AWS Identity and Access Management

2021/02/12 - AWS Identity and Access Management - 18 new 16 updated api methods

Changes  AWS Identity and Access Management now supports tagging for the following resources: customer managed policies, identity providers, instance profiles, server certificates, and virtual MFA devices.

TagInstanceProfile (new) Link ¶

Adds one or more tags to an IAM instance profile. If a tag with the same key name already exists, then that tag is overwritten with the new value.

Each tag consists of a key name and an associated value. By assigning tags to your resources, you can do the following:

  • Administrative grouping and discovery - Attach tags to resources to aid in organization and search. For example, you could search for all resources with the key name Project and the value MyImportantProject . Or search for all resources with the key name Cost Center and the value 41200 .

  • Access control - Include tags in IAM user-based and resource-based policies. You can use tags to restrict access to only an IAM instance profile that has a specified tag attached. For examples of policies that show how to use tags to control access, see Control access using IAM tags in the IAM User Guide .

Note

  • If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

  • AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

See also: AWS API Documentation

Request Syntax

client.tag_instance_profile(
    InstanceProfileName='string',
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
)
type InstanceProfileName

string

param InstanceProfileName

[REQUIRED]

The name of the IAM instance profile to which you want to add tags.

This parameter accepts (through its regex pattern ) a string of characters that consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-

type Tags

list

param Tags

[REQUIRED]

The list of tags that you want to attach to the IAM instance profile. Each tag consists of a key name and an associated value.

  • (dict) --

    A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

    • Key (string) -- [REQUIRED]

      The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

    • Value (string) -- [REQUIRED]

      The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

      Note

      AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

returns

None

ListPolicyTags (new) Link ¶

Lists the tags that are attached to the specified IAM customer managed policy. The returned list of tags is sorted by tag key. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

See also: AWS API Documentation

Request Syntax

client.list_policy_tags(
    PolicyArn='string',
    Marker='string',
    MaxItems=123
)
type PolicyArn

string

param PolicyArn

[REQUIRED]

The ARN of the IAM customer managed policy whose tags you want to see.

This parameter accepts (through its regex pattern ) a string of characters that consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-

type Marker

string

param Marker

Use this parameter only when paginating results and only after you receive a response indicating that the results are truncated. Set it to the value of the Marker element in the response that you received to indicate where the next call should start.

type MaxItems

integer

param MaxItems

(Optional) Use this only when paginating results to indicate the maximum number of items that you want in the response. If additional items exist beyond the maximum that you specify, the IsTruncated response element is true .

If you do not include this parameter, it defaults to 100. Note that IAM might return fewer results, even when more results are available. In that case, the IsTruncated response element returns true , and Marker contains a value to include in the subsequent call that tells the service where to continue from.

rtype

dict

returns

Response Syntax

{
    'Tags': [
        {
            'Key': 'string',
            'Value': 'string'
        },
    ],
    'IsTruncated': True|False,
    'Marker': 'string'
}

Response Structure

  • (dict) --

    • Tags (list) --

      The list of tags that are currently attached to the IAM customer managed policy. Each tag consists of a key name and an associated value. If no tags are attached to the specified resource, the response contains an empty list.

      • (dict) --

        A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

        • Key (string) --

          The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

        • Value (string) --

          The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

          Note

          AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

    • IsTruncated (boolean) --

      A flag that indicates whether there are more items to return. If your results were truncated, you can use the Marker request parameter to make a subsequent pagination request that retrieves more items. Note that IAM might return fewer than the MaxItems number of results even when more results are available. Check IsTruncated after every call to ensure that you receive all of your results.

    • Marker (string) --

      When IsTruncated is true , this element is present and contains the value to use for the Marker parameter in a subsequent pagination request.

ListServerCertificateTags (new) Link ¶

Lists the tags that are attached to the specified IAM server certificate. The returned list of tags is sorted by tag key. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

Note

For certificates in a Region supported by AWS Certificate Manager (ACM), we recommend that you don't use IAM server certificates. Instead, use ACM to provision, manage, and deploy your server certificates. For more information about IAM server certificates, Working with server certificates in the IAM User Guide .

See also: AWS API Documentation

Request Syntax

client.list_server_certificate_tags(
    ServerCertificateName='string',
    Marker='string',
    MaxItems=123
)
type ServerCertificateName

string

param ServerCertificateName

[REQUIRED]

The name of the IAM server certificate whose tags you want to see.

This parameter accepts (through its regex pattern ) a string of characters that consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-

type Marker

string

param Marker

Use this parameter only when paginating results and only after you receive a response indicating that the results are truncated. Set it to the value of the Marker element in the response that you received to indicate where the next call should start.

type MaxItems

integer

param MaxItems

(Optional) Use this only when paginating results to indicate the maximum number of items that you want in the response. If additional items exist beyond the maximum that you specify, the IsTruncated response element is true .

If you do not include this parameter, it defaults to 100. Note that IAM might return fewer results, even when more results are available. In that case, the IsTruncated response element returns true , and Marker contains a value to include in the subsequent call that tells the service where to continue from.

rtype

dict

returns

Response Syntax

{
    'Tags': [
        {
            'Key': 'string',
            'Value': 'string'
        },
    ],
    'IsTruncated': True|False,
    'Marker': 'string'
}

Response Structure

  • (dict) --

    • Tags (list) --

      The list of tags that are currently attached to the IAM server certificate. Each tag consists of a key name and an associated value. If no tags are attached to the specified resource, the response contains an empty list.

      • (dict) --

        A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

        • Key (string) --

          The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

        • Value (string) --

          The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

          Note

          AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

    • IsTruncated (boolean) --

      A flag that indicates whether there are more items to return. If your results were truncated, you can use the Marker request parameter to make a subsequent pagination request that retrieves more items. Note that IAM might return fewer than the MaxItems number of results even when more results are available. Check IsTruncated after every call to ensure that you receive all of your results.

    • Marker (string) --

      When IsTruncated is true , this element is present and contains the value to use for the Marker parameter in a subsequent pagination request.

ListInstanceProfileTags (new) Link ¶

Lists the tags that are attached to the specified IAM instance profile. The returned list of tags is sorted by tag key. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

See also: AWS API Documentation

Request Syntax

client.list_instance_profile_tags(
    InstanceProfileName='string',
    Marker='string',
    MaxItems=123
)
type InstanceProfileName

string

param InstanceProfileName

[REQUIRED]

The name of the IAM instance profile whose tags you want to see.

This parameter accepts (through its regex pattern ) a string of characters that consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-

type Marker

string

param Marker

Use this parameter only when paginating results and only after you receive a response indicating that the results are truncated. Set it to the value of the Marker element in the response that you received to indicate where the next call should start.

type MaxItems

integer

param MaxItems

(Optional) Use this only when paginating results to indicate the maximum number of items that you want in the response. If additional items exist beyond the maximum that you specify, the IsTruncated response element is true .

If you do not include this parameter, it defaults to 100. Note that IAM might return fewer results, even when more results are available. In that case, the IsTruncated response element returns true , and Marker contains a value to include in the subsequent call that tells the service where to continue from.

rtype

dict

returns

Response Syntax

{
    'Tags': [
        {
            'Key': 'string',
            'Value': 'string'
        },
    ],
    'IsTruncated': True|False,
    'Marker': 'string'
}

Response Structure

  • (dict) --

    • Tags (list) --

      The list of tags that are currently attached to the IAM instance profile. Each tag consists of a key name and an associated value. If no tags are attached to the specified resource, the response contains an empty list.

      • (dict) --

        A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

        • Key (string) --

          The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

        • Value (string) --

          The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

          Note

          AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

    • IsTruncated (boolean) --

      A flag that indicates whether there are more items to return. If your results were truncated, you can use the Marker request parameter to make a subsequent pagination request that retrieves more items. Note that IAM might return fewer than the MaxItems number of results even when more results are available. Check IsTruncated after every call to ensure that you receive all of your results.

    • Marker (string) --

      When IsTruncated is true , this element is present and contains the value to use for the Marker parameter in a subsequent pagination request.

TagOpenIDConnectProvider (new) Link ¶

Adds one or more tags to an OpenID Connect (OIDC)-compatible identity provider. For more information about these providers, see About web identity federation . If a tag with the same key name already exists, then that tag is overwritten with the new value.

A tag consists of a key name and an associated value. By assigning tags to your resources, you can do the following:

  • Administrative grouping and discovery - Attach tags to resources to aid in organization and search. For example, you could search for all resources with the key name Project and the value MyImportantProject . Or search for all resources with the key name Cost Center and the value 41200 .

  • Access control - Include tags in IAM user-based and resource-based policies. You can use tags to restrict access to only an OIDC provider that has a specified tag attached. For examples of policies that show how to use tags to control access, see Control access using IAM tags in the IAM User Guide .

Note

  • If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

  • AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

See also: AWS API Documentation

Request Syntax

client.tag_open_id_connect_provider(
    OpenIDConnectProviderArn='string',
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
)
type OpenIDConnectProviderArn

string

param OpenIDConnectProviderArn

[REQUIRED]

The ARN of the OIDC identity provider in IAM to which you want to add tags.

This parameter accepts (through its regex pattern ) a string of characters that consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-

type Tags

list

param Tags

[REQUIRED]

The list of tags that you want to attach to the OIDC identity provider in IAM. Each tag consists of a key name and an associated value.

  • (dict) --

    A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

    • Key (string) -- [REQUIRED]

      The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

    • Value (string) -- [REQUIRED]

      The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

      Note

      AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

returns

None

ListOpenIDConnectProviderTags (new) Link ¶

Lists the tags that are attached to the specified OpenID Connect (OIDC)-compatible identity provider. The returned list of tags is sorted by tag key. For more information, see About web identity federation .

For more information about tagging, see Tagging IAM resources in the IAM User Guide .

See also: AWS API Documentation

Request Syntax

client.list_open_id_connect_provider_tags(
    OpenIDConnectProviderArn='string',
    Marker='string',
    MaxItems=123
)
type OpenIDConnectProviderArn

string

param OpenIDConnectProviderArn

[REQUIRED]

The ARN of the OpenID Connect (OIDC) identity provider whose tags you want to see.

This parameter accepts (through its regex pattern ) a string of characters that consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-

type Marker

string

param Marker

Use this parameter only when paginating results and only after you receive a response indicating that the results are truncated. Set it to the value of the Marker element in the response that you received to indicate where the next call should start.

type MaxItems

integer

param MaxItems

(Optional) Use this only when paginating results to indicate the maximum number of items that you want in the response. If additional items exist beyond the maximum that you specify, the IsTruncated response element is true .

If you do not include this parameter, it defaults to 100. Note that IAM might return fewer results, even when more results are available. In that case, the IsTruncated response element returns true , and Marker contains a value to include in the subsequent call that tells the service where to continue from.

rtype

dict

returns

Response Syntax

{
    'Tags': [
        {
            'Key': 'string',
            'Value': 'string'
        },
    ],
    'IsTruncated': True|False,
    'Marker': 'string'
}

Response Structure

  • (dict) --

    • Tags (list) --

      The list of tags that are currently attached to the OpenID Connect (OIDC) identity provider. Each tag consists of a key name and an associated value. If no tags are attached to the specified resource, the response contains an empty list.

      • (dict) --

        A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

        • Key (string) --

          The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

        • Value (string) --

          The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

          Note

          AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

    • IsTruncated (boolean) --

      A flag that indicates whether there are more items to return. If your results were truncated, you can use the Marker request parameter to make a subsequent pagination request that retrieves more items. Note that IAM might return fewer than the MaxItems number of results even when more results are available. Check IsTruncated after every call to ensure that you receive all of your results.

    • Marker (string) --

      When IsTruncated is true , this element is present and contains the value to use for the Marker parameter in a subsequent pagination request.

TagServerCertificate (new) Link ¶

Adds one or more tags to an IAM server certificate. If a tag with the same key name already exists, then that tag is overwritten with the new value.

Note

For certificates in a Region supported by AWS Certificate Manager (ACM), we recommend that you don't use IAM server certificates. Instead, use ACM to provision, manage, and deploy your server certificates. For more information about IAM server certificates, Working with server certificates in the IAM User Guide .

A tag consists of a key name and an associated value. By assigning tags to your resources, you can do the following:

  • Administrative grouping and discovery - Attach tags to resources to aid in organization and search. For example, you could search for all resources with the key name Project and the value MyImportantProject . Or search for all resources with the key name Cost Center and the value 41200 .

  • Access control - Include tags in IAM user-based and resource-based policies. You can use tags to restrict access to only a server certificate that has a specified tag attached. For examples of policies that show how to use tags to control access, see Control access using IAM tags in the IAM User Guide .

  • Cost allocation - Use tags to help track which individuals and teams are using which AWS resources.

Note

  • If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

  • AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

See also: AWS API Documentation

Request Syntax

client.tag_server_certificate(
    ServerCertificateName='string',
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
)
type ServerCertificateName

string

param ServerCertificateName

[REQUIRED]

The name of the IAM server certificate to which you want to add tags.

This parameter accepts (through its regex pattern ) a string of characters that consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-

type Tags

list

param Tags

[REQUIRED]

The list of tags that you want to attach to the IAM server certificate. Each tag consists of a key name and an associated value.

  • (dict) --

    A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

    • Key (string) -- [REQUIRED]

      The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

    • Value (string) -- [REQUIRED]

      The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

      Note

      AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

returns

None

ListSAMLProviderTags (new) Link ¶

Lists the tags that are attached to the specified Security Assertion Markup Language (SAML) identity provider. The returned list of tags is sorted by tag key. For more information, see About SAML 2.0-based federation .

For more information about tagging, see Tagging IAM resources in the IAM User Guide .

See also: AWS API Documentation

Request Syntax

client.list_saml_provider_tags(
    SAMLProviderArn='string',
    Marker='string',
    MaxItems=123
)
type SAMLProviderArn

string

param SAMLProviderArn

[REQUIRED]

The ARN of the Security Assertion Markup Language (SAML) identity provider whose tags you want to see.

This parameter accepts (through its regex pattern ) a string of characters that consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-

type Marker

string

param Marker

Use this parameter only when paginating results and only after you receive a response indicating that the results are truncated. Set it to the value of the Marker element in the response that you received to indicate where the next call should start.

type MaxItems

integer

param MaxItems

(Optional) Use this only when paginating results to indicate the maximum number of items that you want in the response. If additional items exist beyond the maximum that you specify, the IsTruncated response element is true .

