feat(client-iam): For CreateOpenIDConnectProvider API, the ThumbprintList parameter is no longer required.

Author: awstools

clients/client-iam/src/commands/CreateInstanceProfileCommand.ts

@@ -29,7 +29,7 @@ export interface CreateInstanceProfileCommandOutput extends CreateInstanceProfil
 /**
  * <p> Creates a new instance profile. For information about instance profiles, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html">Using
  *                 roles for applications on Amazon EC2</a> in the
- *                 <i>IAM User Guide</i>, and <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#ec2-instance-profile">Instance profiles</a> in the <i>Amazon EC2 User Guide</i>.</p>
+ *             <i>IAM User Guide</i>, and <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#ec2-instance-profile">Instance profiles</a> in the <i>Amazon EC2 User Guide</i>.</p>
  *          <p> For information about the number of instance profiles you can create, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html">IAM object
  *                 quotas</a> in the <i>IAM User Guide</i>.</p>
  * @example

clients/client-iam/src/commands/CreateOpenIDConnectProviderCommand.ts

@@ -60,11 +60,11 @@ export interface CreateOpenIDConnectProviderCommandOutput
  *             Amazon Web Services.</p>
  *          <note>
  *             <p>Amazon Web Services secures communication with some OIDC identity providers (IdPs) through our library
- *       of trusted root certificate authorities (CAs) instead of using a certificate thumbprint to
- *       verify your IdP server certificate. In these cases, your legacy thumbprint remains in your
- *       configuration, but is no longer used for validation. These OIDC IdPs include Auth0, GitHub,
- *       GitLab, Google, and those that use an Amazon S3 bucket to host a JSON Web Key Set (JWKS)
- *       endpoint.</p>
+ *           of trusted root certificate authorities (CAs) instead of using a certificate thumbprint to
+ *           verify your IdP server certificate. In these cases, your legacy thumbprint remains in your
+ *           configuration, but is no longer used for validation. These OIDC IdPs include Auth0, GitHub,
+ *           GitLab, Google, and those that use an Amazon S3 bucket to host a JSON Web Key Set (JWKS)
+ *           endpoint.</p>
  *          </note>
  *          <note>
  *             <p>The trust for the OIDC provider is derived from the IAM provider that this
@@ -82,7 +82,7 @@ export interface CreateOpenIDConnectProviderCommandOutput
  *   ClientIDList: [ // clientIDListType
  *     "STRING_VALUE",
  *   ],
- *   ThumbprintList: [ // thumbprintListType // required
+ *   ThumbprintList: [ // thumbprintListType
  *     "STRING_VALUE",
  *   ],
  *   Tags: [ // tagListType
@@ -128,6 +128,9 @@ export interface CreateOpenIDConnectProviderCommandOutput
  *  <p>The request was rejected because it attempted to create resources beyond the current
  *       Amazon Web Services account limits. The error message describes the limit exceeded.</p>
  *
+ * @throws {@link OpenIdIdpCommunicationErrorException} (client fault)
+ *  <p>The request failed because IAM cannot connect to the OpenID Connect identity provider URL.</p>
+ *
  * @throws {@link ServiceFailureException} (server fault)
  *  <p>The request processing has failed because of an unknown error, exception or
  *       failure.</p>

clients/client-iam/src/commands/DeleteRoleCommand.ts

@@ -47,8 +47,8 @@ export interface DeleteRoleCommandOutput extends __MetadataBearer {}
  *             </li>
  *          </ul>
  *          <important>
- *             <p>Make sure that you do not have any Amazon EC2 instances running with the role you
- *                 are about to delete. Deleting a role or instance profile that is associated with a
+ *             <p>Make sure that you do not have any Amazon EC2 instances running with the role you are
+ *                 about to delete. Deleting a role or instance profile that is associated with a
  *                 running instance will break any applications running on the instance.</p>
  *          </important>
  * @example

clients/client-iam/src/commands/RemoveRoleFromInstanceProfileCommand.ts

@@ -30,12 +30,12 @@ export interface RemoveRoleFromInstanceProfileCommandInput extends RemoveRoleFro
 export interface RemoveRoleFromInstanceProfileCommandOutput extends __MetadataBearer {}
 
