SDK for PHP 3.x

Client: Aws\RolesAnywhere\RolesAnywhereClient
Service ID: rolesanywhere
Version: 2018-05-10

This page describes the parameters and results for the operations of the IAM Roles Anywhere (2018-05-10), and shows how to use the Aws\RolesAnywhere\RolesAnywhereClient object to call the described operations. This documentation is specific to the 2018-05-10 API version of the service.

Operation Summary

Each of the following operations can be created from a client using $client->getCommand('CommandName'), where "CommandName" is the name of one of the following operations. Note: a command is a value that encapsulates an operation and the parameters used to create an HTTP request.

You can also create and send a command immediately using the magic methods available on a client object: $client->commandName(/* parameters */). You can send the command asynchronously (returning a promise) by appending the word "Async" to the operation name: $client->commandNameAsync(/* parameters */).

CreateProfile ( array $params = [] )
Creates a profile, a list of the roles that Roles Anywhere service is trusted to assume.
CreateTrustAnchor ( array $params = [] )
Creates a trust anchor to establish trust between IAM Roles Anywhere and your certificate authority (CA).
DeleteAttributeMapping ( array $params = [] )
Delete an entry from the attribute mapping rules enforced by a given profile.
DeleteCrl ( array $params = [] )
Deletes a certificate revocation list (CRL).
DeleteProfile ( array $params = [] )
Deletes a profile.
DeleteTrustAnchor ( array $params = [] )
Deletes a trust anchor.
DisableCrl ( array $params = [] )
Disables a certificate revocation list (CRL).
DisableProfile ( array $params = [] )
Disables a profile.
DisableTrustAnchor ( array $params = [] )
Disables a trust anchor.
EnableCrl ( array $params = [] )
Enables a certificate revocation list (CRL).
EnableProfile ( array $params = [] )
Enables temporary credential requests for a profile.
EnableTrustAnchor ( array $params = [] )
Enables a trust anchor.
GetCrl ( array $params = [] )
Gets a certificate revocation list (CRL).
GetProfile ( array $params = [] )
Gets a profile.
GetSubject ( array $params = [] )
Gets a subject, which associates a certificate identity with authentication attempts.
GetTrustAnchor ( array $params = [] )
Gets a trust anchor.
ImportCrl ( array $params = [] )
Imports the certificate revocation list (CRL).
ListCrls ( array $params = [] )
Lists all certificate revocation lists (CRL) in the authenticated account and Amazon Web Services Region.
ListProfiles ( array $params = [] )
Lists all profiles in the authenticated account and Amazon Web Services Region.
ListSubjects ( array $params = [] )
Lists the subjects in the authenticated account and Amazon Web Services Region.
ListTagsForResource ( array $params = [] )
Lists the tags attached to the resource.
ListTrustAnchors ( array $params = [] )
Lists the trust anchors in the authenticated account and Amazon Web Services Region.
PutAttributeMapping ( array $params = [] )
Put an entry in the attribute mapping rules that will be enforced by a given profile.
PutNotificationSettings ( array $params = [] )
Attaches a list of notification settings to a trust anchor.
ResetNotificationSettings ( array $params = [] )
Resets the custom notification setting to IAM Roles Anywhere default setting.
TagResource ( array $params = [] )
Attaches tags to a resource.
UntagResource ( array $params = [] )
Removes tags from the resource.
UpdateCrl ( array $params = [] )
Updates the certificate revocation list (CRL).
UpdateProfile ( array $params = [] )
Updates a profile, a list of the roles that IAM Roles Anywhere service is trusted to assume.
UpdateTrustAnchor ( array $params = [] )
Updates a trust anchor.

Paginators

Paginators handle automatically iterating over paginated API results. Paginators are associated with specific API operations, and they accept the parameters that the corresponding API operation accepts. You can get a paginator from a client class using getPaginator($paginatorName, $operationParameters). This client supports the following paginators:

ListCrls
ListProfiles
ListSubjects
ListTrustAnchors

Operations

CreateProfile

$result = $client->createProfile([/* ... */]);
$promise = $client->createProfileAsync([/* ... */]);

Creates a profile, a list of the roles that Roles Anywhere service is trusted to assume. You use profiles to intersect permissions with IAM managed policies.

Required permissions: rolesanywhere:CreateProfile.

Parameter Syntax

$result = $client->createProfile([
    'acceptRoleSessionName' => true || false,
    'durationSeconds' => <integer>,
    'enabled' => true || false,
    'managedPolicyArns' => ['<string>', ...],
    'name' => '<string>', // REQUIRED
    'requireInstanceProperties' => true || false,
    'roleArns' => ['<string>', ...], // REQUIRED
    'sessionPolicy' => '<string>',
    'tags' => [
        [
            'key' => '<string>', // REQUIRED
            'value' => '<string>', // REQUIRED
        ],
        // ...
    ],
]);

Parameter Details

Members
acceptRoleSessionName
Type: boolean

Used to determine if a custom role session name will be accepted in a temporary credential request.

durationSeconds
Type: int

Used to determine how long sessions vended using this profile are valid for. See the Expiration section of the CreateSession API documentation page for more details. In requests, if this value is not provided, the default value will be 3600.

enabled
Type: boolean

Specifies whether the profile is enabled.

managedPolicyArns
Type: Array of strings

A list of managed policy ARNs that apply to the vended session credentials.

name
Required: Yes
Type: string

The name of the profile.

requireInstanceProperties
Type: boolean

Specifies whether instance properties are required in temporary credential requests with this profile.

roleArns
Required: Yes
Type: Array of strings

A list of IAM roles that this profile can assume in a temporary credential request.

sessionPolicy
Type: string

A session policy that applies to the trust boundary of the vended session credentials.

tags
Type: Array of Tag structures

The tags to attach to the profile.

Result Syntax

[
    'profile' => [
        'acceptRoleSessionName' => true || false,
        'attributeMappings' => [
            [
                'certificateField' => 'x509Subject|x509Issuer|x509SAN',
                'mappingRules' => [
                    [
                        'specifier' => '<string>',
                    ],
                    // ...
                ],
            ],
            // ...
        ],
        'createdAt' => <DateTime>,
        'createdBy' => '<string>',
        'durationSeconds' => <integer>,
        'enabled' => true || false,
        'managedPolicyArns' => ['<string>', ...],
        'name' => '<string>',
        'profileArn' => '<string>',
        'profileId' => '<string>',
        'requireInstanceProperties' => true || false,
        'roleArns' => ['<string>', ...],
        'sessionPolicy' => '<string>',
        'updatedAt' => <DateTime>,
    ],
]

Result Details

Members
profile
Type: ProfileDetail structure

The state of the profile after a read or write operation.

Errors

ValidationException:

Validation exception error.

AccessDeniedException:

You do not have sufficient access to perform this action.

CreateTrustAnchor

$result = $client->createTrustAnchor([/* ... */]);
$promise = $client->createTrustAnchorAsync([/* ... */]);

Creates a trust anchor to establish trust between IAM Roles Anywhere and your certificate authority (CA). You can define a trust anchor as a reference to an Private Certificate Authority (Private CA) or by uploading a CA certificate. Your Amazon Web Services workloads can authenticate with the trust anchor using certificates issued by the CA in exchange for temporary Amazon Web Services credentials.

Required permissions: rolesanywhere:CreateTrustAnchor.

