diff --git a/.changes/1.35.79.json b/.changes/1.35.79.json
new file mode 100644
index 0000000000..309912d527
--- /dev/null
+++ b/.changes/1.35.79.json
@@ -0,0 +1,42 @@
+[
+ {
+ "category": "``artifact``",
+ "description": "Add support for listing active customer agreements for the calling AWS Account.",
+ "type": "api-change"
+ },
+ {
+ "category": "``cloudtrail``",
+ "description": "Doc-only updates for CloudTrail.",
+ "type": "api-change"
+ },
+ {
+ "category": "``cognito-idp``",
+ "description": "Updated descriptions for some API operations and parameters, corrected some errors in Cognito user pools",
+ "type": "api-change"
+ },
+ {
+ "category": "``controlcatalog``",
+ "description": "Minor documentation updates to the content of ImplementationDetails object part of the Control Catalog GetControl API",
+ "type": "api-change"
+ },
+ {
+ "category": "``emr-serverless``",
+ "description": "This release adds support for accessing system profile logs in Lake Formation-enabled jobs.",
+ "type": "api-change"
+ },
+ {
+ "category": "``mgh``",
+ "description": "API and documentation updates for AWS MigrationHub related to adding support for listing migration task updates and associating, disassociating and listing source resources",
+ "type": "api-change"
+ },
+ {
+ "category": "``sesv2``",
+ "description": "Introduces support for multi-region endpoint.",
+ "type": "api-change"
+ },
+ {
+ "category": "``timestream-influxdb``",
+ "description": "Adds networkType parameter to CreateDbInstance API which allows IPv6 support to the InfluxDB endpoint",
+ "type": "api-change"
+ }
+]
\ No newline at end of file
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index c6ee9ba669..d0acd1cd8a 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -2,6 +2,19 @@ CHANGELOG ========= +1.35.79 +======= + +* api-change:``artifact``: Add support for listing active customer agreements for the calling AWS Account. +* api-change:``cloudtrail``: Doc-only updates for CloudTrail. +* api-change:``cognito-idp``: Updated descriptions for some API operations and parameters, corrected some errors in Cognito user pools +* api-change:``controlcatalog``: Minor documentation updates to the content of ImplementationDetails object part of the Control Catalog GetControl API +* api-change:``emr-serverless``: This release adds support for accessing system profile logs in Lake Formation-enabled jobs. +* api-change:``mgh``: API and documentation updates for AWS MigrationHub related to adding support for listing migration task updates and associating, disassociating and listing source resources +* api-change:``sesv2``: Introduces support for multi-region endpoint. +* api-change:``timestream-influxdb``: Adds networkType parameter to CreateDbInstance API which allows IPv6 support to the InfluxDB endpoint + + 1.35.78 ======= diff --git a/botocore/__init__.py b/botocore/__init__.py index d4da138ff5..238f428f26 100644 --- a/botocore/__init__.py +++ b/botocore/__init__.py @@ -16,7 +16,7 @@ import os import re -__version__ = '1.35.78' +__version__ = '1.35.79' class NullHandler(logging.Handler): diff --git a/botocore/data/artifact/2018-05-10/paginators-1.json b/botocore/data/artifact/2018-05-10/paginators-1.json index f8c8514425..ba4271a9e5 100644 --- a/botocore/data/artifact/2018-05-10/paginators-1.json +++ b/botocore/data/artifact/2018-05-10/paginators-1.json @@ -5,6 +5,12 @@ "output_token": "nextToken", "limit_key": "maxResults", "result_key": "reports" + }, + "ListCustomerAgreements": { + "input_token": "nextToken", + "output_token": "nextToken", + "limit_key": "maxResults", + "result_key": "customerAgreements" } } } 
diff --git a/botocore/data/artifact/2018-05-10/service-2.json b/botocore/data/artifact/2018-05-10/service-2.json index 21144648ac..f7b10da971 100644 --- a/botocore/data/artifact/2018-05-10/service-2.json +++ b/botocore/data/artifact/2018-05-10/service-2.json @@ -92,6 +92,23 @@ ], "documentation":"
Get the Term content associated with a single report.
" }, + "ListCustomerAgreements":{ + "name":"ListCustomerAgreements", + "http":{ + "method":"GET", + "requestUri":"/v1/customer-agreement/list", + "responseCode":200 + }, + "input":{"shape":"ListCustomerAgreementsRequest"}, + "output":{"shape":"ListCustomerAgreementsResponse"}, + "errors":[ + {"shape":"ThrottlingException"}, + {"shape":"AccessDeniedException"}, + {"shape":"InternalServerException"}, + {"shape":"ValidationException"} + ], + "documentation":"List active customer-agreements applicable to calling identity.
" + }, "ListReports":{ "name":"ListReports", "http":{ @@ -164,6 +181,20 @@ }, "documentation":"Account settings for the customer.
" }, + "AgreementTerms":{ + "type":"list", + "member":{"shape":"LongStringAttribute"}, + "max":10, + "min":0 + }, + "AgreementType":{ + "type":"string", + "enum":[ + "CUSTOM", + "DEFAULT", + "MODIFIED" + ] + }, "ConflictException":{ "type":"structure", "required":[ @@ -189,6 +220,80 @@ }, "exception":true }, + "CustomerAgreementIdAttribute":{ + "type":"string", + "pattern":"customer-agreement-[a-zA-Z0-9]{16}" + }, + "CustomerAgreementList":{ + "type":"list", + "member":{"shape":"CustomerAgreementSummary"} + }, + "CustomerAgreementState":{ + "type":"string", + "enum":[ + "ACTIVE", + "CUSTOMER_TERMINATED", + "AWS_TERMINATED" + ] + }, + "CustomerAgreementSummary":{ + "type":"structure", + "members":{ + "name":{ + "shape":"LongStringAttribute", + "documentation":"Name of the customer-agreement resource.
" + }, + "arn":{ + "shape":"LongStringAttribute", + "documentation":"ARN of the customer-agreement resource.
" + }, + "id":{ + "shape":"CustomerAgreementIdAttribute", + "documentation":"Identifier of the customer-agreement resource.
" + }, + "agreementArn":{ + "shape":"LongStringAttribute", + "documentation":"ARN of the agreement resource the customer-agreement resource represents.
" + }, + "awsAccountId":{ + "shape":"ShortStringAttribute", + "documentation":"AWS account Id that owns the resource.
" + }, + "organizationArn":{ + "shape":"LongStringAttribute", + "documentation":"ARN of the organization that owns the resource.
" + }, + "effectiveStart":{ + "shape":"TimestampAttribute", + "documentation":"Timestamp indicating when the agreement became effective.
" + }, + "effectiveEnd":{ + "shape":"TimestampAttribute", + "documentation":"Timestamp indicating when the agreement was terminated.
" + }, + "state":{ + "shape":"CustomerAgreementState", + "documentation":"State of the resource.
" + }, + "description":{ + "shape":"LongStringAttribute", + "documentation":"Description of the resource.
" + }, + "acceptanceTerms":{ + "shape":"AgreementTerms", + "documentation":"Terms required to accept the agreement resource.
" + }, + "terminateTerms":{ + "shape":"AgreementTerms", + "documentation":"Terms required to terminate the customer-agreement resource.
" + }, + "type":{ + "shape":"AgreementType", + "documentation":"Type of the customer-agreement resource.
" + } + }, + "documentation":"Summary for customer-agreement resource.
" + }, "GetAccountSettingsRequest":{ "type":"structure", "members":{ @@ -326,6 +431,37 @@ "fault":true, "retryable":{"throttling":false} }, + "ListCustomerAgreementsRequest":{ + "type":"structure", + "members":{ + "maxResults":{ + "shape":"MaxResultsAttribute", + "documentation":"Maximum number of resources to return in the paginated response.
", + "location":"querystring", + "locationName":"maxResults" + }, + "nextToken":{ + "shape":"NextTokenAttribute", + "documentation":"Pagination token to request the next page of resources.
", + "location":"querystring", + "locationName":"nextToken" + } + } + }, + "ListCustomerAgreementsResponse":{ + "type":"structure", + "required":["customerAgreements"], + "members":{ + "customerAgreements":{ + "shape":"CustomerAgreementList", + "documentation":"List of customer-agreement resources.
" + }, + "nextToken":{ + "shape":"NextTokenAttribute", + "documentation":"Pagination token to request the next page of resources.
" + } + } + }, "ListReportsRequest":{ "type":"structure", "members":{ diff --git a/botocore/data/cloudtrail/2013-11-01/service-2.json b/botocore/data/cloudtrail/2013-11-01/service-2.json index c40007a132..524d093523 100644 --- a/botocore/data/cloudtrail/2013-11-01/service-2.json +++ b/botocore/data/cloudtrail/2013-11-01/service-2.json @@ -1349,7 +1349,7 @@ "documentation":"Contains all selector statements in an advanced event selector.
" } }, - "documentation":"Advanced event selectors let you create fine-grained selectors for CloudTrail management, data, and network activity events. They help you control costs by logging only those events that are important to you. For more information about configuring advanced event selectors, see the Logging data events, Logging network activity events, and Logging management events topics in the CloudTrail User Guide.
You cannot apply both event selectors and advanced event selectors to a trail.
Supported CloudTrail event record fields for management events
eventCategory
(required)
eventSource
readOnly
The following additional fields are available for event data stores:
eventName
eventType
sessionCredentialFromConsole
userIdentity.arn
Supported CloudTrail event record fields for data events
eventCategory
(required)
resources.type
(required)
readOnly
eventName
resources.ARN
The following additional fields are available for event data stores:
eventSource
eventType
sessionCredentialFromConsole
userIdentity.arn
Supported CloudTrail event record fields for network activity events
Network activity events is in preview release for CloudTrail and is subject to change.
eventCategory
(required)
eventSource
(required)
eventName
errorCode
- The only valid value for errorCode
is VpceAccessDenied
.
vpcEndpointId
For event data stores for CloudTrail Insights events, Config configuration items, Audit Manager evidence, or events outside of Amazon Web Services, the only supported field is eventCategory
.
Advanced event selectors let you create fine-grained selectors for CloudTrail management, data, and network activity events. They help you control costs by logging only those events that are important to you. For more information about configuring advanced event selectors, see the Logging data events, Logging network activity events, and Logging management events topics in the CloudTrail User Guide.
You cannot apply both event selectors and advanced event selectors to a trail.
For information about configurable advanced event selector fields, see AdvancedEventSelector in the CloudTrailUser Guide.
" }, "AdvancedEventSelectors":{ "type":"list", @@ -1361,7 +1361,7 @@ "members":{ "Field":{ "shape":"SelectorField", - "documentation":"A field in a CloudTrail event record on which to filter events to be logged. For event data stores for CloudTrail Insights events, Config configuration items, Audit Manager evidence, or events outside of Amazon Web Services, the field is used only for selecting events as filtering is not supported.
For CloudTrail management events, supported fields include eventCategory
(required), eventSource
, and readOnly
. The following additional fields are available for event data stores: eventName
, eventType
, sessionCredentialFromConsole
, and userIdentity.arn
.
For CloudTrail data events, supported fields include eventCategory
(required), resources.type
(required), eventName
, readOnly
, and resources.ARN
. The following additional fields are available for event data stores: eventSource
, eventType
, sessionCredentialFromConsole
, and userIdentity.arn
.
For CloudTrail network activity events, supported fields include eventCategory
(required), eventSource
(required), eventName
, errorCode
, and vpcEndpointId
.
For event data stores for CloudTrail Insights events, Config configuration items, Audit Manager evidence, or events outside of Amazon Web Services, the only supported field is eventCategory
.
readOnly
- This is an optional field that is only used for management events and data events. This field can be set to Equals
with a value of true
or false
. If you do not add this field, CloudTrail logs both read
and write
events. A value of true
logs only read
events. A value of false
logs only write
events.
eventSource
- This field is only used for management events, data events (for event data stores only), and network activity events.
For management events for trails, this is an optional field that can be set to NotEquals
kms.amazonaws.com
to exclude KMS management events, or NotEquals
rdsdata.amazonaws.com
to exclude RDS management events.
For management and data events for event data stores, you can use it to include or exclude any event source and can use any operator.
For network activity events, this is a required field that only uses the Equals
operator. Set this field to the event source for which you want to log network activity events. If you want to log network activity events for multiple event sources, you must create a separate field selector for each event source.
The following are valid values for network activity events:
cloudtrail.amazonaws.com
ec2.amazonaws.com
kms.amazonaws.com
secretsmanager.amazonaws.com
eventName
- This is an optional field that is only used for data events, management events (for event data stores only), and network activity events. You can use any operator with eventName
. You can use it to filter in or filter out specific events. You can have multiple values for this field, separated by commas.
eventCategory
- This field is required and must be set to Equals
.
For CloudTrail management events, the value must be Management
.
For CloudTrail data events, the value must be Data
.
For CloudTrail network activity events, the value must be NetworkActivity
.
The following are used only for event data stores:
For CloudTrail Insights events, the value must be Insight
.
For Config configuration items, the value must be ConfigurationItem
.
For Audit Manager evidence, the value must be Evidence
.
For events outside of Amazon Web Services, the value must be ActivityAuditLog
.
eventType
- This is an optional field available only for event data stores, which is used to filter management and data events on the event type. For information about available event types, see CloudTrail record contents in the CloudTrail user guide.
errorCode
- This field is only used to filter CloudTrail network activity events and is optional. This is the error code to filter on. Currently, the only valid errorCode
is VpceAccessDenied
. errorCode
can only use the Equals
operator.
sessionCredentialFromConsole
- This is an optional field available only for event data stores, which is used to filter management and data events based on whether the events originated from an Amazon Web Services Management Console session. sessionCredentialFromConsole
can only use the Equals
and NotEquals
operators.
resources.type
- This field is required for CloudTrail data events. resources.type
can only use the Equals
operator.
For a list of available resource types for data events, see Data events in the CloudTrail User Guide.
You can have only one resources.type
field per selector. To log events on more than one resource type, add another selector.
resources.ARN
- The resources.ARN
is an optional field for data events. You can use any operator with resources.ARN
, but if you use Equals
or NotEquals
, the value must exactly match the ARN of a valid resource of the type you've specified in the template as the value of resources.type. To log all data events for all objects in a specific S3 bucket, use the StartsWith
operator, and include only the bucket ARN as the matching value.
For information about filtering data events on the resources.ARN
field, see Filtering data events by resources.ARN in the CloudTrail User Guide.
You can't use the resources.ARN
field to filter resource types that do not have ARNs.
userIdentity.arn
- This is an optional field available only for event data stores, which is used to filter management and data events on the userIdentity ARN. You can use any operator with userIdentity.arn
. For more information on the userIdentity element, see CloudTrail userIdentity element in the CloudTrail User Guide.
vpcEndpointId
- This field is only used to filter CloudTrail network activity events and is optional. This field identifies the VPC endpoint that the request passed through. You can use any operator with vpcEndpointId
.
A field in a CloudTrail event record on which to filter events to be logged. For event data stores for CloudTrail Insights events, Config configuration items, Audit Manager evidence, or events outside of Amazon Web Services, the field is used only for selecting events as filtering is not supported.
For more information, see AdvancedFieldSelector in the CloudTrailUser Guide.
" }, "Equals":{ "shape":"Operator", diff --git a/botocore/data/cognito-idp/2016-04-18/service-2.json b/botocore/data/cognito-idp/2016-04-18/service-2.json index fe6dac1fed..dbc18432f6 100644 --- a/botocore/data/cognito-idp/2016-04-18/service-2.json +++ b/botocore/data/cognito-idp/2016-04-18/service-2.json @@ -30,7 +30,7 @@ {"shape":"UserImportInProgressException"}, {"shape":"InternalErrorException"} ], - "documentation":"Adds additional user attributes to the user pool schema.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Adds additional user attributes to the user pool schema. Custom attributes can be mutable or immutable and have a custom:
or dev:
prefix. For more information, see Custom attributes.
You can also create custom attributes in the Schema parameter of CreateUserPool
and UpdateUserPool
. You can't delete custom attributes after you create them.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
This IAM-authenticated API operation confirms user sign-up as an administrator. Unlike ConfirmSignUp, your IAM credentials authorize user account confirmation. No confirmation code is required.
This request sets a user account active in a user pool that requires confirmation of new user accounts before they can sign in. You can configure your user pool to not send confirmation codes to new users and instead confirm them with this API operation on the back end.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Confirms user sign-up as an administrator. Unlike ConfirmSignUp, your IAM credentials authorize user account confirmation. No confirmation code is required.
This request sets a user account active in a user pool that requires confirmation of new user accounts before they can sign in. You can configure your user pool to not send confirmation codes to new users and instead confirm them with this API operation on the back end.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
To configure your user pool to require administrative confirmation of users, set AllowAdminCreateUserOnly
to true
in a CreateUserPool
or UpdateUserPool
request.
Deletes a user as an administrator. Works on any user.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Deletes a user profile in your user pool.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Deletes the user attributes in a user pool as an administrator. Works on any user.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Deletes attribute values from a user. This operation doesn't affect tokens for existing user sessions. The next ID token that the user receives will no longer have this attribute.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Deactivates a user and revokes all access tokens for the user. A deactivated user can't sign in, but still appears in the responses to GetUser
and ListUsers
API requests.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Deactivates a user profile and revokes all access tokens for the user. A deactivated user can't sign in, but still appears in the responses to ListUsers
API requests.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Enables the specified user as an administrator. Works on any user.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Activate sign-in for a user profile that previously had sign-in access disabled.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Forgets the device, as an administrator.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Forgets, or deletes, a remembered device from a user's profile. After you forget the device, the user can no longer complete device authentication with that device and when applicable, must submit MFA codes again. For more information, see Working with devices.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Gets the device, as an administrator.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Given the device key, returns details for a user' device. For more information, see Working with devices.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Gets the specified user by user name in a user pool as an administrator. Works on any user. This operation contributes to your monthly active user (MAU) count for the purpose of billing.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Given the username, returns details about a user profile in a user pool. This operation contributes to your monthly active user (MAU) count for the purpose of billing. You can specify alias attributes in the Username
parameter.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Initiates the authentication flow, as an administrator.
This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.
If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito Developer Guide.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Starts sign-in for applications with a server-side component, for example a traditional web application. This operation specifies the authentication flow that you'd like to begin. The authentication flow that you specify must be supported in your app client configuration. For more information about authentication flows, see Authentication flows.
This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.
If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito Developer Guide.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Lists a user's registered devices.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Lists a user's registered devices. Remembered devices are used in authentication services where you offer a \"Remember me\" option for users who you want to permit to sign in without MFA from a trusted device. Users can bypass MFA while your application performs device SRP authentication on the back end. For more information, see Working with devices.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Lists the groups that a user belongs to.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Lists the groups that a user belongs to. User pool groups are identifiers that you can reference from the contents of ID and access tokens, and set preferred IAM roles for identity-pool authentication. For more information, see Adding groups to a user pool.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
A history of user activity and any risks detected as part of Amazon Cognito advanced security.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Requests a history of user activity and any risks detected as part of Amazon Cognito threat protection. For more information, see Viewing user event history.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Removes the specified user from the specified group.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Given a username and a group name. removes them from the group. User pool groups are identifiers that you can reference from the contents of ID and access tokens, and set preferred IAM roles for identity-pool authentication. For more information, see Adding groups to a user pool.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Resets the specified user's password in a user pool as an administrator. Works on any user.
To use this API operation, your user pool must have self-service account recovery configured. Use AdminSetUserPassword if you manage passwords as an administrator.
This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.
If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito Developer Guide.
Deactivates a user's password, requiring them to change it. If a user tries to sign in after the API is called, Amazon Cognito responds with a PasswordResetRequiredException
error. Your app must then perform the actions that reset your user's password: the forgot-password flow. In addition, if the user pool has phone verification selected and a verified phone number exists for the user, or if email verification is selected and a verified email exists for the user, calling this API will also result in sending a message to the end user with the code to change their password.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Resets the specified user's password in a user pool. This operation doesn't change the user's password, but sends a password-reset code. This operation is the administrative authentication API equivalent to ForgotPassword.
This operation deactivates a user's password, requiring them to change it. If a user tries to sign in after the API request, Amazon Cognito responds with a PasswordResetRequiredException
error. Your app must then complete the forgot-password flow by prompting the user for their code and a new password, then submitting those values in a ConfirmForgotPassword request. In addition, if the user pool has phone verification selected and a verified phone number exists for the user, or if email verification is selected and a verified email exists for the user, calling this API will also result in sending a message to the end user with the code to change their password.
To use this API operation, your user pool must have self-service account recovery configured. Use AdminSetUserPassword if you manage passwords as an administrator.
This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.
If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito Developer Guide.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Sets the user's multi-factor authentication (MFA) preference, including which MFA options are activated, and if any are preferred. Only one factor can be set as preferred. The preferred MFA factor will be used to authenticate a user if multiple factors are activated. If multiple options are activated and no preference is set, a challenge to choose an MFA option will be returned during sign-in.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Sets the user's multi-factor authentication (MFA) preference, including which MFA options are activated, and if any are preferred. Only one factor can be set as preferred. The preferred MFA factor will be used to authenticate a user if multiple factors are activated. If multiple options are activated and no preference is set, a challenge to choose an MFA option will be returned during sign-in.
This operation doesn't reset an existing TOTP MFA for a user. To register a new TOTP factor for a user, make an AssociateSoftwareToken request. For more information, see TOTP software token MFA.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Sets the specified user's password in a user pool as an administrator. Works on any user.
The password can be temporary or permanent. If it is temporary, the user status enters the FORCE_CHANGE_PASSWORD
state. When the user next tries to sign in, the InitiateAuth/AdminInitiateAuth response will contain the NEW_PASSWORD_REQUIRED
challenge. If the user doesn't sign in before it expires, the user won't be able to sign in, and an administrator must reset their password.
Once the user has set a new password, or the password is permanent, the user status is set to Confirmed
.
AdminSetUserPassword
can set a password for the user profile that Amazon Cognito creates for third-party federated users. When you set a password, the federated user's status changes from EXTERNAL_PROVIDER
to CONFIRMED
. A user in this state can sign in as a federated user, and initiate authentication flows in the API like a linked native user. They can also modify their password and attributes in token-authenticated API requests like ChangePassword
and UpdateUserAttributes
. As a best security practice and to keep users in sync with your external IdP, don't set passwords on federated user profiles. To set up a federated user for native sign-in with a linked native user, refer to Linking federated users to an existing user profile.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Sets the specified user's password in a user pool. This operation administratively sets a temporary or permanent password for a user. With this operation, you can bypass self-service password changes and permit immediate sign-in with the password that you set. To do this, set Permanent
to true
.
You can also set a new temporary password in this request, send it to a user, and require them to choose a new password on their next sign-in. To do this, set Permanent
to false
.
If the password is temporary, the user's Status
becomes FORCE_CHANGE_PASSWORD
. When the user next tries to sign in, the InitiateAuth
or AdminInitiateAuth
response includes the NEW_PASSWORD_REQUIRED
challenge. If the user doesn't sign in before the temporary password expires, they can no longer sign in and you must repeat this operation to set a temporary or permanent password for them.
After the user sets a new password, or if you set a permanent password, their status becomes Confirmed
.
AdminSetUserPassword
can set a password for the user profile that Amazon Cognito creates for third-party federated users. When you set a password, the federated user's status changes from EXTERNAL_PROVIDER
to CONFIRMED
. A user in this state can sign in as a federated user, and initiate authentication flows in the API like a linked native user. They can also modify their password and attributes in token-authenticated API requests like ChangePassword
and UpdateUserAttributes
. As a best security practice and to keep users in sync with your external IdP, don't set passwords on federated user profiles. To set up a federated user for native sign-in with a linked native user, refer to Linking federated users to an existing user profile.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Provides feedback for an authentication event indicating if it was from a valid user. This feedback is used for improving the risk evaluation decision for the user pool as part of Amazon Cognito advanced security.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Provides feedback for an authentication event indicating if it was from a valid user. This feedback is used for improving the risk evaluation decision for the user pool as part of Amazon Cognito threat protection. To train the threat-protection model to recognize trusted and untrusted sign-in characteristics, configure threat protection in audit-only mode and provide a mechanism for users or administrators to submit feedback. Your feedback can tell Amazon Cognito that a risk rating was assigned at a level you don't agree with.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Updates the device status as an administrator.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Updates the status of a user's device so that it is marked as remembered or not remembered for the purpose of device authentication. Device authentication is a \"remember me\" mechanism that silently completes sign-in from trusted devices with a device key instead of a user-provided MFA code. This operation changes the status of a device without deleting it, so you can enable it again later. For more information about device authentication, see Working with devices.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.
If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito Developer Guide.
Updates the specified user's attributes, including developer attributes, as an administrator. Works on any user. To delete an attribute from your user, submit the attribute in your API request with a blank value.
For custom attributes, you must prepend the custom:
prefix to the attribute name.
In addition to updating user attributes, this API can also be used to mark phone and email as verified.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.
If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito Developer Guide.
Updates the specified user's attributes. To delete an attribute from your user, submit the attribute in your API request with a blank value.
For custom attributes, you must prepend the custom:
prefix to the attribute name.
This operation can set a user's email address or phone number as verified and permit immediate sign-in in user pools that require verification of these attributes. To do this, set the email_verified
or phone_number_verified
attribute to true
.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Invalidates the identity, access, and refresh tokens that Amazon Cognito issued to a user. Call this operation with your administrative credentials when your user signs out of your app. This results in the following behavior.
Amazon Cognito no longer accepts token-authorized user operations that you authorize with a signed-out user's access tokens. For more information, see Using the Amazon Cognito user pools API and user pool endpoints.
Amazon Cognito returns an Access Token has been revoked
error when your app attempts to authorize a user pools API request with a revoked access token that contains the scope aws.cognito.signin.user.admin
.
Amazon Cognito no longer accepts a signed-out user's ID token in a GetId request to an identity pool with ServerSideTokenCheck
enabled for its user pool IdP configuration in CognitoIdentityProvider.
Amazon Cognito no longer accepts a signed-out user's refresh tokens in refresh requests.
Other requests might be valid until your user's token expires.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Invalidates the identity, access, and refresh tokens that Amazon Cognito issued to a user. Call this operation with your administrative credentials when your user signs out of your app. This results in the following behavior.
Amazon Cognito no longer accepts token-authorized user operations that you authorize with a signed-out user's access tokens. For more information, see Using the Amazon Cognito user pools API and user pool endpoints.
Amazon Cognito returns an Access Token has been revoked
error when your app attempts to authorize a user pools API request with a revoked access token that contains the scope aws.cognito.signin.user.admin
.
Amazon Cognito no longer accepts a signed-out user's ID token in a GetId request to an identity pool with ServerSideTokenCheck
enabled for its user pool IdP configuration in CognitoIdentityProvider.
Amazon Cognito no longer accepts a signed-out user's refresh tokens in refresh requests.
Other requests might be valid until your user's token expires. This operation doesn't clear the managed login session cookie. To clear the session for a user who signed in with managed login or the classic hosted UI, direct their browser session to the logout endpoint.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Begins setup of time-based one-time password (TOTP) multi-factor authentication (MFA) for a user, with a unique private key that Amazon Cognito generates and returns in the API response. You can authorize an AssociateSoftwareToken
request with either the user's access token, or a session string from a challenge response that you received from Amazon Cognito.
Amazon Cognito disassociates an existing software token when you verify the new token in a VerifySoftwareToken API request. If you don't verify the software token and your user pool doesn't require MFA, the user can then authenticate with user name and password credentials alone. If your user pool requires TOTP MFA, Amazon Cognito generates an MFA_SETUP
or SOFTWARE_TOKEN_SETUP
challenge each time your user signs in. Complete setup with AssociateSoftwareToken
and VerifySoftwareToken
.
After you set up software token MFA for your user, Amazon Cognito generates a SOFTWARE_TOKEN_MFA
challenge when they authenticate. Respond to this challenge with your user's TOTP.
Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.
Begins setup of time-based one-time password (TOTP) multi-factor authentication (MFA) for a user, with a unique private key that Amazon Cognito generates and returns in the API response. You can authorize an AssociateSoftwareToken
request with either the user's access token, or a session string from a challenge response that you received from Amazon Cognito.
Amazon Cognito disassociates an existing software token when you verify the new token in a VerifySoftwareToken API request. If you don't verify the software token and your user pool doesn't require MFA, the user can then authenticate with user name and password credentials alone. If your user pool requires TOTP MFA, Amazon Cognito generates an MFA_SETUP
or SOFTWARE_TOKEN_SETUP
challenge each time your user signs in. Complete setup with AssociateSoftwareToken
and VerifySoftwareToken
.
After you set up software token MFA for your user, Amazon Cognito generates a SOFTWARE_TOKEN_MFA
challenge when they authenticate. Respond to this challenge with your user's TOTP.
Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.
Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin
.
Confirms tracking of the device. This API call is the call that begins device tracking. For more information about device authentication, see Working with user devices in your user pool.
Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin
.
Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.
Confirms a device that a user wants to remember. A remembered device is a \"Remember me on this device\" option for user pools that perform authentication with the device key of a trusted device in the back end, instead of a user-provided MFA code. For more information about device authentication, see Working with user devices in your user pool.
Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin
.
Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.
Allows a user to enter a confirmation code to reset a forgotten password.
Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.
This public API operation accepts a confirmation code that Amazon Cognito sent to a user and accepts a new password for that user.
Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.
This public API operation provides a code that Amazon Cognito sent to your user when they signed up in your user pool via the SignUp API operation. After your user enters their code, they confirm ownership of the email address or phone number that they provided, and their user account becomes active. Depending on your user pool configuration, your users will receive their confirmation code in an email or SMS message.
Local users who signed up in your user pool are the only type of user who can confirm sign-up with a code. Users who federate through an external identity provider (IdP) have already been confirmed by their IdP. Administrator-created users, users created with the AdminCreateUser API operation, confirm their accounts when they respond to their invitation email message and choose a password. They do not receive a confirmation code. Instead, they receive a temporary password.
Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.
This public API operation submits a code that Amazon Cognito sent to your user when they signed up in your user pool via the SignUp API operation. After your user enters their code, they confirm ownership of the email address or phone number that they provided, and their user account becomes active. Depending on your user pool configuration, your users will receive their confirmation code in an email or SMS message.
Local users who signed up in your user pool are the only type of user who can confirm sign-up with a code. Users who federate through an external identity provider (IdP) have already been confirmed by their IdP. Administrator-created users, users created with the AdminCreateUser API operation, confirm their accounts when they respond to their invitation email message and choose a password. They do not receive a confirmation code. Instead, they receive a temporary password.
Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.
Creates a new group in the specified user pool.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Creates a new group in the specified user pool. For more information about user pool groups see Adding groups to a user pool.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Adds a configuration and trust relationship between a third-party identity provider (IdP) and a user pool.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Adds a configuration and trust relationship between a third-party identity provider (IdP) and a user pool. Amazon Cognito accepts sign-in with third-party identity providers through managed login and OIDC relying-party libraries. For more information, see Third-party IdP sign-in.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Creates a new set of branding settings for a user pool style and associates it with an app client. This operation is the programmatic option for the creation of a new style in the branding designer.
Provides values for UI customization in a Settings
JSON object and image files in an Assets
array. To send the JSON object Document
type parameter in Settings
, you might need to update to the most recent version of your Amazon Web Services SDK.
This operation has a 2-megabyte request-size limit and include the CSS settings and image assets for your app client. Your branding settings might exceed 2MB in size. Amazon Cognito doesn't require that you pass all parameters in one request and preserves existing style settings that you don't specify. If your request is larger than 2MB, separate it into multiple requests, each with a size smaller than the limit.
For more information, see API and SDK operations for managed login branding
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Creates a new set of branding settings for a user pool style and associates it with an app client. This operation is the programmatic option for the creation of a new style in the branding designer.
Provides values for UI customization in a Settings
JSON object and image files in an Assets
array. To send the JSON object Document
type parameter in Settings
, you might need to update to the most recent version of your Amazon Web Services SDK. To create a new style with default settings, set UseCognitoProvidedValues
to true
and don't provide values for any other options.
This operation has a 2-megabyte request-size limit and include the CSS settings and image assets for your app client. Your branding settings might exceed 2MB in size. Amazon Cognito doesn't require that you pass all parameters in one request and preserves existing style settings that you don't specify. If your request is larger than 2MB, separate it into multiple requests, each with a size smaller than the limit.
As a best practice, modify the output of DescribeManagedLoginBrandingByClient into the request parameters for this operation. To get all settings, set ReturnMergedResources
to true
. For more information, see API and SDK operations for managed login branding.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Creates a new OAuth2.0 resource server and defines custom scopes within it.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Creates a new OAuth2.0 resource server and defines custom scopes within it. Resource servers are associated with custom scopes and machine-to-machine (M2M) authorization. For more information, see Access control with resource servers.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Creates a user import job.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Creates a user import job. You can import users into user pools from a comma-separated values (CSV) file without adding Amazon Cognito MAU costs to your Amazon Web Services bill. To generate a template for your import, see GetCSVHeader. To learn more about CSV import, see Importing users from a CSV file.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.
If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito Developer Guide.
Creates a new Amazon Cognito user pool and sets the password policy for the pool.
If you don't provide a value for an attribute, Amazon Cognito sets it to its default value.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.
If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito Developer Guide.
Creates a new Amazon Cognito user pool. This operation sets basic and advanced configuration options. You can create a user pool in the Amazon Cognito console to your preferences and use the output of DescribeUserPool to generate requests from that baseline.
If you don't provide a value for an attribute, Amazon Cognito sets it to its default value.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Creates the user pool client.
When you create a new user pool client, token revocation is automatically activated. For more information about revoking tokens, see RevokeToken.
If you don't provide a value for an attribute, Amazon Cognito sets it to its default value.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Creates an app client in a user pool. This operation sets basic and advanced configuration options. You can create an app client in the Amazon Cognito console to your preferences and use the output of DescribeUserPoolClient to generate requests from that baseline.
New app clients activate token revocation by default. For more information about revoking tokens, see RevokeToken.
If you don't provide a value for an attribute, Amazon Cognito sets it to its default value.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Creates a new domain for a user pool. The domain hosts user pool domain services like managed login, the hosted UI (classic), and the user pool authorization server.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
A user pool domain hosts managed login, an authorization server and web server for authentication in your application. This operation creates a new user pool prefix or custom domain and sets the managed login branding version. Set the branding version to 1
for hosted UI (classic) or 2
for managed login. When you choose a custom domain, you must provide an SSL certificate in the US East (N. Virginia) Amazon Web Services Region in your request.
Your prefix domain might take up to one minute to take effect. Your custom domain is online within five minutes, but it can take up to one hour to distribute your SSL certificate.
For more information about adding a custom domain to your user pool, see Configuring a user pool domain.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Deletes a group.
Calling this action requires developer credentials.
" + "documentation":"Deletes a group from the specified user pool. When you delete a group, that group no longer contributes to users' cognito:preferred_group
or cognito:groups
claims, and no longer influence access-control decision that are based on group membership. For more information about user pool groups, see Adding groups to a user pool.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Deletes an IdP for a user pool.
" + "documentation":"Deletes a user pool identity provider (IdP). After you delete an IdP, users can no longer sign in to your user pool through that IdP. For more information about user pool IdPs, see Third-party IdP sign-in.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Deletes a managed login branding style. When you delete a style, you delete the branding association for an app client and restore it to default settings.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Deletes a managed login branding style. When you delete a style, you delete the branding association for an app client. When an app client doesn't have a style assigned, your managed login pages for that app client are nonfunctional until you create a new style or switch the domain branding version.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Deletes a resource server.
" + "documentation":"Deletes a resource server. After you delete a resource server, users can no longer generate access tokens with scopes that are associate with that resource server.
Resource servers are associated with custom scopes and machine-to-machine (M2M) authorization. For more information, see Access control with resource servers.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Allows a user to delete their own user profile.
Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin
.
Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.
Self-deletes a user profile. A deleted user profile can no longer be used to sign in and can't be restored.
Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin
.
Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.
Deletes the attributes for a user.
Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin
.
Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.
Self-deletes attributes for a user. For example, your application can submit a request to this operation when a user wants to remove their birthdate
attribute value.
Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin
.
Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.
Deletes the specified Amazon Cognito user pool.
" + "documentation":"Deletes a user pool. After you delete a user pool, users can no longer sign in to any associated applications.
" }, "DeleteUserPoolClient":{ "name":"DeleteUserPoolClient", @@ -1020,7 +1020,7 @@ {"shape":"ConcurrentModificationException"}, {"shape":"InternalErrorException"} ], - "documentation":"Allows the developer to delete the user pool client.
" + "documentation":"Deletes a user pool app client. After you delete an app client, users can no longer sign in to the associated application.
" }, "DeleteUserPoolDomain":{ "name":"DeleteUserPoolDomain", @@ -1036,7 +1036,7 @@ {"shape":"ResourceNotFoundException"}, {"shape":"InternalErrorException"} ], - "documentation":"Deletes a domain for a user pool.
" + "documentation":"Given a user pool ID and domain identifier, deletes a user pool domain. After you delete a user pool domain, your managed login pages and authorization server are no longer available.
" }, "DeleteWebAuthnCredential":{ "name":"DeleteWebAuthnCredential", @@ -1053,7 +1053,7 @@ {"shape":"NotAuthorizedException"}, {"shape":"ResourceNotFoundException"} ], - "documentation":"Deletes a registered passkey, or webauthN, device for the currently signed-in user.
Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin
.
Deletes a registered passkey, or webauthN, authenticator for the currently signed-in user.
Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin
.
Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.
Gets information about a specific IdP.
" + "documentation":"Given a user pool ID and identity provider (IdP) name, returns details about the IdP.
" }, "DescribeManagedLoginBranding":{ "name":"DescribeManagedLoginBranding", @@ -1089,7 +1089,7 @@ {"shape":"NotAuthorizedException"}, {"shape":"InternalErrorException"} ], - "documentation":"When given the ID of a managed login branding style, returns detailed information about the style.
" + "documentation":"Given the ID of a managed login branding style, returns detailed information about the style.
" }, "DescribeManagedLoginBrandingByClient":{ "name":"DescribeManagedLoginBrandingByClient", @@ -1106,7 +1106,7 @@ {"shape":"NotAuthorizedException"}, {"shape":"InternalErrorException"} ], - "documentation":"When given the ID of a user pool app client, returns detailed information about the style assigned to the app client.
" + "documentation":"Given the ID of a user pool app client, returns detailed information about the style assigned to the app client.
" }, "DescribeResourceServer":{ "name":"DescribeResourceServer", @@ -1123,7 +1123,7 @@ {"shape":"TooManyRequestsException"}, {"shape":"InternalErrorException"} ], - "documentation":"Describes a resource server.
" + "documentation":"Describes a resource server. For more information about resource servers, see Access control with resource servers.
" }, "DescribeRiskConfiguration":{ "name":"DescribeRiskConfiguration", @@ -1141,7 +1141,7 @@ {"shape":"UserPoolAddOnNotEnabledException"}, {"shape":"InternalErrorException"} ], - "documentation":"Describes the risk configuration.
" + "documentation":"Given an app client or user pool ID where threat protection is configured, describes the risk configuration. This operation returns details about adaptive authentication, compromised credentials, and IP-address allow- and denylists. For more information about threat protection, see Threat protection.
" }, "DescribeUserImportJob":{ "name":"DescribeUserImportJob", @@ -1158,7 +1158,7 @@ {"shape":"NotAuthorizedException"}, {"shape":"InternalErrorException"} ], - "documentation":"Describes the user import job.
" + "documentation":"Describes a user import job. For more information about user CSV import, see Importing users from a CSV file.
" }, "DescribeUserPool":{ "name":"DescribeUserPool", @@ -1176,7 +1176,7 @@ {"shape":"UserPoolTaggingException"}, {"shape":"InternalErrorException"} ], - "documentation":"Returns the configuration information and metadata of the specified user pool.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Given a user pool ID, returns configuration information. This operation is useful when you want to inspect an existing user pool and programmatically replicate the configuration to another user pool.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Client method for returning the configuration information and metadata of the specified user pool app client.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Given an app client ID, returns configuration information. This operation is useful when you want to inspect an existing app client and programmatically replicate the configuration to another app client. For more information about app clients, see App clients.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Gets information about a domain.
" + "documentation":"Given a user pool domain name, returns information about the domain configuration.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Invalidates the identity, access, and refresh tokens that Amazon Cognito issued to a user. Call this operation when your user signs out of your app. This results in the following behavior.
Amazon Cognito no longer accepts token-authorized user operations that you authorize with a signed-out user's access tokens. For more information, see Using the Amazon Cognito user pools API and user pool endpoints.
Amazon Cognito returns an Access Token has been revoked
error when your app attempts to authorize a user pools API request with a revoked access token that contains the scope aws.cognito.signin.user.admin
.
Amazon Cognito no longer accepts a signed-out user's ID token in a GetId request to an identity pool with ServerSideTokenCheck
enabled for its user pool IdP configuration in CognitoIdentityProvider.
Amazon Cognito no longer accepts a signed-out user's refresh tokens in refresh requests.
Other requests might be valid until your user's token expires.
Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin
.
Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.
Invalidates the identity, access, and refresh tokens that Amazon Cognito issued to a user. Call this operation when your user signs out of your app. This results in the following behavior.
Amazon Cognito no longer accepts token-authorized user operations that you authorize with a signed-out user's access tokens. For more information, see Using the Amazon Cognito user pools API and user pool endpoints.
Amazon Cognito returns an Access Token has been revoked
error when your app attempts to authorize a user pools API request with a revoked access token that contains the scope aws.cognito.signin.user.admin
.
Amazon Cognito no longer accepts a signed-out user's ID token in a GetId request to an identity pool with ServerSideTokenCheck
enabled for its user pool IdP configuration in CognitoIdentityProvider.
Amazon Cognito no longer accepts a signed-out user's refresh tokens in refresh requests.
Other requests might be valid until your user's token expires. This operation doesn't clear the managed login session cookie. To clear the session for a user who signed in with managed login or the classic hosted UI, direct their browser session to the logout endpoint.
Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin
.
Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.
Set the user's multi-factor authentication (MFA) method preference, including which MFA factors are activated and if any are preferred. Only one factor can be set as preferred. The preferred MFA factor will be used to authenticate a user if multiple factors are activated. If multiple options are activated and no preference is set, a challenge to choose an MFA option will be returned during sign-in. If an MFA type is activated for a user, the user will be prompted for MFA during all sign-in attempts unless device tracking is turned on and the device has been trusted. If you want MFA to be applied selectively based on the assessed risk level of sign-in attempts, deactivate MFA for users and turn on Adaptive Authentication for the user pool.
Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin
.
Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.
Set the user's multi-factor authentication (MFA) method preference, including which MFA factors are activated and if any are preferred. Only one factor can be set as preferred. The preferred MFA factor will be used to authenticate a user if multiple factors are activated. If multiple options are activated and no preference is set, a challenge to choose an MFA option will be returned during sign-in. If an MFA type is activated for a user, the user will be prompted for MFA during all sign-in attempts unless device tracking is turned on and the device has been trusted. If you want MFA to be applied selectively based on the assessed risk level of sign-in attempts, deactivate MFA for users and turn on Adaptive Authentication for the user pool.
This operation doesn't reset an existing TOTP MFA for a user. To register a new TOTP factor for a user, make an AssociateSoftwareToken request. For more information, see TOTP software token MFA.
Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin
.
Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.
Configures the branding settings for a user pool style. This operation is the programmatic option for the configuration of a style in the branding designer.
Provides values for UI customization in a Settings
JSON object and image files in an Assets
array.
This operation has a 2-megabyte request-size limit and include the CSS settings and image assets for your app client. Your branding settings might exceed 2MB in size. Amazon Cognito doesn't require that you pass all parameters in one request and preserves existing style settings that you don't specify. If your request is larger than 2MB, separate it into multiple requests, each with a size smaller than the limit.
For more information, see API and SDK operations for managed login branding.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Configures the branding settings for a user pool style. This operation is the programmatic option for the configuration of a style in the branding designer.
Provides values for UI customization in a Settings
JSON object and image files in an Assets
array.
This operation has a 2-megabyte request-size limit and include the CSS settings and image assets for your app client. Your branding settings might exceed 2MB in size. Amazon Cognito doesn't require that you pass all parameters in one request and preserves existing style settings that you don't specify. If your request is larger than 2MB, separate it into multiple requests, each with a size smaller than the limit.
As a best practice, modify the output of DescribeManagedLoginBrandingByClient into the request parameters for this operation. To get all settings, set ReturnMergedResources
to true
. For more information, see API and SDK operations for managed login branding
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Updates the Secure Sockets Layer (SSL) certificate for the custom domain for your user pool.
You can use this operation to provide the Amazon Resource Name (ARN) of a new certificate to Amazon Cognito. You can't use it to change the domain for a user pool.
A custom domain is used to host the Amazon Cognito hosted UI, which provides sign-up and sign-in pages for your application. When you set up a custom domain, you provide a certificate that you manage with Certificate Manager (ACM). When necessary, you can use this operation to change the certificate that you applied to your custom domain.
Usually, this is unnecessary following routine certificate renewal with ACM. When you renew your existing certificate in ACM, the ARN for your certificate remains the same, and your custom domain uses the new certificate automatically.
However, if you replace your existing certificate with a new one, ACM gives the new certificate a new ARN. To apply the new certificate to your custom domain, you must provide this ARN to Amazon Cognito.
When you add your new certificate in ACM, you must choose US East (N. Virginia) as the Amazon Web Services Region.
After you submit your request, Amazon Cognito requires up to 1 hour to distribute your new certificate to your custom domain.
For more information about adding a custom domain to your user pool, see Using Your Own Domain for the Hosted UI.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
A user pool domain hosts managed login, an authorization server and web server for authentication in your application. This operation updates the branding version for user pool domains between 1
for hosted UI (classic) and 2
for managed login. It also updates the SSL certificate for user pool custom domains.
Changes to the domain branding version take up to one minute to take effect for a prefix domain and up to five minutes for a custom domain.
This operation doesn't change the name of your user pool domain. To change your domain, delete it with DeleteUserPoolDomain
and create a new domain with CreateUserPoolDomain
.
You can pass the ARN of a new Certificate Manager certificate in this request. Typically, ACM certificates automatically renew and you user pool can continue to use the same ARN. But if you generate a new certificate for your custom domain name, replace the original configuration with the new ARN in this request.
ACM certificates for custom domains must be in the US East (N. Virginia) Amazon Web Services Region. After you submit your request, Amazon Cognito requires up to 1 hour to distribute your new certificate to your custom domain.
For more information about adding a custom domain to your user pool, see Configuring a user pool domain.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
The user pool ID for the user pool where you want to add custom attributes.
" + "documentation":"The ID of the user pool where you want to add custom attributes.
" }, "CustomAttributes":{ "shape":"CustomAttributesListType", - "documentation":"An array of custom attributes, such as Mutable and Name.
" + "documentation":"An array of custom attribute names and other properties. Sets the following characteristics:
The expected data type. Can be a string, a number, a date and time, or a boolean.
If true, you can grant app clients write access to the attribute value. If false, the attribute value can only be set up on sign-up or administrator creation of users.
The attribute name. For an attribute like custom:myAttribute
, enter myAttribute
for this field.
When true, users who sign up or are created must set a value for the attribute.
The minimum and maximum length of accepted values for a Number
-type attribute.
The minimum and maximum length of accepted values for a String
-type attribute.
This legacy option creates an attribute with a dev:
prefix. You can only set the value of a developer-only attribute with administrative IAM credentials.
Represents the request to add custom attributes.
" @@ -2440,7 +2440,7 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID for the user pool.
" + "documentation":"The ID of the user pool that contains the group that you want to add the user to.
" }, "Username":{ "shape":"UsernameType", @@ -2461,7 +2461,7 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID for which you want to confirm user registration.
" + "documentation":"The ID of the user pool where you want to confirm a user's sign-up request.
" }, "Username":{ "shape":"UsernameType", @@ -2469,7 +2469,7 @@ }, "ClientMetadata":{ "shape":"ClientMetadataType", - "documentation":"A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
If your user pool configuration includes triggers, the AdminConfirmSignUp API action invokes the Lambda function that is specified for the post confirmation trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. In this payload, the clientMetadata
attribute provides the data that you assigned to the ClientMetadata parameter in your AdminConfirmSignUp request. In your function code in Lambda, you can process the ClientMetadata value to enhance your workflow for your specific needs.
For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.
When you use the ClientMetadata parameter, remember that Amazon Cognito won't do the following:
Store the ClientMetadata value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ClientMetadata parameter serves no purpose.
Validate the ClientMetadata value.
Encrypt the ClientMetadata value. Don't use Amazon Cognito to provide sensitive information.
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
If your user pool configuration includes triggers, the AdminConfirmSignUp API action invokes the Lambda function that is specified for the post confirmation trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. In this payload, the clientMetadata
attribute provides the data that you assigned to the ClientMetadata parameter in your AdminConfirmSignUp request. In your function code in Lambda, you can process the ClientMetadata value to enhance your workflow for your specific needs.
For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.
When you use the ClientMetadata
parameter, note that Amazon Cognito won't do the following:
Store the ClientMetadata
value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ClientMetadata
parameter serves no purpose.
Validate the ClientMetadata
value.
Encrypt the ClientMetadata
value. Don't send sensitive information in this parameter.
Confirm a user's registration as a user pool administrator.
" @@ -2507,7 +2507,7 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID for the user pool where the user will be created.
" + "documentation":"The ID of the user pool where you want to create a user.
" }, "Username":{ "shape":"UsernameType", @@ -2527,19 +2527,19 @@ }, "ForceAliasCreation":{ "shape":"ForceAliasCreation", - "documentation":"This parameter is used only if the phone_number_verified
or email_verified
attribute is set to True
. Otherwise, it is ignored.
If this parameter is set to True
and the phone number or email address specified in the UserAttributes parameter already exists as an alias with a different user, the API call will migrate the alias from the previous user to the newly created user. The previous user will no longer be able to log in using that alias.
If this parameter is set to False
, the API throws an AliasExistsException
error if the alias already exists. The default value is False
.
This parameter is used only if the phone_number_verified
or email_verified
attribute is set to True
. Otherwise, it is ignored.
If this parameter is set to True
and the phone number or email address specified in the UserAttributes
parameter already exists as an alias with a different user, this request migrates the alias from the previous user to the newly-created user. The previous user will no longer be able to log in using that alias.
If this parameter is set to False
, the API throws an AliasExistsException
error if the alias already exists. The default value is False
.
Set to RESEND
to resend the invitation message to a user that already exists and reset the expiration limit on the user's account. Set to SUPPRESS
to suppress sending the message. You can specify only one value.
Set to RESEND
to resend the invitation message to a user that already exists, and to reset the temporary-password duration with a new temporary password. Set to SUPPRESS
to suppress sending the message. You can specify only one value.
Specify \"EMAIL\"
if email will be used to send the welcome message. Specify \"SMS\"
if the phone number will be used. The default value is \"SMS\"
. You can specify more than one value.
Specify EMAIL
if email will be used to send the welcome message. Specify SMS
if the phone number will be used. The default value is SMS
. You can specify more than one value.
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
You create custom workflows by assigning Lambda functions to user pool triggers. When you use the AdminCreateUser API action, Amazon Cognito invokes the function that is assigned to the pre sign-up trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata
attribute, which provides the data that you assigned to the ClientMetadata parameter in your AdminCreateUser request. In your function code in Lambda, you can process the clientMetadata
value to enhance your workflow for your specific needs.
For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.
When you use the ClientMetadata parameter, remember that Amazon Cognito won't do the following:
Store the ClientMetadata value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ClientMetadata parameter serves no purpose.
Validate the ClientMetadata value.
Encrypt the ClientMetadata value. Don't use Amazon Cognito to provide sensitive information.
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
You create custom workflows by assigning Lambda functions to user pool triggers. When you use the AdminCreateUser API action, Amazon Cognito invokes the function that is assigned to the pre sign-up trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a ClientMetadata
attribute, which provides the data that you assigned to the ClientMetadata parameter in your AdminCreateUser request. In your function code in Lambda, you can process the clientMetadata
value to enhance your workflow for your specific needs.
For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.
When you use the ClientMetadata
parameter, note that Amazon Cognito won't do the following:
Store the ClientMetadata
value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ClientMetadata
parameter serves no purpose.
Validate the ClientMetadata
value.
Encrypt the ClientMetadata
value. Don't send sensitive information in this parameter.
Creates a new user in the specified user pool.
" @@ -2549,7 +2549,7 @@ "members":{ "User":{ "shape":"UserType", - "documentation":"The newly created user.
" + "documentation":"The new user's profile details.
" } }, "documentation":"Represents the response from the server to the request to create the user.
" @@ -2569,7 +2569,7 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID for the user pool where you want to delete user attributes.
" + "documentation":"The ID of the user pool where you want to delete user attributes.
" }, "Username":{ "shape":"UsernameType", @@ -2597,7 +2597,7 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID for the user pool where you want to delete the user.
" + "documentation":"The ID of the user pool where you want to delete the user.
" }, "Username":{ "shape":"UsernameType", @@ -2615,11 +2615,11 @@ "members":{ "UserPoolId":{ "shape":"StringType", - "documentation":"The user pool ID for the user pool.
" + "documentation":"The ID of the user pool where you want to delete the user's linked identities.
" }, "User":{ "shape":"ProviderUserIdentifierType", - "documentation":"The user to be disabled.
" + "documentation":"The user profile that you want to delete a linked identity from.
" } } }, @@ -2637,7 +2637,7 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID for the user pool where you want to disable the user.
" + "documentation":"The ID of the user pool where you want to disable the user.
" }, "Username":{ "shape":"UsernameType", @@ -2661,7 +2661,7 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID for the user pool where you want to enable the user.
" + "documentation":"The ID of the user pool where you want to activate sign-in for the user.
" }, "Username":{ "shape":"UsernameType", @@ -2686,7 +2686,7 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID.
" + "documentation":"The ID of the user pool where the device owner is a user.
" }, "Username":{ "shape":"UsernameType", @@ -2694,7 +2694,7 @@ }, "DeviceKey":{ "shape":"DeviceKeyType", - "documentation":"The device key.
" + "documentation":"The key ID of the device that you want to delete. You can get device keys in the response to an AdminListDevices request.
" } }, "documentation":"Sends the forgot device request, as an administrator.
" @@ -2709,11 +2709,11 @@ "members":{ "DeviceKey":{ "shape":"DeviceKeyType", - "documentation":"The device key.
" + "documentation":"The key of the device that you want to delete. You can get device IDs in the response to an AdminListDevices request.
" }, "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID.
" + "documentation":"The ID of the user pool where the device owner is a user.
" }, "Username":{ "shape":"UsernameType", @@ -2728,7 +2728,7 @@ "members":{ "Device":{ "shape":"DeviceType", - "documentation":"The device.
" + "documentation":"Details of the requested device. Includes device information, last-accessed and created dates, and the device key.
" } }, "documentation":"Gets the device response, as an administrator.
" @@ -2742,7 +2742,7 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID for the user pool where you want to get information about the user.
" + "documentation":"The ID of the user pool where you want to get information about the user.
" }, "Username":{ "shape":"UsernameType", @@ -2761,11 +2761,11 @@ }, "UserAttributes":{ "shape":"AttributeListType", - "documentation":"An array of name-value pairs representing user attributes.
" + "documentation":"An array of name-value pairs of user attributes and their values, for example \"email\": \"testuser@example.com\"
.
The date the user was created.
" + "documentation":"The date and time when the item was created. Amazon Cognito returns this timestamp in UNIX epoch time format. Your SDK might render the output in a human-readable format like ISO 8601 or a Java Date
object.
Indicates that the status is enabled
.
Indicates whether the user is activated for sign-in. The AdminDisableUser and AdminEnableUser API operations deactivate and activate user sign-in, respectively.
" }, "UserStatus":{ "shape":"UserStatusType", - "documentation":"The user status. Can be one of the following:
UNCONFIRMED - User has been created but not confirmed.
CONFIRMED - User has been confirmed.
UNKNOWN - User status isn't known.
RESET_REQUIRED - User is confirmed, but the user must request a code and reset their password before they can sign in.
FORCE_CHANGE_PASSWORD - The user is confirmed and the user can sign in using a temporary password, but on first sign-in, the user must change their password to a new value before doing anything else.
The user's status. Can be one of the following:
UNCONFIRMED - User has been created but not confirmed.
CONFIRMED - User has been confirmed.
UNKNOWN - User status isn't known.
RESET_REQUIRED - User is confirmed, but the user must request a code and reset their password before they can sign in.
FORCE_CHANGE_PASSWORD - The user is confirmed and the user can sign in using a temporary password, but on first sign-in, the user must change their password to a new value before doing anything else.
EXTERNAL_PROVIDER - The user signed in with a third-party identity provider.
The user's preferred MFA setting.
" + "documentation":"The user's preferred MFA. Users can prefer SMS message, email message, or TOTP MFA.
" }, "UserMFASettingList":{ "shape":"UserMFASettingListType", - "documentation":"The MFA options that are activated for the user. The possible values in this list are SMS_MFA
, EMAIL_OTP
, and SOFTWARE_TOKEN_MFA
.
The MFA options that are activated for the user. The possible values in this list are SMS_MFA
, EMAIL_OTP
, and SOFTWARE_TOKEN_MFA
. You can change the MFA preference for users who have more than one available MFA factor with AdminSetUserMFAPreference or SetUserMFAPreference.
Represents the response from the server from the request to get the specified user as an administrator.
" @@ -2804,15 +2804,15 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The ID of the Amazon Cognito user pool.
" + "documentation":"The ID of the user pool where the user wants to sign in.
" }, "ClientId":{ "shape":"ClientIdType", - "documentation":"The app client ID.
" + "documentation":"The ID of the app client where the user wants to sign in.
" }, "AuthFlow":{ "shape":"AuthFlowType", - "documentation":"The authentication flow that you want to initiate. The AuthParameters
that you must submit are linked to the flow that you submit. For example:
USER_AUTH
: Request a preferred authentication type or review available authentication types. From the offered authentication types, select one in a challenge response and then authenticate with that method in an additional challenge response.
REFRESH_TOKEN_AUTH
: Receive new ID and access tokens when you pass a REFRESH_TOKEN
parameter with a valid refresh token as the value.
USER_SRP_AUTH
: Receive secure remote password (SRP) variables for the next challenge, PASSWORD_VERIFIER
, when you pass USERNAME
and SRP_A
parameters..
ADMIN_USER_PASSWORD_AUTH
: Receive new tokens or the next challenge, for example SOFTWARE_TOKEN_MFA
, when you pass USERNAME
and PASSWORD
parameters.
Valid values include the following:
The entry point for sign-in with passwords, one-time passwords, biometric devices, and security keys.
Username-password authentication with the Secure Remote Password (SRP) protocol. For more information, see Use SRP password verification in custom authentication flow.
Provide a valid refresh token and receive new ID and access tokens. For more information, see Using the refresh token.
Custom authentication with Lambda triggers. For more information, see Custom authentication challenge Lambda triggers.
Username-password authentication with the password sent directly in the request. For more information, see Admin authentication flow.
USER_PASSWORD_AUTH
is a flow type of InitiateAuth and isn't valid for AdminInitiateAuth.
The authentication flow that you want to initiate. Each AuthFlow
has linked AuthParameters
that you must submit. The following are some example flows and their parameters.
USER_AUTH
: Request a preferred authentication type or review available authentication types. From the offered authentication types, select one in a challenge response and then authenticate with that method in an additional challenge response.
REFRESH_TOKEN_AUTH
: Receive new ID and access tokens when you pass a REFRESH_TOKEN
parameter with a valid refresh token as the value.
USER_SRP_AUTH
: Receive secure remote password (SRP) variables for the next challenge, PASSWORD_VERIFIER
, when you pass USERNAME
and SRP_A
parameters..
ADMIN_USER_PASSWORD_AUTH
: Receive new tokens or the next challenge, for example SOFTWARE_TOKEN_MFA
, when you pass USERNAME
and PASSWORD
parameters.
All flows
The entry point for sign-in with passwords, one-time passwords, and WebAuthN authenticators.
Username-password authentication with the Secure Remote Password (SRP) protocol. For more information, see Use SRP password verification in custom authentication flow.
Provide a valid refresh token and receive new ID and access tokens. For more information, see Using the refresh token.
Custom authentication with Lambda triggers. For more information, see Custom authentication challenge Lambda triggers.
Username-password authentication with the password sent directly in the request. For more information, see Admin authentication flow.
USER_PASSWORD_AUTH
is a flow type of InitiateAuth and isn't valid for AdminInitiateAuth.
A map of custom key-value pairs that you can provide as input for certain custom workflows that this action triggers.
You create custom workflows by assigning Lambda functions to user pool triggers. When you use the AdminInitiateAuth API action, Amazon Cognito invokes the Lambda functions that are specified for various triggers. The ClientMetadata value is passed as input to the functions for only the following triggers:
Pre signup
Pre authentication
User migration
When Amazon Cognito invokes the functions for these triggers, it passes a JSON payload, which the function receives as input. This payload contains a validationData
attribute, which provides the data that you assigned to the ClientMetadata parameter in your AdminInitiateAuth request. In your function code in Lambda, you can process the validationData
value to enhance your workflow for your specific needs.
When you use the AdminInitiateAuth API action, Amazon Cognito also invokes the functions for the following triggers, but it doesn't provide the ClientMetadata value as input:
Post authentication
Custom message
Pre token generation
Create auth challenge
Define auth challenge
Custom email sender
Custom SMS sender
For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.
When you use the ClientMetadata parameter, remember that Amazon Cognito won't do the following:
Store the ClientMetadata value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ClientMetadata parameter serves no purpose.
Validate the ClientMetadata value.
Encrypt the ClientMetadata value. Don't use Amazon Cognito to provide sensitive information.
A map of custom key-value pairs that you can provide as input for certain custom workflows that this action triggers.
You create custom workflows by assigning Lambda functions to user pool triggers. When you use the AdminInitiateAuth API action, Amazon Cognito invokes the Lambda functions that are specified for various triggers. The ClientMetadata value is passed as input to the functions for only the following triggers:
Pre signup
Pre authentication
User migration
When Amazon Cognito invokes the functions for these triggers, it passes a JSON payload, which the function receives as input. This payload contains a validationData
attribute, which provides the data that you assigned to the ClientMetadata parameter in your AdminInitiateAuth request. In your function code in Lambda, you can process the validationData
value to enhance your workflow for your specific needs.
When you use the AdminInitiateAuth API action, Amazon Cognito also invokes the functions for the following triggers, but it doesn't provide the ClientMetadata value as input:
Post authentication
Custom message
Pre token generation
Create auth challenge
Define auth challenge
Custom email sender
Custom SMS sender
For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.
When you use the ClientMetadata
parameter, note that Amazon Cognito won't do the following:
Store the ClientMetadata
value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ClientMetadata
parameter serves no purpose.
Validate the ClientMetadata
value.
Encrypt the ClientMetadata
value. Don't send sensitive information in this parameter.
The analytics metadata for collecting Amazon Pinpoint metrics for AdminInitiateAuth
calls.
The analytics metadata for collecting Amazon Pinpoint metrics.
" }, "ContextData":{ "shape":"ContextDataType", - "documentation":"Contextual data about your user session, such as the device fingerprint, IP address, or location. Amazon Cognito advanced security evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito when it makes API requests.
" + "documentation":"Contextual data about your user session, such as the device fingerprint, IP address, or location. Amazon Cognito advanced security evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito when it makes API requests.
For more information, see Collecting data for threat protection in applications.
" }, "Session":{ "shape":"SessionType", - "documentation":"The optional session ID from a ConfirmSignUp
API request. You can sign in a user directly from the sign-up process with the USER_AUTH
authentication flow.
The optional session ID from a ConfirmSignUp
API request. You can sign in a user directly from the sign-up process with an AuthFlow
of USER_AUTH
and AuthParameters
of EMAIL_OTP
or SMS_OTP
, depending on how your user pool sent the confirmation-code message.
Initiates the authorization request, as an administrator.
" @@ -2846,7 +2846,7 @@ }, "Session":{ "shape":"SessionType", - "documentation":"The session that should be passed both ways in challenge-response calls to the service. If AdminInitiateAuth
or AdminRespondToAuthChallenge
API call determines that the caller must pass another challenge, they return a session with other challenge parameters. This session should be passed as it is to the next AdminRespondToAuthChallenge
API call.
The session that must be passed to challenge-response requests. If an AdminInitiateAuth
or AdminRespondToAuthChallenge
API request determines that the caller must pass another challenge, Amazon Cognito returns a session ID and the parameters of the next challenge. Pass this session Id in the Session
parameter of AdminRespondToAuthChallenge
.
The result of the authentication response. This is only returned if the caller doesn't need to pass another challenge. If the caller does need to pass another challenge before it gets tokens, ChallengeName
, ChallengeParameters
, and Session
are returned.
The outcome of successful authentication. This is only returned if the user pool has no additional challenges to return. If Amazon Cognito returns another challenge, the response includes ChallengeName
, ChallengeParameters
, and Session
so that your user can answer the challenge.
Initiates the authentication response, as an administrator.
" @@ -2869,7 +2869,7 @@ "members":{ "UserPoolId":{ "shape":"StringType", - "documentation":"The user pool ID for the user pool.
" + "documentation":"The ID of the user pool where you want to link a federated identity.
" }, "DestinationUser":{ "shape":"ProviderUserIdentifierType", @@ -2895,7 +2895,7 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID.
" + "documentation":"The ID of the user pool where the device owner is a user.
" }, "Username":{ "shape":"UsernameType", @@ -2903,7 +2903,7 @@ }, "Limit":{ "shape":"QueryLimitType", - "documentation":"The limit of the devices request.
" + "documentation":"The maximum number of devices that you want Amazon Cognito to return in the response.
" }, "PaginationToken":{ "shape":"SearchPaginationTokenType", @@ -2917,7 +2917,7 @@ "members":{ "Devices":{ "shape":"DeviceListType", - "documentation":"The devices in the list of devices response.
" + "documentation":"An array of devices and their information. Each entry that's returned includes device information, last-accessed and created dates, and the device key.
" }, "PaginationToken":{ "shape":"SearchPaginationTokenType", @@ -2939,15 +2939,15 @@ }, "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID for the user pool.
" + "documentation":"The ID of the user pool where you want to view a user's groups.
" }, "Limit":{ "shape":"QueryLimitType", - "documentation":"The limit of the request to list groups.
" + "documentation":"The maximum number of groups that you want Amazon Cognito to return in the response.
" }, "NextToken":{ "shape":"PaginationKey", - "documentation":"An identifier that was returned from the previous call to this operation, which can be used to return the next set of items in the list.
" + "documentation":"This API operation returns a limited number of results. The pagination token is an identifier that you can present in an additional API request with the same parameters. When you include the pagination token, Amazon Cognito returns the next set of items after the current list. Subsequent requests return a new pagination token. By use of this token, you can paginate through the full list of items.
" } } }, @@ -2956,11 +2956,11 @@ "members":{ "Groups":{ "shape":"GroupListType", - "documentation":"The groups that the user belongs to.
" + "documentation":"An array of groups and information about them.
" }, "NextToken":{ "shape":"PaginationKey", - "documentation":"An identifier that was returned from the previous call to this operation, which can be used to return the next set of items in the list.
" + "documentation":"The identifier that Amazon Cognito returned with the previous request to this operation. When you include a pagination token in your request, Amazon Cognito returns the next set of items in the list. By use of this token, you can paginate through the full list of items.
" } } }, @@ -2973,7 +2973,7 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID.
" + "documentation":"The Id of the user pool that contains the user profile with the logged events.
" }, "Username":{ "shape":"UsernameType", @@ -2985,7 +2985,7 @@ }, "NextToken":{ "shape":"PaginationKey", - "documentation":"A pagination token.
" + "documentation":"This API operation returns a limited number of results. The pagination token is an identifier that you can present in an additional API request with the same parameters. When you include the pagination token, Amazon Cognito returns the next set of items after the current list. Subsequent requests return a new pagination token. By use of this token, you can paginate through the full list of items.
" } } }, @@ -2998,7 +2998,7 @@ }, "NextToken":{ "shape":"PaginationKey", - "documentation":"A pagination token.
" + "documentation":"The identifier that Amazon Cognito returned with the previous request to this operation. When you include a pagination token in your request, Amazon Cognito returns the next set of items in the list. By use of this token, you can paginate through the full list of items.
" } } }, @@ -3012,7 +3012,7 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID for the user pool.
" + "documentation":"The ID of the user pool that contains the group and the user that you want to remove.
" }, "Username":{ "shape":"UsernameType", @@ -3020,7 +3020,7 @@ }, "GroupName":{ "shape":"GroupNameType", - "documentation":"The group name.
" + "documentation":"The name of the group that you want to remove the user from, for example MyTestGroup
.
The user pool ID for the user pool where you want to reset the user's password.
" + "documentation":"The ID of the user pool where you want to reset the user's password.
" }, "Username":{ "shape":"UsernameType", @@ -3041,7 +3041,7 @@ }, "ClientMetadata":{ "shape":"ClientMetadataType", - "documentation":"A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
You create custom workflows by assigning Lambda functions to user pool triggers. When you use the AdminResetUserPassword API action, Amazon Cognito invokes the function that is assigned to the custom message trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata
attribute, which provides the data that you assigned to the ClientMetadata parameter in your AdminResetUserPassword request. In your function code in Lambda, you can process the clientMetadata
value to enhance your workflow for your specific needs.
For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.
When you use the ClientMetadata parameter, remember that Amazon Cognito won't do the following:
Store the ClientMetadata value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ClientMetadata parameter serves no purpose.
Validate the ClientMetadata value.
Encrypt the ClientMetadata value. Don't use Amazon Cognito to provide sensitive information.
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
You create custom workflows by assigning Lambda functions to user pool triggers. The AdminResetUserPassword
API operation invokes the function that is assigned to the custom message trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata
attribute, which provides the data that you assigned to the ClientMetadata parameter in your AdminResetUserPassword request. In your function code in Lambda, you can process the clientMetadata
value to enhance your workflow for your specific needs.
For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.
When you use the ClientMetadata
parameter, note that Amazon Cognito won't do the following:
Store the ClientMetadata
value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ClientMetadata
parameter serves no purpose.
Validate the ClientMetadata
value.
Encrypt the ClientMetadata
value. Don't send sensitive information in this parameter.
Represents the request to reset a user's password as an administrator.
" @@ -3062,15 +3062,15 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The ID of the Amazon Cognito user pool.
" + "documentation":"The ID of the user pool where you want to respond to an authentication challenge.
" }, "ClientId":{ "shape":"ClientIdType", - "documentation":"The app client ID.
" + "documentation":"The ID of the app client where you initiated sign-in.
" }, "ChallengeName":{ "shape":"ChallengeNameType", - "documentation":"The challenge name. For more information, see AdminInitiateAuth.
" + "documentation":"The name of the challenge that you are responding to. You can find more information about values for ChallengeName
in the response parameters of AdminInitiateAuth.
The session that should be passed both ways in challenge-response calls to the service. If an InitiateAuth
or RespondToAuthChallenge
API call determines that the caller must pass another challenge, it returns a session with other challenge parameters. This session should be passed as it is to the next RespondToAuthChallenge
API call.
The session identifier that maintains the state of authentication requests and challenge responses. If an AdminInitiateAuth
or AdminRespondToAuthChallenge
API request results in a determination that your application must pass another challenge, Amazon Cognito returns a session with other challenge parameters. Send this session identifier, unmodified, to the next AdminRespondToAuthChallenge
request.
Contextual data about your user session, such as the device fingerprint, IP address, or location. Amazon Cognito advanced security evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito when it makes API requests.
" + "documentation":"Contextual data about your user session, such as the device fingerprint, IP address, or location. Amazon Cognito advanced security evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito when it makes API requests.
For more information, see Collecting data for threat protection in applications.
" }, "ClientMetadata":{ "shape":"ClientMetadataType", - "documentation":"A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
You create custom workflows by assigning Lambda functions to user pool triggers. When you use the AdminRespondToAuthChallenge API action, Amazon Cognito invokes any functions that you have assigned to the following triggers:
pre sign-up
custom message
post authentication
user migration
pre token generation
define auth challenge
create auth challenge
verify auth challenge response
When Amazon Cognito invokes any of these functions, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata
attribute that provides the data that you assigned to the ClientMetadata parameter in your AdminRespondToAuthChallenge request. In your function code in Lambda, you can process the clientMetadata
value to enhance your workflow for your specific needs.
For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.
When you use the ClientMetadata parameter, remember that Amazon Cognito won't do the following:
Store the ClientMetadata value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ClientMetadata parameter serves no purpose.
Validate the ClientMetadata value.
Encrypt the ClientMetadata value. Don't use Amazon Cognito to provide sensitive information.
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
You create custom workflows by assigning Lambda functions to user pool triggers. When you use the AdminRespondToAuthChallenge API action, Amazon Cognito invokes any functions that you have assigned to the following triggers:
Pre sign-up
custom message
Post authentication
User migration
Pre token generation
Define auth challenge
Create auth challenge
Verify auth challenge response
When Amazon Cognito invokes any of these functions, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata
attribute that provides the data that you assigned to the ClientMetadata parameter in your AdminRespondToAuthChallenge request. In your function code in Lambda, you can process the clientMetadata
value to enhance your workflow for your specific needs.
For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.
When you use the ClientMetadata
parameter, note that Amazon Cognito won't do the following:
Store the ClientMetadata
value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ClientMetadata
parameter serves no purpose.
Validate the ClientMetadata
value.
Encrypt the ClientMetadata
value. Don't send sensitive information in this parameter.
The request to respond to the authentication challenge, as an administrator.
" @@ -3100,19 +3100,19 @@ "members":{ "ChallengeName":{ "shape":"ChallengeNameType", - "documentation":"The name of the challenge. For more information, see AdminInitiateAuth.
" + "documentation":"The name of the challenge that you must next respond to. You can find more information about values for ChallengeName
in the response parameters of AdminInitiateAuth.
The session that should be passed both ways in challenge-response calls to the service. If the caller must pass another challenge, they return a session with other challenge parameters. This session should be passed as it is to the next RespondToAuthChallenge
API call.
The session identifier that maintains the state of authentication requests and challenge responses. If an AdminInitiateAuth
or AdminRespondToAuthChallenge
API request results in a determination that your application must pass another challenge, Amazon Cognito returns a session with other challenge parameters. Send this session identifier, unmodified, to the next AdminRespondToAuthChallenge
request.
The challenge parameters. For more information, see AdminInitiateAuth.
" + "documentation":"The parameters that define your response to the next challenge. Take the values in ChallengeParameters
and provide values for them in the ChallengeResponses of the next AdminRespondToAuthChallenge
request.
The result returned by the server in response to the authentication request.
" + "documentation":"The outcome of a successful authentication process. After your application has passed all challenges, Amazon Cognito returns an AuthenticationResult
with the JSON web tokens (JWTs) that indicate successful sign-in.
Responds to the authentication challenge, as an administrator.
" @@ -3161,7 +3161,7 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID for the user pool where you want to set the user's password.
" + "documentation":"The ID of the user pool where you want to set the user's password.
" }, "Username":{ "shape":"UsernameType", @@ -3169,11 +3169,11 @@ }, "Password":{ "shape":"PasswordType", - "documentation":"The password for the user.
" + "documentation":"The new temporary or permanent password that you want to set for the user. You can't remove the password for a user who already has a password so that they can only sign in with passwordless methods. In this scenario, you must create a new user without a password.
" }, "Permanent":{ "shape":"BooleanType", - "documentation":" True
if the password is permanent, False
if it is temporary.
Set to true
to set a password that the user can immediately sign in with. Set to false
to set a temporary password that the user must change on their next sign-in.
The user pool ID.
" + "documentation":"The ID of the user pool where you want to submit authentication-event feedback.
" }, "Username":{ "shape":"UsernameType", @@ -3230,7 +3230,7 @@ }, "EventId":{ "shape":"EventIdType", - "documentation":"The authentication event ID.
" + "documentation":"The authentication event ID. To query authentication events for a user, see AdminListUserAuthEvents.
" }, "FeedbackValue":{ "shape":"FeedbackValueType", @@ -3253,7 +3253,7 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID.
" + "documentation":"The ID of the user pool where you want to change a user's device status.
" }, "Username":{ "shape":"UsernameType", @@ -3261,11 +3261,11 @@ }, "DeviceKey":{ "shape":"DeviceKeyType", - "documentation":"The device key.
" + "documentation":"The unique identifier, or device key, of the device that you want to update the status for.
" }, "DeviceRememberedStatus":{ "shape":"DeviceRememberedStatusType", - "documentation":"The status indicating whether a device has been remembered or not.
" + "documentation":"To enable device authentication with the specified device, set to remembered
.To disable, set to not_remembered
.
The request to update the device status, as an administrator.
" @@ -3286,7 +3286,7 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID for the user pool where you want to update user attributes.
" + "documentation":"The ID of the user pool where you want to update user attributes.
" }, "Username":{ "shape":"UsernameType", @@ -3298,7 +3298,7 @@ }, "ClientMetadata":{ "shape":"ClientMetadataType", - "documentation":"A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
You create custom workflows by assigning Lambda functions to user pool triggers. When you use the AdminUpdateUserAttributes API action, Amazon Cognito invokes the function that is assigned to the custom message trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata
attribute, which provides the data that you assigned to the ClientMetadata parameter in your AdminUpdateUserAttributes request. In your function code in Lambda, you can process the clientMetadata
value to enhance your workflow for your specific needs.
For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.
When you use the ClientMetadata parameter, remember that Amazon Cognito won't do the following:
Store the ClientMetadata value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ClientMetadata parameter serves no purpose.
Validate the ClientMetadata value.
Encrypt the ClientMetadata value. Don't use Amazon Cognito to provide sensitive information.
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
You create custom workflows by assigning Lambda functions to user pool triggers. When you use the AdminUpdateUserAttributes API action, Amazon Cognito invokes the function that is assigned to the custom message trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata
attribute, which provides the data that you assigned to the ClientMetadata parameter in your AdminUpdateUserAttributes request. In your function code in Lambda, you can process the clientMetadata
value to enhance your workflow for your specific needs.
For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.
When you use the ClientMetadata
parameter, note that Amazon Cognito won't do the following:
Store the ClientMetadata
value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ClientMetadata
parameter serves no purpose.
Validate the ClientMetadata
value.
Encrypt the ClientMetadata
value. Don't send sensitive information in this parameter.
Represents the request to update the user's attributes as an administrator.
" @@ -3318,7 +3318,7 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID.
" + "documentation":"The ID of the user pool where you want to sign out a user.
" }, "Username":{ "shape":"UsernameType", @@ -3505,11 +3505,11 @@ "members":{ "AccessToken":{ "shape":"TokenModelType", - "documentation":"A valid access token that Amazon Cognito issued to the user whose software token you want to generate.
" + "documentation":"A valid access token that Amazon Cognito issued to the user whose software token you want to generate. You can provide either an access token or a session ID in the request.
" }, "Session":{ "shape":"SessionType", - "documentation":"The session that should be passed both ways in challenge-response calls to the service. This allows authentication of the user as part of the MFA setup process.
" + "documentation":"The session identifier that maintains the state of authentication requests and challenge responses. In AssociateSoftwareToken
, this is the session ID from a successful sign-in. You can provide either an access token or a session ID in the request.
A unique generated shared secret code that is used in the TOTP algorithm to generate a one-time code.
" + "documentation":"A unique generated shared secret code that is used by the TOTP algorithm to generate a one-time code.
" }, "Session":{ "shape":"SessionType", - "documentation":"The session that should be passed both ways in challenge-response calls to the service. This allows authentication of the user as part of the MFA setup process.
" + "documentation":"The session identifier that maintains the state of authentication requests and challenge responses. This session ID is valid for the next request in this flow, VerifySoftwareToken.
" } } }, @@ -3787,7 +3787,7 @@ }, "ProposedPassword":{ "shape":"PasswordType", - "documentation":"The new password.
" + "documentation":"A new password that you prompted the user to enter in your application.
" }, "AccessToken":{ "shape":"TokenModelType", @@ -3907,7 +3907,7 @@ "members":{ "AccessToken":{ "shape":"TokenModelType", - "documentation":"A valid access token that Amazon Cognito issued to the user whose passkey registration you want to verify.
" + "documentation":"A valid access token that Amazon Cognito issued to the user whose passkey registration you want to complete.
" }, "Credential":{ "shape":"Document", @@ -3989,7 +3989,7 @@ }, "DeviceKey":{ "shape":"DeviceKeyType", - "documentation":"The device key.
" + "documentation":"The unique identifier, or device key, of the device that you want to update the status for.
" }, "DeviceSecretVerifierConfig":{ "shape":"DeviceSecretVerifierConfigType", @@ -3997,20 +3997,20 @@ }, "DeviceName":{ "shape":"DeviceNameType", - "documentation":"The device name.
" + "documentation":"A friendly name for the device, for example MyMobilePhone
.
Confirms the device request.
" + "documentation":"The confirm-device request.
" }, "ConfirmDeviceResponse":{ "type":"structure", "members":{ "UserConfirmationNecessary":{ "shape":"BooleanType", - "documentation":"Indicates whether the user confirmation must confirm the device response.
" + "documentation":"When true
, your user must confirm that they want to remember the device. Prompt the user for an answer. You must then make an UpdateUserDevice request that sets the device to remembered
or not_remembered
.
When false
, immediately sets the device as remembered and eligible for device authentication.
You can configure your user pool to always remember devices, in which case this response is false
, or to allow users to opt in, in which case this response is true
. Configure this option under Device tracking in the Sign-in menu of your user pool. You can also configure this option with the DeviceConfiguration parameter of a CreateUserPool or UpdateUserPool request.
Confirms the device response.
" + "documentation":"The confirm-device response.
" }, "ConfirmForgotPasswordRequest":{ "type":"structure", @@ -4023,7 +4023,7 @@ "members":{ "ClientId":{ "shape":"ClientIdType", - "documentation":"The app client ID of the app associated with the user pool.
" + "documentation":"The ID of the app client where the user wants to reset their password. This parameter is an identifier of the client application that users are resetting their password from, but this operation resets users' passwords for all app clients in the user pool.
" }, "SecretHash":{ "shape":"SecretHashType", @@ -4035,7 +4035,7 @@ }, "ConfirmationCode":{ "shape":"ConfirmationCodeType", - "documentation":"The confirmation code from your user's request to reset their password. For more information, see ForgotPassword.
" + "documentation":"The confirmation code that your user pool sent in response to an AdminResetUserPassword or a ForgotPassword request.
" }, "Password":{ "shape":"PasswordType", @@ -4047,11 +4047,11 @@ }, "UserContextData":{ "shape":"UserContextDataType", - "documentation":"Contextual data about your user session, such as the device fingerprint, IP address, or location. Amazon Cognito advanced security evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito when it makes API requests.
" + "documentation":"Contextual data about your user session, such as the device fingerprint, IP address, or location. Amazon Cognito advanced security evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito when it makes API requests.
For more information, see Collecting data for threat protection in applications.
" }, "ClientMetadata":{ "shape":"ClientMetadataType", - "documentation":"A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
You create custom workflows by assigning Lambda functions to user pool triggers. When you use the ConfirmForgotPassword API action, Amazon Cognito invokes the function that is assigned to the post confirmation trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata
attribute, which provides the data that you assigned to the ClientMetadata parameter in your ConfirmForgotPassword request. In your function code in Lambda, you can process the clientMetadata
value to enhance your workflow for your specific needs.
For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.
When you use the ClientMetadata parameter, remember that Amazon Cognito won't do the following:
Store the ClientMetadata value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ClientMetadata parameter serves no purpose.
Validate the ClientMetadata value.
Encrypt the ClientMetadata value. Don't use Amazon Cognito to provide sensitive information.
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
You create custom workflows by assigning Lambda functions to user pool triggers. When you use the ConfirmForgotPassword API action, Amazon Cognito invokes the function that is assigned to the post confirmation trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata
attribute, which provides the data that you assigned to the ClientMetadata parameter in your ConfirmForgotPassword request. In your function code in Lambda, you can process the clientMetadata
value to enhance your workflow for your specific needs.
For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.
When you use the ClientMetadata
parameter, note that Amazon Cognito won't do the following:
Store the ClientMetadata
value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ClientMetadata
parameter serves no purpose.
Validate the ClientMetadata
value.
Encrypt the ClientMetadata
value. Don't send sensitive information in this parameter.
The request representing the confirmation for a password reset.
" @@ -4076,7 +4076,7 @@ }, "SecretHash":{ "shape":"SecretHashType", - "documentation":"A keyed-hash message authentication code (HMAC) calculated using the secret key of a user pool client and username plus the client ID in the message.
" + "documentation":"A keyed-hash message authentication code (HMAC) calculated using the secret key of a user pool client and username plus the client ID in the message. For more information about SecretHash
, see Computing secret hash values.
The confirmation code sent by a user's request to confirm registration.
" + "documentation":"The confirmation code that your user pool sent in response to the SignUp
request.
Boolean to be specified to force user confirmation irrespective of existing alias. By default set to False
. If this parameter is set to True
and the phone number/email used for sign up confirmation already exists as an alias with a different user, the API call will migrate the alias from the previous user to the newly created user being confirmed. If set to False
, the API will throw an AliasExistsException error.
When true
, forces user confirmation despite any existing aliases. Defaults to false
. A value of true
migrates the alias from an existing user to the new user if an existing user already has the phone number or email address as an alias.
Say, for example, that an existing user has an email
attribute of bob@example.com
and email is an alias in your user pool. If the new user also has an email of bob@example.com
and your ConfirmSignUp
response sets ForceAliasCreation
to true
, the new user can sign in with a username of bob@example.com
and the existing user can no longer do so.
If false
and an attribute belongs to an existing alias, this request returns an AliasExistsException error.
For more information about sign-in aliases, see Customizing sign-in attributes.
" }, "AnalyticsMetadata":{ "shape":"AnalyticsMetadataType", @@ -4096,11 +4096,11 @@ }, "UserContextData":{ "shape":"UserContextDataType", - "documentation":"Contextual data about your user session, such as the device fingerprint, IP address, or location. Amazon Cognito advanced security evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito when it makes API requests.
" + "documentation":"Contextual data about your user session, such as the device fingerprint, IP address, or location. Amazon Cognito advanced security evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito when it makes API requests.
For more information, see Collecting data for threat protection in applications.
" }, "ClientMetadata":{ "shape":"ClientMetadataType", - "documentation":"A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
You create custom workflows by assigning Lambda functions to user pool triggers. When you use the ConfirmSignUp API action, Amazon Cognito invokes the function that is assigned to the post confirmation trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata
attribute, which provides the data that you assigned to the ClientMetadata parameter in your ConfirmSignUp request. In your function code in Lambda, you can process the clientMetadata
value to enhance your workflow for your specific needs.
For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.
When you use the ClientMetadata parameter, remember that Amazon Cognito won't do the following:
Store the ClientMetadata value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ClientMetadata parameter serves no purpose.
Validate the ClientMetadata value.
Encrypt the ClientMetadata value. Don't use Amazon Cognito to provide sensitive information.
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
You create custom workflows by assigning Lambda functions to user pool triggers. When you use the ConfirmSignUp API action, Amazon Cognito invokes the function that is assigned to the post confirmation trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata
attribute, which provides the data that you assigned to the ClientMetadata parameter in your ConfirmSignUp request. In your function code in Lambda, you can process the clientMetadata
value to enhance your workflow for your specific needs.
For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.
When you use the ClientMetadata
parameter, note that Amazon Cognito won't do the following:
Store the ClientMetadata
value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ClientMetadata
parameter serves no purpose.
Validate the ClientMetadata
value.
Encrypt the ClientMetadata
value. Don't send sensitive information in this parameter.
You can automatically sign users in with the one-time password that they provided in a successful ConfirmSignUp
request. To do this, pass the Session
parameter from the ConfirmSignUp
response in the Session
parameter of an InitiateAuth or AdminInitiateAuth request.
A session identifier that you can use to immediately sign in the confirmed user. You can automatically sign users in with the one-time password that they provided in a successful ConfirmSignUp
request. To do this, pass the Session
parameter from this response in the Session
parameter of an InitiateAuth or AdminInitiateAuth request.
Represents the response from the server for the registration confirmation.
" @@ -4166,19 +4166,19 @@ "members":{ "GroupName":{ "shape":"GroupNameType", - "documentation":"The name of the group. Must be unique.
" + "documentation":"A name for the group. This name must be unique in your user pool.
" }, "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID for the user pool.
" + "documentation":"The ID of the user pool where you want to create a user group.
" }, "Description":{ "shape":"DescriptionType", - "documentation":"A string containing the description of the group.
" + "documentation":"A description of the group that you're creating.
" }, "RoleArn":{ "shape":"ArnType", - "documentation":"The role Amazon Resource Name (ARN) for the group.
" + "documentation":"The Amazon Resource Name (ARN) for the IAM role that you want to associate with the group. A group role primarily declares a preferred role for the credentials that you get from an identity pool. Amazon Cognito ID tokens have a cognito:preferred_role
claim that presents the highest-precedence group that a user belongs to. Both ID and access tokens also contain a cognito:groups
claim that list all the groups that a user is a member of.
The group object for the group.
" + "documentation":"The response object for a created group.
" } } }, @@ -4206,15 +4206,15 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID.
" + "documentation":"The Id of the user pool where you want to create an IdP.
" }, "ProviderName":{ "shape":"ProviderNameTypeV2", - "documentation":"The IdP name.
" + "documentation":"The name that you want to assign to the IdP. You can pass the identity provider name in the identity_provider
query parameter of requests to the Authorize endpoint to silently redirect to sign-in with the associated IdP.
The IdP type.
" + "documentation":"The type of IdP that you want to add. Amazon Cognito supports OIDC, SAML 2.0, Login With Amazon, Sign In With Apple, Google, and Facebook IdPs.
" }, "ProviderDetails":{ "shape":"ProviderDetailsType", @@ -4222,11 +4222,11 @@ }, "AttributeMapping":{ "shape":"AttributeMappingType", - "documentation":"A mapping of IdP attributes to standard and custom user pool attributes.
" + "documentation":"A mapping of IdP attributes to standard and custom user pool attributes. Specify a user pool attribute as the key of the key-value pair, and the IdP attribute claim name as the value.
" }, "IdpIdentifiers":{ "shape":"IdpIdentifiersListType", - "documentation":"A list of IdP identifiers.
" + "documentation":"An array of IdP identifiers, for example \"IdPIdentifiers\": [ \"MyIdP\", \"MyIdP2\" ]
. Identifiers are friendly names that you can pass in the idp_identifier
query parameter of requests to the Authorize endpoint to silently redirect to sign-in with the associated IdP. Identifiers in a domain format also enable the use of email-address matching with SAML providers.
The newly created IdP object.
" + "documentation":"The details of the new user pool IdP.
" } } }, @@ -4257,7 +4257,7 @@ }, "UseCognitoProvidedValues":{ "shape":"BooleanType", - "documentation":"When true, applies the default branding style options. This option reverts to default style options that are managed by Amazon Cognito. You can modify them later in the branding designer.
When you specify true
for this option, you must also omit values for Settings
and Assets
in the request.
When true, applies the default branding style options. These default options are managed by Amazon Cognito. You can modify them later in the branding designer.
When you specify true
for this option, you must also omit values for Settings
and Assets
in the request.
The user pool ID for the user pool.
" + "documentation":"The ID of the user pool where you want to create a resource server.
" }, "Identifier":{ "shape":"ResourceServerIdentifierType", @@ -4300,7 +4300,7 @@ }, "Scopes":{ "shape":"ResourceServerScopeListType", - "documentation":"A list of scopes. Each scope is a key-value map with the keys name
and description
.
A list of custom scopes. Each scope is a key-value map with the keys ScopeName
and ScopeDescription
. The name of a custom scope is a combination of ScopeName
and the resource server Name
in this request, for example MyResourceServerName/MyScopeName
.
The newly created resource server.
" + "documentation":"The details of the new resource server.
" } } }, @@ -4324,15 +4324,15 @@ "members":{ "JobName":{ "shape":"UserImportJobNameType", - "documentation":"The job name for the user import job.
" + "documentation":"A friendly name for the user import job.
" }, "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID for the user pool that the users are being imported into.
" + "documentation":"The ID of the user pool that you want to import users into.
" }, "CloudWatchLogsRoleArn":{ "shape":"ArnType", - "documentation":"The role ARN for the Amazon CloudWatch Logs Logging role for the user import job.
" + "documentation":"You must specify an IAM role that has permission to log import-job results to Amazon CloudWatch Logs. This parameter is the ARN of that role.
" } }, "documentation":"Represents the request to create the user import job.
" @@ -4342,7 +4342,7 @@ "members":{ "UserImportJob":{ "shape":"UserImportJobType", - "documentation":"The job object that represents the user import job.
" + "documentation":"The details of the user import job.
" } }, "documentation":"Represents the response from the server to the request to create the user import job.
" @@ -4356,15 +4356,15 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID for the user pool where you want to create a user pool client.
" + "documentation":"The ID of the user pool where you want to create an app client.
" }, "ClientName":{ "shape":"ClientNameType", - "documentation":"The client name for the user pool client you would like to create.
" + "documentation":"A friendly name for the app client that you want to create.
" }, "GenerateSecret":{ "shape":"GenerateSecret", - "documentation":"Boolean to specify whether you want to generate a secret for the user pool client being created.
" + "documentation":"When true
, generates a client secret for the app client. Client secrets are used with server-side and machine-to-machine applications. For more information, see App client types.
The units in which the validity times are represented. The default unit for RefreshToken is days, and default for ID and access tokens are hours.
" + "documentation":"The units that validity times are represented in. The default unit for refresh tokens is days, and the default for ID and access tokens are hours.
" }, "ReadAttributes":{ "shape":"ClientPermissionListType", @@ -4396,19 +4396,19 @@ }, "SupportedIdentityProviders":{ "shape":"SupportedIdentityProvidersListType", - "documentation":"A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: COGNITO
, Facebook
, Google
, SignInWithApple
, and LoginWithAmazon
. You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example MySAMLIdP
or MyOIDCIdP
.
This setting applies to providers that you can access with the hosted UI and OAuth 2.0 authorization server. The removal of COGNITO
from this list doesn't prevent authentication operations for local users with the user pools API in an Amazon Web Services SDK. The only way to prevent API-based authentication is to block access with a WAF rule.
A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: COGNITO
, Facebook
, Google
, SignInWithApple
, and LoginWithAmazon
. You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example MySAMLIdP
or MyOIDCIdP
.
This setting applies to providers that you can access with managed login. The removal of COGNITO
from this list doesn't prevent authentication operations for local users with the user pools API in an Amazon Web Services SDK. The only way to prevent API-based authentication is to block access with a WAF rule.
A list of allowed redirect (callback) URLs for the IdPs.
A redirect URI must:
Be an absolute URI.
Be registered with the authorization server.
Not include a fragment component.
See OAuth 2.0 - Redirection Endpoint.
Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only.
App callback URLs such as myapp://example are also supported.
" + "documentation":"A list of allowed redirect (callback) URLs for the IdPs.
A redirect URI must:
Be an absolute URI.
Be registered with the authorization server. Amazon Cognito doesn't accept authorization requests with redirect_uri
values that aren't in the list of CallbackURLs
that you provide in this parameter.
Not include a fragment component.
See OAuth 2.0 - Redirection Endpoint.
Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only.
App callback URLs such as myapp://example are also supported.
" }, "LogoutURLs":{ "shape":"LogoutURLsListType", - "documentation":"A list of allowed logout URLs for the IdPs.
" + "documentation":"A list of allowed logout URLs for managed login authentication. For more information, see Logout endpoint.
" }, "DefaultRedirectURI":{ "shape":"RedirectUrlType", - "documentation":"The default redirect URI. In app clients with one assigned IdP, replaces redirect_uri
in authentication requests. Must be in the CallbackURLs
list.
A redirect URI must:
Be an absolute URI.
Be registered with the authorization server.
Not include a fragment component.
For more information, see Default redirect URI.
Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only.
App callback URLs such as myapp://example are also supported.
" + "documentation":"The default redirect URI. In app clients with one assigned IdP, replaces redirect_uri
in authentication requests. Must be in the CallbackURLs
list.
The allowed OAuth scopes. Possible values provided by OAuth are phone
, email
, openid
, and profile
. Possible values provided by Amazon Web Services are aws.cognito.signin.user.admin
. Custom scopes created in Resource Servers are also supported.
The OAuth 2.0 scopes that you want to permit your app client to authorize. Scopes govern access control to user pool self-service API operations, user data from the userInfo
endpoint, and third-party APIs. Possible values provided by OAuth are phone
, email
, openid
, and profile
. Possible values provided by Amazon Web Services are aws.cognito.signin.user.admin
. Custom scopes created in Resource Servers are also supported.
The user pool analytics configuration for collecting metrics and sending them to your Amazon Pinpoint campaign.
In Amazon Web Services Regions where Amazon Pinpoint isn't available, user pools only support sending events to Amazon Pinpoint projects in Amazon Web Services Region us-east-1. In Regions where Amazon Pinpoint is available, user pools support sending events to Amazon Pinpoint projects within that same Region.
The user pool analytics configuration for collecting metrics and sending them to your Amazon Pinpoint campaign.
In Amazon Web Services Regions where Amazon Pinpoint isn't available, user pools might not have access to analytics or might be configurable with campaigns in the US East (N. Virginia) Region. For more information, see Using Amazon Pinpoint analytics.
" }, "PreventUserExistenceErrors":{ "shape":"PreventUserExistenceErrorTypes", @@ -4450,7 +4450,7 @@ "members":{ "UserPoolClient":{ "shape":"UserPoolClientType", - "documentation":"The user pool client that was just created.
" + "documentation":"The details of the new app client.
" } }, "documentation":"Represents the response from the server to create a user pool client.
" @@ -4464,7 +4464,7 @@ "members":{ "Domain":{ "shape":"DomainType", - "documentation":"The domain string. For custom domains, this is the fully-qualified domain name, such as auth.example.com
. For Amazon Cognito prefix domains, this is the prefix alone, such as auth
.
The domain string. For custom domains, this is the fully-qualified domain name, such as auth.example.com
. For prefix domains, this is the prefix alone, such as myprefix
. A prefix value of myprefix
for a user pool in the us-east-1 Region results in a domain of myprefix.auth.us-east-1.amazoncognito.com
.
The version of managed login branding that you want to apply to your domain. A value of 1
indicates hosted UI (classic) branding and a version of 2
indicates managed login branding.
Managed login requires that your user pool be configured for any feature plan other than Lite
.
The version of managed login branding that you want to apply to your domain. A value of 1
indicates hosted UI (classic) and a version of 2
indicates managed login.
Managed login requires that your user pool be configured for any feature plan other than Lite
.
The configuration for a custom domain that hosts the sign-up and sign-in webpages for your application.
Provide this parameter only if you want to use a custom domain for your user pool. Otherwise, you can exclude this parameter and use the Amazon Cognito hosted domain instead.
For more information about the hosted domain and custom domains, see Configuring a User Pool Domain.
" + "documentation":"The configuration for a custom domain. Configures your domain with an Certificate Manager certificate in the us-east-1
Region.
Provide this parameter only if you want to use a custom domain for your user pool. Otherwise, you can exclude this parameter and use a prefix domain instead.
For more information about the hosted domain and custom domains, see Configuring a User Pool Domain.
" } } }, @@ -4485,7 +4485,7 @@ "members":{ "ManagedLoginVersion":{ "shape":"WrappedIntegerType", - "documentation":"The version of managed login branding applied your domain. A value of 1
indicates hosted UI (classic) branding and a version of 2
indicates managed login branding.
The version of managed login branding applied your domain. A value of 1
indicates hosted UI (classic) and a version of 2
indicates managed login.
A string used to name the user pool.
" + "documentation":"A friendlhy name for your user pool.
" }, "Policies":{ "shape":"UserPoolPolicyType", - "documentation":"The policies associated with the new user pool.
" + "documentation":"The password policy and sign-in policy in the user pool. The password policy sets options like password complexity requirements and password history. The sign-in policy sets the options available to applications in choice-based authentication.
" }, "DeletionProtection":{ "shape":"DeletionProtectionType", @@ -4515,15 +4515,15 @@ }, "AutoVerifiedAttributes":{ "shape":"VerifiedAttributesListType", - "documentation":"The attributes to be auto-verified. Possible values: email, phone_number.
" + "documentation":"The attributes that you want your user pool to automatically verify. Possible values: email, phone_number. For more information see Verifying contact information at sign-up.
" }, "AliasAttributes":{ "shape":"AliasAttributesListType", - "documentation":"Attributes supported as an alias for this user pool. Possible values: phone_number, email, or preferred_username.
" + "documentation":"Attributes supported as an alias for this user pool. Possible values: phone_number, email, or preferred_username. For more information about alias attributes, see Customizing sign-in attributes.
" }, "UsernameAttributes":{ "shape":"UsernameAttributesListType", - "documentation":"Specifies whether a user can use an email address or phone number as a username when they sign up.
" + "documentation":"Specifies whether a user can use an email address or phone number as a username when they sign up. For more information, see Customizing sign-in attributes.
" }, "SmsVerificationMessage":{ "shape":"SmsVerificationMessageType", @@ -4547,7 +4547,7 @@ }, "MfaConfiguration":{ "shape":"UserPoolMfaType", - "documentation":"Specifies MFA configuration details.
" + "documentation":"Sets multi-factor authentication (MFA) to be on, off, or optional. When ON
, all users must set up MFA before they can sign in. When OPTIONAL
, your application must make a client-side determination of whether a user wants to register an MFA device. For user pools with adaptive authentication with threat protection, choose OPTIONAL
.
The device-remembering configuration for a user pool. A null value indicates that you have deactivated device remembering in your user pool.
When you provide a value for any DeviceConfiguration
field, you activate the Amazon Cognito device-remembering feature.
The device-remembering configuration for a user pool. Device remembering or device tracking is a \"Remember me on this device\" option for user pools that perform authentication with the device key of a trusted device in the back end, instead of a user-provided MFA code. For more information about device authentication, see Working with user devices in your user pool. A null value indicates that you have deactivated device remembering in your user pool.
When you provide a value for any DeviceConfiguration
field, you activate the Amazon Cognito device-remembering feature. For more infor
The SMS configuration with the settings that your Amazon Cognito user pool must use to send an SMS message from your Amazon Web Services account through Amazon Simple Notification Service. To send SMS messages with Amazon SNS in the Amazon Web Services Region that you want, the Amazon Cognito user pool uses an Identity and Access Management (IAM) role in your Amazon Web Services account.
" + "documentation":"The SMS configuration with the settings that your Amazon Cognito user pool must use to send an SMS message from your Amazon Web Services account through Amazon Simple Notification Service. To send SMS messages with Amazon SNS in the Amazon Web Services Region that you want, the Amazon Cognito user pool uses an Identity and Access Management (IAM) role in your Amazon Web Services account. For more information see SMS message settings.
" }, "UserPoolTags":{ "shape":"UserPoolTagsType", @@ -4571,11 +4571,11 @@ }, "AdminCreateUserConfig":{ "shape":"AdminCreateUserConfigType", - "documentation":"The configuration for AdminCreateUser
requests.
The configuration for AdminCreateUser requests. Includes the template for the invitation message for new users, the duration of temporary passwords, and permitting self-service sign-up.
" }, "Schema":{ "shape":"SchemaAttributesListType", - "documentation":"An array of schema attributes for the new user pool. These attributes can be standard or custom attributes.
" + "documentation":"An array of attributes for the new user pool. You can add custom attributes and modify the properties of default attributes. The specifications in this parameter set the required attributes in your user pool. For more information, see Working with user attributes.
" }, "UserPoolAddOns":{ "shape":"UserPoolAddOnsType", @@ -4583,7 +4583,7 @@ }, "UsernameConfiguration":{ "shape":"UsernameConfigurationType", - "documentation":"Case sensitivity on the username input for the selected sign-in option. When case sensitivity is set to False
(case insensitive), users can sign in with any combination of capital and lowercase letters. For example, username
, USERNAME
, or UserName
, or for email, email@example.com
or EMaiL@eXamplE.Com
. For most use cases, set case sensitivity to False
(case insensitive) as a best practice. When usernames and email addresses are case insensitive, Amazon Cognito treats any variation in case as the same user, and prevents a case variation from being assigned to the same attribute for a different user.
This configuration is immutable after you set it. For more information, see UsernameConfigurationType.
" + "documentation":"Sets the case sensitivity option for sign-in usernames. When CaseSensitive
is false
(case insensitive), users can sign in with any combination of capital and lowercase letters. For example, username
, USERNAME
, or UserName
, or for email, email@example.com
or EMaiL@eXamplE.Com
. For most use cases, set case sensitivity to false
as a best practice. When usernames and email addresses are case insensitive, Amazon Cognito treats any variation in case as the same user, and prevents a case variation from being assigned to the same attribute for a different user.
When CaseSensitive
is true
(case sensitive), Amazon Cognito interprets USERNAME
and UserName
as distinct users.
This configuration is immutable after you set it.
" }, "AccountRecoverySetting":{ "shape":"AccountRecoverySettingType", @@ -4601,7 +4601,7 @@ "members":{ "UserPool":{ "shape":"UserPoolType", - "documentation":"A container for the user pool details.
" + "documentation":"The details of the created user pool.
" } }, "documentation":"Represents the response from the server for the request to create a user pool.
" @@ -4690,11 +4690,11 @@ "members":{ "GroupName":{ "shape":"GroupNameType", - "documentation":"The name of the group.
" + "documentation":"The name of the group that you want to delete.
" }, "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID for the user pool.
" + "documentation":"The ID of the user pool where you want to delete the group.
" } } }, @@ -4707,11 +4707,11 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID.
" + "documentation":"The ID of the user pool where you want to delete the identity provider.
" }, "ProviderName":{ "shape":"ProviderNameType", - "documentation":"The IdP name.
" + "documentation":"The name of the IdP that you want to delete.
" } } }, @@ -4741,11 +4741,11 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID for the user pool that hosts the resource server.
" + "documentation":"The ID of the user pool where you want to delete the resource server.
" }, "Identifier":{ "shape":"ResourceServerIdentifierType", - "documentation":"The identifier for the resource server.
" + "documentation":"The identifier of the resource server that you want to delete.
" } } }, @@ -4758,7 +4758,7 @@ "members":{ "UserAttributeNames":{ "shape":"AttributeNameListType", - "documentation":"An array of strings representing the user attribute names you want to delete.
For custom attributes, you must prependattach the custom:
prefix to the front of the attribute name.
An array of strings representing the user attribute names you want to delete.
For custom attributes, you must prepend the custom:
prefix to the attribute name, for example custom:department
.
The user pool ID for the user pool where you want to delete the client.
" + "documentation":"The ID of the user pool where you want to delete the client.
" }, "ClientId":{ "shape":"ClientIdType", - "documentation":"The app client ID of the app associated with the user pool.
" + "documentation":"The ID of the user pool app client that you want to delete.
" } }, "documentation":"Represents the request to delete a user pool client.
" @@ -4800,11 +4800,11 @@ "members":{ "Domain":{ "shape":"DomainType", - "documentation":"The domain string. For custom domains, this is the fully-qualified domain name, such as auth.example.com
. For Amazon Cognito prefix domains, this is the prefix alone, such as auth
.
The domain that you want to delete. For custom domains, this is the fully-qualified domain name, such as auth.example.com
. For Amazon Cognito prefix domains, this is the prefix alone, such as auth
.
The user pool ID.
" + "documentation":"The ID of the user pool where you want to delete the domain.
" } } }, @@ -4819,7 +4819,7 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID for the user pool you want to delete.
" + "documentation":"The ID of the user pool that you want to delete.
" } }, "documentation":"Represents the request to delete a user pool.
" @@ -4844,11 +4844,11 @@ "members":{ "AccessToken":{ "shape":"TokenModelType", - "documentation":"A valid access token that Amazon Cognito issued to the user whose passkey you want to delete.
" + "documentation":"A valid access token that Amazon Cognito issued to the user whose passkey credential you want to delete.
" }, "CredentialId":{ "shape":"StringType", - "documentation":"The unique identifier of the passkey that you want to delete. Look up registered devices with ListWebAuthnCredentials.
" + "documentation":"The unique identifier of the passkey that you want to delete. Look up registered devices with ListWebAuthnCredentials.
" } } }, @@ -4884,11 +4884,11 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID.
" + "documentation":"The ID of the user pool that has the IdP that you want to describe..
" }, "ProviderName":{ "shape":"ProviderNameType", - "documentation":"The IdP name.
" + "documentation":"The name of the IdP that you want to describe.
" } } }, @@ -4898,7 +4898,7 @@ "members":{ "IdentityProvider":{ "shape":"IdentityProviderType", - "documentation":"The identity provider details.
" + "documentation":"The details of the requested IdP.
" } } }, @@ -4971,7 +4971,7 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID for the user pool that hosts the resource server.
" + "documentation":"The ID of the user pool that hosts the resource server.
" }, "Identifier":{ "shape":"ResourceServerIdentifierType", @@ -4985,7 +4985,7 @@ "members":{ "ResourceServer":{ "shape":"ResourceServerType", - "documentation":"The resource server.
" + "documentation":"The details of the requested resource server.
" } } }, @@ -4995,11 +4995,11 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID.
" + "documentation":"The ID of the user pool with the risk configuration that you want to inspect. You can apply default risk configuration at the user pool level and further customize it from user pool defaults at the app-client level. Specify ClientId
to inspect client-level configuration, or UserPoolId
to inspect pool-level configuration.
The app client ID.
" + "documentation":"The ID of the app client with the risk configuration that you want to inspect. You can apply default risk configuration at the user pool level and further customize it from user pool defaults at the app-client level. Specify ClientId
to inspect client-level configuration, or UserPoolId
to inspect pool-level configuration.
The risk configuration.
" + "documentation":"The details of the requested risk configuration.
" } } }, @@ -5022,11 +5022,11 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID for the user pool that the users are being imported into.
" + "documentation":"The ID of the user pool that's associated with the import job.
" }, "JobId":{ "shape":"UserImportJobIdType", - "documentation":"The job ID for the user import job.
" + "documentation":"The Id of the user import job that you want to describe.
" } }, "documentation":"Represents the request to describe the user import job.
" @@ -5036,7 +5036,7 @@ "members":{ "UserImportJob":{ "shape":"UserImportJobType", - "documentation":"The job object that represents the user import job.
" + "documentation":"The details of the user import job.
" } }, "documentation":"Represents the response from the server to the request to describe the user import job.
" @@ -5050,11 +5050,11 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID for the user pool you want to describe.
" + "documentation":"The ID of the user pool that contains the app client you want to describe.
" }, "ClientId":{ "shape":"ClientIdType", - "documentation":"The app client ID of the app associated with the user pool.
" + "documentation":"The ID of the app client that you want to describe.
" } }, "documentation":"Represents the request to describe a user pool client.
" @@ -5064,7 +5064,7 @@ "members":{ "UserPoolClient":{ "shape":"UserPoolClientType", - "documentation":"The user pool client from a server response to describe the user pool client.
" + "documentation":"The details of the request app client.
" } }, "documentation":"Represents the response from the server from a request to describe the user pool client.
" @@ -5075,7 +5075,7 @@ "members":{ "Domain":{ "shape":"DomainType", - "documentation":"The domain string. For custom domains, this is the fully-qualified domain name, such as auth.example.com
. For Amazon Cognito prefix domains, this is the prefix alone, such as auth
.
The domain that you want to describe. For custom domains, this is the fully-qualified domain name, such as auth.example.com
. For Amazon Cognito prefix domains, this is the prefix alone, such as auth
.
A domain description object containing information about the domain.
" + "documentation":"The details of the requested user pool domain.
" } } }, @@ -5094,7 +5094,7 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID for the user pool you want to describe.
" + "documentation":"The ID of the user pool you want to describe.
" } }, "documentation":"Represents the request to describe the user pool.
" @@ -5104,7 +5104,7 @@ "members":{ "UserPool":{ "shape":"UserPoolType", - "documentation":"The container of metadata returned by the server to describe the pool.
" + "documentation":"The details of the requested user pool.
" } }, "documentation":"Represents the response to describe the user pool.
" @@ -5307,11 +5307,11 @@ "members":{ "Message":{ "shape":"EmailMfaMessageType", - "documentation":"The template for the email message that your user pool sends to users with an MFA code. The message must contain the {####}
placeholder. In the message, Amazon Cognito replaces this placeholder with the code. If you don't provide this parameter, Amazon Cognito sends messages in the default format.
The template for the email message that your user pool sends to users with a code for MFA and sign-in with an email OTP. The message must contain the {####}
placeholder. In the message, Amazon Cognito replaces this placeholder with the code. If you don't provide this parameter, Amazon Cognito sends messages in the default format.
The subject of the email message that your user pool sends to users with an MFA code.
" + "documentation":"The subject of the email message that your user pool sends to users with a code for MFA and email OTP sign-in.
" } }, "documentation":"Sets or shows user pool email message configuration for MFA. Includes the subject and body of the email message template for MFA messages. To activate this setting, advanced security features must be active in your user pool.
This data type is a request parameter of SetUserPoolMfaConfig and a response parameter of GetUserPoolMfaConfig.
" @@ -5594,11 +5594,11 @@ }, "SecretHash":{ "shape":"SecretHashType", - "documentation":"A keyed-hash message authentication code (HMAC) calculated using the secret key of a user pool client and username plus the client ID in the message.
" + "documentation":"A keyed-hash message authentication code (HMAC) calculated using the secret key of a user pool client and username plus the client ID in the message. For more information about SecretHash
, see Computing secret hash values.
Contextual data about your user session, such as the device fingerprint, IP address, or location. Amazon Cognito advanced security evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito when it makes API requests.
" + "documentation":"Contextual data about your user session, such as the device fingerprint, IP address, or location. Amazon Cognito advanced security evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito when it makes API requests.
For more information, see Collecting data for threat protection in applications.
" }, "Username":{ "shape":"UsernameType", @@ -5610,7 +5610,7 @@ }, "ClientMetadata":{ "shape":"ClientMetadataType", - "documentation":"A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
You create custom workflows by assigning Lambda functions to user pool triggers. When you use the ForgotPassword API action, Amazon Cognito invokes any functions that are assigned to the following triggers: pre sign-up, custom message, and user migration. When Amazon Cognito invokes any of these functions, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata
attribute, which provides the data that you assigned to the ClientMetadata parameter in your ForgotPassword request. In your function code in Lambda, you can process the clientMetadata
value to enhance your workflow for your specific needs.
For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.
When you use the ClientMetadata parameter, remember that Amazon Cognito won't do the following:
Store the ClientMetadata value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ClientMetadata parameter serves no purpose.
Validate the ClientMetadata value.
Encrypt the ClientMetadata value. Don't use Amazon Cognito to provide sensitive information.
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
You create custom workflows by assigning Lambda functions to user pool triggers. When you use the ForgotPassword API action, Amazon Cognito invokes any functions that are assigned to the following triggers: pre sign-up, custom message, and user migration. When Amazon Cognito invokes any of these functions, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata
attribute, which provides the data that you assigned to the ClientMetadata parameter in your ForgotPassword request. In your function code in Lambda, you can process the clientMetadata
value to enhance your workflow for your specific needs.
For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.
When you use the ClientMetadata
parameter, note that Amazon Cognito won't do the following:
Store the ClientMetadata
value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ClientMetadata
parameter serves no purpose.
Validate the ClientMetadata
value.
Encrypt the ClientMetadata
value. Don't send sensitive information in this parameter.
Represents the request to reset a user's password.
" @@ -5632,7 +5632,7 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID for the user pool that the users are to be imported into.
" + "documentation":"The ID of the user pool that the users are to be imported into.
" } }, "documentation":"Represents the request to get the header information of the CSV file for the user import job.
" @@ -5642,7 +5642,7 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID for the user pool that the users are to be imported into.
" + "documentation":"The ID of the user pool that the users are to be imported into.
" }, "CSVHeader":{ "shape":"ListOfStringTypes", @@ -5690,7 +5690,7 @@ }, "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID for the user pool.
" + "documentation":"The ID of the user pool.
" } } }, @@ -5776,7 +5776,7 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID for the user pool.
" + "documentation":"The ID of the user pool.
" }, "ClientId":{ "shape":"ClientIdType", @@ -5811,7 +5811,7 @@ }, "ClientMetadata":{ "shape":"ClientMetadataType", - "documentation":"A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
You create custom workflows by assigning Lambda functions to user pool triggers. When you use the GetUserAttributeVerificationCode API action, Amazon Cognito invokes the function that is assigned to the custom message trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata
attribute, which provides the data that you assigned to the ClientMetadata parameter in your GetUserAttributeVerificationCode request. In your function code in Lambda, you can process the clientMetadata
value to enhance your workflow for your specific needs.
For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.
When you use the ClientMetadata parameter, remember that Amazon Cognito won't do the following:
Store the ClientMetadata value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ClientMetadata parameter serves no purpose.
Validate the ClientMetadata value.
Encrypt the ClientMetadata value. Don't use Amazon Cognito to provide sensitive information.
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
You create custom workflows by assigning Lambda functions to user pool triggers. When you use the GetUserAttributeVerificationCode API action, Amazon Cognito invokes the function that is assigned to the custom message trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata
attribute, which provides the data that you assigned to the ClientMetadata parameter in your GetUserAttributeVerificationCode request. In your function code in Lambda, you can process the clientMetadata
value to enhance your workflow for your specific needs.
For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.
When you use the ClientMetadata
parameter, note that Amazon Cognito won't do the following:
Store the ClientMetadata
value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ClientMetadata
parameter serves no purpose.
Validate the ClientMetadata
value.
Encrypt the ClientMetadata
value. Don't send sensitive information in this parameter.
Represents the request to get user attribute verification.
" @@ -6106,7 +6106,7 @@ "members":{ "AuthFlow":{ "shape":"AuthFlowType", - "documentation":"The authentication flow that you want to initiate. The AuthParameters
that you must submit are linked to the flow that you submit. For example:
USER_AUTH
: Request a preferred authentication type or review available authentication types. From the offered authentication types, select one in a challenge response and then authenticate with that method in an additional challenge response.
REFRESH_TOKEN_AUTH
: Receive new ID and access tokens when you pass a REFRESH_TOKEN
parameter with a valid refresh token as the value.
USER_SRP_AUTH
: Receive secure remote password (SRP) variables for the next challenge, PASSWORD_VERIFIER
, when you pass USERNAME
and SRP_A
parameters.
USER_PASSWORD_AUTH
: Receive new tokens or the next challenge, for example SOFTWARE_TOKEN_MFA
, when you pass USERNAME
and PASSWORD
parameters.
Valid values include the following:
The entry point for sign-in with passwords, one-time passwords, biometric devices, and security keys.
Username-password authentication with the Secure Remote Password (SRP) protocol. For more information, see Use SRP password verification in custom authentication flow.
Provide a valid refresh token and receive new ID and access tokens. For more information, see Using the refresh token.
Custom authentication with Lambda triggers. For more information, see Custom authentication challenge Lambda triggers.
Username-password authentication with the password sent directly in the request. For more information, see Admin authentication flow.
ADMIN_USER_PASSWORD_AUTH
is a flow type of AdminInitiateAuth and isn't valid for InitiateAuth. ADMIN_NO_SRP_AUTH
is a legacy server-side username-password flow and isn't valid for InitiateAuth.
The authentication flow that you want to initiate. Each AuthFlow
has linked AuthParameters
that you must submit. The following are some example flows and their parameters.
USER_AUTH
: Request a preferred authentication type or review available authentication types. From the offered authentication types, select one in a challenge response and then authenticate with that method in an additional challenge response.
REFRESH_TOKEN_AUTH
: Receive new ID and access tokens when you pass a REFRESH_TOKEN
parameter with a valid refresh token as the value.
USER_SRP_AUTH
: Receive secure remote password (SRP) variables for the next challenge, PASSWORD_VERIFIER
, when you pass USERNAME
and SRP_A
parameters.
USER_PASSWORD_AUTH
: Receive new tokens or the next challenge, for example SOFTWARE_TOKEN_MFA
, when you pass USERNAME
and PASSWORD
parameters.
All flows
The entry point for sign-in with passwords, one-time passwords, and WebAuthN authenticators.
Username-password authentication with the Secure Remote Password (SRP) protocol. For more information, see Use SRP password verification in custom authentication flow.
Provide a valid refresh token and receive new ID and access tokens. For more information, see Using the refresh token.
Custom authentication with Lambda triggers. For more information, see Custom authentication challenge Lambda triggers.
Username-password authentication with the password sent directly in the request. For more information, see Admin authentication flow.
ADMIN_USER_PASSWORD_AUTH
is a flow type of AdminInitiateAuth and isn't valid for InitiateAuth. ADMIN_NO_SRP_AUTH
is a legacy server-side username-password flow and isn't valid for InitiateAuth.
A map of custom key-value pairs that you can provide as input for certain custom workflows that this action triggers.
You create custom workflows by assigning Lambda functions to user pool triggers. When you use the InitiateAuth API action, Amazon Cognito invokes the Lambda functions that are specified for various triggers. The ClientMetadata value is passed as input to the functions for only the following triggers:
Pre signup
Pre authentication
User migration
When Amazon Cognito invokes the functions for these triggers, it passes a JSON payload, which the function receives as input. This payload contains a validationData
attribute, which provides the data that you assigned to the ClientMetadata parameter in your InitiateAuth request. In your function code in Lambda, you can process the validationData
value to enhance your workflow for your specific needs.
When you use the InitiateAuth API action, Amazon Cognito also invokes the functions for the following triggers, but it doesn't provide the ClientMetadata value as input:
Post authentication
Custom message
Pre token generation
Create auth challenge
Define auth challenge
Custom email sender
Custom SMS sender
For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.
When you use the ClientMetadata parameter, remember that Amazon Cognito won't do the following:
Store the ClientMetadata value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ClientMetadata parameter serves no purpose.
Validate the ClientMetadata value.
Encrypt the ClientMetadata value. Don't use Amazon Cognito to provide sensitive information.
A map of custom key-value pairs that you can provide as input for certain custom workflows that this action triggers.
You create custom workflows by assigning Lambda functions to user pool triggers. When you use the InitiateAuth API action, Amazon Cognito invokes the Lambda functions that are specified for various triggers. The ClientMetadata value is passed as input to the functions for only the following triggers:
Pre signup
Pre authentication
User migration
When Amazon Cognito invokes the functions for these triggers, it passes a JSON payload, which the function receives as input. This payload contains a validationData
attribute, which provides the data that you assigned to the ClientMetadata parameter in your InitiateAuth request. In your function code in Lambda, you can process the validationData
value to enhance your workflow for your specific needs.
When you use the InitiateAuth API action, Amazon Cognito also invokes the functions for the following triggers, but it doesn't provide the ClientMetadata value as input:
Post authentication
Custom message
Pre token generation
Create auth challenge
Define auth challenge
Custom email sender
Custom SMS sender
For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.
When you use the ClientMetadata
parameter, note that Amazon Cognito won't do the following:
Store the ClientMetadata
value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ClientMetadata
parameter serves no purpose.
Validate the ClientMetadata
value.
Encrypt the ClientMetadata
value. Don't send sensitive information in this parameter.
Contextual data about your user session, such as the device fingerprint, IP address, or location. Amazon Cognito advanced security evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito when it makes API requests.
" + "documentation":"Contextual data about your user session, such as the device fingerprint, IP address, or location. Amazon Cognito advanced security evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito when it makes API requests.
For more information, see Collecting data for threat protection in applications.
" }, "Session":{ "shape":"SessionType", @@ -6376,7 +6376,7 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID for the user pool.
" + "documentation":"The ID of the user pool.
" }, "Limit":{ "shape":"QueryLimitType", @@ -6453,7 +6453,7 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID for the user pool.
" + "documentation":"The ID of the user pool.
" }, "MaxResults":{ "shape":"ListResourceServersLimitType", @@ -6507,7 +6507,7 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID for the user pool that the users are being imported into.
" + "documentation":"The ID of the user pool that the users are being imported into.
" }, "MaxResults":{ "shape":"PoolQueryLimitType", @@ -6540,7 +6540,7 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID for the user pool where you want to list user pool clients.
" + "documentation":"The ID of the user pool where you want to list user pool clients.
" }, "MaxResults":{ "shape":"QueryLimit", @@ -6605,7 +6605,7 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID for the user pool.
" + "documentation":"The ID of the user pool.
" }, "GroupName":{ "shape":"GroupNameType", @@ -6640,7 +6640,7 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID for the user pool on which the search should be performed.
" + "documentation":"The ID of the user pool on which the search should be performed.
" }, "AttributesToGet":{ "shape":"SearchedAttributeNamesListType", @@ -6829,7 +6829,7 @@ }, "UseCognitoProvidedValues":{ "shape":"BooleanType", - "documentation":"When true, applies the default branding style options. This option reverts to a \"blank\" style that you can modify later in the branding designer.
" + "documentation":"When true, applies the default branding style options. This option reverts to default style options that are managed by Amazon Cognito. You can modify them later in the branding designer.
When you specify true
for this option, you must also omit values for Settings
and Assets
in the request.
A keyed-hash message authentication code (HMAC) calculated using the secret key of a user pool client and username plus the client ID in the message.
" + "documentation":"A keyed-hash message authentication code (HMAC) calculated using the secret key of a user pool client and username plus the client ID in the message. For more information about SecretHash
, see Computing secret hash values.
Contextual data about your user session, such as the device fingerprint, IP address, or location. Amazon Cognito advanced security evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito when it makes API requests.
" + "documentation":"Contextual data about your user session, such as the device fingerprint, IP address, or location. Amazon Cognito advanced security evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito when it makes API requests.
For more information, see Collecting data for threat protection in applications.
" }, "Username":{ "shape":"UsernameType", @@ -7276,7 +7276,7 @@ }, "ClientMetadata":{ "shape":"ClientMetadataType", - "documentation":"A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
You create custom workflows by assigning Lambda functions to user pool triggers. When you use the ResendConfirmationCode API action, Amazon Cognito invokes the function that is assigned to the custom message trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata
attribute, which provides the data that you assigned to the ClientMetadata parameter in your ResendConfirmationCode request. In your function code in Lambda, you can process the clientMetadata
value to enhance your workflow for your specific needs.
For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.
When you use the ClientMetadata parameter, remember that Amazon Cognito won't do the following:
Store the ClientMetadata value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ClientMetadata parameter serves no purpose.
Validate the ClientMetadata value.
Encrypt the ClientMetadata value. Don't use Amazon Cognito to provide sensitive information.
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
You create custom workflows by assigning Lambda functions to user pool triggers. When you use the ResendConfirmationCode API action, Amazon Cognito invokes the function that is assigned to the custom message trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata
attribute, which provides the data that you assigned to the ClientMetadata parameter in your ResendConfirmationCode request. In your function code in Lambda, you can process the clientMetadata
value to enhance your workflow for your specific needs.
For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.
When you use the ClientMetadata
parameter, note that Amazon Cognito won't do the following:
Store the ClientMetadata
value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ClientMetadata
parameter serves no purpose.
Validate the ClientMetadata
value.
Encrypt the ClientMetadata
value. Don't send sensitive information in this parameter.
Represents the request to resend the confirmation code.
" @@ -7409,11 +7409,11 @@ }, "UserContextData":{ "shape":"UserContextDataType", - "documentation":"Contextual data about your user session, such as the device fingerprint, IP address, or location. Amazon Cognito advanced security evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito when it makes API requests.
" + "documentation":"Contextual data about your user session, such as the device fingerprint, IP address, or location. Amazon Cognito advanced security evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito when it makes API requests.
For more information, see Collecting data for threat protection in applications.
" }, "ClientMetadata":{ "shape":"ClientMetadataType", - "documentation":"A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
You create custom workflows by assigning Lambda functions to user pool triggers. When you use the RespondToAuthChallenge API action, Amazon Cognito invokes any functions that are assigned to the following triggers: post authentication, pre token generation, define auth challenge, create auth challenge, and verify auth challenge. When Amazon Cognito invokes any of these functions, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata
attribute, which provides the data that you assigned to the ClientMetadata parameter in your RespondToAuthChallenge request. In your function code in Lambda, you can process the clientMetadata
value to enhance your workflow for your specific needs.
For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.
When you use the ClientMetadata parameter, remember that Amazon Cognito won't do the following:
Store the ClientMetadata value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ClientMetadata parameter serves no purpose.
Validate the ClientMetadata value.
Encrypt the ClientMetadata value. Don't use Amazon Cognito to provide sensitive information.
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
You create custom workflows by assigning Lambda functions to user pool triggers. When you use the RespondToAuthChallenge API action, Amazon Cognito invokes any functions that are assigned to the following triggers: post authentication, pre token generation, define auth challenge, create auth challenge, and verify auth challenge. When Amazon Cognito invokes any of these functions, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata
attribute, which provides the data that you assigned to the ClientMetadata parameter in your RespondToAuthChallenge request. In your function code in Lambda, you can process the clientMetadata
value to enhance your workflow for your specific needs.
For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.
When you use the ClientMetadata
parameter, note that Amazon Cognito won't do the following:
Store the ClientMetadata
value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ClientMetadata
parameter serves no purpose.
Validate the ClientMetadata
value.
Encrypt the ClientMetadata
value. Don't send sensitive information in this parameter.
The request to respond to an authentication challenge.
" @@ -7726,7 +7726,7 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID for the user pool.
" + "documentation":"The ID of the user pool.
" }, "ClientId":{ "shape":"ClientIdType", @@ -7881,7 +7881,7 @@ }, "SecretHash":{ "shape":"SecretHashType", - "documentation":"A keyed-hash message authentication code (HMAC) calculated using the secret key of a user pool client and username plus the client ID in the message.
" + "documentation":"A keyed-hash message authentication code (HMAC) calculated using the secret key of a user pool client and username plus the client ID in the message. For more information about SecretHash
, see Computing secret hash values.
Contextual data about your user session, such as the device fingerprint, IP address, or location. Amazon Cognito advanced security evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito when it makes API requests.
" + "documentation":"Contextual data about your user session, such as the device fingerprint, IP address, or location. Amazon Cognito advanced security evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito when it makes API requests.
For more information, see Collecting data for threat protection in applications.
" }, "ClientMetadata":{ "shape":"ClientMetadataType", - "documentation":"A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
You create custom workflows by assigning Lambda functions to user pool triggers. When you use the SignUp API action, Amazon Cognito invokes any functions that are assigned to the following triggers: pre sign-up, custom message, and post confirmation. When Amazon Cognito invokes any of these functions, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata
attribute, which provides the data that you assigned to the ClientMetadata parameter in your SignUp request. In your function code in Lambda, you can process the clientMetadata
value to enhance your workflow for your specific needs.
For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.
When you use the ClientMetadata parameter, remember that Amazon Cognito won't do the following:
Store the ClientMetadata value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ClientMetadata parameter serves no purpose.
Validate the ClientMetadata value.
Encrypt the ClientMetadata value. Don't use Amazon Cognito to provide sensitive information.
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
You create custom workflows by assigning Lambda functions to user pool triggers. When you use the SignUp API action, Amazon Cognito invokes any functions that are assigned to the following triggers: pre sign-up, custom message, and post confirmation. When Amazon Cognito invokes any of these functions, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata
attribute, which provides the data that you assigned to the ClientMetadata parameter in your SignUp request. In your function code in Lambda, you can process the clientMetadata
value to enhance your workflow for your specific needs.
For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.
When you use the ClientMetadata
parameter, note that Amazon Cognito won't do the following:
Store the ClientMetadata
value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ClientMetadata
parameter serves no purpose.
Validate the ClientMetadata
value.
Encrypt the ClientMetadata
value. Don't send sensitive information in this parameter.
Represents the request to register a user.
" @@ -8038,7 +8038,7 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID for the user pool that the users are being imported into.
" + "documentation":"The ID of the user pool that the users are being imported into.
" }, "JobId":{ "shape":"UserImportJobIdType", @@ -8093,7 +8093,7 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID for the user pool that the users are being imported into.
" + "documentation":"The ID of the user pool that the users are being imported into.
" }, "JobId":{ "shape":"UserImportJobIdType", @@ -8422,7 +8422,7 @@ }, "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID for the user pool.
" + "documentation":"The ID of the user pool.
" }, "Description":{ "shape":"DescriptionType", @@ -8530,7 +8530,7 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID for the user pool.
" + "documentation":"The ID of the user pool.
" }, "Identifier":{ "shape":"ResourceServerIdentifierType", @@ -8573,7 +8573,7 @@ }, "ClientMetadata":{ "shape":"ClientMetadataType", - "documentation":"A map of custom key-value pairs that you can provide as input for any custom workflows that this action initiates.
You create custom workflows by assigning Lambda functions to user pool triggers. When you use the UpdateUserAttributes API action, Amazon Cognito invokes the function that is assigned to the custom message trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata
attribute, which provides the data that you assigned to the ClientMetadata parameter in your UpdateUserAttributes request. In your function code in Lambda, you can process the clientMetadata
value to enhance your workflow for your specific needs.
For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.
When you use the ClientMetadata parameter, remember that Amazon Cognito won't do the following:
Store the ClientMetadata value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ClientMetadata parameter serves no purpose.
Validate the ClientMetadata value.
Encrypt the ClientMetadata value. Don't use Amazon Cognito to provide sensitive information.
A map of custom key-value pairs that you can provide as input for any custom workflows that this action initiates.
You create custom workflows by assigning Lambda functions to user pool triggers. When you use the UpdateUserAttributes API action, Amazon Cognito invokes the function that is assigned to the custom message trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata
attribute, which provides the data that you assigned to the ClientMetadata parameter in your UpdateUserAttributes request. In your function code in Lambda, you can process the clientMetadata
value to enhance your workflow for your specific needs.
For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.
When you use the ClientMetadata
parameter, note that Amazon Cognito won't do the following:
Store the ClientMetadata
value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ClientMetadata
parameter serves no purpose.
Validate the ClientMetadata
value.
Encrypt the ClientMetadata
value. Don't send sensitive information in this parameter.
Represents the request to update user attributes.
" @@ -8597,7 +8597,7 @@ "members":{ "UserPoolId":{ "shape":"UserPoolIdType", - "documentation":"The user pool ID for the user pool where you want to update the user pool client.
" + "documentation":"The ID of the user pool where you want to update the user pool client.
" }, "ClientId":{ "shape":"ClientIdType", @@ -8637,7 +8637,7 @@ }, "SupportedIdentityProviders":{ "shape":"SupportedIdentityProvidersListType", - "documentation":"A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: COGNITO
, Facebook
, Google
, SignInWithApple
, and LoginWithAmazon
. You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example MySAMLIdP
or MyOIDCIdP
.
This setting applies to providers that you can access with the hosted UI and OAuth 2.0 authorization server. The removal of COGNITO
from this list doesn't prevent authentication operations for local users with the user pools API in an Amazon Web Services SDK. The only way to prevent API-based authentication is to block access with a WAF rule.
A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: COGNITO
, Facebook
, Google
, SignInWithApple
, and LoginWithAmazon
. You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example MySAMLIdP
or MyOIDCIdP
.
This setting applies to providers that you can access with managed login. The removal of COGNITO
from this list doesn't prevent authentication operations for local users with the user pools API in an Amazon Web Services SDK. The only way to prevent API-based authentication is to block access with a WAF rule.
The user pool ID for the user pool you want to update.
" + "documentation":"The ID of the user pool you want to update.
" }, "Policies":{ "shape":"UserPoolPolicyType", @@ -9101,7 +9101,7 @@ }, "SupportedIdentityProviders":{ "shape":"SupportedIdentityProvidersListType", - "documentation":"A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: COGNITO
, Facebook
, Google
, SignInWithApple
, and LoginWithAmazon
. You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example MySAMLIdP
or MyOIDCIdP
.
This setting applies to providers that you can access with the hosted UI and OAuth 2.0 authorization server. The removal of COGNITO
from this list doesn't prevent authentication operations for local users with the user pools API in an Amazon Web Services SDK. The only way to prevent API-based authentication is to block access with a WAF rule.
A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: COGNITO
, Facebook
, Google
, SignInWithApple
, and LoginWithAmazon
. You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example MySAMLIdP
or MyOIDCIdP
.
This setting applies to providers that you can access with managed login. The removal of COGNITO
from this list doesn't prevent authentication operations for local users with the user pools API in an Amazon Web Services SDK. The only way to prevent API-based authentication is to block access with a WAF rule.
Sets or displays your user-pool treatment for MFA with a passkey. You can override other MFA options and require passkey MFA, or you can set it as preferred. When passkey MFA is preferred, the hosted UI encourages users to register a passkey at sign-in.
" + "documentation":"When required
, users can only register and sign in users with passkeys that are capable of user verification. When preferred
, your user pool doesn't require the use of authenticators with user verification but encourages it.
Settings for multi-factor authentication (MFA) with passkey, or webauthN, biometric and security-key devices in a user pool. Configures the following:
Configuration at the user-pool level for whether you want to require passkey configuration as an MFA factor, or include it as a choice.
The user pool relying-party ID. This is the user pool domain that user's passkey providers should trust as a receiver of passkey authentication.
The providers that you want to allow as origins for passkey authentication.
This data type is a request parameter of SetUserPoolMfaConfig and a response parameter of GetUserPoolMfaConfig.
" @@ -9725,5 +9725,5 @@ "WrappedBooleanType":{"type":"boolean"}, "WrappedIntegerType":{"type":"integer"} }, - "documentation":"With the Amazon Cognito user pools API, you can configure user pools and authenticate users. To authenticate users from third-party identity providers (IdPs) in this API, you can link IdP users to native user profiles. Learn more about the authentication and authorization of federated users at Adding user pool sign-in through a third party and in the User pool federation endpoints and hosted UI reference.
This API reference provides detailed information about API operations and object types in Amazon Cognito.
Along with resource management operations, the Amazon Cognito user pools API includes classes of operations and authorization models for client-side and server-side authentication of users. You can interact with operations in the Amazon Cognito user pools API as any of the following subjects.
An administrator who wants to configure user pools, app clients, users, groups, or other user pool functions.
A server-side app, like a web application, that wants to use its Amazon Web Services privileges to manage, authenticate, or authorize a user.
A client-side app, like a mobile app, that wants to make unauthenticated requests to manage, authenticate, or authorize a user.
For more information, see Using the Amazon Cognito user pools API and user pool endpoints in the Amazon Cognito Developer Guide.
With your Amazon Web Services SDK, you can build the logic to support operational flows in every use case for this API. You can also make direct REST API requests to Amazon Cognito user pools service endpoints. The following links can get you started with the CognitoIdentityProvider
client in other supported Amazon Web Services SDKs.
To get started with an Amazon Web Services SDK, see Tools to Build on Amazon Web Services. For example actions and scenarios, see Code examples for Amazon Cognito Identity Provider using Amazon Web Services SDKs.
" + "documentation":"With the Amazon Cognito user pools API, you can configure user pools and authenticate users. To authenticate users from third-party identity providers (IdPs) in this API, you can link IdP users to native user profiles. Learn more about the authentication and authorization of federated users at Adding user pool sign-in through a third party and in the User pool federation endpoints and hosted UI reference.
This API reference provides detailed information about API operations and object types in Amazon Cognito.
Along with resource management operations, the Amazon Cognito user pools API includes classes of operations and authorization models for client-side and server-side authentication of users. You can interact with operations in the Amazon Cognito user pools API as any of the following subjects.
An administrator who wants to configure user pools, app clients, users, groups, or other user pool functions.
A server-side app, like a web application, that wants to use its Amazon Web Services privileges to manage, authenticate, or authorize a user.
A client-side app, like a mobile app, that wants to make unauthenticated requests to manage, authenticate, or authorize a user.
For more information, see Using the Amazon Cognito user pools API and user pool endpoints in the Amazon Cognito Developer Guide.
With your Amazon Web Services SDK, you can build the logic to support operational flows in every use case for this API. You can also make direct REST API requests to Amazon Cognito user pools service endpoints. The following links can get you started with the CognitoIdentityProvider
client in other supported Amazon Web Services SDKs.
To get started with an Amazon Web Services SDK, see Tools to Build on Amazon Web Services. For example actions and scenarios, see Code examples for Amazon Cognito Identity Provider using Amazon Web Services SDKs.
" } diff --git a/botocore/data/controlcatalog/2018-05-10/service-2.json b/botocore/data/controlcatalog/2018-05-10/service-2.json index 139fd5ad55..eaf2ab5760 100644 --- a/botocore/data/controlcatalog/2018-05-10/service-2.json +++ b/botocore/data/controlcatalog/2018-05-10/service-2.json @@ -384,7 +384,7 @@ "documentation":"A string that describes a control's implementation type.
" } }, - "documentation":"An object that describes the implementation type for a control.
Our ImplementationDetails
Type
format has three required segments:
SERVICE-PROVIDER::SERVICE-NAME::RESOURCE-NAME
For example, AWS::Config::ConfigRule
or AWS::SecurityHub::SecurityControl
resources have the format with three required segments.
Our ImplementationDetails
Type
format has an optional fourth segment, which is present for applicable implementation types. The format is as follows:
SERVICE-PROVIDER::SERVICE-NAME::RESOURCE-NAME::RESOURCE-TYPE-DESCRIPTION
For example, AWS::Organizations::Policy::SERVICE_CONTROL_POLICY
or AWS::CloudFormation::Type::HOOK
have the format with four segments.
Although the format is similar, the values for the Type
field do not match any Amazon Web Services CloudFormation values, and we do not use CloudFormation to implement these controls.
An object that describes the implementation type for a control.
Our ImplementationDetails
Type
format has three required segments:
SERVICE-PROVIDER::SERVICE-NAME::RESOURCE-NAME
For example, AWS::Config::ConfigRule
or AWS::SecurityHub::SecurityControl
resources have the format with three required segments.
Our ImplementationDetails
Type
format has an optional fourth segment, which is present for applicable implementation types. The format is as follows:
SERVICE-PROVIDER::SERVICE-NAME::RESOURCE-NAME::RESOURCE-TYPE-DESCRIPTION
For example, AWS::Organizations::Policy::SERVICE_CONTROL_POLICY
or AWS::CloudFormation::Type::HOOK
have the format with four segments.
Although the format is similar, the values for the Type
field do not match any Amazon Web Services CloudFormation values.
An optimal parameter that indicates the amount of attempts for the job. If not specified, this value defaults to the attempt of the latest job.
", "location":"querystring", "locationName":"attempt" + }, + "accessSystemProfileLogs":{ + "shape":"Boolean", + "documentation":"Allows access to system profile logs for Lake Formation-enabled jobs. Default is false.
", + "location":"querystring", + "locationName":"accessSystemProfileLogs" } } }, @@ -987,7 +993,7 @@ "type":"string", "max":1024, "min":1, - "pattern":"([a-z0-9]+[a-z0-9-.]*)\\/((?:[a-z0-9]+(?:[._-][a-z0-9]+)*\\/)*[a-z0-9]+(?:[._-][a-z0-9]+)*)(?:\\:([a-zA-Z0-9_][a-zA-Z0-9-._]{0,299})|@(sha256:[0-9a-f]{64}))" + "pattern":"([0-9]{12})\\.dkr\\.ecr\\.([a-z0-9-]+).([a-z0-9._-]+)\\/((?:[a-z0-9]+(?:[-._][a-z0-9]+)*/)*[a-z0-9]+(?:[-._][a-z0-9]+)*)(?::([a-zA-Z0-9_]+[a-zA-Z0-9-._]*)|@(sha256:[0-9a-f]{64}))" }, "InitScriptPath":{ "type":"string", diff --git a/botocore/data/endpoints.json b/botocore/data/endpoints.json index 79bb797e8a..93ffb541d3 100644 --- a/botocore/data/endpoints.json +++ b/botocore/data/endpoints.json @@ -6281,12 +6281,18 @@ }, "ca-central-1" : { "variants" : [ { + "hostname" : "dlm-fips.ca-central-1.api.aws", + "tags" : [ "dualstack", "fips" ] + }, { "hostname" : "dlm.ca-central-1.api.aws", "tags" : [ "dualstack" ] } ] }, "ca-west-1" : { "variants" : [ { + "hostname" : "dlm-fips.ca-west-1.api.aws", + "tags" : [ "dualstack", "fips" ] + }, { "hostname" : "dlm.ca-west-1.api.aws", "tags" : [ "dualstack" ] } ] @@ -6365,24 +6371,36 @@ }, "us-east-1" : { "variants" : [ { + "hostname" : "dlm-fips.us-east-1.api.aws", + "tags" : [ "dualstack", "fips" ] + }, { "hostname" : "dlm.us-east-1.api.aws", "tags" : [ "dualstack" ] } ] }, "us-east-2" : { "variants" : [ { + "hostname" : "dlm-fips.us-east-2.api.aws", + "tags" : [ "dualstack", "fips" ] + }, { "hostname" : "dlm.us-east-2.api.aws", "tags" : [ "dualstack" ] } ] }, "us-west-1" : { "variants" : [ { + "hostname" : "dlm-fips.us-west-1.api.aws", + "tags" : [ "dualstack", "fips" ] + }, { "hostname" : "dlm.us-west-1.api.aws", "tags" : [ "dualstack" ] } ] }, "us-west-2" : { "variants" : [ { + "hostname" : "dlm-fips.us-west-2.api.aws", + "tags" : [ "dualstack", "fips" ] + }, { "hostname" : "dlm.us-west-2.api.aws", "tags" : [ "dualstack" ] } ] 
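Review bot: The new `pattern` leaves the dot between the region group and the domain-suffix group unescaped (`([a-z0-9-]+).([a-z0-9._-]+)`), so any single character is accepted at that position, although the preceding `\\.dkr\\.ecr\\.` separators are escaped. If the intent is to restrict image URIs to ECR registry hostnames, escape it as well: `([a-z0-9-]+)\\.([a-z0-9._-]+)`. The pattern also carries no `^`/`$` anchors (the old one had none either), so whether it constrains the whole value depends on how the consumer applies it, which the hunk does not show. This file looks like a generated service model, so the correction probably belongs in the upstream model; the shape's name and opening lines are outside the hunk.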
@@ -21157,34 +21175,8 @@
 "ap-southeast-3" : { },
 "ap-southeast-4" : { },
 "ap-southeast-5" : { },
- "ca-central-1" : {
- "variants" : [ {
- "hostname" : "streams.dynamodb-fips.ca-central-1.amazonaws.com",
- "tags" : [ "fips" ]
- } ]
- },
- "ca-central-1-fips" : {
- "credentialScope" : {
- "region" : "ca-central-1"
- },
- "deprecated" : true,
- "hostname" : "streams.dynamodb-fips.ca-central-1.amazonaws.com",
- "protocols" : [ "https" ]
- },
- "ca-west-1" : {
- "variants" : [ {
- "hostname" : "streams.dynamodb-fips.ca-west-1.amazonaws.com",
- "tags" : [ "fips" ]
- } ]
- },
- "ca-west-1-fips" : {
- "credentialScope" : {
- "region" : "ca-west-1"
- },
- "deprecated" : true,
- "hostname" : "streams.dynamodb-fips.ca-west-1.amazonaws.com",
- "protocols" : [ "https" ]
- },
+ "ca-central-1" : { },
+ "ca-west-1" : { },
 "eu-central-1" : { },
 "eu-central-2" : { },
 "eu-north-1" : { },
@@ -21204,62 +21196,10 @@
 "me-central-1" : { },
 "me-south-1" : { },
 "sa-east-1" : { },
- "us-east-1" : {
- "variants" : [ {
- "hostname" : "streams.dynamodb-fips.us-east-1.amazonaws.com",
- "tags" : [ "fips" ]
- } ]
- },
- "us-east-1-fips" : {
- "credentialScope" : {
- "region" : "us-east-1"
- },
- "deprecated" : true,
- "hostname" : "streams.dynamodb-fips.us-east-1.amazonaws.com",
- "protocols" : [ "https" ]
- },
- "us-east-2" : {
- "variants" : [ {
- "hostname" : "streams.dynamodb-fips.us-east-2.amazonaws.com",
- "tags" : [ "fips" ]
- } ]
- },
- "us-east-2-fips" : {
- "credentialScope" : {
- "region" : "us-east-2"
- },
- "deprecated" : true,
- "hostname" : "streams.dynamodb-fips.us-east-2.amazonaws.com",
- "protocols" : [ "https" ]
- },
- "us-west-1" : {
- "variants" : [ {
- "hostname" : "streams.dynamodb-fips.us-west-1.amazonaws.com",
- "tags" : [ "fips" ]
- } ]
- },
- "us-west-1-fips" : {
- "credentialScope" : {
- "region" : "us-west-1"
- },
- "deprecated" : true,
- "hostname" : "streams.dynamodb-fips.us-west-1.amazonaws.com",
- "protocols" : [ "https" ]
- },
- "us-west-2" : {
- "variants" : [ {
- "hostname" : "streams.dynamodb-fips.us-west-2.amazonaws.com",
- "tags" : [ "fips" ]
- } ]
- },
- "us-west-2-fips" : {
- "credentialScope" : {
- "region" : "us-west-2"
- },
- "deprecated" : true,
- "hostname" : "streams.dynamodb-fips.us-west-2.amazonaws.com",
- "protocols" : [ "https" ]
- }
+ "us-east-1" : { },
+ "us-east-2" : { },
+ "us-west-1" : { },
+ "us-west-2" : { }
 }
 },
 "sts" : {
@@ -22353,6 +22293,7 @@
 "ap-southeast-1" : { },
 "ap-southeast-2" : { },
 "ap-southeast-3" : { },
+ "ap-southeast-4" : { },
 "ca-central-1" : { },
 "eu-central-1" : { },
 "eu-central-2" : { },
@@ -26638,6 +26579,9 @@
 "endpoints" : {
 "us-gov-east-1" : {
 "variants" : [ {
+ "hostname" : "dlm-fips.us-gov-east-1.api.aws",
+ "tags" : [ "dualstack", "fips" ]
+ }, {
 "hostname" : "dlm.us-gov-east-1.amazonaws.com",
 "tags" : [ "fips" ]
 } ]
@@ -26651,6 +26595,9 @@
 },
 "us-gov-west-1" : {
 "variants" : [ {
+ "hostname" : "dlm-fips.us-gov-west-1.api.aws",
+ "tags" : [ "dualstack", "fips" ]
+ }, {
 "hostname" : "dlm.us-gov-west-1.amazonaws.com",
 "tags" : [ "fips" ]
 } ]
@@ -30040,34 +29987,8 @@
 } ]
 },
 "endpoints" : {
- "us-gov-east-1" : {
- "variants" : [ {
- "hostname" : "streams.dynamodb-fips.us-gov-east-1.amazonaws.com",
- "tags" : [ "fips" ]
- } ]
- },
- "us-gov-east-1-fips" : {
- "credentialScope" : {
- "region" : "us-gov-east-1"
- },
- "deprecated" : true,
- "hostname" : "streams.dynamodb-fips.us-gov-east-1.amazonaws.com",
- "protocols" : [ "https" ]
- },
- "us-gov-west-1" : {
- "variants" : [ {
- "hostname" : "streams.dynamodb-fips.us-gov-west-1.amazonaws.com",
- "tags" : [ "fips" ]
- } ]
- },
- "us-gov-west-1-fips" : {
- "credentialScope" : {
- "region" : "us-gov-west-1"
- },
- "deprecated" : true,
- "hostname" : "streams.dynamodb-fips.us-gov-west-1.amazonaws.com",
- "protocols" : [ "https" ]
- }
+ "us-gov-east-1" : { },
+ "us-gov-west-1" : { }
 }
 },
 "sts" : {
@@ -30780,8 +30701,18 @@
 },
 "dlm" : {
 "endpoints" : {
- "us-iso-east-1" : { },
- "us-iso-west-1" : { }
+ "us-iso-east-1" : {
+ "variants" : [ {
+ "hostname" : "dlm-fips.us-iso-east-1.api.aws.ic.gov",
+ "tags" : [ "dualstack", "fips" ]
+ } ]
+ },
+ "us-iso-west-1" : {
+ "variants" : [ {
+ "hostname" : "dlm-fips.us-iso-west-1.api.aws.ic.gov",
+ "tags" : [ "dualstack", "fips" ]
+ } ]
+ }
 }
 },
 "dms" : {
@@ -31443,34 +31374,8 @@
 }
 },
 "endpoints" : {
- "us-iso-east-1" : {
- "variants" : [ {
- "hostname" : "streams.dynamodb-fips.us-iso-east-1.c2s.ic.gov",
- "tags" : [ "fips" ]
- } ]
- },
- "us-iso-east-1-fips" : {
- "credentialScope" : {
- "region" : "us-iso-east-1"
- },
- "deprecated" : true,
- "hostname" : "streams.dynamodb-fips.us-iso-east-1.c2s.ic.gov",
- "protocols" : [ "https" ]
- },
- "us-iso-west-1" : {
- "variants" : [ {
- "hostname" : "streams.dynamodb-fips.us-iso-west-1.c2s.ic.gov",
- "tags" : [ "fips" ]
- } ]
- },
- "us-iso-west-1-fips" : {
- "credentialScope" : {
- "region" : "us-iso-west-1"
- },
- "deprecated" : true,
- "hostname" : "streams.dynamodb-fips.us-iso-west-1.c2s.ic.gov",
- "protocols" : [ "https" ]
- }
+ "us-iso-east-1" : { },
+ "us-iso-west-1" : { }
 }
 },
 "sts" : {
@@ -31709,7 +31614,12 @@
 },
 "dlm" : {
 "endpoints" : {
- "us-isob-east-1" : { }
+ "us-isob-east-1" : {
+ "variants" : [ {
+ "hostname" : "dlm-fips.us-isob-east-1.api.aws.scloud",
+ "tags" : [ "dualstack", "fips" ]
+ } ]
+ }
 }
 },
 "dms" : {
@@ -32191,20 +32101,7 @@
 "protocols" : [ "http", "https" ]
 },
 "endpoints" : {
- "us-isob-east-1" : {
- "variants" : [ {
- "hostname" : "streams.dynamodb-fips.us-isob-east-1.sc2s.sgov.gov",
- "tags" : [ "fips" ]
- } ]
- },
- "us-isob-east-1-fips" : {
- "credentialScope" : {
- "region" : "us-isob-east-1"
- },
- "deprecated" : true,
- "hostname" : "streams.dynamodb-fips.us-isob-east-1.sc2s.sgov.gov",
- "protocols" : [ "https" ]
- }
+ "us-isob-east-1" : { }
 }
 },
 "sts" : {
diff --git a/botocore/data/mgh/2017-05-31/endpoint-rule-set-1.json b/botocore/data/mgh/2017-05-31/endpoint-rule-set-1.json
index 0881bf26b5..cf2fecfc19 100644
--- a/botocore/data/mgh/2017-05-31/endpoint-rule-set-1.json
+++ b/botocore/data/mgh/2017-05-31/endpoint-rule-set-1.json
@@ -32,38 +32,83 @@ { "conditions": [ { - "fn": "aws.partition", + "fn": "isSet", "argv": [ { - "ref": "Region" + "ref": "Endpoint" } - ], - "assign": "PartitionResult" + ] } ], - "type": "tree", "rules": [ { "conditions": [ { - "fn": "isSet", + "fn": "booleanEquals", "argv": [ { - "ref": "Endpoint" - } + "ref": "UseFIPS" + }, + true ] + } + ], + "error": "Invalid Configuration: FIPS and custom endpoint are not supported", + "type": "error" + }, + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseDualStack" + }, + true + ] + } + ], + "error": "Invalid Configuration: Dualstack and custom endpoint are not supported", + "type": "error" + }, + { + "conditions": [], + "endpoint": { + "url": { + "ref": "Endpoint" }, + "properties": {}, + "headers": {} + }, + "type": "endpoint" + } + ], + "type": "tree" + }, + { + "conditions": [ + { + "fn": "isSet", + "argv": [ { - "fn": "parseURL", + "ref": "Region" + } + ] + } + ], + "rules": [ + { + "conditions": [ + { + "fn": "aws.partition", "argv": [ { - "ref": "Endpoint" + "ref": "Region" } ], - "assign": "url" + "assign": "PartitionResult" } ], - "type": "tree", "rules": [ { "conditions": [ 
@@ -75,158 +120,103 @@ }, true ] + }, + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseDualStack" + }, + true + ] } ], - "error": "Invalid Configuration: FIPS and custom endpoint are not supported", - "type": "error" - }, - { - "conditions": [], - "type": "tree", "rules": [ { "conditions": [ { "fn": "booleanEquals", "argv": [ + true, { - "ref": "UseDualStack" - }, - true + "fn": "getAttr", + "argv": [ + { + "ref": "PartitionResult" + }, + "supportsFIPS" + ] + } + ] + }, + { + "fn": "booleanEquals", + "argv": [ + true, + { + "fn": "getAttr", + "argv": [ + { + "ref": "PartitionResult" + }, + "supportsDualStack" + ] + } ] } ], - "error": "Invalid Configuration: Dualstack and custom endpoint are not supported", - "type": "error" + "rules": [ + { + "conditions": [], + "endpoint": { + "url": "https://mgh-fips.{Region}.{PartitionResult#dualStackDnsSuffix}", + "properties": {}, + "headers": {} + }, + "type": "endpoint" + } + ], + "type": "tree" }, { "conditions": [], - "endpoint": { - "url": { - "ref": "Endpoint" - }, - "properties": {}, - "headers": {} - }, - "type": "endpoint" + "error": "FIPS and DualStack are enabled, but this partition does not support one or both", + "type": "error" } - ] - } - ] - }, - { - "conditions": [ - { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseFIPS" - }, - true - ] + ], + "type": "tree" }, - { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseDualStack" - }, - true - ] - } - ], - "type": "tree", - "rules": [ { "conditions": [ { "fn": "booleanEquals", "argv": [ - true, - { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "supportsFIPS" - ] - } - ] - }, - { - "fn": "booleanEquals", - "argv": [ - true, { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "supportsDualStack" - ] - } + "ref": "UseFIPS" + }, + true ] } ], - "type": "tree", "rules": [ { - "conditions": [], - "endpoint": { - "url": "https://mgh-fips.{Region}.{PartitionResult#dualStackDnsSuffix}", - "properties": {}, - 
"headers": {} - }, - "type": "endpoint" - } - ] - }, - { - "conditions": [], - "error": "FIPS and DualStack are enabled, but this partition does not support one or both", - "type": "error" - } - ] - }, - { - "conditions": [ - { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseFIPS" - }, - true - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "booleanEquals", - "argv": [ - true, + "conditions": [ { - "fn": "getAttr", + "fn": "booleanEquals", "argv": [ { - "ref": "PartitionResult" + "fn": "getAttr", + "argv": [ + { + "ref": "PartitionResult" + }, + "supportsFIPS" + ] }, - "supportsFIPS" + true ] } - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "type": "tree", + ], "rules": [ { "conditions": [], 
@@ -237,79 +227,88 @@ }, "type": "endpoint" } - ] + ], + "type": "tree" + }, + { + "conditions": [], + "error": "FIPS is enabled but this partition does not support FIPS", + "type": "error" } - ] + ], + "type": "tree" }, - { - "conditions": [], - "error": "FIPS is enabled but this partition does not support FIPS", - "type": "error" - } - ] - }, - { - "conditions": [ - { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseDualStack" - }, - true - ] - } - ], - "type": "tree", - "rules": [ { "conditions": [ { "fn": "booleanEquals", "argv": [ - true, { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "supportsDualStack" - ] - } + "ref": "UseDualStack" + }, + true ] } ], - "type": "tree", "rules": [ + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ + true, + { + "fn": "getAttr", + "argv": [ + { + "ref": "PartitionResult" + }, + "supportsDualStack" + ] + } + ] + } + ], + "rules": [ + { + "conditions": [], + "endpoint": { + "url": "https://mgh.{Region}.{PartitionResult#dualStackDnsSuffix}", + "properties": {}, + "headers": {} + }, + "type": "endpoint" + } + ], + "type": "tree" + }, { "conditions": [], - "endpoint": { - "url": "https://mgh.{Region}.{PartitionResult#dualStackDnsSuffix}", - "properties": {}, - "headers": {} - }, - "type": "endpoint" + "error": "DualStack is enabled but this partition does not support DualStack", + "type": "error" } - ] + ], + "type": "tree" }, { "conditions": [], - "error": "DualStack is enabled but this partition does not support DualStack", - "type": "error" + "endpoint": { + "url": "https://mgh.{Region}.{PartitionResult#dnsSuffix}", + "properties": {}, + "headers": {} + }, + "type": "endpoint" } - ] - }, - { - "conditions": [], - "endpoint": { - "url": "https://mgh.{Region}.{PartitionResult#dnsSuffix}", - "properties": {}, - "headers": {} - }, - "type": "endpoint" + ], + "type": "tree" } - ] + ], + "type": "tree" + }, + { + "conditions": [], + "error": "Invalid Configuration: Missing Region", + "type": 
"error" } ] } \ No newline at end of file diff --git a/botocore/data/mgh/2017-05-31/paginators-1.json b/botocore/data/mgh/2017-05-31/paginators-1.json index 97efd0a5a9..db029bfdb1 100644 --- a/botocore/data/mgh/2017-05-31/paginators-1.json +++ b/botocore/data/mgh/2017-05-31/paginators-1.json @@ -29,6 +29,18 @@ "limit_key": "MaxResults", "output_token": "NextToken", "result_key": "ApplicationStateList" + }, + "ListMigrationTaskUpdates": { + "input_token": "NextToken", + "limit_key": "MaxResults", + "output_token": "NextToken", + "result_key": "MigrationTaskUpdateList" + }, + "ListSourceResources": { + "input_token": "NextToken", + "limit_key": "MaxResults", + "output_token": "NextToken", + "result_key": "SourceResourceList" } } } diff --git a/botocore/data/mgh/2017-05-31/service-2.json b/botocore/data/mgh/2017-05-31/service-2.json index ba8a920735..8684b95f5f 100644 --- a/botocore/data/mgh/2017-05-31/service-2.json +++ b/botocore/data/mgh/2017-05-31/service-2.json @@ -5,11 +5,13 @@ "endpointPrefix":"mgh", "jsonVersion":"1.1", "protocol":"json", + "protocols":["json"], "serviceFullName":"AWS Migration Hub", "serviceId":"Migration Hub", "signatureVersion":"v4", "targetPrefix":"AWSMigrationHub", - "uid":"AWSMigrationHub-2017-05-31" + "uid":"AWSMigrationHub-2017-05-31", + "auth":["aws.auth#sigv4"] }, "operations":{ "AssociateCreatedArtifact":{ @@ -55,6 +57,26 @@ ], "documentation":"Associates a discovered resource ID from Application Discovery Service with a migration task.
" }, + "AssociateSourceResource":{ + "name":"AssociateSourceResource", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"AssociateSourceResourceRequest"}, + "output":{"shape":"AssociateSourceResourceResult"}, + "errors":[ + {"shape":"AccessDeniedException"}, + {"shape":"ThrottlingException"}, + {"shape":"InternalServerError"}, + {"shape":"ServiceUnavailableException"}, + {"shape":"DryRunOperation"}, + {"shape":"UnauthorizedOperation"}, + {"shape":"InvalidInputException"}, + {"shape":"ResourceNotFoundException"} + ], + "documentation":"Associates a source resource with a migration task. For example, the source resource can be a source server, an application, or a migration wave.
" + }, "CreateProgressUpdateStream":{ "name":"CreateProgressUpdateStream", "http":{ @@ -177,6 +199,26 @@ ], "documentation":"Disassociate an Application Discovery Service discovered resource from a migration task.
" }, + "DisassociateSourceResource":{ + "name":"DisassociateSourceResource", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"DisassociateSourceResourceRequest"}, + "output":{"shape":"DisassociateSourceResourceResult"}, + "errors":[ + {"shape":"AccessDeniedException"}, + {"shape":"ThrottlingException"}, + {"shape":"InternalServerError"}, + {"shape":"ServiceUnavailableException"}, + {"shape":"DryRunOperation"}, + {"shape":"UnauthorizedOperation"}, + {"shape":"InvalidInputException"}, + {"shape":"ResourceNotFoundException"} + ], + "documentation":"Removes the association between a source resource and a migration task.
" + }, "ImportMigrationTask":{ "name":"ImportMigrationTask", "http":{ @@ -254,6 +296,24 @@ ], "documentation":"Lists discovered resources associated with the given MigrationTask
.
This is a paginated API that returns all the migration-task states for the specified MigrationTaskName
and ProgressUpdateStream
.
Lists progress update streams associated with the user account making this call.
" }, + "ListSourceResources":{ + "name":"ListSourceResources", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"ListSourceResourcesRequest"}, + "output":{"shape":"ListSourceResourcesResult"}, + "errors":[ + {"shape":"AccessDeniedException"}, + {"shape":"ThrottlingException"}, + {"shape":"InternalServerError"}, + {"shape":"ServiceUnavailableException"}, + {"shape":"InvalidInputException"}, + {"shape":"ResourceNotFoundException"} + ], + "documentation":"Lists all the source resource that are associated with the specified MigrationTaskName
and ProgressUpdateStream
.
The name of the progress-update stream, which is used for access control as well as a namespace for migration-task names that is implicitly linked to your AWS account. The progress-update stream must uniquely identify the migration tool as it is used for all updates made by the tool; however, it does not need to be unique for each AWS account because it is scoped to the AWS account.
" + }, + "MigrationTaskName":{ + "shape":"MigrationTaskName", + "documentation":"A unique identifier that references the migration task. Do not include sensitive data in this field.
" + }, + "SourceResource":{ + "shape":"SourceResource", + "documentation":"The source resource that you want to associate.
" + }, + "DryRun":{ + "shape":"DryRun", + "documentation":"This is an optional parameter that you can use to test whether the call will succeed. Set this parameter to true
to verify that you have the permissions that are required to make the call, and that you have specified the other parameters in the call correctly.
The name of the progress-update stream, which is used for access control as well as a namespace for migration-task names that is implicitly linked to your AWS account. The progress-update stream must uniquely identify the migration tool as it is used for all updates made by the tool; however, it does not need to be unique for each AWS account because it is scoped to the AWS account.
" + }, + "MigrationTaskName":{ + "shape":"MigrationTaskName", + "documentation":"A unique identifier that references the migration task. Do not include sensitive data in this field.
" + }, + "SourceResourceName":{ + "shape":"SourceResourceName", + "documentation":"The name that was specified for the source resource.
" + }, + "DryRun":{ + "shape":"DryRun", + "documentation":"This is an optional parameter that you can use to test whether the call will succeed. Set this parameter to true
to verify that you have the permissions that are required to make the call, and that you have specified the other parameters in the call correctly.
The name of the progress-update stream, which is used for access control as well as a namespace for migration-task names that is implicitly linked to your AWS account. The progress-update stream must uniquely identify the migration tool as it is used for all updates made by the tool; however, it does not need to be unique for each AWS account because it is scoped to the AWS account.
" + }, + "MigrationTaskName":{ + "shape":"MigrationTaskName", + "documentation":"A unique identifier that references the migration task. Do not include sensitive data in this field.
" + }, + "NextToken":{ + "shape":"Token", + "documentation":"If NextToken
was returned by a previous call, there are more results available. The value of NextToken
is a unique pagination token for each page. To retrieve the next page of results, specify the NextToken
value that the previous call returned. Keep all other arguments unchanged. Each pagination token expires after 24 hours. Using an expired pagination token will return an HTTP 400 InvalidToken error.
The maximum number of results to include in the response. If more results exist than the value that you specify here for MaxResults
, the response will include a token that you can use to retrieve the next set of results.
If the response includes a NextToken
value, that means that there are more results available. The value of NextToken
is a unique pagination token for each page. To retrieve the next page of results, call this API again and specify this NextToken
value in the request. Keep all other arguments unchanged. Each pagination token expires after 24 hours. Using an expired pagination token will return an HTTP 400 InvalidToken error.
The list of migration-task updates.
" + } + } + }, "ListMigrationTasksRequest":{ "type":"structure", "members":{ @@ -912,6 +1090,44 @@ } } }, + "ListSourceResourcesRequest":{ + "type":"structure", + "required":[ + "ProgressUpdateStream", + "MigrationTaskName" + ], + "members":{ + "ProgressUpdateStream":{ + "shape":"ProgressUpdateStream", + "documentation":"The name of the progress-update stream, which is used for access control as well as a namespace for migration-task names that is implicitly linked to your AWS account. The progress-update stream must uniquely identify the migration tool as it is used for all updates made by the tool; however, it does not need to be unique for each AWS account because it is scoped to the AWS account.
" + }, + "MigrationTaskName":{ + "shape":"MigrationTaskName", + "documentation":"A unique identifier that references the migration task. Do not store confidential data in this field.
" + }, + "NextToken":{ + "shape":"Token", + "documentation":"If NextToken
was returned by a previous call, there are more results available. The value of NextToken
is a unique pagination token for each page. To retrieve the next page of results, specify the NextToken
value that the previous call returned. Keep all other arguments unchanged. Each pagination token expires after 24 hours. Using an expired pagination token will return an HTTP 400 InvalidToken error.
The maximum number of results to include in the response. If more results exist than the value that you specify here for MaxResults
, the response will include a token that you can use to retrieve the next set of results.
If the response includes a NextToken
value, that means that there are more results available. The value of NextToken
is a unique pagination token for each page. To retrieve the next page of results, call this API again and specify this NextToken
value in the request. Keep all other arguments unchanged. Each pagination token expires after 24 hours. Using an expired pagination token will return an HTTP 400 InvalidToken error.
The list of source resources.
" + } + } + }, "MaxResults":{ "type":"integer", "box":true, @@ -930,6 +1146,12 @@ "max":10, "min":1 }, + "MaxResultsSourceResources":{ + "type":"integer", + "box":true, + "max":10, + "min":1 + }, "MigrationTask":{ "type":"structure", "members":{ @@ -996,6 +1218,25 @@ "type":"list", "member":{"shape":"MigrationTaskSummary"} }, + "MigrationTaskUpdate":{ + "type":"structure", + "members":{ + "UpdateDateTime":{ + "shape":"UpdateDateTime", + "documentation":"The timestamp for the update.
" + }, + "UpdateType":{ + "shape":"UpdateType", + "documentation":"The type of the update.
" + }, + "MigrationTaskState":{"shape":"Task"} + }, + "documentation":"A migration-task progress update.
" + }, + "MigrationTaskUpdateList":{ + "type":"list", + "member":{"shape":"MigrationTaskUpdate"} + }, "NextUpdateSeconds":{ "type":"integer", "min":0 @@ -1205,6 +1446,40 @@ "exception":true, "fault":true }, + "SourceResource":{ + "type":"structure", + "required":["Name"], + "members":{ + "Name":{ + "shape":"SourceResourceName", + "documentation":"This is the name that you want to use to identify the resource. If the resource is an AWS resource, we recommend that you set this parameter to the ARN of the resource.
" + }, + "Description":{ + "shape":"SourceResourceDescription", + "documentation":"A description that can be free-form text to record additional detail about the resource for clarity or later reference.
" + }, + "StatusDetail":{ + "shape":"StatusDetail", + "documentation":"A free-form description of the status of the resource.
" + } + }, + "documentation":"A source resource can be a source server, a migration wave, an application, or any other resource that you track.
" + }, + "SourceResourceDescription":{ + "type":"string", + "max":500, + "min":0, + "pattern":"^.{0,500}$" + }, + "SourceResourceList":{ + "type":"list", + "member":{"shape":"SourceResource"} + }, + "SourceResourceName":{ + "type":"string", + "max":1600, + "min":1 + }, "Status":{ "type":"string", "enum":[ @@ -1216,9 +1491,9 @@ }, "StatusDetail":{ "type":"string", - "max":500, + "max":2500, "min":0, - "pattern":"^.{0,500}$" + "pattern":"^.{0,2500}$" }, "Task":{ "type":"structure", @@ -1269,7 +1544,11 @@ "documentation":"Exception raised to indicate a request was not authorized when the DryRun
flag is set to \"true\".
The AWS Migration Hub API methods help to obtain server and application migration status and integrate your resource-specific migration tool by providing a programmatic interface to Migration Hub.
Remember that you must set your AWS Migration Hub home region before you call any of these APIs, or a HomeRegionNotSetException
error will be returned. Also, you must make the API calls while in your home region.
Creates an import job for a data destination.
" }, + "CreateMultiRegionEndpoint":{ + "name":"CreateMultiRegionEndpoint", + "http":{ + "method":"POST", + "requestUri":"/v2/email/multi-region-endpoints" + }, + "input":{"shape":"CreateMultiRegionEndpointRequest"}, + "output":{"shape":"CreateMultiRegionEndpointResponse"}, + "errors":[ + {"shape":"LimitExceededException"}, + {"shape":"TooManyRequestsException"}, + {"shape":"AlreadyExistsException"}, + {"shape":"BadRequestException"} + ], + "documentation":"Creates a multi-region endpoint (global-endpoint).
The primary region is going to be the AWS-Region where the operation is executed. The secondary region has to be provided in request's parameters. From the data flow standpoint there is no difference between primary and secondary regions - sending traffic will be split equally between the two. The primary region is the region where the resource has been created and where it can be managed.
" + }, "DeleteConfigurationSet":{ "name":"DeleteConfigurationSet", "http":{ @@ -389,6 +405,22 @@ ], "documentation":"Deletes an email template.
You can execute this operation no more than once per second.
" }, + "DeleteMultiRegionEndpoint":{ + "name":"DeleteMultiRegionEndpoint", + "http":{ + "method":"DELETE", + "requestUri":"/v2/email/multi-region-endpoints/{EndpointName}" + }, + "input":{"shape":"DeleteMultiRegionEndpointRequest"}, + "output":{"shape":"DeleteMultiRegionEndpointResponse"}, + "errors":[ + {"shape":"NotFoundException"}, + {"shape":"TooManyRequestsException"}, + {"shape":"BadRequestException"}, + {"shape":"ConcurrentModificationException"} + ], + "documentation":"Deletes a multi-region endpoint (global-endpoint).
Only multi-region endpoints (global-endpoints) whose primary region is the AWS-Region where operation is executed can be deleted.
" + }, "DeleteSuppressedDestination":{ "name":"DeleteSuppressedDestination", "http":{ @@ -703,6 +735,21 @@ ], "documentation":"Provides information about a specific message, including the from address, the subject, the recipient address, email tags, as well as events associated with the message.
You can execute this operation no more than once per second.
" }, + "GetMultiRegionEndpoint":{ + "name":"GetMultiRegionEndpoint", + "http":{ + "method":"GET", + "requestUri":"/v2/email/multi-region-endpoints/{EndpointName}" + }, + "input":{"shape":"GetMultiRegionEndpointRequest"}, + "output":{"shape":"GetMultiRegionEndpointResponse"}, + "errors":[ + {"shape":"NotFoundException"}, + {"shape":"TooManyRequestsException"}, + {"shape":"BadRequestException"} + ], + "documentation":"Displays the multi-region endpoint (global-endpoint) configuration.
Only multi-region endpoints (global-endpoints) whose primary region is the AWS-Region where operation is executed can be displayed.
" + }, "GetSuppressedDestination":{ "name":"GetSuppressedDestination", "http":{ @@ -875,6 +922,20 @@ ], "documentation":"Lists all of the import jobs.
" }, + "ListMultiRegionEndpoints":{ + "name":"ListMultiRegionEndpoints", + "http":{ + "method":"GET", + "requestUri":"/v2/email/multi-region-endpoints" + }, + "input":{"shape":"ListMultiRegionEndpointsRequest"}, + "output":{"shape":"ListMultiRegionEndpointsResponse"}, + "errors":[ + {"shape":"TooManyRequestsException"}, + {"shape":"BadRequestException"} + ], + "documentation":"List the multi-region endpoints (global-endpoints).
Only multi-region endpoints (global-endpoints) whose primary region is the AWS-Region where operation is executed will be listed.
" + }, "ListRecommendations":{ "name":"ListRecommendations", "http":{ @@ -2333,6 +2394,42 @@ }, "documentation":"An HTTP 200 response if the request succeeds, or an error message if the request fails.
" }, + "CreateMultiRegionEndpointRequest":{ + "type":"structure", + "required":[ + "EndpointName", + "Details" + ], + "members":{ + "EndpointName":{ + "shape":"EndpointName", + "documentation":"The name of the multi-region endpoint (global-endpoint).
" + }, + "Details":{ + "shape":"Details", + "documentation":"Contains details of a multi-region endpoint (global-endpoint) being created.
" + }, + "Tags":{ + "shape":"TagList", + "documentation":"An array of objects that define the tags (keys and values) to associate with the multi-region endpoint (global-endpoint).
" + } + }, + "documentation":"Represents a request to create a multi-region endpoint (global-endpoint).
" + }, + "CreateMultiRegionEndpointResponse":{ + "type":"structure", + "members":{ + "Status":{ + "shape":"Status", + "documentation":"A status of the multi-region endpoint (global-endpoint) right after the create request.
CREATING
– The resource is being provisioned.
READY
– The resource is ready to use.
FAILED
– The resource failed to be provisioned.
DELETING
– The resource is being deleted as requested.
The ID of the multi-region endpoint (global-endpoint).
" + } + }, + "documentation":"An HTTP 200 response if the request succeeds, or an error message if the request fails.
" + }, "CustomRedirectDomain":{ "type":"string", "documentation":"The domain to use for tracking open and click events.
" @@ -2666,6 +2763,29 @@ }, "documentation":"If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.
" }, + "DeleteMultiRegionEndpointRequest":{ + "type":"structure", + "required":["EndpointName"], + "members":{ + "EndpointName":{ + "shape":"EndpointName", + "documentation":"The name of the multi-region endpoint (global-endpoint) to be deleted.
", + "location":"uri", + "locationName":"EndpointName" + } + }, + "documentation":"Represents a request to delete a multi-region endpoint (global-endpoint).
" + }, + "DeleteMultiRegionEndpointResponse":{ + "type":"structure", + "members":{ + "Status":{ + "shape":"Status", + "documentation":"A status of the multi-region endpoint (global-endpoint) right after the delete request.
CREATING
– The resource is being provisioned.
READY
– The resource is ready to use.
FAILED
– The resource failed to be provisioned.
DELETING
– The resource is being deleted as requested.
An HTTP 200 response if the request succeeds, or an error message if the request fails.
" + }, "DeleteSuppressedDestinationRequest":{ "type":"structure", "required":["EmailAddress"], @@ -2789,6 +2909,17 @@ }, "documentation":"An object that describes the recipients for an email.
Amazon SES does not support the SMTPUTF8 extension, as described in RFC6531. For this reason, the local part of a destination email address (the part of the email address that precedes the @ sign) may only contain 7-bit ASCII characters. If the domain part of an address (the part after the @ sign) contains non-ASCII characters, they must be encoded using Punycode, as described in RFC3492.
A list of route configuration details. Must contain exactly one route configuration.
" + } + }, + "documentation":"An object that contains configuration details of multi-region endpoint (global-endpoint).
" + }, "DiagnosticCode":{"type":"string"}, "DimensionName":{ "type":"string", @@ -3162,6 +3293,17 @@ }, "Enabled":{"type":"boolean"}, "EnabledWrapper":{"type":"boolean"}, + "EndpointId":{ + "type":"string", + "documentation":"The ID of the multi-region endpoint (global-endpoint).
" + }, + "EndpointName":{ + "type":"string", + "documentation":"The name of the multi-region endpoint (global-endpoint).
", + "max":64, + "min":1, + "pattern":"^[\\w\\-_]+$" + }, "EngagementEventType":{ "type":"string", "documentation":"The type of delivery events:
OPEN
- Open event for emails including open trackers. Excludes opens for emails addressed to more than one recipient.
CLICK
- Click event for emails including wrapped links. Excludes clicks for emails addressed to more than one recipient.
Information about a message.
" }, + "GetMultiRegionEndpointRequest":{ + "type":"structure", + "required":["EndpointName"], + "members":{ + "EndpointName":{ + "shape":"EndpointName", + "documentation":"The name of the multi-region endpoint (global-endpoint).
", + "location":"uri", + "locationName":"EndpointName" + } + }, + "documentation":"Represents a request to display the multi-region endpoint (global-endpoint).
" + }, + "GetMultiRegionEndpointResponse":{ + "type":"structure", + "members":{ + "EndpointName":{ + "shape":"EndpointName", + "documentation":"The name of the multi-region endpoint (global-endpoint).
" + }, + "EndpointId":{ + "shape":"EndpointId", + "documentation":"The ID of the multi-region endpoint (global-endpoint).
" + }, + "Routes":{ + "shape":"Routes", + "documentation":"Contains routes information for the multi-region endpoint (global-endpoint).
" + }, + "Status":{ + "shape":"Status", + "documentation":"The status of the multi-region endpoint (global-endpoint).
CREATING
– The resource is being provisioned.
READY
– The resource is ready to use.
FAILED
– The resource failed to be provisioned.
DELETING
– The resource is being deleted as requested.
The time stamp of when the multi-region endpoint (global-endpoint) was created.
" + }, + "LastUpdatedTimestamp":{ + "shape":"Timestamp", + "documentation":"The time stamp of when the multi-region endpoint (global-endpoint) was last updated.
" + } + }, + "documentation":"An HTTP 200 response if the request succeeds, or an error message if the request fails.
" + }, "GetSuppressedDestinationRequest":{ "type":"structure", "required":["EmailAddress"], @@ -4942,6 +5127,38 @@ }, "documentation":"An object used to specify a list or topic to which an email belongs, which will be used when a contact chooses to unsubscribe.
" }, + "ListMultiRegionEndpointsRequest":{ + "type":"structure", + "members":{ + "NextToken":{ + "shape":"NextTokenV2", + "documentation":"A token returned from a previous call to ListMultiRegionEndpoints
to indicate the position in the list of multi-region endpoints (global-endpoints).
The number of results to show in a single call to ListMultiRegionEndpoints
. If the number of results is larger than the number you specified in this parameter, the response includes a NextToken
element that you can use to retrieve the next page of results.
Represents a request to list all the multi-region endpoints (global-endpoints) whose primary region is the AWS-Region where operation is executed.
" + }, + "ListMultiRegionEndpointsResponse":{ + "type":"structure", + "members":{ + "MultiRegionEndpoints":{ + "shape":"MultiRegionEndpoints", + "documentation":"An array that contains key multi-region endpoint (global-endpoint) properties.
" + }, + "NextToken":{ + "shape":"NextTokenV2", + "documentation":"A token indicating that there are additional multi-region endpoints (global-endpoints) available to be listed. Pass this token to a subsequent ListMultiRegionEndpoints
call to retrieve the next page.
The following elements are returned by the service.
" + }, "ListOfContactLists":{ "type":"list", "member":{"shape":"ContactList"} @@ -5434,7 +5651,47 @@ }, "documentation":"An object that contains details about the data source for the metrics export.
" }, + "MultiRegionEndpoint":{ + "type":"structure", + "members":{ + "EndpointName":{ + "shape":"EndpointName", + "documentation":"The name of the multi-region endpoint (global-endpoint).
" + }, + "Status":{ + "shape":"Status", + "documentation":"The status of the multi-region endpoint (global-endpoint).
CREATING
– The resource is being provisioned.
READY
– The resource is ready to use.
FAILED
– The resource failed to be provisioned.
DELETING
– The resource is being deleted as requested.
The ID of the multi-region endpoint (global-endpoint).
" + }, + "Regions":{ + "shape":"Regions", + "documentation":"Primary and secondary regions between which multi-region endpoint splits sending traffic.
" + }, + "CreatedTimestamp":{ + "shape":"Timestamp", + "documentation":"The time stamp of when the multi-region endpoint (global-endpoint) was created.
" + }, + "LastUpdatedTimestamp":{ + "shape":"Timestamp", + "documentation":"The time stamp of when the multi-region endpoint (global-endpoint) was last updated.
" + } + }, + "documentation":"An object that contains multi-region endpoint (global-endpoint) properties.
" + }, + "MultiRegionEndpoints":{ + "type":"list", + "member":{"shape":"MultiRegionEndpoint"} + }, "NextToken":{"type":"string"}, + "NextTokenV2":{ + "type":"string", + "max":5000, + "min":1, + "pattern":"^^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, "NotFoundException":{ "type":"structure", "members":{ @@ -5462,6 +5719,11 @@ }, "documentation":"An object that contains information about email that was sent from the selected domain.
" }, + "PageSizeV2":{ + "type":"integer", + "max":1000, + "min":1 + }, "Percentage":{ "type":"double", "documentation":"An object that contains information about inbox placement percentages.
" @@ -6135,6 +6397,14 @@ "type":"list", "member":{"shape":"Recommendation"} }, + "Region":{ + "type":"string", + "documentation":"The name of an AWS-Region.
" + }, + "Regions":{ + "type":"list", + "member":{"shape":"Region"} + }, "RenderedEmailTemplate":{ "type":"string", "documentation":"The complete MIME message rendered by applying the data in the TemplateData parameter to the template specified in the TemplateName parameter.
" @@ -6204,6 +6474,38 @@ "DENIED" ] }, + "Route":{ + "type":"structure", + "required":["Region"], + "members":{ + "Region":{ + "shape":"Region", + "documentation":"The name of an AWS-Region.
" + } + }, + "documentation":"An object which contains an AWS-Region and routing status.
" + }, + "RouteDetails":{ + "type":"structure", + "required":["Region"], + "members":{ + "Region":{ + "shape":"Region", + "documentation":"The name of an AWS-Region to be a secondary region for the multi-region endpoint (global-endpoint).
" + } + }, + "documentation":"An object that contains route configuration. Includes secondary region name.
" + }, + "Routes":{ + "type":"list", + "member":{"shape":"Route"}, + "documentation":"A list of routes between which the traffic will be split when sending through the multi-region endpoint (global-endpoint).
" + }, + "RoutesDetails":{ + "type":"list", + "member":{"shape":"RouteDetails"}, + "documentation":"A list of route configuration details. Must contain exactly one route configuration.
" + }, "S3Url":{ "type":"string", "documentation":"An Amazon S3 URL in the format s3://<bucket_name>/<object> or a pre-signed URL.
", @@ -6282,6 +6584,11 @@ "ConfigurationSetName":{ "shape":"ConfigurationSetName", "documentation":"The name of the configuration set to use when sending the email.
" + }, + "EndpointId":{ + "shape":"EndpointId", + "documentation":"The ID of the multi-region endpoint (global-endpoint).
", + "contextParam":{"name":"EndpointId"} } }, "documentation":"Represents a request to send email messages to multiple destinations using Amazon SES. For more information, see the Amazon SES Developer Guide.
" @@ -6369,6 +6676,11 @@ "shape":"ConfigurationSetName", "documentation":"The name of the configuration set to use when sending the email.
" }, + "EndpointId":{ + "shape":"EndpointId", + "documentation":"The ID of the multi-region endpoint (global-endpoint).
", + "contextParam":{"name":"EndpointId"} + }, "ListManagementOptions":{ "shape":"ListManagementOptions", "documentation":"An object used to specify a list or topic to which an email belongs, which will be used when a contact chooses to unsubscribe.
" @@ -6439,6 +6751,16 @@ }, "documentation":"An object that defines an Amazon SNS destination for email events. You can use Amazon SNS to send notifications when certain email events occur.
" }, + "Status":{ + "type":"string", + "documentation":"The status of the multi-region endpoint (global-endpoint).
CREATING
– The resource is being provisioned.
READY
– The resource is ready to use.
FAILED
– The resource failed to be provisioned.
DELETING
– The resource is being deleted as requested.
Tags are composed of a Key/Value pairs. You can use tags to categorize and track your Timestream for InfluxDB resources.
", @@ -275,7 +276,7 @@ }, "password":{ "shape":"Password", - "documentation":"The password of the initial admin user created in InfluxDB. This password will allow you to access the InfluxDB UI to perform various administrative tasks and also use the InfluxDB CLI to create an operator token. These attributes will be stored in a Secret created in AWS SecretManager in your account.
" + "documentation":"The password of the initial admin user created in InfluxDB. This password will allow you to access the InfluxDB UI to perform various administrative tasks and also use the InfluxDB CLI to create an operator token. These attributes will be stored in a Secret created in Amazon Web Services SecretManager in your account.
" }, "organization":{ "shape":"Organization", @@ -328,6 +329,10 @@ "port":{ "shape":"Port", "documentation":"The port number on which InfluxDB accepts connections.
Valid Values: 1024-65535
Default: 8086
Constraints: The value can't be 2375-2376, 7788-7799, 8090, or 51678-51680
" + }, + "networkType":{ + "shape":"NetworkType", + "documentation":"Specifies whether the networkType of the Timestream for InfluxDB instance is IPV4, which can communicate over IPv4 protocol only, or DUAL, which can communicate over both IPv4 and IPv6 protocols.
" } } }, @@ -364,6 +369,10 @@ "shape":"Port", "documentation":"The port number on which InfluxDB accepts connections. The default value is 8086.
" }, + "networkType":{ + "shape":"NetworkType", + "documentation":"Specifies whether the networkType of the Timestream for InfluxDB instance is IPV4, which can communicate over IPv4 protocol only, or DUAL, which can communicate over both IPv4 and IPv6 protocols.
" + }, "dbInstanceType":{ "shape":"DbInstanceType", "documentation":"The Timestream for InfluxDB instance type that InfluxDB runs on.
" @@ -410,7 +419,7 @@ }, "influxAuthParametersSecretArn":{ "shape":"String", - "documentation":"The Amazon Resource Name (ARN) of the AWS Secrets Manager secret containing the initial InfluxDB authorization parameters. The secret value is a JSON formatted key-value pair holding InfluxDB authorization values: organization, bucket, username, and password.
" + "documentation":"The Amazon Resource Name (ARN) of the Amazon Web Services Secrets Manager secret containing the initial InfluxDB authorization parameters. The secret value is a JSON formatted key-value pair holding InfluxDB authorization values: organization, bucket, username, and password.
" } } }, @@ -503,7 +512,7 @@ }, "name":{ "shape":"DbInstanceName", - "documentation":"This customer-supplied name uniquely identifies the DB instance when interacting with the Amazon Timestream for InfluxDB API and AWS CLI commands.
" + "documentation":"This customer-supplied name uniquely identifies the DB instance when interacting with the Amazon Timestream for InfluxDB API and Amazon Web Services CLI commands.
" }, "arn":{ "shape":"Arn", @@ -521,6 +530,10 @@ "shape":"Port", "documentation":"The port number on which InfluxDB accepts connections.
" }, + "networkType":{ + "shape":"NetworkType", + "documentation":"Specifies whether the networkType of the Timestream for InfluxDB instance is IPV4, which can communicate over IPv4 protocol only, or DUAL, which can communicate over both IPv4 and IPv6 protocols.
" + }, "dbInstanceType":{ "shape":"DbInstanceType", "documentation":"The Timestream for InfluxDB instance type to run InfluxDB on.
" @@ -657,6 +670,10 @@ "shape":"Port", "documentation":"The port number on which InfluxDB accepts connections.
" }, + "networkType":{ + "shape":"NetworkType", + "documentation":"Specifies whether the networkType of the Timestream for InfluxDB instance is IPV4, which can communicate over IPv4 protocol only, or DUAL, which can communicate over both IPv4 and IPv6 protocols.
" + }, "dbInstanceType":{ "shape":"DbInstanceType", "documentation":"The Timestream for InfluxDB instance type that InfluxDB runs on.
" @@ -703,7 +720,7 @@ }, "influxAuthParametersSecretArn":{ "shape":"String", - "documentation":"The Amazon Resource Name (ARN) of the AWS Secrets Manager secret containing the initial InfluxDB authorization parameters. The secret value is a JSON formatted key-value pair holding InfluxDB authorization values: organization, bucket, username, and password.
" + "documentation":"The Amazon Resource Name (ARN) of the Amazon Web Services Secrets Manager secret containing the initial InfluxDB authorization parameters. The secret value is a JSON formatted key-value pair holding InfluxDB authorization values: organization, bucket, username, and password.
" } } }, @@ -789,6 +806,10 @@ "shape":"Port", "documentation":"The port number on which InfluxDB accepts connections.
" }, + "networkType":{ + "shape":"NetworkType", + "documentation":"Specifies whether the networkType of the Timestream for InfluxDB instance is IPV4, which can communicate over IPv4 protocol only, or DUAL, which can communicate over both IPv4 and IPv6 protocols.
" + }, "dbInstanceType":{ "shape":"DbInstanceType", "documentation":"The Timestream for InfluxDB instance type that InfluxDB runs on.
" @@ -835,7 +856,7 @@ }, "influxAuthParametersSecretArn":{ "shape":"String", - "documentation":"The Amazon Resource Name (ARN) of the AWS Secrets Manager secret containing the initial InfluxDB authorization parameters. The secret value is a JSON formatted key-value pair holding InfluxDB authorization values: organization, bucket, username, and password.
" + "documentation":"The Amazon Resource Name (ARN) of the Amazon Web Services Secrets Manager secret containing the initial InfluxDB authorization parameters. The secret value is a JSON formatted key-value pair holding InfluxDB authorization values: organization, bucket, username, and password.
" } } }, @@ -1236,6 +1257,13 @@ "max":100, "min":1 }, + "NetworkType":{ + "type":"string", + "enum":[ + "IPV4", + "DUAL" + ] + }, "NextToken":{ "type":"string", "min":1 @@ -1468,7 +1496,7 @@ }, "name":{ "shape":"DbInstanceName", - "documentation":"This customer-supplied name uniquely identifies the DB instance when interacting with the Amazon Timestream for InfluxDB API and AWS CLI commands.
" + "documentation":"This customer-supplied name uniquely identifies the DB instance when interacting with the Amazon Timestream for InfluxDB API and Amazon Web Services CLI commands.
" }, "arn":{ "shape":"Arn", @@ -1486,6 +1514,10 @@ "shape":"Port", "documentation":"The port number on which InfluxDB accepts connections.
" }, + "networkType":{ + "shape":"NetworkType", + "documentation":"Specifies whether the networkType of the Timestream for InfluxDB instance is IPV4, which can communicate over IPv4 protocol only, or DUAL, which can communicate over both IPv4 and IPv6 protocols.
" + }, "dbInstanceType":{ "shape":"DbInstanceType", "documentation":"The Timestream for InfluxDB instance type that InfluxDB runs on.
" @@ -1532,7 +1564,7 @@ }, "influxAuthParametersSecretArn":{ "shape":"String", - "documentation":"The Amazon Resource Name (ARN) of the AWS Secrets Manager secret containing the initial InfluxDB authorization parameters. The secret value is a JSON formatted key-value pair holding InfluxDB authorization values: organization, bucket, username, and password.
" + "documentation":"The Amazon Resource Name (ARN) of the Amazon Web Services Secrets Manager secret containing the initial InfluxDB authorization parameters. The secret value is a JSON formatted key-value pair holding InfluxDB authorization values: organization, bucket, username, and password.
" } } }, @@ -1590,5 +1622,5 @@ "min":1 } }, - "documentation":"Amazon Timestream for InfluxDB is a managed time-series database engine that makes it easy for application developers and DevOps teams to run InfluxDB databases on AWS for near real-time time-series applications using open-source APIs. With Amazon Timestream for InfluxDB, it is easy to set up, operate, and scale time-series workloads that can answer queries with single-digit millisecond query response time.
" + "documentation":"Amazon Timestream for InfluxDB is a managed time-series database engine that makes it easy for application developers and DevOps teams to run InfluxDB databases on Amazon Web Services for near real-time time-series applications using open-source APIs. With Amazon Timestream for InfluxDB, it is easy to set up, operate, and scale time-series workloads that can answer queries with single-digit millisecond query response time.
" } diff --git a/docs/source/conf.py b/docs/source/conf.py index db4163b31b..827a4de42f 100644 --- a/docs/source/conf.py +++ b/docs/source/conf.py @@ -59,7 +59,7 @@ # The short X.Y version. version = '1.35.' # The full version, including alpha/beta/rc tags. -release = '1.35.78' +release = '1.35.79' # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages. diff --git a/tests/functional/endpoint-rules/mgh/endpoint-tests-1.json b/tests/functional/endpoint-rules/mgh/endpoint-tests-1.json index c99eb4af56..3f01197299 100644 --- a/tests/functional/endpoint-rules/mgh/endpoint-tests-1.json +++ b/tests/functional/endpoint-rules/mgh/endpoint-tests-1.json @@ -1,42 +1,29 @@ { "testCases": [ { - "documentation": "For region eu-central-1 with FIPS enabled and DualStack enabled", - "expect": { - "endpoint": { - "url": "https://mgh-fips.eu-central-1.api.aws" - } - }, - "params": { - "Region": "eu-central-1", - "UseDualStack": true, - "UseFIPS": true - } - }, - { - "documentation": "For region eu-central-1 with FIPS enabled and DualStack disabled", + "documentation": "For region ap-northeast-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://mgh-fips.eu-central-1.amazonaws.com" + "url": "https://mgh.ap-northeast-1.amazonaws.com" } }, "params": { - "Region": "eu-central-1", - "UseDualStack": false, - "UseFIPS": true + "Region": "ap-northeast-1", + "UseFIPS": false, + "UseDualStack": false } }, { - "documentation": "For region eu-central-1 with FIPS disabled and DualStack enabled", + "documentation": "For region ap-southeast-2 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://mgh.eu-central-1.api.aws" + "url": "https://mgh.ap-southeast-2.amazonaws.com" } }, "params": { - "Region": "eu-central-1", - "UseDualStack": true, - "UseFIPS": false + "Region": "ap-southeast-2", + "UseFIPS": false, + "UseDualStack": false } }, { 
@@ -48,47 +35,47 @@ }, "params": { "Region": "eu-central-1", - "UseDualStack": false, - "UseFIPS": false + "UseFIPS": false, + "UseDualStack": false } }, { - "documentation": "For region us-west-2 with FIPS enabled and DualStack enabled", + "documentation": "For region eu-west-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://mgh-fips.us-west-2.api.aws" + "url": "https://mgh.eu-west-1.amazonaws.com" } }, "params": { - "Region": "us-west-2", - "UseDualStack": true, - "UseFIPS": true + "Region": "eu-west-1", + "UseFIPS": false, + "UseDualStack": false } }, { - "documentation": "For region us-west-2 with FIPS enabled and DualStack disabled", + "documentation": "For region eu-west-2 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://mgh-fips.us-west-2.amazonaws.com" + "url": "https://mgh.eu-west-2.amazonaws.com" } }, "params": { - "Region": "us-west-2", - "UseDualStack": false, - "UseFIPS": true + "Region": "eu-west-2", + "UseFIPS": false, + "UseDualStack": false } }, { - "documentation": "For region us-west-2 with FIPS disabled and DualStack enabled", + "documentation": "For region us-east-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://mgh.us-west-2.api.aws" + "url": "https://mgh.us-east-1.amazonaws.com" } }, "params": { - "Region": "us-west-2", - "UseDualStack": true, - "UseFIPS": false + "Region": "us-east-1", + "UseFIPS": false, + "UseDualStack": false } }, { 
@@ -100,281 +87,273 @@ }, "params": { "Region": "us-west-2", - "UseDualStack": false, - "UseFIPS": false + "UseFIPS": false, + "UseDualStack": false } }, { - "documentation": "For region eu-west-2 with FIPS enabled and DualStack enabled", + "documentation": "For region us-east-1 with FIPS enabled and DualStack enabled", "expect": { "endpoint": { - "url": "https://mgh-fips.eu-west-2.api.aws" + "url": "https://mgh-fips.us-east-1.api.aws" } }, "params": { - "Region": "eu-west-2", - "UseDualStack": true, - "UseFIPS": true + "Region": "us-east-1", + "UseFIPS": true, + "UseDualStack": true } }, { - "documentation": "For region eu-west-2 with FIPS enabled and DualStack disabled", + "documentation": "For region us-east-1 with FIPS enabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://mgh-fips.eu-west-2.amazonaws.com" + "url": "https://mgh-fips.us-east-1.amazonaws.com" } }, "params": { - "Region": "eu-west-2", - "UseDualStack": false, - "UseFIPS": true + "Region": "us-east-1", + "UseFIPS": true, + "UseDualStack": false } }, { - "documentation": "For region eu-west-2 with FIPS disabled and DualStack enabled", + "documentation": "For region us-east-1 with FIPS disabled and DualStack enabled", "expect": { "endpoint": { - "url": "https://mgh.eu-west-2.api.aws" + "url": "https://mgh.us-east-1.api.aws" } }, "params": { - "Region": "eu-west-2", - "UseDualStack": true, - "UseFIPS": false + "Region": "us-east-1", + "UseFIPS": false, + "UseDualStack": true } }, { - "documentation": "For region eu-west-2 with FIPS disabled and DualStack disabled", + "documentation": "For region cn-north-1 with FIPS enabled and DualStack enabled", "expect": { "endpoint": { - "url": "https://mgh.eu-west-2.amazonaws.com" + "url": "https://mgh-fips.cn-north-1.api.amazonwebservices.com.cn" } }, "params": { - "Region": "eu-west-2", - "UseDualStack": false, - "UseFIPS": false + "Region": "cn-north-1", + "UseFIPS": true, + "UseDualStack": true } }, { - "documentation": "For region 
eu-west-1 with FIPS enabled and DualStack enabled", + "documentation": "For region cn-north-1 with FIPS enabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://mgh-fips.eu-west-1.api.aws" + "url": "https://mgh-fips.cn-north-1.amazonaws.com.cn" } }, "params": { - "Region": "eu-west-1", - "UseDualStack": true, - "UseFIPS": true + "Region": "cn-north-1", + "UseFIPS": true, + "UseDualStack": false } }, { - "documentation": "For region eu-west-1 with FIPS enabled and DualStack disabled", + "documentation": "For region cn-north-1 with FIPS disabled and DualStack enabled", "expect": { "endpoint": { - "url": "https://mgh-fips.eu-west-1.amazonaws.com" + "url": "https://mgh.cn-north-1.api.amazonwebservices.com.cn" } }, "params": { - "Region": "eu-west-1", - "UseDualStack": false, - "UseFIPS": true + "Region": "cn-north-1", + "UseFIPS": false, + "UseDualStack": true } }, { - "documentation": "For region eu-west-1 with FIPS disabled and DualStack enabled", + "documentation": "For region cn-north-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://mgh.eu-west-1.api.aws" + "url": "https://mgh.cn-north-1.amazonaws.com.cn" } }, "params": { - "Region": "eu-west-1", - "UseDualStack": true, - "UseFIPS": false + "Region": "cn-north-1", + "UseFIPS": false, + "UseDualStack": false } }, { - "documentation": "For region eu-west-1 with FIPS disabled and DualStack disabled", + "documentation": "For region us-gov-east-1 with FIPS enabled and DualStack enabled", "expect": { "endpoint": { - "url": "https://mgh.eu-west-1.amazonaws.com" + "url": "https://mgh-fips.us-gov-east-1.api.aws" } }, "params": { - "Region": "eu-west-1", - "UseDualStack": false, - "UseFIPS": false + "Region": "us-gov-east-1", + "UseFIPS": true, + "UseDualStack": true } }, { - "documentation": "For region ap-northeast-1 with FIPS enabled and DualStack enabled", + "documentation": "For region us-gov-east-1 with FIPS enabled and DualStack disabled", "expect": { 
"endpoint": { - "url": "https://mgh-fips.ap-northeast-1.api.aws" + "url": "https://mgh-fips.us-gov-east-1.amazonaws.com" } }, "params": { - "Region": "ap-northeast-1", - "UseDualStack": true, - "UseFIPS": true + "Region": "us-gov-east-1", + "UseFIPS": true, + "UseDualStack": false } }, { - "documentation": "For region ap-northeast-1 with FIPS enabled and DualStack disabled", + "documentation": "For region us-gov-east-1 with FIPS disabled and DualStack enabled", "expect": { "endpoint": { - "url": "https://mgh-fips.ap-northeast-1.amazonaws.com" + "url": "https://mgh.us-gov-east-1.api.aws" } }, "params": { - "Region": "ap-northeast-1", - "UseDualStack": false, - "UseFIPS": true + "Region": "us-gov-east-1", + "UseFIPS": false, + "UseDualStack": true } }, { - "documentation": "For region ap-northeast-1 with FIPS disabled and DualStack enabled", + "documentation": "For region us-gov-east-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://mgh.ap-northeast-1.api.aws" + "url": "https://mgh.us-gov-east-1.amazonaws.com" } }, "params": { - "Region": "ap-northeast-1", - "UseDualStack": true, - "UseFIPS": false + "Region": "us-gov-east-1", + "UseFIPS": false, + "UseDualStack": false } }, { - "documentation": "For region ap-northeast-1 with FIPS disabled and DualStack disabled", + "documentation": "For region us-iso-east-1 with FIPS enabled and DualStack enabled", "expect": { - "endpoint": { - "url": "https://mgh.ap-northeast-1.amazonaws.com" - } + "error": "FIPS and DualStack are enabled, but this partition does not support one or both" }, "params": { - "Region": "ap-northeast-1", - "UseDualStack": false, - "UseFIPS": false + "Region": "us-iso-east-1", + "UseFIPS": true, + "UseDualStack": true } }, { - "documentation": "For region ap-southeast-2 with FIPS enabled and DualStack enabled", + "documentation": "For region us-iso-east-1 with FIPS enabled and DualStack disabled", "expect": { "endpoint": { - "url": 
"https://mgh-fips.ap-southeast-2.api.aws" + "url": "https://mgh-fips.us-iso-east-1.c2s.ic.gov" } }, "params": { - "Region": "ap-southeast-2", - "UseDualStack": true, - "UseFIPS": true + "Region": "us-iso-east-1", + "UseFIPS": true, + "UseDualStack": false } }, { - "documentation": "For region ap-southeast-2 with FIPS enabled and DualStack disabled", + "documentation": "For region us-iso-east-1 with FIPS disabled and DualStack enabled", "expect": { - "endpoint": { - "url": "https://mgh-fips.ap-southeast-2.amazonaws.com" - } + "error": "DualStack is enabled but this partition does not support DualStack" }, "params": { - "Region": "ap-southeast-2", - "UseDualStack": false, - "UseFIPS": true + "Region": "us-iso-east-1", + "UseFIPS": false, + "UseDualStack": true } }, { - "documentation": "For region ap-southeast-2 with FIPS disabled and DualStack enabled", + "documentation": "For region us-iso-east-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://mgh.ap-southeast-2.api.aws" + "url": "https://mgh.us-iso-east-1.c2s.ic.gov" } }, "params": { - "Region": "ap-southeast-2", - "UseDualStack": true, - "UseFIPS": false + "Region": "us-iso-east-1", + "UseFIPS": false, + "UseDualStack": false } }, { - "documentation": "For region ap-southeast-2 with FIPS disabled and DualStack disabled", + "documentation": "For region us-isob-east-1 with FIPS enabled and DualStack enabled", "expect": { - "endpoint": { - "url": "https://mgh.ap-southeast-2.amazonaws.com" - } + "error": "FIPS and DualStack are enabled, but this partition does not support one or both" }, "params": { - "Region": "ap-southeast-2", - "UseDualStack": false, - "UseFIPS": false + "Region": "us-isob-east-1", + "UseFIPS": true, + "UseDualStack": true } }, { - "documentation": "For region us-east-1 with FIPS enabled and DualStack enabled", + "documentation": "For region us-isob-east-1 with FIPS enabled and DualStack disabled", "expect": { "endpoint": { - "url": 
"https://mgh-fips.us-east-1.api.aws" + "url": "https://mgh-fips.us-isob-east-1.sc2s.sgov.gov" } }, "params": { - "Region": "us-east-1", - "UseDualStack": true, - "UseFIPS": true + "Region": "us-isob-east-1", + "UseFIPS": true, + "UseDualStack": false } }, { - "documentation": "For region us-east-1 with FIPS enabled and DualStack disabled", + "documentation": "For region us-isob-east-1 with FIPS disabled and DualStack enabled", "expect": { - "endpoint": { - "url": "https://mgh-fips.us-east-1.amazonaws.com" - } + "error": "DualStack is enabled but this partition does not support DualStack" }, "params": { - "Region": "us-east-1", - "UseDualStack": false, - "UseFIPS": true + "Region": "us-isob-east-1", + "UseFIPS": false, + "UseDualStack": true } }, { - "documentation": "For region us-east-1 with FIPS disabled and DualStack enabled", + "documentation": "For region us-isob-east-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://mgh.us-east-1.api.aws" + "url": "https://mgh.us-isob-east-1.sc2s.sgov.gov" } }, "params": { - "Region": "us-east-1", - "UseDualStack": true, - "UseFIPS": false + "Region": "us-isob-east-1", + "UseFIPS": false, + "UseDualStack": false } }, { - "documentation": "For region us-east-1 with FIPS disabled and DualStack disabled", + "documentation": "For custom endpoint with region set and fips disabled and dualstack disabled", "expect": { "endpoint": { - "url": "https://mgh.us-east-1.amazonaws.com" + "url": "https://example.com" } }, "params": { "Region": "us-east-1", + "UseFIPS": false, "UseDualStack": false, - "UseFIPS": false + "Endpoint": "https://example.com" } }, { - "documentation": "For custom endpoint with fips disabled and dualstack disabled", + "documentation": "For custom endpoint with region not set and fips disabled and dualstack disabled", "expect": { "endpoint": { "url": "https://example.com" } }, "params": { - "Region": "us-east-1", - "UseDualStack": false, "UseFIPS": false, + "UseDualStack": 
false, "Endpoint": "https://example.com" } }, @@ -385,8 +364,8 @@ }, "params": { "Region": "us-east-1", - "UseDualStack": false, "UseFIPS": true, + "UseDualStack": false, "Endpoint": "https://example.com" } }, @@ -397,10 +376,16 @@ }, "params": { "Region": "us-east-1", - "UseDualStack": true, "UseFIPS": false, + "UseDualStack": true, "Endpoint": "https://example.com" } + }, + { + "documentation": "Missing region", + "expect": { + "error": "Invalid Configuration: Missing Region" + } } ], "version": "1.0" diff --git a/tests/functional/endpoint-rules/sesv2/endpoint-tests-1.json b/tests/functional/endpoint-rules/sesv2/endpoint-tests-1.json index fa4feb98bd..2cba42fcdf 100644 --- a/tests/functional/endpoint-rules/sesv2/endpoint-tests-1.json +++ b/tests/functional/endpoint-rules/sesv2/endpoint-tests-1.json 
@@ -594,6 +594,163 @@ "expect": { "error": "Invalid Configuration: Missing Region" } + }, + { + "documentation": "Valid EndpointId with dualstack and FIPS disabled. i.e, IPv4 Only stack with no FIPS", + "expect": { + "endpoint": { + "properties": { + "authSchemes": [ + { + "signingName": "ses", + "name": "sigv4a", + "signingRegionSet": [ + "*" + ] + } + ] + }, + "url": "https://abc123.456def.endpoints.email.amazonaws.com" + } + }, + "params": { + "EndpointId": "abc123.456def", + "UseDualStack": false, + "UseFIPS": false, + "Region": "us-east-1" + } + }, + { + "documentation": "Valid EndpointId with dualstack enabled", + "expect": { + "endpoint": { + "properties": { + "authSchemes": [ + { + "signingName": "ses", + "name": "sigv4a", + "signingRegionSet": [ + "*" + ] + } + ] + }, + "url": "https://abc123.456def.endpoints.email.api.aws" + } + }, + "params": { + "EndpointId": "abc123.456def", + "UseDualStack": true, + "UseFIPS": false, + "Region": "us-west-2" + } + }, + { + "documentation": "Valid EndpointId with FIPS set, dualstack disabled", + "expect": { + "error": "Invalid Configuration: FIPS is not supported with multi-region endpoints" + }, + "params": { + "EndpointId": "abc123.456def", + "UseDualStack": false, + "UseFIPS": true, + "Region": "ap-northeast-1" + } + }, + { + "documentation": "Valid EndpointId with both dualstack and FIPS enabled", + "expect": { + "error": "Invalid Configuration: FIPS is not supported with multi-region endpoints" + }, + "params": { + "EndpointId": "abc123.456def", + "UseDualStack": true, + "UseFIPS": true, + "Region": "ap-northeast-2" + } + }, + { + "documentation": "Regular regional request, without EndpointId", + "expect": { + "endpoint": { + "url": "https://email.eu-west-1.amazonaws.com" + } + }, + "params": { + "UseDualStack": false, + "Region": "eu-west-1" + } + }, + { + "documentation": "Invalid EndpointId (Invalid chars / format)", + "expect": { + "error": "EndpointId must be a valid host label" + }, + "params": { + 
"EndpointId": "badactor.com?foo=bar", + "UseDualStack": false, + "Region": "eu-west-2" + } + }, + { + "documentation": "Invalid EndpointId (Empty)", + "expect": { + "error": "EndpointId must be a valid host label" + }, + "params": { + "EndpointId": "", + "UseDualStack": false, + "Region": "ap-south-1" + } + }, + { + "documentation": "Valid EndpointId with custom sdk endpoint", + "expect": { + "endpoint": { + "properties": { + "authSchemes": [ + { + "signingName": "ses", + "name": "sigv4a", + "signingRegionSet": [ + "*" + ] + } + ] + }, + "url": "https://example.com" + } + }, + "params": { + "EndpointId": "abc123.456def", + "UseDualStack": false, + "Region": "us-east-1", + "Endpoint": "https://example.com" + } + }, + { + "documentation": "Valid EndpointId with custom sdk endpoint with FIPS enabled", + "expect": { + "error": "Invalid Configuration: FIPS is not supported with multi-region endpoints" + }, + "params": { + "EndpointId": "abc123.456def", + "UseDualStack": false, + "UseFIPS": true, + "Region": "us-east-1", + "Endpoint": "https://example.com" + } + }, + { + "documentation": "Valid EndpointId with DualStack enabled and partition does not support DualStack", + "expect": { + "error": "DualStack is enabled but this partition does not support DualStack" + }, + "params": { + "EndpointId": "abc123.456def", + "UseDualStack": true, + "Region": "us-isob-east-1" + } } ], "version": "1.0"
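Review bot: The negative cases added for `EndpointId` cover only a value containing `?` (`badactor.com?foo=bar`) and the empty string, although the valid cases show the value placed directly in the hostname (`https://abc123.456def.endpoints.email.amazonaws.com`) and a dotted value accepted. That check is what keeps a caller-supplied identifier from changing the host that sigv4a-signed requests are sent to, so I would pin at least one more rejected shape, such as a value containing `/`, with the same expected error; the `EndpointId` in the case below is a constructed sample. None of the added cases combines an invalid `EndpointId` with a custom `Endpoint`, so the tests do not show whether validation still runs on that path; a case for it is worth adding once the intended result is confirmed against the rule set. This file appears to mirror the service's endpoint model, so the additions may have to be made upstream.

```json
{
    "documentation": "Invalid EndpointId (path separator)",
    "expect": {
        "error": "EndpointId must be a valid host label"
    },
    "params": {
        "EndpointId": "abc123/456def",
        "UseDualStack": false,
        "Region": "eu-west-2"
    }
}
```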