feat(client-iam): This release adds support for accepting encrypted SAML assertions. Customers can now configure their identity provider to encrypt the SAML assertions it sends to IAM.

Author: awstools

clients/client-iam/src/commands/AddRoleToInstanceProfileCommand.ts

@@ -38,6 +38,13 @@ export interface AddRoleToInstanceProfileCommandOutput extends __MetadataBearer
  *             <p>The caller of this operation must be granted the <code>PassRole</code> permission
  *                 on the IAM role by a permissions policy.</p>
  *          </note>
+ *          <important>
+ *             <p>When using the <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#available-keys-for-iam">iam:AssociatedResourceArn</a> condition in a policy to restrict the <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html">PassRole</a> IAM action, special considerations apply if the policy is
+ *                 intended to define access for the <code>AddRoleToInstanceProfile</code> action. In
+ *                 this case, you cannot specify a Region or instance ID in the EC2 instance ARN. The
+ *                 ARN value must be <code>arn:aws:ec2:*:CallerAccountId:instance/*</code>. Using any
+ *                 other ARN value may lead to unexpected evaluation results.</p>
+ *          </important>
  *          <p> For more information about roles, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html">IAM roles</a> in the
  *                 <i>IAM User Guide</i>. For more information about instance profiles,
  *             see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html">Using

clients/client-iam/src/commands/CreateSAMLProviderCommand.ts

@@ -6,7 +6,11 @@ import { MetadataBearer as __MetadataBearer } from "@smithy/types";
 
 import { commonParams } from "../endpoint/EndpointParameters";
 import { IAMClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../IAMClient";
-import { CreateSAMLProviderRequest, CreateSAMLProviderResponse } from "../models/models_0";
+import {
+  CreateSAMLProviderRequest,
+  CreateSAMLProviderRequestFilterSensitiveLog,
+  CreateSAMLProviderResponse,
+} from "../models/models_0";
 import { de_CreateSAMLProviderCommand, se_CreateSAMLProviderCommand } from "../protocols/Aws_query";
 
 /**
@@ -61,6 +65,8 @@ export interface CreateSAMLProviderCommandOutput extends CreateSAMLProviderRespo
  *       Value: "STRING_VALUE", // required
  *     },
  *   ],
+ *   AssertionEncryptionMode: "Required" || "Allowed",
+ *   AddPrivateKey: "STRING_VALUE",
  * };
  * const command = new CreateSAMLProviderCommand(input);
  * const response = await client.send(command);
@@ -124,7 +130,7 @@ export class CreateSAMLProviderCommand extends $Command
   })
   .s("AWSIdentityManagementV20100508", "CreateSAMLProvider", {})
   .n("IAMClient", "CreateSAMLProviderCommand")
-  .f(void 0, void 0)
+  .f(CreateSAMLProviderRequestFilterSensitiveLog, void 0)
   .ser(se_CreateSAMLProviderCommand)
   .de(de_CreateSAMLProviderCommand)
   .build() {

clients/client-iam/src/commands/DisableOrganizationsRootCredentialsManagementCommand.ts

@@ -39,7 +39,7 @@ export interface DisableOrganizationsRootCredentialsManagementCommandOutput
 /**
  * <p>Disables the management of privileged root user credentials across member accounts in
  *             your organization. When you disable this feature, the management account and the
- *             delegated admininstrator for IAM can no longer manage root user credentials for member
+ *             delegated administrator for IAM can no longer manage root user credentials for member
  *             accounts in your organization.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
@@ -76,7 +76,7 @@ export interface DisableOrganizationsRootCredentialsManagementCommandOutput
  * @throws {@link OrganizationNotInAllFeaturesModeException} (client fault)
  *  <p>The request was rejected because your organization does not have All features enabled. For
  *       more information, see <a href="https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set">Available feature sets</a> in the <i>Organizations User
- *       Guide</i>.</p>
+ *           Guide</i>.</p>
  *
  * @throws {@link ServiceAccessNotEnabledException} (client fault)
  *  <p>The request was rejected because trusted access is not enabled for IAM in Organizations. For details, see IAM and Organizations in the <i>Organizations User Guide</i>.</p>

clients/client-iam/src/commands/DisableOrganizationsRootSessionsCommand.ts

@@ -35,7 +35,7 @@ export interface DisableOrganizationsRootSessionsCommandOutput
 /**
  * <p>Disables root user sessions for privileged tasks across member accounts in your
  *             organization. When you disable this feature, the management account and the delegated
- *             admininstrator for IAM can no longer perform privileged tasks on member accounts in
+ *             administrator for IAM can no longer perform privileged tasks on member accounts in
  *             your organization.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
@@ -72,7 +72,7 @@ export interface DisableOrganizationsRootSessionsCommandOutput
  * @throws {@link OrganizationNotInAllFeaturesModeException} (client fault)
  *  <p>The request was rejected because your organization does not have All features enabled. For
  *       more information, see <a href="https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set">Available feature sets</a> in the <i>Organizations User
- *       Guide</i>.</p>
+ *           Guide</i>.</p>
  *
  * @throws {@link ServiceAccessNotEnabledException} (client fault)
  *  <p>The request was rejected because trusted access is not enabled for IAM in Organizations. For details, see IAM and Organizations in the <i>Organizations User Guide</i>.</p>

clients/client-iam/src/commands/EnableOrganizationsRootCredentialsManagementCommand.ts