Parameter Syntax

$result = $client->createTrustAnchor([
    'enabled' => true || false,
    'name' => '<string>', // REQUIRED
    'notificationSettings' => [
        [
            'channel' => 'ALL',
            'enabled' => true || false, // REQUIRED
            'event' => 'CA_CERTIFICATE_EXPIRY|END_ENTITY_CERTIFICATE_EXPIRY', // REQUIRED
            'threshold' => <integer>,
        ],
        // ...
    ],
    'source' => [ // REQUIRED
        'sourceData' => [
            'acmPcaArn' => '<string>',
            'x509CertificateData' => '<string>',
        ],
        'sourceType' => 'AWS_ACM_PCA|CERTIFICATE_BUNDLE|SELF_SIGNED_REPOSITORY',
    ],
    'tags' => [
        [
            'key' => '<string>', // REQUIRED
            'value' => '<string>', // REQUIRED
        ],
        // ...
    ],
]);

Parameter Details

Members
enabled
Type: boolean

Specifies whether the trust anchor is enabled.

name
Required: Yes
Type: string

The name of the trust anchor.

notificationSettings
Type: Array of NotificationSetting structures

A list of notification settings to be associated to the trust anchor.

source
Required: Yes
Type: Source structure

The trust anchor type and its related certificate data.

tags
Type: Array of Tag structures

The tags to attach to the trust anchor.

Result Syntax

[
    'trustAnchor' => [
        'createdAt' => <DateTime>,
        'enabled' => true || false,
        'name' => '<string>',
        'notificationSettings' => [
            [
                'channel' => 'ALL',
                'configuredBy' => '<string>',
                'enabled' => true || false,
                'event' => 'CA_CERTIFICATE_EXPIRY|END_ENTITY_CERTIFICATE_EXPIRY',
                'threshold' => <integer>,
            ],
            // ...
        ],
        'source' => [
            'sourceData' => [
                'acmPcaArn' => '<string>',
                'x509CertificateData' => '<string>',
            ],
            'sourceType' => 'AWS_ACM_PCA|CERTIFICATE_BUNDLE|SELF_SIGNED_REPOSITORY',
        ],
        'trustAnchorArn' => '<string>',
        'trustAnchorId' => '<string>',
        'updatedAt' => <DateTime>,
    ],
]

Result Details

Members
trustAnchor
Required: Yes
Type: TrustAnchorDetail structure

The state of the trust anchor after a read or write operation.

Errors

ValidationException:

Validation exception error.

AccessDeniedException:

You do not have sufficient access to perform this action.

DeleteAttributeMapping

$result = $client->deleteAttributeMapping([/* ... */]);
$promise = $client->deleteAttributeMappingAsync([/* ... */]);

Delete an entry from the attribute mapping rules enforced by a given profile.

Parameter Syntax

$result = $client->deleteAttributeMapping([
    'certificateField' => 'x509Subject|x509Issuer|x509SAN', // REQUIRED
    'profileId' => '<string>', // REQUIRED
    'specifiers' => ['<string>', ...],
]);

Parameter Details

Members
certificateField
Required: Yes
Type: string

Fields (x509Subject, x509Issuer and x509SAN) within X.509 certificates.

profileId
Required: Yes
Type: string

The unique identifier of the profile.

specifiers
Type: Array of strings

A list of specifiers of a certificate field; for example, CN, OU, UID from a Subject.

Result Syntax

[
    'profile' => [
        'acceptRoleSessionName' => true || false,
        'attributeMappings' => [
            [
                'certificateField' => 'x509Subject|x509Issuer|x509SAN',
                'mappingRules' => [
                    [
                        'specifier' => '<string>',
                    ],
                    // ...
                ],
            ],
            // ...
        ],
        'createdAt' => <DateTime>,
        'createdBy' => '<string>',
        'durationSeconds' => <integer>,
        'enabled' => true || false,
        'managedPolicyArns' => ['<string>', ...],
        'name' => '<string>',
        'profileArn' => '<string>',
        'profileId' => '<string>',
        'requireInstanceProperties' => true || false,
        'roleArns' => ['<string>', ...],
        'sessionPolicy' => '<string>',
        'updatedAt' => <DateTime>,
    ],
]

Result Details

Members
profile
Required: Yes
Type: ProfileDetail structure

The state of the profile after a read or write operation.

Errors

ValidationException:

Validation exception error.

ResourceNotFoundException:

The resource could not be found.

AccessDeniedException:

You do not have sufficient access to perform this action.

DeleteCrl

$result = $client->deleteCrl([/* ... */]);
$promise = $client->deleteCrlAsync([/* ... */]);

Deletes a certificate revocation list (CRL).

Required permissions: rolesanywhere:DeleteCrl.

Parameter Syntax

$result = $client->deleteCrl([
    'crlId' => '<string>', // REQUIRED
]);

Parameter Details

Members
crlId
Required: Yes
Type: string

The unique identifier of the certificate revocation list (CRL).

Result Syntax

[
    'crl' => [
        'createdAt' => <DateTime>,
        'crlArn' => '<string>',
        'crlData' => <string || resource || Psr\Http\Message\StreamInterface>,
        'crlId' => '<string>',
        'enabled' => true || false,
        'name' => '<string>',
        'trustAnchorArn' => '<string>',
        'updatedAt' => <DateTime>,
    ],
]

Result Details

Members
crl
Required: Yes
Type: CrlDetail structure

The state of the certificate revocation list (CRL) after a read or write operation.

Errors

ResourceNotFoundException:

The resource could not be found.

AccessDeniedException:

You do not have sufficient access to perform this action.

DeleteProfile

$result = $client->deleteProfile([/* ... */]);
$promise = $client->deleteProfileAsync([/* ... */]);

Deletes a profile.

Required permissions: rolesanywhere:DeleteProfile.

Parameter Syntax

$result = $client->deleteProfile([
    'profileId' => '<string>', // REQUIRED
]);

Parameter Details

Members
profileId
Required: Yes
Type: string

The unique identifier of the profile.

Result Syntax

[
    'profile' => [
        'acceptRoleSessionName' => true || false,
        'attributeMappings' => [
            [
                'certificateField' => 'x509Subject|x509Issuer|x509SAN',
                'mappingRules' => [
                    [
                        'specifier' => '<string>',
                    ],
                    // ...
                ],
            ],
            // ...
        ],
        'createdAt' => <DateTime>,
        'createdBy' => '<string>',
        'durationSeconds' => <integer>,
        'enabled' => true || false,
        'managedPolicyArns' => ['<string>', ...],
        'name' => '<string>',
        'profileArn' => '<string>',
        'profileId' => '<string>',
        'requireInstanceProperties' => true || false,
        'roleArns' => ['<string>', ...],
        'sessionPolicy' => '<string>',
        'updatedAt' => <DateTime>,
    ],
]

Result Details

Members
profile
Type: ProfileDetail structure

The state of the profile after a read or write operation.

Errors

ResourceNotFoundException:

The resource could not be found.

AccessDeniedException:

You do not have sufficient access to perform this action.

DeleteTrustAnchor

$result = $client->deleteTrustAnchor([/* ... */]);
$promise = $client->deleteTrustAnchorAsync([/* ... */]);

Deletes a trust anchor.

Required permissions: rolesanywhere:DeleteTrustAnchor.

Parameter Syntax

$result = $client->deleteTrustAnchor([
    'trustAnchorId' => '<string>', // REQUIRED
]);

Parameter Details

Members
trustAnchorId
Required: Yes
Type: string

The unique identifier of the trust anchor.

Result Syntax

[
    'trustAnchor' => [
        'createdAt' => <DateTime>,
        'enabled' => true || false,
        'name' => '<string>',
        'notificationSettings' => [
            [
                'channel' => 'ALL',
                'configuredBy' => '<string>',
                'enabled' => true || false,
                'event' => 'CA_CERTIFICATE_EXPIRY|END_ENTITY_CERTIFICATE_EXPIRY',
                'threshold' => <integer>,
            ],
            // ...
        ],
        'source' => [
            'sourceData' => [
                'acmPcaArn' => '<string>',
                'x509CertificateData' => '<string>',
            ],
            'sourceType' => 'AWS_ACM_PCA|CERTIFICATE_BUNDLE|SELF_SIGNED_REPOSITORY',
        ],
        'trustAnchorArn' => '<string>',
        'trustAnchorId' => '<string>',
        'updatedAt' => <DateTime>,
    ],
]

Result Details

Members
trustAnchor
Required: Yes
Type: TrustAnchorDetail structure

The state of the trust anchor after a read or write operation.

Errors

ResourceNotFoundException:

The resource could not be found.

