Amazon.IdentityManagement.Model

This data type is used as a response element in the CreateAccessKey and ListAccessKeys actions.

This data type is used as a response element in the GetAccessKeyLastUsed action.

This data type is used as a response element in the ListAccessKeys action.

This action is idempotent; it does not fail or return an error if you add an existing client ID to the provider.

An attached policy is a managed policy that has been attached to a user, group, or role. This data type is used as a response element in the ListAttachedGroupPolicies, ListAttachedRolePolicies, ListAttachedUserPolicies, and GetAccountAuthorizationDetails actions.

For more information about managed policies, refer to Managed Policies and Inline Policies in the Using IAM guide.

You use this API to attach a managed policy to a group. To embed an inline policy in a group, use PutGroupPolicy.

For more information about policies, refer to Managed Policies and Inline Policies in the IAM User Guide.

When you attach a managed policy to a role, the managed policy is used as the role's access (permissions) policy. You cannot use a managed policy as the role's trust policy. The role's trust policy is created at the same time as the role, using CreateRole. You can update a role's trust policy using UpdateAssumeRolePolicy.

Use this API to attach a managed policy to a role. To embed an inline policy in a role, use PutRolePolicy. For more information about policies, refer to Managed Policies and Inline Policies in the IAM User Guide.

You use this API to attach a managed policy to a user. To embed an inline policy in a user, use PutUserPolicy.

For more information about policies, refer to Managed Policies and Inline Policies in the IAM User Guide.

To change the password for a different user, see UpdateLoginProfile. For more information about modifying passwords, see Managing Passwords in the IAM User Guide.

This data type is used as an input parameter to SimulatePolicy.

If you do not specify a user name, IAM determines the user name implicitly based on the AWS access key ID signing the request. Because this action works for access keys under the AWS account, you can use this action to manage root credentials even if the AWS account has no associated users.

For information about limits on the number of keys you can create, see Limitations on IAM Entities in the IAM User Guide.

For information about the number of groups you can create, see Limitations on IAM Entities in the IAM User Guide.

For information about the number of instance profiles you can create, see Limitations on IAM Entities in the IAM User Guide.

The OIDC provider that you create with this operation can be used as a principal in a role's trust policy to establish a trust relationship between AWS and the OIDC provider.

When you create the IAM OIDC provider, you specify the URL of the OIDC identity provider (IdP) to trust, a list of client IDs (also known as audiences) that identify the application or applications that are allowed to authenticate using the OIDC provider, and a list of thumbprints of the server certificate(s) that the IdP uses. You get all of this information from the OIDC IdP that you want to use for access to AWS.

This operation creates a policy version with a version identifier of v1 and sets v1 as the policy's default version. For more information about policy versions, see Versioning for Managed Policies in the IAM User Guide.

For more information about managed policies in general, refer to Managed Policies and Inline Policies in the IAM User Guide.

Optionally, you can set the new version as the policy's default version. The default version is the operative version; that is, the version that is in effect for the IAM users, groups, and roles that the policy is attached to.

For more information about managed policy versions, see Versioning for Managed Policies in the IAM User Guide.

The SAML provider that you create with this operation can be used as a principal in a role's trust policy to establish a trust relationship between AWS and a SAML identity provider. You can create an IAM role that supports Web-based single sign-on (SSO) to the AWS Management Console or one that supports API access to AWS.

When you create the SAML provider, you upload an a SAML metadata document that you get from your IdP and that includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that are received from the IdP. You must generate the metadata document using the identity management software that is used as your organization's IdP.

For more information, see Enabling SAML 2.0 Federated Users to Access the AWS Management Console and About SAML 2.0-based Federation in the IAM User Guide.

For information about limitations on the number of users you can create, see Limitations on IAM Entities in the IAM User Guide.

For information about limits on the number of MFA devices you can create, see Limitations on Entities in the Using IAM guide.

For more information about creating and working with virtual MFA devices, go to Using a Virtual MFA Device in the Using IAM guide.

If you do not specify a user name, IAM determines the user name implicitly based on the AWS access key ID signing the request. Because this action works for access keys under the AWS account, you can use this action to manage root credentials even if the AWS account has no associated users.

A group can also have managed policies attached to it. To detach a managed policy from a group, use DetachGroupPolicy. For more information about policies, refer to Managed Policies and Inline Policies in the IAM User Guide.

For more information about instance profiles, go to About Instance Profiles.

Deleting an OIDC provider does not update any roles that reference the provider as a principal in their trust policies. Any attempt to assume a role that references a provider that has been deleted will fail.