@@ -39,7 +39,7 @@ export interface EnableOrganizationsRootCredentialsManagementCommandOutput
 /**
  * <p>Enables the management of privileged root user credentials across member accounts in your
  *             organization. When you enable root credentials management for <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user-access-management">centralized root access</a>, the management account and the delegated
- *             admininstrator for IAM can manage root user credentials for member accounts in your
+ *             administrator for IAM can manage root user credentials for member accounts in your
  *             organization.</p>
  *          <p>Before you enable centralized root access, you must have an account configured with
  *             the following settings:</p>
@@ -49,7 +49,7 @@ export interface EnableOrganizationsRootCredentialsManagementCommandOutput
  *             </li>
  *             <li>
  *                <p>Enable trusted access for Identity and Access Management in Organizations. For details, see
- *                         <a href="https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-ra.html">IAM and Organizations</a> in the <i>Organizations User
+ *                         <a href="https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-iam.html">IAM and Organizations</a> in the <i>Organizations User
  *                         Guide</i>.</p>
  *             </li>
  *          </ul>
@@ -92,7 +92,7 @@ export interface EnableOrganizationsRootCredentialsManagementCommandOutput
  * @throws {@link OrganizationNotInAllFeaturesModeException} (client fault)
  *  <p>The request was rejected because your organization does not have All features enabled. For
  *       more information, see <a href="https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set">Available feature sets</a> in the <i>Organizations User
- *       Guide</i>.</p>
+ *           Guide</i>.</p>
  *
  * @throws {@link ServiceAccessNotEnabledException} (client fault)
  *  <p>The request was rejected because trusted access is not enabled for IAM in Organizations. For details, see IAM and Organizations in the <i>Organizations User Guide</i>.</p>

clients/client-iam/src/commands/EnableOrganizationsRootSessionsCommand.ts

@@ -87,7 +87,7 @@ export interface EnableOrganizationsRootSessionsCommandOutput
  * @throws {@link OrganizationNotInAllFeaturesModeException} (client fault)
  *  <p>The request was rejected because your organization does not have All features enabled. For
  *       more information, see <a href="https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set">Available feature sets</a> in the <i>Organizations User
- *       Guide</i>.</p>
+ *           Guide</i>.</p>
  *
  * @throws {@link ServiceAccessNotEnabledException} (client fault)
  *  <p>The request was rejected because trusted access is not enabled for IAM in Organizations. For details, see IAM and Organizations in the <i>Organizations User Guide</i>.</p>

clients/client-iam/src/commands/GetCredentialReportCommand.ts

@@ -58,7 +58,7 @@ export interface GetCredentialReportCommandOutput extends GetCredentialReportRes
  *  <p>The request was rejected because the most recent credential report has expired. To
  *       generate a new credential report, use <a>GenerateCredentialReport</a>. For more
  *       information about credential report expiration, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/credential-reports.html">Getting credential reports</a> in the
- *         <i>IAM User Guide</i>.</p>
+ *       <i>IAM User Guide</i>.</p>
  *
  * @throws {@link CredentialReportNotPresentException} (client fault)
  *  <p>The request was rejected because the credential report does not exist. To generate a