If you do not include this parameter, it defaults to 100. Note that IAM might return fewer results, even when more results are available. In that case, the IsTruncated response element returns true , and Marker contains a value to include in the subsequent call that tells the service where to continue from.

rtype

dict

returns

Response Syntax

{
    'Tags': [
        {
            'Key': 'string',
            'Value': 'string'
        },
    ],
    'IsTruncated': True|False,
    'Marker': 'string'
}

Response Structure

  • (dict) --

    • Tags (list) --

      The list of tags that are currently attached to the Security Assertion Markup Language (SAML) identity provider. Each tag consists of a key name and an associated value. If no tags are attached to the specified resource, the response contains an empty list.

      • (dict) --

        A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

        • Key (string) --

          The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

        • Value (string) --

          The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

          Note

          AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

    • IsTruncated (boolean) --

      A flag that indicates whether there are more items to return. If your results were truncated, you can use the Marker request parameter to make a subsequent pagination request that retrieves more items. Note that IAM might return fewer than the MaxItems number of results even when more results are available. Check IsTruncated after every call to ensure that you receive all of your results.

    • Marker (string) --

      When IsTruncated is true , this element is present and contains the value to use for the Marker parameter in a subsequent pagination request.

UntagServerCertificate (new) Link ¶

Removes the specified tags from the IAM server certificate. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

Note

For certificates in a Region supported by AWS Certificate Manager (ACM), we recommend that you don't use IAM server certificates. Instead, use ACM to provision, manage, and deploy your server certificates. For more information about IAM server certificates, Working with server certificates in the IAM User Guide .

See also: AWS API Documentation

Request Syntax

client.untag_server_certificate(
    ServerCertificateName='string',
    TagKeys=[
        'string',
    ]
)
type ServerCertificateName

string

param ServerCertificateName

[REQUIRED]

The name of the IAM server certificate from which you want to remove tags.

This parameter accepts (through its regex pattern ) a string of characters that consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-

type TagKeys

list

param TagKeys

[REQUIRED]

A list of key names as a simple array of strings. The tags with matching keys are removed from the specified IAM server certificate.

  • (string) --

returns

None

UntagSAMLProvider (new) Link ¶

Removes the specified tags from the specified Security Assertion Markup Language (SAML) identity provider in IAM. For more information about these providers, see About web identity federation . For more information about tagging, see Tagging IAM resources in the IAM User Guide .

See also: AWS API Documentation

Request Syntax

client.untag_saml_provider(
    SAMLProviderArn='string',
    TagKeys=[
        'string',
    ]
)
type SAMLProviderArn

string

param SAMLProviderArn

[REQUIRED]

The ARN of the SAML identity provider in IAM from which you want to remove tags.

This parameter accepts (through its regex pattern ) a string of characters that consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-

type TagKeys

list

param TagKeys

[REQUIRED]

A list of key names as a simple array of strings. The tags with matching keys are removed from the specified SAML identity provider.

  • (string) --

returns

None

UntagOpenIDConnectProvider (new) Link ¶

Removes the specified tags from the specified OpenID Connect (OIDC)-compatible identity provider in IAM. For more information about OIDC providers, see About web identity federation . For more information about tagging, see Tagging IAM resources in the IAM User Guide .

See also: AWS API Documentation

Request Syntax

client.untag_open_id_connect_provider(
    OpenIDConnectProviderArn='string',
    TagKeys=[
        'string',
    ]
)
type OpenIDConnectProviderArn

string

param OpenIDConnectProviderArn

[REQUIRED]

The ARN of the OIDC provider in IAM from which you want to remove tags.

This parameter accepts (through its regex pattern ) a string of characters that consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-

type TagKeys

list

param TagKeys

[REQUIRED]

A list of key names as a simple array of strings. The tags with matching keys are removed from the specified OIDC provider.

  • (string) --

returns

None

TagMFADevice (new) Link ¶

Adds one or more tags to an IAM virtual multi-factor authentication (MFA) device. If a tag with the same key name already exists, then that tag is overwritten with the new value.

A tag consists of a key name and an associated value. By assigning tags to your resources, you can do the following:

  • Administrative grouping and discovery - Attach tags to resources to aid in organization and search. For example, you could search for all resources with the key name Project and the value MyImportantProject . Or search for all resources with the key name Cost Center and the value 41200 .

  • Access control - Include tags in IAM user-based and resource-based policies. You can use tags to restrict access to only an IAM virtual MFA device that has a specified tag attached. For examples of policies that show how to use tags to control access, see Control access using IAM tags in the IAM User Guide .

Note

  • If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

  • AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

See also: AWS API Documentation

Request Syntax

client.tag_mfa_device(
    SerialNumber='string',
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
)
type SerialNumber

string

param SerialNumber

[REQUIRED]

The unique identifier for the IAM virtual MFA device to which you want to add tags. For virtual MFA devices, the serial number is the same as the ARN.

This parameter accepts (through its regex pattern ) a string of characters that consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-

type Tags

list

param Tags

[REQUIRED]

The list of tags that you want to attach to the IAM virtual MFA device. Each tag consists of a key name and an associated value.

  • (dict) --

    A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

    • Key (string) -- [REQUIRED]

      The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

    • Value (string) -- [REQUIRED]

      The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

      Note

      AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

returns

None

TagSAMLProvider (new) Link ¶

Adds one or more tags to a Security Assertion Markup Language (SAML) identity provider. For more information about these providers, see About SAML 2.0-based federation . If a tag with the same key name already exists, then that tag is overwritten with the new value.

A tag consists of a key name and an associated value. By assigning tags to your resources, you can do the following:

  • Administrative grouping and discovery - Attach tags to resources to aid in organization and search. For example, you could search for all resources with the key name Project and the value MyImportantProject . Or search for all resources with the key name Cost Center and the value 41200 .

  • Access control - Include tags in IAM user-based and resource-based policies. You can use tags to restrict access to only a SAML identity provider that has a specified tag attached. For examples of policies that show how to use tags to control access, see Control access using IAM tags in the IAM User Guide .

Note

  • If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

  • AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

See also: AWS API Documentation

Request Syntax

client.tag_saml_provider(
    SAMLProviderArn='string',
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
)
type SAMLProviderArn

string

param SAMLProviderArn

[REQUIRED]

The ARN of the SAML identity provider in IAM to which you want to add tags.

This parameter accepts (through its regex pattern ) a string of characters that consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-

type Tags

list

param Tags

[REQUIRED]

The list of tags that you want to attach to the SAML identity provider in IAM. Each tag consists of a key name and an associated value.

  • (dict) --

    A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

    • Key (string) -- [REQUIRED]

      The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

    • Value (string) -- [REQUIRED]

      The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

      Note

      AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

returns

None

ListMFADeviceTags (new) Link ¶

Lists the tags that are attached to the specified IAM virtual multi-factor authentication (MFA) device. The returned list of tags is sorted by tag key. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

See also: AWS API Documentation

Request Syntax

client.list_mfa_device_tags(
    SerialNumber='string',
    Marker='string',
    MaxItems=123
)
type SerialNumber

string

param SerialNumber

[REQUIRED]

The unique identifier for the IAM virtual MFA device whose tags you want to see. For virtual MFA devices, the serial number is the same as the ARN.

This parameter accepts (through its regex pattern ) a string of characters that consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-

type Marker

string

param Marker

Use this parameter only when paginating results and only after you receive a response indicating that the results are truncated. Set it to the value of the Marker element in the response that you received to indicate where the next call should start.

type MaxItems

integer

param MaxItems

(Optional) Use this only when paginating results to indicate the maximum number of items that you want in the response. If additional items exist beyond the maximum that you specify, the IsTruncated response element is true .

If you do not include this parameter, it defaults to 100. Note that IAM might return fewer results, even when more results are available. In that case, the IsTruncated response element returns true , and Marker contains a value to include in the subsequent call that tells the service where to continue from.

rtype

dict

returns

Response Syntax

{
    'Tags': [
        {
            'Key': 'string',
            'Value': 'string'
        },
    ],
    'IsTruncated': True|False,
    'Marker': 'string'
}

Response Structure

  • (dict) --

    • Tags (list) --

      The list of tags that are currently attached to the virtual MFA device. Each tag consists of a key name and an associated value. If no tags are attached to the specified resource, the response contains an empty list.

      • (dict) --

        A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

        • Key (string) --

          The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

        • Value (string) --

          The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

          Note

          AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

    • IsTruncated (boolean) --

      A flag that indicates whether there are more items to return. If your results were truncated, you can use the Marker request parameter to make a subsequent pagination request that retrieves more items. Note that IAM might return fewer than the MaxItems number of results even when more results are available. Check IsTruncated after every call to ensure that you receive all of your results.

    • Marker (string) --

      When IsTruncated is true , this element is present and contains the value to use for the Marker parameter in a subsequent pagination request.

UntagPolicy (new) Link ¶

Removes the specified tags from the customer managed policy. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

See also: AWS API Documentation

Request Syntax

client.untag_policy(
    PolicyArn='string',
    TagKeys=[
        'string',
    ]
)
type PolicyArn

string

param PolicyArn

[REQUIRED]

The ARN of the IAM customer managed policy from which you want to remove tags.

This parameter accepts (through its regex pattern ) a string of characters that consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-

type TagKeys

list

param TagKeys

[REQUIRED]

A list of key names as a simple array of strings. The tags with matching keys are removed from the specified policy.

  • (string) --

returns

None

UntagMFADevice (new) Link ¶

Removes the specified tags from the IAM virtual multi-factor authentication (MFA) device. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

See also: AWS API Documentation

Request Syntax

client.untag_mfa_device(
    SerialNumber='string',
    TagKeys=[
        'string',
    ]
)
type SerialNumber

string

param SerialNumber

[REQUIRED]

The unique identifier for the IAM virtual MFA device from which you want to remove tags. For virtual MFA devices, the serial number is the same as the ARN.

This parameter accepts (through its regex pattern ) a string of characters that consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-

type TagKeys

list

param TagKeys

[REQUIRED]

A list of key names as a simple array of strings. The tags with matching keys are removed from the specified instance profile.

  • (string) --

returns

None

UntagInstanceProfile (new) Link ¶

Removes the specified tags from the IAM instance profile. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

See also: AWS API Documentation

Request Syntax

client.untag_instance_profile(
    InstanceProfileName='string',
    TagKeys=[
        'string',
    ]
)
type InstanceProfileName

string

param InstanceProfileName

[REQUIRED]

The name of the IAM instance profile from which you want to remove tags.

This parameter accepts (through its regex pattern ) a string of characters that consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-

type TagKeys

list

param TagKeys

[REQUIRED]

A list of key names as a simple array of strings. The tags with matching keys are removed from the specified instance profile.

  • (string) --

returns

None

TagPolicy (new) Link ¶

Adds one or more tags to an IAM customer managed policy. If a tag with the same key name already exists, then that tag is overwritten with the new value.

A tag consists of a key name and an associated value. By assigning tags to your resources, you can do the following:

  • Administrative grouping and discovery - Attach tags to resources to aid in organization and search. For example, you could search for all resources with the key name Project and the value MyImportantProject . Or search for all resources with the key name Cost Center and the value 41200 .

  • Access control - Include tags in IAM user-based and resource-based policies. You can use tags to restrict access to only an IAM customer managed policy that has a specified tag attached. For examples of policies that show how to use tags to control access, see Control access using IAM tags in the IAM User Guide .

Note

  • If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

  • AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

See also: AWS API Documentation

Request Syntax

client.tag_policy(
    PolicyArn='string',
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
)
type PolicyArn

string

param PolicyArn

[REQUIRED]

The ARN of the IAM customer managed policy to which you want to add tags.

This parameter accepts (through its regex pattern ) a string of characters that consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-

type Tags

list

param Tags

[REQUIRED]

The list of tags that you want to attach to the IAM customer managed policy. Each tag consists of a key name and an associated value.

  • (dict) --

    A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

    • Key (string) -- [REQUIRED]

      The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

    • Value (string) -- [REQUIRED]

      The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

      Note

      AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

returns

None

CreateInstanceProfile (updated) Link ¶
Changes (request, response)
Request
{'Tags': [{'Key': 'string', 'Value': 'string'}]}
Response
{'InstanceProfile': {'Tags': [{'Key': 'string', 'Value': 'string'}]}}

Creates a new instance profile. For information about instance profiles, see About instance profiles .

For information about the number of instance profiles you can create, see IAM object quotas in the IAM User Guide .

See also: AWS API Documentation

Request Syntax

client.create_instance_profile(
    InstanceProfileName='string',
    Path='string',
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
)
type InstanceProfileName

string

param InstanceProfileName

[REQUIRED]

The name of the instance profile to create.

This parameter allows (through its regex pattern ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

type Path

string

param Path

The path to the instance profile. For more information about paths, see IAM Identifiers in the IAM User Guide .

This parameter is optional. If it is not included, it defaults to a slash (/).

This parameter allows (through its regex pattern ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! (\u0021 ) through the DEL character (\u007F ), including most punctuation characters, digits, and upper and lowercased letters.

type Tags

list

param Tags

A list of tags that you want to attach to the newly created IAM instance profile. Each tag consists of a key name and an associated value. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

Note

If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created.

  • (dict) --

    A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

    • Key (string) -- [REQUIRED]

      The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

    • Value (string) -- [REQUIRED]

      The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

      Note

      AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

rtype

dict

returns

Response Syntax

{
    'InstanceProfile': {
        'Path': 'string',
        'InstanceProfileName': 'string',
        'InstanceProfileId': 'string',
        'Arn': 'string',
        'CreateDate': datetime(2015, 1, 1),
        'Roles': [
            {
                'Path': 'string',
                'RoleName': 'string',
                'RoleId': 'string',
                'Arn': 'string',
                'CreateDate': datetime(2015, 1, 1),
                'AssumeRolePolicyDocument': 'string',
                'Description': 'string',
                'MaxSessionDuration': 123,
                'PermissionsBoundary': {
                    'PermissionsBoundaryType': 'PermissionsBoundaryPolicy',
                    'PermissionsBoundaryArn': 'string'
                },
                'Tags': [
                    {
                        'Key': 'string',
                        'Value': 'string'
                    },
                ],
                'RoleLastUsed': {
                    'LastUsedDate': datetime(2015, 1, 1),
                    'Region': 'string'
                }
            },
        ],
        'Tags': [
            {
                'Key': 'string',
                'Value': 'string'
            },
        ]
    }
}

Response Structure

  • (dict) --

    Contains the response to a successful CreateInstanceProfile request.

