From ce7f8ed3a13babfb4b0522a4f719bb18e979368d Mon Sep 17 00:00:00 2001 From: aws-sdk-python-automation Date: Wed, 19 Apr 2023 18:11:43 +0000 Subject: [PATCH 1/3] Update to latest models --- .../api-change-comprehend-41173.json | 5 + .../next-release/api-change-ecs-57936.json | 5 + .../next-release/api-change-ram-22635.json | 5 + .../next-release/api-change-rds-21090.json | 5 + .../next-release/api-change-s3-73959.json | 5 + .../api-change-s3control-66568.json | 5 + .../api-change-secretsmanager-54677.json | 5 + .../data/comprehend/2017-11-27/service-2.json | 87 +- botocore/data/ecs/2014-11-13/service-2.json | 15 +- .../ram/2018-01-04/endpoint-rule-set-1.json | 436 ++++--- botocore/data/ram/2018-01-04/service-2.json | 1006 ++++++++++++++--- botocore/data/rds/2014-10-31/service-2.json | 32 +- botocore/data/s3/2006-03-01/service-2.json | 212 ++-- .../2018-08-20/endpoint-rule-set-1.json | 114 ++ .../secretsmanager/2017-10-17/service-2.json | 18 +- .../comprehend/endpoint-tests-1.json | 146 +-- .../endpoint-rules/ram/endpoint-tests-1.json | 369 +++--- .../s3control/endpoint-tests-1.json | 127 +++ .../secretsmanager/endpoint-tests-1.json | 50 + .../securityhub/endpoint-tests-1.json | 228 ++-- 20 files changed, 2066 insertions(+), 809 deletions(-) create mode 100644 .changes/next-release/api-change-comprehend-41173.json create mode 100644 .changes/next-release/api-change-ecs-57936.json create mode 100644 .changes/next-release/api-change-ram-22635.json create mode 100644 .changes/next-release/api-change-rds-21090.json create mode 100644 .changes/next-release/api-change-s3-73959.json create mode 100644 .changes/next-release/api-change-s3control-66568.json create mode 100644 .changes/next-release/api-change-secretsmanager-54677.json diff --git a/.changes/next-release/api-change-comprehend-41173.json b/.changes/next-release/api-change-comprehend-41173.json new file mode 100644 index 0000000000..34b458e361 --- /dev/null +++ b/.changes/next-release/api-change-comprehend-41173.json @@ -0,0 +1,5 @@ +{ + "type": "api-change", + "category": "``comprehend``", + "description": "This release supports native document models for custom classification, in addition to plain-text models. You train native document models using documents (PDF, Word, images) in their native format." +} diff --git a/.changes/next-release/api-change-ecs-57936.json b/.changes/next-release/api-change-ecs-57936.json new file mode 100644 index 0000000000..5255488dff --- /dev/null +++ b/.changes/next-release/api-change-ecs-57936.json @@ -0,0 +1,5 @@ +{ + "type": "api-change", + "category": "``ecs``", + "description": "This release supports the Account Setting \"TagResourceAuthorization\" that allows for enhanced Tagging security controls." +} diff --git a/.changes/next-release/api-change-ram-22635.json b/.changes/next-release/api-change-ram-22635.json new file mode 100644 index 0000000000..0b4608afa7 --- /dev/null +++ b/.changes/next-release/api-change-ram-22635.json @@ -0,0 +1,5 @@ +{ + "type": "api-change", + "category": "``ram``", + "description": "This release adds support for customer managed permissions. Customer managed permissions enable customers to author and manage tailored permissions for resources shared using RAM." +} diff --git a/.changes/next-release/api-change-rds-21090.json b/.changes/next-release/api-change-rds-21090.json new file mode 100644 index 0000000000..c48a83d364 --- /dev/null +++ b/.changes/next-release/api-change-rds-21090.json @@ -0,0 +1,5 @@ +{ + "type": "api-change", + "category": "``rds``", + "description": "Adds support for the ImageId parameter of CreateCustomDBEngineVersion to RDS Custom for Oracle" +} diff --git a/.changes/next-release/api-change-s3-73959.json b/.changes/next-release/api-change-s3-73959.json new file mode 100644 index 0000000000..52ab9f2aec --- /dev/null +++ b/.changes/next-release/api-change-s3-73959.json @@ -0,0 +1,5 @@ +{ + "type": "api-change", + "category": "``s3``", + "description": "Provides support for \"Snow\" Storage class." +} diff --git a/.changes/next-release/api-change-s3control-66568.json b/.changes/next-release/api-change-s3control-66568.json new file mode 100644 index 0000000000..cb9a9b90bd --- /dev/null +++ b/.changes/next-release/api-change-s3control-66568.json @@ -0,0 +1,5 @@ +{ + "type": "api-change", + "category": "``s3control``", + "description": "Provides support for overriding endpoint when region is \"snow\". This will enable bucket APIs for Amazon S3 Compatible storage on Snow Family devices." +} diff --git a/.changes/next-release/api-change-secretsmanager-54677.json b/.changes/next-release/api-change-secretsmanager-54677.json new file mode 100644 index 0000000000..4cfcfab432 --- /dev/null +++ b/.changes/next-release/api-change-secretsmanager-54677.json @@ -0,0 +1,5 @@ +{ + "type": "api-change", + "category": "``secretsmanager``", + "description": "Documentation updates for Secrets Manager" +} diff --git a/botocore/data/comprehend/2017-11-27/service-2.json b/botocore/data/comprehend/2017-11-27/service-2.json index a3cef06d18..1d081bb790 100644 --- a/botocore/data/comprehend/2017-11-27/service-2.json +++ b/botocore/data/comprehend/2017-11-27/service-2.json @@ -183,7 +183,7 @@ {"shape":"KmsKeyValidationException"}, {"shape":"InternalServerException"} ], - "documentation":"

Creates a new document classifier that you can use to categorize documents. To create a classifier, you provide a set of training documents that labeled with the categories that you want to use. After the classifier is trained you can use it to categorize a set of labeled documents into the categories. For more information, see Document Classification in the Comprehend Developer Guide.

" + "documentation":"

Creates a new document classifier that you can use to categorize documents. To create a classifier, you provide a set of training documents that are labeled with the categories that you want to use. For more information, see Training classifier models in the Comprehend Developer Guide.

" }, "CreateEndpoint":{ "name":"CreateEndpoint", @@ -1037,6 +1037,7 @@ {"shape":"ResourceUnavailableException"}, {"shape":"KmsKeyValidationException"}, {"shape":"TooManyTagsException"}, + {"shape":"ResourceInUseException"}, {"shape":"InternalServerException"} ], "documentation":"

Starts an asynchronous document classification job. Use the DescribeDocumentClassificationJob operation to track the progress of the job.

" @@ -1054,6 +1055,7 @@ {"shape":"TooManyRequestsException"}, {"shape":"KmsKeyValidationException"}, {"shape":"TooManyTagsException"}, + {"shape":"ResourceInUseException"}, {"shape":"InternalServerException"} ], "documentation":"

Starts an asynchronous dominant language detection job for a collection of documents. Use the operation to track the status of a job.

" @@ -1073,6 +1075,7 @@ {"shape":"ResourceUnavailableException"}, {"shape":"KmsKeyValidationException"}, {"shape":"TooManyTagsException"}, + {"shape":"ResourceInUseException"}, {"shape":"InternalServerException"} ], "documentation":"

Starts an asynchronous entity detection job for a collection of documents. Use the operation to track the status of a job.

This API can be used for either standard entity detection or custom entity recognition. In order to be used for custom entity recognition, the optional EntityRecognizerArn must be used in order to provide access to the recognizer being used to detect the custom entity.

" @@ -1090,6 +1093,7 @@ {"shape":"TooManyRequestsException"}, {"shape":"KmsKeyValidationException"}, {"shape":"TooManyTagsException"}, + {"shape":"ResourceInUseException"}, {"shape":"InternalServerException"} ], "documentation":"

Starts an asynchronous event detection job for a collection of documents.

" @@ -1124,6 +1128,7 @@ {"shape":"TooManyRequestsException"}, {"shape":"KmsKeyValidationException"}, {"shape":"TooManyTagsException"}, + {"shape":"ResourceInUseException"}, {"shape":"InternalServerException"} ], "documentation":"

Starts an asynchronous key phrase detection job for a collection of documents. Use the operation to track the status of a job.

" @@ -1141,6 +1146,7 @@ {"shape":"TooManyRequestsException"}, {"shape":"KmsKeyValidationException"}, {"shape":"TooManyTagsException"}, + {"shape":"ResourceInUseException"}, {"shape":"InternalServerException"} ], "documentation":"

Starts an asynchronous PII entity detection job for a collection of documents.

" @@ -1158,6 +1164,7 @@ {"shape":"TooManyRequestsException"}, {"shape":"KmsKeyValidationException"}, {"shape":"TooManyTagsException"}, + {"shape":"ResourceInUseException"}, {"shape":"InternalServerException"} ], "documentation":"

Starts an asynchronous sentiment detection job for a collection of documents. Use the operation to track the status of a job.

" @@ -1175,6 +1182,7 @@ {"shape":"TooManyRequestsException"}, {"shape":"KmsKeyValidationException"}, {"shape":"TooManyTagsException"}, + {"shape":"ResourceInUseException"}, {"shape":"InternalServerException"} ], "documentation":"

Starts an asynchronous targeted sentiment detection job for a collection of documents. Use the DescribeTargetedSentimentDetectionJob operation to track the status of a job.

" @@ -1192,6 +1200,7 @@ {"shape":"TooManyRequestsException"}, {"shape":"KmsKeyValidationException"}, {"shape":"TooManyTagsException"}, + {"shape":"ResourceInUseException"}, {"shape":"InternalServerException"} ], "documentation":"

Starts an asynchronous topic detection job. Use the DescribeTopicDetectionJob operation to track the status of a job.

" @@ -1982,6 +1991,10 @@ "Errors":{ "shape":"ListOfErrors", "documentation":"

Page-level errors that the system detected while processing the input document. The field is empty if the system encountered no errors.

" + }, + "Warnings":{ + "shape":"ListOfWarnings", + "documentation":"

Warnings detected while processing the input document. The response includes a warning if there is a mismatch between the input document type and the model type associated with the endpoint that you specified. The response can also include warnings for individual pages that have a mismatch.

The field is empty if the system generated no warnings.

" } }, "sensitive":true @@ -2140,7 +2153,7 @@ }, "OutputDataConfig":{ "shape":"DocumentClassifierOutputDataConfig", - "documentation":"

Enables the addition of output results configuration parameters for custom classifier jobs.

" + "documentation":"

Specifies the location for the output files from a custom classifier job. This parameter is required for a request that creates a native classifier model.

" }, "ClientRequestToken":{ "shape":"ClientRequestTokenString", @@ -3359,6 +3372,28 @@ "AUGMENTED_MANIFEST" ] }, + "DocumentClassifierDocumentTypeFormat":{ + "type":"string", + "enum":[ + "PLAIN_TEXT_DOCUMENT", + "SEMI_STRUCTURED_DOCUMENT" + ] + }, + "DocumentClassifierDocuments":{ + "type":"structure", + "required":["S3Uri"], + "members":{ + "S3Uri":{ + "shape":"S3Uri", + "documentation":"

The S3 URI location of the training documents specified in the S3Uri CSV file.

" + }, + "TestS3Uri":{ + "shape":"S3Uri", + "documentation":"

The S3 URI location of the test documents included in the TestS3Uri CSV file. This field is not required if you do not specify a test CSV file.

" + } + }, + "documentation":"

The location of the training documents. This parameter is required in a request to create a native classifier model.

" + }, "DocumentClassifierEndpointArn":{ "type":"string", "max":256, @@ -3408,7 +3443,16 @@ "AugmentedManifests":{ "shape":"DocumentClassifierAugmentedManifestsList", "documentation":"

A list of augmented manifest files that provide training data for your custom model. An augmented manifest file is a labeled dataset that is produced by Amazon SageMaker Ground Truth.

This parameter is required if you set DataFormat to AUGMENTED_MANIFEST.

" - } + }, + "DocumentType":{ + "shape":"DocumentClassifierDocumentTypeFormat", + "documentation":"

The type of input documents for training the model. Provide plain-text documents to create a plain-text model, and provide semi-structured documents to create a native model.

" + }, + "Documents":{ + "shape":"DocumentClassifierDocuments", + "documentation":"

The S3 location of the training documents. This parameter is required in a request to create a native classifier model.

" + }, + "DocumentReaderConfig":{"shape":"DocumentReaderConfig"} }, "documentation":"

The input properties for training a document classifier.

For more information on how the input file is formatted, see Preparing training data in the Comprehend Developer Guide.

" }, @@ -3424,7 +3468,7 @@ "members":{ "S3Uri":{ "shape":"S3Uri", - "documentation":"

When you use the OutputDataConfig object while creating a custom classifier, you specify the Amazon S3 location where you want to write the confusion matrix. The URI must be in the same Region as the API endpoint that you are calling. The location is used as the prefix for the actual location of this output file.

When the custom classifier job is finished, the service creates the output file in a directory specific to the job. The S3Uri field contains the location of the output file, called output.tar.gz. It is a compressed archive that contains the confusion matrix.

" + "documentation":"

When you use the OutputDataConfig object while creating a custom classifier, you specify the Amazon S3 location where you want to write the confusion matrix and other output files. The URI must be in the same Region as the API endpoint that you are calling. The location is used as the prefix for the actual location of this output file.

When the custom classifier job is finished, the service creates the output file in a directory specific to the job. The S3Uri field contains the location of the output file, called output.tar.gz. It is a compressed archive that contains the confusion matrix.

" }, "KmsKeyId":{ "shape":"KmsKeyId", @@ -3435,7 +3479,7 @@ "documentation":"

The Amazon S3 prefix for the data lake location of the flywheel statistics.

" } }, - "documentation":"

Provides output results configuration parameters for custom classifier jobs.

" + "documentation":"

Provide the location for output data from a custom classifier job. This field is mandatory if you are training a native classifier model.

" }, "DocumentClassifierProperties":{ "type":"structure", @@ -3450,7 +3494,7 @@ }, "Status":{ "shape":"ModelStatus", - "documentation":"

The status of the document classifier. If the status is TRAINED the classifier is ready to use. If the status is FAILED you can see additional information about why the classifier wasn't trained in the Message field.

" + "documentation":"

The status of the document classifier. If the status is TRAINED the classifier is ready to use. If the status is TRAINED_WITH_WARNINGS the classifier training succeeded, but you should review the warnings returned in the CreateDocumentClassifier response.

If the status is FAILED you can see additional information about why the classifier wasn't trained in the Message field.

" }, "Message":{ "shape":"AnyLengthString", @@ -3624,7 +3668,7 @@ "documentation":"

Specifies the type of Amazon Textract features to apply. If you chose TEXTRACT_ANALYZE_DOCUMENT as the read action, you must specify one or both of the following values:

" } }, - "documentation":"

Provides configuration parameters to override the default actions for extracting text from PDF documents and image files.

By default, Amazon Comprehend performs the following actions to extract text from files, based on the input file type:

DocumentReaderConfig does not apply to plain text files or Word files.

For image files and PDF documents, you can override these default actions using the fields listed below. For more information, see Setting text extraction options.

" + "documentation":"

Provides configuration parameters to override the default actions for extracting text from PDF documents and image files.

By default, Amazon Comprehend performs the following actions to extract text from files, based on the input file type:

DocumentReaderConfig does not apply to plain text files or Word files.

For image files and PDF documents, you can override these default actions using the fields listed below. For more information, see Setting text extraction options in the Comprehend Developer Guide.

" }, "DocumentType":{ "type":"string", @@ -5515,6 +5559,10 @@ "type":"list", "member":{"shape":"TargetedSentimentEntity"} }, + "ListOfWarnings":{ + "type":"list", + "member":{"shape":"WarningsListItem"} + }, "ListPiiEntitiesDetectionJobsRequest":{ "type":"structure", "members":{ @@ -5731,6 +5779,13 @@ "INTERNAL_SERVER_ERROR" ] }, + "PageBasedWarningCode":{ + "type":"string", + "enum":[ + "INFERENCING_PLAINTEXT_WITH_NATIVE_TRAINED_MODEL", + "INFERENCING_NATIVE_DOCUMENT_WITH_PLAINTEXT_TRAINED_MODEL" + ] + }, "PartOfSpeechTag":{ "type":"structure", "members":{ @@ -7554,6 +7609,24 @@ } }, "documentation":"

Configuration parameters for an optional private Virtual Private Cloud (VPC) containing the resources you are using for the job. For more information, see Amazon VPC.

" + }, + "WarningsListItem":{ + "type":"structure", + "members":{ + "Page":{ + "shape":"Integer", + "documentation":"

Page number in the input document.

" + }, + "WarnCode":{ + "shape":"PageBasedWarningCode", + "documentation":"

The type of warning.

" + }, + "WarnMessage":{ + "shape":"String", + "documentation":"

Text message associated with the warning.

" + } + }, + "documentation":"

The system identified one of the following warnings while processing the input document:

" } }, "documentation":"

Amazon Comprehend is an Amazon Web Services service for gaining insight into the content of documents. Use these actions to determine the topics contained in your documents, the topics they discuss, the predominant sentiment expressed in them, the predominant language used, and more.

" diff --git a/botocore/data/ecs/2014-11-13/service-2.json b/botocore/data/ecs/2014-11-13/service-2.json index 6934ed9c84..640d4d59b3 100644 --- a/botocore/data/ecs/2014-11-13/service-2.json +++ b/botocore/data/ecs/2014-11-13/service-2.json @@ -571,7 +571,7 @@ {"shape":"ClientException"}, {"shape":"InvalidParameterException"} ], - "documentation":"

Modifies an account setting. Account settings are set on a per-Region basis.

If you change the root user account setting, the default settings are reset for users and roles that do not have specified individual account settings. For more information, see Account Settings in the Amazon Elastic Container Service Developer Guide.

When serviceLongArnFormat, taskLongArnFormat, or containerInstanceLongArnFormat are specified, the Amazon Resource Name (ARN) and resource ID format of the resource type for a specified user, role, or the root user for an account is affected. The opt-in and opt-out account setting must be set for each Amazon ECS resource separately. The ARN and resource ID format of a resource is defined by the opt-in status of the user or role that created the resource. You must turn on this setting to use Amazon ECS features such as resource tagging.

When awsvpcTrunking is specified, the elastic network interface (ENI) limit for any new container instances that support the feature is changed. If awsvpcTrunking is turned on, any new container instances that support the feature are launched have the increased ENI limits available to them. For more information, see Elastic Network Interface Trunking in the Amazon Elastic Container Service Developer Guide.

When containerInsights is specified, the default setting indicating whether Amazon Web Services CloudWatch Container Insights is turned on for your clusters is changed. If containerInsights is turned on, any new clusters that are created will have Container Insights turned on unless you disable it during cluster creation. For more information, see CloudWatch Container Insights in the Amazon Elastic Container Service Developer Guide.

" + "documentation":"

Modifies an account setting. Account settings are set on a per-Region basis.

If you change the root user account setting, the default settings are reset for users and roles that do not have specified individual account settings. For more information, see Account Settings in the Amazon Elastic Container Service Developer Guide.

When serviceLongArnFormat, taskLongArnFormat, or containerInstanceLongArnFormat are specified, the Amazon Resource Name (ARN) and resource ID format of the resource type for a specified user, role, or the root user for an account is affected. The opt-in and opt-out account setting must be set for each Amazon ECS resource separately. The ARN and resource ID format of a resource is defined by the opt-in status of the user or role that created the resource. You must turn on this setting to use Amazon ECS features such as resource tagging.

When awsvpcTrunking is specified, the elastic network interface (ENI) limit for any new container instances that support the feature is changed. If awsvpcTrunking is turned on, any new container instances that support the feature are launched have the increased ENI limits available to them. For more information, see Elastic Network Interface Trunking in the Amazon Elastic Container Service Developer Guide.

When containerInsights is specified, the default setting indicating whether Amazon Web Services CloudWatch Container Insights is turned on for your clusters is changed. If containerInsights is turned on, any new clusters that are created will have Container Insights turned on unless you disable it during cluster creation. For more information, see CloudWatch Container Insights in the Amazon Elastic Container Service Developer Guide.

Amazon ECS is introducing tagging authorization for resource creation. Users must have permissions for actions that create the resource, such as ecsCreateCluster. If tags are specified when you create a resource, Amazon Web Services performs additional authorization to verify if users or roles have permissions to create tags. Therefore, you must grant explicit permissions to use the ecs:TagResource action. For more information, see Grant permission to tag resources on creation in the Amazon ECS Developer Guide.

" }, "PutAccountSettingDefault":{ "name":"PutAccountSettingDefault", @@ -2970,7 +2970,7 @@ "documentation":"

The total amount, in GiB, of ephemeral storage to set for the task. The minimum supported value is 21 GiB and the maximum supported value is 200 GiB.

" } }, - "documentation":"

The amount of ephemeral storage to allocate for the task. This parameter is used to expand the total amount of ephemeral storage available, beyond the default amount, for tasks hosted on Fargate. For more information, see Fargate task storage in the Amazon ECS User Guide for Fargate.

For tasks using the Fargate launch type, the task requires the following platforms:

" + "documentation":"

The amount of ephemeral storage to allocate for the task. This parameter is used to expand the total amount of ephemeral storage available, beyond the default amount, for tasks hosted on Fargate. For more information, see Fargate task storage in the Amazon ECS User Guide for Fargate.

For tasks using the Fargate launch type, the task requires the following platforms:

" }, "ExecuteCommandConfiguration":{ "type":"structure", @@ -4321,7 +4321,7 @@ "members":{ "name":{ "shape":"SettingName", - "documentation":"

The resource name for which to modify the account setting. If serviceLongArnFormat is specified, the ARN for your Amazon ECS services is affected. If taskLongArnFormat is specified, the ARN and resource ID for your Amazon ECS tasks is affected. If containerInstanceLongArnFormat is specified, the ARN and resource ID for your Amazon ECS container instances is affected. If awsvpcTrunking is specified, the ENI limit for your Amazon ECS container instances is affected. If containerInsights is specified, the default setting for Amazon Web Services CloudWatch Container Insights for your clusters is affected.

When you specify fargateFIPSMode for the name and enabled for the value, Fargate uses FIPS-140 compliant cryptographic algorithms on your tasks. For more information about FIPS-140 compliance with Fargate, see Amazon Web Services Fargate Federal Information Processing Standard (FIPS) 140-2 compliance in the Amazon Elastic Container Service Developer Guide.

" + "documentation":"

The resource name for which to modify the account setting. If serviceLongArnFormat is specified, the ARN for your Amazon ECS services is affected. If taskLongArnFormat is specified, the ARN and resource ID for your Amazon ECS tasks is affected. If containerInstanceLongArnFormat is specified, the ARN and resource ID for your Amazon ECS container instances is affected. If awsvpcTrunking is specified, the ENI limit for your Amazon ECS container instances is affected. If containerInsights is specified, the default setting for Amazon Web Services CloudWatch Container Insights for your clusters is affected. If tagResourceAuthorization is specified, the opt-in option for tagging resources on creation is affected. For information about the opt-in timeline, see Tagging authorization timeline in the Amazon ECS Developer Guide.

When you specify fargateFIPSMode for the name and enabled for the value, Fargate uses FIPS-140 compliant cryptographic algorithms on your tasks. For more information about FIPS-140 compliance with Fargate, see Amazon Web Services Fargate Federal Information Processing Standard (FIPS) 140-2 compliance in the Amazon Elastic Container Service Developer Guide.

" }, "value":{ "shape":"String", @@ -4347,7 +4347,7 @@ "members":{ "name":{ "shape":"SettingName", - "documentation":"

The Amazon ECS resource name for which to modify the account setting. If serviceLongArnFormat is specified, the ARN for your Amazon ECS services is affected. If taskLongArnFormat is specified, the ARN and resource ID for your Amazon ECS tasks is affected. If containerInstanceLongArnFormat is specified, the ARN and resource ID for your Amazon ECS container instances is affected. If awsvpcTrunking is specified, the elastic network interface (ENI) limit for your Amazon ECS container instances is affected. If containerInsights is specified, the default setting for Amazon Web Services CloudWatch Container Insights for your clusters is affected. If fargateFIPSMode is specified, Fargate FIPS 140 compliance is affected.

" + "documentation":"

The Amazon ECS resource name for which to modify the account setting. If serviceLongArnFormat is specified, the ARN for your Amazon ECS services is affected. If taskLongArnFormat is specified, the ARN and resource ID for your Amazon ECS tasks is affected. If containerInstanceLongArnFormat is specified, the ARN and resource ID for your Amazon ECS container instances is affected. If awsvpcTrunking is specified, the elastic network interface (ENI) limit for your Amazon ECS container instances is affected. If containerInsights is specified, the default setting for Amazon Web Services CloudWatch Container Insights for your clusters is affected. If fargateFIPSMode is specified, Fargate FIPS 140 compliance is affected. If tagResourceAuthorization is specified, the opt-in option for tagging resources on creation is affected. For information about the opt-in timeline, see Tagging authorization timeline in the Amazon ECS Developer Guide.

" }, "value":{ "shape":"String", @@ -4541,7 +4541,7 @@ }, "ephemeralStorage":{ "shape":"EphemeralStorage", - "documentation":"

The amount of ephemeral storage to allocate for the task. This parameter is used to expand the total amount of ephemeral storage available, beyond the default amount, for tasks hosted on Fargate. For more information, see Fargate task storage in the Amazon ECS User Guide for Fargate.

For tasks using the Fargate launch type, the task requires the following platforms:

" + "documentation":"

The amount of ephemeral storage to allocate for the task. This parameter is used to expand the total amount of ephemeral storage available, beyond the default amount, for tasks hosted on Fargate. For more information, see Fargate task storage in the Amazon ECS User Guide for Fargate.

For tasks using the Fargate launch type, the task requires the following platforms:

" }, "runtimePlatform":{ "shape":"RuntimePlatform", @@ -5154,7 +5154,8 @@ "containerInstanceLongArnFormat", "awsvpcTrunking", "containerInsights", - "fargateFIPSMode" + "fargateFIPSMode", + "tagResourceAuthorization" ] }, "Settings":{ @@ -5196,7 +5197,7 @@ }, "enableExecuteCommand":{ "shape":"Boolean", - "documentation":"

Whether or not the execute command functionality is turned on for the task. If true, this enables execute command functionality on all containers in the task.

" + "documentation":"

Whether or not the execute command functionality is turned on for the task. If true, this turns on the execute command functionality on all containers in the task.

" }, "group":{ "shape":"String", diff --git a/botocore/data/ram/2018-01-04/endpoint-rule-set-1.json b/botocore/data/ram/2018-01-04/endpoint-rule-set-1.json index 8c3a83052a..a5e436f21b 100644 --- a/botocore/data/ram/2018-01-04/endpoint-rule-set-1.json +++ b/botocore/data/ram/2018-01-04/endpoint-rule-set-1.json @@ -3,7 +3,7 @@ "parameters": { "Region": { "builtIn": "AWS::Region", - "required": true, + "required": false, "documentation": "The AWS region used to dispatch the request.", "type": "String" }, @@ -32,13 +32,12 @@ { "conditions": [ { - "fn": "aws.partition", + "fn": "isSet", "argv": [ { - "ref": "Region" + "ref": "Endpoint" } - ], - "assign": "PartitionResult" + ] } ], "type": "tree", @@ -46,14 +45,20 @@ { "conditions": [ { - "fn": "isSet", + "fn": "booleanEquals", "argv": [ { - "ref": "Endpoint" - } + "ref": "UseFIPS" + }, + true ] } ], + "error": "Invalid Configuration: FIPS and custom endpoint are not supported", + "type": "error" + }, + { + "conditions": [], "type": "tree", "rules": [ { @@ -62,67 +67,42 @@ "fn": "booleanEquals", "argv": [ { - "ref": "UseFIPS" + "ref": "UseDualStack" }, true ] } ], - "error": "Invalid Configuration: FIPS and custom endpoint are not supported", + "error": "Invalid Configuration: Dualstack and custom endpoint are not supported", "type": "error" }, { "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseDualStack" - }, - true - ] - } - ], - "error": "Invalid Configuration: Dualstack and custom endpoint are not supported", - "type": "error" + "endpoint": { + "url": { + "ref": "Endpoint" }, - { - "conditions": [], - "endpoint": { - "url": { - "ref": "Endpoint" - }, - "properties": {}, - "headers": {} - }, - "type": "endpoint" - } - ] + "properties": {}, + "headers": {} + }, + "type": "endpoint" } ] - }, + } + ] + }, + { + "conditions": [], + "type": "tree", + "rules": [ { "conditions": [ { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseFIPS" - }, - true - ] - }, - { - "fn": "booleanEquals", + "fn": "isSet", "argv": [ { - "ref": "UseDualStack" - }, - true + "ref": "Region" + } ] } ], @@ -131,179 +111,240 @@ { "conditions": [ { - "fn": "booleanEquals", + "fn": "aws.partition", "argv": [ - true, { - "fn": "getAttr", + "ref": "Region" + } + ], + "assign": "PartitionResult" + } + ], + "type": "tree", + "rules": [ + { + "conditions": [ + { + "fn": "booleanEquals", "argv": [ { - "ref": "PartitionResult" + "ref": "UseFIPS" }, - "supportsFIPS" + true ] - } - ] - }, - { - "fn": "booleanEquals", - "argv": [ - true, + }, { - "fn": "getAttr", + "fn": "booleanEquals", "argv": [ { - "ref": "PartitionResult" + "ref": "UseDualStack" }, - "supportsDualStack" + true ] } - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], + ], "type": "tree", "rules": [ + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ + true, + { + "fn": "getAttr", + "argv": [ + { + "ref": "PartitionResult" + }, + "supportsFIPS" + ] + } + ] + }, + { + "fn": "booleanEquals", + "argv": [ + true, + { + "fn": "getAttr", + "argv": [ + { + "ref": "PartitionResult" + }, + "supportsDualStack" + ] + } + ] + } + ], + "type": "tree", + "rules": [ + { + "conditions": [], + "type": "tree", + "rules": [ + { + "conditions": [], + "endpoint": { + "url": "https://ram-fips.{Region}.{PartitionResult#dualStackDnsSuffix}", + "properties": {}, + "headers": {} + }, + "type": "endpoint" + } + ] + } + ] + }, { "conditions": [], - "endpoint": { - "url": "https://ram-fips.{Region}.{PartitionResult#dualStackDnsSuffix}", - "properties": {}, - "headers": {} - }, - "type": "endpoint" + "error": "FIPS and DualStack are enabled, but this partition does not support one or both", + "type": "error" } ] - } - ] - }, - { - "conditions": [], - "error": "FIPS and DualStack are enabled, but this partition does not support one or both", - "type": "error" - } - ] - }, - { - "conditions": [ - { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseFIPS" }, - true - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [ { - "fn": "booleanEquals", - "argv": [ - true, + "conditions": [ { - "fn": "getAttr", + "fn": "booleanEquals", "argv": [ { - "ref": "PartitionResult" + "ref": "UseFIPS" }, - "supportsFIPS" + true ] } - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], + ], "type": "tree", "rules": [ { "conditions": [ { - "fn": "stringEquals", + "fn": "booleanEquals", "argv": [ - "aws-us-gov", + true, { "fn": "getAttr", "argv": [ { "ref": "PartitionResult" }, - "name" + "supportsFIPS" ] } ] } ], - "endpoint": { - "url": "https://ram.{Region}.amazonaws.com", - "properties": {}, - "headers": {} - }, - "type": "endpoint" + "type": "tree", + "rules": [ + { + "conditions": [], + "type": "tree", + "rules": [ + { + "conditions": [ + { + "fn": "stringEquals", + "argv": [ + "aws-us-gov", + { + "fn": "getAttr", + "argv": [ + { + "ref": "PartitionResult" + }, + "name" + ] + } + ] + } + ], + "endpoint": { + "url": "https://ram.{Region}.amazonaws.com", + "properties": {}, + "headers": {} + }, + "type": "endpoint" + }, + { + "conditions": [], + "endpoint": { + "url": "https://ram-fips.{Region}.{PartitionResult#dnsSuffix}", + "properties": {}, + "headers": {} + }, + "type": "endpoint" + } + ] + } + ] }, { "conditions": [], - "endpoint": { - "url": "https://ram-fips.{Region}.{PartitionResult#dnsSuffix}", - "properties": {}, - "headers": {} - }, - "type": "endpoint" + "error": "FIPS is enabled but this partition does not support FIPS", + "type": "error" } ] - } - ] - }, - { - "conditions": [], - "error": "FIPS is enabled but this partition does not support FIPS", - "type": "error" - } - ] - }, - { - "conditions": [ - { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseDualStack" }, - true - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [ { - "fn": "booleanEquals", - "argv": [ - true, + "conditions": [ { - "fn": "getAttr", + "fn": "booleanEquals", "argv": [ { - "ref": "PartitionResult" + "ref": "UseDualStack" }, - "supportsDualStack" + true ] } + ], + "type": "tree", + "rules": [ + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ + true, + { + "fn": "getAttr", + "argv": [ + { + "ref": "PartitionResult" + }, + "supportsDualStack" + ] + } + ] + } + ], + "type": "tree", + "rules": [ + { + "conditions": [], + "type": "tree", + "rules": [ + { + "conditions": [], + "endpoint": { + "url": "https://ram.{Region}.{PartitionResult#dualStackDnsSuffix}", + "properties": {}, + "headers": {} + }, + "type": "endpoint" + } + ] + } + ] + }, + { + "conditions": [], + "error": "DualStack is enabled but this partition does not support DualStack", + "type": "error" + } ] - } - ], - "type": "tree", - "rules": [ + }, { "conditions": [], "type": "tree", @@ -311,7 +352,7 @@ { "conditions": [], "endpoint": { - "url": "https://ram.{Region}.{PartitionResult#dualStackDnsSuffix}", + "url": "https://ram.{Region}.{PartitionResult#dnsSuffix}", "properties": {}, "headers": {} }, @@ -320,66 +361,13 @@ ] } ] - }, - { - "conditions": [], - "error": "DualStack is enabled but this partition does not support DualStack", - "type": "error" } ] }, { "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "stringEquals", - "argv": [ - { - "ref": "Region" - }, - "us-gov-east-1" - ] - } - ], - "endpoint": { - "url": "https://ram.us-gov-east-1.amazonaws.com", - "properties": {}, - "headers": {} - }, - "type": "endpoint" - }, - { - "conditions": [ - { - "fn": "stringEquals", - "argv": [ - { - "ref": "Region" - }, - "us-gov-west-1" - ] - } - ], - "endpoint": { - "url": "https://ram.us-gov-west-1.amazonaws.com", - "properties": {}, - "headers": {} - }, - "type": "endpoint" - }, - { - "conditions": [], - "endpoint": { - "url": "https://ram.{Region}.{PartitionResult#dnsSuffix}", - "properties": {}, - "headers": {} - }, - "type": "endpoint" - } - ] + "error": "Invalid Configuration: Missing Region", + "type": "error" } ] } diff --git a/botocore/data/ram/2018-01-04/service-2.json b/botocore/data/ram/2018-01-04/service-2.json index cd40ed9244..970c6dbc3d 100644 --- a/botocore/data/ram/2018-01-04/service-2.json +++ b/botocore/data/ram/2018-01-04/service-2.json @@ -78,6 +78,50 @@ ], "documentation":"

Adds or replaces the RAM permission for a resource type included in a resource share. You can have exactly one permission associated with each resource type in the resource share. You can add a new RAM permission only if there are currently no resources of that resource type currently in the resource share.

" }, + "CreatePermission":{ + "name":"CreatePermission", + "http":{ + "method":"POST", + "requestUri":"/createpermission" + }, + "input":{"shape":"CreatePermissionRequest"}, + "output":{"shape":"CreatePermissionResponse"}, + "errors":[ + {"shape":"InvalidParameterException"}, + {"shape":"InvalidPolicyException"}, + {"shape":"OperationNotPermittedException"}, + {"shape":"ServerInternalException"}, + {"shape":"ServiceUnavailableException"}, + {"shape":"PermissionAlreadyExistsException"}, + {"shape":"MalformedPolicyTemplateException"}, + {"shape":"InvalidClientTokenException"}, + {"shape":"PermissionLimitExceededException"}, + {"shape":"IdempotentParameterMismatchException"} + ], + "documentation":"

Creates a customer managed permission for a specified resource type that you can attach to resource shares. It is created in the Amazon Web Services Region in which you call the operation.

" + }, + "CreatePermissionVersion":{ + "name":"CreatePermissionVersion", + "http":{ + "method":"POST", + "requestUri":"/createpermissionversion" + }, + "input":{"shape":"CreatePermissionVersionRequest"}, + "output":{"shape":"CreatePermissionVersionResponse"}, + "errors":[ + {"shape":"InvalidParameterException"}, + {"shape":"InvalidPolicyException"}, + {"shape":"ServerInternalException"}, + {"shape":"ServiceUnavailableException"}, + {"shape":"UnknownResourceException"}, + {"shape":"MalformedPolicyTemplateException"}, + {"shape":"MalformedArnException"}, + {"shape":"InvalidClientTokenException"}, + {"shape":"IdempotentParameterMismatchException"}, + {"shape":"PermissionVersionsLimitExceededException"} + ], + "documentation":"

Creates a new version of the specified customer managed permission. The new version is automatically set as the default version of the customer managed permission. New resource shares automatically use the default permission. Existing resource shares continue to use their original permission versions, but you can use ReplacePermissionAssociations to update them.

If the specified customer managed permission already has the maximum of 5 versions, then you must delete one of the existing versions before you can create a new one.

" + }, "CreateResourceShare":{ "name":"CreateResourceShare", "http":{ @@ -101,6 +145,45 @@ ], "documentation":"

Creates a resource share. You can provide a list of the Amazon Resource Names (ARNs) for the resources that you want to share, a list of principals you want to share the resources with, and the permissions to grant those principals.

Sharing a resource makes it available for use by principals outside of the Amazon Web Services account that created the resource. Sharing doesn't change any permissions or quotas that apply to the resource in the account that created it.

" }, + "DeletePermission":{ + "name":"DeletePermission", + "http":{ + "method":"DELETE", + "requestUri":"/deletepermission" + }, + "input":{"shape":"DeletePermissionRequest"}, + "output":{"shape":"DeletePermissionResponse"}, + "errors":[ + {"shape":"MalformedArnException"}, + {"shape":"ServerInternalException"}, + {"shape":"ServiceUnavailableException"}, + {"shape":"OperationNotPermittedException"}, + {"shape":"UnknownResourceException"}, + {"shape":"InvalidClientTokenException"}, + {"shape":"IdempotentParameterMismatchException"} + ], + "documentation":"

Deletes the specified customer managed permission in the Amazon Web Services Region in which you call this operation. You can delete a customer managed permission only if it isn't attached to any resource share. The operation deletes all versions associated with the customer managed permission.

