This release introduces the new API 'AssumeRoot', which returns short-term credentials that you can use to perform privileged tasks.

Author: aws-sdk-dotnet-automation

docgenerator/AWSSDKDocSamples/SecurityToken.GeneratedSamples.extra.xml

@@ -57,6 +57,25 @@
             </example>
         </value>
     </doc>
+    <doc>
+        <members>
+            <member name="M:Amazon.SecurityToken.IAmazonSecurityTokenService.AssumeRoot(Amazon.SecurityToken.Model.AssumeRootRequest)" />
+            <member name="M:Amazon.SecurityToken.AmazonSecurityTokenServiceClient.AssumeRoot(Amazon.SecurityToken.Model.AssumeRootRequest)" />
+            <member name="T:Amazon.SecurityToken.Model.AssumeRootRequest" />
+            <member name="T:Amazon.SecurityToken.Model.AssumeRootResponse" />
+        </members>
+        <value>
+            <example>
+                <para>
+                    The following command retrieves a set of short-term credentials you can use to unlock an S3 bucket for a member account by removing the bucket policy.
+                </para>
+                <code
+                    title="To launch a privileged session"
+                    source=".\AWSSDKDocSamples\SecurityToken\SecurityToken.GeneratedSamples.cs"
+                    region="to-launch-a-privileged-session-1731335424565" />
+            </example>
+        </value>
+    </doc>
     <doc>
         <members>
             <member name="M:Amazon.SecurityToken.IAmazonSecurityTokenService.DecodeAuthorizationMessage(Amazon.SecurityToken.Model.DecodeAuthorizationMessageRequest)" />

docgenerator/AWSSDKDocSamples/SecurityToken/SecurityToken.GeneratedSamples.cs

@@ -99,6 +99,24 @@ public void SecurityTokenServiceAssumeRoleWithWebIdentity()
             #endregion
         }
 
+        public void SecurityTokenServiceAssumeRoot()
+        {
+            #region to-launch-a-privileged-session-1731335424565
+
+            var client = new AmazonSecurityTokenServiceClient();
+            var response = client.AssumeRoot(new AssumeRootRequest 
+            {
+                DurationSeconds = 900,
+                TargetPrincipal = "111122223333",
+                TaskPolicyArn = new PolicyDescriptorType { Arn = "arn:aws:iam::aws:policy/root-task/S3UnlockBucketPolicy" }
+            });
+
+            Credentials credentials = response.Credentials;
+            string sourceIdentity = response.SourceIdentity;
+
+            #endregion
+        }
+
         public void SecurityTokenServiceDecodeAuthorizationMessage()
         {
             #region to-decode-information-about-an-authorization-status-of-a-request-1480533854499

generator/ServiceModels/sts/sts-2011-06-15.api.json

@@ -5,12 +5,14 @@
     "endpointPrefix":"sts",
     "globalEndpoint":"sts.amazonaws.com",
     "protocol":"query",
+    "protocols":["query"],
     "serviceAbbreviation":"AWS STS",
     "serviceFullName":"AWS Security Token Service",
     "serviceId":"STS",
     "signatureVersion":"v4",
     "uid":"sts-2011-06-15",
-    "xmlNamespace":"https://sts.amazonaws.com/doc/2011-06-15/"
+    "xmlNamespace":"https://sts.amazonaws.com/doc/2011-06-15/",
+    "auth":["aws.auth#sigv4"]
   },
   "operations":{
     "AssumeRole":{
@@ -72,6 +74,22 @@
         {"shape":"RegionDisabledException"}
       ]
     },
+    "AssumeRoot":{
+      "name":"AssumeRoot",
+      "http":{
+        "method":"POST",
+        "requestUri":"/"
+      },
+      "input":{"shape":"AssumeRootRequest"},
+      "output":{
+        "shape":"AssumeRootResponse",
+        "resultWrapper":"AssumeRootResult"
+      },
+      "errors":[
+        {"shape":"RegionDisabledException"},
+        {"shape":"ExpiredTokenException"}
+      ]
+    },
     "DecodeAuthorizationMessage":{
       "name":"DecodeAuthorizationMessage",
       "http":{
@@ -234,6 +252,25 @@
         "SourceIdentity":{"shape":"sourceIdentityType"}
       }
     },
+    "AssumeRootRequest":{
+      "type":"structure",
+      "required":[
+        "TargetPrincipal",
+        "TaskPolicyArn"
+      ],
+      "members":{
+        "TargetPrincipal":{"shape":"TargetPrincipalType"},
+        "TaskPolicyArn":{"shape":"PolicyDescriptorType"},
+        "DurationSeconds":{"shape":"RootDurationSecondsType"}
+      }
+    },
+    "AssumeRootResponse":{
+      "type":"structure",
+      "members":{
+        "Credentials":{"shape":"Credentials"},
+        "SourceIdentity":{"shape":"sourceIdentityType"}
+      }
+    },
     "AssumedRoleUser":{
       "type":"structure",
       "required":[
@@ -460,6 +497,11 @@
       },
       "exception":true
     },
+    "RootDurationSecondsType":{
+      "type":"integer",
+      "max":900,
+      "min":0
+    },
     "SAMLAssertionType":{
       "type":"string",
       "max":100000,
@@ -479,6 +521,11 @@
         "Value":{"shape":"tagValueType"}
       }
     },
+    "TargetPrincipalType":{
+      "type":"string",
+      "max":2048,
+      "min":12
+    },
     "accessKeyIdType":{
       "type":"string",
       "max":128,

