@@ -103,15 +103,16 @@ public interface AWSSecurityTokenService {
103103 * "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html"
104104 * >Requesting Temporary Security Credentials</a> and <a href=
105105 * "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison"
106- * >Comparing the STS API operations</a> in the <i>IAM User Guide</i>.
106+ * >Comparing the Amazon Web Services STS API operations</a> in the <i>IAM
107+ * User Guide</i>.
107108 * </p>
108109 * <p>
109110 * <b>Permissions</b>
110111 * </p>
111112 * <p>
112113 * The temporary security credentials created by <code>AssumeRole</code> can
113114 * be used to make API calls to any Amazon Web Services service with the
114- * following exception: You cannot call the STS
115+ * following exception: You cannot call the Amazon Web Services STS
115116 * <code>GetFederationToken</code> or <code>GetSessionToken</code> API
116117 * operations.
117118 * </p>
@@ -134,24 +135,34 @@ public interface AWSSecurityTokenService {
134135 * >Session Policies</a> in the <i>IAM User Guide</i>.
135136 * </p>
136137 * <p>
137- * To assume a role from a different account, your account must be trusted
138- * by the role. The trust relationship is defined in the role's trust policy
139- * when the role is created. That trust policy states which accounts are
140- * allowed to delegate that access to users in the account.
138+ * When you create a role, you create two policies: A role trust policy that
139+ * specifies <i>who</i> can assume the role and a permissions policy that
140+ * specifies <i>what</i> can be done with the role. You specify the trusted
141+ * principal who is allowed to assume the role in the role trust policy.
142+ * </p>
143+ * <p>
144+ * To assume a role from a different account, your Amazon Web Services
145+ * account must be trusted by the role. The trust relationship is defined in
146+ * the role's trust policy when the role is created. That trust policy
147+ * states which accounts are allowed to delegate that access to users in the
148+ * account.
141149 * </p>
142150 * <p>
143151 * A user who wants to access a role in a different account must also have
144152 * permissions that are delegated from the user account administrator. The
145153 * administrator must attach a policy that allows the user to call
146- * <code>AssumeRole</code> for the ARN of the role in the other account. If
147- * the user is in the same account as the role, then you can do either of
148- * the following:
154+ * <code>AssumeRole</code> for the ARN of the role in the other account.
155+ * </p>
156+ * <p>
157+ * To allow a user to assume a role in the same account, you can do either
158+ * of the following:
149159 * </p>
150160 * <ul>
151161 * <li>
152162 * <p>
153- * Attach a policy to the user (identical to the previous user in a
154- * different account).
163+ * Attach a policy to the user that allows the user to call
164+ * <code>AssumeRole</code> (as long as the role's trust policy trusts the
165+ * account).
155166 * </p>
156167 * </li>
157168 * <li>
@@ -161,10 +172,11 @@ public interface AWSSecurityTokenService {
161172 * </li>
162173 * </ul>
163174 * <p>
164- * In this case, the trust policy acts as an IAM resource-based policy.
165- * Users in the same account as the role do not need explicit permission to
166- * assume the role. For more information about trust policies and
167- * resource-based policies, see <a href=
175+ * You can do either because the role’s trust policy acts as an IAM
176+ * resource-based policy. When a resource-based policy grants access to a
177+ * principal in the same account, no additional identity-based policy is
178+ * required. For more information about trust policies and resource-based
179+ * policies, see <a href=
168180 * "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html"
169181 * >IAM Policies</a> in the <i>IAM User Guide</i>.
170182 * </p>
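Review bot: the new line "You can do either because the role’s trust policy acts as an IAM resource-based policy" introduces a typographic apostrophe into the Javadoc source while the rest of the file uses ASCII apostrophes (compare "can't" and "role's" elsewhere in this diff); replace it with a plain ' so the generated text stays ASCII. On substance, the claim that "no additional identity-based policy is required" when the trust policy grants access to a same-account principal sits next to the first list option, which still attaches an AssumeRole policy to the user "as long as the role's trust policy trusts the account". The reconciling detail is that the no-extra-policy case applies only when the trust policy names the user or role itself; a trust policy that trusts the account as a whole still needs the identity-based policy, so state that condition here to avoid readers dropping the user policy when it is still required.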
@@ -253,7 +265,8 @@ AssumeRoleResult assumeRole(AssumeRoleRequest assumeRoleRequest) throws AmazonCl
253265 * "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html"
254266 * >Requesting Temporary Security Credentials</a> and <a href=
255267 * "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison"
256- * >Comparing the STS API operations</a> in the <i>IAM User Guide</i>.
268+ * >Comparing the Amazon Web Services STS API operations</a> in the <i>IAM
269+ * User Guide</i>.
257270 * </p>
258271 * <p>
259272 * The temporary security credentials returned by this operation consist of
@@ -500,7 +513,8 @@ AssumeRoleWithSAMLResult assumeRoleWithSAML(AssumeRoleWithSAMLRequest assumeRole
500513 * "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html"
501514 * >Requesting Temporary Security Credentials</a> and <a href=
502515 * "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison"
503- * >Comparing the STS API operations</a> in the <i>IAM User Guide</i>.
516+ * >Comparing the Amazon Web Services STS API operations</a> in the <i>IAM
517+ * User Guide</i>.
504518 * </p>
505519 * <p>
506520 * The temporary security credentials returned by this API consist of an
@@ -722,10 +736,11 @@ AssumeRoleWithWebIdentityResult assumeRoleWithWebIdentity(
722736 * </note>
723737 * <p>
724738 * The message is encoded because the details of the authorization status
725- * can constitute privileged information that the user who requested the
739+ * can contain privileged information that the user who requested the
726740 * operation should not see. To decode an authorization status message, a
727- * user must be granted permissions via an IAM policy to request the
728- * <code>DecodeAuthorizationMessage</code> (
741+ * user must be granted permissions through an IAM <a href=
742+ * "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html"
743+ * >policy</a> to request the <code>DecodeAuthorizationMessage</code> (
729744 * <code>sts:DecodeAuthorizationMessage</code>) action.
730745 * </p>
731746 * <p>
@@ -877,7 +892,8 @@ GetCallerIdentityResult getCallerIdentity(GetCallerIdentityRequest getCallerIden
877892 * "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html"
878893 * >Requesting Temporary Security Credentials</a> and <a href=
879894 * "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison"
880- * >Comparing the STS API operations</a> in the <i>IAM User Guide</i>.
895+ * >Comparing the Amazon Web Services STS API operations</a> in the <i>IAM
896+ * User Guide</i>.
881897 * </p>
882898 * <note>
883899 * <p>
@@ -909,8 +925,8 @@ GetCallerIdentityResult getCallerIdentity(GetCallerIdentityRequest getCallerIden
909925 * The temporary credentials are valid for the specified duration, from 900
910926 * seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The
911927 * default session duration is 43,200 seconds (12 hours). Temporary
912- * credentials that are obtained by using Amazon Web Services account root
913- * user credentials have a maximum duration of 3,600 seconds (1 hour).
928+ * credentials obtained by using the Amazon Web Services account root user
929+ * credentials have a maximum duration of 3,600 seconds (1 hour).
914930 * </p>
915931 * <p>
916932 * <b>Permissions</b>
@@ -990,90 +1006,6 @@ GetCallerIdentityResult getCallerIdentity(GetCallerIdentityRequest getCallerIden
9901006 * </p>
9911007 * </note>
9921008 * <p>
993- * You can also call <code>GetFederationToken</code> using the security
994- * credentials of an Amazon Web Services account root user, but we do not
995- * recommend it. Instead, we recommend that you create an IAM user for the
996- * purpose of the proxy application. Then attach a policy to the IAM user
997- * that limits federated users to only the actions and resources that they
998- * need to access. For more information, see <a href=
999- * "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html"
1000- * >IAM Best Practices</a> in the <i>IAM User Guide</i>.
1001- * </p>
1002- * <p>
1003- * <b>Session duration</b>
1004- * </p>
1005- * <p>
1006- * The temporary credentials are valid for the specified duration, from 900
1007- * seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The
1008- * default session duration is 43,200 seconds (12 hours). Temporary
1009- * credentials that are obtained by using Amazon Web Services account root
1010- * user credentials have a maximum duration of 3,600 seconds (1 hour).
1011- * </p>
1012- * <p>
1013- * <b>Permissions</b>
1014- * </p>
1015- * <p>
1016- * You can use the temporary credentials created by
1017- * <code>GetFederationToken</code> in any Amazon Web Services service except
1018- * the following:
1019- * </p>
1020- * <ul>
1021- * <li>
1022- * <p>
1023- * You cannot call any IAM operations using the CLI or the Amazon Web
1024- * Services API.
1025- * </p>
1026- * </li>
1027- * <li>
1028- * <p>
1029- * You cannot call any STS operations except <code>GetCallerIdentity</code>.
1030- * </p>
1031- * </li>
1032- * </ul>
1033- * <p>
1034- * You must pass an inline or managed <a href=
1035- * "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session"
1036- * >session policy</a> to this operation. You can pass a single JSON policy
1037- * document to use as an inline session policy. You can also specify up to
1038- * 10 managed policies to use as managed session policies. The plain text
1039- * that you use for both inline and managed session policies can't exceed
1040- * 2,048 characters.
1041- * </p>
1042- * <p>
1043- * Though the session policy parameters are optional, if you do not pass a
1044- * policy, then the resulting federated user session has no permissions.
1045- * When you pass session policies, the session permissions are the
1046- * intersection of the IAM user policies and the session policies that you
1047- * pass. This gives you a way to further restrict the permissions for a
1048- * federated user. You cannot use session policies to grant more permissions
1049- * than those that are defined in the permissions policy of the IAM user.
1050- * For more information, see <a href=
1051- * "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session"
1052- * >Session Policies</a> in the <i>IAM User Guide</i>. For information about
1053- * using <code>GetFederationToken</code> to create temporary security
1054- * credentials, see <a href=
1055- * "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken"
1056- * >GetFederationToken—Federation Through a Custom Identity Broker</a>.
1057- * </p>
1058- * <p>
1059- * You can use the credentials to access a resource that has a
1060- * resource-based policy. If that policy specifically references the
1061- * federated user session in the <code>Principal</code> element of the
1062- * policy, the session has the permissions allowed by the policy. These
1063- * permissions are granted in addition to the permissions granted by the
1064- * session policies.
1065- * </p>
1066- * <p>
1067- * <b>Tags</b>
1068- * </p>
1069- * <p>
1070- * (Optional) You can pass tag key-value pairs to your session. These are
1071- * called session tags. For more information about session tags, see <a
1072- * href=
1073- * "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html"
1074- * >Passing Session Tags in STS</a> in the <i>IAM User Guide</i>.
1075- * </p>
1076- * <p>
10771009 * An administrator must grant you the permissions necessary to pass session
10781010 * tags. The administrator can also create granular permissions to allow you
10791011 * to pass only specific session tags. For more information, see <a href=
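Review bot: this hunk deletes 84 lines of the GetFederationToken Javadoc, and the "Session duration" and "Permissions" paragraphs being removed are identical to the ones edited in the earlier hunk at old lines 909-916, so the deletion looks like de-duplication; please confirm the retained copy also still carries the three security-relevant points that only appear here in the diff: the advice not to call GetFederationToken with root user credentials but to use a dedicated IAM user with a least-privilege policy, the statement that a federated session with no session policy has no permissions at all, and the 2,048 character / 10 managed policy limits. Also check the splice: after the deletion the paragraph "An administrator must grant you the permissions necessary to pass session tags" follows `</note>` directly, so the "Tags" heading and the "(Optional) You can pass tag key-value pairs to your session" introduction must survive in the earlier copy or the phrase "session tags" is introduced without context.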
@@ -1127,7 +1059,8 @@ GetFederationTokenResult getFederationToken(GetFederationTokenRequest getFederat
11271059 * "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html"
11281060 * >Requesting Temporary Security Credentials</a> and <a href=
11291061 * "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison"
1130- * >Comparing the STS API operations</a> in the <i>IAM User Guide</i>.
1062+ * >Comparing the Amazon Web Services STS API operations</a> in the <i>IAM
1063+ * User Guide</i>.
11311064 * </p>
11321065 * <p>
11331066 * <b>Session Duration</b>
@@ -1226,7 +1159,8 @@ GetSessionTokenResult getSessionToken(GetSessionTokenRequest getSessionTokenRequ
12261159 * "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html"
12271160 * >Requesting Temporary Security Credentials</a> and <a href=
12281161 * "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison"
1229- * >Comparing the STS API operations</a> in the <i>IAM User Guide</i>.
1162+ * >Comparing the Amazon Web Services STS API operations</a> in the <i>IAM
1163+ * User Guide</i>.
12301164 * </p>
12311165 * <p>
12321166 * <b>Session Duration</b>