" + }, + "DeletePermissionVersion":{ + "name":"DeletePermissionVersion", + "http":{ + "method":"DELETE", + "requestUri":"/deletepermissionversion" + }, + "input":{"shape":"DeletePermissionVersionRequest"}, + "output":{"shape":"DeletePermissionVersionResponse"}, + "errors":[ + {"shape":"MalformedArnException"}, + {"shape":"InvalidParameterException"}, + {"shape":"ServerInternalException"}, + {"shape":"ServiceUnavailableException"}, + {"shape":"OperationNotPermittedException"}, + {"shape":"UnknownResourceException"}, + {"shape":"InvalidClientTokenException"}, + {"shape":"IdempotentParameterMismatchException"} + ], + "documentation":"

Deletes one version of a customer managed permission. The version you specify must not be attached to any resource share and must not be the default version for the permission.

If a customer managed permission has the maximum of 5 versions, then you must delete at least one version before you can create another.

" + }, "DeleteResourceShare":{ "name":"DeleteResourceShare", "http":{ @@ -120,7 +203,7 @@ {"shape":"ServerInternalException"}, {"shape":"ServiceUnavailableException"} ], - "documentation":"

Deletes the specified resource share. This doesn't delete any of the resources that were associated with the resource share; it only stops the sharing of those resources outside of the Amazon Web Services account that created them.

" + "documentation":"

Deletes the specified resource share.

This doesn't delete any of the resources that were associated with the resource share; it only stops the sharing of those resources through this resource share.

" }, "DisassociateResourceShare":{ "name":"DisassociateResourceShare", @@ -142,7 +225,7 @@ {"shape":"ServiceUnavailableException"}, {"shape":"UnknownResourceException"} ], - "documentation":"

Disassociates the specified principals or resources from the specified resource share.

" + "documentation":"

Removes the specified principals or resources from participating in the specified resource share.

" }, "DisassociateResourceSharePermission":{ "name":"DisassociateResourceSharePermission", @@ -162,7 +245,7 @@ {"shape":"OperationNotPermittedException"}, {"shape":"InvalidStateTransitionException"} ], - "documentation":"

Disassociates an RAM permission from a resource share. Permission changes take effect immediately. You can remove a RAM permission from a resource share only if there are currently no resources of the relevant resource type currently attached to the resource share.

" + "documentation":"

Removes a managed permission from a resource share. Permission changes take effect immediately. You can remove a managed permission from a resource share only if there are currently no resources of the relevant resource type currently attached to the resource share.

" }, "EnableSharingWithAwsOrganization":{ "name":"EnableSharingWithAwsOrganization", @@ -177,7 +260,7 @@ {"shape":"ServerInternalException"}, {"shape":"ServiceUnavailableException"} ], - "documentation":"

Enables resource sharing within your organization in Organizations. Calling this operation enables RAM to retrieve information about the organization and its structure. This lets you share resources with all of the accounts in an organization by specifying the organization's ID, or all of the accounts in an organizational unit (OU) by specifying the OU's ID. Until you enable sharing within the organization, you can specify only individual Amazon Web Services accounts, or for supported resource types, IAM users and roles.

You must call this operation from an IAM user or role in the organization's management account.

" + "documentation":"

Enables resource sharing within your organization in Organizations. This operation creates a service-linked role called AWSServiceRoleForResourceAccessManager that has the IAM managed policy named AWSResourceAccessManagerServiceRolePolicy attached. This role permits RAM to retrieve information about the organization and its structure. This lets you share resources with all of the accounts in the calling account's organization by specifying the organization ID, or all of the accounts in an organizational unit (OU) by specifying the OU ID. Until you enable sharing within the organization, you can specify only individual Amazon Web Services accounts, or for supported resource types, IAM roles and users.

You must call this operation from an IAM role or user in the organization's management account.

" }, "GetPermission":{ "name":"GetPermission", @@ -195,7 +278,7 @@ {"shape":"ServiceUnavailableException"}, {"shape":"OperationNotPermittedException"} ], - "documentation":"

Gets the contents of an RAM permission in JSON format.

" + "documentation":"

Retrieves the contents of a managed permission in JSON format.

" }, "GetResourcePolicies":{ "name":"GetResourcePolicies", @@ -232,7 +315,7 @@ {"shape":"ServerInternalException"}, {"shape":"ServiceUnavailableException"} ], - "documentation":"

Retrieves the resource and principal associations for resource shares that you own.

" + "documentation":"

Retrieves the lists of resources and principals that associated for resource shares that you own.

" }, "GetResourceShareInvitations":{ "name":"GetResourceShareInvitations", @@ -293,6 +376,23 @@ ], "documentation":"

Lists the resources in a resource share that is shared with you but for which the invitation is still PENDING. That means that you haven't accepted or rejected the invitation and the invitation hasn't expired.

" }, + "ListPermissionAssociations":{ + "name":"ListPermissionAssociations", + "http":{ + "method":"POST", + "requestUri":"/listpermissionassociations" + }, + "input":{"shape":"ListPermissionAssociationsRequest"}, + "output":{"shape":"ListPermissionAssociationsResponse"}, + "errors":[ + {"shape":"InvalidParameterException"}, + {"shape":"MalformedArnException"}, + {"shape":"InvalidNextTokenException"}, + {"shape":"ServerInternalException"}, + {"shape":"ServiceUnavailableException"} + ], + "documentation":"

Lists information about the managed permission and its associations to any resource shares that use this managed permission. This lets you see which resource shares use which versions of the specified managed permission.

" + }, "ListPermissionVersions":{ "name":"ListPermissionVersions", "http":{ @@ -347,6 +447,22 @@ ], "documentation":"

Lists the principals that you are sharing resources with or that are sharing resources with you.

" }, + "ListReplacePermissionAssociationsWork":{ + "name":"ListReplacePermissionAssociationsWork", + "http":{ + "method":"POST", + "requestUri":"/listreplacepermissionassociationswork" + }, + "input":{"shape":"ListReplacePermissionAssociationsWorkRequest"}, + "output":{"shape":"ListReplacePermissionAssociationsWorkResponse"}, + "errors":[ + {"shape":"ServerInternalException"}, + {"shape":"ServiceUnavailableException"}, + {"shape":"InvalidNextTokenException"}, + {"shape":"InvalidParameterException"} + ], + "documentation":"

Retrieves the current status of the asynchronous tasks performed by RAM when you perform the ReplacePermissionAssociationsWork operation.

" + }, "ListResourceSharePermissions":{ "name":"ListResourceSharePermissions", "http":{ @@ -401,6 +517,25 @@ ], "documentation":"

Lists the resources that you added to a resource share or the resources that are shared with you.

" }, + "PromotePermissionCreatedFromPolicy":{ + "name":"PromotePermissionCreatedFromPolicy", + "http":{ + "method":"POST", + "requestUri":"/promotepermissioncreatedfrompolicy" + }, + "input":{"shape":"PromotePermissionCreatedFromPolicyRequest"}, + "output":{"shape":"PromotePermissionCreatedFromPolicyResponse"}, + "errors":[ + {"shape":"MalformedArnException"}, + {"shape":"OperationNotPermittedException"}, + {"shape":"InvalidParameterException"}, + {"shape":"MissingRequiredParameterException"}, + {"shape":"ServerInternalException"}, + {"shape":"ServiceUnavailableException"}, + {"shape":"UnknownResourceException"} + ], + "documentation":"

When you attach a resource-based policy to a resource, RAM automatically creates a resource share of featureSet=CREATED_FROM_POLICY with a managed permission that has the same IAM permissions as the original resource-based policy. However, this type of managed permission is visible to only the resource share owner, and the associated resource share can't be modified by using RAM.

This operation creates a separate, fully manageable customer managed permission that has the same IAM permissions as the original resource-based policy. You can associate this customer managed permission to any resource shares.

Before you use PromoteResourceShareCreatedFromPolicy, you should first run this operation to ensure that you have an appropriate customer managed permission that can be associated with the promoted resource share.

" + }, "PromoteResourceShareCreatedFromPolicy":{ "name":"PromoteResourceShareCreatedFromPolicy", "http":{ @@ -417,9 +552,11 @@ {"shape":"MissingRequiredParameterException"}, {"shape":"ServerInternalException"}, {"shape":"ServiceUnavailableException"}, - {"shape":"UnknownResourceException"} + {"shape":"UnknownResourceException"}, + {"shape":"InvalidStateTransitionException"}, + {"shape":"UnmatchedPolicyPermissionException"} ], - "documentation":"

When you attach a resource-based permission policy to a resource, it automatically creates a resource share. However, resource shares created this way are visible only to the resource share owner, and the resource share can't be modified in RAM.

You can use this operation to promote the resource share to a full RAM resource share. When you promote a resource share, you can then manage the resource share in RAM and it becomes visible to all of the principals you shared it with.

" + "documentation":"

When you attach a resource-based policy to a resource, RAM automatically creates a resource share of featureSet=CREATED_FROM_POLICY with a managed permission that has the same IAM permissions as the original resource-based policy. However, this type of managed permission is visible to only the resource share owner, and the associated resource share can't be modified by using RAM.

This operation promotes the resource share to a STANDARD resource share that is fully manageable in RAM. When you promote a resource share, you can then manage the resource share in RAM and it becomes visible to all of the principals you shared it with.

Before you perform this operation, you should first run PromotePermissionCreatedFromPolicyto ensure that you have an appropriate customer managed permission that can be associated with this resource share after its is promoted. If this operation can't find a managed permission that exactly matches the existing CREATED_FROM_POLICY permission, then this operation fails.

" }, "RejectResourceShareInvitation":{ "name":"RejectResourceShareInvitation", @@ -443,6 +580,45 @@ ], "documentation":"

Rejects an invitation to a resource share from another Amazon Web Services account.

" }, + "ReplacePermissionAssociations":{ + "name":"ReplacePermissionAssociations", + "http":{ + "method":"POST", + "requestUri":"/replacepermissionassociations" + }, + "input":{"shape":"ReplacePermissionAssociationsRequest"}, + "output":{"shape":"ReplacePermissionAssociationsResponse"}, + "errors":[ + {"shape":"MalformedArnException"}, + {"shape":"InvalidParameterException"}, + {"shape":"ServerInternalException"}, + {"shape":"ServiceUnavailableException"}, + {"shape":"OperationNotPermittedException"}, + {"shape":"UnknownResourceException"}, + {"shape":"InvalidClientTokenException"}, + {"shape":"IdempotentParameterMismatchException"} + ], + "documentation":"

Updates all resource shares that use a managed permission to a different managed permission. This operation always applies the default version of the target managed permission. You can optionally specify that the update applies to only resource shares that currently use a specified version. This enables you to update to the latest version, without changing the which managed permission is used.

You can use this operation to update all of your resource shares to use the current default version of the permission by specifying the same value for the fromPermissionArn and toPermissionArn parameters.

You can use the optional fromPermissionVersion parameter to update only those resources that use a specified version of the managed permission to the new managed permission.

To successfully perform this operation, you must have permission to update the resource-based policy on all affected resource types.

" + }, + "SetDefaultPermissionVersion":{ + "name":"SetDefaultPermissionVersion", + "http":{ + "method":"POST", + "requestUri":"/setdefaultpermissionversion" + }, + "input":{"shape":"SetDefaultPermissionVersionRequest"}, + "output":{"shape":"SetDefaultPermissionVersionResponse"}, + "errors":[ + {"shape":"InvalidParameterException"}, + {"shape":"MalformedArnException"}, + {"shape":"ServerInternalException"}, + {"shape":"ServiceUnavailableException"}, + {"shape":"UnknownResourceException"}, + {"shape":"InvalidClientTokenException"}, + {"shape":"IdempotentParameterMismatchException"} + ], + "documentation":"

Designates the specified version number as the default version for the specified customer managed permission. New resource shares automatically use this new default permission. Existing resource shares continue to use their original permission version, but you can use ReplacePermissionAssociations to update them.

" + }, "TagResource":{ "name":"TagResource", "http":{ @@ -461,7 +637,7 @@ {"shape":"ServerInternalException"}, {"shape":"ServiceUnavailableException"} ], - "documentation":"

Adds the specified tag keys and values to the specified resource share. The tags are attached only to the resource share, not to the resources that are in the resource share.

" + "documentation":"

Adds the specified tag keys and values to a resource share or managed permission. If you choose a resource share, the tags are attached to only the resource share, not to the resources that are in the resource share.

The tags on a managed permission are the same for all versions of the managed permission.

" }, "UntagResource":{ "name":"UntagResource", @@ -472,11 +648,13 @@ "input":{"shape":"UntagResourceRequest"}, "output":{"shape":"UntagResourceResponse"}, "errors":[ + {"shape":"UnknownResourceException"}, {"shape":"InvalidParameterException"}, + {"shape":"MalformedArnException"}, {"shape":"ServerInternalException"}, {"shape":"ServiceUnavailableException"} ], - "documentation":"

Removes the specified tag key and value pairs from the specified resource share.

" + "documentation":"

Removes the specified tag key and value pairs from the specified resource share or managed permission.

" }, "UpdateResourceShare":{ "name":"UpdateResourceShare", @@ -507,11 +685,11 @@ "members":{ "resourceShareInvitationArn":{ "shape":"String", - "documentation":"

The Amazon Resoure Name (ARN) of the invitation that you want to accept.

" + "documentation":"

The Amazon Resource Name (ARN) of the invitation that you want to accept.

" }, "clientToken":{ "shape":"String", - "documentation":"

Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value..

If you don't provide this value, then Amazon Web Services generates a random one for you.

" + "documentation":"

Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value..

If you don't provide this value, then Amazon Web Services generates a random one for you.

If you retry the operation with the same ClientToken, but with different parameters, the retry fails with an IdempotentParameterMismatch error.

" } } }, @@ -537,23 +715,23 @@ "members":{ "resourceShareArn":{ "shape":"String", - "documentation":"

Specifies the Amazon Resoure Name (ARN) of the resource share to which you want to add or replace permissions.

" + "documentation":"

Specifies the Amazon Resource Name (ARN) of the resource share to which you want to add or replace permissions.

" }, "permissionArn":{ "shape":"String", - "documentation":"

Specifies the Amazon Resoure Name (ARN) of the RAM permission to associate with the resource share. To find the ARN for a permission, use either the ListPermissions operation or go to the Permissions library page in the RAM console and then choose the name of the permission. The ARN is displayed on the detail page.

" + "documentation":"

Specifies the Amazon Resource Name (ARN) of the RAM permission to associate with the resource share. To find the ARN for a permission, use either the ListPermissions operation or go to the Permissions library page in the RAM console and then choose the name of the permission. The ARN is displayed on the detail page.

" }, "replace":{ "shape":"Boolean", - "documentation":"

Specifies whether the specified permission should replace or add to the existing permission associated with the resource share. Use true to replace the current permissions. Use false to add the permission to the current permission. The default value is false.

A resource share can have only one permission per resource type. If a resource share already has a permission for the specified resource type and you don't set replace to true then the operation returns an error. This helps prevent accidental overwriting of a permission.

" + "documentation":"

Specifies whether the specified permission should replace the existing permission associated with the resource share. Use true to replace the current permissions. Use false to add the permission to a resource share that currently doesn't have a permission. The default value is false.

A resource share can have only one permission per resource type. If a resource share already has a permission for the specified resource type and you don't set replace to true then the operation returns an error. This helps prevent accidental overwriting of a permission.

" }, "clientToken":{ "shape":"String", - "documentation":"

Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value..

If you don't provide this value, then Amazon Web Services generates a random one for you.

" + "documentation":"

Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value..

If you don't provide this value, then Amazon Web Services generates a random one for you.

If you retry the operation with the same ClientToken, but with different parameters, the retry fails with an IdempotentParameterMismatch error.

" }, "permissionVersion":{ "shape":"Integer", - "documentation":"

Specifies the version of the RAM permission to associate with the resource share. If you don't specify this parameter, the operation uses the version designated as the default. You can use the ListPermissionVersions operation to discover the available versions of a permission.

" + "documentation":"

Specifies the version of the RAM permission to associate with the resource share. You can specify only the version that is currently set as the default version for the permission. If you also set the replace pararameter to true, then this operation updates an outdated version of the permission to the current default version.

You don't need to specify this parameter because the default behavior is to use the version that is currently set as the default version for the permission. This parameter is supported for backwards compatibility.

" } } }, @@ -576,7 +754,7 @@ "members":{ "resourceShareArn":{ "shape":"String", - "documentation":"

Specifies the Amazon Resoure Name (ARN) of the resource share that you want to add principals or resources to.

" + "documentation":"

Specifies the Amazon Resource Name (ARN) of the resource share that you want to add principals or resources to.

" }, "resourceArns":{ "shape":"ResourceArnList", @@ -584,11 +762,11 @@ }, "principals":{ "shape":"PrincipalArnOrIdList", - "documentation":"

Specifies a list of principals to whom you want to the resource share. This can be null if you want to add only resources.

What the principals can do with the resources in the share is determined by the RAM permissions that you associate with the resource share. See AssociateResourceSharePermission.

You can include the following values:

Not all resource types can be shared with IAM roles and users. For more information, see Sharing with IAM roles and users in the Resource Access Manager User Guide.

" + "documentation":"

Specifies a list of principals to whom you want to the resource share. This can be null if you want to add only resources.

What the principals can do with the resources in the share is determined by the RAM permissions that you associate with the resource share. See AssociateResourceSharePermission.

You can include the following values:

Not all resource types can be shared with IAM roles and users. For more information, see Sharing with IAM roles and users in the Resource Access Manager User Guide.

" }, "clientToken":{ "shape":"String", - "documentation":"

Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value..

If you don't provide this value, then Amazon Web Services generates a random one for you.

" + "documentation":"

Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value..

If you don't provide this value, then Amazon Web Services generates a random one for you.

If you retry the operation with the same ClientToken, but with different parameters, the retry fails with an IdempotentParameterMismatch error.

" } } }, @@ -605,7 +783,123 @@ } } }, + "AssociatedPermission":{ + "type":"structure", + "members":{ + "arn":{ + "shape":"String", + "documentation":"

The Amazon Resource Name (ARN) of the associated managed permission.

" + }, + "permissionVersion":{ + "shape":"String", + "documentation":"

The version of the permission currently associated with the resource share.

" + }, + "defaultVersion":{ + "shape":"Boolean", + "documentation":"

Indicates whether the associated resource share is using the default version of the permission.

" + }, + "resourceType":{ + "shape":"String", + "documentation":"

The resource type to which this permission applies.

" + }, + "status":{ + "shape":"String", + "documentation":"

The current status of the association between the permission and the resource share. The following are the possible values:

" + }, + "featureSet":{ + "shape":"PermissionFeatureSet", + "documentation":"

Indicates what features are available for this resource share. This parameter can have one of the following values:

" + }, + "lastUpdatedTime":{ + "shape":"DateTime", + "documentation":"

The date and time when the association between the permission and the resource share was last updated.

" + }, + "resourceShareArn":{ + "shape":"String", + "documentation":"

The Amazon Resource Name (ARN) of a resource share associated with this permission.

" + } + }, + "documentation":"

An object that describes a managed permission associated with a resource share.

" + }, + "AssociatedPermissionList":{ + "type":"list", + "member":{"shape":"AssociatedPermission"} + }, "Boolean":{"type":"boolean"}, + "CreatePermissionRequest":{ + "type":"structure", + "required":[ + "name", + "resourceType", + "policyTemplate" + ], + "members":{ + "name":{ + "shape":"PermissionName", + "documentation":"

Specifies the name of the customer managed permission. The name must be unique within the Amazon Web Services Region.

" + }, + "resourceType":{ + "shape":"String", + "documentation":"

Specifies the name of the resource type that this customer managed permission applies to.

The format is <service-code>:<resource-type> and is not case sensitive. For example, to specify an Amazon EC2 Subnet, you can use the string ec2:subnet. To see the list of valid values for this parameter, query the ListResourceTypes operation.

" + }, + "policyTemplate":{ + "shape":"Policy", + "documentation":"

A string in JSON format string that contains the following elements of a resource-based policy:

This template can't include either the Resource or Principal elements. Those are both filled in by RAM when it instantiates the resource-based policy on each resource shared using this managed permission. The Resource comes from the ARN of the specific resource that you are sharing. The Principal comes from the list of identities added to the resource share.

" + }, + "clientToken":{ + "shape":"String", + "documentation":"

Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value..

If you don't provide this value, then Amazon Web Services generates a random one for you.

If you retry the operation with the same ClientToken, but with different parameters, the retry fails with an IdempotentParameterMismatch error.

" + }, + "tags":{ + "shape":"TagList", + "documentation":"

Specifies a list of one or more tag key and value pairs to attach to the permission.

" + } + } + }, + "CreatePermissionResponse":{ + "type":"structure", + "members":{ + "permission":{ + "shape":"ResourceSharePermissionSummary", + "documentation":"

A structure with information about this customer managed permission.

" + }, + "clientToken":{ + "shape":"String", + "documentation":"

The idempotency identifier associated with this request. If you want to repeat the same operation in an idempotent manner then you must include this value in the clientToken request parameter of that later call. All other parameters must also have the same values that you used in the first call.

" + } + } + }, + "CreatePermissionVersionRequest":{ + "type":"structure", + "required":[ + "permissionArn", + "policyTemplate" + ], + "members":{ + "permissionArn":{ + "shape":"String", + "documentation":"

Specifies the Amazon Resource Name (ARN) of the customer managed permission you're creating a new version for.

" + }, + "policyTemplate":{ + "shape":"Policy", + "documentation":"

A string in JSON format string that contains the following elements of a resource-based policy:

This template can't include either the Resource or Principal elements. Those are both filled in by RAM when it instantiates the resource-based policy on each resource shared using this managed permission. The Resource comes from the ARN of the specific resource that you are sharing. The Principal comes from the list of identities added to the resource share.

" + }, + "clientToken":{ + "shape":"String", + "documentation":"

Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value..

If you don't provide this value, then Amazon Web Services generates a random one for you.

If you retry the operation with the same ClientToken, but with different parameters, the retry fails with an IdempotentParameterMismatch error.

" + } + } + }, + "CreatePermissionVersionResponse":{ + "type":"structure", + "members":{ + "permission":{"shape":"ResourceSharePermissionDetail"}, + "clientToken":{ + "shape":"String", + "documentation":"

The idempotency identifier associated with this request. If you want to repeat the same operation in an idempotent manner then you must include this value in the clientToken request parameter of that later call. All other parameters must also have the same values that you used in the first call.

" + } + } + }, "CreateResourceShareRequest":{ "type":"structure", "required":["name"], @@ -620,7 +914,7 @@ }, "principals":{ "shape":"PrincipalArnOrIdList", - "documentation":"

Specifies a list of one or more principals to associate with the resource share.

You can include the following values:

Not all resource types can be shared with IAM roles and users. For more information, see Sharing with IAM roles and users in the Resource Access Manager User Guide.

" + "documentation":"

Specifies a list of one or more principals to associate with the resource share.

You can include the following values:

Not all resource types can be shared with IAM roles and users. For more information, see Sharing with IAM roles and users in the Resource Access Manager User Guide.

" }, "tags":{ "shape":"TagList", @@ -632,7 +926,7 @@ }, "clientToken":{ "shape":"String", - "documentation":"

Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value..

If you don't provide this value, then Amazon Web Services generates a random one for you.

" + "documentation":"

Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value..

If you don't provide this value, then Amazon Web Services generates a random one for you.

If you retry the operation with the same ClientToken, but with different parameters, the retry fails with an IdempotentParameterMismatch error.

" }, "permissionArns":{ "shape":"PermissionArnList", @@ -654,19 +948,98 @@ } }, "DateTime":{"type":"timestamp"}, + "DeletePermissionRequest":{ + "type":"structure", + "required":["permissionArn"], + "members":{ + "permissionArn":{ + "shape":"String", + "documentation":"

Specifies the Amazon Resource Name (ARN) of the customer managed permission that you want to delete.

", + "location":"querystring", + "locationName":"permissionArn" + }, + "clientToken":{ + "shape":"String", + "documentation":"

Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value..

If you don't provide this value, then Amazon Web Services generates a random one for you.

If you retry the operation with the same ClientToken, but with different parameters, the retry fails with an IdempotentParameterMismatch error.

", + "location":"querystring", + "locationName":"clientToken" + } + } + }, + "DeletePermissionResponse":{ + "type":"structure", + "members":{ + "returnValue":{ + "shape":"Boolean", + "documentation":"

A boolean that indicates whether the delete operations succeeded.

" + }, + "clientToken":{ + "shape":"String", + "documentation":"

The idempotency identifier associated with this request. If you want to repeat the same operation in an idempotent manner then you must include this value in the clientToken request parameter of that later call. All other parameters must also have the same values that you used in the first call.

" + }, + "permissionStatus":{ + "shape":"PermissionStatus", + "documentation":"

This operation is performed asynchronously, and this response parameter indicates the current status.

" + } + } + }, + "DeletePermissionVersionRequest":{ + "type":"structure", + "required":[ + "permissionArn", + "permissionVersion" + ], + "members":{ + "permissionArn":{ + "shape":"String", + "documentation":"

Specifies the Amazon Resource Name (ARN) of the permission with the version you want to delete.

", + "location":"querystring", + "locationName":"permissionArn" + }, + "permissionVersion":{ + "shape":"Integer", + "documentation":"

Specifies the version number to delete.

You can't delete the default version for a customer managed permission.

You can't delete a version if it's the only version of the permission. You must either first create another version, or delete the permission completely.

You can't delete a version if it is attached to any resource shares. If the version is the default, you must first use SetDefaultPermissionVersion to set a different version as the default for the customer managed permission, and then use AssociateResourceSharePermission to update your resource shares to use the new default version.

", + "location":"querystring", + "locationName":"permissionVersion" + }, + "clientToken":{ + "shape":"String", + "documentation":"

Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value..

If you don't provide this value, then Amazon Web Services generates a random one for you.

If you retry the operation with the same ClientToken, but with different parameters, the retry fails with an IdempotentParameterMismatch error.

", + "location":"querystring", + "locationName":"clientToken" + } + } + }, + "DeletePermissionVersionResponse":{ + "type":"structure", + "members":{ + "returnValue":{ + "shape":"Boolean", + "documentation":"

A boolean value that indicates whether the operation is successful.

" + }, + "clientToken":{ + "shape":"String", + "documentation":"

The idempotency identifier associated with this request. If you want to repeat the same operation in an idempotent manner then you must include this value in the clientToken request parameter of that later call. All other parameters must also have the same values that you used in the first call.

" + }, + "permissionStatus":{ + "shape":"PermissionStatus", + "documentation":"

This operation is performed asynchronously, and this response parameter indicates the current status.

" + } + } + }, "DeleteResourceShareRequest":{ "type":"structure", "required":["resourceShareArn"], "members":{ "resourceShareArn":{ "shape":"String", - "documentation":"

Specifies the Amazon Resoure Name (ARN) of the resource share to delete.

", + "documentation":"

Specifies the Amazon Resource Name (ARN) of the resource share to delete.

", "location":"querystring", "locationName":"resourceShareArn" }, "clientToken":{ "shape":"String", - "documentation":"

Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value..

If you don't provide this value, then Amazon Web Services generates a random one for you.

", + "documentation":"

Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value..

If you don't provide this value, then Amazon Web Services generates a random one for you.

If you retry the operation with the same ClientToken, but with different parameters, the retry fails with an IdempotentParameterMismatch error.

", "location":"querystring", "locationName":"clientToken" } @@ -694,15 +1067,15 @@ "members":{ "resourceShareArn":{ "shape":"String", - "documentation":"

The Amazon Resoure Name (ARN) of the resource share from which you want to disassociate a permission.

" + "documentation":"

The Amazon Resource Name (ARN) of the resource share that you want to remove the managed permission from.

" }, "permissionArn":{ "shape":"String", - "documentation":"

The Amazon Resoure Name (ARN) of the permission to disassociate from the resource share. Changes to permissions take effect immediately.

" + "documentation":"

The Amazon Resource Name (ARN) of the managed permission to disassociate from the resource share. Changes to permissions take effect immediately.

" }, "clientToken":{ "shape":"String", - "documentation":"

Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value..

If you don't provide this value, then Amazon Web Services generates a random one for you.

" + "documentation":"

Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value..

If you don't provide this value, then Amazon Web Services generates a random one for you.

If you retry the operation with the same ClientToken, but with different parameters, the retry fails with an IdempotentParameterMismatch error.

" } } }, @@ -725,19 +1098,19 @@ "members":{ "resourceShareArn":{ "shape":"String", - "documentation":"

Specifies Amazon Resoure Name (ARN) of the resource share that you want to remove resources from.

" + "documentation":"

Specifies Amazon Resource Name (ARN) of the resource share that you want to remove resources or principals from.

" }, "resourceArns":{ "shape":"ResourceArnList", - "documentation":"

Specifies a list of Amazon Resource Names (ARNs) for one or more resources that you want to remove from the resource share. After the operation runs, these resources are no longer shared with principals outside of the Amazon Web Services account that created the resources.

" + "documentation":"

Specifies a list of Amazon Resource Names (ARNs) for one or more resources that you want to remove from the resource share. After the operation runs, these resources are no longer shared with principals associated with the resource share.

" }, "principals":{ "shape":"PrincipalArnOrIdList", - "documentation":"

Specifies a list of one or more principals that no longer are to have access to the resources in this resource share.

You can include the following values:

Not all resource types can be shared with IAM roles and users. For more information, see Sharing with IAM roles and users in the Resource Access Manager User Guide.

" + "documentation":"

Specifies a list of one or more principals that no longer are to have access to the resources in this resource share.

You can include the following values:

Not all resource types can be shared with IAM roles and users. For more information, see Sharing with IAM roles and users in the Resource Access Manager User Guide.

" }, "clientToken":{ "shape":"String", - "documentation":"

Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value..

If you don't provide this value, then Amazon Web Services generates a random one for you.

" + "documentation":"

Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value..

If you don't provide this value, then Amazon Web Services generates a random one for you.

If you retry the operation with the same ClientToken, but with different parameters, the retry fails with an IdempotentParameterMismatch error.

" } } }, @@ -746,7 +1119,7 @@ "members":{ "resourceShareAssociations":{ "shape":"ResourceShareAssociationList", - "documentation":"

An array of objects that contain information about the updated associations for this resource share.

" + "documentation":"

An array of objects with information about the updated associations for this resource share.

" }, "clientToken":{ "shape":"String", @@ -774,11 +1147,11 @@ "members":{ "permissionArn":{ "shape":"String", - "documentation":"

Specifies the Amazon Resoure Name (ARN) of the permission whose contents you want to retrieve. To find the ARN for a permission, use either the ListPermissions operation or go to the Permissions library page in the RAM console and then choose the name of the permission. The ARN is displayed on the detail page.

" + "documentation":"

Specifies the Amazon Resource Name (ARN) of the permission whose contents you want to retrieve. To find the ARN for a permission, use either the ListPermissions operation or go to the Permissions library page in the RAM console and then choose the name of the permission. The ARN is displayed on the detail page.

" }, "permissionVersion":{ "shape":"Integer", - "documentation":"

Specifies identifier for the version of the RAM permission to retrieve. If you don't specify this parameter, the operation retrieves the default version.

" + "documentation":"

Specifies the version number of the RAM permission to retrieve. If you don't specify this parameter, the operation retrieves the default version.

To see the list of available versions, use ListPermissionVersions.

" } } }, @@ -787,7 +1160,7 @@ "members":{ "permission":{ "shape":"ResourceSharePermissionDetail", - "documentation":"

An object that contains information about the permission.

" + "documentation":"

An object with details about the permission.

" } } }, @@ -832,7 +1205,7 @@ "members":{ "associationType":{ "shape":"ResourceShareAssociationType", - "documentation":"

Specifies whether you want to retrieve the associations that involve a specified resource or principal.

" + "documentation":"

Specifies whether you want to retrieve the associations that involve a specified resource or principal.

" }, "resourceShareArns":{ "shape":"ResourceShareArnList", @@ -840,15 +1213,15 @@ }, "resourceArn":{ "shape":"String", - "documentation":"

Specifies the Amazon Resoure Name (ARN) of the resource whose resource shares you want to retrieve.

You cannot specify this parameter if the association type is PRINCIPAL.

" + "documentation":"

Specifies the Amazon Resource Name (ARN) of a resource whose resource shares you want to retrieve.

You cannot specify this parameter if the association type is PRINCIPAL.

" }, "principal":{ "shape":"String", - "documentation":"

Specifies the ID of the principal whose resource shares you want to retrieve. This can be an Amazon Web Services account ID, an organization ID, an organizational unit ID, or the Amazon Resoure Name (ARN) of an individual IAM user or role.

You cannot specify this parameter if the association type is RESOURCE.

" + "documentation":"

Specifies the ID of the principal whose resource shares you want to retrieve. This can be an Amazon Web Services account ID, an organization ID, an organizational unit ID, or the Amazon Resource Name (ARN) of an individual IAM user or role.

You cannot specify this parameter if the association type is RESOURCE.

" }, "associationStatus":{ "shape":"ResourceShareAssociationStatus", - "documentation":"

Specifies that you want to retrieve only associations with this status.

" + "documentation":"

Specifies that you want to retrieve only associations that have this status.

" }, "nextToken":{ "shape":"String", @@ -941,7 +1314,11 @@ }, "permissionArn":{ "shape":"String", - "documentation":"

Specifies that you want to retrieve details of only those resource shares that use the RAM permission with this Amazon Resoure Name (ARN).

" + "documentation":"

Specifies that you want to retrieve details of only those resource shares that use the managed permission with this Amazon Resource Name (ARN).

" + }, + "permissionVersion":{ + "shape":"Integer", + "documentation":"

Specifies that you want to retrieve details for only those resource shares that use the specified version of the managed permission.

" } } }, @@ -964,7 +1341,7 @@ "members":{ "message":{"shape":"String"} }, - "documentation":"

The client token input parameter was matched one used with a previous call to the operation, but at least one of the other input parameters is different from the previous call.

", + "documentation":"

The operation failed because the client token input parameter matched one that was used with a previous call to the operation, but at least one of the other input parameters is different from the previous call.

", "error":{"httpStatusCode":400}, "exception":true }, @@ -975,7 +1352,7 @@ "members":{ "message":{"shape":"String"} }, - "documentation":"

The client token is not valid.

", + "documentation":"

The operation failed because the specified client token isn't valid.

", "error":{"httpStatusCode":400}, "exception":true }, @@ -985,7 +1362,7 @@ "members":{ "message":{"shape":"String"} }, - "documentation":"

The specified value for MaxResults is not valid.

", + "documentation":"

The operation failed because the specified value for MaxResults isn't valid.

", "error":{"httpStatusCode":400}, "exception":true }, @@ -995,7 +1372,7 @@ "members":{ "message":{"shape":"String"} }, - "documentation":"

The specified value for NextToken is not valid.

", + "documentation":"

The operation failed because the specified value for NextToken isn't valid. You must specify a value you received in the NextToken response of a previous call to this operation.

", "error":{"httpStatusCode":400}, "exception":true }, @@ -1005,7 +1382,17 @@ "members":{ "message":{"shape":"String"} }, - "documentation":"

A parameter is not valid.

", + "documentation":"

The operation failed because a parameter you specified isn't valid.

", + "error":{"httpStatusCode":400}, + "exception":true + }, + "InvalidPolicyException":{ + "type":"structure", + "required":["message"], + "members":{ + "message":{"shape":"String"} + }, + "documentation":"

The operation failed because a policy you specified isn't valid.

", "error":{"httpStatusCode":400}, "exception":true }, @@ -1015,7 +1402,7 @@ "members":{ "message":{"shape":"String"} }, - "documentation":"

The specified resource type is not valid.

", + "documentation":"

The operation failed because the specified resource type isn't valid.

", "error":{"httpStatusCode":400}, "exception":true }, @@ -1025,17 +1412,71 @@ "members":{ "message":{"shape":"String"} }, - "documentation":"

The requested state transition is not valid.

", + "documentation":"

The operation failed because the requested operation isn't valid for the resource share in its current state.

", "error":{"httpStatusCode":400}, "exception":true }, - "ListPendingInvitationResourcesRequest":{ + "ListPendingInvitationResourcesRequest":{ + "type":"structure", + "required":["resourceShareInvitationArn"], + "members":{ + "resourceShareInvitationArn":{ + "shape":"String", + "documentation":"

Specifies the Amazon Resource Name (ARN) of the invitation. You can use GetResourceShareInvitations to find the ARN of the invitation.

" + }, + "nextToken":{ + "shape":"String", + "documentation":"

Specifies that you want to receive the next page of results. Valid only if you received a NextToken response in the previous request. If you did, it indicates that more output is available. Set this parameter to the value provided by the previous call's NextToken response to request the next page of results.

" + }, + "maxResults":{ + "shape":"MaxResults", + "documentation":"

Specifies the total number of results that you want included on each page of the response. If you do not include this parameter, it defaults to a value that is specific to the operation. If additional items exist beyond the number you specify, the NextToken response element is returned with a value (not null). Include the specified value as the NextToken request parameter in the next call to the operation to get the next part of the results. Note that the service might return fewer results than the maximum even when there are more results available. You should check NextToken after every operation to ensure that you receive all of the results.

" + }, + "resourceRegionScope":{ + "shape":"ResourceRegionScopeFilter", + "documentation":"

Specifies that you want the results to include only resources that have the specified scope.

The default value is ALL.

" + } + } + }, + "ListPendingInvitationResourcesResponse":{ + "type":"structure", + "members":{ + "resources":{ + "shape":"ResourceList", + "documentation":"

An array of objects that contain the information about the resources included the specified resource share.

" + }, + "nextToken":{ + "shape":"String", + "documentation":"

If present, this value indicates that more output is available than is included in the current response. Use this value in the NextToken request parameter in a subsequent call to the operation to get the next part of the output. You should repeat this until the NextToken response element comes back as null. This indicates that this is the last page of results.

" + } + } + }, + "ListPermissionAssociationsRequest":{ "type":"structure", - "required":["resourceShareInvitationArn"], "members":{ - "resourceShareInvitationArn":{ + "permissionArn":{ + "shape":"String", + "documentation":"

Specifies the Amazon Resource Name (ARN) of the managed permission.

" + }, + "permissionVersion":{ + "shape":"Integer", + "documentation":"

Specifies that you want to list only those associations with resource shares that use this version of the managed permission. If you don't provide a value for this parameter, then the operation returns information about associations with resource shares that use any version of the managed permission.

" + }, + "associationStatus":{ + "shape":"ResourceShareAssociationStatus", + "documentation":"

Specifies that you want to list only those associations with resource shares that match this status.

" + }, + "resourceType":{ "shape":"String", - "documentation":"

Specifies the Amazon Resoure Name (ARN) of the invitation. You can use GetResourceShareInvitations to find the ARN of the invitation.

" + "documentation":"

Specifies that you want to list only those associations with resource shares that include at least one resource of this resource type.

" + }, + "featureSet":{ + "shape":"PermissionFeatureSet", + "documentation":"

Specifies that you want to list only those associations with resource shares that have a featureSet with this value.

" + }, + "defaultVersion":{ + "shape":"Boolean", + "documentation":"

When true, specifies that you want to list only those associations with resource shares that use the default version of the specified managed permission.

When false (the default value), lists associations with resource shares that use any version of the specified managed permission.

" }, "nextToken":{ "shape":"String", @@ -1044,19 +1485,15 @@ "maxResults":{ "shape":"MaxResults", "documentation":"

Specifies the total number of results that you want included on each page of the response. If you do not include this parameter, it defaults to a value that is specific to the operation. If additional items exist beyond the number you specify, the NextToken response element is returned with a value (not null). Include the specified value as the NextToken request parameter in the next call to the operation to get the next part of the results. Note that the service might return fewer results than the maximum even when there are more results available. You should check NextToken after every operation to ensure that you receive all of the results.