 /**
- * <p>Removes the specified IAM role from the specified EC2 instance profile.</p>
+ * <p>Removes the specified IAM role from the specified Amazon EC2 instance profile.</p>
  *          <important>
- *             <p>Make sure that you do not have any Amazon EC2 instances running with the role you
- *                 are about to remove from the instance profile. Removing a role from an instance
- *                 profile that is associated with a running instance might break any applications
- *                 running on the instance.</p>
+ *             <p>Make sure that you do not have any Amazon EC2 instances running with the role you are
+ *                 about to remove from the instance profile. Removing a role from an instance profile
+ *                 that is associated with a running instance might break any applications running on
+ *                 the instance.</p>
  *          </important>
  *          <p> For more information about roles, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html">IAM roles</a> in the
  *                 <i>IAM User Guide</i>. For more information about instance profiles,

clients/client-iam/src/commands/UntagInstanceProfileCommand.ts

@@ -6,7 +6,7 @@ import { MetadataBearer as __MetadataBearer } from "@smithy/types";
 
 import { commonParams } from "../endpoint/EndpointParameters";
 import { IAMClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../IAMClient";
-import { UntagInstanceProfileRequest } from "../models/models_0";
+import { UntagInstanceProfileRequest } from "../models/models_1";
 import { de_UntagInstanceProfileCommand, se_UntagInstanceProfileCommand } from "../protocols/Aws_query";
 
 /**

clients/client-iam/src/commands/UpdateOpenIDConnectProviderThumbprintCommand.ts

@@ -42,11 +42,11 @@ export interface UpdateOpenIDConnectProviderThumbprintCommandOutput extends __Me
  *             updated.</p>
  *          <note>
  *             <p>Amazon Web Services secures communication with some OIDC identity providers (IdPs) through our library
- *       of trusted root certificate authorities (CAs) instead of using a certificate thumbprint to
- *       verify your IdP server certificate. In these cases, your legacy thumbprint remains in your
- *       configuration, but is no longer used for validation. These OIDC IdPs include Auth0, GitHub,
- *       GitLab, Google, and those that use an Amazon S3 bucket to host a JSON Web Key Set (JWKS)
- *       endpoint.</p>
+ *           of trusted root certificate authorities (CAs) instead of using a certificate thumbprint to
+ *           verify your IdP server certificate. In these cases, your legacy thumbprint remains in your
+ *           configuration, but is no longer used for validation. These OIDC IdPs include Auth0, GitHub,
+ *           GitLab, Google, and those that use an Amazon S3 bucket to host a JSON Web Key Set (JWKS)
+ *           endpoint.</p>
  *          </note>
  *          <note>
  *             <p>Trust for the OIDC provider is derived from the provider certificate and is

clients/client-iam/src/models/models_0.ts

@@ -1220,11 +1220,13 @@ export interface CreateOpenIDConnectProviderRequest {
    *             provider's server certificates. Typically this list includes only one entry. However,
    *             IAM lets you have up to five thumbprints for an OIDC provider. This lets you maintain
    *             multiple thumbprints if the identity provider is rotating certificates.</p>
+   *          <p>This parameter is optional. If it is not included, IAM will retrieve and use the top
+   *             intermediate certificate authority (CA) thumbprint of the OpenID Connect identity
+   *             provider server certificate.</p>
    *          <p>The server certificate thumbprint is the hex-encoded SHA-1 hash value of the X.509
    *             certificate used by the domain where the OpenID Connect provider makes its keys
    *             available. It is always a 40-character string.</p>
-   *          <p>You must provide at least one thumbprint when creating an IAM OIDC provider. For
-   *             example, assume that the OIDC provider is <code>server.example.com</code> and the
+   *          <p>For example, assume that the OIDC provider is <code>server.example.com</code> and the
    *             provider stores its keys at https://keys.server.example.com/openid-connect. In that
    *             case, the thumbprint string would be the hex-encoded SHA-1 hash value of the certificate
    *             used by <code>https://keys.server.example.com.</code>
@@ -1234,7 +1236,7 @@ export interface CreateOpenIDConnectProviderRequest {
    *                 Guide</i>.</p>
    * @public
    */
-  ThumbprintList: string[] | undefined;
+  ThumbprintList?: string[];
 
   /**
    * <p>A list of tags that you want to attach to the new IAM OpenID Connect (OIDC) provider.
@@ -1272,6 +1274,26 @@ export interface CreateOpenIDConnectProviderResponse {
   Tags?: Tag[];
 }
 
