AWS Identity and Access Management

2025/11/18 - AWS Identity and Access Management - 8 new api methods

Changes: Added the AssociateDelegationRequest, GetDelegationRequest, AcceptDelegationRequest, RejectDelegationRequest, ListDelegationRequests, UpdateDelegationRequest, SendDelegationToken and GetHumanReadableSummary APIs for the IAM temporary delegation feature.

AssociateDelegationRequest (new)

Associates a delegation request with the current identity.

If the partner that created the delegation request has specified the owner account during creation, only an identity from that owner account can call the AssociateDelegationRequest API for the specified delegation request. Once the AssociateDelegationRequest API call is successful, the ARN of the current calling identity will be stored as the ownerId of the request.

If the partner that created the delegation request has not specified the owner account during creation, any caller from any account can call the AssociateDelegationRequest API for the delegation request. Once this API call is successful, the ARN of the current calling identity will be stored as the ownerId and the Amazon Web Services account ID of the current calling identity will be stored as the ownerAccount of the request.

For more details, see Managing Permissions for Delegation Requests.

See also: AWS API Documentation

Request Syntax

client.associate_delegation_request(
    DelegationRequestId='string'
)
type DelegationRequestId:

string

param DelegationRequestId:

[REQUIRED]

The unique identifier of the delegation request to associate.

returns:

None

AcceptDelegationRequest (new)

Accepts a delegation request, granting the requested temporary access.

Once the delegation request is accepted, it is eligible to send the exchange token to the partner. The SendDelegationToken API has to be explicitly called to send the delegation token.

At the time of acceptance, IAM records the details and the state of the identity that called this API. This is the identity that gets mapped to the delegated credential.

An accepted request may be rejected before the exchange token is sent to the partner.

See also: AWS API Documentation

Request Syntax

client.accept_delegation_request(
    DelegationRequestId='string'
)
type DelegationRequestId:

string

param DelegationRequestId:

[REQUIRED]

The unique identifier of the delegation request to accept.

returns:

None

UpdateDelegationRequest (new)

Updates an existing delegation request with additional information. When the delegation request is updated, it reaches the PENDING_APPROVAL state.

Once a delegation request has an owner, that owner gets a default permission to update the delegation request. For more details, see Managing Permissions for Delegation Requests.

See also: AWS API Documentation

Request Syntax

client.update_delegation_request(
    DelegationRequestId='string',
    Notes='string'
)
type DelegationRequestId:

string

param DelegationRequestId:

[REQUIRED]

The unique identifier of the delegation request to update.

type Notes:

string

param Notes:

Additional notes or comments to add to the delegation request.

returns:

None

SendDelegationToken (new)

Sends the exchange token for an accepted delegation request.

The exchange token is sent to the partner via an asynchronous notification channel, established by the partner.

The delegation request must be in the ACCEPTED state when calling this API. After the SendDelegationToken API call is successful, the request transitions to a FINALIZED state and cannot be rolled back. However, a user may reject an accepted request before the SendDelegationToken API is called.

For more details, see Managing Permissions for Delegation Requests.

See also: AWS API Documentation

Request Syntax

client.send_delegation_token(
    DelegationRequestId='string'
)
type DelegationRequestId:

string

param DelegationRequestId:

[REQUIRED]

The unique identifier of the delegation request for which to send the token.

returns:

None

GetDelegationRequest (new)

Retrieves information about a specific delegation request.

If a delegation request has no owner or owner account, GetDelegationRequest for that delegation request can be called by any account. If the owner account is assigned but there is no owner id, only identities within that owner account can call GetDelegationRequest for the delegation request. Once the delegation request is fully owned, the owner of the request gets a default permission to get that delegation request. For more details, see Managing Permissions for Delegation Requests.

See also: AWS API Documentation

Request Syntax

client.get_delegation_request(
    DelegationRequestId='string',
    DelegationPermissionCheck=True|False
)
type DelegationRequestId:

string

param DelegationRequestId:

[REQUIRED]

The unique identifier of the delegation request to retrieve.

type DelegationPermissionCheck:

boolean

param DelegationPermissionCheck:

Specifies whether to perform a permission check for the delegation request.

If set to true, the GetDelegationRequest API call will start a permission check process. This process calculates whether the caller has sufficient permissions to cover the permissions requested in this delegation request.

Setting this parameter to true does not guarantee an answer in the response. See the PermissionCheckStatus and the PermissionCheckResult response attributes for further details.

rtype:

dict

returns:

Response Syntax

{
    'DelegationRequest': {
        'DelegationRequestId': 'string',
        'OwnerAccountId': 'string',
        'Description': 'string',
        'RequestMessage': 'string',
        'Permissions': {
            'PolicyTemplateArn': 'string',
            'Parameters': [
                {
                    'Name': 'string',
                    'Values': [
                        'string',
                    ],
                    'Type': 'string'|'stringList'
                },
            ]
        },
        'PermissionPolicy': 'string',
        'RolePermissionRestrictionArns': [
            'string',
        ],
        'OwnerId': 'string',
        'ApproverId': 'string',
        'State': 'UNASSIGNED'|'ASSIGNED'|'PENDING_APPROVAL'|'FINALIZED'|'ACCEPTED'|'REJECTED'|'EXPIRED',
        'RequestorId': 'string',
        'RequestorName': 'string',
        'CreateDate': datetime(2015, 1, 1),
        'SessionDuration': 123,
        'RedirectUrl': 'string',
        'Notes': 'string',
        'RejectionReason': 'string',
        'OnlySendByOwner': True|False,
        'UpdatedTime': datetime(2015, 1, 1)
    },
    'PermissionCheckStatus': 'COMPLETE'|'IN_PROGRESS'|'FAILED',
    'PermissionCheckResult': 'ALLOWED'|'DENIED'|'UNSURE'
}

Response Structure

  • (dict) --

    • DelegationRequest (dict) --

      The delegation request object containing all details about the request.

      • DelegationRequestId (string) --

        The unique identifier for the delegation request.

      • OwnerAccountId (string) --

        Amazon Web Services account ID of the owner of the delegation request.

      • Description (string) --

        Description of the delegation request. This is a message that is provided by the Amazon Web Services partner that filed the delegation request.

      • RequestMessage (string) --

        A custom message that is added to the delegation request by the partner.

        This element differs from the Description element in that it is a request-specific message injected by the partner. The Description is typically a generic explanation of what the delegation request is intended to do.

      • Permissions (dict) --

        Contains information about the permissions being delegated in a delegation request.

        • PolicyTemplateArn (string) --

          This ARN maps to a pre-registered policy content for this partner. See the partner onboarding documentation to understand how to create a delegation template.

        • Parameters (list) --

          A list of policy parameters that define the scope and constraints of the delegated permissions.

          • (dict) --

            Contains information about a policy parameter used to customize delegated permissions.

            • Name (string) --

              The name of the policy parameter.

            • Values (list) --

              The allowed values for the policy parameter.

              • (string) --

            • Type (string) --

              The data type of the policy parameter value.

      • PermissionPolicy (string) --

        JSON content of the associated permission policy of this delegation request.

      • RolePermissionRestrictionArns (list) --

        If the PermissionPolicy includes role creation permissions, this element will include the list of permissions boundary policies associated with the role creation. See Permissions boundaries for IAM entities for more details about IAM permission boundaries.

        • (string) --

          The Amazon Resource Name (ARN). ARNs are unique identifiers for Amazon Web Services resources.

          For more information about ARNs, go to Amazon Resource Names (ARNs) in the Amazon Web Services General Reference.

      • OwnerId (string) --

        ARN of the owner of this delegation request.

      • ApproverId (string) --

        The Amazon Resource Name (ARN). ARNs are unique identifiers for Amazon Web Services resources.

        For more information about ARNs, go to Amazon Resource Names (ARNs) in the Amazon Web Services General Reference.

      • State (string) --

        The state of this delegation request.

        See Understanding the Request Lifecycle for an explanation of how these states transition.

      • RequestorId (string) --

        Identity of the requestor of this delegation request. This will be an Amazon Web Services account ID.

      • RequestorName (string) --

        A friendly name of the requestor.

      • CreateDate (datetime) --

        Creation date (timestamp) of this delegation request.

      • SessionDuration (integer) --

        The lifetime of the requested session credential.

      • RedirectUrl (string) --

        A URL to be redirected to once the delegation request is approved. Partners provide this URL when creating the delegation request.

      • Notes (string) --

        Notes added to this delegation request, if this request was updated via the UpdateDelegationRequest API.

      • RejectionReason (string) --

        Reasons for rejecting this delegation request, if this request was rejected. See also RejectDelegationRequest API documentation.

      • OnlySendByOwner (boolean) --

        A flag indicating whether the SendDelegationToken must be called by the owner of this delegation request. This is set by the requesting partner.

      • UpdatedTime (datetime) --

        Last updated timestamp of the request.

    • PermissionCheckStatus (string) --

      The status of the permission check for the delegation request.

      This value indicates the status of the process to check whether the caller has sufficient permissions to cover the requested actions in the delegation request. Since this is an asynchronous process, there are three potential values:

      • IN_PROGRESS : The permission check process has started.

      • COMPLETED : The permission check process has completed. The PermissionCheckResult will include the result.

      • FAILED : The permission check process has failed.

    • PermissionCheckResult (string) --

      The result of the permission check, indicating whether the caller has sufficient permissions to cover the requested permissions. This is an approximate result.

      • ALLOWED : The caller has sufficient permissions to cover all the requested permissions.

      • DENIED : The caller does not have sufficient permissions to cover all the requested permissions.

      • UNSURE : It is not possible to determine whether the caller has all the permissions needed. This result is most likely when the caller's permissions carry conditions.
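The permission check above is asynchronous and its result is approximate, so an owner still has to read the PermissionPolicy before calling AcceptDelegationRequest. The following is an added example, not code from AWS or boto3: it polls a client object with the documented get_delegation_request signature until the check leaves IN_PROGRESS, then applies a review gate (wildcard actions, resource "*", role creation without a permissions boundary in RolePermissionRestrictionArns, an assumed SessionDuration cap). The FakeIamClient, the sample policies and the cap value are constructed so the code runs offline; a real boto3 IAM client can be passed in their place.

```python
import json
import time

# Constructed sample policies (not real AWS data) in the JSON shape the
# PermissionPolicy field carries.
CLEAN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})
RISKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["iam:CreateRole", "iam:*"], "Resource": "*"}]})


def make_response(policy, status, result, boundaries=(), session=900):
    """Build a GetDelegationRequest-shaped dict; all values are constructed placeholders."""
    return {
        "DelegationRequest": {
            "DelegationRequestId": "example-request-id", "State": "PENDING_APPROVAL",
            "PermissionPolicy": policy, "SessionDuration": session,
            "RolePermissionRestrictionArns": list(boundaries),
        },
        "PermissionCheckStatus": status, "PermissionCheckResult": result,
    }


class FakeIamClient:
    """Offline stand-in for boto3's IAM client: returns the given responses in
    order and keeps repeating the last one (simulates IN_PROGRESS, then COMPLETE)."""
    def __init__(self, responses):
        self._responses = list(responses)

    def get_delegation_request(self, DelegationRequestId, DelegationPermissionCheck=False):
        return self._responses.pop(0) if len(self._responses) > 1 else self._responses[0]


def wait_for_permission_check(client, request_id, attempts=5, delay=0.0):
    """Poll with DelegationPermissionCheck=True until the asynchronous check
    leaves IN_PROGRESS; returns the last response seen (status may be FAILED)."""
    resp = None
    for _ in range(attempts):
        resp = client.get_delegation_request(DelegationRequestId=request_id,
                                             DelegationPermissionCheck=True)
        if resp.get("PermissionCheckStatus") != "IN_PROGRESS":
            break
        time.sleep(delay)
    return resp


def _as_list(value):
    """IAM policy fields may be a scalar, a dict or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def review_delegation_request(resp, max_session=3600):
    """Owner-side gate before AcceptDelegationRequest. Returns
    ('accept' | 'reject' | 'manual_review', reasons). max_session is an assumed
    cap in the unit SessionDuration uses (seconds assumed here)."""
    req, reasons = resp["DelegationRequest"], []
    status, result = resp.get("PermissionCheckStatus"), resp.get("PermissionCheckResult")
    if status not in ("COMPLETE", "COMPLETED"):   # the reference shows both spellings
        reasons.append(f"permission check not complete: {status}")
    elif result == "DENIED":
        return "reject", ["caller cannot cover the requested permissions"]
    elif result == "UNSURE":
        reasons.append("permission check UNSURE, likely conditional permissions")
    creates_role = False
    for stmt in _as_list(json.loads(req.get("PermissionPolicy") or "{}").get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if any(a == "*" or a.endswith(":*") for a in actions):
            reasons.append(f"wildcard action in requested policy: {actions}")
        if "*" in _as_list(stmt.get("Resource")):
            reasons.append("requested policy applies to all resources")
        creates_role |= any(a.lower() == "iam:createrole" for a in actions)
    if creates_role and not req.get("RolePermissionRestrictionArns"):
        reasons.append("role creation requested without a permissions boundary")
    if req.get("SessionDuration", 0) > max_session:
        reasons.append(f"session duration {req['SessionDuration']} exceeds cap {max_session}")
    return ("manual_review", reasons) if reasons else ("accept", [])
```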

ListDelegationRequests (new)

Lists delegation requests based on the specified criteria.

If a delegation request has no owner, even if it is assigned to a specific account, it will not be part of the ListDelegationRequests output for that account.

For more details, see Managing Permissions for Delegation Requests.

See also: AWS API Documentation

Request Syntax

client.list_delegation_requests(
    OwnerId='string',
    Marker='string',
    MaxItems=123
)
type OwnerId:

string

param OwnerId:

The owner ID to filter delegation requests by.

type Marker:

string

param Marker:

Use this parameter only when paginating results and only after you receive a response indicating that the results are truncated. Set it to the value of the Marker element in the response that you received to indicate where the next call should start.

type MaxItems:

integer

param MaxItems:

Use this only when paginating results to indicate the maximum number of items you want in the response. If additional items exist beyond the maximum you specify, the IsTruncated response element is true.

If you do not include this parameter, the number of items defaults to 100. Note that IAM may return fewer results, even when there are more results available. In that case, the IsTruncated response element returns true, and Marker contains a value to include in the subsequent call that tells the service where to continue from.

rtype:

dict

returns:

Response Syntax

{
    'DelegationRequests': [
        {
            'DelegationRequestId': 'string',
            'OwnerAccountId': 'string',
            'Description': 'string',
            'RequestMessage': 'string',
            'Permissions': {
                'PolicyTemplateArn': 'string',
                'Parameters': [
                    {
                        'Name': 'string',
                        'Values': [
                            'string',
                        ],
                        'Type': 'string'|'stringList'
                    },
                ]
            },
            'PermissionPolicy': 'string',
            'RolePermissionRestrictionArns': [
                'string',
            ],
            'OwnerId': 'string',
            'ApproverId': 'string',
            'State': 'UNASSIGNED'|'ASSIGNED'|'PENDING_APPROVAL'|'FINALIZED'|'ACCEPTED'|'REJECTED'|'EXPIRED',
            'RequestorId': 'string',
            'RequestorName': 'string',
            'CreateDate': datetime(2015, 1, 1),
            'SessionDuration': 123,
            'RedirectUrl': 'string',
            'Notes': 'string',
            'RejectionReason': 'string',
            'OnlySendByOwner': True|False,
            'UpdatedTime': datetime(2015, 1, 1)
        },
    ],
    'Marker': 'string',
    'isTruncated': True|False
}

Response Structure

  • (dict) --

    • DelegationRequests (list) --

      A list of delegation requests that match the specified criteria.

      • (dict) --

        Contains information about a delegation request, including its status, permissions, and associated metadata.

        • DelegationRequestId (string) --

          The unique identifier for the delegation request.

        • OwnerAccountId (string) --

          Amazon Web Services account ID of the owner of the delegation request.

        • Description (string) --

          Description of the delegation request. This is a message that is provided by the Amazon Web Services partner that filed the delegation request.

        • RequestMessage (string) --

          A custom message that is added to the delegation request by the partner.

          This element differs from the Description element in that it is a request-specific message injected by the partner. The Description is typically a generic explanation of what the delegation request is intended to do.

        • Permissions (dict) --

          Contains information about the permissions being delegated in a delegation request.

          • PolicyTemplateArn (string) --

            This ARN maps to a pre-registered policy content for this partner. See the partner onboarding documentation to understand how to create a delegation template.

          • Parameters (list) --

            A list of policy parameters that define the scope and constraints of the delegated permissions.

            • (dict) --

              Contains information about a policy parameter used to customize delegated permissions.

              • Name (string) --

                The name of the policy parameter.

              • Values (list) --

                The allowed values for the policy parameter.

                • (string) --

              • Type (string) --

                The data type of the policy parameter value.

        • PermissionPolicy (string) --

          JSON content of the associated permission policy of this delegation request.

        • RolePermissionRestrictionArns (list) --

          If the PermissionPolicy includes role creation permissions, this element will include the list of permissions boundary policies associated with the role creation. See Permissions boundaries for IAM entities for more details about IAM permission boundaries.

          • (string) --

            The Amazon Resource Name (ARN). ARNs are unique identifiers for Amazon Web Services resources.

            For more information about ARNs, go to Amazon Resource Names (ARNs) in the Amazon Web Services General Reference.

        • OwnerId (string) --

          ARN of the owner of this delegation request.

        • ApproverId (string) --

          The Amazon Resource Name (ARN). ARNs are unique identifiers for Amazon Web Services resources.

          For more information about ARNs, go to Amazon Resource Names (ARNs) in the Amazon Web Services General Reference.

        • State (string) --

          The state of this delegation request.

          See Understanding the Request Lifecycle for an explanation of how these states transition.

        • RequestorId (string) --

          Identity of the requestor of this delegation request. This will be an Amazon Web Services account ID.

        • RequestorName (string) --

          A friendly name of the requestor.

        • CreateDate (datetime) --

          Creation date (timestamp) of this delegation request.

        • SessionDuration (integer) --

          The lifetime of the requested session credential.

        • RedirectUrl (string) --

          A URL to be redirected to once the delegation request is approved. Partners provide this URL when creating the delegation request.

        • Notes (string) --

          Notes added to this delegation request, if this request was updated via the UpdateDelegationRequest API.

        • RejectionReason (string) --

          Reasons for rejecting this delegation request, if this request was rejected. See also RejectDelegationRequest API documentation.

        • OnlySendByOwner (boolean) --

          A flag indicating whether the SendDelegationToken must be called by the owner of this delegation request. This is set by the requesting partner.

        • UpdatedTime (datetime) --

          Last updated timestamp of the request.

    • Marker (string) --

      When isTruncated is true, this element is present and contains the value to use for the Marker parameter in a subsequent pagination request.

    • isTruncated (boolean) --

      A flag that indicates whether there are more items to return. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more items.
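The reference says IAM may return fewer items than MaxItems, or even an empty page, while more results remain, and the response key is spelled isTruncated in the syntax but IsTruncated in the parameter text. The following is an added example, not AWS or boto3 code: a pagination loop that keys on the Marker rather than on page size, tolerates both spellings, and refuses to loop forever if a Marker repeats. The FakeListClient and its pages are constructed so it runs offline; the terminal-state set is an assumption drawn from the state descriptions on this page.

```python
# Constructed pages in the ListDelegationRequests response shape (not real AWS
# output). The middle page is deliberately empty but still truncated.
_PAGES = {
    None: {"DelegationRequests": [{"DelegationRequestId": "req-a", "State": "PENDING_APPROVAL"}],
           "Marker": "m1", "isTruncated": True},
    "m1": {"DelegationRequests": [], "Marker": "m2", "isTruncated": True},
    "m2": {"DelegationRequests": [{"DelegationRequestId": "req-b", "State": "REJECTED"},
                                  {"DelegationRequestId": "req-c", "State": "ACCEPTED"}],
           "isTruncated": False},
}


class FakeListClient:
    """Offline stand-in for boto3's IAM client with the documented call signature."""
    def list_delegation_requests(self, **kwargs):
        return _PAGES[kwargs.get("Marker")]


def iter_delegation_requests(client, owner_id=None, max_items=100, max_pages=1000):
    """Yield every delegation request visible to the caller, following Marker.
    Reads 'isTruncated' (response syntax) and falls back to 'IsTruncated'."""
    kwargs = {"MaxItems": max_items}
    if owner_id:
        kwargs["OwnerId"] = owner_id
    seen_markers = set()
    for _ in range(max_pages):
        page = client.list_delegation_requests(**kwargs)
        yield from page.get("DelegationRequests", [])
        truncated = page.get("isTruncated", page.get("IsTruncated", False))
        marker = page.get("Marker")
        if not truncated or not marker:
            return
        if marker in seen_markers:   # guard against a misbehaving or replayed response
            raise RuntimeError(f"pagination loop: Marker {marker!r} repeated")
        seen_markers.add(marker)
        kwargs["Marker"] = marker
    raise RuntimeError(f"gave up after {max_pages} pages")


# Assumption: these are the states from which no further owner action is
# possible according to the API descriptions (rejected requests cannot be
# accepted or updated, finalized requests cannot be rolled back).
TERMINAL_STATES = {"REJECTED", "FINALIZED", "EXPIRED"}


def open_requests(client, owner_id=None):
    """Requests the owner may still act on (accept, reject, update or send token)."""
    return [r for r in iter_delegation_requests(client, owner_id)
            if r.get("State") not in TERMINAL_STATES]
```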

RejectDelegationRequest (new)

Rejects a delegation request, denying the requested temporary access.

Once a request is rejected, it cannot be accepted or updated later. Rejected requests expire after 7 days.

When rejecting a request, an optional explanation can be added using the Notes request parameter.

For more details, see Managing Permissions for Delegation Requests.

See also: AWS API Documentation

Request Syntax

client.reject_delegation_request(
    DelegationRequestId='string',
    Notes='string'
)
type DelegationRequestId:

string

param DelegationRequestId:

[REQUIRED]

The unique identifier of the delegation request to reject.

type Notes:

string

param Notes:

Optional notes explaining the reason for rejecting the delegation request.

returns:

None

GetHumanReadableSummary (new)

Retrieves a human readable summary for a given entity. At this time, the only supported entity type is delegation-request.

This method uses a Large Language Model (LLM) to generate the summary.

If a delegation request has no owner or owner account, GetHumanReadableSummary for that delegation request can be called by any account. If the owner account is assigned but there is no owner id, only identities within that owner account can call GetHumanReadableSummary for the delegation request to retrieve a summary of that request. Once the delegation request is fully owned, the owner of the request gets a default permission to get that delegation request. For more details, read default permissions granted to delegation requests. These rules are identical to the GetDelegationRequest API behavior, such that a party who has permissions to call GetDelegationRequest for a given delegation request will always be able to retrieve the human readable summary for that request.

See also: AWS API Documentation

Request Syntax

client.get_human_readable_summary(
    EntityArn='string',
    Locale='string'
)
type EntityArn:

string

param EntityArn:

[REQUIRED]

ARN of the entity to be summarized. At this time, the only supported entity type is delegation-request.

type Locale:

string

param Locale:

A string representing the locale to use for the summary generation. The supported locale strings are based on the Supported languages of the Amazon Web Services Management Console.

rtype:

dict

returns:

Response Syntax

{
    'SummaryContent': 'string',
    'Locale': 'string',
    'SummaryState': 'AVAILABLE'|'NOT_AVAILABLE'|'NOT_SUPPORTED'|'FAILED'
}

Response Structure

  • (dict) --

    • SummaryContent (string) --

      Summary content in the specified locale. Summary content is non-empty only if the SummaryState is AVAILABLE.

    • Locale (string) --

      The locale that this response was generated for. This maps to the input locale.

    • SummaryState (string) --

      State of summary generation. This generation process is asynchronous and this attribute indicates the state of the generation process.