,7 @@ "GroupName": { "target": "com.amazonaws.ec2#SecurityGroupName", "traits": { - "smithy.api#documentation": "[Default VPC] The name of the security group. You must specify either the security group\n\t\t\tID or the security group name in the request.
" + "smithy.api#documentation": "[Default VPC] The name of the security group. You must specify either the security group\n\t\t\tID or the security group name.
" } }, "IpPermissions": { @@ -97267,7 +99792,30 @@ "target": "com.amazonaws.ec2#UpdateSecurityGroupRuleDescriptionsIngressResult" }, "traits": { - "smithy.api#documentation": "Updates the description of an ingress (inbound) security group rule. You can replace an\n\t\t\texisting description, or add a description to a rule that did not have one previously.\n\t\t You can remove a description for a security group rule by omitting the description \n\t\t parameter in the request.
" + "smithy.api#documentation": "Updates the description of an ingress (inbound) security group rule. You can replace an\n\t\t\texisting description, or add a description to a rule that did not have one previously.\n\t\t You can remove a description for a security group rule by omitting the description \n\t\t parameter in the request.
", + "smithy.api#examples": [ + { + "title": "To update an inbound security group rule description", + "documentation": "This example updates the description for the specified security group rule.", + "input": { + "GroupId": "sg-123abc12", + "IpPermissions": [ + { + "IpProtocol": "tcp", + "FromPort": 22, + "ToPort": 22, + "IpRanges": [ + { + "CidrIp": "203.0.113.0/16", + "Description": "SSH access from the LA office" + } + ] + } + ] + }, + "output": {} + } + ] } }, "com.amazonaws.ec2#UpdateSecurityGroupRuleDescriptionsIngressRequest": { @@ -97290,7 +99838,7 @@ "GroupName": { "target": "com.amazonaws.ec2#SecurityGroupName", "traits": { - "smithy.api#documentation": "[EC2-Classic, default VPC] The name of the security group. You must specify either the\n security group ID or the security group name in the request. For security groups in a\n nondefault VPC, you must specify the security group ID.
" + "smithy.api#documentation": "[Default VPC] The name of the security group. You must specify either the\n security group ID or the security group name. For security groups in a\n nondefault VPC, you must specify the security group ID.
" } }, "IpPermissions": { @@ -97302,7 +99850,7 @@ "SecurityGroupRuleDescriptions": { "target": "com.amazonaws.ec2#SecurityGroupRuleDescriptionList", "traits": { - "smithy.api#documentation": "[VPC only] The description for the ingress security group rules. You must specify either\n a description or IP permissions.
", + "smithy.api#documentation": "The description for the ingress security group rules. You must specify either\n a description or IP permissions.
", "smithy.api#xmlName": "SecurityGroupRuleDescription" } } @@ -97448,7 +99996,7 @@ "target": "com.amazonaws.ec2#String", "traits": { "aws.protocols#ec2QueryName": "GroupName", - "smithy.api#documentation": "The name of the security group. In a request, use this parameter for a security group\n in EC2-Classic or a default VPC only. For a security group in a nondefault VPC, use the\n security group ID.
\nFor a referenced security group in another VPC, this value is not returned if the\n referenced security group is deleted.
", + "smithy.api#documentation": "[Default VPC] The name of the security group. For a security group in a nondefault VPC, \n use the security group ID.
\nFor a referenced security group in another VPC, this value is not returned if the\n referenced security group is deleted.
", "smithy.api#xmlName": "groupName" } }, @@ -97464,7 +100012,7 @@ "target": "com.amazonaws.ec2#String", "traits": { "aws.protocols#ec2QueryName": "UserId", - "smithy.api#documentation": "The ID of an Amazon Web Services account.
\nFor a referenced security group in another VPC, the account ID of the referenced\n security group is returned in the response. If the referenced security group is deleted,\n this value is not returned.
\n[EC2-Classic] Required when adding or removing rules that reference a security group\n in another Amazon Web Services account.
", + "smithy.api#documentation": "The ID of an Amazon Web Services account.
\nFor a referenced security group in another VPC, the account ID of the referenced\n security group is returned in the response. If the referenced security group is deleted,\n this value is not returned.
", "smithy.api#xmlName": "userId" } }, @@ -97486,7 +100034,7 @@ } }, "traits": { - "smithy.api#documentation": "Describes a security group and Amazon Web Services account ID pair.
\nWe are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nDescribes a security group and Amazon Web Services account ID pair.
" } }, "com.amazonaws.ec2#UserIdGroupPairList": { @@ -98444,10 +100992,24 @@ "traits": { "smithy.api#documentation": "Sends Verified Access logs to Kinesis.
" } + }, + "LogVersion": { + "target": "com.amazonaws.ec2#String", + "traits": { + "smithy.api#documentation": "\n\t\t The logging version to use.\n\t
\nValid values: ocsf-0.1
| ocsf-1.0.0-rc.2
\n
\n\t\t Include trust data sent by trust providers into the logs. \n\t
" + } } }, "traits": { - "smithy.api#documentation": "Describes the destinations for Verified Access logs.
" + "smithy.api#documentation": "Options for Verified Access logs.
" } }, "com.amazonaws.ec2#VerifiedAccessLogS3Destination": { @@ -98561,10 +101123,28 @@ "smithy.api#documentation": "Kinesis logging destination.
", "smithy.api#xmlName": "kinesisDataFirehose" } + }, + "LogVersion": { + "target": "com.amazonaws.ec2#String", + "traits": { + "aws.protocols#ec2QueryName": "LogVersion", + "smithy.api#documentation": "\n Describes current setting for the logging version.\n
", + "smithy.api#xmlName": "logVersion" + } + }, + "IncludeTrustContext": { + "target": "com.amazonaws.ec2#Boolean", + "traits": { + "aws.protocols#ec2QueryName": "IncludeTrustContext", + "smithy.api#clientOptional": {}, + "smithy.api#default": false, + "smithy.api#documentation": "\n\t\t Describes current setting for including trust data into the logs.\n\t
", + "smithy.api#xmlName": "includeTrustContext" + } } }, "traits": { - "smithy.api#documentation": "Describes the destinations for Verified Access logs.
" + "smithy.api#documentation": "Describes the options for Verified Access logs.
" } }, "com.amazonaws.ec2#VerifiedAccessTrustProvider": { @@ -99009,6 +101589,14 @@ "smithy.api#documentation": "The throughput that the volume supports, in MiB/s.
", "smithy.api#xmlName": "throughput" } + }, + "SseType": { + "target": "com.amazonaws.ec2#SSEType", + "traits": { + "aws.protocols#ec2QueryName": "SseType", + "smithy.api#documentation": "Reserved for future use.
", + "smithy.api#xmlName": "sseType" + } } }, "traits": { @@ -100060,7 +102648,7 @@ } }, "traits": { - "smithy.api#documentation": "We are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nDescribes whether a VPC is enabled for ClassicLink.
" + "smithy.api#documentation": "Deprecated.
\nDescribes whether a VPC is enabled for ClassicLink.
" } }, "com.amazonaws.ec2#VpcClassicLinkIdList": { @@ -100603,7 +103191,7 @@ "aws.protocols#ec2QueryName": "AllowDnsResolutionFromRemoteVpc", "smithy.api#clientOptional": {}, "smithy.api#default": false, - "smithy.api#documentation": "Indicates whether a local VPC can resolve public DNS hostnames to private IP addresses when queried from instances in a peer VPC.
", + "smithy.api#documentation": "Indicates whether a local VPC can resolve public DNS hostnames to private IP addresses \n when queried from instances in a peer VPC.
", "smithy.api#xmlName": "allowDnsResolutionFromRemoteVpc" } }, @@ -100613,7 +103201,7 @@ "aws.protocols#ec2QueryName": "AllowEgressFromLocalClassicLinkToRemoteVpc", "smithy.api#clientOptional": {}, "smithy.api#default": false, - "smithy.api#documentation": "Indicates whether a local ClassicLink connection can communicate with the peer VPC over the VPC peering connection.
", + "smithy.api#documentation": "Deprecated.
", "smithy.api#xmlName": "allowEgressFromLocalClassicLinkToRemoteVpc" } }, @@ -100623,13 +103211,13 @@ "aws.protocols#ec2QueryName": "AllowEgressFromLocalVpcToRemoteClassicLink", "smithy.api#clientOptional": {}, "smithy.api#default": false, - "smithy.api#documentation": "Indicates whether a local VPC can communicate with a ClassicLink connection in the peer VPC over the VPC peering connection.
", + "smithy.api#documentation": "Deprecated.
", "smithy.api#xmlName": "allowEgressFromLocalVpcToRemoteClassicLink" } } }, "traits": { - "smithy.api#documentation": "We are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.
\nDescribes the VPC peering connection options.
" + "smithy.api#documentation": "Describes the VPC peering connection options.
" } }, "com.amazonaws.ec2#VpcPeeringConnectionStateReason": { @@ -100811,7 +103399,7 @@ "type": "structure", "members": { "CustomerGatewayConfiguration": { - "target": "com.amazonaws.ec2#String", + "target": "com.amazonaws.ec2#customerGatewayConfiguration", "traits": { "aws.protocols#ec2QueryName": "CustomerGatewayConfiguration", "smithy.api#documentation": "The configuration information for the VPN connection's customer gateway (in the native\n XML format). This element is always present in the CreateVpnConnection\n response; however, it's present in the DescribeVpnConnections response\n only if the VPN connection is in the pending
or available
\n state.
The pre-shared key (PSK) to establish initial authentication between the virtual\n private gateway and customer gateway.
\nConstraints: Allowed characters are alphanumeric characters, periods (.), and\n underscores (_). Must be between 8 and 64 characters in length and cannot start with\n zero (0).
" } @@ -101678,6 +104266,18 @@ } } }, + "com.amazonaws.ec2#customerGatewayConfiguration": { + "type": "string", + "traits": { + "smithy.api#sensitive": {} + } + }, + "com.amazonaws.ec2#preSharedKey": { + "type": "string", + "traits": { + "smithy.api#sensitive": {} + } + }, "com.amazonaws.ec2#scope": { "type": "enum", "members": { @@ -101709,6 +104309,9 @@ }, "com.amazonaws.ec2#totalGpuMemory": { "type": "integer" + }, + "com.amazonaws.ec2#totalInferenceMemory": { + "type": "integer" } } } diff --git a/aws/sdk/aws-models/ecs.json b/aws/sdk/aws-models/ecs.json index 51c17eda2f478e13fc8c6cc946099e43fd292c43..37ba5292c62fba1bfce19bdefa5556606045b6fd 100644 --- a/aws/sdk/aws-models/ecs.json +++ b/aws/sdk/aws-models/ecs.json @@ -332,52 +332,56 @@ "type": "error" }, { - "conditions": [], - "type": "tree", - "rules": [ + "conditions": [ { - "conditions": [ + "fn": "booleanEquals", + "argv": [ { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseDualStack" - }, - true - ] - } - ], - "error": "Invalid Configuration: Dualstack and custom endpoint are not supported", - "type": "error" - }, - { - "conditions": [], - "endpoint": { - "url": { - "ref": "Endpoint" + "ref": "UseDualStack" }, - "properties": {}, - "headers": {} - }, - "type": "endpoint" + true + ] } - ] + ], + "error": "Invalid Configuration: Dualstack and custom endpoint are not supported", + "type": "error" + }, + { + "conditions": [], + "endpoint": { + "url": { + "ref": "Endpoint" + }, + "properties": {}, + "headers": {} + }, + "type": "endpoint" } ] }, { - "conditions": [], + "conditions": [ + { + "fn": "isSet", + "argv": [ + { + "ref": "Region" + } + ] + } + ], "type": "tree", "rules": [ { "conditions": [ { - "fn": "isSet", + "fn": "aws.partition", "argv": [ { "ref": "Region" } - ] + ], + "assign": "PartitionResult" } ], "type": "tree", 
@@ -385,13 +389,22 @@ { "conditions": [ { - "fn": "aws.partition", + "fn": "booleanEquals", "argv": [ { - "ref": "Region" - } - ], - "assign": "PartitionResult" + "ref": "UseFIPS" + }, + true + ] + }, + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseDualStack" + }, + true + ] } ], "type": "tree", 
@@ -401,224 +414,175 @@ { "fn": "booleanEquals", "argv": [ + true, { - "ref": "UseFIPS" - }, - true + "fn": "getAttr", + "argv": [ + { + "ref": "PartitionResult" + }, + "supportsFIPS" + ] + } ] }, { "fn": "booleanEquals", "argv": [ + true, { - "ref": "UseDualStack" - }, - true - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "booleanEquals", + "fn": "getAttr", "argv": [ - true, - { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "supportsFIPS" - ] - } - ] - }, - { - "fn": "booleanEquals", - "argv": [ - true, - { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "supportsDualStack" - ] - } - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": "tree", - "rules": [ { - "conditions": [], - "endpoint": { - "url": "https://ecs-fips.{Region}.{PartitionResult#dualStackDnsSuffix}", - "properties": {}, - "headers": {} - }, - "type": "endpoint" - } + "ref": "PartitionResult" + }, + "supportsDualStack" ] } ] - }, + } + ], + "type": "tree", + "rules": [ { "conditions": [], - "error": "FIPS and DualStack are enabled, but this partition does not support one or both", - "type": "error" + "endpoint": { + "url": "https://ecs-fips.{Region}.{PartitionResult#dualStackDnsSuffix}", + "properties": {}, + "headers": {} + }, + "type": "endpoint" } ] }, + { + "conditions": [], + "error": "FIPS and DualStack are enabled, but this partition does not support one or both", + "type": "error" + } + ] + }, + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseFIPS" + }, + true + ] + } + ], + "type": "tree", + "rules": [ { "conditions": [ { "fn": "booleanEquals", "argv": [ + true, { - "ref": "UseFIPS" - }, - true - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "booleanEquals", + "fn": "getAttr", "argv": [ - true, - { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "supportsFIPS" - ] - } - ] - } - ], - "type": "tree", - "rules": [ - 
{ - "conditions": [], - "type": "tree", - "rules": [ { - "conditions": [], - "endpoint": { - "url": "https://ecs-fips.{Region}.{PartitionResult#dnsSuffix}", - "properties": {}, - "headers": {} - }, - "type": "endpoint" - } + "ref": "PartitionResult" + }, + "supportsFIPS" ] } ] - }, + } + ], + "type": "tree", + "rules": [ { "conditions": [], - "error": "FIPS is enabled but this partition does not support FIPS", - "type": "error" + "endpoint": { + "url": "https://ecs-fips.{Region}.{PartitionResult#dnsSuffix}", + "properties": {}, + "headers": {} + }, + "type": "endpoint" } ] }, + { + "conditions": [], + "error": "FIPS is enabled but this partition does not support FIPS", + "type": "error" + } + ] + }, + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseDualStack" + }, + true + ] + } + ], + "type": "tree", + "rules": [ { "conditions": [ { "fn": "booleanEquals", "argv": [ + true, { - "ref": "UseDualStack" - }, - true - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "booleanEquals", + "fn": "getAttr", "argv": [ - true, { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "supportsDualStack" - ] - } - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [], - "endpoint": { - "url": "https://ecs.{Region}.{PartitionResult#dualStackDnsSuffix}", - "properties": {}, - "headers": {} - }, - "type": "endpoint" - } + "ref": "PartitionResult" + }, + "supportsDualStack" ] } ] - }, - { - "conditions": [], - "error": "DualStack is enabled but this partition does not support DualStack", - "type": "error" } - ] - }, - { - "conditions": [], + ], "type": "tree", "rules": [ { "conditions": [], "endpoint": { - "url": "https://ecs.{Region}.{PartitionResult#dnsSuffix}", + "url": "https://ecs.{Region}.{PartitionResult#dualStackDnsSuffix}", "properties": {}, "headers": {} }, "type": "endpoint" } ] + }, + { + "conditions": [], + "error": "DualStack is 
enabled but this partition does not support DualStack", + "type": "error" } ] + }, + { + "conditions": [], + "endpoint": { + "url": "https://ecs.{Region}.{PartitionResult#dnsSuffix}", + "properties": {}, + "headers": {} + }, + "type": "endpoint" } ] - }, - { - "conditions": [], - "error": "Invalid Configuration: Missing Region", - "type": "error" } ] + }, + { + "conditions": [], + "error": "Invalid Configuration: Missing Region", + "type": "error" } ] }, @@ -1471,14 +1435,14 @@ "autoScalingGroupArn": { "target": "com.amazonaws.ecs#String", "traits": { - "smithy.api#documentation": "The Amazon Resource Name (ARN) that identifies the Auto Scaling group.
", + "smithy.api#documentation": "The Amazon Resource Name (ARN) that identifies the Auto Scaling group, or the Auto Scaling group name.
", "smithy.api#required": {} } }, "managedScaling": { "target": "com.amazonaws.ecs#ManagedScaling", "traits": { - "smithy.api#documentation": "The managed scaling settings for the Auto Scaling group capacity provider.
" + "smithy.api#documentation": "he managed scaling settings for the Auto Scaling group capacity provider.
" } }, "managedTerminationProtection": { @@ -2361,13 +2325,13 @@ "startTimeout": { "target": "com.amazonaws.ecs#BoxedInteger", "traits": { - "smithy.api#documentation": "Time duration (in seconds) to wait before giving up on resolving dependencies for a\n\t\t\tcontainer. For example, you specify two containers in a task definition with containerA\n\t\t\thaving a dependency on containerB reaching a COMPLETE
,\n\t\t\tSUCCESS
, or HEALTHY
status. If a startTimeout
\n\t\t\tvalue is specified for containerB and it doesn't reach the desired status within that\n\t\t\ttime then containerA gives up and not start. This results in the task transitioning to a\n\t\t\t\tSTOPPED
state.
When the ECS_CONTAINER_START_TIMEOUT
container agent configuration\n\t\t\t\tvariable is used, it's enforced independently from this start timeout value.
For tasks using the Fargate launch type, the task or service requires\n\t\t\tthe following platforms:
\nLinux platform version 1.3.0
or later.
Windows platform version 1.0.0
or later.
For tasks using the EC2 launch type, your container instances require at\n\t\t\tleast version 1.26.0
of the container agent to use a container start\n\t\t\ttimeout value. However, we recommend using the latest container agent version. For\n\t\t\tinformation about checking your agent version and updating to the latest version, see\n\t\t\t\tUpdating the Amazon ECS\n\t\t\t\tContainer Agent in the Amazon Elastic Container Service Developer Guide. If you're using an Amazon ECS-optimized Linux AMI,\n\t\t\tyour instance needs at least version 1.26.0-1
of the ecs-init
\n\t\t\tpackage. If your container instances are launched from version 20190301
or\n\t\t\tlater, then they contain the required versions of the container agent and\n\t\t\t\tecs-init
. For more information, see Amazon ECS-optimized Linux AMI\n\t\t\tin the Amazon Elastic Container Service Developer Guide.
Time duration (in seconds) to wait before giving up on resolving dependencies for a\n\t\t\tcontainer. For example, you specify two containers in a task definition with containerA\n\t\t\thaving a dependency on containerB reaching a COMPLETE
,\n\t\t\tSUCCESS
, or HEALTHY
status. If a startTimeout
\n\t\t\tvalue is specified for containerB and it doesn't reach the desired status within that\n\t\t\ttime then containerA gives up and not start. This results in the task transitioning to a\n\t\t\t\tSTOPPED
state.
When the ECS_CONTAINER_START_TIMEOUT
container agent configuration\n\t\t\t\tvariable is used, it's enforced independently from this start timeout value.
For tasks using the Fargate launch type, the task or service requires\n\t\t\tthe following platforms:
\nLinux platform version 1.3.0
or later.
Windows platform version 1.0.0
or later.
For tasks using the EC2 launch type, your container instances require at\n\t\t\tleast version 1.26.0
of the container agent to use a container start\n\t\t\ttimeout value. However, we recommend using the latest container agent version. For\n\t\t\tinformation about checking your agent version and updating to the latest version, see\n\t\t\t\tUpdating the Amazon ECS\n\t\t\t\tContainer Agent in the Amazon Elastic Container Service Developer Guide. If you're using an Amazon ECS-optimized Linux AMI,\n\t\t\tyour instance needs at least version 1.26.0-1
of the ecs-init
\n\t\t\tpackage. If your container instances are launched from version 20190301
or\n\t\t\tlater, then they contain the required versions of the container agent and\n\t\t\t\tecs-init
. For more information, see Amazon ECS-optimized Linux AMI\n\t\t\tin the Amazon Elastic Container Service Developer Guide.
The valid values are 2-120 seconds.
" } }, "stopTimeout": { "target": "com.amazonaws.ecs#BoxedInteger", "traits": { - "smithy.api#documentation": "Time duration (in seconds) to wait before the container is forcefully killed if it\n\t\t\tdoesn't exit normally on its own.
\nFor tasks using the Fargate launch type, the task or service requires\n\t\t\tthe following platforms:
\nLinux platform version 1.3.0
or later.
Windows platform version 1.0.0
or later.
The max stop timeout value is 120 seconds and if the parameter is not specified, the\n\t\t\tdefault value of 30 seconds is used.
\nFor tasks that use the EC2 launch type, if the stopTimeout
\n\t\t\tparameter isn't specified, the value set for the Amazon ECS container agent configuration\n\t\t\tvariable ECS_CONTAINER_STOP_TIMEOUT
is used. If neither the\n\t\t\t\tstopTimeout
parameter or the ECS_CONTAINER_STOP_TIMEOUT
\n\t\t\tagent configuration variable are set, then the default values of 30 seconds for Linux\n\t\t\tcontainers and 30 seconds on Windows containers are used. Your container instances\n\t\t\trequire at least version 1.26.0 of the container agent to use a container stop timeout\n\t\t\tvalue. However, we recommend using the latest container agent version. For information\n\t\t\tabout checking your agent version and updating to the latest version, see Updating the Amazon ECS Container Agent in the Amazon Elastic Container Service Developer Guide. If you're using\n\t\t\tan Amazon ECS-optimized Linux AMI, your instance needs at least version 1.26.0-1 of the\n\t\t\t\tecs-init
package. If your container instances are launched from version\n\t\t\t\t20190301
or later, then they contain the required versions of the\n\t\t\tcontainer agent and ecs-init
. For more information, see Amazon ECS-optimized Linux AMI in the Amazon Elastic Container Service Developer Guide.
Time duration (in seconds) to wait before the container is forcefully killed if it\n\t\t\tdoesn't exit normally on its own.
\nFor tasks using the Fargate launch type, the task or service requires\n\t\t\tthe following platforms:
\nLinux platform version 1.3.0
or later.
Windows platform version 1.0.0
or later.
The max stop timeout value is 120 seconds and if the parameter is not specified, the\n\t\t\tdefault value of 30 seconds is used.
\nFor tasks that use the EC2 launch type, if the stopTimeout
\n\t\t\tparameter isn't specified, the value set for the Amazon ECS container agent configuration\n\t\t\tvariable ECS_CONTAINER_STOP_TIMEOUT
is used. If neither the\n\t\t\t\tstopTimeout
parameter or the ECS_CONTAINER_STOP_TIMEOUT
\n\t\t\tagent configuration variable are set, then the default values of 30 seconds for Linux\n\t\t\tcontainers and 30 seconds on Windows containers are used. Your container instances\n\t\t\trequire at least version 1.26.0 of the container agent to use a container stop timeout\n\t\t\tvalue. However, we recommend using the latest container agent version. For information\n\t\t\tabout checking your agent version and updating to the latest version, see Updating the Amazon ECS Container Agent in the Amazon Elastic Container Service Developer Guide. If you're using\n\t\t\tan Amazon ECS-optimized Linux AMI, your instance needs at least version 1.26.0-1 of the\n\t\t\t\tecs-init
package. If your container instances are launched from version\n\t\t\t\t20190301
or later, then they contain the required versions of the\n\t\t\tcontainer agent and ecs-init
. For more information, see Amazon ECS-optimized Linux AMI in the Amazon Elastic Container Service Developer Guide.
The valid values are 2-120 seconds.
" } }, "hostname": { @@ -2483,6 +2447,12 @@ "traits": { "smithy.api#documentation": "The FireLens configuration for the container. This is used to specify and configure a\n\t\t\tlog router for container logs. For more information, see Custom Log Routing\n\t\t\tin the Amazon Elastic Container Service Developer Guide.
" } + }, + "credentialSpecs": { + "target": "com.amazonaws.ecs#StringList", + "traits": { + "smithy.api#documentation": "A list of ARNs in SSM or Amazon S3 to a credential spec\n\t\t\t\t(CredSpec
) file that configures the container for Active Directory\n\t\t\tauthentication. We recommend that you use this parameter instead of the\n\t\t\t\tdockerSecurityOptions
. The maximum number of ARNs is\n\t\t\t1.
There are two formats for each ARN.
\nYou use credentialspecdomainless:MyARN
to provide a\n\t\t\t\t\t\t\tCredSpec
with an additional section for a secret in Secrets Manager.\n\t\t\t\t\t\tYou provide the login credentials to the domain in the secret.
Each task that runs on any container instance can join different\n\t\t\t\t\t\tdomains.
\nYou can use this format without joining the container instance to a\n\t\t\t\t\t\tdomain.
\nYou use credentialspec:MyARN
to provide a\n\t\t\t\t\t\t\tCredSpec
for a single domain.
You must join the container instance to the domain before you start any\n\t\t\t\t\t\ttasks that use this task definition.
\nIn both formats, replace MyARN
with the ARN in\n\t\t\tSSM or Amazon S3.
If you provide a credentialspecdomainless:MyARN
, the\n\t\t\t\tcredspec
must provide a ARN in Secrets Manager for a secret containing the\n\t\t\tusername, password, and the domain to connect to. For better security, the instance\n\t\t\tisn't joined to the domain for domainless authentication. Other applications on the\n\t\t\tinstance can't use the domainless credentials. You can use this parameter to run tasks\n\t\t\ton the same instance, even it the tasks need to join different domains. For more\n\t\t\tinformation, see Using gMSAs for Windows\n\t\t\t\tContainers and Using gMSAs for Linux\n\t\t\t\tContainers.
The overrides that are sent to a container. An empty container override can be passed\n\t\t\tin. An example of an empty container override is {\"containerOverrides\": [ ]\n\t\t\t\t}
. If a non-empty container override is specified, the name
\n\t\t\tparameter must be included.
The overrides that are sent to a container. An empty container override can be passed\n\t\t\tin. An example of an empty container override is {\"containerOverrides\": [ ]\n\t\t\t\t}
. If a non-empty container override is specified, the name
\n\t\t\tparameter must be included.
You can use Secrets Manager or Amazon Web Services Systems Manager Parameter Store to store the sensitive\n\t\t\tdata. For more information, see Retrieve secrets through environment variables in the Amazon ECS Developer Guide.
" } }, "com.amazonaws.ecs#ContainerOverrides": { @@ -2945,7 +2915,27 @@ } ], "traits": { - "smithy.api#documentation": "Creates a new Amazon ECS cluster. By default, your account receives a default
\n\t\t\tcluster when you launch your first container instance. However, you can create your own\n\t\t\tcluster with a unique name with the CreateCluster
action.
When you call the CreateCluster API operation, Amazon ECS attempts to\n\t\t\t\tcreate the Amazon ECS service-linked role for your account. This is so that it can manage\n\t\t\t\trequired resources in other Amazon Web Services services on your behalf. However, if the user\n\t\t\t\tthat makes the call doesn't have permissions to create the service-linked role, it\n\t\t\t\tisn't created. For more information, see Using\n\t\t\t\t\tservice-linked roles for Amazon ECS in the Amazon Elastic Container Service Developer Guide.
\nCreates a new Amazon ECS cluster. By default, your account receives a default
\n\t\t\tcluster when you launch your first container instance. However, you can create your own\n\t\t\tcluster with a unique name with the CreateCluster
action.
When you call the CreateCluster API operation, Amazon ECS attempts to\n\t\t\t\tcreate the Amazon ECS service-linked role for your account. This is so that it can manage\n\t\t\t\trequired resources in other Amazon Web Services services on your behalf. However, if the user\n\t\t\t\tthat makes the call doesn't have permissions to create the service-linked role, it\n\t\t\t\tisn't created. For more information, see Using\n\t\t\t\t\tservice-linked roles for Amazon ECS in the Amazon Elastic Container Service Developer Guide.
\nRuns and maintains your desired number of tasks from a specified task definition. If\n\t\t\tthe number of tasks running in a service drops below the desiredCount
,\n\t\t\tAmazon ECS runs another copy of the task in the specified cluster. To update an existing\n\t\t\tservice, see the UpdateService action.
Starting April 15, 2023, Amazon Web Services will not onboard new customers to Amazon Elastic Inference (EI), and will help current customers migrate their workloads to options that offer better price and performance. After April 15, 2023, new customers will not be able to launch instances with Amazon EI accelerators in Amazon SageMaker, Amazon ECS, or Amazon EC2. However, customers who have used Amazon EI at least once during the past 30-day period are considered current customers and will be able to continue using the service.
\nIn addition to maintaining the desired count of tasks in your service, you can\n\t\t\toptionally run your service behind one or more load balancers. The load balancers\n\t\t\tdistribute traffic across the tasks that are associated with the service. For more\n\t\t\tinformation, see Service load balancing in the Amazon Elastic Container Service Developer Guide.
\nTasks for services that don't use a load balancer are considered healthy if they're in\n\t\t\tthe RUNNING
state. Tasks for services that use a load balancer are\n\t\t\tconsidered healthy if they're in the RUNNING
state and are reported as\n\t\t\thealthy by the load balancer.
There are two service scheduler strategies available:
\n\n REPLICA
- The replica scheduling strategy places and\n\t\t\t\t\tmaintains your desired number of tasks across your cluster. By default, the\n\t\t\t\t\tservice scheduler spreads tasks across Availability Zones. You can use task\n\t\t\t\t\tplacement strategies and constraints to customize task placement decisions. For\n\t\t\t\t\tmore information, see Service scheduler concepts in the Amazon Elastic Container Service Developer Guide.
\n DAEMON
- The daemon scheduling strategy deploys exactly one\n\t\t\t\t\ttask on each active container instance that meets all of the task placement\n\t\t\t\t\tconstraints that you specify in your cluster. The service scheduler also\n\t\t\t\t\tevaluates the task placement constraints for running tasks. It also stops tasks\n\t\t\t\t\tthat don't meet the placement constraints. When using this strategy, you don't\n\t\t\t\t\tneed to specify a desired number of tasks, a task placement strategy, or use\n\t\t\t\t\tService Auto Scaling policies. For more information, see Service scheduler concepts in the Amazon Elastic Container Service Developer Guide.
You can optionally specify a deployment configuration for your service. The deployment\n\t\t\tis initiated by changing properties. For example, the deployment might be initiated by\n\t\t\tthe task definition or by your desired count of a service. This is done with an UpdateService operation. The default value for a replica service for\n\t\t\t\tminimumHealthyPercent
is 100%. The default value for a daemon service\n\t\t\tfor minimumHealthyPercent
is 0%.
If a service uses the ECS
deployment controller, the minimum healthy\n\t\t\tpercent represents a lower limit on the number of tasks in a service that must remain in\n\t\t\tthe RUNNING
state during a deployment. Specifically, it represents it as a\n\t\t\tpercentage of your desired number of tasks (rounded up to the nearest integer). This\n\t\t\thappens when any of your container instances are in the DRAINING
state if\n\t\t\tthe service contains tasks using the EC2 launch type. Using this\n\t\t\tparameter, you can deploy without using additional cluster capacity. For example, if you\n\t\t\tset your service to have desired number of four tasks and a minimum healthy percent of\n\t\t\t50%, the scheduler might stop two existing tasks to free up cluster capacity before\n\t\t\tstarting two new tasks. If they're in the RUNNING
state, tasks for services\n\t\t\tthat don't use a load balancer are considered healthy . If they're in the\n\t\t\t\tRUNNING
state and reported as healthy by the load balancer, tasks for\n\t\t\tservices that do use a load balancer are considered healthy . The\n\t\t\tdefault value for minimum healthy percent is 100%.
If a service uses the ECS
deployment controller, the maximum percent parameter represents an upper limit on the\n\t\t\tnumber of tasks in a service that are allowed in the RUNNING
or\n\t\t\t\tPENDING
state during a deployment. Specifically, it represents it as a\n\t\t\tpercentage of the desired number of tasks (rounded down to the nearest integer). This\n\t\t\thappens when any of your container instances are in the DRAINING
state if\n\t\t\tthe service contains tasks using the EC2 launch type. Using this\n\t\t\tparameter, you can define the deployment batch size. For example, if your service has a\n\t\t\tdesired number of four tasks and a maximum percent value of 200%, the scheduler may\n\t\t\tstart four new tasks before stopping the four older tasks (provided that the cluster\n\t\t\tresources required to do this are available). The default value for maximum percent is\n\t\t\t200%.
If a service uses either the CODE_DEPLOY
or EXTERNAL
\n\t\t\tdeployment controller types and tasks that use the EC2 launch type, the\n\t\t\t\tminimum healthy percent and maximum percent values are used only to define the lower and upper limit\n\t\t\ton the number of the tasks in the service that remain in the RUNNING
state.\n\t\t\tThis is while the container instances are in the DRAINING
state. If the\n\t\t\ttasks in the service use the Fargate launch type, the minimum healthy\n\t\t\tpercent and maximum percent values aren't used. This is the case even if they're\n\t\t\tcurrently visible when describing your service.
When creating a service that uses the EXTERNAL
deployment controller, you\n\t\t\tcan specify only parameters that aren't controlled at the task set level. The only\n\t\t\trequired parameter is the service name. You control your services using the CreateTaskSet operation. For more information, see Amazon ECS deployment types in the Amazon Elastic Container Service Developer Guide.
When the service scheduler launches new tasks, it determines task placement. For\n\t\t\tinformation about task placement and task placement strategies, see Amazon ECS\n\t\t\t\ttask placement in the Amazon Elastic Container Service Developer Guide.
" + "smithy.api#documentation": "Runs and maintains your desired number of tasks from a specified task definition. If\n\t\t\tthe number of tasks running in a service drops below the desiredCount
,\n\t\t\tAmazon ECS runs another copy of the task in the specified cluster. To update an existing\n\t\t\tservice, see the UpdateService action.
Starting April 15, 2023, Amazon Web Services will not onboard new customers to Amazon Elastic Inference (EI), and will help current customers migrate their workloads to options that offer better price and performance. After April 15, 2023, new customers will not be able to launch instances with Amazon EI accelerators in Amazon SageMaker, Amazon ECS, or Amazon EC2. However, customers who have used Amazon EI at least once during the past 30-day period are considered current customers and will be able to continue using the service.
\nIn addition to maintaining the desired count of tasks in your service, you can\n\t\t\toptionally run your service behind one or more load balancers. The load balancers\n\t\t\tdistribute traffic across the tasks that are associated with the service. For more\n\t\t\tinformation, see Service load balancing in the Amazon Elastic Container Service Developer Guide.
\nTasks for services that don't use a load balancer are considered healthy if they're in\n\t\t\tthe RUNNING
state. Tasks for services that use a load balancer are\n\t\t\tconsidered healthy if they're in the RUNNING
state and are reported as\n\t\t\thealthy by the load balancer.
There are two service scheduler strategies available:
\n\n REPLICA
- The replica scheduling strategy places and\n\t\t\t\t\tmaintains your desired number of tasks across your cluster. By default, the\n\t\t\t\t\tservice scheduler spreads tasks across Availability Zones. You can use task\n\t\t\t\t\tplacement strategies and constraints to customize task placement decisions. For\n\t\t\t\t\tmore information, see Service scheduler concepts in the Amazon Elastic Container Service Developer Guide.
\n DAEMON
- The daemon scheduling strategy deploys exactly one\n\t\t\t\t\ttask on each active container instance that meets all of the task placement\n\t\t\t\t\tconstraints that you specify in your cluster. The service scheduler also\n\t\t\t\t\tevaluates the task placement constraints for running tasks. It also stops tasks\n\t\t\t\t\tthat don't meet the placement constraints. When using this strategy, you don't\n\t\t\t\t\tneed to specify a desired number of tasks, a task placement strategy, or use\n\t\t\t\t\tService Auto Scaling policies. For more information, see Service scheduler concepts in the Amazon Elastic Container Service Developer Guide.
You can optionally specify a deployment configuration for your service. The deployment\n\t\t\tis initiated by changing properties. For example, the deployment might be initiated by\n\t\t\tthe task definition or by your desired count of a service. This is done with an UpdateService operation. The default value for a replica service for\n\t\t\t\tminimumHealthyPercent
is 100%. The default value for a daemon service\n\t\t\tfor minimumHealthyPercent
is 0%.
If a service uses the ECS
deployment controller, the minimum healthy\n\t\t\tpercent represents a lower limit on the number of tasks in a service that must remain in\n\t\t\tthe RUNNING
state during a deployment. Specifically, it represents it as a\n\t\t\tpercentage of your desired number of tasks (rounded up to the nearest integer). This\n\t\t\thappens when any of your container instances are in the DRAINING
state if\n\t\t\tthe service contains tasks using the EC2 launch type. Using this\n\t\t\tparameter, you can deploy without using additional cluster capacity. For example, if you\n\t\t\tset your service to have desired number of four tasks and a minimum healthy percent of\n\t\t\t50%, the scheduler might stop two existing tasks to free up cluster capacity before\n\t\t\tstarting two new tasks. If they're in the RUNNING
state, tasks for services\n\t\t\tthat don't use a load balancer are considered healthy . If they're in the\n\t\t\t\tRUNNING
state and reported as healthy by the load balancer, tasks for\n\t\t\tservices that do use a load balancer are considered healthy . The\n\t\t\tdefault value for minimum healthy percent is 100%.
If a service uses the ECS
deployment controller, the maximum percent parameter represents an upper limit on the\n\t\t\tnumber of tasks in a service that are allowed in the RUNNING
or\n\t\t\t\tPENDING
state during a deployment. Specifically, it represents it as a\n\t\t\tpercentage of the desired number of tasks (rounded down to the nearest integer). This\n\t\t\thappens when any of your container instances are in the DRAINING
state if\n\t\t\tthe service contains tasks using the EC2 launch type. Using this\n\t\t\tparameter, you can define the deployment batch size. For example, if your service has a\n\t\t\tdesired number of four tasks and a maximum percent value of 200%, the scheduler may\n\t\t\tstart four new tasks before stopping the four older tasks (provided that the cluster\n\t\t\tresources required to do this are available). The default value for maximum percent is\n\t\t\t200%.
If a service uses either the CODE_DEPLOY
or EXTERNAL
\n\t\t\tdeployment controller types and tasks that use the EC2 launch type, the\n\t\t\t\tminimum healthy percent and maximum percent values are used only to define the lower and upper limit\n\t\t\ton the number of the tasks in the service that remain in the RUNNING
state.\n\t\t\tThis is while the container instances are in the DRAINING
state. If the\n\t\t\ttasks in the service use the Fargate launch type, the minimum healthy\n\t\t\tpercent and maximum percent values aren't used. This is the case even if they're\n\t\t\tcurrently visible when describing your service.
When creating a service that uses the EXTERNAL
deployment controller, you\n\t\t\tcan specify only parameters that aren't controlled at the task set level. The only\n\t\t\trequired parameter is the service name. You control your services using the CreateTaskSet operation. For more information, see Amazon ECS deployment types in the Amazon Elastic Container Service Developer Guide.
When the service scheduler launches new tasks, it determines task placement. For\n\t\t\tinformation about task placement and task placement strategies, see Amazon ECS\n\t\t\t\ttask placement in the Amazon Elastic Container Service Developer Guide.
", + "smithy.api#examples": [ + { + "title": "To create a new service", + "documentation": "This example creates a service in your default region called ``ecs-simple-service``. The service uses the ``hello_world`` task definition and it maintains 10 copies of that task.", + "input": { + "serviceName": "ecs-simple-service", + "taskDefinition": "hello_world", + "desiredCount": 10 + }, + "output": { + "service": { + "clusterArn": "arn:aws:ecs:us-east-1:012345678910:cluster/default", + "createdAt": "2016-08-29T16:13:47.298Z", + "deploymentConfiguration": { + "maximumPercent": 200, + "minimumHealthyPercent": 100 + }, + "deployments": [ + { + "createdAt": "2016-08-29T16:13:47.298Z", + "desiredCount": 10, + "id": "ecs-svc/9223370564342348388", + "pendingCount": 0, + "runningCount": 0, + "status": "PRIMARY", + "taskDefinition": "arn:aws:ecs:us-east-1:012345678910:task-definition/hello_world:6", + "updatedAt": "2016-08-29T16:13:47.298Z" + }, + { + "createdAt": "2016-08-29T15:52:44.481Z", + "desiredCount": 0, + "id": "ecs-svc/9223370564343611322", + "pendingCount": 0, + "runningCount": 0, + "status": "ACTIVE", + "taskDefinition": "arn:aws:ecs:us-east-1:012345678910:task-definition/hello_world:6", + "updatedAt": "2016-08-29T16:11:38.941Z" + } + ], + "desiredCount": 10, + "events": [], + "loadBalancers": [], + "pendingCount": 0, + "runningCount": 0, + "serviceArn": "arn:aws:ecs:us-east-1:012345678910:service/ecs-simple-service", + "serviceName": "ecs-simple-service", + "status": "ACTIVE", + "taskDefinition": "arn:aws:ecs:us-east-1:012345678910:task-definition/hello_world:6" + } + } + } + ] } }, "com.amazonaws.ecs#CreateServiceRequest": { 
@@ -3175,13 +3217,13 @@ "target": "com.amazonaws.ecs#Boolean", "traits": { "smithy.api#default": false, - "smithy.api#documentation": "Specifies whether to turn on Amazon ECS managed tags for the tasks within the service. For\n\t\t\tmore information, see Tagging your Amazon ECS\n\t\t\t\tresources in the Amazon Elastic Container Service Developer Guide.
" + "smithy.api#documentation": "Specifies whether to turn on Amazon ECS managed tags for the tasks within the service. For\n\t\t\tmore information, see Tagging your Amazon ECS\n\t\t\t\tresources in the Amazon Elastic Container Service Developer Guide.
\nWhen you use Amazon ECS managed tags, you need to set the propagateTags
\n\t\t\trequest parameter.
Specifies whether to propagate the tags from the task definition to the task. If no\n\t\t\tvalue is specified, the tags aren't propagated. Tags can only be propagated to the task\n\t\t\tduring task creation. To add tags to a task after task creation, use the TagResource API action.
" + "smithy.api#documentation": "Specifies whether to propagate the tags from the task definition to the task. If no\n\t\t\tvalue is specified, the tags aren't propagated. Tags can only be propagated to the task\n\t\t\tduring task creation. To add tags to a task after task creation, use the TagResource API action.
\nThe default is NONE
.
The task definition for the tasks in the task set to use.
", + "smithy.api#documentation": "The task definition for the tasks in the task set to use. If a revision isn't specified, the\n\t\t\tlatest ACTIVE
revision is used.
Disables an account setting for a specified user, role, or the root user for\n\t\t\tan account.
" + "smithy.api#documentation": "Disables an account setting for a specified user, role, or the root user for\n\t\t\tan account.
", + "smithy.api#examples": [ + { + "title": "To delete your account setting", + "documentation": "This example deletes the account setting for your user for the specified resource type.", + "input": { + "name": "serviceLongArnFormat" + }, + "output": { + "setting": { + "name": "serviceLongArnFormat", + "value": "enabled", + "principalArn": "arn:aws:iam::Deletes the specified cluster. The cluster transitions to the INACTIVE
\n\t\t\tstate. Clusters with an INACTIVE
status might remain discoverable in your\n\t\t\taccount for a period of time. However, this behavior is subject to change in the future.\n\t\t\tWe don't recommend that you rely on INACTIVE
clusters persisting.
You must deregister all container instances from this cluster before you may delete\n\t\t\tit. You can list the container instances in a cluster with ListContainerInstances and deregister them with DeregisterContainerInstance.
" + "smithy.api#documentation": "Deletes the specified cluster. The cluster transitions to the INACTIVE
\n\t\t\tstate. Clusters with an INACTIVE
status might remain discoverable in your\n\t\t\taccount for a period of time. However, this behavior is subject to change in the future.\n\t\t\tWe don't recommend that you rely on INACTIVE
clusters persisting.
You must deregister all container instances from this cluster before you may delete\n\t\t\tit. You can list the container instances in a cluster with ListContainerInstances and deregister them with DeregisterContainerInstance.
", + "smithy.api#examples": [ + { + "title": "To delete an empty cluster", + "documentation": "This example deletes an empty cluster in your default region.", + "input": { + "cluster": "my_cluster" + }, + "output": { + "cluster": { + "activeServicesCount": 0, + "clusterArn": "arn:aws:ecs:us-east-1:012345678910:cluster/my_cluster", + "clusterName": "my_cluster", + "pendingTasksCount": 0, + "registeredContainerInstancesCount": 0, + "runningTasksCount": 0, + "status": "INACTIVE" + } + } + } + ] } }, "com.amazonaws.ecs#DeleteClusterRequest": { @@ -3627,7 +3705,17 @@ } ], "traits": { - "smithy.api#documentation": "Deletes a specified service within a cluster. You can delete a service if you have no\n\t\t\trunning tasks in it and the desired task count is zero. If the service is actively\n\t\t\tmaintaining tasks, you can't delete it, and you must update the service to a desired\n\t\t\ttask count of zero. For more information, see UpdateService.
\nWhen you delete a service, if there are still running tasks that require cleanup,\n\t\t\t\tthe service status moves from ACTIVE
to DRAINING
, and the\n\t\t\t\tservice is no longer visible in the console or in the ListServices\n\t\t\t\tAPI operation. After all tasks have transitioned to either STOPPING
or\n\t\t\t\t\tSTOPPED
status, the service status moves from DRAINING
\n\t\t\t\tto INACTIVE
. Services in the DRAINING
or\n\t\t\t\t\tINACTIVE
status can still be viewed with the DescribeServices API operation. However, in the future,\n\t\t\t\t\tINACTIVE
services may be cleaned up and purged from Amazon ECS record\n\t\t\t\tkeeping, and DescribeServices calls on those services return a\n\t\t\t\t\tServiceNotFoundException
error.
If you attempt to create a new service with the same name as an existing service\n\t\t\t\tin either ACTIVE
or DRAINING
status, you receive an\n\t\t\t\terror.
Deletes a specified service within a cluster. You can delete a service if you have no\n\t\t\trunning tasks in it and the desired task count is zero. If the service is actively\n\t\t\tmaintaining tasks, you can't delete it, and you must update the service to a desired\n\t\t\ttask count of zero. For more information, see UpdateService.
\nWhen you delete a service, if there are still running tasks that require cleanup,\n\t\t\t\tthe service status moves from ACTIVE
to DRAINING
, and the\n\t\t\t\tservice is no longer visible in the console or in the ListServices\n\t\t\t\tAPI operation. After all tasks have transitioned to either STOPPING
or\n\t\t\t\t\tSTOPPED
status, the service status moves from DRAINING
\n\t\t\t\tto INACTIVE
. Services in the DRAINING
or\n\t\t\t\t\tINACTIVE
status can still be viewed with the DescribeServices API operation. However, in the future,\n\t\t\t\t\tINACTIVE
services may be cleaned up and purged from Amazon ECS record\n\t\t\t\tkeeping, and DescribeServices calls on those services return a\n\t\t\t\t\tServiceNotFoundException
error.
If you attempt to create a new service with the same name as an existing service\n\t\t\t\tin either ACTIVE
or DRAINING
status, you receive an\n\t\t\t\terror.
Deletes one or more task definitions.
\nYou must deregister a task definition revision before you delete it. For more information,\n\t\t\tsee DeregisterTaskDefinition.
\nWhen you delete a task definition revision, it is immediately transitions from the\n\t\tINACTIVE
to DELETE_IN_PROGRESS
. Existing tasks and services\n\t\tthat reference a DELETE_IN_PROGRESS
task definition revision continue to run\n\t\twithout disruption. Existing services that reference a DELETE_IN_PROGRESS
task\n\t\tdefinition revision can still scale up or down by modifying the service's desired\n\t\tcount.
You can't use a DELETE_IN_PROGRESS
task definition revision to run new tasks\n\t\t\tor create new services. You also can't update an existing service to reference a\n\t\t\tDELETE_IN_PROGRESS
task definition revision.
A task definition revision will stay in DELETE_IN_PROGRESS
status until\n\t\t\tall the associated tasks and services have been terminated.
Deletes one or more task definitions.
\nYou must deregister a task definition revision before you delete it. For more information,\n\t\t\tsee DeregisterTaskDefinition.
\nWhen you delete a task definition revision, it is immediately transitions from the\n\t\tINACTIVE
to DELETE_IN_PROGRESS
. Existing tasks and services\n\t\tthat reference a DELETE_IN_PROGRESS
task definition revision continue to run\n\t\twithout disruption. Existing services that reference a DELETE_IN_PROGRESS
task\n\t\tdefinition revision can still scale up or down by modifying the service's desired\n\t\tcount.
You can't use a DELETE_IN_PROGRESS
task definition revision to run new tasks\n\t\t\tor create new services. You also can't update an existing service to reference a\n\t\t\tDELETE_IN_PROGRESS
task definition revision.
A task definition revision will stay in DELETE_IN_PROGRESS
status until\n\t\t\tall the associated tasks and services have been terminated.
When you delete all INACTIVE
task definition revisions, the task definition name is not displayed in the console and not returned in the API. If a task definition revisions are in the DELETE_IN_PROGRESS
state, the task definition name is displayed in the console and returned in the API. The task definition name is retained by Amazon ECS and the revision is incremented the next time you create a task definition with that name.
The deployment circuit breaker can only be used for services using the rolling\n\t\t\t\tupdate (ECS
) deployment type.
The deployment circuit breaker determines whether a\n\t\t\tservice deployment will fail if the service can't reach a steady state. If it is turned on, a\n\t\t\tservice deployment will transition to a failed state and stop launching new tasks. You\n\t\t\tcan also configure Amazon ECS to roll back your service to the last completed deployment\n\t\t\tafter a failure. For more information, see Rolling\n\t\t\t\tupdate in the Amazon Elastic Container Service Developer Guide.
" + "smithy.api#documentation": "The deployment circuit breaker can only be used for services using the rolling\n\t\t\t\tupdate (ECS
) deployment type.
The deployment circuit breaker determines whether a\n\t\t\tservice deployment will fail if the service can't reach a steady state. If it is turned on, a\n\t\t\tservice deployment will transition to a failed state and stop launching new tasks. You\n\t\t\tcan also configure Amazon ECS to roll back your service to the last completed deployment\n\t\t\tafter a failure. For more information, see Rolling\n\t\t\t\tupdate in the Amazon Elastic Container Service Developer Guide.
\nFor more information about API failure reasons, see API failure reasons in the Amazon Elastic Container Service Developer Guide.
" } }, "com.amazonaws.ecs#DeploymentConfiguration": { @@ -4119,7 +4207,19 @@ } ], "traits": { - "smithy.api#documentation": "Deregisters an Amazon ECS container instance from the specified cluster. This instance is\n\t\t\tno longer available to run tasks.
\nIf you intend to use the container instance for some other purpose after\n\t\t\tderegistration, we recommend that you stop all of the tasks running on the container\n\t\t\tinstance before deregistration. That prevents any orphaned tasks from consuming\n\t\t\tresources.
\nDeregistering a container instance removes the instance from a cluster, but it doesn't\n\t\t\tterminate the EC2 instance. If you are finished using the instance, be sure to terminate\n\t\t\tit in the Amazon EC2 console to stop billing.
\nIf you terminate a running container instance, Amazon ECS automatically deregisters the\n\t\t\t\tinstance from your cluster (stopped container instances or instances with\n\t\t\t\tdisconnected agents aren't automatically deregistered when terminated).
\nDeregisters an Amazon ECS container instance from the specified cluster. This instance is\n\t\t\tno longer available to run tasks.
\nIf you intend to use the container instance for some other purpose after\n\t\t\tderegistration, we recommend that you stop all of the tasks running on the container\n\t\t\tinstance before deregistration. That prevents any orphaned tasks from consuming\n\t\t\tresources.
\nDeregistering a container instance removes the instance from a cluster, but it doesn't\n\t\t\tterminate the EC2 instance. If you are finished using the instance, be sure to terminate\n\t\t\tit in the Amazon EC2 console to stop billing.
\nIf you terminate a running container instance, Amazon ECS automatically deregisters the\n\t\t\t\tinstance from your cluster (stopped container instances or instances with\n\t\t\t\tdisconnected agents aren't automatically deregistered when terminated).
\nDescribes one or more of your clusters.
" + "smithy.api#documentation": "Describes one or more of your clusters.
", + "smithy.api#examples": [ + { + "title": "To describe a cluster", + "documentation": "This example provides a description of the specified cluster in your default region.", + "input": { + "clusters": [ + "default" + ] + }, + "output": { + "clusters": [ + { + "clusterName": "default", + "status": "ACTIVE", + "clusterArn": "arn:aws:ecs:us-east-1:aws_account_id:cluster/default" + } + ], + "failures": [] + } + } + ] } }, "com.amazonaws.ecs#DescribeClustersRequest": { @@ -4382,7 +4503,91 @@ } ], "traits": { - "smithy.api#documentation": "Describes one or more container instances. Returns metadata about each container\n\t\t\tinstance requested.
" + "smithy.api#documentation": "Describes one or more container instances. Returns metadata about each container\n\t\t\tinstance requested.
", + "smithy.api#examples": [ + { + "title": "To describe container instance", + "documentation": "This example provides a description of the specified container instance in your default region, using the container instance UUID as an identifier.", + "input": { + "cluster": "default", + "containerInstances": [ + "f2756532-8f13-4d53-87c9-aed50dc94cd7" + ] + }, + "output": { + "failures": [], + "containerInstances": [ + { + "status": "ACTIVE", + "registeredResources": [ + { + "doubleValue": 0.0, + "type": "INTEGER", + "longValue": 0, + "integerValue": 2048, + "name": "CPU" + }, + { + "doubleValue": 0.0, + "type": "INTEGER", + "longValue": 0, + "integerValue": 3768, + "name": "MEMORY" + }, + { + "name": "PORTS", + "longValue": 0, + "doubleValue": 0.0, + "stringSetValue": [ + "2376", + "22", + "51678", + "2375" + ], + "type": "STRINGSET", + "integerValue": 0 + } + ], + "ec2InstanceId": "i-807f3249", + "agentConnected": true, + "containerInstanceArn": "arn:aws:ecs:us-east-1:012345678910:container-instance/f2756532-8f13-4d53-87c9-aed50dc94cd7", + "pendingTasksCount": 0, + "remainingResources": [ + { + "doubleValue": 0.0, + "type": "INTEGER", + "longValue": 0, + "integerValue": 1948, + "name": "CPU" + }, + { + "doubleValue": 0.0, + "type": "INTEGER", + "longValue": 0, + "integerValue": 3668, + "name": "MEMORY" + }, + { + "name": "PORTS", + "longValue": 0, + "doubleValue": 0.0, + "stringSetValue": [ + "2376", + "22", + "80", + "51678", + "2375" + ], + "type": "STRINGSET", + "integerValue": 0 + } + ], + "runningTasksCount": 1 + } + ] + } + } + ] } }, "com.amazonaws.ecs#DescribeContainerInstancesRequest": { @@ -4456,6 +4661,57 @@ ], "traits": { "smithy.api#documentation": "Describes the specified services running in your cluster.
", + "smithy.api#examples": [ + { + "title": "To describe a service", + "documentation": "This example provides descriptive information about the service named ``ecs-simple-service``.", + "input": { + "services": [ + "ecs-simple-service" + ] + }, + "output": { + "failures": [], + "services": [ + { + "clusterArn": "arn:aws:ecs:us-east-1:012345678910:cluster/default", + "createdAt": "2016-08-29T16:25:52.130Z", + "deploymentConfiguration": { + "maximumPercent": 200, + "minimumHealthyPercent": 100 + }, + "deployments": [ + { + "createdAt": "2016-08-29T16:25:52.130Z", + "desiredCount": 1, + "id": "ecs-svc/9223370564341623665", + "pendingCount": 0, + "runningCount": 0, + "status": "PRIMARY", + "taskDefinition": "arn:aws:ecs:us-east-1:012345678910:task-definition/hello_world:6", + "updatedAt": "2016-08-29T16:25:52.130Z" + } + ], + "desiredCount": 1, + "events": [ + { + "createdAt": "2016-08-29T16:25:58.520Z", + "id": "38c285e5-d335-4b68-8b15-e46dedc8e88d", + "message": "(service ecs-simple-service) was unable to place a task because no container instance met all of its requirements. The closest matching (container-instance 3f4de1c5-ffdd-4954-af7e-75b4be0c8841) is already using a port required by your task. For more information, see the Troubleshooting section of the Amazon ECS Developer Guide." + } + ], + "loadBalancers": [], + "pendingCount": 0, + "runningCount": 0, + "serviceArn": "arn:aws:ecs:us-east-1:012345678910:service/ecs-simple-service", + "serviceName": "ecs-simple-service", + "status": "ACTIVE", + "taskDefinition": "arn:aws:ecs:us-east-1:012345678910:task-definition/hello_world:6" + } + ] + } + } + ], "smithy.waiters#waitable": { "ServicesInactive": { "acceptors": [ @@ -4597,7 +4853,61 @@ } ], "traits": { - "smithy.api#documentation": "Describes a task definition. You can specify a family
and\n\t\t\t\trevision
to find information about a specific task definition, or you\n\t\t\tcan simply specify the family to find the latest ACTIVE
revision in that\n\t\t\tfamily.
You can only describe INACTIVE
task definitions while an active task\n\t\t\t\tor service references them.
Describes a task definition. You can specify a family
and\n\t\t\t\trevision
to find information about a specific task definition, or you\n\t\t\tcan simply specify the family to find the latest ACTIVE
revision in that\n\t\t\tfamily.
You can only describe INACTIVE
task definitions while an active task\n\t\t\t\tor service references them.
Describes a specified task or tasks.
\nCurrently, stopped tasks appear in the returned results for at least one hour.
", + "smithy.api#documentation": "Describes a specified task or tasks.
\nCurrently, stopped tasks appear in the returned results for at least one hour.
\nIf you have tasks with tags, and then delete the cluster, the tagged tasks are\n\t\t\treturned in the response. If you create a new cluster with the same name as the deleted\n\t\t\tcluster, the tagged tasks are not included in the response.
", + "smithy.api#examples": [ + { + "title": "To describe a task", + "documentation": "This example provides a description of the specified task, using the task UUID as an identifier.", + "input": { + "tasks": [ + "c5cba4eb-5dad-405e-96db-71ef8eefe6a8" + ] + }, + "output": { + "failures": [], + "tasks": [ + { + "taskArn": "arn:aws:ecs:A list of files containing the environment variables to pass to a container. You can\n\t\t\tspecify up to ten environment files. The file must have a .env
file\n\t\t\textension. Each line in an environment file should contain an environment variable in\n\t\t\t\tVARIABLE=VALUE
format. Lines beginning with #
are treated\n\t\t\tas comments and are ignored. For more information about the environment variable file\n\t\t\tsyntax, see Declare default\n\t\t\t\tenvironment variables in file.
If there are environment variables specified using the environment
\n\t\t\tparameter in a container definition, they take precedence over the variables contained\n\t\t\twithin an environment file. If multiple environment files are specified that contain the\n\t\t\tsame variable, they're processed from the top down. We recommend that you use unique\n\t\t\tvariable names. For more information, see Specifying environment\n\t\t\t\tvariables in the Amazon Elastic Container Service Developer Guide.
This parameter is only supported for tasks hosted on Fargate using the\n\t\t\tfollowing platform versions:
\nLinux platform version 1.4.0
or later.
Windows platform version 1.0.0
or later.
A list of files containing the environment variables to pass to a container. You can\n\t\t\tspecify up to ten environment files. The file must have a .env
file\n\t\t\textension. Each line in an environment file should contain an environment variable in\n\t\t\t\tVARIABLE=VALUE
format. Lines beginning with #
are treated\n\t\t\tas comments and are ignored. For more information about the environment variable file\n\t\t\tsyntax, see Declare default\n\t\t\t\tenvironment variables in file.
If there are environment variables specified using the environment
\n\t\t\tparameter in a container definition, they take precedence over the variables contained\n\t\t\twithin an environment file. If multiple environment files are specified that contain the\n\t\t\tsame variable, they're processed from the top down. We recommend that you use unique\n\t\t\tvariable names. For more information, see Specifying environment\n\t\t\t\tvariables in the Amazon Elastic Container Service Developer Guide.
You must use the following platforms for the Fargate launch type:
\nLinux platform version 1.4.0
or later.
Windows platform version 1.0.0
or later.
Retrieves the protection status of tasks in an Amazon ECS service.
" + "smithy.api#documentation": "Retrieves the protection status of tasks in an Amazon ECS service.
