Added support for App level authentication for QBusiness DataAccessor using AWS IAM Identity center Trusted Token issuer

Author: aws-sdk-dotnet-automation

generator/ServiceModels/qbusiness/qbusiness-2023-11-27.api.json

@@ -1711,6 +1711,7 @@
         },
         "statementId":{"shape":"StatementId"},
         "actions":{"shape":"QIamActions"},
+        "conditions":{"shape":"PermissionConditions"},
         "principal":{"shape":"PrincipalRoleArn"}
       }
     },
@@ -2474,6 +2475,7 @@
           "idempotencyToken":true
         },
         "displayName":{"shape":"DataAccessorName"},
+        "authenticationDetail":{"shape":"DataAccessorAuthenticationDetail"},
         "tags":{"shape":"Tags"}
       }
     },
@@ -2770,6 +2772,7 @@
         "dataAccessorArn":{"shape":"DataAccessorArn"},
         "idcApplicationArn":{"shape":"IdcApplicationArn"},
         "principal":{"shape":"PrincipalRoleArn"},
+        "authenticationDetail":{"shape":"DataAccessorAuthenticationDetail"},
         "createdAt":{"shape":"Timestamp"},
         "updatedAt":{"shape":"Timestamp"}
       }
@@ -2780,12 +2783,54 @@
       "min":0,
       "pattern":"arn:[a-z0-9-\\.]{1,63}:[a-z0-9-\\.]{0,63}:[a-z0-9-\\.]{0,63}:[a-z0-9-\\.]{0,63}:[^/].{0,1023}"
     },
+    "DataAccessorAuthenticationConfiguration":{
+      "type":"structure",
+      "members":{
+        "idcTrustedTokenIssuerConfiguration":{"shape":"DataAccessorIdcTrustedTokenIssuerConfiguration"}
+      },
+      "union":true
+    },
+    "DataAccessorAuthenticationDetail":{
+      "type":"structure",
+      "required":["authenticationType"],
+      "members":{
+        "authenticationType":{"shape":"DataAccessorAuthenticationType"},
+        "authenticationConfiguration":{"shape":"DataAccessorAuthenticationConfiguration"},
+        "externalIds":{"shape":"DataAccessorExternalIds"}
+      }
+    },
+    "DataAccessorAuthenticationType":{
+      "type":"string",
+      "enum":[
+        "AWS_IAM_IDC_TTI",
+        "AWS_IAM_IDC_AUTH_CODE"
+      ]
+    },
+    "DataAccessorExternalId":{
+      "type":"string",
+      "max":1000,
+      "min":1,
+      "pattern":"[a-zA-Z0-9][a-zA-Z0-9_-]*"
+    },
+    "DataAccessorExternalIds":{
+      "type":"list",
+      "member":{"shape":"DataAccessorExternalId"},
+      "max":1,
+      "min":1
+    },
     "DataAccessorId":{
       "type":"string",
       "max":36,
       "min":36,
       "pattern":"[a-zA-Z0-9][a-zA-Z0-9-]{35}"
     },
+    "DataAccessorIdcTrustedTokenIssuerConfiguration":{
+      "type":"structure",
+      "required":["idcTrustedTokenIssuerArn"],
+      "members":{
+        "idcTrustedTokenIssuerArn":{"shape":"IdcTrustedTokenIssuerArn"}
+      }
+    },
     "DataAccessorName":{
       "type":"string",
       "max":100,
@@ -3716,6 +3761,7 @@
         "idcApplicationArn":{"shape":"IdcApplicationArn"},
         "principal":{"shape":"PrincipalRoleArn"},
         "actionConfigurations":{"shape":"ActionConfigurationList"},
+        "authenticationDetail":{"shape":"DataAccessorAuthenticationDetail"},
         "createdAt":{"shape":"Timestamp"},
         "updatedAt":{"shape":"Timestamp"}
       }
@@ -4134,6 +4180,12 @@
         "roleArn":{"shape":"RoleArn"}
       }
     },
+    "IdcTrustedTokenIssuerArn":{
+      "type":"string",
+      "max":1284,
+      "min":0,
+      "pattern":"arn:aws:sso::[0-9]{12}:trustedTokenIssuer/(sso)?ins-[a-zA-Z0-9-.]{16}/tti-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
+    },
     "IdentityProviderConfiguration":{
       "type":"structure",
       "members":{
@@ -5276,6 +5328,45 @@
       "type":"string",
       "sensitive":true
     },
+    "PermissionCondition":{
+      "type":"structure",
+      "required":[
+        "conditionOperator",
+        "conditionKey",
+        "conditionValues"
+      ],
+      "members":{
+        "conditionOperator":{"shape":"PermissionConditionOperator"},
+        "conditionKey":{"shape":"PermissionConditionKey"},
+        "conditionValues":{"shape":"PermissionConditionValues"}
+      }
+    },
+    "PermissionConditionKey":{
+      "type":"string",
+      "pattern":"aws:PrincipalTag/qbusiness-dataaccessor:[a-zA-Z]+.*"
+    },
+    "PermissionConditionOperator":{
+      "type":"string",
+      "enum":["StringEquals"]
+    },
+    "PermissionConditionValue":{
+      "type":"string",
+      "max":1000,
+      "min":1,
+      "pattern":"[a-zA-Z0-9][a-zA-Z0-9_-]*"
+    },
+    "PermissionConditionValues":{
+      "type":"list",
+      "member":{"shape":"PermissionConditionValue"},
+      "max":1,
+      "min":1
+    },
+    "PermissionConditions":{
+      "type":"list",
+      "member":{"shape":"PermissionCondition"},
+      "max":10,
+      "min":1
+    },
     "PersonalizationConfiguration":{
       "type":"structure",
       "required":["personalizationControlMode"],
@@ -6304,6 +6395,7 @@
           "locationName":"dataAccessorId"
         },
         "actionConfigurations":{"shape":"ActionConfigurationList"},
+        "authenticationDetail":{"shape":"DataAccessorAuthenticationDetail"},
         "displayName":{"shape":"DataAccessorName"}
       }
     },

