RAM *** Client ====== class RAM.Client A low-level client representing AWS Resource Access Manager (RAM) This is the *Resource Access Manager API Reference*. This documentation provides descriptions and syntax for each of the actions and data types in RAM. RAM is a service that helps you securely share your Amazon Web Services resources to other Amazon Web Services accounts. If you use Organizations to manage your accounts, then you can share your resources with your entire organization or to organizational units (OUs). For supported resource types, you can also share resources with individual Identity and Access Management (IAM) roles and users. To learn more about RAM, see the following resources: * Resource Access Manager product page * Resource Access Manager User Guide import boto3 client = boto3.client('ram') These are the available methods: * accept_resource_share_invitation * associate_resource_share * associate_resource_share_permission * can_paginate * close * create_permission * create_permission_version * create_resource_share * delete_permission * delete_permission_version * delete_resource_share * disassociate_resource_share * disassociate_resource_share_permission * enable_sharing_with_aws_organization * get_paginator * get_permission * get_resource_policies * get_resource_share_associations * get_resource_share_invitations * get_resource_shares * get_waiter * list_pending_invitation_resources * list_permission_associations * list_permission_versions * list_permissions * list_principals * list_replace_permission_associations_work * list_resource_share_permissions * list_resource_types * list_resources * promote_permission_created_from_policy * promote_resource_share_created_from_policy * reject_resource_share_invitation * replace_permission_associations * set_default_permission_version * tag_resource * untag_resource * update_resource_share Paginators ========== Paginators are available on a client instance via the "get_paginator" method. For more detailed instructions and examples on the usage of paginators, see the paginators user guide. The available paginators are: * GetResourcePolicies * GetResourceShareAssociations * GetResourceShareInvitations * GetResourceShares * ListPrincipals * ListResources RAM / Paginator / GetResourceShareInvitations GetResourceShareInvitations *************************** class RAM.Paginator.GetResourceShareInvitations paginator = client.get_paginator('get_resource_share_invitations') paginate(**kwargs) Creates an iterator that will paginate through responses from "RAM.Client.get_resource_share_invitations()". See also: AWS API Documentation **Request Syntax** response_iterator = paginator.paginate( resourceShareInvitationArns=[ 'string', ], resourceShareArns=[ 'string', ], PaginationConfig={ 'MaxItems': 123, 'PageSize': 123, 'StartingToken': 'string' } ) Parameters: * **resourceShareInvitationArns** (*list*) -- Specifies the Amazon Resource Names (ARNs) of the resource share invitations you want information about. * *(string) --* * **resourceShareArns** (*list*) -- Specifies that you want details about invitations only for the resource shares described by this list of Amazon Resource Names (ARNs) * *(string) --* * **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination. * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination. * **PageSize** *(integer) --* The size of each page. * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response. Return type: dict Returns: **Response Syntax** { 'resourceShareInvitations': [ { 'resourceShareInvitationArn': 'string', 'resourceShareName': 'string', 'resourceShareArn': 'string', 'senderAccountId': 'string', 'receiverAccountId': 'string', 'invitationTimestamp': datetime(2015, 1, 1), 'status': 'PENDING'|'ACCEPTED'|'REJECTED'|'EXPIRED', 'resourceShareAssociations': [ { 'resourceShareArn': 'string', 'resourceShareName': 'string', 'associatedEntity': 'string', 'associationType': 'PRINCIPAL'|'RESOURCE', 'status': 'ASSOCIATING'|'ASSOCIATED'|'FAILED'|'DISASSOCIATING'|'DISASSOCIATED', 'statusMessage': 'string', 'creationTime': datetime(2015, 1, 1), 'lastUpdatedTime': datetime(2015, 1, 1), 'external': True|False }, ], 'receiverArn': 'string' }, ], 'NextToken': 'string' } **Response Structure** * *(dict) --* * **resourceShareInvitations** *(list) --* An array of objects that contain the details about the invitations. * *(dict) --* Describes an invitation for an Amazon Web Services account to join a resource share. * **resourceShareInvitationArn** *(string) --* The Amazon Resource Name (ARN) of the invitation. * **resourceShareName** *(string) --* The name of the resource share. * **resourceShareArn** *(string) --* The Amazon Resource Name (ARN) of the resource share * **senderAccountId** *(string) --* The ID of the Amazon Web Services account that sent the invitation. * **receiverAccountId** *(string) --* The ID of the Amazon Web Services account that received the invitation. * **invitationTimestamp** *(datetime) --* The date and time when the invitation was sent. * **status** *(string) --* The current status of the invitation. * **resourceShareAssociations** *(list) --* To view the resources associated with a pending resource share invitation, use ListPendingInvitationResources. * *(dict) --* Describes an association between a resource share and either a principal or a resource. * **resourceShareArn** *(string) --* The Amazon Resource Name (ARN) of the resource share. * **resourceShareName** *(string) --* The name of the resource share. * **associatedEntity** *(string) --* The associated entity. This can be either of the following: * For a resource association, this is the Amazon Resource Name (ARN) of the resource. * For principal associations, this is one of the following: * The ID of an Amazon Web Services account * The Amazon Resource Name (ARN) of an organization in Organizations * The ARN of an organizational unit (OU) in Organizations * The ARN of an IAM role * The ARN of an IAM user * **associationType** *(string) --* The type of entity included in this association. * **status** *(string) --* The current status of the association. * **statusMessage** *(string) --* A message about the status of the association. * **creationTime** *(datetime) --* The date and time when the association was created. * **lastUpdatedTime** *(datetime) --* The date and time when the association was last updated. * **external** *(boolean) --* Indicates whether the principal belongs to the same organization in Organizations as the Amazon Web Services account that owns the resource share. * **receiverArn** *(string) --* The Amazon Resource Name (ARN) of the IAM user or role that received the invitation. * **NextToken** *(string) --* A token to resume pagination. RAM / Paginator / GetResourceShareAssociations GetResourceShareAssociations **************************** class RAM.Paginator.GetResourceShareAssociations paginator = client.get_paginator('get_resource_share_associations') paginate(**kwargs) Creates an iterator that will paginate through responses from "RAM.Client.get_resource_share_associations()". See also: AWS API Documentation **Request Syntax** response_iterator = paginator.paginate( associationType='PRINCIPAL'|'RESOURCE', resourceShareArns=[ 'string', ], resourceArn='string', principal='string', associationStatus='ASSOCIATING'|'ASSOCIATED'|'FAILED'|'DISASSOCIATING'|'DISASSOCIATED', PaginationConfig={ 'MaxItems': 123, 'PageSize': 123, 'StartingToken': 'string' } ) Parameters: * **associationType** (*string*) -- **[REQUIRED]** Specifies whether you want to retrieve the associations that involve a specified resource or principal. * "PRINCIPAL" – list the principals whose associations you want to see. * "RESOURCE" – list the resources whose associations you want to see. * **resourceShareArns** (*list*) -- Specifies a list of Amazon Resource Names (ARNs) of the resource share whose associations you want to retrieve. * *(string) --* * **resourceArn** (*string*) -- Specifies the Amazon Resource Name (ARN) of a resource whose resource shares you want to retrieve. You cannot specify this parameter if the association type is "PRINCIPAL". * **principal** (*string*) -- Specifies the ID of the principal whose resource shares you want to retrieve. This can be an Amazon Web Services account ID, an organization ID, an organizational unit ID, or the Amazon Resource Name (ARN) of an individual IAM role or user. You cannot specify this parameter if the association type is "RESOURCE". * **associationStatus** (*string*) -- Specifies that you want to retrieve only associations that have this status. * **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination. * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination. * **PageSize** *(integer) --* The size of each page. * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response. Return type: dict Returns: **Response Syntax** { 'resourceShareAssociations': [ { 'resourceShareArn': 'string', 'resourceShareName': 'string', 'associatedEntity': 'string', 'associationType': 'PRINCIPAL'|'RESOURCE', 'status': 'ASSOCIATING'|'ASSOCIATED'|'FAILED'|'DISASSOCIATING'|'DISASSOCIATED', 'statusMessage': 'string', 'creationTime': datetime(2015, 1, 1), 'lastUpdatedTime': datetime(2015, 1, 1), 'external': True|False }, ], 'NextToken': 'string' } **Response Structure** * *(dict) --* * **resourceShareAssociations** *(list) --* An array of objects that contain the details about the associations. * *(dict) --* Describes an association between a resource share and either a principal or a resource. * **resourceShareArn** *(string) --* The Amazon Resource Name (ARN) of the resource share. * **resourceShareName** *(string) --* The name of the resource share. * **associatedEntity** *(string) --* The associated entity. This can be either of the following: * For a resource association, this is the Amazon Resource Name (ARN) of the resource. * For principal associations, this is one of the following: * The ID of an Amazon Web Services account * The Amazon Resource Name (ARN) of an organization in Organizations * The ARN of an organizational unit (OU) in Organizations * The ARN of an IAM role * The ARN of an IAM user * **associationType** *(string) --* The type of entity included in this association. * **status** *(string) --* The current status of the association. * **statusMessage** *(string) --* A message about the status of the association. * **creationTime** *(datetime) --* The date and time when the association was created. * **lastUpdatedTime** *(datetime) --* The date and time when the association was last updated. * **external** *(boolean) --* Indicates whether the principal belongs to the same organization in Organizations as the Amazon Web Services account that owns the resource share. * **NextToken** *(string) --* A token to resume pagination. RAM / Paginator / ListResources ListResources ************* class RAM.Paginator.ListResources paginator = client.get_paginator('list_resources') paginate(**kwargs) Creates an iterator that will paginate through responses from "RAM.Client.list_resources()". See also: AWS API Documentation **Request Syntax** response_iterator = paginator.paginate( resourceOwner='SELF'|'OTHER-ACCOUNTS', principal='string', resourceType='string', resourceArns=[ 'string', ], resourceShareArns=[ 'string', ], resourceRegionScope='ALL'|'REGIONAL'|'GLOBAL', PaginationConfig={ 'MaxItems': 123, 'PageSize': 123, 'StartingToken': 'string' } ) Parameters: * **resourceOwner** (*string*) -- **[REQUIRED]** Specifies that you want to list only the resource shares that match the following: * "SELF" – resources that your account shares with other accounts * "OTHER-ACCOUNTS" – resources that other accounts share with your account * **principal** (*string*) -- Specifies that you want to list only the resource shares that are associated with the specified principal. * **resourceType** (*string*) -- Specifies that you want to list only the resource shares that include resources of the specified resource type. For valid values, query the ListResourceTypes operation. * **resourceArns** (*list*) -- Specifies that you want to list only the resource shares that include resources with the specified Amazon Resource Names (ARNs). * *(string) --* * **resourceShareArns** (*list*) -- Specifies that you want to list only resources in the resource shares identified by the specified Amazon Resource Names (ARNs). * *(string) --* * **resourceRegionScope** (*string*) -- Specifies that you want the results to include only resources that have the specified scope. * "ALL" – the results include both global and regional resources or resource types. * "GLOBAL" – the results include only global resources or resource types. * "REGIONAL" – the results include only regional resources or resource types. The default value is "ALL". * **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination. * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination. * **PageSize** *(integer) --* The size of each page. * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response. Return type: dict Returns: **Response Syntax** { 'resources': [ { 'arn': 'string', 'type': 'string', 'resourceShareArn': 'string', 'resourceGroupArn': 'string', 'status': 'AVAILABLE'|'ZONAL_RESOURCE_INACCESSIBLE'|'LIMIT_EXCEEDED'|'UNAVAILABLE'|'PENDING', 'statusMessage': 'string', 'creationTime': datetime(2015, 1, 1), 'lastUpdatedTime': datetime(2015, 1, 1), 'resourceRegionScope': 'REGIONAL'|'GLOBAL' }, ], 'NextToken': 'string' } **Response Structure** * *(dict) --* * **resources** *(list) --* An array of objects that contain information about the resources. * *(dict) --* Describes a resource associated with a resource share in RAM. * **arn** *(string) --* The Amazon Resource Name (ARN) of the resource. * **type** *(string) --* The resource type. This takes the form of: "service- code": "resource-code", and is case-insensitive. For example, an Amazon EC2 Subnet would be represented by the string "ec2:subnet". * **resourceShareArn** *(string) --* The Amazon Resource Name (ARN) of the resource share this resource is associated with. * **resourceGroupArn** *(string) --* The Amazon Resource Name (ARN) of the resource group. This value is available only if the resource is part of a resource group. * **status** *(string) --* The current status of the resource. * **statusMessage** *(string) --* A message about the status of the resource. * **creationTime** *(datetime) --* The date and time when the resource was associated with the resource share. * **lastUpdatedTime** *(datetime) --* The date an time when the association between the resource and the resource share was last updated. * **resourceRegionScope** *(string) --* Specifies the scope of visibility of this resource: * **REGIONAL** – The resource can be accessed only by using requests that target the Amazon Web Services Region in which the resource exists. * **GLOBAL** – The resource can be accessed from any Amazon Web Services Region. * **NextToken** *(string) --* A token to resume pagination. RAM / Paginator / GetResourceShares GetResourceShares ***************** class RAM.Paginator.GetResourceShares paginator = client.get_paginator('get_resource_shares') paginate(**kwargs) Creates an iterator that will paginate through responses from "RAM.Client.get_resource_shares()". See also: AWS API Documentation **Request Syntax** response_iterator = paginator.paginate( resourceShareArns=[ 'string', ], resourceShareStatus='PENDING'|'ACTIVE'|'FAILED'|'DELETING'|'DELETED', resourceOwner='SELF'|'OTHER-ACCOUNTS', name='string', tagFilters=[ { 'tagKey': 'string', 'tagValues': [ 'string', ] }, ], permissionArn='string', permissionVersion=123, PaginationConfig={ 'MaxItems': 123, 'PageSize': 123, 'StartingToken': 'string' } ) Parameters: * **resourceShareArns** (*list*) -- Specifies the Amazon Resource Names (ARNs) of individual resource shares that you want information about. * *(string) --* * **resourceShareStatus** (*string*) -- Specifies that you want to retrieve details of only those resource shares that have this status. * **resourceOwner** (*string*) -- **[REQUIRED]** Specifies that you want to retrieve details of only those resource shares that match the following: * "SELF" – resource shares that your account shares with other accounts * "OTHER-ACCOUNTS" – resource shares that other accounts share with your account * **name** (*string*) -- Specifies the name of an individual resource share that you want to retrieve details about. * **tagFilters** (*list*) -- Specifies that you want to retrieve details of only those resource shares that match the specified tag keys and values. * *(dict) --* A tag key and optional list of possible values that you can use to filter results for tagged resources. * **tagKey** *(string) --* The tag key. This must have a valid string value and can't be empty. * **tagValues** *(list) --* A list of zero or more tag values. If no values are provided, then the filter matches any tag with the specified key, regardless of its value. * *(string) --* * **permissionArn** (*string*) -- Specifies that you want to retrieve details of only those resource shares that use the managed permission with this Amazon Resource Name (ARN). * **permissionVersion** (*integer*) -- Specifies that you want to retrieve details for only those resource shares that use the specified version of the managed permission. * **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination. * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination. * **PageSize** *(integer) --* The size of each page. * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response. Return type: dict Returns: **Response Syntax** { 'resourceShares': [ { 'resourceShareArn': 'string', 'name': 'string', 'owningAccountId': 'string', 'allowExternalPrincipals': True|False, 'status': 'PENDING'|'ACTIVE'|'FAILED'|'DELETING'|'DELETED', 'statusMessage': 'string', 'tags': [ { 'key': 'string', 'value': 'string' }, ], 'creationTime': datetime(2015, 1, 1), 'lastUpdatedTime': datetime(2015, 1, 1), 'featureSet': 'CREATED_FROM_POLICY'|'PROMOTING_TO_STANDARD'|'STANDARD' }, ], 'NextToken': 'string' } **Response Structure** * *(dict) --* * **resourceShares** *(list) --* An array of objects that contain the information about the resource shares. * *(dict) --* Describes a resource share in RAM. * **resourceShareArn** *(string) --* The Amazon Resource Name (ARN) of the resource share * **name** *(string) --* The name of the resource share. * **owningAccountId** *(string) --* The ID of the Amazon Web Services account that owns the resource share. * **allowExternalPrincipals** *(boolean) --* Indicates whether principals outside your organization in Organizations can be associated with a resource share. * "True" – the resource share can be shared with any Amazon Web Services account. * "False" – the resource share can be shared with only accounts in the same organization as the account that owns the resource share. * **status** *(string) --* The current status of the resource share. * **statusMessage** *(string) --* A message about the status of the resource share. * **tags** *(list) --* The tag key and value pairs attached to the resource share. * *(dict) --* A structure containing a tag. A tag is metadata that you can attach to your resources to help organize and categorize them. You can also use them to help you secure your resources. For more information, see Controlling access to Amazon Web Services resources using tags. For more information about tags, see Tagging Amazon Web Services resources in the *Amazon Web Services General Reference Guide*. * **key** *(string) --* The key, or name, attached to the tag. Every tag must have a key. Key names are case sensitive. * **value** *(string) --* The string value attached to the tag. The value can be an empty string. Key values are case sensitive. * **creationTime** *(datetime) --* The date and time when the resource share was created. * **lastUpdatedTime** *(datetime) --* The date and time when the resource share was last updated. * **featureSet** *(string) --* Indicates what features are available for this resource share. This parameter can have one of the following values: * **STANDARD** – A resource share that supports all functionality. These resource shares are visible to all principals you share the resource share with. You can modify these resource shares in RAM using the console or APIs. This resource share might have been created by RAM, or it might have been **CREATED_FROM_POLICY** and then promoted. * **CREATED_FROM_POLICY** – The customer manually shared a resource by attaching a resource-based policy. That policy did not match any existing managed permissions, so RAM created this customer managed permission automatically on the customer's behalf based on the attached policy document. This type of resource share is visible only to the Amazon Web Services account that created it. You can't modify it in RAM unless you promote it. For more information, see PromoteResourceShareCreatedFromPolicy. * **PROMOTING_TO_STANDARD** – This resource share was originally "CREATED_FROM_POLICY", but the customer ran the PromoteResourceShareCreatedFromPolicy and that operation is still in progress. This value changes to "STANDARD" when complete. * **NextToken** *(string) --* A token to resume pagination. RAM / Paginator / GetResourcePolicies GetResourcePolicies ******************* class RAM.Paginator.GetResourcePolicies paginator = client.get_paginator('get_resource_policies') paginate(**kwargs) Creates an iterator that will paginate through responses from "RAM.Client.get_resource_policies()". See also: AWS API Documentation **Request Syntax** response_iterator = paginator.paginate( resourceArns=[ 'string', ], principal='string', PaginationConfig={ 'MaxItems': 123, 'PageSize': 123, 'StartingToken': 'string' } ) Parameters: * **resourceArns** (*list*) -- **[REQUIRED]** Specifies the Amazon Resource Names (ARNs) of the resources whose policies you want to retrieve. * *(string) --* * **principal** (*string*) -- Specifies the