IAM Roles Anywhere 2018-05-10
- Client: Aws\RolesAnywhere\RolesAnywhereClient
- Service ID: rolesanywhere
- Version: 2018-05-10
This page describes the parameters and results for the operations of the IAM Roles Anywhere (2018-05-10), and shows how to use the Aws\RolesAnywhere\RolesAnywhereClient object to call the described operations. This documentation is specific to the 2018-05-10 API version of the service.
Operation Summary
Each of the following operations can be created from a client using
$client->getCommand('CommandName')
, where "CommandName" is the
name of one of the following operations. Note: a command is a value that
encapsulates an operation and the parameters used to create an HTTP request.
You can also create and send a command immediately using the magic methods
available on a client object: $client->commandName(/* parameters */)
.
You can send the command asynchronously (returning a promise) by appending the
word "Async" to the operation name: $client->commandNameAsync(/* parameters */)
.
- CreateProfile ( array $params = [] )
- Creates a profile, a list of the roles that Roles Anywhere service is trusted to assume.
- CreateTrustAnchor ( array $params = [] )
- Creates a trust anchor to establish trust between IAM Roles Anywhere and your certificate authority (CA).
- DeleteAttributeMapping ( array $params = [] )
- Delete an entry from the attribute mapping rules enforced by a given profile.
- DeleteCrl ( array $params = [] )
- Deletes a certificate revocation list (CRL).
- DeleteProfile ( array $params = [] )
- Deletes a profile.
- DeleteTrustAnchor ( array $params = [] )
- Deletes a trust anchor.
- DisableCrl ( array $params = [] )
- Disables a certificate revocation list (CRL).
- DisableProfile ( array $params = [] )
- Disables a profile.
- DisableTrustAnchor ( array $params = [] )
- Disables a trust anchor.
- EnableCrl ( array $params = [] )
- Enables a certificate revocation list (CRL).
- EnableProfile ( array $params = [] )
- Enables temporary credential requests for a profile.
- EnableTrustAnchor ( array $params = [] )
- Enables a trust anchor.
- GetCrl ( array $params = [] )
- Gets a certificate revocation list (CRL).
- GetProfile ( array $params = [] )
- Gets a profile.
- GetSubject ( array $params = [] )
- Gets a subject, which associates a certificate identity with authentication attempts.
- GetTrustAnchor ( array $params = [] )
- Gets a trust anchor.
- ImportCrl ( array $params = [] )
- Imports the certificate revocation list (CRL).
- ListCrls ( array $params = [] )
- Lists all certificate revocation lists (CRL) in the authenticated account and Amazon Web Services Region.
- ListProfiles ( array $params = [] )
- Lists all profiles in the authenticated account and Amazon Web Services Region.
- ListSubjects ( array $params = [] )
- Lists the subjects in the authenticated account and Amazon Web Services Region.
- ListTagsForResource ( array $params = [] )
- Lists the tags attached to the resource.
- ListTrustAnchors ( array $params = [] )
- Lists the trust anchors in the authenticated account and Amazon Web Services Region.
- PutAttributeMapping ( array $params = [] )
- Put an entry in the attribute mapping rules that will be enforced by a given profile.
- PutNotificationSettings ( array $params = [] )
- Attaches a list of notification settings to a trust anchor.
- ResetNotificationSettings ( array $params = [] )
- Resets the custom notification setting to IAM Roles Anywhere default setting.
- TagResource ( array $params = [] )
- Attaches tags to a resource.
- UntagResource ( array $params = [] )
- Removes tags from the resource.
- UpdateCrl ( array $params = [] )
- Updates the certificate revocation list (CRL).
- UpdateProfile ( array $params = [] )
- Updates a profile, a list of the roles that IAM Roles Anywhere service is trusted to assume.
- UpdateTrustAnchor ( array $params = [] )
- Updates a trust anchor.
Paginators
Paginators handle automatically iterating over paginated API results. Paginators are associated with specific API operations, and they accept the parameters that the corresponding API operation accepts. You can get a paginator from a client class using getPaginator($paginatorName, $operationParameters). This client supports the following paginators:
Operations
CreateProfile
$result = $client->createProfile
([/* ... */]); $promise = $client->createProfileAsync
([/* ... */]);
Creates a profile, a list of the roles that Roles Anywhere service is trusted to assume. You use profiles to intersect permissions with IAM managed policies.
Required permissions: rolesanywhere:CreateProfile
.
Parameter Syntax
$result = $client->createProfile([ 'acceptRoleSessionName' => true || false, 'durationSeconds' => <integer>, 'enabled' => true || false, 'managedPolicyArns' => ['<string>', ...], 'name' => '<string>', // REQUIRED 'requireInstanceProperties' => true || false, 'roleArns' => ['<string>', ...], // REQUIRED 'sessionPolicy' => '<string>', 'tags' => [ [ 'key' => '<string>', // REQUIRED 'value' => '<string>', // REQUIRED ], // ... ], ]);
Parameter Details
Members
- acceptRoleSessionName
-
- Type: boolean
Used to determine if a custom role session name will be accepted in a temporary credential request.
- durationSeconds
-
- Type: int
Used to determine how long sessions vended using this profile are valid for. See the
Expiration
section of the CreateSession API documentation page for more details. In requests, if this value is not provided, the default value will be 3600. - enabled
-
- Type: boolean
Specifies whether the profile is enabled.
- managedPolicyArns
-
- Type: Array of strings
A list of managed policy ARNs that apply to the vended session credentials.
- name
-
- Required: Yes
- Type: string
The name of the profile.
- requireInstanceProperties
-
- Type: boolean
Specifies whether instance properties are required in temporary credential requests with this profile.
- roleArns
-
- Required: Yes
- Type: Array of strings
A list of IAM roles that this profile can assume in a temporary credential request.
- sessionPolicy
-
- Type: string
A session policy that applies to the trust boundary of the vended session credentials.
- tags
-
- Type: Array of Tag structures
The tags to attach to the profile.
Result Syntax
[ 'profile' => [ 'acceptRoleSessionName' => true || false, 'attributeMappings' => [ [ 'certificateField' => 'x509Subject|x509Issuer|x509SAN', 'mappingRules' => [ [ 'specifier' => '<string>', ], // ... ], ], // ... ], 'createdAt' => <DateTime>, 'createdBy' => '<string>', 'durationSeconds' => <integer>, 'enabled' => true || false, 'managedPolicyArns' => ['<string>', ...], 'name' => '<string>', 'profileArn' => '<string>', 'profileId' => '<string>', 'requireInstanceProperties' => true || false, 'roleArns' => ['<string>', ...], 'sessionPolicy' => '<string>', 'updatedAt' => <DateTime>, ], ]
Result Details
Members
- profile
-
- Type: ProfileDetail structure
The state of the profile after a read or write operation.
Errors
- ValidationException:
Validation exception error.
- AccessDeniedException:
You do not have sufficient access to perform this action.
CreateTrustAnchor
$result = $client->createTrustAnchor
([/* ... */]); $promise = $client->createTrustAnchorAsync
([/* ... */]);
Creates a trust anchor to establish trust between IAM Roles Anywhere and your certificate authority (CA). You can define a trust anchor as a reference to an Private Certificate Authority (Private CA) or by uploading a CA certificate. Your Amazon Web Services workloads can authenticate with the trust anchor using certificates issued by the CA in exchange for temporary Amazon Web Services credentials.
Required permissions: rolesanywhere:CreateTrustAnchor
.