    • InstanceProfile (dict) --

      A structure containing details about the new instance profile.

      • Path (string) --

        The path to the instance profile. For more information about paths, see IAM identifiers in the IAM User Guide .

      • InstanceProfileName (string) --

        The name identifying the instance profile.

      • InstanceProfileId (string) --

        The stable and unique string identifying the instance profile. For more information about IDs, see IAM identifiers in the IAM User Guide .

      • Arn (string) --

        The Amazon Resource Name (ARN) specifying the instance profile. For more information about ARNs and how to use them in policies, see IAM identifiers in the IAM User Guide .

      • CreateDate (datetime) --

        The date when the instance profile was created.

      • Roles (list) --

        The role associated with the instance profile.

        • (dict) --

          Contains information about an IAM role. This structure is returned as a response element in several API operations that interact with roles.

          • Path (string) --

            The path to the role. For more information about paths, see IAM identifiers in the IAM User Guide .

          • RoleName (string) --

            The friendly name that identifies the role.

          • RoleId (string) --

            The stable and unique string identifying the role. For more information about IDs, see IAM identifiers in the IAM User Guide .

          • Arn (string) --

            The Amazon Resource Name (ARN) specifying the role. For more information about ARNs and how to use them in policies, see IAM identifiers in the IAM User Guide guide.

          • CreateDate (datetime) --

            The date and time, in ISO 8601 date-time format , when the role was created.

          • AssumeRolePolicyDocument (string) --

            The policy that grants an entity permission to assume the role.

          • Description (string) --

            A description of the role that you provide.

          • MaxSessionDuration (integer) --

            The maximum session duration (in seconds) for the specified role. Anyone who uses the AWS CLI, or API to assume the role can specify the duration using the optional DurationSeconds API parameter or duration-seconds CLI parameter.

          • PermissionsBoundary (dict) --

            The ARN of the policy used to set the permissions boundary for the role.

            For more information about permissions boundaries, see Permissions boundaries for IAM identities in the IAM User Guide .

            • PermissionsBoundaryType (string) --

              The permissions boundary usage type that indicates what type of IAM resource is used as the permissions boundary for an entity. This data type can only have a value of Policy .

            • PermissionsBoundaryArn (string) --

              The ARN of the policy used to set the permissions boundary for the user or role.

          • Tags (list) --

            A list of tags that are attached to the role. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

            • (dict) --

              A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

              • Key (string) --

                The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

              • Value (string) --

                The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

                Note

                AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

          • RoleLastUsed (dict) --

            Contains information about the last time that an IAM role was used. This includes the date and time and the Region in which the role was last used. Activity is only reported for the trailing 400 days. This period can be shorter if your Region began supporting these features within the last year. The role might have been used more than 400 days ago. For more information, see Regions where data is tracked in the IAM User Guide .

            • LastUsedDate (datetime) --

              The date and time, in ISO 8601 date-time format that the role was last used.

              This field is null if the role has not been used within the IAM tracking period. For more information about the tracking period, see Regions where data is tracked in the IAM User Guide .

            • Region (string) --

              The name of the AWS Region in which the role was last used.

      • Tags (list) --

        A list of tags that are attached to the instance profile. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

        • (dict) --

          A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

          • Key (string) --

            The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

          • Value (string) --

            The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

            Note

            AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

CreateOpenIDConnectProvider (updated) Link ¶
Changes (both)
{'Tags': [{'Key': 'string', 'Value': 'string'}]}

Creates an IAM entity to describe an identity provider (IdP) that supports OpenID Connect (OIDC) .

The OIDC provider that you create with this operation can be used as a principal in a role's trust policy. Such a policy establishes a trust relationship between AWS and the OIDC provider.

When you create the IAM OIDC provider, you specify the following:

  • The URL of the OIDC identity provider (IdP) to trust

  • A list of client IDs (also known as audiences) that identify the application or applications that are allowed to authenticate using the OIDC provider

  • A list of thumbprints of one or more server certificates that the IdP uses

You get all of this information from the OIDC IdP that you want to use to access AWS.

Note

The trust for the OIDC provider is derived from the IAM provider that this operation creates. Therefore, it is best to limit access to the CreateOpenIDConnectProvider operation to highly privileged users.

See also: AWS API Documentation

Request Syntax

client.create_open_id_connect_provider(
    Url='string',
    ClientIDList=[
        'string',
    ],
    ThumbprintList=[
        'string',
    ],
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
)
type Url

string

param Url

[REQUIRED]

The URL of the identity provider. The URL must begin with https:// and should correspond to the iss claim in the provider's OpenID Connect ID tokens. Per the OIDC standard, path components are allowed but query parameters are not. Typically the URL consists of only a hostname, like https://server.example.org or https://example.com .

You cannot register the same provider multiple times in a single AWS account. If you try to submit a URL that has already been used for an OpenID Connect provider in the AWS account, you will get an error.

type ClientIDList

list

param ClientIDList

A list of client IDs (also known as audiences). When a mobile or web app registers with an OpenID Connect provider, they establish a value that identifies the application. (This is the value that's sent as the client_id parameter on OAuth requests.)

You can register multiple client IDs with the same provider. For example, you might have multiple applications that use the same OIDC provider. You cannot register more than 100 client IDs with a single IAM OIDC provider.

There is no defined format for a client ID. The CreateOpenIDConnectProviderRequest operation accepts client IDs up to 255 characters long.

  • (string) --

type ThumbprintList

list

param ThumbprintList

[REQUIRED]

A list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider's server certificates. Typically this list includes only one entry. However, IAM lets you have up to five thumbprints for an OIDC provider. This lets you maintain multiple thumbprints if the identity provider is rotating certificates.

The server certificate thumbprint is the hex-encoded SHA-1 hash value of the X.509 certificate used by the domain where the OpenID Connect provider makes its keys available. It is always a 40-character string.

You must provide at least one thumbprint when creating an IAM OIDC provider. For example, assume that the OIDC provider is server.example.com and the provider stores its keys at https://keys.server.example.com/openid-connect. In that case, the thumbprint string would be the hex-encoded SHA-1 hash value of the certificate used by https://keys.server.example.com.

For more information about obtaining the OIDC provider's thumbprint, see Obtaining the thumbprint for an OpenID Connect provider in the IAM User Guide .

  • (string) --

    Contains a thumbprint for an identity provider's server certificate.

    The identity provider's server certificate thumbprint is the hex-encoded SHA-1 hash value of the self-signed X.509 certificate. This thumbprint is used by the domain where the OpenID Connect provider makes its keys available. The thumbprint is always a 40-character string.

type Tags

list

param Tags

A list of tags that you want to attach to the new IAM OpenID Connect (OIDC) provider. Each tag consists of a key name and an associated value. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

Note

If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created.

  • (dict) --

    A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

    • Key (string) -- [REQUIRED]

      The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

    • Value (string) -- [REQUIRED]

      The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

      Note

      AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

rtype

dict

returns

Response Syntax

{
    'OpenIDConnectProviderArn': 'string',
    'Tags': [
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    Contains the response to a successful CreateOpenIDConnectProvider request.

    • OpenIDConnectProviderArn (string) --

      The Amazon Resource Name (ARN) of the new IAM OpenID Connect provider that is created. For more information, see OpenIDConnectProviderListEntry .

    • Tags (list) --

      A list of tags that are attached to the new IAM OIDC provider. The returned list of tags is sorted by tag key. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

      • (dict) --

        A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

        • Key (string) --

          The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

        • Value (string) --

          The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

          Note

          AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

CreatePolicy (updated) Link ¶
Changes (request, response)
Request
{'Tags': [{'Key': 'string', 'Value': 'string'}]}
Response
{'Policy': {'Tags': [{'Key': 'string', 'Value': 'string'}]}}

Creates a new managed policy for your AWS account.

This operation creates a policy version with a version identifier of v1 and sets v1 as the policy's default version. For more information about policy versions, see Versioning for managed policies in the IAM User Guide .

For more information about managed policies in general, see Managed policies and inline policies in the IAM User Guide .

See also: AWS API Documentation

Request Syntax

client.create_policy(
    PolicyName='string',
    Path='string',
    PolicyDocument='string',
    Description='string',
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
)
type PolicyName

string

param PolicyName

[REQUIRED]

The friendly name of the policy.

IAM user, group, role, and policy names must be unique within the account. Names are not distinguished by case. For example, you cannot create resources named both "MyResource" and "myresource".

type Path

string

param Path

The path for the policy.

For more information about paths, see IAM identifiers in the IAM User Guide .

This parameter is optional. If it is not included, it defaults to a slash (/).

This parameter allows (through its regex pattern ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! (\u0021 ) through the DEL character (\u007F ), including most punctuation characters, digits, and upper and lowercased letters.

type PolicyDocument

string

param PolicyDocument

[REQUIRED]

The JSON policy document that you want to use as the content for the new policy.

You must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.

The regex pattern used to validate this parameter is a string of characters consisting of the following:

  • Any printable ASCII character ranging from the space character (\u0020 ) through the end of the ASCII character range

  • The printable characters in the Basic Latin and Latin-1 Supplement character set (through \u00FF )

  • The special characters tab (\u0009 ), line feed (\u000A ), and carriage return (\u000D )

type Description

string

param Description

A friendly description of the policy.

Typically used to store information about the permissions defined in the policy. For example, "Grants access to production DynamoDB tables."

The policy description is immutable. After a value is assigned, it cannot be changed.

type Tags

list

param Tags

A list of tags that you want to attach to the new IAM customer managed policy. Each tag consists of a key name and an associated value. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

Note

If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created.

  • (dict) --

    A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

    • Key (string) -- [REQUIRED]

      The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

    • Value (string) -- [REQUIRED]

      The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

      Note

      AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

rtype

dict

returns

Response Syntax

{
    'Policy': {
        'PolicyName': 'string',
        'PolicyId': 'string',
        'Arn': 'string',
        'Path': 'string',
        'DefaultVersionId': 'string',
        'AttachmentCount': 123,
        'PermissionsBoundaryUsageCount': 123,
        'IsAttachable': True|False,
        'Description': 'string',
        'CreateDate': datetime(2015, 1, 1),
        'UpdateDate': datetime(2015, 1, 1),
        'Tags': [
            {
                'Key': 'string',
                'Value': 'string'
            },
        ]
    }
}

Response Structure

  • (dict) --

    Contains the response to a successful CreatePolicy request.

    • Policy (dict) --

      A structure containing details about the new policy.

      • PolicyName (string) --

        The friendly name (not ARN) identifying the policy.

      • PolicyId (string) --

        The stable and unique string identifying the policy.

        For more information about IDs, see IAM identifiers in the IAM User Guide .

      • Arn (string) --

        The Amazon Resource Name (ARN). ARNs are unique identifiers for AWS resources.

        For more information about ARNs, go to Amazon Resource Names (ARNs) in the AWS General Reference .

      • Path (string) --

        The path to the policy.

        For more information about paths, see IAM identifiers in the IAM User Guide .

      • DefaultVersionId (string) --

        The identifier for the version of the policy that is set as the default version.

      • AttachmentCount (integer) --

        The number of entities (users, groups, and roles) that the policy is attached to.

      • PermissionsBoundaryUsageCount (integer) --

        The number of entities (users and roles) for which the policy is used to set the permissions boundary.

        For more information about permissions boundaries, see Permissions boundaries for IAM identities in the IAM User Guide .

      • IsAttachable (boolean) --

        Specifies whether the policy can be attached to an IAM user, group, or role.

      • Description (string) --

        A friendly description of the policy.

        This element is included in the response to the GetPolicy operation. It is not included in the response to the ListPolicies operation.

      • CreateDate (datetime) --

        The date and time, in ISO 8601 date-time format , when the policy was created.

      • UpdateDate (datetime) --

        The date and time, in ISO 8601 date-time format , when the policy was last updated.

        When a policy has only one version, this field contains the date and time when the policy was created. When a policy has more than one version, this field contains the date and time when the most recent policy version was created.

      • Tags (list) --

        A list of tags that are attached to the instance profile. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

        • (dict) --

          A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

          • Key (string) --

            The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

          • Value (string) --

            The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

            Note

            AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

CreateSAMLProvider (updated) Link ¶
Changes (both)
{'Tags': [{'Key': 'string', 'Value': 'string'}]}

Creates an IAM resource that describes an identity provider (IdP) that supports SAML 2.0.

The SAML provider resource that you create with this operation can be used as a principal in an IAM role's trust policy. Such a policy can enable federated users who sign in using the SAML IdP to assume the role. You can create an IAM role that supports Web-based single sign-on (SSO) to the AWS Management Console or one that supports API access to AWS.

When you create the SAML provider resource, you upload a SAML metadata document that you get from your IdP. That document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that the IdP sends. You must generate the metadata document using the identity management software that is used as your organization's IdP.

Note

This operation requires Signature Version 4 .

For more information, see Enabling SAML 2.0 federated users to access the AWS Management Console and About SAML 2.0-based federation in the IAM User Guide .

See also: AWS API Documentation

Request Syntax

client.create_saml_provider(
    SAMLMetadataDocument='string',
    Name='string',
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
)
type SAMLMetadataDocument

string

param SAMLMetadataDocument

[REQUIRED]

An XML document generated by an identity provider (IdP) that supports SAML 2.0. The document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that are received from the IdP. You must generate the metadata document using the identity management software that is used as your organization's IdP.

For more information, see About SAML 2.0-based federation in the IAM User Guide

type Name

string

param Name

[REQUIRED]

The name of the provider to create.

This parameter allows (through its regex pattern ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

type Tags

list

param Tags

A list of tags that you want to attach to the new IAM SAML provider. Each tag consists of a key name and an associated value. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

Note

If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created.

  • (dict) --

    A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

    • Key (string) -- [REQUIRED]

      The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

    • Value (string) -- [REQUIRED]

      The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

      Note

      AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

rtype

dict

returns

Response Syntax

{
    'SAMLProviderArn': 'string',
    'Tags': [
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    Contains the response to a successful CreateSAMLProvider request.

