IAMRolesAnywhere **************** Client ====== class IAMRolesAnywhere.Client A low-level client representing IAM Roles Anywhere Identity and Access Management Roles Anywhere provides a secure way for your workloads such as servers, containers, and applications that run outside of Amazon Web Services to obtain temporary Amazon Web Services credentials. Your workloads can use the same IAM policies and roles you have for native Amazon Web Services applications to access Amazon Web Services resources. Using IAM Roles Anywhere eliminates the need to manage long-term credentials for workloads running outside of Amazon Web Services. To use IAM Roles Anywhere, your workloads must use X.509 certificates issued by their certificate authority (CA). You register the CA with IAM Roles Anywhere as a trust anchor to establish trust between your public key infrastructure (PKI) and IAM Roles Anywhere. If you don't manage your own PKI system, you can use Private Certificate Authority to create a CA and then use that to establish trust with IAM Roles Anywhere. This guide describes the IAM Roles Anywhere operations that you can call programmatically. For more information about IAM Roles Anywhere, see the IAM Roles Anywhere User Guide. import boto3 client = boto3.client('rolesanywhere') These are the available methods: * can_paginate * close * create_profile * create_trust_anchor * delete_attribute_mapping * delete_crl * delete_profile * delete_trust_anchor * disable_crl * disable_profile * disable_trust_anchor * enable_crl * enable_profile * enable_trust_anchor * get_crl * get_paginator * get_profile * get_subject * get_trust_anchor * get_waiter * import_crl * list_crls * list_profiles * list_subjects * list_tags_for_resource * list_trust_anchors * put_attribute_mapping * put_notification_settings * reset_notification_settings * tag_resource * untag_resource * update_crl * update_profile * update_trust_anchor Paginators ========== Paginators are available on a client instance via the "get_paginator" method. For more detailed instructions and examples on the usage of paginators, see the paginators user guide. The available paginators are: * ListCrls * ListProfiles * ListSubjects * ListTrustAnchors IAMRolesAnywhere / Paginator / ListCrls ListCrls ******** class IAMRolesAnywhere.Paginator.ListCrls paginator = client.get_paginator('list_crls') paginate(**kwargs) Creates an iterator that will paginate through responses from "IAMRolesAnywhere.Client.list_crls()". See also: AWS API Documentation **Request Syntax** response_iterator = paginator.paginate( pageSize=123, PaginationConfig={ 'MaxItems': 123, 'StartingToken': 'string' } ) Parameters: * **pageSize** (*integer*) -- The number of resources in the paginated list. * **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination. * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination. * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response. Return type: dict Returns: **Response Syntax** { 'crls': [ { 'createdAt': datetime(2015, 1, 1), 'crlArn': 'string', 'crlData': b'bytes', 'crlId': 'string', 'enabled': True|False, 'name': 'string', 'trustAnchorArn': 'string', 'updatedAt': datetime(2015, 1, 1) }, ], 'NextToken': 'string' } **Response Structure** * *(dict) --* * **crls** *(list) --* A list of certificate revocation lists (CRL). * *(dict) --* The state of the certificate revocation list (CRL) after a read or write operation. * **createdAt** *(datetime) --* The ISO-8601 timestamp when the certificate revocation list (CRL) was created. * **crlArn** *(string) --* The ARN of the certificate revocation list (CRL). * **crlData** *(bytes) --* The state of the certificate revocation list (CRL) after a read or write operation. * **crlId** *(string) --* The unique identifier of the certificate revocation list (CRL). * **enabled** *(boolean) --* Indicates whether the certificate revocation list (CRL) is enabled. * **name** *(string) --* The name of the certificate revocation list (CRL). * **trustAnchorArn** *(string) --* The ARN of the TrustAnchor the certificate revocation list (CRL) will provide revocation for. * **updatedAt** *(datetime) --* The ISO-8601 timestamp when the certificate revocation list (CRL) was last updated. * **NextToken** *(string) --* A token to resume pagination. IAMRolesAnywhere / Paginator / ListTrustAnchors ListTrustAnchors **************** class IAMRolesAnywhere.Paginator.ListTrustAnchors paginator = client.get_paginator('list_trust_anchors') paginate(**kwargs) Creates an iterator that will paginate through responses from "IAMRolesAnywhere.Client.list_trust_anchors()". See also: AWS API Documentation **Request Syntax** response_iterator = paginator.paginate( pageSize=123, PaginationConfig={ 'MaxItems': 123, 'StartingToken': 'string' } ) Parameters: * **pageSize** (*integer*) -- The number of resources in the paginated list. * **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination. * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination. * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response. Return type: dict Returns: **Response Syntax** { 'trustAnchors': [ { 'createdAt': datetime(2015, 1, 1), 'enabled': True|False, 'name': 'string', 'notificationSettings': [ { 'channel': 'ALL', 'configuredBy': 'string', 'enabled': True|False, 'event': 'CA_CERTIFICATE_EXPIRY'|'END_ENTITY_CERTIFICATE_EXPIRY', 'threshold': 123 }, ], 'source': { 'sourceData': { 'acmPcaArn': 'string', 'x509CertificateData': 'string' }, 'sourceType': 'AWS_ACM_PCA'|'CERTIFICATE_BUNDLE'|'SELF_SIGNED_REPOSITORY' }, 'trustAnchorArn': 'string', 'trustAnchorId': 'string', 'updatedAt': datetime(2015, 1, 1) }, ], 'NextToken': 'string' } **Response Structure** * *(dict) --* * **trustAnchors** *(list) --* A list of trust anchors. * *(dict) --* The state of the trust anchor after a read or write operation. * **createdAt** *(datetime) --* The ISO-8601 timestamp when the trust anchor was created. * **enabled** *(boolean) --* Indicates whether the trust anchor is enabled. * **name** *(string) --* The name of the trust anchor. * **notificationSettings** *(list) --* A list of notification settings to be associated to the trust anchor. * *(dict) --* The state of a notification setting. A notification setting includes information such as event name, threshold, status of the notification setting, and the channel to notify. * **channel** *(string) --* The specified channel of notification. IAM Roles Anywhere uses CloudWatch metrics, EventBridge, and Health Dashboard to notify for an event. Note: In the absence of a specific channel, IAM Roles Anywhere applies this setting to 'ALL' channels. * **configuredBy** *(string) --* The principal that configured the notification setting. For default settings configured by IAM Roles Anywhere, the value is "rolesanywhere.amazonaws.com", and for customized notifications settings, it is the respective account ID. * **enabled** *(boolean) --* Indicates whether the notification setting is enabled. * **event** *(string) --* The event to which this notification setting is applied. * **threshold** *(integer) --* The number of days before a notification event. * **source** *(dict) --* The trust anchor type and its related certificate data. * **sourceData** *(dict) --* The data field of the trust anchor depending on its type. Note: This is a Tagged Union structure. Only one of the following top level keys will be set: "acmPcaArn", "x509CertificateData". If a client receives an unknown member it will set "SDK_UNKNOWN_MEMBER" as the top level key, which maps to the name or tag of the unknown member. The structure of "SDK_UNKNOWN_MEMBER" is as follows: 'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'} * **acmPcaArn** *(string) --* The root certificate of the Private Certificate Authority specified by this ARN is used in trust validation for temporary credential requests. Included for trust anchors of type "AWS_ACM_PCA". * **x509CertificateData** *(string) --* The PEM-encoded data for the certificate anchor. Included for trust anchors of type "CERTIFICATE_BUNDLE". * **sourceType** *(string) --* The type of the trust anchor. * **trustAnchorArn** *(string) --* The ARN of the trust anchor. * **trustAnchorId** *(string) --* The unique identifier of the trust anchor. * **updatedAt** *(datetime) --* The ISO-8601 timestamp when the trust anchor was last updated. * **NextToken** *(string) --* A token to resume pagination. IAMRolesAnywhere / Paginator / ListProfiles ListProfiles ************ class IAMRolesAnywhere.Paginator.ListProfiles paginator = client.get_paginator('list_profiles') paginate(**kwargs) Creates an iterator that will paginate through responses from "IAMRolesAnywhere.Client.list_profiles()". See also: AWS API Documentation **Request Syntax** response_iterator = paginator.paginate( pageSize=123, PaginationConfig={ 'MaxItems': 123, 'StartingToken': 'string' } ) Parameters: * **pageSize** (*integer*) -- The number of resources in the paginated list. * **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination. * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination. * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response. Return type: dict Returns: **Response Syntax** { 'profiles': [ { 'acceptRoleSessionName': True|False, 'attributeMappings': [ { 'certificateField': 'x509Subject'|'x509Issuer'|'x509SAN', 'mappingRules': [ { 'specifier': 'string' }, ] }, ], 'createdAt': datetime(2015, 1, 1), 'createdBy': 'string', 'durationSeconds': 123, 'enabled': True|False, 'managedPolicyArns': [ 'string', ], 'name': 'string', 'profileArn': 'string', 'profileId': 'string', 'requireInstanceProperties': True|False, 'roleArns': [ 'string', ], 'sessionPolicy': 'string', 'updatedAt': datetime(2015, 1, 1) }, ], 'NextToken': 'string' } **Response Structure** * *(dict) --* * **profiles** *(list) --* A list of profiles. * *(dict) --* The state of the profile after a read or write operation. * **acceptRoleSessionName** *(boolean) --* Used to determine if a custom role session name will be accepted in a temporary credential request. * **attributeMappings** *(list) --* A mapping applied to the authenticating end-entity certificate. * *(dict) --* A mapping applied to the authenticating end-entity certificate. * **certificateField** *(string) --* Fields (x509Subject, x509Issuer and x509SAN) within X.509 certificates. * **mappingRules** *(list) --* A list of mapping entries for every supported specifier or sub-field. * *(dict) --* A single mapping entry for each supported specifier or sub-field. * **specifier** *(string) --* Specifier within a certificate field, such as CN, OU, or UID from the Subject field. * **createdAt** *(datetime) --* The ISO-8601 timestamp when the profile was created. * **createdBy** *(string) --* The Amazon Web Services account that created the profile. * **durationSeconds** *(integer) --* Used to determine how long sessions vended using this profile are valid for. See the "Expiration" section of the CreateSession API documentation page for more details. In requests, if this value is not provided, the default value will be 3600. * **enabled** *(boolean) --* Indicates whether the profile is enabled. * **managedPolicyArns** *(list) --* A list of managed policy ARNs that apply to the vended session credentials. * *(string) --* * **name** *(string) --* The name of the profile. * **profileArn** *(string) --* The ARN of the profile. * **profileId** *(string) --* The unique identifier of the profile. * **requireInstanceProperties** *(boolean) --* Specifies whether instance properties are required in temporary credential requests with this profile. * **roleArns** *(list) --* A list of IAM roles that this profile can assume in a temporary credential request. * *(string) --* * **sessionPolicy** *(string) --* A session policy that applies to the trust boundary of the vended session credentials. * **updatedAt** *(datetime) --* The ISO-8601 timestamp when the profile was last updated. * **NextToken** *(string) --* A token to resume pagination. IAMRolesAnywhere / Paginator / ListSubjects ListSubjects ************ class IAMRolesAnywhere.Paginator.ListSubjects paginator = client.get_paginator('list_subjects') paginate(**kwargs) Creates an iterator that will paginate through responses from "IAMRolesAnywhere.Client.list_subjects()". See also: AWS API Documentation **Request Syntax** response_iterator = paginator.paginate( pageSize=123, PaginationConfig={ 'MaxItems': 123, 'StartingToken': 'string' } ) Parameters: * **pageSize** (*integer*) -- The number of resources in the paginated list. * **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination. * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination. * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response. Return type: dict Returns: **Response Syntax** { 'subjects': [ { 'createdAt': datetime(2015, 1, 1), 'enabled': True|False, 'lastSeenAt': datetime(2015, 1, 1), 'subjectArn': 'string', 'subjectId': 'string', 'updatedAt': datetime(2015, 1, 1), 'x509Subject': 'string' }, ], 'NextToken': 'string' } **Response Structure** * *(dict) --* * **subjects** *(list) --* A list of subjects. * *(dict) --* A summary representation of subjects. * **createdAt** *(datetime) --* The ISO-8601 time stamp of when the certificate was first used in a temporary credential request. * **enabled** *(boolean) --* The enabled status of the subject. * **lastSeenAt** *(datetime) --* The ISO-8601 time stamp of when the certificate was last used in a temporary credential request. * **subjectArn** *(string) --* The ARN of the resource. * **subjectId** *(string) --* The id of the resource. * **updatedAt** *(datetime) --* The ISO-8601 timestamp when the subject was last updated. * **x509Subject** *(string) --* The x509 principal identifier of the authenticating certificate. * **NextToken** *(string) --* A token to resume pagination. IAMRolesAnywhere / Client / disable_trust_anchor disable_trust_anchor ******************** IAMRolesAnywhere.Client.disable_trust_anchor(**kwargs) Disables a trust anchor. When disabled, temporary credential requests specifying this trust anchor are unauthorized. **Required permissions:** "rolesanywhere:DisableTrustAnchor". See also: AWS API