", + "smithy.api#examples": [ + { + "title": "To get the protection status of a task", + "documentation": "In this example, we get the protection status for a single task.", + "input": { + "cluster": "test-task-protection", + "tasks": [ + "b8b1cf532d0e46ba8d44a40d1de16772" + ] + }, + "output": { + "protectedTasks": [ + { + "taskArn": "arn:aws:ecs:us-west-2:012345678910:task/b8b1cf532d0e46ba8d44a40d1de16772", + "protectionEnabled": true, + "expirationDate": "2022-11-02T06:56:32.553Z" + } + ], + "failures": [] + } + } + ] } }, "com.amazonaws.ecs#GetTaskProtectionRequest": { @@ -5672,7 +6051,7 @@ } }, "traits": { - "smithy.api#documentation": "An object representing a container health check. Health check parameters that are\n\t\t\tspecified in a container definition override any Docker health checks that exist in the\n\t\t\tcontainer image (such as those specified in a parent image or from the image's\n\t\t\tDockerfile). This configuration maps to the HEALTHCHECK
parameter of docker run.
The Amazon ECS container agent only monitors and reports on the health checks specified\n\t\t\t\tin the task definition. Amazon ECS does not monitor Docker health checks that are\n\t\t\t\tembedded in a container image and not specified in the container definition. Health\n\t\t\t\tcheck parameters that are specified in a container definition override any Docker\n\t\t\t\thealth checks that exist in the container image.
\nYou can view the health status of both individual containers and a task with the\n\t\t\tDescribeTasks API operation or when viewing the task details in the console.
\nThe following describes the possible healthStatus
values for a\n\t\t\tcontainer:
\n HEALTHY
-The container health check has passed\n\t\t\t\t\tsuccessfully.
\n UNHEALTHY
-The container health check has failed.
\n UNKNOWN
-The container health check is being evaluated or\n\t\t\t\t\tthere's no container health check defined.
The following describes the possible healthStatus
values for a task. The\n\t\t\tcontainer health check status of\n\t\t\tnon-essential containers don't have an effect on the health status of a task.
\n HEALTHY
-All essential containers within the task have\n\t\t\t\t\tpassed their health checks.
\n UNHEALTHY
-One or more essential containers have failed\n\t\t\t\t\ttheir health check.
\n UNKNOWN
-The essential containers within the task are still\n\t\t\t\t\thaving their health checks evaluated, there are only nonessential containers\n\t\t\t\t\twith health checks defined, or there are no container health checks\n\t\t\t\t\tdefined.
If a task is run manually, and not as part of a service, the task will continue its\n\t\t\tlifecycle regardless of its health status. For tasks that are part of a service, if the\n\t\t\ttask reports as unhealthy then the task will be stopped and the service scheduler will\n\t\t\treplace it.
\nThe following are notes about container health check support:
\nContainer health checks require version 1.17.0 or greater of the Amazon ECS\n\t\t\t\t\tcontainer agent. For more information, see Updating the\n\t\t\t\t\t\tAmazon ECS container agent.
\nContainer health checks are supported for Fargate tasks if\n\t\t\t\t\tyou're using platform version 1.1.0
or greater. For more\n\t\t\t\t\tinformation, see Fargate\n\t\t\t\t\t\tplatform versions.
Container health checks aren't supported for tasks that are part of a service\n\t\t\t\t\tthat's configured to use a Classic Load Balancer.
\nAn object representing a container health check. Health check parameters that are\n\t\t\tspecified in a container definition override any Docker health checks that exist in the\n\t\t\tcontainer image (such as those specified in a parent image or from the image's\n\t\t\tDockerfile). This configuration maps to the HEALTHCHECK
parameter of docker run.
The Amazon ECS container agent only monitors and reports on the health checks specified\n\t\t\t\tin the task definition. Amazon ECS does not monitor Docker health checks that are\n\t\t\t\tembedded in a container image and not specified in the container definition. Health\n\t\t\t\tcheck parameters that are specified in a container definition override any Docker\n\t\t\t\thealth checks that exist in the container image.
\nYou can view the health status of both individual containers and a task with the\n\t\t\tDescribeTasks API operation or when viewing the task details in the console.
\nThe health check is designed to make sure that your containers survive\n\t\t\tagent restarts, upgrades, or temporary unavailability.
\nThe following describes the possible healthStatus
values for a\n\t\t\tcontainer:
\n HEALTHY
-The container health check has passed\n\t\t\t\t\tsuccessfully.
\n UNHEALTHY
-The container health check has failed.
\n UNKNOWN
-The container health check is being evaluated or\n\t\t\t\t\tthere's no container health check defined.
The following describes the possible healthStatus
values for a task. The\n\t\t\tcontainer health check status of\n\t\t\tnon-essential containers don't have an effect on the health status of a task.
\n HEALTHY
-All essential containers within the task have\n\t\t\t\t\tpassed their health checks.
\n UNHEALTHY
-One or more essential containers have failed\n\t\t\t\t\ttheir health check.
\n UNKNOWN
-The essential containers within the task are still\n\t\t\t\t\thaving their health checks evaluated, there are only nonessential containers\n\t\t\t\t\twith health checks defined, or there are no container health checks\n\t\t\t\t\tdefined.
If a task is run manually, and not as part of a service, the task will continue its\n\t\t\tlifecycle regardless of its health status. For tasks that are part of a service, if the\n\t\t\ttask reports as unhealthy then the task will be stopped and the service scheduler will\n\t\t\treplace it.
\nThe following are notes about container health check support:
\nWhen the Amazon ECS agent cannot connect to the Amazon ECS service, the\n\t\t\t\t\tservice reports the container as UNHEALTHY
.
The health check statuses are the \"last heard from\" response from the Amazon ECS agent. There\n\t\t\t\t\tare no assumptions made about the status of the container health checks.
\nContainer health checks require version 1.17.0 or greater of the Amazon ECS\n\t\t\t\t\tcontainer agent. For more information, see Updating the\n\t\t\t\t\t\tAmazon ECS container agent.
\nContainer health checks are supported for Fargate tasks if\n\t\t\t\t\tyou're using platform version 1.1.0
or greater. For more\n\t\t\t\t\tinformation, see Fargate\n\t\t\t\t\t\tplatform versions.
Container health checks aren't supported for tasks that are part of a service\n\t\t\t\t\tthat's configured to use a Classic Load Balancer.
\nLists the account settings for a specified principal.
", + "smithy.api#examples": [ + { + "title": "To view your effective account settings", + "documentation": "This example displays the effective account settings for your account.", + "input": { + "effectiveSettings": true + }, + "output": { + "settings": [ + { + "name": "containerInstanceLongArnFormat", + "value": "disabled", + "principalArn": "arn:aws:iam::Returns a list of existing clusters.
", + "smithy.api#examples": [ + { + "title": "To list your available clusters", + "documentation": "This example lists all of your available clusters in your default region.", + "output": { + "clusterArns": [ + "arn:aws:ecs:us-east-1:Returns a list of container instances in a specified cluster. You can filter the\n\t\t\tresults of a ListContainerInstances
operation with cluster query language\n\t\t\tstatements inside the filter
parameter. For more information, see Cluster Query Language in the Amazon Elastic Container Service Developer Guide.
Returns a list of services. You can filter the results by cluster, launch type, and\n\t\t\tscheduling strategy.
", + "smithy.api#examples": [ + { + "title": "To list the services in a cluster", + "documentation": "This example lists the services running in the default cluster for an account.", + "output": { + "serviceArns": [ + "arn:aws:ecs:us-east-1:012345678910:service/my-http-service" + ] + } + } + ], "smithy.api#paginated": { "inputToken": "nextToken", "outputToken": "nextToken", @@ -6575,7 +7020,24 @@ } ], "traits": { - "smithy.api#documentation": "List the tags for an Amazon ECS resource.
" + "smithy.api#documentation": "List the tags for an Amazon ECS resource.
", + "smithy.api#examples": [ + { + "title": "To list the tags for a cluster.", + "documentation": "This example lists the tags for the 'dev' cluster.", + "input": { + "resourceArn": "arn:aws:ecs:region:aws_account_id:cluster/dev" + }, + "output": { + "tags": [ + { + "key": "team", + "value": "dev" + } + ] + } + } + ] } }, "com.amazonaws.ecs#ListTagsForResourceRequest": { @@ -6628,6 +7090,20 @@ ], "traits": { "smithy.api#documentation": "Returns a list of task definition families that are registered to your account. This\n\t\t\tlist includes task definition families that no longer have any ACTIVE
task\n\t\t\tdefinition revisions.
You can filter out task definition families that don't contain any ACTIVE
\n\t\t\ttask definition revisions by setting the status
parameter to\n\t\t\t\tACTIVE
. You can also filter the results with the\n\t\t\t\tfamilyPrefix
parameter.
Returns a list of task definitions that are registered to your account. You can filter\n\t\t\tthe results by family name with the familyPrefix
parameter or by status\n\t\t\twith the status
parameter.
Returns a list of tasks. You can filter the results by cluster, task definition\n\t\t\tfamily, container instance, launch type, what IAM principal started the task, or by the\n\t\t\tdesired status of the task.
\nRecently stopped tasks might appear in the returned results. Currently, stopped tasks\n\t\t\tappear in the returned results for at least one hour.
", + "smithy.api#documentation": "Returns a list of tasks. You can filter the results by cluster, task definition\n\t\t\tfamily, container instance, launch type, what IAM principal started the task, or by the\n\t\t\tdesired status of the task.
\nRecently stopped tasks might appear in the returned results.
", + "smithy.api#examples": [ + { + "title": "To list the tasks in a cluster", + "documentation": "This example lists all of the tasks in a cluster.", + "input": { + "cluster": "default" + }, + "output": { + "taskArns": [ + "arn:aws:ecs:us-east-1:012345678910:task/0cc43cdb-3bee-4407-9c26-c0e6ea5bee84", + "arn:aws:ecs:us-east-1:012345678910:task/6b809ef6-c67e-4467-921f-ee261c15a0a1" + ] + } + } + ], "smithy.api#paginated": { "inputToken": "nextToken", "outputToken": "nextToken", @@ -6898,13 +7405,13 @@ "targetGroupArn": { "target": "com.amazonaws.ecs#String", "traits": { - "smithy.api#documentation": "The full Amazon Resource Name (ARN) of the Elastic Load Balancing target group or groups associated with a service or\n\t\t\ttask set.
\nA target group ARN is only specified when using an Application Load Balancer or Network Load Balancer. If you're using a\n\t\t\tClassic Load Balancer, omit the target group ARN.
\nFor services using the ECS
deployment controller, you can specify one or\n\t\t\tmultiple target groups. For more information, see Registering multiple target groups with a service in\n\t\t\tthe Amazon Elastic Container Service Developer Guide.
For services using the CODE_DEPLOY
deployment controller, you're required\n\t\t\tto define two target groups for the load balancer. For more information, see Blue/green deployment with CodeDeploy in the\n\t\t\tAmazon Elastic Container Service Developer Guide.
If your service's task definition uses the awsvpc
network mode, you\n\t\t\t\tmust choose ip
as the target type, not instance
. Do this\n\t\t\t\twhen creating your target groups because tasks that use the awsvpc
\n\t\t\t\tnetwork mode are associated with an elastic network interface, not an Amazon EC2\n\t\t\t\tinstance. This network mode is required for the Fargate launch\n\t\t\t\ttype.
The full Amazon Resource Name (ARN) of the Elastic Load Balancing target group or groups associated with a service or\n\t\t\ttask set.
\nA target group ARN is only specified when using an Application Load Balancer or Network Load Balancer.
\nFor services using the ECS
deployment controller, you can specify one or\n\t\t\tmultiple target groups. For more information, see Registering multiple target groups with a service in\n\t\t\tthe Amazon Elastic Container Service Developer Guide.
For services using the CODE_DEPLOY
deployment controller, you're required\n\t\t\tto define two target groups for the load balancer. For more information, see Blue/green deployment with CodeDeploy in the\n\t\t\tAmazon Elastic Container Service Developer Guide.
If your service's task definition uses the awsvpc
network mode, you\n\t\t\t\tmust choose ip
as the target type, not instance
. Do this\n\t\t\t\twhen creating your target groups because tasks that use the awsvpc
\n\t\t\t\tnetwork mode are associated with an elastic network interface, not an Amazon EC2\n\t\t\t\tinstance. This network mode is required for the Fargate launch\n\t\t\t\ttype.
The name of the load balancer to associate with the Amazon ECS service or task set.
\nA load balancer name is only specified when using a Classic Load Balancer. If you are using an Application Load Balancer\n\t\t\tor a Network Load Balancer the load balancer name parameter should be omitted.
" + "smithy.api#documentation": "The name of the load balancer to associate with the Amazon ECS service or task set.
\nIf you are using an Application Load Balancer or a Network Load Balancer the load balancer name parameter should be\n\t\t\tomitted.
" } }, "containerName": { @@ -6954,7 +7461,7 @@ } }, "traits": { - "smithy.api#documentation": "The log configuration for the container. This parameter maps to LogConfig
\n\t\t\tin the Create a container section of the Docker Remote API and the\n\t\t\t\t--log-driver
option to \n docker\n\t\t\t\t\trun
\n .
By default, containers use the same logging driver that the Docker daemon uses.\n\t\t\tHowever, the container might use a different logging driver than the Docker daemon by\n\t\t\tspecifying a log driver configuration in the container definition. For more information\n\t\t\tabout the options for different supported log drivers, see Configure logging\n\t\t\t\tdrivers in the Docker documentation.
\nUnderstand the following when specifying a log configuration for your\n\t\t\tcontainers.
\nAmazon ECS currently supports a subset of the logging drivers available to the\n\t\t\t\t\tDocker daemon (shown in the valid values below). Additional log drivers may be\n\t\t\t\t\tavailable in future releases of the Amazon ECS container agent.
\nThis parameter requires version 1.18 of the Docker Remote API or greater on\n\t\t\t\t\tyour container instance.
\nFor tasks that are hosted on Amazon EC2 instances, the Amazon ECS container agent must\n\t\t\t\t\tregister the available logging drivers with the\n\t\t\t\t\t\tECS_AVAILABLE_LOGGING_DRIVERS
environment variable before\n\t\t\t\t\tcontainers placed on that instance can use these log configuration options. For\n\t\t\t\t\tmore information, see Amazon ECS container agent configuration in the\n\t\t\t\t\tAmazon Elastic Container Service Developer Guide.
For tasks that are on Fargate, because you don't have access to the\n\t\t\t\t\tunderlying infrastructure your tasks are hosted on, any additional software\n\t\t\t\t\tneeded must be installed outside of the task. For example, the Fluentd output\n\t\t\t\t\taggregators or a remote host running Logstash to send Gelf logs to.
\nThe log configuration for the container. This parameter maps to LogConfig
\n\t\t\tin the Create a container section of the Docker Remote API and the\n\t\t\t\t--log-driver
option to \n docker\n\t\t\t\t\trun
\n .
By default, containers use the same logging driver that the Docker daemon uses.\n\t\t\tHowever, the container might use a different logging driver than the Docker daemon by\n\t\t\tspecifying a log driver configuration in the container definition. For more information\n\t\t\tabout the options for different supported log drivers, see Configure logging\n\t\t\t\tdrivers in the Docker documentation.
\nUnderstand the following when specifying a log configuration for your\n\t\t\tcontainers.
\nAmazon ECS currently supports a subset of the logging drivers available to the Docker daemon.\n\t\t\t\t\tAdditional log drivers may be available in future releases of the Amazon ECS\n\t\t\t\t\tcontainer agent.
\nFor tasks on Fargate, the supported log drivers are awslogs
,\n\t\t\t\t\t\tsplunk
, and awsfirelens
.
For tasks hosted on Amazon EC2 instances, the supported log drivers are\n\t\t\t\t\t\tawslogs
, fluentd
, gelf
,\n\t\t\t\t\t\tjson-file
, journald
,\n\t\t\t\t\t\tlogentries
,syslog
, splunk
, and\n\t\t\t\t\t\tawsfirelens
.
This parameter requires version 1.18 of the Docker Remote API or greater on\n\t\t\t\t\tyour container instance.
\nFor tasks that are hosted on Amazon EC2 instances, the Amazon ECS container agent must\n\t\t\t\t\tregister the available logging drivers with the\n\t\t\t\t\t\tECS_AVAILABLE_LOGGING_DRIVERS
environment variable before\n\t\t\t\t\tcontainers placed on that instance can use these log configuration options. For\n\t\t\t\t\tmore information, see Amazon ECS container agent configuration in the\n\t\t\t\t\tAmazon Elastic Container Service Developer Guide.
For tasks that are on Fargate, because you don't have access to the\n\t\t\t\t\tunderlying infrastructure your tasks are hosted on, any additional software\n\t\t\t\t\tneeded must be installed outside of the task. For example, the Fluentd output\n\t\t\t\t\taggregators or a remote host running Logstash to send Gelf logs to.
\nThe maximum number of Amazon EC2 instances that Amazon ECS will scale out at one time. The scale\n\t\t\tin process is not affected by this parameter. If this parameter is omitted, the default\n\t\t\tvalue of 1
is used.
The maximum number of Amazon EC2 instances that Amazon ECS will scale out at one time. The scale in\n\t\t\tprocess is not affected by this parameter. If this parameter is omitted, the default\n\t\t\tvalue of 10000
is used.
The port number on the container instance to reserve for your container.
\nIf you specify a containerPortRange
, leave this field empty and the value of\n\t\t\tthe hostPort
is set as follows:
For containers in a task with the awsvpc
network mode, the\n\t\t\t\t\t\thostPort
is set to the same value as the\n\t\t\t\t\t\tcontainerPort
. This is a static mapping strategy.
For containers in a task with the bridge
network mode, the Amazon ECS agent finds\n\t\t\t\t\topen ports on the host and automatically binds them to the container ports. This\n\t\t\t\t\tis a dynamic mapping strategy.
If you use containers in a task with the awsvpc
or host
\n\t\t\tnetwork mode, the hostPort
can either be left blank or set to the same\n\t\t\tvalue as the containerPort
.
If you use containers in a task with the bridge
network mode, you can\n\t\t\tspecify a non-reserved host port for your container port mapping, or you can omit the\n\t\t\t\thostPort
(or set it to 0
) while specifying a\n\t\t\t\tcontainerPort
and your container automatically receives a port in the\n\t\t\tephemeral port range for your container instance operating system and Docker\n\t\t\tversion.
The default ephemeral port range for Docker version 1.6.0 and later is listed on the\n\t\t\tinstance under /proc/sys/net/ipv4/ip_local_port_range
. If this kernel\n\t\t\tparameter is unavailable, the default ephemeral port range from 49153 through 65535 is\n\t\t\tused. Do not attempt to specify a host port in the ephemeral port range as these are\n\t\t\treserved for automatic assignment. In general, ports below 32768 are outside of the\n\t\t\tephemeral port range.
The default reserved ports are 22 for SSH, the Docker ports 2375 and 2376, and the\n\t\t\tAmazon ECS container agent ports 51678-51680. Any host port that was previously specified in\n\t\t\ta running task is also reserved while the task is running. That is, after a task stops,\n\t\t\tthe host port is released. The current reserved ports are displayed in the\n\t\t\tremainingResources
of DescribeContainerInstances\n\t\t\toutput. A container instance can have up to 100 reserved ports at a time. This number\n\t\t\tincludes the default reserved ports. Automatically assigned ports aren't included in the\n\t\t\t100 reserved ports quota.
The port number on the container instance to reserve for your container.
\nIf you specify a containerPortRange
, leave this field empty and the value of\n\t\t\tthe hostPort
is set as follows:
For containers in a task with the awsvpc
network mode, the\n\t\t\t\t\t\thostPort
is set to the same value as the\n\t\t\t\t\t\tcontainerPort
. This is a static mapping strategy.
For containers in a task with the bridge
network mode, the Amazon ECS agent finds\n\t\t\t\t\topen ports on the host and automatically binds them to the container ports. This\n\t\t\t\t\tis a dynamic mapping strategy.
If you use containers in a task with the awsvpc
or host
\n\t\t\tnetwork mode, the hostPort
can either be left blank or set to the same\n\t\t\tvalue as the containerPort
.
If you use containers in a task with the bridge
network mode, you can\n\t\t\tspecify a non-reserved host port for your container port mapping, or you can omit the\n\t\t\t\thostPort
(or set it to 0
) while specifying a\n\t\t\t\tcontainerPort
and your container automatically receives a port in the\n\t\t\tephemeral port range for your container instance operating system and Docker\n\t\t\tversion.
The default ephemeral port range for Docker version 1.6.0 and later is listed on the\n\t\t\tinstance under /proc/sys/net/ipv4/ip_local_port_range
. If this kernel\n\t\t\tparameter is unavailable, the default ephemeral port range from 49153 through 65535\n\t\t\t(Linux) or 49152 through 65535 (Windows) is used. Do not attempt to specify a host port\n\t\t\tin the ephemeral port range as these are reserved for automatic assignment. In general,\n\t\t\tports below 32768 are outside of the ephemeral port range.
The default reserved ports are 22 for SSH, the Docker ports 2375 and 2376, and the\n\t\t\tAmazon ECS container agent ports 51678-51680. Any host port that was previously specified in\n\t\t\ta running task is also reserved while the task is running. That is, after a task stops,\n\t\t\tthe host port is released. The current reserved ports are displayed in the\n\t\t\tremainingResources
of DescribeContainerInstances\n\t\t\toutput. A container instance can have up to 100 reserved ports at a time. This number\n\t\t\tincludes the default reserved ports. Automatically assigned ports aren't included in the\n\t\t\t100 reserved ports quota.
Modifies an account setting. Account settings are set on a per-Region basis.
\nIf you change the root user account setting, the default settings are reset for users\n\t\t\tand roles that do not have specified individual account settings. For more information,\n\t\t\tsee Account\n\t\t\t\tSettings in the Amazon Elastic Container Service Developer Guide.
\nWhen serviceLongArnFormat
, taskLongArnFormat
, or\n\t\t\t\tcontainerInstanceLongArnFormat
are specified, the Amazon Resource Name\n\t\t\t(ARN) and resource ID format of the resource type for a specified user, role, or\n\t\t\tthe root user for an account is affected. The opt-in and opt-out account setting must be\n\t\t\tset for each Amazon ECS resource separately. The ARN and resource ID format of a resource\n\t\t\tis defined by the opt-in status of the user or role that created the resource. You\n\t\t\tmust turn on this setting to use Amazon ECS features such as resource tagging.
When awsvpcTrunking
is specified, the elastic network interface (ENI)\n\t\t\tlimit for any new container instances that support the feature is changed. If\n\t\t\t\tawsvpcTrunking
is turned on, any new container instances that support the\n\t\t\tfeature are launched have the increased ENI limits available to them. For more\n\t\t\tinformation, see Elastic Network\n\t\t\t\tInterface Trunking in the Amazon Elastic Container Service Developer Guide.
When containerInsights
is specified, the default setting indicating whether\n\t\t\tAmazon Web Services CloudWatch Container Insights is turned on for your clusters is changed. If\n\t\t\t\tcontainerInsights
is turned on, any new clusters that are created will\n\t\t\thave Container Insights turned on unless you disable it during cluster creation. For\n\t\t\tmore information, see CloudWatch\n\t\t\t\tContainer Insights in the Amazon Elastic Container Service Developer Guide.
Amazon ECS is introducing tagging authorization for resource creation. Users must have\n\t\t\tpermissions for actions that create the resource, such as ecsCreateCluster
.\n\t\t\tIf tags are specified when you create a resource, Amazon Web Services performs additional\n\t\t\tauthorization to verify if users or roles have permissions to create tags. Therefore,\n\t\t\tyou must grant explicit permissions to use the ecs:TagResource
action. For\n\t\t\tmore information, see Grant\n\t\t\t\tpermission to tag resources on creation in the Amazon ECS Developer\n\t\t\t\t\tGuide.
Modifies an account setting. Account settings are set on a per-Region basis.
\nIf you change the root user account setting, the default settings are reset for users\n\t\t\tand roles that do not have specified individual account settings. For more information,\n\t\t\tsee Account\n\t\t\t\tSettings in the Amazon Elastic Container Service Developer Guide.
\nWhen serviceLongArnFormat
, taskLongArnFormat
, or\n\t\t\t\tcontainerInstanceLongArnFormat
are specified, the Amazon Resource Name\n\t\t\t(ARN) and resource ID format of the resource type for a specified user, role, or\n\t\t\tthe root user for an account is affected. The opt-in and opt-out account setting must be\n\t\t\tset for each Amazon ECS resource separately. The ARN and resource ID format of a resource\n\t\t\tis defined by the opt-in status of the user or role that created the resource. You\n\t\t\tmust turn on this setting to use Amazon ECS features such as resource tagging.
When awsvpcTrunking
is specified, the elastic network interface (ENI)\n\t\t\tlimit for any new container instances that support the feature is changed. If\n\t\t\t\tawsvpcTrunking
is turned on, any new container instances that support the\n\t\t\tfeature are launched have the increased ENI limits available to them. For more\n\t\t\tinformation, see Elastic Network\n\t\t\t\tInterface Trunking in the Amazon Elastic Container Service Developer Guide.
When containerInsights
is specified, the default setting indicating whether\n\t\t\tAmazon Web Services CloudWatch Container Insights is turned on for your clusters is changed. If\n\t\t\t\tcontainerInsights
is turned on, any new clusters that are created will\n\t\t\thave Container Insights turned on unless you disable it during cluster creation. For\n\t\t\tmore information, see CloudWatch\n\t\t\t\tContainer Insights in the Amazon Elastic Container Service Developer Guide.
Amazon ECS is introducing tagging authorization for resource creation. Users must have\n\t\t\tpermissions for actions that create the resource, such as ecsCreateCluster
.\n\t\t\tIf tags are specified when you create a resource, Amazon Web Services performs additional\n\t\t\tauthorization to verify if users or roles have permissions to create tags. Therefore,\n\t\t\tyou must grant explicit permissions to use the ecs:TagResource
action. For\n\t\t\tmore information, see Grant\n\t\t\t\tpermission to tag resources on creation in the Amazon ECS Developer\n\t\t\t\t\tGuide.
Modifies an account setting for all users on an account for whom no individual\n\t\t\taccount setting has been specified. Account settings are set on a per-Region\n\t\t\tbasis.
" + "smithy.api#documentation": "Modifies an account setting for all users on an account for whom no individual\n\t\t\taccount setting has been specified. Account settings are set on a per-Region\n\t\t\tbasis.
", + "smithy.api#examples": [ + { + "title": "To modify the default account settings for all IAM users or roles on an account", + "documentation": "This example modifies the default account setting for the specified resource for all IAM users or roles on an account. These changes apply to the entire AWS account, unless an IAM user or role explicitly overrides these settings for themselves.", + "input": { + "name": "serviceLongArnFormat", + "value": "enabled" + }, + "output": { + "setting": { + "name": "serviceLongArnFormat", + "value": "enabled", + "principalArn": "arn:aws:iam::Registers a new task definition from the supplied family
and\n\t\t\t\tcontainerDefinitions
. Optionally, you can add data volumes to your\n\t\t\tcontainers with the volumes
parameter. For more information about task\n\t\t\tdefinition parameters and defaults, see Amazon ECS Task\n\t\t\t\tDefinitions in the Amazon Elastic Container Service Developer Guide.
You can specify a role for your task with the taskRoleArn
parameter.\n\t\t\tWhen you specify a role for a task, its containers can then use the latest versions\n\t\t\tof the CLI or SDKs to make API requests to the Amazon Web Services services that are specified in\n\t\t\tthe policy that's associated with the role. For more information, see IAM\n\t\t\t\tRoles for Tasks in the Amazon Elastic Container Service Developer Guide.
You can specify a Docker networking mode for the containers in your task definition\n\t\t\twith the networkMode
parameter. The available network modes correspond to\n\t\t\tthose described in Network\n\t\t\t\tsettings in the Docker run reference. If you specify the awsvpc
\n\t\t\tnetwork mode, the task is allocated an elastic network interface, and you must specify a\n\t\t\t\tNetworkConfiguration when you create a service or run a task with\n\t\t\tthe task definition. For more information, see Task Networking\n\t\t\tin the Amazon Elastic Container Service Developer Guide.
Registers a new task definition from the supplied family
and\n\t\t\t\tcontainerDefinitions
. Optionally, you can add data volumes to your\n\t\t\tcontainers with the volumes
parameter. For more information about task\n\t\t\tdefinition parameters and defaults, see Amazon ECS Task\n\t\t\t\tDefinitions in the Amazon Elastic Container Service Developer Guide.
You can specify a role for your task with the taskRoleArn
parameter.\n\t\t\tWhen you specify a role for a task, its containers can then use the latest versions\n\t\t\tof the CLI or SDKs to make API requests to the Amazon Web Services services that are specified in\n\t\t\tthe policy that's associated with the role. For more information, see IAM\n\t\t\t\tRoles for Tasks in the Amazon Elastic Container Service Developer Guide.
You can specify a Docker networking mode for the containers in your task definition\n\t\t\twith the networkMode
parameter. The available network modes correspond to\n\t\t\tthose described in Network\n\t\t\t\tsettings in the Docker run reference. If you specify the awsvpc
\n\t\t\tnetwork mode, the task is allocated an elastic network interface, and you must specify a\n\t\t\t\tNetworkConfiguration when you create a service or run a task with\n\t\t\tthe task definition. For more information, see Task Networking\n\t\t\tin the Amazon Elastic Container Service Developer Guide.
Starts a new task using the specified task definition.
\nYou can allow Amazon ECS to place tasks for you, or you can customize how Amazon ECS places\n\t\t\ttasks using placement constraints and placement strategies. For more information, see\n\t\t\t\tScheduling Tasks in the Amazon Elastic Container Service Developer Guide.
\nAlternatively, you can use StartTask to use your own scheduler or\n\t\t\tplace tasks manually on specific container instances.
\nStarting April 15, 2023, Amazon Web Services will not onboard new customers to Amazon Elastic Inference (EI), and will help current customers migrate their workloads to options that offer better price and performance. After April 15, 2023, new customers will not be able to launch instances with Amazon EI accelerators in Amazon SageMaker, Amazon ECS, or Amazon EC2. However, customers who have used Amazon EI at least once during the past 30-day period are considered current customers and will be able to continue using the service.
\nThe Amazon ECS API follows an eventual consistency model. This is because of the\n\t\t\tdistributed nature of the system supporting the API. This means that the result of an\n\t\t\tAPI command you run that affects your Amazon ECS resources might not be immediately visible\n\t\t\tto all subsequent commands you run. Keep this in mind when you carry out an API command\n\t\t\tthat immediately follows a previous API command.
\nTo manage eventual consistency, you can do the following:
\nConfirm the state of the resource before you run a command to modify it. Run\n\t\t\t\t\tthe DescribeTasks command using an exponential backoff algorithm to ensure that\n\t\t\t\t\tyou allow enough time for the previous command to propagate through the system.\n\t\t\t\t\tTo do this, run the DescribeTasks command repeatedly, starting with a couple of\n\t\t\t\t\tseconds of wait time and increasing gradually up to five minutes of wait\n\t\t\t\t\ttime.
\nAdd wait time between subsequent commands, even if the DescribeTasks command\n\t\t\t\t\treturns an accurate response. Apply an exponential backoff algorithm starting\n\t\t\t\t\twith a couple of seconds of wait time, and increase gradually up to about five\n\t\t\t\t\tminutes of wait time.
\nStarts a new task using the specified task definition.
\nYou can allow Amazon ECS to place tasks for you, or you can customize how Amazon ECS places\n\t\t\ttasks using placement constraints and placement strategies. For more information, see\n\t\t\t\tScheduling Tasks in the Amazon Elastic Container Service Developer Guide.
\nAlternatively, you can use StartTask to use your own scheduler or\n\t\t\tplace tasks manually on specific container instances.
\nStarting April 15, 2023, Amazon Web Services will not onboard new customers to Amazon Elastic Inference (EI), and will help current customers migrate their workloads to options that offer better price and performance. After April 15, 2023, new customers will not be able to launch instances with Amazon EI accelerators in Amazon SageMaker, Amazon ECS, or Amazon EC2. However, customers who have used Amazon EI at least once during the past 30-day period are considered current customers and will be able to continue using the service.
\nThe Amazon ECS API follows an eventual consistency model. This is because of the\n\t\t\tdistributed nature of the system supporting the API. This means that the result of an\n\t\t\tAPI command you run that affects your Amazon ECS resources might not be immediately visible\n\t\t\tto all subsequent commands you run. Keep this in mind when you carry out an API command\n\t\t\tthat immediately follows a previous API command.
\nTo manage eventual consistency, you can do the following:
\nConfirm the state of the resource before you run a command to modify it. Run\n\t\t\t\t\tthe DescribeTasks command using an exponential backoff algorithm to ensure that\n\t\t\t\t\tyou allow enough time for the previous command to propagate through the system.\n\t\t\t\t\tTo do this, run the DescribeTasks command repeatedly, starting with a couple of\n\t\t\t\t\tseconds of wait time and increasing gradually up to five minutes of wait\n\t\t\t\t\ttime.
\nAdd wait time between subsequent commands, even if the DescribeTasks command\n\t\t\t\t\treturns an accurate response. Apply an exponential backoff algorithm starting\n\t\t\t\t\twith a couple of seconds of wait time, and increase gradually up to about five\n\t\t\t\t\tminutes of wait time.
\nAssociates the specified tags to a resource with the specified\n\t\t\t\tresourceArn
. If existing tags on a resource aren't specified in the\n\t\t\trequest parameters, they aren't changed. When a resource is deleted, the tags that are\n\t\t\tassociated with that resource are deleted as well.
Associates the specified tags to a resource with the specified\n\t\t\t\tresourceArn
. If existing tags on a resource aren't specified in the\n\t\t\trequest parameters, they aren't changed. When a resource is deleted, the tags that are\n\t\t\tassociated with that resource are deleted as well.
The stop code indicating why a task was stopped. The stoppedReason
might\n\t\t\tcontain additional details.
The following are valid values:
\n\n TaskFailedToStart
\n
\n EssentialContainerExited
\n
\n UserInitiated
\n
\n TerminationNotice
\n
\n ServiceSchedulerInitiated
\n
\n SpotInterruption
\n
The stop code indicating why a task was stopped. The stoppedReason
might\n\t\t\tcontain additional details.
For more information about stop code, see Stopped tasks error codes in the Amazon ECS User Guide.
\nThe following are valid values:
\n\n TaskFailedToStart
\n
\n EssentialContainerExited
\n
\n UserInitiated
\n
\n TerminationNotice
\n
\n ServiceSchedulerInitiated
\n
\n SpotInterruption
\n
The Unix timestamp for the time when the task stops. More specifically, it's for the\n\t\t\ttime when the task transitions from the RUNNING
state to\n\t\t\t\tSTOPPED
.
The Unix timestamp for the time when the task stops. More specifically, it's for the\n\t\t\ttime when the task transitions from the RUNNING
state to\n\t\t\t\tSTOPPING
.
The task launch types the task definition was validated against. For more information, see Amazon ECS launch types\n\t\t\tin the Amazon Elastic Container Service Developer Guide.
" + "smithy.api#documentation": "The task launch types the task definition was validated against. The valid values are\n\t\t\t\tEC2
, FARGATE
, and EXTERNAL
. For more\n\t\t\tinformation, see Amazon ECS launch types\n\t\t\tin the Amazon Elastic Container Service Developer Guide.
Deletes specified tags from a resource.
" + "smithy.api#documentation": "Deletes specified tags from a resource.
", + "smithy.api#examples": [ + { + "title": "To untag a cluster.", + "documentation": "This example deletes the 'team' tag from the 'dev' cluster.", + "input": { + "resourceArn": "arn:aws:ecs:region:aws_account_id:cluster/dev", + "tagKeys": [ + "team" + ] + }, + "output": {} + } + ] } }, "com.amazonaws.ecs#UntagResourceRequest": { @@ -11432,7 +12087,18 @@ } ], "traits": { - "smithy.api#documentation": "Modifies the parameters of a service.
\nFor services using the rolling update (ECS
) you can update the desired\n\t\t\tcount, deployment configuration, network configuration, load balancers, service\n\t\t\tregistries, enable ECS managed tags option, propagate tags option, task placement\n\t\t\tconstraints and strategies, and task definition. When you update any of these\n\t\t\tparameters, Amazon ECS starts new tasks with the new configuration.
For services using the blue/green (CODE_DEPLOY
) deployment controller,\n\t\t\tonly the desired count, deployment configuration, health check grace period, task\n\t\t\tplacement constraints and strategies, enable ECS managed tags option, and propagate tags\n\t\t\tcan be updated using this API. If the network configuration, platform version, task\n\t\t\tdefinition, or load balancer need to be updated, create a new CodeDeploy deployment. For more\n\t\t\tinformation, see CreateDeployment in the CodeDeploy API Reference.
For services using an external deployment controller, you can update only the desired\n\t\t\tcount, task placement constraints and strategies, health check grace period, enable ECS\n\t\t\tmanaged tags option, and propagate tags option, using this API. If the launch type, load\n\t\t\tbalancer, network configuration, platform version, or task definition need to be\n\t\t\tupdated, create a new task set For more information, see CreateTaskSet.
\nYou can add to or subtract from the number of instantiations of a task definition in a\n\t\t\tservice by specifying the cluster that the service is running in and a new\n\t\t\t\tdesiredCount
parameter.
If you have updated the Docker image of your application, you can create a new task\n\t\t\tdefinition with that image and deploy it to your service. The service scheduler uses the\n\t\t\tminimum healthy percent and maximum percent parameters (in the service's deployment\n\t\t\tconfiguration) to determine the deployment strategy.
\nIf your updated Docker image uses the same tag as what is in the existing task\n\t\t\t\tdefinition for your service (for example, my_image:latest
), you don't\n\t\t\t\tneed to create a new revision of your task definition. You can update the service\n\t\t\t\tusing the forceNewDeployment
option. The new tasks launched by the\n\t\t\t\tdeployment pull the current image/tag combination from your repository when they\n\t\t\t\tstart.
You can also update the deployment configuration of a service. When a deployment is\n\t\t\ttriggered by updating the task definition of a service, the service scheduler uses the\n\t\t\tdeployment configuration parameters, minimumHealthyPercent
and\n\t\t\t\tmaximumPercent
, to determine the deployment strategy.
If minimumHealthyPercent
is below 100%, the scheduler can ignore\n\t\t\t\t\t\tdesiredCount
temporarily during a deployment. For example, if\n\t\t\t\t\t\tdesiredCount
is four tasks, a minimum of 50% allows the\n\t\t\t\t\tscheduler to stop two existing tasks before starting two new tasks. Tasks for\n\t\t\t\t\tservices that don't use a load balancer are considered healthy if they're in the\n\t\t\t\t\t\tRUNNING
state. Tasks for services that use a load balancer are\n\t\t\t\t\tconsidered healthy if they're in the RUNNING
state and are reported\n\t\t\t\t\tas healthy by the load balancer.
The maximumPercent
parameter represents an upper limit on the\n\t\t\t\t\tnumber of running tasks during a deployment. You can use it to define the\n\t\t\t\t\tdeployment batch size. For example, if desiredCount
is four tasks,\n\t\t\t\t\ta maximum of 200% starts four new tasks before stopping the four older tasks\n\t\t\t\t\t(provided that the cluster resources required to do this are available).
When UpdateService stops a task during a deployment, the equivalent\n\t\t\tof docker stop
is issued to the containers running in the task. This\n\t\t\tresults in a SIGTERM
and a 30-second timeout. After this,\n\t\t\t\tSIGKILL
is sent and the containers are forcibly stopped. If the\n\t\t\tcontainer handles the SIGTERM
gracefully and exits within 30 seconds from\n\t\t\treceiving it, no SIGKILL
is sent.
When the service scheduler launches new tasks, it determines task placement in your\n\t\t\tcluster with the following logic.
\nDetermine which of the container instances in your cluster can support your\n\t\t\t\t\tservice's task definition. For example, they have the required CPU, memory,\n\t\t\t\t\tports, and container instance attributes.
\nBy default, the service scheduler attempts to balance tasks across\n\t\t\t\t\tAvailability Zones in this manner even though you can choose a different\n\t\t\t\t\tplacement strategy.
\nSort the valid container instances by the fewest number of running\n\t\t\t\t\t\t\ttasks for this service in the same Availability Zone as the instance.\n\t\t\t\t\t\t\tFor example, if zone A has one running service task and zones B and C\n\t\t\t\t\t\t\teach have zero, valid container instances in either zone B or C are\n\t\t\t\t\t\t\tconsidered optimal for placement.
\nPlace the new service task on a valid container instance in an optimal\n\t\t\t\t\t\t\tAvailability Zone (based on the previous steps), favoring container\n\t\t\t\t\t\t\tinstances with the fewest number of running tasks for this\n\t\t\t\t\t\t\tservice.
\nWhen the service scheduler stops running tasks, it attempts to maintain balance across\n\t\t\tthe Availability Zones in your cluster using the following logic:
\nSort the container instances by the largest number of running tasks for this\n\t\t\t\t\tservice in the same Availability Zone as the instance. For example, if zone A\n\t\t\t\t\thas one running service task and zones B and C each have two, container\n\t\t\t\t\tinstances in either zone B or C are considered optimal for termination.
\nStop the task on a container instance in an optimal Availability Zone (based\n\t\t\t\t\ton the previous steps), favoring container instances with the largest number of\n\t\t\t\t\trunning tasks for this service.
\nYou must have a service-linked role when you update any of the following service\n\t\t\t\tproperties. If you specified a custom role when you created the service, Amazon ECS\n\t\t\t\tautomatically replaces the roleARN associated with the service with the ARN of your\n\t\t\t\tservice-linked role. For more information, see Service-linked roles in the Amazon Elastic Container Service Developer Guide.
\n\n loadBalancers,
\n
\n serviceRegistries
\n
Modifies the parameters of a service.
\nFor services using the rolling update (ECS
) you can update the desired\n\t\t\tcount, deployment configuration, network configuration, load balancers, service\n\t\t\tregistries, enable ECS managed tags option, propagate tags option, task placement\n\t\t\tconstraints and strategies, and task definition. When you update any of these\n\t\t\tparameters, Amazon ECS starts new tasks with the new configuration.
For services using the blue/green (CODE_DEPLOY
) deployment controller,\n\t\t\tonly the desired count, deployment configuration, health check grace period, task\n\t\t\tplacement constraints and strategies, enable ECS managed tags option, and propagate tags\n\t\t\tcan be updated using this API. If the network configuration, platform version, task\n\t\t\tdefinition, or load balancer need to be updated, create a new CodeDeploy deployment. For more\n\t\t\tinformation, see CreateDeployment in the CodeDeploy API Reference.
For services using an external deployment controller, you can update only the desired\n\t\t\tcount, task placement constraints and strategies, health check grace period, enable ECS\n\t\t\tmanaged tags option, and propagate tags option, using this API. If the launch type, load\n\t\t\tbalancer, network configuration, platform version, or task definition need to be\n\t\t\tupdated, create a new task set For more information, see CreateTaskSet.
\nYou can add to or subtract from the number of instantiations of a task definition in a\n\t\t\tservice by specifying the cluster that the service is running in and a new\n\t\t\t\tdesiredCount
parameter.
If you have updated the Docker image of your application, you can create a new task\n\t\t\tdefinition with that image and deploy it to your service. The service scheduler uses the\n\t\t\tminimum healthy percent and maximum percent parameters (in the service's deployment\n\t\t\tconfiguration) to determine the deployment strategy.
\nIf your updated Docker image uses the same tag as what is in the existing task\n\t\t\t\tdefinition for your service (for example, my_image:latest
), you don't\n\t\t\t\tneed to create a new revision of your task definition. You can update the service\n\t\t\t\tusing the forceNewDeployment
option. The new tasks launched by the\n\t\t\t\tdeployment pull the current image/tag combination from your repository when they\n\t\t\t\tstart.
You can also update the deployment configuration of a service. When a deployment is\n\t\t\ttriggered by updating the task definition of a service, the service scheduler uses the\n\t\t\tdeployment configuration parameters, minimumHealthyPercent
and\n\t\t\t\tmaximumPercent
, to determine the deployment strategy.
If minimumHealthyPercent
is below 100%, the scheduler can ignore\n\t\t\t\t\t\tdesiredCount
temporarily during a deployment. For example, if\n\t\t\t\t\t\tdesiredCount
is four tasks, a minimum of 50% allows the\n\t\t\t\t\tscheduler to stop two existing tasks before starting two new tasks. Tasks for\n\t\t\t\t\tservices that don't use a load balancer are considered healthy if they're in the\n\t\t\t\t\t\tRUNNING
state. Tasks for services that use a load balancer are\n\t\t\t\t\tconsidered healthy if they're in the RUNNING
state and are reported\n\t\t\t\t\tas healthy by the load balancer.
The maximumPercent
parameter represents an upper limit on the\n\t\t\t\t\tnumber of running tasks during a deployment. You can use it to define the\n\t\t\t\t\tdeployment batch size. For example, if desiredCount
is four tasks,\n\t\t\t\t\ta maximum of 200% starts four new tasks before stopping the four older tasks\n\t\t\t\t\t(provided that the cluster resources required to do this are available).
When UpdateService stops a task during a deployment, the equivalent\n\t\t\tof docker stop
is issued to the containers running in the task. This\n\t\t\tresults in a SIGTERM
and a 30-second timeout. After this,\n\t\t\t\tSIGKILL
is sent and the containers are forcibly stopped. If the\n\t\t\tcontainer handles the SIGTERM
gracefully and exits within 30 seconds from\n\t\t\treceiving it, no SIGKILL
is sent.
When the service scheduler launches new tasks, it determines task placement in your\n\t\t\tcluster with the following logic.
\nDetermine which of the container instances in your cluster can support your\n\t\t\t\t\tservice's task definition. For example, they have the required CPU, memory,\n\t\t\t\t\tports, and container instance attributes.
\nBy default, the service scheduler attempts to balance tasks across\n\t\t\t\t\tAvailability Zones in this manner even though you can choose a different\n\t\t\t\t\tplacement strategy.
\nSort the valid container instances by the fewest number of running\n\t\t\t\t\t\t\ttasks for this service in the same Availability Zone as the instance.\n\t\t\t\t\t\t\tFor example, if zone A has one running service task and zones B and C\n\t\t\t\t\t\t\teach have zero, valid container instances in either zone B or C are\n\t\t\t\t\t\t\tconsidered optimal for placement.
\nPlace the new service task on a valid container instance in an optimal\n\t\t\t\t\t\t\tAvailability Zone (based on the previous steps), favoring container\n\t\t\t\t\t\t\tinstances with the fewest number of running tasks for this\n\t\t\t\t\t\t\tservice.
\nWhen the service scheduler stops running tasks, it attempts to maintain balance across\n\t\t\tthe Availability Zones in your cluster using the following logic:
\nSort the container instances by the largest number of running tasks for this\n\t\t\t\t\tservice in the same Availability Zone as the instance. For example, if zone A\n\t\t\t\t\thas one running service task and zones B and C each have two, container\n\t\t\t\t\tinstances in either zone B or C are considered optimal for termination.
\nStop the task on a container instance in an optimal Availability Zone (based\n\t\t\t\t\ton the previous steps), favoring container instances with the largest number of\n\t\t\t\t\trunning tasks for this service.
\nYou must have a service-linked role when you update any of the following service\n\t\t\t\tproperties:
\n\n loadBalancers
,
\n serviceRegistries
\n
For more information about the role see the CreateService
request parameter\n\t\t\t\t\n role
\n .
Updates the protection status of a task. You can set protectionEnabled
to\n\t\t\t\ttrue
to protect your task from termination during scale-in events from\n\t\t\t\tService\n\t\t\t\tAutoscaling or deployments.
Task-protection, by default, expires after 2 hours at which point Amazon ECS clears the\n\t\t\t\tprotectionEnabled
property making the task eligible for termination by\n\t\t\ta subsequent scale-in event.
You can specify a custom expiration period for task protection from 1 minute to up to\n\t\t\t2,880 minutes (48 hours). To specify the custom expiration period, set the\n\t\t\t\texpiresInMinutes
property. The expiresInMinutes
property\n\t\t\tis always reset when you invoke this operation for a task that already has\n\t\t\t\tprotectionEnabled
set to true
. You can keep extending the\n\t\t\tprotection expiration period of a task by invoking this operation repeatedly.
To learn more about Amazon ECS task protection, see Task scale-in\n\t\t\t\tprotection in the \n Amazon Elastic Container Service Developer Guide\n .
\nThis operation is only supported for tasks belonging to an Amazon ECS service. Invoking\n\t\t\t\tthis operation for a standalone task will result in an TASK_NOT_VALID
\n\t\t\t\tfailure. For more information, see API failure\n\t\t\t\t\treasons.
If you prefer to set task protection from within the container, we recommend using\n\t\t\t\tthe Task scale-in protection endpoint.
\nUpdates the protection status of a task. You can set protectionEnabled
to\n\t\t\t\ttrue
to protect your task from termination during scale-in events from\n\t\t\t\tService\n\t\t\t\tAutoscaling or deployments.
Task-protection, by default, expires after 2 hours at which point Amazon ECS clears the\n\t\t\t\tprotectionEnabled
property making the task eligible for termination by\n\t\t\ta subsequent scale-in event.
You can specify a custom expiration period for task protection from 1 minute to up to\n\t\t\t2,880 minutes (48 hours). To specify the custom expiration period, set the\n\t\t\t\texpiresInMinutes
property. The expiresInMinutes
property\n\t\t\tis always reset when you invoke this operation for a task that already has\n\t\t\t\tprotectionEnabled
set to true
. You can keep extending the\n\t\t\tprotection expiration period of a task by invoking this operation repeatedly.
To learn more about Amazon ECS task protection, see Task scale-in\n\t\t\t\tprotection in the \n Amazon Elastic Container Service Developer Guide\n .
\nThis operation is only supported for tasks belonging to an Amazon ECS service. Invoking\n\t\t\t\tthis operation for a standalone task will result in an TASK_NOT_VALID
\n\t\t\t\tfailure. For more information, see API failure\n\t\t\t\t\treasons.
If you prefer to set task protection from within the container, we recommend using\n\t\t\t\tthe Task scale-in protection endpoint.
\nThe name of the volume. Up to 255 letters (uppercase and lowercase), numbers, underscores, and hyphens are allowed. This name is referenced in the\n\t\t\t\tsourceVolume
parameter of container definition\n\t\t\tmountPoints
.
The name of the volume. Up to 255 letters (uppercase and lowercase), numbers, underscores, and hyphens are allowed. This name is referenced in the\n\t\t\t\tsourceVolume
parameter of container definition\n\t\t\tmountPoints
.
This is required wwhen you use an Amazon EFS volume.
" } }, "host": { diff --git a/aws/sdk/aws-models/iam.json b/aws/sdk/aws-models/iam.json index 3f222206c623eb12b1bec2ad5ece45974c145ce2..d1b5c5e6220b86a98c7882e64b221b9e0fa4c6ca 100644 --- a/aws/sdk/aws-models/iam.json +++ b/aws/sdk/aws-models/iam.json @@ -222,6 +222,9 @@ { "target": "com.amazonaws.iam#GetLoginProfile" }, + { + "target": "com.amazonaws.iam#GetMFADevice" + }, { "target": "com.amazonaws.iam#GetOpenIDConnectProvider" }, @@ -2026,7 +2029,7 @@ } ], "traits": { - "smithy.api#documentation": "Adds the specified IAM role to the specified instance profile. An instance profile\n can contain only one role, and this quota cannot be increased. You can remove the\n existing role and then add a different role to an instance profile. You must then wait\n for the change to appear across all of Amazon Web Services because of eventual\n consistency. To force the change, you must disassociate the instance profile and then associate the\n instance profile, or you can stop your instance and then restart it.
\nThe caller of this operation must be granted the PassRole
permission\n on the IAM role by a permissions policy.
For more information about roles, see Working with roles. For more\n information about instance profiles, see About instance\n profiles.
" + "smithy.api#documentation": "Adds the specified IAM role to the specified instance profile. An instance profile\n can contain only one role, and this quota cannot be increased. You can remove the\n existing role and then add a different role to an instance profile. You must then wait\n for the change to appear across all of Amazon Web Services because of eventual\n consistency. To force the change, you must disassociate the instance profile and then associate the\n instance profile, or you can stop your instance and then restart it.
\nThe caller of this operation must be granted the PassRole
permission\n on the IAM role by a permissions policy.
For more information about roles, see IAM roles in the\n IAM User Guide. For more information about instance profiles,\n see Using\n instance profiles in the IAM User Guide.
" } }, "com.amazonaws.iam#AddRoleToInstanceProfileRequest": { @@ -2128,7 +2131,7 @@ } ], "traits": { - "smithy.api#documentation": "Attaches the specified managed policy to the specified IAM group.
\nYou use this operation to attach a managed policy to a group. To embed an inline\n policy in a group, use PutGroupPolicy.
\nAs a best practice, you can validate your IAM policies. \n To learn more, see Validating IAM policies \n in the IAM User Guide.
\nFor more information about policies, see Managed policies and inline\n policies in the IAM User Guide.
" + "smithy.api#documentation": "Attaches the specified managed policy to the specified IAM group.
\nYou use this operation to attach a managed policy to a group. To embed an inline\n policy in a group, use \n PutGroupPolicy
\n .
As a best practice, you can validate your IAM policies. \n To learn more, see Validating IAM policies \n in the IAM User Guide.
\nFor more information about policies, see Managed policies and inline\n policies in the IAM User Guide.
" } }, "com.amazonaws.iam#AttachGroupPolicyRequest": { @@ -2182,7 +2185,7 @@ } ], "traits": { - "smithy.api#documentation": "Attaches the specified managed policy to the specified IAM role. When you attach a\n managed policy to a role, the managed policy becomes part of the role's permission\n (access) policy.
\nYou cannot use a managed policy as the role's trust policy. The role's trust\n policy is created at the same time as the role, using CreateRole.\n You can update a role's trust policy using UpdateAssumeRolePolicy.
\nUse this operation to attach a managed policy to a role. To embed\n an inline policy in a role, use PutRolePolicy. For more information\n about policies, see Managed policies and inline\n policies in the IAM User Guide.
\nAs a best practice, you can validate your IAM policies. \n To learn more, see Validating IAM policies \n in the IAM User Guide.
" + "smithy.api#documentation": "Attaches the specified managed policy to the specified IAM role. When you attach a\n managed policy to a role, the managed policy becomes part of the role's permission\n (access) policy.
\nYou cannot use a managed policy as the role's trust policy. The role's trust\n policy is created at the same time as the role, using \n CreateRole
\n . You can update a role's trust policy using\n \n UpdateAssumerolePolicy
\n .
Use this operation to attach a managed policy to a role. To embed\n an inline policy in a role, use \n PutRolePolicy
\n . For more information about policies, see Managed\n policies and inline policies in the\n IAM User Guide.
As a best practice, you can validate your IAM policies. \n To learn more, see Validating IAM policies \n in the IAM User Guide.
" } }, "com.amazonaws.iam#AttachRolePolicyRequest": { @@ -2233,7 +2236,7 @@ } ], "traits": { - "smithy.api#documentation": "Attaches the specified managed policy to the specified user.
\nYou use this operation to attach a managed policy to a user. To\n embed an inline policy in a user, use PutUserPolicy.
\nAs a best practice, you can validate your IAM policies. \n To learn more, see Validating IAM policies \n in the IAM User Guide.
\nFor more information about policies, see Managed policies and inline\n policies in the IAM User Guide.
" + "smithy.api#documentation": "Attaches the specified managed policy to the specified user.
\nYou use this operation to attach a managed policy to a user. To\n embed an inline policy in a user, use \n PutUserPolicy
\n .
As a best practice, you can validate your IAM policies. \n To learn more, see Validating IAM policies \n in the IAM User Guide.
\nFor more information about policies, see Managed policies and inline\n policies in the IAM User Guide.
" } }, "com.amazonaws.iam#AttachUserPolicyRequest": { @@ -2301,6 +2304,35 @@ "smithy.api#sensitive": {} } }, + "com.amazonaws.iam#CertificationKeyType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 128 + }, + "smithy.api#pattern": "^[\\u0020-\\u00FF]+$" + } + }, + "com.amazonaws.iam#CertificationMapType": { + "type": "map", + "key": { + "target": "com.amazonaws.iam#CertificationKeyType" + }, + "value": { + "target": "com.amazonaws.iam#CertificationValueType" + } + }, + "com.amazonaws.iam#CertificationValueType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 32 + }, + "smithy.api#pattern": "^[\\u0020-\\u00FF]+$" + } + }, "com.amazonaws.iam#ChangePassword": { "type": "operation", "input": { @@ -2843,7 +2875,7 @@ } ], "traits": { - "smithy.api#documentation": "Creates an IAM entity to describe an identity provider (IdP) that supports OpenID Connect (OIDC).
\nThe OIDC provider that you create with this operation can be used as a principal in a\n role's trust policy. Such a policy establishes a trust relationship between Amazon Web Services and\n the OIDC provider.
\nIf you are using an OIDC identity provider from Google, Facebook, or Amazon Cognito, you don't\n need to create a separate IAM identity provider. These OIDC identity providers are\n already built-in to Amazon Web Services and are available for your use. Instead, you can move directly\n to creating new roles using your identity provider. To learn more, see Creating\n a role for web identity or OpenID connect federation in the IAM\n User Guide.
\nWhen you create the IAM OIDC provider, you specify the following:
\nThe URL of the OIDC identity provider (IdP) to trust
\nA list of client IDs (also known as audiences) that identify the application\n or applications allowed to authenticate using the OIDC provider
\nA list of tags that are attached to the specified IAM OIDC provider
\nA list of thumbprints of one or more server certificates that the IdP\n uses
\nYou get all of this information from the OIDC IdP you want to use to access\n Amazon Web Services.
\nAmazon Web Services secures communication with some OIDC identity providers (IdPs) through our\n library of trusted certificate authorities (CAs) instead of using a certificate\n thumbprint to verify your IdP server certificate. These OIDC IdPs include Google, Auth0,\n and those that use an Amazon S3 bucket to host a JSON Web Key Set (JWKS) endpoint. In these\n cases, your legacy thumbprint remains in your configuration, but is no longer used for\n validation.
\nThe trust for the OIDC provider is derived from the IAM provider that this\n operation creates. Therefore, it is best to limit access to the CreateOpenIDConnectProvider operation to highly privileged\n users.
\nCreates an IAM entity to describe an identity provider (IdP) that supports OpenID Connect (OIDC).
\nThe OIDC provider that you create with this operation can be used as a principal in a\n role's trust policy. Such a policy establishes a trust relationship between Amazon Web Services and\n the OIDC provider.
\nIf you are using an OIDC identity provider from Google, Facebook, or Amazon Cognito, you don't\n need to create a separate IAM identity provider. These OIDC identity providers are\n already built-in to Amazon Web Services and are available for your use. Instead, you can move directly\n to creating new roles using your identity provider. To learn more, see Creating\n a role for web identity or OpenID connect federation in the IAM\n User Guide.
\nWhen you create the IAM OIDC provider, you specify the following:
\nThe URL of the OIDC identity provider (IdP) to trust
\nA list of client IDs (also known as audiences) that identify the application\n or applications allowed to authenticate using the OIDC provider
\nA list of tags that are attached to the specified IAM OIDC provider
\nA list of thumbprints of one or more server certificates that the IdP\n uses
\nYou get all of this information from the OIDC IdP you want to use to access\n Amazon Web Services.
\nAmazon Web Services secures communication with some OIDC identity providers (IdPs) through our\n library of trusted root certificate authorities (CAs) instead of using a certificate\n thumbprint to verify your IdP server certificate. These OIDC IdPs include Auth0, GitHub,\n Google, and those that use an Amazon S3 bucket to host a JSON Web Key Set (JWKS) endpoint. In\n these cases, your legacy thumbprint remains in your configuration, but is no longer used\n for validation.
\nThe trust for the OIDC provider is derived from the IAM provider that this\n operation creates. Therefore, it is best to limit access to the CreateOpenIDConnectProvider operation to highly privileged\n users.
\nCreates a new role for your Amazon Web Services account. For more information about roles, see\n IAM\n roles. For information about quotas for role names and the number of roles\n you can create, see IAM and STS quotas in the\n IAM User Guide.
" + "smithy.api#documentation": "Creates a new role for your Amazon Web Services account.
\nFor more information about roles, see IAM roles in the\n IAM User Guide. For information about quotas for role names\n and the number of roles you can create, see IAM and STS quotas in the\n IAM User Guide.
" } }, "com.amazonaws.iam#CreateRoleRequest": { @@ -3853,7 +3885,7 @@ } ], "traits": { - "smithy.api#documentation": "Deletes the specified instance profile. The instance profile must not have an\n associated role.
\nMake sure that you do not have any Amazon EC2 instances running with the instance\n profile you are about to delete. Deleting a role or instance profile that is\n associated with a running instance will break any applications running on the\n instance.
\nFor more information about instance profiles, see About instance\n profiles.