Parameter Syntax
$result = $client->createTrustAnchor([ 'enabled' => true || false, 'name' => '<string>', // REQUIRED 'notificationSettings' => [ [ 'channel' => 'ALL', 'enabled' => true || false, // REQUIRED 'event' => 'CA_CERTIFICATE_EXPIRY|END_ENTITY_CERTIFICATE_EXPIRY', // REQUIRED 'threshold' => <integer>, ], // ... ], 'source' => [ // REQUIRED 'sourceData' => [ 'acmPcaArn' => '<string>', 'x509CertificateData' => '<string>', ], 'sourceType' => 'AWS_ACM_PCA|CERTIFICATE_BUNDLE|SELF_SIGNED_REPOSITORY', ], 'tags' => [ [ 'key' => '<string>', // REQUIRED 'value' => '<string>', // REQUIRED ], // ... ], ]);
Parameter Details
Members
- enabled
-
- Type: boolean
Specifies whether the trust anchor is enabled.
- name
-
- Required: Yes
- Type: string
The name of the trust anchor.
- notificationSettings
-
- Type: Array of NotificationSetting structures
A list of notification settings to be associated to the trust anchor.
- source
-
- Required: Yes
- Type: Source structure
The trust anchor type and its related certificate data.
- tags
-
- Type: Array of Tag structures
The tags to attach to the trust anchor.
Result Syntax
[ 'trustAnchor' => [ 'createdAt' => <DateTime>, 'enabled' => true || false, 'name' => '<string>', 'notificationSettings' => [ [ 'channel' => 'ALL', 'configuredBy' => '<string>', 'enabled' => true || false, 'event' => 'CA_CERTIFICATE_EXPIRY|END_ENTITY_CERTIFICATE_EXPIRY', 'threshold' => <integer>, ], // ... ], 'source' => [ 'sourceData' => [ 'acmPcaArn' => '<string>', 'x509CertificateData' => '<string>', ], 'sourceType' => 'AWS_ACM_PCA|CERTIFICATE_BUNDLE|SELF_SIGNED_REPOSITORY', ], 'trustAnchorArn' => '<string>', 'trustAnchorId' => '<string>', 'updatedAt' => <DateTime>, ], ]
Result Details
Members
- trustAnchor
-
- Required: Yes
- Type: TrustAnchorDetail structure
The state of the trust anchor after a read or write operation.
Errors
- ValidationException:
Validation exception error.
- AccessDeniedException:
You do not have sufficient access to perform this action.
DeleteAttributeMapping
$result = $client->deleteAttributeMapping
([/* ... */]); $promise = $client->deleteAttributeMappingAsync
([/* ... */]);
Delete an entry from the attribute mapping rules enforced by a given profile.
Parameter Syntax
$result = $client->deleteAttributeMapping([ 'certificateField' => 'x509Subject|x509Issuer|x509SAN', // REQUIRED 'profileId' => '<string>', // REQUIRED 'specifiers' => ['<string>', ...], ]);
Parameter Details
Members
- certificateField
-
- Required: Yes
- Type: string
Fields (x509Subject, x509Issuer and x509SAN) within X.509 certificates.
- profileId
-
- Required: Yes
- Type: string
The unique identifier of the profile.
- specifiers
-
- Type: Array of strings
A list of specifiers of a certificate field; for example, CN, OU, UID from a Subject.
Result Syntax
[ 'profile' => [ 'acceptRoleSessionName' => true || false, 'attributeMappings' => [ [ 'certificateField' => 'x509Subject|x509Issuer|x509SAN', 'mappingRules' => [ [ 'specifier' => '<string>', ], // ... ], ], // ... ], 'createdAt' => <DateTime>, 'createdBy' => '<string>', 'durationSeconds' => <integer>, 'enabled' => true || false, 'managedPolicyArns' => ['<string>', ...], 'name' => '<string>', 'profileArn' => '<string>', 'profileId' => '<string>', 'requireInstanceProperties' => true || false, 'roleArns' => ['<string>', ...], 'sessionPolicy' => '<string>', 'updatedAt' => <DateTime>, ], ]
Result Details
Members
- profile
-
- Required: Yes
- Type: ProfileDetail structure
The state of the profile after a read or write operation.
Errors
- ValidationException:
Validation exception error.
- ResourceNotFoundException:
The resource could not be found.
- AccessDeniedException:
You do not have sufficient access to perform this action.
DeleteCrl
$result = $client->deleteCrl
([/* ... */]); $promise = $client->deleteCrlAsync
([/* ... */]);
Deletes a certificate revocation list (CRL).
Required permissions: rolesanywhere:DeleteCrl
.
Parameter Syntax
$result = $client->deleteCrl([ 'crlId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- crlId
-
- Required: Yes
- Type: string
The unique identifier of the certificate revocation list (CRL).
Result Syntax
[ 'crl' => [ 'createdAt' => <DateTime>, 'crlArn' => '<string>', 'crlData' => <string || resource || Psr\Http\Message\StreamInterface>, 'crlId' => '<string>', 'enabled' => true || false, 'name' => '<string>', 'trustAnchorArn' => '<string>', 'updatedAt' => <DateTime>, ], ]
Result Details
Members
- crl
-
- Required: Yes
- Type: CrlDetail structure
The state of the certificate revocation list (CRL) after a read or write operation.
Errors
- ResourceNotFoundException:
The resource could not be found.
- AccessDeniedException:
You do not have sufficient access to perform this action.
DeleteProfile
$result = $client->deleteProfile
([/* ... */]); $promise = $client->deleteProfileAsync
([/* ... */]);
Deletes a profile.
Required permissions: rolesanywhere:DeleteProfile
.
Parameter Syntax
$result = $client->deleteProfile([ 'profileId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- profileId
-
- Required: Yes
- Type: string
The unique identifier of the profile.
Result Syntax
[ 'profile' => [ 'acceptRoleSessionName' => true || false, 'attributeMappings' => [ [ 'certificateField' => 'x509Subject|x509Issuer|x509SAN', 'mappingRules' => [ [ 'specifier' => '<string>', ], // ... ], ], // ... ], 'createdAt' => <DateTime>, 'createdBy' => '<string>', 'durationSeconds' => <integer>, 'enabled' => true || false, 'managedPolicyArns' => ['<string>', ...], 'name' => '<string>', 'profileArn' => '<string>', 'profileId' => '<string>', 'requireInstanceProperties' => true || false, 'roleArns' => ['<string>', ...], 'sessionPolicy' => '<string>', 'updatedAt' => <DateTime>, ], ]
Result Details
Members
- profile
-
- Type: ProfileDetail structure
The state of the profile after a read or write operation.
Errors
- ResourceNotFoundException:
The resource could not be found.
- AccessDeniedException:
You do not have sufficient access to perform this action.
DeleteTrustAnchor
$result = $client->deleteTrustAnchor
([/* ... */]); $promise = $client->deleteTrustAnchorAsync
([/* ... */]);
Deletes a trust anchor.
Required permissions: rolesanywhere:DeleteTrustAnchor
.
Parameter Syntax
$result = $client->deleteTrustAnchor([ 'trustAnchorId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- trustAnchorId
-
- Required: Yes
- Type: string
The unique identifier of the trust anchor.
Result Syntax
[ 'trustAnchor' => [ 'createdAt' => <DateTime>, 'enabled' => true || false, 'name' => '<string>', 'notificationSettings' => [ [ 'channel' => 'ALL', 'configuredBy' => '<string>', 'enabled' => true || false, 'event' => 'CA_CERTIFICATE_EXPIRY|END_ENTITY_CERTIFICATE_EXPIRY', 'threshold' => <integer>, ], // ... ], 'source' => [ 'sourceData' => [ 'acmPcaArn' => '<string>', 'x509CertificateData' => '<string>', ], 'sourceType' => 'AWS_ACM_PCA|CERTIFICATE_BUNDLE|SELF_SIGNED_REPOSITORY', ], 'trustAnchorArn' => '<string>', 'trustAnchorId' => '<string>', 'updatedAt' => <DateTime>, ], ]
Result Details
Members
- trustAnchor
-
- Required: Yes
- Type: TrustAnchorDetail structure
The state of the trust anchor after a read or write operation.