+/**
+ * <p>The request failed because IAM cannot connect to the OpenID Connect identity provider URL.</p>
+ * @public
+ */
+export class OpenIdIdpCommunicationErrorException extends __BaseException {
+  readonly name: "OpenIdIdpCommunicationErrorException" = "OpenIdIdpCommunicationErrorException";
+  readonly $fault: "client" = "client";
+  /**
+   * @internal
+   */
+  constructor(opts: __ExceptionOptionType<OpenIdIdpCommunicationErrorException, __BaseException>) {
+    super({
+      name: "OpenIdIdpCommunicationErrorException",
+      $fault: "client",
+      ...opts,
+    });
+    Object.setPrototypeOf(this, OpenIdIdpCommunicationErrorException.prototype);
+  }
+}
+
 /**
  * @public
  */
@@ -8391,12 +8413,11 @@ export interface SimulateCustomPolicyRequest {
    *             not match one of the following scenarios, then you can omit this parameter. The
    *             following list shows each of the supported scenario values and the resources that you
    *             must define to run the simulation.</p>
-   *          <p>Each of the EC2 scenarios requires that you specify instance, image, and security
+   *          <p>Each of the Amazon EC2 scenarios requires that you specify instance, image, and security
    *             group resources. If your scenario includes an EBS volume, then you must specify that
-   *             volume as a resource. If the EC2 scenario includes VPC, then you must supply the network
-   *             interface resource. If it includes an IP subnet, then you must specify the subnet
-   *             resource. For more information on the EC2 scenario options, see <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-supported-platforms.html">Supported platforms</a> in the <i>Amazon EC2 User
-   *             Guide</i>.</p>
+   *             volume as a resource. If the Amazon EC2 scenario includes VPC, then you must supply the
+   *             network interface resource. If it includes an IP subnet, then you must specify the
+   *             subnet resource. For more information on the Amazon EC2 scenario options, see <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-supported-platforms.html">Supported platforms</a> in the <i>Amazon EC2 User Guide</i>.</p>
    *          <ul>
    *             <li>
    *                <p>
@@ -8935,12 +8956,11 @@ export interface SimulatePrincipalPolicyRequest {
    *             not match one of the following scenarios, then you can omit this parameter. The
    *             following list shows each of the supported scenario values and the resources that you
    *             must define to run the simulation.</p>
-   *          <p>Each of the EC2 scenarios requires that you specify instance, image, and security
+   *          <p>Each of the Amazon EC2 scenarios requires that you specify instance, image, and security
    *             group resources. If your scenario includes an EBS volume, then you must specify that
-   *             volume as a resource. If the EC2 scenario includes VPC, then you must supply the network
-   *             interface resource. If it includes an IP subnet, then you must specify the subnet
-   *             resource. For more information on the EC2 scenario options, see <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-supported-platforms.html">Supported platforms</a> in the <i>Amazon EC2 User
-   *             Guide</i>.</p>
+   *             volume as a resource. If the Amazon EC2 scenario includes VPC, then you must supply the
+   *             network interface resource. If it includes an IP subnet, then you must specify the
+   *             subnet resource. For more information on the Amazon EC2 scenario options, see <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-supported-platforms.html">Supported platforms</a> in the <i>Amazon EC2 User Guide</i>.</p>
    *          <ul>
    *             <li>
    *                <p>
@@ -9153,26 +9173,6 @@ export interface TagUserRequest {
   Tags: Tag[] | undefined;
 }
 
-/**
- * @public
- */
-export interface UntagInstanceProfileRequest {
-  /**
-   * <p>The name of the IAM instance profile from which you want to remove tags.</p>
-   *          <p>This parameter allows (through its <a href="http://wikipedia.org/wiki/regex">regex pattern</a>) a string of characters consisting of upper and lowercase alphanumeric
-   *     characters with no spaces. You can also include any of the following characters: _+=,.@-</p>
-   * @public
-   */
-  InstanceProfileName: string | undefined;
-
-  /**
-   * <p>A list of key names as a simple array of strings. The tags with matching keys are
-   *       removed from the specified instance profile.</p>
-   * @public
-   */
-  TagKeys: string[] | undefined;
-}
-
 /**
  * @internal
  */

clients/client-iam/src/models/models_1.ts

@@ -5,6 +5,26 @@ import { IAMServiceException as __BaseException } from "./IAMServiceException";
 
 import { Role, ServerCertificateMetadata, SigningCertificate, SSHPublicKey, StatusType, Tag } from "./models_0";
 