" + "smithy.api#documentation": "Deletes the specified instance profile. The instance profile must not have an\n associated role.
\nMake sure that you do not have any Amazon EC2 instances running with the instance\n profile you are about to delete. Deleting a role or instance profile that is\n associated with a running instance will break any applications running on the\n instance.
\nFor more information about instance profiles, see Using\n instance profiles in the IAM User Guide.
" } }, "com.amazonaws.iam#DeleteInstanceProfileRequest": { @@ -5837,7 +5869,7 @@ } ], "traits": { - "smithy.api#documentation": "Retrieves information about the specified instance profile, including the instance\n profile's path, GUID, ARN, and role. For more information about instance profiles, see\n About\n instance profiles in the IAM User Guide.
", + "smithy.api#documentation": "Retrieves information about the specified instance profile, including the instance\n profile's path, GUID, ARN, and role. For more information about instance profiles, see\n Using\n instance profiles in the IAM User Guide.
", "smithy.waiters#waitable": { "InstanceProfileExists": { "acceptors": [ @@ -5941,6 +5973,80 @@ "smithy.api#output": {} } }, + "com.amazonaws.iam#GetMFADevice": { + "type": "operation", + "input": { + "target": "com.amazonaws.iam#GetMFADeviceRequest" + }, + "output": { + "target": "com.amazonaws.iam#GetMFADeviceResponse" + }, + "errors": [ + { + "target": "com.amazonaws.iam#NoSuchEntityException" + }, + { + "target": "com.amazonaws.iam#ServiceFailureException" + } + ], + "traits": { + "smithy.api#documentation": "Retrieves information about an MFA device for a specified user.
" + } + }, + "com.amazonaws.iam#GetMFADeviceRequest": { + "type": "structure", + "members": { + "SerialNumber": { + "target": "com.amazonaws.iam#serialNumberType", + "traits": { + "smithy.api#documentation": "Serial number that uniquely identifies the MFA device. For this API, we only accept\n FIDO security key ARNs.
", + "smithy.api#required": {} + } + }, + "UserName": { + "target": "com.amazonaws.iam#userNameType", + "traits": { + "smithy.api#documentation": "The friendly name identifying the user.
" + } + } + }, + "traits": { + "smithy.api#input": {} + } + }, + "com.amazonaws.iam#GetMFADeviceResponse": { + "type": "structure", + "members": { + "UserName": { + "target": "com.amazonaws.iam#userNameType", + "traits": { + "smithy.api#documentation": "The friendly name identifying the user.
" + } + }, + "SerialNumber": { + "target": "com.amazonaws.iam#serialNumberType", + "traits": { + "smithy.api#documentation": "Serial number that uniquely identifies the MFA device. For this API, we only accept\n FIDO security key ARNs.
", + "smithy.api#required": {} + } + }, + "EnableDate": { + "target": "com.amazonaws.iam#dateType", + "traits": { + "smithy.api#documentation": "The date that a specified user's MFA device was first enabled.
" + } + }, + "Certifications": { + "target": "com.amazonaws.iam#CertificationMapType", + "traits": { + "smithy.api#documentation": "The certifications of a specified user's MFA device. We currently provide FIPS-140-2,\n FIPS-140-3, and FIDO certification levels obtained from FIDO Alliance Metadata Service\n (MDS).
" + } + } + }, + "traits": { + "smithy.api#output": {} + } + }, "com.amazonaws.iam#GetOpenIDConnectProvider": { "type": "operation", "input": { @@ -6282,7 +6388,7 @@ } ], "traits": { - "smithy.api#documentation": "Retrieves information about the specified role, including the role's path, GUID, ARN,\n and the role's trust policy that grants permission to assume the role. For more\n information about roles, see Working with roles.
\nPolicies returned by this operation are URL-encoded compliant \n with RFC 3986. You can use a URL \n decoding method to convert the policy back to plain JSON text. For example, if you use Java, you \n can use the decode
method of the java.net.URLDecoder
utility class in \n the Java SDK. Other languages and SDKs provide similar functionality.
Retrieves information about the specified role, including the role's path, GUID, ARN,\n and the role's trust policy that grants permission to assume the role. For more\n information about roles, see IAM roles in the\n IAM User Guide.
\nPolicies returned by this operation are URL-encoded compliant \n with RFC 3986. You can use a URL \n decoding method to convert the policy back to plain JSON text. For example, if you use Java, you \n can use the decode
method of the java.net.URLDecoder
utility class in \n the Java SDK. Other languages and SDKs provide similar functionality.
Retrieves the specified inline policy document that is embedded with the specified\n IAM role.
\nPolicies returned by this operation are URL-encoded compliant \n with RFC 3986. You can use a URL \n decoding method to convert the policy back to plain JSON text. For example, if you use Java, you \n can use the decode
method of the java.net.URLDecoder
utility class in \n the Java SDK. Other languages and SDKs provide similar functionality.
An IAM role can also have managed policies attached to it. To retrieve a managed\n policy document that is attached to a role, use GetPolicy to determine\n the policy's default version, then use GetPolicyVersion to retrieve\n the policy document.
\nFor more information about policies, see Managed policies and inline\n policies in the IAM User Guide.
\nFor more information about roles, see Using roles to delegate permissions and\n federate identities.
" + "smithy.api#documentation": "Retrieves the specified inline policy document that is embedded with the specified\n IAM role.
\nPolicies returned by this operation are URL-encoded compliant \n with RFC 3986. You can use a URL \n decoding method to convert the policy back to plain JSON text. For example, if you use Java, you \n can use the decode
method of the java.net.URLDecoder
utility class in \n the Java SDK. Other languages and SDKs provide similar functionality.
An IAM role can also have managed policies attached to it. To retrieve a managed\n policy document that is attached to a role, use GetPolicy to determine\n the policy's default version, then use GetPolicyVersion to retrieve\n the policy document.
\nFor more information about policies, see Managed policies and inline\n policies in the IAM User Guide.
\nFor more information about roles, see IAM roles in the\n IAM User Guide.
" } }, "com.amazonaws.iam#GetRolePolicyRequest": { @@ -8082,7 +8188,13 @@ } ], "traits": { - "smithy.api#documentation": "Lists the tags that are attached to the specified IAM instance profile. The returned list of tags is sorted by tag key.\n For more information about tagging, see Tagging IAM resources in the\n IAM User Guide.
" + "smithy.api#documentation": "Lists the tags that are attached to the specified IAM instance profile. The returned list of tags is sorted by tag key.\n For more information about tagging, see Tagging IAM resources in the\n IAM User Guide.
", + "smithy.api#paginated": { + "inputToken": "Marker", + "outputToken": "Marker", + "items": "Tags", + "pageSize": "MaxItems" + } } }, "com.amazonaws.iam#ListInstanceProfileTagsRequest": { @@ -8154,7 +8266,7 @@ } ], "traits": { - "smithy.api#documentation": "Lists the instance profiles that have the specified path prefix. If there are none,\n the operation returns an empty list. For more information about instance profiles, see\n About\n instance profiles.
\nIAM resource-listing operations return a subset of the available \n attributes for the resource. For example, this operation does not return tags, even though they are an attribute of the returned object. To view all of the information for an instance profile, see GetInstanceProfile.
\nYou can paginate the results using the MaxItems
and Marker
\n parameters.
Lists the instance profiles that have the specified path prefix. If there are none,\n the operation returns an empty list. For more information about instance profiles, see\n Using\n instance profiles in the IAM User Guide.
\nIAM resource-listing operations return a subset of the available \n attributes for the resource. For example, this operation does not return tags, even though they are an attribute of the returned object. To view all of the information for an instance profile, see GetInstanceProfile.
\nYou can paginate the results using the MaxItems
and Marker
\n parameters.
Lists the instance profiles that have the specified associated IAM role. If there\n are none, the operation returns an empty list. For more information about instance\n profiles, go to About instance\n profiles.
\nYou can paginate the results using the MaxItems
and Marker
\n parameters.
Lists the instance profiles that have the specified associated IAM role. If there\n are none, the operation returns an empty list. For more information about instance\n profiles, go to Using\n instance profiles in the IAM User Guide.
\nYou can paginate the results using the MaxItems
and Marker
\n parameters.
Lists the tags that are attached to the specified IAM virtual multi-factor authentication (MFA) device. The returned list of tags is\n sorted by tag key. For more information about tagging, see Tagging IAM resources in the\n IAM User Guide.
" + "smithy.api#documentation": "Lists the tags that are attached to the specified IAM virtual multi-factor authentication (MFA) device. The returned list of tags is\n sorted by tag key. For more information about tagging, see Tagging IAM resources in the\n IAM User Guide.
", + "smithy.api#paginated": { + "inputToken": "Marker", + "outputToken": "Marker", + "items": "Tags", + "pageSize": "MaxItems" + } } }, "com.amazonaws.iam#ListMFADeviceTagsRequest": { @@ -8479,7 +8597,13 @@ } ], "traits": { - "smithy.api#documentation": "Lists the tags that are attached to the specified OpenID Connect (OIDC)-compatible\n identity provider. The returned list of tags is sorted by tag key. For more information, see About web identity\n federation.
\nFor more information about tagging, see Tagging IAM resources in the\n IAM User Guide.
" + "smithy.api#documentation": "Lists the tags that are attached to the specified OpenID Connect (OIDC)-compatible\n identity provider. The returned list of tags is sorted by tag key. For more information, see About web identity\n federation.
\nFor more information about tagging, see Tagging IAM resources in the\n IAM User Guide.
", + "smithy.api#paginated": { + "inputToken": "Marker", + "outputToken": "Marker", + "items": "Tags", + "pageSize": "MaxItems" + } } }, "com.amazonaws.iam#ListOpenIDConnectProviderTagsRequest": { @@ -8788,7 +8912,13 @@ } ], "traits": { - "smithy.api#documentation": "Lists the tags that are attached to the specified IAM customer managed policy.\n The returned list of tags is sorted by tag key. For more information about tagging, see Tagging IAM resources in the\n IAM User Guide.
" + "smithy.api#documentation": "Lists the tags that are attached to the specified IAM customer managed policy.\n The returned list of tags is sorted by tag key. For more information about tagging, see Tagging IAM resources in the\n IAM User Guide.
", + "smithy.api#paginated": { + "inputToken": "Marker", + "outputToken": "Marker", + "items": "Tags", + "pageSize": "MaxItems" + } } }, "com.amazonaws.iam#ListPolicyTagsRequest": { @@ -9029,7 +9159,13 @@ } ], "traits": { - "smithy.api#documentation": "Lists the tags that are attached to the specified role. The returned list of tags is\n sorted by tag key. For more information about tagging, see Tagging IAM resources in the\n IAM User Guide.
" + "smithy.api#documentation": "Lists the tags that are attached to the specified role. The returned list of tags is\n sorted by tag key. For more information about tagging, see Tagging IAM resources in the\n IAM User Guide.
", + "smithy.api#paginated": { + "inputToken": "Marker", + "outputToken": "Marker", + "items": "Tags", + "pageSize": "MaxItems" + } } }, "com.amazonaws.iam#ListRoleTagsRequest": { @@ -9101,7 +9237,7 @@ } ], "traits": { - "smithy.api#documentation": "Lists the IAM roles that have the specified path prefix. If there are none, the\n operation returns an empty list. For more information about roles, see Working with\n roles.
\nIAM resource-listing operations return a subset of the available \n attributes for the resource. This operation does not return the following attributes, even though they are an attribute of the returned object:
\nPermissionsBoundary
\nRoleLastUsed
\nTags
\nTo view all of the information for a role, see GetRole.
\nYou can paginate the results using the MaxItems
and Marker
\n parameters.
Lists the IAM roles that have the specified path prefix. If there are none, the\n operation returns an empty list. For more information about roles, see IAM roles in the\n IAM User Guide.
\nIAM resource-listing operations return a subset of the available \n attributes for the resource. This operation does not return the following attributes, even though they are an attribute of the returned object:
\nPermissionsBoundary
\nRoleLastUsed
\nTags
\nTo view all of the information for a role, see GetRole.
\nYou can paginate the results using the MaxItems
and Marker
\n parameters.
Lists the tags that are attached to the specified Security Assertion Markup Language\n (SAML) identity provider. The returned list of tags is sorted by tag key. For more information, see About SAML 2.0-based\n federation.
\nFor more information about tagging, see Tagging IAM resources in the\n IAM User Guide.
" + "smithy.api#documentation": "Lists the tags that are attached to the specified Security Assertion Markup Language\n (SAML) identity provider. The returned list of tags is sorted by tag key. For more information, see About SAML 2.0-based\n federation.
\nFor more information about tagging, see Tagging IAM resources in the\n IAM User Guide.
", + "smithy.api#paginated": { + "inputToken": "Marker", + "outputToken": "Marker", + "items": "Tags", + "pageSize": "MaxItems" + } } }, "com.amazonaws.iam#ListSAMLProviderTagsRequest": { @@ -9376,7 +9518,13 @@ } ], "traits": { - "smithy.api#documentation": "Lists the tags that are attached to the specified IAM server certificate. The\n returned list of tags is sorted by tag key. For more information about tagging, see Tagging IAM resources in the\n IAM User Guide.
\nFor certificates in a Region supported by Certificate Manager (ACM), we\n recommend that you don't use IAM server certificates. Instead, use ACM to provision,\n manage, and deploy your server certificates. For more information about IAM server\n certificates, Working with server\n certificates in the IAM User Guide.
\nLists the tags that are attached to the specified IAM server certificate. The\n returned list of tags is sorted by tag key. For more information about tagging, see Tagging IAM resources in the\n IAM User Guide.
\nFor certificates in a Region supported by Certificate Manager (ACM), we\n recommend that you don't use IAM server certificates. Instead, use ACM to provision,\n manage, and deploy your server certificates. For more information about IAM server\n certificates, Working with server\n certificates in the IAM User Guide.
\nAdds or updates an inline policy document that is embedded in the specified IAM\n group.
\nA user can also have managed policies attached to it. To attach a managed policy to a\n group, use AttachGroupPolicy. To create a new managed policy, use\n CreatePolicy. For information about policies, see Managed\n policies and inline policies in the\n IAM User Guide.
\nFor information about the maximum number of inline policies that you can embed in a\n group, see IAM and STS quotas in the IAM User Guide.
\nBecause policy documents can be large, you should use POST rather than GET when\n calling PutGroupPolicy
. For general information about using the Query\n API with IAM, see Making query requests in the\n IAM User Guide.
Adds or updates an inline policy document that is embedded in the specified IAM\n group.
\nA user can also have managed policies attached to it. To attach a managed policy to a\n group, use \n AttachGroupPolicy
\n . To create a new managed policy, use\n \n CreatePolicy
\n . For information about policies, see Managed\n policies and inline policies in the\n IAM User Guide.
For information about the maximum number of inline policies that you can embed in a\n group, see IAM and STS quotas in the IAM User Guide.
\nBecause policy documents can be large, you should use POST rather than GET when\n calling PutGroupPolicy
. For general information about using the Query\n API with IAM, see Making query requests in the\n IAM User Guide.
The policy document.
\nYou must provide policies in JSON format in IAM. However, for CloudFormation templates\n formatted in YAML, you can provide the policy in JSON or YAML format. CloudFormation always\n converts a YAML policy to JSON format before submitting it to = IAM.
\nThe regex pattern \n used to validate this parameter is a string of characters consisting of the following:
\nAny printable ASCII \n character ranging from the space character (\\u0020
) through the end of the ASCII character range
The printable characters in the Basic Latin and Latin-1 Supplement character set \n (through \\u00FF
)
The special characters tab (\\u0009
), line feed (\\u000A
), and \n carriage return (\\u000D
)
The policy document.
\nYou must provide policies in JSON format in IAM. However, for CloudFormation templates\n formatted in YAML, you can provide the policy in JSON or YAML format. CloudFormation always\n converts a YAML policy to JSON format before submitting it to IAM.
\nThe regex pattern \n used to validate this parameter is a string of characters consisting of the following:
\nAny printable ASCII \n character ranging from the space character (\\u0020
) through the end of the ASCII character range
The printable characters in the Basic Latin and Latin-1 Supplement character set \n (through \\u00FF
)
The special characters tab (\\u0009
), line feed (\\u000A
), and \n carriage return (\\u000D
)
Adds or updates an inline policy document that is embedded in the specified IAM\n role.
\nWhen you embed an inline policy in a role, the inline policy is used as part of the\n role's access (permissions) policy. The role's trust policy is created at the same time\n as the role, using CreateRole. You can update a role's trust policy\n using UpdateAssumeRolePolicy. For more information about IAM roles,\n see Using roles to\n delegate permissions and federate identities.
\nA role can also have a managed policy attached to it. To attach a managed policy to a\n role, use AttachRolePolicy. To create a new managed policy, use CreatePolicy. For information about policies, see Managed\n policies and inline policies in the\n IAM User Guide.
\nFor information about the maximum number of inline policies that you can embed with a\n role, see IAM and STS quotas in the IAM User Guide.
\nBecause policy documents can be large, you should use POST rather than GET when\n calling PutRolePolicy
. For general information about using the Query\n API with IAM, see Making query requests in the\n IAM User Guide.
Adds or updates an inline policy document that is embedded in the specified IAM\n role.
\nWhen you embed an inline policy in a role, the inline policy is used as part of the\n role's access (permissions) policy. The role's trust policy is created at the same time\n as the role, using \n CreateRole
\n .\n You can update a role's trust policy using \n UpdateAssumeRolePolicy
\n . For more information about roles,\n see IAM\n roles in the IAM User Guide.
A role can also have a managed policy attached to it. To attach a managed policy to a\n role, use \n AttachRolePolicy
\n . To create a new managed policy, use\n \n CreatePolicy
\n . For information about policies, see Managed\n policies and inline policies in the\n IAM User Guide.
For information about the maximum number of inline policies that you can embed with a\n role, see IAM and STS quotas in the IAM User Guide.
\nBecause policy documents can be large, you should use POST rather than GET when\n calling PutRolePolicy
. For general information about using the Query\n API with IAM, see Making query requests in the\n IAM User Guide.
Adds or updates an inline policy document that is embedded in the specified IAM\n user.
\nAn IAM user can also have a managed policy attached to it. To attach a managed\n policy to a user, use AttachUserPolicy. To create a new managed\n policy, use CreatePolicy. For information about policies, see Managed\n policies and inline policies in the\n IAM User Guide.
\nFor information about the maximum number of inline policies that you can embed in a\n user, see IAM and STS quotas in the IAM User Guide.
\nBecause policy documents can be large, you should use POST rather than GET when\n calling PutUserPolicy
. For general information about using the Query\n API with IAM, see Making query requests in the\n IAM User Guide.
Adds or updates an inline policy document that is embedded in the specified IAM\n user.
\nAn IAM user can also have a managed policy attached to it. To attach a managed\n policy to a user, use \n AttachUserPolicy
\n . To create a new managed policy, use\n \n CreatePolicy
\n . For information about policies, see Managed\n policies and inline policies in the\n IAM User Guide.
For information about the maximum number of inline policies that you can embed in a\n user, see IAM and STS quotas in the IAM User Guide.
\nBecause policy documents can be large, you should use POST rather than GET when\n calling PutUserPolicy
. For general information about using the Query\n API with IAM, see Making query requests in the\n IAM User Guide.
Removes the specified IAM role from the specified EC2 instance profile.
\nMake sure that you do not have any Amazon EC2 instances running with the role you\n are about to remove from the instance profile. Removing a role from an instance\n profile that is associated with a running instance might break any applications\n running on the instance.
\nFor more information about IAM roles, see Working with roles. For more\n information about instance profiles, see About instance\n profiles.
" + "smithy.api#documentation": "Removes the specified IAM role from the specified EC2 instance profile.
\nMake sure that you do not have any Amazon EC2 instances running with the role you\n are about to remove from the instance profile. Removing a role from an instance\n profile that is associated with a running instance might break any applications\n running on the instance.
\nFor more information about roles, see IAM roles in the\n IAM User Guide. For more information about instance profiles,\n see Using\n instance profiles in the IAM User Guide.
" } }, "com.amazonaws.iam#RemoveRoleFromInstanceProfileRequest": { @@ -13622,7 +13770,7 @@ } ], "traits": { - "smithy.api#documentation": "Replaces the existing list of server certificate thumbprints associated with an OpenID\n Connect (OIDC) provider resource object with a new list of thumbprints.
\nThe list that you pass with this operation completely replaces the existing list of\n thumbprints. (The lists are not merged.)
\nTypically, you need to update a thumbprint only when the identity provider certificate\n changes, which occurs rarely. However, if the provider's certificate\n does change, any attempt to assume an IAM role that specifies\n the OIDC provider as a principal fails until the certificate thumbprint is\n updated.
\nAmazon Web Services secures communication with some OIDC identity providers (IdPs) through our\n library of trusted certificate authorities (CAs) instead of using a certificate\n thumbprint to verify your IdP server certificate. These OIDC IdPs include Google, Auth0,\n and those that use an Amazon S3 bucket to host a JSON Web Key Set (JWKS) endpoint. In these\n cases, your legacy thumbprint remains in your configuration, but is no longer used for\n validation.
\nTrust for the OIDC provider is derived from the provider certificate and is\n validated by the thumbprint. Therefore, it is best to limit access to the\n UpdateOpenIDConnectProviderThumbprint
operation to highly\n privileged users.
Replaces the existing list of server certificate thumbprints associated with an OpenID\n Connect (OIDC) provider resource object with a new list of thumbprints.
\nThe list that you pass with this operation completely replaces the existing list of\n thumbprints. (The lists are not merged.)
\nTypically, you need to update a thumbprint only when the identity provider certificate\n changes, which occurs rarely. However, if the provider's certificate\n does change, any attempt to assume an IAM role that specifies\n the OIDC provider as a principal fails until the certificate thumbprint is\n updated.
\nAmazon Web Services secures communication with some OIDC identity providers (IdPs) through our\n library of trusted root certificate authorities (CAs) instead of using a certificate\n thumbprint to verify your IdP server certificate. These OIDC IdPs include Auth0, GitHub,\n Google, and those that use an Amazon S3 bucket to host a JSON Web Key Set (JWKS) endpoint. In\n these cases, your legacy thumbprint remains in your configuration, but is no longer used\n for validation.
\nTrust for the OIDC provider is derived from the provider certificate and is\n validated by the thumbprint. Therefore, it is best to limit access to the\n UpdateOpenIDConnectProviderThumbprint
operation to highly\n privileged users.
Creates a custom key store backed by a key store that you own and manage. When you use a\n KMS key in a custom key store for a cryptographic operation, the cryptographic operation is\n actually performed in your key store using your keys. KMS supports CloudHSM key stores\n backed by an CloudHSM cluster\n and external key stores backed by an external key store proxy and\n external key manager outside of Amazon Web Services.
\nThis operation is part of the custom key stores feature in KMS, which\ncombines the convenience and extensive integration of KMS with the isolation and control of a\nkey store that you own and manage.
\nBefore you create the custom key store, the required elements must be in place and\n operational. We recommend that you use the test tools that KMS provides to verify the\n configuration your external key store proxy. For details about the required elements and\n verification tests, see Assemble the prerequisites (for\n CloudHSM key stores) or Assemble the prerequisites (for\n external key stores) in the Key Management Service Developer Guide.
\nTo create a custom key store, use the following parameters.
\nTo create an CloudHSM key store, specify the CustomKeyStoreName
,\n CloudHsmClusterId
, KeyStorePassword
, and\n TrustAnchorCertificate
. The CustomKeyStoreType
parameter is\n optional for CloudHSM key stores. If you include it, set it to the default value,\n AWS_CLOUDHSM
. For help with failures, see Troubleshooting an CloudHSM key store in the\n Key Management Service Developer Guide.
To create an external key store, specify the CustomKeyStoreName
and a\n CustomKeyStoreType
of EXTERNAL_KEY_STORE
. Also, specify values\n for XksProxyConnectivity
, XksProxyAuthenticationCredential
,\n XksProxyUriEndpoint
, and XksProxyUriPath
. If your\n XksProxyConnectivity
value is VPC_ENDPOINT_SERVICE
, specify\n the XksProxyVpcEndpointServiceName
parameter. For help with failures, see\n Troubleshooting\n an external key store in the Key Management Service Developer Guide.
For external key stores:
\nSome external key managers provide a simpler method for creating an external key store.\n For details, see your external key manager documentation.
\nWhen creating an external key store in the KMS console, you can upload a JSON-based\n proxy configuration file with the desired values. You cannot use a proxy configuration\n with the CreateCustomKeyStore
operation. However, you can use the values in\n the file to help you determine the correct values for the CreateCustomKeyStore
\n parameters.
When the operation completes successfully, it returns the ID of the new custom key store.\n Before you can use your new custom key store, you need to use the ConnectCustomKeyStore operation to connect a new CloudHSM key store to its CloudHSM\n cluster, or to connect a new external key store to the external key store proxy for your\n external key manager. Even if you are not going to use your custom key store immediately, you\n might want to connect it to verify that all settings are correct and then disconnect it until\n you are ready to use it.
\nFor help with failures, see Troubleshooting a custom key store in the\n Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account.
\n\n Required permissions: kms:CreateCustomKeyStore (IAM policy).
\n\n Related operations:\n
\n\n DeleteCustomKeyStore\n
\n\n UpdateCustomKeyStore\n
\nCreates a custom key store backed by a key store that you own and manage. When you use a\n KMS key in a custom key store for a cryptographic operation, the cryptographic operation is\n actually performed in your key store using your keys. KMS supports CloudHSM key stores\n backed by an CloudHSM cluster\n and external key\n stores backed by an external key store proxy and external key manager outside of\n Amazon Web Services.
\nThis operation is part of the custom key stores feature in KMS, which\ncombines the convenience and extensive integration of KMS with the isolation and control of a\nkey store that you own and manage.
\nBefore you create the custom key store, the required elements must be in place and\n operational. We recommend that you use the test tools that KMS provides to verify the\n configuration your external key store proxy. For details about the required elements and\n verification tests, see Assemble the prerequisites (for\n CloudHSM key stores) or Assemble the prerequisites (for\n external key stores) in the Key Management Service Developer Guide.
\nTo create a custom key store, use the following parameters.
\nTo create an CloudHSM key store, specify the CustomKeyStoreName
,\n CloudHsmClusterId
, KeyStorePassword
, and\n TrustAnchorCertificate
. The CustomKeyStoreType
parameter is\n optional for CloudHSM key stores. If you include it, set it to the default value,\n AWS_CLOUDHSM
. For help with failures, see Troubleshooting an CloudHSM key store in the\n Key Management Service Developer Guide.
To create an external key store, specify the CustomKeyStoreName
and a\n CustomKeyStoreType
of EXTERNAL_KEY_STORE
. Also, specify values\n for XksProxyConnectivity
, XksProxyAuthenticationCredential
,\n XksProxyUriEndpoint
, and XksProxyUriPath
. If your\n XksProxyConnectivity
value is VPC_ENDPOINT_SERVICE
, specify\n the XksProxyVpcEndpointServiceName
parameter. For help with failures, see\n Troubleshooting\n an external key store in the Key Management Service Developer Guide.
For external key stores:
\nSome external key managers provide a simpler method for creating an external key store.\n For details, see your external key manager documentation.
\nWhen creating an external key store in the KMS console, you can upload a JSON-based\n proxy configuration file with the desired values. You cannot use a proxy configuration with\n the CreateCustomKeyStore
operation. However, you can use the values in the file\n to help you determine the correct values for the CreateCustomKeyStore
\n parameters.
When the operation completes successfully, it returns the ID of the new custom key store.\n Before you can use your new custom key store, you need to use the ConnectCustomKeyStore operation to connect a new CloudHSM key store to its CloudHSM\n cluster, or to connect a new external key store to the external key store proxy for your\n external key manager. Even if you are not going to use your custom key store immediately, you\n might want to connect it to verify that all settings are correct and then disconnect it until\n you are ready to use it.
\nFor help with failures, see Troubleshooting a custom key store in the\n Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account.
\n\n Required permissions: kms:CreateCustomKeyStore (IAM policy).
\n\n Related operations:\n
\n\n DeleteCustomKeyStore\n
\n\n UpdateCustomKeyStore\n
\nSpecifies the name of the Amazon VPC endpoint service for interface endpoints that is used to\n communicate with your external key store proxy (XKS proxy). This parameter is required when\n the value of CustomKeyStoreType
is EXTERNAL_KEY_STORE
and the value\n of XksProxyConnectivity
is VPC_ENDPOINT_SERVICE
.
The Amazon VPC endpoint service must fulfill all requirements for use with an external key\n store.
\n\n Uniqueness requirements:\n
\nExternal key stores with VPC_ENDPOINT_SERVICE
connectivity can share an\n Amazon VPC, but each external key store must have its own VPC endpoint service and private DNS\n name.
Specifies the name of the Amazon VPC endpoint service for interface endpoints that is used to\n communicate with your external key store proxy (XKS proxy). This parameter is required when\n the value of CustomKeyStoreType
is EXTERNAL_KEY_STORE
and the value\n of XksProxyConnectivity
is VPC_ENDPOINT_SERVICE
.
The Amazon VPC endpoint service must fulfill all\n requirements for use with an external key store.
\n\n Uniqueness requirements:\n
\nExternal key stores with VPC_ENDPOINT_SERVICE
connectivity can share an\n Amazon VPC, but each external key store must have its own VPC endpoint service and private DNS\n name.
Indicates how KMS communicates with the external key store proxy. This parameter is\n required for custom key stores with a CustomKeyStoreType
of\n EXTERNAL_KEY_STORE
.
If the external key store proxy uses a public endpoint, specify\n PUBLIC_ENDPOINT
. If the external key store proxy uses a Amazon VPC\n endpoint service for communication with KMS, specify VPC_ENDPOINT_SERVICE
. For\n help making this choice, see Choosing a connectivity option in the Key Management Service Developer Guide.
An Amazon VPC endpoint service keeps your communication with KMS in a private address space\n entirely within Amazon Web Services, but it requires more configuration, including establishing a Amazon VPC with multiple subnets, a VPC endpoint service, a network load balancer, and a\n verified private DNS name. A public endpoint is simpler to set up, but it might be slower and\n might not fulfill your security requirements. You might consider testing with a public\n endpoint, and then establishing a VPC endpoint service for production tasks. Note that this\n choice does not determine the location of the external key store proxy. Even if you choose a\n VPC endpoint service, the proxy can be hosted within the VPC or outside of Amazon Web Services such as in\n your corporate data center.
" + "smithy.api#documentation": "Indicates how KMS communicates with the external key store proxy. This parameter is\n required for custom key stores with a CustomKeyStoreType
of\n EXTERNAL_KEY_STORE
.
If the external key store proxy uses a public endpoint, specify\n PUBLIC_ENDPOINT
. If the external key store proxy uses a Amazon VPC\n endpoint service for communication with KMS, specify VPC_ENDPOINT_SERVICE
. For\n help making this choice, see Choosing a connectivity\n option in the Key Management Service Developer Guide.
An Amazon VPC endpoint service keeps your communication with KMS in a private address space\n entirely within Amazon Web Services, but it requires more configuration, including establishing a Amazon VPC with multiple subnets, a VPC endpoint service, a network load balancer, and a\n verified private DNS name. A public endpoint is simpler to set up, but it might be slower and\n might not fulfill your security requirements. You might consider testing with a public\n endpoint, and then establishing a VPC endpoint service for production tasks. Note that this\n choice does not determine the location of the external key store proxy. Even if you choose a\n VPC endpoint service, the proxy can be hosted within the VPC or outside of Amazon Web Services such as in\n your corporate data center.
" } } }, @@ -743,6 +743,9 @@ { "target": "com.amazonaws.kms#DisabledException" }, + { + "target": "com.amazonaws.kms#DryRunOperationException" + }, { "target": "com.amazonaws.kms#InvalidArnException" }, @@ -779,7 +782,7 @@ "GranteePrincipal": { "target": "com.amazonaws.kms#PrincipalIdType", "traits": { - "smithy.api#documentation": "The identity that gets the permissions specified in the grant.
\nTo specify the grantee principal, use the Amazon Resource Name (ARN) of an\n Amazon Web Services principal. Valid principals include Amazon Web Services accounts, IAM users, IAM roles,\n federated users, and assumed role users. For help with the ARN syntax for a principal, see\n IAM ARNs in the \n Identity and Access Management User Guide\n .
", + "smithy.api#documentation": "The identity that gets the permissions specified in the grant.
\nTo specify the grantee principal, use the Amazon Resource Name (ARN) of an Amazon Web Services\n principal. Valid principals include Amazon Web Services accounts, IAM users, IAM roles,\n federated users, and assumed role users. For help with the ARN syntax for a principal, see\n IAM ARNs in the \n Identity and Access Management User Guide\n .
", "smithy.api#required": {} } }, @@ -813,6 +816,12 @@ "traits": { "smithy.api#documentation": "A friendly name for the grant. Use this value to prevent the unintended creation of\n duplicate grants when retrying this request.
\nDo not include confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output.
\nWhen this value is absent, all CreateGrant
requests result in a new grant\n with a unique GrantId
even if all the supplied parameters are identical. This can\n result in unintended duplicates when you retry the CreateGrant
request.
When this value is present, you can retry a CreateGrant
request with\n identical parameters; if the grant already exists, the original GrantId
is\n returned without creating a new grant. Note that the returned grant token is unique with every\n CreateGrant
request, even when a duplicate GrantId
is returned.\n All grant tokens for the same grant ID can be used interchangeably.
Checks if your request will succeed. DryRun
is an optional parameter.
To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.
" + } } }, "traits": { @@ -889,7 +898,7 @@ } ], "traits": { - "smithy.api#documentation": "Creates a unique customer managed KMS key in your Amazon Web Services account and Region.\n You can use a KMS key in cryptographic operations, such as encryption and signing. Some Amazon Web Services\n services let you use KMS keys that you create and manage to protect your service\n resources.
\nA KMS key is a logical representation of a cryptographic key. In addition to the key\n material used in cryptographic operations, a KMS key includes metadata, such as the key ID,\n key policy, creation date, description, and key state. For details, see Managing keys in the\n Key Management Service Developer Guide\n
\nUse the parameters of CreateKey
to specify the type of KMS key, the source of\n its key material, its key policy, description, tags, and other properties.
KMS has replaced the term customer master key (CMK) with KMS key and KMS key. The concept has not changed. To prevent breaking changes, KMS is keeping some variations of this term.
\nTo create different types of KMS keys, use the following guidance:
\nBy default, CreateKey
creates a symmetric encryption KMS key with key\n material that KMS generates. This is the basic and most widely used type of KMS key, and\n provides the best performance.
To create a symmetric encryption KMS key, you don't need to specify any parameters.\n The default value for KeySpec
, SYMMETRIC_DEFAULT
, the default\n value for KeyUsage
, ENCRYPT_DECRYPT
, and the default value for\n Origin
, AWS_KMS
, create a symmetric encryption KMS key with\n KMS key material.
If you need a key for basic encryption and decryption or you are creating a KMS key\n to protect your resources in an Amazon Web Services service, create a symmetric encryption KMS key.\n The key material in a symmetric encryption key never leaves KMS unencrypted. You can\n use a symmetric encryption KMS key to encrypt and decrypt data up to 4,096 bytes, but\n they are typically used to generate data keys and data keys pairs. For details, see\n GenerateDataKey and GenerateDataKeyPair.
\n\n
To create an asymmetric KMS key, use the KeySpec
parameter to specify\n the type of key material in the KMS key. Then, use the KeyUsage
parameter\n to determine whether the KMS key will be used to encrypt and decrypt or sign and verify.\n You can't change these properties after the KMS key is created.
Asymmetric KMS keys contain an RSA key pair, Elliptic Curve (ECC) key pair, or an SM2 key pair (China Regions only). The private key in an asymmetric \n KMS key never leaves KMS unencrypted. However, you can use the GetPublicKey operation to download the public key\n so it can be used outside of KMS. KMS keys with RSA or SM2 key pairs can be used to encrypt or decrypt data or sign and verify messages (but not both). \n KMS keys with ECC key pairs can be used only to sign and verify messages. \n For information about asymmetric KMS keys, see Asymmetric KMS keys in the Key Management Service Developer Guide.
\n\n
To create an HMAC KMS key, set the KeySpec
parameter to a key spec\n value for HMAC KMS keys. Then set the KeyUsage
parameter to\n GENERATE_VERIFY_MAC
. You must set the key usage even though\n GENERATE_VERIFY_MAC
is the only valid key usage value for HMAC KMS keys.\n You can't change these properties after the KMS key is created.
HMAC KMS keys are symmetric keys that never leave KMS unencrypted. You can use\n HMAC keys to generate (GenerateMac) and verify (VerifyMac) HMAC codes for messages up to 4096 bytes.
\n\n
To create a multi-Region primary key in the local Amazon Web Services Region,\n use the MultiRegion
parameter with a value of True
. To create\n a multi-Region replica key, that is, a KMS key with the same key ID\n and key material as a primary key, but in a different Amazon Web Services Region, use the ReplicateKey operation. To change a replica key to a primary key, and its\n primary key to a replica key, use the UpdatePrimaryRegion\n operation.
You can create multi-Region KMS keys for all supported KMS key types: symmetric\n encryption KMS keys, HMAC KMS keys, asymmetric encryption KMS keys, and asymmetric\n signing KMS keys. You can also create multi-Region keys with imported key material.\n However, you can't create multi-Region keys in a custom key store.
\nThis operation supports multi-Region keys, an KMS feature that lets you create multiple\n interoperable KMS keys in different Amazon Web Services Regions. Because these KMS keys have the same key ID, key\n material, and other metadata, you can use them interchangeably to encrypt data in one Amazon Web Services Region and decrypt\n it in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more information about multi-Region keys, see Multi-Region keys in KMS in the Key Management Service Developer Guide.
\n\n
To import your own key material into a KMS key, begin by creating a KMS key with no\n key material. To do this, use the Origin
parameter of\n CreateKey
with a value of EXTERNAL
. Next, use GetParametersForImport operation to get a public key and import token. Use\n the wrapping public key to encrypt your key material. Then, use ImportKeyMaterial with your import token to import the key material. For step-by-step instructions, see\n Importing Key Material in the \n Key Management Service Developer Guide\n .
You can import key material into KMS keys of all supported KMS key types: symmetric\n encryption KMS keys, HMAC KMS keys, asymmetric encryption KMS keys, and asymmetric\n signing KMS keys. You can also create multi-Region keys with imported key material.\n However, you can't import key material into a KMS key in a custom key store.
\nTo create a multi-Region primary key with imported key material, use the\n Origin
parameter of CreateKey
with a value of\n EXTERNAL
and the MultiRegion
parameter with a value of\n True
. To create replicas of the multi-Region primary key, use the ReplicateKey operation. For instructions, see Importing key material into\n multi-Region keys. For more information about multi-Region keys, see Multi-Region keys in KMS in the Key Management Service Developer Guide.
\n
A custom key store lets you protect your Amazon Web Services resources using keys in a backing key\n store that you own and manage. When you request a cryptographic operation with a KMS key\n in a custom key store, the operation is performed in the backing key store using its\n cryptographic keys.
\nKMS supports CloudHSM key stores backed by an CloudHSM cluster and external key stores backed by an\n external key manager outside of Amazon Web Services. When you create a KMS key in an CloudHSM key store,\n KMS generates an encryption key in the CloudHSM cluster and associates it with the KMS\n key. When you create a KMS key in an external key store, you specify an existing\n encryption key in the external key manager.
\nSome external key managers provide a simpler method for creating a KMS key in an\n external key store. For details, see your external key manager documentation.
\nBefore you create a KMS key in a custom key store, the ConnectionState
\n of the key store must be CONNECTED
. To connect the custom key store, use\n the ConnectCustomKeyStore operation. To find the\n ConnectionState
, use the DescribeCustomKeyStores\n operation.
To create a KMS key in a custom key store, use the CustomKeyStoreId
.\n Use the default KeySpec
value, SYMMETRIC_DEFAULT
, and the\n default KeyUsage
value, ENCRYPT_DECRYPT
to create a symmetric\n encryption key. No other key type is supported in a custom key store.
To create a KMS key in an CloudHSM key store, use the\n Origin
parameter with a value of AWS_CLOUDHSM
. The CloudHSM\n cluster that is associated with the custom key store must have at least two active HSMs\n in different Availability Zones in the Amazon Web Services Region.
To create a KMS key in an external key store, use the Origin
parameter\n with a value of EXTERNAL_KEY_STORE
and an XksKeyId
parameter\n that identifies an existing external key.
Some external key managers provide a simpler method for creating a KMS key in an\n external key store. For details, see your external key manager documentation.
\n\n Cross-account use: No. You cannot use this operation to\n create a KMS key in a different Amazon Web Services account.
\n\n Required permissions: kms:CreateKey (IAM policy). To use the\n Tags
parameter, kms:TagResource (IAM policy). For examples and information about related\n permissions, see Allow a user to create\n KMS keys in the Key Management Service Developer Guide.
\n Related operations:\n
\n\n DescribeKey\n
\n\n ListKeys\n
\n\n ScheduleKeyDeletion\n
\nCreates a unique customer managed KMS key in your Amazon Web Services account and Region.\n You can use a KMS key in cryptographic operations, such as encryption and signing. Some Amazon Web Services\n services let you use KMS keys that you create and manage to protect your service\n resources.
\nA KMS key is a logical representation of a cryptographic key. In addition to the key\n material used in cryptographic operations, a KMS key includes metadata, such as the key ID,\n key policy, creation date, description, and key state. For details, see Managing keys in the\n Key Management Service Developer Guide\n
\nUse the parameters of CreateKey
to specify the type of KMS key, the source of\n its key material, its key policy, description, tags, and other properties.
KMS has replaced the term customer master key (CMK) with KMS key and KMS key. The concept has not changed. To prevent breaking changes, KMS is keeping some variations of this term.
\nTo create different types of KMS keys, use the following guidance:
\nBy default, CreateKey
creates a symmetric encryption KMS key with key\n material that KMS generates. This is the basic and most widely used type of KMS key, and\n provides the best performance.
To create a symmetric encryption KMS key, you don't need to specify any parameters.\n The default value for KeySpec
, SYMMETRIC_DEFAULT
, the default\n value for KeyUsage
, ENCRYPT_DECRYPT
, and the default value for\n Origin
, AWS_KMS
, create a symmetric encryption KMS key with\n KMS key material.
If you need a key for basic encryption and decryption or you are creating a KMS key\n to protect your resources in an Amazon Web Services service, create a symmetric encryption KMS key.\n The key material in a symmetric encryption key never leaves KMS unencrypted. You can\n use a symmetric encryption KMS key to encrypt and decrypt data up to 4,096 bytes, but\n they are typically used to generate data keys and data keys pairs. For details, see\n GenerateDataKey and GenerateDataKeyPair.
\n\n
To create an asymmetric KMS key, use the KeySpec
parameter to specify\n the type of key material in the KMS key. Then, use the KeyUsage
parameter\n to determine whether the KMS key will be used to encrypt and decrypt or sign and verify.\n You can't change these properties after the KMS key is created.
Asymmetric KMS keys contain an RSA key pair, Elliptic Curve (ECC) key pair, or an\n SM2 key pair (China Regions only). The private key in an asymmetric KMS key never leaves\n KMS unencrypted. However, you can use the GetPublicKey operation to\n download the public key so it can be used outside of KMS. KMS keys with RSA or SM2 key\n pairs can be used to encrypt or decrypt data or sign and verify messages (but not both).\n KMS keys with ECC key pairs can be used only to sign and verify messages. For\n information about asymmetric KMS keys, see Asymmetric KMS keys in the\n Key Management Service Developer Guide.
\n\n
To create an HMAC KMS key, set the KeySpec
parameter to a key spec\n value for HMAC KMS keys. Then set the KeyUsage
parameter to\n GENERATE_VERIFY_MAC
. You must set the key usage even though\n GENERATE_VERIFY_MAC
is the only valid key usage value for HMAC KMS keys.\n You can't change these properties after the KMS key is created.
HMAC KMS keys are symmetric keys that never leave KMS unencrypted. You can use\n HMAC keys to generate (GenerateMac) and verify (VerifyMac) HMAC codes for messages up to 4096 bytes.
\n\n
To create a multi-Region primary key in the local Amazon Web Services Region,\n use the MultiRegion
parameter with a value of True
. To create\n a multi-Region replica key, that is, a KMS key with the same key ID\n and key material as a primary key, but in a different Amazon Web Services Region, use the ReplicateKey operation. To change a replica key to a primary key, and its\n primary key to a replica key, use the UpdatePrimaryRegion\n operation.
You can create multi-Region KMS keys for all supported KMS key types: symmetric\n encryption KMS keys, HMAC KMS keys, asymmetric encryption KMS keys, and asymmetric\n signing KMS keys. You can also create multi-Region keys with imported key material.\n However, you can't create multi-Region keys in a custom key store.
\nThis operation supports multi-Region keys, an KMS feature that lets you create multiple\n interoperable KMS keys in different Amazon Web Services Regions. Because these KMS keys have the same key ID, key\n material, and other metadata, you can use them interchangeably to encrypt data in one Amazon Web Services Region and decrypt\n it in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more information about multi-Region keys, see Multi-Region keys in KMS in the Key Management Service Developer Guide.
\n\n
To import your own key material into a KMS key, begin by creating a KMS key with no\n key material. To do this, use the Origin
parameter of\n CreateKey
with a value of EXTERNAL
. Next, use GetParametersForImport operation to get a public key and import token. Use\n the wrapping public key to encrypt your key material. Then, use ImportKeyMaterial with your import token to import the key material. For\n step-by-step instructions, see Importing Key Material in the \n Key Management Service Developer Guide\n .
You can import key material into KMS keys of all supported KMS key types: symmetric\n encryption KMS keys, HMAC KMS keys, asymmetric encryption KMS keys, and asymmetric\n signing KMS keys. You can also create multi-Region keys with imported key material.\n However, you can't import key material into a KMS key in a custom key store.
\nTo create a multi-Region primary key with imported key material, use the\n Origin
parameter of CreateKey
with a value of\n EXTERNAL
and the MultiRegion
parameter with a value of\n True
. To create replicas of the multi-Region primary key, use the ReplicateKey operation. For instructions, see Importing key material into\n multi-Region keys. For more information about multi-Region keys, see Multi-Region keys in KMS in the Key Management Service Developer Guide.
\n
A custom key store lets you protect your Amazon Web Services resources using keys in a backing key\n store that you own and manage. When you request a cryptographic operation with a KMS key\n in a custom key store, the operation is performed in the backing key store using its\n cryptographic keys.
\nKMS supports CloudHSM key stores backed by an CloudHSM cluster and external key stores backed by an\n external key manager outside of Amazon Web Services. When you create a KMS key in an CloudHSM key store,\n KMS generates an encryption key in the CloudHSM cluster and associates it with the KMS\n key. When you create a KMS key in an external key store, you specify an existing\n encryption key in the external key manager.
\nSome external key managers provide a simpler method for creating a KMS key in an\n external key store. For details, see your external key manager documentation.
\nBefore you create a KMS key in a custom key store, the ConnectionState
\n of the key store must be CONNECTED
. To connect the custom key store, use\n the ConnectCustomKeyStore operation. To find the\n ConnectionState
, use the DescribeCustomKeyStores\n operation.
To create a KMS key in a custom key store, use the CustomKeyStoreId
.\n Use the default KeySpec
value, SYMMETRIC_DEFAULT
, and the\n default KeyUsage
value, ENCRYPT_DECRYPT
to create a symmetric\n encryption key. No other key type is supported in a custom key store.
To create a KMS key in an CloudHSM key store, use the\n Origin
parameter with a value of AWS_CLOUDHSM
. The CloudHSM\n cluster that is associated with the custom key store must have at least two active HSMs\n in different Availability Zones in the Amazon Web Services Region.
To create a KMS key in an external key store, use the\n Origin
parameter with a value of EXTERNAL_KEY_STORE
and an\n XksKeyId
parameter that identifies an existing external key.
Some external key managers provide a simpler method for creating a KMS key in an\n external key store. For details, see your external key manager documentation.
\n\n Cross-account use: No. You cannot use this operation to\n create a KMS key in a different Amazon Web Services account.
\n\n Required permissions: kms:CreateKey (IAM policy). To use the\n Tags
parameter, kms:TagResource (IAM policy). For examples and information about related\n permissions, see Allow a user to create\n KMS keys in the Key Management Service Developer Guide.
\n Related operations:\n
\n\n DescribeKey\n
\n\n ListKeys\n
\n\n ScheduleKeyDeletion\n
\nA description of the KMS key. Use a description that helps you decide whether the KMS key is appropriate for a task. The\n default value is an empty string (no description).
\nDo not include confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output.
\nTo set or change the description after the key is created, use UpdateKeyDescription.
" + "smithy.api#documentation": "A description of the KMS key. Use a description that helps you decide whether the KMS key\n is appropriate for a task. The default value is an empty string (no description).
\nDo not include confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output.
\nTo set or change the description after the key is created, use UpdateKeyDescription.
" } }, "KeyUsage": { "target": "com.amazonaws.kms#KeyUsageType", "traits": { - "smithy.api#documentation": "Determines the cryptographic operations for which you can use the KMS key. The default value is\n ENCRYPT_DECRYPT
. This parameter is optional when you are creating a symmetric\n encryption KMS key; otherwise, it is required. You can't change the KeyUsage
\n value after the KMS key is created.
Select only one valid value.
\nFor symmetric encryption KMS keys, omit the parameter or specify\n ENCRYPT_DECRYPT
.
For HMAC KMS keys (symmetric), specify GENERATE_VERIFY_MAC
.
For asymmetric KMS keys with RSA key material, specify ENCRYPT_DECRYPT
or\n SIGN_VERIFY
.
For asymmetric KMS keys with ECC key material, specify\n SIGN_VERIFY
.
For asymmetric KMS keys with SM2 key material (China Regions only), specify ENCRYPT_DECRYPT
or\n SIGN_VERIFY
.
Determines the cryptographic operations for which you can use the KMS key. The default value is\n ENCRYPT_DECRYPT
. This parameter is optional when you are creating a symmetric\n encryption KMS key; otherwise, it is required. You can't change the KeyUsage
\n value after the KMS key is created.
Select only one valid value.
\nFor symmetric encryption KMS keys, omit the parameter or specify\n ENCRYPT_DECRYPT
.
For HMAC KMS keys (symmetric), specify GENERATE_VERIFY_MAC
.
For asymmetric KMS keys with RSA key material, specify ENCRYPT_DECRYPT
or\n SIGN_VERIFY
.
For asymmetric KMS keys with ECC key material, specify\n SIGN_VERIFY
.
For asymmetric KMS keys with SM2 key material (China Regions only), specify\n ENCRYPT_DECRYPT
or SIGN_VERIFY
.
Specifies the type of KMS key to create. The default value,\n SYMMETRIC_DEFAULT
, creates a KMS key with a 256-bit AES-GCM key that is used for encryption and decryption, except in China Regions, \n where it creates a 128-bit symmetric key that uses SM4 encryption. For help choosing a key spec for your KMS key, see Choosing a KMS key type in the \n Key Management Service Developer Guide\n .
The KeySpec
determines whether the KMS key contains a symmetric key or an\n asymmetric key pair. It also determines the algorithms that the KMS key supports. You can't\n change the KeySpec
after the KMS key is created. To further restrict the\n algorithms that can be used with the KMS key, use a condition key in its key policy or IAM\n policy. For more information, see kms:EncryptionAlgorithm, kms:MacAlgorithm or kms:Signing Algorithm in the \n Key Management Service Developer Guide\n .
\n Amazon Web Services services that\n are integrated with KMS use symmetric encryption KMS keys to protect your data.\n These services do not support asymmetric KMS keys or HMAC KMS keys.
\nKMS supports the following key specs for KMS keys:
\nSymmetric encryption key (default)
\n\n SYMMETRIC_DEFAULT
\n
HMAC keys (symmetric)
\n\n HMAC_224
\n
\n HMAC_256
\n
\n HMAC_384
\n
\n HMAC_512
\n
Asymmetric RSA key pairs
\n\n RSA_2048
\n
\n RSA_3072
\n
\n RSA_4096
\n
Asymmetric NIST-recommended elliptic curve key pairs
\n\n ECC_NIST_P256
(secp256r1)
\n ECC_NIST_P384
(secp384r1)
\n ECC_NIST_P521
(secp521r1)
Other asymmetric elliptic curve key pairs
\n\n ECC_SECG_P256K1
(secp256k1), commonly used for\n cryptocurrencies.
SM2 key pairs (China Regions only)
\n\n SM2
\n
Specifies the type of KMS key to create. The default value,\n SYMMETRIC_DEFAULT
, creates a KMS key with a 256-bit AES-GCM key that is used for\n encryption and decryption, except in China Regions, where it creates a 128-bit symmetric key\n that uses SM4 encryption. For help choosing a key spec for your KMS key, see Choosing a KMS key type in the \n Key Management Service Developer Guide\n .
The KeySpec
determines whether the KMS key contains a symmetric key or an\n asymmetric key pair. It also determines the algorithms that the KMS key supports. You can't\n change the KeySpec
after the KMS key is created. To further restrict the\n algorithms that can be used with the KMS key, use a condition key in its key policy or IAM\n policy. For more information, see kms:EncryptionAlgorithm, kms:MacAlgorithm or kms:Signing Algorithm in the \n Key Management Service Developer Guide\n .
\n Amazon Web Services services that\n are integrated with KMS use symmetric encryption KMS keys to protect your data.\n These services do not support asymmetric KMS keys or HMAC KMS keys.
\nKMS supports the following key specs for KMS keys:
\nSymmetric encryption key (default)
\n\n SYMMETRIC_DEFAULT
\n
HMAC keys (symmetric)
\n\n HMAC_224
\n
\n HMAC_256
\n
\n HMAC_384
\n
\n HMAC_512
\n
Asymmetric RSA key pairs
\n\n RSA_2048
\n
\n RSA_3072
\n
\n RSA_4096
\n
Asymmetric NIST-recommended elliptic curve key pairs
\n\n ECC_NIST_P256
(secp256r1)
\n ECC_NIST_P384
(secp384r1)
\n ECC_NIST_P521
(secp521r1)
Other asymmetric elliptic curve key pairs
\n\n ECC_SECG_P256K1
(secp256k1), commonly used for\n cryptocurrencies.
SM2 key pairs (China Regions only)
\n\n SM2
\n
The source of the key material for the KMS key. You cannot change the origin after you\n create the KMS key. The default is AWS_KMS
, which means that KMS creates the\n key material.
To create a\n KMS key with no key material (for imported key material), set this value to\n EXTERNAL
. For more information about importing key material into KMS, see\n Importing Key\n Material in the Key Management Service Developer Guide. The EXTERNAL
origin value is valid\n only for symmetric KMS keys.
To create a KMS key in an CloudHSM key store and create its key\n material in the associated CloudHSM cluster, set this value to AWS_CLOUDHSM
. You\n must also use the CustomKeyStoreId
parameter to identify the CloudHSM key store. The\n KeySpec
value must be SYMMETRIC_DEFAULT
.
To create a KMS key in\n an external key store, set this value to EXTERNAL_KEY_STORE
. You must\n also use the CustomKeyStoreId
parameter to identify the external key store and\n the XksKeyId
parameter to identify the associated external key. The\n KeySpec
value must be SYMMETRIC_DEFAULT
.
The source of the key material for the KMS key. You cannot change the origin after you\n create the KMS key. The default is AWS_KMS
, which means that KMS creates the\n key material.
To create a\n KMS key with no key material (for imported key material), set this value to\n EXTERNAL
. For more information about importing key material into KMS, see\n Importing Key\n Material in the Key Management Service Developer Guide. The EXTERNAL
origin value is valid\n only for symmetric KMS keys.
To create a KMS\n key in an CloudHSM key store and create its key material in the associated CloudHSM\n cluster, set this value to AWS_CLOUDHSM
. You must also use the\n CustomKeyStoreId
parameter to identify the CloudHSM key store. The\n KeySpec
value must be SYMMETRIC_DEFAULT
.
To create a KMS key in\n an external key store, set this value to EXTERNAL_KEY_STORE
. You must\n also use the CustomKeyStoreId
parameter to identify the external key store and\n the XksKeyId
parameter to identify the associated external key. The\n KeySpec
value must be SYMMETRIC_DEFAULT
.
Creates the KMS key in the specified custom key store. The ConnectionState
of\n the custom key store must be CONNECTED
. To find the CustomKeyStoreID and\n ConnectionState use the DescribeCustomKeyStores operation.
This parameter is valid only for symmetric encryption KMS keys in a single Region. You\n cannot create any other type of KMS key in a custom key store.
\nWhen you create a KMS key in an CloudHSM key store, KMS generates a non-exportable 256-bit\n symmetric key in its associated CloudHSM cluster and associates it with the KMS key. When you\n create a KMS key in an external key store, you must use the XksKeyId
parameter to specify an\n external key that serves as key material for the KMS key.
Creates the KMS key in the specified custom key store. The ConnectionState
of\n the custom key store must be CONNECTED
. To find the CustomKeyStoreID and\n ConnectionState use the DescribeCustomKeyStores operation.
This parameter is valid only for symmetric encryption KMS keys in a single Region. You\n cannot create any other type of KMS key in a custom key store.
\nWhen you create a KMS key in an CloudHSM key store, KMS generates a non-exportable 256-bit\n symmetric key in its associated CloudHSM cluster and associates it with the KMS key. When you\n create a KMS key in an external key store, you must use the XksKeyId
parameter to\n specify an external key that serves as key material for the KMS key.
Describes the connection error. This field appears in the response only when the\n ConnectionState
is FAILED
.
Many failures can be resolved by updating the properties of the custom key store. To\n update a custom key store, disconnect it (DisconnectCustomKeyStore), correct\n the errors (UpdateCustomKeyStore), and try to connect again (ConnectCustomKeyStore). For additional help resolving these errors, see How to Fix a\n Connection Failure in Key Management Service Developer Guide.
\n\n All custom key stores:\n
\n\n INTERNAL_ERROR
— KMS could not complete the request due to an\n internal error. Retry the request. For ConnectCustomKeyStore
requests,\n disconnect the custom key store before trying to connect again.
\n NETWORK_ERRORS
— Network errors are preventing KMS from\n connecting the custom key store to its backing key store.
\n CloudHSM key stores:\n
\n\n CLUSTER_NOT_FOUND
— KMS cannot find the CloudHSM cluster with the\n specified cluster ID.
\n INSUFFICIENT_CLOUDHSM_HSMS
— The associated CloudHSM cluster does not\n contain any active HSMs. To connect a custom key store to its CloudHSM cluster, the cluster\n must contain at least one active HSM.
\n INSUFFICIENT_FREE_ADDRESSES_IN_SUBNET
— At least one private subnet\n associated with the CloudHSM cluster doesn't have any available IP addresses. A CloudHSM key\n store connection requires one free IP address in each of the associated private subnets,\n although two are preferable. For details, see How to Fix a Connection\n Failure in the Key Management Service Developer Guide.
\n INVALID_CREDENTIALS
— The KeyStorePassword
for the\n custom key store doesn't match the current password of the kmsuser
crypto\n user in the CloudHSM cluster. Before you can connect your custom key store to its CloudHSM\n cluster, you must change the kmsuser
account password and update the\n KeyStorePassword
value for the custom key store.
\n SUBNET_NOT_FOUND
— A subnet in the CloudHSM cluster configuration was\n deleted. If KMS cannot find all of the subnets in the cluster configuration, attempts to\n connect the custom key store to the CloudHSM cluster fail. To fix this error, create a\n cluster from a recent backup and associate it with your custom key store. (This process\n creates a new cluster configuration with a VPC and private subnets.) For details, see\n How\n to Fix a Connection Failure in the Key Management Service Developer Guide.
\n USER_LOCKED_OUT
— The kmsuser
CU account is locked\n out of the associated CloudHSM cluster due to too many failed password attempts. Before you\n can connect your custom key store to its CloudHSM cluster, you must change the\n kmsuser
account password and update the key store password value for the\n custom key store.
\n USER_LOGGED_IN
— The kmsuser
CU account is logged\n into the associated CloudHSM cluster. This prevents KMS from rotating the\n kmsuser
account password and logging into the cluster. Before you can\n connect your custom key store to its CloudHSM cluster, you must log the kmsuser
\n CU out of the cluster. If you changed the kmsuser
password to log into the\n cluster, you must also and update the key store password value for the custom key store.\n For help, see How to Log Out and\n Reconnect in the Key Management Service Developer Guide.
\n USER_NOT_FOUND
— KMS cannot find a kmsuser
CU\n account in the associated CloudHSM cluster. Before you can connect your custom key store to\n its CloudHSM cluster, you must create a kmsuser
CU account in the cluster, and\n then update the key store password value for the custom key store.
\n External key stores:\n
\n\n INVALID_CREDENTIALS
— One or both of the\n XksProxyAuthenticationCredential
values is not valid on the specified\n external key store proxy.
\n XKS_PROXY_ACCESS_DENIED
— KMS requests are denied access to the\n external key store proxy. If the external key store proxy has authorization rules, verify\n that they permit KMS to communicate with the proxy on your behalf.