Errors
- ResourceNotFoundException:
The resource could not be found.
- AccessDeniedException:
You do not have sufficient access to perform this action.
DisableCrl
$result = $client->disableCrl
([/* ... */]); $promise = $client->disableCrlAsync
([/* ... */]);
Disables a certificate revocation list (CRL).
Required permissions: rolesanywhere:DisableCrl
.
Parameter Syntax
$result = $client->disableCrl([ 'crlId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- crlId
-
- Required: Yes
- Type: string
The unique identifier of the certificate revocation list (CRL).
Result Syntax
[ 'crl' => [ 'createdAt' => <DateTime>, 'crlArn' => '<string>', 'crlData' => <string || resource || Psr\Http\Message\StreamInterface>, 'crlId' => '<string>', 'enabled' => true || false, 'name' => '<string>', 'trustAnchorArn' => '<string>', 'updatedAt' => <DateTime>, ], ]
Result Details
Members
- crl
-
- Required: Yes
- Type: CrlDetail structure
The state of the certificate revocation list (CRL) after a read or write operation.
Errors
- ResourceNotFoundException:
The resource could not be found.
- AccessDeniedException:
You do not have sufficient access to perform this action.
DisableProfile
$result = $client->disableProfile
([/* ... */]); $promise = $client->disableProfileAsync
([/* ... */]);
Disables a profile. When disabled, temporary credential requests with this profile fail.
Required permissions: rolesanywhere:DisableProfile
.
Parameter Syntax
$result = $client->disableProfile([ 'profileId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- profileId
-
- Required: Yes
- Type: string
The unique identifier of the profile.
Result Syntax
[ 'profile' => [ 'acceptRoleSessionName' => true || false, 'attributeMappings' => [ [ 'certificateField' => 'x509Subject|x509Issuer|x509SAN', 'mappingRules' => [ [ 'specifier' => '<string>', ], // ... ], ], // ... ], 'createdAt' => <DateTime>, 'createdBy' => '<string>', 'durationSeconds' => <integer>, 'enabled' => true || false, 'managedPolicyArns' => ['<string>', ...], 'name' => '<string>', 'profileArn' => '<string>', 'profileId' => '<string>', 'requireInstanceProperties' => true || false, 'roleArns' => ['<string>', ...], 'sessionPolicy' => '<string>', 'updatedAt' => <DateTime>, ], ]
Result Details
Members
- profile
-
- Type: ProfileDetail structure
The state of the profile after a read or write operation.
Errors
- ResourceNotFoundException:
The resource could not be found.
- AccessDeniedException:
You do not have sufficient access to perform this action.
DisableTrustAnchor
$result = $client->disableTrustAnchor
([/* ... */]); $promise = $client->disableTrustAnchorAsync
([/* ... */]);
Disables a trust anchor. When disabled, temporary credential requests specifying this trust anchor are unauthorized.
Required permissions: rolesanywhere:DisableTrustAnchor
.
Parameter Syntax
$result = $client->disableTrustAnchor([ 'trustAnchorId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- trustAnchorId
-
- Required: Yes
- Type: string
The unique identifier of the trust anchor.
Result Syntax
[ 'trustAnchor' => [ 'createdAt' => <DateTime>, 'enabled' => true || false, 'name' => '<string>', 'notificationSettings' => [ [ 'channel' => 'ALL', 'configuredBy' => '<string>', 'enabled' => true || false, 'event' => 'CA_CERTIFICATE_EXPIRY|END_ENTITY_CERTIFICATE_EXPIRY', 'threshold' => <integer>, ], // ... ], 'source' => [ 'sourceData' => [ 'acmPcaArn' => '<string>', 'x509CertificateData' => '<string>', ], 'sourceType' => 'AWS_ACM_PCA|CERTIFICATE_BUNDLE|SELF_SIGNED_REPOSITORY', ], 'trustAnchorArn' => '<string>', 'trustAnchorId' => '<string>', 'updatedAt' => <DateTime>, ], ]
Result Details
Members
- trustAnchor
-
- Required: Yes
- Type: TrustAnchorDetail structure
The state of the trust anchor after a read or write operation.
Errors
- ResourceNotFoundException:
The resource could not be found.
- AccessDeniedException:
You do not have sufficient access to perform this action.
EnableCrl
$result = $client->enableCrl
([/* ... */]); $promise = $client->enableCrlAsync
([/* ... */]);
Enables a certificate revocation list (CRL). When enabled, certificates stored in the CRL are unauthorized to receive session credentials.
Required permissions: rolesanywhere:EnableCrl
.
Parameter Syntax
$result = $client->enableCrl([ 'crlId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- crlId
-
- Required: Yes
- Type: string
The unique identifier of the certificate revocation list (CRL).
Result Syntax
[ 'crl' => [ 'createdAt' => <DateTime>, 'crlArn' => '<string>', 'crlData' => <string || resource || Psr\Http\Message\StreamInterface>, 'crlId' => '<string>', 'enabled' => true || false, 'name' => '<string>', 'trustAnchorArn' => '<string>', 'updatedAt' => <DateTime>, ], ]
Result Details
Members
- crl
-
- Required: Yes
- Type: CrlDetail structure
The state of the certificate revocation list (CRL) after a read or write operation.
Errors
- ResourceNotFoundException:
The resource could not be found.
- AccessDeniedException:
You do not have sufficient access to perform this action.
EnableProfile
$result = $client->enableProfile
([/* ... */]); $promise = $client->enableProfileAsync
([/* ... */]);
Enables temporary credential requests for a profile.
Required permissions: rolesanywhere:EnableProfile
.
Parameter Syntax
$result = $client->enableProfile([ 'profileId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- profileId
-
- Required: Yes
- Type: string
The unique identifier of the profile.
Result Syntax
[ 'profile' => [ 'acceptRoleSessionName' => true || false, 'attributeMappings' => [ [ 'certificateField' => 'x509Subject|x509Issuer|x509SAN', 'mappingRules' => [ [ 'specifier' => '<string>', ], // ... ], ], // ... ], 'createdAt' => <DateTime>, 'createdBy' => '<string>', 'durationSeconds' => <integer>, 'enabled' => true || false, 'managedPolicyArns' => ['<string>', ...], 'name' => '<string>', 'profileArn' => '<string>', 'profileId' => '<string>', 'requireInstanceProperties' => true || false, 'roleArns' => ['<string>', ...], 'sessionPolicy' => '<string>', 'updatedAt' => <DateTime>, ], ]
Result Details
Members
- profile
-
- Type: ProfileDetail structure
The state of the profile after a read or write operation.
Errors
- ResourceNotFoundException:
The resource could not be found.
- AccessDeniedException:
You do not have sufficient access to perform this action.
EnableTrustAnchor
$result = $client->enableTrustAnchor
([/* ... */]); $promise = $client->enableTrustAnchorAsync
([/* ... */]);
Enables a trust anchor. When enabled, certificates in the trust anchor chain are authorized for trust validation.
Required permissions: rolesanywhere:EnableTrustAnchor
.
Parameter Syntax
$result = $client->enableTrustAnchor([ 'trustAnchorId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- trustAnchorId
-
- Required: Yes
- Type: string
The unique identifier of the trust anchor.