This action is idempotent; it does not fail or return an error if you call the action for a provider that was already deleted.

Before you can delete a managed policy, you must detach the policy from all users, groups, and roles that it is attached to, and you must delete all of the policy's versions. The following steps describe the process for deleting a managed policy:

1. Detach the policy from all users, groups, and roles that the policy is attached to, using the DetachUserPolicy, DetachGroupPolicy, or DetachRolePolicy APIs. To list all the users, groups, and roles that a policy is attached to, use ListEntitiesForPolicy.
2. Delete all versions of the policy using DeletePolicyVersion. To list the policy's versions, use ListPolicyVersions. You cannot use DeletePolicyVersion to delete the version that is marked as the default version. You delete the policy's default version in the next step of the process.
3. Delete the policy (this automatically deletes the policy's default version) using this API.

For information about managed policies, refer to Managed Policies and Inline Policies in the IAM User Guide.

You cannot delete the default version of a policy using this API. To delete the default version of a policy, use DeletePolicy. To find out which version of a policy is marked as the default version, use ListPolicyVersions.

For information about versions for managed policies, refer to Versioning for Managed Policies in the IAM User Guide.

A role can also have managed policies attached to it. To detach a managed policy from a role, use DetachRolePolicy. For more information about policies, refer to Managed Policies and Inline Policies in the IAM User Guide.

Deleting the provider does not update any roles that reference the SAML provider as a principal in their trust policies. Any attempt to assume a role that references a SAML provider that has been deleted will fail.

For more information about working with server certificates, including a list of AWS services that can use the server certificates that you manage with IAM, go to Working with Server Certificates in the IAM User Guide.

If you do not specify a user name, IAM determines the user name implicitly based on the AWS access key ID signing the request. Because this action works for access keys under the AWS account, you can use this action to manage root credentials even if the AWS account has no associated users.

The SSH public key deleted by this action is used only for authenticating the associated IAM user to an AWS CodeCommit repository. For more information about using SSH keys to authenticate to an AWS CodeCommit repository, see Set up AWS CodeCommit for SSH Connections in the AWS CodeCommit User Guide.

A user can also have managed policies attached to it. To detach a managed policy from a user, use DetachUserPolicy. For more information about policies, refer to Managed Policies and Inline Policies in the IAM User Guide.

A group can also have inline policies embedded with it. To delete an inline policy, use the DeleteGroupPolicy API. For information about policies, refer to Managed Policies and Inline Policies in the IAM User Guide.

A role can also have inline policies embedded with it. To delete an inline policy, use the DeleteRolePolicy API. For information about policies, refer to Managed Policies and Inline Policies in the IAM User Guide.

A user can also have inline policies embedded with it. To delete an inline policy, use the DeleteUserPolicy API. For information about policies, refer to Managed Policies and Inline Policies in the IAM User Guide.

This data type is used by the return parameter of SimulatePolicy.

You can optionally filter the results using the Filter parameter. You can paginate the results using the MaxItems and Marker parameters.

For information about limitations on IAM entities, see Limitations on IAM Entities in the IAM User Guide.

Context keys are variables maintained by AWS and its services that provide details about the context of an API query request, and can be evaluated by using the Condition element of an IAM policy. Use GetContextKeysForCustomPolicy to understand what key names and values you must supply when you call SimulateCustomPolicy. Note that all parameters are shown in unencoded form here for clarity, but must be URL encoded to be included as a part of a real HTML request.

You can optionally include a list of one or more additional policies, specified as strings. If you want to include only a list of policies by string, use GetContextKeysForCustomPolicy instead.

Note: This API discloses information about the permissions granted to other users. If you do not want users to see other user's permissions, then consider allowing them to use GetContextKeysForCustomPolicy instead.

Context keys are variables maintained by AWS and its services that provide details about the context of an API query request, and can be evaluated by using the Condition element of an IAM policy. Use GetContextKeysForPrincipalPolicy to understand what key names and values you must supply when you call SimulatePrincipalPolicy.

A group can also have managed policies attached to it. To retrieve a managed policy document that is attached to a group, use GetPolicy to determine the policy's default version, then use GetPolicyVersion to retrieve the policy document.

For more information about policies, refer to Managed Policies and Inline Policies in the IAM User Guide.

This API retrieves information about managed policies. To retrieve information about an inline policy that is embedded with a user, group, or role, use the GetUserPolicy, GetGroupPolicy, or GetRolePolicy API.

For more information about policies, refer to Managed Policies and Inline Policies in the IAM User Guide.

To list the available versions for a policy, use ListPolicyVersions.