\n XKS_PROXY_INVALID_CONFIGURATION
— A configuration error is\n preventing the external key store from connecting to its proxy. Verify the value of the\n XksProxyUriPath
.
\n XKS_PROXY_INVALID_RESPONSE
— KMS cannot interpret the response\n from the external key store proxy. If you see this connection error code repeatedly,\n notify your external key store proxy vendor.
\n XKS_PROXY_INVALID_TLS_CONFIGURATION
— KMS cannot connect to the\n external key store proxy because the TLS configuration is invalid. Verify that the XKS\n proxy supports TLS 1.2 or 1.3. Also, verify that the TLS certificate is not expired, and\n that it matches the hostname in the XksProxyUriEndpoint
value, and that it is\n signed by a certificate authority included in the Trusted Certificate Authorities\n list.
\n XKS_PROXY_NOT_REACHABLE
— KMS can't communicate with your\n external key store proxy. Verify that the XksProxyUriEndpoint
and\n XksProxyUriPath
are correct. Use the tools for your external key store\n proxy to verify that the proxy is active and available on its network. Also, verify that\n your external key manager instances are operating properly. Connection attempts fail with\n this connection error code if the proxy reports that all external key manager instances\n are unavailable.
\n XKS_PROXY_TIMED_OUT
— KMS can connect to the external key store\n proxy, but the proxy does not respond to KMS in the time allotted. If you see this\n connection error code repeatedly, notify your external key store proxy vendor.
\n XKS_VPC_ENDPOINT_SERVICE_INVALID_CONFIGURATION
— The Amazon VPC\n endpoint service configuration doesn't conform to the requirements for an KMS external\n key store.
The VPC endpoint service must be an endpoint service for interface endpoints in the caller's Amazon Web Services account.
\nIt must have a network load balancer (NLB) connected to at least two subnets, each in a different Availability Zone.
\nThe Allow principals
list must include \n\t the KMS service principal for the Region, cks.kms.
, \n\t such as cks.kms.us-east-1.amazonaws.com
.
It must not require acceptance of connection requests.
\nIt must have a private DNS name. The private DNS name for an external key store with VPC_ENDPOINT_SERVICE
connectivity\n\t must be unique in its Amazon Web Services Region.
The domain of the private DNS name must have a verification status of\n\t verified
.
The TLS certificate specifies the private DNS hostname at which the endpoint is reachable.
\n\n XKS_VPC_ENDPOINT_SERVICE_NOT_FOUND
— KMS can't find the VPC\n endpoint service that it uses to communicate with the external key store proxy. Verify\n that the XksProxyVpcEndpointServiceName
is correct and the KMS service\n principal has service consumer permissions on the Amazon VPC endpoint service.
Describes the connection error. This field appears in the response only when the\n ConnectionState
is FAILED
.
Many failures can be resolved by updating the properties of the custom key store. To\n update a custom key store, disconnect it (DisconnectCustomKeyStore), correct\n the errors (UpdateCustomKeyStore), and try to connect again (ConnectCustomKeyStore). For additional help resolving these errors, see How to Fix a\n Connection Failure in Key Management Service Developer Guide.
\n\n All custom key stores:\n
\n\n INTERNAL_ERROR
— KMS could not complete the request due to an\n internal error. Retry the request. For ConnectCustomKeyStore
requests,\n disconnect the custom key store before trying to connect again.
\n NETWORK_ERRORS
— Network errors are preventing KMS from\n connecting the custom key store to its backing key store.
\n CloudHSM key stores:\n
\n\n CLUSTER_NOT_FOUND
— KMS cannot find the CloudHSM cluster with the\n specified cluster ID.
\n INSUFFICIENT_CLOUDHSM_HSMS
— The associated CloudHSM cluster does not\n contain any active HSMs. To connect a custom key store to its CloudHSM cluster, the cluster\n must contain at least one active HSM.
\n INSUFFICIENT_FREE_ADDRESSES_IN_SUBNET
— At least one private\n subnet associated with the CloudHSM cluster doesn't have any available IP addresses. A CloudHSM\n key store connection requires one free IP address in each of the associated private\n subnets, although two are preferable. For details, see How to Fix a Connection\n Failure in the Key Management Service Developer Guide.
\n INVALID_CREDENTIALS
— The KeyStorePassword
for the\n custom key store doesn't match the current password of the kmsuser
crypto\n user in the CloudHSM cluster. Before you can connect your custom key store to its CloudHSM\n cluster, you must change the kmsuser
account password and update the\n KeyStorePassword
value for the custom key store.
\n SUBNET_NOT_FOUND
— A subnet in the CloudHSM cluster configuration was\n deleted. If KMS cannot find all of the subnets in the cluster configuration, attempts to\n connect the custom key store to the CloudHSM cluster fail. To fix this error, create a\n cluster from a recent backup and associate it with your custom key store. (This process\n creates a new cluster configuration with a VPC and private subnets.) For details, see\n How\n to Fix a Connection Failure in the Key Management Service Developer Guide.
\n USER_LOCKED_OUT
— The kmsuser
CU account is locked\n out of the associated CloudHSM cluster due to too many failed password attempts. Before you\n can connect your custom key store to its CloudHSM cluster, you must change the\n kmsuser
account password and update the key store password value for the\n custom key store.
\n USER_LOGGED_IN
— The kmsuser
CU account is logged\n into the associated CloudHSM cluster. This prevents KMS from rotating the\n kmsuser
account password and logging into the cluster. Before you can\n connect your custom key store to its CloudHSM cluster, you must log the kmsuser
\n CU out of the cluster. If you changed the kmsuser
password to log into the\n cluster, you must also and update the key store password value for the custom key store.\n For help, see How to Log Out and\n Reconnect in the Key Management Service Developer Guide.
\n USER_NOT_FOUND
— KMS cannot find a kmsuser
CU\n account in the associated CloudHSM cluster. Before you can connect your custom key store to\n its CloudHSM cluster, you must create a kmsuser
CU account in the cluster, and\n then update the key store password value for the custom key store.
\n External key stores:\n
\n\n INVALID_CREDENTIALS
— One or both of the\n XksProxyAuthenticationCredential
values is not valid on the specified\n external key store proxy.
\n XKS_PROXY_ACCESS_DENIED
— KMS requests are denied access to the\n external key store proxy. If the external key store proxy has authorization rules, verify\n that they permit KMS to communicate with the proxy on your behalf.
\n XKS_PROXY_INVALID_CONFIGURATION
— A configuration error is\n preventing the external key store from connecting to its proxy. Verify the value of the\n XksProxyUriPath
.
\n XKS_PROXY_INVALID_RESPONSE
— KMS cannot interpret the response\n from the external key store proxy. If you see this connection error code repeatedly,\n notify your external key store proxy vendor.
\n XKS_PROXY_INVALID_TLS_CONFIGURATION
— KMS cannot connect to the\n external key store proxy because the TLS configuration is invalid. Verify that the XKS\n proxy supports TLS 1.2 or 1.3. Also, verify that the TLS certificate is not expired, and\n that it matches the hostname in the XksProxyUriEndpoint
value, and that it is\n signed by a certificate authority included in the Trusted Certificate Authorities list.
\n XKS_PROXY_NOT_REACHABLE
— KMS can't communicate with your\n external key store proxy. Verify that the XksProxyUriEndpoint
and\n XksProxyUriPath
are correct. Use the tools for your external key store\n proxy to verify that the proxy is active and available on its network. Also, verify that\n your external key manager instances are operating properly. Connection attempts fail with\n this connection error code if the proxy reports that all external key manager instances\n are unavailable.
\n XKS_PROXY_TIMED_OUT
— KMS can connect to the external key store\n proxy, but the proxy does not respond to KMS in the time allotted. If you see this\n connection error code repeatedly, notify your external key store proxy vendor.
\n XKS_VPC_ENDPOINT_SERVICE_INVALID_CONFIGURATION
— The Amazon VPC\n endpoint service configuration doesn't conform to the requirements for an KMS external\n key store.
The VPC endpoint service must be an endpoint service for interface endpoints in the caller's Amazon Web Services account.
\nIt must have a network load balancer (NLB) connected to at least two subnets, each in a different Availability Zone.
\nThe Allow principals
list must include \n\t the KMS service principal for the Region, cks.kms.
, \n\t such as cks.kms.us-east-1.amazonaws.com
.
It must not require acceptance of connection requests.
\nIt must have a private DNS name. The private DNS name for an external key store with VPC_ENDPOINT_SERVICE
connectivity\n\t must be unique in its Amazon Web Services Region.
The domain of the private DNS name must have a verification status of\n\t verified
.
The TLS certificate specifies the private DNS hostname at which the endpoint is reachable.
\n\n XKS_VPC_ENDPOINT_SERVICE_NOT_FOUND
— KMS can't find the VPC\n endpoint service that it uses to communicate with the external key store proxy. Verify\n that the XksProxyVpcEndpointServiceName
is correct and the KMS service\n principal has service consumer permissions on the Amazon VPC endpoint service.
Decrypts ciphertext that was encrypted by a KMS key using any of the following\n operations:
\n\n Encrypt\n
\n\n GenerateDataKey\n
\n\n GenerateDataKeyPair\n
\nYou can use this operation to decrypt ciphertext that was encrypted under a symmetric\n encryption KMS key or an asymmetric encryption KMS key. When the KMS key is asymmetric, you\n must specify the KMS key and the encryption algorithm that was used to encrypt the ciphertext.\n For information about asymmetric KMS keys, see Asymmetric KMS keys in the Key Management Service Developer Guide.
\nThe Decrypt
operation also decrypts ciphertext that was encrypted outside of\n KMS by the public key in an KMS asymmetric KMS key. However, it cannot decrypt symmetric\n ciphertext produced by other libraries, such as the Amazon Web Services Encryption SDK or Amazon S3 client-side encryption.\n These libraries return a ciphertext format that is incompatible with KMS.
If the ciphertext was encrypted under a symmetric encryption KMS key, the\n KeyId
parameter is optional. KMS can get this information from metadata that\n it adds to the symmetric ciphertext blob. This feature adds durability to your implementation\n by ensuring that authorized users can decrypt ciphertext decades after it was encrypted, even\n if they've lost track of the key ID. However, specifying the KMS key is always recommended as\n a best practice. When you use the KeyId
parameter to specify a KMS key, KMS\n only uses the KMS key you specify. If the ciphertext was encrypted under a different KMS key,\n the Decrypt
operation fails. This practice ensures that you use the KMS key that\n you intend.
Whenever possible, use key policies to give users permission to call the\n Decrypt
operation on a particular KMS key, instead of using &IAM; policies.\n Otherwise, you might create an &IAM; policy that gives the user Decrypt
\n permission on all KMS keys. This user could decrypt ciphertext that was encrypted by KMS keys\n in other accounts if the key policy for the cross-account KMS key permits it. If you must use\n an IAM policy for Decrypt
permissions, limit the user to particular KMS keys or\n particular trusted accounts. For details, see Best practices for IAM\n policies in the Key Management Service Developer Guide.
\n Decrypt
also supports Amazon Web Services Nitro Enclaves, which provide an\n isolated compute environment in Amazon EC2. To call Decrypt
for a Nitro enclave, use\n the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK. Use the Recipient
parameter to provide the\n attestation document for the enclave. Instead of the plaintext data, the response includes the\n plaintext data encrypted with the public key from the attestation document\n (CiphertextForRecipient
).For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide..
The KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: Yes. If you use the KeyId
\n parameter to identify a KMS key in a different Amazon Web Services account, specify the key ARN or the alias\n ARN of the KMS key.
\n Required permissions: kms:Decrypt (key policy)
\n\n Related operations:\n
\n\n Encrypt\n
\n\n GenerateDataKey\n
\n\n GenerateDataKeyPair\n
\n\n ReEncrypt\n
\nDecrypts ciphertext that was encrypted by a KMS key using any of the following\n operations:
\n\n Encrypt\n
\n\n GenerateDataKey\n
\n\n GenerateDataKeyPair\n
\nYou can use this operation to decrypt ciphertext that was encrypted under a symmetric\n encryption KMS key or an asymmetric encryption KMS key. When the KMS key is asymmetric, you\n must specify the KMS key and the encryption algorithm that was used to encrypt the ciphertext.\n For information about asymmetric KMS keys, see Asymmetric KMS keys in the Key Management Service Developer Guide.
\nThe Decrypt
operation also decrypts ciphertext that was encrypted outside of\n KMS by the public key in an KMS asymmetric KMS key. However, it cannot decrypt symmetric\n ciphertext produced by other libraries, such as the Amazon Web Services Encryption SDK or Amazon S3 client-side encryption.\n These libraries return a ciphertext format that is incompatible with KMS.
If the ciphertext was encrypted under a symmetric encryption KMS key, the\n KeyId
parameter is optional. KMS can get this information from metadata that\n it adds to the symmetric ciphertext blob. This feature adds durability to your implementation\n by ensuring that authorized users can decrypt ciphertext decades after it was encrypted, even\n if they've lost track of the key ID. However, specifying the KMS key is always recommended as\n a best practice. When you use the KeyId
parameter to specify a KMS key, KMS\n only uses the KMS key you specify. If the ciphertext was encrypted under a different KMS key,\n the Decrypt
operation fails. This practice ensures that you use the KMS key that\n you intend.
Whenever possible, use key policies to give users permission to call the\n Decrypt
operation on a particular KMS key, instead of using &IAM; policies.\n Otherwise, you might create an &IAM; policy that gives the user Decrypt
\n permission on all KMS keys. This user could decrypt ciphertext that was encrypted by KMS keys\n in other accounts if the key policy for the cross-account KMS key permits it. If you must use\n an IAM policy for Decrypt
permissions, limit the user to particular KMS keys or\n particular trusted accounts. For details, see Best practices for IAM\n policies in the Key Management Service Developer Guide.
\n Decrypt
also supports Amazon Web Services Nitro Enclaves, which provide an\n isolated compute environment in Amazon EC2. To call Decrypt
for a Nitro enclave, use\n the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK. Use the Recipient
parameter to provide the\n attestation document for the enclave. Instead of the plaintext data, the response includes the\n plaintext data encrypted with the public key from the attestation document\n (CiphertextForRecipient
).For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide..
The KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: Yes. If you use the KeyId
\n parameter to identify a KMS key in a different Amazon Web Services account, specify the key ARN or the alias\n ARN of the KMS key.
\n Required permissions: kms:Decrypt (key policy)
\n\n Related operations:\n
\n\n Encrypt\n
\n\n GenerateDataKey\n
\n\n GenerateDataKeyPair\n
\n\n ReEncrypt\n
\nA signed attestation document from\n an Amazon Web Services Nitro enclave and the encryption algorithm to use with the enclave's public key.\n The only valid encryption algorithm is RSAES_OAEP_SHA_256
.
This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves. To include this\n parameter, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK.
\nWhen you use this parameter, instead of returning the plaintext data, KMS encrypts the\n plaintext data with the public key in the attestation document, and returns the resulting\n ciphertext in the CiphertextForRecipient
field in the response. This ciphertext\n can be decrypted only with the private key in the enclave. The Plaintext
field in\n the response is null or empty.
For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.
" + "smithy.api#documentation": "A signed attestation document from\n an Amazon Web Services Nitro enclave and the encryption algorithm to use with the enclave's public key. The\n only valid encryption algorithm is RSAES_OAEP_SHA_256
.
This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves. To include this\n parameter, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK.
\nWhen you use this parameter, instead of returning the plaintext data, KMS encrypts the\n plaintext data with the public key in the attestation document, and returns the resulting\n ciphertext in the CiphertextForRecipient
field in the response. This ciphertext\n can be decrypted only with the private key in the enclave. The Plaintext
field in\n the response is null or empty.
For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.
" + } + }, + "DryRun": { + "target": "com.amazonaws.kms#NullableBooleanType", + "traits": { + "smithy.api#documentation": "Checks if your request will succeed. DryRun
is an optional parameter.
To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.
" } } }, @@ -1417,7 +1435,7 @@ "Plaintext": { "target": "com.amazonaws.kms#PlaintextType", "traits": { - "smithy.api#documentation": "Decrypted plaintext data. When you use the HTTP API or the Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.
\nIf the response includes the CiphertextForRecipient
field, the\n Plaintext
field is null or empty.
Decrypted plaintext data. When you use the HTTP API or the Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.
\nIf the response includes the CiphertextForRecipient
field, the\n Plaintext
field is null or empty.
Gets information about custom key stores in the account and Region.
\nThis operation is part of the custom key stores feature in KMS, which\ncombines the convenience and extensive integration of KMS with the isolation and control of a\nkey store that you own and manage.
\nBy default, this operation returns information about all custom key stores in the account\n and Region. To get only information about a particular custom key store, use either the\n CustomKeyStoreName
or CustomKeyStoreId
parameter (but not\n both).
To determine whether the custom key store is connected to its CloudHSM cluster or external\n key store proxy, use the ConnectionState
element in the response. If an attempt\n to connect the custom key store failed, the ConnectionState
value is\n FAILED
and the ConnectionErrorCode
element in the response\n indicates the cause of the failure. For help interpreting the\n ConnectionErrorCode
, see CustomKeyStoresListEntry.
Custom key stores have a DISCONNECTED
connection state if the key store has\n never been connected or you used the DisconnectCustomKeyStore operation to\n disconnect it. Otherwise, the connection state is CONNECTED. If your custom key store\n connection state is CONNECTED
but you are having trouble using it, verify that\n the backing store is active and available. For an CloudHSM key store, verify that the associated\n CloudHSM cluster is active and contains the minimum number of HSMs required for the operation, if\n any. For an external key store, verify that the external key store proxy and its associated\n external key manager are reachable and enabled.
For help repairing your CloudHSM key store, see the Troubleshooting CloudHSM key stores. For help\n repairing your external key store, see the Troubleshooting external key stores. Both\n topics are in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account.
\n\n Required permissions: kms:DescribeCustomKeyStores (IAM policy)
\n\n Related operations:\n
\n\n CreateCustomKeyStore\n
\n\n DeleteCustomKeyStore\n
\n\n UpdateCustomKeyStore\n
\nGets information about custom key stores in the account and Region.
\nThis operation is part of the custom key stores feature in KMS, which\ncombines the convenience and extensive integration of KMS with the isolation and control of a\nkey store that you own and manage.
\nBy default, this operation returns information about all custom key stores in the account\n and Region. To get only information about a particular custom key store, use either the\n CustomKeyStoreName
or CustomKeyStoreId
parameter (but not\n both).
To determine whether the custom key store is connected to its CloudHSM cluster or external\n key store proxy, use the ConnectionState
element in the response. If an attempt\n to connect the custom key store failed, the ConnectionState
value is\n FAILED
and the ConnectionErrorCode
element in the response\n indicates the cause of the failure. For help interpreting the\n ConnectionErrorCode
, see CustomKeyStoresListEntry.
Custom key stores have a DISCONNECTED
connection state if the key store has\n never been connected or you used the DisconnectCustomKeyStore operation to\n disconnect it. Otherwise, the connection state is CONNECTED. If your custom key store\n connection state is CONNECTED
but you are having trouble using it, verify that\n the backing store is active and available. For an CloudHSM key store, verify that the associated\n CloudHSM cluster is active and contains the minimum number of HSMs required for the operation, if\n any. For an external key store, verify that the external key store proxy and its associated\n external key manager are reachable and enabled.
For help repairing your CloudHSM key store, see the Troubleshooting CloudHSM key stores. For help\n repairing your external key store, see the Troubleshooting external key stores.\n Both topics are in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account.
\n\n Required permissions: kms:DescribeCustomKeyStores (IAM policy)
\n\n Related operations:\n
\n\n CreateCustomKeyStore\n
\n\n DeleteCustomKeyStore\n
\n\n UpdateCustomKeyStore\n
\n\n The request was rejected because the DryRun parameter was specified.\n
", + "smithy.api#error": "client", + "smithy.api#httpError": 412 + } + }, "com.amazonaws.kms#EnableKey": { "type": "operation", "input": { @@ -2016,6 +2051,9 @@ { "target": "com.amazonaws.kms#DisabledException" }, + { + "target": "com.amazonaws.kms#DryRunOperationException" + }, { "target": "com.amazonaws.kms#InvalidGrantTokenException" }, @@ -2036,7 +2074,7 @@ } ], "traits": { - "smithy.api#documentation": "Encrypts plaintext of up to 4,096 bytes using a KMS key. You can use a symmetric or\n asymmetric KMS key with a KeyUsage
of ENCRYPT_DECRYPT
.
You can use this operation to encrypt small amounts of arbitrary data, such as a personal\n identifier or database password, or other sensitive information. You don't need to use the\n Encrypt
operation to encrypt a data key. The GenerateDataKey\n and GenerateDataKeyPair operations return a plaintext data key and an\n encrypted copy of that data key.
If you use a symmetric encryption KMS key, you can use an encryption context to add\n additional security to your encryption operation. If you specify an\n EncryptionContext
when encrypting data, you must specify the same encryption\n context (a case-sensitive exact match) when decrypting the data. Otherwise, the request to\n decrypt fails with an InvalidCiphertextException
. For more information, see\n Encryption\n Context in the Key Management Service Developer Guide.
If you specify an asymmetric KMS key, you must also specify the encryption algorithm. The\n algorithm must be compatible with the KMS key spec.
\nWhen you use an asymmetric KMS key to encrypt or reencrypt data, be sure to record the KMS key and encryption algorithm that you choose. You will be required to provide the same KMS key and encryption algorithm when you decrypt the data. If the KMS key and algorithm do not match the values used to encrypt the data, the decrypt operation fails.
\nYou are not required to supply the key ID and encryption algorithm when you decrypt with symmetric encryption KMS keys because KMS stores this information in the ciphertext blob. KMS cannot store metadata in ciphertext generated with asymmetric keys. The standard format for asymmetric key ciphertext does not include configurable fields.
\nThe maximum size of the data that you can encrypt varies with the type of KMS key and the\n encryption algorithm that you choose.
\nSymmetric encryption KMS keys
\n\n SYMMETRIC_DEFAULT
: 4096 bytes
\n RSA_2048
\n
\n RSAES_OAEP_SHA_1
: 214 bytes
\n RSAES_OAEP_SHA_256
: 190 bytes
\n RSA_3072
\n
\n RSAES_OAEP_SHA_1
: 342 bytes
\n RSAES_OAEP_SHA_256
: 318 bytes
\n RSA_4096
\n
\n RSAES_OAEP_SHA_1
: 470 bytes
\n RSAES_OAEP_SHA_256
: 446 bytes
\n SM2PKE
: 1024 bytes (China Regions only)
The KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: Yes.\n To perform this operation with a KMS key in a different Amazon Web Services account, specify\n the key ARN or alias ARN in the value of the KeyId
parameter.
\n Required permissions: kms:Encrypt (key policy)
\n\n Related operations:\n
\n\n Decrypt\n
\n\n GenerateDataKey\n
\n\n GenerateDataKeyPair\n
\nEncrypts plaintext of up to 4,096 bytes using a KMS key. You can use a symmetric or\n asymmetric KMS key with a KeyUsage
of ENCRYPT_DECRYPT
.
You can use this operation to encrypt small amounts of arbitrary data, such as a personal\n identifier or database password, or other sensitive information. You don't need to use the\n Encrypt
operation to encrypt a data key. The GenerateDataKey\n and GenerateDataKeyPair operations return a plaintext data key and an\n encrypted copy of that data key.
If you use a symmetric encryption KMS key, you can use an encryption context to add\n additional security to your encryption operation. If you specify an\n EncryptionContext
when encrypting data, you must specify the same encryption\n context (a case-sensitive exact match) when decrypting the data. Otherwise, the request to\n decrypt fails with an InvalidCiphertextException
. For more information, see\n Encryption\n Context in the Key Management Service Developer Guide.
If you specify an asymmetric KMS key, you must also specify the encryption algorithm. The\n algorithm must be compatible with the KMS key spec.
\nWhen you use an asymmetric KMS key to encrypt or reencrypt data, be sure to record the KMS key and encryption algorithm that you choose. You will be required to provide the same KMS key and encryption algorithm when you decrypt the data. If the KMS key and algorithm do not match the values used to encrypt the data, the decrypt operation fails.
\nYou are not required to supply the key ID and encryption algorithm when you decrypt with symmetric encryption KMS keys because KMS stores this information in the ciphertext blob. KMS cannot store metadata in ciphertext generated with asymmetric keys. The standard format for asymmetric key ciphertext does not include configurable fields.
\nThe maximum size of the data that you can encrypt varies with the type of KMS key and the\n encryption algorithm that you choose.
\nSymmetric encryption KMS keys
\n\n SYMMETRIC_DEFAULT
: 4096 bytes
\n RSA_2048
\n
\n RSAES_OAEP_SHA_1
: 214 bytes
\n RSAES_OAEP_SHA_256
: 190 bytes
\n RSA_3072
\n
\n RSAES_OAEP_SHA_1
: 342 bytes
\n RSAES_OAEP_SHA_256
: 318 bytes
\n RSA_4096
\n
\n RSAES_OAEP_SHA_1
: 470 bytes
\n RSAES_OAEP_SHA_256
: 446 bytes
\n SM2PKE
: 1024 bytes (China Regions only)
The KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify\n the key ARN or alias ARN in the value of the KeyId
parameter.
\n Required permissions: kms:Encrypt (key policy)
\n\n Related operations:\n
\n\n Decrypt\n
\n\n GenerateDataKey\n
\n\n GenerateDataKeyPair\n
\nSpecifies the encryption algorithm that KMS will use to encrypt the plaintext message.\n The algorithm must be compatible with the KMS key that you specify.
\nThis parameter is required only for asymmetric KMS keys. The default value,\n SYMMETRIC_DEFAULT
, is the algorithm used for symmetric encryption KMS keys. If you are\n using an asymmetric KMS key, we recommend RSAES_OAEP_SHA_256.
The SM2PKE algorithm is only available in China Regions.
" + "smithy.api#documentation": "Specifies the encryption algorithm that KMS will use to encrypt the plaintext message.\n The algorithm must be compatible with the KMS key that you specify.
\nThis parameter is required only for asymmetric KMS keys. The default value,\n SYMMETRIC_DEFAULT
, is the algorithm used for symmetric encryption KMS keys. If\n you are using an asymmetric KMS key, we recommend RSAES_OAEP_SHA_256.
The SM2PKE algorithm is only available in China Regions.
" + } + }, + "DryRun": { + "target": "com.amazonaws.kms#NullableBooleanType", + "traits": { + "smithy.api#documentation": "Checks if your request will succeed. DryRun
is an optional parameter.
To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.
" } } }, @@ -2207,6 +2251,9 @@ { "target": "com.amazonaws.kms#DisabledException" }, + { + "target": "com.amazonaws.kms#DryRunOperationException" + }, { "target": "com.amazonaws.kms#InvalidGrantTokenException" }, @@ -2227,7 +2274,7 @@ } ], "traits": { - "smithy.api#documentation": "Returns a unique symmetric data key for use outside of KMS. This operation returns a\n plaintext copy of the data key and a copy that is encrypted under a symmetric encryption KMS\n key that you specify. The bytes in the plaintext key are random; they are not related \n to the caller or the KMS key. You can use the plaintext key to encrypt your data outside of KMS \n and store the encrypted data key with the encrypted data.
\nTo generate a data key, specify the symmetric encryption KMS key that will be used to\n encrypt the data key. You cannot use an asymmetric KMS key to encrypt data keys. To get the\n type of your KMS key, use the DescribeKey operation.
\nYou must also specify the length of the data key. Use either the KeySpec
or \n NumberOfBytes
parameters (but not both). For 128-bit and 256-bit data keys, use \n the KeySpec
parameter.
To generate a 128-bit SM4 data key (China Regions only), specify a KeySpec
value of\n AES_128
or a NumberOfBytes
value of 16
. The symmetric \n encryption key used in China Regions to encrypt your data key is an SM4 encryption key.
To get only an encrypted copy of the data key, use GenerateDataKeyWithoutPlaintext. To generate an asymmetric data key pair, use\n the GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext operation. To get a cryptographically secure\n random byte string, use GenerateRandom.
\nYou can use an optional encryption context to add additional security to the encryption\n operation. If you specify an EncryptionContext
, you must specify the same\n encryption context (a case-sensitive exact match) when decrypting the encrypted data key.\n Otherwise, the request to decrypt fails with an InvalidCiphertextException
. For more information, see Encryption Context in the\n Key Management Service Developer Guide.
\n GenerateDataKey
also supports Amazon Web Services Nitro Enclaves, which provide an\n isolated compute environment in Amazon EC2. To call GenerateDataKey
for an Amazon Web Services Nitro\n enclave, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK. Use the Recipient
parameter\n to provide the attestation document for the enclave. GenerateDataKey
returns a\n copy of the data key encrypted under the specified KMS key, as usual. But instead of a\n plaintext copy of the data key, the response includes a copy of the data key encrypted under\n the public key from the attestation document (CiphertextForRecipient
).\n For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide..
The KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n How to use your data key\n
\nWe recommend that you use the following pattern to encrypt data locally in your\n application. You can write your own code or use a client-side encryption library, such as the\n Amazon Web Services Encryption SDK, the\n Amazon DynamoDB Encryption Client,\n or Amazon S3\n client-side encryption to do these tasks for you.
\nTo encrypt data outside of KMS:
\nUse the GenerateDataKey
operation to get a data key.
Use the plaintext data key (in the Plaintext
field of the response) to\n encrypt your data outside of KMS. Then erase the plaintext data key from memory.
Store the encrypted data key (in the CiphertextBlob
field of the\n response) with the encrypted data.
To decrypt data outside of KMS:
\nUse the Decrypt operation to decrypt the encrypted data key. The\n operation returns a plaintext copy of the data key.
\nUse the plaintext data key to decrypt data outside of KMS, then erase the plaintext\n data key from memory.
\n\n Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify\n the key ARN or alias ARN in the value of the KeyId
parameter.
\n Required permissions: kms:GenerateDataKey (key policy)
\n\n Related operations:\n
\n\n Decrypt\n
\n\n Encrypt\n
\n\n GenerateDataKeyPair\n
\nReturns a unique symmetric data key for use outside of KMS. This operation returns a\n plaintext copy of the data key and a copy that is encrypted under a symmetric encryption KMS\n key that you specify. The bytes in the plaintext key are random; they are not related to the\n caller or the KMS key. You can use the plaintext key to encrypt your data outside of KMS and\n store the encrypted data key with the encrypted data.
\nTo generate a data key, specify the symmetric encryption KMS key that will be used to\n encrypt the data key. You cannot use an asymmetric KMS key to encrypt data keys. To get the\n type of your KMS key, use the DescribeKey operation.
\nYou must also specify the length of the data key. Use either the KeySpec
or\n NumberOfBytes
parameters (but not both). For 128-bit and 256-bit data keys, use\n the KeySpec
parameter.
To generate a 128-bit SM4 data key (China Regions only), specify a KeySpec
\n value of AES_128
or a NumberOfBytes
value of 16
. The\n symmetric encryption key used in China Regions to encrypt your data key is an SM4 encryption\n key.
To get only an encrypted copy of the data key, use GenerateDataKeyWithoutPlaintext. To generate an asymmetric data key pair, use\n the GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext operation. To get a cryptographically secure\n random byte string, use GenerateRandom.
\nYou can use an optional encryption context to add additional security to the encryption\n operation. If you specify an EncryptionContext
, you must specify the same\n encryption context (a case-sensitive exact match) when decrypting the encrypted data key.\n Otherwise, the request to decrypt fails with an InvalidCiphertextException
. For more information, see Encryption Context in the\n Key Management Service Developer Guide.
\n GenerateDataKey
also supports Amazon Web Services Nitro Enclaves, which provide an\n isolated compute environment in Amazon EC2. To call GenerateDataKey
for an Amazon Web Services Nitro\n enclave, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK. Use the Recipient
parameter\n to provide the attestation document for the enclave. GenerateDataKey
returns a\n copy of the data key encrypted under the specified KMS key, as usual. But instead of a\n plaintext copy of the data key, the response includes a copy of the data key encrypted under\n the public key from the attestation document (CiphertextForRecipient
).\n For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide..
The KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n How to use your data key\n
\nWe recommend that you use the following pattern to encrypt data locally in your\n application. You can write your own code or use a client-side encryption library, such as the\n Amazon Web Services Encryption SDK, the\n Amazon DynamoDB Encryption Client,\n or Amazon S3\n client-side encryption to do these tasks for you.
\nTo encrypt data outside of KMS:
\nUse the GenerateDataKey
operation to get a data key.
Use the plaintext data key (in the Plaintext
field of the response) to\n encrypt your data outside of KMS. Then erase the plaintext data key from memory.
Store the encrypted data key (in the CiphertextBlob
field of the\n response) with the encrypted data.
To decrypt data outside of KMS:
\nUse the Decrypt operation to decrypt the encrypted data key. The\n operation returns a plaintext copy of the data key.
\nUse the plaintext data key to decrypt data outside of KMS, then erase the plaintext\n data key from memory.
\n\n Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify\n the key ARN or alias ARN in the value of the KeyId
parameter.
\n Required permissions: kms:GenerateDataKey (key policy)
\n\n Related operations:\n
\n\n Decrypt\n
\n\n Encrypt\n
\n\n GenerateDataKeyPair\n
\nReturns a unique asymmetric data key pair for use outside of KMS. This operation returns\n a plaintext public key, a plaintext private key, and a copy of the private key that is\n encrypted under the symmetric encryption KMS key you specify. You can use the data key pair to\n perform asymmetric cryptography and implement digital signatures outside of KMS. The bytes\n in the keys are random; they not related to the caller or to the KMS key that is used to\n encrypt the private key.
\nYou can use the public key that GenerateDataKeyPair
returns to encrypt data\n or verify a signature outside of KMS. Then, store the encrypted private key with the data.\n When you are ready to decrypt data or sign a message, you can use the Decrypt operation to decrypt the encrypted private key.
To generate a data key pair, you must specify a symmetric encryption KMS key to encrypt\n the private key in a data key pair. You cannot use an asymmetric KMS key or a KMS key in a\n custom key store. To get the type and origin of your KMS key, use the DescribeKey operation.
\nUse the KeyPairSpec
parameter to choose an RSA or Elliptic Curve (ECC) data\n key pair. In China Regions, you can also choose an SM2 data key pair. KMS recommends that you use\n ECC key pairs for signing, and use RSA and SM2 key pairs for either encryption or signing, but not both.\n However, KMS cannot enforce any restrictions on the use of data key pairs outside of KMS.
If you are using the data key pair to encrypt data, or for any operation where you don't\n immediately need a private key, consider using the GenerateDataKeyPairWithoutPlaintext operation.\n GenerateDataKeyPairWithoutPlaintext
returns a plaintext public key and an\n encrypted private key, but omits the plaintext private key that you need only to decrypt\n ciphertext or sign a message. Later, when you need to decrypt the data or sign a message, use\n the Decrypt operation to decrypt the encrypted private key in the data key\n pair.
\n GenerateDataKeyPair
returns a unique data key pair for each request. The\n bytes in the keys are random; they are not related to the caller or the KMS key that is used\n to encrypt the private key. The public key is a DER-encoded X.509 SubjectPublicKeyInfo, as\n specified in RFC 5280. The private\n key is a DER-encoded PKCS8 PrivateKeyInfo, as specified in RFC 5958.
\n GenerateDataKeyPair
also supports Amazon Web Services Nitro Enclaves, which provide an\n isolated compute environment in Amazon EC2. To call GenerateDataKeyPair
for an Amazon Web Services Nitro\n enclave, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK. Use the Recipient
parameter\n to provide the attestation document for the enclave. GenerateDataKeyPair
returns the public data key and a\n copy of the private data key encrypted under the specified KMS key, as usual. But instead of a\n plaintext copy of the private data key (PrivateKeyPlaintext
), the response includes a copy of the private data key encrypted under\n the public key from the attestation document (CiphertextForRecipient
).\n For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide..
You can use an optional encryption context to add additional security to the encryption\n operation. If you specify an EncryptionContext
, you must specify the same\n encryption context (a case-sensitive exact match) when decrypting the encrypted data key.\n Otherwise, the request to decrypt fails with an InvalidCiphertextException
. For more information, see Encryption Context in the\n Key Management Service Developer Guide.
The KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify\n the key ARN or alias ARN in the value of the KeyId
parameter.
\n Required permissions: kms:GenerateDataKeyPair (key policy)
\n\n Related operations:\n
\n\n Decrypt\n
\n\n Encrypt\n
\n\n GenerateDataKey\n
\nReturns a unique asymmetric data key pair for use outside of KMS. This operation returns\n a plaintext public key, a plaintext private key, and a copy of the private key that is\n encrypted under the symmetric encryption KMS key you specify. You can use the data key pair to\n perform asymmetric cryptography and implement digital signatures outside of KMS. The bytes\n in the keys are random; they not related to the caller or to the KMS key that is used to\n encrypt the private key.
\nYou can use the public key that GenerateDataKeyPair
returns to encrypt data\n or verify a signature outside of KMS. Then, store the encrypted private key with the data.\n When you are ready to decrypt data or sign a message, you can use the Decrypt operation to decrypt the encrypted private key.
To generate a data key pair, you must specify a symmetric encryption KMS key to encrypt\n the private key in a data key pair. You cannot use an asymmetric KMS key or a KMS key in a\n custom key store. To get the type and origin of your KMS key, use the DescribeKey operation.
\nUse the KeyPairSpec
parameter to choose an RSA or Elliptic Curve (ECC) data\n key pair. In China Regions, you can also choose an SM2 data key pair. KMS recommends that\n you use ECC key pairs for signing, and use RSA and SM2 key pairs for either encryption or\n signing, but not both. However, KMS cannot enforce any restrictions on the use of data key\n pairs outside of KMS.
If you are using the data key pair to encrypt data, or for any operation where you don't\n immediately need a private key, consider using the GenerateDataKeyPairWithoutPlaintext operation.\n GenerateDataKeyPairWithoutPlaintext
returns a plaintext public key and an\n encrypted private key, but omits the plaintext private key that you need only to decrypt\n ciphertext or sign a message. Later, when you need to decrypt the data or sign a message, use\n the Decrypt operation to decrypt the encrypted private key in the data key\n pair.
\n GenerateDataKeyPair
returns a unique data key pair for each request. The\n bytes in the keys are random; they are not related to the caller or the KMS key that is used\n to encrypt the private key. The public key is a DER-encoded X.509 SubjectPublicKeyInfo, as\n specified in RFC 5280. The private\n key is a DER-encoded PKCS8 PrivateKeyInfo, as specified in RFC 5958.
\n GenerateDataKeyPair
also supports Amazon Web Services Nitro Enclaves, which provide an\n isolated compute environment in Amazon EC2. To call GenerateDataKeyPair
for an Amazon Web Services\n Nitro enclave, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK. Use the Recipient
\n parameter to provide the attestation document for the enclave.\n GenerateDataKeyPair
returns the public data key and a copy of the private data\n key encrypted under the specified KMS key, as usual. But instead of a plaintext copy of the\n private data key (PrivateKeyPlaintext
), the response includes a copy of the\n private data key encrypted under the public key from the attestation document\n (CiphertextForRecipient
). For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide..
You can use an optional encryption context to add additional security to the encryption\n operation. If you specify an EncryptionContext
, you must specify the same\n encryption context (a case-sensitive exact match) when decrypting the encrypted data key.\n Otherwise, the request to decrypt fails with an InvalidCiphertextException
. For more information, see Encryption Context in the\n Key Management Service Developer Guide.
The KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify\n the key ARN or alias ARN in the value of the KeyId
parameter.
\n Required permissions: kms:GenerateDataKeyPair (key policy)
\n\n Related operations:\n
\n\n Decrypt\n
\n\n Encrypt\n
\n\n GenerateDataKey\n
\nA signed attestation document from\n an Amazon Web Services Nitro enclave and the encryption algorithm to use with the enclave's public key.\n The only valid encryption algorithm is RSAES_OAEP_SHA_256
.
This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves. To include this\n parameter, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK.
\nWhen you use this parameter, instead of returning a plaintext copy of the private data key, KMS encrypts\n the plaintext private data key under the public key in the attestation document, and returns the\n resulting ciphertext in the CiphertextForRecipient
field in the response. This\n ciphertext can be decrypted only with the private key in the enclave. The\n CiphertextBlob
field in the response contains a copy of the private data key encrypted\n under the KMS key specified by the KeyId
parameter. The PrivateKeyPlaintext
\n field in the response is null or empty.
For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.
" + "smithy.api#documentation": "A signed attestation document from\n an Amazon Web Services Nitro enclave and the encryption algorithm to use with the enclave's public key. The\n only valid encryption algorithm is RSAES_OAEP_SHA_256
.
This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves. To include this\n parameter, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK.
\nWhen you use this parameter, instead of returning a plaintext copy of the private data\n key, KMS encrypts the plaintext private data key under the public key in the attestation\n document, and returns the resulting ciphertext in the CiphertextForRecipient
\n field in the response. This ciphertext can be decrypted only with the private key in the\n enclave. The CiphertextBlob
field in the response contains a copy of the private\n data key encrypted under the KMS key specified by the KeyId
parameter. The\n PrivateKeyPlaintext
field in the response is null or empty.
For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.
" + } + }, + "DryRun": { + "target": "com.amazonaws.kms#NullableBooleanType", + "traits": { + "smithy.api#documentation": "Checks if your request will succeed. DryRun
is an optional parameter.
To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.
" } } }, @@ -2323,7 +2379,7 @@ "PrivateKeyPlaintext": { "target": "com.amazonaws.kms#PlaintextType", "traits": { - "smithy.api#documentation": "The plaintext copy of the private key. When you use the HTTP API or the Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.
\nIf the response includes the CiphertextForRecipient
field, the\n PrivateKeyPlaintext
field is null or empty.
The plaintext copy of the private key. When you use the HTTP API or the Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.
\nIf the response includes the CiphertextForRecipient
field, the\n PrivateKeyPlaintext
field is null or empty.
The plaintext private data key encrypted with the public key from the Nitro enclave. This ciphertext can\n be decrypted only by using a private key in the Nitro enclave.
\nThis field is included in the response only when the Recipient
parameter in\n the request includes a valid attestation document from an Amazon Web Services Nitro enclave.\n For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.
The plaintext private data key encrypted with the public key from the Nitro enclave. This\n ciphertext can be decrypted only by using a private key in the Nitro enclave.
\nThis field is included in the response only when the Recipient
parameter in\n the request includes a valid attestation document from an Amazon Web Services Nitro enclave.\n For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.
Returns a unique asymmetric data key pair for use outside of KMS. This operation returns\n a plaintext public key and a copy of the private key that is encrypted under the symmetric\n encryption KMS key you specify. Unlike GenerateDataKeyPair, this operation\n does not return a plaintext private key. The bytes in the keys are random; they are not\n related to the caller or to the KMS key that is used to encrypt the private key.
\nYou can use the public key that GenerateDataKeyPairWithoutPlaintext
returns\n to encrypt data or verify a signature outside of KMS. Then, store the encrypted private key\n with the data. When you are ready to decrypt data or sign a message, you can use the Decrypt operation to decrypt the encrypted private key.
To generate a data key pair, you must specify a symmetric encryption KMS key to encrypt\n the private key in a data key pair. You cannot use an asymmetric KMS key or a KMS key in a\n custom key store. To get the type and origin of your KMS key, use the DescribeKey operation.
\nUse the KeyPairSpec
parameter to choose an RSA or Elliptic Curve (ECC) data\n key pair. In China Regions, you can also choose an SM2 data key pair. KMS recommends that you \n use ECC key pairs for signing, and use RSA and SM2 key pairs for either encryption or signing, but not\n both. However, KMS cannot enforce any restrictions on the use of data key pairs outside of KMS.
\n GenerateDataKeyPairWithoutPlaintext
returns a unique data key pair for each\n request. The bytes in the key are not related to the caller or KMS key that is used to encrypt\n the private key. The public key is a DER-encoded X.509 SubjectPublicKeyInfo, as specified in\n RFC 5280.
You can use an optional encryption context to add additional security to the encryption\n operation. If you specify an EncryptionContext
, you must specify the same\n encryption context (a case-sensitive exact match) when decrypting the encrypted data key.\n Otherwise, the request to decrypt fails with an InvalidCiphertextException
. For more information, see Encryption Context in the\n Key Management Service Developer Guide.
The KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify\n the key ARN or alias ARN in the value of the KeyId
parameter.
\n Required permissions: kms:GenerateDataKeyPairWithoutPlaintext (key\n policy)
\n\n Related operations:\n
\n\n Decrypt\n
\n\n Encrypt\n
\n\n GenerateDataKey\n
\n\n GenerateDataKeyPair\n
\nReturns a unique asymmetric data key pair for use outside of KMS. This operation returns\n a plaintext public key and a copy of the private key that is encrypted under the symmetric\n encryption KMS key you specify. Unlike GenerateDataKeyPair, this operation\n does not return a plaintext private key. The bytes in the keys are random; they are not\n related to the caller or to the KMS key that is used to encrypt the private key.
\nYou can use the public key that GenerateDataKeyPairWithoutPlaintext
returns\n to encrypt data or verify a signature outside of KMS. Then, store the encrypted private key\n with the data. When you are ready to decrypt data or sign a message, you can use the Decrypt operation to decrypt the encrypted private key.
To generate a data key pair, you must specify a symmetric encryption KMS key to encrypt\n the private key in a data key pair. You cannot use an asymmetric KMS key or a KMS key in a\n custom key store. To get the type and origin of your KMS key, use the DescribeKey operation.
\nUse the KeyPairSpec
parameter to choose an RSA or Elliptic Curve (ECC) data\n key pair. In China Regions, you can also choose an SM2 data key pair. KMS recommends that\n you use ECC key pairs for signing, and use RSA and SM2 key pairs for either encryption or\n signing, but not both. However, KMS cannot enforce any restrictions on the use of data key\n pairs outside of KMS.
\n GenerateDataKeyPairWithoutPlaintext
returns a unique data key pair for each\n request. The bytes in the key are not related to the caller or KMS key that is used to encrypt\n the private key. The public key is a DER-encoded X.509 SubjectPublicKeyInfo, as specified in\n RFC 5280.
You can use an optional encryption context to add additional security to the encryption\n operation. If you specify an EncryptionContext
, you must specify the same\n encryption context (a case-sensitive exact match) when decrypting the encrypted data key.\n Otherwise, the request to decrypt fails with an InvalidCiphertextException
. For more information, see Encryption Context in the\n Key Management Service Developer Guide.
The KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify\n the key ARN or alias ARN in the value of the KeyId
parameter.
\n Required permissions: kms:GenerateDataKeyPairWithoutPlaintext (key\n policy)
\n\n Related operations:\n
\n\n Decrypt\n
\n\n Encrypt\n
\n\n GenerateDataKey\n
\n\n GenerateDataKeyPair\n
\nA list of grant tokens.
\nUse a grant token when your permission to call this operation comes from a new grant that has not yet achieved eventual consistency. For more information, see Grant token and Using a grant token in the\n Key Management Service Developer Guide.
" } + }, + "DryRun": { + "target": "com.amazonaws.kms#NullableBooleanType", + "traits": { + "smithy.api#documentation": "Checks if your request will succeed. DryRun
is an optional parameter.
To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.
" + } } }, "traits": { @@ -2499,7 +2564,13 @@ "Recipient": { "target": "com.amazonaws.kms#RecipientInfo", "traits": { - "smithy.api#documentation": "A signed attestation document from\n an Amazon Web Services Nitro enclave and the encryption algorithm to use with the enclave's public key.\n The only valid encryption algorithm is RSAES_OAEP_SHA_256
.
This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves. To include this\n parameter, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK.
\nWhen you use this parameter, instead of returning the plaintext data key, KMS encrypts\n the plaintext data key under the public key in the attestation document, and returns the\n resulting ciphertext in the CiphertextForRecipient
field in the response. This\n ciphertext can be decrypted only with the private key in the enclave. The\n CiphertextBlob
field in the response contains a copy of the data key encrypted\n under the KMS key specified by the KeyId
parameter. The Plaintext
\n field in the response is null or empty.
For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.
" + "smithy.api#documentation": "A signed attestation document from\n an Amazon Web Services Nitro enclave and the encryption algorithm to use with the enclave's public key. The\n only valid encryption algorithm is RSAES_OAEP_SHA_256
.
This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves. To include this\n parameter, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK.
\nWhen you use this parameter, instead of returning the plaintext data key, KMS encrypts\n the plaintext data key under the public key in the attestation document, and returns the\n resulting ciphertext in the CiphertextForRecipient
field in the response. This\n ciphertext can be decrypted only with the private key in the enclave. The\n CiphertextBlob
field in the response contains a copy of the data key encrypted\n under the KMS key specified by the KeyId
parameter. The Plaintext
\n field in the response is null or empty.
For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.
" + } + }, + "DryRun": { + "target": "com.amazonaws.kms#NullableBooleanType", + "traits": { + "smithy.api#documentation": "Checks if your request will succeed. DryRun
is an optional parameter.
To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.
" } } }, @@ -2519,7 +2590,7 @@ "Plaintext": { "target": "com.amazonaws.kms#PlaintextType", "traits": { - "smithy.api#documentation": "The plaintext data key. When you use the HTTP API or the Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded. Use this data key to encrypt your data outside of\n KMS. Then, remove it from memory as soon as possible.
\nIf the response includes the CiphertextForRecipient
field, the\n Plaintext
field is null or empty.
The plaintext data key. When you use the HTTP API or the Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded. Use this data key to encrypt your data outside of\n KMS. Then, remove it from memory as soon as possible.
\nIf the response includes the CiphertextForRecipient
field, the\n Plaintext
field is null or empty.
The plaintext data key encrypted with the public key from the Nitro enclave. This ciphertext can\n be decrypted only by using a private key in the Nitro enclave.
\nThis field is included in the response only when the Recipient
parameter in\n the request includes a valid attestation document from an Amazon Web Services Nitro enclave.\n For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.
The plaintext data key encrypted with the public key from the Nitro enclave. This\n ciphertext can be decrypted only by using a private key in the Nitro enclave.
\nThis field is included in the response only when the Recipient
parameter in\n the request includes a valid attestation document from an Amazon Web Services Nitro enclave.\n For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.
Returns a unique symmetric data key for use outside of KMS. This operation returns a\n data key that is encrypted under a symmetric encryption KMS key that you specify. The bytes in\n the key are random; they are not related to the caller or to the KMS key.
\n\n GenerateDataKeyWithoutPlaintext
is identical to the GenerateDataKey operation except that it does not return a plaintext copy of the\n data key.
This operation is useful for systems that need to encrypt data at some point, but not\n immediately. When you need to encrypt the data, you call the Decrypt\n operation on the encrypted copy of the key.
\nIt's also useful in distributed systems with different levels of trust. For example, you\n might store encrypted data in containers. One component of your system creates new containers\n and stores an encrypted data key with each container. Then, a different component puts the\n data into the containers. That component first decrypts the data key, uses the plaintext data\n key to encrypt data, puts the encrypted data into the container, and then destroys the\n plaintext data key. In this system, the component that creates the containers never sees the\n plaintext data key.
\nTo request an asymmetric data key pair, use the GenerateDataKeyPair or\n GenerateDataKeyPairWithoutPlaintext operations.
\nTo generate a data key, you must specify the symmetric encryption KMS key that is used to\n encrypt the data key. You cannot use an asymmetric KMS key or a key in a custom key store to generate a data key. To get the\n type of your KMS key, use the DescribeKey operation.
\nYou must also specify the length of the data key. Use either the KeySpec
or \n NumberOfBytes
parameters (but not both). For 128-bit and 256-bit data keys, use \n the KeySpec
parameter.
To generate an SM4 data key (China Regions only), specify a KeySpec
value of\n AES_128
or NumberOfBytes
value of 16
. The symmetric\n encryption key used in China Regions to encrypt your data key is an SM4 encryption key.
If the operation succeeds, you will find the encrypted copy of the data key in the\n CiphertextBlob
field.
You can use an optional encryption context to add additional security to the encryption\n operation. If you specify an EncryptionContext
, you must specify the same\n encryption context (a case-sensitive exact match) when decrypting the encrypted data key.\n Otherwise, the request to decrypt fails with an InvalidCiphertextException
. For more information, see Encryption Context in the\n Key Management Service Developer Guide.
The KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify\n the key ARN or alias ARN in the value of the KeyId
parameter.
\n Required permissions: kms:GenerateDataKeyWithoutPlaintext (key\n policy)
\n\n Related operations:\n
\n\n Decrypt\n
\n\n Encrypt\n
\n\n GenerateDataKey\n
\n\n GenerateDataKeyPair\n
\nReturns a unique symmetric data key for use outside of KMS. This operation returns a\n data key that is encrypted under a symmetric encryption KMS key that you specify. The bytes in\n the key are random; they are not related to the caller or to the KMS key.
\n\n GenerateDataKeyWithoutPlaintext
is identical to the GenerateDataKey operation except that it does not return a plaintext copy of the\n data key.
This operation is useful for systems that need to encrypt data at some point, but not\n immediately. When you need to encrypt the data, you call the Decrypt\n operation on the encrypted copy of the key.
\nIt's also useful in distributed systems with different levels of trust. For example, you\n might store encrypted data in containers. One component of your system creates new containers\n and stores an encrypted data key with each container. Then, a different component puts the\n data into the containers. That component first decrypts the data key, uses the plaintext data\n key to encrypt data, puts the encrypted data into the container, and then destroys the\n plaintext data key. In this system, the component that creates the containers never sees the\n plaintext data key.
\nTo request an asymmetric data key pair, use the GenerateDataKeyPair or\n GenerateDataKeyPairWithoutPlaintext operations.
\nTo generate a data key, you must specify the symmetric encryption KMS key that is used to\n encrypt the data key. You cannot use an asymmetric KMS key or a key in a custom key store to\n generate a data key. To get the type of your KMS key, use the DescribeKey\n operation.
\nYou must also specify the length of the data key. Use either the KeySpec
or\n NumberOfBytes
parameters (but not both). For 128-bit and 256-bit data keys, use\n the KeySpec
parameter.
To generate an SM4 data key (China Regions only), specify a KeySpec
value of\n AES_128
or NumberOfBytes
value of 16
. The symmetric\n encryption key used in China Regions to encrypt your data key is an SM4 encryption key.
If the operation succeeds, you will find the encrypted copy of the data key in the\n CiphertextBlob
field.
You can use an optional encryption context to add additional security to the encryption\n operation. If you specify an EncryptionContext
, you must specify the same\n encryption context (a case-sensitive exact match) when decrypting the encrypted data key.\n Otherwise, the request to decrypt fails with an InvalidCiphertextException
. For more information, see Encryption Context in the\n Key Management Service Developer Guide.
The KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify\n the key ARN or alias ARN in the value of the KeyId
parameter.
\n Required permissions: kms:GenerateDataKeyWithoutPlaintext (key\n policy)
\n\n Related operations:\n
\n\n Decrypt\n
\n\n Encrypt\n
\n\n GenerateDataKey\n
\n\n GenerateDataKeyPair\n
\nA list of grant tokens.
\nUse a grant token when your permission to call this operation comes from a new grant that has not yet achieved eventual consistency. For more information, see Grant token and Using a grant token in the\n Key Management Service Developer Guide.
" } + }, + "DryRun": { + "target": "com.amazonaws.kms#NullableBooleanType", + "traits": { + "smithy.api#documentation": "Checks if your request will succeed. DryRun
is an optional parameter.
To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.
" + } } }, "traits": { @@ -2648,6 +2728,9 @@ { "target": "com.amazonaws.kms#DisabledException" }, + { + "target": "com.amazonaws.kms#DryRunOperationException" + }, { "target": "com.amazonaws.kms#InvalidGrantTokenException" }, @@ -2668,7 +2751,7 @@ } ], "traits": { - "smithy.api#documentation": "Generates a hash-based message authentication code (HMAC) for a message using an HMAC KMS key and a MAC algorithm that the key supports.\n HMAC KMS keys and the HMAC algorithms that KMS uses conform to industry standards defined in RFC 2104.
\nYou can use value that GenerateMac returns in the VerifyMac operation to\n demonstrate that the original message has not changed. Also, because a secret key is used to\n create the hash, you can verify that the party that generated the hash has the required secret\n key. You can also use the raw result to implement HMAC-based algorithms such as key derivation\n functions. This operation is part of KMS support for HMAC KMS keys. For\n details, see HMAC keys in\n KMS in the \n Key Management Service Developer Guide\n .
\nBest practices recommend that you limit the time during which any signing mechanism,\n including an HMAC, is effective. This deters an attack where the actor uses a signed message\n to establish validity repeatedly or long after the message is superseded. HMAC tags do not\n include a timestamp, but you can include a timestamp in the token or message to help you\n detect when its time to refresh the HMAC.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify\n the key ARN or alias ARN in the value of the KeyId
parameter.
\n Required permissions: kms:GenerateMac (key policy)
\n\n Related operations: VerifyMac\n
" + "smithy.api#documentation": "Generates a hash-based message authentication code (HMAC) for a message using an HMAC KMS\n key and a MAC algorithm that the key supports. HMAC KMS keys and the HMAC algorithms that\n KMS uses conform to industry standards defined in RFC 2104.
\nYou can use value that GenerateMac returns in the VerifyMac operation to\n demonstrate that the original message has not changed. Also, because a secret key is used to\n create the hash, you can verify that the party that generated the hash has the required secret\n key. You can also use the raw result to implement HMAC-based algorithms such as key derivation\n functions. This operation is part of KMS support for HMAC KMS keys. For\n details, see HMAC keys in\n KMS in the \n Key Management Service Developer Guide\n .
\nBest practices recommend that you limit the time during which any signing mechanism,\n including an HMAC, is effective. This deters an attack where the actor uses a signed message\n to establish validity repeatedly or long after the message is superseded. HMAC tags do not\n include a timestamp, but you can include a timestamp in the token or message to help you\n detect when its time to refresh the HMAC.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify\n the key ARN or alias ARN in the value of the KeyId
parameter.
\n Required permissions: kms:GenerateMac (key policy)
\n\n Related operations: VerifyMac\n
" } }, "com.amazonaws.kms#GenerateMacRequest": { @@ -2700,6 +2783,12 @@ "traits": { "smithy.api#documentation": "A list of grant tokens.
\nUse a grant token when your permission to call this operation comes from a new grant that has not yet achieved eventual consistency. For more information, see Grant token and Using a grant token in the\n Key Management Service Developer Guide.
" } + }, + "DryRun": { + "target": "com.amazonaws.kms#NullableBooleanType", + "traits": { + "smithy.api#documentation": "Checks if your request will succeed. DryRun
is an optional parameter.
To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.
" + } } }, "traits": { @@ -2712,7 +2801,7 @@ "Mac": { "target": "com.amazonaws.kms#CiphertextType", "traits": { - "smithy.api#documentation": "The hash-based message authentication code (HMAC) that was generated for the\n specified message, HMAC KMS key, and MAC algorithm.
\nThis is the standard, raw HMAC defined in RFC 2104.
" + "smithy.api#documentation": "The hash-based message authentication code (HMAC) that was generated for the specified\n message, HMAC KMS key, and MAC algorithm.
\nThis is the standard, raw HMAC defined in RFC 2104.
" } }, "MacAlgorithm": { @@ -2758,7 +2847,7 @@ } ], "traits": { - "smithy.api#documentation": "Returns a random byte string that is cryptographically secure.
\nYou must use the NumberOfBytes
parameter to specify the length of the random\n byte string. There is no default value for string length.
By default, the random byte string is generated in KMS. To generate the byte string in\n the CloudHSM cluster associated with an CloudHSM key store, use the CustomKeyStoreId
\n parameter.
\n GenerateRandom
also supports Amazon Web Services Nitro Enclaves, which provide an\n isolated compute environment in Amazon EC2. To call GenerateRandom
for a Nitro\n enclave, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK. Use the Recipient
parameter\n to provide the attestation document for the enclave. Instead of plaintext bytes, the response\n includes the plaintext bytes encrypted under the public key from the attestation document\n (CiphertextForRecipient
).For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.
For more information about entropy and random number generation, see\n Key Management Service Cryptographic Details.
\n\n Cross-account use: Not applicable.\n GenerateRandom
does not use any account-specific resources, such as KMS\n keys.
\n Required permissions: kms:GenerateRandom (IAM policy)
" + "smithy.api#documentation": "Returns a random byte string that is cryptographically secure.
\nYou must use the NumberOfBytes
parameter to specify the length of the random\n byte string. There is no default value for string length.
By default, the random byte string is generated in KMS. To generate the byte string in\n the CloudHSM cluster associated with an CloudHSM key store, use the CustomKeyStoreId
\n parameter.
\n GenerateRandom
also supports Amazon Web Services Nitro Enclaves, which provide an\n isolated compute environment in Amazon EC2. To call GenerateRandom
for a Nitro\n enclave, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK. Use the Recipient
parameter\n to provide the attestation document for the enclave. Instead of plaintext bytes, the response\n includes the plaintext bytes encrypted under the public key from the attestation document\n (CiphertextForRecipient
).For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.