    • SAMLProviderArn (string) --

      The Amazon Resource Name (ARN) of the new SAML provider resource in IAM.

    • Tags (list) --

      A list of tags that are attached to the new IAM SAML provider. The returned list of tags is sorted by tag key. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

      • (dict) --

        A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

        • Key (string) --

          The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

        • Value (string) --

          The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

          Note

          AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

CreateVirtualMFADevice (updated) Link ¶
Changes (request, response)
Request
{'Tags': [{'Key': 'string', 'Value': 'string'}]}
Response
{'VirtualMFADevice': {'Tags': [{'Key': 'string', 'Value': 'string'}]}}

Creates a new virtual MFA device for the AWS account. After creating the virtual MFA, use EnableMFADevice to attach the MFA device to an IAM user. For more information about creating and working with virtual MFA devices, see Using a virtual MFA device in the IAM User Guide .

For information about the maximum number of MFA devices you can create, see IAM and STS quotas in the IAM User Guide .

Warning

The seed information contained in the QR code and the Base32 string should be treated like any other secret access information. In other words, protect the seed information as you would your AWS access keys or your passwords. After you provision your virtual device, you should ensure that the information is destroyed following secure procedures.

See also: AWS API Documentation

Request Syntax

client.create_virtual_mfa_device(
    Path='string',
    VirtualMFADeviceName='string',
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
)
type Path

string

param Path

The path for the virtual MFA device. For more information about paths, see IAM identifiers in the IAM User Guide .

This parameter is optional. If it is not included, it defaults to a slash (/).

This parameter allows (through its regex pattern ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! (\u0021 ) through the DEL character (\u007F ), including most punctuation characters, digits, and upper and lowercased letters.

type VirtualMFADeviceName

string

param VirtualMFADeviceName

[REQUIRED]

The name of the virtual MFA device. Use with path to uniquely identify a virtual MFA device.

This parameter allows (through its regex pattern ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

type Tags

list

param Tags

A list of tags that you want to attach to the new IAM virtual MFA device. Each tag consists of a key name and an associated value. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

Note

If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created.

  • (dict) --

    A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

    • Key (string) -- [REQUIRED]

      The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

    • Value (string) -- [REQUIRED]

      The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

      Note

      AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

rtype

dict

returns

Response Syntax

{
    'VirtualMFADevice': {
        'SerialNumber': 'string',
        'Base32StringSeed': b'bytes',
        'QRCodePNG': b'bytes',
        'User': {
            'Path': 'string',
            'UserName': 'string',
            'UserId': 'string',
            'Arn': 'string',
            'CreateDate': datetime(2015, 1, 1),
            'PasswordLastUsed': datetime(2015, 1, 1),
            'PermissionsBoundary': {
                'PermissionsBoundaryType': 'PermissionsBoundaryPolicy',
                'PermissionsBoundaryArn': 'string'
            },
            'Tags': [
                {
                    'Key': 'string',
                    'Value': 'string'
                },
            ]
        },
        'EnableDate': datetime(2015, 1, 1),
        'Tags': [
            {
                'Key': 'string',
                'Value': 'string'
            },
        ]
    }
}

Response Structure

  • (dict) --

    Contains the response to a successful CreateVirtualMFADevice request.

    • VirtualMFADevice (dict) --

      A structure containing details about the new virtual MFA device.

      • SerialNumber (string) --

        The serial number associated with VirtualMFADevice .

      • Base32StringSeed (bytes) --

        The base32 seed defined as specified in RFC3548 . The Base32StringSeed is base64-encoded.

      • QRCodePNG (bytes) --

        A QR code PNG image that encodes otpauth://totp/$virtualMFADeviceName@$AccountName?secret=$Base32String where $virtualMFADeviceName is one of the create call arguments. AccountName is the user name if set (otherwise, the account ID otherwise), and Base32String is the seed in base32 format. The Base32String value is base64-encoded.

      • User (dict) --

        The IAM user associated with this virtual MFA device.

        • Path (string) --

          The path to the user. For more information about paths, see IAM identifiers in the IAM User Guide .

          The ARN of the policy used to set the permissions boundary for the user.

        • UserName (string) --

          The friendly name identifying the user.

        • UserId (string) --

          The stable and unique string identifying the user. For more information about IDs, see IAM identifiers in the IAM User Guide .

        • Arn (string) --

          The Amazon Resource Name (ARN) that identifies the user. For more information about ARNs and how to use ARNs in policies, see IAM Identifiers in the IAM User Guide .

        • CreateDate (datetime) --

          The date and time, in ISO 8601 date-time format , when the user was created.

        • PasswordLastUsed (datetime) --

          The date and time, in ISO 8601 date-time format , when the user's password was last used to sign in to an AWS website. For a list of AWS websites that capture a user's last sign-in time, see the Credential reports topic in the IAM User Guide . If a password is used more than once in a five-minute span, only the first use is returned in this field. If the field is null (no value), then it indicates that they never signed in with a password. This can be because:

          • The user never had a password.

          • A password exists but has not been used since IAM started tracking this information on October 20, 2014.

          A null value does not mean that the user never had a password. Also, if the user does not currently have a password but had one in the past, then this field contains the date and time the most recent password was used.

          This value is returned only in the GetUser and ListUsers operations.

        • PermissionsBoundary (dict) --

          For more information about permissions boundaries, see Permissions boundaries for IAM identities in the IAM User Guide .

          • PermissionsBoundaryType (string) --

            The permissions boundary usage type that indicates what type of IAM resource is used as the permissions boundary for an entity. This data type can only have a value of Policy .

          • PermissionsBoundaryArn (string) --

            The ARN of the policy used to set the permissions boundary for the user or role.

        • Tags (list) --

          A list of tags that are associated with the user. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

          • (dict) --

            A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

            • Key (string) --

              The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

            • Value (string) --

              The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

              Note

              AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

      • EnableDate (datetime) --

        The date and time on which the virtual MFA device was enabled.

      • Tags (list) --

        A list of tags that are attached to the virtual MFA device. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

        • (dict) --

          A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

          • Key (string) --

            The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

          • Value (string) --

            The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

            Note

            AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

GetAccountAuthorizationDetails (updated) Link ¶
Changes (response)
{'RoleDetailList': {'InstanceProfileList': {'Tags': [{'Key': 'string',
                                                      'Value': 'string'}]}}}

Retrieves information about all IAM users, groups, roles, and policies in your AWS account, including their relationships to one another. Use this operation to obtain a snapshot of the configuration of IAM permissions (users, groups, roles, and policies) in your account.

Note

Policies returned by this operation are URL-encoded compliant with RFC 3986 . You can use a URL decoding method to convert the policy back to plain JSON text. For example, if you use Java, you can use the decode method of the java.net.URLDecoder utility class in the Java SDK. Other languages and SDKs provide similar functionality.

You can optionally filter the results using the Filter parameter. You can paginate the results using the MaxItems and Marker parameters.

See also: AWS API Documentation

Request Syntax

client.get_account_authorization_details(
    Filter=[
        'User'|'Role'|'Group'|'LocalManagedPolicy'|'AWSManagedPolicy',
    ],
    MaxItems=123,
    Marker='string'
)
type Filter

list

param Filter

A list of entity types used to filter the results. Only the entities that match the types you specify are included in the output. Use the value LocalManagedPolicy to include customer managed policies.

The format for this parameter is a comma-separated (if more than one) list of strings. Each string value in the list must be one of the valid values listed below.

  • (string) --

type MaxItems

integer

param MaxItems

Use this only when paginating results to indicate the maximum number of items you want in the response. If additional items exist beyond the maximum you specify, the IsTruncated response element is true .

If you do not include this parameter, the number of items defaults to 100. Note that IAM might return fewer results, even when there are more results available. In that case, the IsTruncated response element returns true , and Marker contains a value to include in the subsequent call that tells the service where to continue from.

type Marker

string

param Marker

Use this parameter only when paginating results and only after you receive a response indicating that the results are truncated. Set it to the value of the Marker element in the response that you received to indicate where the next call should start.

rtype

dict

returns

Response Syntax

{
    'UserDetailList': [
        {
            'Path': 'string',
            'UserName': 'string',
            'UserId': 'string',
            'Arn': 'string',
            'CreateDate': datetime(2015, 1, 1),
            'UserPolicyList': [
                {
                    'PolicyName': 'string',
                    'PolicyDocument': 'string'
                },
            ],
            'GroupList': [
                'string',
            ],
            'AttachedManagedPolicies': [
                {
                    'PolicyName': 'string',
                    'PolicyArn': 'string'
                },
            ],
            'PermissionsBoundary': {
                'PermissionsBoundaryType': 'PermissionsBoundaryPolicy',
                'PermissionsBoundaryArn': 'string'
            },
            'Tags': [
                {
                    'Key': 'string',
                    'Value': 'string'
                },
            ]
        },
    ],
    'GroupDetailList': [
        {
            'Path': 'string',
            'GroupName': 'string',
            'GroupId': 'string',
            'Arn': 'string',
            'CreateDate': datetime(2015, 1, 1),
            'GroupPolicyList': [
                {
                    'PolicyName': 'string',
                    'PolicyDocument': 'string'
                },
            ],
            'AttachedManagedPolicies': [
                {
                    'PolicyName': 'string',
                    'PolicyArn': 'string'
                },
            ]
        },
    ],
    'RoleDetailList': [
        {
            'Path': 'string',
            'RoleName': 'string',
            'RoleId': 'string',
            'Arn': 'string',
            'CreateDate': datetime(2015, 1, 1),
            'AssumeRolePolicyDocument': 'string',
            'InstanceProfileList': [
                {
                    'Path': 'string',
                    'InstanceProfileName': 'string',
                    'InstanceProfileId': 'string',
                    'Arn': 'string',
                    'CreateDate': datetime(2015, 1, 1),
                    'Roles': [
                        {
                            'Path': 'string',
                            'RoleName': 'string',
                            'RoleId': 'string',
                            'Arn': 'string',
                            'CreateDate': datetime(2015, 1, 1),
                            'AssumeRolePolicyDocument': 'string',
                            'Description': 'string',
                            'MaxSessionDuration': 123,
                            'PermissionsBoundary': {
                                'PermissionsBoundaryType': 'PermissionsBoundaryPolicy',
                                'PermissionsBoundaryArn': 'string'
                            },
                            'Tags': [
                                {
                                    'Key': 'string',
                                    'Value': 'string'
                                },
                            ],
                            'RoleLastUsed': {
                                'LastUsedDate': datetime(2015, 1, 1),
                                'Region': 'string'
                            }
                        },
                    ],
                    'Tags': [
                        {
                            'Key': 'string',
                            'Value': 'string'
                        },
                    ]
                },
            ],
            'RolePolicyList': [
                {
                    'PolicyName': 'string',
                    'PolicyDocument': 'string'
                },
            ],
            'AttachedManagedPolicies': [
                {
                    'PolicyName': 'string',
                    'PolicyArn': 'string'
                },
            ],
            'PermissionsBoundary': {
                'PermissionsBoundaryType': 'PermissionsBoundaryPolicy',
                'PermissionsBoundaryArn': 'string'
            },
            'Tags': [
                {
                    'Key': 'string',
                    'Value': 'string'
                },
            ],
            'RoleLastUsed': {
                'LastUsedDate': datetime(2015, 1, 1),
                'Region': 'string'
            }
        },
    ],
    'Policies': [
        {
            'PolicyName': 'string',
            'PolicyId': 'string',
            'Arn': 'string',
            'Path': 'string',
            'DefaultVersionId': 'string',
            'AttachmentCount': 123,
            'PermissionsBoundaryUsageCount': 123,
            'IsAttachable': True|False,
            'Description': 'string',
            'CreateDate': datetime(2015, 1, 1),
            'UpdateDate': datetime(2015, 1, 1),
            'PolicyVersionList': [
                {
                    'Document': 'string',
                    'VersionId': 'string',
                    'IsDefaultVersion': True|False,
                    'CreateDate': datetime(2015, 1, 1)
                },
            ]
        },
    ],
    'IsTruncated': True|False,
    'Marker': 'string'
}

Response Structure

  • (dict) --

    Contains the response to a successful GetAccountAuthorizationDetails request.

    • UserDetailList (list) --

      A list containing information about IAM users.

      • (dict) --

        Contains information about an IAM user, including all the user's policies and all the IAM groups the user is in.

        This data type is used as a response element in the GetAccountAuthorizationDetails operation.

        • Path (string) --

          The path to the user. For more information about paths, see IAM identifiers in the IAM User Guide .

        • UserName (string) --

          The friendly name identifying the user.

        • UserId (string) --

          The stable and unique string identifying the user. For more information about IDs, see IAM identifiers in the IAM User Guide .

        • Arn (string) --

          The Amazon Resource Name (ARN). ARNs are unique identifiers for AWS resources.

          For more information about ARNs, go to Amazon Resource Names (ARNs) in the AWS General Reference .

        • CreateDate (datetime) --

          The date and time, in ISO 8601 date-time format , when the user was created.

        • UserPolicyList (list) --

          A list of the inline policies embedded in the user.

          • (dict) --

            Contains information about an IAM policy, including the policy document.

            This data type is used as a response element in the GetAccountAuthorizationDetails operation.

            • PolicyName (string) --

              The name of the policy.

            • PolicyDocument (string) --

              The policy document.

        • GroupList (list) --

          A list of IAM groups that the user is in.

          • (string) --

        • AttachedManagedPolicies (list) --

          A list of the managed policies attached to the user.

          • (dict) --

            Contains information about an attached policy.

            An attached policy is a managed policy that has been attached to a user, group, or role. This data type is used as a response element in the ListAttachedGroupPolicies , ListAttachedRolePolicies , ListAttachedUserPolicies , and GetAccountAuthorizationDetails operations.

            For more information about managed policies, refer to Managed policies and inline policies in the IAM User Guide .

            • PolicyName (string) --

              The friendly name of the attached policy.

            • PolicyArn (string) --

              The Amazon Resource Name (ARN). ARNs are unique identifiers for AWS resources.

              For more information about ARNs, go to Amazon Resource Names (ARNs) in the AWS General Reference .

        • PermissionsBoundary (dict) --

          The ARN of the policy used to set the permissions boundary for the user.

          For more information about permissions boundaries, see Permissions boundaries for IAM identities in the IAM User Guide .