This API retrieves information about managed policies. To retrieve information about an inline policy that is embedded in a user, group, or role, use the GetUserPolicy, GetGroupPolicy, or GetRolePolicy API.

For more information about the types of policies, refer to Managed Policies and Inline Policies in the IAM User Guide.

A role can also have managed policies attached to it. To retrieve a managed policy document that is attached to a role, use GetPolicy to determine the policy's default version, then use GetPolicyVersion to retrieve the policy document.

For more information about policies, refer to Managed Policies and Inline Policies in the IAM User Guide.

For more information about roles, go to Using Roles to Delegate Permissions and Federate Identities.

For more information about working with server certificates, including a list of AWS services that can use the server certificates that you manage with IAM, go to Working with Server Certificates in the IAM User Guide.

The SSH public key retrieved by this action is used only for authenticating the associated IAM user to an AWS CodeCommit repository. For more information about using SSH keys to authenticate to an AWS CodeCommit repository, see Set up AWS CodeCommit for SSH Connections in the AWS CodeCommit User Guide.

A user can also have managed policies attached to it. To retrieve a managed policy document that is attached to a user, use GetPolicy to determine the policy's default version, then use GetPolicyVersion to retrieve the policy document.

For more information about policies, refer to Managed Policies and Inline Policies in the IAM User Guide.

If you do not specify a user name, IAM determines the user name implicitly based on the AWS access key ID used to sign the request.

This data type is used as a response element in the following actions:

• CreateGroup
• GetGroup
• ListGroups

This data type is used as a response element in the GetAccountAuthorizationDetails action.

This data type is used as a response element in the following actions:

• CreateInstanceProfile

• GetInstanceProfile

• ListInstanceProfiles

• ListInstanceProfilesForRole

Although each user is limited to a small number of keys, you can still paginate the results using the MaxItems and Marker parameters.

If the UserName field is not specified, the UserName is determined implicitly based on the AWS access key ID used to sign the request. Because this action works for access keys under the AWS account, you can use this action to manage root credentials even if the AWS account has no associated users.

A group can also have inline policies embedded with it. To list the inline policies for a group, use the ListGroupPolicies API. For information about policies, refer to Managed Policies and Inline Policies in the IAM User Guide.

You can paginate the results using the MaxItems and Marker parameters. You can use the PathPrefix parameter to limit the list of policies to only those matching the specified path prefix. If there are no policies attached to the specified group (or none that match the specified path prefix), the action returns an empty list.

A role can also have inline policies embedded with it. To list the inline policies for a role, use the ListRolePolicies API. For information about policies, refer to Managed Policies and Inline Policies in the IAM User Guide.

You can paginate the results using the MaxItems and Marker parameters. You can use the PathPrefix parameter to limit the list of policies to only those matching the specified path prefix. If there are no policies attached to the specified role (or none that match the specified path prefix), the action returns an empty list.

A user can also have inline policies embedded with it. To list the inline policies for a user, use the ListUserPolicies API. For information about policies, refer to Managed Policies and Inline Policies in the IAM User Guide.

You can paginate the results using the MaxItems and Marker parameters. You can use the PathPrefix parameter to limit the list of policies to only those matching the specified path prefix. If there are no policies attached to the specified group (or none that match the specified path prefix), the action returns an empty list.

You can use the optional EntityFilter parameter to limit the results to a particular type of entity (users, groups, or roles). For example, to list only the roles that are attached to the specified policy, set EntityFilter to Role.

You can paginate the results using the MaxItems and Marker parameters.

A group can also have managed policies attached to it. To list the managed policies that are attached to a group, use ListAttachedGroupPolicies. For more information about policies, refer to Managed Policies and Inline Policies in the IAM User Guide.

You can paginate the results using the MaxItems and Marker parameters. If there are no inline policies embedded with the specified group, the action returns an empty list.

You can paginate the results using the MaxItems and Marker parameters.

You can paginate the results using the MaxItems and Marker parameters.

You can paginate the results using the MaxItems and Marker parameters.

You can paginate the results using the MaxItems and Marker parameters.

You can paginate the results using the MaxItems and Marker parameters.

You can filter the list of policies that is returned using the optional OnlyAttached, Scope, and PathPrefix parameters. For example, to list only the customer managed policies in your AWS account, set Scope to Local. To list only AWS managed policies, set Scope to AWS.

You can paginate the results using the MaxItems and Marker parameters.

For more information about managed policies, refer to Managed Policies and Inline Policies in the IAM User Guide.

For more information about managed policies, refer to Managed Policies and Inline Policies in the IAM User Guide.