For more information about entropy and random number generation, see\n Key Management Service Cryptographic Details.
\n\n Cross-account use: Not applicable.\n GenerateRandom
does not use any account-specific resources, such as KMS\n keys.
\n Required permissions: kms:GenerateRandom (IAM policy)
" } }, "com.amazonaws.kms#GenerateRandomRequest": { @@ -2773,13 +2862,13 @@ "CustomKeyStoreId": { "target": "com.amazonaws.kms#CustomKeyStoreIdType", "traits": { - "smithy.api#documentation": "Generates the random byte string in the CloudHSM cluster that is associated with the\n specified CloudHSM key store. To find the ID of a custom key store, use the DescribeCustomKeyStores operation.
\nExternal key store IDs are not valid for this parameter. If you specify the ID of an\n external key store, GenerateRandom
throws an\n UnsupportedOperationException
.
Generates the random byte string in the CloudHSM cluster that is associated with the\n specified CloudHSM key store. To find the ID of a custom key store, use the DescribeCustomKeyStores operation.
\nExternal key store IDs are not valid for this parameter. If you specify the ID of an\n external key store, GenerateRandom
throws an\n UnsupportedOperationException
.
A signed attestation document from\n an Amazon Web Services Nitro enclave and the encryption algorithm to use with the enclave's public key.\n The only valid encryption algorithm is RSAES_OAEP_SHA_256
.
This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves. To include this\n parameter, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK.
\nWhen you use this parameter, instead of returning plaintext bytes, KMS encrypts the\n plaintext bytes under the public key in the attestation document, and returns the resulting\n ciphertext in the CiphertextForRecipient
field in the response. This ciphertext\n can be decrypted only with the private key in the enclave. The Plaintext
field in\n the response is null or empty.
For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.
" + "smithy.api#documentation": "A signed attestation document from\n an Amazon Web Services Nitro enclave and the encryption algorithm to use with the enclave's public key. The\n only valid encryption algorithm is RSAES_OAEP_SHA_256
.
This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves. To include this\n parameter, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK.
\nWhen you use this parameter, instead of returning plaintext bytes, KMS encrypts the\n plaintext bytes under the public key in the attestation document, and returns the resulting\n ciphertext in the CiphertextForRecipient
field in the response. This ciphertext\n can be decrypted only with the private key in the enclave. The Plaintext
field in\n the response is null or empty.
For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.
" } } }, @@ -2793,13 +2882,13 @@ "Plaintext": { "target": "com.amazonaws.kms#PlaintextType", "traits": { - "smithy.api#documentation": "The random byte string. When you use the HTTP API or the Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.
\nIf the response includes the CiphertextForRecipient
field, the\n Plaintext
field is null or empty.
The random byte string. When you use the HTTP API or the Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.
\nIf the response includes the CiphertextForRecipient
field, the\n Plaintext
field is null or empty.
The plaintext random bytes encrypted with the public key from the Nitro enclave. This ciphertext can\n be decrypted only by using a private key in the Nitro enclave.
\nThis field is included in the response only when the Recipient
parameter in\n the request includes a valid attestation document from an Amazon Web Services Nitro enclave.\n For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.
The plaintext random bytes encrypted with the public key from the Nitro enclave. This\n ciphertext can be decrypted only by using a private key in the Nitro enclave.
\nThis field is included in the response only when the Recipient
parameter in\n the request includes a valid attestation document from an Amazon Web Services Nitro enclave.\n For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.
Returns the public key and an import token you need to import or reimport key material for\n a KMS key.
\nBy default, KMS keys are created with key material that KMS generates. This operation\n supports Importing key\n material, an advanced feature that lets you generate and import the cryptographic\n key material for a KMS key. For more information about importing key material into KMS, see\n Importing key\n material in the Key Management Service Developer Guide.
\nBefore calling GetParametersForImport
, use the CreateKey\n operation with an Origin
value of EXTERNAL
to create a KMS key with\n no key material. You can import key material for a symmetric encryption KMS key, HMAC KMS key,\n asymmetric encryption KMS key, or asymmetric signing KMS key. You can also import key material\n into a multi-Region key of\n any supported type. However, you can't import key material into a KMS key in a custom key store. You can also use\n GetParametersForImport
to get a public key and import token to reimport the original key material into a KMS key whose key material expired or was\n deleted.
\n GetParametersForImport
returns the items that you need to import your key\n material.
The public key (or \"wrapping key\") of an RSA key pair that KMS generates.
\nYou will use this public key to encrypt (\"wrap\") your key material while it's in\n transit to KMS.
\nA import token that ensures that KMS can decrypt your key material and associate it with the correct KMS key.
\nThe public key and its import token are permanently linked and must be used together. Each\n public key and import token set is valid for 24 hours. The expiration date and time appear in\n the ParametersValidTo
field in the GetParametersForImport
response.\n You cannot use an expired public key or import token in an ImportKeyMaterial\n request. If your key and token expire, send another GetParametersForImport
\n request.
\n GetParametersForImport
requires the following information:
The key ID of the KMS key for which you are importing the key material.
\nThe key spec of the public key (\"wrapping key\") that you will use to encrypt your key\n material during import.
\nThe wrapping algorithm that you will use with the public key to encrypt your key\n material.
\nYou can use the same or a different public key spec and wrapping algorithm each time you\n import or reimport the same key material.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
\n\n Required permissions: kms:GetParametersForImport (key policy)
\n\n Related operations:\n
\n\n ImportKeyMaterial\n
\nReturns the public key and an import token you need to import or reimport key material for\n a KMS key.
\nBy default, KMS keys are created with key material that KMS generates. This operation\n supports Importing key\n material, an advanced feature that lets you generate and import the cryptographic\n key material for a KMS key. For more information about importing key material into KMS, see\n Importing key\n material in the Key Management Service Developer Guide.
\nBefore calling GetParametersForImport
, use the CreateKey\n operation with an Origin
value of EXTERNAL
to create a KMS key with\n no key material. You can import key material for a symmetric encryption KMS key, HMAC KMS key,\n asymmetric encryption KMS key, or asymmetric signing KMS key. You can also import key material\n into a multi-Region key of\n any supported type. However, you can't import key material into a KMS key in a custom key store. You can also use\n GetParametersForImport
to get a public key and import token to reimport the original key\n material into a KMS key whose key material expired or was deleted.
\n GetParametersForImport
returns the items that you need to import your key\n material.
The public key (or \"wrapping key\") of an RSA key pair that KMS generates.
\nYou will use this public key to encrypt (\"wrap\") your key material while it's in\n transit to KMS.
\nA import token that ensures that KMS can decrypt your key material and associate it\n with the correct KMS key.
\nThe public key and its import token are permanently linked and must be used together. Each\n public key and import token set is valid for 24 hours. The expiration date and time appear in\n the ParametersValidTo
field in the GetParametersForImport
response.\n You cannot use an expired public key or import token in an ImportKeyMaterial\n request. If your key and token expire, send another GetParametersForImport
\n request.
\n GetParametersForImport
requires the following information:
The key ID of the KMS key for which you are importing the key material.
\nThe key spec of the public key (\"wrapping key\") that you will use to encrypt your key\n material during import.
\nThe wrapping algorithm that you will use with the public key to encrypt your key\n material.
\nYou can use the same or a different public key spec and wrapping algorithm each time you\n import or reimport the same key material.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
\n\n Required permissions: kms:GetParametersForImport (key policy)
\n\n Related operations:\n
\n\n ImportKeyMaterial\n
\nThe algorithm you will use with the RSA public key (PublicKey
) in the\n response to protect your key material during import. For more information, see Select a wrapping algorithm in the Key Management Service Developer Guide.
For RSA_AES wrapping algorithms, you encrypt your key material with an AES key that you\n generate, then encrypt your AES key with the RSA public key from KMS. For RSAES wrapping\n algorithms, you encrypt your key material directly with the RSA public key from KMS.
\nThe wrapping algorithms that you can use depend on the type of key material that you are\n importing. To import an RSA private key, you must use an RSA_AES wrapping algorithm.
\n\n RSA_AES_KEY_WRAP_SHA_256 — Supported for wrapping RSA and ECC key\n material.
\n\n RSA_AES_KEY_WRAP_SHA_1 — Supported for wrapping RSA and ECC key material.
\n\n RSAES_OAEP_SHA_256 — Supported for all types of key material, except RSA key material (private key).
\nYou cannot use the RSAES_OAEP_SHA_256 wrapping algorithm with the RSA_2048 wrapping key spec to wrap \n ECC_NIST_P521 key material.
\n\n RSAES_OAEP_SHA_1 — Supported for all types of key material, except RSA key material (private\n key).
\nYou cannot use the RSAES_OAEP_SHA_1 wrapping algorithm with the RSA_2048 wrapping key spec to wrap \n ECC_NIST_P521 key material.
\n\n RSAES_PKCS1_V1_5 (Deprecated) — Supported only for symmetric encryption key\n material (and only in legacy mode).
\nThe algorithm you will use with the RSA public key (PublicKey
) in the\n response to protect your key material during import. For more information, see Select a wrapping algorithm in the Key Management Service Developer Guide.
For RSA_AES wrapping algorithms, you encrypt your key material with an AES key that you\n generate, then encrypt your AES key with the RSA public key from KMS. For RSAES wrapping\n algorithms, you encrypt your key material directly with the RSA public key from KMS.
\nThe wrapping algorithms that you can use depend on the type of key material that you are\n importing. To import an RSA private key, you must use an RSA_AES wrapping algorithm.
\n\n RSA_AES_KEY_WRAP_SHA_256 — Supported for\n wrapping RSA and ECC key material.
\n\n RSA_AES_KEY_WRAP_SHA_1 — Supported for\n wrapping RSA and ECC key material.
\n\n RSAES_OAEP_SHA_256 — Supported for all types\n of key material, except RSA key material (private key).
\nYou cannot use the RSAES_OAEP_SHA_256 wrapping algorithm with the RSA_2048 wrapping\n key spec to wrap ECC_NIST_P521 key material.
\n\n RSAES_OAEP_SHA_1 — Supported for all types of\n key material, except RSA key material (private key).
\nYou cannot use the RSAES_OAEP_SHA_1 wrapping algorithm with the RSA_2048 wrapping key\n spec to wrap ECC_NIST_P521 key material.
\n\n RSAES_PKCS1_V1_5 (Deprecated) — Supported only\n for symmetric encryption key material (and only in legacy mode).
\nReturns the public key of an asymmetric KMS key. Unlike the private key of a asymmetric\n KMS key, which never leaves KMS unencrypted, callers with kms:GetPublicKey
\n permission can download the public key of an asymmetric KMS key. You can share the public key\n to allow others to encrypt messages and verify signatures outside of KMS.\n For information about asymmetric KMS keys, see Asymmetric KMS keys in the Key Management Service Developer Guide.
You do not need to download the public key. Instead, you can use the public key within\n KMS by calling the Encrypt, ReEncrypt, or Verify operations with the identifier of an asymmetric KMS key. When you use the\n public key within KMS, you benefit from the authentication, authorization, and logging that\n are part of every KMS operation. You also reduce of risk of encrypting data that cannot be\n decrypted. These features are not effective outside of KMS.
\nTo help you use the public key safely outside of KMS, GetPublicKey
returns\n important information about the public key in the response, including:
\n KeySpec: The type of key material in the public key, such as\n RSA_4096
or ECC_NIST_P521
.
\n KeyUsage: Whether the key is used for encryption or signing.
\n\n EncryptionAlgorithms or SigningAlgorithms: A list of the encryption algorithms or the signing\n algorithms for the key.
\nAlthough KMS cannot enforce these restrictions on external operations, it is crucial\n that you use this information to prevent the public key from being used improperly. For\n example, you can prevent a public signing key from being used encrypt data, or prevent a\n public key from being used with an encryption algorithm that is not supported by KMS. You\n can also avoid errors, such as using the wrong signing algorithm in a verification\n operation.
\nTo verify a signature outside of KMS with an SM2 public key (China Regions only), you must \n specify the distinguishing ID. By default, KMS uses 1234567812345678
as the \n distinguishing ID. For more information, see Offline verification\n with SM2 key pairs.
The KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use:\n Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify\n the key ARN or alias ARN in the value of the KeyId
parameter.
\n Required permissions: kms:GetPublicKey (key policy)
\n\n Related operations: CreateKey\n
"
+ "smithy.api#documentation": "Returns the public key of an asymmetric KMS key. Unlike the private key of a asymmetric\n KMS key, which never leaves KMS unencrypted, callers with kms:GetPublicKey
\n permission can download the public key of an asymmetric KMS key. You can share the public key\n to allow others to encrypt messages and verify signatures outside of KMS.\n For information about asymmetric KMS keys, see Asymmetric KMS keys in the Key Management Service Developer Guide.
You do not need to download the public key. Instead, you can use the public key within\n KMS by calling the Encrypt, ReEncrypt, or Verify operations with the identifier of an asymmetric KMS key. When you use the\n public key within KMS, you benefit from the authentication, authorization, and logging that\n are part of every KMS operation. You also reduce of risk of encrypting data that cannot be\n decrypted. These features are not effective outside of KMS.
\nTo help you use the public key safely outside of KMS, GetPublicKey
returns\n important information about the public key in the response, including:
\n KeySpec: The type of key material in the public key, such as\n RSA_4096
or ECC_NIST_P521
.
\n KeyUsage: Whether the key is used for encryption or signing.
\n\n EncryptionAlgorithms or SigningAlgorithms: A list of the encryption algorithms or the signing\n algorithms for the key.
\nAlthough KMS cannot enforce these restrictions on external operations, it is crucial\n that you use this information to prevent the public key from being used improperly. For\n example, you can prevent a public signing key from being used encrypt data, or prevent a\n public key from being used with an encryption algorithm that is not supported by KMS. You\n can also avoid errors, such as using the wrong signing algorithm in a verification\n operation.
\nTo verify a signature outside of KMS with an SM2 public key (China Regions only), you\n must specify the distinguishing ID. By default, KMS uses 1234567812345678
as\n the distinguishing ID. For more information, see Offline\n verification with SM2 key pairs.
The KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify\n the key ARN or alias ARN in the value of the KeyId
parameter.
\n Required permissions: kms:GetPublicKey (key policy)
\n\n Related operations: CreateKey\n
"
 }
 },
 "com.amazonaws.kms#GetPublicKeyRequest": {
@@ -3421,7 +3510,7 @@
 }
 ],
 "traits": {
- "smithy.api#documentation": "Imports or reimports key material into an existing KMS key that was created without key\n material. ImportKeyMaterial
also sets the expiration model and expiration date of\n the imported key material.
By default, KMS keys are created with key material that KMS generates. This operation\n supports Importing key\n material, an advanced feature that lets you generate and import the cryptographic\n key material for a KMS key. For more information about importing key material into KMS, see\n Importing key\n material in the Key Management Service Developer Guide.
\nAfter you successfully import key material into a KMS key, you can reimport\n the same key material into that KMS key, but you cannot import different key\n material. You might reimport key material to replace key material that expired or key material\n that you deleted. You might also reimport key material to change the expiration model or\n expiration date of the key material. Before reimporting key material, if necessary, call DeleteImportedKeyMaterial to delete the current imported key material.
\nEach time you import key material into KMS, you can determine whether\n (ExpirationModel
) and when (ValidTo
) the key material expires. To\n change the expiration of your key material, you must import it again, either by calling\n ImportKeyMaterial
or using the import features of the\n KMS console.
Before calling ImportKeyMaterial
:
Create or identify a KMS key with no key material. The KMS key must have an\n Origin
value of EXTERNAL
, which indicates that the KMS key is\n designed for imported key material.
To create an new KMS key for imported key material, call the CreateKey operation with an Origin
value of EXTERNAL
. You can create a\n symmetric encryption KMS key, HMAC KMS key, asymmetric encryption KMS key, or asymmetric\n signing KMS key. You can also import key material into a multi-Region key of any\n supported type. However, you can't import key material into a KMS key in a custom key store.
Use the DescribeKey operation to verify that the\n KeyState
of the KMS key is PendingImport
, which indicates that\n the KMS key has no key material.
If you are reimporting the same key material into an existing KMS key, you might need\n to call the DeleteImportedKeyMaterial to delete its existing key\n material.
\nCall the GetParametersForImport operation to get a public key and\n import token set for importing key material.
\nUse the public key in the GetParametersForImport response to encrypt\n your key material.
\n Then, in an ImportKeyMaterial
request, you submit your encrypted key\n material and import token. When calling this operation, you must specify the following\n values:
The key ID or key ARN of the KMS key to associate with the imported key material. Its\n Origin
must be EXTERNAL
and its KeyState
must be\n PendingImport
. You cannot perform this operation on a KMS key in a custom key store, or on a KMS\n key in a different Amazon Web Services account. To get the Origin
and KeyState
\n of a KMS key, call DescribeKey.
The encrypted key material.
\nThe import token that GetParametersForImport returned. You must use\n a public key and token from the same GetParametersForImport
response.
Whether the key material expires (ExpirationModel
) and, if so, when\n (ValidTo
). For help with this choice, see Setting an expiration time in the Key Management Service Developer Guide.
If you set an expiration date, KMS deletes the key material from the KMS key on the\n specified date, making the KMS key unusable. To use the KMS key in cryptographic\n operations again, you must reimport the same key material. However, you can delete and\n reimport the key material at any time, including before the key material expires. Each\n time you reimport, you can eliminate or reset the expiration time.
\nWhen this operation is successful, the key state of the KMS key changes from\n PendingImport
to Enabled
, and you can use the KMS key in\n cryptographic operations.
If this operation fails, use the exception to help determine the problem. If the error is\n related to the key material, the import token, or wrapping key, use GetParametersForImport to get a new public key and import token for the KMS key\n and repeat the import procedure. For help, see How To Import Key\n Material in the Key Management Service Developer Guide.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
\n\n Required permissions: kms:ImportKeyMaterial (key policy)
\n\n Related operations:\n
\nImports or reimports key material into an existing KMS key that was created without key\n material. ImportKeyMaterial
also sets the expiration model and expiration date of\n the imported key material.
By default, KMS keys are created with key material that KMS generates. This operation\n supports Importing key\n material, an advanced feature that lets you generate and import the cryptographic\n key material for a KMS key. For more information about importing key material into KMS, see\n Importing key\n material in the Key Management Service Developer Guide.
\nAfter you successfully import key material into a KMS key, you can reimport\n the same key material into that KMS key, but you cannot import different key\n material. You might reimport key material to replace key material that expired or key material\n that you deleted. You might also reimport key material to change the expiration model or\n expiration date of the key material. Before reimporting key material, if necessary, call DeleteImportedKeyMaterial to delete the current imported key material.
\nEach time you import key material into KMS, you can determine whether\n (ExpirationModel
) and when (ValidTo
) the key material expires. To\n change the expiration of your key material, you must import it again, either by calling\n ImportKeyMaterial
or using the import features of the KMS console.
Before calling ImportKeyMaterial
:
Create or identify a KMS key with no key material. The KMS key must have an\n Origin
value of EXTERNAL
, which indicates that the KMS key is\n designed for imported key material.
To create an new KMS key for imported key material, call the CreateKey operation with an Origin
value of EXTERNAL
. You can create a\n symmetric encryption KMS key, HMAC KMS key, asymmetric encryption KMS key, or asymmetric\n signing KMS key. You can also import key material into a multi-Region key of any\n supported type. However, you can't import key material into a KMS key in a custom key store.
Use the DescribeKey operation to verify that the\n KeyState
of the KMS key is PendingImport
, which indicates that\n the KMS key has no key material.
If you are reimporting the same key material into an existing KMS key, you might need\n to call the DeleteImportedKeyMaterial to delete its existing key\n material.
\nCall the GetParametersForImport operation to get a public key and\n import token set for importing key material.
\nUse the public key in the GetParametersForImport response to encrypt\n your key material.
\n Then, in an ImportKeyMaterial
request, you submit your encrypted key\n material and import token. When calling this operation, you must specify the following\n values:
The key ID or key ARN of the KMS key to associate with the imported key material. Its\n Origin
must be EXTERNAL
and its KeyState
must be\n PendingImport
. You cannot perform this operation on a KMS key in a custom key store, or on a KMS\n key in a different Amazon Web Services account. To get the Origin
and KeyState
\n of a KMS key, call DescribeKey.
The encrypted key material.
\nThe import token that GetParametersForImport returned. You must use\n a public key and token from the same GetParametersForImport
response.
Whether the key material expires (ExpirationModel
) and, if so, when\n (ValidTo
). For help with this choice, see Setting an expiration time in the Key Management Service Developer Guide.
If you set an expiration date, KMS deletes the key material from the KMS key on the\n specified date, making the KMS key unusable. To use the KMS key in cryptographic\n operations again, you must reimport the same key material. However, you can delete and\n reimport the key material at any time, including before the key material expires. Each\n time you reimport, you can eliminate or reset the expiration time.
\nWhen this operation is successful, the key state of the KMS key changes from\n PendingImport
to Enabled
, and you can use the KMS key in\n cryptographic operations.
If this operation fails, use the exception to help determine the problem. If the error is\n related to the key material, the import token, or wrapping key, use GetParametersForImport to get a new public key and import token for the KMS key\n and repeat the import procedure. For help, see How To Import Key\n Material in the Key Management Service Developer Guide.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
\n\n Required permissions: kms:ImportKeyMaterial (key policy)
\n\n Related operations:\n
\nThe request was rejected because the state of the specified resource is not valid for this\n request.
\nThis exceptions means one of the following:
\nThe key state of the KMS key is not compatible with the operation.
\nTo find the key state, use the DescribeKey operation. For more\n information about which key states are compatible with each KMS operation, see\n Key states of KMS keys in the \n Key Management Service Developer Guide\n .
\nFor cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.
\nThe request was rejected because the state of the specified resource is not valid for this\n request.
\nThis exceptions means one of the following:
\nThe key state of the KMS key is not compatible with the operation.
\nTo find the key state, use the DescribeKey operation. For more\n information about which key states are compatible with each KMS operation, see\n Key states of KMS keys in the \n Key Management Service Developer Guide\n .
\nFor cryptographic operations on KMS keys in custom key stores, this exception\n represents a general failure with many possible causes. To identify the cause, see the\n error message that accompanies the exception.
\nInformation about the external key that is associated with a KMS key in an\n external key store.
\nFor more information, see \n External key in the Key Management Service Developer Guide.
"
+ "smithy.api#documentation": "Information about the external key that is associated with a KMS key in an external key\n store.
\nFor more information, see External key in the\n Key Management Service Developer Guide.
"
 }
 }
 },
@@ -5023,6 +5112,9 @@
 {
 "target": "com.amazonaws.kms#DisabledException"
 },
+ {
+ "target": "com.amazonaws.kms#DryRunOperationException"
+ },
 {
 "target": "com.amazonaws.kms#IncorrectKeyException"
 },
@@ -5104,6 +5196,12 @@
 "traits": {
 "smithy.api#documentation": "A list of grant tokens.
\nUse a grant token when your permission to call this operation comes from a new grant that has not yet achieved eventual consistency. For more information, see Grant token and Using a grant token in the\n Key Management Service Developer Guide.
"
 }
+ },
+ "DryRun": {
+ "target": "com.amazonaws.kms#NullableBooleanType",
+ "traits": {
+ "smithy.api#documentation": "Checks if your request will succeed. DryRun
is an optional parameter.
To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.
"
+ }
 }
 },
 "traits": {
@@ -5154,13 +5252,13 @@
 "KeyEncryptionAlgorithm": {
 "target": "com.amazonaws.kms#KeyEncryptionMechanism",
 "traits": {
- "smithy.api#documentation": "The encryption algorithm that KMS should use with the public key for an Amazon Web Services Nitro Enclave to encrypt plaintext \n values for the response. The only valid value is RSAES_OAEP_SHA_256
.
The encryption algorithm that KMS should use with the public key for an Amazon Web Services Nitro\n Enclave to encrypt plaintext values for the response. The only valid value is\n RSAES_OAEP_SHA_256
.
The attestation document for an Amazon Web Services Nitro Enclave. This document includes the enclave's public\n key.
"
+ "smithy.api#documentation": "The attestation document for an Amazon Web Services Nitro Enclave. This document includes the enclave's\n public key.
"
 }
 }
 },
@@ -5307,6 +5405,9 @@
 {
 "target": "com.amazonaws.kms#DependencyTimeoutException"
 },
+ {
+ "target": "com.amazonaws.kms#DryRunOperationException"
+ },
 {
 "target": "com.amazonaws.kms#InvalidArnException"
 },
@@ -5350,6 +5451,12 @@
 "traits": {
 "smithy.api#documentation": "Identifies the grant to retire. To get the grant ID, use CreateGrant,\n ListGrants, or ListRetirableGrants.
\nGrant ID Example -\n 0123456789012345678901234567890123456789012345678901234567890123
\nChecks if your request will succeed. DryRun
is an optional parameter.
To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.
"
+ }
 }
 },
 "traits": {
@@ -5368,6 +5475,9 @@
 {
 "target": "com.amazonaws.kms#DependencyTimeoutException"
 },
+ {
+ "target": "com.amazonaws.kms#DryRunOperationException"
+ },
 {
 "target": "com.amazonaws.kms#InvalidArnException"
 },
@@ -5404,6 +5514,12 @@
 "smithy.api#documentation": "Identifies the grant to revoke. To get the grant ID, use CreateGrant,\n ListGrants, or ListRetirableGrants.
",
 "smithy.api#required": {}
 }
+ },
+ "DryRun": {
+ "target": "com.amazonaws.kms#NullableBooleanType",
+ "traits": {
+ "smithy.api#documentation": "Checks if your request will succeed. DryRun
is an optional parameter.
To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.
"
+ }
 }
 },
 "traits": {
@@ -5436,7 +5552,7 @@
 }
 ],
 "traits": {
- "smithy.api#documentation": "Schedules the deletion of a KMS key. By default, KMS applies a waiting period of 30\n days, but you can specify a waiting period of 7-30 days. When this operation is successful,\n the key state of the KMS key changes to PendingDeletion
and the key can't be used\n in any cryptographic operations. It remains in this state for the duration of the waiting\n period. Before the waiting period ends, you can use CancelKeyDeletion to\n cancel the deletion of the KMS key. After the waiting period ends, KMS deletes the KMS key,\n its key material, and all KMS data associated with it, including all aliases that refer to\n it.
Deleting a KMS key is a destructive and potentially dangerous operation. When a KMS key\n is deleted, all data that was encrypted under the KMS key is unrecoverable. (The only\n exception is a multi-Region replica\n key, or an asymmetric or HMAC KMS key with imported key material[BUGBUG-link to\n importing-keys-managing.html#import-delete-key.) To prevent the use of a KMS key without\n deleting it, use DisableKey.
\nYou can schedule the deletion of a multi-Region primary key and its replica keys at any\n time. However, KMS will not delete a multi-Region primary key with existing replica keys. If\n you schedule the deletion of a primary key with replicas, its key state changes to\n PendingReplicaDeletion
and it cannot be replicated or used in cryptographic\n operations. This status can continue indefinitely. When the last of its replicas keys is\n deleted (not just scheduled), the key state of the primary key changes to\n PendingDeletion
and its waiting period (PendingWindowInDays
)\n begins. For details, see Deleting multi-Region keys in the\n Key Management Service Developer Guide.
When KMS deletes\n a KMS key from an CloudHSM key store, it makes a best effort to delete the associated\n key material from the associated CloudHSM cluster. However, you might need to manually delete\n the orphaned key material from the cluster and its backups. Deleting a KMS key from an\n external key store has no effect on the associated external key. However, for both\n types of custom key stores, deleting a KMS key is destructive and irreversible. You cannot\n decrypt ciphertext encrypted under the KMS key by using only its associated external key or\n CloudHSM key. Also, you cannot recreate a KMS key in an external key store by creating a new KMS\n key with the same key material.
\nFor more information about scheduling a KMS key for deletion, see Deleting KMS keys in the\n Key Management Service Developer Guide.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
\n\n Required permissions: kms:ScheduleKeyDeletion (key\n policy)
\n\n Related operations\n
\n\n CancelKeyDeletion\n
\n\n DisableKey\n
\nSchedules the deletion of a KMS key. By default, KMS applies a waiting period of 30\n days, but you can specify a waiting period of 7-30 days. When this operation is successful,\n the key state of the KMS key changes to PendingDeletion
and the key can't be used\n in any cryptographic operations. It remains in this state for the duration of the waiting\n period. Before the waiting period ends, you can use CancelKeyDeletion to\n cancel the deletion of the KMS key. After the waiting period ends, KMS deletes the KMS key,\n its key material, and all KMS data associated with it, including all aliases that refer to\n it.
Deleting a KMS key is a destructive and potentially dangerous operation. When a KMS key\n is deleted, all data that was encrypted under the KMS key is unrecoverable. (The only\n exception is a multi-Region replica\n key, or an asymmetric or HMAC KMS\n key with imported key material.) To prevent the use of a KMS key without deleting\n it, use DisableKey.
\nYou can schedule the deletion of a multi-Region primary key and its replica keys at any\n time. However, KMS will not delete a multi-Region primary key with existing replica keys. If\n you schedule the deletion of a primary key with replicas, its key state changes to\n PendingReplicaDeletion
and it cannot be replicated or used in cryptographic\n operations. This status can continue indefinitely. When the last of its replicas keys is\n deleted (not just scheduled), the key state of the primary key changes to\n PendingDeletion
and its waiting period (PendingWindowInDays
)\n begins. For details, see Deleting multi-Region keys in the\n Key Management Service Developer Guide.
When KMS deletes\n a KMS key from an CloudHSM key store, it makes a best effort to delete the associated\n key material from the associated CloudHSM cluster. However, you might need to manually delete\n the orphaned key material from the cluster and its backups. Deleting a KMS key from an\n external key store has no effect on the associated external key. However, for both\n types of custom key stores, deleting a KMS key is destructive and irreversible. You cannot\n decrypt ciphertext encrypted under the KMS key by using only its associated external key or\n CloudHSM key. Also, you cannot recreate a KMS key in an external key store by creating a new KMS\n key with the same key material.
\nFor more information about scheduling a KMS key for deletion, see Deleting KMS keys in the\n Key Management Service Developer Guide.
\nThe KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
\n\n Required permissions: kms:ScheduleKeyDeletion (key\n policy)
\n\n Related operations\n
\n\n CancelKeyDeletion\n
\n\n DisableKey\n
\nThe waiting period, specified in number of days. After the waiting period ends, KMS\n deletes the KMS key.
\nIf the KMS key is a multi-Region primary key with replica keys, the waiting period begins\n when the last of its replica keys is deleted. Otherwise, the waiting period begins\n immediately.
\nThis value is optional. If you include a value, it must be between 7 and 30, inclusive. If\n you do not include a value, it defaults to 30. You can use the \n kms:ScheduleKeyDeletionPendingWindowInDays
\n \n condition key to further constrain the values that principals can specify in the \n PendingWindowInDays
parameter.
The waiting period, specified in number of days. After the waiting period ends, KMS\n deletes the KMS key.
\nIf the KMS key is a multi-Region primary key with replica keys, the waiting period begins\n when the last of its replica keys is deleted. Otherwise, the waiting period begins\n immediately.
\nThis value is optional. If you include a value, it must be between 7 and 30, inclusive. If\n you do not include a value, it defaults to 30. You can use the \n kms:ScheduleKeyDeletionPendingWindowInDays
\n condition key to further\n constrain the values that principals can specify in the PendingWindowInDays
\n parameter.
Specifies the message or message digest to sign. Messages can be 0-4096 bytes. To sign a\n larger message, provide a message digest.
\nIf you provide a message digest, use the DIGEST
value of MessageType
to\n prevent the digest from being hashed again while signing.
Specifies the message or message digest to sign. Messages can be 0-4096 bytes. To sign a\n larger message, provide a message digest.
\nIf you provide a message digest, use the DIGEST
value of\n MessageType
to prevent the digest from being hashed again while signing.
Tells KMS whether the value of the Message
parameter should be hashed\n as part of the signing algorithm. Use RAW
for unhashed messages; use DIGEST
\n for message digests, which are already hashed.
When the value of MessageType
is RAW
, KMS uses the standard\n signing algorithm, which begins with a hash function. When the value is DIGEST
, KMS skips\n the hashing step in the signing algorithm.
Use the DIGEST
value only when the value of the Message
\n parameter is a message digest. If you use the DIGEST
value with an unhashed message,\n the security of the signing operation can be compromised.
When the value of MessageType
is DIGEST
, the length\n of the Message
value must match the length of hashed messages for the specified signing algorithm.
You can submit a message digest and omit the MessageType
or specify\n RAW
so the digest is hashed again while signing. However, this can cause verification failures when \n verifying with a system that assumes a single hash.
The hashing algorithm in that Sign
uses is based on the SigningAlgorithm
value.
Signing algorithms that end in SHA_256 use the SHA_256 hashing algorithm.
\nSigning algorithms that end in SHA_384 use the SHA_384 hashing algorithm.
\nSigning algorithms that end in SHA_512 use the SHA_512 hashing algorithm.
\nSM2DSA uses the SM3 hashing algorithm. For details, see Offline verification with SM2 key pairs.
\nTells KMS whether the value of the Message
parameter should be hashed as\n part of the signing algorithm. Use RAW
for unhashed messages; use\n DIGEST
for message digests, which are already hashed.
When the value of MessageType
is RAW
, KMS uses the standard\n signing algorithm, which begins with a hash function. When the value is DIGEST
,\n KMS skips the hashing step in the signing algorithm.
Use the DIGEST
value only when the value of the Message
\n parameter is a message digest. If you use the DIGEST
value with an unhashed\n message, the security of the signing operation can be compromised.
When the value of MessageType
is DIGEST
, the length of the\n Message
value must match the length of hashed messages for the specified\n signing algorithm.
You can submit a message digest and omit the MessageType
or specify\n RAW
so the digest is hashed again while signing. However, this can cause\n verification failures when verifying with a system that assumes a single hash.
The hashing algorithm in that Sign
uses is based on the\n SigningAlgorithm
value.
Signing algorithms that end in SHA_256 use the SHA_256 hashing algorithm.
\nSigning algorithms that end in SHA_384 use the SHA_384 hashing algorithm.
\nSigning algorithms that end in SHA_512 use the SHA_512 hashing algorithm.
\nSM2DSA uses the SM3 hashing algorithm. For details, see Offline\n verification with SM2 key pairs.
\nSpecifies the signing algorithm to use when signing the message.
\nChoose an algorithm that is compatible with the type and size of the specified asymmetric\n KMS key. When signing with RSA key pairs, RSASSA-PSS algorithms are preferred. We include\n RSASSA-PKCS1-v1_5 algorithms for compatibility with existing applications.
",
+ "smithy.api#documentation": "Specifies the signing algorithm to use when signing the message.
\nChoose an algorithm that is compatible with the type and size of the specified asymmetric\n KMS key. When signing with RSA key pairs, RSASSA-PSS algorithms are preferred. We include\n RSASSA-PKCS1-v1_5 algorithms for compatibility with existing applications.
",
 "smithy.api#required": {}
 }
+ },
+ "DryRun": {
+ "target": "com.amazonaws.kms#NullableBooleanType",
+ "traits": {
+ "smithy.api#documentation": "Checks if your request will succeed. DryRun
is an optional parameter.
To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.
"
+ }
 }
 },
 "traits": {
@@ -5773,7 +5898,7 @@
 "Tags": {
 "target": "com.amazonaws.kms#TagList",
 "traits": {
- "smithy.api#documentation": "One or more tags. Each tag consists of a tag key and a tag value. The tag value can be an empty (null)\n string.
\nDo not include confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output.
\nYou cannot have more than one tag on a KMS key with the same tag key. If you specify an\n existing tag key with a different tag value, KMS replaces the current tag value with the\n specified one.
", + "smithy.api#documentation": "One or more tags. Each tag consists of a tag key and a tag value. The tag value can be an\n empty (null) string.
\nDo not include confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output.
\nYou cannot have more than one tag on a KMS key with the same tag key. If you specify an\n existing tag key with a different tag value, KMS replaces the current tag value with the\n specified one.
", "smithy.api#required": {} } } @@ -7623,6 +7748,9 @@ { "target": "com.amazonaws.kms#DisabledException" }, + { + "target": "com.amazonaws.kms#DryRunOperationException" + }, { "target": "com.amazonaws.kms#InvalidGrantTokenException" }, @@ -7646,7 +7774,7 @@ } ], "traits": { - "smithy.api#documentation": "Verifies a digital signature that was generated by the Sign operation.
\n \nVerification confirms that an authorized user signed the message with the specified KMS\n key and signing algorithm, and the message hasn't changed since it was signed. If the\n signature is verified, the value of the SignatureValid
field in the response is\n True
. If the signature verification fails, the Verify
operation\n fails with an KMSInvalidSignatureException
exception.
A digital signature is generated by using the private key in an asymmetric KMS key. The\n signature is verified by using the public key in the same asymmetric KMS key.\n For information about asymmetric KMS keys, see Asymmetric KMS keys in the Key Management Service Developer Guide.
\nTo use the Verify
operation, specify the\n same asymmetric KMS key, message, and signing algorithm that were used to produce the\n signature. The message type does not need to be the same as the one used for signing, but it must \n indicate whether the value of the Message
parameter should be\n hashed as part of the verification process.
You can also verify the digital signature by using the public key of the KMS key outside\n of KMS. Use the GetPublicKey operation to download the public key in the\n asymmetric KMS key and then use the public key to verify the signature outside of KMS. The\n advantage of using the Verify
operation is that it is performed within KMS. As\n a result, it's easy to call, the operation is performed within the FIPS boundary, it is logged\n in CloudTrail, and you can use key policy and IAM policy to determine who is authorized to use\n the KMS key to verify signatures.
To verify a signature outside of KMS with an SM2 public key (China Regions only), you must \n specify the distinguishing ID. By default, KMS uses 1234567812345678
as the \n distinguishing ID. For more information, see Offline verification\n with SM2 key pairs.
The KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify\n the key ARN or alias ARN in the value of the KeyId
parameter.
\n Required permissions: kms:Verify (key policy)
\n\n Related operations: Sign\n
" + "smithy.api#documentation": "Verifies a digital signature that was generated by the Sign operation.
\n \nVerification confirms that an authorized user signed the message with the specified KMS\n key and signing algorithm, and the message hasn't changed since it was signed. If the\n signature is verified, the value of the SignatureValid
field in the response is\n True
. If the signature verification fails, the Verify
operation\n fails with an KMSInvalidSignatureException
exception.
A digital signature is generated by using the private key in an asymmetric KMS key. The\n signature is verified by using the public key in the same asymmetric KMS key.\n For information about asymmetric KMS keys, see Asymmetric KMS keys in the Key Management Service Developer Guide.
\nTo use the Verify
operation, specify the same asymmetric KMS key, message,\n and signing algorithm that were used to produce the signature. The message type does not need\n to be the same as the one used for signing, but it must indicate whether the value of the\n Message
parameter should be hashed as part of the verification process.
You can also verify the digital signature by using the public key of the KMS key outside\n of KMS. Use the GetPublicKey operation to download the public key in the\n asymmetric KMS key and then use the public key to verify the signature outside of KMS. The\n advantage of using the Verify
operation is that it is performed within KMS. As\n a result, it's easy to call, the operation is performed within the FIPS boundary, it is logged\n in CloudTrail, and you can use key policy and IAM policy to determine who is authorized to use\n the KMS key to verify signatures.
To verify a signature outside of KMS with an SM2 public key (China Regions only), you\n must specify the distinguishing ID. By default, KMS uses 1234567812345678
as\n the distinguishing ID. For more information, see Offline\n verification with SM2 key pairs.
The KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.
\n\n Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify\n the key ARN or alias ARN in the value of the KeyId
parameter.
\n Required permissions: kms:Verify (key policy)
\n\n Related operations: Sign\n
" } }, "com.amazonaws.kms#VerifyMac": { @@ -7661,6 +7789,9 @@ { "target": "com.amazonaws.kms#DisabledException" }, + { + "target": "com.amazonaws.kms#DryRunOperationException" + }, { "target": "com.amazonaws.kms#InvalidGrantTokenException" }, @@ -7723,6 +7854,12 @@ "traits": { "smithy.api#documentation": "A list of grant tokens.
\nUse a grant token when your permission to call this operation comes from a new grant that has not yet achieved eventual consistency. For more information, see Grant token and Using a grant token in the\n Key Management Service Developer Guide.
" } + }, + "DryRun": { + "target": "com.amazonaws.kms#NullableBooleanType", + "traits": { + "smithy.api#documentation": "Checks if your request will succeed. DryRun
is an optional parameter.
To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.
" + } } }, "traits": { @@ -7769,14 +7906,14 @@ "Message": { "target": "com.amazonaws.kms#PlaintextType", "traits": { - "smithy.api#documentation": "Specifies the message that was signed. You can submit a raw message of up to 4096 bytes,\n or a hash digest of the message. If you submit a digest, use the MessageType
parameter\n with a value of DIGEST
.
If the message specified here is different from the message that was signed, the signature\n verification fails. A message and its hash digest are considered to be the same\n message.
", + "smithy.api#documentation": "Specifies the message that was signed. You can submit a raw message of up to 4096 bytes,\n or a hash digest of the message. If you submit a digest, use the MessageType
\n parameter with a value of DIGEST
.
If the message specified here is different from the message that was signed, the signature\n verification fails. A message and its hash digest are considered to be the same\n message.
", "smithy.api#required": {} } }, "MessageType": { "target": "com.amazonaws.kms#MessageType", "traits": { - "smithy.api#documentation": "Tells KMS whether the value of the Message
parameter should be hashed\n as part of the signing algorithm. Use RAW
for unhashed messages; use DIGEST
\n for message digests, which are already hashed.
When the value of MessageType
is RAW
, KMS uses the standard\n signing algorithm, which begins with a hash function. When the value is DIGEST
, KMS \n skips the hashing step in the signing algorithm.
Use the DIGEST
value only when the value of the Message
\n parameter is a message digest. If you use the DIGEST
value with an unhashed message,\n the security of the verification operation can be compromised.
When the value of MessageType
is DIGEST
, the length\n of the Message
value must match the length of hashed messages for the specified signing algorithm.
You can submit a message digest and omit the MessageType
or specify\n RAW
so the digest is hashed again while signing. However, if the signed message is hashed once\n while signing, but twice while verifying, verification fails, even when the message hasn't changed.
The hashing algorithm in that Verify
uses is based on the SigningAlgorithm
value.
Signing algorithms that end in SHA_256 use the SHA_256 hashing algorithm.
\nSigning algorithms that end in SHA_384 use the SHA_384 hashing algorithm.
\nSigning algorithms that end in SHA_512 use the SHA_512 hashing algorithm.
\nSM2DSA uses the SM3 hashing algorithm. For details, see Offline verification with SM2 key pairs.
\nTells KMS whether the value of the Message
parameter should be hashed as\n part of the signing algorithm. Use RAW
for unhashed messages; use\n DIGEST
for message digests, which are already hashed.
When the value of MessageType
is RAW
, KMS uses the standard\n signing algorithm, which begins with a hash function. When the value is DIGEST
,\n KMS skips the hashing step in the signing algorithm.
Use the DIGEST
value only when the value of the Message
\n parameter is a message digest. If you use the DIGEST
value with an unhashed\n message, the security of the verification operation can be compromised.
When the value of MessageType
is DIGEST
, the length of the\n Message
value must match the length of hashed messages for the specified\n signing algorithm.
You can submit a message digest and omit the MessageType
or specify\n RAW
so the digest is hashed again while signing. However, if the signed message\n is hashed once while signing, but twice while verifying, verification fails, even when the\n message hasn't changed.
The hashing algorithm in that Verify
uses is based on the\n SigningAlgorithm
value.
Signing algorithms that end in SHA_256 use the SHA_256 hashing algorithm.
\nSigning algorithms that end in SHA_384 use the SHA_384 hashing algorithm.
\nSigning algorithms that end in SHA_512 use the SHA_512 hashing algorithm.
\nSM2DSA uses the SM3 hashing algorithm. For details, see Offline\n verification with SM2 key pairs.
\nA list of grant tokens.
\nUse a grant token when your permission to call this operation comes from a new grant that has not yet achieved eventual consistency. For more information, see Grant token and Using a grant token in the\n Key Management Service Developer Guide.
" } + }, + "DryRun": { + "target": "com.amazonaws.kms#NullableBooleanType", + "traits": { + "smithy.api#documentation": "Checks if your request will succeed. DryRun
is an optional parameter.
To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.
" + } } }, "traits": { @@ -7877,12 +8020,12 @@ "Id": { "target": "com.amazonaws.kms#XksKeyIdType", "traits": { - "smithy.api#documentation": "The ID of the external key in its external key manager. This is the ID that the external key store proxy uses to identify the external key.
" + "smithy.api#documentation": "The ID of the external key in its external key manager. This is the ID that the external\n key store proxy uses to identify the external key.
" } } }, "traits": { - "smithy.api#documentation": "Information about the external key that is associated with a KMS key in an\n external key store.
\nThis element appears in a CreateKey or DescribeKey\n response only for a KMS key in an external key store.
\nThe external key is a symmetric encryption key that is hosted by\n an external key manager outside of Amazon Web Services. When you use the KMS key in an external key store\n in a cryptographic operation, the cryptographic operation is performed in the\n external key manager using the specified external key. For more information, see External key in the Key Management Service Developer Guide.
" + "smithy.api#documentation": "Information about the external key that is\n associated with a KMS key in an external key store.
\nThis element appears in a CreateKey or DescribeKey\n response only for a KMS key in an external key store.
\nThe external key is a symmetric encryption key that is hosted by an\n external key manager outside of Amazon Web Services. When you use the KMS key in an external key store in a\n cryptographic operation, the cryptographic operation is performed in the external key manager\n using the specified external key. For more information, see External key in the\n Key Management Service Developer Guide.
" } }, "com.amazonaws.kms#XksKeyIdType": { @@ -7924,7 +8067,7 @@ "code": "XksKeyNotFoundException", "httpResponseCode": 400 }, - "smithy.api#documentation": "The request was rejected because the external key store proxy could not find the external key. This\n exception is thrown when the value of the XksKeyId
parameter doesn't identify a\n key in the external key manager associated with the external key proxy.
Verify that the XksKeyId
represents an existing key in the external key\n manager. Use the key identifier that the external key store proxy uses to identify the key.\n For details, see the documentation provided with your external key store proxy or key\n manager.
The request was rejected because the external key store proxy could not find the external\n key. This exception is thrown when the value of the XksKeyId
parameter doesn't\n identify a key in the external key manager associated with the external key proxy.
Verify that the XksKeyId
represents an existing key in the external key\n manager. Use the key identifier that the external key store proxy uses to identify the key.\n For details, see the documentation provided with your external key store proxy or key\n manager.
The part of the external key store proxy authentication credential\n that uniquely identifies the secret access key.
" + "smithy.api#documentation": "The part of the external key store proxy authentication credential that uniquely identifies the secret access\n key.
" } }, "UriEndpoint": { @@ -8145,7 +8288,7 @@ "code": "XksProxyUriUnreachableException", "httpResponseCode": 400 }, - "smithy.api#documentation": "KMS was unable to reach the specified XksProxyUriPath
. The path must be\n reachable before you create the external key store or update its settings.
This exception is also thrown when the external key store proxy response to a GetHealthStatus
\n request indicates that all external key manager instances are unavailable.
KMS was unable to reach the specified XksProxyUriPath
. The path must be\n reachable before you create the external key store or update its settings.
This exception is also thrown when the external key store proxy response to a\n GetHealthStatus
request indicates that all external key manager instances are\n unavailable.
The request was rejected because the Amazon VPC endpoint service configuration does not fulfill\n the requirements for an external key store proxy. For details, see the exception message and\n review the requirements for Amazon VPC endpoint service connectivity for an external key\n store.
", + "smithy.api#documentation": "The request was rejected because the Amazon VPC endpoint service configuration does not fulfill\n the requirements for an external key store proxy. For details, see the exception message and\n review the\n requirements for Amazon VPC endpoint service connectivity for an external key\n store.
", "smithy.api#error": "client", "smithy.api#httpError": 400 } diff --git a/aws/sdk/aws-models/lambda.json b/aws/sdk/aws-models/lambda.json index df1e4216396295c44edde192633ebd9d73be1f99..e3300f4f548b2370c0f0b80a453aa4899ec99fc7 100644 --- a/aws/sdk/aws-models/lambda.json +++ b/aws/sdk/aws-models/lambda.json @@ -2567,13 +2567,13 @@ "StartingPosition": { "target": "com.amazonaws.lambda#EventSourcePosition", "traits": { - "smithy.api#documentation": "The position in a stream from which to start reading. Required for Amazon Kinesis, Amazon\n DynamoDB, and Amazon MSK Streams sources. AT_TIMESTAMP
is supported only for\n Amazon Kinesis streams and Amazon DocumentDB.
The position in a stream from which to start reading. Required for Amazon Kinesis and\n Amazon DynamoDB Stream event sources. AT_TIMESTAMP
is supported only for\n Amazon Kinesis streams, Amazon DocumentDB, Amazon MSK, and self-managed Apache Kafka.
With StartingPosition
set to AT_TIMESTAMP
, the time from which to start\n reading.
With StartingPosition
set to AT_TIMESTAMP
, the time from which to start\n reading. StartingPositionTimestamp
cannot be in the future.
Deletes a Lambda function. To delete a specific function version, use the Qualifier
parameter.\n Otherwise, all versions and aliases are deleted.
To delete Lambda event source mappings that invoke a function, use DeleteEventSourceMapping. For Amazon Web Services and resources that invoke your function\n directly, delete the trigger in the service where you originally configured it.
", + "smithy.api#documentation": "Deletes a Lambda function. To delete a specific function version, use the Qualifier
parameter.\n Otherwise, all versions and aliases are deleted. This doesn't require the user to have explicit\n permissions for DeleteAlias.
To delete Lambda event source mappings that invoke a function, use DeleteEventSourceMapping. For Amazon Web Services and resources that invoke your function\n directly, delete the trigger in the service where you originally configured it.
", "smithy.api#http": { "method": "DELETE", "uri": "/2015-03-31/functions/{FunctionName}", @@ -3912,13 +3915,13 @@ "StartingPosition": { "target": "com.amazonaws.lambda#EventSourcePosition", "traits": { - "smithy.api#documentation": "The position in a stream from which to start reading. Required for Amazon Kinesis, Amazon DynamoDB, and Amazon MSK stream sources. AT_TIMESTAMP
is supported only for Amazon Kinesis\n streams and Amazon DocumentDB.
The position in a stream from which to start reading. Required for Amazon Kinesis and\n Amazon DynamoDB Stream event sources. AT_TIMESTAMP
is supported only for\n Amazon Kinesis streams, Amazon DocumentDB, Amazon MSK, and self-managed Apache Kafka.
With StartingPosition
set to AT_TIMESTAMP
, the time from which to start\n reading.
With StartingPosition
set to AT_TIMESTAMP
, the time from which to start\n reading. StartingPositionTimestamp
cannot be in the future.
The exception type.
" + } + }, + "Message": { + "target": "com.amazonaws.lambda#String", + "traits": { + "smithy.api#documentation": "The exception message.
" + } + } + }, + "traits": { + "smithy.api#documentation": "Lambda has detected your function being invoked in a recursive loop with other Amazon Web Services resources and stopped your function's invocation.
", + "smithy.api#error": "client", + "smithy.api#httpError": 400 + } + }, "com.amazonaws.lambda#RemoveLayerVersionPermission": { "type": "operation", "input": { @@ -9948,6 +9979,12 @@ "traits": { "smithy.api#enumValue": "ruby3.2" } + }, + "python311": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "python3.11" + } } } }, @@ -10131,7 +10168,7 @@ } }, "traits": { - "smithy.api#documentation": "The function's Lambda SnapStart setting. Set ApplyOn
to PublishedVersions
to create a\n snapshot of the initialized execution environment when you publish a function version.
SnapStart is supported with the java11
runtime. For more information, see\n Improving startup performance with Lambda\n SnapStart.
The function's Lambda SnapStart setting. Set ApplyOn
to PublishedVersions
to create a\n snapshot of the initialized execution environment when you publish a function version.
A complex type that contains information about the request to associate a VPC with a\n\t\t\tprivate hosted zone.
" + "smithy.api#documentation": "A complex type that contains information about the request to associate a VPC with a\n\t\t\tprivate hosted zone.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#AssociateVPCWithHostedZoneResponse": { @@ -1795,7 +1802,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response information for the\n\t\t\t\tAssociateVPCWithHostedZone
request.
A complex type that contains the response information for the\n\t\t\t\tAssociateVPCWithHostedZone
request.
Creates, changes, or deletes a resource record set, which contains authoritative DNS\n\t\t\tinformation for a specified domain name or subdomain name. For example, you can use\n\t\t\t\tChangeResourceRecordSets
to create a resource record set that routes\n\t\t\ttraffic for test.example.com to a web server that has an IP address of\n\t\t\t192.0.2.44.
\n Deleting Resource Record Sets\n
\nTo delete a resource record set, you must specify all the same values that you\n\t\t\tspecified when you created it.
\n\n Change Batches and Transactional Changes\n
\nThe request body must include a document with a\n\t\t\t\tChangeResourceRecordSetsRequest
element. The request body contains a\n\t\t\tlist of change items, known as a change batch. Change batches are considered\n\t\t\ttransactional changes. Route 53 validates the changes in the request and then either\n\t\t\tmakes all or none of the changes in the change batch request. This ensures that DNS\n\t\t\trouting isn't adversely affected by partial changes to the resource record sets in a\n\t\t\thosted zone.
For example, suppose a change batch request contains two changes: it deletes the\n\t\t\t\tCNAME
resource record set for www.example.com and creates an alias\n\t\t\tresource record set for www.example.com. If validation for both records succeeds, Route\n\t\t\t53 deletes the first resource record set and creates the second resource record set in a\n\t\t\tsingle operation. If validation for either the DELETE
or the\n\t\t\t\tCREATE
action fails, then the request is canceled, and the original\n\t\t\t\tCNAME
record continues to exist.
If you try to delete the same resource record set more than once in a single\n\t\t\t\tchange batch, Route 53 returns an InvalidChangeBatch
error.
\n Traffic Flow\n
\nTo create resource record sets for complex routing configurations, use either the\n\t\t\ttraffic flow visual editor in the Route 53 console or the API actions for traffic\n\t\t\tpolicies and traffic policy instances. Save the configuration as a traffic policy, then\n\t\t\tassociate the traffic policy with one or more domain names (such as example.com) or\n\t\t\tsubdomain names (such as www.example.com), in the same hosted zone or in multiple hosted\n\t\t\tzones. You can roll back the updates if the new configuration isn't performing as\n\t\t\texpected. For more information, see Using Traffic Flow to Route\n\t\t\t\tDNS Traffic in the Amazon Route 53 Developer\n\t\t\tGuide.
\n\n Create, Delete, and Upsert\n
\nUse ChangeResourceRecordsSetsRequest
to perform the following\n\t\t\tactions:
\n CREATE
: Creates a resource record set that has the specified\n\t\t\t\t\tvalues.
\n DELETE
: Deletes an existing resource record set that has the\n\t\t\t\t\tspecified values.
\n UPSERT
: If a resource set exists Route 53 updates it with the\n\t\t\t\t\tvalues in the request.
\n Syntaxes for Creating, Updating, and Deleting Resource Record\n\t\t\t\tSets\n
\nThe syntax for a request depends on the type of resource record set that you want to\n\t\t\tcreate, delete, or update, such as weighted, alias, or failover. The XML elements in\n\t\t\tyour request must appear in the order listed in the syntax.
\nFor an example for each type of resource record set, see \"Examples.\"
\nDon't refer to the syntax in the \"Parameter Syntax\" section, which includes\n\t\t\tall of the elements for every kind of resource record set that you can create, delete,\n\t\t\tor update by using ChangeResourceRecordSets
.
\n Change Propagation to Route 53 DNS Servers\n
\nWhen you submit a ChangeResourceRecordSets
request, Route 53 propagates\n\t\t\tyour changes to all of the Route 53 authoritative DNS servers. While your changes are\n\t\t\tpropagating, GetChange
returns a status of PENDING
. When\n\t\t\tpropagation is complete, GetChange
returns a status of INSYNC
.\n\t\t\tChanges generally propagate to all Route 53 name servers within 60 seconds. For more\n\t\t\tinformation, see GetChange.
\n Limits on ChangeResourceRecordSets Requests\n
\nFor information about the limits on a ChangeResourceRecordSets
request,\n\t\t\tsee Limits in the Amazon Route 53 Developer Guide.
Creates, changes, or deletes a resource record set, which contains authoritative DNS\n\t\t\tinformation for a specified domain name or subdomain name. For example, you can use\n\t\t\t\tChangeResourceRecordSets
to create a resource record set that routes\n\t\t\ttraffic for test.example.com to a web server that has an IP address of\n\t\t\t192.0.2.44.
\n Deleting Resource Record Sets\n
\nTo delete a resource record set, you must specify all the same values that you\n\t\t\tspecified when you created it.
\n\n Change Batches and Transactional Changes\n
\nThe request body must include a document with a\n\t\t\t\tChangeResourceRecordSetsRequest
element. The request body contains a\n\t\t\tlist of change items, known as a change batch. Change batches are considered\n\t\t\ttransactional changes. Route 53 validates the changes in the request and then either\n\t\t\tmakes all or none of the changes in the change batch request. This ensures that DNS\n\t\t\trouting isn't adversely affected by partial changes to the resource record sets in a\n\t\t\thosted zone.
For example, suppose a change batch request contains two changes: it deletes the\n\t\t\t\tCNAME
resource record set for www.example.com and creates an alias\n\t\t\tresource record set for www.example.com. If validation for both records succeeds, Route\n\t\t\t53 deletes the first resource record set and creates the second resource record set in a\n\t\t\tsingle operation. If validation for either the DELETE
or the\n\t\t\t\tCREATE
action fails, then the request is canceled, and the original\n\t\t\t\tCNAME
record continues to exist.
If you try to delete the same resource record set more than once in a single\n\t\t\t\tchange batch, Route 53 returns an InvalidChangeBatch
error.
\n Traffic Flow\n
\nTo create resource record sets for complex routing configurations, use either the\n\t\t\ttraffic flow visual editor in the Route 53 console or the API actions for traffic\n\t\t\tpolicies and traffic policy instances. Save the configuration as a traffic policy, then\n\t\t\tassociate the traffic policy with one or more domain names (such as example.com) or\n\t\t\tsubdomain names (such as www.example.com), in the same hosted zone or in multiple hosted\n\t\t\tzones. You can roll back the updates if the new configuration isn't performing as\n\t\t\texpected. For more information, see Using Traffic Flow to Route\n\t\t\t\tDNS Traffic in the Amazon Route 53 Developer\n\t\t\tGuide.
\n\n Create, Delete, and Upsert\n
\nUse ChangeResourceRecordsSetsRequest
to perform the following\n\t\t\tactions:
\n CREATE
: Creates a resource record set that has the specified\n\t\t\t\t\tvalues.
\n DELETE
: Deletes an existing resource record set that has the\n\t\t\t\t\tspecified values.
\n UPSERT
: If a resource set exists Route 53 updates it with the\n\t\t\t\t\tvalues in the request.
\n Syntaxes for Creating, Updating, and Deleting Resource Record\n\t\t\t\tSets\n
\nThe syntax for a request depends on the type of resource record set that you want to\n\t\t\tcreate, delete, or update, such as weighted, alias, or failover. The XML elements in\n\t\t\tyour request must appear in the order listed in the syntax.
\nFor an example for each type of resource record set, see \"Examples.\"
\nDon't refer to the syntax in the \"Parameter Syntax\" section, which includes\n\t\t\tall of the elements for every kind of resource record set that you can create, delete,\n\t\t\tor update by using ChangeResourceRecordSets
.
\n Change Propagation to Route 53 DNS Servers\n
\nWhen you submit a ChangeResourceRecordSets
request, Route 53 propagates your\n\t\t\tchanges to all of the Route 53 authoritative DNS servers managing the hosted zone. While\n\t\t\tyour changes are propagating, GetChange
returns a status of\n\t\t\t\tPENDING
. When propagation is complete, GetChange
returns a\n\t\t\tstatus of INSYNC
. Changes generally propagate to all Route 53 name servers\n\t\t\tmanaging the hosted zone within 60 seconds. For more information, see GetChange.
\n Limits on ChangeResourceRecordSets Requests\n
\nFor information about the limits on a ChangeResourceRecordSets
request,\n\t\t\tsee Limits in the Amazon Route 53 Developer Guide.
A complex type that contains change information for the resource record set.
" + "smithy.api#documentation": "A complex type that contains change information for the resource record set.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#ChangeResourceRecordSetsResponse": { @@ -2052,7 +2067,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type containing the response for the request.