Documentation **Request Syntax** response = client.disable_trust_anchor( trustAnchorId='string' ) Parameters: **trustAnchorId** (*string*) -- **[REQUIRED]** The unique identifier of the trust anchor. Return type: dict Returns: **Response Syntax** { 'trustAnchor': { 'createdAt': datetime(2015, 1, 1), 'enabled': True|False, 'name': 'string', 'notificationSettings': [ { 'channel': 'ALL', 'configuredBy': 'string', 'enabled': True|False, 'event': 'CA_CERTIFICATE_EXPIRY'|'END_ENTITY_CERTIFICATE_EXPIRY', 'threshold': 123 }, ], 'source': { 'sourceData': { 'acmPcaArn': 'string', 'x509CertificateData': 'string' }, 'sourceType': 'AWS_ACM_PCA'|'CERTIFICATE_BUNDLE'|'SELF_SIGNED_REPOSITORY' }, 'trustAnchorArn': 'string', 'trustAnchorId': 'string', 'updatedAt': datetime(2015, 1, 1) } } **Response Structure** * *(dict) --* * **trustAnchor** *(dict) --* The state of the trust anchor after a read or write operation. * **createdAt** *(datetime) --* The ISO-8601 timestamp when the trust anchor was created. * **enabled** *(boolean) --* Indicates whether the trust anchor is enabled. * **name** *(string) --* The name of the trust anchor. * **notificationSettings** *(list) --* A list of notification settings to be associated to the trust anchor. * *(dict) --* The state of a notification setting. A notification setting includes information such as event name, threshold, status of the notification setting, and the channel to notify. * **channel** *(string) --* The specified channel of notification. IAM Roles Anywhere uses CloudWatch metrics, EventBridge, and Health Dashboard to notify for an event. Note: In the absence of a specific channel, IAM Roles Anywhere applies this setting to 'ALL' channels. * **configuredBy** *(string) --* The principal that configured the notification setting. For default settings configured by IAM Roles Anywhere, the value is "rolesanywhere.amazonaws.com", and for customized notifications settings, it is the respective account ID. * **enabled** *(boolean) --* Indicates whether the notification setting is enabled. * **event** *(string) --* The event to which this notification setting is applied. * **threshold** *(integer) --* The number of days before a notification event. * **source** *(dict) --* The trust anchor type and its related certificate data. * **sourceData** *(dict) --* The data field of the trust anchor depending on its type. Note: This is a Tagged Union structure. Only one of the following top level keys will be set: "acmPcaArn", "x509CertificateData". If a client receives an unknown member it will set "SDK_UNKNOWN_MEMBER" as the top level key, which maps to the name or tag of the unknown member. The structure of "SDK_UNKNOWN_MEMBER" is as follows: 'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'} * **acmPcaArn** *(string) --* The root certificate of the Private Certificate Authority specified by this ARN is used in trust validation for temporary credential requests. Included for trust anchors of type "AWS_ACM_PCA". * **x509CertificateData** *(string) --* The PEM-encoded data for the certificate anchor. Included for trust anchors of type "CERTIFICATE_BUNDLE". * **sourceType** *(string) --* The type of the trust anchor. * **trustAnchorArn** *(string) --* The ARN of the trust anchor. * **trustAnchorId** *(string) --* The unique identifier of the trust anchor. * **updatedAt** *(datetime) --* The ISO-8601 timestamp when the trust anchor was last updated. **Exceptions** * "IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException" * "IAMRolesAnywhere.Client.exceptions.AccessDeniedException" IAMRolesAnywhere / Client / get_paginator get_paginator ************* IAMRolesAnywhere.Client.get_paginator(operation_name) Create a paginator for an operation. Parameters: **operation_name** (*string*) -- The operation name. This is the same name as the method name on the client. For example, if the method name is "create_foo", and you'd normally invoke the operation as "client.create_foo(**kwargs)", if the "create_foo" operation can be paginated, you can use the call "client.get_paginator("create_foo")". Raises: **OperationNotPageableError** -- Raised if the operation is not pageable. You can use the "client.can_paginate" method to check if an operation is pageable. Return type: "botocore.paginate.Paginator" Returns: A paginator object. IAMRolesAnywhere / Client / disable_profile disable_profile *************** IAMRolesAnywhere.Client.disable_profile(**kwargs) Disables a profile. When disabled, temporary credential requests with this profile fail. **Required permissions:** "rolesanywhere:DisableProfile". See also: AWS API Documentation **Request Syntax** response = client.disable_profile( profileId='string' ) Parameters: **profileId** (*string*) -- **[REQUIRED]** The unique identifier of the profile. Return type: dict Returns: **Response Syntax** { 'profile': { 'acceptRoleSessionName': True|False, 'attributeMappings': [ { 'certificateField': 'x509Subject'|'x509Issuer'|'x509SAN', 'mappingRules': [ { 'specifier': 'string' }, ] }, ], 'createdAt': datetime(2015, 1, 1), 'createdBy': 'string', 'durationSeconds': 123, 'enabled': True|False, 'managedPolicyArns': [ 'string', ], 'name': 'string', 'profileArn': 'string', 'profileId': 'string', 'requireInstanceProperties': True|False, 'roleArns': [ 'string', ], 'sessionPolicy': 'string', 'updatedAt': datetime(2015, 1, 1) } } **Response Structure** * *(dict) --* * **profile** *(dict) --* The state of the profile after a read or write operation. * **acceptRoleSessionName** *(boolean) --* Used to determine if a custom role session name will be accepted in a temporary credential request. * **attributeMappings** *(list) --* A mapping applied to the authenticating end-entity certificate. * *(dict) --* A mapping applied to the authenticating end-entity certificate. * **certificateField** *(string) --* Fields (x509Subject, x509Issuer and x509SAN) within X.509 certificates. * **mappingRules** *(list) --* A list of mapping entries for every supported specifier or sub-field. * *(dict) --* A single mapping entry for each supported specifier or sub-field. * **specifier** *(string) --* Specifier within a certificate field, such as CN, OU, or UID from the Subject field. * **createdAt** *(datetime) --* The ISO-8601 timestamp when the profile was created. * **createdBy** *(string) --* The Amazon Web Services account that created the profile. * **durationSeconds** *(integer) --* Used to determine how long sessions vended using this profile are valid for. See the "Expiration" section of the CreateSession API documentation page for more details. In requests, if this value is not provided, the default value will be 3600. * **enabled** *(boolean) --* Indicates whether the profile is enabled. * **managedPolicyArns** *(list) --* A list of managed policy ARNs that apply to the vended session credentials. * *(string) --* * **name** *(string) --* The name of the profile. * **profileArn** *(string) --* The ARN of the profile. * **profileId** *(string) --* The unique identifier of the profile. * **requireInstanceProperties** *(boolean) --* Specifies whether instance properties are required in temporary credential requests with this profile. * **roleArns** *(list) --* A list of IAM roles that this profile can assume in a temporary credential request. * *(string) --* * **sessionPolicy** *(string) --* A session policy that applies to the trust boundary of the vended session credentials. * **updatedAt** *(datetime) --* The ISO-8601 timestamp when the profile was last updated. **Exceptions** * "IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException" * "IAMRolesAnywhere.Client.exceptions.AccessDeniedException" IAMRolesAnywhere / Client / put_attribute_mapping put_attribute_mapping ********************* IAMRolesAnywhere.Client.put_attribute_mapping(**kwargs) Put an entry in the attribute mapping rules that will be enforced by a given profile. A mapping specifies a certificate field and one or more specifiers that have contextual meanings. See also: AWS API Documentation **Request Syntax** response = client.put_attribute_mapping( certificateField='x509Subject'|'x509Issuer'|'x509SAN', mappingRules=[ { 'specifier': 'string' }, ], profileId='string' ) Parameters: * **certificateField** (*string*) -- **[REQUIRED]** Fields (x509Subject, x509Issuer and x509SAN) within X.509 certificates. * **mappingRules** (*list*) -- **[REQUIRED]** A list of mapping entries for every supported specifier or sub-field. * *(dict) --* A single mapping entry for each supported specifier or sub- field. * **specifier** *(string) --* **[REQUIRED]** Specifier within a certificate field, such as CN, OU, or UID from the Subject field. * **profileId** (*string*) -- **[REQUIRED]** The unique identifier of the profile. Return type: dict Returns: **Response Syntax** { 'profile': { 'acceptRoleSessionName': True|False, 'attributeMappings': [ { 'certificateField': 'x509Subject'|'x509Issuer'|'x509SAN', 'mappingRules': [ { 'specifier': 'string' }, ] }, ], 'createdAt': datetime(2015, 1, 1), 'createdBy': 'string', 'durationSeconds': 123, 'enabled': True|False, 'managedPolicyArns': [ 'string', ], 'name': 'string', 'profileArn': 'string', 'profileId': 'string', 'requireInstanceProperties': True|False, 'roleArns': [ 'string', ], 'sessionPolicy': 'string', 'updatedAt': datetime(2015, 1, 1) } } **Response Structure** * *(dict) --* * **profile** *(dict) --* The state of the profile after a read or write operation. * **acceptRoleSessionName** *(boolean) --* Used to determine if a custom role session name will be accepted in a temporary credential request. * **attributeMappings** *(list) --* A mapping applied to the authenticating end-entity certificate. * *(dict) --* A mapping applied to the authenticating end-entity certificate. * **certificateField** *(string) --* Fields (x509Subject, x509Issuer and x509SAN) within X.509 certificates. * **mappingRules** *(list) --* A list of mapping entries for every supported specifier or sub-field. * *(dict) --* A single mapping entry for each supported specifier or sub-field. * **specifier** *(string) --* Specifier within a certificate field, such as CN, OU, or UID from the Subject field. * **createdAt** *(datetime) --* The ISO-8601 timestamp when the profile was created. * **createdBy** *(string) --* The Amazon Web Services account that created the profile. * **durationSeconds** *(integer) --* Used to determine how long sessions vended using this profile are valid for. See the "Expiration" section of the CreateSession API documentation page for more details. In requests, if this value is not provided, the default value will be 3600. * **enabled** *(boolean) --* Indicates whether the profile is enabled. * **managedPolicyArns** *(list) --* A list of managed policy ARNs that apply to the vended session credentials. * *(string) --* * **name** *(string) --* The name of the profile. * **profileArn** *(string) --* The ARN of the profile. * **profileId** *(string) --* The unique identifier of the profile. * **requireInstanceProperties** *(boolean) --* Specifies whether instance properties are required in temporary credential requests with this profile. * **roleArns** *(list) --* A list of IAM roles that this profile can assume in a temporary credential request. * *(string) --* * **sessionPolicy** *(string) --* A session policy that applies to the trust boundary of the vended session credentials. * **updatedAt** *(datetime) --* The ISO-8601 timestamp when the profile was last updated. **Exceptions** * "IAMRolesAnywhere.Client.exceptions.ValidationException" * "IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException" * "IAMRolesAnywhere.Client.exceptions.AccessDeniedException" IAMRolesAnywhere / Client / enable_crl enable_crl ********** IAMRolesAnywhere.Client.enable_crl(**kwargs) Enables a certificate revocation list (CRL). When enabled, certificates stored in the CRL are unauthorized to receive session credentials. **Required permissions:** "rolesanywhere:EnableCrl". See also: AWS API Documentation **Request Syntax** response = client.enable_crl( crlId='string' ) Parameters: **crlId** (*string*) -- **[REQUIRED]** The unique identifier of the certificate revocation list (CRL). Return type: dict Returns: **Response Syntax** { 'crl': { 'createdAt': datetime(2015, 1, 1), 'crlArn': 'string', 'crlData': b'bytes', 'crlId': 'string', 'enabled': True|False, 'name': 'string', 'trustAnchorArn': 'string', 'updatedAt': datetime(2015, 1, 1) } } **Response Structure** * *(dict) --* * **crl** *(dict) --* The state of the certificate revocation list (CRL) after a read or write operation. * **createdAt** *(datetime) --* The ISO-8601 timestamp when the certificate revocation list (CRL) was created. * **crlArn** *(string) --* The ARN of the certificate revocation list (CRL). * **crlData** *(bytes) --* The state of the certificate revocation list (CRL) after a read or write operation. * **crlId** *(string) --* The unique identifier of the certificate revocation list (CRL). * **enabled** *(boolean) --* Indicates whether the certificate revocation list (CRL) is enabled. * **name** *(string) --* The name of the certificate revocation list (CRL). * **trustAnchorArn** *(string) --* The ARN of the TrustAnchor the certificate revocation list (CRL) will provide revocation for. * **updatedAt** *(datetime) --* The ISO-8601 timestamp when the certificate revocation list (CRL) was last updated. **Exceptions** * "IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException" * "IAMRolesAnywhere.Client.exceptions.AccessDeniedException" IAMRolesAnywhere / Client / can_paginate can_paginate ************ IAMRolesAnywhere.Client.can_paginate(operation_name) Check if an operation can be paginated. Parameters: **operation_name** (*string*) -- The operation name. This is the same name as the method name on the client. For example, if the method name is "create_foo", and you'd normally invoke the operation as "client.create_foo(**kwargs)", if the "create_foo" operation can be paginated, you can use the call "client.get_paginator("create_foo")". Returns: "True" if the operation can be paginated, "False" otherwise. IAMRolesAnywhere / Client / get_subject get_subject *********** IAMRolesAnywhere.Client.get_subject(**kwargs) Gets a *subject*, which associates a certificate identity with authentication attempts. The subject stores auditing information such as the status of the last authentication attempt, the certificate data used in the attempt, and the last time the associated identity attempted authentication. **Required permissions:** "rolesanywhere:GetSubject". See also: AWS API Documentation **Request Syntax** response = client.get_subject( subjectId='string' ) Parameters: **subjectId** (*string*) -- **[REQUIRED]** The unique identifier of the subject. Return type: dict Returns: **Response Syntax** { 'subject': { 'createdAt': datetime(2015, 1, 1), 'credentials': [ { 'enabled': True|False, 'failed': True|False, 'issuer': 'string', 'seenAt': datetime(2015, 1, 1), 'serialNumber': 'string', 'x509CertificateData': 'string' }, ], 'enabled': True|False, 'instanceProperties': [ { 'failed': True|False, 'properties': { 'string': 'string' }, 'seenAt': datetime(2015, 1, 1) }, ], 'lastSeenAt': datetime(2015, 1, 1), 'subjectArn': 'string', 'subjectId': 'string', 'updatedAt': datetime(2015, 1, 1), 'x509Subject': 'string' } } **Response Structure** * *(dict) --* * **subject** *(dict) --* The state of the subject after a read or write operation. * **createdAt** *(datetime) --* The ISO-8601 timestamp when the subject was created. * **credentials** *(list) --* The temporary session credentials vended at the last authenticating call with this subject. * *(dict) --* A record of a presented X509 credential from a temporary credential request. * **enabled** *(boolean) --* Indicates whether the credential is enabled. * **failed** *(boolean) --* Indicates whether the temporary credential request was successful. * **issuer** *(string) --* The fully qualified domain name of the issuing certificate for the presented end-entity certificate. * **seenAt** *(datetime) --* The ISO-8601 time stamp of when the certificate was last used in a temporary credential request. * **serialNumber** *(string) --* The serial number of the certificate. * **x509CertificateData** *(string) --* The PEM-encoded data of the certificate. * **enabled** *(boolean) --* The enabled status of the subject. * **instanceProperties** *(list) --* The specified instance properties associated with the request. * *(dict) --* A key-value pair you set that identifies a property of the authenticating instance. * **failed** *(boolean) --* Indicates whether the temporary credential request was successful. * **properties** *(dict) --* A list of instanceProperty objects. * *(string) --* * *(string) --* * **seenAt** *(datetime) --* The ISO-8601 time stamp of when the certificate was last used in a temporary credential request. * **lastSeenAt** *(datetime) --* The ISO-8601 timestamp of the last time this subject requested temporary session credentials. * **subjectArn** *(string) --* The ARN of the resource. * **subjectId** *(string) --* The id of the resource * **updatedAt** *(datetime) --* The ISO-8601 timestamp when the subject was last updated. * **x509Subject** *(string) --* The x509 principal identifier of the authenticating certificate. **Exceptions** * "IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException" * "IAMRolesAnywhere.Client.exceptions.AccessDeniedException" IAMRolesAnywhere / Client / enable_trust_anchor enable_trust_anchor ******************* IAMRolesAnywhere.Client.enable_trust_anchor(**kwargs) Enables a trust anchor. When enabled, certificates in the trust anchor chain are authorized for trust validation. **Required permissions:** "rolesanywhere:EnableTrustAnchor". See also: AWS API Documentation **Request Syntax** response = client.enable_trust_anchor( trustAnchorId='string' ) Parameters: **trustAnchorId** (*string*) -- **[REQUIRED]** The unique identifier of the trust anchor. Return type: dict Returns: **Response Syntax** { 'trustAnchor': { 'createdAt': datetime(2015, 1, 1), 'enabled': True|False, 'name': 'string', 'notificationSettings': [ { 'channel': 'ALL', 'configuredBy': 'string', 'enabled': True|False, 'event': 'CA_CERTIFICATE_EXPIRY'|'END_ENTITY_CERTIFICATE_EXPIRY', 'threshold': 123 }, ], 'source': { 'sourceData': { 'acmPcaArn': 'string', 'x509CertificateData': 'string' }, 'sourceType': 'AWS_ACM_PCA'|'CERTIFICATE_BUNDLE'|'SELF_SIGNED_REPOSITORY' }, 'trustAnchorArn': 'string', 'trustAnchorId': 'string', 'updatedAt': datetime(2015, 1, 1) } } **Response Structure** * *(dict) --* * **trustAnchor** *(dict) --* The state of the trust anchor after a read or write operation. * **createdAt** *(datetime) --* The ISO-8601 timestamp when the trust anchor was created. * **enabled** *(boolean) --* Indicates whether the trust anchor is enabled. * **name** *(string) --* The name of the trust anchor. * **notificationSettings** *(list) --* A list of notification settings to be associated to the trust anchor. * *(dict) --* The state of a notification setting. A notification setting includes information such as event name, threshold, status of the notification setting, and the channel to notify. * **channel** *(string) --* The specified channel of notification. IAM Roles Anywhere uses CloudWatch metrics, EventBridge, and Health Dashboard to notify for an event. Note: In the absence of a specific channel, IAM Roles Anywhere applies this setting to 'ALL' channels. * **configuredBy** *(string) --* The principal that configured the notification setting. For default settings configured by IAM Roles Anywhere, the value is "rolesanywhere.amazonaws.com", and for customized notifications settings, it is the respective account ID. * **enabled** *(boolean) --* Indicates whether the notification setting is enabled. * **event** *(string) --* The event to which this notification setting is applied. * **threshold** *(integer) --* The number of days before a notification event. * **source** *(dict) --* The trust anchor type and its related certificate data. * **sourceData** *(dict) --* The data field of the trust anchor depending on its type. Note: This is a Tagged Union structure. Only one of the following top level keys will be set: "acmPcaArn", "x509CertificateData". If a client receives an unknown member it will set "SDK_UNKNOWN_MEMBER" as the top level key, which maps to the name or tag of the unknown member. The structure of "SDK_UNKNOWN_MEMBER" is as follows: 'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'} * **acmPcaArn** *(string) --* The root certificate of the Private Certificate Authority specified by this ARN is used in trust validation for temporary credential requests. Included for trust anchors of type "AWS_ACM_PCA". * **x509CertificateData** *(string) --* The PEM-encoded data for the certificate anchor. Included for trust anchors of type "CERTIFICATE_BUNDLE". * **sourceType** *(string) --* The type of the trust anchor. * **trustAnchorArn** *(string) --* The ARN of the trust anchor. * **trustAnchorId** *(string) --* The unique identifier of the trust anchor. * **updatedAt** *(datetime) --* The ISO-8601 timestamp when the trust anchor was last updated. **Exceptions** * "IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException" * "IAMRolesAnywhere.Client.exceptions.AccessDeniedException" IAMRolesAnywhere / Client / list_crls list_crls ********* IAMRolesAnywhere.Client.list_crls(**kwargs) Lists all certificate revocation lists (CRL) in the authenticated account and Amazon Web Services Region. **Required permissions:** "rolesanywhere:ListCrls". See also: AWS API Documentation **Request Syntax** response = client.list_crls( nextToken='string', pageSize=123 ) Parameters: * **nextToken** (*string*) -- A token that indicates where the output should continue from, if a previous request did not show all results. To get the next results, make the request again with this value. * **pageSize** (*integer*) -- The number of resources in the paginated list. Return type: dict Returns: **Response Syntax** { 'crls': [ { 'createdAt': datetime(2015, 1, 1), 'crlArn': 'string', 'crlData': b'bytes', 'crlId': 'string', 'enabled': True|False, 'name': 'string', 'trustAnchorArn': 'string', 'updatedAt': datetime(2015, 1, 1) }, ], 'nextToken': 'string' } **Response Structure** * *(dict) --* * **crls** *(list) --* A list of certificate revocation lists (CRL). * *(dict) --* The state of the certificate revocation list (CRL) after a read or write operation. * **createdAt** *(datetime) --* The ISO-8601 timestamp when the certificate revocation list (CRL) was created. * **crlArn** *(string) --* The ARN of the certificate revocation list (CRL). * **crlData** *(bytes) --* The state of the certificate revocation list (CRL) after a read or write operation. * **crlId** *(string) --* The unique identifier of the certificate revocation list (CRL). * **enabled** *(boolean) --* Indicates whether the certificate revocation list (CRL) is enabled. * **name** *(string) --* The name of the certificate revocation list (CRL). * **trustAnchorArn** *(string) --* The ARN of the TrustAnchor the certificate revocation list (CRL) will provide revocation for. * **updatedAt** *(datetime) --* The ISO-8601 timestamp when the certificate revocation list (CRL) was last updated. * **nextToken** *(string) --* A token that indicates where the output should continue from, if a previous request did not show all results. To get the next results, make the request again with this value. **Exceptions** * "IAMRolesAnywhere.Client.exceptions.ValidationException" * "IAMRolesAnywhere.Client.exceptions.AccessDeniedException" IAMRolesAnywhere / Client / disable_crl disable_crl *********** IAMRolesAnywhere.Client.disable_crl(**kwargs) Disables a certificate revocation list (CRL). **Required permissions:** "rolesanywhere:DisableCrl". See also: AWS API Documentation **Request Syntax** response = client.disable_crl( crlId='string' ) Parameters: **crlId** (*string*) -- **[REQUIRED]** The unique identifier of the certificate revocation list (CRL). Return type: dict Returns: **Response Syntax** { 'crl': { 'createdAt': datetime(2015, 1, 1), 'crlArn': 'string', 'crlData': b'bytes', 'crlId': 'string', 'enabled': True|False, 'name': 'string', 'trustAnchorArn': 'string', 'updatedAt': datetime(2015, 1, 1) } } **Response Structure** * *(dict) --* * **crl** *(dict) --* The state of the certificate revocation list (CRL) after a read or write operation. * **createdAt** *(datetime) --* The ISO-8601 timestamp when the certificate revocation list (CRL) was created. * **crlArn** *(string) --* The ARN of the certificate revocation list (CRL). * **crlData** *(bytes) --* The state of the certificate revocation list (CRL) after a read or write operation. * **crlId** *(string) --* The unique identifier of the certificate revocation list (CRL). * **enabled** *(boolean) --* Indicates whether the certificate revocation list (CRL) is enabled. * **name** *(string) --* The name of the certificate revocation list (CRL). * **trustAnchorArn** *(string) --* The ARN of the TrustAnchor the certificate revocation list (CRL) will provide revocation for. * **updatedAt** *(datetime) --* The ISO-8601 timestamp when the certificate revocation list (CRL) was last updated. **Exceptions** * "IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException" * "IAMRolesAnywhere.Client.exceptions.AccessDeniedException" IAMRolesAnywhere / Client / enable_profile enable_profile ************** IAMRolesAnywhere.Client.enable_profile(**kwargs) Enables temporary credential requests for a profile. **Required permissions:** "rolesanywhere:EnableProfile". See also: AWS API Documentation **Request Syntax** response = client.enable_profile( profileId='string' ) Parameters: **profileId** (*string*) -- **[REQUIRED]** The unique identifier of the profile. Return type: dict Returns: **Response Syntax** { 'profile': { 'acceptRoleSessionName': True|False, 'attributeMappings': [ { 'certificateField': 'x509Subject'|'x509Issuer'|'x509SAN', 'mappingRules': [ { 'specifier': 'string' }, ] }, ], 'createdAt': datetime(2015, 1, 1), 'createdBy': 'string', 'durationSeconds': 123, 'enabled': True|False, 'managedPolicyArns': [ 'string', ], 'name': 'string', 'profileArn': 'string', 'profileId': 'string', 'requireInstanceProperties': True|False, 'roleArns': [ 'string', ], 'sessionPolicy': 'string', 'updatedAt': datetime(2015, 1, 1) } } **Response Structure** * *(dict) --* * **profile** *(dict) --* The state of the profile after a read or write operation. * **acceptRoleSessionName** *(boolean) --* Used to determine if a custom role session name will be accepted in a temporary credential request. * **attributeMappings** *(list) --* A mapping applied to the authenticating end-entity certificate. * *(dict) --* A mapping applied to the authenticating end-entity certificate. * **certificateField** *(string) --* Fields (x509Subject, x509Issuer and x509SAN) within X.509 certificates. * **mappingRules** *(list) --* A list of mapping entries for every supported specifier or sub-field. * *(dict) --* A single mapping entry for each supported specifier or sub-field. * **specifier** *(string) --* Specifier within a certificate field, such as CN, OU, or UID from the Subject field. * **createdAt** *(datetime) --* The ISO-8601 timestamp when the profile was created. * **createdBy** *(string) --* The Amazon Web Services account that created the profile. * **durationSeconds** *(integer) --* Used to determine how long sessions vended using this profile are valid for. See the "Expiration" section of the CreateSession API documentation page for more details. In requests, if this value is not provided, the default value will be 3600. * **enabled** *(boolean) --* Indicates whether the profile is enabled. * **managedPolicyArns** *(list) --* A list of managed policy ARNs that apply to the vended session credentials. * *(string) --* * **name** *(string) --* The name of the profile. * **profileArn** *(string) --* The ARN of the profile. * **profileId** *(string) --* The unique identifier of the profile. * **requireInstanceProperties** *(boolean) --* Specifies whether instance properties are required in temporary credential requests with this profile. * **roleArns** *(list) --* A list of IAM roles that this profile can assume in a temporary credential