          • PermissionsBoundaryType (string) --

            The permissions boundary usage type that indicates what type of IAM resource is used as the permissions boundary for an entity. This data type can only have a value of Policy .

          • PermissionsBoundaryArn (string) --

            The ARN of the policy used to set the permissions boundary for the user or role.

        • Tags (list) --

          A list of tags that are associated with the user. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

          • (dict) --

            A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

            • Key (string) --

              The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

            • Value (string) --

              The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

              Note

              AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

    • GroupDetailList (list) --

      A list containing information about IAM groups.

      • (dict) --

        Contains information about an IAM group, including all of the group's policies.

        This data type is used as a response element in the GetAccountAuthorizationDetails operation.

        • Path (string) --

          The path to the group. For more information about paths, see IAM identifiers in the IAM User Guide .

        • GroupName (string) --

          The friendly name that identifies the group.

        • GroupId (string) --

          The stable and unique string identifying the group. For more information about IDs, see IAM identifiers in the IAM User Guide .

        • Arn (string) --

          The Amazon Resource Name (ARN). ARNs are unique identifiers for AWS resources.

          For more information about ARNs, go to Amazon Resource Names (ARNs) in the AWS General Reference .

        • CreateDate (datetime) --

          The date and time, in ISO 8601 date-time format , when the group was created.

        • GroupPolicyList (list) --

          A list of the inline policies embedded in the group.

          • (dict) --

            Contains information about an IAM policy, including the policy document.

            This data type is used as a response element in the GetAccountAuthorizationDetails operation.

            • PolicyName (string) --

              The name of the policy.

            • PolicyDocument (string) --

              The policy document.

        • AttachedManagedPolicies (list) --

          A list of the managed policies attached to the group.

          • (dict) --

            Contains information about an attached policy.

            An attached policy is a managed policy that has been attached to a user, group, or role. This data type is used as a response element in the ListAttachedGroupPolicies , ListAttachedRolePolicies , ListAttachedUserPolicies , and GetAccountAuthorizationDetails operations.

            For more information about managed policies, refer to Managed policies and inline policies in the IAM User Guide .

            • PolicyName (string) --

              The friendly name of the attached policy.

            • PolicyArn (string) --

              The Amazon Resource Name (ARN). ARNs are unique identifiers for AWS resources.

              For more information about ARNs, go to Amazon Resource Names (ARNs) in the AWS General Reference .

    • RoleDetailList (list) --

      A list containing information about IAM roles.

      • (dict) --

        Contains information about an IAM role, including all of the role's policies.

        This data type is used as a response element in the GetAccountAuthorizationDetails operation.

        • Path (string) --

          The path to the role. For more information about paths, see IAM identifiers in the IAM User Guide .

        • RoleName (string) --

          The friendly name that identifies the role.

        • RoleId (string) --

          The stable and unique string identifying the role. For more information about IDs, see IAM identifiers in the IAM User Guide .

        • Arn (string) --

          The Amazon Resource Name (ARN). ARNs are unique identifiers for AWS resources.

          For more information about ARNs, go to Amazon Resource Names (ARNs) in the AWS General Reference .

        • CreateDate (datetime) --

          The date and time, in ISO 8601 date-time format , when the role was created.

        • AssumeRolePolicyDocument (string) --

          The trust policy that grants permission to assume the role.

        • InstanceProfileList (list) --

          A list of instance profiles that contain this role.

          • (dict) --

            Contains information about an instance profile.

            This data type is used as a response element in the following operations:

            • CreateInstanceProfile

            • GetInstanceProfile

            • ListInstanceProfiles

            • ListInstanceProfilesForRole

            • Path (string) --

              The path to the instance profile. For more information about paths, see IAM identifiers in the IAM User Guide .

            • InstanceProfileName (string) --

              The name identifying the instance profile.

            • InstanceProfileId (string) --

              The stable and unique string identifying the instance profile. For more information about IDs, see IAM identifiers in the IAM User Guide .

            • Arn (string) --

              The Amazon Resource Name (ARN) specifying the instance profile. For more information about ARNs and how to use them in policies, see IAM identifiers in the IAM User Guide .

            • CreateDate (datetime) --

              The date when the instance profile was created.

            • Roles (list) --

              The role associated with the instance profile.

              • (dict) --

                Contains information about an IAM role. This structure is returned as a response element in several API operations that interact with roles.

                • Path (string) --

                  The path to the role. For more information about paths, see IAM identifiers in the IAM User Guide .

                • RoleName (string) --

                  The friendly name that identifies the role.

                • RoleId (string) --

                  The stable and unique string identifying the role. For more information about IDs, see IAM identifiers in the IAM User Guide .

                • Arn (string) --

                  The Amazon Resource Name (ARN) specifying the role. For more information about ARNs and how to use them in policies, see IAM identifiers in the IAM User Guide guide.

                • CreateDate (datetime) --

                  The date and time, in ISO 8601 date-time format , when the role was created.

                • AssumeRolePolicyDocument (string) --

                  The policy that grants an entity permission to assume the role.

                • Description (string) --

                  A description of the role that you provide.

                • MaxSessionDuration (integer) --

                  The maximum session duration (in seconds) for the specified role. Anyone who uses the AWS CLI, or API to assume the role can specify the duration using the optional DurationSeconds API parameter or duration-seconds CLI parameter.

                • PermissionsBoundary (dict) --

                  The ARN of the policy used to set the permissions boundary for the role.

                  For more information about permissions boundaries, see Permissions boundaries for IAM identities in the IAM User Guide .

                  • PermissionsBoundaryType (string) --

                    The permissions boundary usage type that indicates what type of IAM resource is used as the permissions boundary for an entity. This data type can only have a value of Policy .

                  • PermissionsBoundaryArn (string) --

                    The ARN of the policy used to set the permissions boundary for the user or role.

                • Tags (list) --

                  A list of tags that are attached to the role. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

                  • (dict) --

                    A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

                    • Key (string) --

                      The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

                    • Value (string) --

                      The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

                      Note

                      AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

                • RoleLastUsed (dict) --

                  Contains information about the last time that an IAM role was used. This includes the date and time and the Region in which the role was last used. Activity is only reported for the trailing 400 days. This period can be shorter if your Region began supporting these features within the last year. The role might have been used more than 400 days ago. For more information, see Regions where data is tracked in the IAM User Guide .

                  • LastUsedDate (datetime) --

                    The date and time, in ISO 8601 date-time format that the role was last used.

                    This field is null if the role has not been used within the IAM tracking period. For more information about the tracking period, see Regions where data is tracked in the IAM User Guide .

                  • Region (string) --

                    The name of the AWS Region in which the role was last used.

            • Tags (list) --

              A list of tags that are attached to the instance profile. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

              • (dict) --

                A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

                • Key (string) --

                  The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

                • Value (string) --

                  The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

                  Note

                  AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

        • RolePolicyList (list) --

          A list of inline policies embedded in the role. These policies are the role's access (permissions) policies.

          • (dict) --

            Contains information about an IAM policy, including the policy document.

            This data type is used as a response element in the GetAccountAuthorizationDetails operation.

            • PolicyName (string) --

              The name of the policy.

            • PolicyDocument (string) --

              The policy document.

        • AttachedManagedPolicies (list) --

          A list of managed policies attached to the role. These policies are the role's access (permissions) policies.

          • (dict) --

            Contains information about an attached policy.

            An attached policy is a managed policy that has been attached to a user, group, or role. This data type is used as a response element in the ListAttachedGroupPolicies , ListAttachedRolePolicies , ListAttachedUserPolicies , and GetAccountAuthorizationDetails operations.

            For more information about managed policies, refer to Managed policies and inline policies in the IAM User Guide .

            • PolicyName (string) --

              The friendly name of the attached policy.

            • PolicyArn (string) --

              The Amazon Resource Name (ARN). ARNs are unique identifiers for AWS resources.

              For more information about ARNs, go to Amazon Resource Names (ARNs) in the AWS General Reference .

        • PermissionsBoundary (dict) --

          The ARN of the policy used to set the permissions boundary for the role.

          For more information about permissions boundaries, see Permissions boundaries for IAM identities in the IAM User Guide .

          • PermissionsBoundaryType (string) --

            The permissions boundary usage type that indicates what type of IAM resource is used as the permissions boundary for an entity. This data type can only have a value of Policy .

          • PermissionsBoundaryArn (string) --

            The ARN of the policy used to set the permissions boundary for the user or role.

        • Tags (list) --

          A list of tags that are attached to the role. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

          • (dict) --

            A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

            • Key (string) --

              The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

            • Value (string) --

              The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

              Note

              AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

        • RoleLastUsed (dict) --

          Contains information about the last time that an IAM role was used. This includes the date and time and the Region in which the role was last used. Activity is only reported for the trailing 400 days. This period can be shorter if your Region began supporting these features within the last year. The role might have been used more than 400 days ago. For more information, see Regions where data is tracked in the IAM User Guide .

          • LastUsedDate (datetime) --

            The date and time, in ISO 8601 date-time format that the role was last used.

            This field is null if the role has not been used within the IAM tracking period. For more information about the tracking period, see Regions where data is tracked in the IAM User Guide .

          • Region (string) --

            The name of the AWS Region in which the role was last used.

    • Policies (list) --

      A list containing information about managed policies.

      • (dict) --

        Contains information about a managed policy, including the policy's ARN, versions, and the number of principal entities (users, groups, and roles) that the policy is attached to.

        This data type is used as a response element in the GetAccountAuthorizationDetails operation.

        For more information about managed policies, see Managed policies and inline policies in the IAM User Guide .

        • PolicyName (string) --

          The friendly name (not ARN) identifying the policy.

        • PolicyId (string) --

          The stable and unique string identifying the policy.

          For more information about IDs, see IAM identifiers in the IAM User Guide .

        • Arn (string) --

          The Amazon Resource Name (ARN). ARNs are unique identifiers for AWS resources.

          For more information about ARNs, go to Amazon Resource Names (ARNs) in the AWS General Reference .

        • Path (string) --

          The path to the policy.

          For more information about paths, see IAM identifiers in the IAM User Guide .

        • DefaultVersionId (string) --

          The identifier for the version of the policy that is set as the default (operative) version.

          For more information about policy versions, see Versioning for managed policies in the IAM User Guide .

        • AttachmentCount (integer) --

          The number of principal entities (users, groups, and roles) that the policy is attached to.

        • PermissionsBoundaryUsageCount (integer) --

          The number of entities (users and roles) for which the policy is used as the permissions boundary.

          For more information about permissions boundaries, see Permissions boundaries for IAM identities in the IAM User Guide .

        • IsAttachable (boolean) --

          Specifies whether the policy can be attached to an IAM user, group, or role.

        • Description (string) --

          A friendly description of the policy.

        • CreateDate (datetime) --

          The date and time, in ISO 8601 date-time format , when the policy was created.

        • UpdateDate (datetime) --

          The date and time, in ISO 8601 date-time format , when the policy was last updated.

          When a policy has only one version, this field contains the date and time when the policy was created. When a policy has more than one version, this field contains the date and time when the most recent policy version was created.

        • PolicyVersionList (list) --

          A list containing information about the versions of the policy.

          • (dict) --

            Contains information about a version of a managed policy.

            This data type is used as a response element in the CreatePolicyVersion , GetPolicyVersion , ListPolicyVersions , and GetAccountAuthorizationDetails operations.

            For more information about managed policies, refer to Managed policies and inline policies in the IAM User Guide .

            • Document (string) --

              The policy document.

              The policy document is returned in the response to the GetPolicyVersion and GetAccountAuthorizationDetails operations. It is not returned in the response to the CreatePolicyVersion or ListPolicyVersions operations.

              The policy document returned in this structure is URL-encoded compliant with RFC 3986 . You can use a URL decoding method to convert the policy back to plain JSON text. For example, if you use Java, you can use the decode method of the java.net.URLDecoder utility class in the Java SDK. Other languages and SDKs provide similar functionality.

            • VersionId (string) --

              The identifier for the policy version.

              Policy version identifiers always begin with v (always lowercase). When a policy is created, the first policy version is v1 .

            • IsDefaultVersion (boolean) --

              Specifies whether the policy version is set as the policy's default version.

            • CreateDate (datetime) --

              The date and time, in ISO 8601 date-time format , when the policy version was created.

    • IsTruncated (boolean) --

      A flag that indicates whether there are more items to return. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more items. Note that IAM might return fewer than the MaxItems number of results even when there are more results available. We recommend that you check IsTruncated after every call to ensure that you receive all your results.

    • Marker (string) --

      When IsTruncated is true , this element is present and contains the value to use for the Marker parameter in a subsequent pagination request.

GetInstanceProfile (updated) Link ¶
Changes (response)
{'InstanceProfile': {'Tags': [{'Key': 'string', 'Value': 'string'}]}}

Retrieves information about the specified instance profile, including the instance profile's path, GUID, ARN, and role. For more information about instance profiles, see About instance profiles in the IAM User Guide .

See also: AWS API Documentation

Request Syntax

client.get_instance_profile(
    InstanceProfileName='string'
)
type InstanceProfileName

string

param InstanceProfileName

[REQUIRED]

The name of the instance profile to get information about.

This parameter allows (through its regex pattern ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

rtype

dict

returns

Response Syntax

{
    'InstanceProfile': {
        'Path': 'string',
        'InstanceProfileName': 'string',
        'InstanceProfileId': 'string',
        'Arn': 'string',
        'CreateDate': datetime(2015, 1, 1),
        'Roles': [
            {
                'Path': 'string',
                'RoleName': 'string',
                'RoleId': 'string',
                'Arn': 'string',
                'CreateDate': datetime(2015, 1, 1),
                'AssumeRolePolicyDocument': 'string',
                'Description': 'string',
                'MaxSessionDuration': 123,
                'PermissionsBoundary': {
                    'PermissionsBoundaryType': 'PermissionsBoundaryPolicy',
                    'PermissionsBoundaryArn': 'string'
                },
                'Tags': [
                    {
                        'Key': 'string',
                        'Value': 'string'
                    },
                ],
                'RoleLastUsed': {
                    'LastUsedDate': datetime(2015, 1, 1),
                    'Region': 'string'
                }
            },
        ],
        'Tags': [
            {
                'Key': 'string',
                'Value': 'string'
            },
        ]
    }
}

Response Structure

  • (dict) --

    Contains the response to a successful GetInstanceProfile request.