" + "smithy.api#documentation": "A complex type containing the response for the request.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#ChangeStatus": { @@ -2139,14 +2155,16 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains information about the tags that you want to add, edit, or\n\t\t\tdelete.
" + "smithy.api#documentation": "A complex type that contains information about the tags that you want to add, edit, or\n\t\t\tdelete.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#ChangeTagsForResourceResponse": { "type": "structure", "members": {}, "traits": { - "smithy.api#documentation": "Empty response for the request.
" + "smithy.api#documentation": "Empty response for the request.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#Changes": { @@ -2700,6 +2718,12 @@ "traits": { "smithy.api#enumValue": "ap-southeast-4" } + }, + "il_central_1": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "il-central-1" + } } }, "traits": { @@ -2886,6 +2910,9 @@ "smithy.api#required": {} } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.route53#CreateCidrCollectionResponse": { @@ -2904,6 +2931,9 @@ "smithy.api#httpHeader": "Location" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.route53#CreateHealthCheck": { @@ -2953,7 +2983,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the health check request information.
" + "smithy.api#documentation": "A complex type that contains the health check request information.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#CreateHealthCheckResponse": { @@ -2976,7 +3007,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type containing the response information for the new health check.
" + "smithy.api#documentation": "A complex type containing the response information for the new health check.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#CreateHostedZone": { @@ -3057,12 +3089,13 @@ "DelegationSetId": { "target": "com.amazonaws.route53#ResourceId", "traits": { - "smithy.api#documentation": "If you want to associate a reusable delegation set with this hosted zone, the ID that\n\t\t\t\tAmazon Route 53 assigned to the reusable delegation set when you created it.\n\t\t\tFor more information about reusable delegation sets, see CreateReusableDelegationSet.
" + "smithy.api#documentation": "If you want to associate a reusable delegation set with this hosted zone, the ID that\n\t\t\t\tAmazon Route 53 assigned to the reusable delegation set when you created it.\n\t\t\tFor more information about reusable delegation sets, see CreateReusableDelegationSet.
\nIf you are using a reusable delegation set to create a public hosted zone for a subdomain,\n\t\t\tmake sure that the parent hosted zone doesn't use one or more of the same name servers.\n\t\t\tIf you have overlapping nameservers, the operation will cause a\n\t\t\t\tConflictingDomainsExist
error.
A complex type that contains information about the request to create a public or\n\t\t\tprivate hosted zone.
" + "smithy.api#documentation": "A complex type that contains information about the request to create a public or\n\t\t\tprivate hosted zone.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#CreateHostedZoneResponse": { @@ -3105,7 +3138,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type containing the response information for the hosted zone.
" + "smithy.api#documentation": "A complex type containing the response information for the hosted zone.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#CreateKeySigningKey": { @@ -3195,6 +3229,9 @@ "smithy.api#required": {} } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.route53#CreateKeySigningKeyResponse": { @@ -3221,6 +3258,9 @@ "smithy.api#required": {} } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.route53#CreateQueryLoggingConfig": { @@ -3277,6 +3317,9 @@ "smithy.api#required": {} } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.route53#CreateQueryLoggingConfigResponse": { @@ -3297,6 +3340,9 @@ "smithy.api#required": {} } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.route53#CreateReusableDelegationSet": { @@ -3355,6 +3401,9 @@ "smithy.api#documentation": "If you want to mark the delegation set for an existing hosted zone as reusable, the ID\n\t\t\tfor that hosted zone.
" } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.route53#CreateReusableDelegationSetResponse": { @@ -3375,6 +3424,9 @@ "smithy.api#required": {} } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.route53#CreateTrafficPolicy": { @@ -3482,7 +3534,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains information about the resource record sets that you want\n\t\t\tto create based on a specified traffic policy.
" + "smithy.api#documentation": "A complex type that contains information about the resource record sets that you want\n\t\t\tto create based on a specified traffic policy.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#CreateTrafficPolicyInstanceResponse": { @@ -3505,7 +3558,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response information for the\n\t\t\t\tCreateTrafficPolicyInstance
request.
A complex type that contains the response information for the\n\t\t\t\tCreateTrafficPolicyInstance
request.
A complex type that contains information about the traffic policy that you want to\n\t\t\tcreate.
" + "smithy.api#documentation": "A complex type that contains information about the traffic policy that you want to\n\t\t\tcreate.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#CreateTrafficPolicyResponse": { @@ -3556,7 +3611,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response information for the\n\t\t\t\tCreateTrafficPolicy
request.
A complex type that contains the response information for the\n\t\t\t\tCreateTrafficPolicy
request.
A complex type that contains information about the traffic policy that you want to\n\t\t\tcreate a new version for.
" + "smithy.api#documentation": "A complex type that contains information about the traffic policy that you want to\n\t\t\tcreate a new version for.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#CreateTrafficPolicyVersionResponse": { @@ -3642,7 +3699,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response information for the\n\t\t\t\tCreateTrafficPolicyVersion
request.
A complex type that contains the response information for the\n\t\t\t\tCreateTrafficPolicyVersion
request.
A complex type that contains information about the request to authorize associating a\n\t\t\tVPC with your private hosted zone. Authorization is only required when a private hosted\n\t\t\tzone and a VPC were created by using different accounts.
" + "smithy.api#documentation": "A complex type that contains information about the request to authorize associating a\n\t\t\tVPC with your private hosted zone. Authorization is only required when a private hosted\n\t\t\tzone and a VPC were created by using different accounts.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#CreateVPCAssociationAuthorizationResponse": { @@ -3721,7 +3780,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response information from a\n\t\t\t\tCreateVPCAssociationAuthorization
request.
A complex type that contains the response information from a\n\t\t\t\tCreateVPCAssociationAuthorization
request.
This action deletes a health check.
" + "smithy.api#documentation": "This action deletes a health check.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#DeleteHealthCheckResponse": { "type": "structure", "members": {}, "traits": { - "smithy.api#documentation": "An empty element.
" + "smithy.api#documentation": "An empty element.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#DeleteHostedZone": { @@ -4112,7 +4186,8 @@ } }, "traits": { - "smithy.api#documentation": "A request to delete a hosted zone.
" + "smithy.api#documentation": "A request to delete a hosted zone.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#DeleteHostedZoneResponse": { @@ -4127,7 +4202,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response to a DeleteHostedZone
\n\t\t\trequest.
A complex type that contains the response to a DeleteHostedZone
\n\t\t\trequest.
A request to delete a reusable delegation set.
" + "smithy.api#documentation": "A request to delete a reusable delegation set.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#DeleteReusableDelegationSetResponse": { "type": "structure", "members": {}, "traits": { - "smithy.api#documentation": "An empty element.
" + "smithy.api#documentation": "An empty element.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#DeleteTrafficPolicy": { @@ -4370,14 +4460,16 @@ } }, "traits": { - "smithy.api#documentation": "A request to delete a specified traffic policy instance.
" + "smithy.api#documentation": "A request to delete a specified traffic policy instance.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#DeleteTrafficPolicyInstanceResponse": { "type": "structure", "members": {}, "traits": { - "smithy.api#documentation": "An empty element.
" + "smithy.api#documentation": "An empty element.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#DeleteTrafficPolicyRequest": { @@ -4401,14 +4493,16 @@ } }, "traits": { - "smithy.api#documentation": "A request to delete a specified traffic policy version.
" + "smithy.api#documentation": "A request to delete a specified traffic policy version.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#DeleteTrafficPolicyResponse": { "type": "structure", "members": {}, "traits": { - "smithy.api#documentation": "An empty element.
" + "smithy.api#documentation": "An empty element.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#DeleteVPCAssociationAuthorization": { @@ -4465,14 +4559,16 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains information about the request to remove authorization to\n\t\t\tassociate a VPC that was created by one Amazon Web Services account with a hosted zone\n\t\t\tthat was created with a different Amazon Web Services account.
" + "smithy.api#documentation": "A complex type that contains information about the request to remove authorization to\n\t\t\tassociate a VPC that was created by one Amazon Web Services account with a hosted zone\n\t\t\tthat was created with a different Amazon Web Services account.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#DeleteVPCAssociationAuthorizationResponse": { "type": "structure", "members": {}, "traits": { - "smithy.api#documentation": "Empty response for the request.
" + "smithy.api#documentation": "Empty response for the request.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#Dimension": { @@ -4575,6 +4671,9 @@ "smithy.api#required": {} } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.route53#DisableHostedZoneDNSSECResponse": { @@ -4586,6 +4685,9 @@ "smithy.api#required": {} } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.route53#Disabled": { @@ -4654,7 +4756,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains information about the VPC that you want to disassociate\n\t\t\tfrom a specified private hosted zone.
" + "smithy.api#documentation": "A complex type that contains information about the VPC that you want to disassociate\n\t\t\tfrom a specified private hosted zone.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#DisassociateVPCFromHostedZoneResponse": { @@ -4669,7 +4772,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response information for the disassociate\n\t\t\trequest.
" + "smithy.api#documentation": "A complex type that contains the response information for the disassociate\n\t\t\trequest.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#EnableHostedZoneDNSSEC": { @@ -4729,6 +4833,9 @@ "smithy.api#required": {} } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.route53#EnableHostedZoneDNSSECResponse": { @@ -4740,6 +4847,9 @@ "smithy.api#required": {} } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.route53#EnableSNI": { @@ -4951,7 +5061,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains information about the request to create a hosted\n\t\t\tzone.
" + "smithy.api#documentation": "A complex type that contains information about the request to create a hosted\n\t\t\tzone.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#GetAccountLimitResponse": { @@ -4974,7 +5085,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the requested limit.
" + "smithy.api#documentation": "A complex type that contains the requested limit.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#GetChange": { @@ -4994,7 +5106,7 @@ } ], "traits": { - "smithy.api#documentation": "Returns the current status of a change batch request. The status is one of the\n\t\t\tfollowing values:
\n\n PENDING
indicates that the changes in this request have not\n\t\t\t\t\tpropagated to all Amazon Route 53 DNS servers. This is the initial status of all\n\t\t\t\t\tchange batch requests.
\n INSYNC
indicates that the changes have propagated to all Route 53\n\t\t\t\t\tDNS servers.
Returns the current status of a change batch request. The status is one of the\n\t\t\tfollowing values:
\n\n PENDING
indicates that the changes in this request have not\n\t\t\t\t\tpropagated to all Amazon Route 53 DNS servers managing the hosted zone. This is the initial status of all\n\t\t\t\t\tchange batch requests.
\n INSYNC
indicates that the changes have propagated to all Route 53\n\t\t\t\t\tDNS servers managing the hosted zone.
The input for a GetChange request.
" + "smithy.api#documentation": "The input for a GetChange request.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#GetChangeResponse": { @@ -5047,7 +5160,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the ChangeInfo
element.
A complex type that contains the ChangeInfo
element.
Empty request.
" + "smithy.api#documentation": "Empty request.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#GetCheckerIpRangesResponse": { @@ -5086,7 +5201,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the CheckerIpRanges
element.
A complex type that contains the CheckerIpRanges
element.
A request for information about whether a specified geographic location is supported\n\t\t\tfor Amazon Route 53 geolocation resource record sets.
" + "smithy.api#documentation": "A request for information about whether a specified geographic location is supported\n\t\t\tfor Amazon Route 53 geolocation resource record sets.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#GetGeoLocationResponse": { @@ -5215,7 +5338,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response information for the specified geolocation\n\t\t\tcode.
" + "smithy.api#documentation": "A complex type that contains the response information for the specified geolocation\n\t\t\tcode.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#GetHealthCheck": { @@ -5267,7 +5391,8 @@ "type": "structure", "members": {}, "traits": { - "smithy.api#documentation": "A request for the number of health checks that are associated with the current Amazon Web Services account.
" + "smithy.api#documentation": "A request for the number of health checks that are associated with the current Amazon Web Services account.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#GetHealthCheckCountResponse": { @@ -5282,7 +5407,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response to a GetHealthCheckCount
\n\t\t\trequest.
A complex type that contains the response to a GetHealthCheckCount
\n\t\t\trequest.
A request for the reason that a health check failed most recently.
" + "smithy.api#documentation": "A request for the reason that a health check failed most recently.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#GetHealthCheckLastFailureReasonResponse": { @@ -5338,7 +5465,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response to a\n\t\t\t\tGetHealthCheckLastFailureReason
request.
A complex type that contains the response to a\n\t\t\t\tGetHealthCheckLastFailureReason
request.
A request to get information about a specified health check.
" + "smithy.api#documentation": "A request to get information about a specified health check.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#GetHealthCheckResponse": { @@ -5369,7 +5498,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response to a GetHealthCheck
\n\t\t\trequest.
A complex type that contains the response to a GetHealthCheck
\n\t\t\trequest.
A request to get the status for a health check.
" + "smithy.api#documentation": "A request to get the status for a health check.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#GetHealthCheckStatusResponse": { @@ -5425,7 +5556,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response to a GetHealthCheck
\n\t\t\trequest.
A complex type that contains the response to a GetHealthCheck
\n\t\t\trequest.
A request to retrieve a count of all the hosted zones that are associated with the\n\t\t\tcurrent Amazon Web Services account.
" + "smithy.api#documentation": "A request to retrieve a count of all the hosted zones that are associated with the\n\t\t\tcurrent Amazon Web Services account.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#GetHostedZoneCountResponse": { @@ -5494,7 +5627,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response to a GetHostedZoneCount
\n\t\t\trequest.
A complex type that contains the response to a GetHostedZoneCount
\n\t\t\trequest.
A complex type that contains information about the request to create a hosted\n\t\t\tzone.
" + "smithy.api#documentation": "A complex type that contains information about the request to create a hosted\n\t\t\tzone.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#GetHostedZoneLimitResponse": { @@ -5569,7 +5704,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the requested limit.
" + "smithy.api#documentation": "A complex type that contains the requested limit.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#GetHostedZoneRequest": { @@ -5585,7 +5721,8 @@ } }, "traits": { - "smithy.api#documentation": "A request to get information about a specified hosted zone.
" + "smithy.api#documentation": "A request to get information about a specified hosted zone.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#GetHostedZoneResponse": { @@ -5612,7 +5749,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contain the response to a GetHostedZone
\n\t\t\trequest.
A complex type that contain the response to a GetHostedZone
\n\t\t\trequest.
A complex type that contains information about the request to create a hosted\n\t\t\tzone.
" + "smithy.api#documentation": "A complex type that contains information about the request to create a hosted\n\t\t\tzone.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#GetReusableDelegationSetLimitResponse": { @@ -5762,7 +5907,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the requested limit.
" + "smithy.api#documentation": "A complex type that contains the requested limit.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#GetReusableDelegationSetRequest": { @@ -5778,7 +5924,8 @@ } }, "traits": { - "smithy.api#documentation": "A request to get information about a specified reusable delegation set.
" + "smithy.api#documentation": "A request to get information about a specified reusable delegation set.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#GetReusableDelegationSetResponse": { @@ -5793,7 +5940,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response to the GetReusableDelegationSet
\n\t\t\trequest.
A complex type that contains the response to the GetReusableDelegationSet
\n\t\t\trequest.
Request to get the number of traffic policy instances that are associated with the\n\t\t\tcurrent Amazon Web Services account.
" + "smithy.api#documentation": "Request to get the number of traffic policy instances that are associated with the\n\t\t\tcurrent Amazon Web Services account.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#GetTrafficPolicyInstanceCountResponse": { @@ -5882,7 +6031,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains information about the resource record sets that Amazon\n\t\t\tRoute 53 created based on a specified traffic policy.
" + "smithy.api#documentation": "A complex type that contains information about the resource record sets that Amazon\n\t\t\tRoute 53 created based on a specified traffic policy.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#GetTrafficPolicyInstanceRequest": { @@ -5898,7 +6048,8 @@ } }, "traits": { - "smithy.api#documentation": "Gets information about a specified traffic policy instance.
" + "smithy.api#documentation": "Gets information about a specified traffic policy instance.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#GetTrafficPolicyInstanceResponse": { @@ -5913,7 +6064,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains information about the resource record sets that Amazon\n\t\t\tRoute 53 created based on a specified traffic policy.
" + "smithy.api#documentation": "A complex type that contains information about the resource record sets that Amazon\n\t\t\tRoute 53 created based on a specified traffic policy.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#GetTrafficPolicyRequest": { @@ -5937,7 +6089,8 @@ } }, "traits": { - "smithy.api#documentation": "Gets information about a specific traffic policy version.
" + "smithy.api#documentation": "Gets information about a specific traffic policy version.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#GetTrafficPolicyResponse": { @@ -5952,7 +6105,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response information for the request.
" + "smithy.api#documentation": "A complex type that contains the response information for the request.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#HealthCheck": { @@ -7160,6 +7314,9 @@ "smithy.api#httpQuery": "maxresults" } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.route53#ListCidrBlocksResponse": { @@ -7177,6 +7334,9 @@ "smithy.api#documentation": "A complex type that contains information about the CIDR blocks.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.route53#ListCidrCollections": { @@ -7224,6 +7384,9 @@ "smithy.api#httpQuery": "maxresults" } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.route53#ListCidrCollectionsResponse": { @@ -7241,6 +7404,9 @@ "smithy.api#documentation": "A complex type with information about the CIDR collection.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.route53#ListCidrLocations": { @@ -7299,6 +7465,9 @@ "smithy.api#httpQuery": "maxresults" } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.route53#ListCidrLocationsResponse": { @@ -7316,6 +7485,9 @@ "smithy.api#documentation": "A complex type that contains information about the list of CIDR locations.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.route53#ListGeoLocations": { @@ -7373,7 +7545,8 @@ } }, "traits": { - "smithy.api#documentation": "A request to get a list of geographic locations that Amazon Route 53 supports for\n\t\t\tgeolocation resource record sets.
" + "smithy.api#documentation": "A request to get a list of geographic locations that Amazon Route 53 supports for\n\t\t\tgeolocation resource record sets.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#ListGeoLocationsResponse": { @@ -7421,7 +7594,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type containing the response information for the request.
" + "smithy.api#documentation": "A complex type containing the response information for the request.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#ListHealthChecks": { @@ -7474,7 +7648,8 @@ } }, "traits": { - "smithy.api#documentation": "A request to retrieve a list of the health checks that are associated with the current\n\t\t\t\tAmazon Web Services account.
" + "smithy.api#documentation": "A request to retrieve a list of the health checks that are associated with the current\n\t\t\t\tAmazon Web Services account.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#ListHealthChecksResponse": { @@ -7517,7 +7692,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response to a ListHealthChecks
\n\t\t\trequest.
A complex type that contains the response to a ListHealthChecks
\n\t\t\trequest.
Retrieves a list of the public and private hosted zones that are associated with the\n\t\t\tcurrent Amazon Web Services account in ASCII order by domain name.
" + "smithy.api#documentation": "Retrieves a list of the public and private hosted zones that are associated with the\n\t\t\tcurrent Amazon Web Services account in ASCII order by domain name.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#ListHostedZonesByNameResponse": { @@ -7659,7 +7836,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response information for the request.
" + "smithy.api#documentation": "A complex type that contains the response information for the request.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#ListHostedZonesByVPC": { @@ -7722,7 +7900,8 @@ } }, "traits": { - "smithy.api#documentation": "Lists all the private hosted zones that a specified VPC is associated with, regardless\n\t\t\tof which Amazon Web Services account created the hosted zones.
" + "smithy.api#documentation": "Lists all the private hosted zones that a specified VPC is associated with, regardless\n\t\t\tof which Amazon Web Services account created the hosted zones.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#ListHostedZonesByVPCResponse": { @@ -7748,6 +7927,9 @@ "smithy.api#documentation": "The value that you will use for NextToken
in the next\n\t\t\t\tListHostedZonesByVPC
request.
A request to retrieve a list of the public and private hosted zones that are\n\t\t\tassociated with the current Amazon Web Services account.
" + "smithy.api#documentation": "A request to retrieve a list of the public and private hosted zones that are\n\t\t\tassociated with the current Amazon Web Services account.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#ListHostedZonesResponse": { @@ -7817,6 +8000,9 @@ "smithy.api#required": {} } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.route53#ListQueryLoggingConfigs": { @@ -7877,6 +8063,9 @@ "smithy.api#httpQuery": "maxresults" } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.route53#ListQueryLoggingConfigsResponse": { @@ -7895,6 +8084,9 @@ "smithy.api#documentation": "If a response includes the last of the query logging configurations that are\n\t\t\tassociated with the current Amazon Web Services account, NextToken
doesn't\n\t\t\tappear in the response.
If a response doesn't include the last of the configurations, you can get more\n\t\t\tconfigurations by submitting another ListQueryLoggingConfigs request. Get the value of NextToken
\n\t\t\tthat Amazon Route 53 returned in the previous response and include it in\n\t\t\t\tNextToken
in the next request.
A request for the resource record sets that are associated with a specified hosted\n\t\t\tzone.
" + "smithy.api#documentation": "A request for the resource record sets that are associated with a specified hosted\n\t\t\tzone.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#ListResourceRecordSetsResponse": { @@ -8011,7 +8204,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains list information for the resource record set.
" + "smithy.api#documentation": "A complex type that contains list information for the resource record set.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#ListReusableDelegationSets": { @@ -8055,7 +8249,8 @@ } }, "traits": { - "smithy.api#documentation": "A request to get a list of the reusable delegation sets that are associated with the\n\t\t\tcurrent Amazon Web Services account.
" + "smithy.api#documentation": "A request to get a list of the reusable delegation sets that are associated with the\n\t\t\tcurrent Amazon Web Services account.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#ListReusableDelegationSetsResponse": { @@ -8098,7 +8293,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains information about the reusable delegation sets that are\n\t\t\tassociated with the current Amazon Web Services account.
" + "smithy.api#documentation": "A complex type that contains information about the reusable delegation sets that are\n\t\t\tassociated with the current Amazon Web Services account.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#ListTagsForResource": { @@ -8156,7 +8352,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type containing information about a request for a list of the tags that are\n\t\t\tassociated with an individual resource.
" + "smithy.api#documentation": "A complex type containing information about a request for a list of the tags that are\n\t\t\tassociated with an individual resource.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#ListTagsForResourceResponse": { @@ -8171,7 +8368,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains information about the health checks or hosted zones for\n\t\t\twhich you want to list tags.
" + "smithy.api#documentation": "A complex type that contains information about the health checks or hosted zones for\n\t\t\twhich you want to list tags.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#ListTagsForResources": { @@ -8228,7 +8426,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains information about the health checks or hosted zones for\n\t\t\twhich you want to list tags.
" + "smithy.api#documentation": "A complex type that contains information about the health checks or hosted zones for\n\t\t\twhich you want to list tags.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#ListTagsForResourcesResponse": { @@ -8243,7 +8442,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type containing tags for the specified resources.
" + "smithy.api#documentation": "A complex type containing tags for the specified resources.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#ListTrafficPolicies": { @@ -8287,7 +8487,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the information about the request to list the traffic\n\t\t\tpolicies that are associated with the current Amazon Web Services account.
" + "smithy.api#documentation": "A complex type that contains the information about the request to list the traffic\n\t\t\tpolicies that are associated with the current Amazon Web Services account.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#ListTrafficPoliciesResponse": { @@ -8324,7 +8525,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response information for the request.
" + "smithy.api#documentation": "A complex type that contains the response information for the request.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#ListTrafficPolicyInstances": { @@ -8414,7 +8616,8 @@ } }, "traits": { - "smithy.api#documentation": "A request for the traffic policy instances that you created in a specified hosted\n\t\t\tzone.
" + "smithy.api#documentation": "A request for the traffic policy instances that you created in a specified hosted\n\t\t\tzone.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#ListTrafficPolicyInstancesByHostedZoneResponse": { @@ -8456,7 +8659,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response information for the request.
" + "smithy.api#documentation": "A complex type that contains the response information for the request.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#ListTrafficPolicyInstancesByPolicy": { @@ -8536,7 +8740,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the information about the request to list your traffic\n\t\t\tpolicy instances.
" + "smithy.api#documentation": "A complex type that contains the information about the request to list your traffic\n\t\t\tpolicy instances.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#ListTrafficPolicyInstancesByPolicyResponse": { @@ -8584,7 +8789,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response information for the request.
" + "smithy.api#documentation": "A complex type that contains the response information for the request.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#ListTrafficPolicyInstancesRequest": { @@ -8620,7 +8826,8 @@ } }, "traits": { - "smithy.api#documentation": "A request to get information about the traffic policy instances that you created by\n\t\t\tusing the current Amazon Web Services account.
" + "smithy.api#documentation": "A request to get information about the traffic policy instances that you created by\n\t\t\tusing the current Amazon Web Services account.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#ListTrafficPolicyInstancesResponse": { @@ -8668,7 +8875,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response information for the request.
" + "smithy.api#documentation": "A complex type that contains the response information for the request.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#ListTrafficPolicyVersions": { @@ -8723,7 +8931,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the information about the request to list your traffic\n\t\t\tpolicies.
" + "smithy.api#documentation": "A complex type that contains the information about the request to list your traffic\n\t\t\tpolicies.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#ListTrafficPolicyVersionsResponse": { @@ -8760,7 +8969,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response information for the request.
" + "smithy.api#documentation": "A complex type that contains the response information for the request.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#ListVPCAssociationAuthorizations": { @@ -8818,7 +9028,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains information about that can be associated with your hosted\n\t\t\tzone.
" + "smithy.api#documentation": "A complex type that contains information about that can be associated with your hosted\n\t\t\tzone.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#ListVPCAssociationAuthorizationsResponse": { @@ -8846,7 +9057,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response information for the request.
" + "smithy.api#documentation": "A complex type that contains the response information for the request.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#LocationSummaries": { @@ -9744,6 +9956,12 @@ "traits": { "smithy.api#enumValue": "ap-southeast-4" } + }, + "il_central_1": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "il-central-1" + } } }, "traits": { @@ -10147,7 +10365,7 @@ } ], "traits": { - "smithy.api#documentation": "Gets the value that Amazon Route 53 returns in response to a DNS request for a\n\t\t\tspecified record name and type. You can optionally specify the IP address of a DNS\n\t\t\tresolver, an EDNS0 client subnet IP address, and a subnet mask.
\nThis call only supports querying public hosted zones.
", + "smithy.api#documentation": "Gets the value that Amazon Route 53 returns in response to a DNS request for a\n\t\t\tspecified record name and type. You can optionally specify the IP address of a DNS\n\t\t\tresolver, an EDNS0 client subnet IP address, and a subnet mask.
\nThis call only supports querying public hosted zones.
\nThe TestDnsAnswer
returns information similar to what you would expect from the answer\n\t\t\tsection of the dig
command. Therefore, if you query for the name\n\t\t\tservers of a subdomain that point to the parent name servers, those will not be\n\t\t\treturned.
Gets the value that Amazon Route 53 returns in response to a DNS request for a\n\t\t\tspecified record name and type. You can optionally specify the IP address of a DNS\n\t\t\tresolver, an EDNS0 client subnet IP address, and a subnet mask.
" + "smithy.api#documentation": "Gets the value that Amazon Route 53 returns in response to a DNS request for a\n\t\t\tspecified record name and type. You can optionally specify the IP address of a DNS\n\t\t\tresolver, an EDNS0 client subnet IP address, and a subnet mask.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#TestDNSAnswerResponse": { @@ -10255,7 +10474,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response to a TestDNSAnswer
request.\n\t\t
A complex type that contains the response to a TestDNSAnswer
request.\n\t\t
A complex type that contains information about a request to update a health\n\t\t\tcheck.
" + "smithy.api#documentation": "A complex type that contains information about a request to update a health\n\t\t\tcheck.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#UpdateHealthCheckResponse": { @@ -10849,7 +11070,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response to the UpdateHealthCheck
\n\t\t\trequest.
A complex type that contains the response to the UpdateHealthCheck
\n\t\t\trequest.
A request to update the comment for a hosted zone.
" + "smithy.api#documentation": "A request to update the comment for a hosted zone.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#UpdateHostedZoneCommentResponse": { @@ -10914,7 +11137,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response to the UpdateHostedZoneComment
\n\t\t\trequest.
A complex type that contains the response to the UpdateHostedZoneComment
\n\t\t\trequest.
A complex type that contains information about the traffic policy that you want to\n\t\t\tupdate the comment for.
" + "smithy.api#documentation": "A complex type that contains information about the traffic policy that you want to\n\t\t\tupdate the comment for.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#UpdateTrafficPolicyCommentResponse": { @@ -10988,7 +11213,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains the response information for the traffic policy.
" + "smithy.api#documentation": "A complex type that contains the response information for the traffic policy.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#UpdateTrafficPolicyInstance": { @@ -11059,7 +11285,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains information about the resource record sets that you want\n\t\t\tto update based on a specified traffic policy instance.
" + "smithy.api#documentation": "A complex type that contains information about the resource record sets that you want\n\t\t\tto update based on a specified traffic policy instance.
", + "smithy.api#input": {} } }, "com.amazonaws.route53#UpdateTrafficPolicyInstanceResponse": { @@ -11074,7 +11301,8 @@ } }, "traits": { - "smithy.api#documentation": "A complex type that contains information about the resource record sets that Amazon\n\t\t\tRoute 53 created based on a specified traffic policy.
" + "smithy.api#documentation": "A complex type that contains information about the resource record sets that Amazon\n\t\t\tRoute 53 created based on a specified traffic policy.
", + "smithy.api#output": {} } }, "com.amazonaws.route53#UsageCount": { @@ -11345,6 +11573,12 @@ "traits": { "smithy.api#enumValue": "ap-southeast-4" } + }, + "il_central_1": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "il-central-1" + } } }, "traits": { diff --git a/aws/sdk/aws-models/s3.json b/aws/sdk/aws-models/s3.json index f0227a4af82df327387802e426feab8a8700eb78..92a0e925980e642d08fb4241dc5a0de817a9de35 100644 --- a/aws/sdk/aws-models/s3.json +++ b/aws/sdk/aws-models/s3.json @@ -62,18 +62,6 @@ ], "traits": { "smithy.api#documentation": "This action aborts a multipart upload. After a multipart upload is aborted, no\n additional parts can be uploaded using that upload ID. The storage consumed by any\n previously uploaded parts will be freed. However, if any part uploads are currently in\n progress, those part uploads might or might not succeed. As a result, it might be necessary\n to abort a given multipart upload multiple times in order to completely free all storage\n consumed by all parts.
\nTo verify that all parts have been removed, so you don't get charged for the part\n storage, you should call the ListParts action and ensure that\n the parts list is empty.
\nFor information about permissions required to use the multipart upload, see Multipart Upload\n and Permissions.
\nThe following operations are related to AbortMultipartUpload
:
\n UploadPart\n
\n\n ListParts\n
\n\n ListMultipartUploads\n
\nThe bucket name to which the upload was taking place.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The bucket name to which the upload was taking place.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
The name of the bucket that contains the newly created object. Does not return the access point\n ARN or access point alias if used.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The name of the bucket that contains the newly created object. Does not return the access point\n ARN or access point alias if used.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
Name of the bucket to which the multipart upload was initiated.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
Name of the bucket to which the multipart upload was initiated.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
Creates a copy of an object that is already stored in Amazon S3.
\nYou can store individual objects of up to 5 TB in Amazon S3. You create a copy of your\n object up to 5 GB in size in a single atomic action using this API. However, to copy an\n object greater than 5 GB, you must use the multipart upload Upload Part - Copy\n (UploadPartCopy) API. For more information, see Copy Object Using the\n REST Multipart Upload API.
\nAll copy requests must be authenticated. Additionally, you must have\n read access to the source object and write\n access to the destination bucket. For more information, see REST Authentication. Both the\n Region that you want to copy the object from and the Region that you want to copy the\n object to must be enabled for your account.
\nA copy request might return an error when Amazon S3 receives the copy request or while Amazon S3\n is copying the files. If the error occurs before the copy action starts, you receive a\n standard Amazon S3 error. If the error occurs during the copy operation, the error response is\n embedded in the 200 OK
response. This means that a 200 OK
\n response can contain either a success or an error. If you call the S3 API directly, make\n sure to design your application to parse the contents of the response and handle it\n appropriately. If you use Amazon Web Services SDKs, SDKs handle this condition. The SDKs detect the\n embedded error and apply error handling per your configuration settings (including\n automatically retrying the request as appropriate). If the condition persists, the SDKs\n throws an exception (or, for the SDKs that don't use exceptions, they return the\n error).
If the copy is successful, you receive a response with information about the copied\n object.
\nIf the request is an HTTP 1.1 request, the response is chunk encoded. If it were not,\n it would not contain the content-length, and you would need to read the entire\n body.
\nThe copy request charge is based on the storage class and Region that you specify for\n the destination object. For pricing information, see Amazon S3 pricing.
\nAmazon S3 transfer acceleration does not support cross-Region copies. If you request a\n cross-Region copy using a transfer acceleration endpoint, you get a 400 Bad\n Request
error. For more information, see Transfer\n Acceleration.
When copying an object, you can preserve all metadata (the default) or specify new metadata.\n However, the access control list (ACL) is not preserved and is set to private for the user making the request. To\n override the default ACL setting, specify a new ACL when generating a copy request. For\n more information, see Using ACLs.
\nTo specify whether you want the object metadata copied from the source object or\n replaced with metadata provided in the request, you can optionally add the\n x-amz-metadata-directive
header. When you grant permissions, you can use\n the s3:x-amz-metadata-directive
condition key to enforce certain metadata\n behavior when objects are uploaded. For more information, see Specifying Conditions in a\n Policy in the Amazon S3 User Guide. For a complete list of\n Amazon S3-specific condition keys, see Actions, Resources, and Condition Keys for\n Amazon S3.
\n x-amz-website-redirect-location
is unique to each object and must be\n specified in the request headers to copy the value.
To only copy an object under certain conditions, such as whether the Etag
\n matches or whether the object was modified before or after a specified date, use the\n following request parameters:
\n x-amz-copy-source-if-match
\n
\n x-amz-copy-source-if-none-match
\n
\n x-amz-copy-source-if-unmodified-since
\n
\n x-amz-copy-source-if-modified-since
\n
If both the x-amz-copy-source-if-match
and\n x-amz-copy-source-if-unmodified-since
headers are present in the request\n and evaluate as follows, Amazon S3 returns 200 OK
and copies the data:
\n x-amz-copy-source-if-match
condition evaluates to true
\n x-amz-copy-source-if-unmodified-since
condition evaluates to\n false
If both the x-amz-copy-source-if-none-match
and\n x-amz-copy-source-if-modified-since
headers are present in the request and\n evaluate as follows, Amazon S3 returns the 412 Precondition Failed
response\n code:
\n x-amz-copy-source-if-none-match
condition evaluates to false
\n x-amz-copy-source-if-modified-since
condition evaluates to\n true
All headers with the x-amz-
prefix, including\n x-amz-copy-source
, must be signed.
Amazon S3 automatically encrypts all new objects that are copied to an S3 bucket. When\n copying an object, if you don't specify encryption information in your copy\n request, the encryption setting of the target object is set to the default\n encryption configuration of the destination bucket. By default, all buckets have a\n base level of encryption configuration that uses server-side encryption with Amazon S3\n managed keys (SSE-S3). If the destination bucket has a default encryption\n configuration that uses server-side encryption with Key Management Service (KMS) keys\n (SSE-KMS), dual-layer server-side encryption with Amazon Web Services KMS keys (DSSE-KMS), or\n server-side encryption with customer-provided encryption keys (SSE-C), Amazon S3 uses\n the corresponding KMS key, or a customer-provided key to encrypt the target\n object copy.
\nWhen you perform a CopyObject
operation, if you want to use a different type\n of encryption setting for the target object, you can use other appropriate\n encryption-related headers to encrypt the target object with a KMS key, an Amazon S3 managed\n key, or a customer-provided key. With server-side encryption, Amazon S3 encrypts your data as it\n writes your data to disks in its data centers and decrypts the data when you access it. If the\n encryption setting in your request is different from the default encryption configuration\n of the destination bucket, the encryption setting in your request takes precedence. If the\n source object for the copy is stored in Amazon S3 using SSE-C, you must provide the necessary\n encryption information in your request so that Amazon S3 can decrypt the object for copying. For\n more information about server-side encryption, see Using Server-Side\n Encryption.
If a target object uses SSE-KMS, you can enable an S3 Bucket Key for the\n object. For more information, see Amazon S3 Bucket Keys in the\n Amazon S3 User Guide.
\nWhen copying an object, you can optionally use headers to grant ACL-based permissions.\n By default, all objects are private. Only the owner has full access control. When adding a\n new object, you can grant permissions to individual Amazon Web Services accounts or to predefined groups\n that are defined by Amazon S3. These permissions are then added to the ACL on the object. For more\n information, see Access Control List (ACL) Overview and Managing ACLs Using the REST\n API.
\nIf the bucket that you're copying objects to uses the bucket owner enforced setting for\n S3 Object Ownership, ACLs are disabled and no longer affect permissions. Buckets that use\n this setting only accept PUT
requests that don't specify an ACL or PUT
requests that\n specify bucket owner full control ACLs, such as the bucket-owner-full-control
\n canned ACL or an equivalent form of this ACL expressed in the XML format.
For more information, see Controlling ownership of\n objects and disabling ACLs in the Amazon S3 User Guide.
\nIf your bucket uses the bucket owner enforced setting for Object Ownership, all\n objects written to the bucket by any account will be owned by the bucket owner.
\nWhen copying an object, if it has a checksum, that checksum will be copied to the new\n object by default. When you copy the object over, you can optionally specify a different\n checksum algorithm to use with the x-amz-checksum-algorithm
header.
You can use the CopyObject
action to change the storage class of an object\n that is already stored in Amazon S3 by using the StorageClass
parameter. For more\n information, see Storage Classes in the\n Amazon S3 User Guide.
If the source object's storage class is GLACIER, you must restore a copy of\n this object before you can use it as a source object for the copy operation. For\n more information, see RestoreObject. For\n more information, see Copying\n Objects.
\nBy default, x-amz-copy-source
header identifies the current version of an object\n to copy. If the current version is a delete marker, Amazon S3 behaves as if the object was\n deleted. To copy a different version, use the versionId
subresource.
If you enable versioning on the target bucket, Amazon S3 generates a unique version ID for\n the object being copied. This version ID is different from the version ID of the source\n object. Amazon S3 returns the version ID of the copied object in the\n x-amz-version-id
response header in the response.
If you do not enable versioning or suspend it on the target bucket, the version ID that\n Amazon S3 generates is always null.
\nThe following operations are related to CopyObject
:
Creates a copy of an object that is already stored in Amazon S3.
\nYou can store individual objects of up to 5 TB in Amazon S3. You create a copy of your\n object up to 5 GB in size in a single atomic action using this API. However, to copy an\n object greater than 5 GB, you must use the multipart upload Upload Part - Copy\n (UploadPartCopy) API. For more information, see Copy Object Using the\n REST Multipart Upload API.
\nAll copy requests must be authenticated. Additionally, you must have\n read access to the source object and write\n access to the destination bucket. For more information, see REST Authentication. Both the\n Region that you want to copy the object from and the Region that you want to copy the\n object to must be enabled for your account.
\nA copy request might return an error when Amazon S3 receives the copy request or while Amazon S3\n is copying the files. If the error occurs before the copy action starts, you receive a\n standard Amazon S3 error. If the error occurs during the copy operation, the error response is\n embedded in the 200 OK
response. This means that a 200 OK
\n response can contain either a success or an error. If you call the S3 API directly, make\n sure to design your application to parse the contents of the response and handle it\n appropriately. If you use Amazon Web Services SDKs, SDKs handle this condition. The SDKs detect the\n embedded error and apply error handling per your configuration settings (including\n automatically retrying the request as appropriate). If the condition persists, the SDKs\n throws an exception (or, for the SDKs that don't use exceptions, they return the\n error).
If the copy is successful, you receive a response with information about the copied\n object.
\nIf the request is an HTTP 1.1 request, the response is chunk encoded. If it were not,\n it would not contain the content-length, and you would need to read the entire\n body.
\nThe copy request charge is based on the storage class and Region that you specify for\n the destination object. The request can also result in a data retrieval charge for the\n source if the source storage class bills for data retrieval. For pricing information, see\n Amazon S3 pricing.
\nAmazon S3 transfer acceleration does not support cross-Region copies. If you request a\n cross-Region copy using a transfer acceleration endpoint, you get a 400 Bad\n Request
error. For more information, see Transfer\n Acceleration.
When copying an object, you can preserve all metadata (the default) or specify new metadata.\n However, the access control list (ACL) is not preserved and is set to private for the user making the request. To\n override the default ACL setting, specify a new ACL when generating a copy request. For\n more information, see Using ACLs.
\nTo specify whether you want the object metadata copied from the source object or\n replaced with metadata provided in the request, you can optionally add the\n x-amz-metadata-directive
header. When you grant permissions, you can use\n the s3:x-amz-metadata-directive
condition key to enforce certain metadata\n behavior when objects are uploaded. For more information, see Specifying Conditions in a\n Policy in the Amazon S3 User Guide. For a complete list of\n Amazon S3-specific condition keys, see Actions, Resources, and Condition Keys for\n Amazon S3.
\n x-amz-website-redirect-location
is unique to each object and must be\n specified in the request headers to copy the value.
To only copy an object under certain conditions, such as whether the Etag
\n matches or whether the object was modified before or after a specified date, use the\n following request parameters:
\n x-amz-copy-source-if-match
\n
\n x-amz-copy-source-if-none-match
\n
\n x-amz-copy-source-if-unmodified-since
\n
\n x-amz-copy-source-if-modified-since
\n
If both the x-amz-copy-source-if-match
and\n x-amz-copy-source-if-unmodified-since
headers are present in the request\n and evaluate as follows, Amazon S3 returns 200 OK
and copies the data:
\n x-amz-copy-source-if-match
condition evaluates to true
\n x-amz-copy-source-if-unmodified-since
condition evaluates to\n false
If both the x-amz-copy-source-if-none-match
and\n x-amz-copy-source-if-modified-since
headers are present in the request and\n evaluate as follows, Amazon S3 returns the 412 Precondition Failed
response\n code:
\n x-amz-copy-source-if-none-match
condition evaluates to false
\n x-amz-copy-source-if-modified-since
condition evaluates to\n true
All headers with the x-amz-
prefix, including\n x-amz-copy-source
, must be signed.
Amazon S3 automatically encrypts all new objects that are copied to an S3 bucket. When\n copying an object, if you don't specify encryption information in your copy\n request, the encryption setting of the target object is set to the default\n encryption configuration of the destination bucket. By default, all buckets have a\n base level of encryption configuration that uses server-side encryption with Amazon S3\n managed keys (SSE-S3). If the destination bucket has a default encryption\n configuration that uses server-side encryption with Key Management Service (KMS) keys\n (SSE-KMS), dual-layer server-side encryption with Amazon Web Services KMS keys (DSSE-KMS), or\n server-side encryption with customer-provided encryption keys (SSE-C), Amazon S3 uses\n the corresponding KMS key, or a customer-provided key to encrypt the target\n object copy.
\nWhen you perform a CopyObject
operation, if you want to use a different type\n of encryption setting for the target object, you can use other appropriate\n encryption-related headers to encrypt the target object with a KMS key, an Amazon S3 managed\n key, or a customer-provided key. With server-side encryption, Amazon S3 encrypts your data as it\n writes your data to disks in its data centers and decrypts the data when you access it. If the\n encryption setting in your request is different from the default encryption configuration\n of the destination bucket, the encryption setting in your request takes precedence. If the\n source object for the copy is stored in Amazon S3 using SSE-C, you must provide the necessary\n encryption information in your request so that Amazon S3 can decrypt the object for copying. For\n more information about server-side encryption, see Using Server-Side\n Encryption.
If a target object uses SSE-KMS, you can enable an S3 Bucket Key for the\n object. For more information, see Amazon S3 Bucket Keys in the\n Amazon S3 User Guide.
\nWhen copying an object, you can optionally use headers to grant ACL-based permissions.\n By default, all objects are private. Only the owner has full access control. When adding a\n new object, you can grant permissions to individual Amazon Web Services accounts or to predefined groups\n that are defined by Amazon S3. These permissions are then added to the ACL on the object. For more\n information, see Access Control List (ACL) Overview and Managing ACLs Using the REST\n API.
\nIf the bucket that you're copying objects to uses the bucket owner enforced setting for\n S3 Object Ownership, ACLs are disabled and no longer affect permissions. Buckets that use\n this setting only accept PUT
requests that don't specify an ACL or PUT
requests that\n specify bucket owner full control ACLs, such as the bucket-owner-full-control
\n canned ACL or an equivalent form of this ACL expressed in the XML format.
For more information, see Controlling ownership of\n objects and disabling ACLs in the Amazon S3 User Guide.
\nIf your bucket uses the bucket owner enforced setting for Object Ownership, all\n objects written to the bucket by any account will be owned by the bucket owner.
\nWhen copying an object, if it has a checksum, that checksum will be copied to the new\n object by default. When you copy the object over, you can optionally specify a different\n checksum algorithm to use with the x-amz-checksum-algorithm
header.
You can use the CopyObject
action to change the storage class of an object\n that is already stored in Amazon S3 by using the StorageClass
parameter. For more\n information, see Storage Classes in the\n Amazon S3 User Guide.
If the source object's storage class is GLACIER, you must restore a copy of\n this object before you can use it as a source object for the copy operation. For\n more information, see RestoreObject. For\n more information, see Copying\n Objects.
\nBy default, x-amz-copy-source
header identifies the current version of an object\n to copy. If the current version is a delete marker, Amazon S3 behaves as if the object was\n deleted. To copy a different version, use the versionId
subresource.
If you enable versioning on the target bucket, Amazon S3 generates a unique version ID for\n the object being copied. This version ID is different from the version ID of the source\n object. Amazon S3 returns the version ID of the copied object in the\n x-amz-version-id
response header in the response.
If you do not enable versioning or suspend it on the target bucket, the version ID that\n Amazon S3 generates is always null.
\nThe following operations are related to CopyObject
:
The name of the destination bucket.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The name of the destination bucket.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
Creates a new S3 bucket. To create a bucket, you must register with Amazon S3 and have a\n valid Amazon Web Services Access Key ID to authenticate requests. Anonymous requests are never allowed to\n create buckets. By creating the bucket, you become the bucket owner.
\nNot every string is an acceptable bucket name. For information about bucket naming\n restrictions, see Bucket naming\n rules.
\nIf you want to create an Amazon S3 on Outposts bucket, see Create Bucket.
\nBy default, the bucket is created in the US East (N. Virginia) Region. You can\n optionally specify a Region in the request body. You might choose a Region to optimize\n latency, minimize costs, or address regulatory requirements. For example, if you reside in\n Europe, you will probably find it advantageous to create buckets in the Europe (Ireland)\n Region. For more information, see Accessing a\n bucket.
\nIf you send your create bucket request to the s3.amazonaws.com
endpoint,\n the request goes to the us-east-1
Region. Accordingly, the signature calculations in\n Signature Version 4 must use us-east-1
as the Region, even if the location constraint in\n the request specifies another Region where the bucket is to be created. If you create a\n bucket in a Region other than US East (N. Virginia), your application must be able to\n handle 307 redirect. For more information, see Virtual hosting of\n buckets.
In addition to s3:CreateBucket
, the following permissions are required when\n your CreateBucket
request includes specific headers:
\n Access control lists (ACLs) - If your CreateBucket
request\n specifies access control list (ACL) permissions and the ACL is public-read, public-read-write,\n authenticated-read, or if you specify access permissions explicitly through any other\n ACL, both s3:CreateBucket
and s3:PutBucketAcl
permissions\n are needed. If the ACL for the CreateBucket
request is private or if the request doesn't\n specify any ACLs, only s3:CreateBucket
permission is needed.
\n Object Lock - If ObjectLockEnabledForBucket
is set to true in your\n CreateBucket
request,\n s3:PutBucketObjectLockConfiguration
and\n s3:PutBucketVersioning
permissions are required.
\n S3 Object Ownership - If your CreateBucket
request includes the x-amz-object-ownership
header, then the\n s3:PutBucketOwnershipControls
permission is required. By default, ObjectOwnership
is set to BucketOWnerEnforced
and ACLs are disabled. We recommend keeping\n ACLs disabled, except in uncommon use cases where you must control access for each object individually. If you want to change the ObjectOwnership
setting, you can use the \n x-amz-object-ownership
header in your CreateBucket
request to set the ObjectOwnership
setting of your choice.\n For more information about S3 Object Ownership, see Controlling object\n ownership in the Amazon S3 User Guide.
\n S3 Block Public Access - If your specific use case requires granting public access to your S3 resources, you can disable Block Public Access. You can create a new bucket with Block Public Access enabled, then separately call the \n DeletePublicAccessBlock
\n API. To use this operation, you must have the\n s3:PutBucketPublicAccessBlock
permission. By default, all Block\n Public Access settings are enabled for new buckets. To avoid inadvertent exposure of\n your resources, we recommend keeping the S3 Block Public Access settings enabled. For more information about S3 Block Public Access, see Blocking public\n access to your Amazon S3 storage in the Amazon S3 User Guide.
If your CreateBucket
request sets BucketOwnerEnforced
for Amazon S3 Object Ownership\n and specifies a bucket ACL that provides access to an external Amazon Web Services account, your request fails with a 400
error and returns the InvalidBucketAcLWithObjectOwnership
error code. For more information,\n see Setting Object\n Ownership on an existing bucket in the Amazon S3 User Guide.
The following operations are related to CreateBucket
:
\n PutObject\n
\n\n DeleteBucket\n
\nThis action initiates a multipart upload and returns an upload ID. This upload ID is\n used to associate all of the parts in the specific multipart upload. You specify this\n upload ID in each of your subsequent upload part requests (see UploadPart). You also include this\n upload ID in the final request to either complete or abort the multipart upload\n request.
\nFor more information about multipart uploads, see Multipart Upload Overview.
\nIf you have configured a lifecycle rule to abort incomplete multipart uploads, the\n upload must complete within the number of days specified in the bucket lifecycle\n configuration. Otherwise, the incomplete multipart upload becomes eligible for an abort\n action and Amazon S3 aborts the multipart upload. For more information, see Aborting Incomplete Multipart Uploads Using a Bucket Lifecycle Configuration.
\nFor information about the permissions required to use the multipart upload API, see\n Multipart\n Upload and Permissions.
\nFor request signing, multipart upload is just a series of regular requests. You initiate\n a multipart upload, send one or more requests to upload parts, and then complete the\n multipart upload process. You sign each request individually. There is nothing special\n about signing multipart upload requests. For more information about signing, see Authenticating Requests (Amazon Web Services Signature Version 4).
\nAfter you initiate a multipart upload and upload one or more parts, to stop being\n charged for storing the uploaded parts, you must either complete or abort the multipart\n upload. Amazon S3 frees up the space used to store the parts and stop charging you for\n storing them only after you either complete or abort a multipart upload.
\nServer-side encryption is for data encryption at rest. Amazon S3 encrypts your data as it\n writes it to disks in its data centers and decrypts it when you access it. Amazon S3\n automatically encrypts all new objects that are uploaded to an S3 bucket. When doing a\n multipart upload, if you don't specify encryption information in your request, the\n encryption setting of the uploaded parts is set to the default encryption configuration of\n the destination bucket. By default, all buckets have a base level of encryption\n configuration that uses server-side encryption with Amazon S3 managed keys (SSE-S3). If the\n destination bucket has a default encryption configuration that uses server-side encryption\n with an Key Management Service (KMS) key (SSE-KMS), or a customer-provided encryption key (SSE-C),\n Amazon S3 uses the corresponding KMS key, or a customer-provided key to encrypt the uploaded\n parts. When you perform a CreateMultipartUpload operation, if you want to use a different\n type of encryption setting for the uploaded parts, you can request that Amazon S3 encrypts the\n object with a KMS key, an Amazon S3 managed key, or a customer-provided key. If the encryption\n setting in your request is different from the default encryption configuration of the\n destination bucket, the encryption setting in your request takes precedence. If you choose\n to provide your own encryption key, the request headers you provide in UploadPart\n and UploadPartCopy requests must match the headers you used in the request to\n initiate the upload by using CreateMultipartUpload
. You can request that Amazon S3\n save the uploaded parts encrypted with server-side encryption with an Amazon S3 managed key\n (SSE-S3), an Key Management Service (KMS) key (SSE-KMS), or a customer-provided encryption key\n (SSE-C).
To perform a multipart upload with encryption by using an Amazon Web Services KMS key, the requester\n must have permission to the kms:Decrypt
and kms:GenerateDataKey*
\n actions on the key. These permissions are required because Amazon S3 must decrypt and read data\n from the encrypted file parts before it completes the multipart upload. For more\n information, see Multipart upload API\n and permissions and Protecting data using\n server-side encryption with Amazon Web Services KMS in the\n Amazon S3 User Guide.
If your Identity and Access Management (IAM) user or role is in the same Amazon Web Services account as the KMS key,\n then you must have these permissions on the key policy. If your IAM user or role belongs\n to a different account than the key, then you must have the permissions on both the key\n policy and your IAM user or role.
\nFor more information, see Protecting Data Using Server-Side\n Encryption.
\nWhen copying an object, you can optionally specify the accounts or groups that\n should be granted specific permissions on the new object. There are two ways to\n grant the permissions using the request headers:
\nSpecify a canned ACL with the x-amz-acl
request header. For\n more information, see Canned\n ACL.
Specify access permissions explicitly with the\n x-amz-grant-read
, x-amz-grant-read-acp
,\n x-amz-grant-write-acp
, and\n x-amz-grant-full-control
headers. These parameters map to\n the set of permissions that Amazon S3 supports in an ACL. For more information,\n see Access Control List (ACL) Overview.
You can use either a canned ACL or specify access permissions explicitly. You\n cannot do both.
\nAmazon S3 encrypts data\n by using server-side encryption with an Amazon S3 managed key (SSE-S3) by default. Server-side encryption is for data encryption at rest. Amazon S3 encrypts\n your data as it writes it to disks in its data centers and decrypts it when you\n access it. You can request that Amazon S3 encrypts\n data at rest by using server-side encryption with other key options. The option you use depends on\n whether you want to use KMS keys (SSE-KMS) or provide your own encryption keys\n (SSE-C).
\nUse KMS keys (SSE-KMS) that include the Amazon Web Services managed key\n (aws/s3
) and KMS customer managed keys stored in Key Management Service (KMS) – If you\n want Amazon Web Services to manage the keys used to encrypt data, specify the following\n headers in the request.
\n x-amz-server-side-encryption
\n
\n x-amz-server-side-encryption-aws-kms-key-id
\n
\n x-amz-server-side-encryption-context
\n
If you specify x-amz-server-side-encryption:aws:kms
, but\n don't provide x-amz-server-side-encryption-aws-kms-key-id
,\n Amazon S3 uses the Amazon Web Services managed key (aws/s3
key) in KMS to\n protect the data.
All GET
and PUT
requests for an object protected\n by KMS fail if you don't make them by using Secure Sockets Layer (SSL),\n Transport Layer Security (TLS), or Signature Version 4.
For more information about server-side encryption with KMS keys\n (SSE-KMS), see Protecting Data\n Using Server-Side Encryption with KMS keys.
\nUse customer-provided encryption keys (SSE-C) – If you want to manage\n your own encryption keys, provide all the following headers in the\n request.
\n\n x-amz-server-side-encryption-customer-algorithm
\n
\n x-amz-server-side-encryption-customer-key
\n
\n x-amz-server-side-encryption-customer-key-MD5
\n
For more information about server-side encryption with customer-provided\n encryption keys (SSE-C), see \n Protecting data using server-side encryption with customer-provided\n encryption keys (SSE-C).
\nYou also can use the following access control–related headers with this\n operation. By default, all objects are private. Only the owner has full access\n control. When adding a new object, you can grant permissions to individual\n Amazon Web Services accounts or to predefined groups defined by Amazon S3. These permissions are then\n added to the access control list (ACL) on the object. For more information, see\n Using ACLs. With this operation, you can grant access permissions\n using one of the following two methods:
\nSpecify a canned ACL (x-amz-acl
) — Amazon S3 supports a set of\n predefined ACLs, known as canned ACLs. Each canned ACL\n has a predefined set of grantees and permissions. For more information, see\n Canned\n ACL.
Specify access permissions explicitly — To explicitly grant access\n permissions to specific Amazon Web Services accounts or groups, use the following headers.\n Each header maps to specific permissions that Amazon S3 supports in an ACL. For\n more information, see Access Control List (ACL)\n Overview. In the header, you specify a list of grantees who get\n the specific permission. To grant permissions explicitly, use:
\n\n x-amz-grant-read
\n
\n x-amz-grant-write
\n
\n x-amz-grant-read-acp
\n
\n x-amz-grant-write-acp
\n
\n x-amz-grant-full-control
\n
You specify each grantee as a type=value pair, where the type is one of\n the following:
\n\n id
– if the value specified is the canonical user ID\n of an Amazon Web Services account
\n uri
– if you are granting permissions to a predefined\n group
\n emailAddress
– if the value specified is the email\n address of an Amazon Web Services account
Using email addresses to specify a grantee is only supported in the following Amazon Web Services Regions:
\nUS East (N. Virginia)
\nUS West (N. California)
\nUS West (Oregon)
\nAsia Pacific (Singapore)
\nAsia Pacific (Sydney)
\nAsia Pacific (Tokyo)
\nEurope (Ireland)
\nSouth America (São Paulo)
\nFor a list of all the Amazon S3 supported Regions and endpoints, see Regions and Endpoints in the Amazon Web Services General Reference.
\nFor example, the following x-amz-grant-read
header grants the Amazon Web Services accounts identified by account IDs permissions to read object data and its metadata:
\n x-amz-grant-read: id=\"11112222333\", id=\"444455556666\"
\n
The following operations are related to CreateMultipartUpload
:
\n UploadPart\n
\n\n AbortMultipartUpload\n
\n\n ListParts\n
\n\n ListMultipartUploads\n
\nThe name of the bucket to which the multipart upload was initiated. Does not return the\n access point ARN or access point alias if used.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The name of the bucket to which the multipart upload was initiated. Does not return the\n access point ARN or access point alias if used.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
The name of the bucket to which to initiate the upload
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The name of the bucket to which to initiate the upload
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
Deletes the S3 bucket. All objects (including all object versions and delete markers) in\n the bucket must be deleted before the bucket itself can be deleted.
\nThe following operations are related to DeleteBucket
:
\n CreateBucket\n
\n\n DeleteObject\n
\nDeletes the cors
configuration information set for the bucket.
To use this operation, you must have permission to perform the\n s3:PutBucketCORS
action. The bucket owner has this permission by default\n and can grant this permission to others.
For information about cors
, see Enabling Cross-Origin Resource Sharing in\n the Amazon S3 User Guide.
\n Related Resources\n
\n\n PutBucketCors\n
\n\n RESTOPTIONSobject\n
\nDeletes the cors
configuration information set for the bucket.
To use this operation, you must have permission to perform the\n s3:PutBucketCORS
action. The bucket owner has this permission by default\n and can grant this permission to others.
For information about cors
, see Enabling Cross-Origin Resource Sharing in\n the Amazon S3 User Guide.
\n Related Resources\n
\n\n PutBucketCors\n
\n\n RESTOPTIONSobject\n
\nDeletes the lifecycle configuration from the specified bucket. Amazon S3 removes all the\n lifecycle configuration rules in the lifecycle subresource associated with the bucket. Your\n objects never expire, and Amazon S3 no longer automatically deletes any objects on the basis of\n rules contained in the deleted lifecycle configuration.
\nTo use this operation, you must have permission to perform the\n s3:PutLifecycleConfiguration
action. By default, the bucket owner has this\n permission and the bucket owner can grant this permission to others.
There is usually some time lag before lifecycle configuration deletion is fully\n propagated to all the Amazon S3 systems.
\nFor more information about the object expiration, see Elements to Describe Lifecycle Actions.
\nRelated actions include:
\nThis implementation of the DELETE action uses the policy subresource to delete the\n policy of a specified bucket. If you are using an identity other than the root user of the\n Amazon Web Services account that owns the bucket, the calling identity must have the\n DeleteBucketPolicy
permissions on the specified bucket and belong to the\n bucket owner's account to use this operation.
If you don't have DeleteBucketPolicy
permissions, Amazon S3 returns a 403\n Access Denied
error. If you have the correct permissions, but you're not using an\n identity that belongs to the bucket owner's account, Amazon S3 returns a 405 Method Not\n Allowed
error.
To ensure that bucket owners don't inadvertently lock themselves out of their own\n buckets, the root principal in a bucket owner's Amazon Web Services account can perform the\n GetBucketPolicy
, PutBucketPolicy
, and\n DeleteBucketPolicy
API actions, even if their bucket policy explicitly\n denies the root principal's access. Bucket owner root principals can only be blocked from performing \n these API actions by VPC endpoint policies and Amazon Web Services Organizations policies.
For more information about bucket policies, see Using Bucket Policies and\n UserPolicies.
\nThe following operations are related to DeleteBucketPolicy
\n
\n CreateBucket\n
\n\n DeleteObject\n
\nDeletes the replication configuration from the bucket.