generator/ServiceModels/qbusiness/qbusiness-2023-11-27.docs.json

@@ -1062,6 +1062,39 @@
         "GetDataAccessorResponse$dataAccessorArn": "<p>The Amazon Resource Name (ARN) of the data accessor.</p>"
       }
     },
+    "DataAccessorAuthenticationConfiguration": {
+      "base": "<p>A union type that contains the specific authentication configuration based on the authentication type selected.</p>",
+      "refs": {
+        "DataAccessorAuthenticationDetail$authenticationConfiguration": "<p>The specific authentication configuration based on the authentication type.</p>"
+      }
+    },
+    "DataAccessorAuthenticationDetail": {
+      "base": "<p>Contains the authentication configuration details for a data accessor. This structure defines how the ISV authenticates when accessing data through the data accessor.</p>",
+      "refs": {
+        "CreateDataAccessorRequest$authenticationDetail": "<p>The authentication configuration details for the data accessor. This specifies how the ISV will authenticate when accessing data through this data accessor.</p>",
+        "DataAccessor$authenticationDetail": "<p>The authentication configuration details for the data accessor. This specifies how the ISV authenticates when accessing data through this data accessor.</p>",
+        "GetDataAccessorResponse$authenticationDetail": "<p>The authentication configuration details for the data accessor. This specifies how the ISV authenticates when accessing data through this data accessor.</p>",
+        "UpdateDataAccessorRequest$authenticationDetail": "<p>The updated authentication configuration details for the data accessor. This specifies how the ISV will authenticate when accessing data through this data accessor.</p>"
+      }
+    },
+    "DataAccessorAuthenticationType": {
+      "base": "<p>The type of authentication mechanism used by the data accessor.</p>",
+      "refs": {
+        "DataAccessorAuthenticationDetail$authenticationType": "<p>The type of authentication to use for the data accessor. This determines how the ISV authenticates when accessing data. You can use one of two authentication types:</p> <ul> <li> <p> <code>AWS_IAM_IDC_TTI</code> - Authentication using IAM Identity Center Trusted Token Issuer (TTI). This authentication type allows the ISV to use a trusted token issuer to generate tokens for accessing the data.</p> </li> <li> <p> <code>AWS_IAM_IDC_AUTH_CODE</code> - Authentication using IAM Identity Center authorization code flow. This authentication type uses the standard OAuth 2.0 authorization code flow for authentication.</p> </li> </ul>"
+      }
+    },
+    "DataAccessorExternalId": {
+      "base": null,
+      "refs": {
+        "DataAccessorExternalIds$member": null
+      }
+    },
+    "DataAccessorExternalIds": {
+      "base": null,
+      "refs": {
+        "DataAccessorAuthenticationDetail$externalIds": "<p>A list of external identifiers associated with this authentication configuration. These are used to correlate the data accessor with external systems.</p>"
+      }
+    },
     "DataAccessorId": {
       "base": null,
       "refs": {
@@ -1073,6 +1106,12 @@
         "UpdateDataAccessorRequest$dataAccessorId": "<p>The unique identifier of the data accessor to update.</p>"
       }
     },
+    "DataAccessorIdcTrustedTokenIssuerConfiguration": {
+      "base": "<p>Configuration details for IAM Identity Center Trusted Token Issuer (TTI) authentication.</p>",
+      "refs": {