principal. * **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination. * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination. * **PageSize** *(integer) --* The size of each page. * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response. Return type: dict Returns: **Response Syntax** { 'policies': [ 'string', ], 'NextToken': 'string' } **Response Structure** * *(dict) --* * **policies** *(list) --* An array of resource policy documents in JSON format. * *(string) --* * **NextToken** *(string) --* A token to resume pagination. RAM / Paginator / ListPrincipals ListPrincipals ************** class RAM.Paginator.ListPrincipals paginator = client.get_paginator('list_principals') paginate(**kwargs) Creates an iterator that will paginate through responses from "RAM.Client.list_principals()". See also: AWS API Documentation **Request Syntax** response_iterator = paginator.paginate( resourceOwner='SELF'|'OTHER-ACCOUNTS', resourceArn='string', principals=[ 'string', ], resourceType='string', resourceShareArns=[ 'string', ], PaginationConfig={ 'MaxItems': 123, 'PageSize': 123, 'StartingToken': 'string' } ) Parameters: * **resourceOwner** (*string*) -- **[REQUIRED]** Specifies that you want to list information for only resource shares that match the following: * "SELF" – principals that your account is sharing resources with * "OTHER-ACCOUNTS" – principals that are sharing resources with your account * **resourceArn** (*string*) -- Specifies that you want to list principal information for the resource share with the specified Amazon Resource Name (ARN). * **principals** (*list*) -- Specifies that you want to list information for only the listed principals. You can include the following values: * An Amazon Web Services account ID, for example: "123456789012" * An Amazon Resource Name (ARN) of an organization in Organizations, for example: "organizations::123456789012:organization/o-exampleorgid" * An ARN of an organizational unit (OU) in Organizations, for example: "organizations::123456789012:ou/o-exampleorgid/ou- examplerootid-exampleouid123" * An ARN of an IAM role, for example: "iam::123456789012:role/rolename" * An ARN of an IAM user, for example: "iam::123456789012user/username" Note: Not all resource types can be shared with IAM roles and users. For more information, see Sharing with IAM roles and users in the *Resource Access Manager User Guide*. * *(string) --* * **resourceType** (*string*) -- Specifies that you want to list information for only principals associated with resource shares that include the specified resource type. For a list of valid values, query the ListResourceTypes operation. * **resourceShareArns** (*list*) -- Specifies that you want to list information for only principals associated with the resource shares specified by a list the Amazon Resource Names (ARNs). * *(string) --* * **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination. * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination. * **PageSize** *(integer) --* The size of each page. * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response. Return type: dict Returns: **Response Syntax** { 'principals': [ { 'id': 'string', 'resourceShareArn': 'string', 'creationTime': datetime(2015, 1, 1), 'lastUpdatedTime': datetime(2015, 1, 1), 'external': True|False }, ], 'NextToken': 'string' } **Response Structure** * *(dict) --* * **principals** *(list) --* An array of objects that contain the details about the principals. * *(dict) --* Describes a principal for use with Resource Access Manager. * **id** *(string) --* The ID of the principal that can be associated with a resource share. * **resourceShareArn** *(string) --* The Amazon Resource Name (ARN) of a resource share the principal is associated with. * **creationTime** *(datetime) --* The date and time when the principal was associated with the resource share. * **lastUpdatedTime** *(datetime) --* The date and time when the association between the resource share and the principal was last updated. * **external** *(boolean) --* Indicates the relationship between the Amazon Web Services account the principal belongs to and the account that owns the resource share: * "True" – The two accounts belong to same organization. * "False" – The two accounts do not belong to the same organization. * **NextToken** *(string) --* A token to resume pagination. RAM / Client / get_paginator get_paginator ************* RAM.Client.get_paginator(operation_name) Create a paginator for an operation. Parameters: **operation_name** (*string*) -- The operation name. This is the same name as the method name on the client. For example, if the method name is "create_foo", and you'd normally invoke the operation as "client.create_foo(**kwargs)", if the "create_foo" operation can be paginated, you can use the call "client.get_paginator("create_foo")". Raises: **OperationNotPageableError** -- Raised if the operation is not pageable. You can use the "client.can_paginate" method to check if an operation is pageable. Return type: "botocore.paginate.Paginator" Returns: A paginator object. RAM / Client / update_resource_share update_resource_share ********************* RAM.Client.update_resource_share(**kwargs) Modifies some of the properties of the specified resource share. See also: AWS API Documentation **Request Syntax** response = client.update_resource_share( resourceShareArn='string', name='string', allowExternalPrincipals=True|False, clientToken='string' ) Parameters: * **resourceShareArn** (*string*) -- **[REQUIRED]** Specifies the Amazon Resource Name (ARN) of the resource share that you want to modify. * **name** (*string*) -- If specified, the new name that you want to attach to the resource share. * **allowExternalPrincipals** (*boolean*) -- Specifies whether principals outside your organization in Organizations can be associated with a resource share. * **clientToken** (*string*) -- Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value.. If you don't provide this value, then Amazon Web Services generates a random one for you. If you retry the operation with the same "ClientToken", but with different parameters, the retry fails with an "IdempotentParameterMismatch" error. Return type: dict Returns: **Response Syntax** { 'resourceShare': { 'resourceShareArn': 'string', 'name': 'string', 'owningAccountId': 'string', 'allowExternalPrincipals': True|False, 'status': 'PENDING'|'ACTIVE'|'FAILED'|'DELETING'|'DELETED', 'statusMessage': 'string', 'tags': [ { 'key': 'string', 'value': 'string' }, ], 'creationTime': datetime(2015, 1, 1), 'lastUpdatedTime': datetime(2015, 1, 1), 'featureSet': 'CREATED_FROM_POLICY'|'PROMOTING_TO_STANDARD'|'STANDARD' }, 'clientToken': 'string' } **Response Structure** * *(dict) --* * **resourceShare** *(dict) --* Information about the resource share. * **resourceShareArn** *(string) --* The Amazon Resource Name (ARN) of the resource share * **name** *(string) --* The name of the resource share. * **owningAccountId** *(string) --* The ID of the Amazon Web Services account that owns the resource share. * **allowExternalPrincipals** *(boolean) --* Indicates whether principals outside your organization in Organizations can be associated with a resource share. * "True" – the resource share can be shared with any Amazon Web Services account. * "False" – the resource share can be shared with only accounts in the same organization as the account that owns the resource share. * **status** *(string) --* The current status of the resource share. * **statusMessage** *(string) --* A message about the status of the resource share. * **tags** *(list) --* The tag key and value pairs attached to the resource share. * *(dict) --* A structure containing a tag. A tag is metadata that you can attach to your resources to help organize and categorize them. You can also use them to help you secure your resources. For more information, see Controlling access to Amazon Web Services resources using tags. For more information about tags, see Tagging Amazon Web Services resources in the *Amazon Web Services General Reference Guide*. * **key** *(string) --* The key, or name, attached to the tag. Every tag must have a key. Key names are case sensitive. * **value** *(string) --* The string value attached to the tag. The value can be an empty string. Key values are case sensitive. * **creationTime** *(datetime) --* The date and time when the resource share was created. * **lastUpdatedTime** *(datetime) --* The date and time when the resource share was last updated. * **featureSet** *(string) --* Indicates what features are available for this resource share. This parameter can have one of the following values: * **STANDARD** – A resource share that supports all functionality. These resource shares are visible to all principals you share the resource share with. You can modify these resource shares in RAM using the console or APIs. This resource share might have been created by RAM, or it might have been **CREATED_FROM_POLICY** and then promoted. * **CREATED_FROM_POLICY** – The customer manually shared a resource by attaching a resource-based policy. That policy did not match any existing managed permissions, so RAM created this customer managed permission automatically on the customer's behalf based on the attached policy document. This type of resource share is visible only to the Amazon Web Services account that created it. You can't modify it in RAM unless you promote it. For more information, see PromoteResourceShareCreatedFromPolicy. * **PROMOTING_TO_STANDARD** – This resource share was originally "CREATED_FROM_POLICY", but the customer ran the PromoteResourceShareCreatedFromPolicy and that operation is still in progress. This value changes to "STANDARD" when complete. * **clientToken** *(string) --* The idempotency identifier associated with this request. If you want to repeat the same operation in an idempotent manner then you must include this value in the "clientToken" request parameter of that later call. All other parameters must also have the same values that you used in the first call. **Exceptions** * "RAM.Client.exceptions.IdempotentParameterMismatchException" * "RAM.Client.exceptions.MissingRequiredParameterException" * "RAM.Client.exceptions.UnknownResourceException" * "RAM.Client.exceptions.MalformedArnException" * "RAM.Client.exceptions.InvalidClientTokenException" * "RAM.Client.exceptions.InvalidParameterException" * "RAM.Client.exceptions.OperationNotPermittedException" * "RAM.Client.exceptions.ServerInternalException" * "RAM.Client.exceptions.ServiceUnavailableException" RAM / Client / can_paginate can_paginate ************ RAM.Client.can_paginate(operation_name) Check if an operation can be paginated. Parameters: **operation_name** (*string*) -- The operation name. This is the same name as the method name on the client. For example, if the method name is "create_foo", and you'd normally invoke the operation as "client.create_foo(**kwargs)", if the "create_foo" operation can be paginated, you can use the call "client.get_paginator("create_foo")". Returns: "True" if the operation can be paginated, "False" otherwise. RAM / Client / delete_permission delete_permission ***************** RAM.Client.delete_permission(**kwargs) Deletes the specified customer managed permission in the Amazon Web Services Region in which you call this operation. You can delete a customer managed permission only if it isn't attached to any resource share. The operation deletes all versions associated with the customer managed permission. See also: AWS API Documentation **Request Syntax** response = client.delete_permission( permissionArn='string', clientToken='string' ) Parameters: * **permissionArn** (*string*) -- **[REQUIRED]** Specifies the Amazon Resource Name (ARN) of the customer managed permission that you want to delete. * **clientToken** (*string*) -- Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value.. If you don't provide this value, then Amazon Web Services generates a random one for you. If you retry the operation with the same "ClientToken", but with different parameters, the retry fails with an "IdempotentParameterMismatch" error. Return type: dict Returns: **Response Syntax** { 'returnValue': True|False, 'clientToken': 'string', 'permissionStatus': 'ATTACHABLE'|'UNATTACHABLE'|'DELETING'|'DELETED' } **Response Structure** * *(dict) --* * **returnValue** *(boolean) --* A boolean that indicates whether the delete operations succeeded. * **clientToken** *(string) --* The idempotency identifier associated with this request. If you want to repeat the same operation in an idempotent manner then you must include this value in the "clientToken" request parameter of that later call. All other parameters must also have the same values that you used in the first call. * **permissionStatus** *(string) --* This operation is performed asynchronously, and this response parameter indicates the current status. **Exceptions** * "RAM.Client.exceptions.MalformedArnException" * "RAM.Client.exceptions.ServerInternalException" * "RAM.Client.exceptions.ServiceUnavailableException" * "RAM.Client.exceptions.OperationNotPermittedException" * "RAM.Client.exceptions.UnknownResourceException" * "RAM.Client.exceptions.InvalidClientTokenException" * "RAM.Client.exceptions.IdempotentParameterMismatchException" RAM / Client / delete_permission_version delete_permission_version ************************* RAM.Client.delete_permission_version(**kwargs) Deletes one version of a customer managed permission. The version you specify must not be attached to any resource share and must not be the default version for the permission. If a customer managed permission has the maximum of 5 versions, then you must delete at least one version before you can create another. See also: AWS API Documentation **Request Syntax** response = client.delete_permission_version( permissionArn='string', permissionVersion=123, clientToken='string' ) Parameters: * **permissionArn** (*string*) -- **[REQUIRED]** Specifies the Amazon Resource Name (ARN) of the permission with the version you want to delete. * **permissionVersion** (*integer*) -- **[REQUIRED]** Specifies the version number to delete. You can't delete the default version for a customer managed permission. You can't delete a version if it's the only version of the permission. You must either first create another version, or delete the permission completely. You can't delete a version if it is attached to any resource shares. If the version is the default, you must first use SetDefaultPermissionVersion to set a different version as the default for the customer managed permission, and then use AssociateResourceSharePermission to update your resource shares to use the new default version. * **clientToken** (*string*) -- Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value.. If you don't provide this value, then Amazon Web Services generates a random one for you. If you retry the operation with the same "ClientToken", but with different parameters, the retry fails with an "IdempotentParameterMismatch" error. Return type: dict Returns: **Response Syntax** { 'returnValue': True|False, 'clientToken': 'string', 'permissionStatus': 'ATTACHABLE'|'UNATTACHABLE'|'DELETING'|'DELETED' } **Response Structure** * *(dict) --* * **returnValue** *(boolean) --* A boolean value that indicates whether the operation is successful. * **clientToken** *(string) --* The idempotency identifier associated with this request. If you want to repeat the same operation in an idempotent manner then you must include this value in the "clientToken" request parameter of that later call. All other parameters must also have the same values that you used in the first call. * **permissionStatus** *(string) --* This operation is performed asynchronously, and this response parameter indicates the current status. **Exceptions** * "RAM.Client.exceptions.MalformedArnException" * "RAM.Client.exceptions.InvalidParameterException" * "RAM.Client.exceptions.ServerInternalException" * "RAM.Client.exceptions.ServiceUnavailableException" * "RAM.Client.exceptions.OperationNotPermittedException" * "RAM.Client.exceptions.UnknownResourceException" * "RAM.Client.exceptions.InvalidClientTokenException" * "RAM.Client.exceptions.IdempotentParameterMismatchException" RAM / Client / list_permission_versions list_permission_versions ************************ RAM.Client.list_permission_versions(**kwargs) Lists the available versions of the specified RAM permission. See also: AWS API Documentation **Request Syntax** response = client.list_permission_versions( permissionArn='string', nextToken='string', maxResults=123 ) Parameters: * **permissionArn** (*string*) -- **[REQUIRED]** Specifies the Amazon Resource Name (ARN) of the RAM permission whose versions you want to list. You can use the "permissionVersion" parameter on the AssociateResourceSharePermission operation to specify a non- default version to attach. * **nextToken** (*string*) -- Specifies that you want to receive the next page of results. Valid only if you received a "NextToken" response in the previous request. If you did, it indicates that more output is available. Set this parameter to the value provided by the previous call's "NextToken" response to request the next page of results. * **maxResults** (*integer*) -- Specifies the total number of results that you want included on each page of the response. If you do not include this parameter, it defaults to a value that is specific to the operation. If additional items exist beyond the number you specify, the "NextToken" response element is returned with a value (not null). Include the specified value as the "NextToken" request parameter in the next call to the operation to get the next part of the results. Note that the service might return fewer results than the maximum even when there are more results available. You should check "NextToken" after every operation to ensure that you receive all of the results. Return type: dict Returns: **Response Syntax** { 'permissions': [ { 'arn': 'string', 'version': 'string', 'defaultVersion': True|False, 'name': 'string', 'resourceType': 'string', 'status': 'string', 'creationTime': datetime(2015, 1, 1), 'lastUpdatedTime': datetime(2015, 1, 1), 'isResourceTypeDefault': True|False, 'permissionType': 'CUSTOMER_MANAGED'|'AWS_MANAGED', 'featureSet': 'CREATED_FROM_POLICY'|'PROMOTING_TO_STANDARD'|'STANDARD', 'tags': [ { 'key': 'string', 'value': 'string' }, ] }, ], 'nextToken': 'string' } **Response Structure** * *(dict) --* * **permissions** *(list) --* An array of objects that contain details for each of the available versions. * *(dict) --* Information about an RAM permission. * **arn** *(string) --* The Amazon Resource Name (ARN) of the permission you want information about. * **version** *(string) --* The version of the permission associated with this resource share. * **defaultVersion** *(boolean) --* Specifies whether the version of the managed permission used by this resource share is the default version for this managed permission. * **name** *(string) --* The name of this managed permission. * **resourceType** *(string) --* The type of resource to which this permission applies. This takes the form of: "service-code": "resource-code", and is case-insensitive. For example, an Amazon EC2 Subnet would be represented by the string "ec2:subnet". * **status** *(string) --* The current status of the permission. * **creationTime** *(datetime) --* The date and time when the permission was created. * **lastUpdatedTime** *(datetime) --* The date and time when the permission was last updated. * **isResourceTypeDefault** *(boolean) --* Specifies whether the managed permission associated with this resource share is the default managed permission for all resources of this resource type. * **permissionType** *(string) --* The type of managed permission. This can be one of the following values: * "AWS_MANAGED" – Amazon Web Services created and manages this managed permission. You can associate it with your resource shares, but you can't modify it. * "CUSTOMER_MANAGED" – You, or another principal in your account created this managed permission. You can associate it with your resource shares and create new versions that have different permissions. * **featureSet** *(string) --* Indicates what features are available for this resource share. This parameter can have one of the following values: * **STANDARD** – A resource share that supports all functionality. These resource shares are visible to all principals you share the resource share with. You can modify these resource shares in RAM using the console or APIs. This resource share might have been created by RAM, or it might have been **CREATED_FROM_POLICY** and then promoted. * **CREATED_FROM_POLICY** – The customer manually shared a resource by attaching a resource-based policy. That policy did not match any existing managed permissions, so RAM created this customer managed permission automatically on the customer's behalf based on the attached policy document. This type of resource share is visible only to the Amazon Web Services account that created it. You can't modify it in RAM unless you promote it. For more information, see PromoteResourceShareCreatedFromPolicy. * **PROMOTING_TO_STANDARD** – This resource share was originally "CREATED_FROM_POLICY", but the customer ran the PromoteResourceShareCreatedFromPolicy and that operation is still in progress. This value changes to "STANDARD" when complete. * **tags** *(list) --* A list of the tag key value pairs currently attached to the permission. * *(dict) --* A structure containing a tag. A tag is metadata that you can attach to your resources to help organize and categorize them. You can also use them to help you secure your resources. For more information, see Controlling access to Amazon Web Services resources using tags. For more information about tags, see Tagging Amazon Web Services resources in the *Amazon Web Services General Reference Guide*. * **key** *(string) --* The key, or name, attached to