Result Syntax
[ 'trustAnchor' => [ 'createdAt' => <DateTime>, 'enabled' => true || false, 'name' => '<string>', 'notificationSettings' => [ [ 'channel' => 'ALL', 'configuredBy' => '<string>', 'enabled' => true || false, 'event' => 'CA_CERTIFICATE_EXPIRY|END_ENTITY_CERTIFICATE_EXPIRY', 'threshold' => <integer>, ], // ... ], 'source' => [ 'sourceData' => [ 'acmPcaArn' => '<string>', 'x509CertificateData' => '<string>', ], 'sourceType' => 'AWS_ACM_PCA|CERTIFICATE_BUNDLE|SELF_SIGNED_REPOSITORY', ], 'trustAnchorArn' => '<string>', 'trustAnchorId' => '<string>', 'updatedAt' => <DateTime>, ], ]
Result Details
Members
- trustAnchor
-
- Required: Yes
- Type: TrustAnchorDetail structure
The state of the trust anchor after a read or write operation.
Errors
- ResourceNotFoundException:
The resource could not be found.
- AccessDeniedException:
You do not have sufficient access to perform this action.
GetCrl
$result = $client->getCrl
([/* ... */]); $promise = $client->getCrlAsync
([/* ... */]);
Gets a certificate revocation list (CRL).
Required permissions: rolesanywhere:GetCrl
.
Parameter Syntax
$result = $client->getCrl([ 'crlId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- crlId
-
- Required: Yes
- Type: string
The unique identifier of the certificate revocation list (CRL).
Result Syntax
[ 'crl' => [ 'createdAt' => <DateTime>, 'crlArn' => '<string>', 'crlData' => <string || resource || Psr\Http\Message\StreamInterface>, 'crlId' => '<string>', 'enabled' => true || false, 'name' => '<string>', 'trustAnchorArn' => '<string>', 'updatedAt' => <DateTime>, ], ]
Result Details
Members
- crl
-
- Required: Yes
- Type: CrlDetail structure
The state of the certificate revocation list (CRL) after a read or write operation.
Errors
- ResourceNotFoundException:
The resource could not be found.
GetProfile
$result = $client->getProfile
([/* ... */]); $promise = $client->getProfileAsync
([/* ... */]);
Gets a profile.
Required permissions: rolesanywhere:GetProfile
.
Parameter Syntax
$result = $client->getProfile([ 'profileId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- profileId
-
- Required: Yes
- Type: string
The unique identifier of the profile.
Result Syntax
[ 'profile' => [ 'acceptRoleSessionName' => true || false, 'attributeMappings' => [ [ 'certificateField' => 'x509Subject|x509Issuer|x509SAN', 'mappingRules' => [ [ 'specifier' => '<string>', ], // ... ], ], // ... ], 'createdAt' => <DateTime>, 'createdBy' => '<string>', 'durationSeconds' => <integer>, 'enabled' => true || false, 'managedPolicyArns' => ['<string>', ...], 'name' => '<string>', 'profileArn' => '<string>', 'profileId' => '<string>', 'requireInstanceProperties' => true || false, 'roleArns' => ['<string>', ...], 'sessionPolicy' => '<string>', 'updatedAt' => <DateTime>, ], ]
Result Details
Members
- profile
-
- Type: ProfileDetail structure
The state of the profile after a read or write operation.
Errors
- ResourceNotFoundException:
The resource could not be found.
- AccessDeniedException:
You do not have sufficient access to perform this action.
GetSubject
$result = $client->getSubject
([/* ... */]); $promise = $client->getSubjectAsync
([/* ... */]);
Gets a subject, which associates a certificate identity with authentication attempts. The subject stores auditing information such as the status of the last authentication attempt, the certificate data used in the attempt, and the last time the associated identity attempted authentication.
Required permissions: rolesanywhere:GetSubject
.
Parameter Syntax
$result = $client->getSubject([ 'subjectId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- subjectId
-
- Required: Yes
- Type: string
The unique identifier of the subject.
Result Syntax
[ 'subject' => [ 'createdAt' => <DateTime>, 'credentials' => [ [ 'enabled' => true || false, 'failed' => true || false, 'issuer' => '<string>', 'seenAt' => <DateTime>, 'serialNumber' => '<string>', 'x509CertificateData' => '<string>', ], // ... ], 'enabled' => true || false, 'instanceProperties' => [ [ 'failed' => true || false, 'properties' => ['<string>', ...], 'seenAt' => <DateTime>, ], // ... ], 'lastSeenAt' => <DateTime>, 'subjectArn' => '<string>', 'subjectId' => '<string>', 'updatedAt' => <DateTime>, 'x509Subject' => '<string>', ], ]
Result Details
Members
- subject
-
- Type: SubjectDetail structure
The state of the subject after a read or write operation.
Errors
- ResourceNotFoundException:
The resource could not be found.
- AccessDeniedException:
You do not have sufficient access to perform this action.
GetTrustAnchor
$result = $client->getTrustAnchor
([/* ... */]); $promise = $client->getTrustAnchorAsync
([/* ... */]);
Gets a trust anchor.
Required permissions: rolesanywhere:GetTrustAnchor
.
Parameter Syntax
$result = $client->getTrustAnchor([ 'trustAnchorId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- trustAnchorId
-
- Required: Yes
- Type: string
The unique identifier of the trust anchor.
Result Syntax
[ 'trustAnchor' => [ 'createdAt' => <DateTime>, 'enabled' => true || false, 'name' => '<string>', 'notificationSettings' => [ [ 'channel' => 'ALL', 'configuredBy' => '<string>', 'enabled' => true || false, 'event' => 'CA_CERTIFICATE_EXPIRY|END_ENTITY_CERTIFICATE_EXPIRY', 'threshold' => <integer>, ], // ... ], 'source' => [ 'sourceData' => [ 'acmPcaArn' => '<string>', 'x509CertificateData' => '<string>', ], 'sourceType' => 'AWS_ACM_PCA|CERTIFICATE_BUNDLE|SELF_SIGNED_REPOSITORY', ], 'trustAnchorArn' => '<string>', 'trustAnchorId' => '<string>', 'updatedAt' => <DateTime>, ], ]
Result Details
Members
- trustAnchor
-
- Required: Yes
- Type: TrustAnchorDetail structure
The state of the trust anchor after a read or write operation.
Errors
- ValidationException:
Validation exception error.
- ResourceNotFoundException:
The resource could not be found.
- AccessDeniedException:
You do not have sufficient access to perform this action.
ImportCrl
$result = $client->importCrl
([/* ... */]); $promise = $client->importCrlAsync
([/* ... */]);
Imports the certificate revocation list (CRL). A CRL is a list of certificates that have been revoked by the issuing certificate Authority (CA).In order to be properly imported, a CRL must be in PEM format. IAM Roles Anywhere validates against the CRL before issuing credentials.
Required permissions: rolesanywhere:ImportCrl
.
Parameter Syntax
$result = $client->importCrl([ 'crlData' => <string || resource || Psr\Http\Message\StreamInterface>, // REQUIRED 'enabled' => true || false, 'name' => '<string>', // REQUIRED 'tags' => [ [ 'key' => '<string>', // REQUIRED 'value' => '<string>', // REQUIRED ], // ... ], 'trustAnchorArn' => '<string>', // REQUIRED ]);
Parameter Details
Members
- crlData
-
- Required: Yes
- Type: blob (string|resource|Psr\Http\Message\StreamInterface)
The x509 v3 specified certificate revocation list (CRL).
- enabled
-
- Type: boolean
Specifies whether the certificate revocation list (CRL) is enabled.
- name
-
- Required: Yes
- Type: string
The name of the certificate revocation list (CRL).
- tags
-
- Type: Array of Tag structures
A list of tags to attach to the certificate revocation list (CRL).
- trustAnchorArn
-
- Required: Yes
- Type: string
The ARN of the TrustAnchor the certificate revocation list (CRL) will provide revocation for.
Result Syntax
[ 'crl' => [ 'createdAt' => <DateTime>, 'crlArn' => '<string>', 'crlData' => <string || resource || Psr\Http\Message\StreamInterface>, 'crlId' => '<string>', 'enabled' => true || false, 'name' => '<string>', 'trustAnchorArn' => '<string>', 'updatedAt' => <DateTime>, ], ]
Result Details
Members
- crl
-
- Required: Yes
- Type: CrlDetail structure
The state of the certificate revocation list (CRL) after a read or write operation.