    • InstanceProfile (dict) --

      A structure containing details about the instance profile.

      • Path (string) --

        The path to the instance profile. For more information about paths, see IAM identifiers in the IAM User Guide .

      • InstanceProfileName (string) --

        The name identifying the instance profile.

      • InstanceProfileId (string) --

        The stable and unique string identifying the instance profile. For more information about IDs, see IAM identifiers in the IAM User Guide .

      • Arn (string) --

        The Amazon Resource Name (ARN) specifying the instance profile. For more information about ARNs and how to use them in policies, see IAM identifiers in the IAM User Guide .

      • CreateDate (datetime) --

        The date when the instance profile was created.

      • Roles (list) --

        The role associated with the instance profile.

        • (dict) --

          Contains information about an IAM role. This structure is returned as a response element in several API operations that interact with roles.

          • Path (string) --

            The path to the role. For more information about paths, see IAM identifiers in the IAM User Guide .

          • RoleName (string) --

            The friendly name that identifies the role.

          • RoleId (string) --

            The stable and unique string identifying the role. For more information about IDs, see IAM identifiers in the IAM User Guide .

          • Arn (string) --

            The Amazon Resource Name (ARN) specifying the role. For more information about ARNs and how to use them in policies, see IAM identifiers in the IAM User Guide guide.

          • CreateDate (datetime) --

            The date and time, in ISO 8601 date-time format , when the role was created.

          • AssumeRolePolicyDocument (string) --

            The policy that grants an entity permission to assume the role.

          • Description (string) --

            A description of the role that you provide.

          • MaxSessionDuration (integer) --

            The maximum session duration (in seconds) for the specified role. Anyone who uses the AWS CLI, or API to assume the role can specify the duration using the optional DurationSeconds API parameter or duration-seconds CLI parameter.

          • PermissionsBoundary (dict) --

            The ARN of the policy used to set the permissions boundary for the role.

            For more information about permissions boundaries, see Permissions boundaries for IAM identities in the IAM User Guide .

            • PermissionsBoundaryType (string) --

              The permissions boundary usage type that indicates what type of IAM resource is used as the permissions boundary for an entity. This data type can only have a value of Policy .

            • PermissionsBoundaryArn (string) --

              The ARN of the policy used to set the permissions boundary for the user or role.

          • Tags (list) --

            A list of tags that are attached to the role. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

            • (dict) --

              A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

              • Key (string) --

                The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

              • Value (string) --

                The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

                Note

                AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

          • RoleLastUsed (dict) --

            Contains information about the last time that an IAM role was used. This includes the date and time and the Region in which the role was last used. Activity is only reported for the trailing 400 days. This period can be shorter if your Region began supporting these features within the last year. The role might have been used more than 400 days ago. For more information, see Regions where data is tracked in the IAM User Guide .

            • LastUsedDate (datetime) --

              The date and time, in ISO 8601 date-time format that the role was last used.

              This field is null if the role has not been used within the IAM tracking period. For more information about the tracking period, see Regions where data is tracked in the IAM User Guide .

            • Region (string) --

              The name of the AWS Region in which the role was last used.

      • Tags (list) --

        A list of tags that are attached to the instance profile. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

        • (dict) --

          A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

          • Key (string) --

            The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

          • Value (string) --

            The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

            Note

            AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

GetOpenIDConnectProvider (updated) Link ¶
Changes (response)
{'Tags': [{'Key': 'string', 'Value': 'string'}]}

Returns information about the specified OpenID Connect (OIDC) provider resource object in IAM.

See also: AWS API Documentation

Request Syntax

client.get_open_id_connect_provider(
    OpenIDConnectProviderArn='string'
)
type OpenIDConnectProviderArn

string

param OpenIDConnectProviderArn

[REQUIRED]

The Amazon Resource Name (ARN) of the OIDC provider resource object in IAM to get information for. You can get a list of OIDC provider resource ARNs by using the ListOpenIDConnectProviders operation.

For more information about ARNs, see Amazon Resource Names (ARNs) in the AWS General Reference .

rtype

dict

returns

Response Syntax

{
    'Url': 'string',
    'ClientIDList': [
        'string',
    ],
    'ThumbprintList': [
        'string',
    ],
    'CreateDate': datetime(2015, 1, 1),
    'Tags': [
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    Contains the response to a successful GetOpenIDConnectProvider request.

    • Url (string) --

      The URL that the IAM OIDC provider resource object is associated with. For more information, see CreateOpenIDConnectProvider .

    • ClientIDList (list) --

      A list of client IDs (also known as audiences) that are associated with the specified IAM OIDC provider resource object. For more information, see CreateOpenIDConnectProvider .

      • (string) --

    • ThumbprintList (list) --

      A list of certificate thumbprints that are associated with the specified IAM OIDC provider resource object. For more information, see CreateOpenIDConnectProvider .

      • (string) --

        Contains a thumbprint for an identity provider's server certificate.

        The identity provider's server certificate thumbprint is the hex-encoded SHA-1 hash value of the self-signed X.509 certificate. This thumbprint is used by the domain where the OpenID Connect provider makes its keys available. The thumbprint is always a 40-character string.

    • CreateDate (datetime) --

      The date and time when the IAM OIDC provider resource object was created in the AWS account.

    • Tags (list) --

      A list of tags that are attached to the specified IAM OIDC provider. The returned list of tags is sorted by tag key. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

      • (dict) --

        A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

        • Key (string) --

          The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

        • Value (string) --

          The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

          Note

          AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

GetPolicy (updated) Link ¶
Changes (response)
{'Policy': {'Tags': [{'Key': 'string', 'Value': 'string'}]}}

Retrieves information about the specified managed policy, including the policy's default version and the total number of IAM users, groups, and roles to which the policy is attached. To retrieve the list of the specific users, groups, and roles that the policy is attached to, use ListEntitiesForPolicy . This operation returns metadata about the policy. To retrieve the actual policy document for a specific version of the policy, use GetPolicyVersion .

This operation retrieves information about managed policies. To retrieve information about an inline policy that is embedded with an IAM user, group, or role, use GetUserPolicy , GetGroupPolicy , or GetRolePolicy .

For more information about policies, see Managed policies and inline policies in the IAM User Guide .

See also: AWS API Documentation

Request Syntax

client.get_policy(
    PolicyArn='string'
)
type PolicyArn

string

param PolicyArn

[REQUIRED]

The Amazon Resource Name (ARN) of the managed policy that you want information about.

For more information about ARNs, see Amazon Resource Names (ARNs) in the AWS General Reference .

rtype

dict

returns

Response Syntax

{
    'Policy': {
        'PolicyName': 'string',
        'PolicyId': 'string',
        'Arn': 'string',
        'Path': 'string',
        'DefaultVersionId': 'string',
        'AttachmentCount': 123,
        'PermissionsBoundaryUsageCount': 123,
        'IsAttachable': True|False,
        'Description': 'string',
        'CreateDate': datetime(2015, 1, 1),
        'UpdateDate': datetime(2015, 1, 1),
        'Tags': [
            {
                'Key': 'string',
                'Value': 'string'
            },
        ]
    }
}

Response Structure

  • (dict) --

    Contains the response to a successful GetPolicy request.

    • Policy (dict) --

      A structure containing details about the policy.

      • PolicyName (string) --

        The friendly name (not ARN) identifying the policy.

      • PolicyId (string) --

        The stable and unique string identifying the policy.

        For more information about IDs, see IAM identifiers in the IAM User Guide .

      • Arn (string) --

        The Amazon Resource Name (ARN). ARNs are unique identifiers for AWS resources.

        For more information about ARNs, go to Amazon Resource Names (ARNs) in the AWS General Reference .

      • Path (string) --

        The path to the policy.

        For more information about paths, see IAM identifiers in the IAM User Guide .

      • DefaultVersionId (string) --

        The identifier for the version of the policy that is set as the default version.

      • AttachmentCount (integer) --

        The number of entities (users, groups, and roles) that the policy is attached to.

      • PermissionsBoundaryUsageCount (integer) --

        The number of entities (users and roles) for which the policy is used to set the permissions boundary.

        For more information about permissions boundaries, see Permissions boundaries for IAM identities in the IAM User Guide .

      • IsAttachable (boolean) --

        Specifies whether the policy can be attached to an IAM user, group, or role.

      • Description (string) --

        A friendly description of the policy.

        This element is included in the response to the GetPolicy operation. It is not included in the response to the ListPolicies operation.

      • CreateDate (datetime) --

        The date and time, in ISO 8601 date-time format , when the policy was created.

      • UpdateDate (datetime) --

        The date and time, in ISO 8601 date-time format , when the policy was last updated.

        When a policy has only one version, this field contains the date and time when the policy was created. When a policy has more than one version, this field contains the date and time when the most recent policy version was created.

      • Tags (list) --

        A list of tags that are attached to the instance profile. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

        • (dict) --

          A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

          • Key (string) --

            The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

          • Value (string) --

            The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

            Note

            AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

GetSAMLProvider (updated) Link ¶
Changes (response)
{'Tags': [{'Key': 'string', 'Value': 'string'}]}

Returns the SAML provider metadocument that was uploaded when the IAM SAML provider resource object was created or updated.

Note

This operation requires Signature Version 4 .

See also: AWS API Documentation

Request Syntax

client.get_saml_provider(
    SAMLProviderArn='string'
)
type SAMLProviderArn

string

param SAMLProviderArn

[REQUIRED]

The Amazon Resource Name (ARN) of the SAML provider resource object in IAM to get information about.

For more information about ARNs, see Amazon Resource Names (ARNs) in the AWS General Reference .

rtype

dict

returns

Response Syntax

{
    'SAMLMetadataDocument': 'string',
    'CreateDate': datetime(2015, 1, 1),
    'ValidUntil': datetime(2015, 1, 1),
    'Tags': [
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    Contains the response to a successful GetSAMLProvider request.

    • SAMLMetadataDocument (string) --

      The XML metadata document that includes information about an identity provider.

    • CreateDate (datetime) --

      The date and time when the SAML provider was created.

    • ValidUntil (datetime) --

      The expiration date and time for the SAML provider.

    • Tags (list) --

      A list of tags that are attached to the specified IAM SAML provider. The returned list of tags is sorted by tag key. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

      • (dict) --

        A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

        • Key (string) --

          The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

        • Value (string) --

          The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

          Note

          AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

GetServerCertificate (updated) Link ¶
Changes (response)
{'ServerCertificate': {'Tags': [{'Key': 'string', 'Value': 'string'}]}}

Retrieves information about the specified server certificate stored in IAM.

For more information about working with server certificates, see Working with server certificates in the IAM User Guide . This topic includes a list of AWS services that can use the server certificates that you manage with IAM.

See also: AWS API Documentation

Request Syntax

client.get_server_certificate(
    ServerCertificateName='string'
)
type ServerCertificateName

string

param ServerCertificateName

[REQUIRED]

The name of the server certificate you want to retrieve information about.

This parameter allows (through its regex pattern ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

rtype

dict

returns

Response Syntax

{
    'ServerCertificate': {
        'ServerCertificateMetadata': {
            'Path': 'string',
            'ServerCertificateName': 'string',
            'ServerCertificateId': 'string',
            'Arn': 'string',
            'UploadDate': datetime(2015, 1, 1),
            'Expiration': datetime(2015, 1, 1)
        },
        'CertificateBody': 'string',
        'CertificateChain': 'string',
        'Tags': [
            {
                'Key': 'string',
                'Value': 'string'
            },
        ]
    }
}

Response Structure

  • (dict) --

    Contains the response to a successful GetServerCertificate request.

    • ServerCertificate (dict) --

      A structure containing details about the server certificate.

      • ServerCertificateMetadata (dict) --

        The meta information of the server certificate, such as its name, path, ID, and ARN.

        • Path (string) --

          The path to the server certificate. For more information about paths, see IAM identifiers in the IAM User Guide .

        • ServerCertificateName (string) --

          The name that identifies the server certificate.

        • ServerCertificateId (string) --

          The stable and unique string identifying the server certificate. For more information about IDs, see IAM identifiers in the IAM User Guide .

        • Arn (string) --

          The Amazon Resource Name (ARN) specifying the server certificate. For more information about ARNs and how to use them in policies, see IAM identifiers in the IAM User Guide .

        • UploadDate (datetime) --

          The date when the server certificate was uploaded.

        • Expiration (datetime) --

          The date on which the certificate is set to expire.

      • CertificateBody (string) --

        The contents of the public key certificate.

      • CertificateChain (string) --

        The contents of the public key certificate chain.

      • Tags (list) --

        A list of tags that are attached to the server certificate. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

        • (dict) --

          A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

          • Key (string) --

            The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

          • Value (string) --

            The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

            Note

            AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

ListInstanceProfiles (updated) Link ¶
Changes (response)
{'InstanceProfiles': {'Tags': [{'Key': 'string', 'Value': 'string'}]}}

Lists the instance profiles that have the specified path prefix. If there are none, the operation returns an empty list. For more information about instance profiles, see About instance profiles .

Note

IAM resource-listing operations return a subset of the available attributes for the resource. For example, this operation does not return tags, even though they are an attribute of the returned object. To view all of the information for an instance profile, see GetInstanceProfile .

You can paginate the results using the MaxItems and Marker parameters.

See also: AWS API Documentation

Request Syntax

client.list_instance_profiles(
    PathPrefix='string',
    Marker='string',
    MaxItems=123
)
type PathPrefix

string

param PathPrefix

The path prefix for filtering the results. For example, the prefix /application_abc/component_xyz/ gets all instance profiles whose path starts with /application_abc/component_xyz/ .

This parameter is optional. If it is not included, it defaults to a slash (/), listing all instance profiles. This parameter allows (through its regex pattern ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! (\u0021 ) through the DEL character (\u007F ), including most punctuation characters, digits, and upper and lowercased letters.

type Marker

string

param Marker

Use this parameter only when paginating results and only after you receive a response indicating that the results are truncated. Set it to the value of the Marker element in the response that you received to indicate where the next call should start.

type MaxItems

integer

param MaxItems

Use this only when paginating results to indicate the maximum number of items you want in the response. If additional items exist beyond the maximum you specify, the IsTruncated response element is true .