request. * *(string) --* * **sessionPolicy** *(string) --* A session policy that applies to the trust boundary of the vended session credentials. * **updatedAt** *(datetime) --* The ISO-8601 timestamp when the profile was last updated. **Exceptions** * "IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException" * "IAMRolesAnywhere.Client.exceptions.AccessDeniedException" IAMRolesAnywhere / Client / list_tags_for_resource list_tags_for_resource ********************** IAMRolesAnywhere.Client.list_tags_for_resource(**kwargs) Lists the tags attached to the resource. **Required permissions:** "rolesanywhere:ListTagsForResource". See also: AWS API Documentation **Request Syntax** response = client.list_tags_for_resource( resourceArn='string' ) Parameters: **resourceArn** (*string*) -- **[REQUIRED]** The ARN of the resource. Return type: dict Returns: **Response Syntax** { 'tags': [ { 'key': 'string', 'value': 'string' }, ] } **Response Structure** * *(dict) --* * **tags** *(list) --* A list of tags attached to the resource. * *(dict) --* A label that consists of a key and value you define. * **key** *(string) --* The tag key. * **value** *(string) --* The tag value. **Exceptions** * "IAMRolesAnywhere.Client.exceptions.ValidationException" * "IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException" * "IAMRolesAnywhere.Client.exceptions.AccessDeniedException" IAMRolesAnywhere / Client / untag_resource untag_resource ************** IAMRolesAnywhere.Client.untag_resource(**kwargs) Removes tags from the resource. **Required permissions:** "rolesanywhere:UntagResource". See also: AWS API Documentation **Request Syntax** response = client.untag_resource( resourceArn='string', tagKeys=[ 'string', ] ) Parameters: * **resourceArn** (*string*) -- **[REQUIRED]** The ARN of the resource. * **tagKeys** (*list*) -- **[REQUIRED]** A list of keys. Tag keys are the unique identifiers of tags. * *(string) --* Return type: dict Returns: **Response Syntax** {} **Response Structure** * *(dict) --* **Exceptions** * "IAMRolesAnywhere.Client.exceptions.ValidationException" * "IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException" * "IAMRolesAnywhere.Client.exceptions.AccessDeniedException" IAMRolesAnywhere / Client / get_profile get_profile *********** IAMRolesAnywhere.Client.get_profile(**kwargs) Gets a profile. **Required permissions:** "rolesanywhere:GetProfile". See also: AWS API Documentation **Request Syntax** response = client.get_profile( profileId='string' ) Parameters: **profileId** (*string*) -- **[REQUIRED]** The unique identifier of the profile. Return type: dict Returns: **Response Syntax** { 'profile': { 'acceptRoleSessionName': True|False, 'attributeMappings': [ { 'certificateField': 'x509Subject'|'x509Issuer'|'x509SAN', 'mappingRules': [ { 'specifier': 'string' }, ] }, ], 'createdAt': datetime(2015, 1, 1), 'createdBy': 'string', 'durationSeconds': 123, 'enabled': True|False, 'managedPolicyArns': [ 'string', ], 'name': 'string', 'profileArn': 'string', 'profileId': 'string', 'requireInstanceProperties': True|False, 'roleArns': [ 'string', ], 'sessionPolicy': 'string', 'updatedAt': datetime(2015, 1, 1) } } **Response Structure** * *(dict) --* * **profile** *(dict) --* The state of the profile after a read or write operation. * **acceptRoleSessionName** *(boolean) --* Used to determine if a custom role session name will be accepted in a temporary credential request. * **attributeMappings** *(list) --* A mapping applied to the authenticating end-entity certificate. * *(dict) --* A mapping applied to the authenticating end-entity certificate. * **certificateField** *(string) --* Fields (x509Subject, x509Issuer and x509SAN) within X.509 certificates. * **mappingRules** *(list) --* A list of mapping entries for every supported specifier or sub-field. * *(dict) --* A single mapping entry for each supported specifier or sub-field. * **specifier** *(string) --* Specifier within a certificate field, such as CN, OU, or UID from the Subject field. * **createdAt** *(datetime) --* The ISO-8601 timestamp when the profile was created. * **createdBy** *(string) --* The Amazon Web Services account that created the profile. * **durationSeconds** *(integer) --* Used to determine how long sessions vended using this profile are valid for. See the "Expiration" section of the CreateSession API documentation page for more details. In requests, if this value is not provided, the default value will be 3600. * **enabled** *(boolean) --* Indicates whether the profile is enabled. * **managedPolicyArns** *(list) --* A list of managed policy ARNs that apply to the vended session credentials. * *(string) --* * **name** *(string) --* The name of the profile. * **profileArn** *(string) --* The ARN of the profile. * **profileId** *(string) --* The unique identifier of the profile. * **requireInstanceProperties** *(boolean) --* Specifies whether instance properties are required in temporary credential requests with this profile. * **roleArns** *(list) --* A list of IAM roles that this profile can assume in a temporary credential request. * *(string) --* * **sessionPolicy** *(string) --* A session policy that applies to the trust boundary of the vended session credentials. * **updatedAt** *(datetime) --* The ISO-8601 timestamp when the profile was last updated. **Exceptions** * "IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException" * "IAMRolesAnywhere.Client.exceptions.AccessDeniedException" IAMRolesAnywhere / Client / get_waiter get_waiter ********** IAMRolesAnywhere.Client.get_waiter(waiter_name) Returns an object that can wait for some condition. Parameters: **waiter_name** (*str*) -- The name of the waiter to get. See the waiters section of the service docs for a list of available waiters. Returns: The specified waiter object. Return type: "botocore.waiter.Waiter" IAMRolesAnywhere / Client / delete_attribute_mapping delete_attribute_mapping ************************ IAMRolesAnywhere.Client.delete_attribute_mapping(**kwargs) Delete an entry from the attribute mapping rules enforced by a given profile. See also: AWS API Documentation **Request Syntax** response = client.delete_attribute_mapping( certificateField='x509Subject'|'x509Issuer'|'x509SAN', profileId='string', specifiers=[ 'string', ] ) Parameters: * **certificateField** (*string*) -- **[REQUIRED]** Fields (x509Subject, x509Issuer and x509SAN) within X.509 certificates. * **profileId** (*string*) -- **[REQUIRED]** The unique identifier of the profile. * **specifiers** (*list*) -- A list of specifiers of a certificate field; for example, CN, OU, UID from a Subject. * *(string) --* Return type: dict Returns: **Response Syntax** { 'profile': { 'acceptRoleSessionName': True|False, 'attributeMappings': [ { 'certificateField': 'x509Subject'|'x509Issuer'|'x509SAN', 'mappingRules': [ { 'specifier': 'string' }, ] }, ], 'createdAt': datetime(2015, 1, 1), 'createdBy': 'string', 'durationSeconds': 123, 'enabled': True|False, 'managedPolicyArns': [ 'string', ], 'name': 'string', 'profileArn': 'string', 'profileId': 'string', 'requireInstanceProperties': True|False, 'roleArns': [ 'string', ], 'sessionPolicy': 'string', 'updatedAt': datetime(2015, 1, 1) } } **Response Structure** * *(dict) --* * **profile** *(dict) --* The state of the profile after a read or write operation. * **acceptRoleSessionName** *(boolean) --* Used to determine if a custom role session name will be accepted in a temporary credential request. * **attributeMappings** *(list) --* A mapping applied to the authenticating end-entity certificate. * *(dict) --* A mapping applied to the authenticating end-entity certificate. * **certificateField** *(string) --* Fields (x509Subject, x509Issuer and x509SAN) within X.509 certificates. * **mappingRules** *(list) --* A list of mapping entries for every supported specifier or sub-field. * *(dict) --* A single mapping entry for each supported specifier or sub-field. * **specifier** *(string) --* Specifier within a certificate field, such as CN, OU, or UID from the Subject field. * **createdAt** *(datetime) --* The ISO-8601 timestamp when the profile was created. * **createdBy** *(string) --* The Amazon Web Services account that created the profile. * **durationSeconds** *(integer) --* Used to determine how long sessions vended using this profile are valid for. See the "Expiration" section of the CreateSession API documentation page for more details. In requests, if this value is not provided, the default value will be 3600. * **enabled** *(boolean) --* Indicates whether the profile is enabled. * **managedPolicyArns** *(list) --* A list of managed policy ARNs that apply to the vended session credentials. * *(string) --* * **name** *(string) --* The name of the profile. * **profileArn** *(string) --* The ARN of the profile. * **profileId** *(string) --* The unique identifier of the profile. * **requireInstanceProperties** *(boolean) --* Specifies whether instance properties are required in temporary credential requests with this profile. * **roleArns** *(list) --* A list of IAM roles that this profile can assume in a temporary credential request. * *(string) --* * **sessionPolicy** *(string) --* A session policy that applies to the trust boundary of the vended session credentials. * **updatedAt** *(datetime) --* The ISO-8601 timestamp when the profile was last updated. **Exceptions** * "IAMRolesAnywhere.Client.exceptions.ValidationException" * "IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException" * "IAMRolesAnywhere.Client.exceptions.AccessDeniedException" IAMRolesAnywhere / Client / delete_trust_anchor delete_trust_anchor ******************* IAMRolesAnywhere.Client.delete_trust_anchor(**kwargs) Deletes a trust anchor. **Required permissions:** "rolesanywhere:DeleteTrustAnchor". See also: AWS API Documentation **Request Syntax** response = client.delete_trust_anchor( trustAnchorId='string' ) Parameters: **trustAnchorId** (*string*) -- **[REQUIRED]** The unique identifier of the trust anchor. Return type: dict Returns: **Response Syntax** { 'trustAnchor': { 'createdAt': datetime(2015, 1, 1), 'enabled': True|False, 'name': 'string', 'notificationSettings': [ { 'channel': 'ALL', 'configuredBy': 'string', 'enabled': True|False, 'event': 'CA_CERTIFICATE_EXPIRY'|'END_ENTITY_CERTIFICATE_EXPIRY', 'threshold': 123 }, ], 'source': { 'sourceData': { 'acmPcaArn': 'string', 'x509CertificateData': 'string' }, 'sourceType': 'AWS_ACM_PCA'|'CERTIFICATE_BUNDLE'|'SELF_SIGNED_REPOSITORY' }, 'trustAnchorArn': 'string', 'trustAnchorId': 'string', 'updatedAt': datetime(2015, 1, 1) } } **Response Structure** * *(dict) --* * **trustAnchor** *(dict) --* The state of the trust anchor after a read or write operation. * **createdAt** *(datetime) --* The ISO-8601 timestamp when the trust anchor was created. * **enabled** *(boolean) --* Indicates whether the trust anchor is enabled. * **name** *(string) --* The name of the trust anchor. * **notificationSettings** *(list) --* A list of notification settings to be associated to the trust anchor. * *(dict) --* The state of a notification setting. A notification setting includes information such as event name, threshold, status of the notification setting, and the channel to notify. * **channel** *(string) --* The specified channel of notification. IAM Roles Anywhere uses CloudWatch metrics, EventBridge, and Health Dashboard to notify for an event. Note: In the absence of a specific channel, IAM Roles Anywhere applies this setting to 'ALL' channels. * **configuredBy** *(string) --* The principal that configured the notification setting. For default settings configured by IAM Roles Anywhere, the value is "rolesanywhere.amazonaws.com", and for customized notifications settings, it is the respective account ID. * **enabled** *(boolean) --* Indicates whether the notification setting is enabled. * **event** *(string) --* The event to which this notification setting is applied. * **threshold** *(integer) --* The number of days before a notification event. * **source** *(dict) --* The trust anchor type and its related certificate data. * **sourceData** *(dict) --* The data field of the trust anchor depending on its type. Note: This is a Tagged Union structure. Only one of the following top level keys will be set: "acmPcaArn", "x509CertificateData". If a client receives an unknown member it will set "SDK_UNKNOWN_MEMBER" as the top level key, which maps to the name or tag of the unknown member. The structure of "SDK_UNKNOWN_MEMBER" is as follows: 'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'} * **acmPcaArn** *(string) --* The root certificate of the Private Certificate Authority specified by this ARN is used in trust validation for temporary credential requests. Included for trust anchors of type "AWS_ACM_PCA". * **x509CertificateData** *(string) --* The PEM-encoded data for the certificate anchor. Included for trust anchors of type "CERTIFICATE_BUNDLE". * **sourceType** *(string) --* The type of the trust anchor. * **trustAnchorArn** *(string) --* The ARN of the trust anchor. * **trustAnchorId** *(string) --* The unique identifier of the trust anchor. * **updatedAt** *(datetime) --* The ISO-8601 timestamp when the trust anchor was last updated. **Exceptions** * "IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException" * "IAMRolesAnywhere.Client.exceptions.AccessDeniedException" IAMRolesAnywhere / Client / put_notification_settings put_notification_settings ************************* IAMRolesAnywhere.Client.put_notification_settings(**kwargs) Attaches a list of *notification settings* to a trust anchor. A notification setting includes information such as event name, threshold, status of the notification setting, and the channel to notify. **Required permissions:** "rolesanywhere:PutNotificationSettings". See also: AWS API Documentation **Request Syntax** response = client.put_notification_settings( notificationSettings=[ { 'channel': 'ALL', 'enabled': True|False, 'event': 'CA_CERTIFICATE_EXPIRY'|'END_ENTITY_CERTIFICATE_EXPIRY', 'threshold': 123 }, ], trustAnchorId='string' ) Parameters: * **notificationSettings** (*list*) -- **[REQUIRED]** A list of notification settings to be associated to the trust