Errors
- ValidationException:
Validation exception error.
- AccessDeniedException:
You do not have sufficient access to perform this action.
ListCrls
$result = $client->listCrls
([/* ... */]); $promise = $client->listCrlsAsync
([/* ... */]);
Lists all certificate revocation lists (CRL) in the authenticated account and Amazon Web Services Region.
Required permissions: rolesanywhere:ListCrls
.
Parameter Syntax
$result = $client->listCrls([ 'nextToken' => '<string>', 'pageSize' => <integer>, ]);
Parameter Details
Members
- nextToken
-
- Type: string
A token that indicates where the output should continue from, if a previous request did not show all results. To get the next results, make the request again with this value.
- pageSize
-
- Type: int
The number of resources in the paginated list.
Result Syntax
[ 'crls' => [ [ 'createdAt' => <DateTime>, 'crlArn' => '<string>', 'crlData' => <string || resource || Psr\Http\Message\StreamInterface>, 'crlId' => '<string>', 'enabled' => true || false, 'name' => '<string>', 'trustAnchorArn' => '<string>', 'updatedAt' => <DateTime>, ], // ... ], 'nextToken' => '<string>', ]
Result Details
Members
- crls
-
- Type: Array of CrlDetail structures
A list of certificate revocation lists (CRL).
- nextToken
-
- Type: string
A token that indicates where the output should continue from, if a previous request did not show all results. To get the next results, make the request again with this value.
Errors
- ValidationException:
Validation exception error.
- AccessDeniedException:
You do not have sufficient access to perform this action.
ListProfiles
$result = $client->listProfiles
([/* ... */]); $promise = $client->listProfilesAsync
([/* ... */]);
Lists all profiles in the authenticated account and Amazon Web Services Region.
Required permissions: rolesanywhere:ListProfiles
.
Parameter Syntax
$result = $client->listProfiles([ 'nextToken' => '<string>', 'pageSize' => <integer>, ]);
Parameter Details
Members
- nextToken
-
- Type: string
A token that indicates where the output should continue from, if a previous request did not show all results. To get the next results, make the request again with this value.
- pageSize
-
- Type: int
The number of resources in the paginated list.
Result Syntax
[ 'nextToken' => '<string>', 'profiles' => [ [ 'acceptRoleSessionName' => true || false, 'attributeMappings' => [ [ 'certificateField' => 'x509Subject|x509Issuer|x509SAN', 'mappingRules' => [ [ 'specifier' => '<string>', ], // ... ], ], // ... ], 'createdAt' => <DateTime>, 'createdBy' => '<string>', 'durationSeconds' => <integer>, 'enabled' => true || false, 'managedPolicyArns' => ['<string>', ...], 'name' => '<string>', 'profileArn' => '<string>', 'profileId' => '<string>', 'requireInstanceProperties' => true || false, 'roleArns' => ['<string>', ...], 'sessionPolicy' => '<string>', 'updatedAt' => <DateTime>, ], // ... ], ]
Result Details
Members
- nextToken
-
- Type: string
A token that indicates where the output should continue from, if a previous request did not show all results. To get the next results, make the request again with this value.
- profiles
-
- Type: Array of ProfileDetail structures
A list of profiles.
Errors
- ValidationException:
Validation exception error.
- AccessDeniedException:
You do not have sufficient access to perform this action.
ListSubjects
$result = $client->listSubjects
([/* ... */]); $promise = $client->listSubjectsAsync
([/* ... */]);
Lists the subjects in the authenticated account and Amazon Web Services Region.
Required permissions: rolesanywhere:ListSubjects
.
Parameter Syntax
$result = $client->listSubjects([ 'nextToken' => '<string>', 'pageSize' => <integer>, ]);
Parameter Details
Members
- nextToken
-
- Type: string
A token that indicates where the output should continue from, if a previous request did not show all results. To get the next results, make the request again with this value.
- pageSize
-
- Type: int
The number of resources in the paginated list.
Result Syntax
[ 'nextToken' => '<string>', 'subjects' => [ [ 'createdAt' => <DateTime>, 'enabled' => true || false, 'lastSeenAt' => <DateTime>, 'subjectArn' => '<string>', 'subjectId' => '<string>', 'updatedAt' => <DateTime>, 'x509Subject' => '<string>', ], // ... ], ]
Result Details
Members
- nextToken
-
- Type: string
A token that indicates where the output should continue from, if a previous request did not show all results. To get the next results, make the request again with this value.
- subjects
-
- Type: Array of SubjectSummary structures
A list of subjects.
Errors
- ValidationException:
Validation exception error.
- AccessDeniedException:
You do not have sufficient access to perform this action.
ListTagsForResource
$result = $client->listTagsForResource
([/* ... */]); $promise = $client->listTagsForResourceAsync
([/* ... */]);
Lists the tags attached to the resource.
Required permissions: rolesanywhere:ListTagsForResource
.
Parameter Syntax
$result = $client->listTagsForResource([ 'resourceArn' => '<string>', // REQUIRED ]);
Parameter Details
Members
- resourceArn
-
- Required: Yes
- Type: string
The ARN of the resource.
Result Syntax
[ 'tags' => [ [ 'key' => '<string>', 'value' => '<string>', ], // ... ], ]
Result Details
Members
- tags
-
- Type: Array of Tag structures
A list of tags attached to the resource.
Errors
- ValidationException:
Validation exception error.
- ResourceNotFoundException:
The resource could not be found.
- AccessDeniedException:
You do not have sufficient access to perform this action.
ListTrustAnchors
$result = $client->listTrustAnchors
([/* ... */]); $promise = $client->listTrustAnchorsAsync
([/* ... */]);
Lists the trust anchors in the authenticated account and Amazon Web Services Region.
Required permissions: rolesanywhere:ListTrustAnchors
.
Parameter Syntax
$result = $client->listTrustAnchors([ 'nextToken' => '<string>', 'pageSize' => <integer>, ]);
Parameter Details
Members
- nextToken
-
- Type: string
A token that indicates where the output should continue from, if a previous request did not show all results. To get the next results, make the request again with this value.
- pageSize
-
- Type: int
The number of resources in the paginated list.
Result Syntax
[ 'nextToken' => '<string>', 'trustAnchors' => [ [ 'createdAt' => <DateTime>, 'enabled' => true || false, 'name' => '<string>', 'notificationSettings' => [ [ 'channel' => 'ALL', 'configuredBy' => '<string>', 'enabled' => true || false, 'event' => 'CA_CERTIFICATE_EXPIRY|END_ENTITY_CERTIFICATE_EXPIRY', 'threshold' => <integer>, ], // ... ], 'source' => [ 'sourceData' => [ 'acmPcaArn' => '<string>', 'x509CertificateData' => '<string>', ], 'sourceType' => 'AWS_ACM_PCA|CERTIFICATE_BUNDLE|SELF_SIGNED_REPOSITORY', ], 'trustAnchorArn' => '<string>', 'trustAnchorId' => '<string>', 'updatedAt' => <DateTime>, ], // ... ], ]
Result Details
Members
- nextToken
-
- Type: string
A token that indicates where the output should continue from, if a previous request did not show all results. To get the next results, make the request again with this value.
- trustAnchors
-
- Type: Array of TrustAnchorDetail structures
A list of trust anchors.
Errors
- ValidationException:
Validation exception error.
- AccessDeniedException:
You do not have sufficient access to perform this action.
PutAttributeMapping
$result = $client->putAttributeMapping
([/* ... */]); $promise = $client->putAttributeMappingAsync
([/* ... */]);
Put an entry in the attribute mapping rules that will be enforced by a given profile. A mapping specifies a certificate field and one or more specifiers that have contextual meanings.