the tag. Every tag must have a key. Key names are case sensitive. * **value** *(string) --* The string value attached to the tag. The value can be an empty string. Key values are case sensitive. * **nextToken** *(string) --* If present, this value indicates that more output is available than is included in the current response. Use this value in the "NextToken" request parameter in a subsequent call to the operation to get the next part of the output. You should repeat this until the "NextToken" response element comes back as "null". This indicates that this is the last page of results. **Exceptions** * "RAM.Client.exceptions.MalformedArnException" * "RAM.Client.exceptions.UnknownResourceException" * "RAM.Client.exceptions.InvalidNextTokenException" * "RAM.Client.exceptions.ServerInternalException" * "RAM.Client.exceptions.ServiceUnavailableException" * "RAM.Client.exceptions.OperationNotPermittedException" * "RAM.Client.exceptions.InvalidParameterException" RAM / Client / disassociate_resource_share disassociate_resource_share *************************** RAM.Client.disassociate_resource_share(**kwargs) Removes the specified principals or resources from participating in the specified resource share. See also: AWS API Documentation **Request Syntax** response = client.disassociate_resource_share( resourceShareArn='string', resourceArns=[ 'string', ], principals=[ 'string', ], clientToken='string', sources=[ 'string', ] ) Parameters: * **resourceShareArn** (*string*) -- **[REQUIRED]** Specifies Amazon Resource Name (ARN) of the resource share that you want to remove resources or principals from. * **resourceArns** (*list*) -- Specifies a list of Amazon Resource Names (ARNs) for one or more resources that you want to remove from the resource share. After the operation runs, these resources are no longer shared with principals associated with the resource share. * *(string) --* * **principals** (*list*) -- Specifies a list of one or more principals that no longer are to have access to the resources in this resource share. You can include the following values: * An Amazon Web Services account ID, for example: "123456789012" * An Amazon Resource Name (ARN) of an organization in Organizations, for example: "organizations::123456789012:organization/o-exampleorgid" * An ARN of an organizational unit (OU) in Organizations, for example: "organizations::123456789012:ou/o-exampleorgid/ou- examplerootid-exampleouid123" * An ARN of an IAM role, for example: "iam::123456789012:role/rolename" * An ARN of an IAM user, for example: "iam::123456789012user/username" Note: Not all resource types can be shared with IAM roles and users. For more information, see Sharing with IAM roles and users in the *Resource Access Manager User Guide*. * *(string) --* * **clientToken** (*string*) -- Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value.. If you don't provide this value, then Amazon Web Services generates a random one for you. If you retry the operation with the same "ClientToken", but with different parameters, the retry fails with an "IdempotentParameterMismatch" error. * **sources** (*list*) -- Specifies from which source accounts the service principal no longer has access to the resources in this resource share. * *(string) --* Return type: dict Returns: **Response Syntax** { 'resourceShareAssociations': [ { 'resourceShareArn': 'string', 'resourceShareName': 'string', 'associatedEntity': 'string', 'associationType': 'PRINCIPAL'|'RESOURCE', 'status': 'ASSOCIATING'|'ASSOCIATED'|'FAILED'|'DISASSOCIATING'|'DISASSOCIATED', 'statusMessage': 'string', 'creationTime': datetime(2015, 1, 1), 'lastUpdatedTime': datetime(2015, 1, 1), 'external': True|False }, ], 'clientToken': 'string' } **Response Structure** * *(dict) --* * **resourceShareAssociations** *(list) --* An array of objects with information about the updated associations for this resource share. * *(dict) --* Describes an association between a resource share and either a principal or a resource. * **resourceShareArn** *(string) --* The Amazon Resource Name (ARN) of the resource share. * **resourceShareName** *(string) --* The name of the resource share. * **associatedEntity** *(string) --* The associated entity. This can be either of the following: * For a resource association, this is the Amazon Resource Name (ARN) of the resource. * For principal associations, this is one of the following: * The ID of an Amazon Web Services account * The Amazon Resource Name (ARN) of an organization in Organizations * The ARN of an organizational unit (OU) in Organizations * The ARN of an IAM role * The ARN of an IAM user * **associationType** *(string) --* The type of entity included in this association. * **status** *(string) --* The current status of the association. * **statusMessage** *(string) --* A message about the status of the association. * **creationTime** *(datetime) --* The date and time when the association was created. * **lastUpdatedTime** *(datetime) --* The date and time when the association was last updated. * **external** *(boolean) --* Indicates whether the principal belongs to the same organization in Organizations as the Amazon Web Services account that owns the resource share. * **clientToken** *(string) --* The idempotency identifier associated with this request. If you want to repeat the same operation in an idempotent manner then you must include this value in the "clientToken" request parameter of that later call. All other parameters must also have the same values that you used in the first call. **Exceptions** * "RAM.Client.exceptions.IdempotentParameterMismatchException" * "RAM.Client.exceptions.ResourceShareLimitExceededException" * "RAM.Client.exceptions.MalformedArnException" * "RAM.Client.exceptions.InvalidStateTransitionException" * "RAM.Client.exceptions.InvalidClientTokenException" * "RAM.Client.exceptions.InvalidParameterException" * "RAM.Client.exceptions.OperationNotPermittedException" * "RAM.Client.exceptions.ServerInternalException" * "RAM.Client.exceptions.ServiceUnavailableException" * "RAM.Client.exceptions.UnknownResourceException" RAM / Client / untag_resource untag_resource ************** RAM.Client.untag_resource(**kwargs) Removes the specified tag key and value pairs from the specified resource share or managed permission. See also: AWS API Documentation **Request Syntax** response = client.untag_resource( resourceShareArn='string', tagKeys=[ 'string', ], resourceArn='string' ) Parameters: * **resourceShareArn** (*string*) -- Specifies the Amazon Resource Name (ARN) of the resource share that you want to remove tags from. The tags are removed from the resource share, not the resources in the resource share. You must specify either "resourceShareArn", or "resourceArn", but not both. * **tagKeys** (*list*) -- **[REQUIRED]** Specifies a list of one or more tag keys that you want to remove. * *(string) --* * **resourceArn** (*string*) -- Specifies the Amazon Resource Name (ARN) of the managed permission that you want to remove tags from. You must specify either "resourceArn", or "resourceShareArn", but not both. Return type: dict Returns: **Response Syntax** {} **Response Structure** * *(dict) --* **Exceptions** * "RAM.Client.exceptions.UnknownResourceException" * "RAM.Client.exceptions.InvalidParameterException" * "RAM.Client.exceptions.MalformedArnException" * "RAM.Client.exceptions.ServerInternalException" * "RAM.Client.exceptions.ServiceUnavailableException" RAM / Client / list_resource_share_permissions list_resource_share_permissions ******************************* RAM.Client.list_resource_share_permissions(**kwargs) Lists the RAM permissions that are associated with a resource share. See also: AWS API Documentation **Request Syntax** response = client.list_resource_share_permissions( resourceShareArn='string', nextToken='string', maxResults=123 ) Parameters: * **resourceShareArn** (*string*) -- **[REQUIRED]** Specifies the Amazon Resource Name (ARN) of the resource share for which you want to retrieve the associated permissions. * **nextToken** (*string*) -- Specifies that you want to receive the next page of results. Valid only if you received a "NextToken" response in the previous request. If you did, it indicates that more output is available. Set this parameter to the value provided by the previous call's "NextToken" response to request the next page of results. * **maxResults** (*integer*) -- Specifies the total number of results that you want included on each page of the response. If you do not include this parameter, it defaults to a value that is specific to the operation. If additional items exist beyond the number you specify, the "NextToken" response element is returned with a value (not null). Include the specified value as the "NextToken" request parameter in the next call to the operation to get the next part of the results. Note that the service might return fewer results than the maximum even when there are more results available. You should check "NextToken" after every operation to ensure that you receive all of the results. Return type: dict Returns: **Response Syntax** { 'permissions': [ { 'arn': 'string', 'version': 'string', 'defaultVersion': True|False, 'name': 'string', 'resourceType': 'string', 'status': 'string', 'creationTime': datetime(2015, 1, 1), 'lastUpdatedTime': datetime(2015, 1, 1), 'isResourceTypeDefault': True|False, 'permissionType': 'CUSTOMER_MANAGED'|'AWS_MANAGED', 'featureSet': 'CREATED_FROM_POLICY'|'PROMOTING_TO_STANDARD'|'STANDARD', 'tags': [ { 'key': 'string', 'value': 'string' }, ] }, ], 'nextToken': 'string' } **Response Structure** * *(dict) --* * **permissions** *(list) --* An array of objects that describe the permissions associated with the resource share. * *(dict) --* Information about an RAM permission. * **arn** *(string) --* The Amazon Resource Name (ARN) of the permission you want information about. * **version** *(string) --* The version of the permission associated with this resource share. * **defaultVersion** *(boolean) --* Specifies whether the version of the managed permission used by this resource share is the default version for this managed permission. * **name** *(string) --* The name of this managed permission. * **resourceType** *(string) --* The type of resource to which this permission applies. This takes the form of: "service-code": "resource-code", and is case-insensitive. For example, an Amazon EC2 Subnet would be represented by the string "ec2:subnet". * **status** *(string) --* The current status of the permission. * **creationTime** *(datetime) --* The date and time when the permission was created. * **lastUpdatedTime** *(datetime) --* The date and time when the permission was last updated. * **isResourceTypeDefault** *(boolean) --* Specifies whether the managed permission associated with this resource share is the default managed permission for all resources of this resource type. * **permissionType** *(string) --* The type of managed permission. This can be one of the following values: * "AWS_MANAGED" – Amazon Web Services created and manages this managed permission. You can associate it with your resource shares, but you can't modify it. * "CUSTOMER_MANAGED" – You, or another principal in your account created this managed permission. You can associate it with your resource shares and create new versions that have different permissions. * **featureSet** *(string) --* Indicates what features are available for this resource share. This parameter can have one of the following values: * **STANDARD** – A resource share that supports all functionality. These resource shares are visible to all principals you share the resource share with. You can modify these resource shares in RAM using the console or APIs. This resource share might have been created by RAM, or it might have been **CREATED_FROM_POLICY** and then promoted. * **CREATED_FROM_POLICY** – The customer manually shared a resource by attaching a resource-based policy. That policy did not match any existing managed permissions, so RAM created this customer managed permission automatically on the customer's behalf based on the attached policy document. This type of resource share is visible only to the Amazon Web Services account that created it. You can't modify it in RAM unless you promote it. For more information, see PromoteResourceShareCreatedFromPolicy. * **PROMOTING_TO_STANDARD** – This resource share was originally "CREATED_FROM_POLICY", but the customer ran the PromoteResourceShareCreatedFromPolicy and that operation is still in progress. This value changes to "STANDARD" when complete. * **tags** *(list) --* A list of the tag key value pairs currently attached to the permission. * *(dict) --* A structure containing a tag. A tag is metadata that you can attach to your resources to help organize and categorize them. You can also use them to help you secure your resources. For more information, see Controlling access to Amazon Web Services resources using tags. For more information about tags, see Tagging Amazon Web Services resources in the *Amazon Web Services General Reference Guide*. * **key** *(string) --* The key, or name, attached to the tag. Every tag must have a key. Key names are case sensitive. * **value** *(string) --* The string value attached to the tag. The value can be an empty string. Key values are case sensitive. * **nextToken** *(string) --* If present, this value indicates that more output is available than is included in the current response. Use this value in the "NextToken" request parameter in a subsequent call to the operation to get the next part of the output. You should repeat this until the "NextToken" response element comes back as "null". This indicates that this is the last page of results. **Exceptions** * "RAM.Client.exceptions.InvalidParameterException" * "RAM.Client.exceptions.MalformedArnException" * "RAM.Client.exceptions.UnknownResourceException" * "RAM.Client.exceptions.InvalidNextTokenException" * "RAM.Client.exceptions.ServerInternalException" * "RAM.Client.exceptions.ServiceUnavailableException" * "RAM.Client.exceptions.OperationNotPermittedException" RAM / Client / list_resource_types list_resource_types ******************* RAM.Client.list_resource_types(**kwargs) Lists the resource types that can be shared by RAM. See also: AWS API Documentation **Request Syntax** response = client.list_resource_types( nextToken='string', maxResults=123, resourceRegionScope='ALL'|'REGIONAL'|'GLOBAL' ) Parameters: * **nextToken** (*string*) -- Specifies that you want to receive the next page of results. Valid only if you received a "NextToken" response in the previous request. If you did, it indicates that more output is available. Set this parameter to the value provided by the previous call's "NextToken" response to request the next page of results. * **maxResults** (*integer*) -- Specifies the total number of results that you want included on each page of the response. If you do not include this parameter, it defaults to a value that is specific to the operation. If additional items exist beyond the number you specify, the "NextToken" response element is returned with a value (not null). Include the specified value as the "NextToken" request parameter in the next call to the operation to get the next part of the results. Note that the service might return fewer results than the maximum even when there are more results available. You should check "NextToken" after every operation to ensure that you receive all of the results. * **resourceRegionScope** (*string*) -- Specifies that you want the results to include only resources that have the specified scope. * "ALL" – the results include both global and regional resources or resource types. * "GLOBAL" – the results include only global resources or resource types. * "REGIONAL" – the results include only regional resources or resource types. The default value is "ALL". Return type: dict Returns: **Response Syntax** { 'resourceTypes': [ { 'resourceType': 'string', 'serviceName': 'string', 'resourceRegionScope': 'REGIONAL'|'GLOBAL' }, ], 'nextToken': 'string' } **Response Structure** * *(dict) --* * **resourceTypes** *(list) --* An array of objects that contain information about the resource types that can be shared using RAM. * *(dict) --* Information about a shareable resource type and the Amazon Web Services service to which resources of that type belong. * **resourceType** *(string) --* The type of the resource. This takes the form of: "service-code": "resource-code", and is case- insensitive. For example, an Amazon EC2 Subnet would be represented by the string "ec2:subnet". * **serviceName** *(string) --* The name of the Amazon Web Services service to which resources of this type belong. * **resourceRegionScope** *(string) --* Specifies the scope of visibility of resources of this type: * **REGIONAL** – The resource can be accessed only by using requests that target the Amazon Web Services Region in which the resource exists. * **GLOBAL** – The resource can be accessed from any Amazon Web Services Region. * **nextToken** *(string) --* If present, this value indicates that more output is available than is included in the current response. Use this value in the "NextToken" request parameter in a subsequent call to the operation to get the next part of the output. You should repeat this until the "NextToken" response element comes back as "null". This indicates that this is the last page of results. **Exceptions** * "RAM.Client.exceptions.InvalidNextTokenException" * "RAM.Client.exceptions.InvalidParameterException" * "RAM.Client.exceptions.ServerInternalException" * "RAM.Client.exceptions.ServiceUnavailableException" RAM / Client / get_waiter get_waiter ********** RAM.Client.get_waiter(waiter_name) Returns an object that can wait for some condition. Parameters: **waiter_name** (*str*) -- The name of the waiter to get. See the waiters section of the service docs for a list of available waiters. Returns: The specified waiter object. Return type: "botocore.waiter.Waiter" RAM / Client / list_resources list_resources ************** RAM.Client.list_resources(**kwargs) Lists the resources that you added to a resource share or the resources that are shared with you. See also: AWS API Documentation **Request Syntax** response = client.list_resources( resourceOwner='SELF'|'OTHER-ACCOUNTS', principal='string', resourceType='string', resourceArns=[ 'string', ], resourceShareArns=[ 'string', ], nextToken='string', maxResults=123, resourceRegionScope='ALL'|'REGIONAL'|'GLOBAL' ) Parameters: * **resourceOwner** (*string*) -- **[REQUIRED]** Specifies that you want to list only the resource shares that match the following: * "SELF" – resources that your account shares with other accounts * "OTHER-ACCOUNTS" – resources that other accounts share with your account * **principal** (*string*) -- Specifies that you want to list only the resource shares that are associated with the specified principal. * **resourceType** (*string*) -- Specifies that you want to list only the resource shares that include resources of the specified resource type. For valid values, query the ListResourceTypes operation. * **resourceArns** (*list*) -- Specifies that you want to list only the resource shares that include resources with the specified Amazon Resource Names (ARNs). * *(string) --* * **resourceShareArns** (*list*) -- Specifies that you want to list only resources in the resource shares identified by the specified Amazon Resource Names (ARNs). * *(string) --* * **nextToken** (*string*) -- Specifies that you want to receive the next page of results. Valid only if you received a "NextToken" response in the previous request. If you did, it indicates that more output is available. Set this parameter to the value provided by the previous call's "NextToken" response to request the next page of results. * **maxResults** (*integer*) -- Specifies the total number of results that you want included on each page of the response. If you do not include this parameter, it defaults to a value that is specific to the operation. If additional items exist beyond the number you specify, the "NextToken" response element is returned with a value (not null). Include the specified value as the "NextToken" request parameter in the next call to the operation to get the next part of the results. Note that the service might return fewer results than the maximum even when there are more results available. You should check "NextToken" after every operation to ensure that you receive all of the results. * **resourceRegionScope** (*string*) -- Specifies that you want the results to include only resources that have the specified scope. * "ALL" – the results include both global and regional resources or resource types. * "GLOBAL" – the results include only global resources or resource types. * "REGIONAL" – the results include only regional resources or resource types. The default value is "ALL". Return type: dict Returns: **Response Syntax** { 'resources': [ { 'arn': 'string', 'type': 'string', 'resourceShareArn': 'string', 'resourceGroupArn': 'string', 'status': 'AVAILABLE'|'ZONAL_RESOURCE_INACCESSIBLE'|'LIMIT_EXCEEDED'|'UNAVAILABLE'|'PENDING', 'statusMessage': 'string', 'creationTime': datetime(2015, 1, 1), 'lastUpdatedTime': datetime(2015, 1, 1), 'resourceRegionScope': 'REGIONAL'|'GLOBAL' }, ], 'nextToken': 'string' } **Response Structure** * *(dict) --* * **resources** *(list) --* An array of objects that contain information about the resources. * *(dict) --* Describes a resource associated with a resource share in RAM. * **arn** *(string) --* The Amazon Resource Name (ARN) of the resource. * **type** *(string) --* The resource type. This takes the form of: "service- code": "resource-code", and is case-insensitive. For example, an Amazon EC2 Subnet would be represented by the string "ec2:subnet". * **resourceShareArn** *(string) --* The Amazon Resource Name (ARN) of the resource share this resource is associated with. * **resourceGroupArn** *(string) --* The Amazon Resource Name (ARN) of