AccessDeniedException:

You do not have sufficient access to perform this action.

DisableCrl

$result = $client->disableCrl([/* ... */]);
$promise = $client->disableCrlAsync([/* ... */]);

Disables a certificate revocation list (CRL).

Required permissions: rolesanywhere:DisableCrl.

Parameter Syntax

$result = $client->disableCrl([
    'crlId' => '<string>', // REQUIRED
]);

Parameter Details

Members
crlId
Required: Yes
Type: string

The unique identifier of the certificate revocation list (CRL).

Result Syntax

[
    'crl' => [
        'createdAt' => <DateTime>,
        'crlArn' => '<string>',
        'crlData' => <string || resource || Psr\Http\Message\StreamInterface>,
        'crlId' => '<string>',
        'enabled' => true || false,
        'name' => '<string>',
        'trustAnchorArn' => '<string>',
        'updatedAt' => <DateTime>,
    ],
]

Result Details

Members
crl
Required: Yes
Type: CrlDetail structure

The state of the certificate revocation list (CRL) after a read or write operation.

Errors

ResourceNotFoundException:

The resource could not be found.

AccessDeniedException:

You do not have sufficient access to perform this action.

DisableProfile

$result = $client->disableProfile([/* ... */]);
$promise = $client->disableProfileAsync([/* ... */]);

Disables a profile. When disabled, temporary credential requests with this profile fail.

Required permissions: rolesanywhere:DisableProfile.

Parameter Syntax

$result = $client->disableProfile([
    'profileId' => '<string>', // REQUIRED
]);

Parameter Details

Members
profileId
Required: Yes
Type: string

The unique identifier of the profile.

Result Syntax

[
    'profile' => [
        'acceptRoleSessionName' => true || false,
        'attributeMappings' => [
            [
                'certificateField' => 'x509Subject|x509Issuer|x509SAN',
                'mappingRules' => [
                    [
                        'specifier' => '<string>',
                    ],
                    // ...
                ],
            ],
            // ...
        ],
        'createdAt' => <DateTime>,
        'createdBy' => '<string>',
        'durationSeconds' => <integer>,
        'enabled' => true || false,
        'managedPolicyArns' => ['<string>', ...],
        'name' => '<string>',
        'profileArn' => '<string>',
        'profileId' => '<string>',
        'requireInstanceProperties' => true || false,
        'roleArns' => ['<string>', ...],
        'sessionPolicy' => '<string>',
        'updatedAt' => <DateTime>,
    ],
]

Result Details

Members
profile
Type: ProfileDetail structure

The state of the profile after a read or write operation.

Errors

ResourceNotFoundException:

The resource could not be found.

AccessDeniedException:

You do not have sufficient access to perform this action.

DisableTrustAnchor

$result = $client->disableTrustAnchor([/* ... */]);
$promise = $client->disableTrustAnchorAsync([/* ... */]);

Disables a trust anchor. When disabled, temporary credential requests specifying this trust anchor are unauthorized.

Required permissions: rolesanywhere:DisableTrustAnchor.

Parameter Syntax

$result = $client->disableTrustAnchor([
    'trustAnchorId' => '<string>', // REQUIRED
]);

Parameter Details

Members
trustAnchorId
Required: Yes
Type: string

The unique identifier of the trust anchor.

Result Syntax

[
    'trustAnchor' => [
        'createdAt' => <DateTime>,
        'enabled' => true || false,
        'name' => '<string>',
        'notificationSettings' => [
            [
                'channel' => 'ALL',
                'configuredBy' => '<string>',
                'enabled' => true || false,
                'event' => 'CA_CERTIFICATE_EXPIRY|END_ENTITY_CERTIFICATE_EXPIRY',
                'threshold' => <integer>,
            ],
            // ...
        ],
        'source' => [
            'sourceData' => [
                'acmPcaArn' => '<string>',
                'x509CertificateData' => '<string>',
            ],
            'sourceType' => 'AWS_ACM_PCA|CERTIFICATE_BUNDLE|SELF_SIGNED_REPOSITORY',
        ],
        'trustAnchorArn' => '<string>',
        'trustAnchorId' => '<string>',
        'updatedAt' => <DateTime>,
    ],
]

Result Details

Members
trustAnchor
Required: Yes
Type: TrustAnchorDetail structure

The state of the trust anchor after a read or write operation.

Errors

ResourceNotFoundException:

The resource could not be found.

AccessDeniedException:

You do not have sufficient access to perform this action.

EnableCrl

$result = $client->enableCrl([/* ... */]);
$promise = $client->enableCrlAsync([/* ... */]);

Enables a certificate revocation list (CRL). When enabled, certificates stored in the CRL are unauthorized to receive session credentials.

Required permissions: rolesanywhere:EnableCrl.

Parameter Syntax

$result = $client->enableCrl([
    'crlId' => '<string>', // REQUIRED
]);

Parameter Details

Members
crlId
Required: Yes
Type: string

The unique identifier of the certificate revocation list (CRL).

Result Syntax

[
    'crl' => [
        'createdAt' => <DateTime>,
        'crlArn' => '<string>',
        'crlData' => <string || resource || Psr\Http\Message\StreamInterface>,
        'crlId' => '<string>',
        'enabled' => true || false,
        'name' => '<string>',
        'trustAnchorArn' => '<string>',
        'updatedAt' => <DateTime>,
    ],
]

Result Details

Members
crl
Required: Yes
Type: CrlDetail structure

The state of the certificate revocation list (CRL) after a read or write operation.

Errors

ResourceNotFoundException:

The resource could not be found.

AccessDeniedException:

You do not have sufficient access to perform this action.

EnableProfile

$result = $client->enableProfile([/* ... */]);
$promise = $client->enableProfileAsync([/* ... */]);

Enables temporary credential requests for a profile.

Required permissions: rolesanywhere:EnableProfile.

Parameter Syntax

$result = $client->enableProfile([
    'profileId' => '<string>', // REQUIRED
]);

Parameter Details

Members
profileId
Required: Yes
Type: string

The unique identifier of the profile.

Result Syntax

[
    'profile' => [
        'acceptRoleSessionName' => true || false,
        'attributeMappings' => [
            [
                'certificateField' => 'x509Subject|x509Issuer|x509SAN',
                'mappingRules' => [
                    [
                        'specifier' => '<string>',
                    ],
                    // ...
                ],
            ],
            // ...
        ],
        'createdAt' => <DateTime>,
        'createdBy' => '<string>',
        'durationSeconds' => <integer>,
        'enabled' => true || false,
        'managedPolicyArns' => ['<string>', ...],
        'name' => '<string>',
        'profileArn' => '<string>',
        'profileId' => '<string>',
        'requireInstanceProperties' => true || false,
        'roleArns' => ['<string>', ...],
        'sessionPolicy' => '<string>',
        'updatedAt' => <DateTime>,
    ],
]

Result Details

Members
profile
Type: ProfileDetail structure

The state of the profile after a read or write operation.

Errors

ResourceNotFoundException:

The resource could not be found.

AccessDeniedException:

You do not have sufficient access to perform this action.

EnableTrustAnchor

$result = $client->enableTrustAnchor([/* ... */]);
$promise = $client->enableTrustAnchorAsync([/* ... */]);

Enables a trust anchor. When enabled, certificates in the trust anchor chain are authorized for trust validation.

Required permissions: rolesanywhere:EnableTrustAnchor.

Parameter Syntax

$result = $client->enableTrustAnchor([
    'trustAnchorId' => '<string>', // REQUIRED
]);

Parameter Details

Members
trustAnchorId
Required: Yes
Type: string

The unique identifier of the trust anchor.