+        "DataAccessorAuthenticationConfiguration$idcTrustedTokenIssuerConfiguration": "<p>Configuration for IAM Identity Center Trusted Token Issuer (TTI) authentication used when the authentication type is <code>AWS_IAM_IDC_TTI</code>.</p>"
+      }
+    },
     "DataAccessorName": {
       "base": null,
       "refs": {
@@ -1918,6 +1957,12 @@
         "PluginAuthConfiguration$idcAuthConfiguration": "<p>Information about the IAM Identity Center Application used to configure authentication for a plugin.</p>"
       }
     },
+    "IdcTrustedTokenIssuerArn": {
+      "base": null,
+      "refs": {
+        "DataAccessorIdcTrustedTokenIssuerConfiguration$idcTrustedTokenIssuerArn": "<p>The Amazon Resource Name (ARN) of the IAM Identity Center Trusted Token Issuer that will be used for authentication.</p>"
+      }
+    },
     "IdentityProviderConfiguration": {
       "base": "<p>Provides information about the identity provider (IdP) used to authenticate end users of an Amazon Q Business web experience.</p>",
       "refs": {
@@ -2111,7 +2156,7 @@
     "LambdaArn": {
       "base": null,
       "refs": {
-        "HookConfiguration$lambdaArn": "<p>The Amazon Resource Name (ARN) of the Lambda function sduring ingestion. For more information, see <a href=\"https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/cde-lambda-operations.html\">Using Lambda functions for Amazon Q Business document enrichment</a>.</p>"
+        "HookConfiguration$lambdaArn": "<p>The Amazon Resource Name (ARN) of the Lambda function during ingestion. For more information, see <a href=\"https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/cde-lambda-operations.html\">Using Lambda functions for Amazon Q Business document enrichment</a>.</p>"
       }
     },
     "LicenseNotFoundException": {
@@ -2696,6 +2741,42 @@
         "APISchema$payload": "<p>The JSON or YAML-formatted payload defining the OpenAPI schema for a custom plugin. </p>"
       }
     },
+    "PermissionCondition": {
+      "base": "<p>Defines a condition that restricts when a permission is effective. Conditions allow you to control access based on specific attributes of the request.</p>",
+      "refs": {
+        "PermissionConditions$member": null
+      }
+    },
+    "PermissionConditionKey": {
+      "base": null,
+      "refs": {
+        "PermissionCondition$conditionKey": "<p>The key for the condition. This identifies the attribute that the condition applies to.</p>"
+      }
+    },
+    "PermissionConditionOperator": {
+      "base": null,
+      "refs": {
+        "PermissionCondition$conditionOperator": "<p>The operator to use for the condition evaluation. This determines how the condition values are compared.</p>"
+      }
+    },
+    "PermissionConditionValue": {
+      "base": null,
+      "refs": {
+        "PermissionConditionValues$member": null
+      }
+    },
+    "PermissionConditionValues": {
+      "base": null,
+      "refs": {
+        "PermissionCondition$conditionValues": "<p>The values to compare against using the specified condition operator.</p>"
+      }
+    },
+    "PermissionConditions": {
+      "base": null,
+      "refs": {
+        "AssociatePermissionRequest$conditions": "<p>The conditions that restrict when the permission is effective. These conditions can be used to limit the permission based on specific attributes of the request.</p>"
+      }
+    },
     "PersonalizationConfiguration": {
       "base": "<p>Configuration information about chat response personalization. For more information, see <a href=\"https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/personalizing-chat-responses.html\">Personalizing chat responses</a>.</p>",
       "refs": {