generator/ServiceModels/sts/sts-2011-06-15.docs.json

@@ -125,6 +125,35 @@
         "title": "To assume a role as an OpenID Connect-federated user"
       }
     ],
+    "AssumeRoot": [
+      {
+        "input": {
+          "DurationSeconds": 900,
+          "TargetPrincipal": "111122223333",
+          "TaskPolicyArn": {
+            "arn": "arn:aws:iam::aws:policy/root-task/S3UnlockBucketPolicy"
+          }
+        },
+        "output": {
+          "Credentials": {
+            "AccessKeyId": "ASIAJEXAMPLEXEG2JICEA",
+            "Expiration": "2024-11-15T00:05:07Z",
+            "SecretAccessKey": "9drTJvcXLB89EXAMPLELB8923FB892xMFI",
+            "SessionToken": "AQoXdzELDDY//////////wEaoAK1wvxJY12r2IrDFT2IvAzTCn3zHoZ7YNtpiQLF0MqZye/qwjzP2iEXAMPLEbw/m3hsj8VBTkPORGvr9jM5sgP+w9IZWZnU+LWhmg+a5fDi2oTGUYcdg9uexQ4mtCHIHfi4citgqZTgco40Yqr4lIlo4V2b2Dyauk0eYFNebHtYlFVgAUj+7Indz3LU0aTWk1WKIjHmmMCIoTkyYp/k7kUG7moeEYKSitwQIi6Gjn+nyzM+PtoA3685ixzv0R7i5rjQi0YE0lf1oeie3bDiNHncmzosRM6SFiPzSvp6h/32xQuZsjcypmwsPSDtTPYcs0+YN/8BRi2/IcrxSpnWEXAMPLEXSDFTAQAM6Dl9zR0tXoybnlrZIwMLlMi1Kcgo5OytwU="
+          },
+          "SourceIdentity": "Alice"
+        },
+        "comments": {
+          "input": {
+          },
+          "output": {
+          }
+        },
+        "description": "The following command retrieves a set of short-term credentials you can use to unlock an S3 bucket for a member account by removing the bucket policy.",
+        "id": "to-launch-a-privileged-session-1731335424565",
+        "title": "To launch a privileged session"
+      }
+    ],
     "DecodeAuthorizationMessage": [
       {
         "input": {

generator/ServiceModels/sts/sts-2011-06-15.examples.json

@@ -142,6 +142,22 @@
     <min>6</min>
     <max>255</max>
   </property-value-rule>
+  <property-value-rule>
+    <property>Amazon.SecurityToken.Model.AssumeRootRequest.DurationSeconds</property>
+    <min>0</min>
+    <max>900</max>
+  </property-value-rule>
+  <property-value-rule>
+    <property>Amazon.SecurityToken.Model.AssumeRootRequest.TargetPrincipal</property>
+    <min>12</min>
+    <max>2048</max>
+  </property-value-rule>
+  <property-value-rule>
+    <property>Amazon.SecurityToken.Model.AssumeRootResponse.SourceIdentity</property>
+    <min>2</min>
+    <max>64</max>
+    <pattern>[\w+=,.@-]*</pattern>
+  </property-value-rule>
   <property-value-rule>
     <property>Amazon.SecurityToken.Model.DecodeAuthorizationMessageRequest.EncodedMessage</property>
     <min>1</min>