Result Syntax

[
    'trustAnchor' => [
        'createdAt' => <DateTime>,
        'enabled' => true || false,
        'name' => '<string>',
        'notificationSettings' => [
            [
                'channel' => 'ALL',
                'configuredBy' => '<string>',
                'enabled' => true || false,
                'event' => 'CA_CERTIFICATE_EXPIRY|END_ENTITY_CERTIFICATE_EXPIRY',
                'threshold' => <integer>,
            ],
            // ...
        ],
        'source' => [
            'sourceData' => [
                'acmPcaArn' => '<string>',
                'x509CertificateData' => '<string>',
            ],
            'sourceType' => 'AWS_ACM_PCA|CERTIFICATE_BUNDLE|SELF_SIGNED_REPOSITORY',
        ],
        'trustAnchorArn' => '<string>',
        'trustAnchorId' => '<string>',
        'updatedAt' => <DateTime>,
    ],
]

Result Details

Members
trustAnchor
Required: Yes
Type: TrustAnchorDetail structure

The state of the trust anchor after a read or write operation.

Errors

ResourceNotFoundException:

The resource could not be found.

AccessDeniedException:

You do not have sufficient access to perform this action.

GetCrl

$result = $client->getCrl([/* ... */]);
$promise = $client->getCrlAsync([/* ... */]);

Gets a certificate revocation list (CRL).

Required permissions: rolesanywhere:GetCrl.

Parameter Syntax

$result = $client->getCrl([
    'crlId' => '<string>', // REQUIRED
]);

Parameter Details

Members
crlId
Required: Yes
Type: string

The unique identifier of the certificate revocation list (CRL).

Result Syntax

[
    'crl' => [
        'createdAt' => <DateTime>,
        'crlArn' => '<string>',
        'crlData' => <string || resource || Psr\Http\Message\StreamInterface>,
        'crlId' => '<string>',
        'enabled' => true || false,
        'name' => '<string>',
        'trustAnchorArn' => '<string>',
        'updatedAt' => <DateTime>,
    ],
]

Result Details

Members
crl
Required: Yes
Type: CrlDetail structure

The state of the certificate revocation list (CRL) after a read or write operation.

Errors

ResourceNotFoundException:

The resource could not be found.

GetProfile

$result = $client->getProfile([/* ... */]);
$promise = $client->getProfileAsync([/* ... */]);

Gets a profile.

Required permissions: rolesanywhere:GetProfile.

Parameter Syntax

$result = $client->getProfile([
    'profileId' => '<string>', // REQUIRED
]);

Parameter Details

Members
profileId
Required: Yes
Type: string

The unique identifier of the profile.

Result Syntax

[
    'profile' => [
        'acceptRoleSessionName' => true || false,
        'attributeMappings' => [
            [
                'certificateField' => 'x509Subject|x509Issuer|x509SAN',
                'mappingRules' => [
                    [
                        'specifier' => '<string>',
                    ],
                    // ...
                ],
            ],
            // ...
        ],
        'createdAt' => <DateTime>,
        'createdBy' => '<string>',
        'durationSeconds' => <integer>,
        'enabled' => true || false,
        'managedPolicyArns' => ['<string>', ...],
        'name' => '<string>',
        'profileArn' => '<string>',
        'profileId' => '<string>',
        'requireInstanceProperties' => true || false,
        'roleArns' => ['<string>', ...],
        'sessionPolicy' => '<string>',
        'updatedAt' => <DateTime>,
    ],
]

Result Details

Members
profile
Type: ProfileDetail structure

The state of the profile after a read or write operation.

Errors

ResourceNotFoundException:

The resource could not be found.

AccessDeniedException:

You do not have sufficient access to perform this action.

GetSubject

$result = $client->getSubject([/* ... */]);
$promise = $client->getSubjectAsync([/* ... */]);

Gets a subject, which associates a certificate identity with authentication attempts. The subject stores auditing information such as the status of the last authentication attempt, the certificate data used in the attempt, and the last time the associated identity attempted authentication.

Required permissions: rolesanywhere:GetSubject.

Parameter Syntax

$result = $client->getSubject([
    'subjectId' => '<string>', // REQUIRED
]);

Parameter Details

Members
subjectId
Required: Yes
Type: string

The unique identifier of the subject.

Result Syntax

[
    'subject' => [
        'createdAt' => <DateTime>,
        'credentials' => [
            [
                'enabled' => true || false,
                'failed' => true || false,
                'issuer' => '<string>',
                'seenAt' => <DateTime>,
                'serialNumber' => '<string>',
                'x509CertificateData' => '<string>',
            ],
            // ...
        ],
        'enabled' => true || false,
        'instanceProperties' => [
            [
                'failed' => true || false,
                'properties' => ['<string>', ...],
                'seenAt' => <DateTime>,
            ],
            // ...
        ],
        'lastSeenAt' => <DateTime>,
        'subjectArn' => '<string>',
        'subjectId' => '<string>',
        'updatedAt' => <DateTime>,
        'x509Subject' => '<string>',
    ],
]

Result Details

Members
subject
Type: SubjectDetail structure

The state of the subject after a read or write operation.

Errors

ResourceNotFoundException:

The resource could not be found.

AccessDeniedException:

You do not have sufficient access to perform this action.

GetTrustAnchor

$result = $client->getTrustAnchor([/* ... */]);
$promise = $client->getTrustAnchorAsync([/* ... */]);

Gets a trust anchor.

Required permissions: rolesanywhere:GetTrustAnchor.

Parameter Syntax

$result = $client->getTrustAnchor([
    'trustAnchorId' => '<string>', // REQUIRED
]);

Parameter Details

Members
trustAnchorId
Required: Yes
Type: string

The unique identifier of the trust anchor.

Result Syntax

[
    'trustAnchor' => [
        'createdAt' => <DateTime>,
        'enabled' => true || false,
        'name' => '<string>',
        'notificationSettings' => [
            [
                'channel' => 'ALL',
                'configuredBy' => '<string>',
                'enabled' => true || false,
                'event' => 'CA_CERTIFICATE_EXPIRY|END_ENTITY_CERTIFICATE_EXPIRY',
                'threshold' => <integer>,
            ],
            // ...
        ],
        'source' => [
            'sourceData' => [
                'acmPcaArn' => '<string>',
                'x509CertificateData' => '<string>',
            ],
            'sourceType' => 'AWS_ACM_PCA|CERTIFICATE_BUNDLE|SELF_SIGNED_REPOSITORY',
        ],
        'trustAnchorArn' => '<string>',
        'trustAnchorId' => '<string>',
        'updatedAt' => <DateTime>,
    ],
]

Result Details

Members
trustAnchor
Required: Yes
Type: TrustAnchorDetail structure

The state of the trust anchor after a read or write operation.

Errors

ValidationException:

Validation exception error.

ResourceNotFoundException:

The resource could not be found.

AccessDeniedException:

You do not have sufficient access to perform this action.

ImportCrl

$result = $client->importCrl([/* ... */]);
$promise = $client->importCrlAsync([/* ... */]);

Imports the certificate revocation list (CRL). A CRL is a list of certificates that have been revoked by the issuing certificate Authority (CA).In order to be properly imported, a CRL must be in PEM format. IAM Roles Anywhere validates against the CRL before issuing credentials.

Required permissions: rolesanywhere:ImportCrl.

Parameter Syntax

$result = $client->importCrl([
    'crlData' => <string || resource || Psr\Http\Message\StreamInterface>, // REQUIRED
    'enabled' => true || false,
    'name' => '<string>', // REQUIRED
    'tags' => [
        [
            'key' => '<string>', // REQUIRED
            'value' => '<string>', // REQUIRED
        ],
        // ...
    ],
    'trustAnchorArn' => '<string>', // REQUIRED
]);

Parameter Details

Members
crlData
Required: Yes
Type: blob (string|resource|Psr\Http\Message\StreamInterface)

The x509 v3 specified certificate revocation list (CRL).

enabled
Type: boolean

Specifies whether the certificate revocation list (CRL) is enabled.

name
Required: Yes
Type: string

The name of the certificate revocation list (CRL).

tags
Type: Array of Tag structures

A list of tags to attach to the certificate revocation list (CRL).

trustAnchorArn
Required: Yes
Type: string

The ARN of the TrustAnchor the certificate revocation list (CRL) will provide revocation for.

