AWS IoT Update: This release adds support to register a CA certificate without having to provide a verification certificate. This also allows multiple AWS accounts to register the same CA in the same region.

AWS · AWS · commit 7807ec56734b · 2022-07-07T18:07:32.000Z
diff --git a/.changes/next-release/feature-AWSIoT-a004149.json b/.changes/next-release/feature-AWSIoT-a004149.json
@@ -0,0 +1,6 @@
+{
+    "type": "feature",
+    "category": "AWS IoT",
+    "contributor": "",
+    "description": "This release adds support to register a CA certificate without having to provide a verification certificate. This also allows multiple AWS accounts to register the same CA in the same region."
+}
diff --git a/services/iot/src/main/resources/codegen-resources/service-2.json b/services/iot/src/main/resources/codegen-resources/service-2.json
@@ -3224,7 +3224,7 @@
         {"shape":"ServiceUnavailableException"},
         {"shape":"InternalFailureException"}
       ],
-      "documentation":"<p>Registers a CA certificate with IoT. This CA certificate can then be used to sign device certificates, which can be then registered with IoT. You can register up to 10 CA certificates per Amazon Web Services account that have the same subject field. This enables you to have up to 10 certificate authorities sign your device certificates. If you have more than one CA certificate registered, make sure you pass the CA certificate when you register your device certificates with the <a>RegisterCertificate</a> action.</p> <p>Requires permission to access the <a href=\"https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html#awsiot-actions-as-permissions\">RegisterCACertificate</a> action.</p>"
+      "documentation":"<p>Registers a CA certificate with Amazon Web Services IoT Core. There is no limit to the number of CA certificates you can register in your Amazon Web Services account. You can register up to 10 CA certificates with the same <code>CA subject field</code> per Amazon Web Services account.</p> <p>Requires permission to access the <a href=\"https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html#awsiot-actions-as-permissions\">RegisterCACertificate</a> action.</p>"
     },
     "RegisterCertificate":{
       "name":"RegisterCertificate",
@@ -3245,7 +3245,7 @@
         {"shape":"ServiceUnavailableException"},
         {"shape":"InternalFailureException"}
       ],
-      "documentation":"<p>Registers a device certificate with IoT. If you have more than one CA certificate that has the same subject field, you must specify the CA certificate that was used to sign the device certificate being registered.</p> <p>Requires permission to access the <a href=\"https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html#awsiot-actions-as-permissions\">RegisterCertificate</a> action.</p>"
+      "documentation":"<p>Registers a device certificate with IoT in the same <a href=\"https://docs.aws.amazon.com/iot/latest/apireference/API_CertificateDescription.html#iot-Type-CertificateDescription-certificateMode\">certificate mode</a> as the signing CA. If you have more than one CA certificate that has the same subject field, you must specify the CA certificate that was used to sign the device certificate being registered.</p> <p>Requires permission to access the <a href=\"https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html#awsiot-actions-as-permissions\">RegisterCertificate</a> action.</p>"
     },
     "RegisterCertificateWithoutCA":{
       "name":"RegisterCertificateWithoutCA",
@@ -5663,6 +5663,10 @@
         "validity":{
           "shape":"CertificateValidity",
           "documentation":"<p>When the CA certificate is valid.</p>"
+        },
+        "certificateMode":{
+          "shape":"CertificateMode",
+          "documentation":"<p>The mode of the CA. </p> <p>All the device certificates that are registered using this CA will be registered in the same mode as the CA. For more information about certificate mode for device certificates, see <a href=\"https://docs.aws.amazon.com/iot/latest/apireference/API_CertificateDescription.html#iot-Type-CertificateDescription-certificateMode\">certificate mode</a>.</p>"
         }
       },
       "documentation":"<p>Describes a CA certificate.</p>"
@@ -5857,7 +5861,7 @@
         },
         "certificateMode":{
           "shape":"CertificateMode",
-          "documentation":"<p>The mode of the certificate.</p>"
+          "documentation":"<p>The mode of the certificate.</p> <p> <code>DEFAULT</code>: A certificate in <code>DEFAULT</code> mode is either generated by Amazon Web Services IoT Core or registered with an issuer certificate authority (CA) in <code>DEFAULT</code> mode. Devices with certificates in <code>DEFAULT</code> mode aren't required to send the Server Name Indication (SNI) extension when connecting to Amazon Web Services IoT Core. However, to use features such as custom domains and VPC endpoints, we recommend that you use the SNI extension when connecting to Amazon Web Services IoT Core.</p> <p> <code>SNI_ONLY</code>: A certificate in <code>SNI_ONLY</code> mode is registered without an issuer CA. Devices with certificates in <code>SNI_ONLY</code> mode must send the SNI extension when connecting to Amazon Web Services IoT Core. </p>"
         },
         "creationDate":{
           "shape":"DateType",
@@ -5936,7 +5940,7 @@
         },
         "certificateMode":{
           "shape":"CertificateMode",
-          "documentation":"<p>The mode of the certificate.</p>"