clients/client-iam/src/commands/GetSAMLProviderCommand.ts

@@ -45,6 +45,7 @@ export interface GetSAMLProviderCommandOutput extends GetSAMLProviderResponse, _
  * const command = new GetSAMLProviderCommand(input);
  * const response = await client.send(command);
  * // { // GetSAMLProviderResponse
+ * //   SAMLProviderUUID: "STRING_VALUE",
  * //   SAMLMetadataDocument: "STRING_VALUE",
  * //   CreateDate: new Date("TIMESTAMP"),
  * //   ValidUntil: new Date("TIMESTAMP"),
@@ -54,6 +55,13 @@ export interface GetSAMLProviderCommandOutput extends GetSAMLProviderResponse, _
  * //       Value: "STRING_VALUE", // required
  * //     },
  * //   ],
+ * //   AssertionEncryptionMode: "Required" || "Allowed",
+ * //   PrivateKeyList: [ // privateKeyList
+ * //     { // SAMLPrivateKey
+ * //       KeyId: "STRING_VALUE",
+ * //       Timestamp: new Date("TIMESTAMP"),
+ * //     },
+ * //   ],
  * // };
  *
  * ```

clients/client-iam/src/commands/ListAccountAliasesCommand.ts

@@ -29,9 +29,9 @@ export interface ListAccountAliasesCommandOutput extends ListAccountAliasesRespo
 
 /**
  * <p>Lists the account alias associated with the Amazon Web Services account (Note: you can have only
- *             one). For information about using an Amazon Web Services account alias, see <a href="https://docs.aws.amazon.com/signin/latest/userguide/CreateAccountAlias.html">Creating,
- *                 deleting, and listing an Amazon Web Services account alias</a> in the <i>Amazon Web Services Sign-In
- *                 User Guide</i>.</p>
+ *             one). For information about using an Amazon Web Services account alias, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html#CreateAccountAlias">Creating,
+ *                 deleting, and listing an Amazon Web Services account alias</a> in the
+ *                 <i>IAM User Guide</i>.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript

clients/client-iam/src/commands/ListOrganizationsFeaturesCommand.ts

@@ -65,7 +65,7 @@ export interface ListOrganizationsFeaturesCommandOutput extends ListOrganization
  * @throws {@link OrganizationNotInAllFeaturesModeException} (client fault)
  *  <p>The request was rejected because your organization does not have All features enabled. For
  *       more information, see <a href="https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set">Available feature sets</a> in the <i>Organizations User
- *       Guide</i>.</p>
+ *           Guide</i>.</p>
  *
  * @throws {@link ServiceAccessNotEnabledException} (client fault)
  *  <p>The request was rejected because trusted access is not enabled for IAM in Organizations. For details, see IAM and Organizations in the <i>Organizations User Guide</i>.</p>

clients/client-iam/src/commands/UpdateSAMLProviderCommand.ts

@@ -6,7 +6,11 @@ import { MetadataBearer as __MetadataBearer } from "@smithy/types";
 
 import { commonParams } from "../endpoint/EndpointParameters";
 import { IAMClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../IAMClient";
-import { UpdateSAMLProviderRequest, UpdateSAMLProviderResponse } from "../models/models_1";
+import {
+  UpdateSAMLProviderRequest,
+  UpdateSAMLProviderRequestFilterSensitiveLog,
+  UpdateSAMLProviderResponse,
+} from "../models/models_1";
 import { de_UpdateSAMLProviderCommand, se_UpdateSAMLProviderCommand } from "../protocols/Aws_query";
 
 /**
@@ -28,19 +32,21 @@ export interface UpdateSAMLProviderCommandInput extends UpdateSAMLProviderReques
 export interface UpdateSAMLProviderCommandOutput extends UpdateSAMLProviderResponse, __MetadataBearer {}
 
 /**
- * <p>Updates the metadata document for an existing SAML provider resource object.</p>
- *          <note>
- *             <p>This operation requires <a href="https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html">Signature Version 4</a>.</p>
- *          </note>
+ * <p>Updates the metadata document, SAML encryption settings, and private keys for an
+ *             existing SAML provider. To rotate private keys, add your new private key and then remove
+ *             the old key in a separate request.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript
  * import { IAMClient, UpdateSAMLProviderCommand } from "@aws-sdk/client-iam"; // ES Modules import
  * // const { IAMClient, UpdateSAMLProviderCommand } = require("@aws-sdk/client-iam"); // CommonJS import
  * const client = new IAMClient(config);
  * const input = { // UpdateSAMLProviderRequest
- *   SAMLMetadataDocument: "STRING_VALUE", // required
+ *   SAMLMetadataDocument: "STRING_VALUE",
  *   SAMLProviderArn: "STRING_VALUE", // required
+ *   AssertionEncryptionMode: "Required" || "Allowed",
+ *   AddPrivateKey: "STRING_VALUE",
+ *   RemovePrivateKey: "STRING_VALUE",
  * };
  * const command = new UpdateSAMLProviderCommand(input);
  * const response = await client.send(command);
@@ -94,7 +100,7 @@ export class UpdateSAMLProviderCommand extends $Command
   })
   .s("AWSIdentityManagementV20100508", "UpdateSAMLProvider", {})
   .n("IAMClient", "UpdateSAMLProviderCommand")
-  .f(void 0, void 0)
+  .f(UpdateSAMLProviderRequestFilterSensitiveLog, void 0)
   .ser(se_UpdateSAMLProviderCommand)
   .de(de_UpdateSAMLProviderCommand)
   .build() {