Result Syntax

[
    'crl' => [
        'createdAt' => <DateTime>,
        'crlArn' => '<string>',
        'crlData' => <string || resource || Psr\Http\Message\StreamInterface>,
        'crlId' => '<string>',
        'enabled' => true || false,
        'name' => '<string>',
        'trustAnchorArn' => '<string>',
        'updatedAt' => <DateTime>,
    ],
]

Result Details

Members
crl
Required: Yes
Type: CrlDetail structure

The state of the certificate revocation list (CRL) after a read or write operation.

Errors

ValidationException:

Validation exception error.

AccessDeniedException:

You do not have sufficient access to perform this action.

ListCrls

$result = $client->listCrls([/* ... */]);
$promise = $client->listCrlsAsync([/* ... */]);

Lists all certificate revocation lists (CRL) in the authenticated account and Amazon Web Services Region.

Required permissions: rolesanywhere:ListCrls.

Parameter Syntax

$result = $client->listCrls([
    'nextToken' => '<string>',
    'pageSize' => <integer>,
]);

Parameter Details

Members
nextToken
Type: string

A token that indicates where the output should continue from, if a previous request did not show all results. To get the next results, make the request again with this value.

pageSize
Type: int

The number of resources in the paginated list.

Result Syntax

[
    'crls' => [
        [
            'createdAt' => <DateTime>,
            'crlArn' => '<string>',
            'crlData' => <string || resource || Psr\Http\Message\StreamInterface>,
            'crlId' => '<string>',
            'enabled' => true || false,
            'name' => '<string>',
            'trustAnchorArn' => '<string>',
            'updatedAt' => <DateTime>,
        ],
        // ...
    ],
    'nextToken' => '<string>',
]

Result Details

Members
crls
Type: Array of CrlDetail structures

A list of certificate revocation lists (CRL).

nextToken
Type: string

A token that indicates where the output should continue from, if a previous request did not show all results. To get the next results, make the request again with this value.

Errors

ValidationException:

Validation exception error.

AccessDeniedException:

You do not have sufficient access to perform this action.

ListProfiles

$result = $client->listProfiles([/* ... */]);
$promise = $client->listProfilesAsync([/* ... */]);

Lists all profiles in the authenticated account and Amazon Web Services Region.

Required permissions: rolesanywhere:ListProfiles.

Parameter Syntax

$result = $client->listProfiles([
    'nextToken' => '<string>',
    'pageSize' => <integer>,
]);

Parameter Details

Members
nextToken
Type: string

A token that indicates where the output should continue from, if a previous request did not show all results. To get the next results, make the request again with this value.

pageSize
Type: int

The number of resources in the paginated list.

Result Syntax

[
    'nextToken' => '<string>',
    'profiles' => [
        [
            'acceptRoleSessionName' => true || false,
            'attributeMappings' => [
                [
                    'certificateField' => 'x509Subject|x509Issuer|x509SAN',
                    'mappingRules' => [
                        [
                            'specifier' => '<string>',
                        ],
                        // ...
                    ],
                ],
                // ...
            ],
            'createdAt' => <DateTime>,
            'createdBy' => '<string>',
            'durationSeconds' => <integer>,
            'enabled' => true || false,
            'managedPolicyArns' => ['<string>', ...],
            'name' => '<string>',
            'profileArn' => '<string>',
            'profileId' => '<string>',
            'requireInstanceProperties' => true || false,
            'roleArns' => ['<string>', ...],
            'sessionPolicy' => '<string>',
            'updatedAt' => <DateTime>,
        ],
        // ...
    ],
]

Result Details

Members
nextToken
Type: string

A token that indicates where the output should continue from, if a previous request did not show all results. To get the next results, make the request again with this value.

profiles
Type: Array of ProfileDetail structures

A list of profiles.

Errors

ValidationException:

Validation exception error.

AccessDeniedException:

You do not have sufficient access to perform this action.

ListSubjects

$result = $client->listSubjects([/* ... */]);
$promise = $client->listSubjectsAsync([/* ... */]);

Lists the subjects in the authenticated account and Amazon Web Services Region.

Required permissions: rolesanywhere:ListSubjects.

Parameter Syntax

$result = $client->listSubjects([
    'nextToken' => '<string>',
    'pageSize' => <integer>,
]);

Parameter Details

Members
nextToken
Type: string

A token that indicates where the output should continue from, if a previous request did not show all results. To get the next results, make the request again with this value.

pageSize
Type: int

The number of resources in the paginated list.

Result Syntax

[
    'nextToken' => '<string>',
    'subjects' => [
        [
            'createdAt' => <DateTime>,
            'enabled' => true || false,
            'lastSeenAt' => <DateTime>,
            'subjectArn' => '<string>',
            'subjectId' => '<string>',
            'updatedAt' => <DateTime>,
            'x509Subject' => '<string>',
        ],
        // ...
    ],
]

Result Details

Members
nextToken
Type: string

A token that indicates where the output should continue from, if a previous request did not show all results. To get the next results, make the request again with this value.

subjects
Type: Array of SubjectSummary structures

A list of subjects.

Errors

ValidationException:

Validation exception error.

AccessDeniedException:

You do not have sufficient access to perform this action.

ListTagsForResource

$result = $client->listTagsForResource([/* ... */]);
$promise = $client->listTagsForResourceAsync([/* ... */]);

Lists the tags attached to the resource.

Required permissions: rolesanywhere:ListTagsForResource.

Parameter Syntax

$result = $client->listTagsForResource([
    'resourceArn' => '<string>', // REQUIRED
]);

Parameter Details

Members
resourceArn
Required: Yes
Type: string

The ARN of the resource.

Result Syntax

[
    'tags' => [
        [
            'key' => '<string>',
            'value' => '<string>',
        ],
        // ...
    ],
]

Result Details

Members
tags
Type: Array of Tag structures

A list of tags attached to the resource.

Errors

ValidationException:

Validation exception error.

ResourceNotFoundException:

The resource could not be found.

AccessDeniedException:

You do not have sufficient access to perform this action.

ListTrustAnchors

$result = $client->listTrustAnchors([/* ... */]);
$promise = $client->listTrustAnchorsAsync([/* ... */]);

Lists the trust anchors in the authenticated account and Amazon Web Services Region.

Required permissions: rolesanywhere:ListTrustAnchors.

Parameter Syntax

$result = $client->listTrustAnchors([
    'nextToken' => '<string>',
    'pageSize' => <integer>,
]);

Parameter Details

Members
nextToken
Type: string

A token that indicates where the output should continue from, if a previous request did not show all results. To get the next results, make the request again with this value.

pageSize
Type: int

The number of resources in the paginated list.

Result Syntax

[
    'nextToken' => '<string>',
    'trustAnchors' => [
        [
            'createdAt' => <DateTime>,
            'enabled' => true || false,
            'name' => '<string>',
            'notificationSettings' => [
                [
                    'channel' => 'ALL',
                    'configuredBy' => '<string>',
                    'enabled' => true || false,
                    'event' => 'CA_CERTIFICATE_EXPIRY|END_ENTITY_CERTIFICATE_EXPIRY',
                    'threshold' => <integer>,
                ],
                // ...
            ],
            'source' => [
                'sourceData' => [
                    'acmPcaArn' => '<string>',
                    'x509CertificateData' => '<string>',
                ],
                'sourceType' => 'AWS_ACM_PCA|CERTIFICATE_BUNDLE|SELF_SIGNED_REPOSITORY',
            ],
            'trustAnchorArn' => '<string>',
            'trustAnchorId' => '<string>',
            'updatedAt' => <DateTime>,
        ],
        // ...
    ],
]

Result Details

Members
nextToken
Type: string

A token that indicates where the output should continue from, if a previous request did not show all results. To get the next results, make the request again with this value.

trustAnchors
Type: Array of TrustAnchorDetail structures

A list of trust anchors.

Errors

ValidationException:

Validation exception error.

AccessDeniedException:

You do not have sufficient access to perform this action.