+          "documentation":"<p>The mode of the certificate.</p> <p> <code>DEFAULT</code>: A certificate in <code>DEFAULT</code> mode is either generated by Amazon Web Services IoT Core or registered with an issuer certificate authority (CA) in <code>DEFAULT</code> mode. Devices with certificates in <code>DEFAULT</code> mode aren't required to send the Server Name Indication (SNI) extension when connecting to Amazon Web Services IoT Core. However, to use features such as custom domains and VPC endpoints, we recommend that you use the SNI extension when connecting to Amazon Web Services IoT Core.</p> <p> <code>SNI_ONLY</code>: A certificate in <code>SNI_ONLY</code> mode is registered without an issuer CA. Devices with certificates in <code>SNI_ONLY</code> mode must send the SNI extension when connecting to Amazon Web Services IoT Core. </p> <p>For more information about the value for SNI extension, see <a href=\"https://docs.aws.amazon.com/iot/latest/developerguide/transport-security.html\">Transport security in IoT</a>.</p>"
         }
       },
       "documentation":"<p>Describes a certificate.</p>"
@@ -11393,7 +11397,10 @@
           "shape":"ParameterMap",
           "documentation":"<p>A key-value map that pairs the patterns that need to be replaced in a managed template job document schema. You can use the description of each key as a guidance to specify the inputs during runtime when creating a job.</p> <note> <p> <code>documentParameters</code> can only be used when creating jobs from Amazon Web Services managed templates. This parameter can't be used with custom job templates or to create jobs from them.</p> </note>"
         },
-        "isConcurrent":{"shape":"BooleanWrapperObject"}
+        "isConcurrent":{
+          "shape":"BooleanWrapperObject",
+          "documentation":"<p>Indicates whether a job is concurrent. Will be true when a job is rolling out new job executions or canceling previously created executions, otherwise false.</p>"
+        }
       },
       "documentation":"<p>The <code>Job</code> object contains details about a job.</p>"
     },
@@ -11677,7 +11684,10 @@
           "shape":"DateType",
           "documentation":"<p>The time, in seconds since the epoch, when the job completed.</p>"
         },
-        "isConcurrent":{"shape":"BooleanWrapperObject"}
+        "isConcurrent":{
+          "shape":"BooleanWrapperObject",
+          "documentation":"<p>Indicates whether a job is concurrent. Will be true when a job is rolling out new job executions or canceling previously created executions, otherwise false.</p>"
+        }
       },
       "documentation":"<p>The job summary.</p>"
     },
@@ -15067,7 +15077,7 @@
       "members":{
         "roleArn":{
           "shape":"RoleArn",
-          "documentation":"<p>The ARN of an IAM role that grants grants permission to download files from the S3 bucket where the job data/updates are stored. The role must also grant permission for IoT to download the files.</p>"
+          "documentation":"<p>The ARN of an IAM role that grants grants permission to download files from the S3 bucket where the job data/updates are stored. The role must also grant permission for IoT to download the files.</p> <important> <p>For information about addressing the confused deputy problem, see <a href=\"https://docs.aws.amazon.com/iot/latest/developerguide/cross-service-confused-deputy-prevention.html\">cross-service confused deputy prevention</a> in the <i>Amazon Web Services IoT Core developer guide</i>.</p> </important>"
         },
         "expiresInSec":{
           "shape":"ExpiresInSec",
@@ -15325,18 +15335,15 @@
     "Regex":{"type":"string"},
     "RegisterCACertificateRequest":{
       "type":"structure",
-      "required":[
-        "caCertificate",
-        "verificationCertificate"
-      ],
+      "required":["caCertificate"],
       "members":{
         "caCertificate":{
           "shape":"CertificatePem",
           "documentation":"<p>The CA certificate.</p>"
         },
         "verificationCertificate":{
           "shape":"CertificatePem",
-          "documentation":"<p>The private key verification certificate.</p>"
+          "documentation":"<p>The private key verification certificate. If <code>certificateMode</code> is <code>SNI_ONLY</code>, the <code>verificationCertificate</code> field must be empty. If <code>certificateMode</code> is <code>DEFAULT</code> or not provided, the <code>verificationCertificate</code> field must not be empty. </p>"
         },
         "setAsActive":{
           "shape":"SetAsActive",
@@ -15357,6 +15364,10 @@
         "tags":{
           "shape":"TagList",
           "documentation":"<p>Metadata which can be used to manage the CA certificate.</p> <note> <p>For URI Request parameters use format: ...key1=value1&amp;key2=value2...</p> <p>For the CLI command-line parameter use format: &amp;&amp;tags \"key1=value1&amp;key2=value2...\"</p> <p>For the cli-input-json file use format: \"tags\": \"key1=value1&amp;key2=value2...\"</p> </note>"
+        },
+        "certificateMode":{
+          "shape":"CertificateMode",
+          "documentation":"<p>Describes the certificate mode in which the Certificate Authority (CA) will be registered. If the <code>verificationCertificate</code> field is not provided, set <code>certificateMode</code> to be <code>SNI_ONLY</code>. If the <code>verificationCertificate</code> field is provided, set <code>certificateMode</code> to be <code>DEFAULT</code>. When <code>certificateMode</code> is not provided, it defaults to <code>DEFAULT</code>. All the device certificates that are registered using this CA will be registered in the same certificate mode as the CA. For more information about certificate mode for device certificates, see <a href=\"https://docs.aws.amazon.com/iot/latest/apireference/API_CertificateDescription.html#iot-Type-CertificateDescription-certificateMode\"> certificate mode</a>. </p>"
         }
       },
       "documentation":"<p>The input to the RegisterCACertificate operation.</p>"
@@ -16043,7 +16054,7 @@
         },
         "queryString":{
           "shape":"QueryString",
-          "documentation":"<p>The search query string.</p>"
+          "documentation":"<p>The search query string. For more information about the search query syntax, see <a href=\"https://docs.aws.amazon.com/iot/latest/developerguide/query-syntax.html\">Query syntax</a>.</p>"
         },
         "nextToken":{
           "shape":"NextToken",