anchor. * *(dict) --* Customizable notification settings that will be applied to notification events. IAM Roles Anywhere consumes these settings while notifying across multiple channels - CloudWatch metrics, EventBridge, and Health Dashboard. * **channel** *(string) --* The specified channel of notification. IAM Roles Anywhere uses CloudWatch metrics, EventBridge, and Health Dashboard to notify for an event. Note: In the absence of a specific channel, IAM Roles Anywhere applies this setting to 'ALL' channels. * **enabled** *(boolean) --* **[REQUIRED]** Indicates whether the notification setting is enabled. * **event** *(string) --* **[REQUIRED]** The event to which this notification setting is applied. * **threshold** *(integer) --* The number of days before a notification event. This value is required for a notification setting that is enabled. * **trustAnchorId** (*string*) -- **[REQUIRED]** The unique identifier of the trust anchor. Return type: dict Returns: **Response Syntax** { 'trustAnchor': { 'createdAt': datetime(2015, 1, 1), 'enabled': True|False, 'name': 'string', 'notificationSettings': [ { 'channel': 'ALL', 'configuredBy': 'string', 'enabled': True|False, 'event': 'CA_CERTIFICATE_EXPIRY'|'END_ENTITY_CERTIFICATE_EXPIRY', 'threshold': 123 }, ], 'source': { 'sourceData': { 'acmPcaArn': 'string', 'x509CertificateData': 'string' }, 'sourceType': 'AWS_ACM_PCA'|'CERTIFICATE_BUNDLE'|'SELF_SIGNED_REPOSITORY' }, 'trustAnchorArn': 'string', 'trustAnchorId': 'string', 'updatedAt': datetime(2015, 1, 1) } } **Response Structure** * *(dict) --* * **trustAnchor** *(dict) --* The state of the trust anchor after a read or write operation. * **createdAt** *(datetime) --* The ISO-8601 timestamp when the trust anchor was created. * **enabled** *(boolean) --* Indicates whether the trust anchor is enabled. * **name** *(string) --* The name of the trust anchor. * **notificationSettings** *(list) --* A list of notification settings to be associated to the trust anchor. * *(dict) --* The state of a notification setting. A notification setting includes information such as event name, threshold, status of the notification setting, and the channel to notify. * **channel** *(string) --* The specified channel of notification. IAM Roles Anywhere uses CloudWatch metrics, EventBridge, and Health Dashboard to notify for an event. Note: In the absence of a specific channel, IAM Roles Anywhere applies this setting to 'ALL' channels. * **configuredBy** *(string) --* The principal that configured the notification setting. For default settings configured by IAM Roles Anywhere, the value is "rolesanywhere.amazonaws.com", and for customized notifications settings, it is the respective account ID. * **enabled** *(boolean) --* Indicates whether the notification setting is enabled. * **event** *(string) --* The event to which this notification setting is applied. * **threshold** *(integer) --* The number of days before a notification event. * **source** *(dict) --* The trust anchor type and its related certificate data. * **sourceData** *(dict) --* The data field of the trust anchor depending on its type. Note: This is a Tagged Union structure. Only one of the following top level keys will be set: "acmPcaArn", "x509CertificateData". If a client receives an unknown member it will set "SDK_UNKNOWN_MEMBER" as the top level key, which maps to the name or tag of the unknown member. The structure of "SDK_UNKNOWN_MEMBER" is as follows: 'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'} * **acmPcaArn** *(string) --* The root certificate of the Private Certificate Authority specified by this ARN is used in trust validation for temporary credential requests. Included for trust anchors of type "AWS_ACM_PCA". * **x509CertificateData** *(string) --* The PEM-encoded data for the certificate anchor. Included for trust anchors of type "CERTIFICATE_BUNDLE". * **sourceType** *(string) --* The type of the trust anchor. * **trustAnchorArn** *(string) --* The ARN of the trust anchor. * **trustAnchorId** *(string) --* The unique identifier of the trust anchor. * **updatedAt** *(datetime) --* The ISO-8601 timestamp when the trust anchor was last updated. **Exceptions** * "IAMRolesAnywhere.Client.exceptions.ValidationException" * "IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException" * "IAMRolesAnywhere.Client.exceptions.AccessDeniedException" IAMRolesAnywhere / Client / list_profiles list_profiles ************* IAMRolesAnywhere.Client.list_profiles(**kwargs) Lists all profiles in the authenticated account and Amazon Web Services Region. **Required permissions:** "rolesanywhere:ListProfiles". See also: AWS API Documentation **Request Syntax** response = client.list_profiles( nextToken='string', pageSize=123 ) Parameters: * **nextToken** (*string*) -- A token that indicates where the output should continue from, if a previous request did not show all results. To get the next results, make the request again with this value. * **pageSize** (*integer*) -- The number of resources in the paginated list. Return type: dict Returns: **Response Syntax** { 'nextToken': 'string', 'profiles': [ { 'acceptRoleSessionName': True|False, 'attributeMappings': [ { 'certificateField': 'x509Subject'|'x509Issuer'|'x509SAN', 'mappingRules': [ { 'specifier': 'string' }, ] }, ], 'createdAt': datetime(2015, 1, 1), 'createdBy': 'string', 'durationSeconds': 123, 'enabled': True|False, 'managedPolicyArns': [ 'string', ], 'name': 'string', 'profileArn': 'string', 'profileId': 'string', 'requireInstanceProperties': True|False, 'roleArns': [ 'string', ], 'sessionPolicy': 'string', 'updatedAt': datetime(2015, 1, 1) }, ] } **Response Structure** * *(dict) --* * **nextToken** *(string) --* A token that indicates where the output should continue from, if a previous request did not show all results. To get the next results, make the request again with this value. * **profiles** *(list) --* A list of profiles. * *(dict) --* The state of the profile after a read or write operation. * **acceptRoleSessionName** *(boolean) --* Used to determine if a custom role session name will be accepted in a temporary credential request. * **attributeMappings** *(list) --* A mapping applied to the authenticating end-entity certificate. * *(dict) --* A mapping applied to the authenticating end-entity certificate. * **certificateField** *(string) --* Fields (x509Subject, x509Issuer and x509SAN) within X.509 certificates. * **mappingRules** *(list) --* A list of mapping entries for every supported specifier or sub-field. * *(dict) --* A single mapping entry for each supported specifier or sub-field. * **specifier** *(string) --* Specifier within a certificate field, such as CN, OU, or UID from the Subject field. * **createdAt** *(datetime) --* The ISO-8601 timestamp when the profile was created. * **createdBy** *(string) --* The Amazon Web Services account that created the profile. * **durationSeconds** *(integer) --* Used to determine how long sessions vended using this profile are valid for. See the "Expiration" section of the CreateSession API documentation page for more details. In requests, if this value is not provided, the default value will be 3600. * **enabled** *(boolean) --* Indicates whether the profile is enabled. * **managedPolicyArns** *(list) --* A list of managed policy ARNs that apply to the vended session credentials. * *(string) --* * **name** *(string) --* The name of the profile. * **profileArn** *(string) --* The ARN of the profile. * **profileId** *(string) --* The unique identifier of the profile. * **requireInstanceProperties** *(boolean) --* Specifies whether instance properties are required in temporary credential requests with this profile. * **roleArns** *(list) --* A list of IAM roles that this profile can assume in a temporary credential request. * *(string) --* * **sessionPolicy** *(string) --* A session policy that applies to the trust boundary of the vended session credentials. * **updatedAt** *(datetime) --* The ISO-8601 timestamp when the profile was last updated. **Exceptions** * "IAMRolesAnywhere.Client.exceptions.ValidationException" * "IAMRolesAnywhere.Client.exceptions.AccessDeniedException" IAMRolesAnywhere / Client / list_trust_anchors list_trust_anchors ****************** IAMRolesAnywhere.Client.list_trust_anchors(**kwargs) Lists the trust anchors in the authenticated account and Amazon Web Services Region. **Required permissions:** "rolesanywhere:ListTrustAnchors". See also: AWS API Documentation **Request Syntax** response = client.list_trust_anchors( nextToken='string', pageSize=123 ) Parameters: * **nextToken** (*string*) -- A token that indicates where the output should continue from, if a previous request did not show all results. To get the next results, make the request again with this value. * **pageSize** (*integer*) -- The number of resources in the paginated list. Return type: dict Returns: **Response Syntax** { 'nextToken': 'string', 'trustAnchors': [ { 'createdAt': datetime(2015, 1, 1), 'enabled': True|False, 'name': 'string', 'notificationSettings': [ { 'channel': 'ALL', 'configuredBy': 'string', 'enabled': True|False, 'event': 'CA_CERTIFICATE_EXPIRY'|'END_ENTITY_CERTIFICATE_EXPIRY', 'threshold': 123 }, ], 'source': { 'sourceData': { 'acmPcaArn': 'string', 'x509CertificateData': 'string' }, 'sourceType': 'AWS_ACM_PCA'|'CERTIFICATE_BUNDLE'|'SELF_SIGNED_REPOSITORY' }, 'trustAnchorArn': 'string', 'trustAnchorId': 'string', 'updatedAt': datetime(2015, 1, 1) }, ] } **Response Structure** * *(dict) --* * **nextToken** *(string) --* A token that indicates where the output should continue from, if a previous request did not show all results. To get the next results, make the request again with this value. * **trustAnchors** *(list) --* A list of trust anchors. * *(dict) --* The state of the trust anchor after a read or write operation. * **createdAt** *(datetime) --* The ISO-8601 timestamp when the trust anchor was created. * **enabled** *(boolean) --* Indicates whether the trust anchor is enabled. * **name** *(string) --* The name of the trust anchor. * **notificationSettings** *(list) --* A list of notification settings to be associated to the trust anchor. * *(dict) --* The state of a notification setting. A notification setting includes information such as event name, threshold, status of the notification setting, and the channel to notify. * **channel** *(string) --* The specified channel of notification. IAM Roles Anywhere uses CloudWatch metrics, EventBridge, and Health Dashboard to notify for an event. Note: In the absence of a specific channel, IAM Roles Anywhere applies this setting to 'ALL' channels. * **configuredBy** *(string) --* The principal that configured the notification setting. For default settings configured by IAM Roles Anywhere, the value is "rolesanywhere.amazonaws.com", and for customized notifications settings, it is the respective account ID. * **enabled** *(boolean) --* Indicates whether the notification setting is enabled. * **event** *(string) --* The event to which this notification setting is applied. * **threshold** *(integer) --* The number of days before a notification event. * **source** *(dict) --* The trust anchor type and its related certificate data. * **sourceData** *(dict) --* The data field of the trust anchor depending on its type. Note: This is a Tagged Union structure. Only one of the following top level keys will be set: "acmPcaArn", "x509CertificateData". If a client receives an unknown member it will set "SDK_UNKNOWN_MEMBER" as the top level key, which maps to the name or tag of the unknown member. The structure of "SDK_UNKNOWN_MEMBER" is as follows: 'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'} * **acmPcaArn** *(string) --* The root certificate of the Private Certificate Authority specified by this ARN is used in trust validation for temporary credential requests. Included for trust anchors of type "AWS_ACM_PCA". * **x509CertificateData** *(string) --* The PEM-encoded data for the certificate anchor. Included for trust anchors of type "CERTIFICATE_BUNDLE". * **sourceType** *(string) --* The type of the trust anchor. * **trustAnchorArn** *(string) --* The ARN of the trust anchor. * **trustAnchorId** *(string) --* The unique identifier of the trust anchor. * **updatedAt** *(datetime) --* The ISO-8601 timestamp when the trust anchor was last updated. **Exceptions** * "IAMRolesAnywhere.Client.exceptions.ValidationException" * "IAMRolesAnywhere.Client.exceptions.AccessDeniedException" IAMRolesAnywhere / Client / list_subjects list_subjects ************* IAMRolesAnywhere.Client.list_subjects(**kwargs) Lists the subjects in the authenticated account and Amazon Web Services Region. **Required permissions:** "rolesanywhere:ListSubjects". See also: AWS API Documentation **Request Syntax** response = client.list_subjects( nextToken='string', pageSize=123 ) Parameters: * **nextToken** (*string*) -- A token that indicates where the output should continue from, if a previous request did not show all results. To get the next results, make the request again with this value. * **pageSize** (*integer*) -- The number of resources in the paginated list. Return type: dict Returns: **Response Syntax** { 'nextToken': 'string', 'subjects': [ { 'createdAt': datetime(2015, 1, 1), 'enabled': True|False, 'lastSeenAt': datetime(2015, 1, 1), 'subjectArn': 'string', 'subjectId': 'string', 'updatedAt': datetime(2015, 1, 1), 'x509Subject': 'string' }, ] } **Response Structure** * *(dict) --* * **nextToken** *(string) --* A token that indicates where the output should continue from, if a previous request did not show all results. To get the next results, make the request again with this value. * **subjects** *(list) --* A list of subjects. * *(dict) --* A summary representation of subjects. * **createdAt** *(datetime) --* The ISO-8601 time stamp of when the certificate was first used in a temporary credential request. * **enabled** *(boolean) --* The enabled status of the subject. * **lastSeenAt** *(datetime) --* The ISO-8601 time stamp of when the certificate was last used in a temporary credential request. * **subjectArn** *(string) --* The ARN of the resource. * **subjectId** *(string) --* The