PutAttributeMapping

$result = $client->putAttributeMapping([/* ... */]);
$promise = $client->putAttributeMappingAsync([/* ... */]);

Put an entry in the attribute mapping rules that will be enforced by a given profile. A mapping specifies a certificate field and one or more specifiers that have contextual meanings.

Parameter Syntax

$result = $client->putAttributeMapping([
    'certificateField' => 'x509Subject|x509Issuer|x509SAN', // REQUIRED
    'mappingRules' => [ // REQUIRED
        [
            'specifier' => '<string>', // REQUIRED
        ],
        // ...
    ],
    'profileId' => '<string>', // REQUIRED
]);

Parameter Details

Members
certificateField
Required: Yes
Type: string

Fields (x509Subject, x509Issuer and x509SAN) within X.509 certificates.

mappingRules
Required: Yes
Type: Array of MappingRule structures

A list of mapping entries for every supported specifier or sub-field.

profileId
Required: Yes
Type: string

The unique identifier of the profile.

Result Syntax

[
    'profile' => [
        'acceptRoleSessionName' => true || false,
        'attributeMappings' => [
            [
                'certificateField' => 'x509Subject|x509Issuer|x509SAN',
                'mappingRules' => [
                    [
                        'specifier' => '<string>',
                    ],
                    // ...
                ],
            ],
            // ...
        ],
        'createdAt' => <DateTime>,
        'createdBy' => '<string>',
        'durationSeconds' => <integer>,
        'enabled' => true || false,
        'managedPolicyArns' => ['<string>', ...],
        'name' => '<string>',
        'profileArn' => '<string>',
        'profileId' => '<string>',
        'requireInstanceProperties' => true || false,
        'roleArns' => ['<string>', ...],
        'sessionPolicy' => '<string>',
        'updatedAt' => <DateTime>,
    ],
]

Result Details

Members
profile
Required: Yes
Type: ProfileDetail structure

The state of the profile after a read or write operation.

Errors

ValidationException:

Validation exception error.

ResourceNotFoundException:

The resource could not be found.

AccessDeniedException:

You do not have sufficient access to perform this action.

PutNotificationSettings

$result = $client->putNotificationSettings([/* ... */]);
$promise = $client->putNotificationSettingsAsync([/* ... */]);

Attaches a list of notification settings to a trust anchor.

A notification setting includes information such as event name, threshold, status of the notification setting, and the channel to notify.

Required permissions: rolesanywhere:PutNotificationSettings.

Parameter Syntax

$result = $client->putNotificationSettings([
    'notificationSettings' => [ // REQUIRED
        [
            'channel' => 'ALL',
            'enabled' => true || false, // REQUIRED
            'event' => 'CA_CERTIFICATE_EXPIRY|END_ENTITY_CERTIFICATE_EXPIRY', // REQUIRED
            'threshold' => <integer>,
        ],
        // ...
    ],
    'trustAnchorId' => '<string>', // REQUIRED
]);

Parameter Details

Members
notificationSettings
Required: Yes
Type: Array of NotificationSetting structures

A list of notification settings to be associated to the trust anchor.

trustAnchorId
Required: Yes
Type: string

The unique identifier of the trust anchor.

Result Syntax

[
    'trustAnchor' => [
        'createdAt' => <DateTime>,
        'enabled' => true || false,
        'name' => '<string>',
        'notificationSettings' => [
            [
                'channel' => 'ALL',
                'configuredBy' => '<string>',
                'enabled' => true || false,
                'event' => 'CA_CERTIFICATE_EXPIRY|END_ENTITY_CERTIFICATE_EXPIRY',
                'threshold' => <integer>,
            ],
            // ...
        ],
        'source' => [
            'sourceData' => [
                'acmPcaArn' => '<string>',
                'x509CertificateData' => '<string>',
            ],
            'sourceType' => 'AWS_ACM_PCA|CERTIFICATE_BUNDLE|SELF_SIGNED_REPOSITORY',
        ],
        'trustAnchorArn' => '<string>',
        'trustAnchorId' => '<string>',
        'updatedAt' => <DateTime>,
    ],
]

Result Details

Members
trustAnchor
Required: Yes
Type: TrustAnchorDetail structure

The state of the trust anchor after a read or write operation.

Errors

ValidationException:

Validation exception error.

ResourceNotFoundException:

The resource could not be found.

AccessDeniedException:

You do not have sufficient access to perform this action.

ResetNotificationSettings

$result = $client->resetNotificationSettings([/* ... */]);
$promise = $client->resetNotificationSettingsAsync([/* ... */]);

Resets the custom notification setting to IAM Roles Anywhere default setting.

Required permissions: rolesanywhere:ResetNotificationSettings.

Parameter Syntax

$result = $client->resetNotificationSettings([
    'notificationSettingKeys' => [ // REQUIRED
        [
            'channel' => 'ALL',
            'event' => 'CA_CERTIFICATE_EXPIRY|END_ENTITY_CERTIFICATE_EXPIRY', // REQUIRED
        ],
        // ...
    ],
    'trustAnchorId' => '<string>', // REQUIRED
]);

Parameter Details

Members
notificationSettingKeys
Required: Yes
Type: Array of NotificationSettingKey structures

A list of notification setting keys to reset. A notification setting key includes the event and the channel.

trustAnchorId
Required: Yes
Type: string

The unique identifier of the trust anchor.

Result Syntax

[
    'trustAnchor' => [
        'createdAt' => <DateTime>,
        'enabled' => true || false,
        'name' => '<string>',
        'notificationSettings' => [
            [
                'channel' => 'ALL',
                'configuredBy' => '<string>',
                'enabled' => true || false,
                'event' => 'CA_CERTIFICATE_EXPIRY|END_ENTITY_CERTIFICATE_EXPIRY',
                'threshold' => <integer>,
            ],
            // ...
        ],
        'source' => [
            'sourceData' => [
                'acmPcaArn' => '<string>',
                'x509CertificateData' => '<string>',
            ],
            'sourceType' => 'AWS_ACM_PCA|CERTIFICATE_BUNDLE|SELF_SIGNED_REPOSITORY',
        ],
        'trustAnchorArn' => '<string>',
        'trustAnchorId' => '<string>',
        'updatedAt' => <DateTime>,
    ],
]

Result Details

Members
trustAnchor
Required: Yes
Type: TrustAnchorDetail structure

The state of the trust anchor after a read or write operation.

Errors

ValidationException:

Validation exception error.

ResourceNotFoundException:

The resource could not be found.

AccessDeniedException:

You do not have sufficient access to perform this action.

TagResource

$result = $client->tagResource([/* ... */]);
$promise = $client->tagResourceAsync([/* ... */]);

Attaches tags to a resource.

Required permissions: rolesanywhere:TagResource.

Parameter Syntax

$result = $client->tagResource([
    'resourceArn' => '<string>', // REQUIRED
    'tags' => [ // REQUIRED
        [
            'key' => '<string>', // REQUIRED
            'value' => '<string>', // REQUIRED
        ],
        // ...
    ],
]);

Parameter Details

Members
resourceArn
Required: Yes
Type: string

The ARN of the resource.

tags
Required: Yes
Type: Array of Tag structures

The tags to attach to the resource.

Result Syntax

[]

Result Details

The results for this operation are always empty.

Errors

ValidationException:

Validation exception error.

ResourceNotFoundException:

The resource could not be found.

AccessDeniedException:

You do not have sufficient access to perform this action.

TooManyTagsException:

Too many tags.

UntagResource

$result = $client->untagResource([/* ... */]);
$promise = $client->untagResourceAsync([/* ... */]);

Removes tags from the resource.

Required permissions: rolesanywhere:UntagResource.

Parameter Syntax

$result = $client->untagResource([
    'resourceArn' => '<string>', // REQUIRED
    'tagKeys' => ['<string>', ...], // REQUIRED
]);

Parameter Details

Members
resourceArn
Required: Yes
Type: string

The ARN of the resource.

tagKeys
Required: Yes
Type: Array of strings

A list of keys. Tag keys are the unique identifiers of tags.