generator/ServiceModels/sts/sts-2011-06-15.normal.json

@@ -36,8 +36,8 @@ namespace Amazon.SecurityToken.Model
     /// secret access key, and a security token. Typically, you use <c>AssumeRole</c> within
     /// your account or for cross-account access. For a comparison of <c>AssumeRole</c> with
     /// other API operations that produce temporary credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html">Requesting
-    /// Temporary Security Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison">Comparing
-    /// the Amazon Web Services STS API operations</a> in the <i>IAM User Guide</i>.
+    /// Temporary Security Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_sts-comparison.html">Compare
+    /// STS credentials</a> in the <i>IAM User Guide</i>.
     /// 
     ///  
     /// <para>
@@ -52,17 +52,17 @@ namespace Amazon.SecurityToken.Model
     /// </para>
     ///  
     /// <para>
-    /// (Optional) You can pass inline or managed <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">session
-    /// policies</a> to this operation. You can pass a single JSON policy document to use
-    /// as an inline session policy. You can also specify up to 10 managed policy Amazon Resource
-    /// Names (ARNs) to use as managed session policies. The plaintext that you use for both
-    /// inline and managed session policies can't exceed 2,048 characters. Passing policies
-    /// to this operation returns new temporary credentials. The resulting session's permissions
-    /// are the intersection of the role's identity-based policy and the session policies.
-    /// You can use the role's temporary credentials in subsequent Amazon Web Services API
-    /// calls to access resources in the account that owns the role. You cannot use session
-    /// policies to grant more permissions than those allowed by the identity-based policy
-    /// of the role that is being assumed. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">Session
+    /// (Optional) You can pass inline or managed session policies to this operation. You
+    /// can pass a single JSON policy document to use as an inline session policy. You can
+    /// also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed
+    /// session policies. The plaintext that you use for both inline and managed session policies
+    /// can't exceed 2,048 characters. Passing policies to this operation returns new temporary
+    /// credentials. The resulting session's permissions are the intersection of the role's
+    /// identity-based policy and the session policies. You can use the role's temporary credentials
+    /// in subsequent Amazon Web Services API calls to access resources in the account that
+    /// owns the role. You cannot use session policies to grant more permissions than those
+    /// allowed by the identity-based policy of the role that is being assumed. For more information,
+    /// see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">Session
     /// Policies</a> in the <i>IAM User Guide</i>.
     /// </para>
     ///  
@@ -196,8 +196,8 @@ public partial class AssumeRoleRequest : AmazonSecurityTokenServiceRequest
         /// on the maximum session duration setting for your role. However, if you assume a role
         /// using role chaining and provide a <c>DurationSeconds</c> parameter value greater than
         /// one hour, the operation fails. To learn how to view the maximum value for your role,
-        /// see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session">View
-        /// the Maximum Session Duration Setting for a Role</a> in the <i>IAM User Guide</i>.
+        /// see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-role-settings.html#id_roles_update-session-duration">Update
+        /// the maximum session duration for a role</a>.
         /// </para>
         ///  
         /// <para>
@@ -293,7 +293,11 @@ internal bool IsSetExternalId()
         /// The <c>PackedPolicySize</c> response element indicates by percentage how close the
         /// policies and tags for your request are to the upper size limit.
         /// </para>
-        ///  </note>
+        ///  </note> 
+        /// <para>
+        /// For more information about role session permissions, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">Session
+        /// policies</a>.
+        /// </para>
         /// </summary>
         [AWSProperty(Min=1)]
         public string Policy
@@ -419,6 +423,14 @@ internal bool IsSetRoleArn()
         /// </para>
         ///  
         /// <para>
+        /// For security purposes, administrators can view this field in <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html#cloudtrail-integration_signin-tempcreds">CloudTrail
+        /// logs</a> to help identify who performed an action in Amazon Web Services. Your administrator
+        /// might require that you specify your user name as the session name when you assume
+        /// the role. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_rolesessionname">
+        /// <c>sts:RoleSessionName</c> </a>.
+        /// </para>
+        ///  
+        /// <para>
         /// The regex used to validate this parameter is a string of characters consisting of
         /// upper- and lower-case alphanumeric characters with no spaces. You can also include
         /// underscores or any of the following characters: =,.@-
@@ -470,16 +482,18 @@ internal bool IsSetSerialNumber()
         /// Gets and sets the property SourceIdentity. 
         /// <para>
         /// The source identity specified by the principal that is calling the <c>AssumeRole</c>
-        /// operation.
+        /// operation. The source identity value persists across <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#iam-term-role-chaining">chained
+        /// role</a> sessions.
         /// </para>
         ///  
         /// <para>
         /// You can require users to specify a source identity when they assume a role. You do
-        /// this by using the <c>sts:SourceIdentity</c> condition key in a role trust policy.
-        /// You can use source identity information in CloudTrail logs to determine who took actions
-        /// with a role. You can use the <c>aws:SourceIdentity</c> condition key to further control
-        /// access to Amazon Web Services resources based on the value of source identity. For
-        /// more information about using source identity, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html">Monitor
+        /// this by using the <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceidentity">
+        /// <c>sts:SourceIdentity</c> </a> condition key in a role trust policy. You can use source
+        /// identity information in CloudTrail logs to determine who took actions with a role.
+        /// You can use the <c>aws:SourceIdentity</c> condition key to further control access
+        /// to Amazon Web Services resources based on the value of source identity. For more information
+        /// about using source identity, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html">Monitor
         /// and control actions taken with assumed roles</a> in the <i>IAM User Guide</i>.
         /// </para>
         ///  
@@ -599,8 +613,8 @@ internal bool IsSetTokenCode()
         /// </para>
         ///  
         /// <para>
-        /// This parameter is optional. When you set session tags as transitive, the session policy
-        /// and session tags packed binary limit is not affected.
+        /// This parameter is optional. The transitive status of a session tag does not impact
+        /// its packed binary size.
         /// </para>
         ///  
         /// <para>