the resource group. This value is available only if the resource is part of a resource group. * **status** *(string) --* The current status of the resource. * **statusMessage** *(string) --* A message about the status of the resource. * **creationTime** *(datetime) --* The date and time when the resource was associated with the resource share. * **lastUpdatedTime** *(datetime) --* The date an time when the association between the resource and the resource share was last updated. * **resourceRegionScope** *(string) --* Specifies the scope of visibility of this resource: * **REGIONAL** – The resource can be accessed only by using requests that target the Amazon Web Services Region in which the resource exists. * **GLOBAL** – The resource can be accessed from any Amazon Web Services Region. * **nextToken** *(string) --* If present, this value indicates that more output is available than is included in the current response. Use this value in the "NextToken" request parameter in a subsequent call to the operation to get the next part of the output. You should repeat this until the "NextToken" response element comes back as "null". This indicates that this is the last page of results. **Exceptions** * "RAM.Client.exceptions.InvalidResourceTypeException" * "RAM.Client.exceptions.UnknownResourceException" * "RAM.Client.exceptions.MalformedArnException" * "RAM.Client.exceptions.InvalidNextTokenException" * "RAM.Client.exceptions.InvalidParameterException" * "RAM.Client.exceptions.ServerInternalException" * "RAM.Client.exceptions.ServiceUnavailableException" RAM / Client / associate_resource_share_permission associate_resource_share_permission *********************************** RAM.Client.associate_resource_share_permission(**kwargs) Adds or replaces the RAM permission for a resource type included in a resource share. You can have exactly one permission associated with each resource type in the resource share. You can add a new RAM permission only if there are currently no resources of that resource type currently in the resource share. See also: AWS API Documentation **Request Syntax** response = client.associate_resource_share_permission( resourceShareArn='string', permissionArn='string', replace=True|False, clientToken='string', permissionVersion=123 ) Parameters: * **resourceShareArn** (*string*) -- **[REQUIRED]** Specifies the Amazon Resource Name (ARN) of the resource share to which you want to add or replace permissions. * **permissionArn** (*string*) -- **[REQUIRED]** Specifies the Amazon Resource Name (ARN) of the RAM permission to associate with the resource share. To find the ARN for a permission, use either the ListPermissions operation or go to the Permissions library page in the RAM console and then choose the name of the permission. The ARN is displayed on the detail page. * **replace** (*boolean*) -- Specifies whether the specified permission should replace the existing permission associated with the resource share. Use "true" to replace the current permissions. Use "false" to add the permission to a resource share that currently doesn't have a permission. The default value is "false". Note: A resource share can have only one permission per resource type. If a resource share already has a permission for the specified resource type and you don't set "replace" to "true" then the operation returns an error. This helps prevent accidental overwriting of a permission. * **clientToken** (*string*) -- Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value.. If you don't provide this value, then Amazon Web Services generates a random one for you. If you retry the operation with the same "ClientToken", but with different parameters, the retry fails with an "IdempotentParameterMismatch" error. * **permissionVersion** (*integer*) -- Specifies the version of the RAM permission to associate with the resource share. You can specify *only* the version that is currently set as the default version for the permission. If you also set the "replace" pararameter to "true", then this operation updates an outdated version of the permission to the current default version. Note: You don't need to specify this parameter because the default behavior is to use the version that is currently set as the default version for the permission. This parameter is supported for backwards compatibility. Return type: dict Returns: **Response Syntax** { 'returnValue': True|False, 'clientToken': 'string' } **Response Structure** * *(dict) --* * **returnValue** *(boolean) --* A return value of "true" indicates that the request succeeded. A value of "false" indicates that the request failed. * **clientToken** *(string) --* The idempotency identifier associated with this request. If you want to repeat the same operation in an idempotent manner then you must include this value in the "clientToken" request parameter of that later call. All other parameters must also have the same values that you used in the first call. **Exceptions** * "RAM.Client.exceptions.MalformedArnException" * "RAM.Client.exceptions.UnknownResourceException" * "RAM.Client.exceptions.InvalidParameterException" * "RAM.Client.exceptions.InvalidClientTokenException" * "RAM.Client.exceptions.ServerInternalException" * "RAM.Client.exceptions.ServiceUnavailableException" * "RAM.Client.exceptions.OperationNotPermittedException" RAM / Client / create_permission_version create_permission_version ************************* RAM.Client.create_permission_version(**kwargs) Creates a new version of the specified customer managed permission. The new version is automatically set as the default version of the customer managed permission. New resource shares automatically use the default permission. Existing resource shares continue to use their original permission versions, but you can use ReplacePermissionAssociations to update them. If the specified customer managed permission already has the maximum of 5 versions, then you must delete one of the existing versions before you can create a new one. See also: AWS API Documentation **Request Syntax** response = client.create_permission_version( permissionArn='string', policyTemplate='string', clientToken='string' ) Parameters: * **permissionArn** (*string*) -- **[REQUIRED]** Specifies the Amazon Resource Name (ARN) of the customer managed permission you're creating a new version for. * **policyTemplate** (*string*) -- **[REQUIRED]** A string in JSON format string that contains the following elements of a resource-based policy: * **Effect**: must be set to "ALLOW". * **Action**: specifies the actions that are allowed by this customer managed permission. The list must contain only actions that are supported by the specified resource type. For a list of all actions supported by each resource type, see Actions, resources, and condition keys for Amazon Web Services services in the *Identity and Access Management User Guide*. * **Condition**: (optional) specifies conditional parameters that must evaluate to true when a user attempts an action for that action to be allowed. For more information about the Condition element, see IAM policies: Condition element in the *Identity and Access Management User Guide*. This template can't include either the "Resource" or "Principal" elements. Those are both filled in by RAM when it instantiates the resource-based policy on each resource shared using this managed permission. The "Resource" comes from the ARN of the specific resource that you are sharing. The "Principal" comes from the list of identities added to the resource share. * **clientToken** (*string*) -- Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value.. If you don't provide this value, then Amazon Web Services generates a random one for you. If you retry the operation with the same "ClientToken", but with different parameters, the retry fails with an "IdempotentParameterMismatch" error. Return type: dict Returns: **Response Syntax** { 'permission': { 'arn': 'string', 'version': 'string', 'defaultVersion': True|False, 'name': 'string', 'resourceType': 'string', 'permission': 'string', 'creationTime': datetime(2015, 1, 1), 'lastUpdatedTime': datetime(2015, 1, 1), 'isResourceTypeDefault': True|False, 'permissionType': 'CUSTOMER_MANAGED'|'AWS_MANAGED', 'featureSet': 'CREATED_FROM_POLICY'|'PROMOTING_TO_STANDARD'|'STANDARD', 'status': 'ATTACHABLE'|'UNATTACHABLE'|'DELETING'|'DELETED', 'tags': [ { 'key': 'string', 'value': 'string' }, ] }, 'clientToken': 'string' } **Response Structure** * *(dict) --* * **permission** *(dict) --* Information about a RAM managed permission. * **arn** *(string) --* The Amazon Resource Name (ARN) of this RAM managed permission. * **version** *(string) --* The version of the permission described in this response. * **defaultVersion** *(boolean) --* Specifies whether the version of the permission represented in this response is the default version for this permission. * **name** *(string) --* The name of this permission. * **resourceType** *(string) --* The resource type to which this permission applies. * **permission** *(string) --* The permission's effect and actions in JSON format. The "effect" indicates whether the specified actions are allowed or denied. The "actions" list the operations to which the principal is granted or denied access. * **creationTime** *(datetime) --* The date and time when the permission was created. * **lastUpdatedTime** *(datetime) --* The date and time when the permission was last updated. * **isResourceTypeDefault** *(boolean) --* Specifies whether the version of the permission represented in this response is the default version for all resources of this resource type. * **permissionType** *(string) --* The type of managed permission. This can be one of the following values: * "AWS_MANAGED" – Amazon Web Services created and manages this managed permission. You can associate it with your resource shares, but you can't modify it. * "CUSTOMER_MANAGED" – You, or another principal in your account created this managed permission. You can associate it with your resource shares and create new versions that have different permissions. * **featureSet** *(string) --* Indicates what features are available for this resource share. This parameter can have one of the following values: * **STANDARD** – A resource share that supports all functionality. These resource shares are visible to all principals you share the resource share with. You can modify these resource shares in RAM using the console or APIs. This resource share might have been created by RAM, or it might have been **CREATED_FROM_POLICY** and then promoted. * **CREATED_FROM_POLICY** – The customer manually shared a resource by attaching a resource-based policy. That policy did not match any existing managed permissions, so RAM created this customer managed permission automatically on the customer's behalf based on the attached policy document. This type of resource share is visible only to the Amazon Web Services account that created it. You can't modify it in RAM unless you promote it. For more information, see PromoteResourceShareCreatedFromPolicy. * **PROMOTING_TO_STANDARD** – This resource share was originally "CREATED_FROM_POLICY", but the customer ran the PromoteResourceShareCreatedFromPolicy and that operation is still in progress. This value changes to "STANDARD" when complete. * **status** *(string) --* The current status of the association between the permission and the resource share. The following are the possible values: * "ATTACHABLE" – This permission or version can be associated with resource shares. * "UNATTACHABLE" – This permission or version can't currently be associated with resource shares. * "DELETING" – This permission or version is in the process of being deleted. * "DELETED" – This permission or version is deleted. * **tags** *(list) --* The tag key and value pairs attached to the resource share. * *(dict) --* A structure containing a tag. A tag is metadata that you can attach to your resources to help organize and categorize them. You can also use them to help you secure your resources. For more information, see Controlling access to Amazon Web Services resources using tags. For more information about tags, see Tagging Amazon Web Services resources in the *Amazon Web Services General Reference Guide*. * **key** *(string) --* The key, or name, attached to the tag. Every tag must have a key. Key names are case sensitive. * **value** *(string) --* The string value attached to the tag. The value can be an empty string. Key values are case sensitive. * **clientToken** *(string) --* The idempotency identifier associated with this request. If you want to repeat the same operation in an idempotent manner then you must include this value in the "clientToken" request parameter of that later call. All other parameters must also have the same values that you used in the first call. **Exceptions** * "RAM.Client.exceptions.InvalidParameterException" * "RAM.Client.exceptions.InvalidPolicyException" * "RAM.Client.exceptions.ServerInternalException" * "RAM.Client.exceptions.ServiceUnavailableException" * "RAM.Client.exceptions.UnknownResourceException" * "RAM.Client.exceptions.MalformedPolicyTemplateException" * "RAM.Client.exceptions.MalformedArnException" * "RAM.Client.exceptions.InvalidClientTokenException" * "RAM.Client.exceptions.IdempotentParameterMismatchException" * "RAM.Client.exceptions.PermissionVersionsLimitExceededException" RAM / Client / associate_resource_share associate_resource_share ************************ RAM.Client.associate_resource_share(**kwargs) Adds the specified list of principals and list of resources to a resource share. Principals that already have access to this resource share immediately receive access to the added resources. Newly added principals immediately receive access to the resources shared in this resource share. See also: AWS API Documentation **Request Syntax** response = client.associate_resource_share( resourceShareArn='string', resourceArns=[ 'string', ], principals=[ 'string', ], clientToken='string', sources=[ 'string', ] ) Parameters: * **resourceShareArn** (*string*) -- **[REQUIRED]** Specifies the Amazon Resource Name (ARN) of the resource share that you want to add principals or resources to. * **resourceArns** (*list*) -- Specifies a list of Amazon Resource Names (ARNs) of the resources that you want to share. This can be "null" if you want to add only principals. * *(string) --* * **principals** (*list*) -- Specifies a list of principals to whom you want to the resource share. This can be "null" if you want to add only resources. What the principals can do with the resources in the share is determined by the RAM permissions that you associate with the resource share. See AssociateResourceSharePermission. You can include the following values: * An Amazon Web Services account ID, for example: "123456789012" * An Amazon Resource Name (ARN) of an organization in Organizations, for example: "organizations::123456789012:organization/o-exampleorgid" * An ARN of an organizational unit (OU) in Organizations, for example: "organizations::123456789012:ou/o-exampleorgid/ou- examplerootid-exampleouid123" * An ARN of an IAM role, for example: "iam::123456789012:role/rolename" * An ARN of an IAM user, for example: "iam::123456789012user/username" Note: Not all resource types can be shared with IAM roles and users. For more information, see Sharing with IAM roles and users in the *Resource Access Manager User Guide*. * *(string) --* * **clientToken** (*string*) -- Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value.. If you don't provide this value, then Amazon Web Services generates a random one for you. If you retry the operation with the same "ClientToken", but with different parameters, the retry fails with an "IdempotentParameterMismatch" error. * **sources** (*list*) -- Specifies from which source accounts the service principal has access to the resources in this resource share. * *(string) --* Return type: dict Returns: **Response Syntax** { 'resourceShareAssociations': [ { 'resourceShareArn': 'string', 'resourceShareName': 'string', 'associatedEntity': 'string', 'associationType': 'PRINCIPAL'|'RESOURCE', 'status': 'ASSOCIATING'|'ASSOCIATED'|'FAILED'|'DISASSOCIATING'|'DISASSOCIATED', 'statusMessage': 'string', 'creationTime': datetime(2015, 1, 1), 'lastUpdatedTime': datetime(2015, 1, 1), 'external': True|False }, ], 'clientToken': 'string' } **Response Structure** * *(dict) --* * **resourceShareAssociations** *(list) --* An array of objects that contain information about the associations. * *(dict) --* Describes an association between a resource share and either a principal or a resource. * **resourceShareArn** *(string) --* The Amazon Resource Name (ARN) of the resource share. * **resourceShareName** *(string) --* The name of the resource share. * **associatedEntity** *(string) --* The associated entity. This can be either of the following: * For a resource association, this is the Amazon Resource Name (ARN) of the resource. * For principal associations, this is one of the following: * The ID of an Amazon Web Services account * The Amazon Resource Name (ARN) of an organization in Organizations * The ARN of an organizational unit (OU) in Organizations * The ARN of an IAM role * The ARN of an IAM user * **associationType** *(string) --* The type of entity included in this association. * **status** *(string) --* The current status of the association. * **statusMessage** *(string) --* A message about the status of the association. * **creationTime** *(datetime) --* The date and time when the association was created. * **lastUpdatedTime** *(datetime) --* The date and time when the association was last updated. * **external** *(boolean) --* Indicates whether the principal belongs to the same organization in Organizations as the Amazon Web Services account that owns the resource share. * **clientToken** *(string) --* The idempotency identifier associated with this request. If you want to repeat the same operation in an idempotent manner then you must include this value in the "clientToken" request parameter of that later call. All other parameters must also have the same values that you used in the first call. **Exceptions** * "RAM.Client.exceptions.IdempotentParameterMismatchException" * "RAM.Client.exceptions.UnknownResourceException" * "RAM.Client.exceptions.InvalidStateTransitionException" * "RAM.Client.exceptions.ResourceShareLimitExceededException" * "RAM.Client.exceptions.MalformedArnException" * "RAM.Client.exceptions.InvalidStateTransitionException" * "RAM.Client.exceptions.InvalidClientTokenException" * "RAM.Client.exceptions.InvalidParameterException" * "RAM.Client.exceptions.OperationNotPermittedException" * "RAM.Client.exceptions.ServerInternalException" * "RAM.Client.exceptions.ServiceUnavailableException" * "RAM.Client.exceptions.UnknownResourceException" * "RAM.Client.exceptions.ThrottlingException" RAM / Client / get_resource_share_associations get_resource_share_associations ******************************* RAM.Client.get_resource_share_associations(**kwargs) Retrieves the lists of resources and principals that associated for resource shares that you own. See also: AWS API Documentation **Request Syntax** response = client.get_resource_share_associations( associationType='PRINCIPAL'|'RESOURCE', resourceShareArns=[ 'string', ], resourceArn='string', principal='string', associationStatus='ASSOCIATING'|'ASSOCIATED'|'FAILED'|'DISASSOCIATING'|'DISASSOCIATED', nextToken='string', maxResults=123 ) Parameters: * **associationType** (*string*) -- **[REQUIRED]** Specifies whether you want to retrieve the associations that involve a specified resource or principal. * "PRINCIPAL" – list the principals whose associations you want to see. * "RESOURCE" – list the resources whose associations you want to see. * **resourceShareArns** (*list*) -- Specifies a list of Amazon Resource Names (ARNs) of the resource share whose associations you want to retrieve. * *(string) --* * **resourceArn** (*string*) -- Specifies the Amazon Resource Name (ARN) of a resource whose resource shares you want to retrieve. You cannot specify this parameter if the association type is "PRINCIPAL". * **principal** (*string*) -- Specifies the ID of the principal whose resource shares you want to retrieve. This can be an Amazon Web Services account ID, an organization ID, an organizational unit ID, or the Amazon Resource Name (ARN) of an individual IAM role or user. You cannot specify this parameter if the association type is "RESOURCE". * **associationStatus** (*string*) -- Specifies that you want to retrieve only associations that have this status. * **nextToken** (*string*) -- Specifies that you want to receive the next page of results. Valid only if you received a "NextToken" response in the previous request. If you did, it indicates that more output is available. Set this parameter to the value provided by the previous call's "NextToken" response to request the next page of results. * **maxResults** (*integer*) -- Specifies the total number of results that you want included on each page of the response. If you do not include this parameter, it defaults to a value that is specific to the operation. If additional items exist beyond the number you specify, the "NextToken" response element is returned with a value (not null). Include the specified value as the "NextToken" request parameter in the next call to the operation to get the next part of the results. Note that the service might return fewer results than the maximum even when there are more results available. You should check "NextToken" after every operation to ensure that you receive all of the results. Return type: dict Returns: **Response Syntax** { 'resourceShareAssociations': [ { 'resourceShareArn': 'string', 'resourceShareName': 'string', 'associatedEntity': 'string', 'associationType': 'PRINCIPAL'|'RESOURCE', 'status': 'ASSOCIATING'|'ASSOCIATED'|'FAILED'|'DISASSOCIATING'|'DISASSOCIATED', 'statusMessage': 'string', 'creationTime': datetime(2015, 