\nTo use this operation, you must have permissions to perform the\n s3:PutReplicationConfiguration
action. The bucket owner has these\n permissions by default and can grant it to others. For more information about permissions,\n see Permissions Related to Bucket Subresource Operations and Managing\n Access Permissions to Your Amazon S3 Resources.
It can take a while for the deletion of a replication configuration to fully\n propagate.
\nFor information about replication configuration, see Replication in the\n Amazon S3 User Guide.
\nThe following operations are related to DeleteBucketReplication
:
\n PutBucketReplication\n
\n\n GetBucketReplication\n
\nDeletes the tags from the bucket.
\nTo use this operation, you must have permission to perform the\n s3:PutBucketTagging
action. By default, the bucket owner has this\n permission and can grant this permission to others.
The following operations are related to DeleteBucketTagging
:
\n GetBucketTagging\n
\n\n PutBucketTagging\n
\nThis action removes the website configuration for a bucket. Amazon S3 returns a 200\n OK
response upon successfully deleting a website configuration on the specified\n bucket. You will get a 200 OK
response if the website configuration you are\n trying to delete does not exist on the bucket. Amazon S3 returns a 404
response if\n the bucket specified in the request does not exist.
This DELETE action requires the S3:DeleteBucketWebsite
permission. By\n default, only the bucket owner can delete the website configuration attached to a bucket.\n However, bucket owners can grant other users permission to delete the website configuration\n by writing a bucket policy granting them the S3:DeleteBucketWebsite
\n permission.
For more information about hosting websites, see Hosting Websites on Amazon S3.
\nThe following operations are related to DeleteBucketWebsite
:
\n GetBucketWebsite\n
\n\n PutBucketWebsite\n
\nRemoves the null version (if there is one) of an object and inserts a delete marker,\n which becomes the latest version of the object. If there isn't a null version, Amazon S3 does\n not remove any objects but will still respond that the command was successful.
\nTo remove a specific version, you must use the version Id subresource. Using this\n subresource permanently deletes the version. If the object deleted is a delete marker, Amazon S3\n sets the response header, x-amz-delete-marker
, to true.
If the object you want to delete is in a bucket where the bucket versioning\n configuration is MFA Delete enabled, you must include the x-amz-mfa
request\n header in the DELETE versionId
request. Requests that include\n x-amz-mfa
must use HTTPS.
For more information about MFA Delete, see Using MFA Delete. To see sample\n requests that use versioning, see Sample\n Request.
\nYou can delete objects by explicitly calling DELETE Object or configure its lifecycle\n (PutBucketLifecycle) to enable Amazon S3 to remove them for you. If you want to block\n users or accounts from removing or deleting objects from your bucket, you must deny them\n the s3:DeleteObject
, s3:DeleteObjectVersion
, and\n s3:PutLifeCycleConfiguration
actions.
The following action is related to DeleteObject
:
\n PutObject\n
\nThe bucket name of the bucket containing the object.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The bucket name of the bucket containing the object.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
Removes the entire tag set from the specified object. For more information about\n managing object tags, see Object Tagging.
\nTo use this operation, you must have permission to perform the\n s3:DeleteObjectTagging
action.
To delete tags of a specific object version, add the versionId
query\n parameter in the request. You will need permission for the\n s3:DeleteObjectVersionTagging
action.
The following operations are related to DeleteObjectTagging
:
\n PutObjectTagging\n
\n\n GetObjectTagging\n
\nThe bucket name containing the objects from which to remove the tags.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The bucket name containing the objects from which to remove the tags.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
The bucket name containing the objects to delete.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The bucket name containing the objects to delete.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
Requests Amazon S3 to encode the object keys in the response and specifies the encoding\n method to use. An object key may contain any Unicode character; however, XML 1.0 parser\n cannot parse some characters, such as characters with an ASCII value from 0 to 10. For\n characters that are not supported in XML 1.0, you can add this parameter to request that\n Amazon S3 encode the keys in the response.
" + "smithy.api#documentation": "Requests Amazon S3 to encode the object keys in the response and specifies the encoding\n method to use. An object key can contain any Unicode character; however, the XML 1.0 parser\n cannot parse some characters, such as characters with an ASCII value from 0 to 10. For\n characters that are not supported in XML 1.0, you can add this parameter to request that\n Amazon S3 encode the keys in the response.
" } }, "com.amazonaws.s3#Encryption": { @@ -24830,31 +19690,6 @@ }, "traits": { "smithy.api#documentation": "Returns the Cross-Origin Resource Sharing (CORS) configuration information set for the\n bucket.
\n To use this operation, you must have permission to perform the\n s3:GetBucketCORS
action. By default, the bucket owner has this permission\n and can grant it to others.
To use this API operation against an access point, provide the alias of the access point in place of the bucket name.
\nTo use this API operation against an Object Lambda access point, provide the alias of the Object Lambda access point in place of the bucket name. \nIf the Object Lambda access point alias in a request is not valid, the error code InvalidAccessPointAliasError
is returned. \nFor more information about InvalidAccessPointAliasError
, see List of\n Error Codes.
For more information about CORS, see Enabling Cross-Origin Resource\n Sharing.
\nThe following operations are related to GetBucketCors
:
\n PutBucketCors\n
\n\n DeleteBucketCors\n
\nBucket lifecycle configuration now supports specifying a lifecycle rule using an\n object key name prefix, one or more object tags, or a combination of both. Accordingly,\n this section describes the latest API. The response describes the new filter element\n that you can use to specify a filter to select a subset of objects to which the rule\n applies. If you are using a previous version of the lifecycle configuration, it still\n works. For the earlier action, see GetBucketLifecycle.
\nReturns the lifecycle configuration information set on the bucket. For information about\n lifecycle configuration, see Object Lifecycle\n Management.
\nTo use this operation, you must have permission to perform the\n s3:GetLifecycleConfiguration
action. The bucket owner has this permission,\n by default. The bucket owner can grant this permission to others. For more information\n about permissions, see Permissions Related to Bucket Subresource Operations and Managing\n Access Permissions to Your Amazon S3 Resources.
\n GetBucketLifecycleConfiguration
has the following special error:
Error code: NoSuchLifecycleConfiguration
\n
Description: The lifecycle configuration does not exist.
\nHTTP Status Code: 404 Not Found
\nSOAP Fault Code Prefix: Client
\nThe following operations are related to\n GetBucketLifecycleConfiguration
:
\n GetBucketLifecycle\n
\n\n PutBucketLifecycle\n
\nReturns the Region the bucket resides in. You set the bucket's Region using the\n LocationConstraint
request parameter in a CreateBucket
\n request. For more information, see CreateBucket.
To use this API operation against an access point, provide the alias of the access point in place of the bucket name.
\nTo use this API operation against an Object Lambda access point, provide the alias of the Object Lambda access point in place of the bucket name. \nIf the Object Lambda access point alias in a request is not valid, the error code InvalidAccessPointAliasError
is returned. \nFor more information about InvalidAccessPointAliasError
, see List of\n Error Codes.
We recommend that you use HeadBucket to return the Region\n that a bucket resides in. For backward compatibility, Amazon S3 continues to support\n GetBucketLocation.
\nThe following operations are related to GetBucketLocation
:
\n GetObject\n
\n\n CreateBucket\n
\nReturns the policy of a specified bucket. If you are using an identity other than the\n root user of the Amazon Web Services account that owns the bucket, the calling identity must have the\n GetBucketPolicy
permissions on the specified bucket and belong to the\n bucket owner's account in order to use this operation.
If you don't have GetBucketPolicy
permissions, Amazon S3 returns a 403\n Access Denied
error. If you have the correct permissions, but you're not using an\n identity that belongs to the bucket owner's account, Amazon S3 returns a 405 Method Not\n Allowed
error.
To ensure that bucket owners don't inadvertently lock themselves out of their own\n buckets, the root principal in a bucket owner's Amazon Web Services account can perform the\n GetBucketPolicy
, PutBucketPolicy
, and\n DeleteBucketPolicy
API actions, even if their bucket policy explicitly\n denies the root principal's access. Bucket owner root principals can only be blocked from performing \n these API actions by VPC endpoint policies and Amazon Web Services Organizations policies.
To use this API operation against an access point, provide the alias of the access point in place of the bucket name.
\nTo use this API operation against an Object Lambda access point, provide the alias of the Object Lambda access point in place of the bucket name. \nIf the Object Lambda access point alias in a request is not valid, the error code InvalidAccessPointAliasError
is returned. \nFor more information about InvalidAccessPointAliasError
, see List of\n Error Codes.
For more information about bucket policies, see Using Bucket Policies and User\n Policies.
\nThe following action is related to GetBucketPolicy
:
\n GetObject\n
\nReturns the replication configuration of a bucket.
\nIt can take a while to propagate the put or delete a replication configuration to\n all Amazon S3 systems. Therefore, a get request soon after put or delete can return a wrong\n result.
\nFor information about replication configuration, see Replication in the\n Amazon S3 User Guide.
\nThis action requires permissions for the s3:GetReplicationConfiguration
\n action. For more information about permissions, see Using Bucket Policies and User\n Policies.
If you include the Filter
element in a replication configuration, you must\n also include the DeleteMarkerReplication
and Priority
elements.\n The response also returns those elements.
For information about GetBucketReplication
errors, see List of\n replication-related error codes\n
The following operations are related to GetBucketReplication
:
\n PutBucketReplication\n
\nReturns the request payment configuration of a bucket. To use this version of the\n operation, you must be the bucket owner. For more information, see Requester Pays\n Buckets.
\nThe following operations are related to GetBucketRequestPayment
:
\n ListObjects\n
\nReturns the tag set associated with the bucket.
\nTo use this operation, you must have permission to perform the\n s3:GetBucketTagging
action. By default, the bucket owner has this\n permission and can grant this permission to others.
\n GetBucketTagging
has the following special error:
Error code: NoSuchTagSet
\n
Description: There is no tag set associated with the bucket.
\nThe following operations are related to GetBucketTagging
:
\n PutBucketTagging\n
\n\n DeleteBucketTagging\n
\nReturns the versioning state of a bucket.
\nTo retrieve the versioning state of a bucket, you must be the bucket owner.
\nThis implementation also returns the MFA Delete status of the versioning state. If the\n MFA Delete status is enabled
, the bucket owner must use an authentication\n device to change the versioning state of the bucket.
The following operations are related to GetBucketVersioning
:
\n GetObject\n
\n\n PutObject\n
\n\n DeleteObject\n
\nReturns the website configuration for a bucket. To host website on Amazon S3, you can\n configure a bucket as website by adding a website configuration. For more information about\n hosting websites, see Hosting Websites on Amazon S3.
\nThis GET action requires the S3:GetBucketWebsite
permission. By default,\n only the bucket owner can read the bucket website configuration. However, bucket owners can\n allow other users to read the website configuration by writing a bucket policy granting\n them the S3:GetBucketWebsite
permission.
The following operations are related to GetBucketWebsite
:
\n DeleteBucketWebsite\n
\n\n PutBucketWebsite\n
\nReturns the access control list (ACL) of an object. To use this operation, you must have\n s3:GetObjectAcl
permissions or READ_ACP
access to the object.\n For more information, see Mapping of ACL permissions and access policy permissions in the Amazon S3\n User Guide\n
This action is not supported by Amazon S3 on Outposts.
\nBy default, GET returns ACL information about the current version of an object. To\n return ACL information about a different version, use the versionId subresource.
\nIf your bucket uses the bucket owner enforced setting for S3 Object Ownership,\n requests to read ACLs are still supported and return the\n bucket-owner-full-control
ACL with the owner being the account that\n created the bucket. For more information, see Controlling object\n ownership and disabling ACLs in the\n Amazon S3 User Guide.
The following operations are related to GetObjectAcl
:
\n GetObject\n
\n\n GetObjectAttributes\n
\n\n DeleteObject\n
\n\n PutObject\n
\nThe name of the bucket that contains the object.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The name of the bucket that contains the object.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
An XML header that specifies the fields at the root level that you want returned in the\n response. Fields that you do not specify are not returned.
", + "smithy.api#documentation": "Specifies the fields at the root level that you want returned in the\n response. Fields that you do not specify are not returned.
", "smithy.api#httpHeader": "x-amz-object-attributes", "smithy.api#required": {} } @@ -26814,7 +21464,7 @@ "Bucket": { "target": "com.amazonaws.s3#BucketName", "traits": { - "smithy.api#documentation": "The bucket name containing the object.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen using an Object Lambda access point the hostname takes the form AccessPointName-AccountId.s3-object-lambda.Region.amazonaws.com.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The bucket name containing the object.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen using an Object Lambda access point the hostname takes the form AccessPointName-AccountId.s3-object-lambda.Region.amazonaws.com.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
Returns the tag-set of an object. You send the GET request against the tagging\n subresource associated with the object.
\nTo use this operation, you must have permission to perform the\n s3:GetObjectTagging
action. By default, the GET action returns information\n about current version of an object. For a versioned bucket, you can have multiple versions\n of an object in your bucket. To retrieve tags of any other version, use the versionId query\n parameter. You also need permission for the s3:GetObjectVersionTagging
\n action.
By default, the bucket owner has this permission and can grant this permission to\n others.
\nFor information about the Amazon S3 object tagging feature, see Object Tagging.
\nThe following actions are related to GetObjectTagging
:
\n DeleteObjectTagging\n
\n\n GetObjectAttributes\n
\n\n PutObjectTagging\n
\nThe bucket name containing the object for which to get the tagging information.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The bucket name containing the object for which to get the tagging information.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
Returns torrent files from a bucket. BitTorrent can save you bandwidth when you're\n distributing large files.
\nYou can get torrent only for objects that are less than 5 GB in size, and that are\n not encrypted using server-side encryption with a customer-provided encryption\n key.
\nTo use GET, you must have READ access to the object.
\nThis action is not supported by Amazon S3 on Outposts.
\nThe following action is related to GetObjectTorrent
:
\n GetObject\n
\nThis action is useful to determine if a bucket exists and you have permission to access\n it. The action returns a 200 OK
if the bucket exists and you have permission\n to access it.
If the bucket does not exist or you do not have permission to access it, the\n HEAD
request returns a generic 400 Bad Request
, 403\n Forbidden
or 404 Not Found
code. A message body is not included, so\n you cannot determine the exception beyond these error codes.
To use this operation, you must have permissions to perform the\n s3:ListBucket
action. The bucket owner has this permission by default and\n can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing\n Access Permissions to Your Amazon S3 Resources.
To use this API operation against an access point, you must provide the alias of the access point in place of the\n bucket name or specify the access point ARN. When using the access point ARN, you must direct requests to\n the access point hostname. The access point hostname takes the form\n AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com.\n When using the Amazon Web Services SDKs, you provide the ARN in place of the bucket name. For more\n information, see Using access points.
\nTo use this API operation against an Object Lambda access point, provide the alias of the Object Lambda access point in place of the bucket name. \nIf the Object Lambda access point alias in a request is not valid, the error code InvalidAccessPointAliasError
is returned. \nFor more information about InvalidAccessPointAliasError
, see List of\n Error Codes.
The bucket name.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with an Object Lambda access point, provide the alias of the Object Lambda access point in place of the bucket name. \n If the Object Lambda access point alias in a request is not valid, the error code InvalidAccessPointAliasError
is returned. \n For more information about InvalidAccessPointAliasError
, see List of\n Error Codes.
When you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The bucket name.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with an Object Lambda access point, provide the alias of the Object Lambda access point in place of the bucket name. \n If the Object Lambda access point alias in a request is not valid, the error code InvalidAccessPointAliasError
is returned. \n For more information about InvalidAccessPointAliasError
, see List of\n Error Codes.
When you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
The name of the bucket containing the object.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The name of the bucket containing the object.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
The ContinuationToken that represents a placeholder from where this request should\n begin.
", + "smithy.api#documentation": "The ContinuationToken
that represents a placeholder from where this request\n should begin.
The marker used to continue an inventory configuration listing that has been truncated.\n Use the NextContinuationToken from a previously truncated list response to continue the\n listing. The continuation token is an opaque value that Amazon S3 understands.
", + "smithy.api#documentation": "The marker used to continue an inventory configuration listing that has been truncated.\n Use the NextContinuationToken
from a previously truncated list response to\n continue the listing. The continuation token is an opaque value that Amazon S3\n understands.
The marker that is used to continue a metrics configuration listing that has been\n truncated. Use the NextContinuationToken from a previously truncated list response to\n continue the listing. The continuation token is an opaque value that Amazon S3\n understands.
", + "smithy.api#documentation": "The marker that is used to continue a metrics configuration listing that has been\n truncated. Use the NextContinuationToken
from a previously truncated list\n response to continue the listing. The continuation token is an opaque value that Amazon S3\n understands.
Returns a list of all buckets owned by the authenticated sender of the request. To use\n this operation, you must have the s3:ListAllMyBuckets
permission.
For information about Amazon S3 buckets, see Creating, configuring, and\n working with Amazon S3 buckets.
", - "smithy.api#examples": [ - { - "title": "To list all buckets", - "documentation": "The following example returns all the buckets owned by the sender of this request.", - "output": { - "Owner": { - "DisplayName": "own-display-name", - "ID": "examplee7a2f25102679df27bb0ae12b3f85be6f290b936c4393484be31" - }, - "Buckets": [ - { - "CreationDate": "2012-02-15T21:03:02.000Z", - "Name": "examplebucket" - }, - { - "CreationDate": "2011-07-24T19:33:50.000Z", - "Name": "examplebucket2" - }, - { - "CreationDate": "2010-12-17T00:56:49.000Z", - "Name": "examplebucket3" - } - ] - } - } - ], "smithy.api#http": { "method": "GET", "uri": "/", @@ -29271,7 +23870,7 @@ "EncodingType": { "target": "com.amazonaws.s3#EncodingType", "traits": { - "smithy.api#documentation": "Encoding type used by Amazon S3 to encode object keys in the response.
\nIf you specify encoding-type
request parameter, Amazon S3 includes this element\n in the response, and returns encoded key name values in the following response\n elements:
\n Delimiter
, KeyMarker
, Prefix
,\n NextKeyMarker
, Key
.
Encoding type used by Amazon S3 to encode object keys in the response.
\nIf you specify the encoding-type
request parameter, Amazon S3 includes this\n element in the response, and returns encoded key name values in the following response\n elements:
\n Delimiter
, KeyMarker
, Prefix
,\n NextKeyMarker
, Key
.
The name of the bucket to which the multipart upload was initiated.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The name of the bucket to which the multipart upload was initiated.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
Together with upload-id-marker, this parameter specifies the multipart upload after\n which listing should begin.
\nIf upload-id-marker
is not specified, only the keys lexicographically\n greater than the specified key-marker
will be included in the list.
If upload-id-marker
is specified, any multipart uploads for a key equal to\n the key-marker
might also be included, provided those multipart uploads have\n upload IDs lexicographically greater than the specified\n upload-id-marker
.
Together with upload-id-marker
, this parameter specifies the multipart\n upload after which listing should begin.
If upload-id-marker
is not specified, only the keys lexicographically\n greater than the specified key-marker
will be included in the list.
If upload-id-marker
is specified, any multipart uploads for a key equal to\n the key-marker
might also be included, provided those multipart uploads have\n upload IDs lexicographically greater than the specified\n upload-id-marker
.
Lists in-progress uploads only for those keys that begin with the specified prefix. You\n can use prefixes to separate a bucket into different grouping of keys. (You can think of\n using prefix to make groups in the same way you'd use a folder in a file system.)
", + "smithy.api#documentation": "Lists in-progress uploads only for those keys that begin with the specified prefix. You\n can use prefixes to separate a bucket into different grouping of keys. (You can think of\n using prefix
to make groups in the same way that you'd use a folder in a file\n system.)
Returns metadata about all versions of the objects in a bucket. You can also use request\n parameters as selection criteria to return metadata about a subset of all the object\n versions.
\n To use this operation, you must have permissions to perform the\n s3:ListBucketVersions
action. Be aware of the name difference.
A 200 OK response can contain valid or invalid XML. Make sure to design your\n application to parse the contents of the response and handle it appropriately.
\nTo use this operation, you must have READ access to the bucket.
\nThis action is not supported by Amazon S3 on Outposts.
\nThe following operations are related to ListObjectVersions
:
\n ListObjectsV2\n
\n\n GetObject\n
\n\n PutObject\n
\n\n DeleteObject\n
\nReturns metadata about all versions of the objects in a bucket. You can also use request\n parameters as selection criteria to return metadata about a subset of all the object\n versions.
\n To use this operation, you must have permission to perform the\n s3:ListBucketVersions
action. Be aware of the name difference.
A 200 OK
response can contain valid or invalid XML. Make sure to design\n your application to parse the contents of the response and handle it\n appropriately.
To use this operation, you must have READ access to the bucket.
\nThis action is not supported by Amazon S3 on Outposts.
\nThe following operations are related to ListObjectVersions
:
\n ListObjectsV2\n
\n\n GetObject\n
\n\n PutObject\n
\n\n DeleteObject\n
\nA flag that indicates whether Amazon S3 returned all of the results that satisfied the search\n criteria. If your results were truncated, you can make a follow-up paginated request using\n the NextKeyMarker and NextVersionIdMarker response parameters as a starting place in\n another request to return the rest of the results.
" + "smithy.api#documentation": "A flag that indicates whether Amazon S3 returned all of the results that satisfied the search\n criteria. If your results were truncated, you can make a follow-up paginated request by\n using the NextKeyMarker
and NextVersionIdMarker
response\n parameters as a starting place in another request to return the rest of the results.
When the number of responses exceeds the value of MaxKeys
,\n NextVersionIdMarker
specifies the first object version not returned that\n satisfies the search criteria. Use this value for the version-id-marker request parameter\n in a subsequent request.
When the number of responses exceeds the value of MaxKeys
,\n NextVersionIdMarker
specifies the first object version not returned that\n satisfies the search criteria. Use this value for the version-id-marker
\n request parameter in a subsequent request.
The delimiter grouping the included keys. A delimiter is a character that you specify to\n group keys. All keys that contain the same string between the prefix and the first\n occurrence of the delimiter are grouped under a single result element in\n CommonPrefixes
. These groups are counted as one result against the max-keys\n limitation. These keys are not returned elsewhere in the response.
The delimiter grouping the included keys. A delimiter is a character that you specify to\n group keys. All keys that contain the same string between the prefix and the first\n occurrence of the delimiter are grouped under a single result element in\n CommonPrefixes
. These groups are counted as one result against the\n max-keys
limitation. These keys are not returned elsewhere in the\n response.
Encoding type used by Amazon S3 to encode object key names in the XML response.
\nIf you specify encoding-type request parameter, Amazon S3 includes this element in the\n response, and returns encoded key name values in the following response elements:
\n\n KeyMarker, NextKeyMarker, Prefix, Key
, and Delimiter
.
Encoding type used by Amazon S3 to encode object key names in the XML response.
\nIf you specify the encoding-type
request parameter, Amazon S3 includes this\n element in the response, and returns encoded key name values in the following response\n elements:
\n KeyMarker, NextKeyMarker, Prefix, Key
, and Delimiter
.
A delimiter is a character that you specify to group keys. All keys that contain the\n same string between the prefix
and the first occurrence of the delimiter are\n grouped under a single result element in CommonPrefixes. These groups are counted as one\n result against the max-keys limitation. These keys are not returned elsewhere in the\n response.
A delimiter is a character that you specify to group keys. All keys that contain the\n same string between the prefix
and the first occurrence of the delimiter are\n grouped under a single result element in CommonPrefixes
. These groups are\n counted as one result against the max-keys
limitation. These keys are not\n returned elsewhere in the response.
Sets the maximum number of keys returned in the response. By default the action returns\n up to 1,000 key names. The response might contain fewer keys but will never contain more.\n If additional keys satisfy the search criteria, but were not returned because max-keys was\n exceeded, the response contains
Sets the maximum number of keys returned in the response. By default, the action returns\n up to 1,000 key names. The response might contain fewer keys but will never contain more.\n If additional keys satisfy the search criteria, but were not returned because\n max-keys
was exceeded, the response contains\n
. To return the additional keys,\n see key-marker
and version-id-marker
.
Use this parameter to select only those keys that begin with the specified prefix. You\n can use prefixes to separate a bucket into different groupings of keys. (You can think of\n using prefix to make groups in the same way you'd use a folder in a file system.) You can\n use prefix with delimiter to roll up numerous objects into a single result under\n CommonPrefixes.
", + "smithy.api#documentation": "Use this parameter to select only those keys that begin with the specified prefix. You\n can use prefixes to separate a bucket into different groupings of keys. (You can think of\n using prefix
to make groups in the same way that you'd use a folder in a file\n system.) You can use prefix
with delimiter
to roll up numerous\n objects into a single result under CommonPrefixes
.
Specifies the optional fields that you want returned in the response.\n Fields that you do not specify are not returned.
", + "smithy.api#httpHeader": "x-amz-optional-object-attributes" + } } }, "traits": { @@ -29632,7 +24198,7 @@ "NextMarker": { "target": "com.amazonaws.s3#NextMarker", "traits": { - "smithy.api#documentation": "When response is truncated (the IsTruncated element value in the response is true), you\n can use the key name in this field as marker in the subsequent request to get next set of\n objects. Amazon S3 lists objects in alphabetical order Note: This element is returned only if\n you have delimiter request parameter specified. If response does not include the NextMarker\n and it is truncated, you can use the value of the last Key in the response as the marker in\n the subsequent request to get the next set of object keys.
" + "smithy.api#documentation": "When the response is truncated (the IsTruncated
element value in the\n response is true
), you can use the key name in this field as the\n marker
parameter in the subsequent request to get the next set of objects.\n Amazon S3 lists objects in alphabetical order.
This element is returned only if you have the delimiter
request\n parameter specified. If the response does not include the NextMarker
\n element and it is truncated, you can use the value of the last Key
element\n in the response as the marker
parameter in the subsequent request to get\n the next set of object keys.
All of the keys (up to 1,000) rolled up in a common prefix count as a single return when\n calculating the number of returns.
\nA response can contain CommonPrefixes only if you specify a delimiter.
\nCommonPrefixes contains all (if there are any) keys between Prefix and the next\n occurrence of the string specified by the delimiter.
\nCommonPrefixes lists keys that act like subdirectories in the directory specified by\n Prefix.
\nFor example, if the prefix is notes/ and the delimiter is a slash (/) as in\n notes/summer/july, the common prefix is notes/summer/. All of the keys that roll up into a\n common prefix count as a single return when calculating the number of returns.
", + "smithy.api#documentation": "All of the keys (up to 1,000) rolled up in a common prefix count as a single return when\n calculating the number of returns.
\nA response can contain CommonPrefixes
only if you specify a\n delimiter.
\n CommonPrefixes
contains all (if there are any) keys between\n Prefix
and the next occurrence of the string specified by the\n delimiter.
\n CommonPrefixes
lists keys that act like subdirectories in the directory\n specified by Prefix
.
For example, if the prefix is notes/
and the delimiter is a slash\n (/
), as in notes/summer/july
, the common prefix is\n notes/summer/
. All of the keys that roll up into a common prefix count as a\n single return when calculating the number of returns.
The name of the bucket containing the objects.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The name of the bucket containing the objects.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
A delimiter is a character you use to group keys.
", + "smithy.api#documentation": "A delimiter is a character that you use to group keys.
", "smithy.api#httpQuery": "delimiter" } }, @@ -29730,7 +24296,7 @@ "target": "com.amazonaws.s3#MaxKeys", "traits": { "smithy.api#default": 0, - "smithy.api#documentation": "Sets the maximum number of keys returned in the response. By default the action returns\n up to 1,000 key names. The response might contain fewer keys but will never contain more.\n
", + "smithy.api#documentation": "Sets the maximum number of keys returned in the response. By default, the action returns\n up to 1,000 key names. The response might contain fewer keys but will never contain more.
", "smithy.api#httpQuery": "max-keys" } }, @@ -29754,6 +24320,13 @@ "smithy.api#documentation": "The account ID of the expected bucket owner. If the bucket is owned by a different account, the request fails with the HTTP status code 403 Forbidden
(access denied).
Specifies the optional fields that you want returned in the response.\n Fields that you do not specify are not returned.
", + "smithy.api#httpHeader": "x-amz-optional-object-attributes" + } } }, "traits": { @@ -29774,7 +24347,7 @@ } ], "traits": { - "smithy.api#documentation": "Returns some or all (up to 1,000) of the objects in a bucket with each request. You can\n use the request parameters as selection criteria to return a subset of the objects in a\n bucket. A 200 OK
response can contain valid or invalid XML. Make sure to\n design your application to parse the contents of the response and handle it appropriately.\n Objects are returned sorted in an ascending order of the respective key names in the list.\n For more information about listing objects, see Listing object keys\n programmatically\n
To use this operation, you must have READ access to the bucket.
\nTo use this action in an Identity and Access Management (IAM) policy, you must have permissions to perform\n the s3:ListBucket
action. The bucket owner has this permission by default and\n can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing\n Access Permissions to Your Amazon S3 Resources.
This section describes the latest revision of this action. We recommend that you use\n this revised API for application development. For backward compatibility, Amazon S3 continues\n to support the prior version of this API, ListObjects.
\nTo get a list of your buckets, see ListBuckets.
\nThe following operations are related to ListObjectsV2
:
\n GetObject\n
\n\n PutObject\n
\n\n CreateBucket\n
\nReturns some or all (up to 1,000) of the objects in a bucket with each request. You can\n use the request parameters as selection criteria to return a subset of the objects in a\n bucket. A 200 OK
response can contain valid or invalid XML. Make sure to\n design your application to parse the contents of the response and handle it appropriately.\n Objects are returned sorted in an ascending order of the respective key names in the list.\n For more information about listing objects, see Listing object keys\n programmatically in the Amazon S3 User Guide.
To use this operation, you must have READ access to the bucket.
\nTo use this action in an Identity and Access Management (IAM) policy, you must have permission to perform\n the s3:ListBucket
action. The bucket owner has this permission by default and\n can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing\n Access Permissions to Your Amazon S3 Resources in the\n Amazon S3 User Guide.
This section describes the latest revision of this action. We recommend that you use\n this revised API operation for application development. For backward compatibility, Amazon S3\n continues to support the prior version of this API operation, ListObjects.
\nTo get a list of your buckets, see ListBuckets.
\nThe following operations are related to ListObjectsV2
:
\n GetObject\n
\n\n PutObject\n
\n\n CreateBucket\n
\nSet to false if all of the results were returned. Set to true if more keys are available\n to return. If the number of results exceeds that specified by MaxKeys, all of the results\n might not be returned.
" + "smithy.api#documentation": "Set to false
if all of the results were returned. Set to true
\n if more keys are available to return. If the number of results exceeds that specified by\n MaxKeys
, all of the results might not be returned.
The bucket name.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The bucket name.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
Causes keys that contain the same string between the prefix and the first occurrence of\n the delimiter to be rolled up into a single result element in the CommonPrefixes\n collection. These rolled-up keys are not returned elsewhere in the response. Each rolled-up\n result counts as only one return against the MaxKeys
value.
Causes keys that contain the same string between the prefix
and the first\n occurrence of the delimiter to be rolled up into a single result element in the\n CommonPrefixes
collection. These rolled-up keys are not returned elsewhere\n in the response. Each rolled-up result counts as only one return against the\n MaxKeys
value.
Sets the maximum number of keys returned in the response. By default the action returns\n up to 1,000 key names. The response might contain fewer keys but will never contain\n more.
" + "smithy.api#documentation": "Sets the maximum number of keys returned in the response. By default, the action returns\n up to 1,000 key names. The response might contain fewer keys but will never contain\n more.
" } }, "CommonPrefixes": { @@ -29839,20 +24412,20 @@ "EncodingType": { "target": "com.amazonaws.s3#EncodingType", "traits": { - "smithy.api#documentation": "Encoding type used by Amazon S3 to encode object key names in the XML response.
\nIf you specify the encoding-type request parameter, Amazon S3 includes this element in the\n response, and returns encoded key name values in the following response elements:
\n\n Delimiter, Prefix, Key,
and StartAfter
.
Encoding type used by Amazon S3 to encode object key names in the XML response.
\nIf you specify the encoding-type
request parameter, Amazon S3 includes this\n element in the response, and returns encoded key name values in the following response\n elements:
\n Delimiter, Prefix, Key,
and StartAfter
.
KeyCount is the number of keys returned with this request. KeyCount will always be less\n than or equal to the MaxKeys
field. Say you ask for 50 keys, your result will\n include 50 keys or fewer.
\n KeyCount
is the number of keys returned with this request.\n KeyCount
will always be less than or equal to the MaxKeys
\n field. For example, if you ask for 50 keys, your result will include 50 keys or\n fewer.
If ContinuationToken was sent with the request, it is included in the response.
" + "smithy.api#documentation": " If ContinuationToken
was sent with the request, it is included in the\n response.
Bucket name to list.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
Bucket name to list.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
A delimiter is a character you use to group keys.
", + "smithy.api#documentation": "A delimiter is a character that you use to group keys.
", "smithy.api#httpQuery": "delimiter" } }, @@ -29911,7 +24484,7 @@ "target": "com.amazonaws.s3#MaxKeys", "traits": { "smithy.api#default": 0, - "smithy.api#documentation": "Sets the maximum number of keys returned in the response. By default the action returns\n up to 1,000 key names. The response might contain fewer keys but will never contain\n more.
", + "smithy.api#documentation": "Sets the maximum number of keys returned in the response. By default, the action returns\n up to 1,000 key names. The response might contain fewer keys but will never contain\n more.
", "smithy.api#httpQuery": "max-keys" } }, @@ -29925,7 +24498,7 @@ "ContinuationToken": { "target": "com.amazonaws.s3#Token", "traits": { - "smithy.api#documentation": "ContinuationToken indicates Amazon S3 that the list is being continued on this bucket with a\n token. ContinuationToken is obfuscated and is not a real key.
", + "smithy.api#documentation": "\n ContinuationToken
indicates to Amazon S3 that the list is being continued on\n this bucket with a token. ContinuationToken
is obfuscated and is not a real\n key.
The owner field is not present in listV2 by default, if you want to return owner field\n with each key in the result then set the fetch owner field to true.
", + "smithy.api#documentation": "The owner field is not present in ListObjectsV2
by default. If you want to\n return the owner field with each key in the result, then set the FetchOwner
\n field to true
.
The account ID of the expected bucket owner. If the bucket is owned by a different account, the request fails with the HTTP status code 403 Forbidden
(access denied).
Specifies the optional fields that you want returned in the response.\n Fields that you do not specify are not returned.
", + "smithy.api#httpHeader": "x-amz-optional-object-attributes" + } } }, "traits": { @@ -30030,7 +24610,7 @@ "NextPartNumberMarker": { "target": "com.amazonaws.s3#NextPartNumberMarker", "traits": { - "smithy.api#documentation": "When a list is truncated, this element specifies the last part in the list, as well as\n the value to use for the part-number-marker request parameter in a subsequent\n request.
" + "smithy.api#documentation": "When a list is truncated, this element specifies the last part in the list, as well as\n the value to use for the part-number-marker
request parameter in a subsequent\n request.
The name of the bucket to which the parts are being uploaded.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The name of the bucket to which the parts are being uploaded.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
Name of the Object.
" + "smithy.api#documentation": "Name of the object.
" } }, "Value": { "target": "com.amazonaws.s3#MetadataValue", "traits": { - "smithy.api#documentation": "Value of the Object.
" + "smithy.api#documentation": "Value of the object.
" } } }, @@ -30737,6 +25317,12 @@ "traits": { "smithy.api#documentation": "The owner of the object
" } + }, + "RestoreStatus": { + "target": "com.amazonaws.s3#RestoreStatus", + "traits": { + "smithy.api#documentation": "Specifies the restoration status of an object. Objects in certain storage classes must be restored\n before they can be retrieved. For more information about these storage classes and how to work with\n archived objects, see \n Working with archived objects in the Amazon S3 User Guide.
" + } } }, "traits": { @@ -31247,6 +25833,12 @@ "traits": { "smithy.api#documentation": "Specifies the owner of the object.
" } + }, + "RestoreStatus": { + "target": "com.amazonaws.s3#RestoreStatus", + "traits": { + "smithy.api#documentation": "Specifies the restoration status of an object. Objects in certain storage classes must be restored\n before they can be retrieved. For more information about these storage classes and how to work with\n archived objects, see \n Working with archived objects in the Amazon S3 User Guide.
" + } } }, "traits": { @@ -31273,6 +25865,23 @@ } } }, + "com.amazonaws.s3#OptionalObjectAttributes": { + "type": "enum", + "members": { + "RESTORE_STATUS": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "RestoreStatus" + } + } + } + }, + "com.amazonaws.s3#OptionalObjectAttributesList": { + "type": "list", + "member": { + "target": "com.amazonaws.s3#OptionalObjectAttributes" + } + }, "com.amazonaws.s3#OutputLocation": { "type": "structure", "members": { @@ -31724,17 +26333,6 @@ "requestChecksumRequired": true }, "smithy.api#documentation": "Sets the permissions on an existing bucket using access control lists (ACL). For more\n information, see Using ACLs. To set the ACL of a\n bucket, you must have WRITE_ACP
permission.
You can use one of the following two ways to set a bucket's permissions:
\nSpecify the ACL in the request body
\nSpecify permissions using request headers
\nYou cannot specify access permission using both the body and the request\n headers.
\nDepending on your application needs, you may choose to set the ACL on a bucket using\n either the request body or the headers. For example, if you have an existing application\n that updates a bucket ACL using the request body, then you can continue to use that\n approach.
\nIf your bucket uses the bucket owner enforced setting for S3 Object Ownership, ACLs\n are disabled and no longer affect permissions. You must use policies to grant access to\n your bucket and the objects in it. Requests to set ACLs or update ACLs fail and return\n the AccessControlListNotSupported
error code. Requests to read ACLs are\n still supported. For more information, see Controlling object\n ownership in the Amazon S3 User Guide.
You can set access permissions by using one of the following methods:
\nSpecify a canned ACL with the x-amz-acl
request header. Amazon S3 supports\n a set of predefined ACLs, known as canned ACLs. Each canned ACL\n has a predefined set of grantees and permissions. Specify the canned ACL name as the\n value of x-amz-acl
. If you use this header, you cannot use other access\n control-specific headers in your request. For more information, see Canned\n ACL.
Specify access permissions explicitly with the x-amz-grant-read
,\n x-amz-grant-read-acp
, x-amz-grant-write-acp
, and\n x-amz-grant-full-control
headers. When using these headers, you\n specify explicit access permissions and grantees (Amazon Web Services accounts or Amazon S3 groups) who\n will receive the permission. If you use these ACL-specific headers, you cannot use\n the x-amz-acl
header to set a canned ACL. These parameters map to the\n set of permissions that Amazon S3 supports in an ACL. For more information, see Access Control\n List (ACL) Overview.
You specify each grantee as a type=value pair, where the type is one of the\n following:
\n\n id
– if the value specified is the canonical user ID of an\n Amazon Web Services account
\n uri
– if you are granting permissions to a predefined\n group
\n emailAddress
– if the value specified is the email address of\n an Amazon Web Services account
Using email addresses to specify a grantee is only supported in the following Amazon Web Services Regions:
\nUS East (N. Virginia)
\nUS West (N. California)
\nUS West (Oregon)
\nAsia Pacific (Singapore)
\nAsia Pacific (Sydney)
\nAsia Pacific (Tokyo)
\nEurope (Ireland)
\nSouth America (São Paulo)
\nFor a list of all the Amazon S3 supported Regions and endpoints, see Regions and Endpoints in the Amazon Web Services General Reference.
\nFor example, the following x-amz-grant-write
header grants create,\n overwrite, and delete objects permission to LogDelivery group predefined by Amazon S3 and\n two Amazon Web Services accounts identified by their email addresses.
\n x-amz-grant-write: uri=\"http://acs.amazonaws.com/groups/s3/LogDelivery\",\n id=\"111122223333\", id=\"555566667777\"
\n
You can use either a canned ACL or specify access permissions explicitly. You cannot do\n both.
\nYou can specify the person (grantee) to whom you're assigning access rights (using\n request elements) in the following ways:
\nBy the person's ID:
\n\n
\n
DisplayName is optional and ignored in the request
\nBy URI:
\n\n
\n
By Email address:
\n\n
\n
The grantee is resolved to the CanonicalUser and, in a response to a GET Object\n acl request, appears as the CanonicalUser.
\nUsing email addresses to specify a grantee is only supported in the following Amazon Web Services Regions:
\nUS East (N. Virginia)
\nUS West (N. California)
\nUS West (Oregon)
\nAsia Pacific (Singapore)
\nAsia Pacific (Sydney)
\nAsia Pacific (Tokyo)
\nEurope (Ireland)
\nSouth America (São Paulo)
\nFor a list of all the Amazon S3 supported Regions and endpoints, see Regions and Endpoints in the Amazon Web Services General Reference.
\nThe following operations are related to PutBucketAcl
:
\n CreateBucket\n
\n\n DeleteBucket\n
\n\n GetObjectAcl\n
\nSets the cors
configuration for your bucket. If the configuration exists,\n Amazon S3 replaces it.
To use this operation, you must be allowed to perform the s3:PutBucketCORS
\n action. By default, the bucket owner has this permission and can grant it to others.
You set this configuration on a bucket so that the bucket can service cross-origin\n requests. For example, you might want to enable a request whose origin is\n http://www.example.com
to access your Amazon S3 bucket at\n my.example.bucket.com
by using the browser's XMLHttpRequest
\n capability.
To enable cross-origin resource sharing (CORS) on a bucket, you add the\n cors
subresource to the bucket. The cors
subresource is an XML\n document in which you configure rules that identify origins and the HTTP methods that can\n be executed on your bucket. The document is limited to 64 KB in size.
When Amazon S3 receives a cross-origin request (or a pre-flight OPTIONS request) against a\n bucket, it evaluates the cors
configuration on the bucket and uses the first\n CORSRule
rule that matches the incoming browser request to enable a\n cross-origin request. For a rule to match, the following conditions must be met:
The request's Origin
header must match AllowedOrigin
\n elements.
The request method (for example, GET, PUT, HEAD, and so on) or the\n Access-Control-Request-Method
header in case of a pre-flight\n OPTIONS
request must be one of the AllowedMethod
\n elements.
Every header specified in the Access-Control-Request-Headers
request\n header of a pre-flight request must match an AllowedHeader
element.\n
For more information about CORS, go to Enabling Cross-Origin Resource Sharing in\n the Amazon S3 User Guide.
\nThe following operations are related to PutBucketCors
:
\n GetBucketCors\n
\n\n DeleteBucketCors\n
\n\n RESTOPTIONSobject\n
\nCreates a new lifecycle configuration for the bucket or replaces an existing lifecycle\n configuration. Keep in mind that this will overwrite an existing lifecycle configuration,\n so if you want to retain any configuration details, they must be included in the new\n lifecycle configuration. For information about lifecycle configuration, see Managing\n your storage lifecycle.
\nBucket lifecycle configuration now supports specifying a lifecycle rule using an\n object key name prefix, one or more object tags, or a combination of both. Accordingly,\n this section describes the latest API. The previous version of the API supported\n filtering based only on an object key name prefix, which is supported for backward\n compatibility. For the related API description, see PutBucketLifecycle.
\nYou specify the lifecycle configuration in your request body. The lifecycle\n configuration is specified as XML consisting of one or more rules. An Amazon S3 Lifecycle\n configuration can have up to 1,000 rules. This limit is not adjustable. Each rule consists\n of the following:
\nA filter identifying a subset of objects to which the rule applies. The filter can\n be based on a key name prefix, object tags, or a combination of both.
\nA status indicating whether the rule is in effect.
\nOne or more lifecycle transition and expiration actions that you want Amazon S3 to\n perform on the objects identified by the filter. If the state of your bucket is\n versioning-enabled or versioning-suspended, you can have many versions of the same\n object (one current version and zero or more noncurrent versions). Amazon S3 provides\n predefined actions that you can specify for current and noncurrent object\n versions.
\nFor more information, see Object Lifecycle Management\n and Lifecycle Configuration Elements.
\nBy default, all Amazon S3 resources are private, including buckets, objects, and related\n subresources (for example, lifecycle configuration and website configuration). Only the\n resource owner (that is, the Amazon Web Services account that created it) can access the resource. The\n resource owner can optionally grant access permissions to others by writing an access\n policy. For this operation, a user must get the s3:PutLifecycleConfiguration
\n permission.
You can also explicitly deny permissions. An explicit deny also supersedes any other\n permissions. If you want to block users or accounts from removing or deleting objects from\n your bucket, you must deny them permissions for the following actions:
\n\n s3:DeleteObject
\n
\n s3:DeleteObjectVersion
\n
\n s3:PutLifecycleConfiguration
\n
For more information about permissions, see Managing Access Permissions to\n Your Amazon S3 Resources.
\nThe following operations are related to PutBucketLifecycleConfiguration
:
Set the logging parameters for a bucket and to specify permissions for who can view and\n modify the logging parameters. All logs are saved to buckets in the same Amazon Web Services Region as\n the source bucket. To set the logging status of a bucket, you must be the bucket\n owner.
\nThe bucket owner is automatically granted FULL_CONTROL to all logs. You use the\n Grantee
request element to grant access to other people. The\n Permissions
request element specifies the kind of access the grantee has to\n the logs.
If the target bucket for log delivery uses the bucket owner enforced setting for S3\n Object Ownership, you can't use the Grantee
request element to grant access\n to others. Permissions can only be granted using policies. For more information, see\n Permissions for server access log delivery in the\n Amazon S3 User Guide.
You can specify the person (grantee) to whom you're assigning access rights (by using\n request elements) in the following ways:
\nBy the person's ID:
\n\n
\n
\n DisplayName
is optional and ignored in the request.
By Email address:
\n\n
\n
The grantee is resolved to the CanonicalUser
and, in a response to a GETObjectAcl
\n request, appears as the CanonicalUser.
By URI:
\n\n
\n
To enable logging, you use LoggingEnabled
and its children request elements. To disable\n logging, you use an empty BucketLoggingStatus
request element:
\n
\n
For more information about server access logging, see Server Access Logging in the\n Amazon S3 User Guide.
\nFor more information about creating a bucket, see CreateBucket. For more\n information about returning the logging status of a bucket, see GetBucketLogging.
\nThe following operations are related to PutBucketLogging
:
\n PutObject\n
\n\n DeleteBucket\n
\n\n CreateBucket\n
\n\n GetBucketLogging\n
\nEnables notifications of specified events for a bucket. For more information about event\n notifications, see Configuring Event\n Notifications.
\nUsing this API, you can replace an existing notification configuration. The\n configuration is an XML file that defines the event types that you want Amazon S3 to publish and\n the destination where you want Amazon S3 to publish an event notification when it detects an\n event of the specified type.
\nBy default, your bucket has no event notifications configured. That is, the notification\n configuration will be an empty NotificationConfiguration
.
\n
\n
\n \n
This action replaces the existing notification configuration with the configuration you\n include in the request body.
\nAfter Amazon S3 receives this request, it first verifies that any Amazon Simple Notification\n Service (Amazon SNS) or Amazon Simple Queue Service (Amazon SQS) destination exists, and\n that the bucket owner has permission to publish to it by sending a test notification. In\n the case of Lambda destinations, Amazon S3 verifies that the Lambda function permissions\n grant Amazon S3 permission to invoke the function from the Amazon S3 bucket. For more information,\n see Configuring Notifications for Amazon S3 Events.
\nYou can disable notifications by adding the empty NotificationConfiguration\n element.
\nFor more information about the number of event notification configurations that you can\n create per bucket, see Amazon S3 service quotas in Amazon Web Services\n General Reference.
\nBy default, only the bucket owner can configure notifications on a bucket. However,\n bucket owners can use a bucket policy to grant permission to other users to set this\n configuration with the required s3:PutBucketNotification
permission.
The PUT notification is an atomic operation. For example, suppose your notification\n configuration includes SNS topic, SQS queue, and Lambda function configurations. When\n you send a PUT request with this configuration, Amazon S3 sends test messages to your SNS\n topic. If the message fails, the entire PUT action will fail, and Amazon S3 will not add the\n configuration to your bucket.
\nIf the configuration in the request body includes only one\n TopicConfiguration
specifying only the\n s3:ReducedRedundancyLostObject
event type, the response will also include\n the x-amz-sns-test-message-id
header containing the message ID of the test\n notification sent to the topic.
The following action is related to\n PutBucketNotificationConfiguration
:
Applies an Amazon S3 bucket policy to an Amazon S3 bucket. If you are using an identity other than\n the root user of the Amazon Web Services account that owns the bucket, the calling identity must have the\n PutBucketPolicy
permissions on the specified bucket and belong to the\n bucket owner's account in order to use this operation.
If you don't have PutBucketPolicy
permissions, Amazon S3 returns a 403\n Access Denied
error. If you have the correct permissions, but you're not using an\n identity that belongs to the bucket owner's account, Amazon S3 returns a 405 Method Not\n Allowed
error.
To ensure that bucket owners don't inadvertently lock themselves out of their own\n buckets, the root principal in a bucket owner's Amazon Web Services account can perform the\n GetBucketPolicy
, PutBucketPolicy
, and\n DeleteBucketPolicy
API actions, even if their bucket policy explicitly\n denies the root principal's access. Bucket owner root principals can only be blocked from performing \n these API actions by VPC endpoint policies and Amazon Web Services Organizations policies.
For more information, see Bucket policy\n examples.
\nThe following operations are related to PutBucketPolicy
:
\n CreateBucket\n
\n\n DeleteBucket\n
\nCreates a replication configuration or replaces an existing one. For more information,\n see Replication in the Amazon S3 User Guide.
\nSpecify the replication configuration in the request body. In the replication\n configuration, you provide the name of the destination bucket or buckets where you want\n Amazon S3 to replicate objects, the IAM role that Amazon S3 can assume to replicate objects on your\n behalf, and other relevant information.
\nA replication configuration must include at least one rule, and can contain a maximum of\n 1,000. Each rule identifies a subset of objects to replicate by filtering the objects in\n the source bucket. To choose additional subsets of objects to replicate, add a rule for\n each subset.
\nTo specify a subset of the objects in the source bucket to apply a replication rule to,\n add the Filter element as a child of the Rule element. You can filter objects based on an\n object key prefix, one or more object tags, or both. When you add the Filter element in the\n configuration, you must also add the following elements:\n DeleteMarkerReplication
, Status
, and\n Priority
.
If you are using an earlier version of the replication configuration, Amazon S3 handles\n replication of delete markers differently. For more information, see Backward Compatibility.
\nFor information about enabling versioning on a bucket, see Using Versioning.
\nBy default, Amazon S3 doesn't replicate objects that are stored at rest using server-side\n encryption with KMS keys. To replicate Amazon Web Services KMS-encrypted objects, add the following:\n SourceSelectionCriteria
, SseKmsEncryptedObjects
,\n Status
, EncryptionConfiguration
, and\n ReplicaKmsKeyID
. For information about replication configuration, see\n Replicating Objects\n Created with SSE Using KMS keys.
For information on PutBucketReplication
errors, see List of\n replication-related error codes\n
To create a PutBucketReplication
request, you must have\n s3:PutReplicationConfiguration
permissions for the bucket.\n \n
By default, a resource owner, in this case the Amazon Web Services account that created the bucket,\n can perform this operation. The resource owner can also grant others permissions to perform\n the operation. For more information about permissions, see Specifying Permissions in a\n Policy and Managing Access Permissions to\n Your Amazon S3 Resources.
\nTo perform this operation, the user or role performing the action must have the\n iam:PassRole permission.
\nThe following operations are related to PutBucketReplication
:
\n GetBucketReplication\n
\nSets the request payment configuration for a bucket. By default, the bucket owner pays\n for downloads from the bucket. This configuration parameter enables the bucket owner (only)\n to specify that the person requesting the download will be charged for the download. For\n more information, see Requester Pays\n Buckets.
\nThe following operations are related to PutBucketRequestPayment
:
\n CreateBucket\n
\nSets the tags for a bucket.
\nUse tags to organize your Amazon Web Services bill to reflect your own cost structure. To do this,\n sign up to get your Amazon Web Services account bill with tag key values included. Then, to see the cost\n of combined resources, organize your billing information according to resources with the\n same tag key values. For example, you can tag several resources with a specific application\n name, and then organize your billing information to see the total cost of that application\n across several services. For more information, see Cost Allocation and\n Tagging and Using Cost Allocation in Amazon S3 Bucket\n Tags.
\nWhen this operation sets the tags for a bucket, it will overwrite any current tags\n the bucket already has. You cannot use this operation to add tags to an existing list of\n tags.
\nTo use this operation, you must have permissions to perform the\n s3:PutBucketTagging
action. The bucket owner has this permission by default\n and can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing\n Access Permissions to Your Amazon S3 Resources.
\n PutBucketTagging
has the following special errors:
Error code: InvalidTagError
\n
Description: The tag provided was not a valid tag. This error can occur if\n the tag did not pass input validation. For information about tag restrictions,\n see User-Defined Tag Restrictions and Amazon Web Services-Generated Cost Allocation Tag Restrictions.
\nError code: MalformedXMLError
\n
Description: The XML provided does not match the schema.
\nError code: OperationAbortedError
\n
Description: A conflicting conditional action is currently in progress\n against this resource. Please try again.
\nError code: InternalError
\n
Description: The service was unable to apply the provided tag to the\n bucket.
\nThe following operations are related to PutBucketTagging
:
\n GetBucketTagging\n
\n\n DeleteBucketTagging\n
\nSets the versioning state of an existing bucket.
\nYou can set the versioning state with one of the following values:
\n\n Enabled—Enables versioning for the objects in the\n bucket. All objects added to the bucket receive a unique version ID.
\n\n Suspended—Disables versioning for the objects in the\n bucket. All objects added to the bucket receive the version ID null.
\nIf the versioning state has never been set on a bucket, it has no versioning state; a\n GetBucketVersioning request does not return a versioning state value.
\nIn order to enable MFA Delete, you must be the bucket owner. If you are the bucket owner\n and want to enable MFA Delete in the bucket versioning configuration, you must include the\n x-amz-mfa request
header and the Status
and the\n MfaDelete
request elements in a request to set the versioning state of the\n bucket.
If you have an object expiration lifecycle configuration in your non-versioned bucket and\n you want to maintain the same permanent delete behavior when you enable versioning, you\n must add a noncurrent expiration policy. The noncurrent expiration lifecycle configuration will\n manage the deletes of the noncurrent object versions in the version-enabled bucket. (A\n version-enabled bucket maintains one current and zero or more noncurrent object\n versions.) For more information, see Lifecycle and Versioning.
\nThe following operations are related to PutBucketVersioning
:
\n CreateBucket\n
\n\n DeleteBucket\n
\n\n GetBucketVersioning\n
\nSets the configuration of the website that is specified in the website
\n subresource. To configure a bucket as a website, you can add this subresource on the bucket\n with website configuration information such as the file name of the index document and any\n redirect rules. For more information, see Hosting Websites on Amazon S3.
This PUT action requires the S3:PutBucketWebsite
permission. By default,\n only the bucket owner can configure the website attached to a bucket; however, bucket\n owners can allow other users to set the website configuration by writing a bucket policy\n that grants them the S3:PutBucketWebsite
permission.
To redirect all website requests sent to the bucket's website endpoint, you add a\n website configuration with the following elements. Because all requests are sent to another\n website, you don't need to provide index document name for the bucket.
\n\n WebsiteConfiguration
\n
\n RedirectAllRequestsTo
\n
\n HostName
\n
\n Protocol
\n
If you want granular control over redirects, you can use the following elements to add\n routing rules that describe conditions for redirecting requests and information about the\n redirect destination. In this case, the website configuration must provide an index\n document for the bucket, because some requests might not be redirected.
\n\n WebsiteConfiguration
\n
\n IndexDocument
\n
\n Suffix
\n
\n ErrorDocument
\n
\n Key
\n
\n RoutingRules
\n
\n RoutingRule
\n
\n Condition
\n
\n HttpErrorCodeReturnedEquals
\n
\n KeyPrefixEquals
\n
\n Redirect
\n
\n Protocol
\n
\n HostName
\n
\n ReplaceKeyPrefixWith
\n
\n ReplaceKeyWith
\n
\n HttpRedirectCode
\n
Amazon S3 has a limitation of 50 routing rules per website configuration. If you require more\n than 50 routing rules, you can use object redirect. For more information, see Configuring an\n Object Redirect in the Amazon S3 User Guide.
", - "smithy.api#examples": [ - { - "title": "Set website configuration on a bucket", - "documentation": "The following example adds website configuration to a bucket.", - "input": { - "Bucket": "examplebucket", - "ContentMD5": "", - "WebsiteConfiguration": { - "IndexDocument": { - "Suffix": "index.html" - }, - "ErrorDocument": { - "Key": "error.html" - } - } - } - } - ], "smithy.api#http": { "method": "PUT", "uri": "/{Bucket}?website", @@ -33121,22 +27508,6 @@ "requestAlgorithmMember": "ChecksumAlgorithm" }, "smithy.api#documentation": "Adds an object to a bucket. You must have WRITE permissions on a bucket to add an object\n to it.
\nAmazon S3 never adds partial objects; if you receive a success response, Amazon S3 added the\n entire object to the bucket. You cannot use PutObject
to only update a\n single piece of metadata for an existing object. You must put the entire object with\n updated metadata if you want to update some values.
Amazon S3 is a distributed system. If it receives multiple write requests for the same object\n simultaneously, it overwrites all but the last object written. To prevent objects from\n being deleted or overwritten, you can use Amazon S3 Object\n Lock.
\nTo ensure that data is not corrupted traversing the network, use the\n Content-MD5
header. When you use this header, Amazon S3 checks the object\n against the provided MD5 value and, if they do not match, returns an error. Additionally,\n you can calculate the MD5 while putting an object to Amazon S3 and compare the returned ETag to\n the calculated MD5 value.
To successfully complete the PutObject
request, you must have the\n s3:PutObject
in your IAM permissions.
To successfully change the objects acl of your PutObject
request,\n you must have the s3:PutObjectAcl
in your IAM permissions.
To successfully set the tag-set with your PutObject
request, you\n must have the s3:PutObjectTagging
in your IAM permissions.
The Content-MD5
header is required for any request to upload an\n object with a retention period configured using Amazon S3 Object Lock. For more\n information about Amazon S3 Object Lock, see Amazon S3 Object Lock\n Overview in the Amazon S3 User Guide.
You have four mutually exclusive options to protect data using server-side encryption in\n Amazon S3, depending on how you choose to manage the encryption keys. Specifically, the\n encryption key options are Amazon S3 managed keys (SSE-S3), Amazon Web Services KMS keys (SSE-KMS or\n DSSE-KMS), and customer-provided keys (SSE-C). Amazon S3 encrypts data with server-side\n encryption by using Amazon S3 managed keys (SSE-S3) by default. You can optionally tell Amazon S3 to\n encrypt data at rest by using server-side encryption with other key options. For more\n information, see Using Server-Side\n Encryption.
\nWhen adding a new object, you can use headers to grant ACL-based permissions to\n individual Amazon Web Services accounts or to predefined groups defined by Amazon S3. These permissions are\n then added to the ACL on the object. By default, all objects are private. Only the owner\n has full access control. For more information, see Access Control List (ACL) Overview\n and Managing\n ACLs Using the REST API.
\nIf the bucket that you're uploading objects to uses the bucket owner enforced setting\n for S3 Object Ownership, ACLs are disabled and no longer affect permissions. Buckets that\n use this setting only accept PUT requests that don't specify an ACL or PUT requests that\n specify bucket owner full control ACLs, such as the bucket-owner-full-control
\n canned ACL or an equivalent form of this ACL expressed in the XML format. PUT requests that\n contain other ACLs (for example, custom grants to certain Amazon Web Services accounts) fail and return a\n 400
error with the error code AccessControlListNotSupported
.\n For more information, see Controlling ownership of\n objects and disabling ACLs in the Amazon S3 User Guide.
If your bucket uses the bucket owner enforced setting for Object Ownership, all\n objects written to the bucket by any account will be owned by the bucket owner.
\nBy default, Amazon S3 uses the STANDARD Storage Class to store newly created objects. The\n STANDARD storage class provides high durability and high availability. Depending on\n performance needs, you can specify a different Storage Class. Amazon S3 on Outposts only uses\n the OUTPOSTS Storage Class. For more information, see Storage Classes in the\n Amazon S3 User Guide.
\nIf you enable versioning for a bucket, Amazon S3 automatically generates a unique version ID\n for the object being stored. Amazon S3 returns this ID in the response. When you enable\n versioning for a bucket, if Amazon S3 receives multiple write requests for the same object\n simultaneously, it stores all of the objects. For more information about versioning, see\n Adding Objects to\n Versioning-Enabled Buckets. For information about returning the versioning state\n of a bucket, see GetBucketVersioning.