sdk/code-analysis/ServiceAnalysis/SecurityToken/Generated/PropertyValueRules.xml

@@ -36,8 +36,8 @@ namespace Amazon.SecurityToken.Model
     /// an enterprise identity store or directory to role-based Amazon Web Services access
     /// without user-specific credentials or configuration. For a comparison of <c>AssumeRoleWithSAML</c>
     /// with the other API operations that produce temporary credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html">Requesting
-    /// Temporary Security Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison">Comparing
-    /// the Amazon Web Services STS API operations</a> in the <i>IAM User Guide</i>.
+    /// Temporary Security Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_sts-comparison.html">Compare
+    /// STS credentials</a> in the <i>IAM User Guide</i>.
     /// 
     ///  
     /// <para>
@@ -275,6 +275,11 @@ internal bool IsSetDurationSeconds()
         /// character to the end of the valid character list (\u0020 through \u00FF). It can also
         /// include the tab (\u0009), linefeed (\u000A), and carriage return (\u000D) characters.
         /// </para>
+        ///  
+        /// <para>
+        /// For more information about role session permissions, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">Session
+        /// policies</a>.
+        /// </para>
         ///  <note> 
         /// <para>
         /// An Amazon Web Services conversion compresses the passed inline session policy, managed

sdk/src/Services/SecurityToken/Generated/Model/AssumeRoleRequest.cs

@@ -194,15 +194,17 @@ internal bool IsSetPackedPolicySize()
         /// <summary>
         /// Gets and sets the property SourceIdentity. 
         /// <para>
-        /// The value in the <c>SourceIdentity</c> attribute in the SAML assertion. 
+        /// The value in the <c>SourceIdentity</c> attribute in the SAML assertion. The source
+        /// identity value persists across <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#iam-term-role-chaining">chained
+        /// role</a> sessions.
         /// </para>
         ///  
         /// <para>
         /// You can require users to set a source identity value when they assume a role. You
         /// do this by using the <c>sts:SourceIdentity</c> condition key in a role trust policy.
         /// That way, actions that are taken with the role are associated with that user. After
         /// the source identity is set, the value cannot be changed. It is present in the request
-        /// for all actions that are taken by the role and persists across <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining">chained
+        /// for all actions that are taken by the role and persists across <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts">chained
         /// role</a> sessions. You can configure your SAML identity provider to use an attribute
         /// associated with your users, like user name or email, as the source identity when calling
         /// <c>AssumeRoleWithSAML</c>. You do this by adding an attribute to the SAML assertion.