" - }, - "resourceRegionScope":{ - "shape":"ResourceRegionScopeFilter", - "documentation":"

Specifies that you want the results to include only resources that have the specified scope.

The default value is ALL.

" } } }, - "ListPendingInvitationResourcesResponse":{ + "ListPermissionAssociationsResponse":{ "type":"structure", "members":{ - "resources":{ - "shape":"ResourceList", - "documentation":"

An array of objects that contain the information about the resources included the specified resource share.

" + "permissions":{ + "shape":"AssociatedPermissionList", + "documentation":"

A structure with information about this customer managed permission.

" }, "nextToken":{ "shape":"String", @@ -1070,7 +1507,7 @@ "members":{ "permissionArn":{ "shape":"String", - "documentation":"

Specifies the Amazon Resoure Name (ARN) of the RAM permission whose versions you want to list. You can use the permissionVersion parameter on the AssociateResourceSharePermission operation to specify a non-default version to attach.

" + "documentation":"

Specifies the Amazon Resource Name (ARN) of the RAM permission whose versions you want to list. You can use the permissionVersion parameter on the AssociateResourceSharePermission operation to specify a non-default version to attach.

" }, "nextToken":{ "shape":"String", @@ -1100,7 +1537,7 @@ "members":{ "resourceType":{ "shape":"String", - "documentation":"

Specifies that you want to list permissions for only the specified resource type. For example, to list only permissions that apply to EC2 subnets, specify ec2:Subnet. You can use the ListResourceTypes operation to get the specific string required.

" + "documentation":"

Specifies that you want to list only those permissions that apply to the specified resource type. This parameter is not case sensitive.

For example, to list only permissions that apply to Amazon EC2 subnets, specify ec2:subnet. You can use the ListResourceTypes operation to get the specific string required.

" }, "nextToken":{ "shape":"String", @@ -1109,6 +1546,10 @@ "maxResults":{ "shape":"MaxResults", "documentation":"

Specifies the total number of results that you want included on each page of the response. If you do not include this parameter, it defaults to a value that is specific to the operation. If additional items exist beyond the number you specify, the NextToken response element is returned with a value (not null). Include the specified value as the NextToken request parameter in the next call to the operation to get the next part of the results. Note that the service might return fewer results than the maximum even when there are more results available. You should check NextToken after every operation to ensure that you receive all of the results.

" + }, + "permissionType":{ + "shape":"PermissionTypeFilter", + "documentation":"

Specifies that you want to list only permissions of this type:

If you don't specify this parameter, the default is All.

" } } }, @@ -1135,11 +1576,11 @@ }, "resourceArn":{ "shape":"String", - "documentation":"

Specifies that you want to list principal information for the resource share with the specified Amazon Resoure Name (ARN).

" + "documentation":"

Specifies that you want to list principal information for the resource share with the specified Amazon Resource Name (ARN).

" }, "principals":{ "shape":"PrincipalArnOrIdList", - "documentation":"

Specifies that you want to list information for only the listed principals.

You can include the following values:

Not all resource types can be shared with IAM roles and users. For more information, see Sharing with IAM roles and users in the Resource Access Manager User Guide.

" + "documentation":"

Specifies that you want to list information for only the listed principals.

You can include the following values:

Not all resource types can be shared with IAM roles and users. For more information, see Sharing with IAM roles and users in the Resource Access Manager User Guide.

" }, "resourceType":{ "shape":"String", @@ -1172,13 +1613,47 @@ } } }, + "ListReplacePermissionAssociationsWorkRequest":{ + "type":"structure", + "members":{ + "workIds":{ + "shape":"ReplacePermissionAssociationsWorkIdList", + "documentation":"

A list of IDs. These values come from the idfield of the replacePermissionAssociationsWorkstructure returned by the ReplacePermissionAssociations operation.

" + }, + "status":{ + "shape":"ReplacePermissionAssociationsWorkStatus", + "documentation":"

Specifies that you want to see only the details about requests with a status that matches this value.

" + }, + "nextToken":{ + "shape":"String", + "documentation":"

Specifies that you want to receive the next page of results. Valid only if you received a NextToken response in the previous request. If you did, it indicates that more output is available. Set this parameter to the value provided by the previous call's NextToken response to request the next page of results.

" + }, + "maxResults":{ + "shape":"MaxResults", + "documentation":"

Specifies the total number of results that you want included on each page of the response. If you do not include this parameter, it defaults to a value that is specific to the operation. If additional items exist beyond the number you specify, the NextToken response element is returned with a value (not null). Include the specified value as the NextToken request parameter in the next call to the operation to get the next part of the results. Note that the service might return fewer results than the maximum even when there are more results available. You should check NextToken after every operation to ensure that you receive all of the results.

" + } + } + }, + "ListReplacePermissionAssociationsWorkResponse":{ + "type":"structure", + "members":{ + "replacePermissionAssociationsWorks":{ + "shape":"ReplacePermissionAssociationsWorkList", + "documentation":"

An array of data structures that provide details of the matching work IDs.

" + }, + "nextToken":{ + "shape":"String", + "documentation":"

If present, this value indicates that more output is available than is included in the current response. Use this value in the NextToken request parameter in a subsequent call to the operation to get the next part of the output. You should repeat this until the NextToken response element comes back as null. This indicates that this is the last page of results.

" + } + } + }, "ListResourceSharePermissionsRequest":{ "type":"structure", "required":["resourceShareArn"], "members":{ "resourceShareArn":{ "shape":"String", - "documentation":"

Specifies the Amazon Resoure Name (ARN) of the resource share for which you want to retrieve the associated permissions.

" + "documentation":"

Specifies the Amazon Resource Name (ARN) of the resource share for which you want to retrieve the associated permissions.

" }, "nextToken":{ "shape":"String", @@ -1290,7 +1765,17 @@ "members":{ "message":{"shape":"String"} }, - "documentation":"

The format of an Amazon Resource Name (ARN) is not valid.

", + "documentation":"

The operation failed because the specified Amazon Resource Name (ARN) has a format that isn't valid.

", + "error":{"httpStatusCode":400}, + "exception":true + }, + "MalformedPolicyTemplateException":{ + "type":"structure", + "required":["message"], + "members":{ + "message":{"shape":"String"} + }, + "documentation":"

The operation failed because the policy template that you provided isn't valid.

", "error":{"httpStatusCode":400}, "exception":true }, @@ -1305,7 +1790,7 @@ "members":{ "message":{"shape":"String"} }, - "documentation":"

A required input parameter is missing.

", + "documentation":"

The operation failed because a required input parameter is missing.

", "error":{"httpStatusCode":400}, "exception":true }, @@ -1315,14 +1800,82 @@ "members":{ "message":{"shape":"String"} }, - "documentation":"

The requested operation is not permitted.

", + "documentation":"

The operation failed because the requested operation isn't permitted.

", "error":{"httpStatusCode":400}, "exception":true }, + "PermissionAlreadyExistsException":{ + "type":"structure", + "required":["message"], + "members":{ + "message":{"shape":"String"} + }, + "documentation":"

The operation failed because a permission with the specified name already exists in the requested Amazon Web Services Region. Choose a different name.

", + "error":{"httpStatusCode":409}, + "exception":true + }, "PermissionArnList":{ "type":"list", "member":{"shape":"String"} }, + "PermissionFeatureSet":{ + "type":"string", + "enum":[ + "CREATED_FROM_POLICY", + "PROMOTING_TO_STANDARD", + "STANDARD" + ] + }, + "PermissionLimitExceededException":{ + "type":"structure", + "required":["message"], + "members":{ + "message":{"shape":"String"} + }, + "documentation":"

The operation failed because it would exceed the maximum number of permissions you can create in each Amazon Web Services Region. To view the limits for your Amazon Web Services account, see the RAM page in the Service Quotas console.

", + "error":{"httpStatusCode":400}, + "exception":true + }, + "PermissionName":{ + "type":"string", + "max":36, + "min":1, + "pattern":"[\\w.-]*" + }, + "PermissionStatus":{ + "type":"string", + "enum":[ + "ATTACHABLE", + "UNATTACHABLE", + "DELETING", + "DELETED" + ] + }, + "PermissionType":{ + "type":"string", + "enum":[ + "CUSTOMER_MANAGED", + "AWS_MANAGED" + ] + }, + "PermissionTypeFilter":{ + "type":"string", + "enum":[ + "ALL", + "AWS_MANAGED", + "CUSTOMER_MANAGED" + ] + }, + "PermissionVersionsLimitExceededException":{ + "type":"structure", + "required":["message"], + "members":{ + "message":{"shape":"String"} + }, + "documentation":"

The operation failed because it would exceed the limit for the number of versions you can have for a permission. To view the limits for your Amazon Web Services account, see the RAM page in the Service Quotas console.

", + "error":{"httpStatusCode":400}, + "exception":true + }, "Policy":{"type":"string"}, "PolicyList":{ "type":"list", @@ -1333,11 +1886,11 @@ "members":{ "id":{ "shape":"String", - "documentation":"

The ID of the principal.

" + "documentation":"

The ID of the principal that can be associated with a resource share.

" }, "resourceShareArn":{ "shape":"String", - "documentation":"

The Amazon Resoure Name (ARN) of a resource share the principal is associated with.

" + "documentation":"

The Amazon Resource Name (ARN) of a resource share the principal is associated with.

" }, "creationTime":{ "shape":"DateTime", @@ -1345,11 +1898,11 @@ }, "lastUpdatedTime":{ "shape":"DateTime", - "documentation":"

The date and time when the association was last updated.

" + "documentation":"

The date and time when the association between the resource share and the principal was last updated.

" }, "external":{ "shape":"Boolean", - "documentation":"

Indicates whether the principal belongs to the same organization in Organizations as the Amazon Web Services account that owns the resource share.

" + "documentation":"

Indicates the relationship between the Amazon Web Services account the principal belongs to and the account that owns the resource share:

" } }, "documentation":"

Describes a principal for use with Resource Access Manager.

" @@ -1362,13 +1915,44 @@ "type":"list", "member":{"shape":"Principal"} }, + "PromotePermissionCreatedFromPolicyRequest":{ + "type":"structure", + "required":[ + "permissionArn", + "name" + ], + "members":{ + "permissionArn":{ + "shape":"String", + "documentation":"

Specifies the Amazon Resource Name (ARN) of the CREATED_FROM_POLICY permission that you want to promote. You can get this Amazon Resource Name (ARN) by calling the ListResourceSharePermissions operation.

" + }, + "name":{ + "shape":"String", + "documentation":"

Specifies a name for the promoted customer managed permission.

" + }, + "clientToken":{ + "shape":"String", + "documentation":"

Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value..

If you don't provide this value, then Amazon Web Services generates a random one for you.

If you retry the operation with the same ClientToken, but with different parameters, the retry fails with an IdempotentParameterMismatch error.

" + } + } + }, + "PromotePermissionCreatedFromPolicyResponse":{ + "type":"structure", + "members":{ + "permission":{"shape":"ResourceSharePermissionSummary"}, + "clientToken":{ + "shape":"String", + "documentation":"

The idempotency identifier associated with this request. If you want to repeat the same operation in an idempotent manner then you must include this value in the clientToken request parameter of that later call. All other parameters must also have the same values that you used in the first call.

" + } + } + }, "PromoteResourceShareCreatedFromPolicyRequest":{ "type":"structure", "required":["resourceShareArn"], "members":{ "resourceShareArn":{ "shape":"String", - "documentation":"

Specifies the Amazon Resoure Name (ARN) of the resource share to promote.

", + "documentation":"

Specifies the Amazon Resource Name (ARN) of the resource share to promote.

", "location":"querystring", "locationName":"resourceShareArn" } @@ -1389,11 +1973,11 @@ "members":{ "resourceShareInvitationArn":{ "shape":"String", - "documentation":"

Specifies the Amazon Resoure Name (ARN) of the invitation that you want to reject.

" + "documentation":"

Specifies the Amazon Resource Name (ARN) of the invitation that you want to reject.

" }, "clientToken":{ "shape":"String", - "documentation":"

Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value..

If you don't provide this value, then Amazon Web Services generates a random one for you.

" + "documentation":"

Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value..

If you don't provide this value, then Amazon Web Services generates a random one for you.

If you retry the operation with the same ClientToken, but with different parameters, the retry fails with an IdempotentParameterMismatch error.

" } } }, @@ -1410,24 +1994,120 @@ } } }, + "ReplacePermissionAssociationsRequest":{ + "type":"structure", + "required":[ + "fromPermissionArn", + "toPermissionArn" + ], + "members":{ + "fromPermissionArn":{ + "shape":"String", + "documentation":"

Specifies the Amazon Resource Name (ARN) of the managed permission that you want to replace.

" + }, + "fromPermissionVersion":{ + "shape":"Integer", + "documentation":"

Specifies that you want to updated the permissions for only those resource shares that use the specified version of the managed permission.

" + }, + "toPermissionArn":{ + "shape":"String", + "documentation":"

Specifies the ARN of the managed permission that you want to associate with resource shares in place of the one specified by fromPerssionArn and fromPermissionVersion.

The operation always associates the version that is currently the default for the specified managed permission.

" + }, + "clientToken":{ + "shape":"String", + "documentation":"

Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value..

If you don't provide this value, then Amazon Web Services generates a random one for you.

If you retry the operation with the same ClientToken, but with different parameters, the retry fails with an IdempotentParameterMismatch error.

" + } + } + }, + "ReplacePermissionAssociationsResponse":{ + "type":"structure", + "members":{ + "replacePermissionAssociationsWork":{ + "shape":"ReplacePermissionAssociationsWork", + "documentation":"

Specifies a data structure that you can use to track the asynchronous tasks that RAM performs to complete this operation. You can use the ListReplacePermissionAssociationsWork operation and pass the id value returned in this structure.

" + }, + "clientToken":{ + "shape":"String", + "documentation":"

The idempotency identifier associated with this request. If you want to repeat the same operation in an idempotent manner then you must include this value in the clientToken request parameter of that later call. All other parameters must also have the same values that you used in the first call.

" + } + } + }, + "ReplacePermissionAssociationsWork":{ + "type":"structure", + "members":{ + "id":{ + "shape":"String", + "documentation":"

The unique identifier for the background task associated with one ReplacePermissionAssociations request.

" + }, + "fromPermissionArn":{ + "shape":"String", + "documentation":"

The Amazon Resource Name (ARN) of the managed permission that this background task is replacing.

" + }, + "fromPermissionVersion":{ + "shape":"String", + "documentation":"

The version of the managed permission that this background task is replacing.

" + }, + "toPermissionArn":{ + "shape":"String", + "documentation":"

The ARN of the managed permission that this background task is associating with the resource shares in place of the managed permission and version specified in fromPermissionArn and fromPermissionVersion.

" + }, + "toPermissionVersion":{ + "shape":"String", + "documentation":"

The version of the managed permission that this background task is associating with the resource shares. This is always the version that is currently the default for this managed permission.

" + }, + "status":{ + "shape":"ReplacePermissionAssociationsWorkStatus", + "documentation":"

Specifies the current status of the background tasks for the specified ID. The output is one of the following strings:

" + }, + "statusMessage":{ + "shape":"String", + "documentation":"

Specifies the reason for a FAILED status. This field is present only when there status is FAILED.

" + }, + "creationTime":{ + "shape":"DateTime", + "documentation":"

The date and time when this asynchronous background task was created.

" + }, + "lastUpdatedTime":{ + "shape":"DateTime", + "documentation":"

The date and time when the status of this background task was last updated.

" + } + }, + "documentation":"

A structure that represents the background work that RAM performs when you invoke the ReplacePermissionAssociations operation.

" + }, + "ReplacePermissionAssociationsWorkIdList":{ + "type":"list", + "member":{"shape":"String"} + }, + "ReplacePermissionAssociationsWorkList":{ + "type":"list", + "member":{"shape":"ReplacePermissionAssociationsWork"} + }, + "ReplacePermissionAssociationsWorkStatus":{ + "type":"string", + "enum":[ + "IN_PROGRESS", + "COMPLETED", + "FAILED" + ] + }, "Resource":{ "type":"structure", "members":{ "arn":{ "shape":"String", - "documentation":"

The Amazon Resoure Name (ARN) of the resource.

" + "documentation":"

The Amazon Resource Name (ARN) of the resource.

" }, "type":{ "shape":"String", - "documentation":"

The resource type. This takes the form of: service-code:resource-code

" + "documentation":"

The resource type. This takes the form of: service-code:resource-code, and is case-insensitive. For example, an Amazon EC2 Subnet would be represented by the string ec2:subnet.

" }, "resourceShareArn":{ "shape":"String", - "documentation":"

The Amazon Resoure Name (ARN) of the resource share this resource is associated with.

" + "documentation":"

The Amazon Resource Name (ARN) of the resource share this resource is associated with.

" }, "resourceGroupArn":{ "shape":"String", - "documentation":"

The Amazon Resoure Name (ARN) of the resource group. This value is available only if the resource is part of a resource group.

" + "documentation":"

The Amazon Resource Name (ARN) of the resource group. This value is available only if the resource is part of a resource group.

" }, "status":{ "shape":"ResourceStatus", @@ -1443,7 +2123,7 @@ }, "lastUpdatedTime":{ "shape":"DateTime", - "documentation":"

The date an time when the association was last updated.

" + "documentation":"

The date an time when the association between the resource and the resource share was last updated.

" }, "resourceRegionScope":{ "shape":"ResourceRegionScope", @@ -1462,7 +2142,7 @@ "members":{ "message":{"shape":"String"} }, - "documentation":"

The specified Amazon Resource Name (ARN) was not found.

", + "documentation":"

The operation failed because the specified Amazon Resource Name (ARN) was not found.

", "error":{"httpStatusCode":400}, "exception":true }, @@ -1497,7 +2177,7 @@ "members":{ "resourceShareArn":{ "shape":"String", - "documentation":"

The Amazon Resoure Name (ARN) of the resource share

" + "documentation":"

The Amazon Resource Name (ARN) of the resource share

" }, "name":{ "shape":"String", @@ -1509,7 +2189,7 @@ }, "allowExternalPrincipals":{ "shape":"Boolean", - "documentation":"

Indicates whether principals outside your organization in Organizations can be associated with a resource share.

" + "documentation":"

Indicates whether principals outside your organization in Organizations can be associated with a resource share.

" }, "status":{ "shape":"ResourceShareStatus", @@ -1533,7 +2213,7 @@ }, "featureSet":{ "shape":"ResourceShareFeatureSet", - "documentation":"

Indicates how the resource share was created. Possible values include:

" + "documentation":"

Indicates what features are available for this resource share. This parameter can have one of the following values:

" } }, "documentation":"

Describes a resource share in RAM.

" @@ -1547,7 +2227,7 @@ "members":{ "resourceShareArn":{ "shape":"String", - "documentation":"

The Amazon Resoure Name (ARN) of the resource share.

" + "documentation":"

The Amazon Resource Name (ARN) of the resource share.

" }, "resourceShareName":{ "shape":"String", @@ -1555,7 +2235,7 @@ }, "associatedEntity":{ "shape":"String", - "documentation":"

The associated entity. This can be either of the following:

" + "documentation":"

The associated entity. This can be either of the following:

" }, "associationType":{ "shape":"ResourceShareAssociationType", @@ -1582,7 +2262,7 @@ "documentation":"

Indicates whether the principal belongs to the same organization in Organizations as the Amazon Web Services account that owns the resource share.

" } }, - "documentation":"

Describes an association with a resource share and either a principal or a resource.

" + "documentation":"

Describes an association between a resource share and either a principal or a resource.

" }, "ResourceShareAssociationList":{ "type":"list", @@ -1618,7 +2298,7 @@ "members":{ "resourceShareInvitationArn":{ "shape":"String", - "documentation":"

The Amazon Resoure Name (ARN) of the invitation.

" + "documentation":"

The Amazon Resource Name (ARN) of the invitation.

" }, "resourceShareName":{ "shape":"String", @@ -1626,7 +2306,7 @@ }, "resourceShareArn":{ "shape":"String", - "documentation":"

The Amazon Resoure Name (ARN) of the resource share

" + "documentation":"

The Amazon Resource Name (ARN) of the resource share

" }, "senderAccountId":{ "shape":"String", @@ -1652,7 +2332,7 @@ }, "receiverArn":{ "shape":"String", - "documentation":"

The Amazon Resoure Name (ARN) of the IAM user or role that received the invitation.

" + "documentation":"

The Amazon Resource Name (ARN) of the IAM user or role that received the invitation.

" } }, "documentation":"

Describes an invitation for an Amazon Web Services account to join a resource share.

" @@ -1663,7 +2343,7 @@ "members":{ "message":{"shape":"String"} }, - "documentation":"

The specified invitation was already accepted.

", + "documentation":"

The operation failed because the specified invitation was already accepted.

", "error":{"httpStatusCode":400}, "exception":true }, @@ -1673,7 +2353,7 @@ "members":{ "message":{"shape":"String"} }, - "documentation":"

The specified invitation was already rejected.

", + "documentation":"

The operation failed because the specified invitation was already rejected.

", "error":{"httpStatusCode":400}, "exception":true }, @@ -1687,7 +2367,7 @@ "members":{ "message":{"shape":"String"} }, - "documentation":"

The specified Amazon Resource Name (ARN) for an invitation was not found.

", + "documentation":"

The operation failed because the specified Amazon Resource Name (ARN) for an invitation was not found.

", "error":{"httpStatusCode":400}, "exception":true }, @@ -1697,7 +2377,7 @@ "members":{ "message":{"shape":"String"} }, - "documentation":"

The specified invitation is expired.

", + "documentation":"

The operation failed because the specified invitation is past its expiration date and time.

", "error":{"httpStatusCode":400}, "exception":true }, @@ -1720,7 +2400,7 @@ "members":{ "message":{"shape":"String"} }, - "documentation":"

This request would exceed the limit for resource shares for your account.

", + "documentation":"

The operation failed because it would exceed the limit for resource shares for your account. To view the limits for your Amazon Web Services account, see the RAM page in the Service Quotas console.

", "error":{"httpStatusCode":400}, "exception":true }, @@ -1733,15 +2413,15 @@ "members":{ "arn":{ "shape":"String", - "documentation":"

The Amazon Resoure Name (ARN) of this RAM permission.

" + "documentation":"

The Amazon Resource Name (ARN) of this RAM managed permission.

" }, "version":{ "shape":"String", - "documentation":"

The version of the permission represented in this structure.

" + "documentation":"

The version of the permission described in this response.

" }, "defaultVersion":{ "shape":"Boolean", - "documentation":"

Specifies whether the version of the permission represented in this structure is the default version for this permission.

" + "documentation":"

Specifies whether the version of the permission represented in this response is the default version for this permission.

" }, "name":{ "shape":"String", @@ -1765,10 +2445,26 @@ }, "isResourceTypeDefault":{ "shape":"Boolean", - "documentation":"

Specifies whether the version of the permission represented in this structure is the default version for all resources of this resource type.

" + "documentation":"

Specifies whether the version of the permission represented in this response is the default version for all resources of this resource type.

" + }, + "permissionType":{ + "shape":"PermissionType", + "documentation":"

The type of managed permission. This can be one of the following values:

" + }, + "featureSet":{ + "shape":"PermissionFeatureSet", + "documentation":"

Indicates what features are available for this resource share. This parameter can have one of the following values:

" + }, + "status":{ + "shape":"PermissionStatus", + "documentation":"

The current status of the association between the permission and the resource share. The following are the possible values:

" + }, + "tags":{ + "shape":"TagList", + "documentation":"

The tag key and value pairs attached to the resource share.

" } }, - "documentation":"

Information about an RAM permission.

" + "documentation":"

Information about a RAM managed permission.

" }, "ResourceSharePermissionList":{ "type":"list", @@ -1779,23 +2475,23 @@ "members":{ "arn":{ "shape":"String", - "documentation":"

The Amazon Resoure Name (ARN) of the permission you want information about.

" + "documentation":"

The Amazon Resource Name (ARN) of the permission you want information about.

" }, "version":{ "shape":"String", - "documentation":"

The version of the permission represented in this structure.

" + "documentation":"

The version of the permission associated with this resource share.

" }, "defaultVersion":{ "shape":"Boolean", - "documentation":"

Specifies whether the version of the permission represented in this structure is the default version for this permission.

" + "documentation":"

Specifies whether the version of the managed permission used by this resource share is the default version for this managed permission.

" }, "name":{ "shape":"String", - "documentation":"

The name of this permission.

" + "documentation":"

The name of this managed permission.

" }, "resourceType":{ "shape":"String", - "documentation":"

The type of resource to which this permission applies.

" + "documentation":"

The type of resource to which this permission applies. This takes the form of: service-code:resource-code, and is case-insensitive. For example, an Amazon EC2 Subnet would be represented by the string ec2:subnet.

" }, "status":{ "shape":"String", @@ -1811,10 +2507,22 @@ }, "isResourceTypeDefault":{ "shape":"Boolean", - "documentation":"

Specifies whether the version of the permission represented in this structure is the default version for all resources of this resource type.

" + "documentation":"

Specifies whether the managed permission associated with this resource share is the default managed permission for all resources of this resource type.

" + }, + "permissionType":{ + "shape":"PermissionType", + "documentation":"

The type of managed permission. This can be one of the following values:

" + }, + "featureSet":{ + "shape":"PermissionFeatureSet", + "documentation":"

Indicates what features are available for this resource share. This parameter can have one of the following values:

" + }, + "tags":{ + "shape":"TagList", + "documentation":"

A list of the tag key value pairs currently attached to the permission.

" } }, - "documentation":"

Information about an RAM permission that is associated with a resource share and any of its resources of a specified type.

" + "documentation":"

Information about an RAM permission.

" }, "ResourceShareStatus":{ "type":"string", @@ -1842,7 +2550,7 @@ "members":{ "message":{"shape":"String"} }, - "documentation":"

The service could not respond to the request due to an internal problem.

", + "documentation":"

The operation failed because the service could not respond to the request due to an internal problem. Try again later.

", "error":{"httpStatusCode":500}, "exception":true }, @@ -1851,7 +2559,7 @@ "members":{ "resourceType":{ "shape":"String", - "documentation":"

The type of the resource.

" + "documentation":"

The type of the resource. This takes the form of: service-code:resource-code, and is case-insensitive. For example, an Amazon EC2 Subnet would be represented by the string ec2:subnet.

" }, "serviceName":{ "shape":"String", @@ -1874,10 +2582,44 @@ "members":{ "message":{"shape":"String"} }, - "documentation":"

The service is not available.

", + "documentation":"

The operation failed because the service isn't available. Try again later.

", "error":{"httpStatusCode":503}, "exception":true }, + "SetDefaultPermissionVersionRequest":{ + "type":"structure", + "required":[ + "permissionArn", + "permissionVersion" + ], + "members":{ + "permissionArn":{ + "shape":"String", + "documentation":"

Specifies the Amazon Resource Name (ARN) of the customer managed permission whose default version you want to change.

" + }, + "permissionVersion":{ + "shape":"Integer", + "documentation":"

Specifies the version number that you want to designate as the default for customer managed permission. To see a list of all available version numbers, use ListPermissionVersions.

" + }, + "clientToken":{ + "shape":"String", + "documentation":"

Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value..

If you don't provide this value, then Amazon Web Services generates a random one for you.

If you retry the operation with the same ClientToken, but with different parameters, the retry fails with an IdempotentParameterMismatch error.

" + } + } + }, + "SetDefaultPermissionVersionResponse":{ + "type":"structure", + "members":{ + "returnValue":{ + "shape":"Boolean", + "documentation":"

A boolean value that indicates whether the operation was successful.

" + }, + "clientToken":{ + "shape":"String", + "documentation":"

The idempotency identifier associated with this request. If you want to repeat the same operation in an idempotent manner then you must include this value in the clientToken request parameter of that later call. All other parameters must also have the same values that you used in the first call.

" + } + } + }, "String":{"type":"string"}, "Tag":{ "type":"structure", @@ -1922,7 +2664,7 @@ "members":{ "message":{"shape":"String"} }, - "documentation":"

This request would exceed the limit for tags for your account.

", + "documentation":"

The operation failed because it would exceed the limit for tags for your Amazon Web Services account.

", "error":{"httpStatusCode":400}, "exception":true }, @@ -1936,24 +2678,25 @@ "members":{ "message":{"shape":"String"} }, - "documentation":"

The specified tag key is a reserved word and can't be used.

", + "documentation":"

The operation failed because the specified tag key is a reserved word and can't be used.

", "error":{"httpStatusCode":400}, "exception":true }, "TagResourceRequest":{ "type":"structure", - "required":[ - "resourceShareArn", - "tags" - ], + "required":["tags"], "members":{ "resourceShareArn":{ "shape":"String", - "documentation":"

Specifies the Amazon Resoure Name (ARN) of the resource share that you want to add tags to.

" + "documentation":"

Specifies the Amazon Resource Name (ARN) of the resource share that you want to add tags to. You must specify either resourceShareArn, or resourceArn, but not both.

" }, "tags":{ "shape":"TagList", "documentation":"

A list of one or more tag key and value pairs. The tag key must be present and not be an empty string. The tag value must be present but can be an empty string.

" + }, + "resourceArn":{ + "shape":"String", + "documentation":"

Specifies the Amazon Resource Name (ARN) of the managed permission that you want to add tags to. You must specify either resourceArn, or resourceShareArn, but not both.

" } } }, @@ -1973,7 +2716,7 @@ "members":{ "message":{"shape":"String"} }, - "documentation":"

You exceeded the rate at which you are allowed to perform this operation. Please try again later.

", + "documentation":"

The operation failed because it exceeded the rate at which you are allowed to perform this operation. Please try again later.

", "error":{"httpStatusCode":429}, "exception":true }, @@ -1983,24 +2726,35 @@ "members":{ "message":{"shape":"String"} }, - "documentation":"

A specified resource was not found.

", + "documentation":"

The operation failed because a specified resource couldn't be found.

", + "error":{"httpStatusCode":400}, + "exception":true + }, + "UnmatchedPolicyPermissionException":{ + "type":"structure", + "required":["message"], + "members":{ + "message":{"shape":"String"} + }, + "documentation":"

There isn't an existing managed permission defined in RAM that has the same IAM permissions as the resource-based policy attached to the resource. You should first run PromotePermissionCreatedFromPolicy to create that managed permission.

", "error":{"httpStatusCode":400}, "exception":true }, "UntagResourceRequest":{ "type":"structure", - "required":[ - "resourceShareArn", - "tagKeys" - ], + "required":["tagKeys"], "members":{ "resourceShareArn":{ "shape":"String", - "documentation":"

Specifies the Amazon Resoure Name (ARN) of the resource share that you want to remove tags from. The tags are removed from the resource share, not the resources in the resource share.

" + "documentation":"

Specifies the Amazon Resource Name (ARN) of the resource share that you want to remove tags from. The tags are removed from the resource share, not the resources in the resource share. You must specify either resourceShareArn, or resourceArn, but not both.

" }, "tagKeys":{ "shape":"TagKeyList", "documentation":"

Specifies a list of one or more tag keys that you want to remove.

" + }, + "resourceArn":{ + "shape":"String", + "documentation":"

Specifies the Amazon Resource Name (ARN) of the managed permission that you want to remove tags from. You must specify either resourceArn, or resourceShareArn, but not both.

" } } }, @@ -2015,7 +2769,7 @@ "members":{ "resourceShareArn":{ "shape":"String", - "documentation":"

Specifies the Amazon Resoure Name (ARN) of the resource share that you want to modify.

" + "documentation":"

Specifies the Amazon Resource Name (ARN) of the resource share that you want to modify.

" }, "name":{ "shape":"String", @@ -2027,7 +2781,7 @@ }, "clientToken":{ "shape":"String", - "documentation":"

Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value..

If you don't provide this value, then Amazon Web Services generates a random one for you.

" + "documentation":"

Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value..

If you don't provide this value, then Amazon Web Services generates a random one for you.

If you retry the operation with the same ClientToken, but with different parameters, the retry fails with an IdempotentParameterMismatch error.

" } } }, @@ -2045,5 +2799,5 @@ } } }, - "documentation":"

This is the Resource Access Manager API Reference. This documentation provides descriptions and syntax for each of the actions and data types in RAM. RAM is a service that helps you securely share your Amazon Web Services resources across Amazon Web Services accounts. If you have multiple Amazon Web Services accounts, you can use RAM to share those resources with other accounts. If you use Organizations to manage your accounts, then you share your resources with your organization or organizational units (OUs). For supported resource types, you can also share resources with individual Identity and Access Management (IAM) roles an users.

To learn more about RAM, see the following resources:

" + "documentation":"

This is the Resource Access Manager API Reference. This documentation provides descriptions and syntax for each of the actions and data types in RAM. RAM is a service that helps you securely share your Amazon Web Services resources to other Amazon Web Services accounts. If you use Organizations to manage your accounts, then you can share your resources with your entire organization or to organizational units (OUs). For supported resource types, you can also share resources with individual Identity and Access Management (IAM) roles and users.

To learn more about RAM, see the following resources:

" } diff --git a/botocore/data/rds/2014-10-31/service-2.json b/botocore/data/rds/2014-10-31/service-2.json index c048b64083..08b704555f 100644 --- a/botocore/data/rds/2014-10-31/service-2.json +++ b/botocore/data/rds/2014-10-31/service-2.json @@ -3606,7 +3606,7 @@ }, "ImageId":{ "shape":"String255", - "documentation":"

The ID of the AMI. An AMI ID is required to create a CEV for RDS Custom for SQL Server.

" + "documentation":"

The ID of the Amazon Machine Image (AMI). For RDS Custom for SQL Server, an AMI ID is required to create a CEV. For RDS Custom for Oracle, the default is the most recent AMI available, but you can specify an AMI ID that was used in a different Oracle CEV. Find the AMIs used by your CEVs by calling the DescribeDBEngineVersions operation.

" }, "KMSKeyId":{ "shape":"KmsKeyIdOrArn", @@ -3874,7 +3874,7 @@ }, "DBParameterGroupFamily":{ "shape":"String", - "documentation":"

The DB cluster parameter group family name. A DB cluster parameter group can be associated with one and only one DB cluster parameter group family, and can be applied only to a DB cluster running a database engine and engine version compatible with that DB cluster parameter group family.

Aurora MySQL

Example: aurora5.6, aurora-mysql5.7, aurora-mysql8.0

Aurora PostgreSQL

Example: aurora-postgresql9.6

RDS for MySQL

Example: mysql8.0

RDS for PostgreSQL

Example: postgres12

To list all of the available parameter group families for a DB engine, use the following command:

aws rds describe-db-engine-versions --query \"DBEngineVersions[].DBParameterGroupFamily\" --engine <engine>

For example, to list all of the available parameter group families for the Aurora PostgreSQL DB engine, use the following command:

aws rds describe-db-engine-versions --query \"DBEngineVersions[].DBParameterGroupFamily\" --engine aurora-postgresql

The output contains duplicates.

The following are the valid DB engine values:

" + "documentation":"

The DB cluster parameter group family name. A DB cluster parameter group can be associated with one and only one DB cluster parameter group family, and can be applied only to a DB cluster running a database engine and engine version compatible with that DB cluster parameter group family.

Aurora MySQL

Example: aurora-mysql5.7, aurora-mysql8.0

Aurora PostgreSQL

Example: aurora-postgresql14

RDS for MySQL

Example: mysql8.0

RDS for PostgreSQL

Example: postgres12

To list all of the available parameter group families for a DB engine, use the following command:

aws rds describe-db-engine-versions --query \"DBEngineVersions[].DBParameterGroupFamily\" --engine <engine>

For example, to list all of the available parameter group families for the Aurora PostgreSQL DB engine, use the following command:

aws rds describe-db-engine-versions --query \"DBEngineVersions[].DBParameterGroupFamily\" --engine aurora-postgresql

The output contains duplicates.

The following are the valid DB engine values:

" }, "Description":{ "shape":"String", @@ -3953,7 +3953,7 @@ }, "Engine":{ "shape":"String", - "documentation":"

The name of the database engine to be used for this instance.

Not every database engine is available for every Amazon Web Services Region.

Valid Values:

" + "documentation":"

The name of the database engine to be used for this instance.

Not every database engine is available for every Amazon Web Services Region.

Valid Values:

" }, "MasterUsername":{ "shape":"String", @@ -4339,7 +4339,7 @@ }, "DBParameterGroupFamily":{ "shape":"String", - "documentation":"

The DB parameter group family name. A DB parameter group can be associated with one and only one DB parameter group family, and can be applied only to a DB instance running a database engine and engine version compatible with that DB parameter group family.

To list all of the available parameter group families for a DB engine, use the following command:

aws rds describe-db-engine-versions --query \"DBEngineVersions[].DBParameterGroupFamily\" --engine <engine>

For example, to list all of the available parameter group families for the MySQL DB engine, use the following command:

aws rds describe-db-engine-versions --query \"DBEngineVersions[].DBParameterGroupFamily\" --engine mysql

The output contains duplicates.

The following are the valid DB engine values:

" + "documentation":"

The DB parameter group family name. A DB parameter group can be associated with one and only one DB parameter group family, and can be applied only to a DB instance running a database engine and engine version compatible with that DB parameter group family.

To list all of the available parameter group families for a DB engine, use the following command:

aws rds describe-db-engine-versions --query \"DBEngineVersions[].DBParameterGroupFamily\" --engine <engine>

For example, to list all of the available parameter group families for the MySQL DB engine, use the following command:

aws rds describe-db-engine-versions --query \"DBEngineVersions[].DBParameterGroupFamily\" --engine mysql

The output contains duplicates.

The following are the valid DB engine values:

" }, "Description":{ "shape":"String", @@ -6012,7 +6012,7 @@ }, "IAMDatabaseAuthenticationEnabled":{ "shape":"Boolean", - "documentation":"

True if mapping of Amazon Web Services Identity and Access Management (IAM) accounts to database accounts is enabled, and otherwise false.

IAM database authentication can be enabled for the following database engines

" + "documentation":"

True if mapping of Amazon Web Services Identity and Access Management (IAM) accounts to database accounts is enabled, and otherwise false.

IAM database authentication can be enabled for the following database engines:

" }, "PerformanceInsightsEnabled":{ "shape":"BooleanOptional", @@ -7989,7 +7989,7 @@ "members":{ "Engine":{ "shape":"String", - "documentation":"

The database engine to return.

Valid Values:

" + "documentation":"

The database engine to return.

Valid Values:

" }, "EngineVersion":{ "shape":"String", @@ -8491,7 +8491,7 @@ "members":{ "DBParameterGroupFamily":{ "shape":"String", - "documentation":"

The name of the DB parameter group family.

Valid Values:

" + "documentation":"

The name of the DB parameter group family.

Valid Values:

" }, "Filters":{ "shape":"FilterList", @@ -8705,7 +8705,7 @@ "members":{ "Engine":{ "shape":"String", - "documentation":"

The name of the engine to retrieve DB instance options for.

Valid Values:

" + "documentation":"

The name of the engine to retrieve DB instance options for.

Valid Values:

" }, "EngineVersion":{ "shape":"String", @@ -10346,7 +10346,7 @@ }, "EngineVersion":{ "shape":"String", - "documentation":"

The version number of the database engine to which you want to upgrade. Changing this parameter results in an outage. The change is applied during the next maintenance window unless ApplyImmediately is enabled.