id of the resource. * **updatedAt** *(datetime) --* The ISO-8601 timestamp when the subject was last updated. * **x509Subject** *(string) --* The x509 principal identifier of the authenticating certificate. **Exceptions** * "IAMRolesAnywhere.Client.exceptions.ValidationException" * "IAMRolesAnywhere.Client.exceptions.AccessDeniedException" IAMRolesAnywhere / Client / create_profile create_profile ************** IAMRolesAnywhere.Client.create_profile(**kwargs) Creates a *profile*, a list of the roles that Roles Anywhere service is trusted to assume. You use profiles to intersect permissions with IAM managed policies. **Required permissions:** "rolesanywhere:CreateProfile". See also: AWS API Documentation **Request Syntax** response = client.create_profile( acceptRoleSessionName=True|False, durationSeconds=123, enabled=True|False, managedPolicyArns=[ 'string', ], name='string', requireInstanceProperties=True|False, roleArns=[ 'string', ], sessionPolicy='string', tags=[ { 'key': 'string', 'value': 'string' }, ] ) Parameters: * **acceptRoleSessionName** (*boolean*) -- Used to determine if a custom role session name will be accepted in a temporary credential request. * **durationSeconds** (*integer*) -- Used to determine how long sessions vended using this profile are valid for. See the "Expiration" section of the CreateSession API documentation page for more details. In requests, if this value is not provided, the default value will be 3600. * **enabled** (*boolean*) -- Specifies whether the profile is enabled. * **managedPolicyArns** (*list*) -- A list of managed policy ARNs that apply to the vended session credentials. * *(string) --* * **name** (*string*) -- **[REQUIRED]** The name of the profile. * **requireInstanceProperties** (*boolean*) -- Specifies whether instance properties are required in temporary credential requests with this profile. * **roleArns** (*list*) -- **[REQUIRED]** A list of IAM roles that this profile can assume in a temporary credential request. * *(string) --* * **sessionPolicy** (*string*) -- A session policy that applies to the trust boundary of the vended session credentials. * **tags** (*list*) -- The tags to attach to the profile. * *(dict) --* A label that consists of a key and value you define. * **key** *(string) --* **[REQUIRED]** The tag key. * **value** *(string) --* **[REQUIRED]** The tag value. Return type: dict Returns: **Response Syntax** { 'profile': { 'acceptRoleSessionName': True|False, 'attributeMappings': [ { 'certificateField': 'x509Subject'|'x509Issuer'|'x509SAN', 'mappingRules': [ { 'specifier': 'string' }, ] }, ], 'createdAt': datetime(2015, 1, 1), 'createdBy': 'string', 'durationSeconds': 123, 'enabled': True|False, 'managedPolicyArns': [ 'string', ], 'name': 'string', 'profileArn': 'string', 'profileId': 'string', 'requireInstanceProperties': True|False, 'roleArns': [ 'string', ], 'sessionPolicy': 'string', 'updatedAt': datetime(2015, 1, 1) } } **Response Structure** * *(dict) --* * **profile** *(dict) --* The state of the profile after a read or write operation. * **acceptRoleSessionName** *(boolean) --* Used to determine if a custom role session name will be accepted in a temporary credential request. * **attributeMappings** *(list) --* A mapping applied to the authenticating end-entity certificate. * *(dict) --* A mapping applied to the authenticating end-entity certificate. * **certificateField** *(string) --* Fields (x509Subject, x509Issuer and x509SAN) within X.509 certificates. * **mappingRules** *(list) --* A list of mapping entries for every supported specifier or sub-field. * *(dict) --* A single mapping entry for each supported specifier or sub-field. * **specifier** *(string) --* Specifier within a certificate field, such as CN, OU, or UID from the Subject field. * **createdAt** *(datetime) --* The ISO-8601 timestamp when the profile was created. * **createdBy** *(string) --* The Amazon Web Services account that created the profile. * **durationSeconds** *(integer) --* Used to determine how long sessions vended using this profile are valid for. See the "Expiration" section of the CreateSession API documentation page for more details. In requests, if this value is not provided, the default value will be 3600. * **enabled** *(boolean) --* Indicates whether the profile is enabled. * **managedPolicyArns** *(list) --* A list of managed policy ARNs that apply to the vended session credentials. * *(string) --* * **name** *(string) --* The name of the profile. * **profileArn** *(string) --* The ARN of the profile. * **profileId** *(string) --* The unique identifier of the profile. * **requireInstanceProperties** *(boolean) --* Specifies whether instance properties are required in temporary credential requests with this profile. * **roleArns** *(list) --* A list of IAM roles that this profile can assume in a temporary credential request. * *(string) --* * **sessionPolicy** *(string) --* A session policy that applies to the trust boundary of the vended session credentials. * **updatedAt** *(datetime) --* The ISO-8601 timestamp when the profile was last updated. **Exceptions** * "IAMRolesAnywhere.Client.exceptions.ValidationException" * "IAMRolesAnywhere.Client.exceptions.AccessDeniedException" IAMRolesAnywhere / Client / close close ***** IAMRolesAnywhere.Client.close() Closes underlying endpoint connections. IAMRolesAnywhere / Client / create_trust_anchor create_trust_anchor ******************* IAMRolesAnywhere.Client.create_trust_anchor(**kwargs) Creates a trust anchor to establish trust between IAM Roles Anywhere and your certificate authority (CA). You can define a trust anchor as a reference to an Private Certificate Authority (Private CA) or by uploading a CA certificate. Your Amazon Web Services workloads can authenticate with the trust anchor using certificates issued by the CA in exchange for temporary Amazon Web Services credentials. **Required permissions:** "rolesanywhere:CreateTrustAnchor". See also: AWS API Documentation **Request Syntax** response = client.create_trust_anchor( enabled=True|False, name='string', notificationSettings=[ { 'channel': 'ALL', 'enabled': True|False, 'event': 'CA_CERTIFICATE_EXPIRY'|'END_ENTITY_CERTIFICATE_EXPIRY', 'threshold': 123 }, ], source={ 'sourceData': { 'acmPcaArn': 'string', 'x509CertificateData': 'string' }, 'sourceType': 'AWS_ACM_PCA'|'CERTIFICATE_BUNDLE'|'SELF_SIGNED_REPOSITORY' }, tags=[ { 'key': 'string', 'value': 'string' }, ] ) Parameters: * **enabled** (*boolean*) -- Specifies whether the trust anchor is enabled. * **name** (*string*) -- **[REQUIRED]** The name of the trust anchor. * **notificationSettings** (*list*) -- A list of notification settings to be associated to the trust anchor. * *(dict) --* Customizable notification settings that will be applied to notification events. IAM Roles Anywhere consumes these settings while notifying across multiple channels - CloudWatch metrics, EventBridge, and Health Dashboard. * **channel** *(string) --* The specified channel of notification. IAM Roles Anywhere uses CloudWatch metrics, EventBridge, and Health Dashboard to notify for an event. Note: In the absence of a specific channel, IAM Roles Anywhere applies this setting to 'ALL' channels. * **enabled** *(boolean) --* **[REQUIRED]** Indicates whether the notification setting is enabled. * **event** *(string) --* **[REQUIRED]** The event to which this notification setting is applied. * **threshold** *(integer) --* The number of days before a notification event. This value is required for a notification setting that is enabled. * **source** (*dict*) -- **[REQUIRED]** The trust anchor type and its related certificate data. * **sourceData** *(dict) --* The data field of the trust anchor depending on its type. Note: This is a Tagged Union structure. Only one of the following top level keys can be set: "acmPcaArn", "x509CertificateData". * **acmPcaArn** *(string) --* The root certificate of the Private Certificate Authority specified by this ARN is used in trust validation for temporary credential requests. Included for trust anchors of type "AWS_ACM_PCA". * **x509CertificateData** *(string) --* The PEM-encoded data for the certificate anchor. Included for trust anchors of type "CERTIFICATE_BUNDLE". * **sourceType** *(string) --* The type of the trust anchor. * **tags** (*list*) -- The tags to attach to the trust anchor. * *(dict) --* A label that consists of a key and value you define. * **key** *(string) --* **[REQUIRED]** The tag key. * **value** *(string) --* **[REQUIRED]** The tag value. Return type: dict Returns: **Response Syntax** { 'trustAnchor': { 'createdAt': datetime(2015, 1, 1), 'enabled': True|False, 'name': 'string', 'notificationSettings': [ { 'channel': 'ALL', 'configuredBy': 'string', 'enabled': True|False, 'event': 'CA_CERTIFICATE_EXPIRY'|'END_ENTITY_CERTIFICATE_EXPIRY', 'threshold': 123 }, ], 'source': { 'sourceData': { 'acmPcaArn': 'string', 'x509CertificateData': 'string' }, 'sourceType': 'AWS_ACM_PCA'|'CERTIFICATE_BUNDLE'|'SELF_SIGNED_REPOSITORY' }, 'trustAnchorArn': 'string', 'trustAnchorId': 'string', 'updatedAt': datetime(2015, 1, 1) } } **Response Structure** * *(dict) --* * **trustAnchor** *(dict) --* The state of the trust anchor after a read or write operation. * **createdAt** *(datetime) --* The ISO-8601 timestamp when the trust anchor was created. * **enabled** *(boolean) --* Indicates whether the trust anchor is enabled. * **name** *(string) --* The name of the trust anchor. * **notificationSettings** *(list) --* A list of notification settings to be associated to the trust anchor. * *(dict) --* The state of a notification setting. A notification setting includes information such as event name, threshold, status of the notification setting, and the channel to notify. * **channel** *(string) --* The specified channel of notification. IAM Roles Anywhere uses CloudWatch metrics, EventBridge, and Health Dashboard to notify for an event. Note: In the absence of a specific channel, IAM Roles Anywhere applies this setting to 'ALL' channels. * **configuredBy** *(string) --* The principal that configured the notification setting. For default settings configured by IAM Roles Anywhere, the value is "rolesanywhere.amazonaws.com", and for customized notifications settings, it is the respective account ID. * **enabled** *(boolean) --* Indicates whether the notification setting is enabled. * **event** *(string) --* The event to which this notification setting is applied. * **threshold** *(integer) --* The number of days before a notification event. * **source** *(dict) --* The trust anchor type and its related certificate data. * **sourceData** *(dict) --* The data field of the trust anchor depending on its type. Note: This is a Tagged Union structure. Only one of the following top level keys will be set: "acmPcaArn", "x509CertificateData". If a client receives an unknown member it will set "SDK_UNKNOWN_MEMBER" as the top level key, which maps to the name or tag of the unknown member. The structure of "SDK_UNKNOWN_MEMBER" is as follows: 'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'} * **acmPcaArn** *(string) --* The root certificate of the Private Certificate Authority specified by this ARN is used in trust validation for temporary credential requests. Included for trust anchors of type "AWS_ACM_PCA". * **x509CertificateData** *(string) --* The PEM-encoded data for the certificate anchor. Included for trust anchors of type "CERTIFICATE_BUNDLE". * **sourceType** *(string) --* The type of the trust anchor. * **trustAnchorArn** *(string) --* The ARN of the trust anchor. * **trustAnchorId** *(string) --* The unique identifier of the trust anchor. * **updatedAt** *(datetime) --* The ISO-8601 timestamp when the trust anchor was last updated. **Exceptions** * "IAMRolesAnywhere.Client.exceptions.ValidationException" * "IAMRolesAnywhere.Client.exceptions.AccessDeniedException" IAMRolesAnywhere / Client / update_crl update_crl ********** IAMRolesAnywhere.Client.update_crl(**kwargs) Updates the certificate revocation list (CRL). A CRL is a list of certificates that have been revoked by the issuing certificate authority (CA). IAM Roles Anywhere validates against the CRL before issuing credentials. **Required permissions:** "rolesanywhere:UpdateCrl". See also: AWS API Documentation **Request Syntax** response = client.update_crl( crlData=b'bytes', crlId='string', name='string' ) Parameters: * **crlData** (*bytes*) -- The x509 v3 specified certificate revocation list (CRL). * **crlId** (*string*) -- **[REQUIRED]** The unique identifier of the certificate revocation list (CRL). * **name** (*string*) -- The name of the Crl. Return type: dict Returns: **Response Syntax** { 'crl': { 'createdAt': datetime(2015, 1, 1), 'crlArn': 'string', 'crlData': b'bytes', 'crlId': 'string', 'enabled': True|False, 'name': 'string', 'trustAnchorArn': 'string', 'updatedAt': datetime(2015, 1, 1) } } **Response Structure** * *(dict) --* * **crl** *(dict) --* The state of the certificate revocation list (CRL) after a read or write operation. * **createdAt** *(datetime) --* The ISO-8601 timestamp when the certificate revocation list (CRL) was created. * **crlArn** *(string) --* The ARN of the certificate revocation list (CRL). * **crlData** *(bytes) --* The state of the certificate revocation list (CRL) after a read or write operation. * **crlId** *(string) --* The unique identifier of the certificate revocation list (CRL). * **enabled** *(boolean) --* Indicates whether the certificate revocation list (CRL) is enabled. * **name** *(string) --* The name of the certificate revocation list (CRL). * **trustAnchorArn** *(string) --* The ARN of the TrustAnchor the certificate revocation list (CRL) will provide revocation for. * **updatedAt** *(datetime) --* The ISO-8601 timestamp when the certificate revocation list (CRL) was last updated. **Exceptions** * "IAMRolesAnywhere.Client.exceptions.ValidationException" * "IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException" * "IAMRolesAnywhere.Client.exceptions.AccessDeniedException" IAMRolesAnywhere / Client / import_crl import_crl ********** IAMRolesAnywhere.Client.import_crl(**kwargs) Imports the certificate