+/**
+ * @public
+ */
+export interface UntagInstanceProfileRequest {
+  /**
+   * <p>The name of the IAM instance profile from which you want to remove tags.</p>
+   *          <p>This parameter allows (through its <a href="http://wikipedia.org/wiki/regex">regex pattern</a>) a string of characters consisting of upper and lowercase alphanumeric
+   *     characters with no spaces. You can also include any of the following characters: _+=,.@-</p>
+   * @public
+   */
+  InstanceProfileName: string | undefined;
+
+  /**
+   * <p>A list of key names as a simple array of strings. The tags with matching keys are
+   *       removed from the specified instance profile.</p>
+   * @public
+   */
+  TagKeys: string[] | undefined;
+}
+
 /**
  * @public
  */
@@ -448,6 +468,10 @@ export interface UpdateRoleRequest {
    *             or the <code>assume-role*</code> CLI operations but does not apply when you use those
    *             operations to create a console URL. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html">Using IAM
    *                 roles</a> in the <i>IAM User Guide</i>.</p>
+   *          <note>
+   *             <p>IAM role credentials provided by Amazon EC2 instances assigned to the role are not
+   *                 subject to the specified maximum session duration.</p>
+   *          </note>
    * @public
    */
   MaxSessionDuration?: number;

clients/client-iam/src/protocols/Aws_query.ts

@@ -623,6 +623,7 @@ import {
   MFADevice,
   NoSuchEntityException,
   OpenIDConnectProviderListEntry,
+  OpenIdIdpCommunicationErrorException,
   OrganizationsDecisionDetail,
   PasswordPolicy,
   PasswordPolicyViolationException,
@@ -685,7 +686,6 @@ import {
   TrackedActionLastAccessed,
   UnmodifiableEntityException,
   UnrecognizedPublicKeyEncodingException,
-  UntagInstanceProfileRequest,
   User,
   UserDetail,
   VirtualMFADevice,
@@ -697,6 +697,7 @@ import {
   InvalidPublicKeyException,
   KeyPairMismatchException,
   MalformedCertificateException,
+  UntagInstanceProfileRequest,
   UntagMFADeviceRequest,
   UntagOpenIDConnectProviderRequest,
   UntagPolicyRequest,
@@ -6429,6 +6430,9 @@ const de_CommandError = async (output: __HttpResponse, context: __SerdeContext):
     case "ConcurrentModification":
     case "com.amazonaws.iam#ConcurrentModificationException":
       throw await de_ConcurrentModificationExceptionRes(parsedOutput, context);
+    case "OpenIdIdpCommunicationError":
+    case "com.amazonaws.iam#OpenIdIdpCommunicationErrorException":
+      throw await de_OpenIdIdpCommunicationErrorExceptionRes(parsedOutput, context);
     case "MalformedPolicyDocument":
     case "com.amazonaws.iam#MalformedPolicyDocumentException":
       throw await de_MalformedPolicyDocumentExceptionRes(parsedOutput, context);
@@ -6791,6 +6795,22 @@ const de_NoSuchEntityExceptionRes = async (
   return __decorateServiceException(exception, body);
 };
 
+/**
+ * deserializeAws_queryOpenIdIdpCommunicationErrorExceptionRes
+ */
+const de_OpenIdIdpCommunicationErrorExceptionRes = async (
+  parsedOutput: any,
+  context: __SerdeContext
+): Promise<OpenIdIdpCommunicationErrorException> => {
+  const body = parsedOutput.body;
+  const deserialized: any = de_OpenIdIdpCommunicationErrorException(body.Error, context);
+  const exception = new OpenIdIdpCommunicationErrorException({
+    $metadata: deserializeMetadata(parsedOutput),
+    ...deserialized,
+  });
+  return __decorateServiceException(exception, body);
+};
+
 /**
  * deserializeAws_queryPasswordPolicyViolationExceptionRes
  */
@@ -12148,6 +12168,20 @@ const de_OpenIDConnectProviderListType = (output: any, context: __SerdeContext):
     });
 };
 
+/**
+ * deserializeAws_queryOpenIdIdpCommunicationErrorException
+ */
+const de_OpenIdIdpCommunicationErrorException = (
+  output: any,
+  context: __SerdeContext
+): OpenIdIdpCommunicationErrorException => {
+  const contents: any = {};
+  if (output[_m] != null) {
+    contents[_m] = __expectString(output[_m]);
+  }
+  return contents;
+};
+
 /**
  * deserializeAws_queryOrganizationsDecisionDetail
  */