If the cluster that you're modifying has one or more read replicas, all replicas must be running an engine version that's the same or later than the version you specify.

To list all of the available engine versions for Aurora MySQL version 2 (5.7-compatible) and version 3 (MySQL 8.0-compatible), use the following command:

aws rds describe-db-engine-versions --engine aurora-mysql --query \"DBEngineVersions[].EngineVersion\"

To list all of the available engine versions for MySQL 5.6-compatible Aurora, use the following command:

aws rds describe-db-engine-versions --engine aurora --query \"DBEngineVersions[].EngineVersion\"

To list all of the available engine versions for Aurora PostgreSQL, use the following command:

aws rds describe-db-engine-versions --engine aurora-postgresql --query \"DBEngineVersions[].EngineVersion\"

To list all of the available engine versions for RDS for MySQL, use the following command:

aws rds describe-db-engine-versions --engine mysql --query \"DBEngineVersions[].EngineVersion\"

To list all of the available engine versions for RDS for PostgreSQL, use the following command:

aws rds describe-db-engine-versions --engine postgres --query \"DBEngineVersions[].EngineVersion\"

Valid for: Aurora DB clusters and Multi-AZ DB clusters

" + "documentation":"

The version number of the database engine to which you want to upgrade. Changing this parameter results in an outage. The change is applied during the next maintenance window unless ApplyImmediately is enabled.

If the cluster that you're modifying has one or more read replicas, all replicas must be running an engine version that's the same or later than the version you specify.

To list all of the available engine versions for Aurora MySQL, use the following command:

aws rds describe-db-engine-versions --engine aurora-mysql --query \"DBEngineVersions[].EngineVersion\"

To list all of the available engine versions for Aurora PostgreSQL, use the following command:

aws rds describe-db-engine-versions --engine aurora-postgresql --query \"DBEngineVersions[].EngineVersion\"

To list all of the available engine versions for RDS for MySQL, use the following command:

aws rds describe-db-engine-versions --engine mysql --query \"DBEngineVersions[].EngineVersion\"

To list all of the available engine versions for RDS for PostgreSQL, use the following command:

aws rds describe-db-engine-versions --engine postgres --query \"DBEngineVersions[].EngineVersion\"

Valid for: Aurora DB clusters and Multi-AZ DB clusters

" }, "AllowMajorVersionUpgrade":{ "shape":"Boolean", @@ -10989,7 +10989,7 @@ }, "EngineVersion":{ "shape":"String", - "documentation":"

The version number of the database engine to which you want to upgrade. Changing this parameter results in an outage. The change is applied during the next maintenance window unless ApplyImmediately is enabled.

To list all of the available engine versions for aurora (for MySQL 5.6-compatible Aurora), use the following command:

aws rds describe-db-engine-versions --engine aurora --query '*[]|[?SupportsGlobalDatabases == `true`].[EngineVersion]'

To list all of the available engine versions for aurora-mysql (for MySQL 5.7-compatible and MySQL 8.0-compatible Aurora), use the following command:

aws rds describe-db-engine-versions --engine aurora-mysql --query '*[]|[?SupportsGlobalDatabases == `true`].[EngineVersion]'

To list all of the available engine versions for aurora-postgresql, use the following command:

aws rds describe-db-engine-versions --engine aurora-postgresql --query '*[]|[?SupportsGlobalDatabases == `true`].[EngineVersion]'

" + "documentation":"

The version number of the database engine to which you want to upgrade. Changing this parameter results in an outage. The change is applied during the next maintenance window unless ApplyImmediately is enabled.

To list all of the available engine versions for aurora-mysql (for MySQL-based Aurora global databases), use the following command:

aws rds describe-db-engine-versions --engine aurora-mysql --query '*[]|[?SupportsGlobalDatabases == `true`].[EngineVersion]'

To list all of the available engine versions for aurora-postgresql (for PostgreSQL-based Aurora global databases), use the following command:

aws rds describe-db-engine-versions --engine aurora-postgresql --query '*[]|[?SupportsGlobalDatabases == `true`].[EngineVersion]'

" }, "AllowMajorVersionUpgrade":{ "shape":"BooleanOptional", @@ -12550,7 +12550,7 @@ }, "DBClusterParameterGroupName":{ "shape":"String", - "documentation":"

The name of the DB cluster parameter group to associate with the restored DB cluster. If this argument is omitted, default.aurora5.6 is used.

Constraints:

" + "documentation":"

The name of the DB cluster parameter group to associate with the restored DB cluster. If this argument is omitted, the default parameter group for the engine version is used.

Constraints:

" }, "VpcSecurityGroupIds":{ "shape":"VpcSecurityGroupIdList", @@ -12562,11 +12562,11 @@ }, "Engine":{ "shape":"String", - "documentation":"

The name of the database engine to be used for this DB cluster.

Valid Values: aurora-mysql (for MySQL 5.7-compatible and MySQL 8.0-compatible Aurora)

" + "documentation":"

The name of the database engine to be used for this DB cluster.

Valid Values: aurora-mysql (for Aurora MySQL)

" }, "EngineVersion":{ "shape":"String", - "documentation":"

The version number of the database engine to use.

To list all of the available engine versions for aurora-mysql (MySQL 5.7-compatible and MySQL 8.0-compatible Aurora), use the following command:

aws rds describe-db-engine-versions --engine aurora-mysql --query \"DBEngineVersions[].EngineVersion\"

Aurora MySQL

Examples: 5.7.mysql_aurora.2.07.1, 8.0.mysql_aurora.3.02.0

" + "documentation":"

The version number of the database engine to use.

To list all of the available engine versions for aurora-mysql (Aurora MySQL), use the following command:

aws rds describe-db-engine-versions --engine aurora-mysql --query \"DBEngineVersions[].EngineVersion\"

Aurora MySQL

Examples: 5.7.mysql_aurora.2.07.1, 8.0.mysql_aurora.3.02.0

" }, "Port":{ "shape":"IntegerOptional", @@ -12696,7 +12696,7 @@ }, "EngineVersion":{ "shape":"String", - "documentation":"

The version of the database engine to use for the new DB cluster. If you don't specify an engine version, the default version for the database engine in the Amazon Web Services Region is used.

To list all of the available engine versions for MySQL 5.7-compatible and MySQL 8.0-compatible Aurora, use the following command:

aws rds describe-db-engine-versions --engine aurora-mysql --query \"DBEngineVersions[].EngineVersion\"

To list all of the available engine versions for Aurora PostgreSQL, use the following command:

aws rds describe-db-engine-versions --engine aurora-postgresql --query \"DBEngineVersions[].EngineVersion\"

To list all of the available engine versions for RDS for MySQL, use the following command:

aws rds describe-db-engine-versions --engine mysql --query \"DBEngineVersions[].EngineVersion\"

To list all of the available engine versions for RDS for PostgreSQL, use the following command:

aws rds describe-db-engine-versions --engine postgres --query \"DBEngineVersions[].EngineVersion\"

Aurora MySQL

See Database engine updates for Amazon Aurora MySQL in the Amazon Aurora User Guide.

Aurora PostgreSQL

See Amazon Aurora PostgreSQL releases and engine versions in the Amazon Aurora User Guide.

MySQL

See Amazon RDS for MySQL in the Amazon RDS User Guide.

PostgreSQL

See Amazon RDS for PostgreSQL versions and extensions in the Amazon RDS User Guide.

Valid for: Aurora DB clusters and Multi-AZ DB clusters

" + "documentation":"

The version of the database engine to use for the new DB cluster. If you don't specify an engine version, the default version for the database engine in the Amazon Web Services Region is used.

To list all of the available engine versions for Aurora MySQL, use the following command:

aws rds describe-db-engine-versions --engine aurora-mysql --query \"DBEngineVersions[].EngineVersion\"

To list all of the available engine versions for Aurora PostgreSQL, use the following command:

aws rds describe-db-engine-versions --engine aurora-postgresql --query \"DBEngineVersions[].EngineVersion\"

To list all of the available engine versions for RDS for MySQL, use the following command:

aws rds describe-db-engine-versions --engine mysql --query \"DBEngineVersions[].EngineVersion\"

To list all of the available engine versions for RDS for PostgreSQL, use the following command:

aws rds describe-db-engine-versions --engine postgres --query \"DBEngineVersions[].EngineVersion\"

Aurora MySQL

See Database engine updates for Amazon Aurora MySQL in the Amazon Aurora User Guide.

Aurora PostgreSQL

See Amazon Aurora PostgreSQL releases and engine versions in the Amazon Aurora User Guide.

MySQL

See Amazon RDS for MySQL in the Amazon RDS User Guide.

PostgreSQL

See Amazon RDS for PostgreSQL versions and extensions in the Amazon RDS User Guide.

Valid for: Aurora DB clusters and Multi-AZ DB clusters

" }, "Port":{ "shape":"IntegerOptional", @@ -12740,7 +12740,7 @@ }, "EngineMode":{ "shape":"String", - "documentation":"

The DB engine mode of the DB cluster, either provisioned, serverless, parallelquery, global, or multimaster.

For more information, see CreateDBCluster.

Valid for: Aurora DB clusters only

" + "documentation":"

The DB engine mode of the DB cluster, either provisioned or serverless.

For more information, see CreateDBCluster.

Valid for: Aurora DB clusters only

" }, "ScalingConfiguration":{ "shape":"ScalingConfiguration", @@ -12809,7 +12809,7 @@ }, "RestoreType":{ "shape":"String", - "documentation":"

The type of restore to be performed. You can specify one of the following values:

Constraints: You can't specify copy-on-write if the engine version of the source DB cluster is earlier than 1.11.

If you don't specify a RestoreType value, then the new DB cluster is restored as a full copy of the source DB cluster.

Valid for: Aurora DB clusters and Multi-AZ DB clusters

" + "documentation":"

The type of restore to be performed. You can specify one of the following values:

If you don't specify a RestoreType value, then the new DB cluster is restored as a full copy of the source DB cluster.

Valid for: Aurora DB clusters and Multi-AZ DB clusters

" }, "SourceDBClusterIdentifier":{ "shape":"String", diff --git a/botocore/data/s3/2006-03-01/service-2.json b/botocore/data/s3/2006-03-01/service-2.json index 6815e9fac5..ebf46f595b 100644 --- a/botocore/data/s3/2006-03-01/service-2.json +++ b/botocore/data/s3/2006-03-01/service-2.json @@ -37,7 +37,7 @@ "input":{"shape":"CompleteMultipartUploadRequest"}, "output":{"shape":"CompleteMultipartUploadOutput"}, "documentationUrl":"http://docs.amazonwebservices.com/AmazonS3/latest/API/mpUploadComplete.html", - "documentation":"

Completes a multipart upload by assembling previously uploaded parts.

You first initiate the multipart upload and then upload all parts using the UploadPart operation. After successfully uploading all relevant parts of an upload, you call this action to complete the upload. Upon receiving this request, Amazon S3 concatenates all the parts in ascending order by part number to create a new object. In the Complete Multipart Upload request, you must provide the parts list. You must ensure that the parts list is complete. This action concatenates the parts that you provide in the list. For each part in the list, you must provide the part number and the ETag value, returned after that part was uploaded.

Processing of a Complete Multipart Upload request could take several minutes to complete. After Amazon S3 begins processing the request, it sends an HTTP response header that specifies a 200 OK response. While processing is in progress, Amazon S3 periodically sends white space characters to keep the connection from timing out. A request could fail after the initial 200 OK response has been sent. This means that a 200 OK response can contain either a success or an error. If you call the S3 API directly, make sure to design your application to parse the contents of the response and handle it appropriately. If you use Amazon Web Services SDKs, SDKs handle this condition. The SDKs detect the embedded error and apply error handling per your configuration settings (including automatically retrying the request as appropriate). If the condition persists, the SDKs throws an exception (or, for the SDKs that don't use exceptions, they return the error).

Note that if CompleteMultipartUpload fails, applications should be prepared to retry the failed requests. For more information, see Amazon S3 Error Best Practices.

You cannot use Content-Type: application/x-www-form-urlencoded with Complete Multipart Upload requests. Also, if you do not provide a Content-Type header, CompleteMultipartUpload returns a 200 OK response.

For more information about multipart uploads, see Uploading Objects Using Multipart Upload.

For information about permissions required to use the multipart upload API, see Multipart Upload and Permissions.

CompleteMultipartUpload has the following special errors:

The following operations are related to CompleteMultipartUpload:

" + "documentation":"

Completes a multipart upload by assembling previously uploaded parts.

You first initiate the multipart upload and then upload all parts using the UploadPart operation. After successfully uploading all relevant parts of an upload, you call this action to complete the upload. Upon receiving this request, Amazon S3 concatenates all the parts in ascending order by part number to create a new object. In the Complete Multipart Upload request, you must provide the parts list. You must ensure that the parts list is complete. This action concatenates the parts that you provide in the list. For each part in the list, you must provide the part number and the ETag value, returned after that part was uploaded.

Processing of a Complete Multipart Upload request could take several minutes to complete. After Amazon S3 begins processing the request, it sends an HTTP response header that specifies a 200 OK response. While processing is in progress, Amazon S3 periodically sends white space characters to keep the connection from timing out. Because a request could fail after the initial 200 OK response has been sent, it is important that you check the response body to determine whether the request succeeded.

Note that if CompleteMultipartUpload fails, applications should be prepared to retry the failed requests. For more information, see Amazon S3 Error Best Practices.

You cannot use Content-Type: application/x-www-form-urlencoded with Complete Multipart Upload requests. Also, if you do not provide a Content-Type header, CompleteMultipartUpload returns a 200 OK response.

For more information about multipart uploads, see Uploading Objects Using Multipart Upload.

For information about permissions required to use the multipart upload API, see Multipart Upload and Permissions.

CompleteMultipartUpload has the following special errors:

The following operations are related to CompleteMultipartUpload:

" }, "CopyObject":{ "name":"CopyObject", @@ -51,7 +51,7 @@ {"shape":"ObjectNotInActiveTierError"} ], "documentationUrl":"http://docs.amazonwebservices.com/AmazonS3/latest/API/RESTObjectCOPY.html", - "documentation":"

Creates a copy of an object that is already stored in Amazon S3.

You can store individual objects of up to 5 TB in Amazon S3. You create a copy of your object up to 5 GB in size in a single atomic action using this API. However, to copy an object greater than 5 GB, you must use the multipart upload Upload Part - Copy (UploadPartCopy) API. For more information, see Copy Object Using the REST Multipart Upload API.

All copy requests must be authenticated. Additionally, you must have read access to the source object and write access to the destination bucket. For more information, see REST Authentication. Both the Region that you want to copy the object from and the Region that you want to copy the object to must be enabled for your account.

A copy request might return an error when Amazon S3 receives the copy request or while Amazon S3 is copying the files. If the error occurs before the copy action starts, you receive a standard Amazon S3 error. If the error occurs during the copy operation, the error response is embedded in the 200 OK response. This means that a 200 OK response can contain either a success or an error. If you call the S3 API directly, make sure to design your application to parse the contents of the response and handle it appropriately. If you use Amazon Web Services SDKs, SDKs handle this condition. The SDKs detect the embedded error and apply error handling per your configuration settings (including automatically retrying the request as appropriate). If the condition persists, the SDKs throws an exception (or, for the SDKs that don't use exceptions, they return the error).

If the copy is successful, you receive a response with information about the copied object.

If the request is an HTTP 1.1 request, the response is chunk encoded. If it were not, it would not contain the content-length, and you would need to read the entire body.

The copy request charge is based on the storage class and Region that you specify for the destination object. For pricing information, see Amazon S3 pricing.

Amazon S3 transfer acceleration does not support cross-Region copies. If you request a cross-Region copy using a transfer acceleration endpoint, you get a 400 Bad Request error. For more information, see Transfer Acceleration.

Metadata

When copying an object, you can preserve all metadata (default) or specify new metadata. However, the ACL is not preserved and is set to private for the user making the request. To override the default ACL setting, specify a new ACL when generating a copy request. For more information, see Using ACLs.

To specify whether you want the object metadata copied from the source object or replaced with metadata provided in the request, you can optionally add the x-amz-metadata-directive header. When you grant permissions, you can use the s3:x-amz-metadata-directive condition key to enforce certain metadata behavior when objects are uploaded. For more information, see Specifying Conditions in a Policy in the Amazon S3 User Guide. For a complete list of Amazon S3-specific condition keys, see Actions, Resources, and Condition Keys for Amazon S3.

x-amz-website-redirect-location is unique to each object and must be specified in the request headers to copy the value.

x-amz-copy-source-if Headers

To only copy an object under certain conditions, such as whether the Etag matches or whether the object was modified before or after a specified date, use the following request parameters:

If both the x-amz-copy-source-if-match and x-amz-copy-source-if-unmodified-since headers are present in the request and evaluate as follows, Amazon S3 returns 200 OK and copies the data:

If both the x-amz-copy-source-if-none-match and x-amz-copy-source-if-modified-since headers are present in the request and evaluate as follows, Amazon S3 returns the 412 Precondition Failed response code:

All headers with the x-amz- prefix, including x-amz-copy-source, must be signed.

Server-side encryption

Amazon S3 automatically encrypts all new objects that are copied to an S3 bucket. When copying an object, if you don't specify encryption information in your copy request, the encryption setting of the target object is set to the default encryption configuration of the destination bucket. By default, all buckets have a base level of encryption configuration that uses server-side encryption with Amazon S3 managed keys (SSE-S3). If the destination bucket has a default encryption configuration that uses server-side encryption with an Key Management Service (KMS) key (SSE-KMS), or a customer-provided encryption key (SSE-C), Amazon S3 uses the corresponding KMS key, or a customer-provided key to encrypt the target object copy. When you perform a CopyObject operation, if you want to use a different type of encryption setting for the target object, you can use other appropriate encryption-related headers to encrypt the target object with a KMS key, an Amazon S3 managed key, or a customer-provided key. With server-side encryption, Amazon S3 encrypts your data as it writes it to disks in its data centers and decrypts the data when you access it. If the encryption setting in your request is different from the default encryption configuration of the destination bucket, the encryption setting in your request takes precedence. If the source object for the copy is stored in Amazon S3 using SSE-C, you must provide the necessary encryption information in your request so that Amazon S3 can decrypt the object for copying. For more information about server-side encryption, see Using Server-Side Encryption.

If a target object uses SSE-KMS, you can enable an S3 Bucket Key for the object. For more information, see Amazon S3 Bucket Keys in the Amazon S3 User Guide.

Access Control List (ACL)-Specific Request Headers

When copying an object, you can optionally use headers to grant ACL-based permissions. By default, all objects are private. Only the owner has full access control. When adding a new object, you can grant permissions to individual Amazon Web Services accounts or to predefined groups defined by Amazon S3. These permissions are then added to the ACL on the object. For more information, see Access Control List (ACL) Overview and Managing ACLs Using the REST API.

If the bucket that you're copying objects to uses the bucket owner enforced setting for S3 Object Ownership, ACLs are disabled and no longer affect permissions. Buckets that use this setting only accept PUT requests that don't specify an ACL or PUT requests that specify bucket owner full control ACLs, such as the bucket-owner-full-control canned ACL or an equivalent form of this ACL expressed in the XML format.

For more information, see Controlling ownership of objects and disabling ACLs in the Amazon S3 User Guide.

If your bucket uses the bucket owner enforced setting for Object Ownership, all objects written to the bucket by any account will be owned by the bucket owner.

Checksums

When copying an object, if it has a checksum, that checksum will be copied to the new object by default. When you copy the object over, you may optionally specify a different checksum algorithm to use with the x-amz-checksum-algorithm header.

Storage Class Options

You can use the CopyObject action to change the storage class of an object that is already stored in Amazon S3 using the StorageClass parameter. For more information, see Storage Classes in the Amazon S3 User Guide.

Versioning

By default, x-amz-copy-source identifies the current version of an object to copy. If the current version is a delete marker, Amazon S3 behaves as if the object was deleted. To copy a different version, use the versionId subresource.

If you enable versioning on the target bucket, Amazon S3 generates a unique version ID for the object being copied. This version ID is different from the version ID of the source object. Amazon S3 returns the version ID of the copied object in the x-amz-version-id response header in the response.

If you do not enable versioning or suspend it on the target bucket, the version ID that Amazon S3 generates is always null.

If the source object's storage class is GLACIER, you must restore a copy of this object before you can use it as a source object for the copy operation. For more information, see RestoreObject.

The following operations are related to CopyObject:

For more information, see Copying Objects.

", + "documentation":"

Creates a copy of an object that is already stored in Amazon S3.

You can store individual objects of up to 5 TB in Amazon S3. You create a copy of your object up to 5 GB in size in a single atomic action using this API. However, to copy an object greater than 5 GB, you must use the multipart upload Upload Part - Copy (UploadPartCopy) API. For more information, see Copy Object Using the REST Multipart Upload API.

All copy requests must be authenticated. Additionally, you must have read access to the source object and write access to the destination bucket. For more information, see REST Authentication. Both the Region that you want to copy the object from and the Region that you want to copy the object to must be enabled for your account.

A copy request might return an error when Amazon S3 receives the copy request or while Amazon S3 is copying the files. If the error occurs before the copy action starts, you receive a standard Amazon S3 error. If the error occurs during the copy operation, the error response is embedded in the 200 OK response. This means that a 200 OK response can contain either a success or an error. Design your application to parse the contents of the response and handle it appropriately.

If the copy is successful, you receive a response with information about the copied object.

If the request is an HTTP 1.1 request, the response is chunk encoded. If it were not, it would not contain the content-length, and you would need to read the entire body.

The copy request charge is based on the storage class and Region that you specify for the destination object. For pricing information, see Amazon S3 pricing.

Amazon S3 transfer acceleration does not support cross-Region copies. If you request a cross-Region copy using a transfer acceleration endpoint, you get a 400 Bad Request error. For more information, see Transfer Acceleration.

Metadata

When copying an object, you can preserve all metadata (default) or specify new metadata. However, the ACL is not preserved and is set to private for the user making the request. To override the default ACL setting, specify a new ACL when generating a copy request. For more information, see Using ACLs.

To specify whether you want the object metadata copied from the source object or replaced with metadata provided in the request, you can optionally add the x-amz-metadata-directive header. When you grant permissions, you can use the s3:x-amz-metadata-directive condition key to enforce certain metadata behavior when objects are uploaded. For more information, see Specifying Conditions in a Policy in the Amazon S3 User Guide. For a complete list of Amazon S3-specific condition keys, see Actions, Resources, and Condition Keys for Amazon S3.

x-amz-copy-source-if Headers

To only copy an object under certain conditions, such as whether the Etag matches or whether the object was modified before or after a specified date, use the following request parameters:

If both the x-amz-copy-source-if-match and x-amz-copy-source-if-unmodified-since headers are present in the request and evaluate as follows, Amazon S3 returns 200 OK and copies the data:

If both the x-amz-copy-source-if-none-match and x-amz-copy-source-if-modified-since headers are present in the request and evaluate as follows, Amazon S3 returns the 412 Precondition Failed response code:

All headers with the x-amz- prefix, including x-amz-copy-source, must be signed.

Server-side encryption

When you perform a CopyObject operation, you can optionally use the appropriate encryption-related headers to encrypt the object using server-side encryption with Amazon Web Services managed encryption keys (SSE-S3 or SSE-KMS) or a customer-provided encryption key. With server-side encryption, Amazon S3 encrypts your data as it writes it to disks in its data centers and decrypts the data when you access it. For more information about server-side encryption, see Using Server-Side Encryption.

If a target object uses SSE-KMS, you can enable an S3 Bucket Key for the object. For more information, see Amazon S3 Bucket Keys in the Amazon S3 User Guide.

Access Control List (ACL)-Specific Request Headers

When copying an object, you can optionally use headers to grant ACL-based permissions. By default, all objects are private. Only the owner has full access control. When adding a new object, you can grant permissions to individual Amazon Web Services accounts or to predefined groups defined by Amazon S3. These permissions are then added to the ACL on the object. For more information, see Access Control List (ACL) Overview and Managing ACLs Using the REST API.

If the bucket that you're copying objects to uses the bucket owner enforced setting for S3 Object Ownership, ACLs are disabled and no longer affect permissions. Buckets that use this setting only accept PUT requests that don't specify an ACL or PUT requests that specify bucket owner full control ACLs, such as the bucket-owner-full-control canned ACL or an equivalent form of this ACL expressed in the XML format.

For more information, see Controlling ownership of objects and disabling ACLs in the Amazon S3 User Guide.

If your bucket uses the bucket owner enforced setting for Object Ownership, all objects written to the bucket by any account will be owned by the bucket owner.

Checksums

When copying an object, if it has a checksum, that checksum will be copied to the new object by default. When you copy the object over, you may optionally specify a different checksum algorithm to use with the x-amz-checksum-algorithm header.

Storage Class Options

You can use the CopyObject action to change the storage class of an object that is already stored in Amazon S3 using the StorageClass parameter. For more information, see Storage Classes in the Amazon S3 User Guide.

Versioning

By default, x-amz-copy-source identifies the current version of an object to copy. If the current version is a delete marker, Amazon S3 behaves as if the object was deleted. To copy a different version, use the versionId subresource.

If you enable versioning on the target bucket, Amazon S3 generates a unique version ID for the object being copied. This version ID is different from the version ID of the source object. Amazon S3 returns the version ID of the copied object in the x-amz-version-id response header in the response.

If you do not enable versioning or suspend it on the target bucket, the version ID that Amazon S3 generates is always null.

If the source object's storage class is GLACIER, you must restore a copy of this object before you can use it as a source object for the copy operation. For more information, see RestoreObject.

The following operations are related to CopyObject:

For more information, see Copying Objects.

", "alias":"PutObjectCopy" }, "CreateBucket":{ @@ -82,7 +82,7 @@ "input":{"shape":"CreateMultipartUploadRequest"}, "output":{"shape":"CreateMultipartUploadOutput"}, "documentationUrl":"http://docs.amazonwebservices.com/AmazonS3/latest/API/mpUploadInitiate.html", - "documentation":"

This action initiates a multipart upload and returns an upload ID. This upload ID is used to associate all of the parts in the specific multipart upload. You specify this upload ID in each of your subsequent upload part requests (see UploadPart). You also include this upload ID in the final request to either complete or abort the multipart upload request.

For more information about multipart uploads, see Multipart Upload Overview.

If you have configured a lifecycle rule to abort incomplete multipart uploads, the upload must complete within the number of days specified in the bucket lifecycle configuration. Otherwise, the incomplete multipart upload becomes eligible for an abort action and Amazon S3 aborts the multipart upload. For more information, see Aborting Incomplete Multipart Uploads Using a Bucket Lifecycle Policy.

For information about the permissions required to use the multipart upload API, see Multipart Upload and Permissions.

For request signing, multipart upload is just a series of regular requests. You initiate a multipart upload, send one or more requests to upload parts, and then complete the multipart upload process. You sign each request individually. There is nothing special about signing multipart upload requests. For more information about signing, see Authenticating Requests (Amazon Web Services Signature Version 4).

After you initiate a multipart upload and upload one or more parts, to stop being charged for storing the uploaded parts, you must either complete or abort the multipart upload. Amazon S3 frees up the space used to store the parts and stop charging you for storing them only after you either complete or abort a multipart upload.

Server-side encryption is for data encryption at rest. Amazon S3 encrypts your data as it writes it to disks in its data centers and decrypts it when you access it. Amazon S3 automatically encrypts all new objects that are uploaded to an S3 bucket. When doing a multipart upload, if you don't specify encryption information in your request, the encryption setting of the uploaded parts is set to the default encryption configuration of the destination bucket. By default, all buckets have a base level of encryption configuration that uses server-side encryption with Amazon S3 managed keys (SSE-S3). If the destination bucket has a default encryption configuration that uses server-side encryption with an Key Management Service (KMS) key (SSE-KMS), or a customer-provided encryption key (SSE-C), Amazon S3 uses the corresponding KMS key, or a customer-provided key to encrypt the uploaded parts. When you perform a CreateMultipartUpload operation, if you want to use a different type of encryption setting for the uploaded parts, you can request that Amazon S3 encrypts the object with a KMS key, an Amazon S3 managed key, or a customer-provided key. If the encryption setting in your request is different from the default encryption configuration of the destination bucket, the encryption setting in your request takes precedence. If you choose to provide your own encryption key, the request headers you provide in UploadPart and UploadPartCopy requests must match the headers you used in the request to initiate the upload by using CreateMultipartUpload. you can request that Amazon S3 save the uploaded parts encrypted with server-side encryption with an Amazon S3 managed key (SSE-S3), an Key Management Service (KMS) key (SSE-KMS), or a customer-provided encryption key (SSE-C).

To perform a multipart upload with encryption by using an Amazon Web Services KMS key, the requester must have permission to the kms:Decrypt and kms:GenerateDataKey* actions on the key. These permissions are required because Amazon S3 must decrypt and read data from the encrypted file parts before it completes the multipart upload. For more information, see Multipart upload API and permissions and Protecting data using server-side encryption with Amazon Web Services KMS in the Amazon S3 User Guide.

If your Identity and Access Management (IAM) user or role is in the same Amazon Web Services account as the KMS key, then you must have these permissions on the key policy. If your IAM user or role belongs to a different account than the key, then you must have the permissions on both the key policy and your IAM user or role.

For more information, see Protecting Data Using Server-Side Encryption.

Access Permissions

When copying an object, you can optionally specify the accounts or groups that should be granted specific permissions on the new object. There are two ways to grant the permissions using the request headers:

  • Specify a canned ACL with the x-amz-acl request header. For more information, see Canned ACL.

  • Specify access permissions explicitly with the x-amz-grant-read, x-amz-grant-read-acp, x-amz-grant-write-acp, and x-amz-grant-full-control headers. These parameters map to the set of permissions that Amazon S3 supports in an ACL. For more information, see Access Control List (ACL) Overview.

You can use either a canned ACL or specify access permissions explicitly. You cannot do both.

Server-Side- Encryption-Specific Request Headers

Amazon S3 encrypts data by using server-side encryption with an Amazon S3 managed key (SSE-S3) by default. Server-side encryption is for data encryption at rest. Amazon S3 encrypts your data as it writes it to disks in its data centers and decrypts it when you access it. You can request that Amazon S3 encrypts data at rest by using server-side encryption with other key options. The option you use depends on whether you want to use KMS keys (SSE-KMS) or provide your own encryption keys (SSE-C).

  • Use KMS keys (SSE-KMS) that include the Amazon Web Services managed key (aws/s3) and KMS customer managed keys stored in Key Management Service (KMS) – If you want Amazon Web Services to manage the keys used to encrypt data, specify the following headers in the request.

    • x-amz-server-side-encryption

    • x-amz-server-side-encryption-aws-kms-key-id

    • x-amz-server-side-encryption-context

    If you specify x-amz-server-side-encryption:aws:kms, but don't provide x-amz-server-side-encryption-aws-kms-key-id, Amazon S3 uses the Amazon Web Services managed key (aws/s3 key) in KMS to protect the data.

    All GET and PUT requests for an object protected by KMS fail if you don't make them by using Secure Sockets Layer (SSL), Transport Layer Security (TLS), or Signature Version 4.

    For more information about server-side encryption with KMS keys (SSE-KMS), see Protecting Data Using Server-Side Encryption with KMS keys.

  • Use customer-provided encryption keys (SSE-C) – If you want to manage your own encryption keys, provide all the following headers in the request.

    • x-amz-server-side-encryption-customer-algorithm

    • x-amz-server-side-encryption-customer-key

    • x-amz-server-side-encryption-customer-key-MD5

    For more information about server-side encryption with customer-provided encryption keys (SSE-C), see Protecting data using server-side encryption with customer-provided encryption keys (SSE-C).

Access-Control-List (ACL)-Specific Request Headers

You also can use the following access control–related headers with this operation. By default, all objects are private. Only the owner has full access control. When adding a new object, you can grant permissions to individual Amazon Web Services accounts or to predefined groups defined by Amazon S3. These permissions are then added to the access control list (ACL) on the object. For more information, see Using ACLs. With this operation, you can grant access permissions using one of the following two methods:

  • Specify a canned ACL (x-amz-acl) — Amazon S3 supports a set of predefined ACLs, known as canned ACLs. Each canned ACL has a predefined set of grantees and permissions. For more information, see Canned ACL.

  • Specify access permissions explicitly — To explicitly grant access permissions to specific Amazon Web Services accounts or groups, use the following headers. Each header maps to specific permissions that Amazon S3 supports in an ACL. For more information, see Access Control List (ACL) Overview. In the header, you specify a list of grantees who get the specific permission. To grant permissions explicitly, use:

    • x-amz-grant-read

    • x-amz-grant-write

    • x-amz-grant-read-acp

    • x-amz-grant-write-acp

    • x-amz-grant-full-control

    You specify each grantee as a type=value pair, where the type is one of the following:

    • id – if the value specified is the canonical user ID of an Amazon Web Services account

    • uri – if you are granting permissions to a predefined group

    • emailAddress – if the value specified is the email address of an Amazon Web Services account

      Using email addresses to specify a grantee is only supported in the following Amazon Web Services Regions:

      • US East (N. Virginia)

      • US West (N. California)

      • US West (Oregon)

      • Asia Pacific (Singapore)

      • Asia Pacific (Sydney)

      • Asia Pacific (Tokyo)

      • Europe (Ireland)

      • South America (São Paulo)

      For a list of all the Amazon S3 supported Regions and endpoints, see Regions and Endpoints in the Amazon Web Services General Reference.

    For example, the following x-amz-grant-read header grants the Amazon Web Services accounts identified by account IDs permissions to read object data and its metadata:

    x-amz-grant-read: id=\"11112222333\", id=\"444455556666\"

The following operations are related to CreateMultipartUpload:

", + "documentation":"

This action initiates a multipart upload and returns an upload ID. This upload ID is used to associate all of the parts in the specific multipart upload. You specify this upload ID in each of your subsequent upload part requests (see UploadPart). You also include this upload ID in the final request to either complete or abort the multipart upload request.

For more information about multipart uploads, see Multipart Upload Overview.

If you have configured a lifecycle rule to abort incomplete multipart uploads, the upload must complete within the number of days specified in the bucket lifecycle configuration. Otherwise, the incomplete multipart upload becomes eligible for an abort action and Amazon S3 aborts the multipart upload. For more information, see Aborting Incomplete Multipart Uploads Using a Bucket Lifecycle Policy.

For information about the permissions required to use the multipart upload API, see Multipart Upload and Permissions.

For request signing, multipart upload is just a series of regular requests. You initiate a multipart upload, send one or more requests to upload parts, and then complete the multipart upload process. You sign each request individually. There is nothing special about signing multipart upload requests. For more information about signing, see Authenticating Requests (Amazon Web Services Signature Version 4).

After you initiate a multipart upload and upload one or more parts, to stop being charged for storing the uploaded parts, you must either complete or abort the multipart upload. Amazon S3 frees up the space used to store the parts and stop charging you for storing them only after you either complete or abort a multipart upload.

You can optionally request server-side encryption. For server-side encryption, Amazon S3 encrypts your data as it writes it to disks in its data centers and decrypts it when you access it. You can provide your own encryption key, or use Amazon Web Services KMS keys or Amazon S3-managed encryption keys. If you choose to provide your own encryption key, the request headers you provide in UploadPart and UploadPartCopy requests must match the headers you used in the request to initiate the upload by using CreateMultipartUpload.

To perform a multipart upload with encryption using an Amazon Web Services KMS key, the requester must have permission to the kms:Decrypt and kms:GenerateDataKey* actions on the key. These permissions are required because Amazon S3 must decrypt and read data from the encrypted file parts before it completes the multipart upload. For more information, see Multipart upload API and permissions in the Amazon S3 User Guide.

If your Identity and Access Management (IAM) user or role is in the same Amazon Web Services account as the KMS key, then you must have these permissions on the key policy. If your IAM user or role belongs to a different account than the key, then you must have the permissions on both the key policy and your IAM user or role.

For more information, see Protecting Data Using Server-Side Encryption.

Access Permissions

When copying an object, you can optionally specify the accounts or groups that should be granted specific permissions on the new object. There are two ways to grant the permissions using the request headers:

  • Specify a canned ACL with the x-amz-acl request header. For more information, see Canned ACL.

  • Specify access permissions explicitly with the x-amz-grant-read, x-amz-grant-read-acp, x-amz-grant-write-acp, and x-amz-grant-full-control headers. These parameters map to the set of permissions that Amazon S3 supports in an ACL. For more information, see Access Control List (ACL) Overview.

You can use either a canned ACL or specify access permissions explicitly. You cannot do both.

Server-Side- Encryption-Specific Request Headers

You can optionally tell Amazon S3 to encrypt data at rest using server-side encryption. Server-side encryption is for data encryption at rest. Amazon S3 encrypts your data as it writes it to disks in its data centers and decrypts it when you access it. The option you use depends on whether you want to use Amazon Web Services managed encryption keys or provide your own encryption key.

  • Use encryption keys managed by Amazon S3 or customer managed key stored in Amazon Web Services Key Management Service (Amazon Web Services KMS) – If you want Amazon Web Services to manage the keys used to encrypt data, specify the following headers in the request.

    • x-amz-server-side-encryption

    • x-amz-server-side-encryption-aws-kms-key-id

    • x-amz-server-side-encryption-context

    If you specify x-amz-server-side-encryption:aws:kms, but don't provide x-amz-server-side-encryption-aws-kms-key-id, Amazon S3 uses the Amazon Web Services managed key in Amazon Web Services KMS to protect the data.

    All GET and PUT requests for an object protected by Amazon Web Services KMS fail if you don't make them with SSL or by using SigV4.

    For more information about server-side encryption with KMS key (SSE-KMS), see Protecting Data Using Server-Side Encryption with KMS keys.

  • Use customer-provided encryption keys – If you want to manage your own encryption keys, provide all the following headers in the request.

    • x-amz-server-side-encryption-customer-algorithm

    • x-amz-server-side-encryption-customer-key

    • x-amz-server-side-encryption-customer-key-MD5

    For more information about server-side encryption with KMS keys (SSE-KMS), see Protecting Data Using Server-Side Encryption with KMS keys.

Access-Control-List (ACL)-Specific Request Headers

You also can use the following access control–related headers with this operation. By default, all objects are private. Only the owner has full access control. When adding a new object, you can grant permissions to individual Amazon Web Services accounts or to predefined groups defined by Amazon S3. These permissions are then added to the access control list (ACL) on the object. For more information, see Using ACLs. With this operation, you can grant access permissions using one of the following two methods:

  • Specify a canned ACL (x-amz-acl) — Amazon S3 supports a set of predefined ACLs, known as canned ACLs. Each canned ACL has a predefined set of grantees and permissions. For more information, see Canned ACL.