A role can also have managed policies attached to it. To list the managed policies that are attached to a role, use ListAttachedRolePolicies. For more information about policies, refer to Managed Policies and Inline Policies in the IAM User Guide.

You can paginate the results using the MaxItems and Marker parameters. If there are no inline policies embedded with the specified role, the action returns an empty list.

You can paginate the results using the MaxItems and Marker parameters.

You can paginate the results using the MaxItems and Marker parameters.

For more information about working with server certificates, including a list of AWS services that can use the server certificates that you manage with IAM, go to Working with Server Certificates in the IAM User Guide.

Although each user is limited to a small number of signing certificates, you can still paginate the results using the MaxItems and Marker parameters.

If the UserName field is not specified, the user name is determined implicitly based on the AWS access key ID used to sign the request. Because this action works for access keys under the AWS account, you can use this action to manage root credentials even if the AWS account has no associated users.

The SSH public keys returned by this action are used only for authenticating the IAM user to an AWS CodeCommit repository. For more information about using SSH keys to authenticate to an AWS CodeCommit repository, see Set up AWS CodeCommit for SSH Connections in the AWS CodeCommit User Guide.

Although each user is limited to a small number of keys, you can still paginate the results using the MaxItems and Marker parameters.

A user can also have managed policies attached to it. To list the managed policies that are attached to a user, use ListAttachedUserPolicies. For more information about policies, refer to Managed Policies and Inline Policies in the IAM User Guide.

You can paginate the results using the MaxItems and Marker parameters. If there are no inline policies embedded with the specified user, the action returns an empty list.

You can paginate the results using the MaxItems and Marker parameters.

You can paginate the results using the MaxItems and Marker parameters.

This data type is used as a response element in the CreateLoginProfile and GetLoginProfile actions.

This data type is used as a response element in the CreatePolicy, GetPolicy, and ListPolicies actions.

For more information about managed policies, refer to Managed Policies and Inline Policies in the Using IAM guide.

This data type is used as a response element in the GetAccountAuthorizationDetails action.

For more information about managed policies, see Managed Policies and Inline Policies in the Using IAM guide.

This data type is used as a response element in the ListMFADevices action.

This data type is used as a response element in the GetAccountPasswordPolicy action.

This data type is used as a response element in the GetAccountAuthorizationDetails action.

This data type is used as a response element in the ListEntitiesForPolicy action.

For more information about managed policies, refer to Managed Policies and Inline Policies in the Using IAM guide.

This data type is used as a response element in the ListEntitiesForPolicy action.

For more information about managed policies, refer to Managed Policies and Inline Policies in the Using IAM guide.

This data type is used as a response element in the ListEntitiesForPolicy action.

For more information about managed policies, refer to Managed Policies and Inline Policies in the Using IAM guide.

This data type is used as a response element in the CreatePolicyVersion, GetPolicyVersion, ListPolicyVersions, and GetAccountAuthorizationDetails actions.

For more information about managed policies, refer to Managed Policies and Inline Policies in the Using IAM guide.

This data type is used as a member of the Statement type.

A user can also have managed policies attached to it. To attach a managed policy to a group, use AttachGroupPolicy. To create a new managed policy, use CreatePolicy. For information about policies, refer to Managed Policies and Inline Policies in the IAM User Guide.

For information about limits on the number of inline policies that you can embed in a group, see Limitations on IAM Entities in the IAM User Guide.

When you embed an inline policy in a role, the inline policy is used as the role's access (permissions) policy. The role's trust policy is created at the same time as the role, using CreateRole. You can update a role's trust policy using UpdateAssumeRolePolicy. For more information about roles, go to Using Roles to Delegate Permissions and Federate Identities.

A role can also have a managed policy attached to it. To attach a managed policy to a role, use AttachRolePolicy. To create a new managed policy, use CreatePolicy. For information about policies, refer to Managed Policies and Inline Policies in the IAM User Guide.

For information about limits on the number of inline policies that you can embed with a role, see Limitations on IAM Entities in the IAM User Guide.

A user can also have a managed policy attached to it. To attach a managed policy to a user, use AttachUserPolicy. To create a new managed policy, use CreatePolicy. For information about policies, refer to Managed Policies and Inline Policies in the IAM User Guide.

For information about limits on the number of inline policies that you can embed in a user, see Limitations on IAM Entities in the IAM User Guide.

This action is idempotent; it does not fail or return an error if you try to remove a client ID that was removed previously.

For more information about roles, go to Working with Roles. For more information about instance profiles, go to About Instance Profiles.

This data type is used by a member of the EvaluationResult data type.