1, 1), 'lastUpdatedTime': datetime(2015, 1, 1), 'external': True|False }, ], 'nextToken': 'string' } **Response Structure** * *(dict) --* * **resourceShareAssociations** *(list) --* An array of objects that contain the details about the associations. * *(dict) --* Describes an association between a resource share and either a principal or a resource. * **resourceShareArn** *(string) --* The Amazon Resource Name (ARN) of the resource share. * **resourceShareName** *(string) --* The name of the resource share. * **associatedEntity** *(string) --* The associated entity. This can be either of the following: * For a resource association, this is the Amazon Resource Name (ARN) of the resource. * For principal associations, this is one of the following: * The ID of an Amazon Web Services account * The Amazon Resource Name (ARN) of an organization in Organizations * The ARN of an organizational unit (OU) in Organizations * The ARN of an IAM role * The ARN of an IAM user * **associationType** *(string) --* The type of entity included in this association. * **status** *(string) --* The current status of the association. * **statusMessage** *(string) --* A message about the status of the association. * **creationTime** *(datetime) --* The date and time when the association was created. * **lastUpdatedTime** *(datetime) --* The date and time when the association was last updated. * **external** *(boolean) --* Indicates whether the principal belongs to the same organization in Organizations as the Amazon Web Services account that owns the resource share. * **nextToken** *(string) --* If present, this value indicates that more output is available than is included in the current response. Use this value in the "NextToken" request parameter in a subsequent call to the operation to get the next part of the output. You should repeat this until the "NextToken" response element comes back as "null". This indicates that this is the last page of results. **Exceptions** * "RAM.Client.exceptions.UnknownResourceException" * "RAM.Client.exceptions.MalformedArnException" * "RAM.Client.exceptions.InvalidNextTokenException" * "RAM.Client.exceptions.InvalidParameterException" * "RAM.Client.exceptions.OperationNotPermittedException" * "RAM.Client.exceptions.ServerInternalException" * "RAM.Client.exceptions.ServiceUnavailableException" RAM / Client / get_resource_share_invitations get_resource_share_invitations ****************************** RAM.Client.get_resource_share_invitations(**kwargs) Retrieves details about invitations that you have received for resource shares. See also: AWS API Documentation **Request Syntax** response = client.get_resource_share_invitations( resourceShareInvitationArns=[ 'string', ], resourceShareArns=[ 'string', ], nextToken='string', maxResults=123 ) Parameters: * **resourceShareInvitationArns** (*list*) -- Specifies the Amazon Resource Names (ARNs) of the resource share invitations you want information about. * *(string) --* * **resourceShareArns** (*list*) -- Specifies that you want details about invitations only for the resource shares described by this list of Amazon Resource Names (ARNs) * *(string) --* * **nextToken** (*string*) -- Specifies that you want to receive the next page of results. Valid only if you received a "NextToken" response in the previous request. If you did, it indicates that more output is available. Set this parameter to the value provided by the previous call's "NextToken" response to request the next page of results. * **maxResults** (*integer*) -- Specifies the total number of results that you want included on each page of the response. If you do not include this parameter, it defaults to a value that is specific to the operation. If additional items exist beyond the number you specify, the "NextToken" response element is returned with a value (not null). Include the specified value as the "NextToken" request parameter in the next call to the operation to get the next part of the results. Note that the service might return fewer results than the maximum even when there are more results available. You should check "NextToken" after every operation to ensure that you receive all of the results. Return type: dict Returns: **Response Syntax** { 'resourceShareInvitations': [ { 'resourceShareInvitationArn': 'string', 'resourceShareName': 'string', 'resourceShareArn': 'string', 'senderAccountId': 'string', 'receiverAccountId': 'string', 'invitationTimestamp': datetime(2015, 1, 1), 'status': 'PENDING'|'ACCEPTED'|'REJECTED'|'EXPIRED', 'resourceShareAssociations': [ { 'resourceShareArn': 'string', 'resourceShareName': 'string', 'associatedEntity': 'string', 'associationType': 'PRINCIPAL'|'RESOURCE', 'status': 'ASSOCIATING'|'ASSOCIATED'|'FAILED'|'DISASSOCIATING'|'DISASSOCIATED', 'statusMessage': 'string', 'creationTime': datetime(2015, 1, 1), 'lastUpdatedTime': datetime(2015, 1, 1), 'external': True|False }, ], 'receiverArn': 'string' }, ], 'nextToken': 'string' } **Response Structure** * *(dict) --* * **resourceShareInvitations** *(list) --* An array of objects that contain the details about the invitations. * *(dict) --* Describes an invitation for an Amazon Web Services account to join a resource share. * **resourceShareInvitationArn** *(string) --* The Amazon Resource Name (ARN) of the invitation. * **resourceShareName** *(string) --* The name of the resource share. * **resourceShareArn** *(string) --* The Amazon Resource Name (ARN) of the resource share * **senderAccountId** *(string) --* The ID of the Amazon Web Services account that sent the invitation. * **receiverAccountId** *(string) --* The ID of the Amazon Web Services account that received the invitation. * **invitationTimestamp** *(datetime) --* The date and time when the invitation was sent. * **status** *(string) --* The current status of the invitation. * **resourceShareAssociations** *(list) --* To view the resources associated with a pending resource share invitation, use ListPendingInvitationResources. * *(dict) --* Describes an association between a resource share and either a principal or a resource. * **resourceShareArn** *(string) --* The Amazon Resource Name (ARN) of the resource share. * **resourceShareName** *(string) --* The name of the resource share. * **associatedEntity** *(string) --* The associated entity. This can be either of the following: * For a resource association, this is the Amazon Resource Name (ARN) of the resource. * For principal associations, this is one of the following: * The ID of an Amazon Web Services account * The Amazon Resource Name (ARN) of an organization in Organizations * The ARN of an organizational unit (OU) in Organizations * The ARN of an IAM role * The ARN of an IAM user * **associationType** *(string) --* The type of entity included in this association. * **status** *(string) --* The current status of the association. * **statusMessage** *(string) --* A message about the status of the association. * **creationTime** *(datetime) --* The date and time when the association was created. * **lastUpdatedTime** *(datetime) --* The date and time when the association was last updated. * **external** *(boolean) --* Indicates whether the principal belongs to the same organization in Organizations as the Amazon Web Services account that owns the resource share. * **receiverArn** *(string) --* The Amazon Resource Name (ARN) of the IAM user or role that received the invitation. * **nextToken** *(string) --* If present, this value indicates that more output is available than is included in the current response. Use this value in the "NextToken" request parameter in a subsequent call to the operation to get the next part of the output. You should repeat this until the "NextToken" response element comes back as "null". This indicates that this is the last page of results. **Exceptions** * "RAM.Client.exceptions.ResourceShareInvitationArnNotFoundExcepti on" * "RAM.Client.exceptions.InvalidMaxResultsException" * "RAM.Client.exceptions.MalformedArnException" * "RAM.Client.exceptions.UnknownResourceException" * "RAM.Client.exceptions.InvalidNextTokenException" * "RAM.Client.exceptions.InvalidParameterException" * "RAM.Client.exceptions.ServerInternalException" * "RAM.Client.exceptions.ServiceUnavailableException" RAM / Client / create_resource_share create_resource_share ********************* RAM.Client.create_resource_share(**kwargs) Creates a resource share. You can provide a list of the Amazon Resource Names (ARNs) for the resources that you want to share, a list of principals you want to share the resources with, and the permissions to grant those principals. Note: Sharing a resource makes it available for use by principals outside of the Amazon Web Services account that created the resource. Sharing doesn't change any permissions or quotas that apply to the resource in the account that created it. See also: AWS API Documentation **Request Syntax** response = client.create_resource_share( name='string', resourceArns=[ 'string', ], principals=[ 'string', ], tags=[ { 'key': 'string', 'value': 'string' }, ], allowExternalPrincipals=True|False, clientToken='string', permissionArns=[ 'string', ], sources=[ 'string', ] ) Parameters: * **name** (*string*) -- **[REQUIRED]** Specifies the name of the resource share. * **resourceArns** (*list*) -- Specifies a list of one or more ARNs of the resources to associate with the resource share. * *(string) --* * **principals** (*list*) -- Specifies a list of one or more principals to associate with the resource share. You can include the following values: * An Amazon Web Services account ID, for example: "123456789012" * An Amazon Resource Name (ARN) of an organization in Organizations, for example: "organizations::123456789012:organization/o-exampleorgid" * An ARN of an organizational unit (OU) in Organizations, for example: "organizations::123456789012:ou/o-exampleorgid/ou- examplerootid-exampleouid123" * An ARN of an IAM role, for example: "iam::123456789012:role/rolename" * An ARN of an IAM user, for example: "iam::123456789012user/username" Note: Not all resource types can be shared with IAM roles and users. For more information, see Sharing with IAM roles and users in the *Resource Access Manager User Guide*. * *(string) --* * **tags** (*list*) -- Specifies one or more tags to attach to the resource share itself. It doesn't attach the tags to the resources associated with the resource share. * *(dict) --* A structure containing a tag. A tag is metadata that you can attach to your resources to help organize and categorize them. You can also use them to help you secure your resources. For more information, see Controlling access to Amazon Web Services resources using tags. For more information about tags, see Tagging Amazon Web Services resources in the *Amazon Web Services General Reference Guide*. * **key** *(string) --* The key, or name, attached to the tag. Every tag must have a key. Key names are case sensitive. * **value** *(string) --* The string value attached to the tag. The value can be an empty string. Key values are case sensitive. * **allowExternalPrincipals** (*boolean*) -- Specifies whether principals outside your organization in Organizations can be associated with a resource share. A value of "true" lets you share with individual Amazon Web Services accounts that are *not* in your organization. A value of "false" only has meaning if your account is a member of an Amazon Web Services Organization. The default value is "true". * **clientToken** (*string*) -- Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value.. If you don't provide this value, then Amazon Web Services generates a random one for you. If you retry the operation with the same "ClientToken", but with different parameters, the retry fails with an "IdempotentParameterMismatch" error. * **permissionArns** (*list*) -- Specifies the Amazon Resource Names (ARNs) of the RAM permission to associate with the resource share. If you do not specify an ARN for the permission, RAM automatically attaches the default version of the permission for each resource type. You can associate only one permission with each resource type included in the resource share. * *(string) --* * **sources** (*list*) -- Specifies from which source accounts the service principal has access to the resources in this resource share. * *(string) --* Return type: dict Returns: **Response Syntax** { 'resourceShare': { 'resourceShareArn': 'string', 'name': 'string', 'owningAccountId': 'string', 'allowExternalPrincipals': True|False, 'status': 'PENDING'|'ACTIVE'|'FAILED'|'DELETING'|'DELETED', 'statusMessage': 'string', 'tags': [ { 'key': 'string', 'value': 'string' }, ], 'creationTime': datetime(2015, 1, 1), 'lastUpdatedTime': datetime(2015, 1, 1), 'featureSet': 'CREATED_FROM_POLICY'|'PROMOTING_TO_STANDARD'|'STANDARD' }, 'clientToken': 'string' } **Response Structure** * *(dict) --* * **resourceShare** *(dict) --* An object with information about the new resource share. * **resourceShareArn** *(string) --* The Amazon Resource Name (ARN) of the resource share * **name** *(string) --* The name of the resource share. * **owningAccountId** *(string) --* The ID of the Amazon Web Services account that owns the resource share. * **allowExternalPrincipals** *(boolean) --* Indicates whether principals outside your organization in Organizations can be associated with a resource share. * "True" – the resource share can be shared with any Amazon Web Services account. * "False" – the resource share can be shared with only accounts in the same organization as the account that owns the resource share. * **status** *(string) --* The current status of the resource share. * **statusMessage** *(string) --* A message about the status of the resource share. * **tags** *(list) --* The tag key and value pairs attached to the resource share. * *(dict) --* A structure containing a tag. A tag is metadata that you can attach to your resources to help organize and categorize them. You can also use them to help you secure your resources. For more information, see Controlling access to Amazon Web Services resources using tags. For more information about tags, see Tagging Amazon Web Services resources in the *Amazon Web Services General Reference Guide*. * **key** *(string) --* The key, or name, attached to the tag. Every tag must have a key. Key names are case sensitive. * **value** *(string) --* The string value attached to the tag. The value can be an empty string. Key values are case sensitive. * **creationTime** *(datetime) --* The date and time when the resource share was created. * **lastUpdatedTime** *(datetime) --* The date and time when the resource share was last updated. * **featureSet** *(string) --* Indicates what features are available for this resource share. This parameter can have one of the following values: * **STANDARD** – A resource share that supports all functionality. These resource shares are visible to all principals you share the resource share with. You can modify these resource shares in RAM using the console or APIs. This resource share might have been created by RAM, or it might have been **CREATED_FROM_POLICY** and then promoted. * **CREATED_FROM_POLICY** – The customer manually shared a resource by attaching a resource-based policy. That policy did not match any existing managed permissions, so RAM created this customer managed permission automatically on the customer's behalf based on the attached policy document. This type of resource share is visible only to the Amazon Web Services account that created it. You can't modify it in RAM unless you promote it. For more information, see PromoteResourceShareCreatedFromPolicy. * **PROMOTING_TO_STANDARD** – This resource share was originally "CREATED_FROM_POLICY", but the customer ran the PromoteResourceShareCreatedFromPolicy and that operation is still in progress. This value changes to "STANDARD" when complete. * **clientToken** *(string) --* The idempotency identifier associated with this request. If you want to repeat the same operation in an idempotent manner then you must include this value in the "clientToken" request parameter of that later call. All other parameters must also have the same values that you used in the first call. **Exceptions** * "RAM.Client.exceptions.IdempotentParameterMismatchException" * "RAM.Client.exceptions.InvalidStateTransitionException" * "RAM.Client.exceptions.UnknownResourceException" * "RAM.Client.exceptions.MalformedArnException" * "RAM.Client.exceptions.InvalidClientTokenException" * "RAM.Client.exceptions.InvalidParameterException" * "RAM.Client.exceptions.OperationNotPermittedException" * "RAM.Client.exceptions.ResourceShareLimitExceededException" * "RAM.Client.exceptions.TagPolicyViolationException" * "RAM.Client.exceptions.TagLimitExceededException" * "RAM.Client.exceptions.ServerInternalException" * "RAM.Client.exceptions.ServiceUnavailableException" RAM / Client / get_resource_shares get_resource_shares ******************* RAM.Client.get_resource_shares(**kwargs) Retrieves details about the resource shares that you own or that are shared with you. See also: AWS API Documentation **Request Syntax** response = client.get_resource_shares( resourceShareArns=[ 'string', ], resourceShareStatus='PENDING'|'ACTIVE'|'FAILED'|'DELETING'|'DELETED', resourceOwner='SELF'|'OTHER-ACCOUNTS', name='string', tagFilters=[ { 'tagKey': 'string', 'tagValues': [ 'string', ] }, ], nextToken='string', maxResults=123, permissionArn='string', permissionVersion=123 ) Parameters: * **resourceShareArns** (*list*) -- Specifies the Amazon Resource Names (ARNs) of individual resource shares that you want information about. * *(string) --* * **resourceShareStatus** (*string*) -- Specifies that you want to retrieve details of only those resource shares that have this status. * **resourceOwner** (*string*) -- **[REQUIRED]** Specifies that you want to retrieve details of only those resource shares that match the following: * "SELF" – resource shares that your account shares with other accounts * "OTHER-ACCOUNTS" – resource shares that other accounts share with your account * **name** (*string*) -- Specifies the name of an individual resource share that you want to retrieve details about. * **tagFilters** (*list*) -- Specifies that you want to retrieve details of only those resource shares that match the specified tag keys and values. * *(dict) --* A tag key and optional list of possible values that you can use to filter results for tagged resources. * **tagKey** *(string) --* The tag key. This must have a valid string value and can't be empty. * **tagValues** *(list) --* A list of zero or more tag values. If no values are provided, then the filter matches any tag with the specified key, regardless of its value. * *(string) --* * **nextToken** (*string*) -- Specifies that you want to receive the next page of results. Valid only if you received a "NextToken" response in the previous request. If you did, it indicates that more output is available. Set this parameter to the value provided by the previous call's "NextToken" response to request the next page of results. * **maxResults** (*integer*) -- Specifies the total number of results that you want included on each page of the response. If you do not include this parameter, it defaults to a value that is specific to the operation. If additional items exist beyond the number you specify, the "NextToken" response element is returned with a value (not null). Include the specified value as the "NextToken" request parameter in the next call to the operation to get the next part of the results. Note that the service might return fewer results than the maximum even when there are more results available. You should check "NextToken" after every operation to ensure that you receive all of the results. * **permissionArn** (*string*) -- Specifies that you want to retrieve details of only those resource shares that use the managed permission with this Amazon Resource Name (ARN). * **permissionVersion** (*integer*) -- Specifies that you want to retrieve details for only those resource shares that use the specified version of the managed permission. Return type: dict Returns: **Response Syntax** { 'resourceShares': [ { 'resourceShareArn': 'string', 'name': 'string', 'owningAccountId': 'string', 'allowExternalPrincipals': True|False, 'status': 'PENDING'|'ACTIVE'|'FAILED'|'DELETING'|'DELETED', 'statusMessage': 'string', 'tags': [ { 'key': 'string', 'value': 'string' }, ], 'creationTime': datetime(2015, 1, 1), 'lastUpdatedTime': datetime(2015, 1, 1), 'featureSet': 'CREATED_FROM_POLICY'|'PROMOTING_TO_STANDARD'|'STANDARD' }, ], 'nextToken': 'string' } **Response Structure** * *(dict) --* * **resourceShares** *(list) --* An array of objects that contain the information about the resource shares. * *(dict) --* Describes a resource share in RAM. * **resourceShareArn** *(string) --* The Amazon Resource Name (ARN) of the resource share * **name** *(string) --* The name of the resource share. * **owningAccountId** *(string) --* The ID of the Amazon Web Services account that owns the resource share. * **allowExternalPrincipals** *(boolean) --* Indicates whether principals outside your organization in Organizations can be associated with a resource share. * "True" – the resource share can be shared with any Amazon Web Services account. * "False" – the resource share can be shared with only accounts in the same organization as the account that owns the resource share. * **status** *(string) --* The current status of the resource share. * **statusMessage** *(string) --* A message about the status of the resource share. * **tags** *(list) --* The tag key and value pairs attached to the resource share. * *(dict) --* A structure containing a tag. A tag is metadata that you can attach to your resources to help organize and categorize them. You can also use them to help you secure your resources. For more information, see Controlling access to Amazon Web Services resources using tags. For more information about tags, see Tagging Amazon Web