  • Specify access permissions explicitly — To explicitly grant access permissions to specific Amazon Web Services accounts or groups, use the following headers. Each header maps to specific permissions that Amazon S3 supports in an ACL. For more information, see Access Control List (ACL) Overview. In the header, you specify a list of grantees who get the specific permission. To grant permissions explicitly, use:

    • x-amz-grant-read

    • x-amz-grant-write

    • x-amz-grant-read-acp

    • x-amz-grant-write-acp

    • x-amz-grant-full-control

    You specify each grantee as a type=value pair, where the type is one of the following:

    • id – if the value specified is the canonical user ID of an Amazon Web Services account

    • uri – if you are granting permissions to a predefined group

    • emailAddress – if the value specified is the email address of an Amazon Web Services account

      Using email addresses to specify a grantee is only supported in the following Amazon Web Services Regions:

      • US East (N. Virginia)

      • US West (N. California)

      • US West (Oregon)

      • Asia Pacific (Singapore)

      • Asia Pacific (Sydney)

      • Asia Pacific (Tokyo)

      • Europe (Ireland)

      • South America (São Paulo)

      For a list of all the Amazon S3 supported Regions and endpoints, see Regions and Endpoints in the Amazon Web Services General Reference.

    For example, the following x-amz-grant-read header grants the Amazon Web Services accounts identified by account IDs permissions to read object data and its metadata:

    x-amz-grant-read: id=\"11112222333\", id=\"444455556666\"

The following operations are related to CreateMultipartUpload:

", "alias":"InitiateMultipartUpload" }, "DeleteBucket":{ @@ -125,7 +125,7 @@ "responseCode":204 }, "input":{"shape":"DeleteBucketEncryptionRequest"}, - "documentation":"

This implementation of the DELETE action resets the default encryption for the bucket as server-side encryption with Amazon S3 managed keys (SSE-S3). For information about the bucket default encryption feature, see Amazon S3 Bucket Default Encryption in the Amazon S3 User Guide.

To use this operation, you must have permissions to perform the s3:PutEncryptionConfiguration action. The bucket owner has this permission by default. The bucket owner can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to your Amazon S3 Resources in the Amazon S3 User Guide.

Related Resources

" + "documentation":"

This implementation of the DELETE action removes default encryption from the bucket. For information about the Amazon S3 default encryption feature, see Amazon S3 Default Bucket Encryption in the Amazon S3 User Guide.

To use this operation, you must have permissions to perform the s3:PutEncryptionConfiguration action. The bucket owner has this permission by default. The bucket owner can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to your Amazon S3 Resources in the Amazon S3 User Guide.

Related Resources

" }, "DeleteBucketIntelligentTieringConfiguration":{ "name":"DeleteBucketIntelligentTieringConfiguration", @@ -231,7 +231,7 @@ "input":{"shape":"DeleteObjectRequest"}, "output":{"shape":"DeleteObjectOutput"}, "documentationUrl":"http://docs.amazonwebservices.com/AmazonS3/latest/API/RESTObjectDELETE.html", - "documentation":"

Removes the null version (if there is one) of an object and inserts a delete marker, which becomes the latest version of the object. If there isn't a null version, Amazon S3 does not remove any objects but will still respond that the command was successful.

To remove a specific version, you must use the version Id subresource. Using this subresource permanently deletes the version. If the object deleted is a delete marker, Amazon S3 sets the response header, x-amz-delete-marker, to true.

If the object you want to delete is in a bucket where the bucket versioning configuration is MFA Delete enabled, you must include the x-amz-mfa request header in the DELETE versionId request. Requests that include x-amz-mfa must use HTTPS.

For more information about MFA Delete, see Using MFA Delete. To see sample requests that use versioning, see Sample Request.

You can delete objects by explicitly calling DELETE Object or configure its lifecycle (PutBucketLifecycle) to enable Amazon S3 to remove them for you. If you want to block users or accounts from removing or deleting objects from your bucket, you must deny them the s3:DeleteObject, s3:DeleteObjectVersion, and s3:PutLifeCycleConfiguration actions.

The following action is related to DeleteObject:

" + "documentation":"

Removes the null version (if there is one) of an object and inserts a delete marker, which becomes the latest version of the object. If there isn't a null version, Amazon S3 does not remove any objects but will still respond that the command was successful.

To remove a specific version, you must be the bucket owner and you must use the version Id subresource. Using this subresource permanently deletes the version. If the object deleted is a delete marker, Amazon S3 sets the response header, x-amz-delete-marker, to true.

If the object you want to delete is in a bucket where the bucket versioning configuration is MFA Delete enabled, you must include the x-amz-mfa request header in the DELETE versionId request. Requests that include x-amz-mfa must use HTTPS.

For more information about MFA Delete, see Using MFA Delete. To see sample requests that use versioning, see Sample Request.

You can delete objects by explicitly calling DELETE Object or configure its lifecycle (PutBucketLifecycle) to enable Amazon S3 to remove them for you. If you want to block users or accounts from removing or deleting objects from your bucket, you must deny them the s3:DeleteObject, s3:DeleteObjectVersion, and s3:PutLifeCycleConfiguration actions.

The following action is related to DeleteObject:

" }, "DeleteObjectTagging":{ "name":"DeleteObjectTagging", @@ -242,7 +242,7 @@ }, "input":{"shape":"DeleteObjectTaggingRequest"}, "output":{"shape":"DeleteObjectTaggingOutput"}, - "documentation":"

Removes the entire tag set from the specified object. For more information about managing object tags, see Object Tagging.

To use this operation, you must have permission to perform the s3:DeleteObjectTagging action.

To delete tags of a specific object version, add the versionId query parameter in the request. You will need permission for the s3:DeleteObjectVersionTagging action.

The following operations are related to DeleteObjectTagging:

" + "documentation":"

Removes the entire tag set from the specified object. For more information about managing object tags, see Object Tagging.

To use this operation, you must have permission to perform the s3:DeleteObjectTagging action.

To delete tags of a specific object version, add the versionId query parameter in the request. You will need permission for the s3:DeleteObjectVersionTagging action.

The following operations are related to DeleteBucketMetricsConfiguration:

" }, "DeleteObjects":{ "name":"DeleteObjects", @@ -289,7 +289,7 @@ "input":{"shape":"GetBucketAclRequest"}, "output":{"shape":"GetBucketAclOutput"}, "documentationUrl":"http://docs.amazonwebservices.com/AmazonS3/latest/API/RESTBucketGETacl.html", - "documentation":"

This implementation of the GET action uses the acl subresource to return the access control list (ACL) of a bucket. To use GET to return the ACL of the bucket, you must have READ_ACP access to the bucket. If READ_ACP permission is granted to the anonymous user, you can return the ACL of the bucket without using an authorization header.

To use this API against an access point, provide the alias of the access point in place of the bucket name.

If your bucket uses the bucket owner enforced setting for S3 Object Ownership, requests to read ACLs are still supported and return the bucket-owner-full-control ACL with the owner being the account that created the bucket. For more information, see Controlling object ownership and disabling ACLs in the Amazon S3 User Guide.

Related Resources

" + "documentation":"

This implementation of the GET action uses the acl subresource to return the access control list (ACL) of a bucket. To use GET to return the ACL of the bucket, you must have READ_ACP access to the bucket. If READ_ACP permission is granted to the anonymous user, you can return the ACL of the bucket without using an authorization header.

If your bucket uses the bucket owner enforced setting for S3 Object Ownership, requests to read ACLs are still supported and return the bucket-owner-full-control ACL with the owner being the account that created the bucket. For more information, see Controlling object ownership and disabling ACLs in the Amazon S3 User Guide.

Related Resources

" }, "GetBucketAnalyticsConfiguration":{ "name":"GetBucketAnalyticsConfiguration", @@ -310,7 +310,7 @@ "input":{"shape":"GetBucketCorsRequest"}, "output":{"shape":"GetBucketCorsOutput"}, "documentationUrl":"http://docs.amazonwebservices.com/AmazonS3/latest/API/RESTBucketGETcors.html", - "documentation":"

Returns the Cross-Origin Resource Sharing (CORS) configuration information set for the bucket.

To use this operation, you must have permission to perform the s3:GetBucketCORS action. By default, the bucket owner has this permission and can grant it to others.

To use this API against an access point, provide the alias of the access point in place of the bucket name.

For more information about CORS, see Enabling Cross-Origin Resource Sharing.

The following operations are related to GetBucketCors:

" + "documentation":"

Returns the Cross-Origin Resource Sharing (CORS) configuration information set for the bucket.

To use this operation, you must have permission to perform the s3:GetBucketCORS action. By default, the bucket owner has this permission and can grant it to others.

For more information about CORS, see Enabling Cross-Origin Resource Sharing.

The following operations are related to GetBucketCors:

" }, "GetBucketEncryption":{ "name":"GetBucketEncryption", @@ -320,7 +320,7 @@ }, "input":{"shape":"GetBucketEncryptionRequest"}, "output":{"shape":"GetBucketEncryptionOutput"}, - "documentation":"

Returns the default encryption configuration for an Amazon S3 bucket. By default, all buckets have a default encryption configuration that uses server-side encryption with Amazon S3 managed keys (SSE-S3). For information about the bucket default encryption feature, see Amazon S3 Bucket Default Encryption in the Amazon S3 User Guide.

To use this operation, you must have permission to perform the s3:GetEncryptionConfiguration action. The bucket owner has this permission by default. The bucket owner can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources.

The following operations are related to GetBucketEncryption:

" + "documentation":"

Returns the default encryption configuration for an Amazon S3 bucket. If the bucket does not have a default encryption configuration, GetBucketEncryption returns ServerSideEncryptionConfigurationNotFoundError.

For information about the Amazon S3 default encryption feature, see Amazon S3 Default Bucket Encryption.

To use this operation, you must have permission to perform the s3:GetEncryptionConfiguration action. The bucket owner has this permission by default. The bucket owner can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources.

The following operations are related to GetBucketEncryption:

" }, "GetBucketIntelligentTieringConfiguration":{ "name":"GetBucketIntelligentTieringConfiguration", @@ -373,7 +373,7 @@ "input":{"shape":"GetBucketLocationRequest"}, "output":{"shape":"GetBucketLocationOutput"}, "documentationUrl":"http://docs.amazonwebservices.com/AmazonS3/latest/API/RESTBucketGETlocation.html", - "documentation":"

Returns the Region the bucket resides in. You set the bucket's Region using the LocationConstraint request parameter in a CreateBucket request. For more information, see CreateBucket.

To use this implementation of the operation, you must be the bucket owner.

To use this API against an access point, provide the alias of the access point in place of the bucket name.

For requests made using Amazon Web Services Signature Version 4 (SigV4), we recommend that you use HeadBucket to return the bucket Region instead of GetBucketLocation.

The following operations are related to GetBucketLocation:

" + "documentation":"

Returns the Region the bucket resides in. You set the bucket's Region using the LocationConstraint request parameter in a CreateBucket request. For more information, see CreateBucket.

To use this implementation of the operation, you must be the bucket owner.

To use this API against an access point, provide the alias of the access point in place of the bucket name.

The following operations are related to GetBucketLocation:

" }, "GetBucketLogging":{ "name":"GetBucketLogging", @@ -384,7 +384,7 @@ "input":{"shape":"GetBucketLoggingRequest"}, "output":{"shape":"GetBucketLoggingOutput"}, "documentationUrl":"http://docs.amazonwebservices.com/AmazonS3/latest/API/RESTBucketGETlogging.html", - "documentation":"

Returns the logging status of a bucket and the permissions users have to view and modify that status.

The following operations are related to GetBucketLogging:

" + "documentation":"

Returns the logging status of a bucket and the permissions users have to view and modify that status. To use GET, you must be the bucket owner.

The following operations are related to GetBucketLogging:

" }, "GetBucketMetricsConfiguration":{ "name":"GetBucketMetricsConfiguration", @@ -416,7 +416,7 @@ }, "input":{"shape":"GetBucketNotificationConfigurationRequest"}, "output":{"shape":"NotificationConfiguration"}, - "documentation":"

Returns the notification configuration of a bucket.

If notifications are not enabled on the bucket, the action returns an empty NotificationConfiguration element.

By default, you must be the bucket owner to read the notification configuration of a bucket. However, the bucket owner can use a bucket policy to grant permission to other users to read this configuration with the s3:GetBucketNotification permission.

To use this API against an access point, provide the alias of the access point in place of the bucket name.

For more information about setting and reading the notification configuration on a bucket, see Setting Up Notification of Bucket Events. For more information about bucket policies, see Using Bucket Policies.

The following action is related to GetBucketNotification:

" + "documentation":"

Returns the notification configuration of a bucket.

If notifications are not enabled on the bucket, the action returns an empty NotificationConfiguration element.

By default, you must be the bucket owner to read the notification configuration of a bucket. However, the bucket owner can use a bucket policy to grant permission to other users to read this configuration with the s3:GetBucketNotification permission.

For more information about setting and reading the notification configuration on a bucket, see Setting Up Notification of Bucket Events. For more information about bucket policies, see Using Bucket Policies.

The following action is related to GetBucketNotification:

" }, "GetBucketOwnershipControls":{ "name":"GetBucketOwnershipControls", @@ -437,7 +437,7 @@ "input":{"shape":"GetBucketPolicyRequest"}, "output":{"shape":"GetBucketPolicyOutput"}, "documentationUrl":"http://docs.amazonwebservices.com/AmazonS3/latest/API/RESTBucketGETpolicy.html", - "documentation":"

Returns the policy of a specified bucket. If you are using an identity other than the root user of the Amazon Web Services account that owns the bucket, the calling identity must have the GetBucketPolicy permissions on the specified bucket and belong to the bucket owner's account in order to use this operation.

If you don't have GetBucketPolicy permissions, Amazon S3 returns a 403 Access Denied error. If you have the correct permissions, but you're not using an identity that belongs to the bucket owner's account, Amazon S3 returns a 405 Method Not Allowed error.

As a security precaution, the root user of the Amazon Web Services account that owns a bucket can always use this operation, even if the policy explicitly denies the root user the ability to perform this action.

To use this API against an access point, provide the alias of the access point in place of the bucket name.

For more information about bucket policies, see Using Bucket Policies and User Policies.

The following action is related to GetBucketPolicy:

" + "documentation":"

Returns the policy of a specified bucket. If you are using an identity other than the root user of the Amazon Web Services account that owns the bucket, the calling identity must have the GetBucketPolicy permissions on the specified bucket and belong to the bucket owner's account in order to use this operation.

If you don't have GetBucketPolicy permissions, Amazon S3 returns a 403 Access Denied error. If you have the correct permissions, but you're not using an identity that belongs to the bucket owner's account, Amazon S3 returns a 405 Method Not Allowed error.

As a security precaution, the root user of the Amazon Web Services account that owns a bucket can always use this operation, even if the policy explicitly denies the root user the ability to perform this action.

For more information about bucket policies, see Using Bucket Policies and User Policies.

The following action is related to GetBucketPolicy:

" }, "GetBucketPolicyStatus":{ "name":"GetBucketPolicyStatus", @@ -516,7 +516,7 @@ {"shape":"InvalidObjectState"} ], "documentationUrl":"http://docs.amazonwebservices.com/AmazonS3/latest/API/RESTObjectGET.html", - "documentation":"

Retrieves objects from Amazon S3. To use GET, you must have READ access to the object. If you grant READ access to the anonymous user, you can return the object without using an authorization header.

An Amazon S3 bucket has no directory hierarchy such as you would find in a typical computer file system. You can, however, create a logical hierarchy by using object key names that imply a folder structure. For example, instead of naming an object sample.jpg, you can name it photos/2006/February/sample.jpg.

To get an object from such a logical hierarchy, specify the full key name for the object in the GET operation. For a virtual hosted-style request example, if you have the object photos/2006/February/sample.jpg, specify the resource as /photos/2006/February/sample.jpg. For a path-style request example, if you have the object photos/2006/February/sample.jpg in the bucket named examplebucket, specify the resource as /examplebucket/photos/2006/February/sample.jpg. For more information about request types, see HTTP Host Header Bucket Specification.

For more information about returning the ACL of an object, see GetObjectAcl.

If the object you are retrieving is stored in the S3 Glacier or S3 Glacier Deep Archive storage class, or S3 Intelligent-Tiering Archive or S3 Intelligent-Tiering Deep Archive tiers, before you can retrieve the object you must first restore a copy using RestoreObject. Otherwise, this action returns an InvalidObjectState error. For information about restoring archived objects, see Restoring Archived Objects.

Encryption request headers, like x-amz-server-side-encryption, should not be sent for GET requests if your object uses server-side encryption with KMS keys (SSE-KMS) or server-side encryption with Amazon S3–managed encryption keys (SSE-S3). If your object does use these types of keys, you’ll get an HTTP 400 BadRequest error.

If you encrypt an object by using server-side encryption with customer-provided encryption keys (SSE-C) when you store the object in Amazon S3, then when you GET the object, you must use the following headers:

For more information about SSE-C, see Server-Side Encryption (Using Customer-Provided Encryption Keys).

Assuming you have the relevant permission to read object tags, the response also returns the x-amz-tagging-count header that provides the count of number of tags associated with the object. You can use GetObjectTagging to retrieve the tag set associated with an object.

Permissions

You need the relevant read object (or version) permission for this operation. For more information, see Specifying Permissions in a Policy. If the object you request does not exist, the error Amazon S3 returns depends on whether you also have the s3:ListBucket permission.

Versioning

By default, the GET action returns the current version of an object. To return a different version, use the versionId subresource.

For more information about versioning, see PutBucketVersioning.

Overriding Response Header Values

There are times when you want to override certain response header values in a GET response. For example, you might override the Content-Disposition response header value in your GET request.

You can override values for a set of response headers using the following query parameters. These response header values are sent only on a successful request, that is, when status code 200 OK is returned. The set of headers you can override using these parameters is a subset of the headers that Amazon S3 accepts when you create an object. The response headers that you can override for the GET response are Content-Type, Content-Language, Expires, Cache-Control, Content-Disposition, and Content-Encoding. To override these header values in the GET response, you use the following request parameters.

You must sign the request, either using an Authorization header or a presigned URL, when using these parameters. They cannot be used with an unsigned (anonymous) request.

Additional Considerations about Request Headers

If both of the If-Match and If-Unmodified-Since headers are present in the request as follows: If-Match condition evaluates to true, and; If-Unmodified-Since condition evaluates to false; then, S3 returns 200 OK and the data requested.

If both of the If-None-Match and If-Modified-Since headers are present in the request as follows: If-None-Match condition evaluates to false, and; If-Modified-Since condition evaluates to true; then, S3 returns 304 Not Modified response code.

For more information about conditional requests, see RFC 7232.

The following operations are related to GetObject:

", + "documentation":"

Retrieves objects from Amazon S3. To use GET, you must have READ access to the object. If you grant READ access to the anonymous user, you can return the object without using an authorization header.

An Amazon S3 bucket has no directory hierarchy such as you would find in a typical computer file system. You can, however, create a logical hierarchy by using object key names that imply a folder structure. For example, instead of naming an object sample.jpg, you can name it photos/2006/February/sample.jpg.

To get an object from such a logical hierarchy, specify the full key name for the object in the GET operation. For a virtual hosted-style request example, if you have the object photos/2006/February/sample.jpg, specify the resource as /photos/2006/February/sample.jpg. For a path-style request example, if you have the object photos/2006/February/sample.jpg in the bucket named examplebucket, specify the resource as /examplebucket/photos/2006/February/sample.jpg. For more information about request types, see HTTP Host Header Bucket Specification.

For more information about returning the ACL of an object, see GetObjectAcl.

If the object you are retrieving is stored in the S3 Glacier or S3 Glacier Deep Archive storage class, or S3 Intelligent-Tiering Archive or S3 Intelligent-Tiering Deep Archive tiers, before you can retrieve the object you must first restore a copy using RestoreObject. Otherwise, this action returns an InvalidObjectStateError error. For information about restoring archived objects, see Restoring Archived Objects.

Encryption request headers, like x-amz-server-side-encryption, should not be sent for GET requests if your object uses server-side encryption with KMS keys (SSE-KMS) or server-side encryption with Amazon S3–managed encryption keys (SSE-S3). If your object does use these types of keys, you’ll get an HTTP 400 BadRequest error.

If you encrypt an object by using server-side encryption with customer-provided encryption keys (SSE-C) when you store the object in Amazon S3, then when you GET the object, you must use the following headers:

For more information about SSE-C, see Server-Side Encryption (Using Customer-Provided Encryption Keys).

Assuming you have the relevant permission to read object tags, the response also returns the x-amz-tagging-count header that provides the count of number of tags associated with the object. You can use GetObjectTagging to retrieve the tag set associated with an object.

Permissions

You need the relevant read object (or version) permission for this operation. For more information, see Specifying Permissions in a Policy. If the object you request does not exist, the error Amazon S3 returns depends on whether you also have the s3:ListBucket permission.

Versioning

By default, the GET action returns the current version of an object. To return a different version, use the versionId subresource.

For more information about versioning, see PutBucketVersioning.

Overriding Response Header Values

There are times when you want to override certain response header values in a GET response. For example, you might override the Content-Disposition response header value in your GET request.

You can override values for a set of response headers using the following query parameters. These response header values are sent only on a successful request, that is, when status code 200 OK is returned. The set of headers you can override using these parameters is a subset of the headers that Amazon S3 accepts when you create an object. The response headers that you can override for the GET response are Content-Type, Content-Language, Expires, Cache-Control, Content-Disposition, and Content-Encoding. To override these header values in the GET response, you use the following request parameters.

You must sign the request, either using an Authorization header or a presigned URL, when using these parameters. They cannot be used with an unsigned (anonymous) request.

Additional Considerations about Request Headers

If both of the If-Match and If-Unmodified-Since headers are present in the request as follows: If-Match condition evaluates to true, and; If-Unmodified-Since condition evaluates to false; then, S3 returns 200 OK and the data requested.

If both of the If-None-Match and If-Modified-Since headers are present in the request as follows: If-None-Match condition evaluates to false, and; If-Modified-Since condition evaluates to true; then, S3 returns 304 Not Modified response code.

For more information about conditional requests, see RFC 7232.

The following operations are related to GetObject:

", "httpChecksum":{ "requestValidationModeMember":"ChecksumMode", "responseAlgorithms":[ @@ -552,7 +552,7 @@ "errors":[ {"shape":"NoSuchKey"} ], - "documentation":"

Retrieves all the metadata from an object without returning the object itself. This action is useful if you're interested only in an object's metadata. To use GetObjectAttributes, you must have READ access to the object.

GetObjectAttributes combines the functionality of HeadObject and ListParts. All of the data returned with each of those individual calls can be returned with a single call to GetObjectAttributes.

If you encrypt an object by using server-side encryption with customer-provided encryption keys (SSE-C) when you store the object in Amazon S3, then when you retrieve the metadata from the object, you must use the following headers:

For more information about SSE-C, see Server-Side Encryption (Using Customer-Provided Encryption Keys) in the Amazon S3 User Guide.

Consider the following when using request headers:

For more information about conditional requests, see RFC 7232.

Permissions

The permissions that you need to use this operation depend on whether the bucket is versioned. If the bucket is versioned, you need both the s3:GetObjectVersion and s3:GetObjectVersionAttributes permissions for this operation. If the bucket is not versioned, you need the s3:GetObject and s3:GetObjectAttributes permissions. For more information, see Specifying Permissions in a Policy in the Amazon S3 User Guide. If the object that you request does not exist, the error Amazon S3 returns depends on whether you also have the s3:ListBucket permission.

The following actions are related to GetObjectAttributes:

" + "documentation":"

Retrieves all the metadata from an object without returning the object itself. This action is useful if you're interested only in an object's metadata. To use GetObjectAttributes, you must have READ access to the object.

GetObjectAttributes combines the functionality of GetObjectAcl, GetObjectLegalHold, GetObjectLockConfiguration, GetObjectRetention, GetObjectTagging, HeadObject, and ListParts. All of the data returned with each of those individual calls can be returned with a single call to GetObjectAttributes.

If you encrypt an object by using server-side encryption with customer-provided encryption keys (SSE-C) when you store the object in Amazon S3, then when you retrieve the metadata from the object, you must use the following headers:

For more information about SSE-C, see Server-Side Encryption (Using Customer-Provided Encryption Keys) in the Amazon S3 User Guide.

Consider the following when using request headers:

For more information about conditional requests, see RFC 7232.

Permissions

The permissions that you need to use this operation depend on whether the bucket is versioned. If the bucket is versioned, you need both the s3:GetObjectVersion and s3:GetObjectVersionAttributes permissions for this operation. If the bucket is not versioned, you need the s3:GetObject and s3:GetObjectAttributes permissions. For more information, see Specifying Permissions in a Policy in the Amazon S3 User Guide. If the object that you request does not exist, the error Amazon S3 returns depends on whether you also have the s3:ListBucket permission.

The following actions are related to GetObjectAttributes:

" }, "GetObjectLegalHold":{ "name":"GetObjectLegalHold", @@ -603,7 +603,7 @@ "input":{"shape":"GetObjectTorrentRequest"}, "output":{"shape":"GetObjectTorrentOutput"}, "documentationUrl":"http://docs.amazonwebservices.com/AmazonS3/latest/API/RESTObjectGETtorrent.html", - "documentation":"

Returns torrent files from a bucket. BitTorrent can save you bandwidth when you're distributing large files.

You can get torrent only for objects that are less than 5 GB in size, and that are not encrypted using server-side encryption with a customer-provided encryption key.

To use GET, you must have READ access to the object.

This action is not supported by Amazon S3 on Outposts.

The following action is related to GetObjectTorrent:

" + "documentation":"

Returns torrent files from a bucket. BitTorrent can save you bandwidth when you're distributing large files. For more information about BitTorrent, see Using BitTorrent with Amazon S3.

You can get torrent only for objects that are less than 5 GB in size, and that are not encrypted using server-side encryption with a customer-provided encryption key.

To use GET, you must have READ access to the object.

This action is not supported by Amazon S3 on Outposts.

The following action is related to GetObjectTorrent:

" }, "GetPublicAccessBlock":{ "name":"GetPublicAccessBlock", @@ -626,7 +626,7 @@ {"shape":"NoSuchBucket"} ], "documentationUrl":"http://docs.amazonwebservices.com/AmazonS3/latest/API/RESTBucketHEAD.html", - "documentation":"

This action is useful to determine if a bucket exists and you have permission to access it. The action returns a 200 OK if the bucket exists and you have permission to access it.

If the bucket does not exist or you do not have permission to access it, the HEAD request returns a generic 400 Bad Request, 403 Forbidden or 404 Not Found code. A message body is not included, so you cannot determine the exception beyond these error codes.

To use this operation, you must have permissions to perform the s3:ListBucket action. The bucket owner has this permission by default and can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources.

To use this API against an access point, you must provide the alias of the access point in place of the bucket name or specify the access point ARN. When using the access point ARN, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using the Amazon Web Services SDKs, you provide the ARN in place of the bucket name. For more information see, Using access points.

" + "documentation":"

This action is useful to determine if a bucket exists and you have permission to access it. The action returns a 200 OK if the bucket exists and you have permission to access it.

If the bucket does not exist or you do not have permission to access it, the HEAD request returns a generic 404 Not Found or 403 Forbidden code. A message body is not included, so you cannot determine the exception beyond these error codes.

To use this operation, you must have permissions to perform the s3:ListBucket action. The bucket owner has this permission by default and can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources.

To use this API against an access point, you must provide the alias of the access point in place of the bucket name or specify the access point ARN. When using the access point ARN, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using the Amazon Web Services SDKs, you provide the ARN in place of the bucket name. For more information see, Using access points.

" }, "HeadObject":{ "name":"HeadObject", @@ -640,7 +640,7 @@ {"shape":"NoSuchKey"} ], "documentationUrl":"http://docs.amazonwebservices.com/AmazonS3/latest/API/RESTObjectHEAD.html", - "documentation":"

The HEAD action retrieves metadata from an object without returning the object itself. This action is useful if you're only interested in an object's metadata. To use HEAD, you must have READ access to the object.

A HEAD request has the same options as a GET action on an object. The response is identical to the GET response except that there is no response body. Because of this, if the HEAD request generates an error, it returns a generic 400 Bad Request, 403 Forbidden or 404 Not Found code. It is not possible to retrieve the exact exception beyond these error codes.

If you encrypt an object by using server-side encryption with customer-provided encryption keys (SSE-C) when you store the object in Amazon S3, then when you retrieve the metadata from the object, you must use the following headers:

For more information about SSE-C, see Server-Side Encryption (Using Customer-Provided Encryption Keys).

Request headers are limited to 8 KB in size. For more information, see Common Request Headers.

Consider the following when using request headers:

For more information about conditional requests, see RFC 7232.

Permissions

You need the relevant read object (or version) permission for this operation. For more information, see Specifying Permissions in a Policy. If the object you request does not exist, the error Amazon S3 returns depends on whether you also have the s3:ListBucket permission.

The following actions are related to HeadObject:

" + "documentation":"

The HEAD action retrieves metadata from an object without returning the object itself. This action is useful if you're only interested in an object's metadata. To use HEAD, you must have READ access to the object.

A HEAD request has the same options as a GET action on an object. The response is identical to the GET response except that there is no response body. Because of this, if the HEAD request generates an error, it returns a generic 404 Not Found or 403 Forbidden code. It is not possible to retrieve the exact exception beyond these error codes.

If you encrypt an object by using server-side encryption with customer-provided encryption keys (SSE-C) when you store the object in Amazon S3, then when you retrieve the metadata from the object, you must use the following headers:

For more information about SSE-C, see Server-Side Encryption (Using Customer-Provided Encryption Keys).

Request headers are limited to 8 KB in size. For more information, see Common Request Headers.

Consider the following when using request headers:

For more information about conditional requests, see RFC 7232.

Permissions

You need the relevant read object (or version) permission for this operation. For more information, see Specifying Permissions in a Policy. If the object you request does not exist, the error Amazon S3 returns depends on whether you also have the s3:ListBucket permission.

The following actions are related to HeadObject:

" }, "ListBucketAnalyticsConfigurations":{ "name":"ListBucketAnalyticsConfigurations", @@ -690,7 +690,7 @@ }, "output":{"shape":"ListBucketsOutput"}, "documentationUrl":"http://docs.amazonwebservices.com/AmazonS3/latest/API/RESTServiceGET.html", - "documentation":"

Returns a list of all buckets owned by the authenticated sender of the request. To use this operation, you must have the s3:ListAllMyBuckets permission.

For information about Amazon S3 buckets, see Creating, configuring, and working with Amazon S3 buckets.

", + "documentation":"

Returns a list of all buckets owned by the authenticated sender of the request. To use this operation, you must have the s3:ListAllMyBuckets permission.

", "alias":"GetService" }, "ListMultipartUploads":{ @@ -776,7 +776,7 @@ }, "input":{"shape":"PutBucketAclRequest"}, "documentationUrl":"http://docs.amazonwebservices.com/AmazonS3/latest/API/RESTBucketPUTacl.html", - "documentation":"

Sets the permissions on an existing bucket using access control lists (ACL). For more information, see Using ACLs. To set the ACL of a bucket, you must have WRITE_ACP permission.

You can use one of the following two ways to set a bucket's permissions:

You cannot specify access permission using both the body and the request headers.

Depending on your application needs, you may choose to set the ACL on a bucket using either the request body or the headers. For example, if you have an existing application that updates a bucket ACL using the request body, then you can continue to use that approach.

If your bucket uses the bucket owner enforced setting for S3 Object Ownership, ACLs are disabled and no longer affect permissions. You must use policies to grant access to your bucket and the objects in it. Requests to set ACLs or update ACLs fail and return the AccessControlListNotSupported error code. Requests to read ACLs are still supported. For more information, see Controlling object ownership in the Amazon S3 User Guide.

Access Permissions

You can set access permissions using one of the following methods:

You can use either a canned ACL or specify access permissions explicitly. You cannot do both.

Grantee Values

You can specify the person (grantee) to whom you're assigning access rights (using request elements) in the following ways:

Related Resources

", + "documentation":"

Sets the permissions on an existing bucket using access control lists (ACL). For more information, see Using ACLs. To set the ACL of a bucket, you must have WRITE_ACP permission.

You can use one of the following two ways to set a bucket's permissions:

You cannot specify access permission using both the body and the request headers.

Depending on your application needs, you may choose to set the ACL on a bucket using either the request body or the headers. For example, if you have an existing application that updates a bucket ACL using the request body, then you can continue to use that approach.

If your bucket uses the bucket owner enforced setting for S3 Object Ownership, ACLs are disabled and no longer affect permissions. You must use policies to grant access to your bucket and the objects in it. Requests to set ACLs or update ACLs fail and return the AccessControlListNotSupported error code. Requests to read ACLs are still supported. For more information, see Controlling object ownership in the Amazon S3 User Guide.

Access Permissions

You can set access permissions using one of the following methods:

You can use either a canned ACL or specify access permissions explicitly. You cannot do both.

Grantee Values

You can specify the person (grantee) to whom you're assigning access rights (using request elements) in the following ways:

Related Resources

", "httpChecksum":{ "requestAlgorithmMember":"ChecksumAlgorithm", "requestChecksumRequired":true @@ -812,7 +812,7 @@ "requestUri":"/{Bucket}?encryption" }, "input":{"shape":"PutBucketEncryptionRequest"}, - "documentation":"

This action uses the encryption subresource to configure default encryption and Amazon S3 Bucket Keys for an existing bucket.

By default, all buckets have a default encryption configuration that uses server-side encryption with Amazon S3 managed keys (SSE-S3). You can optionally configure default encryption for a bucket by using server-side encryption with an Amazon Web Services KMS key (SSE-KMS) or a customer-provided key (SSE-C). If you specify default encryption by using SSE-KMS, you can also configure Amazon S3 Bucket Keys. For information about bucket default encryption, see Amazon S3 bucket default encryption in the Amazon S3 User Guide. For more information about S3 Bucket Keys, see Amazon S3 Bucket Keys in the Amazon S3 User Guide.

This action requires Amazon Web Services Signature Version 4. For more information, see Authenticating Requests (Amazon Web Services Signature Version 4).

To use this operation, you must have permissions to perform the s3:PutEncryptionConfiguration action. The bucket owner has this permission by default. The bucket owner can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources in the Amazon S3 User Guide.

Related Resources

", + "documentation":"

This action uses the encryption subresource to configure default encryption and Amazon S3 Bucket Key for an existing bucket.

Default encryption for a bucket can use server-side encryption with Amazon S3-managed keys (SSE-S3) or customer managed keys (SSE-KMS). If you specify default encryption using SSE-KMS, you can also configure Amazon S3 Bucket Key. When the default encryption is SSE-KMS, if you upload an object to the bucket and do not specify the KMS key to use for encryption, Amazon S3 uses the default Amazon Web Services managed KMS key for your account. For information about default encryption, see Amazon S3 default bucket encryption in the Amazon S3 User Guide. For more information about S3 Bucket Keys, see Amazon S3 Bucket Keys in the Amazon S3 User Guide.

This action requires Amazon Web Services Signature Version 4. For more information, see Authenticating Requests (Amazon Web Services Signature Version 4).

To use this operation, you must have permissions to perform the s3:PutEncryptionConfiguration action. The bucket owner has this permission by default. The bucket owner can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources in the Amazon S3 User Guide.

Related Resources

", "httpChecksum":{ "requestAlgorithmMember":"ChecksumAlgorithm", "requestChecksumRequired":true @@ -834,7 +834,7 @@ "requestUri":"/{Bucket}?inventory" }, "input":{"shape":"PutBucketInventoryConfigurationRequest"}, - "documentation":"

This implementation of the PUT action adds an inventory configuration (identified by the inventory ID) to the bucket. You can have up to 1,000 inventory configurations per bucket.

Amazon S3 inventory generates inventories of the objects in the bucket on a daily or weekly basis, and the results are published to a flat file. The bucket that is inventoried is called the source bucket, and the bucket where the inventory flat file is stored is called the destination bucket. The destination bucket must be in the same Amazon Web Services Region as the source bucket.

When you configure an inventory for a source bucket, you specify the destination bucket where you want the inventory to be stored, and whether to generate the inventory daily or weekly. You can also configure what object metadata to include and whether to inventory all object versions or only current versions. For more information, see Amazon S3 Inventory in the Amazon S3 User Guide.

You must create a bucket policy on the destination bucket to grant permissions to Amazon S3 to write objects to the bucket in the defined location. For an example policy, see Granting Permissions for Amazon S3 Inventory and Storage Class Analysis.

Permissions

To use this operation, you must have permission to perform the s3:PutInventoryConfiguration action. The bucket owner has this permission by default and can grant this permission to others.

The s3:PutInventoryConfiguration permission allows a user to create an S3 Inventory report that includes all object metadata fields available and to specify the destination bucket to store the inventory. A user with read access to objects in the destination bucket can also access all object metadata fields that are available in the inventory report.

To restrict access to an inventory report, see Restricting access to an Amazon S3 Inventory report in the Amazon S3 User Guide. For more information about the metadata fields available in S3 Inventory, see Amazon S3 Inventory lists in the Amazon S3 User Guide. For more information about permissions, see Permissions related to bucket subresource operations and Identity and access management in Amazon S3 in the Amazon S3 User Guide.

Special Errors

Related Resources

" + "documentation":"

This implementation of the PUT action adds an inventory configuration (identified by the inventory ID) to the bucket. You can have up to 1,000 inventory configurations per bucket.

Amazon S3 inventory generates inventories of the objects in the bucket on a daily or weekly basis, and the results are published to a flat file. The bucket that is inventoried is called the source bucket, and the bucket where the inventory flat file is stored is called the destination bucket. The destination bucket must be in the same Amazon Web Services Region as the source bucket.

When you configure an inventory for a source bucket, you specify the destination bucket where you want the inventory to be stored, and whether to generate the inventory daily or weekly. You can also configure what object metadata to include and whether to inventory all object versions or only current versions. For more information, see Amazon S3 Inventory in the Amazon S3 User Guide.

You must create a bucket policy on the destination bucket to grant permissions to Amazon S3 to write objects to the bucket in the defined location. For an example policy, see Granting Permissions for Amazon S3 Inventory and Storage Class Analysis.

To use this operation, you must have permissions to perform the s3:PutInventoryConfiguration action. The bucket owner has this permission by default and can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources in the Amazon S3 User Guide.

Special Errors

Related Resources

" }, "PutBucketLifecycle":{ "name":"PutBucketLifecycle", @@ -1013,7 +1013,7 @@ "input":{"shape":"PutObjectRequest"}, "output":{"shape":"PutObjectOutput"}, "documentationUrl":"http://docs.amazonwebservices.com/AmazonS3/latest/API/RESTObjectPUT.html", - "documentation":"

Adds an object to a bucket. You must have WRITE permissions on a bucket to add an object to it.

Amazon S3 never adds partial objects; if you receive a success response, Amazon S3 added the entire object to the bucket. You cannot use PutObject to only update a single piece of metadata for an existing object. You must put the entire object with updated metadata if you want to update some values.

Amazon S3 is a distributed system. If it receives multiple write requests for the same object simultaneously, it overwrites all but the last object written. To prevent objects from being deleted or overwritten, you can use Amazon S3 Object Lock.

To ensure that data is not corrupted traversing the network, use the Content-MD5 header. When you use this header, Amazon S3 checks the object against the provided MD5 value and, if they do not match, returns an error. Additionally, you can calculate the MD5 while putting an object to Amazon S3 and compare the returned ETag to the calculated MD5 value.