revocation list (CRL). A CRL is a list of certificates that have been revoked by the issuing certificate Authority (CA).In order to be properly imported, a CRL must be in PEM format. IAM Roles Anywhere validates against the CRL before issuing credentials. **Required permissions:** "rolesanywhere:ImportCrl". See also: AWS API Documentation **Request Syntax** response = client.import_crl( crlData=b'bytes', enabled=True|False, name='string', tags=[ { 'key': 'string', 'value': 'string' }, ], trustAnchorArn='string' ) Parameters: * **crlData** (*bytes*) -- **[REQUIRED]** The x509 v3 specified certificate revocation list (CRL). * **enabled** (*boolean*) -- Specifies whether the certificate revocation list (CRL) is enabled. * **name** (*string*) -- **[REQUIRED]** The name of the certificate revocation list (CRL). * **tags** (*list*) -- A list of tags to attach to the certificate revocation list (CRL). * *(dict) --* A label that consists of a key and value you define. * **key** *(string) --* **[REQUIRED]** The tag key. * **value** *(string) --* **[REQUIRED]** The tag value. * **trustAnchorArn** (*string*) -- **[REQUIRED]** The ARN of the TrustAnchor the certificate revocation list (CRL) will provide revocation for. Return type: dict Returns: **Response Syntax** { 'crl': { 'createdAt': datetime(2015, 1, 1), 'crlArn': 'string', 'crlData': b'bytes', 'crlId': 'string', 'enabled': True|False, 'name': 'string', 'trustAnchorArn': 'string', 'updatedAt': datetime(2015, 1, 1) } } **Response Structure** * *(dict) --* * **crl** *(dict) --* The state of the certificate revocation list (CRL) after a read or write operation. * **createdAt** *(datetime) --* The ISO-8601 timestamp when the certificate revocation list (CRL) was created. * **crlArn** *(string) --* The ARN of the certificate revocation list (CRL). * **crlData** *(bytes) --* The state of the certificate revocation list (CRL) after a read or write operation. * **crlId** *(string) --* The unique identifier of the certificate revocation list (CRL). * **enabled** *(boolean) --* Indicates whether the certificate revocation list (CRL) is enabled. * **name** *(string) --* The name of the certificate revocation list (CRL). * **trustAnchorArn** *(string) --* The ARN of the TrustAnchor the certificate revocation list (CRL) will provide revocation for. * **updatedAt** *(datetime) --* The ISO-8601 timestamp when the certificate revocation list (CRL) was last updated. **Exceptions** * "IAMRolesAnywhere.Client.exceptions.ValidationException" * "IAMRolesAnywhere.Client.exceptions.AccessDeniedException" IAMRolesAnywhere / Client / get_trust_anchor get_trust_anchor **************** IAMRolesAnywhere.Client.get_trust_anchor(**kwargs) Gets a trust anchor. **Required permissions:** "rolesanywhere:GetTrustAnchor". See also: AWS API Documentation **Request Syntax** response = client.get_trust_anchor( trustAnchorId='string' ) Parameters: **trustAnchorId** (*string*) -- **[REQUIRED]** The unique identifier of the trust anchor. Return type: dict Returns: **Response Syntax** { 'trustAnchor': { 'createdAt': datetime(2015, 1, 1), 'enabled': True|False, 'name': 'string', 'notificationSettings': [ { 'channel': 'ALL', 'configuredBy': 'string', 'enabled': True|False, 'event': 'CA_CERTIFICATE_EXPIRY'|'END_ENTITY_CERTIFICATE_EXPIRY', 'threshold': 123 }, ], 'source': { 'sourceData': { 'acmPcaArn': 'string', 'x509CertificateData': 'string' }, 'sourceType': 'AWS_ACM_PCA'|'CERTIFICATE_BUNDLE'|'SELF_SIGNED_REPOSITORY' }, 'trustAnchorArn': 'string', 'trustAnchorId': 'string', 'updatedAt': datetime(2015, 1, 1) } } **Response Structure** * *(dict) --* * **trustAnchor** *(dict) --* The state of the trust anchor after a read or write operation. * **createdAt** *(datetime) --* The ISO-8601 timestamp when the trust anchor was created. * **enabled** *(boolean) --* Indicates whether the trust anchor is enabled. * **name** *(string) --* The name of the trust anchor. * **notificationSettings** *(list) --* A list of notification settings to be associated to the trust anchor. * *(dict) --* The state of a notification setting. A notification setting includes information such as event name, threshold, status of the notification setting, and the channel to notify. * **channel** *(string) --* The specified channel of notification. IAM Roles Anywhere uses CloudWatch metrics, EventBridge, and Health Dashboard to notify for an event. Note: In the absence of a specific channel, IAM Roles Anywhere applies this setting to 'ALL' channels. * **configuredBy** *(string) --* The principal that configured the notification setting. For default settings configured by IAM Roles Anywhere, the value is "rolesanywhere.amazonaws.com", and for customized notifications settings, it is the respective account ID. * **enabled** *(boolean) --* Indicates whether the notification setting is enabled. * **event** *(string) --* The event to which this notification setting is applied. * **threshold** *(integer) --* The number of days before a notification event. * **source** *(dict) --* The trust anchor type and its related certificate data. * **sourceData** *(dict) --* The data field of the trust anchor depending on its type. Note: This is a Tagged Union structure. Only one of the following top level keys will be set: "acmPcaArn", "x509CertificateData". If a client receives an unknown member it will set "SDK_UNKNOWN_MEMBER" as the top level key, which maps to the name or tag of the unknown member. The structure of "SDK_UNKNOWN_MEMBER" is as follows: 'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'} * **acmPcaArn** *(string) --* The root certificate of the Private Certificate Authority specified by this ARN is used in trust validation for temporary credential requests. Included for trust anchors of type "AWS_ACM_PCA". * **x509CertificateData** *(string) --* The PEM-encoded data for the certificate anchor. Included for trust anchors of type "CERTIFICATE_BUNDLE". * **sourceType** *(string) --* The type of the trust anchor. * **trustAnchorArn** *(string) --* The ARN of the trust anchor. * **trustAnchorId** *(string) --* The unique identifier of the trust anchor. * **updatedAt** *(datetime) --* The ISO-8601 timestamp when the trust anchor was last updated. **Exceptions** * "IAMRolesAnywhere.Client.exceptions.ValidationException" * "IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException" * "IAMRolesAnywhere.Client.exceptions.AccessDeniedException" IAMRolesAnywhere / Client / delete_profile delete_profile ************** IAMRolesAnywhere.Client.delete_profile(**kwargs) Deletes a profile. **Required permissions:** "rolesanywhere:DeleteProfile". See also: AWS API Documentation **Request Syntax** response = client.delete_profile( profileId='string' ) Parameters: **profileId** (*string*) -- **[REQUIRED]** The unique identifier of the profile. Return type: dict Returns: **Response Syntax** { 'profile': { 'acceptRoleSessionName': True|False, 'attributeMappings': [ { 'certificateField': 'x509Subject'|'x509Issuer'|'x509SAN', 'mappingRules': [ { 'specifier': 'string' }, ] }, ], 'createdAt': datetime(2015, 1, 1), 'createdBy': 'string', 'durationSeconds': 123, 'enabled': True|False, 'managedPolicyArns': [ 'string', ], 'name': 'string', 'profileArn': 'string', 'profileId': 'string', 'requireInstanceProperties': True|False, 'roleArns': [ 'string', ], 'sessionPolicy': 'string', 'updatedAt': datetime(2015, 1, 1) } } **Response Structure** * *(dict) --* * **profile** *(dict) --* The state of the profile after a read or write operation. * **acceptRoleSessionName** *(boolean) --* Used to determine if a custom role session name will be accepted in a temporary credential request. * **attributeMappings** *(list) --* A mapping applied to the authenticating end-entity certificate. * *(dict) --* A mapping applied to the authenticating end-entity certificate. * **certificateField** *(string) --* Fields (x509Subject, x509Issuer and x509SAN) within X.509 certificates. * **mappingRules** *(list) --* A list of mapping entries for every supported specifier or sub-field. * *(dict) --* A single mapping entry for each supported specifier or sub-field. * **specifier** *(string) --* Specifier within a certificate field, such as CN, OU, or UID from the Subject field. * **createdAt** *(datetime) --* The ISO-8601 timestamp when the profile was created. * **createdBy** *(string) --* The Amazon Web Services account that created the profile. * **durationSeconds** *(integer) --* Used to determine how long sessions vended using this profile are valid for. See the "Expiration" section of the CreateSession API documentation page for more details. In requests, if this value is not provided, the default value will be 3600. * **enabled** *(boolean) --* Indicates whether the profile is enabled. * **managedPolicyArns** *(list) --* A list of managed policy ARNs that apply to the vended session credentials. * *(string) --* * **name** *(string) --* The name of the profile. * **profileArn** *(string) --* The ARN of the profile. * **profileId** *(string) --* The unique identifier of the profile. * **requireInstanceProperties** *(boolean) --* Specifies whether instance properties are required in temporary credential requests with this profile. * **roleArns** *(list) --* A list of IAM roles that this profile can assume in a temporary credential request. * *(string) --* * **sessionPolicy** *(string) --* A session policy that applies to the trust boundary of the vended session credentials. * **updatedAt** *(datetime) --* The ISO-8601 timestamp when the profile was last updated. **Exceptions** * "IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException" * "IAMRolesAnywhere.Client.exceptions.AccessDeniedException" IAMRolesAnywhere / Client / update_profile update_profile ************** IAMRolesAnywhere.Client.update_profile(**kwargs) Updates a *profile*, a list of the roles that IAM Roles Anywhere service is trusted to assume. You use profiles to intersect permissions with IAM managed policies. **Required permissions:** "rolesanywhere:UpdateProfile". See also: AWS API Documentation **Request Syntax** response = client.update_profile( acceptRoleSessionName=True|False, durationSeconds=123, managedPolicyArns=[ 'string', ], name='string', profileId='string', roleArns=[ 'string', ], sessionPolicy='string' ) Parameters: * **acceptRoleSessionName** (*boolean*) -- Used to determine if a custom role session name will be accepted in a temporary credential request. * **durationSeconds** (*integer*) -- Used to determine how long sessions vended using this profile are valid for. See the "Expiration" section of the CreateSession API documentation page for more details. In requests, if this value is not provided, the default value will be 3600. * **managedPolicyArns** (*list*) -- A list of managed policy ARNs that apply to the vended session credentials. * *(string) --* * **name** (*string*) -- The name of the profile. * **profileId** (*string*) -- **[REQUIRED]** The unique identifier of the profile. * **roleArns** (*list*) -- A list of IAM roles that this profile can assume in a temporary credential request. * *(string) --* * **sessionPolicy** (*string*) -- A session policy that applies to the trust boundary of the vended session credentials. Return type: dict Returns: **Response Syntax** { 'profile': { 'acceptRoleSessionName': True|False, 'attributeMappings': [ { 'certificateField': 'x509Subject'|'x509Issuer'|'x509SAN', 'mappingRules': [ { 'specifier': 'string' }, ] }, ], 'createdAt': datetime(2015, 1, 1), 'createdBy': 'string', 'durationSeconds': 123, 'enabled': True|False, 'managedPolicyArns': [ 'string', ], 'name': 'string', 'profileArn': 'string', 'profileId': 'string', 'requireInstanceProperties': True|False, 'roleArns': [ 'string', ], 'sessionPolicy': 'string', 'updatedAt': datetime(2015, 1, 1) } } **Response Structure** * *(dict) --* * **profile** *(dict) --* The state of the profile after a read or write operation. * **acceptRoleSessionName** *(boolean) --* Used to determine if a custom role session name will be accepted in a temporary credential request. * **attributeMappings** *(list) --* A mapping applied to the authenticating end-entity certificate. * *(dict) --* A mapping applied to the authenticating end-entity certificate. * **certificateField** *(string) --* Fields (x509Subject, x509Issuer and x509SAN) within X.509 certificates. * **mappingRules** *(list) --* A list of mapping entries for every supported specifier or sub-field. * *(dict) --* A single mapping entry for each supported specifier or sub-field. * **specifier** *(string) --* Specifier within a certificate field, such as CN, OU, or UID from the Subject field. * **createdAt** *(datetime) --* The ISO-8601 timestamp when the profile was created. * **createdBy** *(string) --* The Amazon Web Services account that created the profile. * **durationSeconds** *(integer) --* Used to determine how long sessions vended using this profile are valid for. See the "Expiration" section of the CreateSession API documentation page for more details. In requests, if this value is not provided, the default value will be 3600. * **enabled** *(boolean) --* Indicates whether the profile is enabled. * **managedPolicyArns** *(list) --* A list of managed policy ARNs that apply to the vended session credentials. * *(string) --* * **name** *(string) --* The name of the profile. * **profileArn** *(string) --* The ARN of the profile. * **profileId** *(string) --* The unique identifier of the profile. * **requireInstanceProperties** *(boolean) --* Specifies whether instance properties are required in temporary credential requests with this profile. * **roleArns** *(list) --* A list of IAM roles that this profile can assume in a temporary credential request. * *(string) --* * **sessionPolicy** *(string) --* A session policy that applies to the trust boundary of the vended session credentials. * **updatedAt** *(datetime) --* The ISO-8601 timestamp when the profile was last updated. **Exceptions** * "IAMRolesAnywhere.Client.exceptions.ValidationException" * "IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException" * "IAMRolesAnywhere.Client.exceptions.AccessDeniedException" IAMRolesAnywhere / Client / tag_resource