Parameter Syntax
$result = $client->putAttributeMapping([ 'certificateField' => 'x509Subject|x509Issuer|x509SAN', // REQUIRED 'mappingRules' => [ // REQUIRED [ 'specifier' => '<string>', // REQUIRED ], // ... ], 'profileId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- certificateField
-
- Required: Yes
- Type: string
Fields (x509Subject, x509Issuer and x509SAN) within X.509 certificates.
- mappingRules
-
- Required: Yes
- Type: Array of MappingRule structures
A list of mapping entries for every supported specifier or sub-field.
- profileId
-
- Required: Yes
- Type: string
The unique identifier of the profile.
Result Syntax
[ 'profile' => [ 'acceptRoleSessionName' => true || false, 'attributeMappings' => [ [ 'certificateField' => 'x509Subject|x509Issuer|x509SAN', 'mappingRules' => [ [ 'specifier' => '<string>', ], // ... ], ], // ... ], 'createdAt' => <DateTime>, 'createdBy' => '<string>', 'durationSeconds' => <integer>, 'enabled' => true || false, 'managedPolicyArns' => ['<string>', ...], 'name' => '<string>', 'profileArn' => '<string>', 'profileId' => '<string>', 'requireInstanceProperties' => true || false, 'roleArns' => ['<string>', ...], 'sessionPolicy' => '<string>', 'updatedAt' => <DateTime>, ], ]
Result Details
Members
- profile
-
- Required: Yes
- Type: ProfileDetail structure
The state of the profile after a read or write operation.
Errors
- ValidationException:
Validation exception error.
- ResourceNotFoundException:
The resource could not be found.
- AccessDeniedException:
You do not have sufficient access to perform this action.
PutNotificationSettings
$result = $client->putNotificationSettings
([/* ... */]); $promise = $client->putNotificationSettingsAsync
([/* ... */]);
Attaches a list of notification settings to a trust anchor.
A notification setting includes information such as event name, threshold, status of the notification setting, and the channel to notify.
Required permissions: rolesanywhere:PutNotificationSettings
.
Parameter Syntax
$result = $client->putNotificationSettings([ 'notificationSettings' => [ // REQUIRED [ 'channel' => 'ALL', 'enabled' => true || false, // REQUIRED 'event' => 'CA_CERTIFICATE_EXPIRY|END_ENTITY_CERTIFICATE_EXPIRY', // REQUIRED 'threshold' => <integer>, ], // ... ], 'trustAnchorId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- notificationSettings
-
- Required: Yes
- Type: Array of NotificationSetting structures
A list of notification settings to be associated to the trust anchor.
- trustAnchorId
-
- Required: Yes
- Type: string
The unique identifier of the trust anchor.
Result Syntax
[ 'trustAnchor' => [ 'createdAt' => <DateTime>, 'enabled' => true || false, 'name' => '<string>', 'notificationSettings' => [ [ 'channel' => 'ALL', 'configuredBy' => '<string>', 'enabled' => true || false, 'event' => 'CA_CERTIFICATE_EXPIRY|END_ENTITY_CERTIFICATE_EXPIRY', 'threshold' => <integer>, ], // ... ], 'source' => [ 'sourceData' => [ 'acmPcaArn' => '<string>', 'x509CertificateData' => '<string>', ], 'sourceType' => 'AWS_ACM_PCA|CERTIFICATE_BUNDLE|SELF_SIGNED_REPOSITORY', ], 'trustAnchorArn' => '<string>', 'trustAnchorId' => '<string>', 'updatedAt' => <DateTime>, ], ]
Result Details
Members
- trustAnchor
-
- Required: Yes
- Type: TrustAnchorDetail structure
The state of the trust anchor after a read or write operation.
Errors
- ValidationException:
Validation exception error.
- ResourceNotFoundException:
The resource could not be found.
- AccessDeniedException:
You do not have sufficient access to perform this action.
ResetNotificationSettings
$result = $client->resetNotificationSettings
([/* ... */]); $promise = $client->resetNotificationSettingsAsync
([/* ... */]);
Resets the custom notification setting to IAM Roles Anywhere default setting.
Required permissions: rolesanywhere:ResetNotificationSettings
.
Parameter Syntax
$result = $client->resetNotificationSettings([ 'notificationSettingKeys' => [ // REQUIRED [ 'channel' => 'ALL', 'event' => 'CA_CERTIFICATE_EXPIRY|END_ENTITY_CERTIFICATE_EXPIRY', // REQUIRED ], // ... ], 'trustAnchorId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- notificationSettingKeys
-
- Required: Yes
- Type: Array of NotificationSettingKey structures
A list of notification setting keys to reset. A notification setting key includes the event and the channel.
- trustAnchorId
-
- Required: Yes
- Type: string
The unique identifier of the trust anchor.
Result Syntax
[ 'trustAnchor' => [ 'createdAt' => <DateTime>, 'enabled' => true || false, 'name' => '<string>', 'notificationSettings' => [ [ 'channel' => 'ALL', 'configuredBy' => '<string>', 'enabled' => true || false, 'event' => 'CA_CERTIFICATE_EXPIRY|END_ENTITY_CERTIFICATE_EXPIRY', 'threshold' => <integer>, ], // ... ], 'source' => [ 'sourceData' => [ 'acmPcaArn' => '<string>', 'x509CertificateData' => '<string>', ], 'sourceType' => 'AWS_ACM_PCA|CERTIFICATE_BUNDLE|SELF_SIGNED_REPOSITORY', ], 'trustAnchorArn' => '<string>', 'trustAnchorId' => '<string>', 'updatedAt' => <DateTime>, ], ]
Result Details
Members
- trustAnchor
-
- Required: Yes
- Type: TrustAnchorDetail structure
The state of the trust anchor after a read or write operation.
Errors
- ValidationException:
Validation exception error.
- ResourceNotFoundException:
The resource could not be found.
- AccessDeniedException:
You do not have sufficient access to perform this action.
TagResource
$result = $client->tagResource
([/* ... */]); $promise = $client->tagResourceAsync
([/* ... */]);
Attaches tags to a resource.
Required permissions: rolesanywhere:TagResource
.
Parameter Syntax
$result = $client->tagResource([ 'resourceArn' => '<string>', // REQUIRED 'tags' => [ // REQUIRED [ 'key' => '<string>', // REQUIRED 'value' => '<string>', // REQUIRED ], // ... ], ]);
Parameter Details
Members
- resourceArn
-
- Required: Yes
- Type: string
The ARN of the resource.
- tags
-
- Required: Yes
- Type: Array of Tag structures
The tags to attach to the resource.
Result Syntax
[]
Result Details
Errors
- ValidationException:
Validation exception error.
- ResourceNotFoundException:
The resource could not be found.
- AccessDeniedException:
You do not have sufficient access to perform this action.
- TooManyTagsException:
Too many tags.
UntagResource
$result = $client->untagResource
([/* ... */]); $promise = $client->untagResourceAsync
([/* ... */]);
Removes tags from the resource.
Required permissions: rolesanywhere:UntagResource
.
Parameter Syntax
$result = $client->untagResource([ 'resourceArn' => '<string>', // REQUIRED 'tagKeys' => ['<string>', ...], // REQUIRED ]);
Parameter Details
Members
- resourceArn
-
- Required: Yes
- Type: string
The ARN of the resource.
- tagKeys
-
- Required: Yes
- Type: Array of strings
A list of keys. Tag keys are the unique identifiers of tags.
Result Syntax
[]
Result Details
Errors
- ValidationException:
Validation exception error.
- ResourceNotFoundException:
The resource could not be found.
- AccessDeniedException:
You do not have sufficient access to perform this action.