If you do not include this parameter, the number of items defaults to 100. Note that IAM might return fewer results, even when there are more results available. In that case, the IsTruncated response element returns true , and Marker contains a value to include in the subsequent call that tells the service where to continue from.

rtype

dict

returns

Response Syntax

{
    'InstanceProfiles': [
        {
            'Path': 'string',
            'InstanceProfileName': 'string',
            'InstanceProfileId': 'string',
            'Arn': 'string',
            'CreateDate': datetime(2015, 1, 1),
            'Roles': [
                {
                    'Path': 'string',
                    'RoleName': 'string',
                    'RoleId': 'string',
                    'Arn': 'string',
                    'CreateDate': datetime(2015, 1, 1),
                    'AssumeRolePolicyDocument': 'string',
                    'Description': 'string',
                    'MaxSessionDuration': 123,
                    'PermissionsBoundary': {
                        'PermissionsBoundaryType': 'PermissionsBoundaryPolicy',
                        'PermissionsBoundaryArn': 'string'
                    },
                    'Tags': [
                        {
                            'Key': 'string',
                            'Value': 'string'
                        },
                    ],
                    'RoleLastUsed': {
                        'LastUsedDate': datetime(2015, 1, 1),
                        'Region': 'string'
                    }
                },
            ],
            'Tags': [
                {
                    'Key': 'string',
                    'Value': 'string'
                },
            ]
        },
    ],
    'IsTruncated': True|False,
    'Marker': 'string'
}

Response Structure

  • (dict) --

    Contains the response to a successful ListInstanceProfiles request.

    • InstanceProfiles (list) --

      A list of instance profiles.

      • (dict) --

        Contains information about an instance profile.

        This data type is used as a response element in the following operations:

        • CreateInstanceProfile

        • GetInstanceProfile

        • ListInstanceProfiles

        • ListInstanceProfilesForRole

        • Path (string) --

          The path to the instance profile. For more information about paths, see IAM identifiers in the IAM User Guide .

        • InstanceProfileName (string) --

          The name identifying the instance profile.

        • InstanceProfileId (string) --

          The stable and unique string identifying the instance profile. For more information about IDs, see IAM identifiers in the IAM User Guide .

        • Arn (string) --

          The Amazon Resource Name (ARN) specifying the instance profile. For more information about ARNs and how to use them in policies, see IAM identifiers in the IAM User Guide .

        • CreateDate (datetime) --

          The date when the instance profile was created.

        • Roles (list) --

          The role associated with the instance profile.

          • (dict) --

            Contains information about an IAM role. This structure is returned as a response element in several API operations that interact with roles.

            • Path (string) --

              The path to the role. For more information about paths, see IAM identifiers in the IAM User Guide .

            • RoleName (string) --

              The friendly name that identifies the role.

            • RoleId (string) --

              The stable and unique string identifying the role. For more information about IDs, see IAM identifiers in the IAM User Guide .

            • Arn (string) --

              The Amazon Resource Name (ARN) specifying the role. For more information about ARNs and how to use them in policies, see IAM identifiers in the IAM User Guide guide.

            • CreateDate (datetime) --

              The date and time, in ISO 8601 date-time format , when the role was created.

            • AssumeRolePolicyDocument (string) --

              The policy that grants an entity permission to assume the role.

            • Description (string) --

              A description of the role that you provide.

            • MaxSessionDuration (integer) --

              The maximum session duration (in seconds) for the specified role. Anyone who uses the AWS CLI, or API to assume the role can specify the duration using the optional DurationSeconds API parameter or duration-seconds CLI parameter.

            • PermissionsBoundary (dict) --

              The ARN of the policy used to set the permissions boundary for the role.

              For more information about permissions boundaries, see Permissions boundaries for IAM identities in the IAM User Guide .

              • PermissionsBoundaryType (string) --

                The permissions boundary usage type that indicates what type of IAM resource is used as the permissions boundary for an entity. This data type can only have a value of Policy .

              • PermissionsBoundaryArn (string) --

                The ARN of the policy used to set the permissions boundary for the user or role.

            • Tags (list) --

              A list of tags that are attached to the role. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

              • (dict) --

                A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

                • Key (string) --

                  The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

                • Value (string) --

                  The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

                  Note

                  AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

            • RoleLastUsed (dict) --

              Contains information about the last time that an IAM role was used. This includes the date and time and the Region in which the role was last used. Activity is only reported for the trailing 400 days. This period can be shorter if your Region began supporting these features within the last year. The role might have been used more than 400 days ago. For more information, see Regions where data is tracked in the IAM User Guide .

              • LastUsedDate (datetime) --

                The date and time, in ISO 8601 date-time format that the role was last used.

                This field is null if the role has not been used within the IAM tracking period. For more information about the tracking period, see Regions where data is tracked in the IAM User Guide .

              • Region (string) --

                The name of the AWS Region in which the role was last used.

        • Tags (list) --

          A list of tags that are attached to the instance profile. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

          • (dict) --

            A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

            • Key (string) --

              The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

            • Value (string) --

              The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

              Note

              AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

    • IsTruncated (boolean) --

      A flag that indicates whether there are more items to return. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more items. Note that IAM might return fewer than the MaxItems number of results even when there are more results available. We recommend that you check IsTruncated after every call to ensure that you receive all your results.

    • Marker (string) --

      When IsTruncated is true , this element is present and contains the value to use for the Marker parameter in a subsequent pagination request.

ListInstanceProfilesForRole (updated) Link ¶
Changes (response)
{'InstanceProfiles': {'Tags': [{'Key': 'string', 'Value': 'string'}]}}

Lists the instance profiles that have the specified associated IAM role. If there are none, the operation returns an empty list. For more information about instance profiles, go to About instance profiles .

You can paginate the results using the MaxItems and Marker parameters.

See also: AWS API Documentation

Request Syntax

client.list_instance_profiles_for_role(
    RoleName='string',
    Marker='string',
    MaxItems=123
)
type RoleName

string

param RoleName

[REQUIRED]

The name of the role to list instance profiles for.

This parameter allows (through its regex pattern ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

type Marker

string

param Marker

Use this parameter only when paginating results and only after you receive a response indicating that the results are truncated. Set it to the value of the Marker element in the response that you received to indicate where the next call should start.

type MaxItems

integer

param MaxItems

Use this only when paginating results to indicate the maximum number of items you want in the response. If additional items exist beyond the maximum you specify, the IsTruncated response element is true .

If you do not include this parameter, the number of items defaults to 100. Note that IAM might return fewer results, even when there are more results available. In that case, the IsTruncated response element returns true , and Marker contains a value to include in the subsequent call that tells the service where to continue from.

rtype

dict

returns

Response Syntax

{
    'InstanceProfiles': [
        {
            'Path': 'string',
            'InstanceProfileName': 'string',
            'InstanceProfileId': 'string',
            'Arn': 'string',
            'CreateDate': datetime(2015, 1, 1),
            'Roles': [
                {
                    'Path': 'string',
                    'RoleName': 'string',
                    'RoleId': 'string',
                    'Arn': 'string',
                    'CreateDate': datetime(2015, 1, 1),
                    'AssumeRolePolicyDocument': 'string',
                    'Description': 'string',
                    'MaxSessionDuration': 123,
                    'PermissionsBoundary': {
                        'PermissionsBoundaryType': 'PermissionsBoundaryPolicy',
                        'PermissionsBoundaryArn': 'string'
                    },
                    'Tags': [
                        {
                            'Key': 'string',
                            'Value': 'string'
                        },
                    ],
                    'RoleLastUsed': {
                        'LastUsedDate': datetime(2015, 1, 1),
                        'Region': 'string'
                    }
                },
            ],
            'Tags': [
                {
                    'Key': 'string',
                    'Value': 'string'
                },
            ]
        },
    ],
    'IsTruncated': True|False,
    'Marker': 'string'
}

Response Structure

  • (dict) --

    Contains the response to a successful ListInstanceProfilesForRole request.

    • InstanceProfiles (list) --

      A list of instance profiles.

      • (dict) --

        Contains information about an instance profile.

        This data type is used as a response element in the following operations:

        • CreateInstanceProfile

        • GetInstanceProfile

        • ListInstanceProfiles

        • ListInstanceProfilesForRole

        • Path (string) --

          The path to the instance profile. For more information about paths, see IAM identifiers in the IAM User Guide .

        • InstanceProfileName (string) --

          The name identifying the instance profile.

        • InstanceProfileId (string) --

          The stable and unique string identifying the instance profile. For more information about IDs, see IAM identifiers in the IAM User Guide .

        • Arn (string) --

          The Amazon Resource Name (ARN) specifying the instance profile. For more information about ARNs and how to use them in policies, see IAM identifiers in the IAM User Guide .

        • CreateDate (datetime) --

          The date when the instance profile was created.

        • Roles (list) --

          The role associated with the instance profile.

          • (dict) --

            Contains information about an IAM role. This structure is returned as a response element in several API operations that interact with roles.

            • Path (string) --

              The path to the role. For more information about paths, see IAM identifiers in the IAM User Guide .

            • RoleName (string) --

              The friendly name that identifies the role.

            • RoleId (string) --

              The stable and unique string identifying the role. For more information about IDs, see IAM identifiers in the IAM User Guide .

            • Arn (string) --

              The Amazon Resource Name (ARN) specifying the role. For more information about ARNs and how to use them in policies, see IAM identifiers in the IAM User Guide guide.

            • CreateDate (datetime) --

              The date and time, in ISO 8601 date-time format , when the role was created.

            • AssumeRolePolicyDocument (string) --

              The policy that grants an entity permission to assume the role.

            • Description (string) --

              A description of the role that you provide.

            • MaxSessionDuration (integer) --

              The maximum session duration (in seconds) for the specified role. Anyone who uses the AWS CLI, or API to assume the role can specify the duration using the optional DurationSeconds API parameter or duration-seconds CLI parameter.

            • PermissionsBoundary (dict) --

              The ARN of the policy used to set the permissions boundary for the role.

              For more information about permissions boundaries, see Permissions boundaries for IAM identities in the IAM User Guide .

              • PermissionsBoundaryType (string) --

                The permissions boundary usage type that indicates what type of IAM resource is used as the permissions boundary for an entity. This data type can only have a value of Policy .

              • PermissionsBoundaryArn (string) --

                The ARN of the policy used to set the permissions boundary for the user or role.

            • Tags (list) --

              A list of tags that are attached to the role. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

              • (dict) --

                A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

                • Key (string) --

                  The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

                • Value (string) --

                  The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

                  Note

                  AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

            • RoleLastUsed (dict) --

              Contains information about the last time that an IAM role was used. This includes the date and time and the Region in which the role was last used. Activity is only reported for the trailing 400 days. This period can be shorter if your Region began supporting these features within the last year. The role might have been used more than 400 days ago. For more information, see Regions where data is tracked in the IAM User Guide .

              • LastUsedDate (datetime) --

                The date and time, in ISO 8601 date-time format that the role was last used.

                This field is null if the role has not been used within the IAM tracking period. For more information about the tracking period, see Regions where data is tracked in the IAM User Guide .

              • Region (string) --

                The name of the AWS Region in which the role was last used.

        • Tags (list) --

          A list of tags that are attached to the instance profile. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

          • (dict) --

            A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

            • Key (string) --

              The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

            • Value (string) --

              The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

              Note

              AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

    • IsTruncated (boolean) --

      A flag that indicates whether there are more items to return. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more items. Note that IAM might return fewer than the MaxItems number of results even when there are more results available. We recommend that you check IsTruncated after every call to ensure that you receive all your results.

    • Marker (string) --

      When IsTruncated is true , this element is present and contains the value to use for the Marker parameter in a subsequent pagination request.

ListPolicies (updated) Link ¶
Changes (response)
{'Policies': {'Tags': [{'Key': 'string', 'Value': 'string'}]}}

Lists all the managed policies that are available in your AWS account, including your own customer-defined managed policies and all AWS managed policies.

You can filter the list of policies that is returned using the optional OnlyAttached , Scope , and PathPrefix parameters. For example, to list only the customer managed policies in your AWS account, set Scope to Local . To list only AWS managed policies, set Scope to AWS .

You can paginate the results using the MaxItems and Marker parameters.

For more information about managed policies, see Managed policies and inline policies in the IAM User Guide .

Note

IAM resource-listing operations return a subset of the available attributes for the resource. For example, this operation does not return tags, even though they are an attribute of the returned object. To view all of the information for a customer manged policy, see GetPolicy .

See also: AWS API Documentation

Request Syntax

client.list_policies(
    Scope='All'|'AWS'|'Local',
    OnlyAttached=True|False,
    PathPrefix='string',
    PolicyUsageFilter='PermissionsPolicy'|'PermissionsBoundary',
    Marker='string',
    MaxItems=123
)
type Scope

string

param Scope

The scope to use for filtering the results.

To list only AWS managed policies, set Scope to AWS . To list only the customer managed policies in your AWS account, set Scope to Local .

This parameter is optional. If it is not included, or if it is set to All , all policies are returned.

type OnlyAttached

boolean

param OnlyAttached

A flag to filter the results to only the attached policies.

When OnlyAttached is true , the returned list contains only the policies that are attached to an IAM user, group, or role. When OnlyAttached is false , or when the parameter is not included, all policies are returned.

type PathPrefix

string

param PathPrefix

The path prefix for filtering the results. This parameter is optional. If it is not included, it defaults to a slash (/), listing all policies. This parameter allows (through its regex pattern ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! (\u0021 ) through the DEL character (\u007F ), including most punctuation characters, digits, and upper and lowercased letters.

type PolicyUsageFilter

string

param PolicyUsageFilter

The policy usage method to use for filtering the results.

To list only permissions policies, set PolicyUsageFilter to PermissionsPolicy . To list only the policies used to set permissions boundaries, set the value to PermissionsBoundary .

This parameter is optional. If it is not included, all policies are returned.

type Marker

string

param Marker

Use this parameter only when paginating results and only after you receive a response indicating that the results are truncated. Set it to the value of the Marker element in the response that you received to indicate where the next call should start.

type MaxItems

integer

param MaxItems

Use this only when paginating results to indicate the maximum number of items you want in the response. If additional items exist beyond the maximum you specify, the IsTruncated response element is true .