\nFor more information about related Amazon S3 APIs, see the following:
\n\n CopyObject\n
\n\n DeleteObject\n
\nUses the acl
subresource to set the access control list (ACL) permissions\n for a new or existing object in an S3 bucket. You must have WRITE_ACP
\n permission to set the ACL of an object. For more information, see What\n permissions can I grant? in the Amazon S3 User Guide.
This action is not supported by Amazon S3 on Outposts.
\nDepending on your application needs, you can choose to set the ACL on an object using\n either the request body or the headers. For example, if you have an existing application\n that updates a bucket ACL using the request body, you can continue to use that approach.\n For more information, see Access Control List (ACL) Overview\n in the Amazon S3 User Guide.
\nIf your bucket uses the bucket owner enforced setting for S3 Object Ownership, ACLs\n are disabled and no longer affect permissions. You must use policies to grant access to\n your bucket and the objects in it. Requests to set ACLs or update ACLs fail and return\n the AccessControlListNotSupported
error code. Requests to read ACLs are\n still supported. For more information, see Controlling object\n ownership in the Amazon S3 User Guide.
You can set access permissions using one of the following methods:
\nSpecify a canned ACL with the x-amz-acl
request header. Amazon S3 supports\n a set of predefined ACLs, known as canned ACLs. Each canned ACL has a predefined set\n of grantees and permissions. Specify the canned ACL name as the value of\n x-amz-ac
l. If you use this header, you cannot use other access\n control-specific headers in your request. For more information, see Canned\n ACL.
Specify access permissions explicitly with the x-amz-grant-read
,\n x-amz-grant-read-acp
, x-amz-grant-write-acp
, and\n x-amz-grant-full-control
headers. When using these headers, you\n specify explicit access permissions and grantees (Amazon Web Services accounts or Amazon S3 groups) who\n will receive the permission. If you use these ACL-specific headers, you cannot use\n x-amz-acl
header to set a canned ACL. These parameters map to the set\n of permissions that Amazon S3 supports in an ACL. For more information, see Access Control\n List (ACL) Overview.
You specify each grantee as a type=value pair, where the type is one of the\n following:
\n\n id
– if the value specified is the canonical user ID of an\n Amazon Web Services account
\n uri
– if you are granting permissions to a predefined\n group
\n emailAddress
– if the value specified is the email address of\n an Amazon Web Services account
Using email addresses to specify a grantee is only supported in the following Amazon Web Services Regions:
\nUS East (N. Virginia)
\nUS West (N. California)
\nUS West (Oregon)
\nAsia Pacific (Singapore)
\nAsia Pacific (Sydney)
\nAsia Pacific (Tokyo)
\nEurope (Ireland)
\nSouth America (São Paulo)
\nFor a list of all the Amazon S3 supported Regions and endpoints, see Regions and Endpoints in the Amazon Web Services General Reference.
\nFor example, the following x-amz-grant-read
header grants list\n objects permission to the two Amazon Web Services accounts identified by their email\n addresses.
\n x-amz-grant-read: emailAddress=\"xyz@amazon.com\",\n emailAddress=\"abc@amazon.com\"
\n
You can use either a canned ACL or specify access permissions explicitly. You cannot do\n both.
\nYou can specify the person (grantee) to whom you're assigning access rights (using\n request elements) in the following ways:
\nBy the person's ID:
\n\n
\n
DisplayName is optional and ignored in the request.
\nBy URI:
\n\n
\n
By Email address:
\n\n
\n
The grantee is resolved to the CanonicalUser and, in a response to a GET Object\n acl request, appears as the CanonicalUser.
\nUsing email addresses to specify a grantee is only supported in the following Amazon Web Services Regions:
\nUS East (N. Virginia)
\nUS West (N. California)
\nUS West (Oregon)
\nAsia Pacific (Singapore)
\nAsia Pacific (Sydney)
\nAsia Pacific (Tokyo)
\nEurope (Ireland)
\nSouth America (São Paulo)
\nFor a list of all the Amazon S3 supported Regions and endpoints, see Regions and Endpoints in the Amazon Web Services General Reference.
\nThe ACL of an object is set at the object version level. By default, PUT sets the ACL of\n the current version of an object. To set the ACL of a different version, use the\n versionId
subresource.
The following operations are related to PutObjectAcl
:
\n CopyObject\n
\n\n GetObject\n
\nKey for which the PUT action was initiated.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
Key for which the PUT action was initiated.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
The bucket name to which the PUT action was initiated.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The bucket name to which the PUT action was initiated.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
Sets the supplied tag-set to an object that already exists in a bucket.
\nA tag is a key-value pair. You can associate tags with an object by sending a PUT\n request against the tagging subresource that is associated with the object. You can\n retrieve tags by sending a GET request. For more information, see GetObjectTagging.
\nFor tagging-related restrictions related to characters and encodings, see Tag\n Restrictions. Note that Amazon S3 limits the maximum number of tags to 10 tags per\n object.
\nTo use this operation, you must have permission to perform the\n s3:PutObjectTagging
action. By default, the bucket owner has this\n permission and can grant this permission to others.
To put tags of any other version, use the versionId
query parameter. You\n also need permission for the s3:PutObjectVersionTagging
action.
For information about the Amazon S3 object tagging feature, see Object Tagging.
\n\n PutObjectTagging
has the following special errors:
\n Code: InvalidTagError \n
\n\n Cause: The tag provided was not a valid tag. This error can occur\n if the tag did not pass input validation. For more information, see Object\n Tagging.\n
\n\n Code: MalformedXMLError \n
\n\n Cause: The XML provided does not match the schema.\n
\n\n Code: OperationAbortedError \n
\n\n Cause: A conflicting conditional action is currently in progress\n against this resource. Please try again.\n
\n\n Code: InternalError\n
\n\n Cause: The service was unable to apply the provided tag to the\n object.\n
\nThe following operations are related to PutObjectTagging
:
\n GetObjectTagging\n
\n\n DeleteObjectTagging\n
\nThe bucket name containing the object.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The bucket name containing the object.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
Restores an archived copy of an object back into Amazon S3
\nThis action is not supported by Amazon S3 on Outposts.
\nThis action performs the following types of requests:
\n\n select
- Perform a select query on an archived object
\n restore an archive
- Restore an archived object
For more information about the S3
structure in the request body, see the\n following:
\n PutObject\n
\n\n Managing Access with ACLs in the\n Amazon S3 User Guide\n
\n\n Protecting Data Using\n Server-Side Encryption in the\n Amazon S3 User Guide\n
\nDefine the SQL expression for the SELECT
type of restoration for your\n query in the request body's SelectParameters
structure. You can use\n expressions like the following examples.
The following expression returns all records from the specified\n object.
\n\n SELECT * FROM Object
\n
Assuming that you are not using any headers for data stored in the object,\n you can specify columns with positional headers.
\n\n SELECT s._1, s._2 FROM Object s WHERE s._3 > 100
\n
If you have headers and you set the fileHeaderInfo
in the\n CSV
structure in the request body to USE
, you can\n specify headers in the query. (If you set the fileHeaderInfo
field\n to IGNORE
, the first row is skipped for the query.) You cannot mix\n ordinal positions with header column names.
\n SELECT s.Id, s.FirstName, s.SSN FROM S3Object s
\n
When making a select request, you can also do the following:
\nTo expedite your queries, specify the Expedited
tier. For more\n information about tiers, see \"Restoring Archives,\" later in this topic.
Specify details about the data serialization format of both the input object that\n is being queried and the serialization of the CSV-encoded query results.
\nThe following are additional important facts about the select feature:
\nThe output results are new Amazon S3 objects. Unlike archive retrievals, they are\n stored until explicitly deleted-manually or through a lifecycle configuration.
\nYou can issue more than one select request on the same Amazon S3 object. Amazon S3 doesn't\n duplicate requests, so avoid issuing duplicate requests.
\n Amazon S3 accepts a select request even if the object has already been restored. A\n select request doesn’t return error response 409
.
To use this operation, you must have permissions to perform the\n s3:RestoreObject
action. The bucket owner has this permission by default\n and can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing\n Access Permissions to Your Amazon S3 Resources in the\n Amazon S3 User Guide.
Objects that you archive to the S3 Glacier Flexible Retrieval Flexible Retrieval or\n S3 Glacier Deep Archive storage class, and S3 Intelligent-Tiering Archive or\n S3 Intelligent-Tiering Deep Archive tiers, are not accessible in real time. For objects in the\n S3 Glacier Flexible Retrieval Flexible Retrieval or S3 Glacier Deep Archive storage\n classes, you must first initiate a restore request, and then wait until a temporary copy of\n the object is available. If you want a permanent copy of the object, create a copy of it in\n the Amazon S3 Standard storage class in your S3 bucket. To access an archived object, you must\n restore the object for the duration (number of days) that you specify. For objects in the\n Archive Access or Deep Archive Access tiers of S3 Intelligent-Tiering, you must first\n initiate a restore request, and then wait until the object is moved into the Frequent\n Access tier.
\nTo restore a specific object version, you can provide a version ID. If you don't provide\n a version ID, Amazon S3 restores the current version.
\nWhen restoring an archived object, you can specify one of the following data access tier\n options in the Tier
element of the request body:
\n Expedited
- Expedited retrievals allow you to quickly access your\n data stored in the S3 Glacier Flexible Retrieval Flexible Retrieval storage class or\n S3 Intelligent-Tiering Archive tier when occasional urgent requests for restoring archives\n are required. For all but the largest archived objects (250 MB+), data accessed using\n Expedited retrievals is typically made available within 1–5 minutes. Provisioned\n capacity ensures that retrieval capacity for Expedited retrievals is available when\n you need it. Expedited retrievals and provisioned capacity are not available for\n objects stored in the S3 Glacier Deep Archive storage class or\n S3 Intelligent-Tiering Deep Archive tier.
\n Standard
- Standard retrievals allow you to access any of your\n archived objects within several hours. This is the default option for retrieval\n requests that do not specify the retrieval option. Standard retrievals typically\n finish within 3–5 hours for objects stored in the S3 Glacier Flexible Retrieval Flexible\n Retrieval storage class or S3 Intelligent-Tiering Archive tier. They typically finish within\n 12 hours for objects stored in the S3 Glacier Deep Archive storage class or\n S3 Intelligent-Tiering Deep Archive tier. Standard retrievals are free for objects stored in\n S3 Intelligent-Tiering.
\n Bulk
- Bulk retrievals free for objects stored in the S3 Glacier\n Flexible Retrieval and S3 Intelligent-Tiering storage classes, enabling you to\n retrieve large amounts, even petabytes, of data at no cost. Bulk retrievals typically\n finish within 5–12 hours for objects stored in the S3 Glacier Flexible Retrieval\n Flexible Retrieval storage class or S3 Intelligent-Tiering Archive tier. Bulk retrievals are\n also the lowest-cost retrieval option when restoring objects from\n S3 Glacier Deep Archive. They typically finish within 48 hours for objects\n stored in the S3 Glacier Deep Archive storage class or S3 Intelligent-Tiering Deep Archive\n tier.
For more information about archive retrieval options and provisioned capacity for\n Expedited
data access, see Restoring Archived Objects in\n the Amazon S3 User Guide.
You can use Amazon S3 restore speed upgrade to change the restore speed to a faster speed\n while it is in progress. For more information, see Upgrading the speed of an in-progress restore in the\n Amazon S3 User Guide.
\nTo get the status of object restoration, you can send a HEAD
request.\n Operations return the x-amz-restore
header, which provides information about\n the restoration status, in the response. You can use Amazon S3 event notifications to notify you\n when a restore is initiated or completed. For more information, see Configuring Amazon S3\n Event Notifications in the Amazon S3 User Guide.
After restoring an archived object, you can update the restoration period by reissuing\n the request with a new period. Amazon S3 updates the restoration period relative to the current\n time and charges only for the request-there are no data transfer charges. You cannot\n update the restoration period when Amazon S3 is actively processing your current restore request\n for the object.
\nIf your bucket has a lifecycle configuration with a rule that includes an expiration\n action, the object expiration overrides the life span that you specify in a restore\n request. For example, if you restore an object copy for 10 days, but the object is\n scheduled to expire in 3 days, Amazon S3 deletes the object in 3 days. For more information\n about lifecycle configuration, see PutBucketLifecycleConfiguration and Object Lifecycle Management\n in Amazon S3 User Guide.
\nA successful action returns either the 200 OK
or 202 Accepted
\n status code.
If the object is not previously restored, then Amazon S3 returns 202\n Accepted
in the response.
If the object is previously restored, Amazon S3 returns 200 OK
in the\n response.
Special errors:
\n\n Code: RestoreAlreadyInProgress\n
\n\n Cause: Object restore is already in progress. (This error does not\n apply to SELECT type requests.)\n
\n\n HTTP Status Code: 409 Conflict\n
\n\n SOAP Fault Code Prefix: Client\n
\n\n Code: GlacierExpeditedRetrievalNotAvailable\n
\n\n Cause: expedited retrievals are currently not available. Try again\n later. (Returned if there is insufficient capacity to process the Expedited\n request. This error applies only to Expedited retrievals and not to\n S3 Standard or Bulk retrievals.)\n
\n\n HTTP Status Code: 503\n
\n\n SOAP Fault Code Prefix: N/A\n
\nThe following operations are related to RestoreObject
:
The bucket name containing the object to restore.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The bucket name containing the object to restore.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
Specifies whether the object is currently being restored. If the object restoration is\n in progress, the header returns the value TRUE
. For example:
\n x-amz-optional-object-attributes: IsRestoreInProgress=\"true\"
\n
If the object restoration has completed, the header returns the value FALSE
. For example:
\n x-amz-optional-object-attributes: IsRestoreInProgress=\"false\", RestoreExpiryDate=\"2012-12-21T00:00:00.000Z\"
\n
If the object hasn't been restored, there is no header response.
" + } + }, + "RestoreExpiryDate": { + "target": "com.amazonaws.s3#RestoreExpiryDate", + "traits": { + "smithy.api#documentation": "Indicates when the restored copy will expire. This value is populated only if the object\n has already been restored. For example:
\n\n x-amz-optional-object-attributes: IsRestoreInProgress=\"false\", RestoreExpiryDate=\"2012-12-21T00:00:00.000Z\"
\n
Specifies the restoration status of an object. Objects in certain storage classes must be restored\n before they can be retrieved. For more information about these storage classes and how to work with\n archived objects, see \n Working with archived objects in the Amazon S3 User Guide.
" + } + }, "com.amazonaws.s3#Role": { "type": "string" }, @@ -36031,7 +30370,7 @@ "Bucket": { "target": "com.amazonaws.s3#BucketName", "traits": { - "smithy.api#documentation": "The bucket name.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The bucket name.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
The name of the bucket to which the multipart upload was initiated.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.
The name of the bucket to which the multipart upload was initiated.
\nWhen using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
\nWhen you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form \n AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts? in the Amazon S3 User Guide.
Returns a set of temporary security credentials that you can use to access Amazon Web Services\n resources. These temporary credentials consist of an access key ID, a secret access key,\n and a security token. Typically, you use AssumeRole
within your account or for\n cross-account access. For a comparison of AssumeRole
with other API operations\n that produce temporary credentials, see Requesting Temporary Security\n Credentials and Comparing the\n Amazon Web Services STS API operations in the IAM User Guide.
\n Permissions\n
\nThe temporary security credentials created by AssumeRole
can be used to\n make API calls to any Amazon Web Services service with the following exception: You cannot call the\n Amazon Web Services STS GetFederationToken
or GetSessionToken
API\n operations.
(Optional) You can pass inline or managed session policies to\n this operation. You can pass a single JSON policy document to use as an inline session\n policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as\n managed session policies. The plaintext that you use for both inline and managed session\n policies can't exceed 2,048 characters. Passing policies to this operation returns new \n temporary credentials. The resulting session's permissions are the intersection of the \n role's identity-based policy and the session policies. You can use the role's temporary \n credentials in subsequent Amazon Web Services API calls to access resources in the account that owns \n the role. You cannot use session policies to grant more permissions than those allowed \n by the identity-based policy of the role that is being assumed. For more information, see\n Session\n Policies in the IAM User Guide.
\nWhen you create a role, you create two policies: a role trust policy that specifies\n who can assume the role, and a permissions policy that specifies\n what can be done with the role. You specify the trusted principal\n that is allowed to assume the role in the role trust policy.
\nTo assume a role from a different account, your Amazon Web Services account must be trusted by the\n role. The trust relationship is defined in the role's trust policy when the role is\n created. That trust policy states which accounts are allowed to delegate that access to\n users in the account.
\nA user who wants to access a role in a different account must also have permissions that\n are delegated from the account administrator. The administrator must attach a policy\n that allows the user to call AssumeRole
for the ARN of the role in the other\n account.
To allow a user to assume a role in the same account, you can do either of the\n following:
\nAttach a policy to the user that allows the user to call AssumeRole
\n (as long as the role's trust policy trusts the account).
Add the user as a principal directly in the role's trust policy.
\nYou can do either because the role’s trust policy acts as an IAM resource-based\n policy. When a resource-based policy grants access to a principal in the same account, no\n additional identity-based policy is required. For more information about trust policies and\n resource-based policies, see IAM Policies in the\n IAM User Guide.
\n\n Tags\n
\n(Optional) You can pass tag key-value pairs to your session. These tags are called\n session tags. For more information about session tags, see Passing Session Tags in STS in the\n IAM User Guide.
\nAn administrator must grant you the permissions necessary to pass session tags. The\n administrator can also create granular permissions to allow you to pass only specific\n session tags. For more information, see Tutorial: Using Tags\n for Attribute-Based Access Control in the\n IAM User Guide.
\nYou can set the session tags as transitive. Transitive tags persist during role\n chaining. For more information, see Chaining Roles\n with Session Tags in the IAM User Guide.
\n\n Using MFA with AssumeRole\n
\n(Optional) You can include multi-factor authentication (MFA) information when you call\n AssumeRole
. This is useful for cross-account scenarios to ensure that the\n user that assumes the role has been authenticated with an Amazon Web Services MFA device. In that\n scenario, the trust policy of the role being assumed includes a condition that tests for\n MFA authentication. If the caller does not include valid MFA information, the request to\n assume the role is denied. The condition in a trust policy that tests for MFA\n authentication might look like the following example.
\n \"Condition\": {\"Bool\": {\"aws:MultiFactorAuthPresent\": true}}
\n
For more information, see Configuring MFA-Protected API Access\n in the IAM User Guide guide.
\nTo use MFA with AssumeRole
, you pass values for the\n SerialNumber
and TokenCode
parameters. The\n SerialNumber
value identifies the user's hardware or virtual MFA device.\n The TokenCode
is the time-based one-time password (TOTP) that the MFA device\n produces.
Returns a set of temporary security credentials that you can use to access Amazon Web Services\n resources. These temporary credentials consist of an access key ID, a secret access key,\n and a security token. Typically, you use AssumeRole
within your account or for\n cross-account access. For a comparison of AssumeRole
with other API operations\n that produce temporary credentials, see Requesting Temporary Security\n Credentials and Comparing the\n Amazon Web Services STS API operations in the IAM User Guide.
\n Permissions\n
\nThe temporary security credentials created by AssumeRole
can be used to\n make API calls to any Amazon Web Services service with the following exception: You cannot call the\n Amazon Web Services STS GetFederationToken
or GetSessionToken
API\n operations.
(Optional) You can pass inline or managed session policies to\n this operation. You can pass a single JSON policy document to use as an inline session\n policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as\n managed session policies. The plaintext that you use for both inline and managed session\n policies can't exceed 2,048 characters. Passing policies to this operation returns new \n temporary credentials. The resulting session's permissions are the intersection of the \n role's identity-based policy and the session policies. You can use the role's temporary \n credentials in subsequent Amazon Web Services API calls to access resources in the account that owns \n the role. You cannot use session policies to grant more permissions than those allowed \n by the identity-based policy of the role that is being assumed. For more information, see\n Session\n Policies in the IAM User Guide.
\nWhen you create a role, you create two policies: a role trust policy that specifies\n who can assume the role, and a permissions policy that specifies\n what can be done with the role. You specify the trusted principal\n that is allowed to assume the role in the role trust policy.
\nTo assume a role from a different account, your Amazon Web Services account must be trusted by the\n role. The trust relationship is defined in the role's trust policy when the role is\n created. That trust policy states which accounts are allowed to delegate that access to\n users in the account.
\nA user who wants to access a role in a different account must also have permissions that\n are delegated from the account administrator. The administrator must attach a policy that\n allows the user to call AssumeRole
for the ARN of the role in the other\n account.
To allow a user to assume a role in the same account, you can do either of the\n following:
\nAttach a policy to the user that allows the user to call AssumeRole
\n (as long as the role's trust policy trusts the account).
Add the user as a principal directly in the role's trust policy.
\nYou can do either because the role’s trust policy acts as an IAM resource-based\n policy. When a resource-based policy grants access to a principal in the same account, no\n additional identity-based policy is required. For more information about trust policies and\n resource-based policies, see IAM Policies in the\n IAM User Guide.
\n\n Tags\n
\n(Optional) You can pass tag key-value pairs to your session. These tags are called\n session tags. For more information about session tags, see Passing Session Tags in STS in the\n IAM User Guide.
\nAn administrator must grant you the permissions necessary to pass session tags. The\n administrator can also create granular permissions to allow you to pass only specific\n session tags. For more information, see Tutorial: Using Tags\n for Attribute-Based Access Control in the\n IAM User Guide.
\nYou can set the session tags as transitive. Transitive tags persist during role\n chaining. For more information, see Chaining Roles\n with Session Tags in the IAM User Guide.
\n\n Using MFA with AssumeRole\n
\n(Optional) You can include multi-factor authentication (MFA) information when you call\n AssumeRole
. This is useful for cross-account scenarios to ensure that the\n user that assumes the role has been authenticated with an Amazon Web Services MFA device. In that\n scenario, the trust policy of the role being assumed includes a condition that tests for\n MFA authentication. If the caller does not include valid MFA information, the request to\n assume the role is denied. The condition in a trust policy that tests for MFA\n authentication might look like the following example.
\n \"Condition\": {\"Bool\": {\"aws:MultiFactorAuthPresent\": true}}
\n
For more information, see Configuring MFA-Protected API Access\n in the IAM User Guide guide.
\nTo use MFA with AssumeRole
, you pass values for the\n SerialNumber
and TokenCode
parameters. The\n SerialNumber
value identifies the user's hardware or virtual MFA device.\n The TokenCode
is the time-based one-time password (TOTP) that the MFA device\n produces.
The source identity specified by the principal that is calling the\n AssumeRole
operation.
You can require users to specify a source identity when they assume a role. You do this\n by using the sts:SourceIdentity
condition key in a role trust policy. You can\n use source identity information in CloudTrail logs to determine who took actions with a role.\n You can use the aws:SourceIdentity
condition key to further control access to\n Amazon Web Services resources based on the value of source identity. For more information about using\n source identity, see Monitor and control\n actions taken with assumed roles in the\n IAM User Guide.
The regex used to validate this parameter is a string of characters consisting of upper-\n and lower-case alphanumeric characters with no spaces. You can also include underscores or\n any of the following characters: =,.@-. You cannot use a value that begins with the text\n aws:
. This prefix is reserved for Amazon Web Services internal use.
Reserved for future use.
" + } } }, "traits": { @@ -2591,7 +2597,7 @@ } ], "traits": { - "smithy.api#documentation": "Returns a set of temporary security credentials for users who have been authenticated in\n a mobile or web application with a web identity provider. Example providers include the\n OAuth 2.0 providers Login with Amazon and Facebook, or any OpenID Connect-compatible\n identity provider such as Google or Amazon Cognito federated identities.
\nFor mobile applications, we recommend that you use Amazon Cognito. You can use Amazon Cognito with the\n Amazon Web Services SDK for iOS Developer Guide and the Amazon Web Services SDK for Android Developer Guide to uniquely\n identify a user. You can also supply the user with a consistent identity throughout the\n lifetime of an application.
\nTo learn more about Amazon Cognito, see Amazon Cognito identity pools in\n Amazon Cognito Developer Guide.
\nCalling AssumeRoleWithWebIdentity
does not require the use of Amazon Web Services\n security credentials. Therefore, you can distribute an application (for example, on mobile\n devices) that requests temporary security credentials without including long-term Amazon Web Services\n credentials in the application. You also don't need to deploy server-based proxy services\n that use long-term Amazon Web Services credentials. Instead, the identity of the caller is validated by\n using a token from the web identity provider. For a comparison of\n AssumeRoleWithWebIdentity
with the other API operations that produce\n temporary credentials, see Requesting Temporary Security\n Credentials and Comparing the\n Amazon Web Services STS API operations in the IAM User Guide.
The temporary security credentials returned by this API consist of an access key ID, a\n secret access key, and a security token. Applications can use these temporary security\n credentials to sign calls to Amazon Web Services service API operations.
\n\n Session Duration\n
\nBy default, the temporary security credentials created by\n AssumeRoleWithWebIdentity
last for one hour. However, you can use the\n optional DurationSeconds
parameter to specify the duration of your session.\n You can provide a value from 900 seconds (15 minutes) up to the maximum session duration\n setting for the role. This setting can have a value from 1 hour to 12 hours. To learn how\n to view the maximum value for your role, see View the\n Maximum Session Duration Setting for a Role in the\n IAM User Guide. The maximum session duration limit applies when\n you use the AssumeRole*
API operations or the assume-role*
CLI\n commands. However the limit does not apply when you use those operations to create a\n console URL. For more information, see Using IAM Roles in the\n IAM User Guide.
\n Permissions\n
\nThe temporary security credentials created by AssumeRoleWithWebIdentity
can\n be used to make API calls to any Amazon Web Services service with the following exception: you cannot\n call the STS GetFederationToken
or GetSessionToken
API\n operations.
(Optional) You can pass inline or managed session policies to\n this operation. You can pass a single JSON policy document to use as an inline session\n policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as\n managed session policies. The plaintext that you use for both inline and managed session\n policies can't exceed 2,048 characters. Passing policies to this operation returns new \n temporary credentials. The resulting session's permissions are the intersection of the \n role's identity-based policy and the session policies. You can use the role's temporary \n credentials in subsequent Amazon Web Services API calls to access resources in the account that owns \n the role. You cannot use session policies to grant more permissions than those allowed \n by the identity-based policy of the role that is being assumed. For more information, see\n Session\n Policies in the IAM User Guide.
\n\n Tags\n
\n(Optional) You can configure your IdP to pass attributes into your web identity token as\n session tags. Each session tag consists of a key name and an associated value. For more\n information about session tags, see Passing Session Tags in STS in the\n IAM User Guide.
\nYou can pass up to 50 session tags. The plaintext session tag keys can’t exceed 128\n characters and the values can’t exceed 256 characters. For these and additional limits, see\n IAM\n and STS Character Limits in the IAM User Guide.
\nAn Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs,\n and session tags into a packed binary format that has a separate limit. Your request can\n fail for this limit even if your plaintext meets the other requirements. The\n PackedPolicySize
response element indicates by percentage how close the\n policies and tags for your request are to the upper size limit.
You can pass a session tag with the same key as a tag that is attached to the role. When\n you do, the session tag overrides the role tag with the same key.
\nAn administrator must grant you the permissions necessary to pass session tags. The\n administrator can also create granular permissions to allow you to pass only specific\n session tags. For more information, see Tutorial: Using Tags\n for Attribute-Based Access Control in the\n IAM User Guide.
\nYou can set the session tags as transitive. Transitive tags persist during role\n chaining. For more information, see Chaining Roles\n with Session Tags in the IAM User Guide.
\n\n Identities\n
\nBefore your application can call AssumeRoleWithWebIdentity
, you must have\n an identity token from a supported identity provider and create a role that the application\n can assume. The role that your application assumes must trust the identity provider that is\n associated with the identity token. In other words, the identity provider must be specified\n in the role's trust policy.
Calling AssumeRoleWithWebIdentity
can result in an entry in your\n CloudTrail logs. The entry includes the Subject of\n the provided web identity token. We recommend that you avoid using any personally\n identifiable information (PII) in this field. For example, you could instead use a GUID\n or a pairwise identifier, as suggested\n in the OIDC specification.
For more information about how to use web identity federation and the\n AssumeRoleWithWebIdentity
API, see the following resources:
\n Using Web Identity Federation API Operations for Mobile Apps and Federation Through a Web-based Identity Provider.
\n\n Web Identity Federation Playground. Walk through the process of\n authenticating through Login with Amazon, Facebook, or Google, getting temporary\n security credentials, and then using those credentials to make a request to Amazon Web Services.\n
\n\n Amazon Web Services SDK for iOS Developer Guide and Amazon Web Services SDK for Android Developer Guide. These toolkits\n contain sample apps that show how to invoke the identity providers. The toolkits then\n show how to use the information from these providers to get and use temporary\n security credentials.
\n\n Web Identity\n Federation with Mobile Applications. This article discusses web identity\n federation and shows an example of how to use web identity federation to get access\n to content in Amazon S3.
\nReturns a set of temporary security credentials for users who have been authenticated in\n a mobile or web application with a web identity provider. Example providers include the\n OAuth 2.0 providers Login with Amazon and Facebook, or any OpenID Connect-compatible\n identity provider such as Google or Amazon Cognito federated identities.
\nFor mobile applications, we recommend that you use Amazon Cognito. You can use Amazon Cognito with the\n Amazon Web Services SDK for iOS Developer Guide and the Amazon Web Services SDK for Android Developer Guide to uniquely\n identify a user. You can also supply the user with a consistent identity throughout the\n lifetime of an application.
\nTo learn more about Amazon Cognito, see Amazon Cognito identity\n pools in Amazon Cognito Developer Guide.
\nCalling AssumeRoleWithWebIdentity
does not require the use of Amazon Web Services\n security credentials. Therefore, you can distribute an application (for example, on mobile\n devices) that requests temporary security credentials without including long-term Amazon Web Services\n credentials in the application. You also don't need to deploy server-based proxy services\n that use long-term Amazon Web Services credentials. Instead, the identity of the caller is validated by\n using a token from the web identity provider. For a comparison of\n AssumeRoleWithWebIdentity
with the other API operations that produce\n temporary credentials, see Requesting Temporary Security\n Credentials and Comparing the\n Amazon Web Services STS API operations in the IAM User Guide.
The temporary security credentials returned by this API consist of an access key ID, a\n secret access key, and a security token. Applications can use these temporary security\n credentials to sign calls to Amazon Web Services service API operations.
\n\n Session Duration\n
\nBy default, the temporary security credentials created by\n AssumeRoleWithWebIdentity
last for one hour. However, you can use the\n optional DurationSeconds
parameter to specify the duration of your session.\n You can provide a value from 900 seconds (15 minutes) up to the maximum session duration\n setting for the role. This setting can have a value from 1 hour to 12 hours. To learn how\n to view the maximum value for your role, see View the\n Maximum Session Duration Setting for a Role in the\n IAM User Guide. The maximum session duration limit applies when\n you use the AssumeRole*
API operations or the assume-role*
CLI\n commands. However the limit does not apply when you use those operations to create a\n console URL. For more information, see Using IAM Roles in the\n IAM User Guide.
\n Permissions\n
\nThe temporary security credentials created by AssumeRoleWithWebIdentity
can\n be used to make API calls to any Amazon Web Services service with the following exception: you cannot\n call the STS GetFederationToken
or GetSessionToken
API\n operations.
(Optional) You can pass inline or managed session policies to\n this operation. You can pass a single JSON policy document to use as an inline session\n policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as\n managed session policies. The plaintext that you use for both inline and managed session\n policies can't exceed 2,048 characters. Passing policies to this operation returns new \n temporary credentials. The resulting session's permissions are the intersection of the \n role's identity-based policy and the session policies. You can use the role's temporary \n credentials in subsequent Amazon Web Services API calls to access resources in the account that owns \n the role. You cannot use session policies to grant more permissions than those allowed \n by the identity-based policy of the role that is being assumed. For more information, see\n Session\n Policies in the IAM User Guide.
\n\n Tags\n
\n(Optional) You can configure your IdP to pass attributes into your web identity token as\n session tags. Each session tag consists of a key name and an associated value. For more\n information about session tags, see Passing Session Tags in STS in the\n IAM User Guide.
\nYou can pass up to 50 session tags. The plaintext session tag keys can’t exceed 128\n characters and the values can’t exceed 256 characters. For these and additional limits, see\n IAM\n and STS Character Limits in the IAM User Guide.
\nAn Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs,\n and session tags into a packed binary format that has a separate limit. Your request can\n fail for this limit even if your plaintext meets the other requirements. The\n PackedPolicySize
response element indicates by percentage how close the\n policies and tags for your request are to the upper size limit.
You can pass a session tag with the same key as a tag that is attached to the role. When\n you do, the session tag overrides the role tag with the same key.
\nAn administrator must grant you the permissions necessary to pass session tags. The\n administrator can also create granular permissions to allow you to pass only specific\n session tags. For more information, see Tutorial: Using Tags\n for Attribute-Based Access Control in the\n IAM User Guide.
\nYou can set the session tags as transitive. Transitive tags persist during role\n chaining. For more information, see Chaining Roles\n with Session Tags in the IAM User Guide.
\n\n Identities\n
\nBefore your application can call AssumeRoleWithWebIdentity
, you must have\n an identity token from a supported identity provider and create a role that the application\n can assume. The role that your application assumes must trust the identity provider that is\n associated with the identity token. In other words, the identity provider must be specified\n in the role's trust policy.
Calling AssumeRoleWithWebIdentity
can result in an entry in your\n CloudTrail logs. The entry includes the Subject of\n the provided web identity token. We recommend that you avoid using any personally\n identifiable information (PII) in this field. For example, you could instead use a GUID\n or a pairwise identifier, as suggested\n in the OIDC specification.
For more information about how to use web identity federation and the\n AssumeRoleWithWebIdentity
API, see the following resources:
\n Using Web Identity Federation API Operations for Mobile Apps and Federation Through a Web-based Identity Provider.
\n\n Web Identity Federation Playground. Walk through the process of\n authenticating through Login with Amazon, Facebook, or Google, getting temporary\n security credentials, and then using those credentials to make a request to Amazon Web Services.\n
\n\n Amazon Web Services SDK for iOS Developer Guide and Amazon Web Services SDK for Android Developer Guide. These toolkits\n contain sample apps that show how to invoke the identity providers. The toolkits then\n show how to use the information from these providers to get and use temporary\n security credentials.
\n\n Web Identity\n Federation with Mobile Applications. This article discusses web identity\n federation and shows an example of how to use web identity federation to get access\n to content in Amazon S3.
\nThe OAuth 2.0 access token or OpenID Connect ID token that is provided by the identity\n provider. Your application must get this token by authenticating the user who is using your\n application with a web identity provider before the application makes an\n AssumeRoleWithWebIdentity
call.
The OAuth 2.0 access token or OpenID Connect ID token that is provided by the identity\n provider. Your application must get this token by authenticating the user who is using your\n application with a web identity provider before the application makes an\n AssumeRoleWithWebIdentity
call. Only tokens with RSA algorithms (RS256) are\n supported.
Returns the account identifier for the specified access key ID.
\nAccess keys consist of two parts: an access key ID (for example,\n AKIAIOSFODNN7EXAMPLE
) and a secret access key (for example,\n wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
). For more information about\n access keys, see Managing Access Keys for IAM\n Users in the IAM User Guide.
When you pass an access key ID to this operation, it returns the ID of the Amazon Web Services account\n to which the keys belong. Access key IDs beginning with AKIA
are long-term\n credentials for an IAM user or the Amazon Web Services account root user. Access key IDs beginning with\n ASIA
are temporary credentials that are created using STS operations. If\n the account in the response belongs to you, you can sign in as the root user and review\n your root user access keys. Then, you can pull a credentials report to\n learn which IAM user owns the keys. To learn who requested the temporary credentials for\n an ASIA
access key, view the STS events in your CloudTrail logs in the\n IAM User Guide.
This operation does not indicate the state of the access key. The key might be active,\n inactive, or deleted. Active keys might not have permissions to perform an operation.\n Providing a deleted access key might return an error that the key doesn't exist.
" + "smithy.api#documentation": "Returns the account identifier for the specified access key ID.
\nAccess keys consist of two parts: an access key ID (for example,\n AKIAIOSFODNN7EXAMPLE
) and a secret access key (for example,\n wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
). For more information about\n access keys, see Managing Access Keys for IAM\n Users in the IAM User Guide.
When you pass an access key ID to this operation, it returns the ID of the Amazon Web Services account\n to which the keys belong. Access key IDs beginning with AKIA
are long-term\n credentials for an IAM user or the Amazon Web Services account root user. Access key IDs\n beginning with ASIA
are temporary credentials that are created using STS\n operations. If the account in the response belongs to you, you can sign in as the root user and review your root user access keys. Then, you can pull a credentials\n report to learn which IAM user owns the keys. To learn who\n requested the temporary credentials for an ASIA
access key, view the STS\n events in your CloudTrail logs in the IAM User Guide.
This operation does not indicate the state of the access key. The key might be active,\n inactive, or deleted. Active keys might not have permissions to perform an operation.\n Providing a deleted access key might return an error that the key doesn't exist.
" } }, "com.amazonaws.sts#GetAccessKeyInfoRequest": { @@ -2895,7 +2901,7 @@ "target": "com.amazonaws.sts#GetCallerIdentityResponse" }, "traits": { - "smithy.api#documentation": "Returns details about the IAM user or role whose credentials are used to call the operation.
\nNo permissions are required to perform this operation. If an administrator\n attaches a policy to your identity that explicitly denies access to the\n sts:GetCallerIdentity
action, you can still perform this operation.\n Permissions are not required because the same information is returned when access is denied. To view an example response, see I Am Not Authorized to Perform: iam:DeleteVirtualMFADevice in the\n IAM User Guide.
Returns details about the IAM user or role whose credentials are used to\n call the operation.
\nNo permissions are required to perform this operation. If an administrator attaches a\n policy to your identity that explicitly denies access to the\n sts:GetCallerIdentity
action, you can still perform this operation.\n Permissions are not required because the same information is returned when access is\n denied. To view an example response, see I Am Not Authorized to Perform: iam:DeleteVirtualMFADevice in the\n IAM User Guide.
Returns a set of temporary security credentials (consisting of an access key ID, a\n secret access key, and a security token) for a user. A typical use is in a proxy\n application that gets temporary security credentials on behalf of distributed applications\n inside a corporate network.
\nYou must call the GetFederationToken
operation\n using the long-term security credentials of an IAM user. As a result, this call is\n appropriate in contexts where those credentials can be safeguarded, usually in a\n server-based application. For a comparison of GetFederationToken
with the\n other API operations that produce temporary credentials, see Requesting Temporary Security\n Credentials and Comparing the\n Amazon Web Services STS API operations in the IAM User Guide.
Although it is possible to call GetFederationToken
using the security credentials of an\n Amazon Web Services account root user rather than an IAM user that you create for the purpose of a proxy application, we do not recommend it. For more information, see Safeguard your root user credentials and don't use them for everyday tasks in the\n IAM User Guide.
You can create a mobile-based or browser-based app that can authenticate users using\n a web identity provider like Login with Amazon, Facebook, Google, or an OpenID\n Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or\n AssumeRoleWithWebIdentity
. For more information, see Federation Through a Web-based Identity Provider in the\n IAM User Guide.
\n Session duration\n
\nThe temporary credentials are valid for the specified duration, from 900 seconds (15\n minutes) up to a maximum of 129,600 seconds (36 hours). The default session duration is\n 43,200 seconds (12 hours). Temporary credentials obtained by using the root user credentials have a maximum duration of 3,600 seconds (1 hour).
\n\n Permissions\n
\nYou can use the temporary credentials created by GetFederationToken
in any\n Amazon Web Services service with the following exceptions:
You cannot call any IAM operations using the CLI or the Amazon Web Services API. This limitation does not apply to console sessions.
\nYou cannot call any STS operations except GetCallerIdentity
.
You can use temporary credentials for single sign-on (SSO) to the console.
\nYou must pass an inline or managed session policy to\n this operation. You can pass a single JSON policy document to use as an inline session\n policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as\n managed session policies. The plaintext that you use for both inline and managed session\n policies can't exceed 2,048 characters.
\nThough the session policy parameters are optional, if you do not pass a policy, then the\n resulting federated user session has no permissions. When you pass session policies, the\n session permissions are the intersection of the IAM user policies and the session\n policies that you pass. This gives you a way to further restrict the permissions for a\n federated user. You cannot use session policies to grant more permissions than those that\n are defined in the permissions policy of the IAM user. For more information, see Session\n Policies in the IAM User Guide. For information about\n using GetFederationToken
to create temporary security credentials, see GetFederationToken—Federation Through a Custom Identity Broker.
You can use the credentials to access a resource that has a resource-based policy. If\n that policy specifically references the federated user session in the\n Principal
element of the policy, the session has the permissions allowed by\n the policy. These permissions are granted in addition to the permissions granted by the\n session policies.
\n Tags\n
\n(Optional) You can pass tag key-value pairs to your session. These are called session\n tags. For more information about session tags, see Passing Session Tags in STS in the\n IAM User Guide.
\nYou can create a mobile-based or browser-based app that can authenticate users using\n a web identity provider like Login with Amazon, Facebook, Google, or an OpenID\n Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or\n AssumeRoleWithWebIdentity
. For more information, see Federation Through a Web-based Identity Provider in the\n IAM User Guide.
An administrator must grant you the permissions necessary to pass session tags. The\n administrator can also create granular permissions to allow you to pass only specific\n session tags. For more information, see Tutorial: Using Tags\n for Attribute-Based Access Control in the\n IAM User Guide.
\nTag key–value pairs are not case sensitive, but case is preserved. This means that you\n cannot have separate Department
and department
tag keys. Assume\n that the user that you are federating has the\n Department
=Marketing
tag and you pass the\n department
=engineering
session tag. Department
\n and department
are not saved as separate tags, and the session tag passed in\n the request takes precedence over the user tag.
Returns a set of temporary security credentials (consisting of an access key ID, a\n secret access key, and a security token) for a user. A typical use is in a proxy\n application that gets temporary security credentials on behalf of distributed applications\n inside a corporate network.
\nYou must call the GetFederationToken
operation using the long-term security\n credentials of an IAM user. As a result, this call is appropriate in\n contexts where those credentials can be safeguarded, usually in a server-based application.\n For a comparison of GetFederationToken
with the other API operations that\n produce temporary credentials, see Requesting Temporary Security\n Credentials and Comparing the\n Amazon Web Services STS API operations in the IAM User Guide.
Although it is possible to call GetFederationToken
using the security\n credentials of an Amazon Web Services account root user rather than an IAM user that you\n create for the purpose of a proxy application, we do not recommend it. For more\n information, see Safeguard your root user credentials and don't use them for everyday tasks in the\n IAM User Guide.
You can create a mobile-based or browser-based app that can authenticate users using\n a web identity provider like Login with Amazon, Facebook, Google, or an OpenID\n Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or\n AssumeRoleWithWebIdentity
. For more information, see Federation Through a Web-based Identity Provider in the\n IAM User Guide.
\n Session duration\n
\nThe temporary credentials are valid for the specified duration, from 900 seconds (15\n minutes) up to a maximum of 129,600 seconds (36 hours). The default session duration is\n 43,200 seconds (12 hours). Temporary credentials obtained by using the root user\n credentials have a maximum duration of 3,600 seconds (1 hour).
\n\n Permissions\n
\nYou can use the temporary credentials created by GetFederationToken
in any\n Amazon Web Services service with the following exceptions:
You cannot call any IAM operations using the CLI or the Amazon Web Services API. This\n limitation does not apply to console sessions.
\nYou cannot call any STS operations except GetCallerIdentity
.
You can use temporary credentials for single sign-on (SSO) to the console.
\nYou must pass an inline or managed session policy to\n this operation. You can pass a single JSON policy document to use as an inline session\n policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as\n managed session policies. The plaintext that you use for both inline and managed session\n policies can't exceed 2,048 characters.
\nThough the session policy parameters are optional, if you do not pass a policy, then the\n resulting federated user session has no permissions. When you pass session policies, the\n session permissions are the intersection of the IAM user policies and the\n session policies that you pass. This gives you a way to further restrict the permissions\n for a federated user. You cannot use session policies to grant more permissions than those\n that are defined in the permissions policy of the IAM user. For more\n information, see Session Policies in\n the IAM User Guide. For information about using\n GetFederationToken
to create temporary security credentials, see GetFederationToken—Federation Through a Custom Identity Broker.
You can use the credentials to access a resource that has a resource-based policy. If\n that policy specifically references the federated user session in the\n Principal
element of the policy, the session has the permissions allowed by\n the policy. These permissions are granted in addition to the permissions granted by the\n session policies.
\n Tags\n
\n(Optional) You can pass tag key-value pairs to your session. These are called session\n tags. For more information about session tags, see Passing Session Tags in STS in the\n IAM User Guide.
\nYou can create a mobile-based or browser-based app that can authenticate users using\n a web identity provider like Login with Amazon, Facebook, Google, or an OpenID\n Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or\n AssumeRoleWithWebIdentity
. For more information, see Federation Through a Web-based Identity Provider in the\n IAM User Guide.
An administrator must grant you the permissions necessary to pass session tags. The\n administrator can also create granular permissions to allow you to pass only specific\n session tags. For more information, see Tutorial: Using Tags\n for Attribute-Based Access Control in the\n IAM User Guide.
\nTag key–value pairs are not case sensitive, but case is preserved. This means that you\n cannot have separate Department
and department
tag keys. Assume\n that the user that you are federating has the\n Department
=Marketing
tag and you pass the\n department
=engineering
session tag. Department
\n and department
are not saved as separate tags, and the session tag passed in\n the request takes precedence over the user tag.
An IAM policy in JSON format that you want to use as an inline session policy.
\nYou must pass an inline or managed session policy to\n this operation. You can pass a single JSON policy document to use as an inline session\n policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as\n managed session policies.
\nThis parameter is optional. However, if you do not pass any session policies, then the\n resulting federated user session has no permissions.
\nWhen you pass session policies, the session permissions are the intersection of the\n IAM user policies and the session policies that you pass. This gives you a way to further\n restrict the permissions for a federated user. You cannot use session policies to grant\n more permissions than those that are defined in the permissions policy of the IAM user.\n For more information, see Session Policies in\n the IAM User Guide.
\nThe resulting credentials can be used to access a resource that has a resource-based\n policy. If that policy specifically references the federated user session in the\n Principal
element of the policy, the session has the permissions allowed by\n the policy. These permissions are granted in addition to the permissions that are granted\n by the session policies.
The plaintext that you use for both inline and managed session policies can't exceed\n 2,048 characters. The JSON policy characters can be any ASCII character from the space\n character to the end of the valid character list (\\u0020 through \\u00FF). It can also\n include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)\n characters.
\nAn Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs,\n and session tags into a packed binary format that has a separate limit. Your request can\n fail for this limit even if your plaintext meets the other requirements. The\n PackedPolicySize
response element indicates by percentage how close the\n policies and tags for your request are to the upper size limit.
An IAM policy in JSON format that you want to use as an inline session policy.
\nYou must pass an inline or managed session policy to\n this operation. You can pass a single JSON policy document to use as an inline session\n policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as\n managed session policies.
\nThis parameter is optional. However, if you do not pass any session policies, then the\n resulting federated user session has no permissions.
\nWhen you pass session policies, the session permissions are the intersection of the\n IAM user policies and the session policies that you pass. This gives you\n a way to further restrict the permissions for a federated user. You cannot use session\n policies to grant more permissions than those that are defined in the permissions policy of\n the IAM user. For more information, see Session Policies in\n the IAM User Guide.
\nThe resulting credentials can be used to access a resource that has a resource-based\n policy. If that policy specifically references the federated user session in the\n Principal
element of the policy, the session has the permissions allowed by\n the policy. These permissions are granted in addition to the permissions that are granted\n by the session policies.
The plaintext that you use for both inline and managed session policies can't exceed\n 2,048 characters. The JSON policy characters can be any ASCII character from the space\n character to the end of the valid character list (\\u0020 through \\u00FF). It can also\n include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)\n characters.
\nAn Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs,\n and session tags into a packed binary format that has a separate limit. Your request can\n fail for this limit even if your plaintext meets the other requirements. The\n PackedPolicySize
response element indicates by percentage how close the\n policies and tags for your request are to the upper size limit.
The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as a\n managed session policy. The policies must exist in the same account as the IAM user that\n is requesting federated access.
\nYou must pass an inline or managed session policy to\n this operation. You can pass a single JSON policy document to use as an inline session\n policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as\n managed session policies. The plaintext that you use for both inline and managed session\n policies can't exceed 2,048 characters. You can provide up to 10 managed policy ARNs. For\n more information about ARNs, see Amazon Resource Names (ARNs) and Amazon Web Services\n Service Namespaces in the Amazon Web Services General Reference.
\nThis parameter is optional. However, if you do not pass any session policies, then the\n resulting federated user session has no permissions.
\nWhen you pass session policies, the session permissions are the intersection of the\n IAM user policies and the session policies that you pass. This gives you a way to further\n restrict the permissions for a federated user. You cannot use session policies to grant\n more permissions than those that are defined in the permissions policy of the IAM user.\n For more information, see Session Policies in\n the IAM User Guide.
\nThe resulting credentials can be used to access a resource that has a resource-based\n policy. If that policy specifically references the federated user session in the\n Principal
element of the policy, the session has the permissions allowed by\n the policy. These permissions are granted in addition to the permissions that are granted\n by the session policies.
An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs,\n and session tags into a packed binary format that has a separate limit. Your request can\n fail for this limit even if your plaintext meets the other requirements. The\n PackedPolicySize
response element indicates by percentage how close the\n policies and tags for your request are to the upper size limit.
The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as a\n managed session policy. The policies must exist in the same account as the IAM user that is requesting federated access.
\nYou must pass an inline or managed session policy to\n this operation. You can pass a single JSON policy document to use as an inline session\n policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as\n managed session policies. The plaintext that you use for both inline and managed session\n policies can't exceed 2,048 characters. You can provide up to 10 managed policy ARNs. For\n more information about ARNs, see Amazon Resource Names (ARNs) and Amazon Web Services\n Service Namespaces in the Amazon Web Services General Reference.
\nThis parameter is optional. However, if you do not pass any session policies, then the\n resulting federated user session has no permissions.
\nWhen you pass session policies, the session permissions are the intersection of the\n IAM user policies and the session policies that you pass. This gives you\n a way to further restrict the permissions for a federated user. You cannot use session\n policies to grant more permissions than those that are defined in the permissions policy of\n the IAM user. For more information, see Session Policies in\n the IAM User Guide.
\nThe resulting credentials can be used to access a resource that has a resource-based\n policy. If that policy specifically references the federated user session in the\n Principal
element of the policy, the session has the permissions allowed by\n the policy. These permissions are granted in addition to the permissions that are granted\n by the session policies.
An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs,\n and session tags into a packed binary format that has a separate limit. Your request can\n fail for this limit even if your plaintext meets the other requirements. The\n PackedPolicySize
response element indicates by percentage how close the\n policies and tags for your request are to the upper size limit.
The duration, in seconds, that the session should last. Acceptable durations for\n federation sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), with\n 43,200 seconds (12 hours) as the default. Sessions obtained using root user\n credentials are restricted to a maximum of 3,600 seconds (one hour). If the specified\n duration is longer than one hour, the session obtained by using root user credentials\n defaults to one hour.
" + "smithy.api#documentation": "The duration, in seconds, that the session should last. Acceptable durations for\n federation sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), with\n 43,200 seconds (12 hours) as the default. Sessions obtained using root user\n credentials are restricted to a maximum of 3,600 seconds (one hour). If the specified\n duration is longer than one hour, the session obtained by using root user\n credentials defaults to one hour.
" } }, "Tags": { @@ -3035,7 +3041,7 @@ } ], "traits": { - "smithy.api#documentation": "Returns a set of temporary credentials for an Amazon Web Services account or IAM user. The\n credentials consist of an access key ID, a secret access key, and a security token.\n Typically, you use GetSessionToken
if you want to use MFA to protect\n programmatic calls to specific Amazon Web Services API operations like Amazon EC2 StopInstances
.
MFA-enabled IAM users must call GetSessionToken
and submit an MFA\n code that is associated with their MFA device. Using the temporary security credentials\n that the call returns, IAM users can then make programmatic calls to API\n operations that require MFA authentication. An incorrect MFA code causes the API to return an access denied error. For a comparison of GetSessionToken
\n with the other API operations that produce temporary credentials, see Requesting\n Temporary Security Credentials and Comparing the\n Amazon Web Services STS API operations in the IAM User Guide.
No permissions are required for users to perform this operation. The purpose of the\n sts:GetSessionToken
operation is to authenticate the user using MFA. You\n cannot use policies to control authentication operations. For more information, see\n Permissions for GetSessionToken in the\n IAM User Guide.
\n Session Duration\n
\nThe GetSessionToken
operation must be called by using the long-term Amazon Web Services\n security credentials of an IAM user. Credentials that are\n created by IAM users are valid for the duration that you specify. This duration can range\n from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours), with a default\n of 43,200 seconds (12 hours). Credentials based on account credentials can range from 900\n seconds (15 minutes) up to 3,600 seconds (1 hour), with a default of 1 hour.
\n Permissions\n
\nThe temporary security credentials created by GetSessionToken
can be used\n to make API calls to any Amazon Web Services service with the following exceptions:
You cannot call any IAM API operations unless MFA authentication information is\n included in the request.
\nYou cannot call any STS API except\n AssumeRole
or GetCallerIdentity
.
The credentials that GetSessionToken
returns are based on\n permissions associated with the IAM user whose credentials were used to call the operation. The\n temporary credentials have the same permissions as the IAM user.
Although it is possible to call GetSessionToken
using the security credentials of an\n Amazon Web Services account root user rather than an IAM user, we do not recommend it. If\n GetSessionToken
is called using root user credentials, the\n temporary credentials have root user permissions. For more information, see Safeguard your root user credentials and don't use them for everyday tasks in the\n IAM User Guide\n
For more information about using GetSessionToken
to create temporary\n credentials, see Temporary\n Credentials for Users in Untrusted Environments in the\n IAM User Guide.
Returns a set of temporary credentials for an Amazon Web Services account or IAM user.\n The credentials consist of an access key ID, a secret access key, and a security token.\n Typically, you use GetSessionToken
if you want to use MFA to protect\n programmatic calls to specific Amazon Web Services API operations like Amazon EC2\n StopInstances
.
MFA-enabled IAM users must call GetSessionToken
and submit\n an MFA code that is associated with their MFA device. Using the temporary security\n credentials that the call returns, IAM users can then make programmatic\n calls to API operations that require MFA authentication. An incorrect MFA code causes the\n API to return an access denied error. For a comparison of GetSessionToken
with\n the other API operations that produce temporary credentials, see Requesting\n Temporary Security Credentials and Comparing the\n Amazon Web Services STS API operations in the IAM User Guide.
No permissions are required for users to perform this operation. The purpose of the\n sts:GetSessionToken
operation is to authenticate the user using MFA. You\n cannot use policies to control authentication operations. For more information, see\n Permissions for GetSessionToken in the\n IAM User Guide.
\n Session Duration\n
\nThe GetSessionToken
operation must be called by using the long-term Amazon Web Services\n security credentials of an IAM user. Credentials that are created by IAM users are valid for the duration that you specify. This duration can range\n from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours), with a default\n of 43,200 seconds (12 hours). Credentials based on account credentials can range from 900\n seconds (15 minutes) up to 3,600 seconds (1 hour), with a default of 1 hour.
\n Permissions\n
\nThe temporary security credentials created by GetSessionToken
can be used\n to make API calls to any Amazon Web Services service with the following exceptions:
You cannot call any IAM API operations unless MFA authentication information is\n included in the request.
\nYou cannot call any STS API except\n AssumeRole
or GetCallerIdentity
.
The credentials that GetSessionToken
returns are based on permissions\n associated with the IAM user whose credentials were used to call the\n operation. The temporary credentials have the same permissions as the IAM user.
Although it is possible to call GetSessionToken
using the security\n credentials of an Amazon Web Services account root user rather than an IAM user, we do\n not recommend it. If GetSessionToken
is called using root user\n credentials, the temporary credentials have root user permissions. For more\n information, see Safeguard your root user credentials and don't use them for everyday tasks in the\n IAM User Guide\n
For more information about using GetSessionToken
to create temporary\n credentials, see Temporary\n Credentials for Users in Untrusted Environments in the\n IAM User Guide.
The duration, in seconds, that the credentials should remain valid. Acceptable durations\n for IAM user sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours),\n with 43,200 seconds (12 hours) as the default. Sessions for Amazon Web Services account owners are\n restricted to a maximum of 3,600 seconds (one hour). If the duration is longer than one\n hour, the session for Amazon Web Services account owners defaults to one hour.
" + "smithy.api#documentation": "The duration, in seconds, that the credentials should remain valid. Acceptable durations\n for IAM user sessions range from 900 seconds (15 minutes) to 129,600 seconds\n (36 hours), with 43,200 seconds (12 hours) as the default. Sessions for Amazon Web Services account\n owners are restricted to a maximum of 3,600 seconds (one hour). If the duration is longer\n than one hour, the session for Amazon Web Services account owners defaults to one hour.
" } }, "SerialNumber": { "target": "com.amazonaws.sts#serialNumberType", "traits": { - "smithy.api#documentation": "The identification number of the MFA device that is associated with the IAM user who\n is making the GetSessionToken
call. Specify this value if the IAM user has a\n policy that requires MFA authentication. The value is either the serial number for a\n hardware device (such as GAHT12345678
) or an Amazon Resource Name (ARN) for a\n virtual device (such as arn:aws:iam::123456789012:mfa/user
). You can find the\n device for an IAM user by going to the Amazon Web Services Management Console and viewing the user's security\n credentials.
The regex used to validate this parameter is a string of \n characters consisting of upper- and lower-case alphanumeric characters with no spaces. \n You can also include underscores or any of the following characters: =,.@:/-
" + "smithy.api#documentation": "The identification number of the MFA device that is associated with the IAM user who is making the GetSessionToken
call. Specify this value\n if the IAM user has a policy that requires MFA authentication. The value is\n either the serial number for a hardware device (such as GAHT12345678
) or an\n Amazon Resource Name (ARN) for a virtual device (such as\n arn:aws:iam::123456789012:mfa/user
). You can find the device for an IAM user by going to the Amazon Web Services Management Console and viewing the user's security credentials.
The regex used to validate this parameter is a string of \n characters consisting of upper- and lower-case alphanumeric characters with no spaces. \n You can also include underscores or any of the following characters: =,.@:/-
" } }, "TokenCode": { "target": "com.amazonaws.sts#tokenCodeType", "traits": { - "smithy.api#documentation": "The value provided by the MFA device, if MFA is required. If any policy requires the\n IAM user to submit an MFA code, specify this value. If MFA authentication is required,\n the user must provide a code when requesting a set of temporary security credentials. A\n user who fails to provide the code receives an \"access denied\" response when requesting\n resources that require MFA authentication.
\nThe format for this parameter, as described by its regex pattern, is a sequence of six\n numeric digits.
" + "smithy.api#documentation": "The value provided by the MFA device, if MFA is required. If any policy requires the\n IAM user to submit an MFA code, specify this value. If MFA authentication\n is required, the user must provide a code when requesting a set of temporary security\n credentials. A user who fails to provide the code receives an \"access denied\" response when\n requesting resources that require MFA authentication.
\nThe format for this parameter, as described by its regex pattern, is a sequence of six\n numeric digits.
"
 }
 }
 },
@@ -3201,6 +3207,38 @@
 "smithy.api#documentation": "A reference to the IAM managed policy that is passed as a session policy for a role\n session or a federated user session.
"
 }
 },
+ "com.amazonaws.sts#ProvidedContext": {
+ "type": "structure",
+ "members": {
+ "ProviderArn": {
+ "target": "com.amazonaws.sts#arnType",
+ "traits": {
+ "smithy.api#documentation": "Reserved for future use.
"
+ }
+ },
+ "ContextAssertion": {
+ "target": "com.amazonaws.sts#contextAssertionType",
+ "traits": {
+ "smithy.api#documentation": "Reserved for future use.
"
+ }
+ }
+ },
+ "traits": {
+ "smithy.api#documentation": "Reserved for future use.
"
+ }
+ },
+ "com.amazonaws.sts#ProvidedContextsListType": {
+ "type": "list",
+ "member": {
+ "target": "com.amazonaws.sts#ProvidedContext"
+ },
+ "traits": {
+ "smithy.api#length": {
+ "min": 0,
+ "max": 5
+ }
+ }
+ },
 "com.amazonaws.sts#RegionDisabledException": {
 "type": "structure",
 "members": {
@@ -3305,6 +3343,15 @@
 "smithy.api#sensitive": {}
 }
 },
+ "com.amazonaws.sts#contextAssertionType": {
+ "type": "string",
+ "traits": {
+ "smithy.api#length": {
+ "min": 4,
+ "max": 2048
+ }
+ }
+ },
 "com.amazonaws.sts#dateType": {
 "type": "timestamp"
 },