Result Syntax

[]

Result Details

The results for this operation are always empty.

Errors

ValidationException:

Validation exception error.

ResourceNotFoundException:

The resource could not be found.

AccessDeniedException:

You do not have sufficient access to perform this action.

UpdateCrl

$result = $client->updateCrl([/* ... */]);
$promise = $client->updateCrlAsync([/* ... */]);

Updates the certificate revocation list (CRL). A CRL is a list of certificates that have been revoked by the issuing certificate authority (CA). IAM Roles Anywhere validates against the CRL before issuing credentials.

Required permissions: rolesanywhere:UpdateCrl.

Parameter Syntax

$result = $client->updateCrl([
    'crlData' => <string || resource || Psr\Http\Message\StreamInterface>,
    'crlId' => '<string>', // REQUIRED
    'name' => '<string>',
]);

Parameter Details

Members
crlData
Type: blob (string|resource|Psr\Http\Message\StreamInterface)

The x509 v3 specified certificate revocation list (CRL).

crlId
Required: Yes
Type: string

The unique identifier of the certificate revocation list (CRL).

name
Type: string

The name of the Crl.

Result Syntax

[
    'crl' => [
        'createdAt' => <DateTime>,
        'crlArn' => '<string>',
        'crlData' => <string || resource || Psr\Http\Message\StreamInterface>,
        'crlId' => '<string>',
        'enabled' => true || false,
        'name' => '<string>',
        'trustAnchorArn' => '<string>',
        'updatedAt' => <DateTime>,
    ],
]

Result Details

Members
crl
Required: Yes
Type: CrlDetail structure

The state of the certificate revocation list (CRL) after a read or write operation.

Errors

ValidationException:

Validation exception error.

ResourceNotFoundException:

The resource could not be found.

AccessDeniedException:

You do not have sufficient access to perform this action.

UpdateProfile

$result = $client->updateProfile([/* ... */]);
$promise = $client->updateProfileAsync([/* ... */]);

Updates a profile, a list of the roles that IAM Roles Anywhere service is trusted to assume. You use profiles to intersect permissions with IAM managed policies.

Required permissions: rolesanywhere:UpdateProfile.

Parameter Syntax

$result = $client->updateProfile([
    'acceptRoleSessionName' => true || false,
    'durationSeconds' => <integer>,
    'managedPolicyArns' => ['<string>', ...],
    'name' => '<string>',
    'profileId' => '<string>', // REQUIRED
    'roleArns' => ['<string>', ...],
    'sessionPolicy' => '<string>',
]);

Parameter Details

Members
acceptRoleSessionName
Type: boolean

Used to determine if a custom role session name will be accepted in a temporary credential request.

durationSeconds
Type: int

Used to determine how long sessions vended using this profile are valid for. See the Expiration section of the CreateSession API documentation page for more details. In requests, if this value is not provided, the default value will be 3600.

managedPolicyArns
Type: Array of strings

A list of managed policy ARNs that apply to the vended session credentials.

name
Type: string

The name of the profile.

profileId
Required: Yes
Type: string

The unique identifier of the profile.

roleArns
Type: Array of strings

A list of IAM roles that this profile can assume in a temporary credential request.

sessionPolicy
Type: string

A session policy that applies to the trust boundary of the vended session credentials.

Result Syntax

[
    'profile' => [
        'acceptRoleSessionName' => true || false,
        'attributeMappings' => [
            [
                'certificateField' => 'x509Subject|x509Issuer|x509SAN',
                'mappingRules' => [
                    [
                        'specifier' => '<string>',
                    ],
                    // ...
                ],
            ],
            // ...
        ],
        'createdAt' => <DateTime>,
        'createdBy' => '<string>',
        'durationSeconds' => <integer>,
        'enabled' => true || false,
        'managedPolicyArns' => ['<string>', ...],
        'name' => '<string>',
        'profileArn' => '<string>',
        'profileId' => '<string>',
        'requireInstanceProperties' => true || false,
        'roleArns' => ['<string>', ...],
        'sessionPolicy' => '<string>',
        'updatedAt' => <DateTime>,
    ],
]

Result Details

Members
profile
Type: ProfileDetail structure

The state of the profile after a read or write operation.

Errors

ValidationException:

Validation exception error.

ResourceNotFoundException:

The resource could not be found.

AccessDeniedException:

You do not have sufficient access to perform this action.

UpdateTrustAnchor

$result = $client->updateTrustAnchor([/* ... */]);
$promise = $client->updateTrustAnchorAsync([/* ... */]);

Updates a trust anchor. You establish trust between IAM Roles Anywhere and your certificate authority (CA) by configuring a trust anchor. You can define a trust anchor as a reference to an Private Certificate Authority (Private CA) or by uploading a CA certificate. Your Amazon Web Services workloads can authenticate with the trust anchor using certificates issued by the CA in exchange for temporary Amazon Web Services credentials.

Required permissions: rolesanywhere:UpdateTrustAnchor.

Parameter Syntax

$result = $client->updateTrustAnchor([
    'name' => '<string>',
    'source' => [
        'sourceData' => [
            'acmPcaArn' => '<string>',
            'x509CertificateData' => '<string>',
        ],
        'sourceType' => 'AWS_ACM_PCA|CERTIFICATE_BUNDLE|SELF_SIGNED_REPOSITORY',
    ],
    'trustAnchorId' => '<string>', // REQUIRED
]);

Parameter Details

Members
name
Type: string

The name of the trust anchor.

source
Type: Source structure

The trust anchor type and its related certificate data.

trustAnchorId
Required: Yes
Type: string

The unique identifier of the trust anchor.

Result Syntax

[
    'trustAnchor' => [
        'createdAt' => <DateTime>,
        'enabled' => true || false,
        'name' => '<string>',
        'notificationSettings' => [
            [
                'channel' => 'ALL',
                'configuredBy' => '<string>',
                'enabled' => true || false,
                'event' => 'CA_CERTIFICATE_EXPIRY|END_ENTITY_CERTIFICATE_EXPIRY',
                'threshold' => <integer>,
            ],
            // ...
        ],
        'source' => [
            'sourceData' => [
                'acmPcaArn' => '<string>',
                'x509CertificateData' => '<string>',
            ],
            'sourceType' => 'AWS_ACM_PCA|CERTIFICATE_BUNDLE|SELF_SIGNED_REPOSITORY',
        ],
        'trustAnchorArn' => '<string>',
        'trustAnchorId' => '<string>',
        'updatedAt' => <DateTime>,
    ],
]

Result Details

Members
trustAnchor
Required: Yes
Type: TrustAnchorDetail structure

The state of the trust anchor after a read or write operation.

Errors

ValidationException:

Validation exception error.

ResourceNotFoundException:

The resource could not be found.

AccessDeniedException:

You do not have sufficient access to perform this action.

Shapes

AccessDeniedException

Description

You do not have sufficient access to perform this action.

Members
message
Type: string

AttributeMapping

Description

A mapping applied to the authenticating end-entity certificate.

Members
certificateField
Type: string

Fields (x509Subject, x509Issuer and x509SAN) within X.509 certificates.

mappingRules
Type: Array of MappingRule structures

A list of mapping entries for every supported specifier or sub-field.

CredentialSummary

Description

A record of a presented X509 credential from a temporary credential request.

Members
enabled
Type: boolean

Indicates whether the credential is enabled.

failed
Type: boolean

Indicates whether the temporary credential request was successful.

issuer
Type: string

The fully qualified domain name of the issuing certificate for the presented end-entity certificate.

seenAt
Type: timestamp (string|DateTime or anything parsable by strtotime)

The ISO-8601 time stamp of when the certificate was last used in a temporary credential request.

serialNumber
Type: string

The serial number of the certificate.

x509CertificateData
Type: string

The PEM-encoded data of the certificate.

CrlDetail

Description

The state of the certificate revocation list (CRL) after a read or write operation.