If you do not include this parameter, the number of items defaults to 100. Note that IAM might return fewer results, even when there are more results available. In that case, the IsTruncated response element returns true , and Marker contains a value to include in the subsequent call that tells the service where to continue from.

rtype

dict

returns

Response Syntax

{
    'Policies': [
        {
            'PolicyName': 'string',
            'PolicyId': 'string',
            'Arn': 'string',
            'Path': 'string',
            'DefaultVersionId': 'string',
            'AttachmentCount': 123,
            'PermissionsBoundaryUsageCount': 123,
            'IsAttachable': True|False,
            'Description': 'string',
            'CreateDate': datetime(2015, 1, 1),
            'UpdateDate': datetime(2015, 1, 1),
            'Tags': [
                {
                    'Key': 'string',
                    'Value': 'string'
                },
            ]
        },
    ],
    'IsTruncated': True|False,
    'Marker': 'string'
}

Response Structure

  • (dict) --

    Contains the response to a successful ListPolicies request.

    • Policies (list) --

      A list of policies.

      • (dict) --

        Contains information about a managed policy.

        This data type is used as a response element in the CreatePolicy , GetPolicy , and ListPolicies operations.

        For more information about managed policies, refer to Managed policies and inline policies in the IAM User Guide .

        • PolicyName (string) --

          The friendly name (not ARN) identifying the policy.

        • PolicyId (string) --

          The stable and unique string identifying the policy.

          For more information about IDs, see IAM identifiers in the IAM User Guide .

        • Arn (string) --

          The Amazon Resource Name (ARN). ARNs are unique identifiers for AWS resources.

          For more information about ARNs, go to Amazon Resource Names (ARNs) in the AWS General Reference .

        • Path (string) --

          The path to the policy.

          For more information about paths, see IAM identifiers in the IAM User Guide .

        • DefaultVersionId (string) --

          The identifier for the version of the policy that is set as the default version.

        • AttachmentCount (integer) --

          The number of entities (users, groups, and roles) that the policy is attached to.

        • PermissionsBoundaryUsageCount (integer) --

          The number of entities (users and roles) for which the policy is used to set the permissions boundary.

          For more information about permissions boundaries, see Permissions boundaries for IAM identities in the IAM User Guide .

        • IsAttachable (boolean) --

          Specifies whether the policy can be attached to an IAM user, group, or role.

        • Description (string) --

          A friendly description of the policy.

          This element is included in the response to the GetPolicy operation. It is not included in the response to the ListPolicies operation.

        • CreateDate (datetime) --

          The date and time, in ISO 8601 date-time format , when the policy was created.

        • UpdateDate (datetime) --

          The date and time, in ISO 8601 date-time format , when the policy was last updated.

          When a policy has only one version, this field contains the date and time when the policy was created. When a policy has more than one version, this field contains the date and time when the most recent policy version was created.

        • Tags (list) --

          A list of tags that are attached to the instance profile. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

          • (dict) --

            A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

            • Key (string) --

              The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

            • Value (string) --

              The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

              Note

              AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

    • IsTruncated (boolean) --

      A flag that indicates whether there are more items to return. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more items. Note that IAM might return fewer than the MaxItems number of results even when there are more results available. We recommend that you check IsTruncated after every call to ensure that you receive all your results.

    • Marker (string) --

      When IsTruncated is true , this element is present and contains the value to use for the Marker parameter in a subsequent pagination request.

ListVirtualMFADevices (updated) Link ¶
Changes (response)
{'VirtualMFADevices': {'Tags': [{'Key': 'string', 'Value': 'string'}]}}

Lists the virtual MFA devices defined in the AWS account by assignment status. If you do not specify an assignment status, the operation returns a list of all virtual MFA devices. Assignment status can be Assigned , Unassigned , or Any .

Note

IAM resource-listing operations return a subset of the available attributes for the resource. For example, this operation does not return tags, even though they are an attribute of the returned object. To view all of the information for a virtual MFA device, see ListVirtualMFADevices .

You can paginate the results using the MaxItems and Marker parameters.

See also: AWS API Documentation

Request Syntax

client.list_virtual_mfa_devices(
    AssignmentStatus='Assigned'|'Unassigned'|'Any',
    Marker='string',
    MaxItems=123
)
type AssignmentStatus

string

param AssignmentStatus

The status (Unassigned or Assigned ) of the devices to list. If you do not specify an AssignmentStatus , the operation defaults to Any , which lists both assigned and unassigned virtual MFA devices.,

type Marker

string

param Marker

Use this parameter only when paginating results and only after you receive a response indicating that the results are truncated. Set it to the value of the Marker element in the response that you received to indicate where the next call should start.

type MaxItems

integer

param MaxItems

Use this only when paginating results to indicate the maximum number of items you want in the response. If additional items exist beyond the maximum you specify, the IsTruncated response element is true .

If you do not include this parameter, the number of items defaults to 100. Note that IAM might return fewer results, even when there are more results available. In that case, the IsTruncated response element returns true , and Marker contains a value to include in the subsequent call that tells the service where to continue from.

rtype

dict

returns

Response Syntax

{
    'VirtualMFADevices': [
        {
            'SerialNumber': 'string',
            'Base32StringSeed': b'bytes',
            'QRCodePNG': b'bytes',
            'User': {
                'Path': 'string',
                'UserName': 'string',
                'UserId': 'string',
                'Arn': 'string',
                'CreateDate': datetime(2015, 1, 1),
                'PasswordLastUsed': datetime(2015, 1, 1),
                'PermissionsBoundary': {
                    'PermissionsBoundaryType': 'PermissionsBoundaryPolicy',
                    'PermissionsBoundaryArn': 'string'
                },
                'Tags': [
                    {
                        'Key': 'string',
                        'Value': 'string'
                    },
                ]
            },
            'EnableDate': datetime(2015, 1, 1),
            'Tags': [
                {
                    'Key': 'string',
                    'Value': 'string'
                },
            ]
        },
    ],
    'IsTruncated': True|False,
    'Marker': 'string'
}

Response Structure

  • (dict) --

    Contains the response to a successful ListVirtualMFADevices request.

    • VirtualMFADevices (list) --

      The list of virtual MFA devices in the current account that match the AssignmentStatus value that was passed in the request.

      • (dict) --

        Contains information about a virtual MFA device.

        • SerialNumber (string) --

          The serial number associated with VirtualMFADevice .

        • Base32StringSeed (bytes) --

          The base32 seed defined as specified in RFC3548 . The Base32StringSeed is base64-encoded.

        • QRCodePNG (bytes) --

          A QR code PNG image that encodes otpauth://totp/$virtualMFADeviceName@$AccountName?secret=$Base32String where $virtualMFADeviceName is one of the create call arguments. AccountName is the user name if set (otherwise, the account ID otherwise), and Base32String is the seed in base32 format. The Base32String value is base64-encoded.

        • User (dict) --

          The IAM user associated with this virtual MFA device.

          • Path (string) --

            The path to the user. For more information about paths, see IAM identifiers in the IAM User Guide .

            The ARN of the policy used to set the permissions boundary for the user.

          • UserName (string) --

            The friendly name identifying the user.

          • UserId (string) --

            The stable and unique string identifying the user. For more information about IDs, see IAM identifiers in the IAM User Guide .

          • Arn (string) --

            The Amazon Resource Name (ARN) that identifies the user. For more information about ARNs and how to use ARNs in policies, see IAM Identifiers in the IAM User Guide .

          • CreateDate (datetime) --

            The date and time, in ISO 8601 date-time format , when the user was created.

          • PasswordLastUsed (datetime) --

            The date and time, in ISO 8601 date-time format , when the user's password was last used to sign in to an AWS website. For a list of AWS websites that capture a user's last sign-in time, see the Credential reports topic in the IAM User Guide . If a password is used more than once in a five-minute span, only the first use is returned in this field. If the field is null (no value), then it indicates that they never signed in with a password. This can be because:

            • The user never had a password.

            • A password exists but has not been used since IAM started tracking this information on October 20, 2014.

            A null value does not mean that the user never had a password. Also, if the user does not currently have a password but had one in the past, then this field contains the date and time the most recent password was used.

            This value is returned only in the GetUser and ListUsers operations.

          • PermissionsBoundary (dict) --

            For more information about permissions boundaries, see Permissions boundaries for IAM identities in the IAM User Guide .

            • PermissionsBoundaryType (string) --

              The permissions boundary usage type that indicates what type of IAM resource is used as the permissions boundary for an entity. This data type can only have a value of Policy .

            • PermissionsBoundaryArn (string) --

              The ARN of the policy used to set the permissions boundary for the user or role.

          • Tags (list) --

            A list of tags that are associated with the user. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

            • (dict) --

              A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

              • Key (string) --

                The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

              • Value (string) --

                The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

                Note

                AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

        • EnableDate (datetime) --

          The date and time on which the virtual MFA device was enabled.

        • Tags (list) --

          A list of tags that are attached to the virtual MFA device. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

          • (dict) --

            A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

            • Key (string) --

              The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

            • Value (string) --

              The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

              Note

              AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

    • IsTruncated (boolean) --

      A flag that indicates whether there are more items to return. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more items. Note that IAM might return fewer than the MaxItems number of results even when there are more results available. We recommend that you check IsTruncated after every call to ensure that you receive all your results.

    • Marker (string) --

      When IsTruncated is true , this element is present and contains the value to use for the Marker parameter in a subsequent pagination request.

UploadServerCertificate (updated) Link ¶
Changes (both)
{'Tags': [{'Key': 'string', 'Value': 'string'}]}

Uploads a server certificate entity for the AWS account. The server certificate entity includes a public key certificate, a private key, and an optional certificate chain, which should all be PEM-encoded.

We recommend that you use AWS Certificate Manager to provision, manage, and deploy your server certificates. With ACM you can request a certificate, deploy it to AWS resources, and let ACM handle certificate renewals for you. Certificates provided by ACM are free. For more information about using ACM, see the AWS Certificate Manager User Guide .

For more information about working with server certificates, see Working with server certificates in the IAM User Guide . This topic includes a list of AWS services that can use the server certificates that you manage with IAM.

For information about the number of server certificates you can upload, see IAM and STS quotas in the IAM User Guide .

Note

Because the body of the public key certificate, private key, and the certificate chain can be large, you should use POST rather than GET when calling UploadServerCertificate . For information about setting up signatures and authorization through the API, see Signing AWS API requests in the AWS General Reference . For general information about using the Query API with IAM, see Calling the API by making HTTP query requests in the IAM User Guide .

See also: AWS API Documentation

Request Syntax

client.upload_server_certificate(
    Path='string',
    ServerCertificateName='string',
    CertificateBody='string',
    PrivateKey='string',
    CertificateChain='string',
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
)
type Path

string

param Path

The path for the server certificate. For more information about paths, see IAM identifiers in the IAM User Guide .

This parameter is optional. If it is not included, it defaults to a slash (/). This parameter allows (through its regex pattern ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! (\u0021 ) through the DEL character (\u007F ), including most punctuation characters, digits, and upper and lowercased letters.

Note

If you are uploading a server certificate specifically for use with Amazon CloudFront distributions, you must specify a path using the path parameter. The path must begin with /cloudfront and must include a trailing slash (for example, /cloudfront/test/ ).

type ServerCertificateName

string

param ServerCertificateName

[REQUIRED]

The name for the server certificate. Do not include the path in this value. The name of the certificate cannot contain any spaces.

This parameter allows (through its regex pattern ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

type CertificateBody

string

param CertificateBody

[REQUIRED]

The contents of the public key certificate in PEM-encoded format.

The regex pattern used to validate this parameter is a string of characters consisting of the following:

  • Any printable ASCII character ranging from the space character (\u0020 ) through the end of the ASCII character range

  • The printable characters in the Basic Latin and Latin-1 Supplement character set (through \u00FF )

  • The special characters tab (\u0009 ), line feed (\u000A ), and carriage return (\u000D )

type PrivateKey

string

param PrivateKey

[REQUIRED]

The contents of the private key in PEM-encoded format.

The regex pattern used to validate this parameter is a string of characters consisting of the following:

  • Any printable ASCII character ranging from the space character (\u0020 ) through the end of the ASCII character range

  • The printable characters in the Basic Latin and Latin-1 Supplement character set (through \u00FF )

  • The special characters tab (\u0009 ), line feed (\u000A ), and carriage return (\u000D )

type CertificateChain

string

param CertificateChain

The contents of the certificate chain. This is typically a concatenation of the PEM-encoded public key certificates of the chain.

The regex pattern used to validate this parameter is a string of characters consisting of the following:

  • Any printable ASCII character ranging from the space character (\u0020 ) through the end of the ASCII character range

  • The printable characters in the Basic Latin and Latin-1 Supplement character set (through \u00FF )

  • The special characters tab (\u0009 ), line feed (\u000A ), and carriage return (\u000D )

type Tags

list

param Tags

A list of tags that you want to attach to the new IAM server certificate resource. Each tag consists of a key name and an associated value. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

Note

If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created.

  • (dict) --

    A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

    • Key (string) -- [REQUIRED]

      The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

    • Value (string) -- [REQUIRED]

      The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

      Note

      AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

rtype

dict

returns

Response Syntax

{
    'ServerCertificateMetadata': {
        'Path': 'string',
        'ServerCertificateName': 'string',
        'ServerCertificateId': 'string',
        'Arn': 'string',
        'UploadDate': datetime(2015, 1, 1),
        'Expiration': datetime(2015, 1, 1)
    },
    'Tags': [
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    Contains the response to a successful UploadServerCertificate request.

    • ServerCertificateMetadata (dict) --

      The meta information of the uploaded server certificate without its certificate body, certificate chain, and private key.

      • Path (string) --

        The path to the server certificate. For more information about paths, see IAM identifiers in the IAM User Guide .

      • ServerCertificateName (string) --

        The name that identifies the server certificate.

      • ServerCertificateId (string) --

        The stable and unique string identifying the server certificate. For more information about IDs, see IAM identifiers in the IAM User Guide .

      • Arn (string) --

        The Amazon Resource Name (ARN) specifying the server certificate. For more information about ARNs and how to use them in policies, see IAM identifiers in the IAM User Guide .

      • UploadDate (datetime) --

        The date when the server certificate was uploaded.

      • Expiration (datetime) --

        The date on which the certificate is set to expire.

    • Tags (list) --

      A list of tags that are attached to the new IAM server certificate. The returned list of tags is sorted by tag key. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

      • (dict) --

        A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide .

        • Key (string) --

          The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

        • Value (string) --

          The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources , Accounting , and Support . Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

          Note

          AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.