tag_resource ************ IAMRolesAnywhere.Client.tag_resource(**kwargs) Attaches tags to a resource. **Required permissions:** "rolesanywhere:TagResource". See also: AWS API Documentation **Request Syntax** response = client.tag_resource( resourceArn='string', tags=[ { 'key': 'string', 'value': 'string' }, ] ) Parameters: * **resourceArn** (*string*) -- **[REQUIRED]** The ARN of the resource. * **tags** (*list*) -- **[REQUIRED]** The tags to attach to the resource. * *(dict) --* A label that consists of a key and value you define. * **key** *(string) --* **[REQUIRED]** The tag key. * **value** *(string) --* **[REQUIRED]** The tag value. Return type: dict Returns: **Response Syntax** {} **Response Structure** * *(dict) --* **Exceptions** * "IAMRolesAnywhere.Client.exceptions.ValidationException" * "IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException" * "IAMRolesAnywhere.Client.exceptions.AccessDeniedException" * "IAMRolesAnywhere.Client.exceptions.TooManyTagsException" IAMRolesAnywhere / Client / get_crl get_crl ******* IAMRolesAnywhere.Client.get_crl(**kwargs) Gets a certificate revocation list (CRL). **Required permissions:** "rolesanywhere:GetCrl". See also: AWS API Documentation **Request Syntax** response = client.get_crl( crlId='string' ) Parameters: **crlId** (*string*) -- **[REQUIRED]** The unique identifier of the certificate revocation list (CRL). Return type: dict Returns: **Response Syntax** { 'crl': { 'createdAt': datetime(2015, 1, 1), 'crlArn': 'string', 'crlData': b'bytes', 'crlId': 'string', 'enabled': True|False, 'name': 'string', 'trustAnchorArn': 'string', 'updatedAt': datetime(2015, 1, 1) } } **Response Structure** * *(dict) --* * **crl** *(dict) --* The state of the certificate revocation list (CRL) after a read or write operation. * **createdAt** *(datetime) --* The ISO-8601 timestamp when the certificate revocation list (CRL) was created. * **crlArn** *(string) --* The ARN of the certificate revocation list (CRL). * **crlData** *(bytes) --* The state of the certificate revocation list (CRL) after a read or write operation. * **crlId** *(string) --* The unique identifier of the certificate revocation list (CRL). * **enabled** *(boolean) --* Indicates whether the certificate revocation list (CRL) is enabled. * **name** *(string) --* The name of the certificate revocation list (CRL). * **trustAnchorArn** *(string) --* The ARN of the TrustAnchor the certificate revocation list (CRL) will provide revocation for. * **updatedAt** *(datetime) --* The ISO-8601 timestamp when the certificate revocation list (CRL) was last updated. **Exceptions** * "IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException" IAMRolesAnywhere / Client / update_trust_anchor update_trust_anchor ******************* IAMRolesAnywhere.Client.update_trust_anchor(**kwargs) Updates a trust anchor. You establish trust between IAM Roles Anywhere and your certificate authority (CA) by configuring a trust anchor. You can define a trust anchor as a reference to an Private Certificate Authority (Private CA) or by uploading a CA certificate. Your Amazon Web Services workloads can authenticate with the trust anchor using certificates issued by the CA in exchange for temporary Amazon Web Services credentials. **Required permissions:** "rolesanywhere:UpdateTrustAnchor". See also: AWS API Documentation **Request Syntax** response = client.update_trust_anchor( name='string', source={ 'sourceData': { 'acmPcaArn': 'string', 'x509CertificateData': 'string' }, 'sourceType': 'AWS_ACM_PCA'|'CERTIFICATE_BUNDLE'|'SELF_SIGNED_REPOSITORY' }, trustAnchorId='string' ) Parameters: * **name** (*string*) -- The name of the trust anchor. * **source** (*dict*) -- The trust anchor type and its related certificate data. * **sourceData** *(dict) --* The data field of the trust anchor depending on its type. Note: This is a Tagged Union structure. Only one of the following top level keys can be set: "acmPcaArn", "x509CertificateData". * **acmPcaArn** *(string) --* The root certificate of the Private Certificate Authority specified by this ARN is used in trust validation for temporary credential requests. Included for trust anchors of type "AWS_ACM_PCA". * **x509CertificateData** *(string) --* The PEM-encoded data for the certificate anchor. Included for trust anchors of type "CERTIFICATE_BUNDLE". * **sourceType** *(string) --* The type of the trust anchor. * **trustAnchorId** (*string*) -- **[REQUIRED]** The unique identifier of the trust anchor. Return type: dict Returns: **Response Syntax** { 'trustAnchor': { 'createdAt': datetime(2015, 1, 1), 'enabled': True|False, 'name': 'string', 'notificationSettings': [ { 'channel': 'ALL', 'configuredBy': 'string', 'enabled': True|False, 'event': 'CA_CERTIFICATE_EXPIRY'|'END_ENTITY_CERTIFICATE_EXPIRY', 'threshold': 123 }, ], 'source': { 'sourceData': { 'acmPcaArn': 'string', 'x509CertificateData': 'string' }, 'sourceType': 'AWS_ACM_PCA'|'CERTIFICATE_BUNDLE'|'SELF_SIGNED_REPOSITORY' }, 'trustAnchorArn': 'string', 'trustAnchorId': 'string', 'updatedAt': datetime(2015, 1, 1) } } **Response Structure** * *(dict) --* * **trustAnchor** *(dict) --* The state of the trust anchor after a read or write operation. * **createdAt** *(datetime) --* The ISO-8601 timestamp when the trust anchor was created. * **enabled** *(boolean) --* Indicates whether the trust anchor is enabled. * **name** *(string) --* The name of the trust anchor. * **notificationSettings** *(list) --* A list of notification settings to be associated to the trust anchor. * *(dict) --* The state of a notification setting. A notification setting includes information such as event name, threshold, status of the notification setting, and the channel to notify. * **channel** *(string) --* The specified channel of notification. IAM Roles Anywhere uses CloudWatch metrics, EventBridge, and Health Dashboard to notify for an event. Note: In the absence of a specific channel, IAM Roles Anywhere applies this setting to 'ALL' channels. * **configuredBy** *(string) --* The principal that configured the notification setting. For default settings configured by IAM Roles Anywhere, the value is "rolesanywhere.amazonaws.com", and for customized notifications settings, it is the respective account ID. * **enabled** *(boolean) --* Indicates whether the notification setting is enabled. * **event** *(string) --* The event to which this notification setting is applied. * **threshold** *(integer) --* The number of days before a notification event. * **source** *(dict) --* The trust anchor type and its related certificate data. * **sourceData** *(dict) --* The data field of the trust anchor depending on its type. Note: This is a Tagged Union structure. Only one of the following top level keys will be set: "acmPcaArn", "x509CertificateData". If a client receives an unknown member it will set "SDK_UNKNOWN_MEMBER" as the top level key, which maps to the name or tag of the unknown member. The structure of "SDK_UNKNOWN_MEMBER" is as follows: 'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'} * **acmPcaArn** *(string) --* The root certificate of the Private Certificate Authority specified by this ARN is used in trust validation for temporary credential requests. Included for trust anchors of type "AWS_ACM_PCA". * **x509CertificateData** *(string) --* The PEM-encoded data for the certificate anchor. Included for trust anchors of type "CERTIFICATE_BUNDLE". * **sourceType** *(string) --* The type of the trust anchor. * **trustAnchorArn** *(string) --* The ARN of the trust anchor. * **trustAnchorId** *(string) --* The unique identifier of the trust anchor. * **updatedAt** *(datetime) --* The ISO-8601 timestamp when the trust anchor was last updated. **Exceptions** * "IAMRolesAnywhere.Client.exceptions.ValidationException" * "IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException" * "IAMRolesAnywhere.Client.exceptions.AccessDeniedException" IAMRolesAnywhere / Client / reset_notification_settings reset_notification_settings *************************** IAMRolesAnywhere.Client.reset_notification_settings(**kwargs) Resets the *custom notification setting* to IAM Roles Anywhere default setting. **Required permissions:** "rolesanywhere:ResetNotificationSettings". See also: AWS API Documentation **Request Syntax** response = client.reset_notification_settings( notificationSettingKeys=[ { 'channel': 'ALL', 'event': 'CA_CERTIFICATE_EXPIRY'|'END_ENTITY_CERTIFICATE_EXPIRY' }, ], trustAnchorId='string' ) Parameters: * **notificationSettingKeys** (*list*) -- **[REQUIRED]** A list of notification setting keys to reset. A notification setting key includes the event and the channel. * *(dict) --* A notification setting key to reset. A notification setting key includes the event and the channel. * **channel** *(string) --* The specified channel of notification. * **event** *(string) --* **[REQUIRED]** The notification setting event to reset. * **trustAnchorId** (*string*) -- **[REQUIRED]** The unique identifier of the trust anchor. Return type: dict Returns: **Response Syntax** { 'trustAnchor': { 'createdAt': datetime(2015, 1, 1), 'enabled': True|False, 'name': 'string', 'notificationSettings': [ { 'channel': 'ALL', 'configuredBy': 'string', 'enabled': True|False, 'event': 'CA_CERTIFICATE_EXPIRY'|'END_ENTITY_CERTIFICATE_EXPIRY', 'threshold': 123 }, ], 'source': { 'sourceData': { 'acmPcaArn': 'string', 'x509CertificateData': 'string' }, 'sourceType': 'AWS_ACM_PCA'|'CERTIFICATE_BUNDLE'|'SELF_SIGNED_REPOSITORY' }, 'trustAnchorArn': 'string', 'trustAnchorId': 'string', 'updatedAt': datetime(2015, 1, 1) } } **Response Structure** * *(dict) --* * **trustAnchor** *(dict) --* The state of the trust anchor after a read or write operation. * **createdAt** *(datetime) --* The ISO-8601 timestamp when the trust anchor was created. * **enabled** *(boolean) --* Indicates whether the trust anchor is enabled. * **name** *(string) --* The name of the trust anchor. * **notificationSettings** *(list) --* A list of notification settings to be associated to the trust anchor. * *(dict) --* The state of a notification setting. A notification setting includes information such as event name, threshold, status of the notification setting, and the channel to notify. * **channel** *(string) --* The specified channel of notification. IAM Roles Anywhere uses CloudWatch metrics, EventBridge, and Health Dashboard to notify for an event. Note: In the absence of a specific channel, IAM Roles Anywhere applies this setting to 'ALL' channels. * **configuredBy** *(string) --* The principal that configured the notification setting. For default settings configured by IAM Roles Anywhere, the value is "rolesanywhere.amazonaws.com", and for customized notifications settings, it is the respective account ID. * **enabled** *(boolean) --* Indicates whether the notification setting is enabled. * **event** *(string) --* The event to which this notification setting is applied. * **threshold** *(integer) --* The number of days before a notification event. * **source** *(dict) --* The trust anchor type and its related certificate data. * **sourceData** *(dict) --* The data field of the trust anchor depending on its type. Note: This is a Tagged Union structure. Only one of the following top level keys will be set: "acmPcaArn", "x509CertificateData". If a client receives an unknown member it will set "SDK_UNKNOWN_MEMBER" as the top level key, which maps to the name or tag of the unknown member. The structure of "SDK_UNKNOWN_MEMBER" is as follows: 'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'} * **acmPcaArn** *(string) --* The root certificate of the Private Certificate Authority specified by this ARN is used in trust validation for temporary credential requests. Included for trust anchors of type "AWS_ACM_PCA". * **x509CertificateData** *(string) --* The PEM-encoded data for the certificate anchor. Included for trust anchors of type "CERTIFICATE_BUNDLE". * **sourceType** *(string) --* The type of the trust anchor. * **trustAnchorArn** *(string) --* The ARN of the trust anchor. * **trustAnchorId** *(string) --* The unique identifier of the trust anchor. * **updatedAt** *(datetime) --* The ISO-8601 timestamp when the trust anchor was last updated. **Exceptions** * "IAMRolesAnywhere.Client.exceptions.ValidationException" * "IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException" * "IAMRolesAnywhere.Client.exceptions.AccessDeniedException" IAMRolesAnywhere / Client / delete_crl delete_crl ********** IAMRolesAnywhere.Client.delete_crl(**kwargs) Deletes a certificate revocation list (CRL). **Required permissions:** "rolesanywhere:DeleteCrl". See also: AWS API Documentation **Request Syntax** response = client.delete_crl( crlId='string' ) Parameters: **crlId** (*string*) -- **[REQUIRED]** The unique identifier of the certificate revocation list (CRL). Return type: dict Returns: **Response Syntax** { 'crl': { 'createdAt': datetime(2015, 1, 1), 'crlArn': 'string', 'crlData': b'bytes', 'crlId': 'string', 'enabled': True|False, 'name': 'string', 'trustAnchorArn': 'string', 'updatedAt': datetime(2015, 1, 1) } } **Response Structure** * *(dict) --* * **crl** *(dict) --* The state of the certificate revocation list (CRL) after a read or write operation. * **createdAt** *(datetime) --* The ISO-8601 timestamp when the certificate revocation list (CRL) was created. * **crlArn** *(string) --* The ARN of the certificate revocation list (CRL). * **crlData** *(bytes) --* The state of the certificate revocation list (CRL) after a read or write operation. * **crlId** *(string) --* The unique identifier of the certificate revocation list (CRL). * **enabled** *(boolean) --* Indicates whether the certificate revocation list (CRL) is enabled. * **name** *(string) --* The name of the certificate revocation list (CRL). * **trustAnchorArn** *(string) --* The ARN of the TrustAnchor the certificate revocation list (CRL) will provide revocation for. * **updatedAt** *(datetime) --* The ISO-8601 timestamp when the certificate revocation list (CRL) was last updated. **Exceptions** * "IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException" * "IAMRolesAnywhere.Client.exceptions.AccessDeniedException"