UpdateCrl
$result = $client->updateCrl
([/* ... */]); $promise = $client->updateCrlAsync
([/* ... */]);
Updates the certificate revocation list (CRL). A CRL is a list of certificates that have been revoked by the issuing certificate authority (CA). IAM Roles Anywhere validates against the CRL before issuing credentials.
Required permissions: rolesanywhere:UpdateCrl
.
Parameter Syntax
$result = $client->updateCrl([ 'crlData' => <string || resource || Psr\Http\Message\StreamInterface>, 'crlId' => '<string>', // REQUIRED 'name' => '<string>', ]);
Parameter Details
Members
- crlData
-
- Type: blob (string|resource|Psr\Http\Message\StreamInterface)
The x509 v3 specified certificate revocation list (CRL).
- crlId
-
- Required: Yes
- Type: string
The unique identifier of the certificate revocation list (CRL).
- name
-
- Type: string
The name of the Crl.
Result Syntax
[ 'crl' => [ 'createdAt' => <DateTime>, 'crlArn' => '<string>', 'crlData' => <string || resource || Psr\Http\Message\StreamInterface>, 'crlId' => '<string>', 'enabled' => true || false, 'name' => '<string>', 'trustAnchorArn' => '<string>', 'updatedAt' => <DateTime>, ], ]
Result Details
Members
- crl
-
- Required: Yes
- Type: CrlDetail structure
The state of the certificate revocation list (CRL) after a read or write operation.
Errors
- ValidationException:
Validation exception error.
- ResourceNotFoundException:
The resource could not be found.
- AccessDeniedException:
You do not have sufficient access to perform this action.
UpdateProfile
$result = $client->updateProfile
([/* ... */]); $promise = $client->updateProfileAsync
([/* ... */]);
Updates a profile, a list of the roles that IAM Roles Anywhere service is trusted to assume. You use profiles to intersect permissions with IAM managed policies.
Required permissions: rolesanywhere:UpdateProfile
.
Parameter Syntax
$result = $client->updateProfile([ 'acceptRoleSessionName' => true || false, 'durationSeconds' => <integer>, 'managedPolicyArns' => ['<string>', ...], 'name' => '<string>', 'profileId' => '<string>', // REQUIRED 'roleArns' => ['<string>', ...], 'sessionPolicy' => '<string>', ]);
Parameter Details
Members
- acceptRoleSessionName
-
- Type: boolean
Used to determine if a custom role session name will be accepted in a temporary credential request.
- durationSeconds
-
- Type: int
Used to determine how long sessions vended using this profile are valid for. See the
Expiration
section of the CreateSession API documentation page for more details. In requests, if this value is not provided, the default value will be 3600. - managedPolicyArns
-
- Type: Array of strings
A list of managed policy ARNs that apply to the vended session credentials.
- name
-
- Type: string
The name of the profile.
- profileId
-
- Required: Yes
- Type: string
The unique identifier of the profile.
- roleArns
-
- Type: Array of strings
A list of IAM roles that this profile can assume in a temporary credential request.
- sessionPolicy
-
- Type: string
A session policy that applies to the trust boundary of the vended session credentials.
Result Syntax
[ 'profile' => [ 'acceptRoleSessionName' => true || false, 'attributeMappings' => [ [ 'certificateField' => 'x509Subject|x509Issuer|x509SAN', 'mappingRules' => [ [ 'specifier' => '<string>', ], // ... ], ], // ... ], 'createdAt' => <DateTime>, 'createdBy' => '<string>', 'durationSeconds' => <integer>, 'enabled' => true || false, 'managedPolicyArns' => ['<string>', ...], 'name' => '<string>', 'profileArn' => '<string>', 'profileId' => '<string>', 'requireInstanceProperties' => true || false, 'roleArns' => ['<string>', ...], 'sessionPolicy' => '<string>', 'updatedAt' => <DateTime>, ], ]
Result Details
Members
- profile
-
- Type: ProfileDetail structure
The state of the profile after a read or write operation.
Errors
- ValidationException:
Validation exception error.
- ResourceNotFoundException:
The resource could not be found.
- AccessDeniedException:
You do not have sufficient access to perform this action.
UpdateTrustAnchor
$result = $client->updateTrustAnchor
([/* ... */]); $promise = $client->updateTrustAnchorAsync
([/* ... */]);
Updates a trust anchor. You establish trust between IAM Roles Anywhere and your certificate authority (CA) by configuring a trust anchor. You can define a trust anchor as a reference to an Private Certificate Authority (Private CA) or by uploading a CA certificate. Your Amazon Web Services workloads can authenticate with the trust anchor using certificates issued by the CA in exchange for temporary Amazon Web Services credentials.
Required permissions: rolesanywhere:UpdateTrustAnchor
.
Parameter Syntax
$result = $client->updateTrustAnchor([ 'name' => '<string>', 'source' => [ 'sourceData' => [ 'acmPcaArn' => '<string>', 'x509CertificateData' => '<string>', ], 'sourceType' => 'AWS_ACM_PCA|CERTIFICATE_BUNDLE|SELF_SIGNED_REPOSITORY', ], 'trustAnchorId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- name
-
- Type: string
The name of the trust anchor.
- source
-
- Type: Source structure
The trust anchor type and its related certificate data.
- trustAnchorId
-
- Required: Yes
- Type: string
The unique identifier of the trust anchor.
Result Syntax
[ 'trustAnchor' => [ 'createdAt' => <DateTime>, 'enabled' => true || false, 'name' => '<string>', 'notificationSettings' => [ [ 'channel' => 'ALL', 'configuredBy' => '<string>', 'enabled' => true || false, 'event' => 'CA_CERTIFICATE_EXPIRY|END_ENTITY_CERTIFICATE_EXPIRY', 'threshold' => <integer>, ], // ... ], 'source' => [ 'sourceData' => [ 'acmPcaArn' => '<string>', 'x509CertificateData' => '<string>', ], 'sourceType' => 'AWS_ACM_PCA|CERTIFICATE_BUNDLE|SELF_SIGNED_REPOSITORY', ], 'trustAnchorArn' => '<string>', 'trustAnchorId' => '<string>', 'updatedAt' => <DateTime>, ], ]
Result Details
Members
- trustAnchor
-
- Required: Yes
- Type: TrustAnchorDetail structure
The state of the trust anchor after a read or write operation.
Errors
- ValidationException:
Validation exception error.
- ResourceNotFoundException:
The resource could not be found.
- AccessDeniedException:
You do not have sufficient access to perform this action.
Shapes
AccessDeniedException
Description
You do not have sufficient access to perform this action.
Members
- message
-
- Type: string
AttributeMapping
Description
A mapping applied to the authenticating end-entity certificate.
Members
- certificateField
-
- Type: string
Fields (x509Subject, x509Issuer and x509SAN) within X.509 certificates.
- mappingRules
-
- Type: Array of MappingRule structures
A list of mapping entries for every supported specifier or sub-field.
CredentialSummary
Description
A record of a presented X509 credential from a temporary credential request.
Members
- enabled
-
- Type: boolean
Indicates whether the credential is enabled.
- failed
-
- Type: boolean
Indicates whether the temporary credential request was successful.
- issuer
-
- Type: string
The fully qualified domain name of the issuing certificate for the presented end-entity certificate.
- seenAt
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The ISO-8601 time stamp of when the certificate was last used in a temporary credential request.
- serialNumber
-
- Type: string
The serial number of the certificate.
- x509CertificateData
-
- Type: string
The PEM-encoded data of the certificate.
CrlDetail
Description
The state of the certificate revocation list (CRL) after a read or write operation.
Members
- createdAt
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The ISO-8601 timestamp when the certificate revocation list (CRL) was created.
- crlArn
-
- Type: string
The ARN of the certificate revocation list (CRL).