You have three mutually exclusive options to protect data using server-side encryption in Amazon S3, depending on how you choose to manage the encryption keys. Specifically, the encryption key options are Amazon S3 managed keys (SSE-S3), Amazon Web Services KMS keys (SSE-KMS), and customer-provided keys (SSE-C). Amazon S3 encrypts data with server-side encryption by using Amazon S3 managed keys (SSE-S3) by default. You can optionally tell Amazon S3 to encrypt data at by rest using server-side encryption with other key options. For more information, see Using Server-Side Encryption.

When adding a new object, you can use headers to grant ACL-based permissions to individual Amazon Web Services accounts or to predefined groups defined by Amazon S3. These permissions are then added to the ACL on the object. By default, all objects are private. Only the owner has full access control. For more information, see Access Control List (ACL) Overview and Managing ACLs Using the REST API.

If the bucket that you're uploading objects to uses the bucket owner enforced setting for S3 Object Ownership, ACLs are disabled and no longer affect permissions. Buckets that use this setting only accept PUT requests that don't specify an ACL or PUT requests that specify bucket owner full control ACLs, such as the bucket-owner-full-control canned ACL or an equivalent form of this ACL expressed in the XML format. PUT requests that contain other ACLs (for example, custom grants to certain Amazon Web Services accounts) fail and return a 400 error with the error code AccessControlListNotSupported. For more information, see Controlling ownership of objects and disabling ACLs in the Amazon S3 User Guide.

If your bucket uses the bucket owner enforced setting for Object Ownership, all objects written to the bucket by any account will be owned by the bucket owner.

By default, Amazon S3 uses the STANDARD Storage Class to store newly created objects. The STANDARD storage class provides high durability and high availability. Depending on performance needs, you can specify a different Storage Class. Amazon S3 on Outposts only uses the OUTPOSTS Storage Class. For more information, see Storage Classes in the Amazon S3 User Guide.

If you enable versioning for a bucket, Amazon S3 automatically generates a unique version ID for the object being stored. Amazon S3 returns this ID in the response. When you enable versioning for a bucket, if Amazon S3 receives multiple write requests for the same object simultaneously, it stores all of the objects. For more information about versioning, see Adding Objects to Versioning Enabled Buckets. For information about returning the versioning state of a bucket, see GetBucketVersioning.

For more information about related Amazon S3 APIs, see the following:

", + "documentation":"

Adds an object to a bucket. You must have WRITE permissions on a bucket to add an object to it.

Amazon S3 never adds partial objects; if you receive a success response, Amazon S3 added the entire object to the bucket.

Amazon S3 is a distributed system. If it receives multiple write requests for the same object simultaneously, it overwrites all but the last object written. Amazon S3 does not provide object locking; if you need this, make sure to build it into your application layer or use versioning instead.

To ensure that data is not corrupted traversing the network, use the Content-MD5 header. When you use this header, Amazon S3 checks the object against the provided MD5 value and, if they do not match, returns an error. Additionally, you can calculate the MD5 while putting an object to Amazon S3 and compare the returned ETag to the calculated MD5 value.

Server-side Encryption

You can optionally request server-side encryption. With server-side encryption, Amazon S3 encrypts your data as it writes it to disks in its data centers and decrypts the data when you access it. You have the option to provide your own encryption key or use Amazon Web Services managed encryption keys (SSE-S3 or SSE-KMS). For more information, see Using Server-Side Encryption.

If you request server-side encryption using Amazon Web Services Key Management Service (SSE-KMS), you can enable an S3 Bucket Key at the object-level. For more information, see Amazon S3 Bucket Keys in the Amazon S3 User Guide.

Access Control List (ACL)-Specific Request Headers

You can use headers to grant ACL- based permissions. By default, all objects are private. Only the owner has full access control. When adding a new object, you can grant permissions to individual Amazon Web Services accounts or to predefined groups defined by Amazon S3. These permissions are then added to the ACL on the object. For more information, see Access Control List (ACL) Overview and Managing ACLs Using the REST API.

If the bucket that you're uploading objects to uses the bucket owner enforced setting for S3 Object Ownership, ACLs are disabled and no longer affect permissions. Buckets that use this setting only accept PUT requests that don't specify an ACL or PUT requests that specify bucket owner full control ACLs, such as the bucket-owner-full-control canned ACL or an equivalent form of this ACL expressed in the XML format. PUT requests that contain other ACLs (for example, custom grants to certain Amazon Web Services accounts) fail and return a 400 error with the error code AccessControlListNotSupported.

For more information, see Controlling ownership of objects and disabling ACLs in the Amazon S3 User Guide.

If your bucket uses the bucket owner enforced setting for Object Ownership, all objects written to the bucket by any account will be owned by the bucket owner.

Storage Class Options

By default, Amazon S3 uses the STANDARD Storage Class to store newly created objects. The STANDARD storage class provides high durability and high availability. Depending on performance needs, you can specify a different Storage Class. Amazon S3 on Outposts only uses the OUTPOSTS Storage Class. For more information, see Storage Classes in the Amazon S3 User Guide.

Versioning

If you enable versioning for a bucket, Amazon S3 automatically generates a unique version ID for the object being stored. Amazon S3 returns this ID in the response. When you enable versioning for a bucket, if Amazon S3 receives multiple write requests for the same object simultaneously, it stores all of the objects.

For more information about versioning, see Adding Objects to Versioning Enabled Buckets. For information about returning the versioning state of a bucket, see GetBucketVersioning.

Related Resources

", "httpChecksum":{ "requestAlgorithmMember":"ChecksumAlgorithm", "requestChecksumRequired":false @@ -1118,7 +1118,7 @@ {"shape":"ObjectAlreadyInActiveTierError"} ], "documentationUrl":"http://docs.amazonwebservices.com/AmazonS3/latest/API/RESTObjectRestore.html", - "documentation":"

Restores an archived copy of an object back into Amazon S3

This action is not supported by Amazon S3 on Outposts.

This action performs the following types of requests:

To use this operation, you must have permissions to perform the s3:RestoreObject action. The bucket owner has this permission by default and can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources in the Amazon S3 User Guide.

For more information about the S3 structure in the request body, see the following:

When making a select request, you can also do the following:

The following are additional important facts about the select feature:

Restoring objects

Objects that you archive to the S3 Glacier Flexible Retrieval or S3 Glacier Deep Archive storage class, and S3 Intelligent-Tiering Archive or S3 Intelligent-Tiering Deep Archive tiers, are not accessible in real time. For objects in the S3 Glacier Flexible Retrieval or S3 Glacier Deep Archive storage classes, you must first initiate a restore request, and then wait until a temporary copy of the object is available. If you want a permanent copy of the object, create a copy of it in the Amazon S3 Standard storage class in your S3 bucket. To access an archived object, you must restore the object for the duration (number of days) that you specify. For objects in the Archive Access or Deep Archive Access tiers of S3 Intelligent-Tiering, you must first initiate a restore request, and then wait until the object is moved into the Frequent Access tier.

To restore a specific object version, you can provide a version ID. If you don't provide a version ID, Amazon S3 restores the current version.

When restoring an archived object, you can specify one of the following data access tier options in the Tier element of the request body:

For more information about archive retrieval options and provisioned capacity for Expedited data access, see Restoring Archived Objects in the Amazon S3 User Guide.

You can use Amazon S3 restore speed upgrade to change the restore speed to a faster speed while it is in progress. For more information, see Upgrading the speed of an in-progress restore in the Amazon S3 User Guide.

To get the status of object restoration, you can send a HEAD request. Operations return the x-amz-restore header, which provides information about the restoration status, in the response. You can use Amazon S3 event notifications to notify you when a restore is initiated or completed. For more information, see Configuring Amazon S3 Event Notifications in the Amazon S3 User Guide.

After restoring an archived object, you can update the restoration period by reissuing the request with a new period. Amazon S3 updates the restoration period relative to the current time and charges only for the request-there are no data transfer charges. You cannot update the restoration period when Amazon S3 is actively processing your current restore request for the object.

If your bucket has a lifecycle configuration with a rule that includes an expiration action, the object expiration overrides the life span that you specify in a restore request. For example, if you restore an object copy for 10 days, but the object is scheduled to expire in 3 days, Amazon S3 deletes the object in 3 days. For more information about lifecycle configuration, see PutBucketLifecycleConfiguration and Object Lifecycle Management in Amazon S3 User Guide.

Responses

A successful action returns either the 200 OK or 202 Accepted status code.

Special Errors

Related Resources

", + "documentation":"

Restores an archived copy of an object back into Amazon S3

This action is not supported by Amazon S3 on Outposts.

This action performs the following types of requests:

To use this operation, you must have permissions to perform the s3:RestoreObject action. The bucket owner has this permission by default and can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources in the Amazon S3 User Guide.

Querying Archives with Select Requests

You use a select type of request to perform SQL queries on archived objects. The archived objects that are being queried by the select request must be formatted as uncompressed comma-separated values (CSV) files. You can run queries and custom analytics on your archived data without having to restore your data to a hotter Amazon S3 tier. For an overview about select requests, see Querying Archived Objects in the Amazon S3 User Guide.

When making a select request, do the following:

For more information about using SQL with S3 Glacier Select restore, see SQL Reference for Amazon S3 Select and S3 Glacier Select in the Amazon S3 User Guide.

When making a select request, you can also do the following:

The following are additional important facts about the select feature:

Restoring objects

Objects that you archive to the S3 Glacier or S3 Glacier Deep Archive storage class, and S3 Intelligent-Tiering Archive or S3 Intelligent-Tiering Deep Archive tiers are not accessible in real time. For objects in Archive Access or Deep Archive Access tiers you must first initiate a restore request, and then wait until the object is moved into the Frequent Access tier. For objects in S3 Glacier or S3 Glacier Deep Archive storage classes you must first initiate a restore request, and then wait until a temporary copy of the object is available. To access an archived object, you must restore the object for the duration (number of days) that you specify.

To restore a specific object version, you can provide a version ID. If you don't provide a version ID, Amazon S3 restores the current version.

When restoring an archived object (or using a select request), you can specify one of the following data access tier options in the Tier element of the request body:

For more information about archive retrieval options and provisioned capacity for Expedited data access, see Restoring Archived Objects in the Amazon S3 User Guide.

You can use Amazon S3 restore speed upgrade to change the restore speed to a faster speed while it is in progress. For more information, see Upgrading the speed of an in-progress restore in the Amazon S3 User Guide.

To get the status of object restoration, you can send a HEAD request. Operations return the x-amz-restore header, which provides information about the restoration status, in the response. You can use Amazon S3 event notifications to notify you when a restore is initiated or completed. For more information, see Configuring Amazon S3 Event Notifications in the Amazon S3 User Guide.

After restoring an archived object, you can update the restoration period by reissuing the request with a new period. Amazon S3 updates the restoration period relative to the current time and charges only for the request-there are no data transfer charges. You cannot update the restoration period when Amazon S3 is actively processing your current restore request for the object.

If your bucket has a lifecycle configuration with a rule that includes an expiration action, the object expiration overrides the life span that you specify in a restore request. For example, if you restore an object copy for 10 days, but the object is scheduled to expire in 3 days, Amazon S3 deletes the object in 3 days. For more information about lifecycle configuration, see PutBucketLifecycleConfiguration and Object Lifecycle Management in Amazon S3 User Guide.

Responses

A successful action returns either the 200 OK or 202 Accepted status code.

Special Errors

Related Resources

", "alias":"PostObjectRestore", "httpChecksum":{ "requestAlgorithmMember":"ChecksumAlgorithm", @@ -1137,7 +1137,7 @@ "xmlNamespace":{"uri":"http://s3.amazonaws.com/doc/2006-03-01/"} }, "output":{"shape":"SelectObjectContentOutput"}, - "documentation":"

This action filters the contents of an Amazon S3 object based on a simple structured query language (SQL) statement. In the request, along with the SQL expression, you must also specify a data serialization format (JSON, CSV, or Apache Parquet) of the object. Amazon S3 uses this format to parse object data into records, and returns only records that match the specified SQL expression. You must also specify the data serialization format for the response.

This action is not supported by Amazon S3 on Outposts.

For more information about Amazon S3 Select, see Selecting Content from Objects and SELECT Command in the Amazon S3 User Guide.

Permissions

You must have s3:GetObject permission for this operation. Amazon S3 Select does not support anonymous access. For more information about permissions, see Specifying Permissions in a Policy in the Amazon S3 User Guide.

Object Data Formats

You can use Amazon S3 Select to query objects that have the following format properties:

Working with the Response Body

Given the response size is unknown, Amazon S3 Select streams the response as a series of messages and includes a Transfer-Encoding header with chunked as its value in the response. For more information, see Appendix: SelectObjectContent Response.

GetObject Support

The SelectObjectContent action does not support the following GetObject functionality. For more information, see GetObject.

Special Errors

For a list of special errors for this operation, see List of SELECT Object Content Error Codes

Related Resources

" + "documentation":"

This action filters the contents of an Amazon S3 object based on a simple structured query language (SQL) statement. In the request, along with the SQL expression, you must also specify a data serialization format (JSON, CSV, or Apache Parquet) of the object. Amazon S3 uses this format to parse object data into records, and returns only records that match the specified SQL expression. You must also specify the data serialization format for the response.

This action is not supported by Amazon S3 on Outposts.

For more information about Amazon S3 Select, see Selecting Content from Objects and SELECT Command in the Amazon S3 User Guide.

For more information about using SQL with Amazon S3 Select, see SQL Reference for Amazon S3 Select and S3 Glacier Select in the Amazon S3 User Guide.

Permissions

You must have s3:GetObject permission for this operation. Amazon S3 Select does not support anonymous access. For more information about permissions, see Specifying Permissions in a Policy in the Amazon S3 User Guide.

Object Data Formats

You can use Amazon S3 Select to query objects that have the following format properties:

Working with the Response Body

Given the response size is unknown, Amazon S3 Select streams the response as a series of messages and includes a Transfer-Encoding header with chunked as its value in the response. For more information, see Appendix: SelectObjectContent Response.

GetObject Support

The SelectObjectContent action does not support the following GetObject functionality. For more information, see GetObject.

Special Errors

For a list of special errors for this operation, see List of SELECT Object Content Error Codes

Related Resources

" }, "UploadPart":{ "name":"UploadPart", @@ -1148,7 +1148,7 @@ "input":{"shape":"UploadPartRequest"}, "output":{"shape":"UploadPartOutput"}, "documentationUrl":"http://docs.amazonwebservices.com/AmazonS3/latest/API/mpUploadUploadPart.html", - "documentation":"

Uploads a part in a multipart upload.

In this operation, you provide part data in your request. However, you have an option to specify your existing Amazon S3 object as a data source for the part you are uploading. To upload a part from an existing object, you use the UploadPartCopy operation.

You must initiate a multipart upload (see CreateMultipartUpload) before you can upload any part. In response to your initiate request, Amazon S3 returns an upload ID, a unique identifier, that you must include in your upload part request.

Part numbers can be any number from 1 to 10,000, inclusive. A part number uniquely identifies a part and also defines its position within the object being created. If you upload a new part using the same part number that was used with a previous part, the previously uploaded part is overwritten.

For information about maximum and minimum part sizes and other multipart upload specifications, see Multipart upload limits in the Amazon S3 User Guide.

To ensure that data is not corrupted when traversing the network, specify the Content-MD5 header in the upload part request. Amazon S3 checks the part data against the provided MD5 value. If they do not match, Amazon S3 returns an error.

If the upload request is signed with Signature Version 4, then Amazon Web Services S3 uses the x-amz-content-sha256 header as a checksum instead of Content-MD5. For more information see Authenticating Requests: Using the Authorization Header (Amazon Web Services Signature Version 4).

Note: After you initiate multipart upload and upload one or more parts, you must either complete or abort multipart upload in order to stop getting charged for storage of the uploaded parts. Only after you either complete or abort multipart upload, Amazon S3 frees up the parts storage and stops charging you for the parts storage.

For more information on multipart uploads, go to Multipart Upload Overview in the Amazon S3 User Guide .

For information on the permissions required to use the multipart upload API, go to Multipart Upload and Permissions in the Amazon S3 User Guide.

Server-side encryption is for data encryption at rest. Amazon S3 encrypts your data as it writes it to disks in its data centers and decrypts it when you access it. You have three mutually exclusive options to protect data using server-side encryption in Amazon S3, depending on how you choose to manage the encryption keys. Specifically, the encryption key options are Amazon S3 managed keys (SSE-S3), Amazon Web Services KMS keys (SSE-KMS), and Customer-Provided Keys (SSE-C). Amazon S3 encrypts data with server-side encryption using Amazon S3 managed keys (SSE-S3) by default. You can optionally tell Amazon S3 to encrypt data at rest using server-side encryption with other key options. The option you use depends on whether you want to use KMS keys (SSE-KMS) or provide your own encryption key (SSE-C). If you choose to provide your own encryption key, the request headers you provide in the request must match the headers you used in the request to initiate the upload by using CreateMultipartUpload. For more information, go to Using Server-Side Encryption in the Amazon S3 User Guide.

Server-side encryption is supported by the S3 Multipart Upload actions. Unless you are using a customer-provided encryption key (SSE-C), you don't need to specify the encryption parameters in each UploadPart request. Instead, you only need to specify the server-side encryption parameters in the initial Initiate Multipart request. For more information, see CreateMultipartUpload.

If you requested server-side encryption using a customer-provided encryption key (SSE-C) in your initiate multipart upload request, you must provide identical encryption information in each part upload using the following headers.

Special Errors

Related Resources

", + "documentation":"

Uploads a part in a multipart upload.

In this operation, you provide part data in your request. However, you have an option to specify your existing Amazon S3 object as a data source for the part you are uploading. To upload a part from an existing object, you use the UploadPartCopy operation.

You must initiate a multipart upload (see CreateMultipartUpload) before you can upload any part. In response to your initiate request, Amazon S3 returns an upload ID, a unique identifier, that you must include in your upload part request.

Part numbers can be any number from 1 to 10,000, inclusive. A part number uniquely identifies a part and also defines its position within the object being created. If you upload a new part using the same part number that was used with a previous part, the previously uploaded part is overwritten.

For information about maximum and minimum part sizes and other multipart upload specifications, see Multipart upload limits in the Amazon S3 User Guide.

To ensure that data is not corrupted when traversing the network, specify the Content-MD5 header in the upload part request. Amazon S3 checks the part data against the provided MD5 value. If they do not match, Amazon S3 returns an error.

If the upload request is signed with Signature Version 4, then Amazon Web Services S3 uses the x-amz-content-sha256 header as a checksum instead of Content-MD5. For more information see Authenticating Requests: Using the Authorization Header (Amazon Web Services Signature Version 4).

Note: After you initiate multipart upload and upload one or more parts, you must either complete or abort multipart upload in order to stop getting charged for storage of the uploaded parts. Only after you either complete or abort multipart upload, Amazon S3 frees up the parts storage and stops charging you for the parts storage.

For more information on multipart uploads, go to Multipart Upload Overview in the Amazon S3 User Guide .

For information on the permissions required to use the multipart upload API, go to Multipart Upload and Permissions in the Amazon S3 User Guide.

You can optionally request server-side encryption where Amazon S3 encrypts your data as it writes it to disks in its data centers and decrypts it for you when you access it. You have the option of providing your own encryption key, or you can use the Amazon Web Services managed encryption keys. If you choose to provide your own encryption key, the request headers you provide in the request must match the headers you used in the request to initiate the upload by using CreateMultipartUpload. For more information, go to Using Server-Side Encryption in the Amazon S3 User Guide.

Server-side encryption is supported by the S3 Multipart Upload actions. Unless you are using a customer-provided encryption key, you don't need to specify the encryption parameters in each UploadPart request. Instead, you only need to specify the server-side encryption parameters in the initial Initiate Multipart request. For more information, see CreateMultipartUpload.

If you requested server-side encryption using a customer-provided encryption key in your initiate multipart upload request, you must provide identical encryption information in each part upload using the following headers.

Special Errors

Related Resources

", "httpChecksum":{ "requestAlgorithmMember":"ChecksumAlgorithm", "requestChecksumRequired":false @@ -1214,7 +1214,7 @@ "members":{ "Bucket":{ "shape":"BucketName", - "documentation":"

The bucket name to which the upload was taking place.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.

", + "documentation":"

The bucket name to which the upload was taking place.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When using this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.

", "contextParam":{"name":"Bucket"}, "location":"uri", "locationName":"Bucket" @@ -1600,7 +1600,7 @@ }, "Comments":{ "shape":"Comments", - "documentation":"

A single character used to indicate that a row should be ignored when the character is present at the start of that row. You can specify any character to indicate a comment line. The default character is #.

Default: #

" + "documentation":"

A single character used to indicate that a row should be ignored when the character is present at the start of that row. You can specify any character to indicate a comment line.

" }, "QuoteEscapeCharacter":{ "shape":"QuoteEscapeCharacter", @@ -1748,7 +1748,7 @@ }, "Bucket":{ "shape":"BucketName", - "documentation":"

The name of the bucket that contains the newly created object. Does not return the access point ARN or access point alias if used.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.

" + "documentation":"

The name of the bucket that contains the newly created object. Does not return the access point ARN or access point alias if used.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When using this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.

" }, "Key":{ "shape":"ObjectKey", @@ -1782,7 +1782,7 @@ }, "ServerSideEncryption":{ "shape":"ServerSideEncryption", - "documentation":"

The server-side encryption algorithm used when storing this object in Amazon S3 (for example, AES256, aws:kms).

", + "documentation":"

If you specified server-side encryption either with an Amazon S3-managed encryption key or an Amazon Web Services KMS key in your initiate multipart upload request, the response includes this header. It confirms the encryption algorithm that Amazon S3 used to encrypt the object.

", "location":"header", "locationName":"x-amz-server-side-encryption" }, @@ -1794,7 +1794,7 @@ }, "SSEKMSKeyId":{ "shape":"SSEKMSKeyId", - "documentation":"

If present, specifies the ID of the Amazon Web Services Key Management Service (Amazon Web Services KMS) symmetric encryption customer managed key that was used for the object.

", + "documentation":"

If present, specifies the ID of the Amazon Web Services Key Management Service (Amazon Web Services KMS) symmetric customer managed key that was used for the object.

", "location":"header", "locationName":"x-amz-server-side-encryption-aws-kms-key-id" }, @@ -1821,7 +1821,7 @@ "members":{ "Bucket":{ "shape":"BucketName", - "documentation":"

Name of the bucket to which the multipart upload was initiated.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.

", + "documentation":"

Name of the bucket to which the multipart upload was initiated.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When using this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.

", "contextParam":{"name":"Bucket"}, "location":"uri", "locationName":"Bucket" @@ -2010,7 +2010,7 @@ }, "ServerSideEncryption":{ "shape":"ServerSideEncryption", - "documentation":"

The server-side encryption algorithm used when storing this object in Amazon S3 (for example, AES256, aws:kms).

", + "documentation":"

The server-side encryption algorithm used when storing this object in Amazon S3 (for example, AES256, aws:kms).

", "location":"header", "locationName":"x-amz-server-side-encryption" }, @@ -2028,7 +2028,7 @@ }, "SSEKMSKeyId":{ "shape":"SSEKMSKeyId", - "documentation":"

If present, specifies the ID of the Amazon Web Services Key Management Service (Amazon Web Services KMS) symmetric encryption customer managed key that was used for the object.

", + "documentation":"

If present, specifies the ID of the Amazon Web Services Key Management Service (Amazon Web Services KMS) symmetric customer managed key that was used for the object.

", "location":"header", "locationName":"x-amz-server-side-encryption-aws-kms-key-id" }, @@ -2068,7 +2068,7 @@ }, "Bucket":{ "shape":"BucketName", - "documentation":"

The name of the destination bucket.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.

", + "documentation":"

The name of the destination bucket.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When using this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.

", "contextParam":{"name":"Bucket"}, "location":"uri", "locationName":"Bucket" @@ -2195,7 +2195,7 @@ }, "ServerSideEncryption":{ "shape":"ServerSideEncryption", - "documentation":"

The server-side encryption algorithm used when storing this object in Amazon S3 (for example, AES256, aws:kms).

", + "documentation":"

The server-side encryption algorithm used when storing this object in Amazon S3 (for example, AES256, aws:kms).

", "location":"header", "locationName":"x-amz-server-side-encryption" }, @@ -2207,7 +2207,7 @@ }, "WebsiteRedirectLocation":{ "shape":"WebsiteRedirectLocation", - "documentation":"

If the bucket is configured as a website, redirects requests for this object to another object in the same bucket or to an external URL. Amazon S3 stores the value of this header in the object metadata. This value is unique to each object and is not copied when using the x-amz-metadata-directive header. Instead, you may opt to provide this header in combination with the directive.

", + "documentation":"

If the bucket is configured as a website, redirects requests for this object to another object in the same bucket or to an external URL. Amazon S3 stores the value of this header in the object metadata.

", "location":"header", "locationName":"x-amz-website-redirect-location" }, @@ -2489,7 +2489,7 @@ }, "Bucket":{ "shape":"BucketName", - "documentation":"

The name of the bucket to which the multipart upload was initiated. Does not return the access point ARN or access point alias if used.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.

", + "documentation":"

The name of the bucket to which the multipart upload was initiated. Does not return the access point ARN or access point alias if used.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When using this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.

", "locationName":"Bucket" }, "Key":{ @@ -2502,7 +2502,7 @@ }, "ServerSideEncryption":{ "shape":"ServerSideEncryption", - "documentation":"

The server-side encryption algorithm used when storing this object in Amazon S3 (for example, AES256, aws:kms).

", + "documentation":"

The server-side encryption algorithm used when storing this object in Amazon S3 (for example, AES256, aws:kms).

", "location":"header", "locationName":"x-amz-server-side-encryption" }, @@ -2520,7 +2520,7 @@ }, "SSEKMSKeyId":{ "shape":"SSEKMSKeyId", - "documentation":"

If present, specifies the ID of the Amazon Web Services Key Management Service (Amazon Web Services KMS) symmetric encryption customer managed key that was used for the object.

", + "documentation":"

If present, specifies the ID of the Amazon Web Services Key Management Service (Amazon Web Services KMS) symmetric customer managed key that was used for the object.

", "location":"header", "locationName":"x-amz-server-side-encryption-aws-kms-key-id" }, @@ -2564,7 +2564,7 @@ }, "Bucket":{ "shape":"BucketName", - "documentation":"

The name of the bucket to which to initiate the upload

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.

", + "documentation":"

The name of the bucket to which to initiate the upload

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When using this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.

", "contextParam":{"name":"Bucket"}, "location":"uri", "locationName":"Bucket" @@ -2643,7 +2643,7 @@ }, "ServerSideEncryption":{ "shape":"ServerSideEncryption", - "documentation":"

The server-side encryption algorithm used when storing this object in Amazon S3 (for example, AES256, aws:kms).

", + "documentation":"

The server-side encryption algorithm used when storing this object in Amazon S3 (for example, AES256, aws:kms).

", "location":"header", "locationName":"x-amz-server-side-encryption" }, @@ -2679,7 +2679,7 @@ }, "SSEKMSKeyId":{ "shape":"SSEKMSKeyId", - "documentation":"

Specifies the ID of the symmetric encryption customer managed key to use for object encryption. All GET and PUT requests for an object protected by Amazon Web Services KMS will fail if not made via SSL or using SigV4. For information about configuring using any of the officially supported Amazon Web Services SDKs and Amazon Web Services CLI, see Specifying the Signature Version in Request Authentication in the Amazon S3 User Guide.

", + "documentation":"

Specifies the ID of the symmetric customer managed key to use for object encryption. All GET and PUT requests for an object protected by Amazon Web Services KMS will fail if not made via SSL or using SigV4. For information about configuring using any of the officially supported Amazon Web Services SDKs and Amazon Web Services CLI, see Specifying the Signature Version in Request Authentication in the Amazon S3 User Guide.

", "location":"header", "locationName":"x-amz-server-side-encryption-aws-kms-key-id" }, @@ -2930,7 +2930,7 @@ }, "Id":{ "shape":"MetricsId", - "documentation":"

The ID used to identify the metrics configuration. The ID has a 64 character limit and can only contain letters, numbers, periods, dashes, and underscores.

", + "documentation":"

The ID used to identify the metrics configuration.

", "location":"querystring", "locationName":"id" }, @@ -3137,7 +3137,7 @@ "members":{ "Bucket":{ "shape":"BucketName", - "documentation":"

The bucket name of the bucket containing the object.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.

", + "documentation":"

The bucket name of the bucket containing the object.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When using this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.

", "contextParam":{"name":"Bucket"}, "location":"uri", "locationName":"Bucket" @@ -3199,7 +3199,7 @@ "members":{ "Bucket":{ "shape":"BucketName", - "documentation":"

The bucket name containing the objects from which to remove the tags.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.

", + "documentation":"

The bucket name containing the objects from which to remove the tags.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When using this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.

", "contextParam":{"name":"Bucket"}, "location":"uri", "locationName":"Bucket" @@ -3252,7 +3252,7 @@ "members":{ "Bucket":{ "shape":"BucketName", - "documentation":"

The bucket name containing the objects to delete.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.

", + "documentation":"

The bucket name containing the objects to delete.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When using this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.

", "contextParam":{"name":"Bucket"}, "location":"uri", "locationName":"Bucket" @@ -3393,11 +3393,11 @@ "members":{ "EncryptionType":{ "shape":"ServerSideEncryption", - "documentation":"

The server-side encryption algorithm used when storing job results in Amazon S3 (for example, AES256, aws:kms).

" + "documentation":"

The server-side encryption algorithm used when storing job results in Amazon S3 (for example, AES256, aws:kms).

" }, "KMSKeyId":{ "shape":"SSEKMSKeyId", - "documentation":"

If the encryption type is aws:kms, this optional value specifies the ID of the symmetric encryption customer managed key to use for encryption of job results. Amazon S3 only supports symmetric encryption KMS keys. For more information, see Asymmetric keys in Amazon Web Services KMS in the Amazon Web Services Key Management Service Developer Guide.

" + "documentation":"

If the encryption type is aws:kms, this optional value specifies the ID of the symmetric customer managed key to use for encryption of job results. Amazon S3 only supports symmetric keys. For more information, see Using symmetric and asymmetric keys in the Amazon Web Services Key Management Service Developer Guide.

" }, "KMSContext":{ "shape":"KMSContext", @@ -3411,7 +3411,7 @@ "members":{ "ReplicaKmsKeyID":{ "shape":"ReplicaKmsKeyID", - "documentation":"

Specifies the ID (Key ARN or Alias ARN) of the customer managed Amazon Web Services KMS key stored in Amazon Web Services Key Management Service (KMS) for the destination bucket. Amazon S3 uses this key to encrypt replica objects. Amazon S3 only supports symmetric encryption KMS keys. For more information, see Asymmetric keys in Amazon Web Services KMS in the Amazon Web Services Key Management Service Developer Guide.

" + "documentation":"

Specifies the ID (Key ARN or Alias ARN) of the customer managed Amazon Web Services KMS key stored in Amazon Web Services Key Management Service (KMS) for the destination bucket. Amazon S3 uses this key to encrypt replica objects. Amazon S3 only supports symmetric, customer managed KMS keys. For more information, see Using symmetric and asymmetric keys in the Amazon Web Services Key Management Service Developer Guide.

" } }, "documentation":"

Specifies encryption-related information for an Amazon S3 bucket that is a destination for replicated objects.

" @@ -3437,7 +3437,7 @@ }, "Code":{ "shape":"Code", - "documentation":"

The error code is a string that uniquely identifies an error condition. It is meant to be read and understood by programs that detect and handle errors by type.

Amazon S3 error codes

" + "documentation":"

The error code is a string that uniquely identifies an error condition. It is meant to be read and understood by programs that detect and handle errors by type.

Amazon S3 error codes

" }, "Message":{ "shape":"Message", @@ -3514,7 +3514,7 @@ "members":{ "Status":{ "shape":"ExistingObjectReplicationStatus", - "documentation":"

Specifies whether Amazon S3 replicates existing source bucket objects.

" + "documentation":"

" } }, "documentation":"

Optional configuration to replicate existing source bucket objects. For more information, see Replicating Existing Objects in the Amazon S3 User Guide.

" @@ -3946,7 +3946,7 @@ }, "Id":{ "shape":"MetricsId", - "documentation":"

The ID used to identify the metrics configuration. The ID has a 64 character limit and can only contain letters, numbers, periods, dashes, and underscores.

", + "documentation":"

The ID used to identify the metrics configuration.

", "location":"querystring", "locationName":"id" }, @@ -4368,7 +4368,7 @@ "members":{ "Bucket":{ "shape":"BucketName", - "documentation":"

The name of the bucket that contains the object.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.

", + "documentation":"

The name of the bucket that contains the object.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When using this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.

", "contextParam":{"name":"Bucket"}, "location":"uri", "locationName":"Bucket" @@ -4648,7 +4648,7 @@ }, "ServerSideEncryption":{ "shape":"ServerSideEncryption", - "documentation":"

The server-side encryption algorithm used when storing this object in Amazon S3 (for example, AES256, aws:kms).

", + "documentation":"

The server-side encryption algorithm used when storing this object in Amazon S3 (for example, AES256, aws:kms).

", "location":"header", "locationName":"x-amz-server-side-encryption" }, @@ -4672,7 +4672,7 @@ }, "SSEKMSKeyId":{ "shape":"SSEKMSKeyId", - "documentation":"

If present, specifies the ID of the Amazon Web Services Key Management Service (Amazon Web Services KMS) symmetric encryption customer managed key that was used for the object.

", + "documentation":"

If present, specifies the ID of the Amazon Web Services Key Management Service (Amazon Web Services KMS) symmetric customer managed key that was used for the object.

", "location":"header", "locationName":"x-amz-server-side-encryption-aws-kms-key-id" }, @@ -4741,7 +4741,7 @@ "members":{ "Bucket":{ "shape":"BucketName", - "documentation":"

The bucket name containing the object.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When using an Object Lambda access point the hostname takes the form AccessPointName-AccountId.s3-object-lambda.Region.amazonaws.com.

When you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.

", + "documentation":"

The bucket name containing the object.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When using an Object Lambda access point the hostname takes the form AccessPointName-AccountId.s3-object-lambda.Region.amazonaws.com.

When using this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.

", "contextParam":{"name":"Bucket"}, "location":"uri", "locationName":"Bucket" @@ -4778,7 +4778,7 @@ }, "Range":{ "shape":"Range", - "documentation":"

Downloads the specified range bytes of an object. For more information about the HTTP Range header, see https://www.rfc-editor.org/rfc/rfc9110.html#name-range.

Amazon S3 doesn't support retrieving multiple ranges of data per GET request.

", + "documentation":"

Downloads the specified range bytes of an object. For more information about the HTTP Range header, see https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.35.

Amazon S3 doesn't support retrieving multiple ranges of data per GET request.

", "location":"header", "locationName":"Range" }, @@ -4942,7 +4942,7 @@ "members":{ "Bucket":{ "shape":"BucketName", - "documentation":"

The bucket name containing the object for which to get the tagging information.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.

", + "documentation":"

The bucket name containing the object for which to get the tagging information.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When using this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.

", "contextParam":{"name":"Bucket"}, "location":"uri", "locationName":"Bucket" @@ -5126,7 +5126,7 @@ "members":{ "Bucket":{ "shape":"BucketName", - "documentation":"

The bucket name.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.

", + "documentation":"

The bucket name.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When using this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.

", "contextParam":{"name":"Bucket"}, "location":"uri", "locationName":"Bucket" @@ -5270,7 +5270,7 @@ }, "ServerSideEncryption":{ "shape":"ServerSideEncryption", - "documentation":"

The server-side encryption algorithm used when storing this object in Amazon S3 (for example, AES256, aws:kms).

", + "documentation":"

If the object is stored using server-side encryption either with an Amazon Web Services KMS key or an Amazon S3-managed encryption key, the response includes this header with the value of the server-side encryption algorithm used when storing this object in Amazon S3 (for example, AES256, aws:kms).

", "location":"header", "locationName":"x-amz-server-side-encryption" }, @@ -5294,7 +5294,7 @@ }, "SSEKMSKeyId":{ "shape":"SSEKMSKeyId", - "documentation":"

If present, specifies the ID of the Amazon Web Services Key Management Service (Amazon Web Services KMS) symmetric encryption customer managed key that was used for the object.

", + "documentation":"

If present, specifies the ID of the Amazon Web Services Key Management Service (Amazon Web Services KMS) symmetric customer managed key that was used for the object.

", "location":"header", "locationName":"x-amz-server-side-encryption-aws-kms-key-id" }, @@ -5356,7 +5356,7 @@ "members":{ "Bucket":{ "shape":"BucketName", - "documentation":"

The name of the bucket containing the object.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.

", + "documentation":"

The name of the bucket containing the object.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When using this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.

", "contextParam":{"name":"Bucket"}, "location":"uri", "locationName":"Bucket" @@ -5393,7 +5393,7 @@ }, "Range":{ "shape":"Range", - "documentation":"

HeadObject returns only the metadata for an object. If the Range is satisfiable, only the ContentLength is affected in the response. If the Range is not satisfiable, S3 returns a 416 - Requested Range Not Satisfiable error.

", + "documentation":"

Because HeadObject returns only the metadata for an object, this parameter has no effect.

", "location":"header", "locationName":"Range" }, @@ -5838,7 +5838,7 @@ "locationName":"Rule" } }, - "documentation":"

Container for lifecycle rules. You can add as many as 1000 rules.

For more information see, Managing your storage lifecycle in the Amazon S3 User Guide.

" + "documentation":"

Container for lifecycle rules. You can add as many as 1000 rules.

" }, "LifecycleExpiration":{ "type":"structure", @@ -5856,7 +5856,7 @@ "documentation":"

Indicates whether Amazon S3 will remove a delete marker with no noncurrent versions. If set to true, the delete marker will be expired; if set to false the policy takes no action. This cannot be specified with Days or Date in a Lifecycle Expiration Policy.

" } }, - "documentation":"

Container for the expiration for the lifecycle of the object.

For more information see, Managing your storage lifecycle in the Amazon S3 User Guide.

" + "documentation":"

Container for the expiration for the lifecycle of the object.

" }, "LifecycleRule":{ "type":"structure", @@ -5896,7 +5896,7 @@ "NoncurrentVersionExpiration":{"shape":"NoncurrentVersionExpiration"}, "AbortIncompleteMultipartUpload":{"shape":"AbortIncompleteMultipartUpload"} }, - "documentation":"

A lifecycle rule for individual objects in an Amazon S3 bucket.

For more information see, Managing your storage lifecycle in the Amazon S3 User Guide.

" + "documentation":"

A lifecycle rule for individual objects in an Amazon S3 bucket.

" }, "LifecycleRuleAndOperator":{ "type":"structure", @@ -6205,7 +6205,7 @@ "members":{ "Bucket":{ "shape":"BucketName", - "documentation":"

The name of the bucket to which the multipart upload was initiated.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.

", + "documentation":"

The name of the bucket to which the multipart upload was initiated.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When using this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.

", "contextParam":{"name":"Bucket"}, "location":"uri", "locationName":"Bucket" @@ -6417,7 +6417,7 @@ "members":{ "Bucket":{ "shape":"BucketName", - "documentation":"

The name of the bucket containing the objects.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.

", + "documentation":"

The name of the bucket containing the objects.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When using this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.

", "contextParam":{"name":"Bucket"}, "location":"uri", "locationName":"Bucket" @@ -6478,7 +6478,7 @@ }, "Name":{ "shape":"BucketName", - "documentation":"

The bucket name.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.