For more information about creating and working with virtual MFA devices, go to Using a Virtual MFA Device in the Using IAM guide.

This data type is used as a response element in the following actions:

• CreateRole

• GetRole

• ListRoles

This data type is used as a response element in the GetAccountAuthorizationDetails action.

This data type is used as a response element in the GetServerCertificate action.

This data type is used as a response element in the UploadServerCertificate and ListServerCertificates actions.

This action affects all users, groups, and roles that the policy is attached to. To list the users, groups, and roles that the policy is attached to, use the ListEntitiesForPolicy API.

For information about managed policies, refer to Managed Policies and Inline Policies in the IAM User Guide.

This data type is used as a response element in the UploadSigningCertificate and ListSigningCertificates actions.

The simulation does not perform the API actions; it only checks the authorization to determine if the simulated policies allow or deny the actions.

If you want to simulate existing policies attached to an IAM user, group, or role, use SimulatePrincipalPolicy instead.

Context keys are variables maintained by AWS and its services that provide details about the context of an API query request. You can use the Condition element of an IAM policy to evaluate context keys. To get the list of context keys that the policies require for correct simulation, use GetContextKeysForCustomPolicy.

If the output is long, you can use MaxItems and Marker parameters to paginate the results.

You can optionally include a list of one or more additional policies specified as strings to include in the simulation. If you want to simulate only policies specified as strings, use SimulateCustomPolicy instead.

You can also optionally include one resource-based policy to be evaluated with each of the resources included in the simulation.

The simulation does not perform the API actions, it only checks the authorization to determine if the simulated policies allow or deny the actions.

Note: This API discloses information about the permissions granted to other users. If you do not want users to see other user's permissions, then consider allowing them to use SimulateCustomPolicy instead.

Context keys are variables maintained by AWS and its services that provide details about the context of an API query request. You can use the Condition element of an IAM policy to evaluate context keys. To get the list of context keys that the policies require for correct simulation, use GetContextKeysForPrincipalPolicy.

If the output is long, you can use the MaxItems and Marker parameters to paginate the results.

This data type is used as a response element in the GetSSHPublicKey and UploadSSHPublicKey actions.

This data type is used as a response element in the ListSSHPublicKeys action.

This data type is used by the MatchedStatements member of the EvaluationResult type.

If the UserName field is not specified, the UserName is determined implicitly based on the AWS access key ID used to sign the request. Because this action works for access keys under the AWS account, you can use this action to manage root credentials even if the AWS account has no associated users.

For information about rotating keys, see Managing Keys and Certificates in the IAM User Guide.

For more information about using a password policy, see Managing an IAM Password Policy in the IAM User Guide.

Users can change their own passwords by calling ChangePassword. For more information about modifying passwords, see Managing Passwords in the IAM User Guide.

The list that you pass with this action completely replaces the existing list of thumbprints. (The lists are not merged.)

Typically, you need to update a thumbprint only when the identity provider's certificate changes, which occurs rarely. However, if the provider's certificate does change, any attempt to assume an IAM role that specifies the OIDC provider as a principal will fail until the certificate thumbprint is updated.

For more information about working with server certificates, including a list of AWS services that can use the server certificates that you manage with IAM, go to Working with Server Certificates in the IAM User Guide.

If the UserName field is not specified, the UserName is determined implicitly based on the AWS access key ID used to sign the request. Because this action works for access keys under the AWS account, you can use this action to manage root credentials even if the AWS account has no associated users.

The SSH public key affected by this action is used only for authenticating the associated IAM user to an AWS CodeCommit repository. For more information about using SSH keys to authenticate to an AWS CodeCommit repository, see Set up AWS CodeCommit for SSH Connections in the AWS CodeCommit User Guide.

For more information about working with server certificates, including a list of AWS services that can use the server certificates that you manage with IAM, go to Working with Server Certificates in the IAM User Guide.

For information about the number of server certificates you can upload, see Limitations on IAM Entities and Objects in the IAM User Guide.

If the UserName field is not specified, the user name is determined implicitly based on the AWS access key ID used to sign the request. Because this action works for access keys under the AWS account, you can use this action to manage root credentials even if the AWS account has no associated users.

The SSH public key uploaded by this action can be used only for authenticating the associated IAM user to an AWS CodeCommit repository. For more information about using SSH keys to authenticate to an AWS CodeCommit repository, see Set up AWS CodeCommit for SSH Connections in the AWS CodeCommit User Guide.

This data type is used as a response element in the following actions:

• CreateUser

• GetUser

• ListUsers

This data type is used as a response element in the GetAccountAuthorizationDetails action.