Services resources in the *Amazon Web Services General Reference Guide*. * **key** *(string) --* The key, or name, attached to the tag. Every tag must have a key. Key names are case sensitive. * **value** *(string) --* The string value attached to the tag. The value can be an empty string. Key values are case sensitive. * **creationTime** *(datetime) --* The date and time when the resource share was created. * **lastUpdatedTime** *(datetime) --* The date and time when the resource share was last updated. * **featureSet** *(string) --* Indicates what features are available for this resource share. This parameter can have one of the following values: * **STANDARD** – A resource share that supports all functionality. These resource shares are visible to all principals you share the resource share with. You can modify these resource shares in RAM using the console or APIs. This resource share might have been created by RAM, or it might have been **CREATED_FROM_POLICY** and then promoted. * **CREATED_FROM_POLICY** – The customer manually shared a resource by attaching a resource-based policy. That policy did not match any existing managed permissions, so RAM created this customer managed permission automatically on the customer's behalf based on the attached policy document. This type of resource share is visible only to the Amazon Web Services account that created it. You can't modify it in RAM unless you promote it. For more information, see PromoteResourceShareCreatedFromPolicy. * **PROMOTING_TO_STANDARD** – This resource share was originally "CREATED_FROM_POLICY", but the customer ran the PromoteResourceShareCreatedFromPolicy and that operation is still in progress. This value changes to "STANDARD" when complete. * **nextToken** *(string) --* If present, this value indicates that more output is available than is included in the current response. Use this value in the "NextToken" request parameter in a subsequent call to the operation to get the next part of the output. You should repeat this until the "NextToken" response element comes back as "null". This indicates that this is the last page of results. **Exceptions** * "RAM.Client.exceptions.UnknownResourceException" * "RAM.Client.exceptions.MalformedArnException" * "RAM.Client.exceptions.InvalidNextTokenException" * "RAM.Client.exceptions.InvalidParameterException" * "RAM.Client.exceptions.ServerInternalException" * "RAM.Client.exceptions.ServiceUnavailableException" RAM / Client / get_resource_policies get_resource_policies ********************* RAM.Client.get_resource_policies(**kwargs) Retrieves the resource policies for the specified resources that you own and have shared. See also: AWS API Documentation **Request Syntax** response = client.get_resource_policies( resourceArns=[ 'string', ], principal='string', nextToken='string', maxResults=123 ) Parameters: * **resourceArns** (*list*) -- **[REQUIRED]** Specifies the Amazon Resource Names (ARNs) of the resources whose policies you want to retrieve. * *(string) --* * **principal** (*string*) -- Specifies the principal. * **nextToken** (*string*) -- Specifies that you want to receive the next page of results. Valid only if you received a "NextToken" response in the previous request. If you did, it indicates that more output is available. Set this parameter to the value provided by the previous call's "NextToken" response to request the next page of results. * **maxResults** (*integer*) -- Specifies the total number of results that you want included on each page of the response. If you do not include this parameter, it defaults to a value that is specific to the operation. If additional items exist beyond the number you specify, the "NextToken" response element is returned with a value (not null). Include the specified value as the "NextToken" request parameter in the next call to the operation to get the next part of the results. Note that the service might return fewer results than the maximum even when there are more results available. You should check "NextToken" after every operation to ensure that you receive all of the results. Return type: dict Returns: **Response Syntax** { 'policies': [ 'string', ], 'nextToken': 'string' } **Response Structure** * *(dict) --* * **policies** *(list) --* An array of resource policy documents in JSON format. * *(string) --* * **nextToken** *(string) --* If present, this value indicates that more output is available than is included in the current response. Use this value in the "NextToken" request parameter in a subsequent call to the operation to get the next part of the output. You should repeat this until the "NextToken" response element comes back as "null". This indicates that this is the last page of results. **Exceptions** * "RAM.Client.exceptions.MalformedArnException" * "RAM.Client.exceptions.InvalidNextTokenException" * "RAM.Client.exceptions.InvalidParameterException" * "RAM.Client.exceptions.ResourceArnNotFoundException" * "RAM.Client.exceptions.ServerInternalException" * "RAM.Client.exceptions.ServiceUnavailableException" RAM / Client / disassociate_resource_share_permission disassociate_resource_share_permission ************************************** RAM.Client.disassociate_resource_share_permission(**kwargs) Removes a managed permission from a resource share. Permission changes take effect immediately. You can remove a managed permission from a resource share only if there are currently no resources of the relevant resource type currently attached to the resource share. See also: AWS API Documentation **Request Syntax** response = client.disassociate_resource_share_permission( resourceShareArn='string', permissionArn='string', clientToken='string' ) Parameters: * **resourceShareArn** (*string*) -- **[REQUIRED]** The Amazon Resource Name (ARN) of the resource share that you want to remove the managed permission from. * **permissionArn** (*string*) -- **[REQUIRED]** The Amazon Resource Name (ARN) of the managed permission to disassociate from the resource share. Changes to permissions take effect immediately. * **clientToken** (*string*) -- Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value.. If you don't provide this value, then Amazon Web Services generates a random one for you. If you retry the operation with the same "ClientToken", but with different parameters, the retry fails with an "IdempotentParameterMismatch" error. Return type: dict Returns: **Response Syntax** { 'returnValue': True|False, 'clientToken': 'string' } **Response Structure** * *(dict) --* * **returnValue** *(boolean) --* A return value of "true" indicates that the request succeeded. A value of "false" indicates that the request failed. * **clientToken** *(string) --* The idempotency identifier associated with this request. If you want to repeat the same operation in an idempotent manner then you must include this value in the "clientToken" request parameter of that later call. All other parameters must also have the same values that you used in the first call. **Exceptions** * "RAM.Client.exceptions.MalformedArnException" * "RAM.Client.exceptions.UnknownResourceException" * "RAM.Client.exceptions.InvalidParameterException" * "RAM.Client.exceptions.InvalidClientTokenException" * "RAM.Client.exceptions.ServerInternalException" * "RAM.Client.exceptions.ServiceUnavailableException" * "RAM.Client.exceptions.OperationNotPermittedException" * "RAM.Client.exceptions.InvalidStateTransitionException" RAM / Client / delete_resource_share delete_resource_share ********************* RAM.Client.delete_resource_share(**kwargs) Deletes the specified resource share. Warning: This doesn't delete any of the resources that were associated with the resource share; it only stops the sharing of those resources through this resource share. See also: AWS API Documentation **Request Syntax** response = client.delete_resource_share( resourceShareArn='string', clientToken='string' ) Parameters: * **resourceShareArn** (*string*) -- **[REQUIRED]** Specifies the Amazon Resource Name (ARN) of the resource share to delete. * **clientToken** (*string*) -- Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value.. If you don't provide this value, then Amazon Web Services generates a random one for you. If you retry the operation with the same "ClientToken", but with different parameters, the retry fails with an "IdempotentParameterMismatch" error. Return type: dict Returns: **Response Syntax** { 'returnValue': True|False, 'clientToken': 'string' } **Response Structure** * *(dict) --* * **returnValue** *(boolean) --* A return value of "true" indicates that the request succeeded. A value of "false" indicates that the request failed. * **clientToken** *(string) --* The idempotency identifier associated with this request. If you want to repeat the same operation in an idempotent manner then you must include this value in the "clientToken" request parameter of that later call. All other parameters must also have the same values that you used in the first call. **Exceptions** * "RAM.Client.exceptions.OperationNotPermittedException" * "RAM.Client.exceptions.IdempotentParameterMismatchException" * "RAM.Client.exceptions.InvalidStateTransitionException" * "RAM.Client.exceptions.UnknownResourceException" * "RAM.Client.exceptions.MalformedArnException" * "RAM.Client.exceptions.InvalidClientTokenException" * "RAM.Client.exceptions.InvalidParameterException" * "RAM.Client.exceptions.ServerInternalException" * "RAM.Client.exceptions.ServiceUnavailableException" RAM / Client / get_permission get_permission ************** RAM.Client.get_permission(**kwargs) Retrieves the contents of a managed permission in JSON format. See also: AWS API Documentation **Request Syntax** response = client.get_permission( permissionArn='string', permissionVersion=123 ) Parameters: * **permissionArn** (*string*) -- **[REQUIRED]** Specifies the Amazon Resource Name (ARN) of the permission whose contents you want to retrieve. To find the ARN for a permission, use either the ListPermissions operation or go to the Permissions library page in the RAM console and then choose the name of the permission. The ARN is displayed on the detail page. * **permissionVersion** (*integer*) -- Specifies the version number of the RAM permission to retrieve. If you don't specify this parameter, the operation retrieves the default version. To see the list of available versions, use ListPermissionVersions. Return type: dict Returns: **Response Syntax** { 'permission': { 'arn': 'string', 'version': 'string', 'defaultVersion': True|False, 'name': 'string', 'resourceType': 'string', 'permission': 'string', 'creationTime': datetime(2015, 1, 1), 'lastUpdatedTime': datetime(2015, 1, 1), 'isResourceTypeDefault': True|False, 'permissionType': 'CUSTOMER_MANAGED'|'AWS_MANAGED', 'featureSet': 'CREATED_FROM_POLICY'|'PROMOTING_TO_STANDARD'|'STANDARD', 'status': 'ATTACHABLE'|'UNATTACHABLE'|'DELETING'|'DELETED', 'tags': [ { 'key': 'string', 'value': 'string' }, ] } } **Response Structure** * *(dict) --* * **permission** *(dict) --* An object with details about the permission. * **arn** *(string) --* The Amazon Resource Name (ARN) of this RAM managed permission. * **version** *(string) --* The version of the permission described in this response. * **defaultVersion** *(boolean) --* Specifies whether the version of the permission represented in this response is the default version for this permission. * **name** *(string) --* The name of this permission. * **resourceType** *(string) --* The resource type to which this permission applies. * **permission** *(string) --* The permission's effect and actions in JSON format. The "effect" indicates whether the specified actions are allowed or denied. The "actions" list the operations to which the principal is granted or denied access. * **creationTime** *(datetime) --* The date and time when the permission was created. * **lastUpdatedTime** *(datetime) --* The date and time when the permission was last updated. * **isResourceTypeDefault** *(boolean) --* Specifies whether the version of the permission represented in this response is the default version for all resources of this resource type. * **permissionType** *(string) --* The type of managed permission. This can be one of the following values: * "AWS_MANAGED" – Amazon Web Services created and manages this managed permission. You can associate it with your resource shares, but you can't modify it. * "CUSTOMER_MANAGED" – You, or another principal in your account created this managed permission. You can associate it with your resource shares and create new versions that have different permissions. * **featureSet** *(string) --* Indicates what features are available for this resource share. This parameter can have one of the following values: * **STANDARD** – A resource share that supports all functionality. These resource shares are visible to all principals you share the resource share with. You can modify these resource shares in RAM using the console or APIs. This resource share might have been created by RAM, or it might have been **CREATED_FROM_POLICY** and then promoted. * **CREATED_FROM_POLICY** – The customer manually shared a resource by attaching a resource-based policy. That policy did not match any existing managed permissions, so RAM created this customer managed permission automatically on the customer's behalf based on the attached policy document. This type of resource share is visible only to the Amazon Web Services account that created it. You can't modify it in RAM unless you promote it. For more information, see PromoteResourceShareCreatedFromPolicy. * **PROMOTING_TO_STANDARD** – This resource share was originally "CREATED_FROM_POLICY", but the customer ran the PromoteResourceShareCreatedFromPolicy and that operation is still in progress. This value changes to "STANDARD" when complete. * **status** *(string) --* The current status of the association between the permission and the resource share. The following are the possible values: * "ATTACHABLE" – This permission or version can be associated with resource shares. * "UNATTACHABLE" – This permission or version can't currently be associated with resource shares. * "DELETING" – This permission or version is in the process of being deleted. * "DELETED" – This permission or version is deleted. * **tags** *(list) --* The tag key and value pairs attached to the resource share. * *(dict) --* A structure containing a tag. A tag is metadata that you can attach to your resources to help organize and categorize them. You can also use them to help you secure your resources. For more information, see Controlling access to Amazon Web Services resources using tags. For more information about tags, see Tagging Amazon Web Services resources in the *Amazon Web Services General Reference Guide*. * **key** *(string) --* The key, or name, attached to the tag. Every tag must have a key. Key names are case sensitive. * **value** *(string) --* The string value attached to the tag. The value can be an empty string. Key values are case sensitive. **Exceptions** * "RAM.Client.exceptions.InvalidParameterException" * "RAM.Client.exceptions.MalformedArnException" * "RAM.Client.exceptions.UnknownResourceException" * "RAM.Client.exceptions.ServerInternalException" * "RAM.Client.exceptions.ServiceUnavailableException" * "RAM.Client.exceptions.OperationNotPermittedException" RAM / Client / replace_permission_associations replace_permission_associations ******************************* RAM.Client.replace_permission_associations(**kwargs) Updates all resource shares that use a managed permission to a different managed permission. This operation always applies the default version of the target managed permission. You can optionally specify that the update applies to only resource shares that currently use a specified version. This enables you to update to the latest version, without changing the which managed permission is used. You can use this operation to update all of your resource shares to use the current default version of the permission by specifying the same value for the "fromPermissionArn" and "toPermissionArn" parameters. You can use the optional "fromPermissionVersion" parameter to update only those resources that use a specified version of the managed permission to the new managed permission. Warning: To successfully perform this operation, you must have permission to update the resource-based policy on all affected resource types. See also: AWS API Documentation **Request Syntax** response = client.replace_permission_associations( fromPermissionArn='string', fromPermissionVersion=123, toPermissionArn='string', clientToken='string' ) Parameters: * **fromPermissionArn** (*string*) -- **[REQUIRED]** Specifies the Amazon Resource Name (ARN) of the managed permission that you want to replace. * **fromPermissionVersion** (*integer*) -- Specifies that you want to updated the permissions for only those resource shares that use the specified version of the managed permission. * **toPermissionArn** (*string*) -- **[REQUIRED]** Specifies the ARN of the managed permission that you want to associate with resource shares in place of the one specified by "fromPerssionArn" and "fromPermissionVersion". The operation always associates the version that is currently the default for the specified managed permission. * **clientToken** (*string*) -- Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value.. If you don't provide this value, then Amazon Web Services generates a random one for you. If you retry the operation with the same "ClientToken", but with different parameters, the retry fails with an "IdempotentParameterMismatch" error. Return type: dict Returns: **Response Syntax** { 'replacePermissionAssociationsWork': { 'id': 'string', 'fromPermissionArn': 'string', 'fromPermissionVersion': 'string', 'toPermissionArn': 'string', 'toPermissionVersion': 'string', 'status': 'IN_PROGRESS'|'COMPLETED'|'FAILED', 'statusMessage': 'string', 'creationTime': datetime(2015, 1, 1), 'lastUpdatedTime': datetime(2015, 1, 1) }, 'clientToken': 'string' } **Response Structure** * *(dict) --* * **replacePermissionAssociationsWork** *(dict) --* Specifies a data structure that you can use to track the asynchronous tasks that RAM performs to complete this operation. You can use the ListReplacePermissionAssociationsWork operation and pass the "id" value returned in this structure. * **id** *(string) --* The unique identifier for the background task associated with one ReplacePermissionAssociations request. * **fromPermissionArn** *(string) --* The Amazon Resource Name (ARN) of the managed permission that this background task is replacing. * **fromPermissionVersion** *(string) --* The version of the managed permission that this background task is replacing. * **toPermissionArn** *(string) --* The ARN of the managed permission that this background task is associating with the resource shares in place of the managed permission and version specified in "fromPermissionArn" and "fromPermissionVersion". * **toPermissionVersion** *(string) --* The version of the managed permission that this background task is associating with the resource shares. This is always the version that is currently the default for this managed permission. * **status** *(string) --* Specifies the current status of the background tasks for the specified ID. The output is one of the following strings: * "IN_PROGRESS" * "COMPLETED" * "FAILED" * **statusMessage** *(string) --* Specifies the reason for a "FAILED" status. This field is present only when there "status" is "FAILED". * **creationTime** *(datetime) --* The date and time when this asynchronous background task was created. * **lastUpdatedTime** *(datetime) --* The date and time when the status of this background task was last updated. * **clientToken** *(string) --* The idempotency identifier associated with this request. If you want to repeat the same operation in an idempotent manner then you must include this value in the "clientToken" request parameter of that later call. All other parameters must also have the same values that you used in the first call. **Exceptions** * "RAM.Client.exceptions.MalformedArnException" * "RAM.Client.exceptions.InvalidParameterException" * "RAM.Client.exceptions.ServerInternalException" * "RAM.Client.exceptions.ServiceUnavailableException" * "RAM.Client.exceptions.OperationNotPermittedException" * "RAM.Client.exceptions.UnknownResourceException" * "RAM.Client.exceptions.InvalidClientTokenException" * "RAM.Client.exceptions.IdempotentParameterMismatchException" RAM / Client / accept_resource_share_invitation accept_resource_share_invitation ******************************** RAM.Client.accept_resource_share_invitation(**kwargs) Accepts an invitation to a resource share from another Amazon Web Services account. After you accept the invitation, the resources included in the resource share are available to interact with in the relevant Amazon Web Services Management Consoles and tools. See also: AWS API Documentation **Request Syntax** response = client.accept_resource_share_invitation( resourceShareInvitationArn='string', clientToken='string' ) Parameters: * **resourceShareInvitationArn** (*string*) -- **[REQUIRED]** The Amazon Resource Name (ARN) of the invitation that you want to accept. * **clientToken** (*string*) -- Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value.. If you don't provide this value, then Amazon Web Services generates a random one for you. If you retry the operation with the same "ClientToken", but with different parameters, the retry fails with an "IdempotentParameterMismatch" error. Return type: dict Returns: **Response Syntax** { 'resourceShareInvitation': { 'resourceShareInvitationArn': 'string', 'resourceShareName': 'string', 'resourceShareArn': 'string', 'senderAccountId': 'string', 'receiverAccountId': 'string', 'invitationTimestamp': datetime(2015, 1, 1), 'status': 'PENDING'|'ACCEPTED'|'REJECTED'|'EXPIRED', 'resourceShareAssociations': [ { 'resourceShareArn': 'string', 'resourceShareName': 