- crlData
-
- Type: blob (string|resource|Psr\Http\Message\StreamInterface)
The state of the certificate revocation list (CRL) after a read or write operation.
- crlId
-
- Type: string
The unique identifier of the certificate revocation list (CRL).
- enabled
-
- Type: boolean
Indicates whether the certificate revocation list (CRL) is enabled.
- name
-
- Type: string
The name of the certificate revocation list (CRL).
- trustAnchorArn
-
- Type: string
The ARN of the TrustAnchor the certificate revocation list (CRL) will provide revocation for.
- updatedAt
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The ISO-8601 timestamp when the certificate revocation list (CRL) was last updated.
InstanceProperty
Description
A key-value pair you set that identifies a property of the authenticating instance.
Members
- failed
-
- Type: boolean
Indicates whether the temporary credential request was successful.
- properties
-
- Type: Associative array of custom strings keys (InstancePropertyMapKeyString) to strings
A list of instanceProperty objects.
- seenAt
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The ISO-8601 time stamp of when the certificate was last used in a temporary credential request.
MappingRule
Description
A single mapping entry for each supported specifier or sub-field.
Members
- specifier
-
- Required: Yes
- Type: string
Specifier within a certificate field, such as CN, OU, or UID from the Subject field.
NotificationSetting
Description
Customizable notification settings that will be applied to notification events. IAM Roles Anywhere consumes these settings while notifying across multiple channels - CloudWatch metrics, EventBridge, and Health Dashboard.
Members
- channel
-
- Type: string
The specified channel of notification. IAM Roles Anywhere uses CloudWatch metrics, EventBridge, and Health Dashboard to notify for an event.
In the absence of a specific channel, IAM Roles Anywhere applies this setting to 'ALL' channels.
- enabled
-
- Required: Yes
- Type: boolean
Indicates whether the notification setting is enabled.
- event
-
- Required: Yes
- Type: string
The event to which this notification setting is applied.
- threshold
-
- Type: int
The number of days before a notification event. This value is required for a notification setting that is enabled.
NotificationSettingDetail
Description
The state of a notification setting.
A notification setting includes information such as event name, threshold, status of the notification setting, and the channel to notify.
Members
- channel
-
- Type: string
The specified channel of notification. IAM Roles Anywhere uses CloudWatch metrics, EventBridge, and Health Dashboard to notify for an event.
In the absence of a specific channel, IAM Roles Anywhere applies this setting to 'ALL' channels.
- configuredBy
-
- Type: string
The principal that configured the notification setting. For default settings configured by IAM Roles Anywhere, the value is
rolesanywhere.amazonaws.com
, and for customized notifications settings, it is the respective account ID. - enabled
-
- Required: Yes
- Type: boolean
Indicates whether the notification setting is enabled.
- event
-
- Required: Yes
- Type: string
The event to which this notification setting is applied.
- threshold
-
- Type: int
The number of days before a notification event.
NotificationSettingKey
Description
A notification setting key to reset. A notification setting key includes the event and the channel.
Members
- channel
-
- Type: string
The specified channel of notification.
- event
-
- Required: Yes
- Type: string
The notification setting event to reset.
ProfileDetail
Description
The state of the profile after a read or write operation.
Members
- acceptRoleSessionName
-
- Type: boolean
Used to determine if a custom role session name will be accepted in a temporary credential request.
- attributeMappings
-
- Type: Array of AttributeMapping structures
A mapping applied to the authenticating end-entity certificate.
- createdAt
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The ISO-8601 timestamp when the profile was created.
- createdBy
-
- Type: string
The Amazon Web Services account that created the profile.
- durationSeconds
-
- Type: int
Used to determine how long sessions vended using this profile are valid for. See the
Expiration
section of the CreateSession API documentation page for more details. In requests, if this value is not provided, the default value will be 3600. - enabled
-
- Type: boolean
Indicates whether the profile is enabled.
- managedPolicyArns
-
- Type: Array of strings
A list of managed policy ARNs that apply to the vended session credentials.
- name
-
- Type: string
The name of the profile.
- profileArn
-
- Type: string
The ARN of the profile.
- profileId
-
- Type: string
The unique identifier of the profile.
- requireInstanceProperties
-
- Type: boolean
Specifies whether instance properties are required in temporary credential requests with this profile.
- roleArns
-
- Type: Array of strings
A list of IAM roles that this profile can assume in a temporary credential request.
- sessionPolicy
-
- Type: string
A session policy that applies to the trust boundary of the vended session credentials.
- updatedAt
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The ISO-8601 timestamp when the profile was last updated.
ResourceNotFoundException
Description
The resource could not be found.
Members
- message
-
- Type: string
Source
Description
The trust anchor type and its related certificate data.
Members
- sourceData
-
- Type: SourceData structure
The data field of the trust anchor depending on its type.
- sourceType
-
- Type: string
The type of the trust anchor.
SourceData
Description
The data field of the trust anchor depending on its type.
Members
- acmPcaArn
-
- Type: string
The root certificate of the Private Certificate Authority specified by this ARN is used in trust validation for temporary credential requests. Included for trust anchors of type
AWS_ACM_PCA
. - x509CertificateData
-
- Type: string
The PEM-encoded data for the certificate anchor. Included for trust anchors of type
CERTIFICATE_BUNDLE
.
SubjectDetail
Description
The state of the subject after a read or write operation.
Members
- createdAt
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The ISO-8601 timestamp when the subject was created.
- credentials
-
- Type: Array of CredentialSummary structures
The temporary session credentials vended at the last authenticating call with this subject.
- enabled
-
- Type: boolean
The enabled status of the subject.
- instanceProperties
-
- Type: Array of InstanceProperty structures
The specified instance properties associated with the request.
- lastSeenAt
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The ISO-8601 timestamp of the last time this subject requested temporary session credentials.
- subjectArn
-
- Type: string
The ARN of the resource.
- subjectId
-
- Type: string
The id of the resource
- updatedAt
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The ISO-8601 timestamp when the subject was last updated.
- x509Subject
-
- Type: string
The x509 principal identifier of the authenticating certificate.
SubjectSummary
Description
A summary representation of subjects.
Members
- createdAt
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The ISO-8601 time stamp of when the certificate was first used in a temporary credential request.
- enabled
-
- Type: boolean
The enabled status of the subject.
- lastSeenAt
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The ISO-8601 time stamp of when the certificate was last used in a temporary credential request.
- subjectArn
-
- Type: string
The ARN of the resource.
- subjectId
-
- Type: string
The id of the resource.
- updatedAt
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The ISO-8601 timestamp when the subject was last updated.
- x509Subject
-
- Type: string
The x509 principal identifier of the authenticating certificate.
Tag
Description
A label that consists of a key and value you define.
Members
- key
-
- Required: Yes
- Type: string
The tag key.
- value
-
- Required: Yes
- Type: string
The tag value.
TooManyTagsException
Description
Too many tags.
Members
- message
-
- Type: string
TrustAnchorDetail
Description
The state of the trust anchor after a read or write operation.
Members
- createdAt
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The ISO-8601 timestamp when the trust anchor was created.
- enabled
-
- Type: boolean
Indicates whether the trust anchor is enabled.
- name
-
- Type: string
The name of the trust anchor.
- notificationSettings
-
- Type: Array of NotificationSettingDetail structures
A list of notification settings to be associated to the trust anchor.
- source
-
- Type: Source structure
The trust anchor type and its related certificate data.
- trustAnchorArn
-
- Type: string
The ARN of the trust anchor.
- trustAnchorId
-
- Type: string
The unique identifier of the trust anchor.
- updatedAt
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The ISO-8601 timestamp when the trust anchor was last updated.
ValidationException
Description
Validation exception error.
Members
- message
-
- Type: string