" + "documentation":"

The bucket name.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When using this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.

" }, "Prefix":{ "shape":"Prefix", @@ -6502,7 +6502,7 @@ }, "KeyCount":{ "shape":"KeyCount", - "documentation":"

KeyCount is the number of keys returned with this request. KeyCount will always be less than or equal to the MaxKeys field. Say you ask for 50 keys, your result will include 50 keys or fewer.

" + "documentation":"

KeyCount is the number of keys returned with this request. KeyCount will always be less than or equals to MaxKeys field. Say you ask for 50 keys, your result will include less than equals 50 keys

" }, "ContinuationToken":{ "shape":"Token", @@ -6524,7 +6524,7 @@ "members":{ "Bucket":{ "shape":"BucketName", - "documentation":"

Bucket name to list.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.

", + "documentation":"

Bucket name to list.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When using this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.

", "contextParam":{"name":"Bucket"}, "location":"uri", "locationName":"Bucket" @@ -6666,7 +6666,7 @@ "members":{ "Bucket":{ "shape":"BucketName", - "documentation":"

The name of the bucket to which the parts are being uploaded.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.

", + "documentation":"

The name of the bucket to which the parts are being uploaded.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When using this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.

", "contextParam":{"name":"Bucket"}, "location":"uri", "locationName":"Bucket" @@ -6840,7 +6840,7 @@ "members":{ "Id":{ "shape":"MetricsId", - "documentation":"

The ID used to identify the metrics configuration. The ID has a 64 character limit and can only contain letters, numbers, periods, dashes, and underscores.

" + "documentation":"

The ID used to identify the metrics configuration.

" }, "Filter":{ "shape":"MetricsFilter", @@ -7281,7 +7281,8 @@ "INTELLIGENT_TIERING", "DEEP_ARCHIVE", "OUTPOSTS", - "GLACIER_IR" + "GLACIER_IR", + "SNOW" ] }, "ObjectVersion":{ @@ -7365,7 +7366,7 @@ "members":{ "DisplayName":{ "shape":"DisplayName", - "documentation":"

Container for the display name of the owner. This value is only supported in the following Amazon Web Services Regions:

" + "documentation":"

Container for the display name of the owner.

" }, "ID":{ "shape":"ID", @@ -7749,7 +7750,7 @@ "members":{ "Bucket":{ "shape":"BucketName", - "documentation":"

Specifies default encryption for a bucket using server-side encryption with different key options. By default, all buckets have a default encryption configuration that uses server-side encryption with Amazon S3 managed keys (SSE-S3). You can optionally configure default encryption for a bucket by using server-side encryption with an Amazon Web Services KMS key (SSE-KMS) or a customer-provided key (SSE-C). For information about the bucket default encryption feature, see Amazon S3 Bucket Default Encryption in the Amazon S3 User Guide.

", + "documentation":"

Specifies default encryption for a bucket using server-side encryption with Amazon S3-managed keys (SSE-S3) or customer managed keys (SSE-KMS). For information about the Amazon S3 default encryption feature, see Amazon S3 Default Bucket Encryption in the Amazon S3 User Guide.

", "contextParam":{"name":"Bucket"}, "location":"uri", "locationName":"Bucket" @@ -7974,7 +7975,7 @@ }, "Id":{ "shape":"MetricsId", - "documentation":"

The ID used to identify the metrics configuration. The ID has a 64 character limit and can only contain letters, numbers, periods, dashes, and underscores.

", + "documentation":"

The ID used to identify the metrics configuration.

", "location":"querystring", "locationName":"id" }, @@ -8444,7 +8445,7 @@ }, "Key":{ "shape":"ObjectKey", - "documentation":"

Key for which the PUT action was initiated.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.

", + "documentation":"

Key for which the PUT action was initiated.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When using this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.

", "location":"uri", "locationName":"Key" }, @@ -8636,7 +8637,7 @@ }, "ServerSideEncryption":{ "shape":"ServerSideEncryption", - "documentation":"

The server-side encryption algorithm used when storing this object in Amazon S3 (for example, AES256, aws:kms).

", + "documentation":"

If you specified server-side encryption either with an Amazon Web Services KMS key or Amazon S3-managed encryption key in your PUT request, the response includes this header. It confirms the encryption algorithm that Amazon S3 used to encrypt the object.

", "location":"header", "locationName":"x-amz-server-side-encryption" }, @@ -8660,13 +8661,13 @@ }, "SSEKMSKeyId":{ "shape":"SSEKMSKeyId", - "documentation":"

If x-amz-server-side-encryption is has a valid value of aws:kms, this header specifies the ID of the Amazon Web Services Key Management Service (Amazon Web Services KMS) symmetric encryption customer managed key that was used for the object.

", + "documentation":"

If x-amz-server-side-encryption is present and has the value of aws:kms, this header specifies the ID of the Amazon Web Services Key Management Service (Amazon Web Services KMS) symmetric customer managed key that was used for the object.

", "location":"header", "locationName":"x-amz-server-side-encryption-aws-kms-key-id" }, "SSEKMSEncryptionContext":{ "shape":"SSEKMSEncryptionContext", - "documentation":"

If present, specifies the Amazon Web Services KMS Encryption Context to use for object encryption. The value of this header is a base64-encoded UTF-8 string holding JSON with the encryption context key-value pairs. This value is stored as object metadata and automatically gets passed on to Amazon Web Services KMS for future GetObject or CopyObject operations on this object.

", + "documentation":"

If present, specifies the Amazon Web Services KMS Encryption Context to use for object encryption. The value of this header is a base64-encoded UTF-8 string holding JSON with the encryption context key-value pairs.

", "location":"header", "locationName":"x-amz-server-side-encryption-context" }, @@ -8703,7 +8704,7 @@ }, "Bucket":{ "shape":"BucketName", - "documentation":"

The bucket name to which the PUT action was initiated.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.

", + "documentation":"

The bucket name to which the PUT action was initiated.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When using this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.

", "contextParam":{"name":"Bucket"}, "location":"uri", "locationName":"Bucket" @@ -8716,13 +8717,13 @@ }, "ContentDisposition":{ "shape":"ContentDisposition", - "documentation":"

Specifies presentational information for the object. For more information, see https://www.rfc-editor.org/rfc/rfc6266#section-4.

", + "documentation":"

Specifies presentational information for the object. For more information, see http://www.w3.org/Protocols/rfc2616/rfc2616-sec19.html#sec19.5.1.

", "location":"header", "locationName":"Content-Disposition" }, "ContentEncoding":{ "shape":"ContentEncoding", - "documentation":"

Specifies what content encodings have been applied to the object and thus what decoding mechanisms must be applied to obtain the media-type referenced by the Content-Type header field. For more information, see https://www.rfc-editor.org/rfc/rfc9110.html#field.content-encoding.

", + "documentation":"

Specifies what content encodings have been applied to the object and thus what decoding mechanisms must be applied to obtain the media-type referenced by the Content-Type header field. For more information, see http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.11.

", "location":"header", "locationName":"Content-Encoding" }, @@ -8734,7 +8735,7 @@ }, "ContentLength":{ "shape":"ContentLength", - "documentation":"

Size of the body in bytes. This parameter is useful when the size of the body cannot be determined automatically. For more information, see https://www.rfc-editor.org/rfc/rfc9110.html#name-content-length.

", + "documentation":"

Size of the body in bytes. This parameter is useful when the size of the body cannot be determined automatically. For more information, see http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.13.

", "location":"header", "locationName":"Content-Length" }, @@ -8746,7 +8747,7 @@ }, "ContentType":{ "shape":"ContentType", - "documentation":"

A standard MIME type describing the format of the contents. For more information, see https://www.rfc-editor.org/rfc/rfc9110.html#name-content-type.

", + "documentation":"

A standard MIME type describing the format of the contents. For more information, see http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.17.

", "location":"header", "locationName":"Content-Type" }, @@ -8782,7 +8783,7 @@ }, "Expires":{ "shape":"Expires", - "documentation":"

The date and time at which the object is no longer cacheable. For more information, see https://www.rfc-editor.org/rfc/rfc7234#section-5.3.

", + "documentation":"

The date and time at which the object is no longer cacheable. For more information, see http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.21.

", "location":"header", "locationName":"Expires" }, @@ -8824,7 +8825,7 @@ }, "ServerSideEncryption":{ "shape":"ServerSideEncryption", - "documentation":"

The server-side encryption algorithm used when storing this object in Amazon S3 (for example, AES256, aws:kms).

", + "documentation":"

The server-side encryption algorithm used when storing this object in Amazon S3 (for example, AES256, aws:kms).

", "location":"header", "locationName":"x-amz-server-side-encryption" }, @@ -8860,13 +8861,13 @@ }, "SSEKMSKeyId":{ "shape":"SSEKMSKeyId", - "documentation":"

If x-amz-server-side-encryption has a valid value of aws:kms, this header specifies the ID of the Amazon Web Services Key Management Service (Amazon Web Services KMS) symmetric encryption customer managed key that was used for the object. If you specify x-amz-server-side-encryption:aws:kms, but do not provide x-amz-server-side-encryption-aws-kms-key-id, Amazon S3 uses the Amazon Web Services managed key to protect the data. If the KMS key does not exist in the same account issuing the command, you must use the full ARN and not just the ID.

", + "documentation":"

If x-amz-server-side-encryption is present and has the value of aws:kms, this header specifies the ID of the Amazon Web Services Key Management Service (Amazon Web Services KMS) symmetrical customer managed key that was used for the object. If you specify x-amz-server-side-encryption:aws:kms, but do not provide x-amz-server-side-encryption-aws-kms-key-id, Amazon S3 uses the Amazon Web Services managed key to protect the data. If the KMS key does not exist in the same account issuing the command, you must use the full ARN and not just the ID.

", "location":"header", "locationName":"x-amz-server-side-encryption-aws-kms-key-id" }, "SSEKMSEncryptionContext":{ "shape":"SSEKMSEncryptionContext", - "documentation":"

Specifies the Amazon Web Services KMS Encryption Context to use for object encryption. The value of this header is a base64-encoded UTF-8 string holding JSON with the encryption context key-value pairs. This value is stored as object metadata and automatically gets passed on to Amazon Web Services KMS for future GetObject or CopyObject operations on this object.

", + "documentation":"

Specifies the Amazon Web Services KMS Encryption Context to use for object encryption. The value of this header is a base64-encoded UTF-8 string holding JSON with the encryption context key-value pairs.

", "location":"header", "locationName":"x-amz-server-side-encryption-context" }, @@ -9009,7 +9010,7 @@ "members":{ "Bucket":{ "shape":"BucketName", - "documentation":"

The bucket name containing the object.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.

", + "documentation":"

The bucket name containing the object.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When using this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.

", "contextParam":{"name":"Bucket"}, "location":"uri", "locationName":"Bucket" @@ -9283,7 +9284,7 @@ }, "ExistingObjectReplication":{ "shape":"ExistingObjectReplication", - "documentation":"

Optional configuration to replicate existing source bucket objects. For more information, see Replicating Existing Objects in the Amazon S3 User Guide.

" + "documentation":"

" }, "Destination":{ "shape":"Destination", @@ -9451,7 +9452,7 @@ "members":{ "Bucket":{ "shape":"BucketName", - "documentation":"

The bucket name containing the object to restore.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.

", + "documentation":"

The bucket name containing the object to restore.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When using this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.

", "contextParam":{"name":"Bucket"}, "location":"uri", "locationName":"Bucket" @@ -9654,7 +9655,7 @@ "members":{ "KeyId":{ "shape":"SSEKMSKeyId", - "documentation":"

Specifies the ID of the Amazon Web Services Key Management Service (Amazon Web Services KMS) symmetric encryption customer managed key to use for encrypting inventory reports.

" + "documentation":"

Specifies the ID of the Amazon Web Services Key Management Service (Amazon Web Services KMS) symmetric customer managed key to use for encrypting inventory reports.

" } }, "documentation":"

Specifies the use of SSE-KMS to encrypt delivered inventory reports.

", @@ -9846,7 +9847,7 @@ }, "KMSMasterKeyID":{ "shape":"SSEKMSKeyId", - "documentation":"

Amazon Web Services Key Management Service (KMS) customer Amazon Web Services KMS key ID to use for the default encryption. This parameter is allowed if and only if SSEAlgorithm is set to aws:kms.

You can specify the key ID or the Amazon Resource Name (ARN) of the KMS key. However, if you are using encryption with cross-account or Amazon Web Services service operations you must use a fully qualified KMS key ARN. For more information, see Using encryption for cross-account operations.

For example:

Amazon S3 only supports symmetric encryption KMS keys. For more information, see Asymmetric keys in Amazon Web Services KMS in the Amazon Web Services Key Management Service Developer Guide.

" + "documentation":"

Amazon Web Services Key Management Service (KMS) customer Amazon Web Services KMS key ID to use for the default encryption. This parameter is allowed if and only if SSEAlgorithm is set to aws:kms.

You can specify the key ID or the Amazon Resource Name (ARN) of the KMS key. However, if you are using encryption with cross-account or Amazon Web Services service operations you must use a fully qualified KMS key ARN. For more information, see Using encryption for cross-account operations.

For example:

Amazon S3 only supports symmetric KMS keys and not asymmetric KMS keys. For more information, see Using symmetric and asymmetric keys in the Amazon Web Services Key Management Service Developer Guide.

" } }, "documentation":"

Describes the default server-side encryption to apply to new objects in the bucket. If a PUT Object request doesn't specify any server-side encryption, this default encryption will be applied. If you don't specify a customer managed key at configuration, Amazon S3 automatically creates an Amazon Web Services KMS key in your Amazon Web Services account the first time that you add an object encrypted with SSE-KMS to a bucket. By default, Amazon S3 uses this KMS key for SSE-KMS. For more information, see PUT Bucket encryption in the Amazon S3 API Reference.

" @@ -9960,7 +9961,8 @@ "GLACIER", "DEEP_ARCHIVE", "OUTPOSTS", - "GLACIER_IR" + "GLACIER_IR", + "SNOW" ] }, "StorageClassAnalysis":{ @@ -10204,7 +10206,7 @@ }, "ServerSideEncryption":{ "shape":"ServerSideEncryption", - "documentation":"

The server-side encryption algorithm used when storing this object in Amazon S3 (for example, AES256, aws:kms).

", + "documentation":"

The server-side encryption algorithm used when storing this object in Amazon S3 (for example, AES256, aws:kms).

", "location":"header", "locationName":"x-amz-server-side-encryption" }, @@ -10222,7 +10224,7 @@ }, "SSEKMSKeyId":{ "shape":"SSEKMSKeyId", - "documentation":"

If present, specifies the ID of the Amazon Web Services Key Management Service (Amazon Web Services KMS) symmetric encryption customer managed key that was used for the object.

", + "documentation":"

If present, specifies the ID of the Amazon Web Services Key Management Service (Amazon Web Services KMS) symmetric customer managed key that was used for the object.

", "location":"header", "locationName":"x-amz-server-side-encryption-aws-kms-key-id" }, @@ -10252,7 +10254,7 @@ "members":{ "Bucket":{ "shape":"BucketName", - "documentation":"

The bucket name.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.

", + "documentation":"

The bucket name.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When using this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.

", "contextParam":{"name":"Bucket"}, "location":"uri", "locationName":"Bucket" @@ -10371,7 +10373,7 @@ "members":{ "ServerSideEncryption":{ "shape":"ServerSideEncryption", - "documentation":"

The server-side encryption algorithm used when storing this object in Amazon S3 (for example, AES256, aws:kms).

", + "documentation":"

The server-side encryption algorithm used when storing this object in Amazon S3 (for example, AES256, aws:kms).

", "location":"header", "locationName":"x-amz-server-side-encryption" }, @@ -10419,7 +10421,7 @@ }, "SSEKMSKeyId":{ "shape":"SSEKMSKeyId", - "documentation":"

If present, specifies the ID of the Amazon Web Services Key Management Service (Amazon Web Services KMS) symmetric encryption customer managed key was used for the object.

", + "documentation":"

If present, specifies the ID of the Amazon Web Services Key Management Service (Amazon Web Services KMS) symmetric customer managed key was used for the object.

", "location":"header", "locationName":"x-amz-server-side-encryption-aws-kms-key-id" }, @@ -10452,7 +10454,7 @@ }, "Bucket":{ "shape":"BucketName", - "documentation":"

The name of the bucket to which the multipart upload was initiated.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When you use this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When you use this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts access point ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see What is S3 on Outposts in the Amazon S3 User Guide.

", + "documentation":"

The name of the bucket to which the multipart upload was initiated.

When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.

When using this action with Amazon S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.

", "contextParam":{"name":"Bucket"}, "location":"uri", "locationName":"Bucket" @@ -10797,7 +10799,7 @@ }, "ServerSideEncryption":{ "shape":"ServerSideEncryption", - "documentation":"

The server-side encryption algorithm used when storing requested object in Amazon S3 (for example, AES256, aws:kms).

", + "documentation":"

The server-side encryption algorithm used when storing requested object in Amazon S3 (for example, AES256, aws:kms).

", "location":"header", "locationName":"x-amz-fwd-header-x-amz-server-side-encryption" }, @@ -10809,7 +10811,7 @@ }, "SSEKMSKeyId":{ "shape":"SSEKMSKeyId", - "documentation":"

If present, specifies the ID of the Amazon Web Services Key Management Service (Amazon Web Services KMS) symmetric encryption customer managed key that was used for stored in Amazon S3 object.

", + "documentation":"

If present, specifies the ID of the Amazon Web Services Key Management Service (Amazon Web Services KMS) symmetric customer managed key that was used for stored in Amazon S3 object.

", "location":"header", "locationName":"x-amz-fwd-header-x-amz-server-side-encryption-aws-kms-key-id" }, diff --git a/botocore/data/s3control/2018-08-20/endpoint-rule-set-1.json b/botocore/data/s3control/2018-08-20/endpoint-rule-set-1.json index fb9bc2cbe4..ac2587dad9 100644 --- a/botocore/data/s3control/2018-08-20/endpoint-rule-set-1.json +++ b/botocore/data/s3control/2018-08-20/endpoint-rule-set-1.json @@ -81,6 +81,120 @@ "conditions": [], "type": "tree", "rules": [ + { + "conditions": [ + { + "fn": "stringEquals", + "argv": [ + { + "ref": "Region" + }, + "snow" + ] + }, + { + "fn": "isSet", + "argv": [ + { + "ref": "Endpoint" + } + ] + }, + { + "fn": "parseURL", + "argv": [ + { + "ref": "Endpoint" + } + ], + "assign": "url" + } + ], + "type": "tree", + "rules": [ + { + "conditions": [ + { + "fn": "aws.partition", + "argv": [ + { + "ref": "Region" + } + ], + "assign": "partitionResult" + } + ], + "type": "tree", + "rules": [ + { + "conditions": [], + "type": "tree", + "rules": [ + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseDualStack" + }, + true + ] + } + ], + "error": "S3 Snow does not support Dual-stack", + "type": "error" + }, + { + "conditions": [], + "type": "tree", + "rules": [ + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseFIPS" + }, + true + ] + } + ], + "error": "S3 Snow does not support FIPS", + "type": "error" + }, + { + "conditions": [], + "endpoint": { + "url": "{url#scheme}://{url#authority}", + "properties": { + "authSchemes": [ + { + "disableDoubleEncoding": true, + "name": "sigv4", + "signingName": "s3", + "signingRegion": "{Region}" + } + ] + }, + "headers": {} + }, + "type": "endpoint" + } + ] + } + ] + } + ] + }, + { + "conditions": [], + "error": "A valid partition could not be determined", + "type": "error" + } + ] + }, { "conditions": [ { diff --git a/botocore/data/secretsmanager/2017-10-17/service-2.json b/botocore/data/secretsmanager/2017-10-17/service-2.json index 4e0d4ddd12..8ac9bb5347 100644 --- a/botocore/data/secretsmanager/2017-10-17/service-2.json +++ b/botocore/data/secretsmanager/2017-10-17/service-2.json @@ -379,7 +379,7 @@ {"shape":"InternalServiceError"}, {"shape":"InvalidRequestException"} ], - "documentation":"

Validates that a resource policy does not grant a wide range of principals access to your secret. A resource-based policy is optional for secrets.

The API performs three checks when validating the policy:

Secrets Manager generates a CloudTrail log entry when you call this action. Do not include sensitive information in request parameters because it might be logged. For more information, see Logging Secrets Manager events with CloudTrail.

Required permissions: secretsmanager:ValidateResourcePolicy. For more information, see IAM policy actions for Secrets Manager and Authentication and access control in Secrets Manager.

" + "documentation":"

Validates that a resource policy does not grant a wide range of principals access to your secret. A resource-based policy is optional for secrets.

The API performs three checks when validating the policy:

Secrets Manager generates a CloudTrail log entry when you call this action. Do not include sensitive information in request parameters because it might be logged. For more information, see Logging Secrets Manager events with CloudTrail.

Required permissions: secretsmanager:ValidateResourcePolicy and secretsmanager:PutResourcePolicy. For more information, see IAM policy actions for Secrets Manager and Authentication and access control in Secrets Manager.

" } }, "shapes":{ @@ -465,7 +465,7 @@ }, "ForceOverwriteReplicaSecret":{ "shape":"BooleanType", - "documentation":"

Specifies whether to overwrite a secret with the same name in the destination Region.

" + "documentation":"

Specifies whether to overwrite a secret with the same name in the destination Region. By default, secrets aren't overwritten.

" } } }, @@ -532,12 +532,12 @@ }, "RecoveryWindowInDays":{ "shape":"RecoveryWindowInDaysType", - "documentation":"

The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can't use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don't use either, then Secrets Manager defaults to a 30 day recovery window.

", + "documentation":"

The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can't use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don't use either, then by default Secrets Manager uses a 30 day recovery window.

", "box":true }, "ForceDeleteWithoutRecovery":{ "shape":"BooleanType", - "documentation":"

Specifies whether to delete the secret without any recovery window. You can't use both this parameter and RecoveryWindowInDays in the same call. If you don't use either, then Secrets Manager defaults to a 30 day recovery window.

Secrets Manager performs the actual deletion with an asynchronous background process, so there might be a short delay before the secret is permanently deleted. If you delete a secret and then immediately create a secret with the same name, use appropriate back off and retry logic.

Use this parameter with caution. This parameter causes the operation to skip the normal recovery window before the permanent deletion that Secrets Manager would normally impose with the RecoveryWindowInDays parameter. If you delete a secret with the ForceDeleteWithoutRecovery parameter, then you have no opportunity to recover the secret. You lose the secret permanently.

", + "documentation":"

Specifies whether to delete the secret without any recovery window. You can't use both this parameter and RecoveryWindowInDays in the same call. If you don't use either, then by default Secrets Manager uses a 30 day recovery window.

Secrets Manager performs the actual deletion with an asynchronous background process, so there might be a short delay before the secret is permanently deleted. If you delete a secret and then immediately create a secret with the same name, use appropriate back off and retry logic.

Use this parameter with caution. This parameter causes the operation to skip the normal recovery window before the permanent deletion that Secrets Manager would normally impose with the RecoveryWindowInDays parameter. If you delete a secret with the ForceDeleteWithoutRecovery parameter, then you have no opportunity to recover the secret. You lose the secret permanently.

", "box":true } } @@ -930,7 +930,7 @@ }, "IncludeDeprecated":{ "shape":"BooleanType", - "documentation":"

Specifies whether to include versions of secrets that don't have any staging labels attached to them. Versions without staging labels are considered deprecated and are subject to deletion by Secrets Manager.

", + "documentation":"

Specifies whether to include versions of secrets that don't have any staging labels attached to them. Versions without staging labels are considered deprecated and are subject to deletion by Secrets Manager. By default, versions without staging labels aren't included.

", "box":true } } @@ -961,7 +961,7 @@ "members":{ "IncludePlannedDeletion":{ "shape":"BooleanType", - "documentation":"

Specifies whether to include secrets scheduled for deletion.

", + "documentation":"

Specifies whether to include secrets scheduled for deletion. By default, secrets scheduled for deletion aren't included.

", "box":true }, "MaxResults":{ @@ -1068,7 +1068,7 @@ }, "BlockPublicPolicy":{ "shape":"BooleanType", - "documentation":"

Specifies whether to block resource-based policies that allow broad access to the secret, for example those that use a wildcard for the principal.

", + "documentation":"

Specifies whether to block resource-based policies that allow broad access to the secret, for example those that use a wildcard for the principal. By default, public policies aren't blocked.

", "box":true } } @@ -1213,7 +1213,7 @@ }, "ForceOverwriteReplicaSecret":{ "shape":"BooleanType", - "documentation":"

Specifies whether to overwrite a secret with the same name in the destination Region.

" + "documentation":"

Specifies whether to overwrite a secret with the same name in the destination Region. By default, secrets aren't overwritten.

" } } }, @@ -1323,7 +1323,7 @@ }, "RotateImmediately":{ "shape":"BooleanType", - "documentation":"

Specifies whether to rotate the secret immediately or wait until the next scheduled rotation window. The rotation schedule is defined in RotateSecretRequest$RotationRules.

For secrets that use a Lambda rotation function to rotate, if you don't immediately rotate the secret, Secrets Manager tests the rotation configuration by running the testSecret step of the Lambda rotation function. The test creates an AWSPENDING version of the secret and then removes it.

If you don't specify this value, then by default, Secrets Manager rotates the secret immediately.

", + "documentation":"

Specifies whether to rotate the secret immediately or wait until the next scheduled rotation window. The rotation schedule is defined in RotateSecretRequest$RotationRules.

For secrets that use a Lambda rotation function to rotate, if you don't immediately rotate the secret, Secrets Manager tests the rotation configuration by running the testSecret step of the Lambda rotation function. The test creates an AWSPENDING version of the secret and then removes it.

By default, Secrets Manager rotates the secret immediately.