'string', 'associatedEntity': 'string', 'associationType': 'PRINCIPAL'|'RESOURCE', 'status': 'ASSOCIATING'|'ASSOCIATED'|'FAILED'|'DISASSOCIATING'|'DISASSOCIATED', 'statusMessage': 'string', 'creationTime': datetime(2015, 1, 1), 'lastUpdatedTime': datetime(2015, 1, 1), 'external': True|False }, ], 'receiverArn': 'string' }, 'clientToken': 'string' } **Response Structure** * *(dict) --* * **resourceShareInvitation** *(dict) --* An object that contains information about the specified invitation. * **resourceShareInvitationArn** *(string) --* The Amazon Resource Name (ARN) of the invitation. * **resourceShareName** *(string) --* The name of the resource share. * **resourceShareArn** *(string) --* The Amazon Resource Name (ARN) of the resource share * **senderAccountId** *(string) --* The ID of the Amazon Web Services account that sent the invitation. * **receiverAccountId** *(string) --* The ID of the Amazon Web Services account that received the invitation. * **invitationTimestamp** *(datetime) --* The date and time when the invitation was sent. * **status** *(string) --* The current status of the invitation. * **resourceShareAssociations** *(list) --* To view the resources associated with a pending resource share invitation, use ListPendingInvitationResources. * *(dict) --* Describes an association between a resource share and either a principal or a resource. * **resourceShareArn** *(string) --* The Amazon Resource Name (ARN) of the resource share. * **resourceShareName** *(string) --* The name of the resource share. * **associatedEntity** *(string) --* The associated entity. This can be either of the following: * For a resource association, this is the Amazon Resource Name (ARN) of the resource. * For principal associations, this is one of the following: * The ID of an Amazon Web Services account * The Amazon Resource Name (ARN) of an organization in Organizations * The ARN of an organizational unit (OU) in Organizations * The ARN of an IAM role * The ARN of an IAM user * **associationType** *(string) --* The type of entity included in this association. * **status** *(string) --* The current status of the association. * **statusMessage** *(string) --* A message about the status of the association. * **creationTime** *(datetime) --* The date and time when the association was created. * **lastUpdatedTime** *(datetime) --* The date and time when the association was last updated. * **external** *(boolean) --* Indicates whether the principal belongs to the same organization in Organizations as the Amazon Web Services account that owns the resource share. * **receiverArn** *(string) --* The Amazon Resource Name (ARN) of the IAM user or role that received the invitation. * **clientToken** *(string) --* The idempotency identifier associated with this request. If you want to repeat the same operation in an idempotent manner then you must include this value in the "clientToken" request parameter of that later call. All other parameters must also have the same values that you used in the first call. **Exceptions** * "RAM.Client.exceptions.MalformedArnException" * "RAM.Client.exceptions.OperationNotPermittedException" * "RAM.Client.exceptions.ResourceShareInvitationArnNotFoundExcepti on" * "RAM.Client.exceptions.ResourceShareInvitationAlreadyAcceptedExc eption" * "RAM.Client.exceptions.ResourceShareInvitationAlreadyRejectedExc eption" * "RAM.Client.exceptions.ResourceShareInvitationExpiredException" * "RAM.Client.exceptions.ServerInternalException" * "RAM.Client.exceptions.ServiceUnavailableException" * "RAM.Client.exceptions.InvalidClientTokenException" * "RAM.Client.exceptions.IdempotentParameterMismatchException" RAM / Client / list_pending_invitation_resources list_pending_invitation_resources ********************************* RAM.Client.list_pending_invitation_resources(**kwargs) Lists the resources in a resource share that is shared with you but for which the invitation is still "PENDING". That means that you haven't accepted or rejected the invitation and the invitation hasn't expired. See also: AWS API Documentation **Request Syntax** response = client.list_pending_invitation_resources( resourceShareInvitationArn='string', nextToken='string', maxResults=123, resourceRegionScope='ALL'|'REGIONAL'|'GLOBAL' ) Parameters: * **resourceShareInvitationArn** (*string*) -- **[REQUIRED]** Specifies the Amazon Resource Name (ARN) of the invitation. You can use GetResourceShareInvitations to find the ARN of the invitation. * **nextToken** (*string*) -- Specifies that you want to receive the next page of results. Valid only if you received a "NextToken" response in the previous request. If you did, it indicates that more output is available. Set this parameter to the value provided by the previous call's "NextToken" response to request the next page of results. * **maxResults** (*integer*) -- Specifies the total number of results that you want included on each page of the response. If you do not include this parameter, it defaults to a value that is specific to the operation. If additional items exist beyond the number you specify, the "NextToken" response element is returned with a value (not null). Include the specified value as the "NextToken" request parameter in the next call to the operation to get the next part of the results. Note that the service might return fewer results than the maximum even when there are more results available. You should check "NextToken" after every operation to ensure that you receive all of the results. * **resourceRegionScope** (*string*) -- Specifies that you want the results to include only resources that have the specified scope. * "ALL" – the results include both global and regional resources or resource types. * "GLOBAL" – the results include only global resources or resource types. * "REGIONAL" – the results include only regional resources or resource types. The default value is "ALL". Return type: dict Returns: **Response Syntax** { 'resources': [ { 'arn': 'string', 'type': 'string', 'resourceShareArn': 'string', 'resourceGroupArn': 'string', 'status': 'AVAILABLE'|'ZONAL_RESOURCE_INACCESSIBLE'|'LIMIT_EXCEEDED'|'UNAVAILABLE'|'PENDING', 'statusMessage': 'string', 'creationTime': datetime(2015, 1, 1), 'lastUpdatedTime': datetime(2015, 1, 1), 'resourceRegionScope': 'REGIONAL'|'GLOBAL' }, ], 'nextToken': 'string' } **Response Structure** * *(dict) --* * **resources** *(list) --* An array of objects that contain the information about the resources included the specified resource share. * *(dict) --* Describes a resource associated with a resource share in RAM. * **arn** *(string) --* The Amazon Resource Name (ARN) of the resource. * **type** *(string) --* The resource type. This takes the form of: "service- code": "resource-code", and is case-insensitive. For example, an Amazon EC2 Subnet would be represented by the string "ec2:subnet". * **resourceShareArn** *(string) --* The Amazon Resource Name (ARN) of the resource share this resource is associated with. * **resourceGroupArn** *(string) --* The Amazon Resource Name (ARN) of the resource group. This value is available only if the resource is part of a resource group. * **status** *(string) --* The current status of the resource. * **statusMessage** *(string) --* A message about the status of the resource. * **creationTime** *(datetime) --* The date and time when the resource was associated with the resource share. * **lastUpdatedTime** *(datetime) --* The date an time when the association between the resource and the resource share was last updated. * **resourceRegionScope** *(string) --* Specifies the scope of visibility of this resource: * **REGIONAL** – The resource can be accessed only by using requests that target the Amazon Web Services Region in which the resource exists. * **GLOBAL** – The resource can be accessed from any Amazon Web Services Region. * **nextToken** *(string) --* If present, this value indicates that more output is available than is included in the current response. Use this value in the "NextToken" request parameter in a subsequent call to the operation to get the next part of the output. You should repeat this until the "NextToken" response element comes back as "null". This indicates that this is the last page of results. **Exceptions** * "RAM.Client.exceptions.MalformedArnException" * "RAM.Client.exceptions.InvalidNextTokenException" * "RAM.Client.exceptions.InvalidParameterException" * "RAM.Client.exceptions.ServerInternalException" * "RAM.Client.exceptions.ServiceUnavailableException" * "RAM.Client.exceptions.ResourceShareInvitationArnNotFoundExcepti on" * "RAM.Client.exceptions.MissingRequiredParameterException" * "RAM.Client.exceptions.ResourceShareInvitationAlreadyRejectedExc eption" * "RAM.Client.exceptions.ResourceShareInvitationExpiredException" RAM / Client / list_replace_permission_associations_work list_replace_permission_associations_work ***************************************** RAM.Client.list_replace_permission_associations_work(**kwargs) Retrieves the current status of the asynchronous tasks performed by RAM when you perform the ReplacePermissionAssociationsWork operation. See also: AWS API Documentation **Request Syntax** response = client.list_replace_permission_associations_work( workIds=[ 'string', ], status='IN_PROGRESS'|'COMPLETED'|'FAILED', nextToken='string', maxResults=123 ) Parameters: * **workIds** (*list*) -- A list of IDs. These values come from the >>``<>``<:" and is not case sensitive. For example, to specify an Amazon EC2 Subnet, you can use the string "ec2:subnet". To see the list of valid values for this parameter, query the ListResourceTypes operation. * **policyTemplate** (*string*) -- **[REQUIRED]** A string in JSON format string that contains the following elements of a resource-based policy: * **Effect**: must be set to "ALLOW". * **Action**: specifies the actions that are allowed by this customer managed permission. The list must contain only actions that are supported by the specified resource type. For a list of all actions supported by each resource type, see Actions, resources, and condition keys for Amazon Web Services services in the *Identity and Access Management User Guide*. * **Condition**: (optional) specifies conditional parameters that must evaluate to true when a user attempts an action for that action to be allowed. For more information about the Condition element, see IAM policies: Condition element in the *Identity and Access Management User Guide*. This template can't include either the "Resource" or "Principal" elements. Those are both filled in by RAM when it instantiates the resource-based policy on each resource shared using this managed permission. The "Resource" comes from the ARN of the specific resource that you are sharing. The "Principal" comes from the list of identities added to the resource share. * **clientToken** (*string*) -- Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value.. If you don't provide this value, then Amazon Web Services generates a random one for you. If you retry the operation with the same "ClientToken", but with different parameters, the retry fails with an "IdempotentParameterMismatch" error. * **tags** (*list*) -- Specifies a list of one or more tag key and value pairs to attach to the permission. * *(dict) --* A structure containing a tag. A tag is metadata that you can attach to your resources to help organize and categorize them. You can also use them to help you secure your resources. For more information, see Controlling access to Amazon Web Services resources using tags. For more information about tags, see Tagging Amazon Web Services resources in the *Amazon Web Services General Reference Guide*. * **key** *(string) --* The key, or name, attached to the tag. Every tag must have a key. Key names are case sensitive. * **value** *(string) --* The string value attached to the tag. The value can be an empty string. Key values are case sensitive. Return type: dict Returns: **Response Syntax** { 'permission': { 'arn': 'string', 'version': 'string', 'defaultVersion': True|False, 'name': 'string', 'resourceType': 'string', 'status': 'string', 'creationTime': datetime(2015, 1, 1), 'lastUpdatedTime': datetime(2015, 1, 1), 'isResourceTypeDefault': True|False, 'permissionType': 'CUSTOMER_MANAGED'|'AWS_MANAGED', 'featureSet': 'CREATED_FROM_POLICY'|'PROMOTING_TO_STANDARD'|'STANDARD', 'tags': [ { 'key': 'string', 'value': 'string' }, ] }, 'clientToken': 'string' } **Response Structure** * *(dict) --* * **permission** *(dict) --* A structure with information about this customer managed permission. * **arn** *(string) --* The Amazon Resource Name (ARN) of the permission you want information about. * **version** *(string) --* The version of the permission associated with this resource share. * **defaultVersion** *(boolean) --* Specifies whether the version of the managed permission used by this resource share is the default version for this managed permission. * **name** *(string) --* The name of this managed permission. * **resourceType** *(string) --* The type of resource to which this permission applies. This takes the form of: "service-code": "resource-code", and is case-insensitive. For example, an Amazon EC2 Subnet would be represented by the string "ec2:subnet". * **status** *(string) --* The current status of the permission. * **creationTime** *(datetime) --* The date and time when the permission was created. * **lastUpdatedTime** *(datetime) --* The date and time when the permission was last updated. * **isResourceTypeDefault** *(boolean) --* Specifies whether the managed permission associated with this resource share is the default managed permission for all resources of this resource type. * **permissionType** *(string) --* The type of managed permission. This can be one of the following values: * "AWS_MANAGED" – Amazon Web Services created and manages this managed permission. You can associate it with your resource shares, but you can't modify it. * "CUSTOMER_MANAGED" – You, or another principal in your account created this managed permission. You can associate it with your resource shares and create new versions that have different permissions. * **featureSet** *(string) --* Indicates what features are available for this resource share. This parameter can have one of the following values: * **STANDARD** – A resource share that supports all functionality. These resource shares are visible to all principals you share the resource share with. You can modify these resource shares in RAM using the console or APIs. This resource share might have been created by RAM, or it might have been **CREATED_FROM_POLICY** and then promoted. * **CREATED_FROM_POLICY** – The customer manually shared a resource by attaching a resource-based policy. That policy did not match any existing managed permissions, so RAM created this customer managed permission automatically on the customer's behalf based on the attached policy document. This type of resource share is visible only to the Amazon Web Services account that created it. You can't modify it in RAM unless you promote it. For more information, see PromoteResourceShareCreatedFromPolicy. * **PROMOTING_TO_STANDARD** – This resource share was originally "CREATED_FROM_POLICY", but the customer ran the PromoteResourceShareCreatedFromPolicy and that operation is still in progress. This value changes to "STANDARD" when complete. * **tags** *(list) --* A list of the tag key value pairs currently attached to the permission. * *(dict) --* A structure containing a tag. A tag is metadata that you can attach to your resources to help organize and categorize them. You can also use them to help you secure your resources. For more information, see Controlling access to Amazon Web Services resources using tags. For more information about tags, see Tagging Amazon Web Services resources in the *Amazon Web Services General Reference Guide*. * **key** *(string) --* The key, or name, attached to the tag. Every tag must have a key. Key names are case sensitive. * **value** *(string) --* The string value attached to the tag. The value can be an empty string. Key values are case sensitive. * **clientToken** *(string) --* The idempotency identifier associated with this request. If you want to repeat the same operation in an idempotent manner then you must include this value in the "clientToken" request parameter of that later call. All other parameters must also have the same values that you used in the first call. **Exceptions** * "RAM.Client.exceptions.InvalidParameterException" * "RAM.Client.exceptions.InvalidPolicyException" * "RAM.Client.exceptions.OperationNotPermittedException" * "RAM.Client.exceptions.ServerInternalException" * "RAM.Client.exceptions.ServiceUnavailableException" * "RAM.Client.exceptions.PermissionAlreadyExistsException" * "RAM.Client.exceptions.MalformedPolicyTemplateException" * "RAM.Client.exceptions.InvalidClientTokenException" * "RAM.Client.exceptions.PermissionLimitExceededException" * "RAM.Client.exceptions.IdempotentParameterMismatchException" RAM / Client / list_principals list_principals *************** RAM.Client.list_principals(**kwargs) Lists the principals that you are sharing resources with or that are sharing resources with you. See also: AWS API Documentation **Request Syntax** response = client.list_principals( resourceOwner='SELF'|'OTHER-ACCOUNTS', resourceArn='string', principals=[ 'string', ], resourceType='string', resourceShareArns=[ 'string', ], nextToken='string', maxResults=123 ) Parameters: * **resourceOwner** (*string*) -- **[REQUIRED]** Specifies that you want to list information for only resource shares that match the following: * "SELF" – principals that your account is sharing resources with * "OTHER-ACCOUNTS" – principals that are sharing resources with your account * **resourceArn** (*string*) -- Specifies that you want to list principal information for the resource share with the specified Amazon Resource Name (ARN). * **principals** (*list*) -- Specifies that you want to list information for only the listed principals. You can include the following values: * An Amazon Web Services account ID, for example: "123456789012" * An Amazon Resource Name (ARN) of an organization in Organizations, for example: "organizations::123456789012:organization/o-exampleorgid" * An ARN of an organizational unit (OU) in Organizations, for example: "organizations::123456789012:ou/o-exampleorgid/ou- examplerootid-exampleouid123" * An ARN of an IAM role, for example: "iam::123456789012:role/rolename" * An ARN of an IAM user, for example: "iam::123456789012user/username" Note: Not all resource types can be shared with IAM roles and users. For more information, see Sharing with IAM roles and users in the *Resource Access Manager User Guide*. * *(string) --* * **resourceType** (*string*) -- Specifies that you want to list information for only principals associated with resource shares that include the specified resource type. For a list of valid values, query the ListResourceTypes operation. * **resourceShareArns** (*list*) -- Specifies that you want to list information for only principals associated with the resource shares specified by a list the Amazon Resource Names (ARNs). * *(string) --* * **nextToken** (*string*) -- Specifies that you want to receive the next page of results. Valid only if you received a "NextToken" response in the previous request. If you did, it indicates that more output is available. Set this parameter to the value provided by the previous call's "NextToken" response to request the next page of results. * **maxResults** (*integer*) -- Specifies the total number of results that you want included on each page of the response. If you do not include this parameter, it defaults to a value that is specific to the operation. If additional items exist beyond the number you specify, the "NextToken" response element is returned with a value (not null). Include the specified value as the "NextToken" request parameter in the next call to the operation to get the next part of the results. Note that the service might return fewer results than the maximum even when there are more results available. You should check "NextToken" after every operation to ensure that you receive all of the results. Return type: dict Returns: **Response Syntax** { 'principals': [ { 'id': 'string', 'resourceShareArn': 'string', 'creationTime': datetime(2015, 1, 1), 'lastUpdatedTime': datetime(2015, 1, 1), 'external': True|False }, ], 'nextToken': 'string' } **Response Structure** * *(dict) --* * **principals** *(list) --* An array of objects that contain the details about the principals. * *(dict) --* Describes a principal for use with Resource Access Manager. * **id** *(string) --* The ID of the principal that can be associated with a resource share. * **resourceShareArn** *(string) --* The Amazon Resource Name (ARN) of a resource share the principal is associated with. * **creationTime** *(datetime) --* The date and time when the principal was associated with the resource share. * **lastUpdatedTime** *(datetime) --* The date and time when the association between the resource share and the principal was last updated. * **external** *(boolean) --* Indicates the relationship between the Amazon Web Services account the principal belongs to and the account that owns the resource share: * "True" – The two accounts belong to same organization. * "False" – The two accounts do not belong to the same organization. * **nextToken** *(string) --* If present, this value indicates that more output is available than is included in the current response. Use this value in the "NextToken" request parameter in a subsequent call to the operation to get the next part of the output. You should repeat this until the "NextToken" response element comes back as "null". This indicates that this is the last page of results. **Exceptions** * "RAM.Client.exceptions.MalformedArnException" * "RAM.Client.exceptions.UnknownResourceException" * "RAM.Client.exceptions.InvalidNextTokenException" * "RAM.Client.exceptions.InvalidParameterException" * "RAM.Client.exceptions.ServerInternalException" * "RAM.Client.exceptions.ServiceUnavailableException" RAM / Client / reject_resource_share_invitation reject_resource_share_invitation ******************************** RAM.Client.reject_resource_share_invitation(**kwargs) Rejects an invitation to a resource share from another Amazon Web Services account. See also: AWS API Documentation **Request Syntax** response = client.reject_resource_share_invitation( resourceShareInvitationArn='string', clientToken='string' ) Parameters: * **resourceShareInvitationArn** (*string*) -- **[REQUIRED]** Specifies the Amazon Resource Name (ARN) of the invitation that you want to reject. * **clientToken** (*string*) -- Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value.. If you don't provide this value, then Amazon Web Services generates a random one for you. If you retry the operation with the same "ClientToken", but with different parameters, the retry fails with an "IdempotentParameterMismatch" error. Return type: dict Returns: **Response Syntax** { 'resourceShareInvitation': { 'resourceShareInvitationArn': 'string', 'resourceShareName': 'string', 'resourceShareArn': 'string', 'senderAccountId': 'string', 'receiverAccountId': 'string', 'invitationTimestamp': datetime(2015, 1, 1), 'status': 'PENDING'|'ACCEPTED'|'REJECTED'|'EXPIRED', 'resourceShareAssociations': [ { 'resourceShareArn': 'string', 'resourceShareName': 'string', 'associatedEntity': 'string', 'associationType': 'PRINCIPAL'|'RESOURCE', 'status': 'ASSOCIATING'|'ASSOCIATED'|'FAILED'|'DISASSOCIATING'|'DISASSOCIATED', 'statusMessage': 'string', 'creationTime': datetime(2015, 1, 1), 'lastUpdatedTime': datetime(2015, 1, 1), 'external': True|False }, ], 'receiverArn': 'string' }, 'clientToken': 'string' } **Response Structure** * *(dict) --* * **resourceShareInvitation** *(dict) --* An object that contains the details about the rejected invitation. * **resourceShareInvitationArn** *(string) --* The Amazon Resource Name (ARN) of the invitation. * **resourceShareName** *(string) --* The name of the resource share. * **resourceShareArn** *(string) --* The Amazon Resource Name (ARN) of the resource share * **senderAccountId** *(string) --* The ID of the Amazon Web Services account that sent the invitation. * **receiverAccountId** *(string) --* The ID of the Amazon Web Services account that received the invitation. * **invitationTimestamp** *(datetime) --* The date and time when the invitation was sent. * **status** *(string) --* The current status of the invitation. * **resourceShareAssociations** *(list) --* To view the resources associated with a pending resource share invitation, use ListPendingInvitationResources. * *(dict) --* Describes an association between a resource share and either a principal or a resource. * **resourceShareArn** *(string) --* The Amazon Resource Name (ARN) of the resource share. * **resourceShareName** *(string) --* The name of the resource share. * **associatedEntity** *(string) --* The associated entity. This can be either of the following: * For a resource association, this is the Amazon Resource Name (ARN) of the resource. * For principal associations, this is one of the following: * The ID of an Amazon Web Services account * The Amazon Resource Name (ARN) of an organization in Organizations * The ARN of an organizational unit (OU) in Organizations * The ARN of an IAM role * The ARN of an IAM user * **associationType** *(string) --* The type of entity included in this association. * **status** *(string) --* The current status of the association. * **statusMessage** *(string) --* A message about the status of the association. * **creationTime** *(datetime) --* The date and time when the association was created. * **lastUpdatedTime** *(datetime) --* The date and time when the association was last updated. * **external** *(boolean) --* Indicates whether the principal belongs to the same organization in Organizations as the Amazon Web Services account that owns the resource share. * **receiverArn** *(string) --* The Amazon Resource Name (ARN) of the IAM user or role that received the invitation. * **clientToken** *(string) --* The idempotency identifier associated with this request. If you want to repeat the same operation in an idempotent manner then you must include this value in the "clientToken" request parameter of that later call. All other parameters must also have the same values that you used in the first call. **Exceptions** * "RAM.Client.exceptions.MalformedArnException" * "RAM.Client.exceptions.OperationNotPermittedException" * "RAM.Client.exceptions.ResourceShareInvitationArnNotFoundExcepti on" * "RAM.Client.exceptions.ResourceShareInvitationAlreadyAcceptedExc eption" * "RAM.Client.exceptions.ResourceShareInvitationAlreadyRejectedExc eption" * "RAM.Client.exceptions.ResourceShareInvitationExpiredException" * "RAM.Client.exceptions.ServerInternalException" * "RAM.Client.exceptions.ServiceUnavailableException" * "RAM.Client.exceptions.InvalidClientTokenException" * "RAM.Client.exceptions.IdempotentParameterMismatchException" RAM / Client / list_permissions list_permissions **************** RAM.Client.list_permissions(**kwargs) Retrieves a list of available RAM permissions that you can use for the supported resource types. See also: AWS API Documentation **Request Syntax** response = client.list_permissions( resourceType='string', nextToken='string', maxResults=123, permissionType='ALL'|'AWS_MANAGED'|'CUSTOMER_MANAGED' ) Parameters: * **resourceType** (*string*) -- Specifies that you want to list only those permissions that apply to the specified resource type. This parameter is not case sensitive. For example, to list only permissions that apply to Amazon EC2 subnets, specify "ec2:subnet". You can use the ListResourceTypes operation to get the specific string required. * **nextToken** (*string*) -- Specifies that you want to receive the next page of results. Valid only if you received a "NextToken" response in the previous request. If you did, it indicates that more output is available. Set this parameter to the value provided by the previous call's "NextToken" response to request the next page of results. * **maxResults** (*integer*) -- Specifies the total number of results that you want included on each page of the response. If you do not include this parameter, it defaults to a value that is specific to the operation. If additional items exist beyond the number you specify, the "NextToken" response element is returned with a value (not null). Include the specified value as the "NextToken" request parameter in the next call to the operation to get the next part of the results. Note that the service might return fewer results than the maximum even when there are more results available. You should check "NextToken" after every operation to ensure that you receive all of the results. * **permissionType** (*string*) -- Specifies that you want to list only permissions of this type: * "AWS" – returns only Amazon Web Services managed permissions. * "LOCAL" – returns only customer managed permissions * "ALL" – returns both Amazon Web Services managed permissions and customer managed permissions. If you don't specify this parameter, the default is "All". Return type: dict Returns: **Response Syntax** { 'permissions': [ { 'arn': 'string', 'version': 'string', 'defaultVersion': True|False, 'name': 'string', 'resourceType': 'string', 'status': 'string', 'creationTime': datetime(2015, 1, 1), 'lastUpdatedTime': datetime(2015, 1, 1), 'isResourceTypeDefault': True|False, 'permissionType': 'CUSTOMER_MANAGED'|'AWS_MANAGED', 'featureSet': 'CREATED_FROM_POLICY'|'PROMOTING_TO_STANDARD'|'STANDARD', 'tags': [ { 'key': 'string', 'value': 'string' }, ] }, ], 'nextToken': 'string' } **Response Structure** * *(dict) --* * **permissions** *(list) --* An array of objects with information about the permissions. * *(dict) --* Information about an RAM permission. * **arn** *(string) --* The Amazon Resource Name (ARN) of the permission you want information about. * **version** *(string) --* The version of the permission associated with this resource share. * **defaultVersion** *(boolean) --* Specifies whether the version of the managed permission used by this resource share is the default version for this managed permission. * **name** *(string) --* The name of this managed permission. * **resourceType** *(string) --* The type of resource to which this permission applies. This takes the form of: "service-code": "resource-code", and is case-insensitive. For example, an Amazon EC2 Subnet would be represented by the string "ec2:subnet". * **status** *(string) --* The current status of the permission. * **creationTime** *(datetime) --* The date and time when the permission was created. * **lastUpdatedTime** *(datetime) --* The date and time when the permission was last updated. * **isResourceTypeDefault** *(boolean) --* Specifies whether the managed permission associated with this resource share is the default managed permission for all resources of this resource type. * **permissionType** *(string) --* The type of managed permission. This can be one of the following values: * "AWS_MANAGED" – Amazon Web Services created and manages this managed permission. You can associate it with your resource shares, but you can't modify it. * "CUSTOMER_MANAGED" – You, or another principal in your account created this managed permission. You can associate it with your resource shares and create new versions that have different permissions. * **featureSet** *(string) --* Indicates what features are available for this resource share. This parameter can have one of the following values: * **STANDARD** – A resource share that supports all functionality. These resource shares are visible to all principals you share the resource share with. You can modify these resource shares in RAM using the console or APIs. This resource share might have been created by RAM, or it might have been **CREATED_FROM_POLICY** and then promoted. * **CREATED_FROM_POLICY** – The customer manually shared a resource by attaching a resource-based policy. That policy did not match any existing managed permissions, so RAM created this customer managed permission automatically on the customer's behalf based on the attached policy document. This type of resource share is visible only to the Amazon Web Services account that created it. You can't modify it in RAM unless you promote it. For more information, see PromoteResourceShareCreatedFromPolicy. * **PROMOTING_TO_STANDARD** – This resource share was originally "CREATED_FROM_POLICY", but the customer ran the PromoteResourceShareCreatedFromPolicy and that operation is still in progress. This value changes to "STANDARD" when complete. * **tags** *(list) --* A list of the tag key value pairs currently attached to the permission. * *(dict) --* A structure containing a tag. A tag is metadata that you can attach to your resources to help organize and categorize them. You can also use them to help you secure your resources. For more information, see Controlling access to Amazon Web Services resources using tags. For more information about tags, see Tagging Amazon Web Services resources in the *Amazon Web Services General Reference Guide*. * **key** *(string) --* The key, or name, attached to the tag. Every tag must have a key. Key names are case sensitive. * **value** *(string) --* The string value attached to the tag. The value can be an empty string. Key values are case sensitive. * **nextToken** *(string) --* If present, this value indicates that more output is available than is included in the current response. Use this value in the "NextToken" request parameter in a subsequent call to the operation to get the next part of the output. You should repeat this until the "NextToken" response element comes back as "null". This indicates that this is the last page of results. **Exceptions** * "RAM.Client.exceptions.InvalidParameterException" * "RAM.Client.exceptions.InvalidNextTokenException" * "RAM.Client.exceptions.ServerInternalException" * "RAM.Client.exceptions.ServiceUnavailableException" * "RAM.Client.exceptions.OperationNotPermittedException" RAM / Client / tag_resource tag_resource ************ RAM.Client.tag_resource(**kwargs) Adds the specified tag keys and values to a resource share or managed permission. If you choose a resource share, the tags are attached to only the resource share, not to the resources that are in the resource share. The tags on a managed permission are the same for all versions of the managed permission. See also: AWS API Documentation **Request Syntax** response = client.tag_resource( resourceShareArn='string', tags=[ { 'key': 'string', 'value': 'string' }, ], resourceArn='string' ) Parameters: * **resourceShareArn** (*string*) -- Specifies the Amazon Resource Name (ARN) of the resource share that you want to add tags to. You must specify *either* "resourceShareArn", or "resourceArn", but not both. * **tags** (*list*) -- **[REQUIRED]** A list of one or more tag key and value pairs. The tag key must be present and not be an empty string. The tag value must be present but can be an empty string. * *(dict) --* A structure containing a tag. A tag is metadata that you can attach to your resources to help organize and categorize them. You can also use them to help you secure your resources. For more information, see Controlling access to Amazon Web Services resources using tags. For more information about tags, see Tagging Amazon Web Services resources in the *Amazon Web Services General Reference Guide*. * **key** *(string) --* The key, or name, attached to the tag. Every tag must have a key. Key names are case sensitive. * **value** *(string) --* The string value attached to the tag. The value can be an empty string. Key values are case sensitive. * **resourceArn** (*string*) -- Specifies the Amazon Resource Name (ARN) of the managed permission that you want to add tags to. You must specify *either* "resourceArn", or "resourceShareArn", but not both. Return type: dict Returns: **Response Syntax** {} **Response Structure** * *(dict) --* **Exceptions** * "RAM.Client.exceptions.InvalidParameterException" * "RAM.Client.exceptions.MalformedArnException" * "RAM.Client.exceptions.UnknownResourceException" * "RAM.Client.exceptions.TagLimitExceededException" * "RAM.Client.exceptions.ResourceArnNotFoundException" * "RAM.Client.exceptions.TagPolicyViolationException" * "RAM.Client.exceptions.ServerInternalException" * "RAM.Client.exceptions.ServiceUnavailableException" RAM / Client / promote_permission_created_from_policy promote_permission_created_from_policy ************************************** RAM.Client.promote_permission_created_from_policy(**kwargs) When you attach a resource-based policy to a resource, RAM automatically creates a resource share of "featureSet``= ``CREATED_FROM_POLICY" with a managed permission that has the same IAM permissions as the original resource-based policy. However, this type of managed permission is visible to only the resource share owner, and the associated resource share can't be modified by using RAM. This operation creates a separate, fully manageable customer managed permission that has the same IAM permissions as the original resource-based policy. You can associate this customer managed permission to any resource shares. Before you use PromoteResourceShareCreatedFromPolicy, you should first run this operation to ensure that you have an appropriate customer managed permission that can be associated with the promoted resource share. Note: * The original "CREATED_FROM_POLICY" policy isn't deleted, and resource shares using that original policy aren't automatically updated. * You can't modify a "CREATED_FROM_POLICY" resource share so you can't associate the new customer managed permission by using "ReplacePermsissionAssociations". However, if you use PromoteResourceShareCreatedFromPolicy, that operation automatically associates the fully manageable customer managed permission to the newly promoted "STANDARD" resource share. * After you promote a resource share, if the original "CREATED_FROM_POLICY" managed permission has no other associations to A resource share, then RAM automatically deletes it. See also: AWS API Documentation **Request Syntax** response = client.promote_permission_created_from_policy( permissionArn='string', name='string', clientToken='string' ) Parameters: * **permissionArn** (*string*) -- **[REQUIRED]** Specifies the Amazon Resource Name (ARN) of the "CREATED_FROM_POLICY" permission that you want to promote. You can get this Amazon Resource Name (ARN) by calling the ListResourceSharePermissions operation. * **name** (*string*) -- **[REQUIRED]** Specifies a name for the promoted customer managed permission. * **clientToken** (*string*) -- Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value.. If you don't provide this value, then Amazon Web Services generates a random one for you. If you retry the operation with the same "ClientToken", but with different parameters, the retry fails with an "IdempotentParameterMismatch" error. Return type: dict Returns: **Response Syntax** { 'permission': { 'arn': 'string', 'version': 'string', 'defaultVersion': True|False, 'name': 'string', 'resourceType': 'string', 'status': 'string', 'creationTime': datetime(2015, 1, 1), 'lastUpdatedTime': datetime(2015, 1, 1), 'isResourceTypeDefault': True|False, 'permissionType': 'CUSTOMER_MANAGED'|'AWS_MANAGED', 'featureSet': 'CREATED_FROM_POLICY'|'PROMOTING_TO_STANDARD'|'STANDARD', 'tags': [ { 'key': 'string', 'value': 'string' }, ] }, 'clientToken': 'string' } **Response Structure** * *(dict) --* * **permission** *(dict) --* Information about an RAM permission. * **arn** *(string) --* The Amazon Resource Name (ARN) of the permission you want information about. * **version** *(string) --* The version of the permission associated with this resource share. * **defaultVersion** *(boolean) --* Specifies whether the version of the managed permission used by this resource share is the default version for this managed permission. * **name** *(string) --* The name of this managed permission. * **resourceType** *(string) --* The type of resource to which this permission applies. This takes the form of: "service-code": "resource-code", and is case-insensitive. For example, an Amazon EC2 Subnet would be represented by the string "ec2:subnet". * **status** *(string) --* The current status of the permission. * **creationTime** *(datetime) --* The date and time when the permission was created. * **lastUpdatedTime** *(datetime) --* The date and time when the permission was last updated. * **isResourceTypeDefault** *(boolean) --* Specifies whether the managed permission associated with this resource share is the default managed permission for all resources of this resource type. * **permissionType** *(string) --* The type of managed permission. This can be one of the following values: * "AWS_MANAGED" – Amazon Web Services created and manages this managed permission. You can associate it with your resource shares, but you can't modify it. * "CUSTOMER_MANAGED" – You, or another principal in your account created this managed permission. You can associate it with your resource shares and create new versions that have different permissions. * **featureSet** *(string) --* Indicates what features are available for this resource share. This parameter can have one of the following values: * **STANDARD** – A resource share that supports all functionality. These resource shares are visible to all principals you share the resource share with. You can modify these resource shares in RAM using the console or APIs. This resource share might have been created by RAM, or it might have been **CREATED_FROM_POLICY** and then promoted. * **CREATED_FROM_POLICY** – The customer manually shared a resource by attaching a resource-based policy. That policy did not match any existing managed permissions, so RAM created this customer managed permission automatically on the customer's behalf based on the attached policy document. This type of resource share is visible only to the Amazon Web Services account that created it. You can't modify it in RAM unless you promote it. For more information, see PromoteResourceShareCreatedFromPolicy. * **PROMOTING_TO_STANDARD** – This resource share was originally "CREATED_FROM_POLICY", but the customer ran the PromoteResourceShareCreatedFromPolicy and that operation is still in progress. This value changes to "STANDARD" when complete. * **tags** *(list) --* A list of the tag key value pairs currently attached to the permission. * *(dict) --* A structure containing a tag. A tag is metadata that you can attach to your resources to help organize and categorize them. You can also use them to help you secure your resources. For more information, see Controlling access to Amazon Web Services resources using tags. For more information about tags, see Tagging Amazon Web Services resources in the *Amazon Web Services General Reference Guide*. * **key** *(string) --* The key, or name, attached to the tag. Every tag must have a key. Key names are case sensitive. * **value** *(string) --* The string value attached to the tag. The value can be an empty string. Key values are case sensitive. * **clientToken** *(string) --* The idempotency identifier associated with this request. If you want to repeat the same operation in an idempotent manner then you must include this value in the "clientToken" request parameter of that later call. All other parameters must also have the same values that you used in the first call. **Exceptions** * "RAM.Client.exceptions.MalformedArnException" * "RAM.Client.exceptions.OperationNotPermittedException" * "RAM.Client.exceptions.InvalidParameterException" * "RAM.Client.exceptions.MissingRequiredParameterException" * "RAM.Client.exceptions.ServerInternalException" * "RAM.Client.exceptions.ServiceUnavailableException" * "RAM.Client.exceptions.UnknownResourceException"