Members
createdAt
Type: timestamp (string|DateTime or anything parsable by strtotime)

The ISO-8601 timestamp when the certificate revocation list (CRL) was created.

crlArn
Type: string

The ARN of the certificate revocation list (CRL).

crlData
Type: blob (string|resource|Psr\Http\Message\StreamInterface)

The state of the certificate revocation list (CRL) after a read or write operation.

crlId
Type: string

The unique identifier of the certificate revocation list (CRL).

enabled
Type: boolean

Indicates whether the certificate revocation list (CRL) is enabled.

name
Type: string

The name of the certificate revocation list (CRL).

trustAnchorArn
Type: string

The ARN of the TrustAnchor the certificate revocation list (CRL) will provide revocation for.

updatedAt
Type: timestamp (string|DateTime or anything parsable by strtotime)

The ISO-8601 timestamp when the certificate revocation list (CRL) was last updated.

InstanceProperty

Description

A key-value pair you set that identifies a property of the authenticating instance.

Members
failed
Type: boolean

Indicates whether the temporary credential request was successful.

properties
Type: Associative array of custom strings keys (InstancePropertyMapKeyString) to strings

A list of instanceProperty objects.

seenAt
Type: timestamp (string|DateTime or anything parsable by strtotime)

The ISO-8601 time stamp of when the certificate was last used in a temporary credential request.

MappingRule

Description

A single mapping entry for each supported specifier or sub-field.

Members
specifier
Required: Yes
Type: string

Specifier within a certificate field, such as CN, OU, or UID from the Subject field.

NotificationSetting

Description

Customizable notification settings that will be applied to notification events. IAM Roles Anywhere consumes these settings while notifying across multiple channels - CloudWatch metrics, EventBridge, and Health Dashboard.

Members
channel
Type: string

The specified channel of notification. IAM Roles Anywhere uses CloudWatch metrics, EventBridge, and Health Dashboard to notify for an event.

In the absence of a specific channel, IAM Roles Anywhere applies this setting to 'ALL' channels.

enabled
Required: Yes
Type: boolean

Indicates whether the notification setting is enabled.

event
Required: Yes
Type: string

The event to which this notification setting is applied.

threshold
Type: int

The number of days before a notification event. This value is required for a notification setting that is enabled.

NotificationSettingDetail

Description

The state of a notification setting.

A notification setting includes information such as event name, threshold, status of the notification setting, and the channel to notify.

Members
channel
Type: string

The specified channel of notification. IAM Roles Anywhere uses CloudWatch metrics, EventBridge, and Health Dashboard to notify for an event.

In the absence of a specific channel, IAM Roles Anywhere applies this setting to 'ALL' channels.

configuredBy
Type: string

The principal that configured the notification setting. For default settings configured by IAM Roles Anywhere, the value is rolesanywhere.amazonaws.com, and for customized notifications settings, it is the respective account ID.

enabled
Required: Yes
Type: boolean

Indicates whether the notification setting is enabled.

event
Required: Yes
Type: string

The event to which this notification setting is applied.

threshold
Type: int

The number of days before a notification event.

NotificationSettingKey

Description

A notification setting key to reset. A notification setting key includes the event and the channel.

Members
channel
Type: string

The specified channel of notification.

event
Required: Yes
Type: string

The notification setting event to reset.

ProfileDetail

Description

The state of the profile after a read or write operation.

Members
acceptRoleSessionName
Type: boolean

Used to determine if a custom role session name will be accepted in a temporary credential request.

attributeMappings
Type: Array of AttributeMapping structures

A mapping applied to the authenticating end-entity certificate.

createdAt
Type: timestamp (string|DateTime or anything parsable by strtotime)

The ISO-8601 timestamp when the profile was created.

createdBy
Type: string

The Amazon Web Services account that created the profile.

durationSeconds
Type: int

Used to determine how long sessions vended using this profile are valid for. See the Expiration section of the CreateSession API documentation page for more details. In requests, if this value is not provided, the default value will be 3600.

enabled
Type: boolean

Indicates whether the profile is enabled.

managedPolicyArns
Type: Array of strings

A list of managed policy ARNs that apply to the vended session credentials.

name
Type: string

The name of the profile.

profileArn
Type: string

The ARN of the profile.

profileId
Type: string

The unique identifier of the profile.

requireInstanceProperties
Type: boolean

Specifies whether instance properties are required in temporary credential requests with this profile.

roleArns
Type: Array of strings

A list of IAM roles that this profile can assume in a temporary credential request.

sessionPolicy
Type: string

A session policy that applies to the trust boundary of the vended session credentials.

updatedAt
Type: timestamp (string|DateTime or anything parsable by strtotime)

The ISO-8601 timestamp when the profile was last updated.

ResourceNotFoundException

Description

The resource could not be found.

Members
message
Type: string

Source

Description

The trust anchor type and its related certificate data.

Members
sourceData
Type: SourceData structure

The data field of the trust anchor depending on its type.

sourceType
Type: string

The type of the trust anchor.

SourceData

Description

The data field of the trust anchor depending on its type.

Members
acmPcaArn
Type: string

The root certificate of the Private Certificate Authority specified by this ARN is used in trust validation for temporary credential requests. Included for trust anchors of type AWS_ACM_PCA.

x509CertificateData
Type: string

The PEM-encoded data for the certificate anchor. Included for trust anchors of type CERTIFICATE_BUNDLE.

SubjectDetail

Description

The state of the subject after a read or write operation.

Members
createdAt
Type: timestamp (string|DateTime or anything parsable by strtotime)

The ISO-8601 timestamp when the subject was created.

credentials
Type: Array of CredentialSummary structures

The temporary session credentials vended at the last authenticating call with this subject.

enabled
Type: boolean

The enabled status of the subject.

instanceProperties
Type: Array of InstanceProperty structures

The specified instance properties associated with the request.

lastSeenAt
Type: timestamp (string|DateTime or anything parsable by strtotime)

The ISO-8601 timestamp of the last time this subject requested temporary session credentials.

subjectArn
Type: string

The ARN of the resource.

subjectId
Type: string

The id of the resource

updatedAt
Type: timestamp (string|DateTime or anything parsable by strtotime)

The ISO-8601 timestamp when the subject was last updated.

x509Subject
Type: string

The x509 principal identifier of the authenticating certificate.

SubjectSummary

Description

A summary representation of subjects.

Members
createdAt
Type: timestamp (string|DateTime or anything parsable by strtotime)

The ISO-8601 time stamp of when the certificate was first used in a temporary credential request.

enabled
Type: boolean

The enabled status of the subject.

lastSeenAt
Type: timestamp (string|DateTime or anything parsable by strtotime)

The ISO-8601 time stamp of when the certificate was last used in a temporary credential request.

subjectArn
Type: string

The ARN of the resource.

subjectId
Type: string

The id of the resource.

updatedAt
Type: timestamp (string|DateTime or anything parsable by strtotime)

The ISO-8601 timestamp when the subject was last updated.

x509Subject
Type: string

The x509 principal identifier of the authenticating certificate.

Tag

Description

A label that consists of a key and value you define.

Members
key
Required: Yes
Type: string

The tag key.

value
Required: Yes
Type: string

The tag value.

TooManyTagsException

Description

Too many tags.

Members
message
Type: string

TrustAnchorDetail

Description

The state of the trust anchor after a read or write operation.

Members
createdAt
Type: timestamp (string|DateTime or anything parsable by strtotime)

The ISO-8601 timestamp when the trust anchor was created.

enabled
Type: boolean

Indicates whether the trust anchor is enabled.

name
Type: string

The name of the trust anchor.

notificationSettings
Type: Array of NotificationSettingDetail structures

A list of notification settings to be associated to the trust anchor.

source
Type: Source structure

The trust anchor type and its related certificate data.

trustAnchorArn
Type: string

The ARN of the trust anchor.

trustAnchorId
Type: string

The unique identifier of the trust anchor.

updatedAt
Type: timestamp (string|DateTime or anything parsable by strtotime)

The ISO-8601 timestamp when the trust anchor was last updated.

ValidationException

Description

Validation exception error.

Members
message
Type: string