", "box":true } } diff --git a/tests/functional/endpoint-rules/comprehend/endpoint-tests-1.json b/tests/functional/endpoint-rules/comprehend/endpoint-tests-1.json index a63e830fa0..c63e085f16 100644 --- a/tests/functional/endpoint-rules/comprehend/endpoint-tests-1.json +++ b/tests/functional/endpoint-rules/comprehend/endpoint-tests-1.json @@ -8,9 +8,9 @@ } }, "params": { + "Region": "ap-northeast-1", "UseFIPS": false, - "UseDualStack": false, - "Region": "ap-northeast-1" + "UseDualStack": false } }, { @@ -21,9 +21,9 @@ } }, "params": { + "Region": "ap-northeast-2", "UseFIPS": false, - "UseDualStack": false, - "Region": "ap-northeast-2" + "UseDualStack": false } }, { @@ -34,9 +34,9 @@ } }, "params": { + "Region": "ap-south-1", "UseFIPS": false, - "UseDualStack": false, - "Region": "ap-south-1" + "UseDualStack": false } }, { @@ -47,9 +47,9 @@ } }, "params": { + "Region": "ap-southeast-1", "UseFIPS": false, - "UseDualStack": false, - "Region": "ap-southeast-1" + "UseDualStack": false } }, { @@ -60,9 +60,9 @@ } }, "params": { + "Region": "ap-southeast-2", "UseFIPS": false, - "UseDualStack": false, - "Region": "ap-southeast-2" + "UseDualStack": false } }, { @@ -73,9 +73,9 @@ } }, "params": { + "Region": "ca-central-1", "UseFIPS": false, - "UseDualStack": false, - "Region": "ca-central-1" + "UseDualStack": false } }, { @@ -86,9 +86,9 @@ } }, "params": { + "Region": "eu-central-1", "UseFIPS": false, - "UseDualStack": false, - "Region": "eu-central-1" + "UseDualStack": false } }, { @@ -99,9 +99,9 @@ } }, "params": { + "Region": "eu-west-1", "UseFIPS": false, - "UseDualStack": false, - "Region": "eu-west-1" + "UseDualStack": false } }, { @@ -112,9 +112,9 @@ } }, "params": { + "Region": "eu-west-2", "UseFIPS": false, - "UseDualStack": false, - "Region": "eu-west-2" + "UseDualStack": false } }, { @@ -125,9 +125,9 @@ } }, "params": { + "Region": "us-east-1", "UseFIPS": false, - "UseDualStack": false, - "Region": "us-east-1" + "UseDualStack": false } }, { @@ -138,9 +138,9 @@ } }, "params": { + "Region": "us-east-1", "UseFIPS": true, - "UseDualStack": false, - "Region": "us-east-1" + "UseDualStack": false } }, { @@ -151,9 +151,9 @@ } }, "params": { + "Region": "us-east-2", "UseFIPS": false, - "UseDualStack": false, - "Region": "us-east-2" + "UseDualStack": false } }, { @@ -164,9 +164,9 @@ } }, "params": { + "Region": "us-east-2", "UseFIPS": true, - "UseDualStack": false, - "Region": "us-east-2" + "UseDualStack": false } }, { @@ -177,9 +177,9 @@ } }, "params": { + "Region": "us-west-2", "UseFIPS": false, - "UseDualStack": false, - "Region": "us-west-2" + "UseDualStack": false } }, { @@ -190,9 +190,9 @@ } }, "params": { + "Region": "us-west-2", "UseFIPS": true, - "UseDualStack": false, - "Region": "us-west-2" + "UseDualStack": false } }, { @@ -203,9 +203,9 @@ } }, "params": { + "Region": "us-east-1", "UseFIPS": true, - "UseDualStack": true, - "Region": "us-east-1" + "UseDualStack": true } }, { @@ -216,9 +216,9 @@ } }, "params": { + "Region": "us-east-1", "UseFIPS": false, - "UseDualStack": true, - "Region": "us-east-1" + "UseDualStack": true } }, { @@ -229,9 +229,9 @@ } }, "params": { + "Region": "cn-north-1", "UseFIPS": true, - "UseDualStack": true, - "Region": "cn-north-1" + "UseDualStack": true } }, { @@ -242,9 +242,9 @@ } }, "params": { + "Region": "cn-north-1", "UseFIPS": true, - "UseDualStack": false, - "Region": "cn-north-1" + "UseDualStack": false } }, { @@ -255,9 +255,9 @@ } }, "params": { + "Region": "cn-north-1", "UseFIPS": false, - "UseDualStack": true, - "Region": "cn-north-1" + "UseDualStack": true } }, { @@ -268,9 +268,9 @@ } }, "params": { + "Region": "cn-north-1", "UseFIPS": false, - "UseDualStack": false, - "Region": "cn-north-1" + "UseDualStack": false } }, { @@ -281,9 +281,9 @@ } }, "params": { + "Region": "us-gov-west-1", "UseFIPS": false, - "UseDualStack": false, - "Region": "us-gov-west-1" + "UseDualStack": false } }, { @@ -294,9 +294,9 @@ } }, "params": { + "Region": "us-gov-west-1", "UseFIPS": true, - "UseDualStack": false, - "Region": "us-gov-west-1" + "UseDualStack": false } }, { @@ -307,9 +307,9 @@ } }, "params": { + "Region": "us-gov-east-1", "UseFIPS": true, - "UseDualStack": true, - "Region": "us-gov-east-1" + "UseDualStack": true } }, { @@ -320,9 +320,9 @@ } }, "params": { + "Region": "us-gov-east-1", "UseFIPS": true, - "UseDualStack": false, - "Region": "us-gov-east-1" + "UseDualStack": false } }, { @@ -333,9 +333,9 @@ } }, "params": { + "Region": "us-gov-east-1", "UseFIPS": false, - "UseDualStack": true, - "Region": "us-gov-east-1" + "UseDualStack": true } }, { @@ -346,9 +346,9 @@ } }, "params": { + "Region": "us-gov-east-1", "UseFIPS": false, - "UseDualStack": false, - "Region": "us-gov-east-1" + "UseDualStack": false } }, { @@ -359,9 +359,9 @@ } }, "params": { + "Region": "us-iso-east-1", "UseFIPS": false, - "UseDualStack": false, - "Region": "us-iso-east-1" + "UseDualStack": false } }, { @@ -370,9 +370,9 @@ "error": "FIPS and DualStack are enabled, but this partition does not support one or both" }, "params": { + "Region": "us-iso-east-1", "UseFIPS": true, - "UseDualStack": true, - "Region": "us-iso-east-1" + "UseDualStack": true } }, { @@ -383,9 +383,9 @@ } }, "params": { + "Region": "us-iso-east-1", "UseFIPS": true, - "UseDualStack": false, - "Region": "us-iso-east-1" + "UseDualStack": false } }, { @@ -394,9 +394,9 @@ "error": "DualStack is enabled but this partition does not support DualStack" }, "params": { + "Region": "us-iso-east-1", "UseFIPS": false, - "UseDualStack": true, - "Region": "us-iso-east-1" + "UseDualStack": true } }, { @@ -405,9 +405,9 @@ "error": "FIPS and DualStack are enabled, but this partition does not support one or both" }, "params": { + "Region": "us-isob-east-1", "UseFIPS": true, - "UseDualStack": true, - "Region": "us-isob-east-1" + "UseDualStack": true } }, { @@ -418,9 +418,9 @@ } }, "params": { + "Region": "us-isob-east-1", "UseFIPS": true, - "UseDualStack": false, - "Region": "us-isob-east-1" + "UseDualStack": false } }, { @@ -429,9 +429,9 @@ "error": "DualStack is enabled but this partition does not support DualStack" }, "params": { + "Region": "us-isob-east-1", "UseFIPS": false, - "UseDualStack": true, - "Region": "us-isob-east-1" + "UseDualStack": true } }, { @@ -442,9 +442,9 @@ } }, "params": { + "Region": "us-isob-east-1", "UseFIPS": false, - "UseDualStack": false, - "Region": "us-isob-east-1" + "UseDualStack": false } }, { @@ -455,9 +455,9 @@ } }, "params": { + "Region": "us-east-1", "UseFIPS": false, "UseDualStack": false, - "Region": "us-east-1", "Endpoint": "https://example.com" } }, @@ -480,9 +480,9 @@ "error": "Invalid Configuration: FIPS and custom endpoint are not supported" }, "params": { + "Region": "us-east-1", "UseFIPS": true, "UseDualStack": false, - "Region": "us-east-1", "Endpoint": "https://example.com" } }, @@ -492,9 +492,9 @@ "error": "Invalid Configuration: Dualstack and custom endpoint are not supported" }, "params": { + "Region": "us-east-1", "UseFIPS": false, "UseDualStack": true, - "Region": "us-east-1", "Endpoint": "https://example.com" } }, diff --git a/tests/functional/endpoint-rules/ram/endpoint-tests-1.json b/tests/functional/endpoint-rules/ram/endpoint-tests-1.json index ae93b72d73..ba2b34bc76 100644 --- a/tests/functional/endpoint-rules/ram/endpoint-tests-1.json +++ b/tests/functional/endpoint-rules/ram/endpoint-tests-1.json @@ -1,222 +1,209 @@ { "testCases": [ { - "documentation": "For region cn-north-1 with FIPS disabled and DualStack disabled", + "documentation": "For region af-south-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://ram.cn-north-1.amazonaws.com.cn" + "url": "https://ram.af-south-1.amazonaws.com" } }, "params": { - "Region": "cn-north-1", + "Region": "af-south-1", "UseFIPS": false, "UseDualStack": false } }, { - "documentation": "For region cn-northwest-1 with FIPS disabled and DualStack disabled", + "documentation": "For region ap-east-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://ram.cn-northwest-1.amazonaws.com.cn" + "url": "https://ram.ap-east-1.amazonaws.com" } }, "params": { - "Region": "cn-northwest-1", + "Region": "ap-east-1", "UseFIPS": false, "UseDualStack": false } }, { - "documentation": "For region cn-north-1 with FIPS enabled and DualStack enabled", - "expect": { - "endpoint": { - "url": "https://ram-fips.cn-north-1.api.amazonwebservices.com.cn" - } - }, - "params": { - "Region": "cn-north-1", - "UseFIPS": true, - "UseDualStack": true - } - }, - { - "documentation": "For region cn-north-1 with FIPS enabled and DualStack disabled", + "documentation": "For region ap-northeast-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://ram-fips.cn-north-1.amazonaws.com.cn" + "url": "https://ram.ap-northeast-1.amazonaws.com" } }, "params": { - "Region": "cn-north-1", - "UseFIPS": true, + "Region": "ap-northeast-1", + "UseFIPS": false, "UseDualStack": false } }, { - "documentation": "For region cn-north-1 with FIPS disabled and DualStack enabled", + "documentation": "For region ap-northeast-2 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://ram.cn-north-1.api.amazonwebservices.com.cn" + "url": "https://ram.ap-northeast-2.amazonaws.com" } }, "params": { - "Region": "cn-north-1", + "Region": "ap-northeast-2", "UseFIPS": false, - "UseDualStack": true + "UseDualStack": false } }, { - "documentation": "For region us-isob-east-1 with FIPS disabled and DualStack disabled", + "documentation": "For region ap-northeast-3 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://ram.us-isob-east-1.sc2s.sgov.gov" + "url": "https://ram.ap-northeast-3.amazonaws.com" } }, "params": { - "Region": "us-isob-east-1", + "Region": "ap-northeast-3", "UseFIPS": false, "UseDualStack": false } }, { - "documentation": "For region us-isob-east-1 with FIPS enabled and DualStack disabled", + "documentation": "For region ap-south-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://ram-fips.us-isob-east-1.sc2s.sgov.gov" + "url": "https://ram.ap-south-1.amazonaws.com" } }, "params": { - "Region": "us-isob-east-1", - "UseFIPS": true, + "Region": "ap-south-1", + "UseFIPS": false, "UseDualStack": false } }, { - "documentation": "For region us-gov-east-1 with FIPS disabled and DualStack disabled", + "documentation": "For region ap-southeast-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://ram.us-gov-east-1.amazonaws.com" + "url": "https://ram.ap-southeast-1.amazonaws.com" } }, "params": { - "Region": "us-gov-east-1", + "Region": "ap-southeast-1", "UseFIPS": false, "UseDualStack": false } }, { - "documentation": "For region us-gov-east-1 with FIPS enabled and DualStack disabled", + "documentation": "For region ap-southeast-2 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://ram.us-gov-east-1.amazonaws.com" + "url": "https://ram.ap-southeast-2.amazonaws.com" } }, "params": { - "Region": "us-gov-east-1", - "UseFIPS": true, + "Region": "ap-southeast-2", + "UseFIPS": false, "UseDualStack": false } }, { - "documentation": "For region us-gov-west-1 with FIPS disabled and DualStack disabled", + "documentation": "For region ap-southeast-3 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://ram.us-gov-west-1.amazonaws.com" + "url": "https://ram.ap-southeast-3.amazonaws.com" } }, "params": { - "Region": "us-gov-west-1", + "Region": "ap-southeast-3", "UseFIPS": false, "UseDualStack": false } }, { - "documentation": "For region us-gov-west-1 with FIPS enabled and DualStack disabled", + "documentation": "For region ca-central-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://ram.us-gov-west-1.amazonaws.com" + "url": "https://ram.ca-central-1.amazonaws.com" } }, "params": { - "Region": "us-gov-west-1", - "UseFIPS": true, + "Region": "ca-central-1", + "UseFIPS": false, "UseDualStack": false } }, { - "documentation": "For region us-gov-east-1 with FIPS enabled and DualStack enabled", + "documentation": "For region ca-central-1 with FIPS enabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://ram-fips.us-gov-east-1.api.aws" + "url": "https://ram-fips.ca-central-1.amazonaws.com" } }, "params": { - "Region": "us-gov-east-1", + "Region": "ca-central-1", "UseFIPS": true, - "UseDualStack": true + "UseDualStack": false } }, { - "documentation": "For region us-gov-east-1 with FIPS disabled and DualStack enabled", + "documentation": "For region eu-central-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://ram.us-gov-east-1.api.aws" + "url": "https://ram.eu-central-1.amazonaws.com" } }, "params": { - "Region": "us-gov-east-1", + "Region": "eu-central-1", "UseFIPS": false, - "UseDualStack": true + "UseDualStack": false } }, { - "documentation": "For region us-east-2 with FIPS disabled and DualStack disabled", + "documentation": "For region eu-north-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://ram.us-east-2.amazonaws.com" + "url": "https://ram.eu-north-1.amazonaws.com" } }, "params": { - "Region": "us-east-2", + "Region": "eu-north-1", "UseFIPS": false, "UseDualStack": false } }, { - "documentation": "For region us-east-2 with FIPS enabled and DualStack disabled", + "documentation": "For region eu-south-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://ram-fips.us-east-2.amazonaws.com" + "url": "https://ram.eu-south-1.amazonaws.com" } }, "params": { - "Region": "us-east-2", - "UseFIPS": true, + "Region": "eu-south-1", + "UseFIPS": false, "UseDualStack": false } }, { - "documentation": "For region eu-north-1 with FIPS disabled and DualStack disabled", + "documentation": "For region eu-west-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://ram.eu-north-1.amazonaws.com" + "url": "https://ram.eu-west-1.amazonaws.com" } }, "params": { - "Region": "eu-north-1", + "Region": "eu-west-1", "UseFIPS": false, "UseDualStack": false } }, { - "documentation": "For region me-south-1 with FIPS disabled and DualStack disabled", + "documentation": "For region eu-west-2 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://ram.me-south-1.amazonaws.com" + "url": "https://ram.eu-west-2.amazonaws.com" } }, "params": { - "Region": "me-south-1", + "Region": "eu-west-2", "UseFIPS": false, "UseDualStack": false } @@ -235,27 +222,27 @@ } }, { - "documentation": "For region eu-west-2 with FIPS disabled and DualStack disabled", + "documentation": "For region me-south-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://ram.eu-west-2.amazonaws.com" + "url": "https://ram.me-south-1.amazonaws.com" } }, "params": { - "Region": "eu-west-2", + "Region": "me-south-1", "UseFIPS": false, "UseDualStack": false } }, { - "documentation": "For region eu-west-1 with FIPS disabled and DualStack disabled", + "documentation": "For region sa-east-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://ram.eu-west-1.amazonaws.com" + "url": "https://ram.sa-east-1.amazonaws.com" } }, "params": { - "Region": "eu-west-1", + "Region": "sa-east-1", "UseFIPS": false, "UseDualStack": false } @@ -287,67 +274,54 @@ } }, { - "documentation": "For region ap-northeast-3 with FIPS disabled and DualStack disabled", - "expect": { - "endpoint": { - "url": "https://ram.ap-northeast-3.amazonaws.com" - } - }, - "params": { - "Region": "ap-northeast-3", - "UseFIPS": false, - "UseDualStack": false - } - }, - { - "documentation": "For region ap-northeast-2 with FIPS disabled and DualStack disabled", + "documentation": "For region us-east-2 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://ram.ap-northeast-2.amazonaws.com" + "url": "https://ram.us-east-2.amazonaws.com" } }, "params": { - "Region": "ap-northeast-2", + "Region": "us-east-2", "UseFIPS": false, "UseDualStack": false } }, { - "documentation": "For region ap-northeast-1 with FIPS disabled and DualStack disabled", + "documentation": "For region us-east-2 with FIPS enabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://ram.ap-northeast-1.amazonaws.com" + "url": "https://ram-fips.us-east-2.amazonaws.com" } }, "params": { - "Region": "ap-northeast-1", - "UseFIPS": false, + "Region": "us-east-2", + "UseFIPS": true, "UseDualStack": false } }, { - "documentation": "For region ap-south-1 with FIPS disabled and DualStack disabled", + "documentation": "For region us-west-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://ram.ap-south-1.amazonaws.com" + "url": "https://ram.us-west-1.amazonaws.com" } }, "params": { - "Region": "ap-south-1", + "Region": "us-west-1", "UseFIPS": false, "UseDualStack": false } }, { - "documentation": "For region af-south-1 with FIPS disabled and DualStack disabled", + "documentation": "For region us-west-1 with FIPS enabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://ram.af-south-1.amazonaws.com" + "url": "https://ram-fips.us-west-1.amazonaws.com" } }, "params": { - "Region": "af-south-1", - "UseFIPS": false, + "Region": "us-west-1", + "UseFIPS": true, "UseDualStack": false } }, @@ -378,170 +352,170 @@ } }, { - "documentation": "For region us-west-1 with FIPS disabled and DualStack disabled", + "documentation": "For region us-east-1 with FIPS enabled and DualStack enabled", "expect": { "endpoint": { - "url": "https://ram.us-west-1.amazonaws.com" + "url": "https://ram-fips.us-east-1.api.aws" } }, "params": { - "Region": "us-west-1", - "UseFIPS": false, - "UseDualStack": false + "Region": "us-east-1", + "UseFIPS": true, + "UseDualStack": true } }, { - "documentation": "For region us-west-1 with FIPS enabled and DualStack disabled", + "documentation": "For region us-east-1 with FIPS disabled and DualStack enabled", "expect": { "endpoint": { - "url": "https://ram-fips.us-west-1.amazonaws.com" + "url": "https://ram.us-east-1.api.aws" } }, "params": { - "Region": "us-west-1", - "UseFIPS": true, - "UseDualStack": false + "Region": "us-east-1", + "UseFIPS": false, + "UseDualStack": true } }, { - "documentation": "For region ca-central-1 with FIPS disabled and DualStack disabled", + "documentation": "For region cn-north-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://ram.ca-central-1.amazonaws.com" + "url": "https://ram.cn-north-1.amazonaws.com.cn" } }, "params": { - "Region": "ca-central-1", + "Region": "cn-north-1", "UseFIPS": false, "UseDualStack": false } }, { - "documentation": "For region ca-central-1 with FIPS enabled and DualStack disabled", + "documentation": "For region cn-northwest-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://ram-fips.ca-central-1.amazonaws.com" + "url": "https://ram.cn-northwest-1.amazonaws.com.cn" } }, "params": { - "Region": "ca-central-1", - "UseFIPS": true, + "Region": "cn-northwest-1", + "UseFIPS": false, "UseDualStack": false } }, { - "documentation": "For region ap-southeast-3 with FIPS disabled and DualStack disabled", + "documentation": "For region cn-north-1 with FIPS enabled and DualStack enabled", "expect": { "endpoint": { - "url": "https://ram.ap-southeast-3.amazonaws.com" + "url": "https://ram-fips.cn-north-1.api.amazonwebservices.com.cn" } }, "params": { - "Region": "ap-southeast-3", - "UseFIPS": false, - "UseDualStack": false + "Region": "cn-north-1", + "UseFIPS": true, + "UseDualStack": true } }, { - "documentation": "For region ap-southeast-2 with FIPS disabled and DualStack disabled", + "documentation": "For region cn-north-1 with FIPS enabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://ram.ap-southeast-2.amazonaws.com" + "url": "https://ram-fips.cn-north-1.amazonaws.com.cn" } }, "params": { - "Region": "ap-southeast-2", - "UseFIPS": false, + "Region": "cn-north-1", + "UseFIPS": true, "UseDualStack": false } }, { - "documentation": "For region ap-southeast-1 with FIPS disabled and DualStack disabled", + "documentation": "For region cn-north-1 with FIPS disabled and DualStack enabled", "expect": { "endpoint": { - "url": "https://ram.ap-southeast-1.amazonaws.com" + "url": "https://ram.cn-north-1.api.amazonwebservices.com.cn" } }, "params": { - "Region": "ap-southeast-1", + "Region": "cn-north-1", "UseFIPS": false, - "UseDualStack": false + "UseDualStack": true } }, { - "documentation": "For region eu-central-1 with FIPS disabled and DualStack disabled", + "documentation": "For region us-gov-east-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://ram.eu-central-1.amazonaws.com" + "url": "https://ram.us-gov-east-1.amazonaws.com" } }, "params": { - "Region": "eu-central-1", + "Region": "us-gov-east-1", "UseFIPS": false, "UseDualStack": false } }, { - "documentation": "For region eu-south-1 with FIPS disabled and DualStack disabled", + "documentation": "For region us-gov-east-1 with FIPS enabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://ram.eu-south-1.amazonaws.com" + "url": "https://ram.us-gov-east-1.amazonaws.com" } }, "params": { - "Region": "eu-south-1", - "UseFIPS": false, + "Region": "us-gov-east-1", + "UseFIPS": true, "UseDualStack": false } }, { - "documentation": "For region ap-east-1 with FIPS disabled and DualStack disabled", + "documentation": "For region us-gov-west-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://ram.ap-east-1.amazonaws.com" + "url": "https://ram.us-gov-west-1.amazonaws.com" } }, "params": { - "Region": "ap-east-1", + "Region": "us-gov-west-1", "UseFIPS": false, "UseDualStack": false } }, { - "documentation": "For region sa-east-1 with FIPS disabled and DualStack disabled", + "documentation": "For region us-gov-west-1 with FIPS enabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://ram.sa-east-1.amazonaws.com" + "url": "https://ram.us-gov-west-1.amazonaws.com" } }, "params": { - "Region": "sa-east-1", - "UseFIPS": false, + "Region": "us-gov-west-1", + "UseFIPS": true, "UseDualStack": false } }, { - "documentation": "For region us-east-1 with FIPS enabled and DualStack enabled", + "documentation": "For region us-gov-east-1 with FIPS enabled and DualStack enabled", "expect": { "endpoint": { - "url": "https://ram-fips.us-east-1.api.aws" + "url": "https://ram-fips.us-gov-east-1.api.aws" } }, "params": { - "Region": "us-east-1", + "Region": "us-gov-east-1", "UseFIPS": true, "UseDualStack": true } }, { - "documentation": "For region us-east-1 with FIPS disabled and DualStack enabled", + "documentation": "For region us-gov-east-1 with FIPS disabled and DualStack enabled", "expect": { "endpoint": { - "url": "https://ram.us-east-1.api.aws" + "url": "https://ram.us-gov-east-1.api.aws" } }, "params": { - "Region": "us-east-1", + "Region": "us-gov-east-1", "UseFIPS": false, "UseDualStack": true } @@ -559,6 +533,17 @@ "UseDualStack": false } }, + { + "documentation": "For region us-iso-east-1 with FIPS enabled and DualStack enabled", + "expect": { + "error": "FIPS and DualStack are enabled, but this partition does not support one or both" + }, + "params": { + "Region": "us-iso-east-1", + "UseFIPS": true, + "UseDualStack": true + } + }, { "documentation": "For region us-iso-east-1 with FIPS enabled and DualStack disabled", "expect": { @@ -573,7 +558,66 @@ } }, { - "documentation": "For custom endpoint with fips disabled and dualstack disabled", + "documentation": "For region us-iso-east-1 with FIPS disabled and DualStack enabled", + "expect": { + "error": "DualStack is enabled but this partition does not support DualStack" + }, + "params": { + "Region": "us-iso-east-1", + "UseFIPS": false, + "UseDualStack": true + } + }, + { + "documentation": "For region us-isob-east-1 with FIPS disabled and DualStack disabled", + "expect": { + "endpoint": { + "url": "https://ram.us-isob-east-1.sc2s.sgov.gov" + } + }, + "params": { + "Region": "us-isob-east-1", + "UseFIPS": false, + "UseDualStack": false + } + }, + { + "documentation": "For region us-isob-east-1 with FIPS enabled and DualStack enabled", + "expect": { + "error": "FIPS and DualStack are enabled, but this partition does not support one or both" + }, + "params": { + "Region": "us-isob-east-1", + "UseFIPS": true, + "UseDualStack": true + } + }, + { + "documentation": "For region us-isob-east-1 with FIPS enabled and DualStack disabled", + "expect": { + "endpoint": { + "url": "https://ram-fips.us-isob-east-1.sc2s.sgov.gov" + } + }, + "params": { + "Region": "us-isob-east-1", + "UseFIPS": true, + "UseDualStack": false + } + }, + { + "documentation": "For region us-isob-east-1 with FIPS disabled and DualStack enabled", + "expect": { + "error": "DualStack is enabled but this partition does not support DualStack" + }, + "params": { + "Region": "us-isob-east-1", + "UseFIPS": false, + "UseDualStack": true + } + }, + { + "documentation": "For custom endpoint with region set and fips disabled and dualstack disabled", "expect": { "endpoint": { "url": "https://example.com" @@ -586,6 +630,19 @@ "Endpoint": "https://example.com" } }, + { + "documentation": "For custom endpoint with region not set and fips disabled and dualstack disabled", + "expect": { + "endpoint": { + "url": "https://example.com" + } + }, + "params": { + "UseFIPS": false, + "UseDualStack": false, + "Endpoint": "https://example.com" + } + }, { "documentation": "For custom endpoint with fips enabled and dualstack disabled", "expect": { @@ -609,6 +666,12 @@ "UseDualStack": true, "Endpoint": "https://example.com" } + }, + { + "documentation": "Missing region", + "expect": { + "error": "Invalid Configuration: Missing Region" + } } ], "version": "1.0" diff --git a/tests/functional/endpoint-rules/s3control/endpoint-tests-1.json b/tests/functional/endpoint-rules/s3control/endpoint-tests-1.json index 249d60a4b6..afb8c27544 100644 --- a/tests/functional/endpoint-rules/s3control/endpoint-tests-1.json +++ b/tests/functional/endpoint-rules/s3control/endpoint-tests-1.json @@ -3458,6 +3458,133 @@ "UseDualStack": false, "UseFIPS": false } + }, + { + "documentation": "S3 Snow Control with bucket", + "expect": { + "endpoint": { + "properties": { + "authSchemes": [ + { + "name": "sigv4", + "signingName": "s3", + "signingRegion": "snow", + "disableDoubleEncoding": true + } + ] + }, + "url": "https://10.0.1.12:433" + } + }, + "params": { + "Region": "snow", + "Bucket": "bucketName", + "Endpoint": "https://10.0.1.12:433", + "UseFIPS": false, + "UseDualStack": false + } + }, + { + "documentation": "S3 Snow Control without bucket", + "expect": { + "endpoint": { + "properties": { + "authSchemes": [ + { + "name": "sigv4", + "signingName": "s3", + "signingRegion": "snow", + "disableDoubleEncoding": true + } + ] + }, + "url": "https://10.0.1.12:433" + } + }, + "params": { + "Region": "snow", + "Endpoint": "https://10.0.1.12:433", + "UseFIPS": false, + "UseDualStack": false + } + }, + { + "documentation": "S3 Snow Control with bucket and without port", + "expect": { + "endpoint": { + "properties": { + "authSchemes": [ + { + "name": "sigv4", + "signingName": "s3", + "signingRegion": "snow", + "disableDoubleEncoding": true + } + ] + }, + "url": "https://10.0.1.12" + } + }, + "params": { + "Region": "snow", + "Bucket": "bucketName", + "Endpoint": "https://10.0.1.12", + "UseFIPS": false, + "UseDualStack": false + } + }, + { + "documentation": "S3 Snow Control with bucket and with DNS", + "expect": { + "endpoint": { + "properties": { + "authSchemes": [ + { + "name": "sigv4", + "signingName": "s3", + "signingRegion": "snow", + "disableDoubleEncoding": true + } + ] + }, + "url": "http://s3snow.com" + } + }, + "params": { + "Region": "snow", + "Bucket": "bucketName", + "Endpoint": "http://s3snow.com", + "UseFIPS": false, + "UseDualStack": false + } + }, + { + "documentation": "S3 Snow Control with FIPS enabled", + "expect": { + "error": "S3 Snow does not support FIPS" + }, + "params": { + "Region": "snow", + "Bucket": "bucketName", + "Endpoint": "https://10.0.1.12:433", + "UseFIPS": true, + "UseDualStack": false, + "Accelerate": false + } + }, + { + "documentation": "S3 Snow Control with Dual-stack enabled", + "expect": { + "error": "S3 Snow does not support Dual-stack" + }, + "params": { + "Region": "snow", + "Bucket": "bucketName", + "Endpoint": "https://10.0.1.12:433", + "UseFIPS": false, + "UseDualStack": true, + "Accelerate": false + } } ], "version": "1.0" diff --git a/tests/functional/endpoint-rules/secretsmanager/endpoint-tests-1.json b/tests/functional/endpoint-rules/secretsmanager/endpoint-tests-1.json index ad06e6e3c6..f81865a4bb 100644 --- a/tests/functional/endpoint-rules/secretsmanager/endpoint-tests-1.json +++ b/tests/functional/endpoint-rules/secretsmanager/endpoint-tests-1.json @@ -533,6 +533,17 @@ "UseDualStack": false } }, + { + "documentation": "For region us-iso-east-1 with FIPS enabled and DualStack enabled", + "expect": { + "error": "FIPS and DualStack are enabled, but this partition does not support one or both" + }, + "params": { + "Region": "us-iso-east-1", + "UseFIPS": true, + "UseDualStack": true + } + }, { "documentation": "For region us-iso-east-1 with FIPS enabled and DualStack disabled", "expect": { @@ -546,6 +557,28 @@ "UseDualStack": false } }, + { + "documentation": "For region us-iso-east-1 with FIPS disabled and DualStack enabled", + "expect": { + "error": "DualStack is enabled but this partition does not support DualStack" + }, + "params": { + "Region": "us-iso-east-1", + "UseFIPS": false, + "UseDualStack": true + } + }, + { + "documentation": "For region us-isob-east-1 with FIPS enabled and DualStack enabled", + "expect": { + "error": "FIPS and DualStack are enabled, but this partition does not support one or both" + }, + "params": { + "Region": "us-isob-east-1", + "UseFIPS": true, + "UseDualStack": true + } + }, { "documentation": "For region us-isob-east-1 with FIPS enabled and DualStack disabled", "expect": { @@ -559,6 +592,17 @@ "UseDualStack": false } }, + { + "documentation": "For region us-isob-east-1 with FIPS disabled and DualStack enabled", + "expect": { + "error": "DualStack is enabled but this partition does not support DualStack" + }, + "params": { + "Region": "us-isob-east-1", + "UseFIPS": false, + "UseDualStack": true + } + }, { "documentation": "For region us-isob-east-1 with FIPS disabled and DualStack disabled", "expect": { @@ -622,6 +666,12 @@ "UseDualStack": true, "Endpoint": "https://example.com" } + }, + { + "documentation": "Missing region", + "expect": { + "error": "Invalid Configuration: Missing Region" + } } ], "version": "1.0" diff --git a/tests/functional/endpoint-rules/securityhub/endpoint-tests-1.json b/tests/functional/endpoint-rules/securityhub/endpoint-tests-1.json index ff107f7ff4..61093208ca 100644 --- a/tests/functional/endpoint-rules/securityhub/endpoint-tests-1.json +++ b/tests/functional/endpoint-rules/securityhub/endpoint-tests-1.json @@ -8,9 +8,9 @@ } }, "params": { + "Region": "af-south-1", "UseFIPS": false, - "UseDualStack": false, - "Region": "af-south-1" + "UseDualStack": false } }, { @@ -21,9 +21,9 @@ } }, "params": { + "Region": "ap-east-1", "UseFIPS": false, - "UseDualStack": false, - "Region": "ap-east-1" + "UseDualStack": false } }, { @@ -34,9 +34,9 @@ } }, "params": { + "Region": "ap-northeast-1", "UseFIPS": false, - "UseDualStack": false, - "Region": "ap-northeast-1" + "UseDualStack": false } }, { @@ -47,9 +47,9 @@ } }, "params": { + "Region": "ap-northeast-2", "UseFIPS": false, - "UseDualStack": false, - "Region": "ap-northeast-2" + "UseDualStack": false } }, { @@ -60,9 +60,9 @@ } }, "params": { + "Region": "ap-northeast-3", "UseFIPS": false, - "UseDualStack": false, - "Region": "ap-northeast-3" + "UseDualStack": false } }, { @@ -73,9 +73,9 @@ } }, "params": { + "Region": "ap-south-1", "UseFIPS": false, - "UseDualStack": false, - "Region": "ap-south-1" + "UseDualStack": false } }, { @@ -86,9 +86,9 @@ } }, "params": { + "Region": "ap-southeast-1", "UseFIPS": false, - "UseDualStack": false, - "Region": "ap-southeast-1" + "UseDualStack": false } }, { @@ -99,9 +99,9 @@ } }, "params": { + "Region": "ap-southeast-2", "UseFIPS": false, - "UseDualStack": false, - "Region": "ap-southeast-2" + "UseDualStack": false } }, { @@ -112,9 +112,9 @@ } }, "params": { + "Region": "ap-southeast-3", "UseFIPS": false, - "UseDualStack": false, - "Region": "ap-southeast-3" + "UseDualStack": false } }, { @@ -125,9 +125,9 @@ } }, "params": { + "Region": "ca-central-1", "UseFIPS": false, - "UseDualStack": false, - "Region": "ca-central-1" + "UseDualStack": false } }, { @@ -138,9 +138,9 @@ } }, "params": { + "Region": "eu-central-1", "UseFIPS": false, - "UseDualStack": false, - "Region": "eu-central-1" + "UseDualStack": false } }, { @@ -151,9 +151,9 @@ } }, "params": { + "Region": "eu-north-1", "UseFIPS": false, - "UseDualStack": false, - "Region": "eu-north-1" + "UseDualStack": false } }, { @@ -164,9 +164,9 @@ } }, "params": { + "Region": "eu-south-1", "UseFIPS": false, - "UseDualStack": false, - "Region": "eu-south-1" + "UseDualStack": false } }, { @@ -177,9 +177,9 @@ } }, "params": { + "Region": "eu-west-1", "UseFIPS": false, - "UseDualStack": false, - "Region": "eu-west-1" + "UseDualStack": false } }, { @@ -190,9 +190,9 @@ } }, "params": { + "Region": "eu-west-2", "UseFIPS": false, - "UseDualStack": false, - "Region": "eu-west-2" + "UseDualStack": false } }, { @@ -203,9 +203,9 @@ } }, "params": { + "Region": "eu-west-3", "UseFIPS": false, - "UseDualStack": false, - "Region": "eu-west-3" + "UseDualStack": false } }, { @@ -216,9 +216,9 @@ } }, "params": { + "Region": "me-south-1", "UseFIPS": false, - "UseDualStack": false, - "Region": "me-south-1" + "UseDualStack": false } }, { @@ -229,9 +229,9 @@ } }, "params": { + "Region": "sa-east-1", "UseFIPS": false, - "UseDualStack": false, - "Region": "sa-east-1" + "UseDualStack": false } }, { @@ -242,9 +242,9 @@ } }, "params": { + "Region": "us-east-1", "UseFIPS": false, - "UseDualStack": false, - "Region": "us-east-1" + "UseDualStack": false } }, { @@ -255,9 +255,9 @@ } }, "params": { + "Region": "us-east-1", "UseFIPS": true, - "UseDualStack": false, - "Region": "us-east-1" + "UseDualStack": false } }, { @@ -268,9 +268,9 @@ } }, "params": { + "Region": "us-east-2", "UseFIPS": false, - "UseDualStack": false, - "Region": "us-east-2" + "UseDualStack": false } }, { @@ -281,9 +281,9 @@ } }, "params": { + "Region": "us-east-2", "UseFIPS": true, - "UseDualStack": false, - "Region": "us-east-2" + "UseDualStack": false } }, { @@ -294,9 +294,9 @@ } }, "params": { + "Region": "us-west-1", "UseFIPS": false, - "UseDualStack": false, - "Region": "us-west-1" + "UseDualStack": false } }, { @@ -307,9 +307,9 @@ } }, "params": { + "Region": "us-west-1", "UseFIPS": true, - "UseDualStack": false, - "Region": "us-west-1" + "UseDualStack": false } }, { @@ -320,9 +320,9 @@ } }, "params": { + "Region": "us-west-2", "UseFIPS": false, - "UseDualStack": false, - "Region": "us-west-2" + "UseDualStack": false } }, { @@ -333,9 +333,9 @@ } }, "params": { + "Region": "us-west-2", "UseFIPS": true, - "UseDualStack": false, - "Region": "us-west-2" + "UseDualStack": false } }, { @@ -346,9 +346,9 @@ } }, "params": { + "Region": "us-east-1", "UseFIPS": true, - "UseDualStack": true, - "Region": "us-east-1" + "UseDualStack": true } }, { @@ -359,9 +359,9 @@ } }, "params": { + "Region": "us-east-1", "UseFIPS": false, - "UseDualStack": true, - "Region": "us-east-1" + "UseDualStack": true } }, { @@ -372,9 +372,9 @@ } }, "params": { + "Region": "cn-north-1", "UseFIPS": false, - "UseDualStack": false, - "Region": "cn-north-1" + "UseDualStack": false } }, { @@ -385,9 +385,9 @@ } }, "params": { + "Region": "cn-northwest-1", "UseFIPS": false, - "UseDualStack": false, - "Region": "cn-northwest-1" + "UseDualStack": false } }, { @@ -398,9 +398,9 @@ } }, "params": { + "Region": "cn-north-1", "UseFIPS": true, - "UseDualStack": true, - "Region": "cn-north-1" + "UseDualStack": true } }, { @@ -411,9 +411,9 @@ } }, "params": { + "Region": "cn-north-1", "UseFIPS": true, - "UseDualStack": false, - "Region": "cn-north-1" + "UseDualStack": false } }, { @@ -424,9 +424,9 @@ } }, "params": { + "Region": "cn-north-1", "UseFIPS": false, - "UseDualStack": true, - "Region": "cn-north-1" + "UseDualStack": true } }, { @@ -437,9 +437,9 @@ } }, "params": { + "Region": "us-gov-east-1", "UseFIPS": false, - "UseDualStack": false, - "Region": "us-gov-east-1" + "UseDualStack": false } }, { @@ -450,9 +450,9 @@ } }, "params": { + "Region": "us-gov-east-1", "UseFIPS": true, - "UseDualStack": false, - "Region": "us-gov-east-1" + "UseDualStack": false } }, { @@ -463,9 +463,9 @@ } }, "params": { + "Region": "us-gov-west-1", "UseFIPS": false, - "UseDualStack": false, - "Region": "us-gov-west-1" + "UseDualStack": false } }, { @@ -476,9 +476,9 @@ } }, "params": { + "Region": "us-gov-west-1", "UseFIPS": true, - "UseDualStack": false, - "Region": "us-gov-west-1" + "UseDualStack": false } }, { @@ -489,9 +489,9 @@ } }, "params": { + "Region": "us-gov-east-1", "UseFIPS": true, - "UseDualStack": true, - "Region": "us-gov-east-1" + "UseDualStack": true } }, { @@ -502,9 +502,20 @@ } }, "params": { + "Region": "us-gov-east-1", "UseFIPS": false, - "UseDualStack": true, - "Region": "us-gov-east-1" + "UseDualStack": true + } + }, + { + "documentation": "For region us-iso-east-1 with FIPS enabled and DualStack enabled", + "expect": { + "error": "FIPS and DualStack are enabled, but this partition does not support one or both" + }, + "params": { + "Region": "us-iso-east-1", + "UseFIPS": true, + "UseDualStack": true } }, { @@ -515,9 +526,20 @@ } }, "params": { + "Region": "us-iso-east-1", "UseFIPS": true, - "UseDualStack": false, - "Region": "us-iso-east-1" + "UseDualStack": false + } + }, + { + "documentation": "For region us-iso-east-1 with FIPS disabled and DualStack enabled", + "expect": { + "error": "DualStack is enabled but this partition does not support DualStack" + }, + "params": { + "Region": "us-iso-east-1", + "UseFIPS": false, + "UseDualStack": true } }, { @@ -528,9 +550,20 @@ } }, "params": { + "Region": "us-iso-east-1", "UseFIPS": false, - "UseDualStack": false, - "Region": "us-iso-east-1" + "UseDualStack": false + } + }, + { + "documentation": "For region us-isob-east-1 with FIPS enabled and DualStack enabled", + "expect": { + "error": "FIPS and DualStack are enabled, but this partition does not support one or both" + }, + "params": { + "Region": "us-isob-east-1", + "UseFIPS": true, + "UseDualStack": true } }, { @@ -541,9 +574,20 @@ } }, "params": { + "Region": "us-isob-east-1", "UseFIPS": true, - "UseDualStack": false, - "Region": "us-isob-east-1" + "UseDualStack": false + } + }, + { + "documentation": "For region us-isob-east-1 with FIPS disabled and DualStack enabled", + "expect": { + "error": "DualStack is enabled but this partition does not support DualStack" + }, + "params": { + "Region": "us-isob-east-1", + "UseFIPS": false, + "UseDualStack": true } }, { @@ -554,9 +598,9 @@ } }, "params": { + "Region": "us-isob-east-1", "UseFIPS": false, - "UseDualStack": false, - "Region": "us-isob-east-1" + "UseDualStack": false } }, { @@ -567,9 +611,9 @@ } }, "params": { + "Region": "us-east-1", "UseFIPS": false, "UseDualStack": false, - "Region": "us-east-1", "Endpoint": "https://example.com" } }, @@ -592,9 +636,9 @@ "error": "Invalid Configuration: FIPS and custom endpoint are not supported" }, "params": { + "Region": "us-east-1", "UseFIPS": true, "UseDualStack": false, - "Region": "us-east-1", "Endpoint": "https://example.com" } }, @@ -604,11 +648,17 @@ "error": "Invalid Configuration: Dualstack and custom endpoint are not supported" }, "params": { + "Region": "us-east-1", "UseFIPS": false, "UseDualStack": true, - "Region": "us-east-1", "Endpoint": "https://example.com" } + }, + { + "documentation": "Missing region", + "expect": { + "error": "Invalid Configuration: Missing Region" + } } ], "version": "1.0" From 00fc04c3ff2869ee6efd4c08e2751be57c3d6e6a Mon Sep 17 00:00:00 2001 From: aws-sdk-python-automation Date: Wed, 19 Apr 2023 18:11:44 +0000 Subject: [PATCH 2/3] Update to latest partitions and endpoints --- botocore/data/endpoints.json | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/botocore/data/endpoints.json b/botocore/data/endpoints.json index 75b07320f0..be585fdf79 100644 --- a/botocore/data/endpoints.json +++ b/botocore/data/endpoints.json @@ -1839,8 +1839,10 @@ "ap-southeast-1" : { }, "ap-southeast-2" : { }, "ap-southeast-3" : { }, + "ap-southeast-4" : { }, "ca-central-1" : { }, "eu-central-1" : { }, + "eu-central-2" : { }, "eu-north-1" : { }, "eu-south-1" : { }, "eu-south-2" : { }, @@ -18960,9 +18962,29 @@ }, "endpoints" : { "us-gov-east-1" : { + "hostname" : "application-autoscaling.us-gov-east-1.amazonaws.com", + "protocols" : [ "http", "https" ], + "variants" : [ { + "hostname" : "application-autoscaling.us-gov-east-1.amazonaws.com", + "tags" : [ "fips" ] + } ] + }, + "us-gov-east-1-fips" : { + "deprecated" : true, + "hostname" : "application-autoscaling.us-gov-east-1.amazonaws.com", "protocols" : [ "http", "https" ] }, "us-gov-west-1" : { + "hostname" : "application-autoscaling.us-gov-west-1.amazonaws.com", + "protocols" : [ "http", "https" ], + "variants" : [ { + "hostname" : "application-autoscaling.us-gov-west-1.amazonaws.com", + "tags" : [ "fips" ] + } ] + }, + "us-gov-west-1-fips" : { + "deprecated" : true, + "hostname" : "application-autoscaling.us-gov-west-1.amazonaws.com", "protocols" : [ "http", "https" ] } } From 5eb63b0d65d96e203185b394ff95b6d776fb00ea Mon Sep 17 00:00:00 2001 From: aws-sdk-python-automation Date: Wed, 19 Apr 2023 18:11:48 +0000 Subject: [PATCH 3/3] Bumping version to 1.29.116 --- .changes/1.29.116.json | 37 +++++++++++++++++++ .../api-change-comprehend-41173.json | 5 --- .../next-release/api-change-ecs-57936.json | 5 --- .../next-release/api-change-ram-22635.json | 5 --- .../next-release/api-change-rds-21090.json | 5 --- .../next-release/api-change-s3-73959.json | 5 --- .../api-change-s3control-66568.json | 5 --- .../api-change-secretsmanager-54677.json | 5 --- CHANGELOG.rst | 12 ++++++ botocore/__init__.py | 2 +- docs/source/conf.py | 2 +- 11 files changed, 51 insertions(+), 37 deletions(-) create mode 100644 .changes/1.29.116.json delete mode 100644 .changes/next-release/api-change-comprehend-41173.json delete mode 100644 .changes/next-release/api-change-ecs-57936.json delete mode 100644 .changes/next-release/api-change-ram-22635.json delete mode 100644 .changes/next-release/api-change-rds-21090.json delete mode 100644 .changes/next-release/api-change-s3-73959.json delete mode 100644 .changes/next-release/api-change-s3control-66568.json delete mode 100644 .changes/next-release/api-change-secretsmanager-54677.json diff --git a/.changes/1.29.116.json b/.changes/1.29.116.json new file mode 100644 index 0000000000..d73a67cf10 --- /dev/null +++ b/.changes/1.29.116.json @@ -0,0 +1,37 @@ +[ + { + "category": "``comprehend``", + "description": "This release supports native document models for custom classification, in addition to plain-text models. You train native document models using documents (PDF, Word, images) in their native format.", + "type": "api-change" + }, + { + "category": "``ecs``", + "description": "This release supports the Account Setting \"TagResourceAuthorization\" that allows for enhanced Tagging security controls.", + "type": "api-change" + }, + { + "category": "``ram``", + "description": "This release adds support for customer managed permissions. Customer managed permissions enable customers to author and manage tailored permissions for resources shared using RAM.", + "type": "api-change" + }, + { + "category": "``rds``", + "description": "Adds support for the ImageId parameter of CreateCustomDBEngineVersion to RDS Custom for Oracle", + "type": "api-change" + }, + { + "category": "``s3``", + "description": "Provides support for \"Snow\" Storage class.", + "type": "api-change" + }, + { + "category": "``s3control``", + "description": "Provides support for overriding endpoint when region is \"snow\". This will enable bucket APIs for Amazon S3 Compatible storage on Snow Family devices.", + "type": "api-change" + }, + { + "category": "``secretsmanager``", + "description": "Documentation updates for Secrets Manager", + "type": "api-change" + } +] \ No newline at end of file diff --git a/.changes/next-release/api-change-comprehend-41173.json b/.changes/next-release/api-change-comprehend-41173.json deleted file mode 100644 index 34b458e361..0000000000 --- a/.changes/next-release/api-change-comprehend-41173.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "type": "api-change", - "category": "``comprehend``", - "description": "This release supports native document models for custom classification, in addition to plain-text models. You train native document models using documents (PDF, Word, images) in their native format." -} diff --git a/.changes/next-release/api-change-ecs-57936.json b/.changes/next-release/api-change-ecs-57936.json deleted file mode 100644 index 5255488dff..0000000000 --- a/.changes/next-release/api-change-ecs-57936.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "type": "api-change", - "category": "``ecs``", - "description": "This release supports the Account Setting \"TagResourceAuthorization\" that allows for enhanced Tagging security controls." -} diff --git a/.changes/next-release/api-change-ram-22635.json b/.changes/next-release/api-change-ram-22635.json deleted file mode 100644 index 0b4608afa7..0000000000 --- a/.changes/next-release/api-change-ram-22635.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "type": "api-change", - "category": "``ram``", - "description": "This release adds support for customer managed permissions. Customer managed permissions enable customers to author and manage tailored permissions for resources shared using RAM." -} diff --git a/.changes/next-release/api-change-rds-21090.json b/.changes/next-release/api-change-rds-21090.json deleted file mode 100644 index c48a83d364..0000000000 --- a/.changes/next-release/api-change-rds-21090.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "type": "api-change", - "category": "``rds``", - "description": "Adds support for the ImageId parameter of CreateCustomDBEngineVersion to RDS Custom for Oracle" -} diff --git a/.changes/next-release/api-change-s3-73959.json b/.changes/next-release/api-change-s3-73959.json deleted file mode 100644 index 52ab9f2aec..0000000000 --- a/.changes/next-release/api-change-s3-73959.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "type": "api-change", - "category": "``s3``", - "description": "Provides support for \"Snow\" Storage class." -} diff --git a/.changes/next-release/api-change-s3control-66568.json b/.changes/next-release/api-change-s3control-66568.json deleted file mode 100644 index cb9a9b90bd..0000000000 --- a/.changes/next-release/api-change-s3control-66568.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "type": "api-change", - "category": "``s3control``", - "description": "Provides support for overriding endpoint when region is \"snow\". This will enable bucket APIs for Amazon S3 Compatible storage on Snow Family devices." -} diff --git a/.changes/next-release/api-change-secretsmanager-54677.json b/.changes/next-release/api-change-secretsmanager-54677.json deleted file mode 100644 index 4cfcfab432..0000000000 --- a/.changes/next-release/api-change-secretsmanager-54677.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "type": "api-change", - "category": "``secretsmanager``", - "description": "Documentation updates for Secrets Manager" -} diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 40d486516b..7e3b11f1ab 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -2,6 +2,18 @@ CHANGELOG ========= +1.29.116 +======== + +* api-change:``comprehend``: This release supports native document models for custom classification, in addition to plain-text models. You train native document models using documents (PDF, Word, images) in their native format. +* api-change:``ecs``: This release supports the Account Setting "TagResourceAuthorization" that allows for enhanced Tagging security controls. +* api-change:``ram``: This release adds support for customer managed permissions. Customer managed permissions enable customers to author and manage tailored permissions for resources shared using RAM. +* api-change:``rds``: Adds support for the ImageId parameter of CreateCustomDBEngineVersion to RDS Custom for Oracle +* api-change:``s3``: Provides support for "Snow" Storage class. +* api-change:``s3control``: Provides support for overriding endpoint when region is "snow". This will enable bucket APIs for Amazon S3 Compatible storage on Snow Family devices. +* api-change:``secretsmanager``: Documentation updates for Secrets Manager + + 1.29.115 ======== diff --git a/botocore/__init__.py b/botocore/__init__.py index 3ef9b83360..2b555aae55 100644 --- a/botocore/__init__.py +++ b/botocore/__init__.py @@ -16,7 +16,7 @@ import os import re -__version__ = '1.29.115' +__version__ = '1.29.116' class NullHandler(logging.Handler): diff --git a/docs/source/conf.py b/docs/source/conf.py index fb9dc2182f..b9a26e9cb3 100644 --- a/docs/source/conf.py +++ b/docs/source/conf.py @@ -58,7 +58,7 @@ # The short X.Y version. version = '1.29.1' # The full version, including alpha/beta/rc tags. -release = '1.29.115' +release = '1.29.116' # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages.