diff --git a/go.mod b/go.mod index bb7573c72..3f4edaf39 100644 --- a/go.mod +++ b/go.mod @@ -3,6 +3,7 @@ module github.com/ceph/ceph-csi go 1.13 require ( + github.com/aws/aws-sdk-go v1.38.8 github.com/ceph/go-ceph v0.8.0 github.com/container-storage-interface/spec v1.3.0 github.com/go-logr/logr v0.2.1 // indirect diff --git a/go.sum b/go.sum index b4a5a4c71..6d9925453 100644 --- a/go.sum +++ b/go.sum @@ -156,6 +156,8 @@ github.com/aws/aws-sdk-go v1.28.2/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN github.com/aws/aws-sdk-go v1.30.27/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0= github.com/aws/aws-sdk-go v1.35.24 h1:U3GNTg8+7xSM6OAJ8zksiSM4bRqxBWmVwwehvOSNG3A= github.com/aws/aws-sdk-go v1.35.24/go.mod h1:tlPOdRjfxPBpNIwqDj61rmsnA85v9jc0Ps9+muhnW+k= +github.com/aws/aws-sdk-go v1.38.8 h1:rQz2XmTYIdO7FUvLF2Nd1+a7nqzAhnm0bphbhlgDdGw= +github.com/aws/aws-sdk-go v1.38.8/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro= github.com/baiyubin/aliyun-sts-go-sdk v0.0.0-20180326062324-cfa1a18b161f/go.mod h1:AuiFmCCPBSrqvVMvuqFuk0qogytodnVFVSN5CeJB8Gc= github.com/bazelbuild/bazel-gazelle v0.18.2/go.mod h1:D0ehMSbS+vesFsLGiD6JXu3mVEzOlfUl8wNnq+x/9p0= github.com/bazelbuild/bazel-gazelle v0.19.1-0.20191105222053-70208cbdc798/go.mod h1:rPwzNHUqEzngx1iVBfO/2X2npKaT3tqPqqHW6rVsn/A= diff --git a/vendor/github.com/aws/aws-sdk-go/aws/client/client.go b/vendor/github.com/aws/aws-sdk-go/aws/client/client.go index 03334d692..74f35ccf0 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/client/client.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/client/client.go @@ -88,10 +88,6 @@ func (c *Client) NewRequest(operation *request.Operation, params interface{}, da // AddDebugHandlers injects debug logging handlers into the service to log request // debug information. func (c *Client) AddDebugHandlers() { - if !c.Config.LogLevel.AtLeast(aws.LogDebug) { - return - } - c.Handlers.Send.PushFrontNamed(LogHTTPRequestHandler) c.Handlers.Send.PushBackNamed(LogHTTPResponseHandler) } diff --git a/vendor/github.com/aws/aws-sdk-go/aws/client/logger.go b/vendor/github.com/aws/aws-sdk-go/aws/client/logger.go index 8958c32d4..1d774cfa2 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/client/logger.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/client/logger.go @@ -53,6 +53,10 @@ var LogHTTPRequestHandler = request.NamedHandler{ } func logRequest(r *request.Request) { + if !r.Config.LogLevel.AtLeast(aws.LogDebug) { + return + } + logBody := r.Config.LogLevel.Matches(aws.LogDebugWithHTTPBody) bodySeekable := aws.IsReaderSeekable(r.Body) @@ -120,6 +124,10 @@ var LogHTTPResponseHandler = request.NamedHandler{ } func logResponse(r *request.Request) { + if !r.Config.LogLevel.AtLeast(aws.LogDebug) { + return + } + lw := &logWriter{r.Config.Logger, bytes.NewBuffer(nil)} if r.HTTPResponse == nil { diff --git a/vendor/github.com/aws/aws-sdk-go/aws/config.go b/vendor/github.com/aws/aws-sdk-go/aws/config.go index 3b809e847..39fa6d5fe 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/config.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/config.go @@ -438,13 +438,6 @@ func (c *Config) WithDisableEndpointHostPrefix(t bool) *Config { return c } -// MergeIn merges the passed in configs into the existing config object. -func (c *Config) MergeIn(cfgs ...*Config) { - for _, other := range cfgs { - mergeInConfig(c, other) - } -} - // WithSTSRegionalEndpoint will set whether or not to use regional endpoint flag // when resolving the endpoint for a service func (c *Config) WithSTSRegionalEndpoint(sre endpoints.STSRegionalEndpoint) *Config { @@ -459,6 +452,27 @@ func (c *Config) WithS3UsEast1RegionalEndpoint(sre endpoints.S3UsEast1RegionalEn return c } +// WithLowerCaseHeaderMaps sets a config LowerCaseHeaderMaps value +// returning a Config pointer for chaining. +func (c *Config) WithLowerCaseHeaderMaps(t bool) *Config { + c.LowerCaseHeaderMaps = &t + return c +} + +// WithDisableRestProtocolURICleaning sets a config DisableRestProtocolURICleaning value +// returning a Config pointer for chaining. +func (c *Config) WithDisableRestProtocolURICleaning(t bool) *Config { + c.DisableRestProtocolURICleaning = &t + return c +} + +// MergeIn merges the passed in configs into the existing config object. +func (c *Config) MergeIn(cfgs ...*Config) { + for _, other := range cfgs { + mergeInConfig(c, other) + } +} + func mergeInConfig(dst *Config, other *Config) { if other == nil { return @@ -571,6 +585,10 @@ func mergeInConfig(dst *Config, other *Config) { if other.S3UsEast1RegionalEndpoint != endpoints.UnsetS3UsEast1Endpoint { dst.S3UsEast1RegionalEndpoint = other.S3UsEast1RegionalEndpoint } + + if other.LowerCaseHeaderMaps != nil { + dst.LowerCaseHeaderMaps = other.LowerCaseHeaderMaps + } } // Copy will return a shallow copy of the Config object. If any additional diff --git a/vendor/github.com/aws/aws-sdk-go/aws/corehandlers/handlers.go b/vendor/github.com/aws/aws-sdk-go/aws/corehandlers/handlers.go new file mode 100644 index 000000000..d95a5eb54 --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/aws/corehandlers/handlers.go @@ -0,0 +1,232 @@ +package corehandlers + +import ( + "bytes" + "fmt" + "io/ioutil" + "net/http" + "net/url" + "regexp" + "strconv" + "time" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/awserr" + "github.com/aws/aws-sdk-go/aws/credentials" + "github.com/aws/aws-sdk-go/aws/request" +) + +// Interface for matching types which also have a Len method. +type lener interface { + Len() int +} + +// BuildContentLengthHandler builds the content length of a request based on the body, +// or will use the HTTPRequest.Header's "Content-Length" if defined. If unable +// to determine request body length and no "Content-Length" was specified it will panic. +// +// The Content-Length will only be added to the request if the length of the body +// is greater than 0. If the body is empty or the current `Content-Length` +// header is <= 0, the header will also be stripped. +var BuildContentLengthHandler = request.NamedHandler{Name: "core.BuildContentLengthHandler", Fn: func(r *request.Request) { + var length int64 + + if slength := r.HTTPRequest.Header.Get("Content-Length"); slength != "" { + length, _ = strconv.ParseInt(slength, 10, 64) + } else { + if r.Body != nil { + var err error + length, err = aws.SeekerLen(r.Body) + if err != nil { + r.Error = awserr.New(request.ErrCodeSerialization, "failed to get request body's length", err) + return + } + } + } + + if length > 0 { + r.HTTPRequest.ContentLength = length + r.HTTPRequest.Header.Set("Content-Length", fmt.Sprintf("%d", length)) + } else { + r.HTTPRequest.ContentLength = 0 + r.HTTPRequest.Header.Del("Content-Length") + } +}} + +var reStatusCode = regexp.MustCompile(`^(\d{3})`) + +// ValidateReqSigHandler is a request handler to ensure that the request's +// signature doesn't expire before it is sent. This can happen when a request +// is built and signed significantly before it is sent. Or significant delays +// occur when retrying requests that would cause the signature to expire. +var ValidateReqSigHandler = request.NamedHandler{ + Name: "core.ValidateReqSigHandler", + Fn: func(r *request.Request) { + // Unsigned requests are not signed + if r.Config.Credentials == credentials.AnonymousCredentials { + return + } + + signedTime := r.Time + if !r.LastSignedAt.IsZero() { + signedTime = r.LastSignedAt + } + + // 5 minutes to allow for some clock skew/delays in transmission. + // Would be improved with aws/aws-sdk-go#423 + if signedTime.Add(5 * time.Minute).After(time.Now()) { + return + } + + fmt.Println("request expired, resigning") + r.Sign() + }, +} + +// SendHandler is a request handler to send service request using HTTP client. +var SendHandler = request.NamedHandler{ + Name: "core.SendHandler", + Fn: func(r *request.Request) { + sender := sendFollowRedirects + if r.DisableFollowRedirects { + sender = sendWithoutFollowRedirects + } + + if request.NoBody == r.HTTPRequest.Body { + // Strip off the request body if the NoBody reader was used as a + // place holder for a request body. This prevents the SDK from + // making requests with a request body when it would be invalid + // to do so. + // + // Use a shallow copy of the http.Request to ensure the race condition + // of transport on Body will not trigger + reqOrig, reqCopy := r.HTTPRequest, *r.HTTPRequest + reqCopy.Body = nil + r.HTTPRequest = &reqCopy + defer func() { + r.HTTPRequest = reqOrig + }() + } + + var err error + r.HTTPResponse, err = sender(r) + if err != nil { + handleSendError(r, err) + } + }, +} + +func sendFollowRedirects(r *request.Request) (*http.Response, error) { + return r.Config.HTTPClient.Do(r.HTTPRequest) +} + +func sendWithoutFollowRedirects(r *request.Request) (*http.Response, error) { + transport := r.Config.HTTPClient.Transport + if transport == nil { + transport = http.DefaultTransport + } + + return transport.RoundTrip(r.HTTPRequest) +} + +func handleSendError(r *request.Request, err error) { + // Prevent leaking if an HTTPResponse was returned. Clean up + // the body. + if r.HTTPResponse != nil { + r.HTTPResponse.Body.Close() + } + // Capture the case where url.Error is returned for error processing + // response. e.g. 301 without location header comes back as string + // error and r.HTTPResponse is nil. Other URL redirect errors will + // comeback in a similar method. + if e, ok := err.(*url.Error); ok && e.Err != nil { + if s := reStatusCode.FindStringSubmatch(e.Err.Error()); s != nil { + code, _ := strconv.ParseInt(s[1], 10, 64) + r.HTTPResponse = &http.Response{ + StatusCode: int(code), + Status: http.StatusText(int(code)), + Body: ioutil.NopCloser(bytes.NewReader([]byte{})), + } + return + } + } + if r.HTTPResponse == nil { + // Add a dummy request response object to ensure the HTTPResponse + // value is consistent. + r.HTTPResponse = &http.Response{ + StatusCode: int(0), + Status: http.StatusText(int(0)), + Body: ioutil.NopCloser(bytes.NewReader([]byte{})), + } + } + // Catch all request errors, and let the default retrier determine + // if the error is retryable. + r.Error = awserr.New(request.ErrCodeRequestError, "send request failed", err) + + // Override the error with a context canceled error, if that was canceled. + ctx := r.Context() + select { + case <-ctx.Done(): + r.Error = awserr.New(request.CanceledErrorCode, + "request context canceled", ctx.Err()) + r.Retryable = aws.Bool(false) + default: + } +} + +// ValidateResponseHandler is a request handler to validate service response. +var ValidateResponseHandler = request.NamedHandler{Name: "core.ValidateResponseHandler", Fn: func(r *request.Request) { + if r.HTTPResponse.StatusCode == 0 || r.HTTPResponse.StatusCode >= 300 { + // this may be replaced by an UnmarshalError handler + r.Error = awserr.New("UnknownError", "unknown error", nil) + } +}} + +// AfterRetryHandler performs final checks to determine if the request should +// be retried and how long to delay. +var AfterRetryHandler = request.NamedHandler{ + Name: "core.AfterRetryHandler", + Fn: func(r *request.Request) { + // If one of the other handlers already set the retry state + // we don't want to override it based on the service's state + if r.Retryable == nil || aws.BoolValue(r.Config.EnforceShouldRetryCheck) { + r.Retryable = aws.Bool(r.ShouldRetry(r)) + } + + if r.WillRetry() { + r.RetryDelay = r.RetryRules(r) + + if sleepFn := r.Config.SleepDelay; sleepFn != nil { + // Support SleepDelay for backwards compatibility and testing + sleepFn(r.RetryDelay) + } else if err := aws.SleepWithContext(r.Context(), r.RetryDelay); err != nil { + r.Error = awserr.New(request.CanceledErrorCode, + "request context canceled", err) + r.Retryable = aws.Bool(false) + return + } + + // when the expired token exception occurs the credentials + // need to be expired locally so that the next request to + // get credentials will trigger a credentials refresh. + if r.IsErrorExpired() { + r.Config.Credentials.Expire() + } + + r.RetryCount++ + r.Error = nil + } + }} + +// ValidateEndpointHandler is a request handler to validate a request had the +// appropriate Region and Endpoint set. Will set r.Error if the endpoint or +// region is not valid. +var ValidateEndpointHandler = request.NamedHandler{Name: "core.ValidateEndpointHandler", Fn: func(r *request.Request) { + if r.ClientInfo.SigningRegion == "" && aws.StringValue(r.Config.Region) == "" { + r.Error = aws.ErrMissingRegion + } else if r.ClientInfo.Endpoint == "" { + // Was any endpoint provided by the user, or one was derived by the + // SDK's endpoint resolver? + r.Error = aws.ErrMissingEndpoint + } +}} diff --git a/vendor/github.com/aws/aws-sdk-go/aws/corehandlers/param_validator.go b/vendor/github.com/aws/aws-sdk-go/aws/corehandlers/param_validator.go new file mode 100644 index 000000000..7d50b1557 --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/aws/corehandlers/param_validator.go @@ -0,0 +1,17 @@ +package corehandlers + +import "github.com/aws/aws-sdk-go/aws/request" + +// ValidateParametersHandler is a request handler to validate the input parameters. +// Validating parameters only has meaning if done prior to the request being sent. +var ValidateParametersHandler = request.NamedHandler{Name: "core.ValidateParametersHandler", Fn: func(r *request.Request) { + if !r.ParamsFilled() { + return + } + + if v, ok := r.Params.(request.Validator); ok { + if err := v.Validate(); err != nil { + r.Error = err + } + } +}} diff --git a/vendor/github.com/aws/aws-sdk-go/aws/corehandlers/user_agent.go b/vendor/github.com/aws/aws-sdk-go/aws/corehandlers/user_agent.go new file mode 100644 index 000000000..ab69c7a6f --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/aws/corehandlers/user_agent.go @@ -0,0 +1,37 @@ +package corehandlers + +import ( + "os" + "runtime" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/request" +) + +// SDKVersionUserAgentHandler is a request handler for adding the SDK Version +// to the user agent. +var SDKVersionUserAgentHandler = request.NamedHandler{ + Name: "core.SDKVersionUserAgentHandler", + Fn: request.MakeAddToUserAgentHandler(aws.SDKName, aws.SDKVersion, + runtime.Version(), runtime.GOOS, runtime.GOARCH), +} + +const execEnvVar = `AWS_EXECUTION_ENV` +const execEnvUAKey = `exec-env` + +// AddHostExecEnvUserAgentHander is a request handler appending the SDK's +// execution environment to the user agent. +// +// If the environment variable AWS_EXECUTION_ENV is set, its value will be +// appended to the user agent string. +var AddHostExecEnvUserAgentHander = request.NamedHandler{ + Name: "core.AddHostExecEnvUserAgentHander", + Fn: func(r *request.Request) { + v := os.Getenv(execEnvVar) + if len(v) == 0 { + return + } + + request.AddToUserAgent(r, execEnvUAKey+"/"+v) + }, +} diff --git a/vendor/github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds/ec2_role_provider.go b/vendor/github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds/ec2_role_provider.go new file mode 100644 index 000000000..92af5b725 --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds/ec2_role_provider.go @@ -0,0 +1,188 @@ +package ec2rolecreds + +import ( + "bufio" + "encoding/json" + "fmt" + "strings" + "time" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/awserr" + "github.com/aws/aws-sdk-go/aws/client" + "github.com/aws/aws-sdk-go/aws/credentials" + "github.com/aws/aws-sdk-go/aws/ec2metadata" + "github.com/aws/aws-sdk-go/aws/request" + "github.com/aws/aws-sdk-go/internal/sdkuri" +) + +// ProviderName provides a name of EC2Role provider +const ProviderName = "EC2RoleProvider" + +// A EC2RoleProvider retrieves credentials from the EC2 service, and keeps track if +// those credentials are expired. +// +// Example how to configure the EC2RoleProvider with custom http Client, Endpoint +// or ExpiryWindow +// +// p := &ec2rolecreds.EC2RoleProvider{ +// // Pass in a custom timeout to be used when requesting +// // IAM EC2 Role credentials. +// Client: ec2metadata.New(sess, aws.Config{ +// HTTPClient: &http.Client{Timeout: 10 * time.Second}, +// }), +// +// // Do not use early expiry of credentials. If a non zero value is +// // specified the credentials will be expired early +// ExpiryWindow: 0, +// } +type EC2RoleProvider struct { + credentials.Expiry + + // Required EC2Metadata client to use when connecting to EC2 metadata service. + Client *ec2metadata.EC2Metadata + + // ExpiryWindow will allow the credentials to trigger refreshing prior to + // the credentials actually expiring. This is beneficial so race conditions + // with expiring credentials do not cause request to fail unexpectedly + // due to ExpiredTokenException exceptions. + // + // So a ExpiryWindow of 10s would cause calls to IsExpired() to return true + // 10 seconds before the credentials are actually expired. + // + // If ExpiryWindow is 0 or less it will be ignored. + ExpiryWindow time.Duration +} + +// NewCredentials returns a pointer to a new Credentials object wrapping +// the EC2RoleProvider. Takes a ConfigProvider to create a EC2Metadata client. +// The ConfigProvider is satisfied by the session.Session type. +func NewCredentials(c client.ConfigProvider, options ...func(*EC2RoleProvider)) *credentials.Credentials { + p := &EC2RoleProvider{ + Client: ec2metadata.New(c), + } + + for _, option := range options { + option(p) + } + + return credentials.NewCredentials(p) +} + +// NewCredentialsWithClient returns a pointer to a new Credentials object wrapping +// the EC2RoleProvider. Takes a EC2Metadata client to use when connecting to EC2 +// metadata service. +func NewCredentialsWithClient(client *ec2metadata.EC2Metadata, options ...func(*EC2RoleProvider)) *credentials.Credentials { + p := &EC2RoleProvider{ + Client: client, + } + + for _, option := range options { + option(p) + } + + return credentials.NewCredentials(p) +} + +// Retrieve retrieves credentials from the EC2 service. +// Error will be returned if the request fails, or unable to extract +// the desired credentials. +func (m *EC2RoleProvider) Retrieve() (credentials.Value, error) { + return m.RetrieveWithContext(aws.BackgroundContext()) +} + +// RetrieveWithContext retrieves credentials from the EC2 service. +// Error will be returned if the request fails, or unable to extract +// the desired credentials. +func (m *EC2RoleProvider) RetrieveWithContext(ctx credentials.Context) (credentials.Value, error) { + credsList, err := requestCredList(ctx, m.Client) + if err != nil { + return credentials.Value{ProviderName: ProviderName}, err + } + + if len(credsList) == 0 { + return credentials.Value{ProviderName: ProviderName}, awserr.New("EmptyEC2RoleList", "empty EC2 Role list", nil) + } + credsName := credsList[0] + + roleCreds, err := requestCred(ctx, m.Client, credsName) + if err != nil { + return credentials.Value{ProviderName: ProviderName}, err + } + + m.SetExpiration(roleCreds.Expiration, m.ExpiryWindow) + + return credentials.Value{ + AccessKeyID: roleCreds.AccessKeyID, + SecretAccessKey: roleCreds.SecretAccessKey, + SessionToken: roleCreds.Token, + ProviderName: ProviderName, + }, nil +} + +// A ec2RoleCredRespBody provides the shape for unmarshaling credential +// request responses. +type ec2RoleCredRespBody struct { + // Success State + Expiration time.Time + AccessKeyID string + SecretAccessKey string + Token string + + // Error state + Code string + Message string +} + +const iamSecurityCredsPath = "iam/security-credentials/" + +// requestCredList requests a list of credentials from the EC2 service. +// If there are no credentials, or there is an error making or receiving the request +func requestCredList(ctx aws.Context, client *ec2metadata.EC2Metadata) ([]string, error) { + resp, err := client.GetMetadataWithContext(ctx, iamSecurityCredsPath) + if err != nil { + return nil, awserr.New("EC2RoleRequestError", "no EC2 instance role found", err) + } + + credsList := []string{} + s := bufio.NewScanner(strings.NewReader(resp)) + for s.Scan() { + credsList = append(credsList, s.Text()) + } + + if err := s.Err(); err != nil { + return nil, awserr.New(request.ErrCodeSerialization, + "failed to read EC2 instance role from metadata service", err) + } + + return credsList, nil +} + +// requestCred requests the credentials for a specific credentials from the EC2 service. +// +// If the credentials cannot be found, or there is an error reading the response +// and error will be returned. +func requestCred(ctx aws.Context, client *ec2metadata.EC2Metadata, credsName string) (ec2RoleCredRespBody, error) { + resp, err := client.GetMetadataWithContext(ctx, sdkuri.PathJoin(iamSecurityCredsPath, credsName)) + if err != nil { + return ec2RoleCredRespBody{}, + awserr.New("EC2RoleRequestError", + fmt.Sprintf("failed to get %s EC2 instance role credentials", credsName), + err) + } + + respCreds := ec2RoleCredRespBody{} + if err := json.NewDecoder(strings.NewReader(resp)).Decode(&respCreds); err != nil { + return ec2RoleCredRespBody{}, + awserr.New(request.ErrCodeSerialization, + fmt.Sprintf("failed to decode %s EC2 instance role credentials", credsName), + err) + } + + if respCreds.Code != "Success" { + // If an error code was returned something failed requesting the role. + return ec2RoleCredRespBody{}, awserr.New(respCreds.Code, respCreds.Message, nil) + } + + return respCreds, nil +} diff --git a/vendor/github.com/aws/aws-sdk-go/aws/credentials/endpointcreds/provider.go b/vendor/github.com/aws/aws-sdk-go/aws/credentials/endpointcreds/provider.go new file mode 100644 index 000000000..785f30d8e --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/aws/credentials/endpointcreds/provider.go @@ -0,0 +1,210 @@ +// Package endpointcreds provides support for retrieving credentials from an +// arbitrary HTTP endpoint. +// +// The credentials endpoint Provider can receive both static and refreshable +// credentials that will expire. Credentials are static when an "Expiration" +// value is not provided in the endpoint's response. +// +// Static credentials will never expire once they have been retrieved. The format +// of the static credentials response: +// { +// "AccessKeyId" : "MUA...", +// "SecretAccessKey" : "/7PC5om....", +// } +// +// Refreshable credentials will expire within the "ExpiryWindow" of the Expiration +// value in the response. The format of the refreshable credentials response: +// { +// "AccessKeyId" : "MUA...", +// "SecretAccessKey" : "/7PC5om....", +// "Token" : "AQoDY....=", +// "Expiration" : "2016-02-25T06:03:31Z" +// } +// +// Errors should be returned in the following format and only returned with 400 +// or 500 HTTP status codes. +// { +// "code": "ErrorCode", +// "message": "Helpful error message." +// } +package endpointcreds + +import ( + "encoding/json" + "time" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/awserr" + "github.com/aws/aws-sdk-go/aws/client" + "github.com/aws/aws-sdk-go/aws/client/metadata" + "github.com/aws/aws-sdk-go/aws/credentials" + "github.com/aws/aws-sdk-go/aws/request" + "github.com/aws/aws-sdk-go/private/protocol/json/jsonutil" +) + +// ProviderName is the name of the credentials provider. +const ProviderName = `CredentialsEndpointProvider` + +// Provider satisfies the credentials.Provider interface, and is a client to +// retrieve credentials from an arbitrary endpoint. +type Provider struct { + staticCreds bool + credentials.Expiry + + // Requires a AWS Client to make HTTP requests to the endpoint with. + // the Endpoint the request will be made to is provided by the aws.Config's + // Endpoint value. + Client *client.Client + + // ExpiryWindow will allow the credentials to trigger refreshing prior to + // the credentials actually expiring. This is beneficial so race conditions + // with expiring credentials do not cause request to fail unexpectedly + // due to ExpiredTokenException exceptions. + // + // So a ExpiryWindow of 10s would cause calls to IsExpired() to return true + // 10 seconds before the credentials are actually expired. + // + // If ExpiryWindow is 0 or less it will be ignored. + ExpiryWindow time.Duration + + // Optional authorization token value if set will be used as the value of + // the Authorization header of the endpoint credential request. + AuthorizationToken string +} + +// NewProviderClient returns a credentials Provider for retrieving AWS credentials +// from arbitrary endpoint. +func NewProviderClient(cfg aws.Config, handlers request.Handlers, endpoint string, options ...func(*Provider)) credentials.Provider { + p := &Provider{ + Client: client.New( + cfg, + metadata.ClientInfo{ + ServiceName: "CredentialsEndpoint", + Endpoint: endpoint, + }, + handlers, + ), + } + + p.Client.Handlers.Unmarshal.PushBack(unmarshalHandler) + p.Client.Handlers.UnmarshalError.PushBack(unmarshalError) + p.Client.Handlers.Validate.Clear() + p.Client.Handlers.Validate.PushBack(validateEndpointHandler) + + for _, option := range options { + option(p) + } + + return p +} + +// NewCredentialsClient returns a pointer to a new Credentials object +// wrapping the endpoint credentials Provider. +func NewCredentialsClient(cfg aws.Config, handlers request.Handlers, endpoint string, options ...func(*Provider)) *credentials.Credentials { + return credentials.NewCredentials(NewProviderClient(cfg, handlers, endpoint, options...)) +} + +// IsExpired returns true if the credentials retrieved are expired, or not yet +// retrieved. +func (p *Provider) IsExpired() bool { + if p.staticCreds { + return false + } + return p.Expiry.IsExpired() +} + +// Retrieve will attempt to request the credentials from the endpoint the Provider +// was configured for. And error will be returned if the retrieval fails. +func (p *Provider) Retrieve() (credentials.Value, error) { + return p.RetrieveWithContext(aws.BackgroundContext()) +} + +// RetrieveWithContext will attempt to request the credentials from the endpoint the Provider +// was configured for. And error will be returned if the retrieval fails. +func (p *Provider) RetrieveWithContext(ctx credentials.Context) (credentials.Value, error) { + resp, err := p.getCredentials(ctx) + if err != nil { + return credentials.Value{ProviderName: ProviderName}, + awserr.New("CredentialsEndpointError", "failed to load credentials", err) + } + + if resp.Expiration != nil { + p.SetExpiration(*resp.Expiration, p.ExpiryWindow) + } else { + p.staticCreds = true + } + + return credentials.Value{ + AccessKeyID: resp.AccessKeyID, + SecretAccessKey: resp.SecretAccessKey, + SessionToken: resp.Token, + ProviderName: ProviderName, + }, nil +} + +type getCredentialsOutput struct { + Expiration *time.Time + AccessKeyID string + SecretAccessKey string + Token string +} + +type errorOutput struct { + Code string `json:"code"` + Message string `json:"message"` +} + +func (p *Provider) getCredentials(ctx aws.Context) (*getCredentialsOutput, error) { + op := &request.Operation{ + Name: "GetCredentials", + HTTPMethod: "GET", + } + + out := &getCredentialsOutput{} + req := p.Client.NewRequest(op, nil, out) + req.SetContext(ctx) + req.HTTPRequest.Header.Set("Accept", "application/json") + if authToken := p.AuthorizationToken; len(authToken) != 0 { + req.HTTPRequest.Header.Set("Authorization", authToken) + } + + return out, req.Send() +} + +func validateEndpointHandler(r *request.Request) { + if len(r.ClientInfo.Endpoint) == 0 { + r.Error = aws.ErrMissingEndpoint + } +} + +func unmarshalHandler(r *request.Request) { + defer r.HTTPResponse.Body.Close() + + out := r.Data.(*getCredentialsOutput) + if err := json.NewDecoder(r.HTTPResponse.Body).Decode(&out); err != nil { + r.Error = awserr.New(request.ErrCodeSerialization, + "failed to decode endpoint credentials", + err, + ) + } +} + +func unmarshalError(r *request.Request) { + defer r.HTTPResponse.Body.Close() + + var errOut errorOutput + err := jsonutil.UnmarshalJSONError(&errOut, r.HTTPResponse.Body) + if err != nil { + r.Error = awserr.NewRequestFailure( + awserr.New(request.ErrCodeSerialization, + "failed to decode error message", err), + r.HTTPResponse.StatusCode, + r.RequestID, + ) + return + } + + // Response body format is not consistent between metadata endpoints. + // Grab the error message as a string and include that as the source error + r.Error = awserr.New(errOut.Code, errOut.Message, nil) +} diff --git a/vendor/github.com/aws/aws-sdk-go/aws/credentials/processcreds/provider.go b/vendor/github.com/aws/aws-sdk-go/aws/credentials/processcreds/provider.go new file mode 100644 index 000000000..e62483600 --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/aws/credentials/processcreds/provider.go @@ -0,0 +1,426 @@ +/* +Package processcreds is a credential Provider to retrieve `credential_process` +credentials. + +WARNING: The following describes a method of sourcing credentials from an external +process. This can potentially be dangerous, so proceed with caution. Other +credential providers should be preferred if at all possible. If using this +option, you should make sure that the config file is as locked down as possible +using security best practices for your operating system. + +You can use credentials from a `credential_process` in a variety of ways. + +One way is to setup your shared config file, located in the default +location, with the `credential_process` key and the command you want to be +called. You also need to set the AWS_SDK_LOAD_CONFIG environment variable +(e.g., `export AWS_SDK_LOAD_CONFIG=1`) to use the shared config file. + + [default] + credential_process = /command/to/call + +Creating a new session will use the credential process to retrieve credentials. +NOTE: If there are credentials in the profile you are using, the credential +process will not be used. + + // Initialize a session to load credentials. + sess, _ := session.NewSession(&aws.Config{ + Region: aws.String("us-east-1")}, + ) + + // Create S3 service client to use the credentials. + svc := s3.New(sess) + +Another way to use the `credential_process` method is by using +`credentials.NewCredentials()` and providing a command to be executed to +retrieve credentials: + + // Create credentials using the ProcessProvider. + creds := processcreds.NewCredentials("/path/to/command") + + // Create service client value configured for credentials. + svc := s3.New(sess, &aws.Config{Credentials: creds}) + +You can set a non-default timeout for the `credential_process` with another +constructor, `credentials.NewCredentialsTimeout()`, providing the timeout. To +set a one minute timeout: + + // Create credentials using the ProcessProvider. + creds := processcreds.NewCredentialsTimeout( + "/path/to/command", + time.Duration(500) * time.Millisecond) + +If you need more control, you can set any configurable options in the +credentials using one or more option functions. For example, you can set a two +minute timeout, a credential duration of 60 minutes, and a maximum stdout +buffer size of 2k. + + creds := processcreds.NewCredentials( + "/path/to/command", + func(opt *ProcessProvider) { + opt.Timeout = time.Duration(2) * time.Minute + opt.Duration = time.Duration(60) * time.Minute + opt.MaxBufSize = 2048 + }) + +You can also use your own `exec.Cmd`: + + // Create an exec.Cmd + myCommand := exec.Command("/path/to/command") + + // Create credentials using your exec.Cmd and custom timeout + creds := processcreds.NewCredentialsCommand( + myCommand, + func(opt *processcreds.ProcessProvider) { + opt.Timeout = time.Duration(1) * time.Second + }) +*/ +package processcreds + +import ( + "bytes" + "encoding/json" + "fmt" + "io" + "io/ioutil" + "os" + "os/exec" + "runtime" + "strings" + "time" + + "github.com/aws/aws-sdk-go/aws/awserr" + "github.com/aws/aws-sdk-go/aws/credentials" + "github.com/aws/aws-sdk-go/internal/sdkio" +) + +const ( + // ProviderName is the name this credentials provider will label any + // returned credentials Value with. + ProviderName = `ProcessProvider` + + // ErrCodeProcessProviderParse error parsing process output + ErrCodeProcessProviderParse = "ProcessProviderParseError" + + // ErrCodeProcessProviderVersion version error in output + ErrCodeProcessProviderVersion = "ProcessProviderVersionError" + + // ErrCodeProcessProviderRequired required attribute missing in output + ErrCodeProcessProviderRequired = "ProcessProviderRequiredError" + + // ErrCodeProcessProviderExecution execution of command failed + ErrCodeProcessProviderExecution = "ProcessProviderExecutionError" + + // errMsgProcessProviderTimeout process took longer than allowed + errMsgProcessProviderTimeout = "credential process timed out" + + // errMsgProcessProviderProcess process error + errMsgProcessProviderProcess = "error in credential_process" + + // errMsgProcessProviderParse problem parsing output + errMsgProcessProviderParse = "parse failed of credential_process output" + + // errMsgProcessProviderVersion version error in output + errMsgProcessProviderVersion = "wrong version in process output (not 1)" + + // errMsgProcessProviderMissKey missing access key id in output + errMsgProcessProviderMissKey = "missing AccessKeyId in process output" + + // errMsgProcessProviderMissSecret missing secret acess key in output + errMsgProcessProviderMissSecret = "missing SecretAccessKey in process output" + + // errMsgProcessProviderPrepareCmd prepare of command failed + errMsgProcessProviderPrepareCmd = "failed to prepare command" + + // errMsgProcessProviderEmptyCmd command must not be empty + errMsgProcessProviderEmptyCmd = "command must not be empty" + + // errMsgProcessProviderPipe failed to initialize pipe + errMsgProcessProviderPipe = "failed to initialize pipe" + + // DefaultDuration is the default amount of time in minutes that the + // credentials will be valid for. + DefaultDuration = time.Duration(15) * time.Minute + + // DefaultBufSize limits buffer size from growing to an enormous + // amount due to a faulty process. + DefaultBufSize = int(8 * sdkio.KibiByte) + + // DefaultTimeout default limit on time a process can run. + DefaultTimeout = time.Duration(1) * time.Minute +) + +// ProcessProvider satisfies the credentials.Provider interface, and is a +// client to retrieve credentials from a process. +type ProcessProvider struct { + staticCreds bool + credentials.Expiry + originalCommand []string + + // Expiry duration of the credentials. Defaults to 15 minutes if not set. + Duration time.Duration + + // ExpiryWindow will allow the credentials to trigger refreshing prior to + // the credentials actually expiring. This is beneficial so race conditions + // with expiring credentials do not cause request to fail unexpectedly + // due to ExpiredTokenException exceptions. + // + // So a ExpiryWindow of 10s would cause calls to IsExpired() to return true + // 10 seconds before the credentials are actually expired. + // + // If ExpiryWindow is 0 or less it will be ignored. + ExpiryWindow time.Duration + + // A string representing an os command that should return a JSON with + // credential information. + command *exec.Cmd + + // MaxBufSize limits memory usage from growing to an enormous + // amount due to a faulty process. + MaxBufSize int + + // Timeout limits the time a process can run. + Timeout time.Duration +} + +// NewCredentials returns a pointer to a new Credentials object wrapping the +// ProcessProvider. The credentials will expire every 15 minutes by default. +func NewCredentials(command string, options ...func(*ProcessProvider)) *credentials.Credentials { + p := &ProcessProvider{ + command: exec.Command(command), + Duration: DefaultDuration, + Timeout: DefaultTimeout, + MaxBufSize: DefaultBufSize, + } + + for _, option := range options { + option(p) + } + + return credentials.NewCredentials(p) +} + +// NewCredentialsTimeout returns a pointer to a new Credentials object with +// the specified command and timeout, and default duration and max buffer size. +func NewCredentialsTimeout(command string, timeout time.Duration) *credentials.Credentials { + p := NewCredentials(command, func(opt *ProcessProvider) { + opt.Timeout = timeout + }) + + return p +} + +// NewCredentialsCommand returns a pointer to a new Credentials object with +// the specified command, and default timeout, duration and max buffer size. +func NewCredentialsCommand(command *exec.Cmd, options ...func(*ProcessProvider)) *credentials.Credentials { + p := &ProcessProvider{ + command: command, + Duration: DefaultDuration, + Timeout: DefaultTimeout, + MaxBufSize: DefaultBufSize, + } + + for _, option := range options { + option(p) + } + + return credentials.NewCredentials(p) +} + +type credentialProcessResponse struct { + Version int + AccessKeyID string `json:"AccessKeyId"` + SecretAccessKey string + SessionToken string + Expiration *time.Time +} + +// Retrieve executes the 'credential_process' and returns the credentials. +func (p *ProcessProvider) Retrieve() (credentials.Value, error) { + out, err := p.executeCredentialProcess() + if err != nil { + return credentials.Value{ProviderName: ProviderName}, err + } + + // Serialize and validate response + resp := &credentialProcessResponse{} + if err = json.Unmarshal(out, resp); err != nil { + return credentials.Value{ProviderName: ProviderName}, awserr.New( + ErrCodeProcessProviderParse, + fmt.Sprintf("%s: %s", errMsgProcessProviderParse, string(out)), + err) + } + + if resp.Version != 1 { + return credentials.Value{ProviderName: ProviderName}, awserr.New( + ErrCodeProcessProviderVersion, + errMsgProcessProviderVersion, + nil) + } + + if len(resp.AccessKeyID) == 0 { + return credentials.Value{ProviderName: ProviderName}, awserr.New( + ErrCodeProcessProviderRequired, + errMsgProcessProviderMissKey, + nil) + } + + if len(resp.SecretAccessKey) == 0 { + return credentials.Value{ProviderName: ProviderName}, awserr.New( + ErrCodeProcessProviderRequired, + errMsgProcessProviderMissSecret, + nil) + } + + // Handle expiration + p.staticCreds = resp.Expiration == nil + if resp.Expiration != nil { + p.SetExpiration(*resp.Expiration, p.ExpiryWindow) + } + + return credentials.Value{ + ProviderName: ProviderName, + AccessKeyID: resp.AccessKeyID, + SecretAccessKey: resp.SecretAccessKey, + SessionToken: resp.SessionToken, + }, nil +} + +// IsExpired returns true if the credentials retrieved are expired, or not yet +// retrieved. +func (p *ProcessProvider) IsExpired() bool { + if p.staticCreds { + return false + } + return p.Expiry.IsExpired() +} + +// prepareCommand prepares the command to be executed. +func (p *ProcessProvider) prepareCommand() error { + + var cmdArgs []string + if runtime.GOOS == "windows" { + cmdArgs = []string{"cmd.exe", "/C"} + } else { + cmdArgs = []string{"sh", "-c"} + } + + if len(p.originalCommand) == 0 { + p.originalCommand = make([]string, len(p.command.Args)) + copy(p.originalCommand, p.command.Args) + + // check for empty command because it succeeds + if len(strings.TrimSpace(p.originalCommand[0])) < 1 { + return awserr.New( + ErrCodeProcessProviderExecution, + fmt.Sprintf( + "%s: %s", + errMsgProcessProviderPrepareCmd, + errMsgProcessProviderEmptyCmd), + nil) + } + } + + cmdArgs = append(cmdArgs, p.originalCommand...) + p.command = exec.Command(cmdArgs[0], cmdArgs[1:]...) + p.command.Env = os.Environ() + + return nil +} + +// executeCredentialProcess starts the credential process on the OS and +// returns the results or an error. +func (p *ProcessProvider) executeCredentialProcess() ([]byte, error) { + + if err := p.prepareCommand(); err != nil { + return nil, err + } + + // Setup the pipes + outReadPipe, outWritePipe, err := os.Pipe() + if err != nil { + return nil, awserr.New( + ErrCodeProcessProviderExecution, + errMsgProcessProviderPipe, + err) + } + + p.command.Stderr = os.Stderr // display stderr on console for MFA + p.command.Stdout = outWritePipe // get creds json on process's stdout + p.command.Stdin = os.Stdin // enable stdin for MFA + + output := bytes.NewBuffer(make([]byte, 0, p.MaxBufSize)) + + stdoutCh := make(chan error, 1) + go readInput( + io.LimitReader(outReadPipe, int64(p.MaxBufSize)), + output, + stdoutCh) + + execCh := make(chan error, 1) + go executeCommand(*p.command, execCh) + + finished := false + var errors []error + for !finished { + select { + case readError := <-stdoutCh: + errors = appendError(errors, readError) + finished = true + case execError := <-execCh: + err := outWritePipe.Close() + errors = appendError(errors, err) + errors = appendError(errors, execError) + if errors != nil { + return output.Bytes(), awserr.NewBatchError( + ErrCodeProcessProviderExecution, + errMsgProcessProviderProcess, + errors) + } + case <-time.After(p.Timeout): + finished = true + return output.Bytes(), awserr.NewBatchError( + ErrCodeProcessProviderExecution, + errMsgProcessProviderTimeout, + errors) // errors can be nil + } + } + + out := output.Bytes() + + if runtime.GOOS == "windows" { + // windows adds slashes to quotes + out = []byte(strings.Replace(string(out), `\"`, `"`, -1)) + } + + return out, nil +} + +// appendError conveniently checks for nil before appending slice +func appendError(errors []error, err error) []error { + if err != nil { + return append(errors, err) + } + return errors +} + +func executeCommand(cmd exec.Cmd, exec chan error) { + // Start the command + err := cmd.Start() + if err == nil { + err = cmd.Wait() + } + + exec <- err +} + +func readInput(r io.Reader, w io.Writer, read chan error) { + tee := io.TeeReader(r, w) + + _, err := ioutil.ReadAll(tee) + + if err == io.EOF { + err = nil + } + + read <- err // will only arrive here when write end of pipe is closed +} diff --git a/vendor/github.com/aws/aws-sdk-go/aws/credentials/ssocreds/doc.go b/vendor/github.com/aws/aws-sdk-go/aws/credentials/ssocreds/doc.go new file mode 100644 index 000000000..18c940ab3 --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/aws/credentials/ssocreds/doc.go @@ -0,0 +1,60 @@ +// Package ssocreds provides a credential provider for retrieving temporary AWS credentials using an SSO access token. +// +// IMPORTANT: The provider in this package does not initiate or perform the AWS SSO login flow. The SDK provider +// expects that you have already performed the SSO login flow using AWS CLI using the "aws sso login" command, or by +// some other mechanism. The provider must find a valid non-expired access token for the AWS SSO user portal URL in +// ~/.aws/sso/cache. If a cached token is not found, it is expired, or the file is malformed an error will be returned. +// +// Loading AWS SSO credentials with the AWS shared configuration file +// +// You can use configure AWS SSO credentials from the AWS shared configuration file by +// providing the specifying the required keys in the profile: +// +// sso_account_id +// sso_region +// sso_role_name +// sso_start_url +// +// For example, the following defines a profile "devsso" and specifies the AWS SSO parameters that defines the target +// account, role, sign-on portal, and the region where the user portal is located. Note: all SSO arguments must be +// provided, or an error will be returned. +// +// [profile devsso] +// sso_start_url = https://my-sso-portal.awsapps.com/start +// sso_role_name = SSOReadOnlyRole +// sso_region = us-east-1 +// sso_account_id = 123456789012 +// +// Using the config module, you can load the AWS SDK shared configuration, and specify that this profile be used to +// retrieve credentials. For example: +// +// sess, err := session.NewSessionWithOptions(session.Options{ +// SharedConfigState: session.SharedConfigEnable, +// Profile: "devsso", +// }) +// if err != nil { +// return err +// } +// +// Programmatically loading AWS SSO credentials directly +// +// You can programmatically construct the AWS SSO Provider in your application, and provide the necessary information +// to load and retrieve temporary credentials using an access token from ~/.aws/sso/cache. +// +// svc := sso.New(sess, &aws.Config{ +// Region: aws.String("us-west-2"), // Client Region must correspond to the AWS SSO user portal region +// }) +// +// provider := ssocreds.NewCredentialsWithClient(svc, "123456789012", "SSOReadOnlyRole", "https://my-sso-portal.awsapps.com/start") +// +// credentials, err := provider.Get() +// if err != nil { +// return err +// } +// +// Additional Resources +// +// Configuring the AWS CLI to use AWS Single Sign-On: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html +// +// AWS Single Sign-On User Guide: https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html +package ssocreds diff --git a/vendor/github.com/aws/aws-sdk-go/aws/credentials/ssocreds/os.go b/vendor/github.com/aws/aws-sdk-go/aws/credentials/ssocreds/os.go new file mode 100644 index 000000000..ceca7dcee --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/aws/credentials/ssocreds/os.go @@ -0,0 +1,9 @@ +// +build !windows + +package ssocreds + +import "os" + +func getHomeDirectory() string { + return os.Getenv("HOME") +} diff --git a/vendor/github.com/aws/aws-sdk-go/aws/credentials/ssocreds/os_windows.go b/vendor/github.com/aws/aws-sdk-go/aws/credentials/ssocreds/os_windows.go new file mode 100644 index 000000000..eb48f61e5 --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/aws/credentials/ssocreds/os_windows.go @@ -0,0 +1,7 @@ +package ssocreds + +import "os" + +func getHomeDirectory() string { + return os.Getenv("USERPROFILE") +} diff --git a/vendor/github.com/aws/aws-sdk-go/aws/credentials/ssocreds/provider.go b/vendor/github.com/aws/aws-sdk-go/aws/credentials/ssocreds/provider.go new file mode 100644 index 000000000..6eda2a555 --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/aws/credentials/ssocreds/provider.go @@ -0,0 +1,180 @@ +package ssocreds + +import ( + "crypto/sha1" + "encoding/hex" + "encoding/json" + "fmt" + "io/ioutil" + "path/filepath" + "strings" + "time" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/awserr" + "github.com/aws/aws-sdk-go/aws/client" + "github.com/aws/aws-sdk-go/aws/credentials" + "github.com/aws/aws-sdk-go/service/sso" + "github.com/aws/aws-sdk-go/service/sso/ssoiface" +) + +// ErrCodeSSOProviderInvalidToken is the code type that is returned if loaded token has expired or is otherwise invalid. +// To refresh the SSO session run aws sso login with the corresponding profile. +const ErrCodeSSOProviderInvalidToken = "SSOProviderInvalidToken" + +const invalidTokenMessage = "the SSO session has expired or is invalid" + +func init() { + nowTime = time.Now + defaultCacheLocation = defaultCacheLocationImpl +} + +var nowTime func() time.Time + +// ProviderName is the name of the provider used to specify the source of credentials. +const ProviderName = "SSOProvider" + +var defaultCacheLocation func() string + +func defaultCacheLocationImpl() string { + return filepath.Join(getHomeDirectory(), ".aws", "sso", "cache") +} + +// Provider is an AWS credential provider that retrieves temporary AWS credentials by exchanging an SSO login token. +type Provider struct { + credentials.Expiry + + // The Client which is configured for the AWS Region where the AWS SSO user portal is located. + Client ssoiface.SSOAPI + + // The AWS account that is assigned to the user. + AccountID string + + // The role name that is assigned to the user. + RoleName string + + // The URL that points to the organization's AWS Single Sign-On (AWS SSO) user portal. + StartURL string +} + +// NewCredentials returns a new AWS Single Sign-On (AWS SSO) credential provider. The ConfigProvider is expected to be configured +// for the AWS Region where the AWS SSO user portal is located. +func NewCredentials(configProvider client.ConfigProvider, accountID, roleName, startURL string, optFns ...func(provider *Provider)) *credentials.Credentials { + return NewCredentialsWithClient(sso.New(configProvider), accountID, roleName, startURL, optFns...) +} + +// NewCredentialsWithClient returns a new AWS Single Sign-On (AWS SSO) credential provider. The provided client is expected to be configured +// for the AWS Region where the AWS SSO user portal is located. +func NewCredentialsWithClient(client ssoiface.SSOAPI, accountID, roleName, startURL string, optFns ...func(provider *Provider)) *credentials.Credentials { + p := &Provider{ + Client: client, + AccountID: accountID, + RoleName: roleName, + StartURL: startURL, + } + + for _, fn := range optFns { + fn(p) + } + + return credentials.NewCredentials(p) +} + +// Retrieve retrieves temporary AWS credentials from the configured Amazon Single Sign-On (AWS SSO) user portal +// by exchanging the accessToken present in ~/.aws/sso/cache. +func (p *Provider) Retrieve() (credentials.Value, error) { + return p.RetrieveWithContext(aws.BackgroundContext()) +} + +// RetrieveWithContext retrieves temporary AWS credentials from the configured Amazon Single Sign-On (AWS SSO) user portal +// by exchanging the accessToken present in ~/.aws/sso/cache. +func (p *Provider) RetrieveWithContext(ctx credentials.Context) (credentials.Value, error) { + tokenFile, err := loadTokenFile(p.StartURL) + if err != nil { + return credentials.Value{}, err + } + + output, err := p.Client.GetRoleCredentialsWithContext(ctx, &sso.GetRoleCredentialsInput{ + AccessToken: &tokenFile.AccessToken, + AccountId: &p.AccountID, + RoleName: &p.RoleName, + }) + if err != nil { + return credentials.Value{}, err + } + + expireTime := time.Unix(0, aws.Int64Value(output.RoleCredentials.Expiration)*int64(time.Millisecond)).UTC() + p.SetExpiration(expireTime, 0) + + return credentials.Value{ + AccessKeyID: aws.StringValue(output.RoleCredentials.AccessKeyId), + SecretAccessKey: aws.StringValue(output.RoleCredentials.SecretAccessKey), + SessionToken: aws.StringValue(output.RoleCredentials.SessionToken), + ProviderName: ProviderName, + }, nil +} + +func getCacheFileName(url string) (string, error) { + hash := sha1.New() + _, err := hash.Write([]byte(url)) + if err != nil { + return "", err + } + return strings.ToLower(hex.EncodeToString(hash.Sum(nil))) + ".json", nil +} + +type rfc3339 time.Time + +func (r *rfc3339) UnmarshalJSON(bytes []byte) error { + var value string + + if err := json.Unmarshal(bytes, &value); err != nil { + return err + } + + parse, err := time.Parse(time.RFC3339, value) + if err != nil { + return fmt.Errorf("expected RFC3339 timestamp: %v", err) + } + + *r = rfc3339(parse) + + return nil +} + +type token struct { + AccessToken string `json:"accessToken"` + ExpiresAt rfc3339 `json:"expiresAt"` + Region string `json:"region,omitempty"` + StartURL string `json:"startUrl,omitempty"` +} + +func (t token) Expired() bool { + return nowTime().Round(0).After(time.Time(t.ExpiresAt)) +} + +func loadTokenFile(startURL string) (t token, err error) { + key, err := getCacheFileName(startURL) + if err != nil { + return token{}, awserr.New(ErrCodeSSOProviderInvalidToken, invalidTokenMessage, err) + } + + fileBytes, err := ioutil.ReadFile(filepath.Join(defaultCacheLocation(), key)) + if err != nil { + return token{}, awserr.New(ErrCodeSSOProviderInvalidToken, invalidTokenMessage, err) + } + + if err := json.Unmarshal(fileBytes, &t); err != nil { + return token{}, awserr.New(ErrCodeSSOProviderInvalidToken, invalidTokenMessage, err) + } + + if len(t.AccessToken) == 0 { + return token{}, awserr.New(ErrCodeSSOProviderInvalidToken, invalidTokenMessage, nil) + } + + if t.Expired() { + return token{}, awserr.New(ErrCodeSSOProviderInvalidToken, invalidTokenMessage, nil) + } + + return t, nil +} diff --git a/vendor/github.com/aws/aws-sdk-go/aws/credentials/stscreds/assume_role_provider.go b/vendor/github.com/aws/aws-sdk-go/aws/credentials/stscreds/assume_role_provider.go new file mode 100644 index 000000000..260a37cbb --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/aws/credentials/stscreds/assume_role_provider.go @@ -0,0 +1,367 @@ +/* +Package stscreds are credential Providers to retrieve STS AWS credentials. + +STS provides multiple ways to retrieve credentials which can be used when making +future AWS service API operation calls. + +The SDK will ensure that per instance of credentials.Credentials all requests +to refresh the credentials will be synchronized. But, the SDK is unable to +ensure synchronous usage of the AssumeRoleProvider if the value is shared +between multiple Credentials, Sessions or service clients. + +Assume Role + +To assume an IAM role using STS with the SDK you can create a new Credentials +with the SDKs's stscreds package. + + // Initial credentials loaded from SDK's default credential chain. Such as + // the environment, shared credentials (~/.aws/credentials), or EC2 Instance + // Role. These credentials will be used to to make the STS Assume Role API. + sess := session.Must(session.NewSession()) + + // Create the credentials from AssumeRoleProvider to assume the role + // referenced by the "myRoleARN" ARN. + creds := stscreds.NewCredentials(sess, "myRoleArn") + + // Create service client value configured for credentials + // from assumed role. + svc := s3.New(sess, &aws.Config{Credentials: creds}) + +Assume Role with static MFA Token + +To assume an IAM role with a MFA token you can either specify a MFA token code +directly or provide a function to prompt the user each time the credentials +need to refresh the role's credentials. Specifying the TokenCode should be used +for short lived operations that will not need to be refreshed, and when you do +not want to have direct control over the user provides their MFA token. + +With TokenCode the AssumeRoleProvider will be not be able to refresh the role's +credentials. + + // Create the credentials from AssumeRoleProvider to assume the role + // referenced by the "myRoleARN" ARN using the MFA token code provided. + creds := stscreds.NewCredentials(sess, "myRoleArn", func(p *stscreds.AssumeRoleProvider) { + p.SerialNumber = aws.String("myTokenSerialNumber") + p.TokenCode = aws.String("00000000") + }) + + // Create service client value configured for credentials + // from assumed role. + svc := s3.New(sess, &aws.Config{Credentials: creds}) + +Assume Role with MFA Token Provider + +To assume an IAM role with MFA for longer running tasks where the credentials +may need to be refreshed setting the TokenProvider field of AssumeRoleProvider +will allow the credential provider to prompt for new MFA token code when the +role's credentials need to be refreshed. + +The StdinTokenProvider function is available to prompt on stdin to retrieve +the MFA token code from the user. You can also implement custom prompts by +satisfing the TokenProvider function signature. + +Using StdinTokenProvider with multiple AssumeRoleProviders, or Credentials will +have undesirable results as the StdinTokenProvider will not be synchronized. A +single Credentials with an AssumeRoleProvider can be shared safely. + + // Create the credentials from AssumeRoleProvider to assume the role + // referenced by the "myRoleARN" ARN. Prompting for MFA token from stdin. + creds := stscreds.NewCredentials(sess, "myRoleArn", func(p *stscreds.AssumeRoleProvider) { + p.SerialNumber = aws.String("myTokenSerialNumber") + p.TokenProvider = stscreds.StdinTokenProvider + }) + + // Create service client value configured for credentials + // from assumed role. + svc := s3.New(sess, &aws.Config{Credentials: creds}) + +*/ +package stscreds + +import ( + "fmt" + "os" + "time" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/awserr" + "github.com/aws/aws-sdk-go/aws/client" + "github.com/aws/aws-sdk-go/aws/credentials" + "github.com/aws/aws-sdk-go/aws/request" + "github.com/aws/aws-sdk-go/internal/sdkrand" + "github.com/aws/aws-sdk-go/service/sts" +) + +// StdinTokenProvider will prompt on stderr and read from stdin for a string value. +// An error is returned if reading from stdin fails. +// +// Use this function to read MFA tokens from stdin. The function makes no attempt +// to make atomic prompts from stdin across multiple gorouties. +// +// Using StdinTokenProvider with multiple AssumeRoleProviders, or Credentials will +// have undesirable results as the StdinTokenProvider will not be synchronized. A +// single Credentials with an AssumeRoleProvider can be shared safely +// +// Will wait forever until something is provided on the stdin. +func StdinTokenProvider() (string, error) { + var v string + fmt.Fprintf(os.Stderr, "Assume Role MFA token code: ") + _, err := fmt.Scanln(&v) + + return v, err +} + +// ProviderName provides a name of AssumeRole provider +const ProviderName = "AssumeRoleProvider" + +// AssumeRoler represents the minimal subset of the STS client API used by this provider. +type AssumeRoler interface { + AssumeRole(input *sts.AssumeRoleInput) (*sts.AssumeRoleOutput, error) +} + +type assumeRolerWithContext interface { + AssumeRoleWithContext(aws.Context, *sts.AssumeRoleInput, ...request.Option) (*sts.AssumeRoleOutput, error) +} + +// DefaultDuration is the default amount of time in minutes that the credentials +// will be valid for. +var DefaultDuration = time.Duration(15) * time.Minute + +// AssumeRoleProvider retrieves temporary credentials from the STS service, and +// keeps track of their expiration time. +// +// This credential provider will be used by the SDKs default credential change +// when shared configuration is enabled, and the shared config or shared credentials +// file configure assume role. See Session docs for how to do this. +// +// AssumeRoleProvider does not provide any synchronization and it is not safe +// to share this value across multiple Credentials, Sessions, or service clients +// without also sharing the same Credentials instance. +type AssumeRoleProvider struct { + credentials.Expiry + + // STS client to make assume role request with. + Client AssumeRoler + + // Role to be assumed. + RoleARN string + + // Session name, if you wish to reuse the credentials elsewhere. + RoleSessionName string + + // Optional, you can pass tag key-value pairs to your session. These tags are called session tags. + Tags []*sts.Tag + + // A list of keys for session tags that you want to set as transitive. + // If you set a tag key as transitive, the corresponding key and value passes to subsequent sessions in a role chain. + TransitiveTagKeys []*string + + // Expiry duration of the STS credentials. Defaults to 15 minutes if not set. + Duration time.Duration + + // Optional ExternalID to pass along, defaults to nil if not set. + ExternalID *string + + // The policy plain text must be 2048 bytes or shorter. However, an internal + // conversion compresses it into a packed binary format with a separate limit. + // The PackedPolicySize response element indicates by percentage how close to + // the upper size limit the policy is, with 100% equaling the maximum allowed + // size. + Policy *string + + // The ARNs of IAM managed policies you want to use as managed session policies. + // The policies must exist in the same account as the role. + // + // This parameter is optional. You can provide up to 10 managed policy ARNs. + // However, the plain text that you use for both inline and managed session + // policies can't exceed 2,048 characters. + // + // An AWS conversion compresses the passed session policies and session tags + // into a packed binary format that has a separate limit. Your request can fail + // for this limit even if your plain text meets the other requirements. The + // PackedPolicySize response element indicates by percentage how close the policies + // and tags for your request are to the upper size limit. + // + // Passing policies to this operation returns new temporary credentials. The + // resulting session's permissions are the intersection of the role's identity-based + // policy and the session policies. You can use the role's temporary credentials + // in subsequent AWS API calls to access resources in the account that owns + // the role. You cannot use session policies to grant more permissions than + // those allowed by the identity-based policy of the role that is being assumed. + // For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) + // in the IAM User Guide. + PolicyArns []*sts.PolicyDescriptorType + + // The identification number of the MFA device that is associated with the user + // who is making the AssumeRole call. Specify this value if the trust policy + // of the role being assumed includes a condition that requires MFA authentication. + // The value is either the serial number for a hardware device (such as GAHT12345678) + // or an Amazon Resource Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user). + SerialNumber *string + + // The value provided by the MFA device, if the trust policy of the role being + // assumed requires MFA (that is, if the policy includes a condition that tests + // for MFA). If the role being assumed requires MFA and if the TokenCode value + // is missing or expired, the AssumeRole call returns an "access denied" error. + // + // If SerialNumber is set and neither TokenCode nor TokenProvider are also + // set an error will be returned. + TokenCode *string + + // Async method of providing MFA token code for assuming an IAM role with MFA. + // The value returned by the function will be used as the TokenCode in the Retrieve + // call. See StdinTokenProvider for a provider that prompts and reads from stdin. + // + // This token provider will be called when ever the assumed role's + // credentials need to be refreshed when SerialNumber is also set and + // TokenCode is not set. + // + // If both TokenCode and TokenProvider is set, TokenProvider will be used and + // TokenCode is ignored. + TokenProvider func() (string, error) + + // ExpiryWindow will allow the credentials to trigger refreshing prior to + // the credentials actually expiring. This is beneficial so race conditions + // with expiring credentials do not cause request to fail unexpectedly + // due to ExpiredTokenException exceptions. + // + // So a ExpiryWindow of 10s would cause calls to IsExpired() to return true + // 10 seconds before the credentials are actually expired. + // + // If ExpiryWindow is 0 or less it will be ignored. + ExpiryWindow time.Duration + + // MaxJitterFrac reduces the effective Duration of each credential requested + // by a random percentage between 0 and MaxJitterFraction. MaxJitterFrac must + // have a value between 0 and 1. Any other value may lead to expected behavior. + // With a MaxJitterFrac value of 0, default) will no jitter will be used. + // + // For example, with a Duration of 30m and a MaxJitterFrac of 0.1, the + // AssumeRole call will be made with an arbitrary Duration between 27m and + // 30m. + // + // MaxJitterFrac should not be negative. + MaxJitterFrac float64 +} + +// NewCredentials returns a pointer to a new Credentials value wrapping the +// AssumeRoleProvider. The credentials will expire every 15 minutes and the +// role will be named after a nanosecond timestamp of this operation. The +// Credentials value will attempt to refresh the credentials using the provider +// when Credentials.Get is called, if the cached credentials are expiring. +// +// Takes a Config provider to create the STS client. The ConfigProvider is +// satisfied by the session.Session type. +// +// It is safe to share the returned Credentials with multiple Sessions and +// service clients. All access to the credentials and refreshing them +// will be synchronized. +func NewCredentials(c client.ConfigProvider, roleARN string, options ...func(*AssumeRoleProvider)) *credentials.Credentials { + p := &AssumeRoleProvider{ + Client: sts.New(c), + RoleARN: roleARN, + Duration: DefaultDuration, + } + + for _, option := range options { + option(p) + } + + return credentials.NewCredentials(p) +} + +// NewCredentialsWithClient returns a pointer to a new Credentials value wrapping the +// AssumeRoleProvider. The credentials will expire every 15 minutes and the +// role will be named after a nanosecond timestamp of this operation. The +// Credentials value will attempt to refresh the credentials using the provider +// when Credentials.Get is called, if the cached credentials are expiring. +// +// Takes an AssumeRoler which can be satisfied by the STS client. +// +// It is safe to share the returned Credentials with multiple Sessions and +// service clients. All access to the credentials and refreshing them +// will be synchronized. +func NewCredentialsWithClient(svc AssumeRoler, roleARN string, options ...func(*AssumeRoleProvider)) *credentials.Credentials { + p := &AssumeRoleProvider{ + Client: svc, + RoleARN: roleARN, + Duration: DefaultDuration, + } + + for _, option := range options { + option(p) + } + + return credentials.NewCredentials(p) +} + +// Retrieve generates a new set of temporary credentials using STS. +func (p *AssumeRoleProvider) Retrieve() (credentials.Value, error) { + return p.RetrieveWithContext(aws.BackgroundContext()) +} + +// RetrieveWithContext generates a new set of temporary credentials using STS. +func (p *AssumeRoleProvider) RetrieveWithContext(ctx credentials.Context) (credentials.Value, error) { + // Apply defaults where parameters are not set. + if p.RoleSessionName == "" { + // Try to work out a role name that will hopefully end up unique. + p.RoleSessionName = fmt.Sprintf("%d", time.Now().UTC().UnixNano()) + } + if p.Duration == 0 { + // Expire as often as AWS permits. + p.Duration = DefaultDuration + } + jitter := time.Duration(sdkrand.SeededRand.Float64() * p.MaxJitterFrac * float64(p.Duration)) + input := &sts.AssumeRoleInput{ + DurationSeconds: aws.Int64(int64((p.Duration - jitter) / time.Second)), + RoleArn: aws.String(p.RoleARN), + RoleSessionName: aws.String(p.RoleSessionName), + ExternalId: p.ExternalID, + Tags: p.Tags, + PolicyArns: p.PolicyArns, + TransitiveTagKeys: p.TransitiveTagKeys, + } + if p.Policy != nil { + input.Policy = p.Policy + } + if p.SerialNumber != nil { + if p.TokenCode != nil { + input.SerialNumber = p.SerialNumber + input.TokenCode = p.TokenCode + } else if p.TokenProvider != nil { + input.SerialNumber = p.SerialNumber + code, err := p.TokenProvider() + if err != nil { + return credentials.Value{ProviderName: ProviderName}, err + } + input.TokenCode = aws.String(code) + } else { + return credentials.Value{ProviderName: ProviderName}, + awserr.New("AssumeRoleTokenNotAvailable", + "assume role with MFA enabled, but neither TokenCode nor TokenProvider are set", nil) + } + } + + var roleOutput *sts.AssumeRoleOutput + var err error + + if c, ok := p.Client.(assumeRolerWithContext); ok { + roleOutput, err = c.AssumeRoleWithContext(ctx, input) + } else { + roleOutput, err = p.Client.AssumeRole(input) + } + + if err != nil { + return credentials.Value{ProviderName: ProviderName}, err + } + + // We will proactively generate new credentials before they expire. + p.SetExpiration(*roleOutput.Credentials.Expiration, p.ExpiryWindow) + + return credentials.Value{ + AccessKeyID: *roleOutput.Credentials.AccessKeyId, + SecretAccessKey: *roleOutput.Credentials.SecretAccessKey, + SessionToken: *roleOutput.Credentials.SessionToken, + ProviderName: ProviderName, + }, nil +} diff --git a/vendor/github.com/aws/aws-sdk-go/aws/credentials/stscreds/web_identity_provider.go b/vendor/github.com/aws/aws-sdk-go/aws/credentials/stscreds/web_identity_provider.go new file mode 100644 index 000000000..cefe2a76d --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/aws/credentials/stscreds/web_identity_provider.go @@ -0,0 +1,154 @@ +package stscreds + +import ( + "fmt" + "io/ioutil" + "strconv" + "time" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/awserr" + "github.com/aws/aws-sdk-go/aws/client" + "github.com/aws/aws-sdk-go/aws/credentials" + "github.com/aws/aws-sdk-go/service/sts" + "github.com/aws/aws-sdk-go/service/sts/stsiface" +) + +const ( + // ErrCodeWebIdentity will be used as an error code when constructing + // a new error to be returned during session creation or retrieval. + ErrCodeWebIdentity = "WebIdentityErr" + + // WebIdentityProviderName is the web identity provider name + WebIdentityProviderName = "WebIdentityCredentials" +) + +// now is used to return a time.Time object representing +// the current time. This can be used to easily test and +// compare test values. +var now = time.Now + +// TokenFetcher shuold return WebIdentity token bytes or an error +type TokenFetcher interface { + FetchToken(credentials.Context) ([]byte, error) +} + +// FetchTokenPath is a path to a WebIdentity token file +type FetchTokenPath string + +// FetchToken returns a token by reading from the filesystem +func (f FetchTokenPath) FetchToken(ctx credentials.Context) ([]byte, error) { + data, err := ioutil.ReadFile(string(f)) + if err != nil { + errMsg := fmt.Sprintf("unable to read file at %s", f) + return nil, awserr.New(ErrCodeWebIdentity, errMsg, err) + } + return data, nil +} + +// WebIdentityRoleProvider is used to retrieve credentials using +// an OIDC token. +type WebIdentityRoleProvider struct { + credentials.Expiry + PolicyArns []*sts.PolicyDescriptorType + + // Duration the STS credentials will be valid for. Truncated to seconds. + // If unset, the assumed role will use AssumeRoleWithWebIdentity's default + // expiry duration. See + // https://docs.aws.amazon.com/sdk-for-go/api/service/sts/#STS.AssumeRoleWithWebIdentity + // for more information. + Duration time.Duration + + // The amount of time the credentials will be refreshed before they expire. + // This is useful refresh credentials before they expire to reduce risk of + // using credentials as they expire. If unset, will default to no expiry + // window. + ExpiryWindow time.Duration + + client stsiface.STSAPI + + tokenFetcher TokenFetcher + roleARN string + roleSessionName string +} + +// NewWebIdentityCredentials will return a new set of credentials with a given +// configuration, role arn, and token file path. +func NewWebIdentityCredentials(c client.ConfigProvider, roleARN, roleSessionName, path string) *credentials.Credentials { + svc := sts.New(c) + p := NewWebIdentityRoleProvider(svc, roleARN, roleSessionName, path) + return credentials.NewCredentials(p) +} + +// NewWebIdentityRoleProvider will return a new WebIdentityRoleProvider with the +// provided stsiface.STSAPI +func NewWebIdentityRoleProvider(svc stsiface.STSAPI, roleARN, roleSessionName, path string) *WebIdentityRoleProvider { + return NewWebIdentityRoleProviderWithToken(svc, roleARN, roleSessionName, FetchTokenPath(path)) +} + +// NewWebIdentityRoleProviderWithToken will return a new WebIdentityRoleProvider with the +// provided stsiface.STSAPI and a TokenFetcher +func NewWebIdentityRoleProviderWithToken(svc stsiface.STSAPI, roleARN, roleSessionName string, tokenFetcher TokenFetcher) *WebIdentityRoleProvider { + return &WebIdentityRoleProvider{ + client: svc, + tokenFetcher: tokenFetcher, + roleARN: roleARN, + roleSessionName: roleSessionName, + } +} + +// Retrieve will attempt to assume a role from a token which is located at +// 'WebIdentityTokenFilePath' specified destination and if that is empty an +// error will be returned. +func (p *WebIdentityRoleProvider) Retrieve() (credentials.Value, error) { + return p.RetrieveWithContext(aws.BackgroundContext()) +} + +// RetrieveWithContext will attempt to assume a role from a token which is located at +// 'WebIdentityTokenFilePath' specified destination and if that is empty an +// error will be returned. +func (p *WebIdentityRoleProvider) RetrieveWithContext(ctx credentials.Context) (credentials.Value, error) { + b, err := p.tokenFetcher.FetchToken(ctx) + if err != nil { + return credentials.Value{}, awserr.New(ErrCodeWebIdentity, "failed fetching WebIdentity token: ", err) + } + + sessionName := p.roleSessionName + if len(sessionName) == 0 { + // session name is used to uniquely identify a session. This simply + // uses unix time in nanoseconds to uniquely identify sessions. + sessionName = strconv.FormatInt(now().UnixNano(), 10) + } + + var duration *int64 + if p.Duration != 0 { + duration = aws.Int64(int64(p.Duration / time.Second)) + } + + req, resp := p.client.AssumeRoleWithWebIdentityRequest(&sts.AssumeRoleWithWebIdentityInput{ + PolicyArns: p.PolicyArns, + RoleArn: &p.roleARN, + RoleSessionName: &sessionName, + WebIdentityToken: aws.String(string(b)), + DurationSeconds: duration, + }) + + req.SetContext(ctx) + + // InvalidIdentityToken error is a temporary error that can occur + // when assuming an Role with a JWT web identity token. + req.RetryErrorCodes = append(req.RetryErrorCodes, sts.ErrCodeInvalidIdentityTokenException) + if err := req.Send(); err != nil { + return credentials.Value{}, awserr.New(ErrCodeWebIdentity, "failed to retrieve credentials", err) + } + + p.SetExpiration(aws.TimeValue(resp.Credentials.Expiration), p.ExpiryWindow) + + value := credentials.Value{ + AccessKeyID: aws.StringValue(resp.Credentials.AccessKeyId), + SecretAccessKey: aws.StringValue(resp.Credentials.SecretAccessKey), + SessionToken: aws.StringValue(resp.Credentials.SessionToken), + ProviderName: WebIdentityProviderName, + } + return value, nil +} diff --git a/vendor/github.com/aws/aws-sdk-go/aws/csm/doc.go b/vendor/github.com/aws/aws-sdk-go/aws/csm/doc.go new file mode 100644 index 000000000..25a66d1dd --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/aws/csm/doc.go @@ -0,0 +1,69 @@ +// Package csm provides the Client Side Monitoring (CSM) client which enables +// sending metrics via UDP connection to the CSM agent. This package provides +// control options, and configuration for the CSM client. The client can be +// controlled manually, or automatically via the SDK's Session configuration. +// +// Enabling CSM client via SDK's Session configuration +// +// The CSM client can be enabled automatically via SDK's Session configuration. +// The SDK's session configuration enables the CSM client if the AWS_CSM_PORT +// environment variable is set to a non-empty value. +// +// The configuration options for the CSM client via the SDK's session +// configuration are: +// +// * AWS_CSM_PORT= +// The port number the CSM agent will receive metrics on. +// +// * AWS_CSM_HOST= +// The hostname, or IP address the CSM agent will receive metrics on. +// Without port number. +// +// Manually enabling the CSM client +// +// The CSM client can be started, paused, and resumed manually. The Start +// function will enable the CSM client to publish metrics to the CSM agent. It +// is safe to call Start concurrently, but if Start is called additional times +// with different ClientID or address it will panic. +// +// r, err := csm.Start("clientID", ":31000") +// if err != nil { +// panic(fmt.Errorf("failed starting CSM: %v", err)) +// } +// +// When controlling the CSM client manually, you must also inject its request +// handlers into the SDK's Session configuration for the SDK's API clients to +// publish metrics. +// +// sess, err := session.NewSession(&aws.Config{}) +// if err != nil { +// panic(fmt.Errorf("failed loading session: %v", err)) +// } +// +// // Add CSM client's metric publishing request handlers to the SDK's +// // Session Configuration. +// r.InjectHandlers(&sess.Handlers) +// +// Controlling CSM client +// +// Once the CSM client has been enabled the Get function will return a Reporter +// value that you can use to pause and resume the metrics published to the CSM +// agent. If Get function is called before the reporter is enabled with the +// Start function or via SDK's Session configuration nil will be returned. +// +// The Pause method can be called to stop the CSM client publishing metrics to +// the CSM agent. The Continue method will resume metric publishing. +// +// // Get the CSM client Reporter. +// r := csm.Get() +// +// // Will pause monitoring +// r.Pause() +// resp, err = client.GetObject(&s3.GetObjectInput{ +// Bucket: aws.String("bucket"), +// Key: aws.String("key"), +// }) +// +// // Resume monitoring +// r.Continue() +package csm diff --git a/vendor/github.com/aws/aws-sdk-go/aws/csm/enable.go b/vendor/github.com/aws/aws-sdk-go/aws/csm/enable.go new file mode 100644 index 000000000..4b19e2800 --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/aws/csm/enable.go @@ -0,0 +1,89 @@ +package csm + +import ( + "fmt" + "strings" + "sync" +) + +var ( + lock sync.Mutex +) + +const ( + // DefaultPort is used when no port is specified. + DefaultPort = "31000" + + // DefaultHost is the host that will be used when none is specified. + DefaultHost = "127.0.0.1" +) + +// AddressWithDefaults returns a CSM address built from the host and port +// values. If the host or port is not set, default values will be used +// instead. If host is "localhost" it will be replaced with "127.0.0.1". +func AddressWithDefaults(host, port string) string { + if len(host) == 0 || strings.EqualFold(host, "localhost") { + host = DefaultHost + } + + if len(port) == 0 { + port = DefaultPort + } + + // Only IP6 host can contain a colon + if strings.Contains(host, ":") { + return "[" + host + "]:" + port + } + + return host + ":" + port +} + +// Start will start a long running go routine to capture +// client side metrics. Calling start multiple time will only +// start the metric listener once and will panic if a different +// client ID or port is passed in. +// +// r, err := csm.Start("clientID", "127.0.0.1:31000") +// if err != nil { +// panic(fmt.Errorf("expected no error, but received %v", err)) +// } +// sess := session.NewSession() +// r.InjectHandlers(sess.Handlers) +// +// svc := s3.New(sess) +// out, err := svc.GetObject(&s3.GetObjectInput{ +// Bucket: aws.String("bucket"), +// Key: aws.String("key"), +// }) +func Start(clientID string, url string) (*Reporter, error) { + lock.Lock() + defer lock.Unlock() + + if sender == nil { + sender = newReporter(clientID, url) + } else { + if sender.clientID != clientID { + panic(fmt.Errorf("inconsistent client IDs. %q was expected, but received %q", sender.clientID, clientID)) + } + + if sender.url != url { + panic(fmt.Errorf("inconsistent URLs. %q was expected, but received %q", sender.url, url)) + } + } + + if err := connect(url); err != nil { + sender = nil + return nil, err + } + + return sender, nil +} + +// Get will return a reporter if one exists, if one does not exist, nil will +// be returned. +func Get() *Reporter { + lock.Lock() + defer lock.Unlock() + + return sender +} diff --git a/vendor/github.com/aws/aws-sdk-go/aws/csm/metric.go b/vendor/github.com/aws/aws-sdk-go/aws/csm/metric.go new file mode 100644 index 000000000..5bacc791a --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/aws/csm/metric.go @@ -0,0 +1,109 @@ +package csm + +import ( + "strconv" + "time" + + "github.com/aws/aws-sdk-go/aws" +) + +type metricTime time.Time + +func (t metricTime) MarshalJSON() ([]byte, error) { + ns := time.Duration(time.Time(t).UnixNano()) + return []byte(strconv.FormatInt(int64(ns/time.Millisecond), 10)), nil +} + +type metric struct { + ClientID *string `json:"ClientId,omitempty"` + API *string `json:"Api,omitempty"` + Service *string `json:"Service,omitempty"` + Timestamp *metricTime `json:"Timestamp,omitempty"` + Type *string `json:"Type,omitempty"` + Version *int `json:"Version,omitempty"` + + AttemptCount *int `json:"AttemptCount,omitempty"` + Latency *int `json:"Latency,omitempty"` + + Fqdn *string `json:"Fqdn,omitempty"` + UserAgent *string `json:"UserAgent,omitempty"` + AttemptLatency *int `json:"AttemptLatency,omitempty"` + + SessionToken *string `json:"SessionToken,omitempty"` + Region *string `json:"Region,omitempty"` + AccessKey *string `json:"AccessKey,omitempty"` + HTTPStatusCode *int `json:"HttpStatusCode,omitempty"` + XAmzID2 *string `json:"XAmzId2,omitempty"` + XAmzRequestID *string `json:"XAmznRequestId,omitempty"` + + AWSException *string `json:"AwsException,omitempty"` + AWSExceptionMessage *string `json:"AwsExceptionMessage,omitempty"` + SDKException *string `json:"SdkException,omitempty"` + SDKExceptionMessage *string `json:"SdkExceptionMessage,omitempty"` + + FinalHTTPStatusCode *int `json:"FinalHttpStatusCode,omitempty"` + FinalAWSException *string `json:"FinalAwsException,omitempty"` + FinalAWSExceptionMessage *string `json:"FinalAwsExceptionMessage,omitempty"` + FinalSDKException *string `json:"FinalSdkException,omitempty"` + FinalSDKExceptionMessage *string `json:"FinalSdkExceptionMessage,omitempty"` + + DestinationIP *string `json:"DestinationIp,omitempty"` + ConnectionReused *int `json:"ConnectionReused,omitempty"` + + AcquireConnectionLatency *int `json:"AcquireConnectionLatency,omitempty"` + ConnectLatency *int `json:"ConnectLatency,omitempty"` + RequestLatency *int `json:"RequestLatency,omitempty"` + DNSLatency *int `json:"DnsLatency,omitempty"` + TCPLatency *int `json:"TcpLatency,omitempty"` + SSLLatency *int `json:"SslLatency,omitempty"` + + MaxRetriesExceeded *int `json:"MaxRetriesExceeded,omitempty"` +} + +func (m *metric) TruncateFields() { + m.ClientID = truncateString(m.ClientID, 255) + m.UserAgent = truncateString(m.UserAgent, 256) + + m.AWSException = truncateString(m.AWSException, 128) + m.AWSExceptionMessage = truncateString(m.AWSExceptionMessage, 512) + + m.SDKException = truncateString(m.SDKException, 128) + m.SDKExceptionMessage = truncateString(m.SDKExceptionMessage, 512) + + m.FinalAWSException = truncateString(m.FinalAWSException, 128) + m.FinalAWSExceptionMessage = truncateString(m.FinalAWSExceptionMessage, 512) + + m.FinalSDKException = truncateString(m.FinalSDKException, 128) + m.FinalSDKExceptionMessage = truncateString(m.FinalSDKExceptionMessage, 512) +} + +func truncateString(v *string, l int) *string { + if v != nil && len(*v) > l { + nv := (*v)[:l] + return &nv + } + + return v +} + +func (m *metric) SetException(e metricException) { + switch te := e.(type) { + case awsException: + m.AWSException = aws.String(te.exception) + m.AWSExceptionMessage = aws.String(te.message) + case sdkException: + m.SDKException = aws.String(te.exception) + m.SDKExceptionMessage = aws.String(te.message) + } +} + +func (m *metric) SetFinalException(e metricException) { + switch te := e.(type) { + case awsException: + m.FinalAWSException = aws.String(te.exception) + m.FinalAWSExceptionMessage = aws.String(te.message) + case sdkException: + m.FinalSDKException = aws.String(te.exception) + m.FinalSDKExceptionMessage = aws.String(te.message) + } +} diff --git a/vendor/github.com/aws/aws-sdk-go/aws/csm/metric_chan.go b/vendor/github.com/aws/aws-sdk-go/aws/csm/metric_chan.go new file mode 100644 index 000000000..82a3e345e --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/aws/csm/metric_chan.go @@ -0,0 +1,55 @@ +package csm + +import ( + "sync/atomic" +) + +const ( + runningEnum = iota + pausedEnum +) + +var ( + // MetricsChannelSize of metrics to hold in the channel + MetricsChannelSize = 100 +) + +type metricChan struct { + ch chan metric + paused *int64 +} + +func newMetricChan(size int) metricChan { + return metricChan{ + ch: make(chan metric, size), + paused: new(int64), + } +} + +func (ch *metricChan) Pause() { + atomic.StoreInt64(ch.paused, pausedEnum) +} + +func (ch *metricChan) Continue() { + atomic.StoreInt64(ch.paused, runningEnum) +} + +func (ch *metricChan) IsPaused() bool { + v := atomic.LoadInt64(ch.paused) + return v == pausedEnum +} + +// Push will push metrics to the metric channel if the channel +// is not paused +func (ch *metricChan) Push(m metric) bool { + if ch.IsPaused() { + return false + } + + select { + case ch.ch <- m: + return true + default: + return false + } +} diff --git a/vendor/github.com/aws/aws-sdk-go/aws/csm/metric_exception.go b/vendor/github.com/aws/aws-sdk-go/aws/csm/metric_exception.go new file mode 100644 index 000000000..54a99280c --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/aws/csm/metric_exception.go @@ -0,0 +1,26 @@ +package csm + +type metricException interface { + Exception() string + Message() string +} + +type requestException struct { + exception string + message string +} + +func (e requestException) Exception() string { + return e.exception +} +func (e requestException) Message() string { + return e.message +} + +type awsException struct { + requestException +} + +type sdkException struct { + requestException +} diff --git a/vendor/github.com/aws/aws-sdk-go/aws/csm/reporter.go b/vendor/github.com/aws/aws-sdk-go/aws/csm/reporter.go new file mode 100644 index 000000000..835bcd49c --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/aws/csm/reporter.go @@ -0,0 +1,264 @@ +package csm + +import ( + "encoding/json" + "net" + "time" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/awserr" + "github.com/aws/aws-sdk-go/aws/request" +) + +// Reporter will gather metrics of API requests made and +// send those metrics to the CSM endpoint. +type Reporter struct { + clientID string + url string + conn net.Conn + metricsCh metricChan + done chan struct{} +} + +var ( + sender *Reporter +) + +func connect(url string) error { + const network = "udp" + if err := sender.connect(network, url); err != nil { + return err + } + + if sender.done == nil { + sender.done = make(chan struct{}) + go sender.start() + } + + return nil +} + +func newReporter(clientID, url string) *Reporter { + return &Reporter{ + clientID: clientID, + url: url, + metricsCh: newMetricChan(MetricsChannelSize), + } +} + +func (rep *Reporter) sendAPICallAttemptMetric(r *request.Request) { + if rep == nil { + return + } + + now := time.Now() + creds, _ := r.Config.Credentials.Get() + + m := metric{ + ClientID: aws.String(rep.clientID), + API: aws.String(r.Operation.Name), + Service: aws.String(r.ClientInfo.ServiceID), + Timestamp: (*metricTime)(&now), + UserAgent: aws.String(r.HTTPRequest.Header.Get("User-Agent")), + Region: r.Config.Region, + Type: aws.String("ApiCallAttempt"), + Version: aws.Int(1), + + XAmzRequestID: aws.String(r.RequestID), + + AttemptLatency: aws.Int(int(now.Sub(r.AttemptTime).Nanoseconds() / int64(time.Millisecond))), + AccessKey: aws.String(creds.AccessKeyID), + } + + if r.HTTPResponse != nil { + m.HTTPStatusCode = aws.Int(r.HTTPResponse.StatusCode) + } + + if r.Error != nil { + if awserr, ok := r.Error.(awserr.Error); ok { + m.SetException(getMetricException(awserr)) + } + } + + m.TruncateFields() + rep.metricsCh.Push(m) +} + +func getMetricException(err awserr.Error) metricException { + msg := err.Error() + code := err.Code() + + switch code { + case request.ErrCodeRequestError, + request.ErrCodeSerialization, + request.CanceledErrorCode: + return sdkException{ + requestException{exception: code, message: msg}, + } + default: + return awsException{ + requestException{exception: code, message: msg}, + } + } +} + +func (rep *Reporter) sendAPICallMetric(r *request.Request) { + if rep == nil { + return + } + + now := time.Now() + m := metric{ + ClientID: aws.String(rep.clientID), + API: aws.String(r.Operation.Name), + Service: aws.String(r.ClientInfo.ServiceID), + Timestamp: (*metricTime)(&now), + UserAgent: aws.String(r.HTTPRequest.Header.Get("User-Agent")), + Type: aws.String("ApiCall"), + AttemptCount: aws.Int(r.RetryCount + 1), + Region: r.Config.Region, + Latency: aws.Int(int(time.Since(r.Time) / time.Millisecond)), + XAmzRequestID: aws.String(r.RequestID), + MaxRetriesExceeded: aws.Int(boolIntValue(r.RetryCount >= r.MaxRetries())), + } + + if r.HTTPResponse != nil { + m.FinalHTTPStatusCode = aws.Int(r.HTTPResponse.StatusCode) + } + + if r.Error != nil { + if awserr, ok := r.Error.(awserr.Error); ok { + m.SetFinalException(getMetricException(awserr)) + } + } + + m.TruncateFields() + + // TODO: Probably want to figure something out for logging dropped + // metrics + rep.metricsCh.Push(m) +} + +func (rep *Reporter) connect(network, url string) error { + if rep.conn != nil { + rep.conn.Close() + } + + conn, err := net.Dial(network, url) + if err != nil { + return awserr.New("UDPError", "Could not connect", err) + } + + rep.conn = conn + + return nil +} + +func (rep *Reporter) close() { + if rep.done != nil { + close(rep.done) + } + + rep.metricsCh.Pause() +} + +func (rep *Reporter) start() { + defer func() { + rep.metricsCh.Pause() + }() + + for { + select { + case <-rep.done: + rep.done = nil + return + case m := <-rep.metricsCh.ch: + // TODO: What to do with this error? Probably should just log + b, err := json.Marshal(m) + if err != nil { + continue + } + + rep.conn.Write(b) + } + } +} + +// Pause will pause the metric channel preventing any new metrics from being +// added. It is safe to call concurrently with other calls to Pause, but if +// called concurently with Continue can lead to unexpected state. +func (rep *Reporter) Pause() { + lock.Lock() + defer lock.Unlock() + + if rep == nil { + return + } + + rep.close() +} + +// Continue will reopen the metric channel and allow for monitoring to be +// resumed. It is safe to call concurrently with other calls to Continue, but +// if called concurently with Pause can lead to unexpected state. +func (rep *Reporter) Continue() { + lock.Lock() + defer lock.Unlock() + if rep == nil { + return + } + + if !rep.metricsCh.IsPaused() { + return + } + + rep.metricsCh.Continue() +} + +// Client side metric handler names +const ( + APICallMetricHandlerName = "awscsm.SendAPICallMetric" + APICallAttemptMetricHandlerName = "awscsm.SendAPICallAttemptMetric" +) + +// InjectHandlers will will enable client side metrics and inject the proper +// handlers to handle how metrics are sent. +// +// InjectHandlers is NOT safe to call concurrently. Calling InjectHandlers +// multiple times may lead to unexpected behavior, (e.g. duplicate metrics). +// +// // Start must be called in order to inject the correct handlers +// r, err := csm.Start("clientID", "127.0.0.1:8094") +// if err != nil { +// panic(fmt.Errorf("expected no error, but received %v", err)) +// } +// +// sess := session.NewSession() +// r.InjectHandlers(&sess.Handlers) +// +// // create a new service client with our client side metric session +// svc := s3.New(sess) +func (rep *Reporter) InjectHandlers(handlers *request.Handlers) { + if rep == nil { + return + } + + handlers.Complete.PushFrontNamed(request.NamedHandler{ + Name: APICallMetricHandlerName, + Fn: rep.sendAPICallMetric, + }) + + handlers.CompleteAttempt.PushFrontNamed(request.NamedHandler{ + Name: APICallAttemptMetricHandlerName, + Fn: rep.sendAPICallAttemptMetric, + }) +} + +// boolIntValue return 1 for true and 0 for false. +func boolIntValue(b bool) int { + if b { + return 1 + } + + return 0 +} diff --git a/vendor/github.com/aws/aws-sdk-go/aws/defaults/defaults.go b/vendor/github.com/aws/aws-sdk-go/aws/defaults/defaults.go new file mode 100644 index 000000000..23bb639e0 --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/aws/defaults/defaults.go @@ -0,0 +1,207 @@ +// Package defaults is a collection of helpers to retrieve the SDK's default +// configuration and handlers. +// +// Generally this package shouldn't be used directly, but session.Session +// instead. This package is useful when you need to reset the defaults +// of a session or service client to the SDK defaults before setting +// additional parameters. +package defaults + +import ( + "fmt" + "net" + "net/http" + "net/url" + "os" + "time" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/awserr" + "github.com/aws/aws-sdk-go/aws/corehandlers" + "github.com/aws/aws-sdk-go/aws/credentials" + "github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds" + "github.com/aws/aws-sdk-go/aws/credentials/endpointcreds" + "github.com/aws/aws-sdk-go/aws/ec2metadata" + "github.com/aws/aws-sdk-go/aws/endpoints" + "github.com/aws/aws-sdk-go/aws/request" + "github.com/aws/aws-sdk-go/internal/shareddefaults" +) + +// A Defaults provides a collection of default values for SDK clients. +type Defaults struct { + Config *aws.Config + Handlers request.Handlers +} + +// Get returns the SDK's default values with Config and handlers pre-configured. +func Get() Defaults { + cfg := Config() + handlers := Handlers() + cfg.Credentials = CredChain(cfg, handlers) + + return Defaults{ + Config: cfg, + Handlers: handlers, + } +} + +// Config returns the default configuration without credentials. +// To retrieve a config with credentials also included use +// `defaults.Get().Config` instead. +// +// Generally you shouldn't need to use this method directly, but +// is available if you need to reset the configuration of an +// existing service client or session. +func Config() *aws.Config { + return aws.NewConfig(). + WithCredentials(credentials.AnonymousCredentials). + WithRegion(os.Getenv("AWS_REGION")). + WithHTTPClient(http.DefaultClient). + WithMaxRetries(aws.UseServiceDefaultRetries). + WithLogger(aws.NewDefaultLogger()). + WithLogLevel(aws.LogOff). + WithEndpointResolver(endpoints.DefaultResolver()) +} + +// Handlers returns the default request handlers. +// +// Generally you shouldn't need to use this method directly, but +// is available if you need to reset the request handlers of an +// existing service client or session. +func Handlers() request.Handlers { + var handlers request.Handlers + + handlers.Validate.PushBackNamed(corehandlers.ValidateEndpointHandler) + handlers.Validate.AfterEachFn = request.HandlerListStopOnError + handlers.Build.PushBackNamed(corehandlers.SDKVersionUserAgentHandler) + handlers.Build.PushBackNamed(corehandlers.AddHostExecEnvUserAgentHander) + handlers.Build.AfterEachFn = request.HandlerListStopOnError + handlers.Sign.PushBackNamed(corehandlers.BuildContentLengthHandler) + handlers.Send.PushBackNamed(corehandlers.ValidateReqSigHandler) + handlers.Send.PushBackNamed(corehandlers.SendHandler) + handlers.AfterRetry.PushBackNamed(corehandlers.AfterRetryHandler) + handlers.ValidateResponse.PushBackNamed(corehandlers.ValidateResponseHandler) + + return handlers +} + +// CredChain returns the default credential chain. +// +// Generally you shouldn't need to use this method directly, but +// is available if you need to reset the credentials of an +// existing service client or session's Config. +func CredChain(cfg *aws.Config, handlers request.Handlers) *credentials.Credentials { + return credentials.NewCredentials(&credentials.ChainProvider{ + VerboseErrors: aws.BoolValue(cfg.CredentialsChainVerboseErrors), + Providers: CredProviders(cfg, handlers), + }) +} + +// CredProviders returns the slice of providers used in +// the default credential chain. +// +// For applications that need to use some other provider (for example use +// different environment variables for legacy reasons) but still fall back +// on the default chain of providers. This allows that default chaint to be +// automatically updated +func CredProviders(cfg *aws.Config, handlers request.Handlers) []credentials.Provider { + return []credentials.Provider{ + &credentials.EnvProvider{}, + &credentials.SharedCredentialsProvider{Filename: "", Profile: ""}, + RemoteCredProvider(*cfg, handlers), + } +} + +const ( + httpProviderAuthorizationEnvVar = "AWS_CONTAINER_AUTHORIZATION_TOKEN" + httpProviderEnvVar = "AWS_CONTAINER_CREDENTIALS_FULL_URI" +) + +// RemoteCredProvider returns a credentials provider for the default remote +// endpoints such as EC2 or ECS Roles. +func RemoteCredProvider(cfg aws.Config, handlers request.Handlers) credentials.Provider { + if u := os.Getenv(httpProviderEnvVar); len(u) > 0 { + return localHTTPCredProvider(cfg, handlers, u) + } + + if uri := os.Getenv(shareddefaults.ECSCredsProviderEnvVar); len(uri) > 0 { + u := fmt.Sprintf("%s%s", shareddefaults.ECSContainerCredentialsURI, uri) + return httpCredProvider(cfg, handlers, u) + } + + return ec2RoleProvider(cfg, handlers) +} + +var lookupHostFn = net.LookupHost + +func isLoopbackHost(host string) (bool, error) { + ip := net.ParseIP(host) + if ip != nil { + return ip.IsLoopback(), nil + } + + // Host is not an ip, perform lookup + addrs, err := lookupHostFn(host) + if err != nil { + return false, err + } + for _, addr := range addrs { + if !net.ParseIP(addr).IsLoopback() { + return false, nil + } + } + + return true, nil +} + +func localHTTPCredProvider(cfg aws.Config, handlers request.Handlers, u string) credentials.Provider { + var errMsg string + + parsed, err := url.Parse(u) + if err != nil { + errMsg = fmt.Sprintf("invalid URL, %v", err) + } else { + host := aws.URLHostname(parsed) + if len(host) == 0 { + errMsg = "unable to parse host from local HTTP cred provider URL" + } else if isLoopback, loopbackErr := isLoopbackHost(host); loopbackErr != nil { + errMsg = fmt.Sprintf("failed to resolve host %q, %v", host, loopbackErr) + } else if !isLoopback { + errMsg = fmt.Sprintf("invalid endpoint host, %q, only loopback hosts are allowed.", host) + } + } + + if len(errMsg) > 0 { + if cfg.Logger != nil { + cfg.Logger.Log("Ignoring, HTTP credential provider", errMsg, err) + } + return credentials.ErrorProvider{ + Err: awserr.New("CredentialsEndpointError", errMsg, err), + ProviderName: endpointcreds.ProviderName, + } + } + + return httpCredProvider(cfg, handlers, u) +} + +func httpCredProvider(cfg aws.Config, handlers request.Handlers, u string) credentials.Provider { + return endpointcreds.NewProviderClient(cfg, handlers, u, + func(p *endpointcreds.Provider) { + p.ExpiryWindow = 5 * time.Minute + p.AuthorizationToken = os.Getenv(httpProviderAuthorizationEnvVar) + }, + ) +} + +func ec2RoleProvider(cfg aws.Config, handlers request.Handlers) credentials.Provider { + resolver := cfg.EndpointResolver + if resolver == nil { + resolver = endpoints.DefaultResolver() + } + + e, _ := resolver.EndpointFor(endpoints.Ec2metadataServiceID, "") + return &ec2rolecreds.EC2RoleProvider{ + Client: ec2metadata.NewClient(cfg, handlers, e.URL, e.SigningRegion), + ExpiryWindow: 5 * time.Minute, + } +} diff --git a/vendor/github.com/aws/aws-sdk-go/aws/defaults/shared_config.go b/vendor/github.com/aws/aws-sdk-go/aws/defaults/shared_config.go new file mode 100644 index 000000000..ca0ee1dcc --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/aws/defaults/shared_config.go @@ -0,0 +1,27 @@ +package defaults + +import ( + "github.com/aws/aws-sdk-go/internal/shareddefaults" +) + +// SharedCredentialsFilename returns the SDK's default file path +// for the shared credentials file. +// +// Builds the shared config file path based on the OS's platform. +// +// - Linux/Unix: $HOME/.aws/credentials +// - Windows: %USERPROFILE%\.aws\credentials +func SharedCredentialsFilename() string { + return shareddefaults.SharedCredentialsFilename() +} + +// SharedConfigFilename returns the SDK's default file path for +// the shared config file. +// +// Builds the shared config file path based on the OS's platform. +// +// - Linux/Unix: $HOME/.aws/config +// - Windows: %USERPROFILE%\.aws\config +func SharedConfigFilename() string { + return shareddefaults.SharedConfigFilename() +} diff --git a/vendor/github.com/aws/aws-sdk-go/aws/ec2metadata/api.go b/vendor/github.com/aws/aws-sdk-go/aws/ec2metadata/api.go new file mode 100644 index 000000000..69fa63dc0 --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/aws/ec2metadata/api.go @@ -0,0 +1,250 @@ +package ec2metadata + +import ( + "encoding/json" + "fmt" + "net/http" + "strconv" + "strings" + "time" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/awserr" + "github.com/aws/aws-sdk-go/aws/request" + "github.com/aws/aws-sdk-go/internal/sdkuri" +) + +// getToken uses the duration to return a token for EC2 metadata service, +// or an error if the request failed. +func (c *EC2Metadata) getToken(ctx aws.Context, duration time.Duration) (tokenOutput, error) { + op := &request.Operation{ + Name: "GetToken", + HTTPMethod: "PUT", + HTTPPath: "/latest/api/token", + } + + var output tokenOutput + req := c.NewRequest(op, nil, &output) + req.SetContext(ctx) + + // remove the fetch token handler from the request handlers to avoid infinite recursion + req.Handlers.Sign.RemoveByName(fetchTokenHandlerName) + + // Swap the unmarshalMetadataHandler with unmarshalTokenHandler on this request. + req.Handlers.Unmarshal.Swap(unmarshalMetadataHandlerName, unmarshalTokenHandler) + + ttl := strconv.FormatInt(int64(duration/time.Second), 10) + req.HTTPRequest.Header.Set(ttlHeader, ttl) + + err := req.Send() + + // Errors with bad request status should be returned. + if err != nil { + err = awserr.NewRequestFailure( + awserr.New(req.HTTPResponse.Status, http.StatusText(req.HTTPResponse.StatusCode), err), + req.HTTPResponse.StatusCode, req.RequestID) + } + + return output, err +} + +// GetMetadata uses the path provided to request information from the EC2 +// instance metadata service. The content will be returned as a string, or +// error if the request failed. +func (c *EC2Metadata) GetMetadata(p string) (string, error) { + return c.GetMetadataWithContext(aws.BackgroundContext(), p) +} + +// GetMetadataWithContext uses the path provided to request information from the EC2 +// instance metadata service. The content will be returned as a string, or +// error if the request failed. +func (c *EC2Metadata) GetMetadataWithContext(ctx aws.Context, p string) (string, error) { + op := &request.Operation{ + Name: "GetMetadata", + HTTPMethod: "GET", + HTTPPath: sdkuri.PathJoin("/latest/meta-data", p), + } + output := &metadataOutput{} + + req := c.NewRequest(op, nil, output) + + req.SetContext(ctx) + + err := req.Send() + return output.Content, err +} + +// GetUserData returns the userdata that was configured for the service. If +// there is no user-data setup for the EC2 instance a "NotFoundError" error +// code will be returned. +func (c *EC2Metadata) GetUserData() (string, error) { + return c.GetUserDataWithContext(aws.BackgroundContext()) +} + +// GetUserDataWithContext returns the userdata that was configured for the service. If +// there is no user-data setup for the EC2 instance a "NotFoundError" error +// code will be returned. +func (c *EC2Metadata) GetUserDataWithContext(ctx aws.Context) (string, error) { + op := &request.Operation{ + Name: "GetUserData", + HTTPMethod: "GET", + HTTPPath: "/latest/user-data", + } + + output := &metadataOutput{} + req := c.NewRequest(op, nil, output) + req.SetContext(ctx) + + err := req.Send() + return output.Content, err +} + +// GetDynamicData uses the path provided to request information from the EC2 +// instance metadata service for dynamic data. The content will be returned +// as a string, or error if the request failed. +func (c *EC2Metadata) GetDynamicData(p string) (string, error) { + return c.GetDynamicDataWithContext(aws.BackgroundContext(), p) +} + +// GetDynamicDataWithContext uses the path provided to request information from the EC2 +// instance metadata service for dynamic data. The content will be returned +// as a string, or error if the request failed. +func (c *EC2Metadata) GetDynamicDataWithContext(ctx aws.Context, p string) (string, error) { + op := &request.Operation{ + Name: "GetDynamicData", + HTTPMethod: "GET", + HTTPPath: sdkuri.PathJoin("/latest/dynamic", p), + } + + output := &metadataOutput{} + req := c.NewRequest(op, nil, output) + req.SetContext(ctx) + + err := req.Send() + return output.Content, err +} + +// GetInstanceIdentityDocument retrieves an identity document describing an +// instance. Error is returned if the request fails or is unable to parse +// the response. +func (c *EC2Metadata) GetInstanceIdentityDocument() (EC2InstanceIdentityDocument, error) { + return c.GetInstanceIdentityDocumentWithContext(aws.BackgroundContext()) +} + +// GetInstanceIdentityDocumentWithContext retrieves an identity document describing an +// instance. Error is returned if the request fails or is unable to parse +// the response. +func (c *EC2Metadata) GetInstanceIdentityDocumentWithContext(ctx aws.Context) (EC2InstanceIdentityDocument, error) { + resp, err := c.GetDynamicDataWithContext(ctx, "instance-identity/document") + if err != nil { + return EC2InstanceIdentityDocument{}, + awserr.New("EC2MetadataRequestError", + "failed to get EC2 instance identity document", err) + } + + doc := EC2InstanceIdentityDocument{} + if err := json.NewDecoder(strings.NewReader(resp)).Decode(&doc); err != nil { + return EC2InstanceIdentityDocument{}, + awserr.New(request.ErrCodeSerialization, + "failed to decode EC2 instance identity document", err) + } + + return doc, nil +} + +// IAMInfo retrieves IAM info from the metadata API +func (c *EC2Metadata) IAMInfo() (EC2IAMInfo, error) { + return c.IAMInfoWithContext(aws.BackgroundContext()) +} + +// IAMInfoWithContext retrieves IAM info from the metadata API +func (c *EC2Metadata) IAMInfoWithContext(ctx aws.Context) (EC2IAMInfo, error) { + resp, err := c.GetMetadataWithContext(ctx, "iam/info") + if err != nil { + return EC2IAMInfo{}, + awserr.New("EC2MetadataRequestError", + "failed to get EC2 IAM info", err) + } + + info := EC2IAMInfo{} + if err := json.NewDecoder(strings.NewReader(resp)).Decode(&info); err != nil { + return EC2IAMInfo{}, + awserr.New(request.ErrCodeSerialization, + "failed to decode EC2 IAM info", err) + } + + if info.Code != "Success" { + errMsg := fmt.Sprintf("failed to get EC2 IAM Info (%s)", info.Code) + return EC2IAMInfo{}, + awserr.New("EC2MetadataError", errMsg, nil) + } + + return info, nil +} + +// Region returns the region the instance is running in. +func (c *EC2Metadata) Region() (string, error) { + return c.RegionWithContext(aws.BackgroundContext()) +} + +// RegionWithContext returns the region the instance is running in. +func (c *EC2Metadata) RegionWithContext(ctx aws.Context) (string, error) { + ec2InstanceIdentityDocument, err := c.GetInstanceIdentityDocumentWithContext(ctx) + if err != nil { + return "", err + } + // extract region from the ec2InstanceIdentityDocument + region := ec2InstanceIdentityDocument.Region + if len(region) == 0 { + return "", awserr.New("EC2MetadataError", "invalid region received for ec2metadata instance", nil) + } + // returns region + return region, nil +} + +// Available returns if the application has access to the EC2 Metadata service. +// Can be used to determine if application is running within an EC2 Instance and +// the metadata service is available. +func (c *EC2Metadata) Available() bool { + return c.AvailableWithContext(aws.BackgroundContext()) +} + +// AvailableWithContext returns if the application has access to the EC2 Metadata service. +// Can be used to determine if application is running within an EC2 Instance and +// the metadata service is available. +func (c *EC2Metadata) AvailableWithContext(ctx aws.Context) bool { + if _, err := c.GetMetadataWithContext(ctx, "instance-id"); err != nil { + return false + } + + return true +} + +// An EC2IAMInfo provides the shape for unmarshaling +// an IAM info from the metadata API +type EC2IAMInfo struct { + Code string + LastUpdated time.Time + InstanceProfileArn string + InstanceProfileID string +} + +// An EC2InstanceIdentityDocument provides the shape for unmarshaling +// an instance identity document +type EC2InstanceIdentityDocument struct { + DevpayProductCodes []string `json:"devpayProductCodes"` + MarketplaceProductCodes []string `json:"marketplaceProductCodes"` + AvailabilityZone string `json:"availabilityZone"` + PrivateIP string `json:"privateIp"` + Version string `json:"version"` + Region string `json:"region"` + InstanceID string `json:"instanceId"` + BillingProducts []string `json:"billingProducts"` + InstanceType string `json:"instanceType"` + AccountID string `json:"accountId"` + PendingTime time.Time `json:"pendingTime"` + ImageID string `json:"imageId"` + KernelID string `json:"kernelId"` + RamdiskID string `json:"ramdiskId"` + Architecture string `json:"architecture"` +} diff --git a/vendor/github.com/aws/aws-sdk-go/aws/ec2metadata/service.go b/vendor/github.com/aws/aws-sdk-go/aws/ec2metadata/service.go new file mode 100644 index 000000000..8f35b3464 --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/aws/ec2metadata/service.go @@ -0,0 +1,245 @@ +// Package ec2metadata provides the client for making API calls to the +// EC2 Metadata service. +// +// This package's client can be disabled completely by setting the environment +// variable "AWS_EC2_METADATA_DISABLED=true". This environment variable set to +// true instructs the SDK to disable the EC2 Metadata client. The client cannot +// be used while the environment variable is set to true, (case insensitive). +// +// The endpoint of the EC2 IMDS client can be configured via the environment +// variable, AWS_EC2_METADATA_SERVICE_ENDPOINT when creating the client with a +// Session. See aws/session#Options.EC2IMDSEndpoint for more details. +package ec2metadata + +import ( + "bytes" + "errors" + "io" + "net/http" + "net/url" + "os" + "strconv" + "strings" + "time" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/awserr" + "github.com/aws/aws-sdk-go/aws/client" + "github.com/aws/aws-sdk-go/aws/client/metadata" + "github.com/aws/aws-sdk-go/aws/corehandlers" + "github.com/aws/aws-sdk-go/aws/request" +) + +const ( + // ServiceName is the name of the service. + ServiceName = "ec2metadata" + disableServiceEnvVar = "AWS_EC2_METADATA_DISABLED" + + // Headers for Token and TTL + ttlHeader = "x-aws-ec2-metadata-token-ttl-seconds" + tokenHeader = "x-aws-ec2-metadata-token" + + // Named Handler constants + fetchTokenHandlerName = "FetchTokenHandler" + unmarshalMetadataHandlerName = "unmarshalMetadataHandler" + unmarshalTokenHandlerName = "unmarshalTokenHandler" + enableTokenProviderHandlerName = "enableTokenProviderHandler" + + // TTL constants + defaultTTL = 21600 * time.Second + ttlExpirationWindow = 30 * time.Second +) + +// A EC2Metadata is an EC2 Metadata service Client. +type EC2Metadata struct { + *client.Client +} + +// New creates a new instance of the EC2Metadata client with a session. +// This client is safe to use across multiple goroutines. +// +// +// Example: +// // Create a EC2Metadata client from just a session. +// svc := ec2metadata.New(mySession) +// +// // Create a EC2Metadata client with additional configuration +// svc := ec2metadata.New(mySession, aws.NewConfig().WithLogLevel(aws.LogDebugHTTPBody)) +func New(p client.ConfigProvider, cfgs ...*aws.Config) *EC2Metadata { + c := p.ClientConfig(ServiceName, cfgs...) + return NewClient(*c.Config, c.Handlers, c.Endpoint, c.SigningRegion) +} + +// NewClient returns a new EC2Metadata client. Should be used to create +// a client when not using a session. Generally using just New with a session +// is preferred. +// +// Will remove the URL path from the endpoint provided to ensure the EC2 IMDS +// client is able to communicate with the EC2 IMDS API. +// +// If an unmodified HTTP client is provided from the stdlib default, or no client +// the EC2RoleProvider's EC2Metadata HTTP client's timeout will be shortened. +// To disable this set Config.EC2MetadataDisableTimeoutOverride to false. Enabled by default. +func NewClient(cfg aws.Config, handlers request.Handlers, endpoint, signingRegion string, opts ...func(*client.Client)) *EC2Metadata { + if !aws.BoolValue(cfg.EC2MetadataDisableTimeoutOverride) && httpClientZero(cfg.HTTPClient) { + // If the http client is unmodified and this feature is not disabled + // set custom timeouts for EC2Metadata requests. + cfg.HTTPClient = &http.Client{ + // use a shorter timeout than default because the metadata + // service is local if it is running, and to fail faster + // if not running on an ec2 instance. + Timeout: 1 * time.Second, + } + // max number of retries on the client operation + cfg.MaxRetries = aws.Int(2) + } + + if u, err := url.Parse(endpoint); err == nil { + // Remove path from the endpoint since it will be added by requests. + // This is an artifact of the SDK adding `/latest` to the endpoint for + // EC2 IMDS, but this is now moved to the operation definition. + u.Path = "" + u.RawPath = "" + endpoint = u.String() + } + + svc := &EC2Metadata{ + Client: client.New( + cfg, + metadata.ClientInfo{ + ServiceName: ServiceName, + ServiceID: ServiceName, + Endpoint: endpoint, + APIVersion: "latest", + }, + handlers, + ), + } + + // token provider instance + tp := newTokenProvider(svc, defaultTTL) + + // NamedHandler for fetching token + svc.Handlers.Sign.PushBackNamed(request.NamedHandler{ + Name: fetchTokenHandlerName, + Fn: tp.fetchTokenHandler, + }) + // NamedHandler for enabling token provider + svc.Handlers.Complete.PushBackNamed(request.NamedHandler{ + Name: enableTokenProviderHandlerName, + Fn: tp.enableTokenProviderHandler, + }) + + svc.Handlers.Unmarshal.PushBackNamed(unmarshalHandler) + svc.Handlers.UnmarshalError.PushBack(unmarshalError) + svc.Handlers.Validate.Clear() + svc.Handlers.Validate.PushBack(validateEndpointHandler) + + // Disable the EC2 Metadata service if the environment variable is set. + // This short-circuits the service's functionality to always fail to send + // requests. + if strings.ToLower(os.Getenv(disableServiceEnvVar)) == "true" { + svc.Handlers.Send.SwapNamed(request.NamedHandler{ + Name: corehandlers.SendHandler.Name, + Fn: func(r *request.Request) { + r.HTTPResponse = &http.Response{ + Header: http.Header{}, + } + r.Error = awserr.New( + request.CanceledErrorCode, + "EC2 IMDS access disabled via "+disableServiceEnvVar+" env var", + nil) + }, + }) + } + + // Add additional options to the service config + for _, option := range opts { + option(svc.Client) + } + return svc +} + +func httpClientZero(c *http.Client) bool { + return c == nil || (c.Transport == nil && c.CheckRedirect == nil && c.Jar == nil && c.Timeout == 0) +} + +type metadataOutput struct { + Content string +} + +type tokenOutput struct { + Token string + TTL time.Duration +} + +// unmarshal token handler is used to parse the response of a getToken operation +var unmarshalTokenHandler = request.NamedHandler{ + Name: unmarshalTokenHandlerName, + Fn: func(r *request.Request) { + defer r.HTTPResponse.Body.Close() + var b bytes.Buffer + if _, err := io.Copy(&b, r.HTTPResponse.Body); err != nil { + r.Error = awserr.NewRequestFailure(awserr.New(request.ErrCodeSerialization, + "unable to unmarshal EC2 metadata response", err), r.HTTPResponse.StatusCode, r.RequestID) + return + } + + v := r.HTTPResponse.Header.Get(ttlHeader) + data, ok := r.Data.(*tokenOutput) + if !ok { + return + } + + data.Token = b.String() + // TTL is in seconds + i, err := strconv.ParseInt(v, 10, 64) + if err != nil { + r.Error = awserr.NewRequestFailure(awserr.New(request.ParamFormatErrCode, + "unable to parse EC2 token TTL response", err), r.HTTPResponse.StatusCode, r.RequestID) + return + } + t := time.Duration(i) * time.Second + data.TTL = t + }, +} + +var unmarshalHandler = request.NamedHandler{ + Name: unmarshalMetadataHandlerName, + Fn: func(r *request.Request) { + defer r.HTTPResponse.Body.Close() + var b bytes.Buffer + if _, err := io.Copy(&b, r.HTTPResponse.Body); err != nil { + r.Error = awserr.NewRequestFailure(awserr.New(request.ErrCodeSerialization, + "unable to unmarshal EC2 metadata response", err), r.HTTPResponse.StatusCode, r.RequestID) + return + } + + if data, ok := r.Data.(*metadataOutput); ok { + data.Content = b.String() + } + }, +} + +func unmarshalError(r *request.Request) { + defer r.HTTPResponse.Body.Close() + var b bytes.Buffer + + if _, err := io.Copy(&b, r.HTTPResponse.Body); err != nil { + r.Error = awserr.NewRequestFailure( + awserr.New(request.ErrCodeSerialization, "unable to unmarshal EC2 metadata error response", err), + r.HTTPResponse.StatusCode, r.RequestID) + return + } + + // Response body format is not consistent between metadata endpoints. + // Grab the error message as a string and include that as the source error + r.Error = awserr.NewRequestFailure(awserr.New("EC2MetadataError", "failed to make EC2Metadata request", errors.New(b.String())), + r.HTTPResponse.StatusCode, r.RequestID) +} + +func validateEndpointHandler(r *request.Request) { + if r.ClientInfo.Endpoint == "" { + r.Error = aws.ErrMissingEndpoint + } +} diff --git a/vendor/github.com/aws/aws-sdk-go/aws/ec2metadata/token_provider.go b/vendor/github.com/aws/aws-sdk-go/aws/ec2metadata/token_provider.go new file mode 100644 index 000000000..4b29f190b --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/aws/ec2metadata/token_provider.go @@ -0,0 +1,93 @@ +package ec2metadata + +import ( + "net/http" + "sync/atomic" + "time" + + "github.com/aws/aws-sdk-go/aws/awserr" + "github.com/aws/aws-sdk-go/aws/credentials" + "github.com/aws/aws-sdk-go/aws/request" +) + +// A tokenProvider struct provides access to EC2Metadata client +// and atomic instance of a token, along with configuredTTL for it. +// tokenProvider also provides an atomic flag to disable the +// fetch token operation. +// The disabled member will use 0 as false, and 1 as true. +type tokenProvider struct { + client *EC2Metadata + token atomic.Value + configuredTTL time.Duration + disabled uint32 +} + +// A ec2Token struct helps use of token in EC2 Metadata service ops +type ec2Token struct { + token string + credentials.Expiry +} + +// newTokenProvider provides a pointer to a tokenProvider instance +func newTokenProvider(c *EC2Metadata, duration time.Duration) *tokenProvider { + return &tokenProvider{client: c, configuredTTL: duration} +} + +// fetchTokenHandler fetches token for EC2Metadata service client by default. +func (t *tokenProvider) fetchTokenHandler(r *request.Request) { + + // short-circuits to insecure data flow if tokenProvider is disabled. + if v := atomic.LoadUint32(&t.disabled); v == 1 { + return + } + + if ec2Token, ok := t.token.Load().(ec2Token); ok && !ec2Token.IsExpired() { + r.HTTPRequest.Header.Set(tokenHeader, ec2Token.token) + return + } + + output, err := t.client.getToken(r.Context(), t.configuredTTL) + + if err != nil { + + // change the disabled flag on token provider to true, + // when error is request timeout error. + if requestFailureError, ok := err.(awserr.RequestFailure); ok { + switch requestFailureError.StatusCode() { + case http.StatusForbidden, http.StatusNotFound, http.StatusMethodNotAllowed: + atomic.StoreUint32(&t.disabled, 1) + case http.StatusBadRequest: + r.Error = requestFailureError + } + + // Check if request timed out while waiting for response + if e, ok := requestFailureError.OrigErr().(awserr.Error); ok { + if e.Code() == request.ErrCodeRequestError { + atomic.StoreUint32(&t.disabled, 1) + } + } + } + return + } + + newToken := ec2Token{ + token: output.Token, + } + newToken.SetExpiration(time.Now().Add(output.TTL), ttlExpirationWindow) + t.token.Store(newToken) + + // Inject token header to the request. + if ec2Token, ok := t.token.Load().(ec2Token); ok { + r.HTTPRequest.Header.Set(tokenHeader, ec2Token.token) + } +} + +// enableTokenProviderHandler enables the token provider +func (t *tokenProvider) enableTokenProviderHandler(r *request.Request) { + // If the error code status is 401, we enable the token provider + if e, ok := r.Error.(awserr.RequestFailure); ok && e != nil && + e.StatusCode() == http.StatusUnauthorized { + t.token.Store(ec2Token{}) + atomic.StoreUint32(&t.disabled, 0) + } +} diff --git a/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go b/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go index c30391084..11df2e641 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go @@ -21,6 +21,7 @@ const ( ApEast1RegionID = "ap-east-1" // Asia Pacific (Hong Kong). ApNortheast1RegionID = "ap-northeast-1" // Asia Pacific (Tokyo). ApNortheast2RegionID = "ap-northeast-2" // Asia Pacific (Seoul). + ApNortheast3RegionID = "ap-northeast-3" // Asia Pacific (Osaka). ApSouth1RegionID = "ap-south-1" // Asia Pacific (Mumbai). ApSoutheast1RegionID = "ap-southeast-1" // Asia Pacific (Singapore). ApSoutheast2RegionID = "ap-southeast-2" // Asia Pacific (Sydney). @@ -121,6 +122,9 @@ var awsPartition = partition{ "ap-northeast-2": region{ Description: "Asia Pacific (Seoul)", }, + "ap-northeast-3": region{ + Description: "Asia Pacific (Osaka)", + }, "ap-south-1": region{ Description: "Asia Pacific (Mumbai)", }, @@ -184,6 +188,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -239,6 +244,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -344,6 +350,37 @@ var awsPartition = partition{ "us-west-2": endpoint{}, }, }, + "airflow": service{ + + Endpoints: endpoints{ + "ap-northeast-1": endpoint{}, + "ap-southeast-1": endpoint{}, + "ap-southeast-2": endpoint{}, + "eu-central-1": endpoint{}, + "eu-north-1": endpoint{}, + "eu-west-1": endpoint{}, + "us-east-1": endpoint{}, + "us-east-2": endpoint{}, + "us-west-2": endpoint{}, + }, + }, + "amplifybackend": service{ + + Endpoints: endpoints{ + "ap-northeast-1": endpoint{}, + "ap-northeast-2": endpoint{}, + "ap-south-1": endpoint{}, + "ap-southeast-1": endpoint{}, + "ap-southeast-2": endpoint{}, + "ca-central-1": endpoint{}, + "eu-central-1": endpoint{}, + "eu-west-1": endpoint{}, + "eu-west-2": endpoint{}, + "us-east-1": endpoint{}, + "us-east-2": endpoint{}, + "us-west-2": endpoint{}, + }, + }, "api.detective": service{ Defaults: endpoint{ Protocols: []string{"https"}, @@ -366,9 +403,33 @@ var awsPartition = partition{ "me-south-1": endpoint{}, "sa-east-1": endpoint{}, "us-east-1": endpoint{}, - "us-east-2": endpoint{}, - "us-west-1": endpoint{}, - "us-west-2": endpoint{}, + "us-east-1-fips": endpoint{ + Hostname: "api.detective-fips.us-east-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-east-1", + }, + }, + "us-east-2": endpoint{}, + "us-east-2-fips": endpoint{ + Hostname: "api.detective-fips.us-east-2.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-east-2", + }, + }, + "us-west-1": endpoint{}, + "us-west-1-fips": endpoint{ + Hostname: "api.detective-fips.us-west-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-west-1", + }, + }, + "us-west-2": endpoint{}, + "us-west-2-fips": endpoint{ + Hostname: "api.detective-fips.us-west-2.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-west-2", + }, + }, }, }, "api.ecr": service{ @@ -398,6 +459,12 @@ var awsPartition = partition{ Region: "ap-northeast-2", }, }, + "ap-northeast-3": endpoint{ + Hostname: "api.ecr.ap-northeast-3.amazonaws.com", + CredentialScope: credentialScope{ + Region: "ap-northeast-3", + }, + }, "ap-south-1": endpoint{ Hostname: "api.ecr.ap-south-1.amazonaws.com", CredentialScope: credentialScope{ @@ -567,6 +634,12 @@ var awsPartition = partition{ }, }, }, + "api.fleethub.iot": service{ + + Endpoints: endpoints{ + "us-east-1": endpoint{}, + }, + }, "api.mediatailor": service{ Endpoints: endpoints{ @@ -646,6 +719,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -664,6 +738,18 @@ var awsPartition = partition{ "us-west-2": endpoint{}, }, }, + "app-integrations": service{ + + Endpoints: endpoints{ + "ap-northeast-1": endpoint{}, + "ap-southeast-1": endpoint{}, + "ap-southeast-2": endpoint{}, + "eu-central-1": endpoint{}, + "eu-west-2": endpoint{}, + "us-east-1": endpoint{}, + "us-west-2": endpoint{}, + }, + }, "appflow": service{ Endpoints: endpoints{ @@ -693,6 +779,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -714,6 +801,7 @@ var awsPartition = partition{ "appmesh": service{ Endpoints: endpoints{ + "af-south-1": endpoint{}, "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, @@ -762,28 +850,6 @@ var awsPartition = partition{ }, "appsync": service{ - Endpoints: endpoints{ - "ap-northeast-1": endpoint{}, - "ap-northeast-2": endpoint{}, - "ap-south-1": endpoint{}, - "ap-southeast-1": endpoint{}, - "ap-southeast-2": endpoint{}, - "ca-central-1": endpoint{}, - "eu-central-1": endpoint{}, - "eu-north-1": endpoint{}, - "eu-south-1": endpoint{}, - "eu-west-1": endpoint{}, - "eu-west-2": endpoint{}, - "eu-west-3": endpoint{}, - "sa-east-1": endpoint{}, - "us-east-1": endpoint{}, - "us-east-2": endpoint{}, - "us-west-1": endpoint{}, - "us-west-2": endpoint{}, - }, - }, - "athena": service{ - Endpoints: endpoints{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, @@ -806,6 +872,55 @@ var awsPartition = partition{ "us-west-2": endpoint{}, }, }, + "athena": service{ + + Endpoints: endpoints{ + "af-south-1": endpoint{}, + "ap-east-1": endpoint{}, + "ap-northeast-1": endpoint{}, + "ap-northeast-2": endpoint{}, + "ap-south-1": endpoint{}, + "ap-southeast-1": endpoint{}, + "ap-southeast-2": endpoint{}, + "ca-central-1": endpoint{}, + "eu-central-1": endpoint{}, + "eu-north-1": endpoint{}, + "eu-south-1": endpoint{}, + "eu-west-1": endpoint{}, + "eu-west-2": endpoint{}, + "eu-west-3": endpoint{}, + "fips-us-east-1": endpoint{ + Hostname: "athena-fips.us-east-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-east-1", + }, + }, + "fips-us-east-2": endpoint{ + Hostname: "athena-fips.us-east-2.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-east-2", + }, + }, + "fips-us-west-1": endpoint{ + Hostname: "athena-fips.us-west-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-west-1", + }, + }, + "fips-us-west-2": endpoint{ + Hostname: "athena-fips.us-west-2.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-west-2", + }, + }, + "me-south-1": endpoint{}, + "sa-east-1": endpoint{}, + "us-east-1": endpoint{}, + "us-east-2": endpoint{}, + "us-west-1": endpoint{}, + "us-west-2": endpoint{}, + }, + }, "autoscaling": service{ Defaults: endpoint{ Protocols: []string{"http", "https"}, @@ -815,6 +930,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -867,6 +983,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -888,9 +1005,11 @@ var awsPartition = partition{ "batch": service{ Endpoints: endpoints{ + "af-south-1": endpoint{}, "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -963,12 +1082,11 @@ var awsPartition = partition{ PartitionEndpoint: "aws-global", IsRegionalized: boxedFalse, Defaults: endpoint{ - SSLCommonName: "service.chime.aws.amazon.com", - Protocols: []string{"https"}, + Protocols: []string{"https"}, }, Endpoints: endpoints{ "aws-global": endpoint{ - Hostname: "service.chime.aws.amazon.com", + Hostname: "chime.us-east-1.amazonaws.com", Protocols: []string{"https"}, CredentialScope: credentialScope{ Region: "us-east-1", @@ -1021,6 +1139,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -1203,6 +1322,7 @@ var awsPartition = partition{ "codebuild": service{ Endpoints: endpoints{ + "af-south-1": endpoint{}, "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, @@ -1285,6 +1405,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -1327,9 +1448,25 @@ var awsPartition = partition{ }, }, }, + "codeguru-reviewer": service{ + + Endpoints: endpoints{ + "ap-northeast-1": endpoint{}, + "ap-southeast-1": endpoint{}, + "ap-southeast-2": endpoint{}, + "eu-central-1": endpoint{}, + "eu-north-1": endpoint{}, + "eu-west-1": endpoint{}, + "eu-west-2": endpoint{}, + "us-east-1": endpoint{}, + "us-east-2": endpoint{}, + "us-west-2": endpoint{}, + }, + }, "codepipeline": service{ Endpoints: endpoints{ + "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, "ap-south-1": endpoint{}, @@ -1338,6 +1475,7 @@ var awsPartition = partition{ "ca-central-1": endpoint{}, "eu-central-1": endpoint{}, "eu-north-1": endpoint{}, + "eu-south-1": endpoint{}, "eu-west-1": endpoint{}, "eu-west-2": endpoint{}, "eu-west-3": endpoint{}, @@ -1427,8 +1565,10 @@ var awsPartition = partition{ "ap-southeast-2": endpoint{}, "ca-central-1": endpoint{}, "eu-central-1": endpoint{}, + "eu-north-1": endpoint{}, "eu-west-1": endpoint{}, "eu-west-2": endpoint{}, + "eu-west-3": endpoint{}, "fips-us-east-1": endpoint{ Hostname: "cognito-identity-fips.us-east-1.amazonaws.com", CredentialScope: credentialScope{ @@ -1447,8 +1587,10 @@ var awsPartition = partition{ Region: "us-west-2", }, }, + "sa-east-1": endpoint{}, "us-east-1": endpoint{}, "us-east-2": endpoint{}, + "us-west-1": endpoint{}, "us-west-2": endpoint{}, }, }, @@ -1462,8 +1604,10 @@ var awsPartition = partition{ "ap-southeast-2": endpoint{}, "ca-central-1": endpoint{}, "eu-central-1": endpoint{}, + "eu-north-1": endpoint{}, "eu-west-1": endpoint{}, "eu-west-2": endpoint{}, + "eu-west-3": endpoint{}, "fips-us-east-1": endpoint{ Hostname: "cognito-idp-fips.us-east-1.amazonaws.com", CredentialScope: credentialScope{ @@ -1476,14 +1620,22 @@ var awsPartition = partition{ Region: "us-east-2", }, }, + "fips-us-west-1": endpoint{ + Hostname: "cognito-idp-fips.us-west-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-west-1", + }, + }, "fips-us-west-2": endpoint{ Hostname: "cognito-idp-fips.us-west-2.amazonaws.com", CredentialScope: credentialScope{ Region: "us-west-2", }, }, + "sa-east-1": endpoint{}, "us-east-1": endpoint{}, "us-east-2": endpoint{}, + "us-west-1": endpoint{}, "us-west-2": endpoint{}, }, }, @@ -1573,24 +1725,51 @@ var awsPartition = partition{ "config": service{ Endpoints: endpoints{ + "af-south-1": endpoint{}, "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, "ca-central-1": endpoint{}, "eu-central-1": endpoint{}, "eu-north-1": endpoint{}, + "eu-south-1": endpoint{}, "eu-west-1": endpoint{}, "eu-west-2": endpoint{}, "eu-west-3": endpoint{}, - "me-south-1": endpoint{}, - "sa-east-1": endpoint{}, - "us-east-1": endpoint{}, - "us-east-2": endpoint{}, - "us-west-1": endpoint{}, - "us-west-2": endpoint{}, + "fips-us-east-1": endpoint{ + Hostname: "config-fips.us-east-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-east-1", + }, + }, + "fips-us-east-2": endpoint{ + Hostname: "config-fips.us-east-2.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-east-2", + }, + }, + "fips-us-west-1": endpoint{ + Hostname: "config-fips.us-west-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-west-1", + }, + }, + "fips-us-west-2": endpoint{ + Hostname: "config-fips.us-west-2.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-west-2", + }, + }, + "me-south-1": endpoint{}, + "sa-east-1": endpoint{}, + "us-east-1": endpoint{}, + "us-east-2": endpoint{}, + "us-west-1": endpoint{}, + "us-west-2": endpoint{}, }, }, "connect": service{ @@ -1605,6 +1784,17 @@ var awsPartition = partition{ "us-west-2": endpoint{}, }, }, + "contact-lens": service{ + + Endpoints: endpoints{ + "ap-northeast-1": endpoint{}, + "ap-southeast-2": endpoint{}, + "eu-central-1": endpoint{}, + "eu-west-2": endpoint{}, + "us-east-1": endpoint{}, + "us-west-2": endpoint{}, + }, + }, "cur": service{ Endpoints: endpoints{ @@ -1737,6 +1927,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -1798,6 +1989,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -1885,6 +2077,12 @@ var awsPartition = partition{ Region: "eu-west-3", }, }, + "sa-east-1": endpoint{ + Hostname: "rds.sa-east-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "sa-east-1", + }, + }, "us-east-1": endpoint{ Hostname: "rds.us-east-1.amazonaws.com", CredentialScope: credentialScope{ @@ -1969,6 +2167,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -2031,6 +2230,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -2088,6 +2288,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -2154,6 +2355,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -2205,6 +2407,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -2254,6 +2457,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -2285,6 +2489,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -2334,6 +2539,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -2368,6 +2574,12 @@ var awsPartition = partition{ Region: "ap-northeast-2", }, }, + "fips-ap-northeast-3": endpoint{ + Hostname: "elasticfilesystem-fips.ap-northeast-3.amazonaws.com", + CredentialScope: credentialScope{ + Region: "ap-northeast-3", + }, + }, "fips-ap-south-1": endpoint{ Hostname: "elasticfilesystem-fips.ap-south-1.amazonaws.com", CredentialScope: credentialScope{ @@ -2481,6 +2693,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -2533,6 +2746,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -2609,6 +2823,24 @@ var awsPartition = partition{ "us-west-2": endpoint{}, }, }, + "emr-containers": service{ + + Endpoints: endpoints{ + "ap-northeast-1": endpoint{}, + "ap-northeast-2": endpoint{}, + "ap-south-1": endpoint{}, + "ap-southeast-1": endpoint{}, + "ap-southeast-2": endpoint{}, + "ca-central-1": endpoint{}, + "eu-central-1": endpoint{}, + "eu-west-1": endpoint{}, + "eu-west-2": endpoint{}, + "us-east-1": endpoint{}, + "us-east-2": endpoint{}, + "us-west-1": endpoint{}, + "us-west-2": endpoint{}, + }, + }, "entitlement.marketplace": service{ Defaults: endpoint{ CredentialScope: credentialScope{ @@ -2626,6 +2858,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -2657,6 +2890,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -2706,6 +2940,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -2767,6 +3002,18 @@ var awsPartition = partition{ "eu-west-1": endpoint{}, "eu-west-2": endpoint{}, "eu-west-3": endpoint{}, + "fips-af-south-1": endpoint{ + Hostname: "fms-fips.af-south-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "af-south-1", + }, + }, + "fips-ap-east-1": endpoint{ + Hostname: "fms-fips.ap-east-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "ap-east-1", + }, + }, "fips-ap-northeast-1": endpoint{ Hostname: "fms-fips.ap-northeast-1.amazonaws.com", CredentialScope: credentialScope{ @@ -2809,6 +3056,12 @@ var awsPartition = partition{ Region: "eu-central-1", }, }, + "fips-eu-south-1": endpoint{ + Hostname: "fms-fips.eu-south-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "eu-south-1", + }, + }, "fips-eu-west-1": endpoint{ Hostname: "fms-fips.eu-west-1.amazonaws.com", CredentialScope: credentialScope{ @@ -2827,6 +3080,12 @@ var awsPartition = partition{ Region: "eu-west-3", }, }, + "fips-me-south-1": endpoint{ + Hostname: "fms-fips.me-south-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "me-south-1", + }, + }, "fips-sa-east-1": endpoint{ Hostname: "fms-fips.sa-east-1.amazonaws.com", CredentialScope: credentialScope{ @@ -2898,6 +3157,7 @@ var awsPartition = partition{ "fsx": service{ Endpoints: endpoints{ + "af-south-1": endpoint{}, "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, @@ -2907,14 +3167,46 @@ var awsPartition = partition{ "ca-central-1": endpoint{}, "eu-central-1": endpoint{}, "eu-north-1": endpoint{}, + "eu-south-1": endpoint{}, "eu-west-1": endpoint{}, "eu-west-2": endpoint{}, "eu-west-3": endpoint{}, - "sa-east-1": endpoint{}, - "us-east-1": endpoint{}, - "us-east-2": endpoint{}, - "us-west-1": endpoint{}, - "us-west-2": endpoint{}, + "fips-prod-ca-central-1": endpoint{ + Hostname: "fsx-fips.ca-central-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "ca-central-1", + }, + }, + "fips-prod-us-east-1": endpoint{ + Hostname: "fsx-fips.us-east-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-east-1", + }, + }, + "fips-prod-us-east-2": endpoint{ + Hostname: "fsx-fips.us-east-2.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-east-2", + }, + }, + "fips-prod-us-west-1": endpoint{ + Hostname: "fsx-fips.us-west-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-west-1", + }, + }, + "fips-prod-us-west-2": endpoint{ + Hostname: "fsx-fips.us-west-2.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-west-2", + }, + }, + "me-south-1": endpoint{}, + "sa-east-1": endpoint{}, + "us-east-1": endpoint{}, + "us-east-2": endpoint{}, + "us-west-1": endpoint{}, + "us-west-2": endpoint{}, }, }, "gamelift": service{ @@ -2945,6 +3237,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -2996,9 +3289,11 @@ var awsPartition = partition{ "glue": service{ Endpoints: endpoints{ + "af-south-1": endpoint{}, "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -3147,6 +3442,14 @@ var awsPartition = partition{ }, }, }, + "healthlake": service{ + Defaults: endpoint{ + Protocols: []string{"https"}, + }, + Endpoints: endpoints{ + "us-east-1": endpoint{}, + }, + }, "honeycode": service{ Endpoints: endpoints{ @@ -3403,6 +3706,23 @@ var awsPartition = partition{ "us-west-2": endpoint{}, }, }, + "iotwireless": service{ + + Endpoints: endpoints{ + "eu-west-1": endpoint{ + Hostname: "api.iotwireless.eu-west-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "eu-west-1", + }, + }, + "us-east-1": endpoint{ + Hostname: "api.iotwireless.us-east-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-east-1", + }, + }, + }, + }, "kafka": service{ Endpoints: endpoints{ @@ -3434,6 +3754,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -3527,6 +3848,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -3548,6 +3870,7 @@ var awsPartition = partition{ "lakeformation": service{ Endpoints: endpoints{ + "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, "ap-south-1": endpoint{}, @@ -3584,11 +3907,12 @@ var awsPartition = partition{ Region: "us-west-2", }, }, - "sa-east-1": endpoint{}, - "us-east-1": endpoint{}, - "us-east-2": endpoint{}, - "us-west-1": endpoint{}, - "us-west-2": endpoint{}, + "me-south-1": endpoint{}, + "sa-east-1": endpoint{}, + "us-east-1": endpoint{}, + "us-east-2": endpoint{}, + "us-west-1": endpoint{}, + "us-west-2": endpoint{}, }, }, "lambda": service{ @@ -3598,6 +3922,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -3714,6 +4039,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -3756,6 +4082,18 @@ var awsPartition = partition{ "us-west-2": endpoint{}, }, }, + "lookoutvision": service{ + + Endpoints: endpoints{ + "ap-northeast-1": endpoint{}, + "ap-northeast-2": endpoint{}, + "eu-central-1": endpoint{}, + "eu-west-1": endpoint{}, + "us-east-1": endpoint{}, + "us-east-2": endpoint{}, + "us-west-2": endpoint{}, + }, + }, "machinelearning": service{ Endpoints: endpoints{ @@ -3785,6 +4123,7 @@ var awsPartition = partition{ "macie2": service{ Endpoints: endpoints{ + "af-south-1": endpoint{}, "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, @@ -3794,6 +4133,7 @@ var awsPartition = partition{ "ca-central-1": endpoint{}, "eu-central-1": endpoint{}, "eu-north-1": endpoint{}, + "eu-south-1": endpoint{}, "eu-west-1": endpoint{}, "eu-west-2": endpoint{}, "eu-west-3": endpoint{}, @@ -3821,11 +4161,12 @@ var awsPartition = partition{ Region: "us-west-2", }, }, - "sa-east-1": endpoint{}, - "us-east-1": endpoint{}, - "us-east-2": endpoint{}, - "us-west-1": endpoint{}, - "us-west-2": endpoint{}, + "me-south-1": endpoint{}, + "sa-east-1": endpoint{}, + "us-east-1": endpoint{}, + "us-east-2": endpoint{}, + "us-west-1": endpoint{}, + "us-west-2": endpoint{}, }, }, "managedblockchain": service{ @@ -3998,6 +4339,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -4048,7 +4390,19 @@ var awsPartition = partition{ "eu-west-1": endpoint{}, "eu-west-2": endpoint{}, "us-east-1": endpoint{}, - "us-west-2": endpoint{}, + "us-east-1-fips": endpoint{ + Hostname: "models-fips.lex.us-east-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-east-1", + }, + }, + "us-west-2": endpoint{}, + "us-west-2-fips": endpoint{ + Hostname: "models-fips.lex.us-west-2.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-west-2", + }, + }, }, }, "monitoring": service{ @@ -4060,6 +4414,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -4612,6 +4967,18 @@ var awsPartition = partition{ }, }, }, + "profile": service{ + + Endpoints: endpoints{ + "ap-northeast-1": endpoint{}, + "ap-southeast-1": endpoint{}, + "ap-southeast-2": endpoint{}, + "eu-central-1": endpoint{}, + "eu-west-2": endpoint{}, + "us-east-1": endpoint{}, + "us-west-2": endpoint{}, + }, + }, "projects.iot1click": service{ Endpoints: endpoints{ @@ -4655,12 +5022,42 @@ var awsPartition = partition{ "eu-west-1": endpoint{}, "eu-west-2": endpoint{}, "eu-west-3": endpoint{}, - "me-south-1": endpoint{}, - "sa-east-1": endpoint{}, - "us-east-1": endpoint{}, - "us-east-2": endpoint{}, - "us-west-1": endpoint{}, - "us-west-2": endpoint{}, + "fips-ca-central-1": endpoint{ + Hostname: "ram-fips.ca-central-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "ca-central-1", + }, + }, + "fips-us-east-1": endpoint{ + Hostname: "ram-fips.us-east-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-east-1", + }, + }, + "fips-us-east-2": endpoint{ + Hostname: "ram-fips.us-east-2.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-east-2", + }, + }, + "fips-us-west-1": endpoint{ + Hostname: "ram-fips.us-west-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-west-1", + }, + }, + "fips-us-west-2": endpoint{ + Hostname: "ram-fips.us-west-2.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-west-2", + }, + }, + "me-south-1": endpoint{}, + "sa-east-1": endpoint{}, + "us-east-1": endpoint{}, + "us-east-2": endpoint{}, + "us-west-1": endpoint{}, + "us-west-2": endpoint{}, }, }, "rds": service{ @@ -4670,6 +5067,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -4727,6 +5125,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -4830,6 +5229,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -4950,7 +5350,19 @@ var awsPartition = partition{ "eu-west-1": endpoint{}, "eu-west-2": endpoint{}, "us-east-1": endpoint{}, - "us-west-2": endpoint{}, + "us-east-1-fips": endpoint{ + Hostname: "runtime-fips.lex.us-east-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-east-1", + }, + }, + "us-west-2": endpoint{}, + "us-west-2-fips": endpoint{ + Hostname: "runtime-fips.lex.us-west-2.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-west-2", + }, + }, }, }, "runtime.sagemaker": service{ @@ -5013,6 +5425,90 @@ var awsPartition = partition{ DualStackHostname: "{service}.dualstack.{region}.{dnsSuffix}", }, Endpoints: endpoints{ + "accesspoint-af-south-1": endpoint{ + Hostname: "s3-accesspoint.af-south-1.amazonaws.com", + SignatureVersions: []string{"s3v4"}, + }, + "accesspoint-ap-east-1": endpoint{ + Hostname: "s3-accesspoint.ap-east-1.amazonaws.com", + SignatureVersions: []string{"s3v4"}, + }, + "accesspoint-ap-northeast-1": endpoint{ + Hostname: "s3-accesspoint.ap-northeast-1.amazonaws.com", + SignatureVersions: []string{"s3v4"}, + }, + "accesspoint-ap-northeast-2": endpoint{ + Hostname: "s3-accesspoint.ap-northeast-2.amazonaws.com", + SignatureVersions: []string{"s3v4"}, + }, + "accesspoint-ap-northeast-3": endpoint{ + Hostname: "s3-accesspoint.ap-northeast-3.amazonaws.com", + SignatureVersions: []string{"s3v4"}, + }, + "accesspoint-ap-south-1": endpoint{ + Hostname: "s3-accesspoint.ap-south-1.amazonaws.com", + SignatureVersions: []string{"s3v4"}, + }, + "accesspoint-ap-southeast-1": endpoint{ + Hostname: "s3-accesspoint.ap-southeast-1.amazonaws.com", + SignatureVersions: []string{"s3v4"}, + }, + "accesspoint-ap-southeast-2": endpoint{ + Hostname: "s3-accesspoint.ap-southeast-2.amazonaws.com", + SignatureVersions: []string{"s3v4"}, + }, + "accesspoint-ca-central-1": endpoint{ + Hostname: "s3-accesspoint.ca-central-1.amazonaws.com", + SignatureVersions: []string{"s3v4"}, + }, + "accesspoint-eu-central-1": endpoint{ + Hostname: "s3-accesspoint.eu-central-1.amazonaws.com", + SignatureVersions: []string{"s3v4"}, + }, + "accesspoint-eu-north-1": endpoint{ + Hostname: "s3-accesspoint.eu-north-1.amazonaws.com", + SignatureVersions: []string{"s3v4"}, + }, + "accesspoint-eu-south-1": endpoint{ + Hostname: "s3-accesspoint.eu-south-1.amazonaws.com", + SignatureVersions: []string{"s3v4"}, + }, + "accesspoint-eu-west-1": endpoint{ + Hostname: "s3-accesspoint.eu-west-1.amazonaws.com", + SignatureVersions: []string{"s3v4"}, + }, + "accesspoint-eu-west-2": endpoint{ + Hostname: "s3-accesspoint.eu-west-2.amazonaws.com", + SignatureVersions: []string{"s3v4"}, + }, + "accesspoint-eu-west-3": endpoint{ + Hostname: "s3-accesspoint.eu-west-3.amazonaws.com", + SignatureVersions: []string{"s3v4"}, + }, + "accesspoint-me-south-1": endpoint{ + Hostname: "s3-accesspoint.me-south-1.amazonaws.com", + SignatureVersions: []string{"s3v4"}, + }, + "accesspoint-sa-east-1": endpoint{ + Hostname: "s3-accesspoint.sa-east-1.amazonaws.com", + SignatureVersions: []string{"s3v4"}, + }, + "accesspoint-us-east-1": endpoint{ + Hostname: "s3-accesspoint.us-east-1.amazonaws.com", + SignatureVersions: []string{"s3v4"}, + }, + "accesspoint-us-east-2": endpoint{ + Hostname: "s3-accesspoint.us-east-2.amazonaws.com", + SignatureVersions: []string{"s3v4"}, + }, + "accesspoint-us-west-1": endpoint{ + Hostname: "s3-accesspoint.us-west-1.amazonaws.com", + SignatureVersions: []string{"s3v4"}, + }, + "accesspoint-us-west-2": endpoint{ + Hostname: "s3-accesspoint.us-west-2.amazonaws.com", + SignatureVersions: []string{"s3v4"}, + }, "af-south-1": endpoint{}, "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{ @@ -5020,6 +5516,7 @@ var awsPartition = partition{ SignatureVersions: []string{"s3", "s3v4"}, }, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{ Hostname: "s3.ap-southeast-1.amazonaws.com", @@ -5044,8 +5541,28 @@ var awsPartition = partition{ Hostname: "s3.eu-west-1.amazonaws.com", SignatureVersions: []string{"s3", "s3v4"}, }, - "eu-west-2": endpoint{}, - "eu-west-3": endpoint{}, + "eu-west-2": endpoint{}, + "eu-west-3": endpoint{}, + "fips-accesspoint-ca-central-1": endpoint{ + Hostname: "s3-accesspoint-fips.ca-central-1.amazonaws.com", + SignatureVersions: []string{"s3v4"}, + }, + "fips-accesspoint-us-east-1": endpoint{ + Hostname: "s3-accesspoint-fips.us-east-1.amazonaws.com", + SignatureVersions: []string{"s3v4"}, + }, + "fips-accesspoint-us-east-2": endpoint{ + Hostname: "s3-accesspoint-fips.us-east-2.amazonaws.com", + SignatureVersions: []string{"s3v4"}, + }, + "fips-accesspoint-us-west-1": endpoint{ + Hostname: "s3-accesspoint-fips.us-west-1.amazonaws.com", + SignatureVersions: []string{"s3v4"}, + }, + "fips-accesspoint-us-west-2": endpoint{ + Hostname: "s3-accesspoint-fips.us-west-2.amazonaws.com", + SignatureVersions: []string{"s3v4"}, + }, "me-south-1": endpoint{}, "s3-external-1": endpoint{ Hostname: "s3-external-1.amazonaws.com", @@ -5096,6 +5613,13 @@ var awsPartition = partition{ Region: "ap-northeast-2", }, }, + "ap-northeast-3": endpoint{ + Hostname: "s3-control.ap-northeast-3.amazonaws.com", + SignatureVersions: []string{"s3v4"}, + CredentialScope: credentialScope{ + Region: "ap-northeast-3", + }, + }, "ap-south-1": endpoint{ Hostname: "s3-control.ap-south-1.amazonaws.com", SignatureVersions: []string{"s3v4"}, @@ -5291,6 +5815,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -5495,6 +6020,7 @@ var awsPartition = partition{ "servicediscovery": service{ Endpoints: endpoints{ + "af-south-1": endpoint{}, "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, @@ -5504,6 +6030,7 @@ var awsPartition = partition{ "ca-central-1": endpoint{}, "eu-central-1": endpoint{}, "eu-north-1": endpoint{}, + "eu-south-1": endpoint{}, "eu-west-1": endpoint{}, "eu-west-2": endpoint{}, "eu-west-3": endpoint{}, @@ -5530,6 +6057,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -5636,9 +6164,11 @@ var awsPartition = partition{ "snowball": service{ Endpoints: endpoints{ + "af-south-1": endpoint{}, "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -5761,6 +6291,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -5813,6 +6344,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -5864,6 +6396,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -5919,6 +6452,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -6064,6 +6598,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -6131,6 +6666,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -6180,6 +6716,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -6249,11 +6786,14 @@ var awsPartition = partition{ "transcribestreaming": service{ Endpoints: endpoints{ + "ap-northeast-1": endpoint{}, + "ap-northeast-2": endpoint{}, "ap-southeast-2": endpoint{}, "ca-central-1": endpoint{}, "eu-central-1": endpoint{}, "eu-west-1": endpoint{}, "eu-west-2": endpoint{}, + "sa-east-1": endpoint{}, "us-east-1": endpoint{}, "us-east-2": endpoint{}, "us-west-2": endpoint{}, @@ -6262,6 +6802,8 @@ var awsPartition = partition{ "transfer": service{ Endpoints: endpoints{ + "af-south-1": endpoint{}, + "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, "ap-south-1": endpoint{}, @@ -6303,11 +6845,12 @@ var awsPartition = partition{ Region: "us-west-2", }, }, - "sa-east-1": endpoint{}, - "us-east-1": endpoint{}, - "us-east-2": endpoint{}, - "us-west-1": endpoint{}, - "us-west-2": endpoint{}, + "me-south-1": endpoint{}, + "sa-east-1": endpoint{}, + "us-east-1": endpoint{}, + "us-east-2": endpoint{}, + "us-west-1": endpoint{}, + "us-west-2": endpoint{}, }, }, "translate": service{ @@ -6653,6 +7196,7 @@ var awsPartition = partition{ Endpoints: endpoints{ "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, "ca-central-1": endpoint{}, @@ -6683,6 +7227,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -6693,12 +7238,36 @@ var awsPartition = partition{ "eu-west-1": endpoint{}, "eu-west-2": endpoint{}, "eu-west-3": endpoint{}, - "me-south-1": endpoint{}, - "sa-east-1": endpoint{}, - "us-east-1": endpoint{}, - "us-east-2": endpoint{}, - "us-west-1": endpoint{}, - "us-west-2": endpoint{}, + "fips-us-east-1": endpoint{ + Hostname: "xray-fips.us-east-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-east-1", + }, + }, + "fips-us-east-2": endpoint{ + Hostname: "xray-fips.us-east-2.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-east-2", + }, + }, + "fips-us-west-1": endpoint{ + Hostname: "xray-fips.us-west-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-west-1", + }, + }, + "fips-us-west-2": endpoint{ + Hostname: "xray-fips.us-west-2.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-west-2", + }, + }, + "me-south-1": endpoint{}, + "sa-east-1": endpoint{}, + "us-east-1": endpoint{}, + "us-east-2": endpoint{}, + "us-west-1": endpoint{}, + "us-west-2": endpoint{}, }, }, }, @@ -6790,7 +7359,8 @@ var awscnPartition = partition{ "appsync": service{ Endpoints: endpoints{ - "cn-north-1": endpoint{}, + "cn-north-1": endpoint{}, + "cn-northwest-1": endpoint{}, }, }, "athena": service{ @@ -6946,6 +7516,17 @@ var awscnPartition = partition{ "cn-northwest-1": endpoint{}, }, }, + "docdb": service{ + + Endpoints: endpoints{ + "cn-northwest-1": endpoint{ + Hostname: "rds.cn-northwest-1.amazonaws.com.cn", + CredentialScope: credentialScope{ + Region: "cn-northwest-1", + }, + }, + }, + }, "ds": service{ Endpoints: endpoints{ @@ -7115,6 +7696,16 @@ var awscnPartition = partition{ "cn-north-1": endpoint{}, }, }, + "guardduty": service{ + IsRegionalized: boxedTrue, + Defaults: endpoint{ + Protocols: []string{"https"}, + }, + Endpoints: endpoints{ + "cn-north-1": endpoint{}, + "cn-northwest-1": endpoint{}, + }, + }, "health": service{ Endpoints: endpoints{ @@ -7273,12 +7864,6 @@ var awscnPartition = partition{ Region: "cn-northwest-1", }, }, - "fips-aws-cn-global": endpoint{ - Hostname: "organizations.cn-northwest-1.amazonaws.com.cn", - CredentialScope: credentialScope{ - Region: "cn-northwest-1", - }, - }, }, }, "polly": service{ @@ -7287,6 +7872,13 @@ var awscnPartition = partition{ "cn-northwest-1": endpoint{}, }, }, + "ram": service{ + + Endpoints: endpoints{ + "cn-north-1": endpoint{}, + "cn-northwest-1": endpoint{}, + }, + }, "rds": service{ Endpoints: endpoints{ @@ -7337,6 +7929,14 @@ var awscnPartition = partition{ DualStackHostname: "{service}.dualstack.{region}.{dnsSuffix}", }, Endpoints: endpoints{ + "accesspoint-cn-north-1": endpoint{ + Hostname: "s3-accesspoint.cn-north-1.amazonaws.com.cn", + SignatureVersions: []string{"s3v4"}, + }, + "accesspoint-cn-northwest-1": endpoint{ + Hostname: "s3-accesspoint.cn-northwest-1.amazonaws.com.cn", + SignatureVersions: []string{"s3v4"}, + }, "cn-north-1": endpoint{}, "cn-northwest-1": endpoint{}, }, @@ -7630,6 +8230,27 @@ var awsusgovPartition = partition{ "us-gov-west-1": endpoint{}, }, }, + "api.detective": service{ + Defaults: endpoint{ + Protocols: []string{"https"}, + }, + Endpoints: endpoints{ + "us-gov-east-1": endpoint{}, + "us-gov-east-1-fips": endpoint{ + Hostname: "api.detective-fips.us-gov-east-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-gov-east-1", + }, + }, + "us-gov-west-1": endpoint{}, + "us-gov-west-1-fips": endpoint{ + Hostname: "api.detective-fips.us-gov-west-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-gov-west-1", + }, + }, + }, + }, "api.ecr": service{ Endpoints: endpoints{ @@ -7783,18 +8404,6 @@ var awsusgovPartition = partition{ "batch": service{ Endpoints: endpoints{ - "fips-us-gov-east-1": endpoint{ - Hostname: "batch.us-gov-east-1.amazonaws.com", - CredentialScope: credentialScope{ - Region: "us-gov-east-1", - }, - }, - "fips-us-gov-west-1": endpoint{ - Hostname: "batch.us-gov-west-1.amazonaws.com", - CredentialScope: credentialScope{ - Region: "us-gov-west-1", - }, - }, "us-gov-east-1": endpoint{}, "us-gov-west-1": endpoint{}, }, @@ -7972,10 +8581,28 @@ var awsusgovPartition = partition{ "config": service{ Endpoints: endpoints{ + "fips-us-gov-east-1": endpoint{ + Hostname: "config.us-gov-east-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-gov-east-1", + }, + }, + "fips-us-gov-west-1": endpoint{ + Hostname: "config.us-gov-west-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-gov-west-1", + }, + }, "us-gov-east-1": endpoint{}, "us-gov-west-1": endpoint{}, }, }, + "connect": service{ + + Endpoints: endpoints{ + "us-gov-west-1": endpoint{}, + }, + }, "datasync": service{ Endpoints: endpoints{ @@ -8301,6 +8928,25 @@ var awsusgovPartition = partition{ "us-gov-west-1": endpoint{}, }, }, + "fsx": service{ + + Endpoints: endpoints{ + "fips-prod-us-gov-east-1": endpoint{ + Hostname: "fsx-fips.us-gov-east-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-gov-east-1", + }, + }, + "fips-prod-us-gov-west-1": endpoint{ + Hostname: "fsx-fips.us-gov-west-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-gov-west-1", + }, + }, + "us-gov-east-1": endpoint{}, + "us-gov-west-1": endpoint{}, + }, + }, "glacier": service{ Endpoints: endpoints{ @@ -8344,12 +8990,30 @@ var awsusgovPartition = partition{ Protocols: []string{"https"}, }, Endpoints: endpoints{ + "dataplane-us-gov-east-1": endpoint{ + Hostname: "greengrass-ats.iot.us-gov-east-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-gov-east-1", + }, + }, "dataplane-us-gov-west-1": endpoint{ Hostname: "greengrass-ats.iot.us-gov-west-1.amazonaws.com", CredentialScope: credentialScope{ Region: "us-gov-west-1", }, }, + "fips-us-gov-east-1": endpoint{ + Hostname: "greengrass-fips.us-gov-east-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-gov-east-1", + }, + }, + "us-gov-east-1": endpoint{ + Hostname: "greengrass.us-gov-east-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-gov-east-1", + }, + }, "us-gov-west-1": endpoint{ Hostname: "greengrass.us-gov-west-1.amazonaws.com", CredentialScope: credentialScope{ @@ -8365,6 +9029,12 @@ var awsusgovPartition = partition{ }, Endpoints: endpoints{ "us-gov-east-1": endpoint{}, + "us-gov-east-1-fips": endpoint{ + Hostname: "guardduty.us-gov-east-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-gov-east-1", + }, + }, "us-gov-west-1": endpoint{}, "us-gov-west-1-fips": endpoint{ Hostname: "guardduty.us-gov-west-1.amazonaws.com", @@ -8485,6 +9155,18 @@ var awsusgovPartition = partition{ "us-gov-west-1": endpoint{}, }, }, + "lakeformation": service{ + + Endpoints: endpoints{ + "fips-us-gov-west-1": endpoint{ + Hostname: "lakeformation-fips.us-gov-west-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-gov-west-1", + }, + }, + "us-gov-west-1": endpoint{}, + }, + }, "lambda": service{ Endpoints: endpoints{ @@ -8562,6 +9244,22 @@ var awsusgovPartition = partition{ "us-gov-west-1": endpoint{}, }, }, + "models.lex": service{ + Defaults: endpoint{ + CredentialScope: credentialScope{ + Service: "lex", + }, + }, + Endpoints: endpoints{ + "us-gov-west-1": endpoint{}, + "us-gov-west-1-fips": endpoint{ + Hostname: "models-fips.lex.us-gov-west-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-gov-west-1", + }, + }, + }, + }, "monitoring": service{ Endpoints: endpoints{ @@ -8670,8 +9368,18 @@ var awsusgovPartition = partition{ "ram": service{ Endpoints: endpoints{ - "us-gov-east-1": endpoint{}, - "us-gov-west-1": endpoint{}, + "us-gov-east-1": endpoint{ + Hostname: "ram.us-gov-east-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-gov-east-1", + }, + }, + "us-gov-west-1": endpoint{ + Hostname: "ram.us-gov-west-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-gov-west-1", + }, + }, }, }, "rds": service{ @@ -8767,10 +9475,32 @@ var awsusgovPartition = partition{ "us-gov-west-1": endpoint{}, }, }, + "runtime.lex": service{ + Defaults: endpoint{ + CredentialScope: credentialScope{ + Service: "lex", + }, + }, + Endpoints: endpoints{ + "us-gov-west-1": endpoint{}, + "us-gov-west-1-fips": endpoint{ + Hostname: "runtime-fips.lex.us-gov-west-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-gov-west-1", + }, + }, + }, + }, "runtime.sagemaker": service{ Endpoints: endpoints{ "us-gov-west-1": endpoint{}, + "us-gov-west-1-fips": endpoint{ + Hostname: "runtime.sagemaker.us-gov-west-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-gov-west-1", + }, + }, }, }, "s3": service{ @@ -8781,6 +9511,22 @@ var awsusgovPartition = partition{ DualStackHostname: "{service}.dualstack.{region}.{dnsSuffix}", }, Endpoints: endpoints{ + "accesspoint-us-gov-east-1": endpoint{ + Hostname: "s3-accesspoint.us-gov-east-1.amazonaws.com", + SignatureVersions: []string{"s3v4"}, + }, + "accesspoint-us-gov-west-1": endpoint{ + Hostname: "s3-accesspoint.us-gov-west-1.amazonaws.com", + SignatureVersions: []string{"s3v4"}, + }, + "fips-accesspoint-us-gov-east-1": endpoint{ + Hostname: "s3-accesspoint-fips.us-gov-east-1.amazonaws.com", + SignatureVersions: []string{"s3v4"}, + }, + "fips-accesspoint-us-gov-west-1": endpoint{ + Hostname: "s3-accesspoint-fips.us-gov-west-1.amazonaws.com", + SignatureVersions: []string{"s3v4"}, + }, "fips-us-gov-west-1": endpoint{ Hostname: "s3-fips.us-gov-west-1.amazonaws.com", CredentialScope: credentialScope{ @@ -9181,12 +9927,24 @@ var awsusgovPartition = partition{ "waf-regional": service{ Endpoints: endpoints{ + "fips-us-gov-east-1": endpoint{ + Hostname: "waf-regional-fips.us-gov-east-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-gov-east-1", + }, + }, "fips-us-gov-west-1": endpoint{ Hostname: "waf-regional-fips.us-gov-west-1.amazonaws.com", CredentialScope: credentialScope{ Region: "us-gov-west-1", }, }, + "us-gov-east-1": endpoint{ + Hostname: "waf-regional.us-gov-east-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-gov-east-1", + }, + }, "us-gov-west-1": endpoint{ Hostname: "waf-regional.us-gov-west-1.amazonaws.com", CredentialScope: credentialScope{ @@ -9210,6 +9968,18 @@ var awsusgovPartition = partition{ "xray": service{ Endpoints: endpoints{ + "fips-us-gov-east-1": endpoint{ + Hostname: "xray-fips.us-gov-east-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-gov-east-1", + }, + }, + "fips-us-gov-west-1": endpoint{ + Hostname: "xray-fips.us-gov-west-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-gov-west-1", + }, + }, "us-gov-east-1": endpoint{}, "us-gov-west-1": endpoint{}, }, @@ -9466,12 +10236,30 @@ var awsisoPartition = partition{ "us-iso-east-1": endpoint{}, }, }, + "medialive": service{ + + Endpoints: endpoints{ + "us-iso-east-1": endpoint{}, + }, + }, + "mediapackage": service{ + + Endpoints: endpoints{ + "us-iso-east-1": endpoint{}, + }, + }, "monitoring": service{ Endpoints: endpoints{ "us-iso-east-1": endpoint{}, }, }, + "outposts": service{ + + Endpoints: endpoints{ + "us-iso-east-1": endpoint{}, + }, + }, "rds": service{ Endpoints: endpoints{ @@ -9514,6 +10302,12 @@ var awsisoPartition = partition{ }, }, }, + "secretsmanager": service{ + + Endpoints: endpoints{ + "us-iso-east-1": endpoint{}, + }, + }, "snowball": service{ Endpoints: endpoints{ @@ -9536,6 +10330,12 @@ var awsisoPartition = partition{ }, }, }, + "ssm": service{ + + Endpoints: endpoints{ + "us-iso-east-1": endpoint{}, + }, + }, "states": service{ Endpoints: endpoints{ @@ -9593,6 +10393,14 @@ var awsisoPartition = partition{ "us-iso-east-1": endpoint{}, }, }, + "translate": service{ + Defaults: endpoint{ + Protocols: []string{"https"}, + }, + Endpoints: endpoints{ + "us-iso-east-1": endpoint{}, + }, + }, "workspaces": service{ Endpoints: endpoints{ @@ -9667,6 +10475,12 @@ var awsisobPartition = partition{ "us-isob-east-1": endpoint{}, }, }, + "codedeploy": service{ + + Endpoints: endpoints{ + "us-isob-east-1": endpoint{}, + }, + }, "config": service{ Endpoints: endpoints{ @@ -9744,6 +10558,12 @@ var awsisobPartition = partition{ "us-isob-east-1": endpoint{}, }, }, + "es": service{ + + Endpoints: endpoints{ + "us-isob-east-1": endpoint{}, + }, + }, "events": service{ Endpoints: endpoints{ @@ -9829,6 +10649,19 @@ var awsisobPartition = partition{ "us-isob-east-1": endpoint{}, }, }, + "route53": service{ + PartitionEndpoint: "aws-iso-b-global", + IsRegionalized: boxedFalse, + + Endpoints: endpoints{ + "aws-iso-b-global": endpoint{ + Hostname: "route53.sc2s.sgov.gov", + CredentialScope: credentialScope{ + Region: "us-isob-east-1", + }, + }, + }, + }, "s3": service{ Defaults: endpoint{ Protocols: []string{"http", "https"}, diff --git a/vendor/github.com/aws/aws-sdk-go/aws/session/credentials.go b/vendor/github.com/aws/aws-sdk-go/aws/session/credentials.go new file mode 100644 index 000000000..3ddd4e512 --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/aws/session/credentials.go @@ -0,0 +1,290 @@ +package session + +import ( + "fmt" + "os" + "time" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/awserr" + "github.com/aws/aws-sdk-go/aws/credentials" + "github.com/aws/aws-sdk-go/aws/credentials/processcreds" + "github.com/aws/aws-sdk-go/aws/credentials/ssocreds" + "github.com/aws/aws-sdk-go/aws/credentials/stscreds" + "github.com/aws/aws-sdk-go/aws/defaults" + "github.com/aws/aws-sdk-go/aws/request" + "github.com/aws/aws-sdk-go/internal/shareddefaults" +) + +func resolveCredentials(cfg *aws.Config, + envCfg envConfig, sharedCfg sharedConfig, + handlers request.Handlers, + sessOpts Options, +) (*credentials.Credentials, error) { + + switch { + case len(sessOpts.Profile) != 0: + // User explicitly provided an Profile in the session's configuration + // so load that profile from shared config first. + // Github(aws/aws-sdk-go#2727) + return resolveCredsFromProfile(cfg, envCfg, sharedCfg, handlers, sessOpts) + + case envCfg.Creds.HasKeys(): + // Environment credentials + return credentials.NewStaticCredentialsFromCreds(envCfg.Creds), nil + + case len(envCfg.WebIdentityTokenFilePath) != 0: + // Web identity token from environment, RoleARN required to also be + // set. + return assumeWebIdentity(cfg, handlers, + envCfg.WebIdentityTokenFilePath, + envCfg.RoleARN, + envCfg.RoleSessionName, + ) + + default: + // Fallback to the "default" credential resolution chain. + return resolveCredsFromProfile(cfg, envCfg, sharedCfg, handlers, sessOpts) + } +} + +// WebIdentityEmptyRoleARNErr will occur if 'AWS_WEB_IDENTITY_TOKEN_FILE' was set but +// 'AWS_ROLE_ARN' was not set. +var WebIdentityEmptyRoleARNErr = awserr.New(stscreds.ErrCodeWebIdentity, "role ARN is not set", nil) + +// WebIdentityEmptyTokenFilePathErr will occur if 'AWS_ROLE_ARN' was set but +// 'AWS_WEB_IDENTITY_TOKEN_FILE' was not set. +var WebIdentityEmptyTokenFilePathErr = awserr.New(stscreds.ErrCodeWebIdentity, "token file path is not set", nil) + +func assumeWebIdentity(cfg *aws.Config, handlers request.Handlers, + filepath string, + roleARN, sessionName string, +) (*credentials.Credentials, error) { + + if len(filepath) == 0 { + return nil, WebIdentityEmptyTokenFilePathErr + } + + if len(roleARN) == 0 { + return nil, WebIdentityEmptyRoleARNErr + } + + creds := stscreds.NewWebIdentityCredentials( + &Session{ + Config: cfg, + Handlers: handlers.Copy(), + }, + roleARN, + sessionName, + filepath, + ) + + return creds, nil +} + +func resolveCredsFromProfile(cfg *aws.Config, + envCfg envConfig, sharedCfg sharedConfig, + handlers request.Handlers, + sessOpts Options, +) (creds *credentials.Credentials, err error) { + + switch { + case sharedCfg.SourceProfile != nil: + // Assume IAM role with credentials source from a different profile. + creds, err = resolveCredsFromProfile(cfg, envCfg, + *sharedCfg.SourceProfile, handlers, sessOpts, + ) + + case sharedCfg.Creds.HasKeys(): + // Static Credentials from Shared Config/Credentials file. + creds = credentials.NewStaticCredentialsFromCreds( + sharedCfg.Creds, + ) + + case sharedCfg.hasSSOConfiguration(): + creds, err = resolveSSOCredentials(cfg, sharedCfg, handlers) + + case len(sharedCfg.CredentialProcess) != 0: + // Get credentials from CredentialProcess + creds = processcreds.NewCredentials(sharedCfg.CredentialProcess) + + case len(sharedCfg.CredentialSource) != 0: + creds, err = resolveCredsFromSource(cfg, envCfg, + sharedCfg, handlers, sessOpts, + ) + + case len(sharedCfg.WebIdentityTokenFile) != 0: + // Credentials from Assume Web Identity token require an IAM Role, and + // that roll will be assumed. May be wrapped with another assume role + // via SourceProfile. + return assumeWebIdentity(cfg, handlers, + sharedCfg.WebIdentityTokenFile, + sharedCfg.RoleARN, + sharedCfg.RoleSessionName, + ) + + default: + // Fallback to default credentials provider, include mock errors for + // the credential chain so user can identify why credentials failed to + // be retrieved. + creds = credentials.NewCredentials(&credentials.ChainProvider{ + VerboseErrors: aws.BoolValue(cfg.CredentialsChainVerboseErrors), + Providers: []credentials.Provider{ + &credProviderError{ + Err: awserr.New("EnvAccessKeyNotFound", + "failed to find credentials in the environment.", nil), + }, + &credProviderError{ + Err: awserr.New("SharedCredsLoad", + fmt.Sprintf("failed to load profile, %s.", envCfg.Profile), nil), + }, + defaults.RemoteCredProvider(*cfg, handlers), + }, + }) + } + if err != nil { + return nil, err + } + + if len(sharedCfg.RoleARN) > 0 { + cfgCp := *cfg + cfgCp.Credentials = creds + return credsFromAssumeRole(cfgCp, handlers, sharedCfg, sessOpts) + } + + return creds, nil +} + +func resolveSSOCredentials(cfg *aws.Config, sharedCfg sharedConfig, handlers request.Handlers) (*credentials.Credentials, error) { + if err := sharedCfg.validateSSOConfiguration(); err != nil { + return nil, err + } + + cfgCopy := cfg.Copy() + cfgCopy.Region = &sharedCfg.SSORegion + + return ssocreds.NewCredentials( + &Session{ + Config: cfgCopy, + Handlers: handlers.Copy(), + }, + sharedCfg.SSOAccountID, + sharedCfg.SSORoleName, + sharedCfg.SSOStartURL, + ), nil +} + +// valid credential source values +const ( + credSourceEc2Metadata = "Ec2InstanceMetadata" + credSourceEnvironment = "Environment" + credSourceECSContainer = "EcsContainer" +) + +func resolveCredsFromSource(cfg *aws.Config, + envCfg envConfig, sharedCfg sharedConfig, + handlers request.Handlers, + sessOpts Options, +) (creds *credentials.Credentials, err error) { + + switch sharedCfg.CredentialSource { + case credSourceEc2Metadata: + p := defaults.RemoteCredProvider(*cfg, handlers) + creds = credentials.NewCredentials(p) + + case credSourceEnvironment: + creds = credentials.NewStaticCredentialsFromCreds(envCfg.Creds) + + case credSourceECSContainer: + if len(os.Getenv(shareddefaults.ECSCredsProviderEnvVar)) == 0 { + return nil, ErrSharedConfigECSContainerEnvVarEmpty + } + + p := defaults.RemoteCredProvider(*cfg, handlers) + creds = credentials.NewCredentials(p) + + default: + return nil, ErrSharedConfigInvalidCredSource + } + + return creds, nil +} + +func credsFromAssumeRole(cfg aws.Config, + handlers request.Handlers, + sharedCfg sharedConfig, + sessOpts Options, +) (*credentials.Credentials, error) { + + if len(sharedCfg.MFASerial) != 0 && sessOpts.AssumeRoleTokenProvider == nil { + // AssumeRole Token provider is required if doing Assume Role + // with MFA. + return nil, AssumeRoleTokenProviderNotSetError{} + } + + return stscreds.NewCredentials( + &Session{ + Config: &cfg, + Handlers: handlers.Copy(), + }, + sharedCfg.RoleARN, + func(opt *stscreds.AssumeRoleProvider) { + opt.RoleSessionName = sharedCfg.RoleSessionName + + if sessOpts.AssumeRoleDuration == 0 && + sharedCfg.AssumeRoleDuration != nil && + *sharedCfg.AssumeRoleDuration/time.Minute > 15 { + opt.Duration = *sharedCfg.AssumeRoleDuration + } else if sessOpts.AssumeRoleDuration != 0 { + opt.Duration = sessOpts.AssumeRoleDuration + } + + // Assume role with external ID + if len(sharedCfg.ExternalID) > 0 { + opt.ExternalID = aws.String(sharedCfg.ExternalID) + } + + // Assume role with MFA + if len(sharedCfg.MFASerial) > 0 { + opt.SerialNumber = aws.String(sharedCfg.MFASerial) + opt.TokenProvider = sessOpts.AssumeRoleTokenProvider + } + }, + ), nil +} + +// AssumeRoleTokenProviderNotSetError is an error returned when creating a +// session when the MFAToken option is not set when shared config is configured +// load assume a role with an MFA token. +type AssumeRoleTokenProviderNotSetError struct{} + +// Code is the short id of the error. +func (e AssumeRoleTokenProviderNotSetError) Code() string { + return "AssumeRoleTokenProviderNotSetError" +} + +// Message is the description of the error +func (e AssumeRoleTokenProviderNotSetError) Message() string { + return fmt.Sprintf("assume role with MFA enabled, but AssumeRoleTokenProvider session option not set.") +} + +// OrigErr is the underlying error that caused the failure. +func (e AssumeRoleTokenProviderNotSetError) OrigErr() error { + return nil +} + +// Error satisfies the error interface. +func (e AssumeRoleTokenProviderNotSetError) Error() string { + return awserr.SprintError(e.Code(), e.Message(), "", nil) +} + +type credProviderError struct { + Err error +} + +func (c credProviderError) Retrieve() (credentials.Value, error) { + return credentials.Value{}, c.Err +} +func (c credProviderError) IsExpired() bool { + return true +} diff --git a/vendor/github.com/aws/aws-sdk-go/aws/session/custom_transport.go b/vendor/github.com/aws/aws-sdk-go/aws/session/custom_transport.go new file mode 100644 index 000000000..593aedc42 --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/aws/session/custom_transport.go @@ -0,0 +1,27 @@ +// +build go1.13 + +package session + +import ( + "net" + "net/http" + "time" +) + +// Transport that should be used when a custom CA bundle is specified with the +// SDK. +func getCustomTransport() *http.Transport { + return &http.Transport{ + Proxy: http.ProxyFromEnvironment, + DialContext: (&net.Dialer{ + Timeout: 30 * time.Second, + KeepAlive: 30 * time.Second, + DualStack: true, + }).DialContext, + ForceAttemptHTTP2: true, + MaxIdleConns: 100, + IdleConnTimeout: 90 * time.Second, + TLSHandshakeTimeout: 10 * time.Second, + ExpectContinueTimeout: 1 * time.Second, + } +} diff --git a/vendor/github.com/aws/aws-sdk-go/aws/session/custom_transport_go1.12.go b/vendor/github.com/aws/aws-sdk-go/aws/session/custom_transport_go1.12.go new file mode 100644 index 000000000..1bf31cf8e --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/aws/session/custom_transport_go1.12.go @@ -0,0 +1,26 @@ +// +build !go1.13,go1.7 + +package session + +import ( + "net" + "net/http" + "time" +) + +// Transport that should be used when a custom CA bundle is specified with the +// SDK. +func getCustomTransport() *http.Transport { + return &http.Transport{ + Proxy: http.ProxyFromEnvironment, + DialContext: (&net.Dialer{ + Timeout: 30 * time.Second, + KeepAlive: 30 * time.Second, + DualStack: true, + }).DialContext, + MaxIdleConns: 100, + IdleConnTimeout: 90 * time.Second, + TLSHandshakeTimeout: 10 * time.Second, + ExpectContinueTimeout: 1 * time.Second, + } +} diff --git a/vendor/github.com/aws/aws-sdk-go/aws/session/custom_transport_go1.5.go b/vendor/github.com/aws/aws-sdk-go/aws/session/custom_transport_go1.5.go new file mode 100644 index 000000000..253d7bc9d --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/aws/session/custom_transport_go1.5.go @@ -0,0 +1,22 @@ +// +build !go1.6,go1.5 + +package session + +import ( + "net" + "net/http" + "time" +) + +// Transport that should be used when a custom CA bundle is specified with the +// SDK. +func getCustomTransport() *http.Transport { + return &http.Transport{ + Proxy: http.ProxyFromEnvironment, + Dial: (&net.Dialer{ + Timeout: 30 * time.Second, + KeepAlive: 30 * time.Second, + }).Dial, + TLSHandshakeTimeout: 10 * time.Second, + } +} diff --git a/vendor/github.com/aws/aws-sdk-go/aws/session/custom_transport_go1.6.go b/vendor/github.com/aws/aws-sdk-go/aws/session/custom_transport_go1.6.go new file mode 100644 index 000000000..db2406054 --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/aws/session/custom_transport_go1.6.go @@ -0,0 +1,23 @@ +// +build !go1.7,go1.6 + +package session + +import ( + "net" + "net/http" + "time" +) + +// Transport that should be used when a custom CA bundle is specified with the +// SDK. +func getCustomTransport() *http.Transport { + return &http.Transport{ + Proxy: http.ProxyFromEnvironment, + Dial: (&net.Dialer{ + Timeout: 30 * time.Second, + KeepAlive: 30 * time.Second, + }).Dial, + TLSHandshakeTimeout: 10 * time.Second, + ExpectContinueTimeout: 1 * time.Second, + } +} diff --git a/vendor/github.com/aws/aws-sdk-go/aws/session/doc.go b/vendor/github.com/aws/aws-sdk-go/aws/session/doc.go new file mode 100644 index 000000000..9419b518d --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/aws/session/doc.go @@ -0,0 +1,289 @@ +/* +Package session provides configuration for the SDK's service clients. Sessions +can be shared across service clients that share the same base configuration. + +Sessions are safe to use concurrently as long as the Session is not being +modified. Sessions should be cached when possible, because creating a new +Session will load all configuration values from the environment, and config +files each time the Session is created. Sharing the Session value across all of +your service clients will ensure the configuration is loaded the fewest number +of times possible. + +Sessions options from Shared Config + +By default NewSession will only load credentials from the shared credentials +file (~/.aws/credentials). If the AWS_SDK_LOAD_CONFIG environment variable is +set to a truthy value the Session will be created from the configuration +values from the shared config (~/.aws/config) and shared credentials +(~/.aws/credentials) files. Using the NewSessionWithOptions with +SharedConfigState set to SharedConfigEnable will create the session as if the +AWS_SDK_LOAD_CONFIG environment variable was set. + +Credential and config loading order + +The Session will attempt to load configuration and credentials from the +environment, configuration files, and other credential sources. The order +configuration is loaded in is: + + * Environment Variables + * Shared Credentials file + * Shared Configuration file (if SharedConfig is enabled) + * EC2 Instance Metadata (credentials only) + +The Environment variables for credentials will have precedence over shared +config even if SharedConfig is enabled. To override this behavior, and use +shared config credentials instead specify the session.Options.Profile, (e.g. +when using credential_source=Environment to assume a role). + + sess, err := session.NewSessionWithOptions(session.Options{ + Profile: "myProfile", + }) + +Creating Sessions + +Creating a Session without additional options will load credentials region, and +profile loaded from the environment and shared config automatically. See, +"Environment Variables" section for information on environment variables used +by Session. + + // Create Session + sess, err := session.NewSession() + + +When creating Sessions optional aws.Config values can be passed in that will +override the default, or loaded, config values the Session is being created +with. This allows you to provide additional, or case based, configuration +as needed. + + // Create a Session with a custom region + sess, err := session.NewSession(&aws.Config{ + Region: aws.String("us-west-2"), + }) + +Use NewSessionWithOptions to provide additional configuration driving how the +Session's configuration will be loaded. Such as, specifying shared config +profile, or override the shared config state, (AWS_SDK_LOAD_CONFIG). + + // Equivalent to session.NewSession() + sess, err := session.NewSessionWithOptions(session.Options{ + // Options + }) + + sess, err := session.NewSessionWithOptions(session.Options{ + // Specify profile to load for the session's config + Profile: "profile_name", + + // Provide SDK Config options, such as Region. + Config: aws.Config{ + Region: aws.String("us-west-2"), + }, + + // Force enable Shared Config support + SharedConfigState: session.SharedConfigEnable, + }) + +Adding Handlers + +You can add handlers to a session to decorate API operation, (e.g. adding HTTP +headers). All clients that use the Session receive a copy of the Session's +handlers. For example, the following request handler added to the Session logs +every requests made. + + // Create a session, and add additional handlers for all service + // clients created with the Session to inherit. Adds logging handler. + sess := session.Must(session.NewSession()) + + sess.Handlers.Send.PushFront(func(r *request.Request) { + // Log every request made and its payload + logger.Printf("Request: %s/%s, Params: %s", + r.ClientInfo.ServiceName, r.Operation, r.Params) + }) + +Shared Config Fields + +By default the SDK will only load the shared credentials file's +(~/.aws/credentials) credentials values, and all other config is provided by +the environment variables, SDK defaults, and user provided aws.Config values. + +If the AWS_SDK_LOAD_CONFIG environment variable is set, or SharedConfigEnable +option is used to create the Session the full shared config values will be +loaded. This includes credentials, region, and support for assume role. In +addition the Session will load its configuration from both the shared config +file (~/.aws/config) and shared credentials file (~/.aws/credentials). Both +files have the same format. + +If both config files are present the configuration from both files will be +read. The Session will be created from configuration values from the shared +credentials file (~/.aws/credentials) over those in the shared config file +(~/.aws/config). + +Credentials are the values the SDK uses to authenticating requests with AWS +Services. When specified in a file, both aws_access_key_id and +aws_secret_access_key must be provided together in the same file to be +considered valid. They will be ignored if both are not present. +aws_session_token is an optional field that can be provided in addition to the +other two fields. + + aws_access_key_id = AKID + aws_secret_access_key = SECRET + aws_session_token = TOKEN + + ; region only supported if SharedConfigEnabled. + region = us-east-1 + +Assume Role configuration + +The role_arn field allows you to configure the SDK to assume an IAM role using +a set of credentials from another source. Such as when paired with static +credentials, "profile_source", "credential_process", or "credential_source" +fields. If "role_arn" is provided, a source of credentials must also be +specified, such as "source_profile", "credential_source", or +"credential_process". + + role_arn = arn:aws:iam:::role/ + source_profile = profile_with_creds + external_id = 1234 + mfa_serial = + role_session_name = session_name + + +The SDK supports assuming a role with MFA token. If "mfa_serial" is set, you +must also set the Session Option.AssumeRoleTokenProvider. The Session will fail +to load if the AssumeRoleTokenProvider is not specified. + + sess := session.Must(session.NewSessionWithOptions(session.Options{ + AssumeRoleTokenProvider: stscreds.StdinTokenProvider, + })) + +To setup Assume Role outside of a session see the stscreds.AssumeRoleProvider +documentation. + +Environment Variables + +When a Session is created several environment variables can be set to adjust +how the SDK functions, and what configuration data it loads when creating +Sessions. All environment values are optional, but some values like credentials +require multiple of the values to set or the partial values will be ignored. +All environment variable values are strings unless otherwise noted. + +Environment configuration values. If set both Access Key ID and Secret Access +Key must be provided. Session Token and optionally also be provided, but is +not required. + + # Access Key ID + AWS_ACCESS_KEY_ID=AKID + AWS_ACCESS_KEY=AKID # only read if AWS_ACCESS_KEY_ID is not set. + + # Secret Access Key + AWS_SECRET_ACCESS_KEY=SECRET + AWS_SECRET_KEY=SECRET=SECRET # only read if AWS_SECRET_ACCESS_KEY is not set. + + # Session Token + AWS_SESSION_TOKEN=TOKEN + +Region value will instruct the SDK where to make service API requests to. If is +not provided in the environment the region must be provided before a service +client request is made. + + AWS_REGION=us-east-1 + + # AWS_DEFAULT_REGION is only read if AWS_SDK_LOAD_CONFIG is also set, + # and AWS_REGION is not also set. + AWS_DEFAULT_REGION=us-east-1 + +Profile name the SDK should load use when loading shared config from the +configuration files. If not provided "default" will be used as the profile name. + + AWS_PROFILE=my_profile + + # AWS_DEFAULT_PROFILE is only read if AWS_SDK_LOAD_CONFIG is also set, + # and AWS_PROFILE is not also set. + AWS_DEFAULT_PROFILE=my_profile + +SDK load config instructs the SDK to load the shared config in addition to +shared credentials. This also expands the configuration loaded so the shared +credentials will have parity with the shared config file. This also enables +Region and Profile support for the AWS_DEFAULT_REGION and AWS_DEFAULT_PROFILE +env values as well. + + AWS_SDK_LOAD_CONFIG=1 + +Custom Shared Config and Credential Files + +Shared credentials file path can be set to instruct the SDK to use an alternative +file for the shared credentials. If not set the file will be loaded from +$HOME/.aws/credentials on Linux/Unix based systems, and +%USERPROFILE%\.aws\credentials on Windows. + + AWS_SHARED_CREDENTIALS_FILE=$HOME/my_shared_credentials + +Shared config file path can be set to instruct the SDK to use an alternative +file for the shared config. If not set the file will be loaded from +$HOME/.aws/config on Linux/Unix based systems, and +%USERPROFILE%\.aws\config on Windows. + + AWS_CONFIG_FILE=$HOME/my_shared_config + +Custom CA Bundle + +Path to a custom Credentials Authority (CA) bundle PEM file that the SDK +will use instead of the default system's root CA bundle. Use this only +if you want to replace the CA bundle the SDK uses for TLS requests. + + AWS_CA_BUNDLE=$HOME/my_custom_ca_bundle + +Enabling this option will attempt to merge the Transport into the SDK's HTTP +client. If the client's Transport is not a http.Transport an error will be +returned. If the Transport's TLS config is set this option will cause the SDK +to overwrite the Transport's TLS config's RootCAs value. If the CA bundle file +contains multiple certificates all of them will be loaded. + +The Session option CustomCABundle is also available when creating sessions +to also enable this feature. CustomCABundle session option field has priority +over the AWS_CA_BUNDLE environment variable, and will be used if both are set. + +Setting a custom HTTPClient in the aws.Config options will override this setting. +To use this option and custom HTTP client, the HTTP client needs to be provided +when creating the session. Not the service client. + +Custom Client TLS Certificate + +The SDK supports the environment and session option being configured with +Client TLS certificates that are sent as a part of the client's TLS handshake +for client authentication. If used, both Cert and Key values are required. If +one is missing, or either fail to load the contents of the file an error will +be returned. + +HTTP Client's Transport concrete implementation must be a http.Transport +or creating the session will fail. + + AWS_SDK_GO_CLIENT_TLS_KEY=$HOME/my_client_key + AWS_SDK_GO_CLIENT_TLS_CERT=$HOME/my_client_cert + +This can also be configured via the session.Options ClientTLSCert and ClientTLSKey. + + sess, err := session.NewSessionWithOptions(session.Options{ + ClientTLSCert: myCertFile, + ClientTLSKey: myKeyFile, + }) + +Custom EC2 IMDS Endpoint + +The endpoint of the EC2 IMDS client can be configured via the environment +variable, AWS_EC2_METADATA_SERVICE_ENDPOINT when creating the client with a +Session. See Options.EC2IMDSEndpoint for more details. + + AWS_EC2_METADATA_SERVICE_ENDPOINT=http://169.254.169.254 + +If using an URL with an IPv6 address literal, the IPv6 address +component must be enclosed in square brackets. + + AWS_EC2_METADATA_SERVICE_ENDPOINT=http://[::1] + +The custom EC2 IMDS endpoint can also be specified via the Session options. + + sess, err := session.NewSessionWithOptions(session.Options{ + EC2IMDSEndpoint: "http://[::1]", + }) +*/ +package session diff --git a/vendor/github.com/aws/aws-sdk-go/aws/session/env_config.go b/vendor/github.com/aws/aws-sdk-go/aws/session/env_config.go new file mode 100644 index 000000000..3cd5d4b5a --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/aws/session/env_config.go @@ -0,0 +1,378 @@ +package session + +import ( + "fmt" + "os" + "strconv" + "strings" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/credentials" + "github.com/aws/aws-sdk-go/aws/defaults" + "github.com/aws/aws-sdk-go/aws/endpoints" +) + +// EnvProviderName provides a name of the provider when config is loaded from environment. +const EnvProviderName = "EnvConfigCredentials" + +// envConfig is a collection of environment values the SDK will read +// setup config from. All environment values are optional. But some values +// such as credentials require multiple values to be complete or the values +// will be ignored. +type envConfig struct { + // Environment configuration values. If set both Access Key ID and Secret Access + // Key must be provided. Session Token and optionally also be provided, but is + // not required. + // + // # Access Key ID + // AWS_ACCESS_KEY_ID=AKID + // AWS_ACCESS_KEY=AKID # only read if AWS_ACCESS_KEY_ID is not set. + // + // # Secret Access Key + // AWS_SECRET_ACCESS_KEY=SECRET + // AWS_SECRET_KEY=SECRET=SECRET # only read if AWS_SECRET_ACCESS_KEY is not set. + // + // # Session Token + // AWS_SESSION_TOKEN=TOKEN + Creds credentials.Value + + // Region value will instruct the SDK where to make service API requests to. If is + // not provided in the environment the region must be provided before a service + // client request is made. + // + // AWS_REGION=us-east-1 + // + // # AWS_DEFAULT_REGION is only read if AWS_SDK_LOAD_CONFIG is also set, + // # and AWS_REGION is not also set. + // AWS_DEFAULT_REGION=us-east-1 + Region string + + // Profile name the SDK should load use when loading shared configuration from the + // shared configuration files. If not provided "default" will be used as the + // profile name. + // + // AWS_PROFILE=my_profile + // + // # AWS_DEFAULT_PROFILE is only read if AWS_SDK_LOAD_CONFIG is also set, + // # and AWS_PROFILE is not also set. + // AWS_DEFAULT_PROFILE=my_profile + Profile string + + // SDK load config instructs the SDK to load the shared config in addition to + // shared credentials. This also expands the configuration loaded from the shared + // credentials to have parity with the shared config file. This also enables + // Region and Profile support for the AWS_DEFAULT_REGION and AWS_DEFAULT_PROFILE + // env values as well. + // + // AWS_SDK_LOAD_CONFIG=1 + EnableSharedConfig bool + + // Shared credentials file path can be set to instruct the SDK to use an alternate + // file for the shared credentials. If not set the file will be loaded from + // $HOME/.aws/credentials on Linux/Unix based systems, and + // %USERPROFILE%\.aws\credentials on Windows. + // + // AWS_SHARED_CREDENTIALS_FILE=$HOME/my_shared_credentials + SharedCredentialsFile string + + // Shared config file path can be set to instruct the SDK to use an alternate + // file for the shared config. If not set the file will be loaded from + // $HOME/.aws/config on Linux/Unix based systems, and + // %USERPROFILE%\.aws\config on Windows. + // + // AWS_CONFIG_FILE=$HOME/my_shared_config + SharedConfigFile string + + // Sets the path to a custom Credentials Authority (CA) Bundle PEM file + // that the SDK will use instead of the system's root CA bundle. + // Only use this if you want to configure the SDK to use a custom set + // of CAs. + // + // Enabling this option will attempt to merge the Transport + // into the SDK's HTTP client. If the client's Transport is + // not a http.Transport an error will be returned. If the + // Transport's TLS config is set this option will cause the + // SDK to overwrite the Transport's TLS config's RootCAs value. + // + // Setting a custom HTTPClient in the aws.Config options will override this setting. + // To use this option and custom HTTP client, the HTTP client needs to be provided + // when creating the session. Not the service client. + // + // AWS_CA_BUNDLE=$HOME/my_custom_ca_bundle + CustomCABundle string + + // Sets the TLC client certificate that should be used by the SDK's HTTP transport + // when making requests. The certificate must be paired with a TLS client key file. + // + // AWS_SDK_GO_CLIENT_TLS_CERT=$HOME/my_client_cert + ClientTLSCert string + + // Sets the TLC client key that should be used by the SDK's HTTP transport + // when making requests. The key must be paired with a TLS client certificate file. + // + // AWS_SDK_GO_CLIENT_TLS_KEY=$HOME/my_client_key + ClientTLSKey string + + csmEnabled string + CSMEnabled *bool + CSMPort string + CSMHost string + CSMClientID string + + // Enables endpoint discovery via environment variables. + // + // AWS_ENABLE_ENDPOINT_DISCOVERY=true + EnableEndpointDiscovery *bool + enableEndpointDiscovery string + + // Specifies the WebIdentity token the SDK should use to assume a role + // with. + // + // AWS_WEB_IDENTITY_TOKEN_FILE=file_path + WebIdentityTokenFilePath string + + // Specifies the IAM role arn to use when assuming an role. + // + // AWS_ROLE_ARN=role_arn + RoleARN string + + // Specifies the IAM role session name to use when assuming a role. + // + // AWS_ROLE_SESSION_NAME=session_name + RoleSessionName string + + // Specifies the STS Regional Endpoint flag for the SDK to resolve the endpoint + // for a service. + // + // AWS_STS_REGIONAL_ENDPOINTS=regional + // This can take value as `regional` or `legacy` + STSRegionalEndpoint endpoints.STSRegionalEndpoint + + // Specifies the S3 Regional Endpoint flag for the SDK to resolve the + // endpoint for a service. + // + // AWS_S3_US_EAST_1_REGIONAL_ENDPOINT=regional + // This can take value as `regional` or `legacy` + S3UsEast1RegionalEndpoint endpoints.S3UsEast1RegionalEndpoint + + // Specifies if the S3 service should allow ARNs to direct the region + // the client's requests are sent to. + // + // AWS_S3_USE_ARN_REGION=true + S3UseARNRegion bool + + // Specifies the alternative endpoint to use for EC2 IMDS. + // + // AWS_EC2_METADATA_SERVICE_ENDPOINT=http://[::1] + EC2IMDSEndpoint string +} + +var ( + csmEnabledEnvKey = []string{ + "AWS_CSM_ENABLED", + } + csmHostEnvKey = []string{ + "AWS_CSM_HOST", + } + csmPortEnvKey = []string{ + "AWS_CSM_PORT", + } + csmClientIDEnvKey = []string{ + "AWS_CSM_CLIENT_ID", + } + credAccessEnvKey = []string{ + "AWS_ACCESS_KEY_ID", + "AWS_ACCESS_KEY", + } + credSecretEnvKey = []string{ + "AWS_SECRET_ACCESS_KEY", + "AWS_SECRET_KEY", + } + credSessionEnvKey = []string{ + "AWS_SESSION_TOKEN", + } + + enableEndpointDiscoveryEnvKey = []string{ + "AWS_ENABLE_ENDPOINT_DISCOVERY", + } + + regionEnvKeys = []string{ + "AWS_REGION", + "AWS_DEFAULT_REGION", // Only read if AWS_SDK_LOAD_CONFIG is also set + } + profileEnvKeys = []string{ + "AWS_PROFILE", + "AWS_DEFAULT_PROFILE", // Only read if AWS_SDK_LOAD_CONFIG is also set + } + sharedCredsFileEnvKey = []string{ + "AWS_SHARED_CREDENTIALS_FILE", + } + sharedConfigFileEnvKey = []string{ + "AWS_CONFIG_FILE", + } + webIdentityTokenFilePathEnvKey = []string{ + "AWS_WEB_IDENTITY_TOKEN_FILE", + } + roleARNEnvKey = []string{ + "AWS_ROLE_ARN", + } + roleSessionNameEnvKey = []string{ + "AWS_ROLE_SESSION_NAME", + } + stsRegionalEndpointKey = []string{ + "AWS_STS_REGIONAL_ENDPOINTS", + } + s3UsEast1RegionalEndpoint = []string{ + "AWS_S3_US_EAST_1_REGIONAL_ENDPOINT", + } + s3UseARNRegionEnvKey = []string{ + "AWS_S3_USE_ARN_REGION", + } + ec2IMDSEndpointEnvKey = []string{ + "AWS_EC2_METADATA_SERVICE_ENDPOINT", + } + useCABundleKey = []string{ + "AWS_CA_BUNDLE", + } + useClientTLSCert = []string{ + "AWS_SDK_GO_CLIENT_TLS_CERT", + } + useClientTLSKey = []string{ + "AWS_SDK_GO_CLIENT_TLS_KEY", + } +) + +// loadEnvConfig retrieves the SDK's environment configuration. +// See `envConfig` for the values that will be retrieved. +// +// If the environment variable `AWS_SDK_LOAD_CONFIG` is set to a truthy value +// the shared SDK config will be loaded in addition to the SDK's specific +// configuration values. +func loadEnvConfig() (envConfig, error) { + enableSharedConfig, _ := strconv.ParseBool(os.Getenv("AWS_SDK_LOAD_CONFIG")) + return envConfigLoad(enableSharedConfig) +} + +// loadEnvSharedConfig retrieves the SDK's environment configuration, and the +// SDK shared config. See `envConfig` for the values that will be retrieved. +// +// Loads the shared configuration in addition to the SDK's specific configuration. +// This will load the same values as `loadEnvConfig` if the `AWS_SDK_LOAD_CONFIG` +// environment variable is set. +func loadSharedEnvConfig() (envConfig, error) { + return envConfigLoad(true) +} + +func envConfigLoad(enableSharedConfig bool) (envConfig, error) { + cfg := envConfig{} + + cfg.EnableSharedConfig = enableSharedConfig + + // Static environment credentials + var creds credentials.Value + setFromEnvVal(&creds.AccessKeyID, credAccessEnvKey) + setFromEnvVal(&creds.SecretAccessKey, credSecretEnvKey) + setFromEnvVal(&creds.SessionToken, credSessionEnvKey) + if creds.HasKeys() { + // Require logical grouping of credentials + creds.ProviderName = EnvProviderName + cfg.Creds = creds + } + + // Role Metadata + setFromEnvVal(&cfg.RoleARN, roleARNEnvKey) + setFromEnvVal(&cfg.RoleSessionName, roleSessionNameEnvKey) + + // Web identity environment variables + setFromEnvVal(&cfg.WebIdentityTokenFilePath, webIdentityTokenFilePathEnvKey) + + // CSM environment variables + setFromEnvVal(&cfg.csmEnabled, csmEnabledEnvKey) + setFromEnvVal(&cfg.CSMHost, csmHostEnvKey) + setFromEnvVal(&cfg.CSMPort, csmPortEnvKey) + setFromEnvVal(&cfg.CSMClientID, csmClientIDEnvKey) + + if len(cfg.csmEnabled) != 0 { + v, _ := strconv.ParseBool(cfg.csmEnabled) + cfg.CSMEnabled = &v + } + + regionKeys := regionEnvKeys + profileKeys := profileEnvKeys + if !cfg.EnableSharedConfig { + regionKeys = regionKeys[:1] + profileKeys = profileKeys[:1] + } + + setFromEnvVal(&cfg.Region, regionKeys) + setFromEnvVal(&cfg.Profile, profileKeys) + + // endpoint discovery is in reference to it being enabled. + setFromEnvVal(&cfg.enableEndpointDiscovery, enableEndpointDiscoveryEnvKey) + if len(cfg.enableEndpointDiscovery) > 0 { + cfg.EnableEndpointDiscovery = aws.Bool(cfg.enableEndpointDiscovery != "false") + } + + setFromEnvVal(&cfg.SharedCredentialsFile, sharedCredsFileEnvKey) + setFromEnvVal(&cfg.SharedConfigFile, sharedConfigFileEnvKey) + + if len(cfg.SharedCredentialsFile) == 0 { + cfg.SharedCredentialsFile = defaults.SharedCredentialsFilename() + } + if len(cfg.SharedConfigFile) == 0 { + cfg.SharedConfigFile = defaults.SharedConfigFilename() + } + + setFromEnvVal(&cfg.CustomCABundle, useCABundleKey) + setFromEnvVal(&cfg.ClientTLSCert, useClientTLSCert) + setFromEnvVal(&cfg.ClientTLSKey, useClientTLSKey) + + var err error + // STS Regional Endpoint variable + for _, k := range stsRegionalEndpointKey { + if v := os.Getenv(k); len(v) != 0 { + cfg.STSRegionalEndpoint, err = endpoints.GetSTSRegionalEndpoint(v) + if err != nil { + return cfg, fmt.Errorf("failed to load, %v from env config, %v", k, err) + } + } + } + + // S3 Regional Endpoint variable + for _, k := range s3UsEast1RegionalEndpoint { + if v := os.Getenv(k); len(v) != 0 { + cfg.S3UsEast1RegionalEndpoint, err = endpoints.GetS3UsEast1RegionalEndpoint(v) + if err != nil { + return cfg, fmt.Errorf("failed to load, %v from env config, %v", k, err) + } + } + } + + var s3UseARNRegion string + setFromEnvVal(&s3UseARNRegion, s3UseARNRegionEnvKey) + if len(s3UseARNRegion) != 0 { + switch { + case strings.EqualFold(s3UseARNRegion, "false"): + cfg.S3UseARNRegion = false + case strings.EqualFold(s3UseARNRegion, "true"): + cfg.S3UseARNRegion = true + default: + return envConfig{}, fmt.Errorf( + "invalid value for environment variable, %s=%s, need true or false", + s3UseARNRegionEnvKey[0], s3UseARNRegion) + } + } + + setFromEnvVal(&cfg.EC2IMDSEndpoint, ec2IMDSEndpointEnvKey) + + return cfg, nil +} + +func setFromEnvVal(dst *string, keys []string) { + for _, k := range keys { + if v := os.Getenv(k); len(v) != 0 { + *dst = v + break + } + } +} diff --git a/vendor/github.com/aws/aws-sdk-go/aws/session/session.go b/vendor/github.com/aws/aws-sdk-go/aws/session/session.go new file mode 100644 index 000000000..038ae222f --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/aws/session/session.go @@ -0,0 +1,912 @@ +package session + +import ( + "crypto/tls" + "crypto/x509" + "fmt" + "io" + "io/ioutil" + "net/http" + "os" + "time" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/awserr" + "github.com/aws/aws-sdk-go/aws/client" + "github.com/aws/aws-sdk-go/aws/corehandlers" + "github.com/aws/aws-sdk-go/aws/credentials" + "github.com/aws/aws-sdk-go/aws/csm" + "github.com/aws/aws-sdk-go/aws/defaults" + "github.com/aws/aws-sdk-go/aws/endpoints" + "github.com/aws/aws-sdk-go/aws/request" +) + +const ( + // ErrCodeSharedConfig represents an error that occurs in the shared + // configuration logic + ErrCodeSharedConfig = "SharedConfigErr" + + // ErrCodeLoadCustomCABundle error code for unable to load custom CA bundle. + ErrCodeLoadCustomCABundle = "LoadCustomCABundleError" + + // ErrCodeLoadClientTLSCert error code for unable to load client TLS + // certificate or key + ErrCodeLoadClientTLSCert = "LoadClientTLSCertError" +) + +// ErrSharedConfigSourceCollision will be returned if a section contains both +// source_profile and credential_source +var ErrSharedConfigSourceCollision = awserr.New(ErrCodeSharedConfig, "only one credential type may be specified per profile: source profile, credential source, credential process, web identity token, or sso", nil) + +// ErrSharedConfigECSContainerEnvVarEmpty will be returned if the environment +// variables are empty and Environment was set as the credential source +var ErrSharedConfigECSContainerEnvVarEmpty = awserr.New(ErrCodeSharedConfig, "EcsContainer was specified as the credential_source, but 'AWS_CONTAINER_CREDENTIALS_RELATIVE_URI' was not set", nil) + +// ErrSharedConfigInvalidCredSource will be returned if an invalid credential source was provided +var ErrSharedConfigInvalidCredSource = awserr.New(ErrCodeSharedConfig, "credential source values must be EcsContainer, Ec2InstanceMetadata, or Environment", nil) + +// A Session provides a central location to create service clients from and +// store configurations and request handlers for those services. +// +// Sessions are safe to create service clients concurrently, but it is not safe +// to mutate the Session concurrently. +// +// The Session satisfies the service client's client.ConfigProvider. +type Session struct { + Config *aws.Config + Handlers request.Handlers + + options Options +} + +// New creates a new instance of the handlers merging in the provided configs +// on top of the SDK's default configurations. Once the Session is created it +// can be mutated to modify the Config or Handlers. The Session is safe to be +// read concurrently, but it should not be written to concurrently. +// +// If the AWS_SDK_LOAD_CONFIG environment is set to a truthy value, the New +// method could now encounter an error when loading the configuration. When +// The environment variable is set, and an error occurs, New will return a +// session that will fail all requests reporting the error that occurred while +// loading the session. Use NewSession to get the error when creating the +// session. +// +// If the AWS_SDK_LOAD_CONFIG environment variable is set to a truthy value +// the shared config file (~/.aws/config) will also be loaded, in addition to +// the shared credentials file (~/.aws/credentials). Values set in both the +// shared config, and shared credentials will be taken from the shared +// credentials file. +// +// Deprecated: Use NewSession functions to create sessions instead. NewSession +// has the same functionality as New except an error can be returned when the +// func is called instead of waiting to receive an error until a request is made. +func New(cfgs ...*aws.Config) *Session { + // load initial config from environment + envCfg, envErr := loadEnvConfig() + + if envCfg.EnableSharedConfig { + var cfg aws.Config + cfg.MergeIn(cfgs...) + s, err := NewSessionWithOptions(Options{ + Config: cfg, + SharedConfigState: SharedConfigEnable, + }) + if err != nil { + // Old session.New expected all errors to be discovered when + // a request is made, and would report the errors then. This + // needs to be replicated if an error occurs while creating + // the session. + msg := "failed to create session with AWS_SDK_LOAD_CONFIG enabled. " + + "Use session.NewSession to handle errors occurring during session creation." + + // Session creation failed, need to report the error and prevent + // any requests from succeeding. + s = &Session{Config: defaults.Config()} + s.logDeprecatedNewSessionError(msg, err, cfgs) + } + + return s + } + + s := deprecatedNewSession(envCfg, cfgs...) + if envErr != nil { + msg := "failed to load env config" + s.logDeprecatedNewSessionError(msg, envErr, cfgs) + } + + if csmCfg, err := loadCSMConfig(envCfg, []string{}); err != nil { + if l := s.Config.Logger; l != nil { + l.Log(fmt.Sprintf("ERROR: failed to load CSM configuration, %v", err)) + } + } else if csmCfg.Enabled { + err := enableCSM(&s.Handlers, csmCfg, s.Config.Logger) + if err != nil { + msg := "failed to enable CSM" + s.logDeprecatedNewSessionError(msg, err, cfgs) + } + } + + return s +} + +// NewSession returns a new Session created from SDK defaults, config files, +// environment, and user provided config files. Once the Session is created +// it can be mutated to modify the Config or Handlers. The Session is safe to +// be read concurrently, but it should not be written to concurrently. +// +// If the AWS_SDK_LOAD_CONFIG environment variable is set to a truthy value +// the shared config file (~/.aws/config) will also be loaded in addition to +// the shared credentials file (~/.aws/credentials). Values set in both the +// shared config, and shared credentials will be taken from the shared +// credentials file. Enabling the Shared Config will also allow the Session +// to be built with retrieving credentials with AssumeRole set in the config. +// +// See the NewSessionWithOptions func for information on how to override or +// control through code how the Session will be created, such as specifying the +// config profile, and controlling if shared config is enabled or not. +func NewSession(cfgs ...*aws.Config) (*Session, error) { + opts := Options{} + opts.Config.MergeIn(cfgs...) + + return NewSessionWithOptions(opts) +} + +// SharedConfigState provides the ability to optionally override the state +// of the session's creation based on the shared config being enabled or +// disabled. +type SharedConfigState int + +const ( + // SharedConfigStateFromEnv does not override any state of the + // AWS_SDK_LOAD_CONFIG env var. It is the default value of the + // SharedConfigState type. + SharedConfigStateFromEnv SharedConfigState = iota + + // SharedConfigDisable overrides the AWS_SDK_LOAD_CONFIG env var value + // and disables the shared config functionality. + SharedConfigDisable + + // SharedConfigEnable overrides the AWS_SDK_LOAD_CONFIG env var value + // and enables the shared config functionality. + SharedConfigEnable +) + +// Options provides the means to control how a Session is created and what +// configuration values will be loaded. +// +type Options struct { + // Provides config values for the SDK to use when creating service clients + // and making API requests to services. Any value set in with this field + // will override the associated value provided by the SDK defaults, + // environment or config files where relevant. + // + // If not set, configuration values from from SDK defaults, environment, + // config will be used. + Config aws.Config + + // Overrides the config profile the Session should be created from. If not + // set the value of the environment variable will be loaded (AWS_PROFILE, + // or AWS_DEFAULT_PROFILE if the Shared Config is enabled). + // + // If not set and environment variables are not set the "default" + // (DefaultSharedConfigProfile) will be used as the profile to load the + // session config from. + Profile string + + // Instructs how the Session will be created based on the AWS_SDK_LOAD_CONFIG + // environment variable. By default a Session will be created using the + // value provided by the AWS_SDK_LOAD_CONFIG environment variable. + // + // Setting this value to SharedConfigEnable or SharedConfigDisable + // will allow you to override the AWS_SDK_LOAD_CONFIG environment variable + // and enable or disable the shared config functionality. + SharedConfigState SharedConfigState + + // Ordered list of files the session will load configuration from. + // It will override environment variable AWS_SHARED_CREDENTIALS_FILE, AWS_CONFIG_FILE. + SharedConfigFiles []string + + // When the SDK's shared config is configured to assume a role with MFA + // this option is required in order to provide the mechanism that will + // retrieve the MFA token. There is no default value for this field. If + // it is not set an error will be returned when creating the session. + // + // This token provider will be called when ever the assumed role's + // credentials need to be refreshed. Within the context of service clients + // all sharing the same session the SDK will ensure calls to the token + // provider are atomic. When sharing a token provider across multiple + // sessions additional synchronization logic is needed to ensure the + // token providers do not introduce race conditions. It is recommend to + // share the session where possible. + // + // stscreds.StdinTokenProvider is a basic implementation that will prompt + // from stdin for the MFA token code. + // + // This field is only used if the shared configuration is enabled, and + // the config enables assume role wit MFA via the mfa_serial field. + AssumeRoleTokenProvider func() (string, error) + + // When the SDK's shared config is configured to assume a role this option + // may be provided to set the expiry duration of the STS credentials. + // Defaults to 15 minutes if not set as documented in the + // stscreds.AssumeRoleProvider. + AssumeRoleDuration time.Duration + + // Reader for a custom Credentials Authority (CA) bundle in PEM format that + // the SDK will use instead of the default system's root CA bundle. Use this + // only if you want to replace the CA bundle the SDK uses for TLS requests. + // + // HTTP Client's Transport concrete implementation must be a http.Transport + // or creating the session will fail. + // + // If the Transport's TLS config is set this option will cause the SDK + // to overwrite the Transport's TLS config's RootCAs value. If the CA + // bundle reader contains multiple certificates all of them will be loaded. + // + // Can also be specified via the environment variable: + // + // AWS_CA_BUNDLE=$HOME/ca_bundle + // + // Can also be specified via the shared config field: + // + // ca_bundle = $HOME/ca_bundle + CustomCABundle io.Reader + + // Reader for the TLC client certificate that should be used by the SDK's + // HTTP transport when making requests. The certificate must be paired with + // a TLS client key file. Will be ignored if both are not provided. + // + // HTTP Client's Transport concrete implementation must be a http.Transport + // or creating the session will fail. + // + // Can also be specified via the environment variable: + // + // AWS_SDK_GO_CLIENT_TLS_CERT=$HOME/my_client_cert + ClientTLSCert io.Reader + + // Reader for the TLC client key that should be used by the SDK's HTTP + // transport when making requests. The key must be paired with a TLS client + // certificate file. Will be ignored if both are not provided. + // + // HTTP Client's Transport concrete implementation must be a http.Transport + // or creating the session will fail. + // + // Can also be specified via the environment variable: + // + // AWS_SDK_GO_CLIENT_TLS_KEY=$HOME/my_client_key + ClientTLSKey io.Reader + + // The handlers that the session and all API clients will be created with. + // This must be a complete set of handlers. Use the defaults.Handlers() + // function to initialize this value before changing the handlers to be + // used by the SDK. + Handlers request.Handlers + + // Allows specifying a custom endpoint to be used by the EC2 IMDS client + // when making requests to the EC2 IMDS API. The must endpoint value must + // include protocol prefix. + // + // If unset, will the EC2 IMDS client will use its default endpoint. + // + // Can also be specified via the environment variable, + // AWS_EC2_METADATA_SERVICE_ENDPOINT. + // + // AWS_EC2_METADATA_SERVICE_ENDPOINT=http://169.254.169.254 + // + // If using an URL with an IPv6 address literal, the IPv6 address + // component must be enclosed in square brackets. + // + // AWS_EC2_METADATA_SERVICE_ENDPOINT=http://[::1] + EC2IMDSEndpoint string +} + +// NewSessionWithOptions returns a new Session created from SDK defaults, config files, +// environment, and user provided config files. This func uses the Options +// values to configure how the Session is created. +// +// If the AWS_SDK_LOAD_CONFIG environment variable is set to a truthy value +// the shared config file (~/.aws/config) will also be loaded in addition to +// the shared credentials file (~/.aws/credentials). Values set in both the +// shared config, and shared credentials will be taken from the shared +// credentials file. Enabling the Shared Config will also allow the Session +// to be built with retrieving credentials with AssumeRole set in the config. +// +// // Equivalent to session.New +// sess := session.Must(session.NewSessionWithOptions(session.Options{})) +// +// // Specify profile to load for the session's config +// sess := session.Must(session.NewSessionWithOptions(session.Options{ +// Profile: "profile_name", +// })) +// +// // Specify profile for config and region for requests +// sess := session.Must(session.NewSessionWithOptions(session.Options{ +// Config: aws.Config{Region: aws.String("us-east-1")}, +// Profile: "profile_name", +// })) +// +// // Force enable Shared Config support +// sess := session.Must(session.NewSessionWithOptions(session.Options{ +// SharedConfigState: session.SharedConfigEnable, +// })) +func NewSessionWithOptions(opts Options) (*Session, error) { + var envCfg envConfig + var err error + if opts.SharedConfigState == SharedConfigEnable { + envCfg, err = loadSharedEnvConfig() + if err != nil { + return nil, fmt.Errorf("failed to load shared config, %v", err) + } + } else { + envCfg, err = loadEnvConfig() + if err != nil { + return nil, fmt.Errorf("failed to load environment config, %v", err) + } + } + + if len(opts.Profile) != 0 { + envCfg.Profile = opts.Profile + } + + switch opts.SharedConfigState { + case SharedConfigDisable: + envCfg.EnableSharedConfig = false + case SharedConfigEnable: + envCfg.EnableSharedConfig = true + } + + return newSession(opts, envCfg, &opts.Config) +} + +// Must is a helper function to ensure the Session is valid and there was no +// error when calling a NewSession function. +// +// This helper is intended to be used in variable initialization to load the +// Session and configuration at startup. Such as: +// +// var sess = session.Must(session.NewSession()) +func Must(sess *Session, err error) *Session { + if err != nil { + panic(err) + } + + return sess +} + +// Wraps the endpoint resolver with a resolver that will return a custom +// endpoint for EC2 IMDS. +func wrapEC2IMDSEndpoint(resolver endpoints.Resolver, endpoint string) endpoints.Resolver { + return endpoints.ResolverFunc( + func(service, region string, opts ...func(*endpoints.Options)) ( + endpoints.ResolvedEndpoint, error, + ) { + if service == ec2MetadataServiceID { + return endpoints.ResolvedEndpoint{ + URL: endpoint, + SigningName: ec2MetadataServiceID, + SigningRegion: region, + }, nil + } + return resolver.EndpointFor(service, region) + }) +} + +func deprecatedNewSession(envCfg envConfig, cfgs ...*aws.Config) *Session { + cfg := defaults.Config() + handlers := defaults.Handlers() + + // Apply the passed in configs so the configuration can be applied to the + // default credential chain + cfg.MergeIn(cfgs...) + if cfg.EndpointResolver == nil { + // An endpoint resolver is required for a session to be able to provide + // endpoints for service client configurations. + cfg.EndpointResolver = endpoints.DefaultResolver() + } + + if len(envCfg.EC2IMDSEndpoint) != 0 { + cfg.EndpointResolver = wrapEC2IMDSEndpoint(cfg.EndpointResolver, envCfg.EC2IMDSEndpoint) + } + + cfg.Credentials = defaults.CredChain(cfg, handlers) + + // Reapply any passed in configs to override credentials if set + cfg.MergeIn(cfgs...) + + s := &Session{ + Config: cfg, + Handlers: handlers, + options: Options{ + EC2IMDSEndpoint: envCfg.EC2IMDSEndpoint, + }, + } + + initHandlers(s) + return s +} + +func enableCSM(handlers *request.Handlers, cfg csmConfig, logger aws.Logger) error { + if logger != nil { + logger.Log("Enabling CSM") + } + + r, err := csm.Start(cfg.ClientID, csm.AddressWithDefaults(cfg.Host, cfg.Port)) + if err != nil { + return err + } + r.InjectHandlers(handlers) + + return nil +} + +func newSession(opts Options, envCfg envConfig, cfgs ...*aws.Config) (*Session, error) { + cfg := defaults.Config() + + handlers := opts.Handlers + if handlers.IsEmpty() { + handlers = defaults.Handlers() + } + + // Get a merged version of the user provided config to determine if + // credentials were. + userCfg := &aws.Config{} + userCfg.MergeIn(cfgs...) + cfg.MergeIn(userCfg) + + // Ordered config files will be loaded in with later files overwriting + // previous config file values. + var cfgFiles []string + if opts.SharedConfigFiles != nil { + cfgFiles = opts.SharedConfigFiles + } else { + cfgFiles = []string{envCfg.SharedConfigFile, envCfg.SharedCredentialsFile} + if !envCfg.EnableSharedConfig { + // The shared config file (~/.aws/config) is only loaded if instructed + // to load via the envConfig.EnableSharedConfig (AWS_SDK_LOAD_CONFIG). + cfgFiles = cfgFiles[1:] + } + } + + // Load additional config from file(s) + sharedCfg, err := loadSharedConfig(envCfg.Profile, cfgFiles, envCfg.EnableSharedConfig) + if err != nil { + if len(envCfg.Profile) == 0 && !envCfg.EnableSharedConfig && (envCfg.Creds.HasKeys() || userCfg.Credentials != nil) { + // Special case where the user has not explicitly specified an AWS_PROFILE, + // or session.Options.profile, shared config is not enabled, and the + // environment has credentials, allow the shared config file to fail to + // load since the user has already provided credentials, and nothing else + // is required to be read file. Github(aws/aws-sdk-go#2455) + } else if _, ok := err.(SharedConfigProfileNotExistsError); !ok { + return nil, err + } + } + + if err := mergeConfigSrcs(cfg, userCfg, envCfg, sharedCfg, handlers, opts); err != nil { + return nil, err + } + + if err := setTLSOptions(&opts, cfg, envCfg, sharedCfg); err != nil { + return nil, err + } + + s := &Session{ + Config: cfg, + Handlers: handlers, + options: opts, + } + + initHandlers(s) + + if csmCfg, err := loadCSMConfig(envCfg, cfgFiles); err != nil { + if l := s.Config.Logger; l != nil { + l.Log(fmt.Sprintf("ERROR: failed to load CSM configuration, %v", err)) + } + } else if csmCfg.Enabled { + err = enableCSM(&s.Handlers, csmCfg, s.Config.Logger) + if err != nil { + return nil, err + } + } + + return s, nil +} + +type csmConfig struct { + Enabled bool + Host string + Port string + ClientID string +} + +var csmProfileName = "aws_csm" + +func loadCSMConfig(envCfg envConfig, cfgFiles []string) (csmConfig, error) { + if envCfg.CSMEnabled != nil { + if *envCfg.CSMEnabled { + return csmConfig{ + Enabled: true, + ClientID: envCfg.CSMClientID, + Host: envCfg.CSMHost, + Port: envCfg.CSMPort, + }, nil + } + return csmConfig{}, nil + } + + sharedCfg, err := loadSharedConfig(csmProfileName, cfgFiles, false) + if err != nil { + if _, ok := err.(SharedConfigProfileNotExistsError); !ok { + return csmConfig{}, err + } + } + if sharedCfg.CSMEnabled != nil && *sharedCfg.CSMEnabled == true { + return csmConfig{ + Enabled: true, + ClientID: sharedCfg.CSMClientID, + Host: sharedCfg.CSMHost, + Port: sharedCfg.CSMPort, + }, nil + } + + return csmConfig{}, nil +} + +func setTLSOptions(opts *Options, cfg *aws.Config, envCfg envConfig, sharedCfg sharedConfig) error { + // CA Bundle can be specified in both environment variable shared config file. + var caBundleFilename = envCfg.CustomCABundle + if len(caBundleFilename) == 0 { + caBundleFilename = sharedCfg.CustomCABundle + } + + // Only use environment value if session option is not provided. + customTLSOptions := map[string]struct { + filename string + field *io.Reader + errCode string + }{ + "custom CA bundle PEM": {filename: caBundleFilename, field: &opts.CustomCABundle, errCode: ErrCodeLoadCustomCABundle}, + "custom client TLS cert": {filename: envCfg.ClientTLSCert, field: &opts.ClientTLSCert, errCode: ErrCodeLoadClientTLSCert}, + "custom client TLS key": {filename: envCfg.ClientTLSKey, field: &opts.ClientTLSKey, errCode: ErrCodeLoadClientTLSCert}, + } + for name, v := range customTLSOptions { + if len(v.filename) != 0 && *v.field == nil { + f, err := os.Open(v.filename) + if err != nil { + return awserr.New(v.errCode, fmt.Sprintf("failed to open %s file", name), err) + } + defer f.Close() + *v.field = f + } + } + + // Setup HTTP client with custom cert bundle if enabled + if opts.CustomCABundle != nil { + if err := loadCustomCABundle(cfg.HTTPClient, opts.CustomCABundle); err != nil { + return err + } + } + + // Setup HTTP client TLS certificate and key for client TLS authentication. + if opts.ClientTLSCert != nil && opts.ClientTLSKey != nil { + if err := loadClientTLSCert(cfg.HTTPClient, opts.ClientTLSCert, opts.ClientTLSKey); err != nil { + return err + } + } else if opts.ClientTLSCert == nil && opts.ClientTLSKey == nil { + // Do nothing if neither values are available. + + } else { + return awserr.New(ErrCodeLoadClientTLSCert, + fmt.Sprintf("client TLS cert(%t) and key(%t) must both be provided", + opts.ClientTLSCert != nil, opts.ClientTLSKey != nil), nil) + } + + return nil +} + +func getHTTPTransport(client *http.Client) (*http.Transport, error) { + var t *http.Transport + switch v := client.Transport.(type) { + case *http.Transport: + t = v + default: + if client.Transport != nil { + return nil, fmt.Errorf("unsupported transport, %T", client.Transport) + } + } + if t == nil { + // Nil transport implies `http.DefaultTransport` should be used. Since + // the SDK cannot modify, nor copy the `DefaultTransport` specifying + // the values the next closest behavior. + t = getCustomTransport() + } + + return t, nil +} + +func loadCustomCABundle(client *http.Client, bundle io.Reader) error { + t, err := getHTTPTransport(client) + if err != nil { + return awserr.New(ErrCodeLoadCustomCABundle, + "unable to load custom CA bundle, HTTPClient's transport unsupported type", err) + } + + p, err := loadCertPool(bundle) + if err != nil { + return err + } + if t.TLSClientConfig == nil { + t.TLSClientConfig = &tls.Config{} + } + t.TLSClientConfig.RootCAs = p + + client.Transport = t + + return nil +} + +func loadCertPool(r io.Reader) (*x509.CertPool, error) { + b, err := ioutil.ReadAll(r) + if err != nil { + return nil, awserr.New(ErrCodeLoadCustomCABundle, + "failed to read custom CA bundle PEM file", err) + } + + p := x509.NewCertPool() + if !p.AppendCertsFromPEM(b) { + return nil, awserr.New(ErrCodeLoadCustomCABundle, + "failed to load custom CA bundle PEM file", err) + } + + return p, nil +} + +func loadClientTLSCert(client *http.Client, certFile, keyFile io.Reader) error { + t, err := getHTTPTransport(client) + if err != nil { + return awserr.New(ErrCodeLoadClientTLSCert, + "unable to get usable HTTP transport from client", err) + } + + cert, err := ioutil.ReadAll(certFile) + if err != nil { + return awserr.New(ErrCodeLoadClientTLSCert, + "unable to get read client TLS cert file", err) + } + + key, err := ioutil.ReadAll(keyFile) + if err != nil { + return awserr.New(ErrCodeLoadClientTLSCert, + "unable to get read client TLS key file", err) + } + + clientCert, err := tls.X509KeyPair(cert, key) + if err != nil { + return awserr.New(ErrCodeLoadClientTLSCert, + "unable to load x509 key pair from client cert", err) + } + + tlsCfg := t.TLSClientConfig + if tlsCfg == nil { + tlsCfg = &tls.Config{} + } + + tlsCfg.Certificates = append(tlsCfg.Certificates, clientCert) + + t.TLSClientConfig = tlsCfg + client.Transport = t + + return nil +} + +func mergeConfigSrcs(cfg, userCfg *aws.Config, + envCfg envConfig, sharedCfg sharedConfig, + handlers request.Handlers, + sessOpts Options, +) error { + + // Region if not already set by user + if len(aws.StringValue(cfg.Region)) == 0 { + if len(envCfg.Region) > 0 { + cfg.WithRegion(envCfg.Region) + } else if envCfg.EnableSharedConfig && len(sharedCfg.Region) > 0 { + cfg.WithRegion(sharedCfg.Region) + } + } + + if cfg.EnableEndpointDiscovery == nil { + if envCfg.EnableEndpointDiscovery != nil { + cfg.WithEndpointDiscovery(*envCfg.EnableEndpointDiscovery) + } else if envCfg.EnableSharedConfig && sharedCfg.EnableEndpointDiscovery != nil { + cfg.WithEndpointDiscovery(*sharedCfg.EnableEndpointDiscovery) + } + } + + // Regional Endpoint flag for STS endpoint resolving + mergeSTSRegionalEndpointConfig(cfg, []endpoints.STSRegionalEndpoint{ + userCfg.STSRegionalEndpoint, + envCfg.STSRegionalEndpoint, + sharedCfg.STSRegionalEndpoint, + endpoints.LegacySTSEndpoint, + }) + + // Regional Endpoint flag for S3 endpoint resolving + mergeS3UsEast1RegionalEndpointConfig(cfg, []endpoints.S3UsEast1RegionalEndpoint{ + userCfg.S3UsEast1RegionalEndpoint, + envCfg.S3UsEast1RegionalEndpoint, + sharedCfg.S3UsEast1RegionalEndpoint, + endpoints.LegacyS3UsEast1Endpoint, + }) + + ec2IMDSEndpoint := sessOpts.EC2IMDSEndpoint + if len(ec2IMDSEndpoint) == 0 { + ec2IMDSEndpoint = envCfg.EC2IMDSEndpoint + } + if len(ec2IMDSEndpoint) != 0 { + cfg.EndpointResolver = wrapEC2IMDSEndpoint(cfg.EndpointResolver, ec2IMDSEndpoint) + } + + // Configure credentials if not already set by the user when creating the + // Session. + if cfg.Credentials == credentials.AnonymousCredentials && userCfg.Credentials == nil { + creds, err := resolveCredentials(cfg, envCfg, sharedCfg, handlers, sessOpts) + if err != nil { + return err + } + cfg.Credentials = creds + } + + cfg.S3UseARNRegion = userCfg.S3UseARNRegion + if cfg.S3UseARNRegion == nil { + cfg.S3UseARNRegion = &envCfg.S3UseARNRegion + } + if cfg.S3UseARNRegion == nil { + cfg.S3UseARNRegion = &sharedCfg.S3UseARNRegion + } + + return nil +} + +func mergeSTSRegionalEndpointConfig(cfg *aws.Config, values []endpoints.STSRegionalEndpoint) { + for _, v := range values { + if v != endpoints.UnsetSTSEndpoint { + cfg.STSRegionalEndpoint = v + break + } + } +} + +func mergeS3UsEast1RegionalEndpointConfig(cfg *aws.Config, values []endpoints.S3UsEast1RegionalEndpoint) { + for _, v := range values { + if v != endpoints.UnsetS3UsEast1Endpoint { + cfg.S3UsEast1RegionalEndpoint = v + break + } + } +} + +func initHandlers(s *Session) { + // Add the Validate parameter handler if it is not disabled. + s.Handlers.Validate.Remove(corehandlers.ValidateParametersHandler) + if !aws.BoolValue(s.Config.DisableParamValidation) { + s.Handlers.Validate.PushBackNamed(corehandlers.ValidateParametersHandler) + } +} + +// Copy creates and returns a copy of the current Session, copying the config +// and handlers. If any additional configs are provided they will be merged +// on top of the Session's copied config. +// +// // Create a copy of the current Session, configured for the us-west-2 region. +// sess.Copy(&aws.Config{Region: aws.String("us-west-2")}) +func (s *Session) Copy(cfgs ...*aws.Config) *Session { + newSession := &Session{ + Config: s.Config.Copy(cfgs...), + Handlers: s.Handlers.Copy(), + options: s.options, + } + + initHandlers(newSession) + + return newSession +} + +// ClientConfig satisfies the client.ConfigProvider interface and is used to +// configure the service client instances. Passing the Session to the service +// client's constructor (New) will use this method to configure the client. +func (s *Session) ClientConfig(service string, cfgs ...*aws.Config) client.Config { + s = s.Copy(cfgs...) + + region := aws.StringValue(s.Config.Region) + resolved, err := s.resolveEndpoint(service, region, s.Config) + if err != nil { + s.Handlers.Validate.PushBack(func(r *request.Request) { + if len(r.ClientInfo.Endpoint) != 0 { + // Error occurred while resolving endpoint, but the request + // being invoked has had an endpoint specified after the client + // was created. + return + } + r.Error = err + }) + } + + return client.Config{ + Config: s.Config, + Handlers: s.Handlers, + PartitionID: resolved.PartitionID, + Endpoint: resolved.URL, + SigningRegion: resolved.SigningRegion, + SigningNameDerived: resolved.SigningNameDerived, + SigningName: resolved.SigningName, + } +} + +const ec2MetadataServiceID = "ec2metadata" + +func (s *Session) resolveEndpoint(service, region string, cfg *aws.Config) (endpoints.ResolvedEndpoint, error) { + + if ep := aws.StringValue(cfg.Endpoint); len(ep) != 0 { + return endpoints.ResolvedEndpoint{ + URL: endpoints.AddScheme(ep, aws.BoolValue(cfg.DisableSSL)), + SigningRegion: region, + }, nil + } + + resolved, err := cfg.EndpointResolver.EndpointFor(service, region, + func(opt *endpoints.Options) { + opt.DisableSSL = aws.BoolValue(cfg.DisableSSL) + opt.UseDualStack = aws.BoolValue(cfg.UseDualStack) + // Support for STSRegionalEndpoint where the STSRegionalEndpoint is + // provided in envConfig or sharedConfig with envConfig getting + // precedence. + opt.STSRegionalEndpoint = cfg.STSRegionalEndpoint + + // Support for S3UsEast1RegionalEndpoint where the S3UsEast1RegionalEndpoint is + // provided in envConfig or sharedConfig with envConfig getting + // precedence. + opt.S3UsEast1RegionalEndpoint = cfg.S3UsEast1RegionalEndpoint + + // Support the condition where the service is modeled but its + // endpoint metadata is not available. + opt.ResolveUnknownService = true + }, + ) + if err != nil { + return endpoints.ResolvedEndpoint{}, err + } + + return resolved, nil +} + +// ClientConfigNoResolveEndpoint is the same as ClientConfig with the exception +// that the EndpointResolver will not be used to resolve the endpoint. The only +// endpoint set must come from the aws.Config.Endpoint field. +func (s *Session) ClientConfigNoResolveEndpoint(cfgs ...*aws.Config) client.Config { + s = s.Copy(cfgs...) + + var resolved endpoints.ResolvedEndpoint + if ep := aws.StringValue(s.Config.Endpoint); len(ep) > 0 { + resolved.URL = endpoints.AddScheme(ep, aws.BoolValue(s.Config.DisableSSL)) + resolved.SigningRegion = aws.StringValue(s.Config.Region) + } + + return client.Config{ + Config: s.Config, + Handlers: s.Handlers, + Endpoint: resolved.URL, + SigningRegion: resolved.SigningRegion, + SigningNameDerived: resolved.SigningNameDerived, + SigningName: resolved.SigningName, + } +} + +// logDeprecatedNewSessionError function enables error handling for session +func (s *Session) logDeprecatedNewSessionError(msg string, err error, cfgs []*aws.Config) { + // Session creation failed, need to report the error and prevent + // any requests from succeeding. + s.Config.MergeIn(cfgs...) + s.Config.Logger.Log("ERROR:", msg, "Error:", err) + s.Handlers.Validate.PushBack(func(r *request.Request) { + r.Error = err + }) +} diff --git a/vendor/github.com/aws/aws-sdk-go/aws/session/shared_config.go b/vendor/github.com/aws/aws-sdk-go/aws/session/shared_config.go new file mode 100644 index 000000000..c3f38b6ec --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/aws/session/shared_config.go @@ -0,0 +1,642 @@ +package session + +import ( + "fmt" + "strings" + "time" + + "github.com/aws/aws-sdk-go/aws/awserr" + "github.com/aws/aws-sdk-go/aws/credentials" + "github.com/aws/aws-sdk-go/aws/endpoints" + "github.com/aws/aws-sdk-go/internal/ini" +) + +const ( + // Static Credentials group + accessKeyIDKey = `aws_access_key_id` // group required + secretAccessKey = `aws_secret_access_key` // group required + sessionTokenKey = `aws_session_token` // optional + + // Assume Role Credentials group + roleArnKey = `role_arn` // group required + sourceProfileKey = `source_profile` // group required (or credential_source) + credentialSourceKey = `credential_source` // group required (or source_profile) + externalIDKey = `external_id` // optional + mfaSerialKey = `mfa_serial` // optional + roleSessionNameKey = `role_session_name` // optional + roleDurationSecondsKey = "duration_seconds" // optional + + // AWS Single Sign-On (AWS SSO) group + ssoAccountIDKey = "sso_account_id" + ssoRegionKey = "sso_region" + ssoRoleNameKey = "sso_role_name" + ssoStartURL = "sso_start_url" + + // CSM options + csmEnabledKey = `csm_enabled` + csmHostKey = `csm_host` + csmPortKey = `csm_port` + csmClientIDKey = `csm_client_id` + + // Additional Config fields + regionKey = `region` + + // custom CA Bundle filename + customCABundleKey = `ca_bundle` + + // endpoint discovery group + enableEndpointDiscoveryKey = `endpoint_discovery_enabled` // optional + + // External Credential Process + credentialProcessKey = `credential_process` // optional + + // Web Identity Token File + webIdentityTokenFileKey = `web_identity_token_file` // optional + + // Additional config fields for regional or legacy endpoints + stsRegionalEndpointSharedKey = `sts_regional_endpoints` + + // Additional config fields for regional or legacy endpoints + s3UsEast1RegionalSharedKey = `s3_us_east_1_regional_endpoint` + + // DefaultSharedConfigProfile is the default profile to be used when + // loading configuration from the config files if another profile name + // is not provided. + DefaultSharedConfigProfile = `default` + + // S3 ARN Region Usage + s3UseARNRegionKey = "s3_use_arn_region" +) + +// sharedConfig represents the configuration fields of the SDK config files. +type sharedConfig struct { + Profile string + + // Credentials values from the config file. Both aws_access_key_id and + // aws_secret_access_key must be provided together in the same file to be + // considered valid. The values will be ignored if not a complete group. + // aws_session_token is an optional field that can be provided if both of + // the other two fields are also provided. + // + // aws_access_key_id + // aws_secret_access_key + // aws_session_token + Creds credentials.Value + + CredentialSource string + CredentialProcess string + WebIdentityTokenFile string + + SSOAccountID string + SSORegion string + SSORoleName string + SSOStartURL string + + RoleARN string + RoleSessionName string + ExternalID string + MFASerial string + AssumeRoleDuration *time.Duration + + SourceProfileName string + SourceProfile *sharedConfig + + // Region is the region the SDK should use for looking up AWS service + // endpoints and signing requests. + // + // region + Region string + + // CustomCABundle is the file path to a PEM file the SDK will read and + // use to configure the HTTP transport with additional CA certs that are + // not present in the platforms default CA store. + // + // This value will be ignored if the file does not exist. + // + // ca_bundle + CustomCABundle string + + // EnableEndpointDiscovery can be enabled in the shared config by setting + // endpoint_discovery_enabled to true + // + // endpoint_discovery_enabled = true + EnableEndpointDiscovery *bool + + // CSM Options + CSMEnabled *bool + CSMHost string + CSMPort string + CSMClientID string + + // Specifies the Regional Endpoint flag for the SDK to resolve the endpoint for a service + // + // sts_regional_endpoints = regional + // This can take value as `LegacySTSEndpoint` or `RegionalSTSEndpoint` + STSRegionalEndpoint endpoints.STSRegionalEndpoint + + // Specifies the Regional Endpoint flag for the SDK to resolve the endpoint for a service + // + // s3_us_east_1_regional_endpoint = regional + // This can take value as `LegacyS3UsEast1Endpoint` or `RegionalS3UsEast1Endpoint` + S3UsEast1RegionalEndpoint endpoints.S3UsEast1RegionalEndpoint + + // Specifies if the S3 service should allow ARNs to direct the region + // the client's requests are sent to. + // + // s3_use_arn_region=true + S3UseARNRegion bool +} + +type sharedConfigFile struct { + Filename string + IniData ini.Sections +} + +// loadSharedConfig retrieves the configuration from the list of files using +// the profile provided. The order the files are listed will determine +// precedence. Values in subsequent files will overwrite values defined in +// earlier files. +// +// For example, given two files A and B. Both define credentials. If the order +// of the files are A then B, B's credential values will be used instead of +// A's. +// +// See sharedConfig.setFromFile for information how the config files +// will be loaded. +func loadSharedConfig(profile string, filenames []string, exOpts bool) (sharedConfig, error) { + if len(profile) == 0 { + profile = DefaultSharedConfigProfile + } + + files, err := loadSharedConfigIniFiles(filenames) + if err != nil { + return sharedConfig{}, err + } + + cfg := sharedConfig{} + profiles := map[string]struct{}{} + if err = cfg.setFromIniFiles(profiles, profile, files, exOpts); err != nil { + return sharedConfig{}, err + } + + return cfg, nil +} + +func loadSharedConfigIniFiles(filenames []string) ([]sharedConfigFile, error) { + files := make([]sharedConfigFile, 0, len(filenames)) + + for _, filename := range filenames { + sections, err := ini.OpenFile(filename) + if aerr, ok := err.(awserr.Error); ok && aerr.Code() == ini.ErrCodeUnableToReadFile { + // Skip files which can't be opened and read for whatever reason + continue + } else if err != nil { + return nil, SharedConfigLoadError{Filename: filename, Err: err} + } + + files = append(files, sharedConfigFile{ + Filename: filename, IniData: sections, + }) + } + + return files, nil +} + +func (cfg *sharedConfig) setFromIniFiles(profiles map[string]struct{}, profile string, files []sharedConfigFile, exOpts bool) error { + cfg.Profile = profile + + // Trim files from the list that don't exist. + var skippedFiles int + var profileNotFoundErr error + for _, f := range files { + if err := cfg.setFromIniFile(profile, f, exOpts); err != nil { + if _, ok := err.(SharedConfigProfileNotExistsError); ok { + // Ignore profiles not defined in individual files. + profileNotFoundErr = err + skippedFiles++ + continue + } + return err + } + } + if skippedFiles == len(files) { + // If all files were skipped because the profile is not found, return + // the original profile not found error. + return profileNotFoundErr + } + + if _, ok := profiles[profile]; ok { + // if this is the second instance of the profile the Assume Role + // options must be cleared because they are only valid for the + // first reference of a profile. The self linked instance of the + // profile only have credential provider options. + cfg.clearAssumeRoleOptions() + } else { + // First time a profile has been seen, It must either be a assume role + // credentials, or SSO. Assert if the credential type requires a role ARN, + // the ARN is also set, or validate that the SSO configuration is complete. + if err := cfg.validateCredentialsConfig(profile); err != nil { + return err + } + } + profiles[profile] = struct{}{} + + if err := cfg.validateCredentialType(); err != nil { + return err + } + + // Link source profiles for assume roles + if len(cfg.SourceProfileName) != 0 { + // Linked profile via source_profile ignore credential provider + // options, the source profile must provide the credentials. + cfg.clearCredentialOptions() + + srcCfg := &sharedConfig{} + err := srcCfg.setFromIniFiles(profiles, cfg.SourceProfileName, files, exOpts) + if err != nil { + // SourceProfile that doesn't exist is an error in configuration. + if _, ok := err.(SharedConfigProfileNotExistsError); ok { + err = SharedConfigAssumeRoleError{ + RoleARN: cfg.RoleARN, + SourceProfile: cfg.SourceProfileName, + } + } + return err + } + + if !srcCfg.hasCredentials() { + return SharedConfigAssumeRoleError{ + RoleARN: cfg.RoleARN, + SourceProfile: cfg.SourceProfileName, + } + } + + cfg.SourceProfile = srcCfg + } + + return nil +} + +// setFromFile loads the configuration from the file using the profile +// provided. A sharedConfig pointer type value is used so that multiple config +// file loadings can be chained. +// +// Only loads complete logically grouped values, and will not set fields in cfg +// for incomplete grouped values in the config. Such as credentials. For +// example if a config file only includes aws_access_key_id but no +// aws_secret_access_key the aws_access_key_id will be ignored. +func (cfg *sharedConfig) setFromIniFile(profile string, file sharedConfigFile, exOpts bool) error { + section, ok := file.IniData.GetSection(profile) + if !ok { + // Fallback to to alternate profile name: profile + section, ok = file.IniData.GetSection(fmt.Sprintf("profile %s", profile)) + if !ok { + return SharedConfigProfileNotExistsError{Profile: profile, Err: nil} + } + } + + if exOpts { + // Assume Role Parameters + updateString(&cfg.RoleARN, section, roleArnKey) + updateString(&cfg.ExternalID, section, externalIDKey) + updateString(&cfg.MFASerial, section, mfaSerialKey) + updateString(&cfg.RoleSessionName, section, roleSessionNameKey) + updateString(&cfg.SourceProfileName, section, sourceProfileKey) + updateString(&cfg.CredentialSource, section, credentialSourceKey) + updateString(&cfg.Region, section, regionKey) + updateString(&cfg.CustomCABundle, section, customCABundleKey) + + if section.Has(roleDurationSecondsKey) { + d := time.Duration(section.Int(roleDurationSecondsKey)) * time.Second + cfg.AssumeRoleDuration = &d + } + + if v := section.String(stsRegionalEndpointSharedKey); len(v) != 0 { + sre, err := endpoints.GetSTSRegionalEndpoint(v) + if err != nil { + return fmt.Errorf("failed to load %s from shared config, %s, %v", + stsRegionalEndpointSharedKey, file.Filename, err) + } + cfg.STSRegionalEndpoint = sre + } + + if v := section.String(s3UsEast1RegionalSharedKey); len(v) != 0 { + sre, err := endpoints.GetS3UsEast1RegionalEndpoint(v) + if err != nil { + return fmt.Errorf("failed to load %s from shared config, %s, %v", + s3UsEast1RegionalSharedKey, file.Filename, err) + } + cfg.S3UsEast1RegionalEndpoint = sre + } + + // AWS Single Sign-On (AWS SSO) + updateString(&cfg.SSOAccountID, section, ssoAccountIDKey) + updateString(&cfg.SSORegion, section, ssoRegionKey) + updateString(&cfg.SSORoleName, section, ssoRoleNameKey) + updateString(&cfg.SSOStartURL, section, ssoStartURL) + } + + updateString(&cfg.CredentialProcess, section, credentialProcessKey) + updateString(&cfg.WebIdentityTokenFile, section, webIdentityTokenFileKey) + + // Shared Credentials + creds := credentials.Value{ + AccessKeyID: section.String(accessKeyIDKey), + SecretAccessKey: section.String(secretAccessKey), + SessionToken: section.String(sessionTokenKey), + ProviderName: fmt.Sprintf("SharedConfigCredentials: %s", file.Filename), + } + if creds.HasKeys() { + cfg.Creds = creds + } + + // Endpoint discovery + updateBoolPtr(&cfg.EnableEndpointDiscovery, section, enableEndpointDiscoveryKey) + + // CSM options + updateBoolPtr(&cfg.CSMEnabled, section, csmEnabledKey) + updateString(&cfg.CSMHost, section, csmHostKey) + updateString(&cfg.CSMPort, section, csmPortKey) + updateString(&cfg.CSMClientID, section, csmClientIDKey) + + updateBool(&cfg.S3UseARNRegion, section, s3UseARNRegionKey) + + return nil +} + +func (cfg *sharedConfig) validateCredentialsConfig(profile string) error { + if err := cfg.validateCredentialsRequireARN(profile); err != nil { + return err + } + + return nil +} + +func (cfg *sharedConfig) validateCredentialsRequireARN(profile string) error { + var credSource string + + switch { + case len(cfg.SourceProfileName) != 0: + credSource = sourceProfileKey + case len(cfg.CredentialSource) != 0: + credSource = credentialSourceKey + case len(cfg.WebIdentityTokenFile) != 0: + credSource = webIdentityTokenFileKey + } + + if len(credSource) != 0 && len(cfg.RoleARN) == 0 { + return CredentialRequiresARNError{ + Type: credSource, + Profile: profile, + } + } + + return nil +} + +func (cfg *sharedConfig) validateCredentialType() error { + // Only one or no credential type can be defined. + if !oneOrNone( + len(cfg.SourceProfileName) != 0, + len(cfg.CredentialSource) != 0, + len(cfg.CredentialProcess) != 0, + len(cfg.WebIdentityTokenFile) != 0, + cfg.hasSSOConfiguration(), + ) { + return ErrSharedConfigSourceCollision + } + + return nil +} + +func (cfg *sharedConfig) validateSSOConfiguration() error { + if !cfg.hasSSOConfiguration() { + return nil + } + + var missing []string + if len(cfg.SSOAccountID) == 0 { + missing = append(missing, ssoAccountIDKey) + } + + if len(cfg.SSORegion) == 0 { + missing = append(missing, ssoRegionKey) + } + + if len(cfg.SSORoleName) == 0 { + missing = append(missing, ssoRoleNameKey) + } + + if len(cfg.SSOStartURL) == 0 { + missing = append(missing, ssoStartURL) + } + + if len(missing) > 0 { + return fmt.Errorf("profile %q is configured to use SSO but is missing required configuration: %s", + cfg.Profile, strings.Join(missing, ", ")) + } + + return nil +} + +func (cfg *sharedConfig) hasCredentials() bool { + switch { + case len(cfg.SourceProfileName) != 0: + case len(cfg.CredentialSource) != 0: + case len(cfg.CredentialProcess) != 0: + case len(cfg.WebIdentityTokenFile) != 0: + case cfg.hasSSOConfiguration(): + case cfg.Creds.HasKeys(): + default: + return false + } + + return true +} + +func (cfg *sharedConfig) clearCredentialOptions() { + cfg.CredentialSource = "" + cfg.CredentialProcess = "" + cfg.WebIdentityTokenFile = "" + cfg.Creds = credentials.Value{} +} + +func (cfg *sharedConfig) clearAssumeRoleOptions() { + cfg.RoleARN = "" + cfg.ExternalID = "" + cfg.MFASerial = "" + cfg.RoleSessionName = "" + cfg.SourceProfileName = "" +} + +func (cfg *sharedConfig) hasSSOConfiguration() bool { + switch { + case len(cfg.SSOAccountID) != 0: + case len(cfg.SSORegion) != 0: + case len(cfg.SSORoleName) != 0: + case len(cfg.SSOStartURL) != 0: + default: + return false + } + return true +} + +func oneOrNone(bs ...bool) bool { + var count int + + for _, b := range bs { + if b { + count++ + if count > 1 { + return false + } + } + } + + return true +} + +// updateString will only update the dst with the value in the section key, key +// is present in the section. +func updateString(dst *string, section ini.Section, key string) { + if !section.Has(key) { + return + } + *dst = section.String(key) +} + +// updateBool will only update the dst with the value in the section key, key +// is present in the section. +func updateBool(dst *bool, section ini.Section, key string) { + if !section.Has(key) { + return + } + *dst = section.Bool(key) +} + +// updateBoolPtr will only update the dst with the value in the section key, +// key is present in the section. +func updateBoolPtr(dst **bool, section ini.Section, key string) { + if !section.Has(key) { + return + } + *dst = new(bool) + **dst = section.Bool(key) +} + +// SharedConfigLoadError is an error for the shared config file failed to load. +type SharedConfigLoadError struct { + Filename string + Err error +} + +// Code is the short id of the error. +func (e SharedConfigLoadError) Code() string { + return "SharedConfigLoadError" +} + +// Message is the description of the error +func (e SharedConfigLoadError) Message() string { + return fmt.Sprintf("failed to load config file, %s", e.Filename) +} + +// OrigErr is the underlying error that caused the failure. +func (e SharedConfigLoadError) OrigErr() error { + return e.Err +} + +// Error satisfies the error interface. +func (e SharedConfigLoadError) Error() string { + return awserr.SprintError(e.Code(), e.Message(), "", e.Err) +} + +// SharedConfigProfileNotExistsError is an error for the shared config when +// the profile was not find in the config file. +type SharedConfigProfileNotExistsError struct { + Profile string + Err error +} + +// Code is the short id of the error. +func (e SharedConfigProfileNotExistsError) Code() string { + return "SharedConfigProfileNotExistsError" +} + +// Message is the description of the error +func (e SharedConfigProfileNotExistsError) Message() string { + return fmt.Sprintf("failed to get profile, %s", e.Profile) +} + +// OrigErr is the underlying error that caused the failure. +func (e SharedConfigProfileNotExistsError) OrigErr() error { + return e.Err +} + +// Error satisfies the error interface. +func (e SharedConfigProfileNotExistsError) Error() string { + return awserr.SprintError(e.Code(), e.Message(), "", e.Err) +} + +// SharedConfigAssumeRoleError is an error for the shared config when the +// profile contains assume role information, but that information is invalid +// or not complete. +type SharedConfigAssumeRoleError struct { + RoleARN string + SourceProfile string +} + +// Code is the short id of the error. +func (e SharedConfigAssumeRoleError) Code() string { + return "SharedConfigAssumeRoleError" +} + +// Message is the description of the error +func (e SharedConfigAssumeRoleError) Message() string { + return fmt.Sprintf( + "failed to load assume role for %s, source profile %s has no shared credentials", + e.RoleARN, e.SourceProfile, + ) +} + +// OrigErr is the underlying error that caused the failure. +func (e SharedConfigAssumeRoleError) OrigErr() error { + return nil +} + +// Error satisfies the error interface. +func (e SharedConfigAssumeRoleError) Error() string { + return awserr.SprintError(e.Code(), e.Message(), "", nil) +} + +// CredentialRequiresARNError provides the error for shared config credentials +// that are incorrectly configured in the shared config or credentials file. +type CredentialRequiresARNError struct { + // type of credentials that were configured. + Type string + + // Profile name the credentials were in. + Profile string +} + +// Code is the short id of the error. +func (e CredentialRequiresARNError) Code() string { + return "CredentialRequiresARNError" +} + +// Message is the description of the error +func (e CredentialRequiresARNError) Message() string { + return fmt.Sprintf( + "credential type %s requires role_arn, profile %s", + e.Type, e.Profile, + ) +} + +// OrigErr is the underlying error that caused the failure. +func (e CredentialRequiresARNError) OrigErr() error { + return nil +} + +// Error satisfies the error interface. +func (e CredentialRequiresARNError) Error() string { + return awserr.SprintError(e.Code(), e.Message(), "", nil) +} diff --git a/vendor/github.com/aws/aws-sdk-go/aws/signer/v4/v4.go b/vendor/github.com/aws/aws-sdk-go/aws/signer/v4/v4.go index d71f7b3f4..1737c2686 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/signer/v4/v4.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/signer/v4/v4.go @@ -689,9 +689,12 @@ func (ctx *signingCtx) buildBodyDigest() error { if hash == "" { includeSHA256Header := ctx.unsignedPayload || ctx.ServiceName == "s3" || + ctx.ServiceName == "s3-object-lambda" || ctx.ServiceName == "glacier" - s3Presign := ctx.isPresign && ctx.ServiceName == "s3" + s3Presign := ctx.isPresign && + (ctx.ServiceName == "s3" || + ctx.ServiceName == "s3-object-lambda") if ctx.unsignedPayload || s3Presign { hash = "UNSIGNED-PAYLOAD" diff --git a/vendor/github.com/aws/aws-sdk-go/aws/version.go b/vendor/github.com/aws/aws-sdk-go/aws/version.go index cc41ca0bc..5aef660e1 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/version.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/version.go @@ -5,4 +5,4 @@ package aws const SDKName = "aws-sdk-go" // SDKVersion is the version of this SDK -const SDKVersion = "1.35.24" +const SDKVersion = "1.38.8" diff --git a/vendor/github.com/aws/aws-sdk-go/internal/sdkuri/path.go b/vendor/github.com/aws/aws-sdk-go/internal/sdkuri/path.go new file mode 100644 index 000000000..38ea61afe --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/internal/sdkuri/path.go @@ -0,0 +1,23 @@ +package sdkuri + +import ( + "path" + "strings" +) + +// PathJoin will join the elements of the path delimited by the "/" +// character. Similar to path.Join with the exception the trailing "/" +// character is preserved if present. +func PathJoin(elems ...string) string { + if len(elems) == 0 { + return "" + } + + hasTrailing := strings.HasSuffix(elems[len(elems)-1], "/") + str := path.Join(elems...) + if hasTrailing && str != "/" { + str += "/" + } + + return str +} diff --git a/vendor/github.com/aws/aws-sdk-go/private/protocol/host.go b/vendor/github.com/aws/aws-sdk-go/private/protocol/host.go index d7d42db0a..1f1d27aea 100644 --- a/vendor/github.com/aws/aws-sdk-go/private/protocol/host.go +++ b/vendor/github.com/aws/aws-sdk-go/private/protocol/host.go @@ -1,9 +1,10 @@ package protocol import ( - "strings" - "github.com/aws/aws-sdk-go/aws/request" + "net" + "strconv" + "strings" ) // ValidateEndpointHostHandler is a request handler that will validate the @@ -22,8 +23,26 @@ var ValidateEndpointHostHandler = request.NamedHandler{ // 3986 host. Returns error if the host is not valid. func ValidateEndpointHost(opName, host string) error { paramErrs := request.ErrInvalidParams{Context: opName} - labels := strings.Split(host, ".") + var hostname string + var port string + var err error + + if strings.Contains(host, ":") { + hostname, port, err = net.SplitHostPort(host) + + if err != nil { + paramErrs.Add(request.NewErrParamFormat("endpoint", err.Error(), host)) + } + + if !ValidPortNumber(port) { + paramErrs.Add(request.NewErrParamFormat("endpoint port number", "[0-65535]", port)) + } + } else { + hostname = host + } + + labels := strings.Split(hostname, ".") for i, label := range labels { if i == len(labels)-1 && len(label) == 0 { // Allow trailing dot for FQDN hosts. @@ -36,7 +55,11 @@ func ValidateEndpointHost(opName, host string) error { } } - if len(host) > 255 { + if len(hostname) == 0 { + paramErrs.Add(request.NewErrParamMinLen("endpoint host", 1)) + } + + if len(hostname) > 255 { paramErrs.Add(request.NewErrParamMaxLen( "endpoint host", 255, host, )) @@ -66,3 +89,16 @@ func ValidHostLabel(label string) bool { return true } + +// ValidPortNumber return if the port is valid RFC 3986 port +func ValidPortNumber(port string) bool { + i, err := strconv.Atoi(port) + if err != nil { + return false + } + + if i < 0 || i > 65535 { + return false + } + return true +} diff --git a/vendor/github.com/aws/aws-sdk-go/private/protocol/json/jsonutil/build.go b/vendor/github.com/aws/aws-sdk-go/private/protocol/json/jsonutil/build.go new file mode 100644 index 000000000..864fb6704 --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/private/protocol/json/jsonutil/build.go @@ -0,0 +1,296 @@ +// Package jsonutil provides JSON serialization of AWS requests and responses. +package jsonutil + +import ( + "bytes" + "encoding/base64" + "encoding/json" + "fmt" + "math" + "reflect" + "sort" + "strconv" + "time" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/private/protocol" +) + +var timeType = reflect.ValueOf(time.Time{}).Type() +var byteSliceType = reflect.ValueOf([]byte{}).Type() + +// BuildJSON builds a JSON string for a given object v. +func BuildJSON(v interface{}) ([]byte, error) { + var buf bytes.Buffer + + err := buildAny(reflect.ValueOf(v), &buf, "") + return buf.Bytes(), err +} + +func buildAny(value reflect.Value, buf *bytes.Buffer, tag reflect.StructTag) error { + origVal := value + value = reflect.Indirect(value) + if !value.IsValid() { + return nil + } + + vtype := value.Type() + + t := tag.Get("type") + if t == "" { + switch vtype.Kind() { + case reflect.Struct: + // also it can't be a time object + if value.Type() != timeType { + t = "structure" + } + case reflect.Slice: + // also it can't be a byte slice + if _, ok := value.Interface().([]byte); !ok { + t = "list" + } + case reflect.Map: + // cannot be a JSONValue map + if _, ok := value.Interface().(aws.JSONValue); !ok { + t = "map" + } + } + } + + switch t { + case "structure": + if field, ok := vtype.FieldByName("_"); ok { + tag = field.Tag + } + return buildStruct(value, buf, tag) + case "list": + return buildList(value, buf, tag) + case "map": + return buildMap(value, buf, tag) + default: + return buildScalar(origVal, buf, tag) + } +} + +func buildStruct(value reflect.Value, buf *bytes.Buffer, tag reflect.StructTag) error { + if !value.IsValid() { + return nil + } + + // unwrap payloads + if payload := tag.Get("payload"); payload != "" { + field, _ := value.Type().FieldByName(payload) + tag = field.Tag + value = elemOf(value.FieldByName(payload)) + + if !value.IsValid() { + return nil + } + } + + buf.WriteByte('{') + + t := value.Type() + first := true + for i := 0; i < t.NumField(); i++ { + member := value.Field(i) + + // This allocates the most memory. + // Additionally, we cannot skip nil fields due to + // idempotency auto filling. + field := t.Field(i) + + if field.PkgPath != "" { + continue // ignore unexported fields + } + if field.Tag.Get("json") == "-" { + continue + } + if field.Tag.Get("location") != "" { + continue // ignore non-body elements + } + if field.Tag.Get("ignore") != "" { + continue + } + + if protocol.CanSetIdempotencyToken(member, field) { + token := protocol.GetIdempotencyToken() + member = reflect.ValueOf(&token) + } + + if (member.Kind() == reflect.Ptr || member.Kind() == reflect.Slice || member.Kind() == reflect.Map) && member.IsNil() { + continue // ignore unset fields + } + + if first { + first = false + } else { + buf.WriteByte(',') + } + + // figure out what this field is called + name := field.Name + if locName := field.Tag.Get("locationName"); locName != "" { + name = locName + } + + writeString(name, buf) + buf.WriteString(`:`) + + err := buildAny(member, buf, field.Tag) + if err != nil { + return err + } + + } + + buf.WriteString("}") + + return nil +} + +func buildList(value reflect.Value, buf *bytes.Buffer, tag reflect.StructTag) error { + buf.WriteString("[") + + for i := 0; i < value.Len(); i++ { + buildAny(value.Index(i), buf, "") + + if i < value.Len()-1 { + buf.WriteString(",") + } + } + + buf.WriteString("]") + + return nil +} + +type sortedValues []reflect.Value + +func (sv sortedValues) Len() int { return len(sv) } +func (sv sortedValues) Swap(i, j int) { sv[i], sv[j] = sv[j], sv[i] } +func (sv sortedValues) Less(i, j int) bool { return sv[i].String() < sv[j].String() } + +func buildMap(value reflect.Value, buf *bytes.Buffer, tag reflect.StructTag) error { + buf.WriteString("{") + + sv := sortedValues(value.MapKeys()) + sort.Sort(sv) + + for i, k := range sv { + if i > 0 { + buf.WriteByte(',') + } + + writeString(k.String(), buf) + buf.WriteString(`:`) + + buildAny(value.MapIndex(k), buf, "") + } + + buf.WriteString("}") + + return nil +} + +func buildScalar(v reflect.Value, buf *bytes.Buffer, tag reflect.StructTag) error { + // prevents allocation on the heap. + scratch := [64]byte{} + switch value := reflect.Indirect(v); value.Kind() { + case reflect.String: + writeString(value.String(), buf) + case reflect.Bool: + if value.Bool() { + buf.WriteString("true") + } else { + buf.WriteString("false") + } + case reflect.Int64: + buf.Write(strconv.AppendInt(scratch[:0], value.Int(), 10)) + case reflect.Float64: + f := value.Float() + if math.IsInf(f, 0) || math.IsNaN(f) { + return &json.UnsupportedValueError{Value: v, Str: strconv.FormatFloat(f, 'f', -1, 64)} + } + buf.Write(strconv.AppendFloat(scratch[:0], f, 'f', -1, 64)) + default: + switch converted := value.Interface().(type) { + case time.Time: + format := tag.Get("timestampFormat") + if len(format) == 0 { + format = protocol.UnixTimeFormatName + } + + ts := protocol.FormatTime(format, converted) + if format != protocol.UnixTimeFormatName { + ts = `"` + ts + `"` + } + + buf.WriteString(ts) + case []byte: + if !value.IsNil() { + buf.WriteByte('"') + if len(converted) < 1024 { + // for small buffers, using Encode directly is much faster. + dst := make([]byte, base64.StdEncoding.EncodedLen(len(converted))) + base64.StdEncoding.Encode(dst, converted) + buf.Write(dst) + } else { + // for large buffers, avoid unnecessary extra temporary + // buffer space. + enc := base64.NewEncoder(base64.StdEncoding, buf) + enc.Write(converted) + enc.Close() + } + buf.WriteByte('"') + } + case aws.JSONValue: + str, err := protocol.EncodeJSONValue(converted, protocol.QuotedEscape) + if err != nil { + return fmt.Errorf("unable to encode JSONValue, %v", err) + } + buf.WriteString(str) + default: + return fmt.Errorf("unsupported JSON value %v (%s)", value.Interface(), value.Type()) + } + } + return nil +} + +var hex = "0123456789abcdef" + +func writeString(s string, buf *bytes.Buffer) { + buf.WriteByte('"') + for i := 0; i < len(s); i++ { + if s[i] == '"' { + buf.WriteString(`\"`) + } else if s[i] == '\\' { + buf.WriteString(`\\`) + } else if s[i] == '\b' { + buf.WriteString(`\b`) + } else if s[i] == '\f' { + buf.WriteString(`\f`) + } else if s[i] == '\r' { + buf.WriteString(`\r`) + } else if s[i] == '\t' { + buf.WriteString(`\t`) + } else if s[i] == '\n' { + buf.WriteString(`\n`) + } else if s[i] < 32 { + buf.WriteString("\\u00") + buf.WriteByte(hex[s[i]>>4]) + buf.WriteByte(hex[s[i]&0xF]) + } else { + buf.WriteByte(s[i]) + } + } + buf.WriteByte('"') +} + +// Returns the reflection element of a value, if it is a pointer. +func elemOf(value reflect.Value) reflect.Value { + for value.Kind() == reflect.Ptr { + value = value.Elem() + } + return value +} diff --git a/vendor/github.com/aws/aws-sdk-go/private/protocol/json/jsonutil/unmarshal.go b/vendor/github.com/aws/aws-sdk-go/private/protocol/json/jsonutil/unmarshal.go new file mode 100644 index 000000000..8b2c9bbeb --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/private/protocol/json/jsonutil/unmarshal.go @@ -0,0 +1,304 @@ +package jsonutil + +import ( + "bytes" + "encoding/base64" + "encoding/json" + "fmt" + "io" + "math/big" + "reflect" + "strings" + "time" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/awserr" + "github.com/aws/aws-sdk-go/private/protocol" +) + +var millisecondsFloat = new(big.Float).SetInt64(1e3) + +// UnmarshalJSONError unmarshal's the reader's JSON document into the passed in +// type. The value to unmarshal the json document into must be a pointer to the +// type. +func UnmarshalJSONError(v interface{}, stream io.Reader) error { + var errBuf bytes.Buffer + body := io.TeeReader(stream, &errBuf) + + err := json.NewDecoder(body).Decode(v) + if err != nil { + msg := "failed decoding error message" + if err == io.EOF { + msg = "error message missing" + err = nil + } + return awserr.NewUnmarshalError(err, msg, errBuf.Bytes()) + } + + return nil +} + +// UnmarshalJSON reads a stream and unmarshals the results in object v. +func UnmarshalJSON(v interface{}, stream io.Reader) error { + var out interface{} + + decoder := json.NewDecoder(stream) + decoder.UseNumber() + err := decoder.Decode(&out) + if err == io.EOF { + return nil + } else if err != nil { + return err + } + + return unmarshaler{}.unmarshalAny(reflect.ValueOf(v), out, "") +} + +// UnmarshalJSONCaseInsensitive reads a stream and unmarshals the result into the +// object v. Ignores casing for structure members. +func UnmarshalJSONCaseInsensitive(v interface{}, stream io.Reader) error { + var out interface{} + + decoder := json.NewDecoder(stream) + decoder.UseNumber() + err := decoder.Decode(&out) + if err == io.EOF { + return nil + } else if err != nil { + return err + } + + return unmarshaler{ + caseInsensitive: true, + }.unmarshalAny(reflect.ValueOf(v), out, "") +} + +type unmarshaler struct { + caseInsensitive bool +} + +func (u unmarshaler) unmarshalAny(value reflect.Value, data interface{}, tag reflect.StructTag) error { + vtype := value.Type() + if vtype.Kind() == reflect.Ptr { + vtype = vtype.Elem() // check kind of actual element type + } + + t := tag.Get("type") + if t == "" { + switch vtype.Kind() { + case reflect.Struct: + // also it can't be a time object + if _, ok := value.Interface().(*time.Time); !ok { + t = "structure" + } + case reflect.Slice: + // also it can't be a byte slice + if _, ok := value.Interface().([]byte); !ok { + t = "list" + } + case reflect.Map: + // cannot be a JSONValue map + if _, ok := value.Interface().(aws.JSONValue); !ok { + t = "map" + } + } + } + + switch t { + case "structure": + if field, ok := vtype.FieldByName("_"); ok { + tag = field.Tag + } + return u.unmarshalStruct(value, data, tag) + case "list": + return u.unmarshalList(value, data, tag) + case "map": + return u.unmarshalMap(value, data, tag) + default: + return u.unmarshalScalar(value, data, tag) + } +} + +func (u unmarshaler) unmarshalStruct(value reflect.Value, data interface{}, tag reflect.StructTag) error { + if data == nil { + return nil + } + mapData, ok := data.(map[string]interface{}) + if !ok { + return fmt.Errorf("JSON value is not a structure (%#v)", data) + } + + t := value.Type() + if value.Kind() == reflect.Ptr { + if value.IsNil() { // create the structure if it's nil + s := reflect.New(value.Type().Elem()) + value.Set(s) + value = s + } + + value = value.Elem() + t = t.Elem() + } + + // unwrap any payloads + if payload := tag.Get("payload"); payload != "" { + field, _ := t.FieldByName(payload) + return u.unmarshalAny(value.FieldByName(payload), data, field.Tag) + } + + for i := 0; i < t.NumField(); i++ { + field := t.Field(i) + if field.PkgPath != "" { + continue // ignore unexported fields + } + + // figure out what this field is called + name := field.Name + if locName := field.Tag.Get("locationName"); locName != "" { + name = locName + } + if u.caseInsensitive { + if _, ok := mapData[name]; !ok { + // Fallback to uncased name search if the exact name didn't match. + for kn, v := range mapData { + if strings.EqualFold(kn, name) { + mapData[name] = v + } + } + } + } + + member := value.FieldByIndex(field.Index) + err := u.unmarshalAny(member, mapData[name], field.Tag) + if err != nil { + return err + } + } + return nil +} + +func (u unmarshaler) unmarshalList(value reflect.Value, data interface{}, tag reflect.StructTag) error { + if data == nil { + return nil + } + listData, ok := data.([]interface{}) + if !ok { + return fmt.Errorf("JSON value is not a list (%#v)", data) + } + + if value.IsNil() { + l := len(listData) + value.Set(reflect.MakeSlice(value.Type(), l, l)) + } + + for i, c := range listData { + err := u.unmarshalAny(value.Index(i), c, "") + if err != nil { + return err + } + } + + return nil +} + +func (u unmarshaler) unmarshalMap(value reflect.Value, data interface{}, tag reflect.StructTag) error { + if data == nil { + return nil + } + mapData, ok := data.(map[string]interface{}) + if !ok { + return fmt.Errorf("JSON value is not a map (%#v)", data) + } + + if value.IsNil() { + value.Set(reflect.MakeMap(value.Type())) + } + + for k, v := range mapData { + kvalue := reflect.ValueOf(k) + vvalue := reflect.New(value.Type().Elem()).Elem() + + u.unmarshalAny(vvalue, v, "") + value.SetMapIndex(kvalue, vvalue) + } + + return nil +} + +func (u unmarshaler) unmarshalScalar(value reflect.Value, data interface{}, tag reflect.StructTag) error { + + switch d := data.(type) { + case nil: + return nil // nothing to do here + case string: + switch value.Interface().(type) { + case *string: + value.Set(reflect.ValueOf(&d)) + case []byte: + b, err := base64.StdEncoding.DecodeString(d) + if err != nil { + return err + } + value.Set(reflect.ValueOf(b)) + case *time.Time: + format := tag.Get("timestampFormat") + if len(format) == 0 { + format = protocol.ISO8601TimeFormatName + } + + t, err := protocol.ParseTime(format, d) + if err != nil { + return err + } + value.Set(reflect.ValueOf(&t)) + case aws.JSONValue: + // No need to use escaping as the value is a non-quoted string. + v, err := protocol.DecodeJSONValue(d, protocol.NoEscape) + if err != nil { + return err + } + value.Set(reflect.ValueOf(v)) + default: + return fmt.Errorf("unsupported value: %v (%s)", value.Interface(), value.Type()) + } + case json.Number: + switch value.Interface().(type) { + case *int64: + // Retain the old behavior where we would just truncate the float64 + // calling d.Int64() here could cause an invalid syntax error due to the usage of strconv.ParseInt + f, err := d.Float64() + if err != nil { + return err + } + di := int64(f) + value.Set(reflect.ValueOf(&di)) + case *float64: + f, err := d.Float64() + if err != nil { + return err + } + value.Set(reflect.ValueOf(&f)) + case *time.Time: + float, ok := new(big.Float).SetString(d.String()) + if !ok { + return fmt.Errorf("unsupported float time representation: %v", d.String()) + } + float = float.Mul(float, millisecondsFloat) + ms, _ := float.Int64() + t := time.Unix(0, ms*1e6).UTC() + value.Set(reflect.ValueOf(&t)) + default: + return fmt.Errorf("unsupported value: %v (%s)", value.Interface(), value.Type()) + } + case bool: + switch value.Interface().(type) { + case *bool: + value.Set(reflect.ValueOf(&d)) + default: + return fmt.Errorf("unsupported value: %v (%s)", value.Interface(), value.Type()) + } + default: + return fmt.Errorf("unsupported JSON value (%v)", data) + } + return nil +} diff --git a/vendor/github.com/aws/aws-sdk-go/private/protocol/jsonrpc/jsonrpc.go b/vendor/github.com/aws/aws-sdk-go/private/protocol/jsonrpc/jsonrpc.go new file mode 100644 index 000000000..a029217e4 --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/private/protocol/jsonrpc/jsonrpc.go @@ -0,0 +1,88 @@ +// Package jsonrpc provides JSON RPC utilities for serialization of AWS +// requests and responses. +package jsonrpc + +//go:generate go run -tags codegen ../../../private/model/cli/gen-protocol-tests ../../../models/protocol_tests/input/json.json build_test.go +//go:generate go run -tags codegen ../../../private/model/cli/gen-protocol-tests ../../../models/protocol_tests/output/json.json unmarshal_test.go + +import ( + "github.com/aws/aws-sdk-go/aws/awserr" + "github.com/aws/aws-sdk-go/aws/request" + "github.com/aws/aws-sdk-go/private/protocol/json/jsonutil" + "github.com/aws/aws-sdk-go/private/protocol/rest" +) + +var emptyJSON = []byte("{}") + +// BuildHandler is a named request handler for building jsonrpc protocol +// requests +var BuildHandler = request.NamedHandler{ + Name: "awssdk.jsonrpc.Build", + Fn: Build, +} + +// UnmarshalHandler is a named request handler for unmarshaling jsonrpc +// protocol requests +var UnmarshalHandler = request.NamedHandler{ + Name: "awssdk.jsonrpc.Unmarshal", + Fn: Unmarshal, +} + +// UnmarshalMetaHandler is a named request handler for unmarshaling jsonrpc +// protocol request metadata +var UnmarshalMetaHandler = request.NamedHandler{ + Name: "awssdk.jsonrpc.UnmarshalMeta", + Fn: UnmarshalMeta, +} + +// Build builds a JSON payload for a JSON RPC request. +func Build(req *request.Request) { + var buf []byte + var err error + if req.ParamsFilled() { + buf, err = jsonutil.BuildJSON(req.Params) + if err != nil { + req.Error = awserr.New(request.ErrCodeSerialization, "failed encoding JSON RPC request", err) + return + } + } else { + buf = emptyJSON + } + + if req.ClientInfo.TargetPrefix != "" || string(buf) != "{}" { + req.SetBufferBody(buf) + } + + if req.ClientInfo.TargetPrefix != "" { + target := req.ClientInfo.TargetPrefix + "." + req.Operation.Name + req.HTTPRequest.Header.Add("X-Amz-Target", target) + } + + // Only set the content type if one is not already specified and an + // JSONVersion is specified. + if ct, v := req.HTTPRequest.Header.Get("Content-Type"), req.ClientInfo.JSONVersion; len(ct) == 0 && len(v) != 0 { + jsonVersion := req.ClientInfo.JSONVersion + req.HTTPRequest.Header.Set("Content-Type", "application/x-amz-json-"+jsonVersion) + } +} + +// Unmarshal unmarshals a response for a JSON RPC service. +func Unmarshal(req *request.Request) { + defer req.HTTPResponse.Body.Close() + if req.DataFilled() { + err := jsonutil.UnmarshalJSON(req.Data, req.HTTPResponse.Body) + if err != nil { + req.Error = awserr.NewRequestFailure( + awserr.New(request.ErrCodeSerialization, "failed decoding JSON RPC response", err), + req.HTTPResponse.StatusCode, + req.RequestID, + ) + } + } + return +} + +// UnmarshalMeta unmarshals headers from a response for a JSON RPC service. +func UnmarshalMeta(req *request.Request) { + rest.UnmarshalMeta(req) +} diff --git a/vendor/github.com/aws/aws-sdk-go/private/protocol/jsonrpc/unmarshal_error.go b/vendor/github.com/aws/aws-sdk-go/private/protocol/jsonrpc/unmarshal_error.go new file mode 100644 index 000000000..c0c52e2db --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/private/protocol/jsonrpc/unmarshal_error.go @@ -0,0 +1,107 @@ +package jsonrpc + +import ( + "bytes" + "io" + "io/ioutil" + "net/http" + "strings" + + "github.com/aws/aws-sdk-go/aws/awserr" + "github.com/aws/aws-sdk-go/aws/request" + "github.com/aws/aws-sdk-go/private/protocol" + "github.com/aws/aws-sdk-go/private/protocol/json/jsonutil" +) + +// UnmarshalTypedError provides unmarshaling errors API response errors +// for both typed and untyped errors. +type UnmarshalTypedError struct { + exceptions map[string]func(protocol.ResponseMetadata) error +} + +// NewUnmarshalTypedError returns an UnmarshalTypedError initialized for the +// set of exception names to the error unmarshalers +func NewUnmarshalTypedError(exceptions map[string]func(protocol.ResponseMetadata) error) *UnmarshalTypedError { + return &UnmarshalTypedError{ + exceptions: exceptions, + } +} + +// UnmarshalError attempts to unmarshal the HTTP response error as a known +// error type. If unable to unmarshal the error type, the generic SDK error +// type will be used. +func (u *UnmarshalTypedError) UnmarshalError( + resp *http.Response, + respMeta protocol.ResponseMetadata, +) (error, error) { + + var buf bytes.Buffer + var jsonErr jsonErrorResponse + teeReader := io.TeeReader(resp.Body, &buf) + err := jsonutil.UnmarshalJSONError(&jsonErr, teeReader) + if err != nil { + return nil, err + } + body := ioutil.NopCloser(&buf) + + // Code may be separated by hash(#), with the last element being the code + // used by the SDK. + codeParts := strings.SplitN(jsonErr.Code, "#", 2) + code := codeParts[len(codeParts)-1] + msg := jsonErr.Message + + if fn, ok := u.exceptions[code]; ok { + // If exception code is know, use associated constructor to get a value + // for the exception that the JSON body can be unmarshaled into. + v := fn(respMeta) + err := jsonutil.UnmarshalJSONCaseInsensitive(v, body) + if err != nil { + return nil, err + } + + return v, nil + } + + // fallback to unmodeled generic exceptions + return awserr.NewRequestFailure( + awserr.New(code, msg, nil), + respMeta.StatusCode, + respMeta.RequestID, + ), nil +} + +// UnmarshalErrorHandler is a named request handler for unmarshaling jsonrpc +// protocol request errors +var UnmarshalErrorHandler = request.NamedHandler{ + Name: "awssdk.jsonrpc.UnmarshalError", + Fn: UnmarshalError, +} + +// UnmarshalError unmarshals an error response for a JSON RPC service. +func UnmarshalError(req *request.Request) { + defer req.HTTPResponse.Body.Close() + + var jsonErr jsonErrorResponse + err := jsonutil.UnmarshalJSONError(&jsonErr, req.HTTPResponse.Body) + if err != nil { + req.Error = awserr.NewRequestFailure( + awserr.New(request.ErrCodeSerialization, + "failed to unmarshal error message", err), + req.HTTPResponse.StatusCode, + req.RequestID, + ) + return + } + + codes := strings.SplitN(jsonErr.Code, "#", 2) + req.Error = awserr.NewRequestFailure( + awserr.New(codes[len(codes)-1], jsonErr.Message, nil), + req.HTTPResponse.StatusCode, + req.RequestID, + ) +} + +type jsonErrorResponse struct { + Code string `json:"__type"` + Message string `json:"message"` +} diff --git a/vendor/github.com/aws/aws-sdk-go/private/protocol/query/build.go b/vendor/github.com/aws/aws-sdk-go/private/protocol/query/build.go new file mode 100644 index 000000000..d40346a77 --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/private/protocol/query/build.go @@ -0,0 +1,36 @@ +// Package query provides serialization of AWS query requests, and responses. +package query + +//go:generate go run -tags codegen ../../../private/model/cli/gen-protocol-tests ../../../models/protocol_tests/input/query.json build_test.go + +import ( + "net/url" + + "github.com/aws/aws-sdk-go/aws/awserr" + "github.com/aws/aws-sdk-go/aws/request" + "github.com/aws/aws-sdk-go/private/protocol/query/queryutil" +) + +// BuildHandler is a named request handler for building query protocol requests +var BuildHandler = request.NamedHandler{Name: "awssdk.query.Build", Fn: Build} + +// Build builds a request for an AWS Query service. +func Build(r *request.Request) { + body := url.Values{ + "Action": {r.Operation.Name}, + "Version": {r.ClientInfo.APIVersion}, + } + if err := queryutil.Parse(body, r.Params, false); err != nil { + r.Error = awserr.New(request.ErrCodeSerialization, "failed encoding Query request", err) + return + } + + if !r.IsPresigned() { + r.HTTPRequest.Method = "POST" + r.HTTPRequest.Header.Set("Content-Type", "application/x-www-form-urlencoded; charset=utf-8") + r.SetBufferBody([]byte(body.Encode())) + } else { // This is a pre-signed request + r.HTTPRequest.Method = "GET" + r.HTTPRequest.URL.RawQuery = body.Encode() + } +} diff --git a/vendor/github.com/aws/aws-sdk-go/private/protocol/query/unmarshal.go b/vendor/github.com/aws/aws-sdk-go/private/protocol/query/unmarshal.go new file mode 100644 index 000000000..9231e95d1 --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/private/protocol/query/unmarshal.go @@ -0,0 +1,39 @@ +package query + +//go:generate go run -tags codegen ../../../private/model/cli/gen-protocol-tests ../../../models/protocol_tests/output/query.json unmarshal_test.go + +import ( + "encoding/xml" + + "github.com/aws/aws-sdk-go/aws/awserr" + "github.com/aws/aws-sdk-go/aws/request" + "github.com/aws/aws-sdk-go/private/protocol/xml/xmlutil" +) + +// UnmarshalHandler is a named request handler for unmarshaling query protocol requests +var UnmarshalHandler = request.NamedHandler{Name: "awssdk.query.Unmarshal", Fn: Unmarshal} + +// UnmarshalMetaHandler is a named request handler for unmarshaling query protocol request metadata +var UnmarshalMetaHandler = request.NamedHandler{Name: "awssdk.query.UnmarshalMeta", Fn: UnmarshalMeta} + +// Unmarshal unmarshals a response for an AWS Query service. +func Unmarshal(r *request.Request) { + defer r.HTTPResponse.Body.Close() + if r.DataFilled() { + decoder := xml.NewDecoder(r.HTTPResponse.Body) + err := xmlutil.UnmarshalXML(r.Data, decoder, r.Operation.Name+"Result") + if err != nil { + r.Error = awserr.NewRequestFailure( + awserr.New(request.ErrCodeSerialization, "failed decoding Query response", err), + r.HTTPResponse.StatusCode, + r.RequestID, + ) + return + } + } +} + +// UnmarshalMeta unmarshals header response values for an AWS Query service. +func UnmarshalMeta(r *request.Request) { + r.RequestID = r.HTTPResponse.Header.Get("X-Amzn-Requestid") +} diff --git a/vendor/github.com/aws/aws-sdk-go/private/protocol/query/unmarshal_error.go b/vendor/github.com/aws/aws-sdk-go/private/protocol/query/unmarshal_error.go new file mode 100644 index 000000000..831b0110c --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/private/protocol/query/unmarshal_error.go @@ -0,0 +1,69 @@ +package query + +import ( + "encoding/xml" + "fmt" + + "github.com/aws/aws-sdk-go/aws/awserr" + "github.com/aws/aws-sdk-go/aws/request" + "github.com/aws/aws-sdk-go/private/protocol/xml/xmlutil" +) + +// UnmarshalErrorHandler is a name request handler to unmarshal request errors +var UnmarshalErrorHandler = request.NamedHandler{Name: "awssdk.query.UnmarshalError", Fn: UnmarshalError} + +type xmlErrorResponse struct { + Code string `xml:"Error>Code"` + Message string `xml:"Error>Message"` + RequestID string `xml:"RequestId"` +} + +type xmlResponseError struct { + xmlErrorResponse +} + +func (e *xmlResponseError) UnmarshalXML(d *xml.Decoder, start xml.StartElement) error { + const svcUnavailableTagName = "ServiceUnavailableException" + const errorResponseTagName = "ErrorResponse" + + switch start.Name.Local { + case svcUnavailableTagName: + e.Code = svcUnavailableTagName + e.Message = "service is unavailable" + return d.Skip() + + case errorResponseTagName: + return d.DecodeElement(&e.xmlErrorResponse, &start) + + default: + return fmt.Errorf("unknown error response tag, %v", start) + } +} + +// UnmarshalError unmarshals an error response for an AWS Query service. +func UnmarshalError(r *request.Request) { + defer r.HTTPResponse.Body.Close() + + var respErr xmlResponseError + err := xmlutil.UnmarshalXMLError(&respErr, r.HTTPResponse.Body) + if err != nil { + r.Error = awserr.NewRequestFailure( + awserr.New(request.ErrCodeSerialization, + "failed to unmarshal error message", err), + r.HTTPResponse.StatusCode, + r.RequestID, + ) + return + } + + reqID := respErr.RequestID + if len(reqID) == 0 { + reqID = r.RequestID + } + + r.Error = awserr.NewRequestFailure( + awserr.New(respErr.Code, respErr.Message, nil), + r.HTTPResponse.StatusCode, + reqID, + ) +} diff --git a/vendor/github.com/aws/aws-sdk-go/private/protocol/restjson/restjson.go b/vendor/github.com/aws/aws-sdk-go/private/protocol/restjson/restjson.go new file mode 100644 index 000000000..2e0e205af --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/private/protocol/restjson/restjson.go @@ -0,0 +1,59 @@ +// Package restjson provides RESTful JSON serialization of AWS +// requests and responses. +package restjson + +//go:generate go run -tags codegen ../../../private/model/cli/gen-protocol-tests ../../../models/protocol_tests/input/rest-json.json build_test.go +//go:generate go run -tags codegen ../../../private/model/cli/gen-protocol-tests ../../../models/protocol_tests/output/rest-json.json unmarshal_test.go + +import ( + "github.com/aws/aws-sdk-go/aws/request" + "github.com/aws/aws-sdk-go/private/protocol/jsonrpc" + "github.com/aws/aws-sdk-go/private/protocol/rest" +) + +// BuildHandler is a named request handler for building restjson protocol +// requests +var BuildHandler = request.NamedHandler{ + Name: "awssdk.restjson.Build", + Fn: Build, +} + +// UnmarshalHandler is a named request handler for unmarshaling restjson +// protocol requests +var UnmarshalHandler = request.NamedHandler{ + Name: "awssdk.restjson.Unmarshal", + Fn: Unmarshal, +} + +// UnmarshalMetaHandler is a named request handler for unmarshaling restjson +// protocol request metadata +var UnmarshalMetaHandler = request.NamedHandler{ + Name: "awssdk.restjson.UnmarshalMeta", + Fn: UnmarshalMeta, +} + +// Build builds a request for the REST JSON protocol. +func Build(r *request.Request) { + rest.Build(r) + + if t := rest.PayloadType(r.Params); t == "structure" || t == "" { + if v := r.HTTPRequest.Header.Get("Content-Type"); len(v) == 0 { + r.HTTPRequest.Header.Set("Content-Type", "application/json") + } + jsonrpc.Build(r) + } +} + +// Unmarshal unmarshals a response body for the REST JSON protocol. +func Unmarshal(r *request.Request) { + if t := rest.PayloadType(r.Data); t == "structure" || t == "" { + jsonrpc.Unmarshal(r) + } else { + rest.Unmarshal(r) + } +} + +// UnmarshalMeta unmarshals response headers for the REST JSON protocol. +func UnmarshalMeta(r *request.Request) { + rest.UnmarshalMeta(r) +} diff --git a/vendor/github.com/aws/aws-sdk-go/private/protocol/restjson/unmarshal_error.go b/vendor/github.com/aws/aws-sdk-go/private/protocol/restjson/unmarshal_error.go new file mode 100644 index 000000000..d756d8cc5 --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/private/protocol/restjson/unmarshal_error.go @@ -0,0 +1,134 @@ +package restjson + +import ( + "bytes" + "io" + "io/ioutil" + "net/http" + "strings" + + "github.com/aws/aws-sdk-go/aws/awserr" + "github.com/aws/aws-sdk-go/aws/request" + "github.com/aws/aws-sdk-go/private/protocol" + "github.com/aws/aws-sdk-go/private/protocol/json/jsonutil" + "github.com/aws/aws-sdk-go/private/protocol/rest" +) + +const ( + errorTypeHeader = "X-Amzn-Errortype" + errorMessageHeader = "X-Amzn-Errormessage" +) + +// UnmarshalTypedError provides unmarshaling errors API response errors +// for both typed and untyped errors. +type UnmarshalTypedError struct { + exceptions map[string]func(protocol.ResponseMetadata) error +} + +// NewUnmarshalTypedError returns an UnmarshalTypedError initialized for the +// set of exception names to the error unmarshalers +func NewUnmarshalTypedError(exceptions map[string]func(protocol.ResponseMetadata) error) *UnmarshalTypedError { + return &UnmarshalTypedError{ + exceptions: exceptions, + } +} + +// UnmarshalError attempts to unmarshal the HTTP response error as a known +// error type. If unable to unmarshal the error type, the generic SDK error +// type will be used. +func (u *UnmarshalTypedError) UnmarshalError( + resp *http.Response, + respMeta protocol.ResponseMetadata, +) (error, error) { + + code := resp.Header.Get(errorTypeHeader) + msg := resp.Header.Get(errorMessageHeader) + + body := resp.Body + if len(code) == 0 { + // If unable to get code from HTTP headers have to parse JSON message + // to determine what kind of exception this will be. + var buf bytes.Buffer + var jsonErr jsonErrorResponse + teeReader := io.TeeReader(resp.Body, &buf) + err := jsonutil.UnmarshalJSONError(&jsonErr, teeReader) + if err != nil { + return nil, err + } + + body = ioutil.NopCloser(&buf) + code = jsonErr.Code + msg = jsonErr.Message + } + + // If code has colon separators remove them so can compare against modeled + // exception names. + code = strings.SplitN(code, ":", 2)[0] + + if fn, ok := u.exceptions[code]; ok { + // If exception code is know, use associated constructor to get a value + // for the exception that the JSON body can be unmarshaled into. + v := fn(respMeta) + if err := jsonutil.UnmarshalJSONCaseInsensitive(v, body); err != nil { + return nil, err + } + + if err := rest.UnmarshalResponse(resp, v, true); err != nil { + return nil, err + } + + return v, nil + } + + // fallback to unmodeled generic exceptions + return awserr.NewRequestFailure( + awserr.New(code, msg, nil), + respMeta.StatusCode, + respMeta.RequestID, + ), nil +} + +// UnmarshalErrorHandler is a named request handler for unmarshaling restjson +// protocol request errors +var UnmarshalErrorHandler = request.NamedHandler{ + Name: "awssdk.restjson.UnmarshalError", + Fn: UnmarshalError, +} + +// UnmarshalError unmarshals a response error for the REST JSON protocol. +func UnmarshalError(r *request.Request) { + defer r.HTTPResponse.Body.Close() + + var jsonErr jsonErrorResponse + err := jsonutil.UnmarshalJSONError(&jsonErr, r.HTTPResponse.Body) + if err != nil { + r.Error = awserr.NewRequestFailure( + awserr.New(request.ErrCodeSerialization, + "failed to unmarshal response error", err), + r.HTTPResponse.StatusCode, + r.RequestID, + ) + return + } + + code := r.HTTPResponse.Header.Get(errorTypeHeader) + if code == "" { + code = jsonErr.Code + } + msg := r.HTTPResponse.Header.Get(errorMessageHeader) + if msg == "" { + msg = jsonErr.Message + } + + code = strings.SplitN(code, ":", 2)[0] + r.Error = awserr.NewRequestFailure( + awserr.New(code, jsonErr.Message, nil), + r.HTTPResponse.StatusCode, + r.RequestID, + ) +} + +type jsonErrorResponse struct { + Code string `json:"code"` + Message string `json:"message"` +} diff --git a/vendor/github.com/aws/aws-sdk-go/service/ec2/api.go b/vendor/github.com/aws/aws-sdk-go/service/ec2/api.go index ba7661add..0248d3b60 100644 --- a/vendor/github.com/aws/aws-sdk-go/service/ec2/api.go +++ b/vendor/github.com/aws/aws-sdk-go/service/ec2/api.go @@ -88,6 +88,80 @@ func (c *EC2) AcceptReservedInstancesExchangeQuoteWithContext(ctx aws.Context, i return out, req.Send() } +const opAcceptTransitGatewayMulticastDomainAssociations = "AcceptTransitGatewayMulticastDomainAssociations" + +// AcceptTransitGatewayMulticastDomainAssociationsRequest generates a "aws/request.Request" representing the +// client's request for the AcceptTransitGatewayMulticastDomainAssociations operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See AcceptTransitGatewayMulticastDomainAssociations for more information on using the AcceptTransitGatewayMulticastDomainAssociations +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the AcceptTransitGatewayMulticastDomainAssociationsRequest method. +// req, resp := client.AcceptTransitGatewayMulticastDomainAssociationsRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/AcceptTransitGatewayMulticastDomainAssociations +func (c *EC2) AcceptTransitGatewayMulticastDomainAssociationsRequest(input *AcceptTransitGatewayMulticastDomainAssociationsInput) (req *request.Request, output *AcceptTransitGatewayMulticastDomainAssociationsOutput) { + op := &request.Operation{ + Name: opAcceptTransitGatewayMulticastDomainAssociations, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &AcceptTransitGatewayMulticastDomainAssociationsInput{} + } + + output = &AcceptTransitGatewayMulticastDomainAssociationsOutput{} + req = c.newRequest(op, input, output) + return +} + +// AcceptTransitGatewayMulticastDomainAssociations API operation for Amazon Elastic Compute Cloud. +// +// Accepts a request to associate subnets with a transit gateway multicast domain. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Amazon Elastic Compute Cloud's +// API operation AcceptTransitGatewayMulticastDomainAssociations for usage and error information. +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/AcceptTransitGatewayMulticastDomainAssociations +func (c *EC2) AcceptTransitGatewayMulticastDomainAssociations(input *AcceptTransitGatewayMulticastDomainAssociationsInput) (*AcceptTransitGatewayMulticastDomainAssociationsOutput, error) { + req, out := c.AcceptTransitGatewayMulticastDomainAssociationsRequest(input) + return out, req.Send() +} + +// AcceptTransitGatewayMulticastDomainAssociationsWithContext is the same as AcceptTransitGatewayMulticastDomainAssociations with the addition of +// the ability to pass a context and additional request options. +// +// See AcceptTransitGatewayMulticastDomainAssociations for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) AcceptTransitGatewayMulticastDomainAssociationsWithContext(ctx aws.Context, input *AcceptTransitGatewayMulticastDomainAssociationsInput, opts ...request.Option) (*AcceptTransitGatewayMulticastDomainAssociationsOutput, error) { + req, out := c.AcceptTransitGatewayMulticastDomainAssociationsRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + const opAcceptTransitGatewayPeeringAttachment = "AcceptTransitGatewayPeeringAttachment" // AcceptTransitGatewayPeeringAttachmentRequest generates a "aws/request.Request" representing the @@ -2039,7 +2113,7 @@ func (c *EC2) AttachVolumeRequest(input *AttachVolumeInput) (req *request.Reques // the instance with the specified device name. // // Encrypted EBS volumes must be attached to instances that support Amazon EBS -// encryption. For more information, see Amazon EBS Encryption (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html) +// encryption. For more information, see Amazon EBS encryption (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html) // in the Amazon Elastic Compute Cloud User Guide. // // After you attach an EBS volume, you must make it available. For more information, @@ -2941,7 +3015,7 @@ func (c *EC2) CancelReservedInstancesListingRequest(input *CancelReservedInstanc // Marketplace. // // For more information, see Reserved Instance Marketplace (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ri-market-general.html) -// in the Amazon Elastic Compute Cloud User Guide. +// in the Amazon EC2 User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -3323,14 +3397,25 @@ func (c *EC2) CopyImageRequest(input *CopyImageInput) (req *request.Request, out // CopyImage API operation for Amazon Elastic Compute Cloud. // -// Initiates the copy of an AMI from the specified source Region to the current -// Region. You specify the destination Region by using its endpoint when making -// the request. +// Initiates the copy of an AMI. You can copy an AMI from one Region to another, +// or from a Region to an AWS Outpost. You can't copy an AMI from an Outpost +// to a Region, from one Outpost to another, or within the same Outpost. // -// Copies of encrypted backing snapshots for the AMI are encrypted. Copies of -// unencrypted backing snapshots remain unencrypted, unless you set Encrypted -// during the copy operation. You cannot create an unencrypted copy of an encrypted -// backing snapshot. +// To copy an AMI from one Region to another, specify the source Region using +// the SourceRegion parameter, and specify the destination Region using its +// endpoint. Copies of encrypted backing snapshots for the AMI are encrypted. +// Copies of unencrypted backing snapshots remain unencrypted, unless you set +// Encrypted during the copy operation. You cannot create an unencrypted copy +// of an encrypted backing snapshot. +// +// To copy an AMI from a Region to an Outpost, specify the source Region using +// the SourceRegion parameter, and specify the ARN of the destination Outpost +// using DestinationOutpostArn. Backing snapshots copied to an Outpost are encrypted +// by default using the default encryption key for the Region, or a different +// key that you specify in the request using KmsKeyId. Outposts do not support +// unencrypted snapshots. For more information, Amazon EBS local snapshots on +// Outposts (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshots-outposts.html#ami) +// in the Amazon Elastic Compute Cloud User Guide. // // For more information about the prerequisites and limits when copying an AMI, // see Copying an AMI (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/CopyingAMIs.html) @@ -3409,18 +3494,25 @@ func (c *EC2) CopySnapshotRequest(input *CopySnapshotInput) (req *request.Reques // CopySnapshot API operation for Amazon Elastic Compute Cloud. // // Copies a point-in-time snapshot of an EBS volume and stores it in Amazon -// S3. You can copy the snapshot within the same Region or from one Region to -// another. You can use the snapshot to create EBS volumes or Amazon Machine -// Images (AMIs). +// S3. You can copy a snapshot within the same Region, from one Region to another, +// or from a Region to an Outpost. You can't copy a snapshot from an Outpost +// to a Region, from one Outpost to another, or within the same Outpost. // -// Copies of encrypted EBS snapshots remain encrypted. Copies of unencrypted -// snapshots remain unencrypted, unless you enable encryption for the snapshot -// copy operation. By default, encrypted snapshot copies use the default AWS -// Key Management Service (AWS KMS) customer master key (CMK); however, you -// can specify a different CMK. +// You can use the snapshot to create EBS volumes or Amazon Machine Images (AMIs). // -// To copy an encrypted snapshot that has been shared from another account, -// you must have permissions for the CMK used to encrypt the snapshot. +// When copying snapshots to a Region, copies of encrypted EBS snapshots remain +// encrypted. Copies of unencrypted snapshots remain unencrypted, unless you +// enable encryption for the snapshot copy operation. By default, encrypted +// snapshot copies use the default AWS Key Management Service (AWS KMS) customer +// master key (CMK); however, you can specify a different CMK. To copy an encrypted +// snapshot that has been shared from another account, you must have permissions +// for the CMK used to encrypt the snapshot. +// +// Snapshots copied to an Outpost are encrypted by default using the default +// encryption key for the Region, or a different key that you specify in the +// request using KmsKeyId. Outposts do not support unencrypted snapshots. For +// more information, Amazon EBS local snapshots on Outposts (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshots-outposts.html#ami) +// in the Amazon Elastic Compute Cloud User Guide. // // Snapshots created by copying another snapshot have an arbitrary volume ID // that should not be used for any purpose. @@ -3509,7 +3601,7 @@ func (c *EC2) CreateCapacityReservationRequest(input *CreateCapacityReservationI // you ensure that you always have access to Amazon EC2 capacity when you need // it, for as long as you need it. For more information, see Capacity Reservations // (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-capacity-reservations.html) -// in the Amazon Elastic Compute Cloud User Guide. +// in the Amazon EC2 User Guide. // // Your request to create a Capacity Reservation could fail if Amazon EC2 does // not have sufficient capacity to fulfill the request. If your request fails @@ -3522,8 +3614,8 @@ func (c *EC2) CreateCapacityReservationRequest(input *CreateCapacityReservationI // Instance limit for the selected instance type. If your request fails due // to limit constraints, increase your On-Demand Instance limit for the required // instance type and try again. For more information about increasing your instance -// limits, see Amazon EC2 Service Limits (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-resource-limits.html) -// in the Amazon Elastic Compute Cloud User Guide. +// limits, see Amazon EC2 Service Quotas (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-resource-limits.html) +// in the Amazon EC2 User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -4288,7 +4380,7 @@ func (c *EC2) CreateFleetRequest(input *CreateFleetInput) (req *request.Request, // that vary by instance type, AMI, Availability Zone, or subnet. // // For more information, see Launching an EC2 Fleet (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet.html) -// in the Amazon Elastic Compute Cloud User Guide. +// in the Amazon EC2 User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -5448,6 +5540,84 @@ func (c *EC2) CreateNetworkAclEntryWithContext(ctx aws.Context, input *CreateNet return out, req.Send() } +const opCreateNetworkInsightsPath = "CreateNetworkInsightsPath" + +// CreateNetworkInsightsPathRequest generates a "aws/request.Request" representing the +// client's request for the CreateNetworkInsightsPath operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See CreateNetworkInsightsPath for more information on using the CreateNetworkInsightsPath +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the CreateNetworkInsightsPathRequest method. +// req, resp := client.CreateNetworkInsightsPathRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/CreateNetworkInsightsPath +func (c *EC2) CreateNetworkInsightsPathRequest(input *CreateNetworkInsightsPathInput) (req *request.Request, output *CreateNetworkInsightsPathOutput) { + op := &request.Operation{ + Name: opCreateNetworkInsightsPath, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &CreateNetworkInsightsPathInput{} + } + + output = &CreateNetworkInsightsPathOutput{} + req = c.newRequest(op, input, output) + return +} + +// CreateNetworkInsightsPath API operation for Amazon Elastic Compute Cloud. +// +// Creates a path to analyze for reachability. +// +// Reachability Analyzer enables you to analyze and debug network reachability +// between two resources in your virtual private cloud (VPC). For more information, +// see What is Reachability Analyzer (https://docs.aws.amazon.com/vpc/latest/reachability/). +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Amazon Elastic Compute Cloud's +// API operation CreateNetworkInsightsPath for usage and error information. +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/CreateNetworkInsightsPath +func (c *EC2) CreateNetworkInsightsPath(input *CreateNetworkInsightsPathInput) (*CreateNetworkInsightsPathOutput, error) { + req, out := c.CreateNetworkInsightsPathRequest(input) + return out, req.Send() +} + +// CreateNetworkInsightsPathWithContext is the same as CreateNetworkInsightsPath with the addition of +// the ability to pass a context and additional request options. +// +// See CreateNetworkInsightsPath for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) CreateNetworkInsightsPathWithContext(ctx aws.Context, input *CreateNetworkInsightsPathInput, opts ...request.Option) (*CreateNetworkInsightsPathOutput, error) { + req, out := c.CreateNetworkInsightsPathRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + const opCreateNetworkInterface = "CreateNetworkInterface" // CreateNetworkInterfaceRequest generates a "aws/request.Request" representing the @@ -5659,7 +5829,7 @@ func (c *EC2) CreatePlacementGroupRequest(input *CreatePlacementGroupInput) (req // in another partition. // // For more information, see Placement groups (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html) -// in the Amazon Elastic Compute Cloud User Guide. +// in the Amazon EC2 User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -5755,7 +5925,7 @@ func (c *EC2) CreateReservedInstancesListingRequest(input *CreateReservedInstanc // you can use the DescribeReservedInstancesListings operation. // // For more information, see Reserved Instance Marketplace (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ri-market-general.html) -// in the Amazon Elastic Compute Cloud User Guide. +// in the Amazon EC2 User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -6103,12 +6273,18 @@ func (c *EC2) CreateSnapshotRequest(input *CreateSnapshotInput) (req *request.Re // snapshots for backups, to make copies of EBS volumes, and to save data before // shutting down an instance. // +// You can create snapshots of volumes in a Region and volumes on an Outpost. +// If you create a snapshot of a volume in a Region, the snapshot must be stored +// in the same Region as the volume. If you create a snapshot of a volume on +// an Outpost, the snapshot can be stored on the same Outpost as the volume, +// or in the Region for that Outpost. +// // When a snapshot is created, any AWS Marketplace product codes that are associated // with the source volume are propagated to the snapshot. // // You can take a snapshot of an attached volume that is in use. However, snapshots // only capture data that has been written to your EBS volume at the time the -// snapshot command is issued; this may exclude any data that has been cached +// snapshot command is issued; this might exclude any data that has been cached // by any applications or the operating system. If you can pause any file systems // on the volume long enough to take a snapshot, your snapshot should be complete. // However, if you cannot pause all file writes to the volume, you should unmount @@ -6129,7 +6305,7 @@ func (c *EC2) CreateSnapshotRequest(input *CreateSnapshotInput) (req *request.Re // in the Amazon Elastic Compute Cloud User Guide. // // For more information, see Amazon Elastic Block Store (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html) -// and Amazon EBS Encryption (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html) +// and Amazon EBS encryption (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html) // in the Amazon Elastic Compute Cloud User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -6209,6 +6385,12 @@ func (c *EC2) CreateSnapshotsRequest(input *CreateSnapshotsInput) (req *request. // will produce one snapshot each that is crash-consistent across the instance. // Boot volumes can be excluded by changing the parameters. // +// You can create multi-volume snapshots of instances in a Region and instances +// on an Outpost. If you create snapshots from an instance in a Region, the +// snapshots must be stored in the same Region as the instance. If you create +// snapshots from an instance on an Outpost, the snapshots can be stored on +// the same Outpost as the instance, or in the Region for that Outpost. +// // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about // the error. @@ -6916,6 +7098,166 @@ func (c *EC2) CreateTransitGatewayWithContext(ctx aws.Context, input *CreateTran return out, req.Send() } +const opCreateTransitGatewayConnect = "CreateTransitGatewayConnect" + +// CreateTransitGatewayConnectRequest generates a "aws/request.Request" representing the +// client's request for the CreateTransitGatewayConnect operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See CreateTransitGatewayConnect for more information on using the CreateTransitGatewayConnect +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the CreateTransitGatewayConnectRequest method. +// req, resp := client.CreateTransitGatewayConnectRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/CreateTransitGatewayConnect +func (c *EC2) CreateTransitGatewayConnectRequest(input *CreateTransitGatewayConnectInput) (req *request.Request, output *CreateTransitGatewayConnectOutput) { + op := &request.Operation{ + Name: opCreateTransitGatewayConnect, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &CreateTransitGatewayConnectInput{} + } + + output = &CreateTransitGatewayConnectOutput{} + req = c.newRequest(op, input, output) + return +} + +// CreateTransitGatewayConnect API operation for Amazon Elastic Compute Cloud. +// +// Creates a Connect attachment from a specified transit gateway attachment. +// A Connect attachment is a GRE-based tunnel attachment that you can use to +// establish a connection between a transit gateway and an appliance. +// +// A Connect attachment uses an existing VPC or AWS Direct Connect attachment +// as the underlying transport mechanism. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Amazon Elastic Compute Cloud's +// API operation CreateTransitGatewayConnect for usage and error information. +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/CreateTransitGatewayConnect +func (c *EC2) CreateTransitGatewayConnect(input *CreateTransitGatewayConnectInput) (*CreateTransitGatewayConnectOutput, error) { + req, out := c.CreateTransitGatewayConnectRequest(input) + return out, req.Send() +} + +// CreateTransitGatewayConnectWithContext is the same as CreateTransitGatewayConnect with the addition of +// the ability to pass a context and additional request options. +// +// See CreateTransitGatewayConnect for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) CreateTransitGatewayConnectWithContext(ctx aws.Context, input *CreateTransitGatewayConnectInput, opts ...request.Option) (*CreateTransitGatewayConnectOutput, error) { + req, out := c.CreateTransitGatewayConnectRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opCreateTransitGatewayConnectPeer = "CreateTransitGatewayConnectPeer" + +// CreateTransitGatewayConnectPeerRequest generates a "aws/request.Request" representing the +// client's request for the CreateTransitGatewayConnectPeer operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See CreateTransitGatewayConnectPeer for more information on using the CreateTransitGatewayConnectPeer +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the CreateTransitGatewayConnectPeerRequest method. +// req, resp := client.CreateTransitGatewayConnectPeerRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/CreateTransitGatewayConnectPeer +func (c *EC2) CreateTransitGatewayConnectPeerRequest(input *CreateTransitGatewayConnectPeerInput) (req *request.Request, output *CreateTransitGatewayConnectPeerOutput) { + op := &request.Operation{ + Name: opCreateTransitGatewayConnectPeer, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &CreateTransitGatewayConnectPeerInput{} + } + + output = &CreateTransitGatewayConnectPeerOutput{} + req = c.newRequest(op, input, output) + return +} + +// CreateTransitGatewayConnectPeer API operation for Amazon Elastic Compute Cloud. +// +// Creates a Connect peer for a specified transit gateway Connect attachment +// between a transit gateway and an appliance. +// +// The peer address and transit gateway address must be the same IP address +// family (IPv4 or IPv6). +// +// For more information, see Connect peers (https://docs.aws.amazon.com/vpc/latest/tgw/tgw-connect.html#tgw-connect-peer) +// in the Transit Gateways Guide. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Amazon Elastic Compute Cloud's +// API operation CreateTransitGatewayConnectPeer for usage and error information. +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/CreateTransitGatewayConnectPeer +func (c *EC2) CreateTransitGatewayConnectPeer(input *CreateTransitGatewayConnectPeerInput) (*CreateTransitGatewayConnectPeerOutput, error) { + req, out := c.CreateTransitGatewayConnectPeerRequest(input) + return out, req.Send() +} + +// CreateTransitGatewayConnectPeerWithContext is the same as CreateTransitGatewayConnectPeer with the addition of +// the ability to pass a context and additional request options. +// +// See CreateTransitGatewayConnectPeer for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) CreateTransitGatewayConnectPeerWithContext(ctx aws.Context, input *CreateTransitGatewayConnectPeerInput, opts ...request.Option) (*CreateTransitGatewayConnectPeerOutput, error) { + req, out := c.CreateTransitGatewayConnectPeerRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + const opCreateTransitGatewayMulticastDomain = "CreateTransitGatewayMulticastDomain" // CreateTransitGatewayMulticastDomainRequest generates a "aws/request.Request" representing the @@ -7423,8 +7765,7 @@ func (c *EC2) CreateVolumeRequest(input *CreateVolumeInput) (req *request.Reques // CreateVolume API operation for Amazon Elastic Compute Cloud. // // Creates an EBS volume that can be attached to an instance in the same Availability -// Zone. The volume is created in the regional endpoint that you send the HTTP -// request to. For more information see Regions and Endpoints (https://docs.aws.amazon.com/general/latest/gr/rande.html). +// Zone. // // You can create a new empty volume or restore a volume from an EBS snapshot. // Any AWS Marketplace product codes from the snapshot are propagated to the @@ -7433,7 +7774,7 @@ func (c *EC2) CreateVolumeRequest(input *CreateVolumeInput) (req *request.Reques // You can create encrypted volumes. Encrypted volumes must be attached to instances // that support Amazon EBS encryption. Volumes that are created from encrypted // snapshots are also automatically encrypted. For more information, see Amazon -// EBS Encryption (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html) +// EBS encryption (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html) // in the Amazon Elastic Compute Cloud User Guide. // // You can tag your volumes during creation. For more information, see Tagging @@ -7624,6 +7965,10 @@ func (c *EC2) CreateVpcEndpointRequest(input *CreateVpcEndpointInput) (req *requ // the subnets in which to create an endpoint, and the security groups to associate // with the endpoint network interface. // +// A GatewayLoadBalancer endpoint is a network interface in your subnet that +// serves an endpoint for communicating with a Gateway Load Balancer that you've +// configured as a VPC endpoint service. +// // Use DescribeVpcEndpointServices to get a list of supported services. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -7779,12 +8124,19 @@ func (c *EC2) CreateVpcEndpointServiceConfigurationRequest(input *CreateVpcEndpo // CreateVpcEndpointServiceConfiguration API operation for Amazon Elastic Compute Cloud. // // Creates a VPC endpoint service configuration to which service consumers (AWS -// accounts, IAM users, and IAM roles) can connect. Service consumers can create -// an interface VPC endpoint to connect to your service. +// accounts, IAM users, and IAM roles) can connect. // -// To create an endpoint service configuration, you must first create a Network -// Load Balancer for your service. For more information, see VPC Endpoint Services -// (https://docs.aws.amazon.com/vpc/latest/userguide/endpoint-service.html) +// To create an endpoint service configuration, you must first create one of +// the following for your service: +// +// * A Network Load Balancer (https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html). +// Service consumers connect to your service using an interface endpoint. +// +// * A Gateway Load Balancer (https://docs.aws.amazon.com/elasticloadbalancing/latest/gateway/introduction.html). +// Service consumers connect to your service using a Gateway Load Balancer +// endpoint. +// +// For more information, see VPC Endpoint Services (https://docs.aws.amazon.com/vpc/latest/userguide/endpoint-service.html) // in the Amazon Virtual Private Cloud User Guide. // // If you set the private DNS name, you must prove that you own the private @@ -8666,11 +9018,29 @@ func (c *EC2) DeleteFleetsRequest(input *DeleteFleetsInput) (req *request.Reques // // Deletes the specified EC2 Fleet. // -// After you delete an EC2 Fleet, it launches no new instances. You must specify -// whether an EC2 Fleet should also terminate its instances. If you terminate -// the instances, the EC2 Fleet enters the deleted_terminating state. Otherwise, -// the EC2 Fleet enters the deleted_running state, and the instances continue -// to run until they are interrupted or you terminate them manually. +// After you delete an EC2 Fleet, it launches no new instances. +// +// You must specify whether a deleted EC2 Fleet should also terminate its instances. +// If you choose to terminate the instances, the EC2 Fleet enters the deleted_terminating +// state. Otherwise, the EC2 Fleet enters the deleted_running state, and the +// instances continue to run until they are interrupted or you terminate them +// manually. +// +// For instant fleets, EC2 Fleet must terminate the instances when the fleet +// is deleted. A deleted instant fleet with running instances is not supported. +// +// Restrictions +// +// * You can delete up to 25 instant fleets in a single request. If you exceed +// this number, no instant fleets are deleted and an error is returned. There +// is no restriction on the number of fleets of type maintain or request +// that can be deleted in a single request. +// +// * Up to 1000 instances can be terminated in a single request to delete +// instant fleets. +// +// For more information, see Deleting an EC2 Fleet (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/manage-ec2-fleet.html#delete-fleet) +// in the Amazon EC2 User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -9602,6 +9972,154 @@ func (c *EC2) DeleteNetworkAclEntryWithContext(ctx aws.Context, input *DeleteNet return out, req.Send() } +const opDeleteNetworkInsightsAnalysis = "DeleteNetworkInsightsAnalysis" + +// DeleteNetworkInsightsAnalysisRequest generates a "aws/request.Request" representing the +// client's request for the DeleteNetworkInsightsAnalysis operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See DeleteNetworkInsightsAnalysis for more information on using the DeleteNetworkInsightsAnalysis +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the DeleteNetworkInsightsAnalysisRequest method. +// req, resp := client.DeleteNetworkInsightsAnalysisRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DeleteNetworkInsightsAnalysis +func (c *EC2) DeleteNetworkInsightsAnalysisRequest(input *DeleteNetworkInsightsAnalysisInput) (req *request.Request, output *DeleteNetworkInsightsAnalysisOutput) { + op := &request.Operation{ + Name: opDeleteNetworkInsightsAnalysis, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &DeleteNetworkInsightsAnalysisInput{} + } + + output = &DeleteNetworkInsightsAnalysisOutput{} + req = c.newRequest(op, input, output) + return +} + +// DeleteNetworkInsightsAnalysis API operation for Amazon Elastic Compute Cloud. +// +// Deletes the specified network insights analysis. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Amazon Elastic Compute Cloud's +// API operation DeleteNetworkInsightsAnalysis for usage and error information. +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DeleteNetworkInsightsAnalysis +func (c *EC2) DeleteNetworkInsightsAnalysis(input *DeleteNetworkInsightsAnalysisInput) (*DeleteNetworkInsightsAnalysisOutput, error) { + req, out := c.DeleteNetworkInsightsAnalysisRequest(input) + return out, req.Send() +} + +// DeleteNetworkInsightsAnalysisWithContext is the same as DeleteNetworkInsightsAnalysis with the addition of +// the ability to pass a context and additional request options. +// +// See DeleteNetworkInsightsAnalysis for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) DeleteNetworkInsightsAnalysisWithContext(ctx aws.Context, input *DeleteNetworkInsightsAnalysisInput, opts ...request.Option) (*DeleteNetworkInsightsAnalysisOutput, error) { + req, out := c.DeleteNetworkInsightsAnalysisRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opDeleteNetworkInsightsPath = "DeleteNetworkInsightsPath" + +// DeleteNetworkInsightsPathRequest generates a "aws/request.Request" representing the +// client's request for the DeleteNetworkInsightsPath operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See DeleteNetworkInsightsPath for more information on using the DeleteNetworkInsightsPath +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the DeleteNetworkInsightsPathRequest method. +// req, resp := client.DeleteNetworkInsightsPathRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DeleteNetworkInsightsPath +func (c *EC2) DeleteNetworkInsightsPathRequest(input *DeleteNetworkInsightsPathInput) (req *request.Request, output *DeleteNetworkInsightsPathOutput) { + op := &request.Operation{ + Name: opDeleteNetworkInsightsPath, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &DeleteNetworkInsightsPathInput{} + } + + output = &DeleteNetworkInsightsPathOutput{} + req = c.newRequest(op, input, output) + return +} + +// DeleteNetworkInsightsPath API operation for Amazon Elastic Compute Cloud. +// +// Deletes the specified path. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Amazon Elastic Compute Cloud's +// API operation DeleteNetworkInsightsPath for usage and error information. +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DeleteNetworkInsightsPath +func (c *EC2) DeleteNetworkInsightsPath(input *DeleteNetworkInsightsPathInput) (*DeleteNetworkInsightsPathOutput, error) { + req, out := c.DeleteNetworkInsightsPathRequest(input) + return out, req.Send() +} + +// DeleteNetworkInsightsPathWithContext is the same as DeleteNetworkInsightsPath with the addition of +// the ability to pass a context and additional request options. +// +// See DeleteNetworkInsightsPath for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) DeleteNetworkInsightsPathWithContext(ctx aws.Context, input *DeleteNetworkInsightsPathInput, opts ...request.Option) (*DeleteNetworkInsightsPathOutput, error) { + req, out := c.DeleteNetworkInsightsPathRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + const opDeleteNetworkInterface = "DeleteNetworkInterface" // DeleteNetworkInterfaceRequest generates a "aws/request.Request" representing the @@ -9803,7 +10321,7 @@ func (c *EC2) DeletePlacementGroupRequest(input *DeletePlacementGroupInput) (req // Deletes the specified placement group. You must terminate all instances in // the placement group before you can delete the placement group. For more information, // see Placement groups (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html) -// in the Amazon Elastic Compute Cloud User Guide. +// in the Amazon EC2 User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -10833,6 +11351,155 @@ func (c *EC2) DeleteTransitGatewayWithContext(ctx aws.Context, input *DeleteTran return out, req.Send() } +const opDeleteTransitGatewayConnect = "DeleteTransitGatewayConnect" + +// DeleteTransitGatewayConnectRequest generates a "aws/request.Request" representing the +// client's request for the DeleteTransitGatewayConnect operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See DeleteTransitGatewayConnect for more information on using the DeleteTransitGatewayConnect +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the DeleteTransitGatewayConnectRequest method. +// req, resp := client.DeleteTransitGatewayConnectRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DeleteTransitGatewayConnect +func (c *EC2) DeleteTransitGatewayConnectRequest(input *DeleteTransitGatewayConnectInput) (req *request.Request, output *DeleteTransitGatewayConnectOutput) { + op := &request.Operation{ + Name: opDeleteTransitGatewayConnect, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &DeleteTransitGatewayConnectInput{} + } + + output = &DeleteTransitGatewayConnectOutput{} + req = c.newRequest(op, input, output) + return +} + +// DeleteTransitGatewayConnect API operation for Amazon Elastic Compute Cloud. +// +// Deletes the specified Connect attachment. You must first delete any Connect +// peers for the attachment. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Amazon Elastic Compute Cloud's +// API operation DeleteTransitGatewayConnect for usage and error information. +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DeleteTransitGatewayConnect +func (c *EC2) DeleteTransitGatewayConnect(input *DeleteTransitGatewayConnectInput) (*DeleteTransitGatewayConnectOutput, error) { + req, out := c.DeleteTransitGatewayConnectRequest(input) + return out, req.Send() +} + +// DeleteTransitGatewayConnectWithContext is the same as DeleteTransitGatewayConnect with the addition of +// the ability to pass a context and additional request options. +// +// See DeleteTransitGatewayConnect for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) DeleteTransitGatewayConnectWithContext(ctx aws.Context, input *DeleteTransitGatewayConnectInput, opts ...request.Option) (*DeleteTransitGatewayConnectOutput, error) { + req, out := c.DeleteTransitGatewayConnectRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opDeleteTransitGatewayConnectPeer = "DeleteTransitGatewayConnectPeer" + +// DeleteTransitGatewayConnectPeerRequest generates a "aws/request.Request" representing the +// client's request for the DeleteTransitGatewayConnectPeer operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See DeleteTransitGatewayConnectPeer for more information on using the DeleteTransitGatewayConnectPeer +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the DeleteTransitGatewayConnectPeerRequest method. +// req, resp := client.DeleteTransitGatewayConnectPeerRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DeleteTransitGatewayConnectPeer +func (c *EC2) DeleteTransitGatewayConnectPeerRequest(input *DeleteTransitGatewayConnectPeerInput) (req *request.Request, output *DeleteTransitGatewayConnectPeerOutput) { + op := &request.Operation{ + Name: opDeleteTransitGatewayConnectPeer, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &DeleteTransitGatewayConnectPeerInput{} + } + + output = &DeleteTransitGatewayConnectPeerOutput{} + req = c.newRequest(op, input, output) + return +} + +// DeleteTransitGatewayConnectPeer API operation for Amazon Elastic Compute Cloud. +// +// Deletes the specified Connect peer. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Amazon Elastic Compute Cloud's +// API operation DeleteTransitGatewayConnectPeer for usage and error information. +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DeleteTransitGatewayConnectPeer +func (c *EC2) DeleteTransitGatewayConnectPeer(input *DeleteTransitGatewayConnectPeerInput) (*DeleteTransitGatewayConnectPeerOutput, error) { + req, out := c.DeleteTransitGatewayConnectPeerRequest(input) + return out, req.Send() +} + +// DeleteTransitGatewayConnectPeerWithContext is the same as DeleteTransitGatewayConnectPeer with the addition of +// the ability to pass a context and additional request options. +// +// See DeleteTransitGatewayConnectPeer for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) DeleteTransitGatewayConnectPeerWithContext(ctx aws.Context, input *DeleteTransitGatewayConnectPeerInput, opts ...request.Option) (*DeleteTransitGatewayConnectPeerOutput, error) { + req, out := c.DeleteTransitGatewayConnectPeerRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + const opDeleteTransitGatewayMulticastDomain = "DeleteTransitGatewayMulticastDomain" // DeleteTransitGatewayMulticastDomainRequest generates a "aws/request.Request" representing the @@ -11635,10 +12302,26 @@ func (c *EC2) DeleteVpcEndpointsRequest(input *DeleteVpcEndpointsInput) (req *re // DeleteVpcEndpoints API operation for Amazon Elastic Compute Cloud. // -// Deletes one or more specified VPC endpoints. Deleting a gateway endpoint -// also deletes the endpoint routes in the route tables that were associated -// with the endpoint. Deleting an interface endpoint deletes the endpoint network -// interfaces. +// Deletes one or more specified VPC endpoints. You can delete any of the following +// types of VPC endpoints. +// +// * Gateway endpoint, +// +// * Gateway Load Balancer endpoint, +// +// * Interface endpoint +// +// The following rules apply when you delete a VPC endpoint: +// +// * When you delete a gateway endpoint, we delete the endpoint routes in +// the route tables that are associated with the endpoint. +// +// * When you delete a Gateway Load Balancer endpoint, we delete the endpoint +// network interfaces. You can only delete Gateway Load Balancer endpoints +// when the routes that are associated with the endpoint are deleted. +// +// * When you delete an interface endpoint, we delete the endpoint network +// interfaces. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -12550,6 +13233,139 @@ func (c *EC2) DescribeAddressesWithContext(ctx aws.Context, input *DescribeAddre return out, req.Send() } +const opDescribeAddressesAttribute = "DescribeAddressesAttribute" + +// DescribeAddressesAttributeRequest generates a "aws/request.Request" representing the +// client's request for the DescribeAddressesAttribute operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See DescribeAddressesAttribute for more information on using the DescribeAddressesAttribute +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the DescribeAddressesAttributeRequest method. +// req, resp := client.DescribeAddressesAttributeRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DescribeAddressesAttribute +func (c *EC2) DescribeAddressesAttributeRequest(input *DescribeAddressesAttributeInput) (req *request.Request, output *DescribeAddressesAttributeOutput) { + op := &request.Operation{ + Name: opDescribeAddressesAttribute, + HTTPMethod: "POST", + HTTPPath: "/", + Paginator: &request.Paginator{ + InputTokens: []string{"NextToken"}, + OutputTokens: []string{"NextToken"}, + LimitToken: "MaxResults", + TruncationToken: "", + }, + } + + if input == nil { + input = &DescribeAddressesAttributeInput{} + } + + output = &DescribeAddressesAttributeOutput{} + req = c.newRequest(op, input, output) + return +} + +// DescribeAddressesAttribute API operation for Amazon Elastic Compute Cloud. +// +// Describes the attributes of the specified Elastic IP addresses. For requirements, +// see Using reverse DNS for email applications (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html#Using_Elastic_Addressing_Reverse_DNS). +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Amazon Elastic Compute Cloud's +// API operation DescribeAddressesAttribute for usage and error information. +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DescribeAddressesAttribute +func (c *EC2) DescribeAddressesAttribute(input *DescribeAddressesAttributeInput) (*DescribeAddressesAttributeOutput, error) { + req, out := c.DescribeAddressesAttributeRequest(input) + return out, req.Send() +} + +// DescribeAddressesAttributeWithContext is the same as DescribeAddressesAttribute with the addition of +// the ability to pass a context and additional request options. +// +// See DescribeAddressesAttribute for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) DescribeAddressesAttributeWithContext(ctx aws.Context, input *DescribeAddressesAttributeInput, opts ...request.Option) (*DescribeAddressesAttributeOutput, error) { + req, out := c.DescribeAddressesAttributeRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +// DescribeAddressesAttributePages iterates over the pages of a DescribeAddressesAttribute operation, +// calling the "fn" function with the response data for each page. To stop +// iterating, return false from the fn function. +// +// See DescribeAddressesAttribute method for more information on how to use this operation. +// +// Note: This operation can generate multiple requests to a service. +// +// // Example iterating over at most 3 pages of a DescribeAddressesAttribute operation. +// pageNum := 0 +// err := client.DescribeAddressesAttributePages(params, +// func(page *ec2.DescribeAddressesAttributeOutput, lastPage bool) bool { +// pageNum++ +// fmt.Println(page) +// return pageNum <= 3 +// }) +// +func (c *EC2) DescribeAddressesAttributePages(input *DescribeAddressesAttributeInput, fn func(*DescribeAddressesAttributeOutput, bool) bool) error { + return c.DescribeAddressesAttributePagesWithContext(aws.BackgroundContext(), input, fn) +} + +// DescribeAddressesAttributePagesWithContext same as DescribeAddressesAttributePages except +// it takes a Context and allows setting request options on the pages. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) DescribeAddressesAttributePagesWithContext(ctx aws.Context, input *DescribeAddressesAttributeInput, fn func(*DescribeAddressesAttributeOutput, bool) bool, opts ...request.Option) error { + p := request.Pagination{ + NewRequest: func() (*request.Request, error) { + var inCpy *DescribeAddressesAttributeInput + if input != nil { + tmp := *input + inCpy = &tmp + } + req, _ := c.DescribeAddressesAttributeRequest(inCpy) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return req, nil + }, + } + + for p.Next() { + if !fn(p.Page().(*DescribeAddressesAttributeOutput), !p.HasNextPage()) { + break + } + } + + return p.Err() +} + const opDescribeAggregateIdFormat = "DescribeAggregateIdFormat" // DescribeAggregateIdFormatRequest generates a "aws/request.Request" representing the @@ -15013,6 +15829,9 @@ func (c *EC2) DescribeFleetHistoryRequest(input *DescribeFleetHistoryInput) (req // This ensures that you can query by the last evaluated time and not miss a // recorded event. EC2 Fleet events are available for 48 hours. // +// For more information, see Monitoring your EC2 Fleet (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet.html#monitor-ec2-fleet) +// in the Amazon EC2 User Guide. +// // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about // the error. @@ -15087,6 +15906,9 @@ func (c *EC2) DescribeFleetInstancesRequest(input *DescribeFleetInstancesInput) // // Describes the running instances for the specified EC2 Fleet. // +// For more information, see Monitoring your EC2 Fleet (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet.html#monitor-ec2-fleet) +// in the Amazon EC2 User Guide. +// // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about // the error. @@ -15167,6 +15989,9 @@ func (c *EC2) DescribeFleetsRequest(input *DescribeFleetsInput) (req *request.Re // // Describes the specified EC2 Fleets or all of your EC2 Fleets. // +// For more information, see Monitoring your EC2 Fleet (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet.html#monitor-ec2-fleet) +// in the Amazon EC2 User Guide. +// // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about // the error. @@ -15646,8 +16471,8 @@ func (c *EC2) DescribeHostReservationOfferingsRequest(input *DescribeHostReserva // Hosts. When purchasing an offering, ensure that the instance family and Region // of the offering matches that of the Dedicated Hosts with which it is to be // associated. For more information about supported instance types, see Dedicated -// Hosts Overview (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/dedicated-hosts-overview.html) -// in the Amazon Elastic Compute Cloud User Guide. +// Hosts (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/dedicated-hosts-overview.html) +// in the Amazon EC2 User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -16886,7 +17711,7 @@ func (c *EC2) DescribeInstanceCreditSpecificationsRequest(input *DescribeInstanc // the call works normally. // // For more information, see Burstable performance instances (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances.html) -// in the Amazon Elastic Compute Cloud User Guide. +// in the Amazon EC2 User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -17103,18 +17928,18 @@ func (c *EC2) DescribeInstanceStatusRequest(input *DescribeInstanceStatusInput) // to identify hardware and software issues. For more information, see Status // checks for your instances (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitoring-system-instance-status-check.html) // and Troubleshooting instances with failed status checks (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstances.html) -// in the Amazon Elastic Compute Cloud User Guide. +// in the Amazon EC2 User Guide. // // * Scheduled events - Amazon EC2 can schedule events (such as reboot, stop, // or terminate) for your instances related to hardware issues, software // updates, or system maintenance. For more information, see Scheduled events // for your instances (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitoring-instances-status-check_sched.html) -// in the Amazon Elastic Compute Cloud User Guide. +// in the Amazon EC2 User Guide. // // * Instance state - You can manage your instances from the moment you launch // them through their termination. For more information, see Instance lifecycle // (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-lifecycle.html) -// in the Amazon Elastic Compute Cloud User Guide. +// in the Amazon EC2 User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -19553,6 +20378,270 @@ func (c *EC2) DescribeNetworkAclsPagesWithContext(ctx aws.Context, input *Descri return p.Err() } +const opDescribeNetworkInsightsAnalyses = "DescribeNetworkInsightsAnalyses" + +// DescribeNetworkInsightsAnalysesRequest generates a "aws/request.Request" representing the +// client's request for the DescribeNetworkInsightsAnalyses operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See DescribeNetworkInsightsAnalyses for more information on using the DescribeNetworkInsightsAnalyses +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the DescribeNetworkInsightsAnalysesRequest method. +// req, resp := client.DescribeNetworkInsightsAnalysesRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DescribeNetworkInsightsAnalyses +func (c *EC2) DescribeNetworkInsightsAnalysesRequest(input *DescribeNetworkInsightsAnalysesInput) (req *request.Request, output *DescribeNetworkInsightsAnalysesOutput) { + op := &request.Operation{ + Name: opDescribeNetworkInsightsAnalyses, + HTTPMethod: "POST", + HTTPPath: "/", + Paginator: &request.Paginator{ + InputTokens: []string{"NextToken"}, + OutputTokens: []string{"NextToken"}, + LimitToken: "MaxResults", + TruncationToken: "", + }, + } + + if input == nil { + input = &DescribeNetworkInsightsAnalysesInput{} + } + + output = &DescribeNetworkInsightsAnalysesOutput{} + req = c.newRequest(op, input, output) + return +} + +// DescribeNetworkInsightsAnalyses API operation for Amazon Elastic Compute Cloud. +// +// Describes one or more of your network insights analyses. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Amazon Elastic Compute Cloud's +// API operation DescribeNetworkInsightsAnalyses for usage and error information. +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DescribeNetworkInsightsAnalyses +func (c *EC2) DescribeNetworkInsightsAnalyses(input *DescribeNetworkInsightsAnalysesInput) (*DescribeNetworkInsightsAnalysesOutput, error) { + req, out := c.DescribeNetworkInsightsAnalysesRequest(input) + return out, req.Send() +} + +// DescribeNetworkInsightsAnalysesWithContext is the same as DescribeNetworkInsightsAnalyses with the addition of +// the ability to pass a context and additional request options. +// +// See DescribeNetworkInsightsAnalyses for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) DescribeNetworkInsightsAnalysesWithContext(ctx aws.Context, input *DescribeNetworkInsightsAnalysesInput, opts ...request.Option) (*DescribeNetworkInsightsAnalysesOutput, error) { + req, out := c.DescribeNetworkInsightsAnalysesRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +// DescribeNetworkInsightsAnalysesPages iterates over the pages of a DescribeNetworkInsightsAnalyses operation, +// calling the "fn" function with the response data for each page. To stop +// iterating, return false from the fn function. +// +// See DescribeNetworkInsightsAnalyses method for more information on how to use this operation. +// +// Note: This operation can generate multiple requests to a service. +// +// // Example iterating over at most 3 pages of a DescribeNetworkInsightsAnalyses operation. +// pageNum := 0 +// err := client.DescribeNetworkInsightsAnalysesPages(params, +// func(page *ec2.DescribeNetworkInsightsAnalysesOutput, lastPage bool) bool { +// pageNum++ +// fmt.Println(page) +// return pageNum <= 3 +// }) +// +func (c *EC2) DescribeNetworkInsightsAnalysesPages(input *DescribeNetworkInsightsAnalysesInput, fn func(*DescribeNetworkInsightsAnalysesOutput, bool) bool) error { + return c.DescribeNetworkInsightsAnalysesPagesWithContext(aws.BackgroundContext(), input, fn) +} + +// DescribeNetworkInsightsAnalysesPagesWithContext same as DescribeNetworkInsightsAnalysesPages except +// it takes a Context and allows setting request options on the pages. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) DescribeNetworkInsightsAnalysesPagesWithContext(ctx aws.Context, input *DescribeNetworkInsightsAnalysesInput, fn func(*DescribeNetworkInsightsAnalysesOutput, bool) bool, opts ...request.Option) error { + p := request.Pagination{ + NewRequest: func() (*request.Request, error) { + var inCpy *DescribeNetworkInsightsAnalysesInput + if input != nil { + tmp := *input + inCpy = &tmp + } + req, _ := c.DescribeNetworkInsightsAnalysesRequest(inCpy) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return req, nil + }, + } + + for p.Next() { + if !fn(p.Page().(*DescribeNetworkInsightsAnalysesOutput), !p.HasNextPage()) { + break + } + } + + return p.Err() +} + +const opDescribeNetworkInsightsPaths = "DescribeNetworkInsightsPaths" + +// DescribeNetworkInsightsPathsRequest generates a "aws/request.Request" representing the +// client's request for the DescribeNetworkInsightsPaths operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See DescribeNetworkInsightsPaths for more information on using the DescribeNetworkInsightsPaths +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the DescribeNetworkInsightsPathsRequest method. +// req, resp := client.DescribeNetworkInsightsPathsRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DescribeNetworkInsightsPaths +func (c *EC2) DescribeNetworkInsightsPathsRequest(input *DescribeNetworkInsightsPathsInput) (req *request.Request, output *DescribeNetworkInsightsPathsOutput) { + op := &request.Operation{ + Name: opDescribeNetworkInsightsPaths, + HTTPMethod: "POST", + HTTPPath: "/", + Paginator: &request.Paginator{ + InputTokens: []string{"NextToken"}, + OutputTokens: []string{"NextToken"}, + LimitToken: "MaxResults", + TruncationToken: "", + }, + } + + if input == nil { + input = &DescribeNetworkInsightsPathsInput{} + } + + output = &DescribeNetworkInsightsPathsOutput{} + req = c.newRequest(op, input, output) + return +} + +// DescribeNetworkInsightsPaths API operation for Amazon Elastic Compute Cloud. +// +// Describes one or more of your paths. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Amazon Elastic Compute Cloud's +// API operation DescribeNetworkInsightsPaths for usage and error information. +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DescribeNetworkInsightsPaths +func (c *EC2) DescribeNetworkInsightsPaths(input *DescribeNetworkInsightsPathsInput) (*DescribeNetworkInsightsPathsOutput, error) { + req, out := c.DescribeNetworkInsightsPathsRequest(input) + return out, req.Send() +} + +// DescribeNetworkInsightsPathsWithContext is the same as DescribeNetworkInsightsPaths with the addition of +// the ability to pass a context and additional request options. +// +// See DescribeNetworkInsightsPaths for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) DescribeNetworkInsightsPathsWithContext(ctx aws.Context, input *DescribeNetworkInsightsPathsInput, opts ...request.Option) (*DescribeNetworkInsightsPathsOutput, error) { + req, out := c.DescribeNetworkInsightsPathsRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +// DescribeNetworkInsightsPathsPages iterates over the pages of a DescribeNetworkInsightsPaths operation, +// calling the "fn" function with the response data for each page. To stop +// iterating, return false from the fn function. +// +// See DescribeNetworkInsightsPaths method for more information on how to use this operation. +// +// Note: This operation can generate multiple requests to a service. +// +// // Example iterating over at most 3 pages of a DescribeNetworkInsightsPaths operation. +// pageNum := 0 +// err := client.DescribeNetworkInsightsPathsPages(params, +// func(page *ec2.DescribeNetworkInsightsPathsOutput, lastPage bool) bool { +// pageNum++ +// fmt.Println(page) +// return pageNum <= 3 +// }) +// +func (c *EC2) DescribeNetworkInsightsPathsPages(input *DescribeNetworkInsightsPathsInput, fn func(*DescribeNetworkInsightsPathsOutput, bool) bool) error { + return c.DescribeNetworkInsightsPathsPagesWithContext(aws.BackgroundContext(), input, fn) +} + +// DescribeNetworkInsightsPathsPagesWithContext same as DescribeNetworkInsightsPathsPages except +// it takes a Context and allows setting request options on the pages. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) DescribeNetworkInsightsPathsPagesWithContext(ctx aws.Context, input *DescribeNetworkInsightsPathsInput, fn func(*DescribeNetworkInsightsPathsOutput, bool) bool, opts ...request.Option) error { + p := request.Pagination{ + NewRequest: func() (*request.Request, error) { + var inCpy *DescribeNetworkInsightsPathsInput + if input != nil { + tmp := *input + inCpy = &tmp + } + req, _ := c.DescribeNetworkInsightsPathsRequest(inCpy) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return req, nil + }, + } + + for p.Next() { + if !fn(p.Page().(*DescribeNetworkInsightsPathsOutput), !p.HasNextPage()) { + break + } + } + + return p.Err() +} + const opDescribeNetworkInterfaceAttribute = "DescribeNetworkInterfaceAttribute" // DescribeNetworkInterfaceAttributeRequest generates a "aws/request.Request" representing the @@ -19938,7 +21027,7 @@ func (c *EC2) DescribePlacementGroupsRequest(input *DescribePlacementGroupsInput // // Describes the specified placement groups or all of your placement groups. // For more information, see Placement groups (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html) -// in the Amazon Elastic Compute Cloud User Guide. +// in the Amazon EC2 User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -20510,7 +21599,7 @@ func (c *EC2) DescribeReservedInstancesRequest(input *DescribeReservedInstancesI // Describes one or more of the Reserved Instances that you purchased. // // For more information about Reserved Instances, see Reserved Instances (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts-on-demand-reserved-instances.html) -// in the Amazon Elastic Compute Cloud User Guide. +// in the Amazon EC2 User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -20605,7 +21694,7 @@ func (c *EC2) DescribeReservedInstancesListingsRequest(input *DescribeReservedIn // that you purchase. // // For more information, see Reserved Instance Marketplace (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ri-market-general.html) -// in the Amazon Elastic Compute Cloud User Guide. +// in the Amazon EC2 User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -20691,7 +21780,7 @@ func (c *EC2) DescribeReservedInstancesModificationsRequest(input *DescribeReser // about the specific modification is returned. // // For more information, see Modifying Reserved Instances (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ri-modifying.html) -// in the Amazon Elastic Compute Cloud User Guide. +// in the Amazon EC2 User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -20834,7 +21923,7 @@ func (c *EC2) DescribeReservedInstancesOfferingsRequest(input *DescribeReservedI // that you do not purchase your own Reserved Instances. // // For more information, see Reserved Instance Marketplace (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ri-market-general.html) -// in the Amazon Elastic Compute Cloud User Guide. +// in the Amazon EC2 User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -21589,7 +22678,7 @@ func (c *EC2) DescribeSnapshotAttributeRequest(input *DescribeSnapshotAttributeI // Describes the specified attribute of the specified snapshot. You can specify // only one attribute at a time. // -// For more information about EBS snapshots, see Amazon EBS Snapshots (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html) +// For more information about EBS snapshots, see Amazon EBS snapshots (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html) // in the Amazon Elastic Compute Cloud User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -21718,7 +22807,7 @@ func (c *EC2) DescribeSnapshotsRequest(input *DescribeSnapshotsInput) (req *requ // // To get the state of fast snapshot restores for a snapshot, use DescribeFastSnapshotRestores. // -// For more information about EBS snapshots, see Amazon EBS Snapshots (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html) +// For more information about EBS snapshots, see Amazon EBS snapshots (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html) // in the Amazon Elastic Compute Cloud User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -23389,6 +24478,270 @@ func (c *EC2) DescribeTransitGatewayAttachmentsPagesWithContext(ctx aws.Context, return p.Err() } +const opDescribeTransitGatewayConnectPeers = "DescribeTransitGatewayConnectPeers" + +// DescribeTransitGatewayConnectPeersRequest generates a "aws/request.Request" representing the +// client's request for the DescribeTransitGatewayConnectPeers operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See DescribeTransitGatewayConnectPeers for more information on using the DescribeTransitGatewayConnectPeers +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the DescribeTransitGatewayConnectPeersRequest method. +// req, resp := client.DescribeTransitGatewayConnectPeersRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DescribeTransitGatewayConnectPeers +func (c *EC2) DescribeTransitGatewayConnectPeersRequest(input *DescribeTransitGatewayConnectPeersInput) (req *request.Request, output *DescribeTransitGatewayConnectPeersOutput) { + op := &request.Operation{ + Name: opDescribeTransitGatewayConnectPeers, + HTTPMethod: "POST", + HTTPPath: "/", + Paginator: &request.Paginator{ + InputTokens: []string{"NextToken"}, + OutputTokens: []string{"NextToken"}, + LimitToken: "MaxResults", + TruncationToken: "", + }, + } + + if input == nil { + input = &DescribeTransitGatewayConnectPeersInput{} + } + + output = &DescribeTransitGatewayConnectPeersOutput{} + req = c.newRequest(op, input, output) + return +} + +// DescribeTransitGatewayConnectPeers API operation for Amazon Elastic Compute Cloud. +// +// Describes one or more Connect peers. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Amazon Elastic Compute Cloud's +// API operation DescribeTransitGatewayConnectPeers for usage and error information. +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DescribeTransitGatewayConnectPeers +func (c *EC2) DescribeTransitGatewayConnectPeers(input *DescribeTransitGatewayConnectPeersInput) (*DescribeTransitGatewayConnectPeersOutput, error) { + req, out := c.DescribeTransitGatewayConnectPeersRequest(input) + return out, req.Send() +} + +// DescribeTransitGatewayConnectPeersWithContext is the same as DescribeTransitGatewayConnectPeers with the addition of +// the ability to pass a context and additional request options. +// +// See DescribeTransitGatewayConnectPeers for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) DescribeTransitGatewayConnectPeersWithContext(ctx aws.Context, input *DescribeTransitGatewayConnectPeersInput, opts ...request.Option) (*DescribeTransitGatewayConnectPeersOutput, error) { + req, out := c.DescribeTransitGatewayConnectPeersRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +// DescribeTransitGatewayConnectPeersPages iterates over the pages of a DescribeTransitGatewayConnectPeers operation, +// calling the "fn" function with the response data for each page. To stop +// iterating, return false from the fn function. +// +// See DescribeTransitGatewayConnectPeers method for more information on how to use this operation. +// +// Note: This operation can generate multiple requests to a service. +// +// // Example iterating over at most 3 pages of a DescribeTransitGatewayConnectPeers operation. +// pageNum := 0 +// err := client.DescribeTransitGatewayConnectPeersPages(params, +// func(page *ec2.DescribeTransitGatewayConnectPeersOutput, lastPage bool) bool { +// pageNum++ +// fmt.Println(page) +// return pageNum <= 3 +// }) +// +func (c *EC2) DescribeTransitGatewayConnectPeersPages(input *DescribeTransitGatewayConnectPeersInput, fn func(*DescribeTransitGatewayConnectPeersOutput, bool) bool) error { + return c.DescribeTransitGatewayConnectPeersPagesWithContext(aws.BackgroundContext(), input, fn) +} + +// DescribeTransitGatewayConnectPeersPagesWithContext same as DescribeTransitGatewayConnectPeersPages except +// it takes a Context and allows setting request options on the pages. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) DescribeTransitGatewayConnectPeersPagesWithContext(ctx aws.Context, input *DescribeTransitGatewayConnectPeersInput, fn func(*DescribeTransitGatewayConnectPeersOutput, bool) bool, opts ...request.Option) error { + p := request.Pagination{ + NewRequest: func() (*request.Request, error) { + var inCpy *DescribeTransitGatewayConnectPeersInput + if input != nil { + tmp := *input + inCpy = &tmp + } + req, _ := c.DescribeTransitGatewayConnectPeersRequest(inCpy) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return req, nil + }, + } + + for p.Next() { + if !fn(p.Page().(*DescribeTransitGatewayConnectPeersOutput), !p.HasNextPage()) { + break + } + } + + return p.Err() +} + +const opDescribeTransitGatewayConnects = "DescribeTransitGatewayConnects" + +// DescribeTransitGatewayConnectsRequest generates a "aws/request.Request" representing the +// client's request for the DescribeTransitGatewayConnects operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See DescribeTransitGatewayConnects for more information on using the DescribeTransitGatewayConnects +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the DescribeTransitGatewayConnectsRequest method. +// req, resp := client.DescribeTransitGatewayConnectsRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DescribeTransitGatewayConnects +func (c *EC2) DescribeTransitGatewayConnectsRequest(input *DescribeTransitGatewayConnectsInput) (req *request.Request, output *DescribeTransitGatewayConnectsOutput) { + op := &request.Operation{ + Name: opDescribeTransitGatewayConnects, + HTTPMethod: "POST", + HTTPPath: "/", + Paginator: &request.Paginator{ + InputTokens: []string{"NextToken"}, + OutputTokens: []string{"NextToken"}, + LimitToken: "MaxResults", + TruncationToken: "", + }, + } + + if input == nil { + input = &DescribeTransitGatewayConnectsInput{} + } + + output = &DescribeTransitGatewayConnectsOutput{} + req = c.newRequest(op, input, output) + return +} + +// DescribeTransitGatewayConnects API operation for Amazon Elastic Compute Cloud. +// +// Describes one or more Connect attachments. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Amazon Elastic Compute Cloud's +// API operation DescribeTransitGatewayConnects for usage and error information. +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DescribeTransitGatewayConnects +func (c *EC2) DescribeTransitGatewayConnects(input *DescribeTransitGatewayConnectsInput) (*DescribeTransitGatewayConnectsOutput, error) { + req, out := c.DescribeTransitGatewayConnectsRequest(input) + return out, req.Send() +} + +// DescribeTransitGatewayConnectsWithContext is the same as DescribeTransitGatewayConnects with the addition of +// the ability to pass a context and additional request options. +// +// See DescribeTransitGatewayConnects for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) DescribeTransitGatewayConnectsWithContext(ctx aws.Context, input *DescribeTransitGatewayConnectsInput, opts ...request.Option) (*DescribeTransitGatewayConnectsOutput, error) { + req, out := c.DescribeTransitGatewayConnectsRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +// DescribeTransitGatewayConnectsPages iterates over the pages of a DescribeTransitGatewayConnects operation, +// calling the "fn" function with the response data for each page. To stop +// iterating, return false from the fn function. +// +// See DescribeTransitGatewayConnects method for more information on how to use this operation. +// +// Note: This operation can generate multiple requests to a service. +// +// // Example iterating over at most 3 pages of a DescribeTransitGatewayConnects operation. +// pageNum := 0 +// err := client.DescribeTransitGatewayConnectsPages(params, +// func(page *ec2.DescribeTransitGatewayConnectsOutput, lastPage bool) bool { +// pageNum++ +// fmt.Println(page) +// return pageNum <= 3 +// }) +// +func (c *EC2) DescribeTransitGatewayConnectsPages(input *DescribeTransitGatewayConnectsInput, fn func(*DescribeTransitGatewayConnectsOutput, bool) bool) error { + return c.DescribeTransitGatewayConnectsPagesWithContext(aws.BackgroundContext(), input, fn) +} + +// DescribeTransitGatewayConnectsPagesWithContext same as DescribeTransitGatewayConnectsPages except +// it takes a Context and allows setting request options on the pages. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) DescribeTransitGatewayConnectsPagesWithContext(ctx aws.Context, input *DescribeTransitGatewayConnectsInput, fn func(*DescribeTransitGatewayConnectsOutput, bool) bool, opts ...request.Option) error { + p := request.Pagination{ + NewRequest: func() (*request.Request, error) { + var inCpy *DescribeTransitGatewayConnectsInput + if input != nil { + tmp := *input + inCpy = &tmp + } + req, _ := c.DescribeTransitGatewayConnectsRequest(inCpy) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return req, nil + }, + } + + for p.Next() { + if !fn(p.Page().(*DescribeTransitGatewayConnectsOutput), !p.HasNextPage()) { + break + } + } + + return p.Err() +} + const opDescribeTransitGatewayMulticastDomains = "DescribeTransitGatewayMulticastDomains" // DescribeTransitGatewayMulticastDomainsRequest generates a "aws/request.Request" representing the @@ -24099,7 +25452,7 @@ func (c *EC2) DescribeVolumeAttributeRequest(input *DescribeVolumeAttributeInput // Describes the specified attribute of the specified volume. You can specify // only one attribute at a time. // -// For more information about EBS volumes, see Amazon EBS Volumes (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumes.html) +// For more information about EBS volumes, see Amazon EBS volumes (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumes.html) // in the Amazon Elastic Compute Cloud User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -24195,19 +25548,19 @@ func (c *EC2) DescribeVolumeStatusRequest(input *DescribeVolumeStatusInput) (req // Status: Reflects the current status of the volume. The possible values are // ok, impaired , warning, or insufficient-data. If all checks pass, the overall // status of the volume is ok. If the check fails, the overall status is impaired. -// If the status is insufficient-data, then the checks may still be taking place -// on your volume at the time. We recommend that you retry the request. For -// more information about volume status, see Monitoring the status of your volumes -// (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitoring-volume-status.html) +// If the status is insufficient-data, then the checks might still be taking +// place on your volume at the time. We recommend that you retry the request. +// For more information about volume status, see Monitoring the status of your +// volumes (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitoring-volume-status.html) // in the Amazon Elastic Compute Cloud User Guide. // -// Events: Reflect the cause of a volume status and may require you to take +// Events: Reflect the cause of a volume status and might require you to take // action. For example, if your volume returns an impaired status, then the // volume event might be potential-data-inconsistency. This means that your // volume has been affected by an issue with the underlying host, has all I/O -// operations disabled, and may have inconsistent data. +// operations disabled, and might have inconsistent data. // -// Actions: Reflect the actions you may have to take in response to an event. +// Actions: Reflect the actions you might have to take in response to an event. // For example, if the status of the volume is impaired and the volume event // shows potential-data-inconsistency, then the action shows enable-volume-io. // This means that you may want to enable the I/O operations for the volume @@ -24356,7 +25709,7 @@ func (c *EC2) DescribeVolumesRequest(input *DescribeVolumesInput) (req *request. // with a NextToken value that can be passed to a subsequent DescribeVolumes // request to retrieve the remaining results. // -// For more information about EBS volumes, see Amazon EBS Volumes (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumes.html) +// For more information about EBS volumes, see Amazon EBS volumes (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumes.html) // in the Amazon Elastic Compute Cloud User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -25446,12 +26799,12 @@ func (c *EC2) DescribeVpcEndpointServicesRequest(input *DescribeVpcEndpointServi // // Describes available services to which you can create a VPC endpoint. // -// When the service provider and the consumer have different accounts multiple +// When the service provider and the consumer have different accounts in multiple // Availability Zones, and the consumer views the VPC endpoint service information, // the response only includes the common Availability Zones. For example, when // the service provider account uses us-east-1a and us-east-1c and the consumer -// uses us-east-1a and us-east-1a and us-east-1b, the response includes the -// VPC endpoint services in the common Availability Zone, us-east-1a. +// uses us-east-1a and us-east-1b, the response includes the VPC endpoint services +// in the common Availability Zone, us-east-1a. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -26480,7 +27833,7 @@ func (c *EC2) DisableEbsEncryptionByDefaultRequest(input *DisableEbsEncryptionBy // Disabling encryption by default does not change the encryption status of // your existing volumes. // -// For more information, see Amazon EBS Encryption (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html) +// For more information, see Amazon EBS encryption (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html) // in the Amazon Elastic Compute Cloud User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -27647,7 +29000,7 @@ func (c *EC2) EnableEbsEncryptionByDefaultRequest(input *EnableEbsEncryptionByDe // // After you enable encryption by default, the EBS volumes that you create are // are always encrypted, either using the default CMK or the CMK that you specified -// when you created each volume. For more information, see Amazon EBS Encryption +// when you created each volume. For more information, see Amazon EBS encryption // (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html) // in the Amazon Elastic Compute Cloud User Guide. // @@ -28891,8 +30244,8 @@ func (c *EC2) GetConsoleOutputRequest(input *GetConsoleOutputInput) (req *reques // during the instance lifecycle. This option is supported on instance types // that use the Nitro hypervisor. // -// For more information, see Instance Console Output (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-console.html#instance-console-console-output) -// in the Amazon Elastic Compute Cloud User Guide. +// For more information, see Instance console output (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-console.html#instance-console-console-output) +// in the Amazon EC2 User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -29046,7 +30399,7 @@ func (c *EC2) GetDefaultCreditSpecificationRequest(input *GetDefaultCreditSpecif // instance family. // // For more information, see Burstable performance instances (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances.html) -// in the Amazon Elastic Compute Cloud User Guide. +// in the Amazon EC2 User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -29124,7 +30477,7 @@ func (c *EC2) GetEbsDefaultKmsKeyIdRequest(input *GetEbsDefaultKmsKeyIdInput) (r // for your account in this Region. You can change the default CMK for encryption // by default using ModifyEbsDefaultKmsKeyId or ResetEbsDefaultKmsKeyId. // -// For more information, see Amazon EBS Encryption (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html) +// For more information, see Amazon EBS encryption (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html) // in the Amazon Elastic Compute Cloud User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -29202,7 +30555,7 @@ func (c *EC2) GetEbsEncryptionByDefaultRequest(input *GetEbsEncryptionByDefaultI // Describes whether EBS encryption by default is enabled for your account in // the current Region. // -// For more information, see Amazon EBS Encryption (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html) +// For more information, see Amazon EBS encryption (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html) // in the Amazon Elastic Compute Cloud User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -29840,7 +31193,7 @@ func (c *EC2) GetPasswordDataRequest(input *GetPasswordDataInput) (req *request. // scripts (Windows Server 2016 and later). This usually only happens the first // time an instance is launched. For more information, see EC2Config (https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/UsingConfig_WinAMI.html) // and EC2Launch (https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2launch.html) -// in the Amazon Elastic Compute Cloud User Guide. +// in the Amazon EC2 User Guide. // // For the EC2Config service, the password is not generated for rebundled AMIs // unless Ec2SetPassword is enabled before bundling. @@ -31091,6 +32444,81 @@ func (c *EC2) ImportVolumeWithContext(ctx aws.Context, input *ImportVolumeInput, return out, req.Send() } +const opModifyAddressAttribute = "ModifyAddressAttribute" + +// ModifyAddressAttributeRequest generates a "aws/request.Request" representing the +// client's request for the ModifyAddressAttribute operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See ModifyAddressAttribute for more information on using the ModifyAddressAttribute +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the ModifyAddressAttributeRequest method. +// req, resp := client.ModifyAddressAttributeRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/ModifyAddressAttribute +func (c *EC2) ModifyAddressAttributeRequest(input *ModifyAddressAttributeInput) (req *request.Request, output *ModifyAddressAttributeOutput) { + op := &request.Operation{ + Name: opModifyAddressAttribute, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &ModifyAddressAttributeInput{} + } + + output = &ModifyAddressAttributeOutput{} + req = c.newRequest(op, input, output) + return +} + +// ModifyAddressAttribute API operation for Amazon Elastic Compute Cloud. +// +// Modifies an attribute of the specified Elastic IP address. For requirements, +// see Using reverse DNS for email applications (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html#Using_Elastic_Addressing_Reverse_DNS). +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Amazon Elastic Compute Cloud's +// API operation ModifyAddressAttribute for usage and error information. +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/ModifyAddressAttribute +func (c *EC2) ModifyAddressAttribute(input *ModifyAddressAttributeInput) (*ModifyAddressAttributeOutput, error) { + req, out := c.ModifyAddressAttributeRequest(input) + return out, req.Send() +} + +// ModifyAddressAttributeWithContext is the same as ModifyAddressAttribute with the addition of +// the ability to pass a context and additional request options. +// +// See ModifyAddressAttribute for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) ModifyAddressAttributeWithContext(ctx aws.Context, input *ModifyAddressAttributeInput, opts ...request.Option) (*ModifyAddressAttributeOutput, error) { + req, out := c.ModifyAddressAttributeRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + const opModifyAvailabilityZoneGroup = "ModifyAvailabilityZoneGroup" // ModifyAvailabilityZoneGroupRequest generates a "aws/request.Request" representing the @@ -31381,7 +32809,7 @@ func (c *EC2) ModifyDefaultCreditSpecificationRequest(input *ModifyDefaultCredit // for updates. // // For more information, see Burstable performance instances (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances.html) -// in the Amazon Elastic Compute Cloud User Guide. +// in the Amazon EC2 User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -31467,7 +32895,7 @@ func (c *EC2) ModifyEbsDefaultKmsKeyIdRequest(input *ModifyEbsDefaultKmsKeyIdInp // If you delete or disable the customer managed CMK that you specified for // use with encryption by default, your instances will fail to launch. // -// For more information, see Amazon EBS Encryption (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html) +// For more information, see Amazon EBS encryption (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html) // in the Amazon Elastic Compute Cloud User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -32093,7 +33521,7 @@ func (c *EC2) ModifyInstanceAttributeRequest(input *ModifyInstanceAttributeInput // // To modify some attributes, the instance must be stopped. For more information, // see Modifying attributes of a stopped instance (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_ChangingAttributesWhileInstanceStopped.html) -// in the Amazon Elastic Compute Cloud User Guide. +// in the Amazon EC2 User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -32248,7 +33676,7 @@ func (c *EC2) ModifyInstanceCreditSpecificationRequest(input *ModifyInstanceCred // performance instance. The credit options are standard and unlimited. // // For more information, see Burstable performance instances (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances.html) -// in the Amazon Elastic Compute Cloud User Guide. +// in the Amazon EC2 User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -32402,7 +33830,8 @@ func (c *EC2) ModifyInstanceMetadataOptionsRequest(input *ModifyInstanceMetadata // the API responds with a state of “pending”. After the parameter modifications // are successfully applied to the instance, the state of the modifications // changes from “pending” to “applied” in subsequent describe-instances -// API calls. For more information, see Instance metadata and user data (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html). +// API calls. For more information, see Instance metadata and user data (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) +// in the Amazon EC2 User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -32810,7 +34239,7 @@ func (c *EC2) ModifyReservedInstancesRequest(input *ModifyReservedInstancesInput // network platform, and instance type. // // For more information, see Modifying Reserved Instances (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ri-modifying.html) -// in the Amazon Elastic Compute Cloud User Guide. +// in the Amazon EC2 User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -33611,7 +35040,7 @@ func (c *EC2) ModifyVolumeRequest(input *ModifyVolumeInput) (req *request.Reques // // You can modify several parameters of an existing EBS volume, including volume // size, volume type, and IOPS capacity. If your EBS volume is attached to a -// current-generation EC2 instance type, you may be able to apply these changes +// current-generation EC2 instance type, you might be able to apply these changes // without stopping the instance or detaching the volume from it. For more information // about modifying an EBS volume running Linux, see Modifying the size, IOPS, // or type of an EBS volume on Linux (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-expand-volume.html). @@ -33632,11 +35061,11 @@ func (c *EC2) ModifyVolumeRequest(input *ModifyVolumeInput) (req *request.Reques // For information about tracking status changes using either method, see Monitoring // volume modifications (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-expand-volume.html#monitoring_mods). // -// With previous-generation instance types, resizing an EBS volume may require +// With previous-generation instance types, resizing an EBS volume might require // detaching and reattaching the volume or stopping and restarting the instance. -// For more information, see Modifying the size, IOPS, or type of an EBS volume -// on Linux (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-expand-volume.html) -// and Modifying the size, IOPS, or type of an EBS volume on Windows (https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ebs-expand-volume.html). +// For more information, see Amazon EBS Elastic Volumes (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modify-volume.html) +// (Linux) or Amazon EBS Elastic Volumes (https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ebs-modify-volume.html) +// (Windows). // // If you reach the maximum volume modification rate per volume limit, you will // need to wait at least six hours before applying further modifications to @@ -33874,8 +35303,8 @@ func (c *EC2) ModifyVpcEndpointRequest(input *ModifyVpcEndpointInput) (req *requ // ModifyVpcEndpoint API operation for Amazon Elastic Compute Cloud. // // Modifies attributes of a specified VPC endpoint. The attributes that you -// can modify depend on the type of VPC endpoint (interface or gateway). For -// more information, see VPC Endpoints (https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints.html) +// can modify depend on the type of VPC endpoint (interface, gateway, or Gateway +// Load Balancer). For more information, see VPC Endpoints (https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints.html) // in the Amazon Virtual Private Cloud User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -34027,9 +35456,9 @@ func (c *EC2) ModifyVpcEndpointServiceConfigurationRequest(input *ModifyVpcEndpo // ModifyVpcEndpointServiceConfiguration API operation for Amazon Elastic Compute Cloud. // // Modifies the attributes of your VPC endpoint service configuration. You can -// change the Network Load Balancers for your service, and you can specify whether -// acceptance is required for requests to connect to your endpoint service through -// an interface VPC endpoint. +// change the Network Load Balancers or Gateway Load Balancers for your service, +// and you can specify whether acceptance is required for requests to connect +// to your endpoint service through an interface VPC endpoint. // // If you set or modify the private DNS name, you must prove that you own the // private DNS domain name. For more information, see VPC Endpoint Service Private @@ -34717,7 +36146,7 @@ func (c *EC2) MonitorInstancesRequest(input *MonitorInstancesInput) (req *reques // Enables detailed monitoring for a running instance. Otherwise, basic monitoring // is enabled. For more information, see Monitoring your instances and volumes // (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch.html) -// in the Amazon Elastic Compute Cloud User Guide. +// in the Amazon EC2 User Guide. // // To disable detailed monitoring, see . // @@ -35053,7 +36482,7 @@ func (c *EC2) PurchaseReservedInstancesOfferingRequest(input *PurchaseReservedIn // // For more information, see Reserved Instances (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts-on-demand-reserved-instances.html) // and Reserved Instance Marketplace (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ri-market-general.html) -// in the Amazon Elastic Compute Cloud User Guide. +// in the Amazon EC2 User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -35221,7 +36650,7 @@ func (c *EC2) RebootInstancesRequest(input *RebootInstancesInput) (req *request. // // For more information about troubleshooting, see Getting console output and // rebooting instances (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-console.html) -// in the Amazon Elastic Compute Cloud User Guide. +// in the Amazon EC2 User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -35303,12 +36732,25 @@ func (c *EC2) RegisterImageRequest(input *RegisterImageInput) (req *request.Requ // For Amazon EBS-backed instances, CreateImage creates and registers the AMI // in a single request, so you don't have to register the AMI yourself. // -// You can also use RegisterImage to create an Amazon EBS-backed Linux AMI from -// a snapshot of a root device volume. You specify the snapshot using the block -// device mapping. For more information, see Launching a Linux instance from -// a backup (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-launch-snapshot.html) +// If needed, you can deregister an AMI at any time. Any modifications you make +// to an AMI backed by an instance store volume invalidates its registration. +// If you make changes to an image, deregister the previous image and register +// the new image. +// +// Register a snapshot of a root device volume +// +// You can use RegisterImage to create an Amazon EBS-backed Linux AMI from a +// snapshot of a root device volume. You specify the snapshot using a block +// device mapping. You can't set the encryption state of the volume using the +// block device mapping. If the snapshot is encrypted, or encryption by default +// is enabled, the root volume of an instance launched from the AMI is encrypted. +// +// For more information, see Create a Linux AMI from a snapshot (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami-ebs.html#creating-launching-ami-from-snapshot) +// and Use encryption with EBS-backed AMIs (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIEncryption.html) // in the Amazon Elastic Compute Cloud User Guide. // +// AWS Marketplace product codes +// // If any snapshots have AWS Marketplace product codes, they are copied to the // new AMI. // @@ -35334,11 +36776,6 @@ func (c *EC2) RegisterImageRequest(input *RegisterImageInput) (req *request.Requ // Obtaining billing information (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-billing-info.html) // in the Amazon Elastic Compute Cloud User Guide. // -// If needed, you can deregister an AMI at any time. Any modifications you make -// to an AMI backed by an instance store volume invalidates its registration. -// If you make changes to an image, deregister the previous image and register -// the new image. -// // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about // the error. @@ -35608,6 +37045,81 @@ func (c *EC2) RegisterTransitGatewayMulticastGroupSourcesWithContext(ctx aws.Con return out, req.Send() } +const opRejectTransitGatewayMulticastDomainAssociations = "RejectTransitGatewayMulticastDomainAssociations" + +// RejectTransitGatewayMulticastDomainAssociationsRequest generates a "aws/request.Request" representing the +// client's request for the RejectTransitGatewayMulticastDomainAssociations operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See RejectTransitGatewayMulticastDomainAssociations for more information on using the RejectTransitGatewayMulticastDomainAssociations +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the RejectTransitGatewayMulticastDomainAssociationsRequest method. +// req, resp := client.RejectTransitGatewayMulticastDomainAssociationsRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/RejectTransitGatewayMulticastDomainAssociations +func (c *EC2) RejectTransitGatewayMulticastDomainAssociationsRequest(input *RejectTransitGatewayMulticastDomainAssociationsInput) (req *request.Request, output *RejectTransitGatewayMulticastDomainAssociationsOutput) { + op := &request.Operation{ + Name: opRejectTransitGatewayMulticastDomainAssociations, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &RejectTransitGatewayMulticastDomainAssociationsInput{} + } + + output = &RejectTransitGatewayMulticastDomainAssociationsOutput{} + req = c.newRequest(op, input, output) + return +} + +// RejectTransitGatewayMulticastDomainAssociations API operation for Amazon Elastic Compute Cloud. +// +// Rejects a request to associate cross-account subnets with a transit gateway +// multicast domain. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Amazon Elastic Compute Cloud's +// API operation RejectTransitGatewayMulticastDomainAssociations for usage and error information. +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/RejectTransitGatewayMulticastDomainAssociations +func (c *EC2) RejectTransitGatewayMulticastDomainAssociations(input *RejectTransitGatewayMulticastDomainAssociationsInput) (*RejectTransitGatewayMulticastDomainAssociationsOutput, error) { + req, out := c.RejectTransitGatewayMulticastDomainAssociationsRequest(input) + return out, req.Send() +} + +// RejectTransitGatewayMulticastDomainAssociationsWithContext is the same as RejectTransitGatewayMulticastDomainAssociations with the addition of +// the ability to pass a context and additional request options. +// +// See RejectTransitGatewayMulticastDomainAssociations for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) RejectTransitGatewayMulticastDomainAssociationsWithContext(ctx aws.Context, input *RejectTransitGatewayMulticastDomainAssociationsInput, opts ...request.Option) (*RejectTransitGatewayMulticastDomainAssociationsOutput, error) { + req, out := c.RejectTransitGatewayMulticastDomainAssociationsRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + const opRejectTransitGatewayPeeringAttachment = "RejectTransitGatewayPeeringAttachment" // RejectTransitGatewayPeeringAttachmentRequest generates a "aws/request.Request" representing the @@ -36817,6 +38329,81 @@ func (c *EC2) RequestSpotInstancesWithContext(ctx aws.Context, input *RequestSpo return out, req.Send() } +const opResetAddressAttribute = "ResetAddressAttribute" + +// ResetAddressAttributeRequest generates a "aws/request.Request" representing the +// client's request for the ResetAddressAttribute operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See ResetAddressAttribute for more information on using the ResetAddressAttribute +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the ResetAddressAttributeRequest method. +// req, resp := client.ResetAddressAttributeRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/ResetAddressAttribute +func (c *EC2) ResetAddressAttributeRequest(input *ResetAddressAttributeInput) (req *request.Request, output *ResetAddressAttributeOutput) { + op := &request.Operation{ + Name: opResetAddressAttribute, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &ResetAddressAttributeInput{} + } + + output = &ResetAddressAttributeOutput{} + req = c.newRequest(op, input, output) + return +} + +// ResetAddressAttribute API operation for Amazon Elastic Compute Cloud. +// +// Resets the attribute of the specified IP address. For requirements, see Using +// reverse DNS for email applications (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html#Using_Elastic_Addressing_Reverse_DNS). +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Amazon Elastic Compute Cloud's +// API operation ResetAddressAttribute for usage and error information. +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/ResetAddressAttribute +func (c *EC2) ResetAddressAttribute(input *ResetAddressAttributeInput) (*ResetAddressAttributeOutput, error) { + req, out := c.ResetAddressAttributeRequest(input) + return out, req.Send() +} + +// ResetAddressAttributeWithContext is the same as ResetAddressAttribute with the addition of +// the ability to pass a context and additional request options. +// +// See ResetAddressAttribute for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) ResetAddressAttributeWithContext(ctx aws.Context, input *ResetAddressAttributeInput, opts ...request.Option) (*ResetAddressAttributeOutput, error) { + req, out := c.ResetAddressAttributeRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + const opResetEbsDefaultKmsKeyId = "ResetEbsDefaultKmsKeyId" // ResetEbsDefaultKmsKeyIdRequest generates a "aws/request.Request" representing the @@ -36866,7 +38453,7 @@ func (c *EC2) ResetEbsDefaultKmsKeyIdRequest(input *ResetEbsDefaultKmsKeyIdInput // // After resetting the default CMK to the AWS managed CMK, you can continue // to encrypt by a customer managed CMK by specifying it when you create the -// volume. For more information, see Amazon EBS Encryption (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html) +// volume. For more information, see Amazon EBS encryption (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html) // in the Amazon Elastic Compute Cloud User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -37102,7 +38689,7 @@ func (c *EC2) ResetInstanceAttributeRequest(input *ResetInstanceAttributeInput) // is enabled. The default value is true, which means checking is enabled. This // value must be false for a NAT instance to perform NAT. For more information, // see NAT Instances (https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html) -// in the Amazon Virtual Private Cloud User Guide. +// in the Amazon VPC User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -37789,13 +39376,11 @@ func (c *EC2) RunInstancesRequest(input *RunInstancesInput) (req *request.Reques // Linux instances have access to the public key of the key pair at boot. You // can use this key to provide secure access to the instance. Amazon EC2 public // images use this feature to provide secure access without passwords. For more -// information, see Key pairs (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html) -// in the Amazon Elastic Compute Cloud User Guide. +// information, see Key pairs (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html). // // For troubleshooting, see What to do if an instance immediately terminates // (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_InstanceStraightToTerminated.html), -// and Troubleshooting connecting to your instance (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstancesConnecting.html) -// in the Amazon Elastic Compute Cloud User Guide. +// and Troubleshooting connecting to your instance (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstancesConnecting.html). // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -37879,7 +39464,7 @@ func (c *EC2) RunScheduledInstancesRequest(input *RunScheduledInstancesInput) (r // If you terminate a Scheduled Instance before the current scheduled time period // ends, you can launch it again after a few minutes. For more information, // see Scheduled Instances (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-scheduled-instances.html) -// in the Amazon Elastic Compute Cloud User Guide. +// in the Amazon EC2 User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -38406,7 +39991,7 @@ func (c *EC2) StartInstancesRequest(input *StartInstancesInput) (req *request.Re // root device returns an error. // // For more information, see Stopping instances (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Stop_Start.html) -// in the Amazon Elastic Compute Cloud User Guide. +// in the Amazon EC2 User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -38436,6 +40021,81 @@ func (c *EC2) StartInstancesWithContext(ctx aws.Context, input *StartInstancesIn return out, req.Send() } +const opStartNetworkInsightsAnalysis = "StartNetworkInsightsAnalysis" + +// StartNetworkInsightsAnalysisRequest generates a "aws/request.Request" representing the +// client's request for the StartNetworkInsightsAnalysis operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See StartNetworkInsightsAnalysis for more information on using the StartNetworkInsightsAnalysis +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the StartNetworkInsightsAnalysisRequest method. +// req, resp := client.StartNetworkInsightsAnalysisRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/StartNetworkInsightsAnalysis +func (c *EC2) StartNetworkInsightsAnalysisRequest(input *StartNetworkInsightsAnalysisInput) (req *request.Request, output *StartNetworkInsightsAnalysisOutput) { + op := &request.Operation{ + Name: opStartNetworkInsightsAnalysis, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &StartNetworkInsightsAnalysisInput{} + } + + output = &StartNetworkInsightsAnalysisOutput{} + req = c.newRequest(op, input, output) + return +} + +// StartNetworkInsightsAnalysis API operation for Amazon Elastic Compute Cloud. +// +// Starts analyzing the specified path. If the path is reachable, the operation +// returns the shortest feasible path. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Amazon Elastic Compute Cloud's +// API operation StartNetworkInsightsAnalysis for usage and error information. +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/StartNetworkInsightsAnalysis +func (c *EC2) StartNetworkInsightsAnalysis(input *StartNetworkInsightsAnalysisInput) (*StartNetworkInsightsAnalysisOutput, error) { + req, out := c.StartNetworkInsightsAnalysisRequest(input) + return out, req.Send() +} + +// StartNetworkInsightsAnalysisWithContext is the same as StartNetworkInsightsAnalysis with the addition of +// the ability to pass a context and additional request options. +// +// See StartNetworkInsightsAnalysis for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) StartNetworkInsightsAnalysisWithContext(ctx aws.Context, input *StartNetworkInsightsAnalysisInput, opts ...request.Option) (*StartNetworkInsightsAnalysisOutput, error) { + req, out := c.StartNetworkInsightsAnalysisRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + const opStartVpcEndpointServicePrivateDnsVerification = "StartVpcEndpointServicePrivateDnsVerification" // StartVpcEndpointServicePrivateDnsVerificationRequest generates a "aws/request.Request" representing the @@ -38569,7 +40229,7 @@ func (c *EC2) StopInstancesRequest(input *StopInstancesInput) (req *request.Requ // for hibernation (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Hibernate.html#enabling-hibernation) // and it meets the hibernation prerequisites (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Hibernate.html#hibernating-prerequisites). // For more information, see Hibernate your instance (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Hibernate.html) -// in the Amazon Elastic Compute Cloud User Guide. +// in the Amazon EC2 User Guide. // // We don't charge usage for a stopped instance, or data transfer fees; however, // your root partition Amazon EBS volume remains and continues to persist your @@ -38585,7 +40245,7 @@ func (c *EC2) StopInstancesRequest(input *StopInstancesInput) (req *request.Requ // the Stop action to hibernate Spot Instances, but you can specify that Amazon // EC2 should hibernate Spot Instances when they are interrupted. For more information, // see Hibernating interrupted Spot Instances (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-interruptions.html#hibernate-spot-instances) -// in the Amazon Elastic Compute Cloud User Guide. +// in the Amazon EC2 User Guide. // // When you stop or hibernate an instance, we shut it down. You can restart // your instance at any time. Before stopping or hibernating an instance, make @@ -38601,13 +40261,13 @@ func (c *EC2) StopInstancesRequest(input *StopInstancesInput) (req *request.Requ // launch are automatically deleted. For more information about the differences // between rebooting, stopping, hibernating, and terminating instances, see // Instance lifecycle (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-lifecycle.html) -// in the Amazon Elastic Compute Cloud User Guide. +// in the Amazon EC2 User Guide. // // When you stop an instance, we attempt to shut it down forcibly after a short // while. If your instance appears stuck in the stopping state after a period // of time, there may be an issue with the underlying host computer. For more // information, see Troubleshooting stopping your instance (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstancesStopping.html) -// in the Amazon Elastic Compute Cloud User Guide. +// in the Amazon EC2 User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -38777,11 +40437,11 @@ func (c *EC2) TerminateInstancesRequest(input *TerminateInstancesInput) (req *re // device mapping parameter set to true are automatically deleted. For more // information about the differences between stopping and terminating instances, // see Instance lifecycle (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-lifecycle.html) -// in the Amazon Elastic Compute Cloud User Guide. +// in the Amazon EC2 User Guide. // // For more information about troubleshooting, see Troubleshooting terminating // your instance (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstancesShuttingDown.html) -// in the Amazon Elastic Compute Cloud User Guide. +// in the Amazon EC2 User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -39006,7 +40666,7 @@ func (c *EC2) UnmonitorInstancesRequest(input *UnmonitorInstancesInput) (req *re // // Disables detailed monitoring for a running instance. For more information, // see Monitoring your instances and volumes (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch.html) -// in the Amazon Elastic Compute Cloud User Guide. +// in the Amazon EC2 User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -39372,6 +41032,82 @@ func (s *AcceptReservedInstancesExchangeQuoteOutput) SetExchangeId(v string) *Ac return s } +type AcceptTransitGatewayMulticastDomainAssociationsInput struct { + _ struct{} `type:"structure"` + + // Checks whether you have the required permissions for the action, without + // actually making the request, and provides an error response. If you have + // the required permissions, the error response is DryRunOperation. Otherwise, + // it is UnauthorizedOperation. + DryRun *bool `type:"boolean"` + + // The IDs of the subnets to associate with the transit gateway multicast domain. + SubnetIds []*string `locationNameList:"item" type:"list"` + + // The ID of the transit gateway attachment. + TransitGatewayAttachmentId *string `type:"string"` + + // The ID of the transit gateway multicast domain. + TransitGatewayMulticastDomainId *string `type:"string"` +} + +// String returns the string representation +func (s AcceptTransitGatewayMulticastDomainAssociationsInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s AcceptTransitGatewayMulticastDomainAssociationsInput) GoString() string { + return s.String() +} + +// SetDryRun sets the DryRun field's value. +func (s *AcceptTransitGatewayMulticastDomainAssociationsInput) SetDryRun(v bool) *AcceptTransitGatewayMulticastDomainAssociationsInput { + s.DryRun = &v + return s +} + +// SetSubnetIds sets the SubnetIds field's value. +func (s *AcceptTransitGatewayMulticastDomainAssociationsInput) SetSubnetIds(v []*string) *AcceptTransitGatewayMulticastDomainAssociationsInput { + s.SubnetIds = v + return s +} + +// SetTransitGatewayAttachmentId sets the TransitGatewayAttachmentId field's value. +func (s *AcceptTransitGatewayMulticastDomainAssociationsInput) SetTransitGatewayAttachmentId(v string) *AcceptTransitGatewayMulticastDomainAssociationsInput { + s.TransitGatewayAttachmentId = &v + return s +} + +// SetTransitGatewayMulticastDomainId sets the TransitGatewayMulticastDomainId field's value. +func (s *AcceptTransitGatewayMulticastDomainAssociationsInput) SetTransitGatewayMulticastDomainId(v string) *AcceptTransitGatewayMulticastDomainAssociationsInput { + s.TransitGatewayMulticastDomainId = &v + return s +} + +type AcceptTransitGatewayMulticastDomainAssociationsOutput struct { + _ struct{} `type:"structure"` + + // Describes the multicast domain associations. + Associations *TransitGatewayMulticastDomainAssociations `locationName:"associations" type:"structure"` +} + +// String returns the string representation +func (s AcceptTransitGatewayMulticastDomainAssociationsOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s AcceptTransitGatewayMulticastDomainAssociationsOutput) GoString() string { + return s.String() +} + +// SetAssociations sets the Associations field's value. +func (s *AcceptTransitGatewayMulticastDomainAssociationsOutput) SetAssociations(v *TransitGatewayMulticastDomainAssociations) *AcceptTransitGatewayMulticastDomainAssociationsOutput { + s.Associations = v + return s +} + type AcceptTransitGatewayPeeringAttachmentInput struct { _ struct{} `type:"structure"` @@ -39970,6 +41706,57 @@ func (s *Address) SetTags(v []*Tag) *Address { return s } +// The attributes associated with an Elastic IP address. +type AddressAttribute struct { + _ struct{} `type:"structure"` + + // [EC2-VPC] The allocation ID. + AllocationId *string `locationName:"allocationId" type:"string"` + + // The pointer (PTR) record for the IP address. + PtrRecord *string `locationName:"ptrRecord" type:"string"` + + // The updated PTR record for the IP address. + PtrRecordUpdate *PtrUpdateStatus `locationName:"ptrRecordUpdate" type:"structure"` + + // The public IP address. + PublicIp *string `locationName:"publicIp" type:"string"` +} + +// String returns the string representation +func (s AddressAttribute) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s AddressAttribute) GoString() string { + return s.String() +} + +// SetAllocationId sets the AllocationId field's value. +func (s *AddressAttribute) SetAllocationId(v string) *AddressAttribute { + s.AllocationId = &v + return s +} + +// SetPtrRecord sets the PtrRecord field's value. +func (s *AddressAttribute) SetPtrRecord(v string) *AddressAttribute { + s.PtrRecord = &v + return s +} + +// SetPtrRecordUpdate sets the PtrRecordUpdate field's value. +func (s *AddressAttribute) SetPtrRecordUpdate(v *PtrUpdateStatus) *AddressAttribute { + s.PtrRecordUpdate = v + return s +} + +// SetPublicIp sets the PublicIp field's value. +func (s *AddressAttribute) SetPublicIp(v string) *AddressAttribute { + s.PublicIp = &v + return s +} + type AdvertiseByoipCidrInput struct { _ struct{} `type:"structure"` @@ -40085,6 +41872,9 @@ type AllocateAddressInput struct { // EC2 select an address from the address pool. To specify a specific address // from the address pool, use the Address parameter instead. PublicIpv4Pool *string `type:"string"` + + // The tags to assign to the Elastic IP address. + TagSpecifications []*TagSpecification `locationName:"TagSpecification" locationNameList:"item" type:"list"` } // String returns the string representation @@ -40133,6 +41923,12 @@ func (s *AllocateAddressInput) SetPublicIpv4Pool(v string) *AllocateAddressInput return s } +// SetTagSpecifications sets the TagSpecifications field's value. +func (s *AllocateAddressInput) SetTagSpecifications(v []*TagSpecification) *AllocateAddressInput { + s.TagSpecifications = v + return s +} + type AllocateAddressOutput struct { _ struct{} `type:"structure"` @@ -40229,8 +42025,8 @@ type AllocateHostsInput struct { // Indicates whether the host accepts any untargeted instance launches that // match its instance type configuration, or if it only accepts Host tenancy // instance launches that specify its unique host ID. For more information, - // see Understanding Instance Placement and Host Affinity (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/how-dedicated-hosts-work.html#dedicated-hosts-understanding) - // in the Amazon EC2 User Guide for Linux Instances. + // see Understanding auto-placement and affinity (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/how-dedicated-hosts-work.html#dedicated-hosts-understanding) + // in the Amazon EC2 User Guide. // // Default: on AutoPlacement *string `locationName:"autoPlacement" type:"string" enum:"AutoPlacement"` @@ -40241,13 +42037,13 @@ type AllocateHostsInput struct { AvailabilityZone *string `locationName:"availabilityZone" type:"string" required:"true"` // Unique, case-sensitive identifier that you provide to ensure the idempotency - // of the request. For more information, see How to Ensure Idempotency (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html). + // of the request. For more information, see Ensuring Idempotency (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html). ClientToken *string `locationName:"clientToken" type:"string"` // Indicates whether to enable or disable host recovery for the Dedicated Host. - // Host recovery is disabled by default. For more information, see Host Recovery + // Host recovery is disabled by default. For more information, see Host recovery // (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/dedicated-hosts-recovery.html) - // in the Amazon Elastic Compute Cloud User Guide. + // in the Amazon EC2 User Guide. // // Default: off HostRecovery *string `type:"string" enum:"HostRecovery"` @@ -40411,6 +42207,472 @@ func (s *AllowedPrincipal) SetPrincipalType(v string) *AllowedPrincipal { return s } +// Describes an potential intermediate component of a feasible path. +type AlternatePathHint struct { + _ struct{} `type:"structure"` + + // The Amazon Resource Name (ARN) of the component. + ComponentArn *string `locationName:"componentArn" type:"string"` + + // The ID of the component. + ComponentId *string `locationName:"componentId" type:"string"` +} + +// String returns the string representation +func (s AlternatePathHint) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s AlternatePathHint) GoString() string { + return s.String() +} + +// SetComponentArn sets the ComponentArn field's value. +func (s *AlternatePathHint) SetComponentArn(v string) *AlternatePathHint { + s.ComponentArn = &v + return s +} + +// SetComponentId sets the ComponentId field's value. +func (s *AlternatePathHint) SetComponentId(v string) *AlternatePathHint { + s.ComponentId = &v + return s +} + +// Describes a network access control (ACL) rule. +type AnalysisAclRule struct { + _ struct{} `type:"structure"` + + // The IPv4 address range, in CIDR notation. + Cidr *string `locationName:"cidr" type:"string"` + + // Indicates whether the rule is an outbound rule. + Egress *bool `locationName:"egress" type:"boolean"` + + // The range of ports. + PortRange *PortRange `locationName:"portRange" type:"structure"` + + // The protocol. + Protocol *string `locationName:"protocol" type:"string"` + + // Indicates whether to allow or deny traffic that matches the rule. + RuleAction *string `locationName:"ruleAction" type:"string"` + + // The rule number. + RuleNumber *int64 `locationName:"ruleNumber" type:"integer"` +} + +// String returns the string representation +func (s AnalysisAclRule) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s AnalysisAclRule) GoString() string { + return s.String() +} + +// SetCidr sets the Cidr field's value. +func (s *AnalysisAclRule) SetCidr(v string) *AnalysisAclRule { + s.Cidr = &v + return s +} + +// SetEgress sets the Egress field's value. +func (s *AnalysisAclRule) SetEgress(v bool) *AnalysisAclRule { + s.Egress = &v + return s +} + +// SetPortRange sets the PortRange field's value. +func (s *AnalysisAclRule) SetPortRange(v *PortRange) *AnalysisAclRule { + s.PortRange = v + return s +} + +// SetProtocol sets the Protocol field's value. +func (s *AnalysisAclRule) SetProtocol(v string) *AnalysisAclRule { + s.Protocol = &v + return s +} + +// SetRuleAction sets the RuleAction field's value. +func (s *AnalysisAclRule) SetRuleAction(v string) *AnalysisAclRule { + s.RuleAction = &v + return s +} + +// SetRuleNumber sets the RuleNumber field's value. +func (s *AnalysisAclRule) SetRuleNumber(v int64) *AnalysisAclRule { + s.RuleNumber = &v + return s +} + +// Describes a path component. +type AnalysisComponent struct { + _ struct{} `type:"structure"` + + // The Amazon Resource Name (ARN) of the component. + Arn *string `locationName:"arn" type:"string"` + + // The ID of the component. + Id *string `locationName:"id" type:"string"` +} + +// String returns the string representation +func (s AnalysisComponent) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s AnalysisComponent) GoString() string { + return s.String() +} + +// SetArn sets the Arn field's value. +func (s *AnalysisComponent) SetArn(v string) *AnalysisComponent { + s.Arn = &v + return s +} + +// SetId sets the Id field's value. +func (s *AnalysisComponent) SetId(v string) *AnalysisComponent { + s.Id = &v + return s +} + +// Describes a load balancer listener. +type AnalysisLoadBalancerListener struct { + _ struct{} `type:"structure"` + + // [Classic Load Balancers] The back-end port for the listener. + InstancePort *int64 `locationName:"instancePort" min:"1" type:"integer"` + + // The port on which the load balancer is listening. + LoadBalancerPort *int64 `locationName:"loadBalancerPort" min:"1" type:"integer"` +} + +// String returns the string representation +func (s AnalysisLoadBalancerListener) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s AnalysisLoadBalancerListener) GoString() string { + return s.String() +} + +// SetInstancePort sets the InstancePort field's value. +func (s *AnalysisLoadBalancerListener) SetInstancePort(v int64) *AnalysisLoadBalancerListener { + s.InstancePort = &v + return s +} + +// SetLoadBalancerPort sets the LoadBalancerPort field's value. +func (s *AnalysisLoadBalancerListener) SetLoadBalancerPort(v int64) *AnalysisLoadBalancerListener { + s.LoadBalancerPort = &v + return s +} + +// Describes a load balancer target. +type AnalysisLoadBalancerTarget struct { + _ struct{} `type:"structure"` + + // The IP address. + Address *string `locationName:"address" type:"string"` + + // The Availability Zone. + AvailabilityZone *string `locationName:"availabilityZone" type:"string"` + + // Information about the instance. + Instance *AnalysisComponent `locationName:"instance" type:"structure"` + + // The port on which the target is listening. + Port *int64 `locationName:"port" min:"1" type:"integer"` +} + +// String returns the string representation +func (s AnalysisLoadBalancerTarget) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s AnalysisLoadBalancerTarget) GoString() string { + return s.String() +} + +// SetAddress sets the Address field's value. +func (s *AnalysisLoadBalancerTarget) SetAddress(v string) *AnalysisLoadBalancerTarget { + s.Address = &v + return s +} + +// SetAvailabilityZone sets the AvailabilityZone field's value. +func (s *AnalysisLoadBalancerTarget) SetAvailabilityZone(v string) *AnalysisLoadBalancerTarget { + s.AvailabilityZone = &v + return s +} + +// SetInstance sets the Instance field's value. +func (s *AnalysisLoadBalancerTarget) SetInstance(v *AnalysisComponent) *AnalysisLoadBalancerTarget { + s.Instance = v + return s +} + +// SetPort sets the Port field's value. +func (s *AnalysisLoadBalancerTarget) SetPort(v int64) *AnalysisLoadBalancerTarget { + s.Port = &v + return s +} + +// Describes a header. Reflects any changes made by a component as traffic passes +// through. The fields of an inbound header are null except for the first component +// of a path. +type AnalysisPacketHeader struct { + _ struct{} `type:"structure"` + + // The destination addresses. + DestinationAddresses []*string `locationName:"destinationAddressSet" locationNameList:"item" type:"list"` + + // The destination port ranges. + DestinationPortRanges []*PortRange `locationName:"destinationPortRangeSet" locationNameList:"item" type:"list"` + + // The protocol. + Protocol *string `locationName:"protocol" type:"string"` + + // The source addresses. + SourceAddresses []*string `locationName:"sourceAddressSet" locationNameList:"item" type:"list"` + + // The source port ranges. + SourcePortRanges []*PortRange `locationName:"sourcePortRangeSet" locationNameList:"item" type:"list"` +} + +// String returns the string representation +func (s AnalysisPacketHeader) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s AnalysisPacketHeader) GoString() string { + return s.String() +} + +// SetDestinationAddresses sets the DestinationAddresses field's value. +func (s *AnalysisPacketHeader) SetDestinationAddresses(v []*string) *AnalysisPacketHeader { + s.DestinationAddresses = v + return s +} + +// SetDestinationPortRanges sets the DestinationPortRanges field's value. +func (s *AnalysisPacketHeader) SetDestinationPortRanges(v []*PortRange) *AnalysisPacketHeader { + s.DestinationPortRanges = v + return s +} + +// SetProtocol sets the Protocol field's value. +func (s *AnalysisPacketHeader) SetProtocol(v string) *AnalysisPacketHeader { + s.Protocol = &v + return s +} + +// SetSourceAddresses sets the SourceAddresses field's value. +func (s *AnalysisPacketHeader) SetSourceAddresses(v []*string) *AnalysisPacketHeader { + s.SourceAddresses = v + return s +} + +// SetSourcePortRanges sets the SourcePortRanges field's value. +func (s *AnalysisPacketHeader) SetSourcePortRanges(v []*PortRange) *AnalysisPacketHeader { + s.SourcePortRanges = v + return s +} + +// Describes a route table route. +type AnalysisRouteTableRoute struct { + _ struct{} `type:"structure"` + + // The destination IPv4 address, in CIDR notation. + DestinationCidr *string `locationName:"destinationCidr" type:"string"` + + // The prefix of the AWS service. + DestinationPrefixListId *string `locationName:"destinationPrefixListId" type:"string"` + + // The ID of an egress-only internet gateway. + EgressOnlyInternetGatewayId *string `locationName:"egressOnlyInternetGatewayId" type:"string"` + + // The ID of the gateway, such as an internet gateway or virtual private gateway. + GatewayId *string `locationName:"gatewayId" type:"string"` + + // The ID of the instance, such as a NAT instance. + InstanceId *string `locationName:"instanceId" type:"string"` + + // The ID of a NAT gateway. + NatGatewayId *string `locationName:"natGatewayId" type:"string"` + + // The ID of a network interface. + NetworkInterfaceId *string `locationName:"networkInterfaceId" type:"string"` + + // Describes how the route was created. The following are possible values: + // + // * CreateRouteTable - The route was automatically created when the route + // table was created. + // + // * CreateRoute - The route was manually added to the route table. + // + // * EnableVgwRoutePropagation - The route was propagated by route propagation. + Origin *string `locationName:"origin" type:"string"` + + // The ID of a transit gateway. + TransitGatewayId *string `locationName:"transitGatewayId" type:"string"` + + // The ID of a VPC peering connection. + VpcPeeringConnectionId *string `locationName:"vpcPeeringConnectionId" type:"string"` +} + +// String returns the string representation +func (s AnalysisRouteTableRoute) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s AnalysisRouteTableRoute) GoString() string { + return s.String() +} + +// SetDestinationCidr sets the DestinationCidr field's value. +func (s *AnalysisRouteTableRoute) SetDestinationCidr(v string) *AnalysisRouteTableRoute { + s.DestinationCidr = &v + return s +} + +// SetDestinationPrefixListId sets the DestinationPrefixListId field's value. +func (s *AnalysisRouteTableRoute) SetDestinationPrefixListId(v string) *AnalysisRouteTableRoute { + s.DestinationPrefixListId = &v + return s +} + +// SetEgressOnlyInternetGatewayId sets the EgressOnlyInternetGatewayId field's value. +func (s *AnalysisRouteTableRoute) SetEgressOnlyInternetGatewayId(v string) *AnalysisRouteTableRoute { + s.EgressOnlyInternetGatewayId = &v + return s +} + +// SetGatewayId sets the GatewayId field's value. +func (s *AnalysisRouteTableRoute) SetGatewayId(v string) *AnalysisRouteTableRoute { + s.GatewayId = &v + return s +} + +// SetInstanceId sets the InstanceId field's value. +func (s *AnalysisRouteTableRoute) SetInstanceId(v string) *AnalysisRouteTableRoute { + s.InstanceId = &v + return s +} + +// SetNatGatewayId sets the NatGatewayId field's value. +func (s *AnalysisRouteTableRoute) SetNatGatewayId(v string) *AnalysisRouteTableRoute { + s.NatGatewayId = &v + return s +} + +// SetNetworkInterfaceId sets the NetworkInterfaceId field's value. +func (s *AnalysisRouteTableRoute) SetNetworkInterfaceId(v string) *AnalysisRouteTableRoute { + s.NetworkInterfaceId = &v + return s +} + +// SetOrigin sets the Origin field's value. +func (s *AnalysisRouteTableRoute) SetOrigin(v string) *AnalysisRouteTableRoute { + s.Origin = &v + return s +} + +// SetTransitGatewayId sets the TransitGatewayId field's value. +func (s *AnalysisRouteTableRoute) SetTransitGatewayId(v string) *AnalysisRouteTableRoute { + s.TransitGatewayId = &v + return s +} + +// SetVpcPeeringConnectionId sets the VpcPeeringConnectionId field's value. +func (s *AnalysisRouteTableRoute) SetVpcPeeringConnectionId(v string) *AnalysisRouteTableRoute { + s.VpcPeeringConnectionId = &v + return s +} + +// Describes a security group rule. +type AnalysisSecurityGroupRule struct { + _ struct{} `type:"structure"` + + // The IPv4 address range, in CIDR notation. + Cidr *string `locationName:"cidr" type:"string"` + + // The direction. The following are possible values: + // + // * egress + // + // * ingress + Direction *string `locationName:"direction" type:"string"` + + // The port range. + PortRange *PortRange `locationName:"portRange" type:"structure"` + + // The prefix list ID. + PrefixListId *string `locationName:"prefixListId" type:"string"` + + // The protocol name. + Protocol *string `locationName:"protocol" type:"string"` + + // The security group ID. + SecurityGroupId *string `locationName:"securityGroupId" type:"string"` +} + +// String returns the string representation +func (s AnalysisSecurityGroupRule) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s AnalysisSecurityGroupRule) GoString() string { + return s.String() +} + +// SetCidr sets the Cidr field's value. +func (s *AnalysisSecurityGroupRule) SetCidr(v string) *AnalysisSecurityGroupRule { + s.Cidr = &v + return s +} + +// SetDirection sets the Direction field's value. +func (s *AnalysisSecurityGroupRule) SetDirection(v string) *AnalysisSecurityGroupRule { + s.Direction = &v + return s +} + +// SetPortRange sets the PortRange field's value. +func (s *AnalysisSecurityGroupRule) SetPortRange(v *PortRange) *AnalysisSecurityGroupRule { + s.PortRange = v + return s +} + +// SetPrefixListId sets the PrefixListId field's value. +func (s *AnalysisSecurityGroupRule) SetPrefixListId(v string) *AnalysisSecurityGroupRule { + s.PrefixListId = &v + return s +} + +// SetProtocol sets the Protocol field's value. +func (s *AnalysisSecurityGroupRule) SetProtocol(v string) *AnalysisSecurityGroupRule { + s.Protocol = &v + return s +} + +// SetSecurityGroupId sets the SecurityGroupId field's value. +func (s *AnalysisSecurityGroupRule) SetSecurityGroupId(v string) *AnalysisSecurityGroupRule { + s.SecurityGroupId = &v + return s +} + type ApplySecurityGroupsToClientVpnTargetNetworkInput struct { _ struct{} `type:"structure"` @@ -40516,8 +42778,10 @@ func (s *ApplySecurityGroupsToClientVpnTargetNetworkOutput) SetSecurityGroupIds( type AssignIpv6AddressesInput struct { _ struct{} `type:"structure"` - // The number of IPv6 addresses to assign to the network interface. Amazon EC2 - // automatically selects the IPv6 addresses from the subnet range. You can't + // The number of additional IPv6 addresses to assign to the network interface. + // The specified number of IPv6 addresses are assigned in addition to the existing + // IPv6 addresses that are already assigned to the network interface. Amazon + // EC2 automatically selects the IPv6 addresses from the subnet range. You can't // use this option if specifying specific IPv6 addresses. Ipv6AddressCount *int64 `locationName:"ipv6AddressCount" type:"integer"` @@ -40575,7 +42839,8 @@ func (s *AssignIpv6AddressesInput) SetNetworkInterfaceId(v string) *AssignIpv6Ad type AssignIpv6AddressesOutput struct { _ struct{} `type:"structure"` - // The IPv6 addresses assigned to the network interface. + // The new IPv6 addresses assigned to the network interface. Existing IPv6 addresses + // that were assigned to the network interface before the request are not included. AssignedIpv6Addresses []*string `locationName:"assignedIpv6Addresses" locationNameList:"item" type:"list"` // The ID of the network interface. @@ -40753,10 +43018,10 @@ type AssociateAddressInput struct { // it is UnauthorizedOperation. DryRun *bool `locationName:"dryRun" type:"boolean"` - // The ID of the instance. This is required for EC2-Classic. For EC2-VPC, you - // can specify either the instance ID or the network interface ID, but not both. - // The operation fails if you specify an instance ID unless exactly one network - // interface is attached. + // The ID of the instance. The instance must have exactly one attached network + // interface. For EC2-VPC, you can specify either the instance ID or the network + // interface ID, but not both. For EC2-Classic, you must specify an instance + // ID and the instance must be in the running state. InstanceId *string `type:"string"` // [EC2-VPC] The ID of the network interface. If the instance has more than @@ -40771,8 +43036,8 @@ type AssociateAddressInput struct { // address is associated with the primary private IP address. PrivateIpAddress *string `locationName:"privateIpAddress" type:"string"` - // The Elastic IP address to associate with the instance. This is required for - // EC2-Classic. + // [EC2-Classic] The Elastic IP address to associate with the instance. This + // is required for EC2-Classic. PublicIp *string `type:"string"` } @@ -41105,7 +43370,7 @@ type AssociateEnclaveCertificateIamRoleOutput struct { CertificateS3BucketName *string `locationName:"certificateS3BucketName" type:"string"` // The Amazon S3 object key where the certificate, certificate chain, and encrypted - // private key bundle are stored. The object key is formatted as follows: certificate_arn/role_arn. + // private key bundle are stored. The object key is formatted as follows: role_arn/certificate_arn. CertificateS3ObjectKey *string `locationName:"certificateS3ObjectKey" type:"string"` // The ID of the AWS KMS CMK used to encrypt the private key of the certificate. @@ -41710,7 +43975,7 @@ type AssociatedRole struct { // The key of the Amazon S3 object ey where the certificate, certificate chain, // and encrypted private key bundle is stored. The object key is formated as - // follows: certificate_arn/role_arn. + // follows: role_arn/certificate_arn. CertificateS3ObjectKey *string `locationName:"certificateS3ObjectKey" type:"string"` // The ID of the KMS customer master key (CMK) used to encrypt the private key. @@ -43047,8 +45312,7 @@ type BlockDeviceMapping struct { // launched. Ebs *EbsBlockDevice `locationName:"ebs" type:"structure"` - // Suppresses the specified device included in the block device mapping of the - // AMI. + // To omit the device from the block device mapping, specify an empty string. NoDevice *string `locationName:"noDevice" type:"string"` // The virtual device name (ephemeralN). Instance store volumes are numbered @@ -44181,6 +46445,9 @@ type CapacityReservation struct { // The ID of the AWS account that owns the Capacity Reservation. OwnerId *string `locationName:"ownerId" type:"string"` + // The date and time at which the Capacity Reservation was started. + StartDate *time.Time `locationName:"startDate" type:"timestamp"` + // The current state of the Capacity Reservation. A Capacity Reservation can // be in one of the following states: // @@ -44191,8 +46458,8 @@ type CapacityReservation struct { // and time specified in your request. The reserved capacity is no longer // available for your use. // - // * cancelled - The Capacity Reservation was manually cancelled. The reserved - // capacity is no longer available for your use. + // * cancelled - The Capacity Reservation was cancelled. The reserved capacity + // is no longer available for your use. // // * pending - The Capacity Reservation request was successful but the capacity // provisioning is still pending. @@ -44314,6 +46581,12 @@ func (s *CapacityReservation) SetOwnerId(v string) *CapacityReservation { return s } +// SetStartDate sets the StartDate field's value. +func (s *CapacityReservation) SetStartDate(v time.Time) *CapacityReservation { + s.StartDate = &v + return s +} + // SetState sets the State field's value. func (s *CapacityReservation) SetState(v string) *CapacityReservation { s.State = &v @@ -44378,9 +46651,9 @@ func (s *CapacityReservationGroup) SetOwnerId(v string) *CapacityReservationGrou // // For more information about Capacity Reservations, see On-Demand Capacity // Reservations (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-capacity-reservations.html) -// in the Amazon Elastic Compute Cloud User Guide. For examples of using Capacity -// Reservations in an EC2 Fleet, see EC2 Fleet example configurations (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet-examples.html) -// in the Amazon Elastic Compute Cloud User Guide. +// in the Amazon EC2 User Guide. For examples of using Capacity Reservations +// in an EC2 Fleet, see EC2 Fleet example configurations (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet-examples.html) +// in the Amazon EC2 User Guide. type CapacityReservationOptions struct { _ struct{} `type:"structure"` @@ -44423,9 +46696,9 @@ func (s *CapacityReservationOptions) SetUsageStrategy(v string) *CapacityReserva // // For more information about Capacity Reservations, see On-Demand Capacity // Reservations (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-capacity-reservations.html) -// in the Amazon Elastic Compute Cloud User Guide. For examples of using Capacity -// Reservations in an EC2 Fleet, see EC2 Fleet example configurations (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet-examples.html) -// in the Amazon Elastic Compute Cloud User Guide. +// in the Amazon EC2 User Guide. For examples of using Capacity Reservations +// in an EC2 Fleet, see EC2 Fleet example configurations (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet-examples.html) +// in the Amazon EC2 User Guide. type CapacityReservationOptionsRequest struct { _ struct{} `type:"structure"` @@ -46426,13 +48699,23 @@ type CopyImageInput struct { _ struct{} `type:"structure"` // Unique, case-sensitive identifier you provide to ensure idempotency of the - // request. For more information, see How to Ensure Idempotency (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Run_Instance_Idempotency.html) - // in the Amazon Elastic Compute Cloud User Guide. + // request. For more information, see Ensuring idempotency (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html) + // in the Amazon EC2 API Reference. ClientToken *string `type:"string"` // A description for the new AMI in the destination Region. Description *string `type:"string"` + // The Amazon Resource Name (ARN) of the Outpost to which to copy the AMI. Only + // specify this parameter when copying an AMI from an AWS Region to an Outpost. + // The AMI must be in the Region of the destination Outpost. You cannot copy + // an AMI from an Outpost to a Region, from one Outpost to another, or within + // the same Outpost. + // + // For more information, see Copying AMIs from an AWS Region to an Outpost (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshots-outposts.html#copy-amis) + // in the Amazon Elastic Compute Cloud User Guide. + DestinationOutpostArn *string `type:"string"` + // Checks whether you have the required permissions for the action, without // actually making the request, and provides an error response. If you have // the required permissions, the error response is DryRunOperation. Otherwise, @@ -46528,6 +48811,12 @@ func (s *CopyImageInput) SetDescription(v string) *CopyImageInput { return s } +// SetDestinationOutpostArn sets the DestinationOutpostArn field's value. +func (s *CopyImageInput) SetDestinationOutpostArn(v string) *CopyImageInput { + s.DestinationOutpostArn = &v + return s +} + // SetDryRun sets the DryRun field's value. func (s *CopyImageInput) SetDryRun(v bool) *CopyImageInput { s.DryRun = &v @@ -46594,6 +48883,17 @@ type CopySnapshotInput struct { // A description for the EBS snapshot. Description *string `type:"string"` + // The Amazon Resource Name (ARN) of the Outpost to which to copy the snapshot. + // Only specify this parameter when copying a snapshot from an AWS Region to + // an Outpost. The snapshot must be in the Region for the destination Outpost. + // You cannot copy a snapshot from an Outpost to a Region, from one Outpost + // to another, or within the same Outpost. + // + // For more information, see Copying snapshots from an AWS Region to an Outpost + // (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshots-outposts.html#copy-snapshots) + // in the Amazon Elastic Compute Cloud User Guide. + DestinationOutpostArn *string `type:"string"` + // The destination Region to use in the PresignedUrl parameter of a snapshot // copy operation. This parameter is only valid for specifying the destination // Region in a PresignedUrl parameter, where it is required. @@ -46614,7 +48914,7 @@ type CopySnapshotInput struct { // not enabled, enable encryption using this parameter. Otherwise, omit this // parameter. Encrypted snapshots are encrypted, even if you omit this parameter // and encryption by default is not enabled. You cannot set this parameter to - // false. For more information, see Amazon EBS Encryption (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html) + // false. For more information, see Amazon EBS encryption (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html) // in the Amazon Elastic Compute Cloud User Guide. Encrypted *bool `locationName:"encrypted" type:"boolean"` @@ -46640,14 +48940,14 @@ type CopySnapshotInput struct { // When you copy an encrypted source snapshot using the Amazon EC2 Query API, // you must supply a pre-signed URL. This parameter is optional for unencrypted - // snapshots. For more information, see Query Requests (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Query-Requests.html). + // snapshots. For more information, see Query requests (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Query-Requests.html). // // The PresignedUrl should use the snapshot source endpoint, the CopySnapshot // action, and include the SourceRegion, SourceSnapshotId, and DestinationRegion // parameters. The PresignedUrl must be signed using AWS Signature Version 4. // Because EBS snapshots are stored in Amazon S3, the signing algorithm for - // this parameter uses the same logic that is described in Authenticating Requests - // by Using Query Parameters (AWS Signature Version 4) (https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html) + // this parameter uses the same logic that is described in Authenticating Requests: + // Using Query Parameters (AWS Signature Version 4) (https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html) // in the Amazon Simple Storage Service API Reference. An invalid or improperly // signed PresignedUrl will cause the copy operation to fail asynchronously, // and the snapshot will move to an error state. @@ -46699,6 +48999,12 @@ func (s *CopySnapshotInput) SetDescription(v string) *CopySnapshotInput { return s } +// SetDestinationOutpostArn sets the DestinationOutpostArn field's value. +func (s *CopySnapshotInput) SetDestinationOutpostArn(v string) *CopySnapshotInput { + s.DestinationOutpostArn = &v + return s +} + // SetDestinationRegion sets the DestinationRegion field's value. func (s *CopySnapshotInput) SetDestinationRegion(v string) *CopySnapshotInput { s.DestinationRegion = &v @@ -46857,7 +49163,7 @@ type CreateCapacityReservationInput struct { AvailabilityZoneId *string `type:"string"` // Unique, case-sensitive identifier that you provide to ensure the idempotency - // of the request. For more information, see How to Ensure Idempotency (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html). + // of the request. For more information, see Ensure Idempotency (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html). ClientToken *string `type:"string"` // Checks whether you have the required permissions for the action, without @@ -46929,8 +49235,8 @@ type CreateCapacityReservationInput struct { InstancePlatform *string `type:"string" required:"true" enum:"CapacityReservationInstancePlatform"` // The instance type for which to reserve capacity. For more information, see - // Instance Types (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html) - // in the Amazon Elastic Compute Cloud User Guide. + // Instance types (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html) + // in the Amazon EC2 User Guide. // // InstanceType is a required field InstanceType *string `type:"string" required:"true"` @@ -48095,7 +50401,10 @@ type CreateFleetInput struct { // Describes the configuration of On-Demand Instances in an EC2 Fleet. OnDemandOptions *OnDemandOptionsRequest `type:"structure"` - // Indicates whether EC2 Fleet should replace unhealthy instances. + // Indicates whether EC2 Fleet should replace unhealthy Spot Instances. Supported + // only for fleets of type maintain. For more information, see EC2 Fleet health + // checks (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/manage-ec2-fleet.html#ec2-fleet-health-checks) + // in the Amazon EC2 User Guide. ReplaceUnhealthyInstances *bool `type:"boolean"` // Describes the configuration of Spot Instances in an EC2 Fleet. @@ -48118,7 +50427,7 @@ type CreateFleetInput struct { // The type of request. The default value is maintain. // - // * maintain - The EC2 Fleet plaees an asynchronous request for your desired + // * maintain - The EC2 Fleet places an asynchronous request for your desired // capacity, and continues to maintain your desired Spot capacity by replenishing // interrupted Spot Instances. // @@ -48132,7 +50441,7 @@ type CreateFleetInput struct { // be launched. // // For more information, see EC2 Fleet request types (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet-configuration-strategies.html#ec2-fleet-request-type) - // in the Amazon Elastic Compute Cloud User Guide. + // in the Amazon EC2 User Guide. Type *string `type:"string" enum:"FleetType"` // The start date and time of the request, in UTC format (for example, YYYY-MM-DDTHH:MM:SSZ). @@ -48774,10 +51083,25 @@ type CreateImageInput struct { Name *string `locationName:"name" type:"string" required:"true"` // By default, Amazon EC2 attempts to shut down and reboot the instance before - // creating the image. If the 'No Reboot' option is set, Amazon EC2 doesn't - // shut down the instance before creating the image. When this option is used, - // file system integrity on the created image can't be guaranteed. + // creating the image. If the No Reboot option is set, Amazon EC2 doesn't shut + // down the instance before creating the image. When this option is used, file + // system integrity on the created image can't be guaranteed. NoReboot *bool `locationName:"noReboot" type:"boolean"` + + // The tags to apply to the AMI and snapshots on creation. You can tag the AMI, + // the snapshots, or both. + // + // * To tag the AMI, the value for ResourceType must be image. + // + // * To tag the snapshots that are created of the root volume and of other + // EBS volumes that are attached to the instance, the value for ResourceType + // must be snapshot. The same tag is applied to all of the snapshots that + // are created. + // + // If you specify other values for ResourceType, the request fails. + // + // To tag an AMI or snapshot after it has been created, see CreateTags (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html). + TagSpecifications []*TagSpecification `locationName:"TagSpecification" locationNameList:"item" type:"list"` } // String returns the string representation @@ -48842,6 +51166,12 @@ func (s *CreateImageInput) SetNoReboot(v bool) *CreateImageInput { return s } +// SetTagSpecifications sets the TagSpecifications field's value. +func (s *CreateImageInput) SetTagSpecifications(v []*TagSpecification) *CreateImageInput { + s.TagSpecifications = v + return s +} + type CreateImageOutput struct { _ struct{} `type:"structure"` @@ -48872,7 +51202,7 @@ type CreateInstanceExportTaskInput struct { // maximum length is 255 characters. Description *string `locationName:"description" type:"string"` - // The format and location for an instance export task. + // The format and location for an export instance task. // // ExportToS3Task is a required field ExportToS3Task *ExportToS3TaskSpecification `locationName:"exportToS3" type:"structure" required:"true"` @@ -48882,7 +51212,7 @@ type CreateInstanceExportTaskInput struct { // InstanceId is a required field InstanceId *string `locationName:"instanceId" type:"string" required:"true"` - // The tags to apply to the instance export task during creation. + // The tags to apply to the export instance task during creation. TagSpecifications []*TagSpecification `locationName:"TagSpecification" locationNameList:"item" type:"list"` // The target virtualization environment. @@ -48953,7 +51283,7 @@ func (s *CreateInstanceExportTaskInput) SetTargetEnvironment(v string) *CreateIn type CreateInstanceExportTaskOutput struct { _ struct{} `type:"structure"` - // Information about the instance export task. + // Information about the export instance task. ExportTask *ExportTask `locationName:"exportTask" type:"structure"` } @@ -50150,6 +52480,156 @@ func (s *CreateNetworkAclOutput) SetNetworkAcl(v *NetworkAcl) *CreateNetworkAclO return s } +type CreateNetworkInsightsPathInput struct { + _ struct{} `type:"structure"` + + // Unique, case-sensitive identifier that you provide to ensure the idempotency + // of the request. For more information, see How to Ensure Idempotency (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html). + ClientToken *string `type:"string" idempotencyToken:"true"` + + // The AWS resource that is the destination of the path. + // + // Destination is a required field + Destination *string `type:"string" required:"true"` + + // The IP address of the AWS resource that is the destination of the path. + DestinationIp *string `type:"string"` + + // The destination port. + DestinationPort *int64 `min:"1" type:"integer"` + + // Checks whether you have the required permissions for the action, without + // actually making the request, and provides an error response. If you have + // the required permissions, the error response is DryRunOperation. Otherwise, + // it is UnauthorizedOperation. + DryRun *bool `type:"boolean"` + + // The protocol. + // + // Protocol is a required field + Protocol *string `type:"string" required:"true" enum:"Protocol"` + + // The AWS resource that is the source of the path. + // + // Source is a required field + Source *string `type:"string" required:"true"` + + // The IP address of the AWS resource that is the source of the path. + SourceIp *string `type:"string"` + + // The tags to add to the path. + TagSpecifications []*TagSpecification `locationName:"TagSpecification" locationNameList:"item" type:"list"` +} + +// String returns the string representation +func (s CreateNetworkInsightsPathInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CreateNetworkInsightsPathInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *CreateNetworkInsightsPathInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "CreateNetworkInsightsPathInput"} + if s.Destination == nil { + invalidParams.Add(request.NewErrParamRequired("Destination")) + } + if s.DestinationPort != nil && *s.DestinationPort < 1 { + invalidParams.Add(request.NewErrParamMinValue("DestinationPort", 1)) + } + if s.Protocol == nil { + invalidParams.Add(request.NewErrParamRequired("Protocol")) + } + if s.Source == nil { + invalidParams.Add(request.NewErrParamRequired("Source")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetClientToken sets the ClientToken field's value. +func (s *CreateNetworkInsightsPathInput) SetClientToken(v string) *CreateNetworkInsightsPathInput { + s.ClientToken = &v + return s +} + +// SetDestination sets the Destination field's value. +func (s *CreateNetworkInsightsPathInput) SetDestination(v string) *CreateNetworkInsightsPathInput { + s.Destination = &v + return s +} + +// SetDestinationIp sets the DestinationIp field's value. +func (s *CreateNetworkInsightsPathInput) SetDestinationIp(v string) *CreateNetworkInsightsPathInput { + s.DestinationIp = &v + return s +} + +// SetDestinationPort sets the DestinationPort field's value. +func (s *CreateNetworkInsightsPathInput) SetDestinationPort(v int64) *CreateNetworkInsightsPathInput { + s.DestinationPort = &v + return s +} + +// SetDryRun sets the DryRun field's value. +func (s *CreateNetworkInsightsPathInput) SetDryRun(v bool) *CreateNetworkInsightsPathInput { + s.DryRun = &v + return s +} + +// SetProtocol sets the Protocol field's value. +func (s *CreateNetworkInsightsPathInput) SetProtocol(v string) *CreateNetworkInsightsPathInput { + s.Protocol = &v + return s +} + +// SetSource sets the Source field's value. +func (s *CreateNetworkInsightsPathInput) SetSource(v string) *CreateNetworkInsightsPathInput { + s.Source = &v + return s +} + +// SetSourceIp sets the SourceIp field's value. +func (s *CreateNetworkInsightsPathInput) SetSourceIp(v string) *CreateNetworkInsightsPathInput { + s.SourceIp = &v + return s +} + +// SetTagSpecifications sets the TagSpecifications field's value. +func (s *CreateNetworkInsightsPathInput) SetTagSpecifications(v []*TagSpecification) *CreateNetworkInsightsPathInput { + s.TagSpecifications = v + return s +} + +type CreateNetworkInsightsPathOutput struct { + _ struct{} `type:"structure"` + + // Information about the path. + NetworkInsightsPath *NetworkInsightsPath `locationName:"networkInsightsPath" type:"structure"` +} + +// String returns the string representation +func (s CreateNetworkInsightsPathOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CreateNetworkInsightsPathOutput) GoString() string { + return s.String() +} + +// SetNetworkInsightsPath sets the NetworkInsightsPath field's value. +func (s *CreateNetworkInsightsPathOutput) SetNetworkInsightsPath(v *NetworkInsightsPath) *CreateNetworkInsightsPathOutput { + s.NetworkInsightsPath = v + return s +} + // Contains the parameters for CreateNetworkInterface. type CreateNetworkInterfaceInput struct { _ struct{} `type:"structure"` @@ -50687,6 +53167,9 @@ type CreateRouteInput struct { // The ID of a transit gateway. TransitGatewayId *string `type:"string"` + // The ID of a VPC endpoint. Supported for Gateway Load Balancer endpoints only. + VpcEndpointId *string `type:"string"` + // The ID of a VPC peering connection. VpcPeeringConnectionId *string `locationName:"vpcPeeringConnectionId" type:"string"` } @@ -50792,6 +53275,12 @@ func (s *CreateRouteInput) SetTransitGatewayId(v string) *CreateRouteInput { return s } +// SetVpcEndpointId sets the VpcEndpointId field's value. +func (s *CreateRouteInput) SetVpcEndpointId(v string) *CreateRouteInput { + s.VpcEndpointId = &v + return s +} + // SetVpcPeeringConnectionId sets the VpcPeeringConnectionId field's value. func (s *CreateRouteInput) SetVpcPeeringConnectionId(v string) *CreateRouteInput { s.VpcPeeringConnectionId = &v @@ -51041,6 +53530,25 @@ type CreateSnapshotInput struct { // it is UnauthorizedOperation. DryRun *bool `locationName:"dryRun" type:"boolean"` + // The Amazon Resource Name (ARN) of the AWS Outpost on which to create a local + // snapshot. + // + // * To create a snapshot of a volume in a Region, omit this parameter. The + // snapshot is created in the same Region as the volume. + // + // * To create a snapshot of a volume on an Outpost and store the snapshot + // in the Region, omit this parameter. The snapshot is created in the Region + // for the Outpost. + // + // * To create a snapshot of a volume on an Outpost and store the snapshot + // on an Outpost, specify the ARN of the destination Outpost. The snapshot + // must be created on the same Outpost as the volume. + // + // For more information, see Creating local snapshots from volumes on an Outpost + // (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshots-outposts.html#create-snapshot) + // in the Amazon Elastic Compute Cloud User Guide. + OutpostArn *string `type:"string"` + // The tags to apply to the snapshot during creation. TagSpecifications []*TagSpecification `locationName:"TagSpecification" locationNameList:"item" type:"list"` @@ -51085,6 +53593,12 @@ func (s *CreateSnapshotInput) SetDryRun(v bool) *CreateSnapshotInput { return s } +// SetOutpostArn sets the OutpostArn field's value. +func (s *CreateSnapshotInput) SetOutpostArn(v string) *CreateSnapshotInput { + s.OutpostArn = &v + return s +} + // SetTagSpecifications sets the TagSpecifications field's value. func (s *CreateSnapshotInput) SetTagSpecifications(v []*TagSpecification) *CreateSnapshotInput { s.TagSpecifications = v @@ -51117,6 +53631,25 @@ type CreateSnapshotsInput struct { // InstanceSpecification is a required field InstanceSpecification *InstanceSpecification `type:"structure" required:"true"` + // The Amazon Resource Name (ARN) of the AWS Outpost on which to create the + // local snapshots. + // + // * To create snapshots from an instance in a Region, omit this parameter. + // The snapshots are created in the same Region as the instance. + // + // * To create snapshots from an instance on an Outpost and store the snapshots + // in the Region, omit this parameter. The snapshots are created in the Region + // for the Outpost. + // + // * To create snapshots from an instance on an Outpost and store the snapshots + // on an Outpost, specify the ARN of the destination Outpost. The snapshots + // must be created on the same Outpost as the instance. + // + // For more information, see Creating multi-volume local snapshots from instances + // on an Outpost (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshots-outposts.html#create-multivol-snapshot) + // in the Amazon Elastic Compute Cloud User Guide. + OutpostArn *string `type:"string"` + // Tags to apply to every snapshot specified by the instance. TagSpecifications []*TagSpecification `locationName:"TagSpecification" locationNameList:"item" type:"list"` } @@ -51168,6 +53701,12 @@ func (s *CreateSnapshotsInput) SetInstanceSpecification(v *InstanceSpecification return s } +// SetOutpostArn sets the OutpostArn field's value. +func (s *CreateSnapshotsInput) SetOutpostArn(v string) *CreateSnapshotsInput { + s.OutpostArn = &v + return s +} + // SetTagSpecifications sets the TagSpecifications field's value. func (s *CreateSnapshotsInput) SetTagSpecifications(v []*TagSpecification) *CreateSnapshotsInput { s.TagSpecifications = v @@ -52096,6 +54635,283 @@ func (s *CreateTrafficMirrorTargetOutput) SetTrafficMirrorTarget(v *TrafficMirro return s } +type CreateTransitGatewayConnectInput struct { + _ struct{} `type:"structure"` + + // Checks whether you have the required permissions for the action, without + // actually making the request, and provides an error response. If you have + // the required permissions, the error response is DryRunOperation. Otherwise, + // it is UnauthorizedOperation. + DryRun *bool `type:"boolean"` + + // The Connect attachment options. + // + // Options is a required field + Options *CreateTransitGatewayConnectRequestOptions `type:"structure" required:"true"` + + // The tags to apply to the Connect attachment. + TagSpecifications []*TagSpecification `locationName:"TagSpecification" locationNameList:"item" type:"list"` + + // The ID of the transit gateway attachment. You can specify a VPC attachment + // or a AWS Direct Connect attachment. + // + // TransportTransitGatewayAttachmentId is a required field + TransportTransitGatewayAttachmentId *string `type:"string" required:"true"` +} + +// String returns the string representation +func (s CreateTransitGatewayConnectInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CreateTransitGatewayConnectInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *CreateTransitGatewayConnectInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "CreateTransitGatewayConnectInput"} + if s.Options == nil { + invalidParams.Add(request.NewErrParamRequired("Options")) + } + if s.TransportTransitGatewayAttachmentId == nil { + invalidParams.Add(request.NewErrParamRequired("TransportTransitGatewayAttachmentId")) + } + if s.Options != nil { + if err := s.Options.Validate(); err != nil { + invalidParams.AddNested("Options", err.(request.ErrInvalidParams)) + } + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetDryRun sets the DryRun field's value. +func (s *CreateTransitGatewayConnectInput) SetDryRun(v bool) *CreateTransitGatewayConnectInput { + s.DryRun = &v + return s +} + +// SetOptions sets the Options field's value. +func (s *CreateTransitGatewayConnectInput) SetOptions(v *CreateTransitGatewayConnectRequestOptions) *CreateTransitGatewayConnectInput { + s.Options = v + return s +} + +// SetTagSpecifications sets the TagSpecifications field's value. +func (s *CreateTransitGatewayConnectInput) SetTagSpecifications(v []*TagSpecification) *CreateTransitGatewayConnectInput { + s.TagSpecifications = v + return s +} + +// SetTransportTransitGatewayAttachmentId sets the TransportTransitGatewayAttachmentId field's value. +func (s *CreateTransitGatewayConnectInput) SetTransportTransitGatewayAttachmentId(v string) *CreateTransitGatewayConnectInput { + s.TransportTransitGatewayAttachmentId = &v + return s +} + +type CreateTransitGatewayConnectOutput struct { + _ struct{} `type:"structure"` + + // Information about the Connect attachment. + TransitGatewayConnect *TransitGatewayConnect `locationName:"transitGatewayConnect" type:"structure"` +} + +// String returns the string representation +func (s CreateTransitGatewayConnectOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CreateTransitGatewayConnectOutput) GoString() string { + return s.String() +} + +// SetTransitGatewayConnect sets the TransitGatewayConnect field's value. +func (s *CreateTransitGatewayConnectOutput) SetTransitGatewayConnect(v *TransitGatewayConnect) *CreateTransitGatewayConnectOutput { + s.TransitGatewayConnect = v + return s +} + +type CreateTransitGatewayConnectPeerInput struct { + _ struct{} `type:"structure"` + + // The BGP options for the Connect peer. + BgpOptions *TransitGatewayConnectRequestBgpOptions `type:"structure"` + + // Checks whether you have the required permissions for the action, without + // actually making the request, and provides an error response. If you have + // the required permissions, the error response is DryRunOperation. Otherwise, + // it is UnauthorizedOperation. + DryRun *bool `type:"boolean"` + + // The range of inside IP addresses that are used for BGP peering. You must + // specify a size /29 IPv4 CIDR block from the 169.254.0.0/16 range. The first + // address from the range must be configured on the appliance as the BGP IP + // address. You can also optionally specify a size /125 IPv6 CIDR block from + // the fd00::/8 range. + // + // InsideCidrBlocks is a required field + InsideCidrBlocks []*string `locationNameList:"item" type:"list" required:"true"` + + // The peer IP address (GRE outer IP address) on the appliance side of the Connect + // peer. + // + // PeerAddress is a required field + PeerAddress *string `type:"string" required:"true"` + + // The tags to apply to the Connect peer. + TagSpecifications []*TagSpecification `locationName:"TagSpecification" locationNameList:"item" type:"list"` + + // The peer IP address (GRE outer IP address) on the transit gateway side of + // the Connect peer, which must be specified from a transit gateway CIDR block. + // If not specified, Amazon automatically assigns the first available IP address + // from the transit gateway CIDR block. + TransitGatewayAddress *string `type:"string"` + + // The ID of the Connect attachment. + // + // TransitGatewayAttachmentId is a required field + TransitGatewayAttachmentId *string `type:"string" required:"true"` +} + +// String returns the string representation +func (s CreateTransitGatewayConnectPeerInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CreateTransitGatewayConnectPeerInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *CreateTransitGatewayConnectPeerInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "CreateTransitGatewayConnectPeerInput"} + if s.InsideCidrBlocks == nil { + invalidParams.Add(request.NewErrParamRequired("InsideCidrBlocks")) + } + if s.PeerAddress == nil { + invalidParams.Add(request.NewErrParamRequired("PeerAddress")) + } + if s.TransitGatewayAttachmentId == nil { + invalidParams.Add(request.NewErrParamRequired("TransitGatewayAttachmentId")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetBgpOptions sets the BgpOptions field's value. +func (s *CreateTransitGatewayConnectPeerInput) SetBgpOptions(v *TransitGatewayConnectRequestBgpOptions) *CreateTransitGatewayConnectPeerInput { + s.BgpOptions = v + return s +} + +// SetDryRun sets the DryRun field's value. +func (s *CreateTransitGatewayConnectPeerInput) SetDryRun(v bool) *CreateTransitGatewayConnectPeerInput { + s.DryRun = &v + return s +} + +// SetInsideCidrBlocks sets the InsideCidrBlocks field's value. +func (s *CreateTransitGatewayConnectPeerInput) SetInsideCidrBlocks(v []*string) *CreateTransitGatewayConnectPeerInput { + s.InsideCidrBlocks = v + return s +} + +// SetPeerAddress sets the PeerAddress field's value. +func (s *CreateTransitGatewayConnectPeerInput) SetPeerAddress(v string) *CreateTransitGatewayConnectPeerInput { + s.PeerAddress = &v + return s +} + +// SetTagSpecifications sets the TagSpecifications field's value. +func (s *CreateTransitGatewayConnectPeerInput) SetTagSpecifications(v []*TagSpecification) *CreateTransitGatewayConnectPeerInput { + s.TagSpecifications = v + return s +} + +// SetTransitGatewayAddress sets the TransitGatewayAddress field's value. +func (s *CreateTransitGatewayConnectPeerInput) SetTransitGatewayAddress(v string) *CreateTransitGatewayConnectPeerInput { + s.TransitGatewayAddress = &v + return s +} + +// SetTransitGatewayAttachmentId sets the TransitGatewayAttachmentId field's value. +func (s *CreateTransitGatewayConnectPeerInput) SetTransitGatewayAttachmentId(v string) *CreateTransitGatewayConnectPeerInput { + s.TransitGatewayAttachmentId = &v + return s +} + +type CreateTransitGatewayConnectPeerOutput struct { + _ struct{} `type:"structure"` + + // Information about the Connect peer. + TransitGatewayConnectPeer *TransitGatewayConnectPeer `locationName:"transitGatewayConnectPeer" type:"structure"` +} + +// String returns the string representation +func (s CreateTransitGatewayConnectPeerOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CreateTransitGatewayConnectPeerOutput) GoString() string { + return s.String() +} + +// SetTransitGatewayConnectPeer sets the TransitGatewayConnectPeer field's value. +func (s *CreateTransitGatewayConnectPeerOutput) SetTransitGatewayConnectPeer(v *TransitGatewayConnectPeer) *CreateTransitGatewayConnectPeerOutput { + s.TransitGatewayConnectPeer = v + return s +} + +// The options for a Connect attachment. +type CreateTransitGatewayConnectRequestOptions struct { + _ struct{} `type:"structure"` + + // The tunnel protocol. + // + // Protocol is a required field + Protocol *string `type:"string" required:"true" enum:"ProtocolValue"` +} + +// String returns the string representation +func (s CreateTransitGatewayConnectRequestOptions) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CreateTransitGatewayConnectRequestOptions) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *CreateTransitGatewayConnectRequestOptions) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "CreateTransitGatewayConnectRequestOptions"} + if s.Protocol == nil { + invalidParams.Add(request.NewErrParamRequired("Protocol")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetProtocol sets the Protocol field's value. +func (s *CreateTransitGatewayConnectRequestOptions) SetProtocol(v string) *CreateTransitGatewayConnectRequestOptions { + s.Protocol = &v + return s +} + type CreateTransitGatewayInput struct { _ struct{} `type:"structure"` @@ -52158,6 +54974,9 @@ type CreateTransitGatewayMulticastDomainInput struct { // it is UnauthorizedOperation. DryRun *bool `type:"boolean"` + // The options for the transit gateway multicast domain. + Options *CreateTransitGatewayMulticastDomainRequestOptions `type:"structure"` + // The tags for the transit gateway multicast domain. TagSpecifications []*TagSpecification `locationName:"TagSpecification" locationNameList:"item" type:"list"` @@ -52196,6 +55015,12 @@ func (s *CreateTransitGatewayMulticastDomainInput) SetDryRun(v bool) *CreateTran return s } +// SetOptions sets the Options field's value. +func (s *CreateTransitGatewayMulticastDomainInput) SetOptions(v *CreateTransitGatewayMulticastDomainRequestOptions) *CreateTransitGatewayMulticastDomainInput { + s.Options = v + return s +} + // SetTagSpecifications sets the TagSpecifications field's value. func (s *CreateTransitGatewayMulticastDomainInput) SetTagSpecifications(v []*TagSpecification) *CreateTransitGatewayMulticastDomainInput { s.TagSpecifications = v @@ -52231,6 +55056,51 @@ func (s *CreateTransitGatewayMulticastDomainOutput) SetTransitGatewayMulticastDo return s } +// The options for the transit gateway multicast domain. +type CreateTransitGatewayMulticastDomainRequestOptions struct { + _ struct{} `type:"structure"` + + // Indicates whether to automatically accept cross-account subnet associations + // that are associated with the transit gateway multicast domain. + AutoAcceptSharedAssociations *string `type:"string" enum:"AutoAcceptSharedAssociationsValue"` + + // Specify whether to enable Internet Group Management Protocol (IGMP) version + // 2 for the transit gateway multicast domain. + Igmpv2Support *string `type:"string" enum:"Igmpv2SupportValue"` + + // Specify whether to enable support for statically configuring multicast group + // sources for a domain. + StaticSourcesSupport *string `type:"string" enum:"StaticSourcesSupportValue"` +} + +// String returns the string representation +func (s CreateTransitGatewayMulticastDomainRequestOptions) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CreateTransitGatewayMulticastDomainRequestOptions) GoString() string { + return s.String() +} + +// SetAutoAcceptSharedAssociations sets the AutoAcceptSharedAssociations field's value. +func (s *CreateTransitGatewayMulticastDomainRequestOptions) SetAutoAcceptSharedAssociations(v string) *CreateTransitGatewayMulticastDomainRequestOptions { + s.AutoAcceptSharedAssociations = &v + return s +} + +// SetIgmpv2Support sets the Igmpv2Support field's value. +func (s *CreateTransitGatewayMulticastDomainRequestOptions) SetIgmpv2Support(v string) *CreateTransitGatewayMulticastDomainRequestOptions { + s.Igmpv2Support = &v + return s +} + +// SetStaticSourcesSupport sets the StaticSourcesSupport field's value. +func (s *CreateTransitGatewayMulticastDomainRequestOptions) SetStaticSourcesSupport(v string) *CreateTransitGatewayMulticastDomainRequestOptions { + s.StaticSourcesSupport = &v + return s +} + type CreateTransitGatewayOutput struct { _ struct{} `type:"structure"` @@ -52805,7 +55675,7 @@ type CreateTransitGatewayVpcAttachmentRequestOptions struct { // Enable or disable DNS support. The default is enable. DnsSupport *string `type:"string" enum:"DnsSupportValue"` - // Enable or disable IPv6 support. + // Enable or disable IPv6 support. The default is disable. Ipv6Support *string `type:"string" enum:"Ipv6SupportValue"` } @@ -52851,7 +55721,7 @@ type CreateVolumeInput struct { // it is UnauthorizedOperation. DryRun *bool `locationName:"dryRun" type:"boolean"` - // Specifies whether the volume should be encrypted. The effect of setting the + // Indicates whether the volume should be encrypted. The effect of setting the // encryption state to true depends on the volume origin (new or from a snapshot), // starting encryption state, ownership, and whether encryption by default is // enabled. For more information, see Encryption by default (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default) @@ -52861,15 +55731,26 @@ type CreateVolumeInput struct { // EBS encryption. For more information, see Supported instance types (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#EBSEncryption_supported_instances). Encrypted *bool `locationName:"encrypted" type:"boolean"` - // The number of I/O operations per second (IOPS) to provision for an io1 or - // io2 volume, with a maximum ratio of 50 IOPS/GiB for io1, and 500 IOPS/GiB - // for io2. Range is 100 to 64,000 IOPS for volumes in most Regions. Maximum - // IOPS of 64,000 is guaranteed only on Nitro-based instances (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances). - // Other instance families guarantee performance up to 32,000 IOPS. For more - // information, see Amazon EBS volume types (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html) - // in the Amazon Elastic Compute Cloud User Guide. + // The number of I/O operations per second (IOPS). For gp3, io1, and io2 volumes, + // this represents the number of IOPS that are provisioned for the volume. For + // gp2 volumes, this represents the baseline performance of the volume and the + // rate at which the volume accumulates I/O credits for bursting. // - // This parameter is valid only for Provisioned IOPS SSD (io1 and io2) volumes. + // The following are the supported values for each volume type: + // + // * gp3: 3,000-16,000 IOPS + // + // * io1: 100-64,000 IOPS + // + // * io2: 100-64,000 IOPS + // + // For io1 and io2 volumes, we guarantee 64,000 IOPS only for Instances built + // on the Nitro System (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances). + // Other instance families guarantee performance up to 32,000 IOPS. + // + // This parameter is required for io1 and io2 volumes. The default for gp3 volumes + // is 3,000 IOPS. This parameter is not supported for gp2, st1, sc1, or standard + // volumes. Iops *int64 `type:"integer"` // The identifier of the AWS Key Management Service (AWS KMS) customer master @@ -52892,10 +55773,11 @@ type CreateVolumeInput struct { // fails. KmsKeyId *string `type:"string"` - // Specifies whether to enable Amazon EBS Multi-Attach. If you enable Multi-Attach, - // you can attach the volume to up to 16 Nitro-based instances (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances) - // in the same Availability Zone. For more information, see Amazon EBS Multi-Attach - // (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volumes-multi.html) + // Indicates whether to enable Amazon EBS Multi-Attach. If you enable Multi-Attach, + // you can attach the volume to up to 16 Instances built on the Nitro System + // (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances) + // in the same Availability Zone. This parameter is supported with io1 and io2 + // volumes only. For more information, see Amazon EBS Multi-Attach (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volumes-multi.html) // in the Amazon Elastic Compute Cloud User Guide. MultiAttachEnabled *bool `type:"boolean"` @@ -52903,14 +55785,19 @@ type CreateVolumeInput struct { OutpostArn *string `type:"string"` // The size of the volume, in GiBs. You must specify either a snapshot ID or - // a volume size. + // a volume size. If you specify a snapshot, the default is the snapshot size. + // You can specify a volume size that is equal to or larger than the snapshot + // size. // - // Constraints: 1-16,384 for gp2, 4-16,384 for io1 and io2, 500-16,384 for st1, - // 500-16,384 for sc1, and 1-1,024 for standard. If you specify a snapshot, - // the volume size must be equal to or larger than the snapshot size. + // The following are the supported volumes sizes for each volume type: // - // Default: If you're creating the volume from a snapshot and don't specify - // a volume size, the default is the snapshot size. + // * gp2 and gp3: 1-16,384 + // + // * io1 and io2: 4-16,384 + // + // * st1 and sc1: 125-16,384 + // + // * standard: 1-1,024 Size *int64 `type:"integer"` // The snapshot from which to create the volume. You must specify either a snapshot @@ -52920,9 +55807,27 @@ type CreateVolumeInput struct { // The tags to apply to the volume during creation. TagSpecifications []*TagSpecification `locationName:"TagSpecification" locationNameList:"item" type:"list"` - // The volume type. This can be gp2 for General Purpose SSD, io1 or io2 for - // Provisioned IOPS SSD, st1 for Throughput Optimized HDD, sc1 for Cold HDD, - // or standard for Magnetic volumes. + // The throughput to provision for a volume, with a maximum of 1,000 MiB/s. + // + // This parameter is valid only for gp3 volumes. + // + // Valid Range: Minimum value of 125. Maximum value of 1000. + Throughput *int64 `type:"integer"` + + // The volume type. This parameter can be one of the following values: + // + // * General Purpose SSD: gp2 | gp3 + // + // * Provisioned IOPS SSD: io1 | io2 + // + // * Throughput Optimized HDD: st1 + // + // * Cold HDD: sc1 + // + // * Magnetic: standard + // + // For more information, see Amazon EBS volume types (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html) + // in the Amazon Elastic Compute Cloud User Guide. // // Default: gp2 VolumeType *string `type:"string" enum:"VolumeType"` @@ -53011,6 +55916,12 @@ func (s *CreateVolumeInput) SetTagSpecifications(v []*TagSpecification) *CreateV return s } +// SetThroughput sets the Throughput field's value. +func (s *CreateVolumeInput) SetThroughput(v int64) *CreateVolumeInput { + s.Throughput = &v + return s +} + // SetVolumeType sets the VolumeType field's value. func (s *CreateVolumeInput) SetVolumeType(v string) *CreateVolumeInput { s.VolumeType = &v @@ -53224,9 +56135,10 @@ type CreateVpcEndpointInput struct { // it is UnauthorizedOperation. DryRun *bool `type:"boolean"` - // A policy to attach to the endpoint that controls access to the service. The - // policy must be in valid JSON format. If this parameter is not specified, - // we attach a default policy that allows full access to the service. + // (Interface and gateway endpoints) A policy to attach to the endpoint that + // controls access to the service. The policy must be in valid JSON format. + // If this parameter is not specified, we attach a default policy that allows + // full access to the service. PolicyDocument *string `type:"string"` // (Interface endpoint) Indicates whether to associate a private hosted zone @@ -53257,8 +56169,9 @@ type CreateVpcEndpointInput struct { // ServiceName is a required field ServiceName *string `type:"string" required:"true"` - // (Interface endpoint) The ID of one or more subnets in which to create an - // endpoint network interface. + // (Interface and Gateway Load Balancer endpoints) The ID of one or more subnets + // in which to create an endpoint network interface. For a Gateway Load Balancer + // endpoint, you can specify one subnet only. SubnetIds []*string `locationName:"SubnetId" locationNameList:"item" type:"list"` // The tags to associate with the endpoint. @@ -53418,13 +56331,15 @@ type CreateVpcEndpointServiceConfigurationInput struct { // it is UnauthorizedOperation. DryRun *bool `type:"boolean"` + // The Amazon Resource Names (ARNs) of one or more Gateway Load Balancers. + GatewayLoadBalancerArns []*string `locationName:"GatewayLoadBalancerArn" locationNameList:"item" type:"list"` + // The Amazon Resource Names (ARNs) of one or more Network Load Balancers for // your service. - // - // NetworkLoadBalancerArns is a required field - NetworkLoadBalancerArns []*string `locationName:"NetworkLoadBalancerArn" locationNameList:"item" type:"list" required:"true"` + NetworkLoadBalancerArns []*string `locationName:"NetworkLoadBalancerArn" locationNameList:"item" type:"list"` - // The private DNS name to assign to the VPC endpoint service. + // (Interface endpoint configuration) The private DNS name to assign to the + // VPC endpoint service. PrivateDnsName *string `type:"string"` // The tags to associate with the service. @@ -53441,19 +56356,6 @@ func (s CreateVpcEndpointServiceConfigurationInput) GoString() string { return s.String() } -// Validate inspects the fields of the type to determine if they are valid. -func (s *CreateVpcEndpointServiceConfigurationInput) Validate() error { - invalidParams := request.ErrInvalidParams{Context: "CreateVpcEndpointServiceConfigurationInput"} - if s.NetworkLoadBalancerArns == nil { - invalidParams.Add(request.NewErrParamRequired("NetworkLoadBalancerArns")) - } - - if invalidParams.Len() > 0 { - return invalidParams - } - return nil -} - // SetAcceptanceRequired sets the AcceptanceRequired field's value. func (s *CreateVpcEndpointServiceConfigurationInput) SetAcceptanceRequired(v bool) *CreateVpcEndpointServiceConfigurationInput { s.AcceptanceRequired = &v @@ -53472,6 +56374,12 @@ func (s *CreateVpcEndpointServiceConfigurationInput) SetDryRun(v bool) *CreateVp return s } +// SetGatewayLoadBalancerArns sets the GatewayLoadBalancerArns field's value. +func (s *CreateVpcEndpointServiceConfigurationInput) SetGatewayLoadBalancerArns(v []*string) *CreateVpcEndpointServiceConfigurationInput { + s.GatewayLoadBalancerArns = v + return s +} + // SetNetworkLoadBalancerArns sets the NetworkLoadBalancerArns field's value. func (s *CreateVpcEndpointServiceConfigurationInput) SetNetworkLoadBalancerArns(v []*string) *CreateVpcEndpointServiceConfigurationInput { s.NetworkLoadBalancerArns = v @@ -54789,8 +57697,14 @@ type DeleteFleetsInput struct { // FleetIds is a required field FleetIds []*string `locationName:"FleetId" type:"list" required:"true"` - // Indicates whether to terminate instances for an EC2 Fleet if it is deleted - // successfully. + // Indicates whether to terminate the instances when the EC2 Fleet is deleted. + // The default is to terminate the instances. + // + // To let the instances continue to run after the EC2 Fleet is deleted, specify + // NoTerminateInstances. Supported only for fleets of type maintain and request. + // + // For instant fleets, you cannot specify NoTerminateInstances. A deleted instant + // fleet with running instances is not supported. // // TerminateInstances is a required field TerminateInstances *bool `type:"boolean" required:"true"` @@ -55884,6 +58798,152 @@ func (s DeleteNetworkAclOutput) GoString() string { return s.String() } +type DeleteNetworkInsightsAnalysisInput struct { + _ struct{} `type:"structure"` + + // Checks whether you have the required permissions for the action, without + // actually making the request, and provides an error response. If you have + // the required permissions, the error response is DryRunOperation. Otherwise, + // it is UnauthorizedOperation. + DryRun *bool `type:"boolean"` + + // The ID of the network insights analysis. + // + // NetworkInsightsAnalysisId is a required field + NetworkInsightsAnalysisId *string `type:"string" required:"true"` +} + +// String returns the string representation +func (s DeleteNetworkInsightsAnalysisInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DeleteNetworkInsightsAnalysisInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *DeleteNetworkInsightsAnalysisInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "DeleteNetworkInsightsAnalysisInput"} + if s.NetworkInsightsAnalysisId == nil { + invalidParams.Add(request.NewErrParamRequired("NetworkInsightsAnalysisId")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetDryRun sets the DryRun field's value. +func (s *DeleteNetworkInsightsAnalysisInput) SetDryRun(v bool) *DeleteNetworkInsightsAnalysisInput { + s.DryRun = &v + return s +} + +// SetNetworkInsightsAnalysisId sets the NetworkInsightsAnalysisId field's value. +func (s *DeleteNetworkInsightsAnalysisInput) SetNetworkInsightsAnalysisId(v string) *DeleteNetworkInsightsAnalysisInput { + s.NetworkInsightsAnalysisId = &v + return s +} + +type DeleteNetworkInsightsAnalysisOutput struct { + _ struct{} `type:"structure"` + + // The ID of the network insights analysis. + NetworkInsightsAnalysisId *string `locationName:"networkInsightsAnalysisId" type:"string"` +} + +// String returns the string representation +func (s DeleteNetworkInsightsAnalysisOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DeleteNetworkInsightsAnalysisOutput) GoString() string { + return s.String() +} + +// SetNetworkInsightsAnalysisId sets the NetworkInsightsAnalysisId field's value. +func (s *DeleteNetworkInsightsAnalysisOutput) SetNetworkInsightsAnalysisId(v string) *DeleteNetworkInsightsAnalysisOutput { + s.NetworkInsightsAnalysisId = &v + return s +} + +type DeleteNetworkInsightsPathInput struct { + _ struct{} `type:"structure"` + + // Checks whether you have the required permissions for the action, without + // actually making the request, and provides an error response. If you have + // the required permissions, the error response is DryRunOperation. Otherwise, + // it is UnauthorizedOperation. + DryRun *bool `type:"boolean"` + + // The ID of the path. + // + // NetworkInsightsPathId is a required field + NetworkInsightsPathId *string `type:"string" required:"true"` +} + +// String returns the string representation +func (s DeleteNetworkInsightsPathInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DeleteNetworkInsightsPathInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *DeleteNetworkInsightsPathInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "DeleteNetworkInsightsPathInput"} + if s.NetworkInsightsPathId == nil { + invalidParams.Add(request.NewErrParamRequired("NetworkInsightsPathId")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetDryRun sets the DryRun field's value. +func (s *DeleteNetworkInsightsPathInput) SetDryRun(v bool) *DeleteNetworkInsightsPathInput { + s.DryRun = &v + return s +} + +// SetNetworkInsightsPathId sets the NetworkInsightsPathId field's value. +func (s *DeleteNetworkInsightsPathInput) SetNetworkInsightsPathId(v string) *DeleteNetworkInsightsPathInput { + s.NetworkInsightsPathId = &v + return s +} + +type DeleteNetworkInsightsPathOutput struct { + _ struct{} `type:"structure"` + + // The ID of the path. + NetworkInsightsPathId *string `locationName:"networkInsightsPathId" type:"string"` +} + +// String returns the string representation +func (s DeleteNetworkInsightsPathOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DeleteNetworkInsightsPathOutput) GoString() string { + return s.String() +} + +// SetNetworkInsightsPathId sets the NetworkInsightsPathId field's value. +func (s *DeleteNetworkInsightsPathOutput) SetNetworkInsightsPathId(v string) *DeleteNetworkInsightsPathOutput { + s.NetworkInsightsPathId = &v + return s +} + // Contains the parameters for DeleteNetworkInterface. type DeleteNetworkInterfaceInput struct { _ struct{} `type:"structure"` @@ -56977,6 +60037,152 @@ func (s *DeleteTrafficMirrorTargetOutput) SetTrafficMirrorTargetId(v string) *De return s } +type DeleteTransitGatewayConnectInput struct { + _ struct{} `type:"structure"` + + // Checks whether you have the required permissions for the action, without + // actually making the request, and provides an error response. If you have + // the required permissions, the error response is DryRunOperation. Otherwise, + // it is UnauthorizedOperation. + DryRun *bool `type:"boolean"` + + // The ID of the Connect attachment. + // + // TransitGatewayAttachmentId is a required field + TransitGatewayAttachmentId *string `type:"string" required:"true"` +} + +// String returns the string representation +func (s DeleteTransitGatewayConnectInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DeleteTransitGatewayConnectInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *DeleteTransitGatewayConnectInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "DeleteTransitGatewayConnectInput"} + if s.TransitGatewayAttachmentId == nil { + invalidParams.Add(request.NewErrParamRequired("TransitGatewayAttachmentId")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetDryRun sets the DryRun field's value. +func (s *DeleteTransitGatewayConnectInput) SetDryRun(v bool) *DeleteTransitGatewayConnectInput { + s.DryRun = &v + return s +} + +// SetTransitGatewayAttachmentId sets the TransitGatewayAttachmentId field's value. +func (s *DeleteTransitGatewayConnectInput) SetTransitGatewayAttachmentId(v string) *DeleteTransitGatewayConnectInput { + s.TransitGatewayAttachmentId = &v + return s +} + +type DeleteTransitGatewayConnectOutput struct { + _ struct{} `type:"structure"` + + // Information about the deleted Connect attachment. + TransitGatewayConnect *TransitGatewayConnect `locationName:"transitGatewayConnect" type:"structure"` +} + +// String returns the string representation +func (s DeleteTransitGatewayConnectOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DeleteTransitGatewayConnectOutput) GoString() string { + return s.String() +} + +// SetTransitGatewayConnect sets the TransitGatewayConnect field's value. +func (s *DeleteTransitGatewayConnectOutput) SetTransitGatewayConnect(v *TransitGatewayConnect) *DeleteTransitGatewayConnectOutput { + s.TransitGatewayConnect = v + return s +} + +type DeleteTransitGatewayConnectPeerInput struct { + _ struct{} `type:"structure"` + + // Checks whether you have the required permissions for the action, without + // actually making the request, and provides an error response. If you have + // the required permissions, the error response is DryRunOperation. Otherwise, + // it is UnauthorizedOperation. + DryRun *bool `type:"boolean"` + + // The ID of the Connect peer. + // + // TransitGatewayConnectPeerId is a required field + TransitGatewayConnectPeerId *string `type:"string" required:"true"` +} + +// String returns the string representation +func (s DeleteTransitGatewayConnectPeerInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DeleteTransitGatewayConnectPeerInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *DeleteTransitGatewayConnectPeerInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "DeleteTransitGatewayConnectPeerInput"} + if s.TransitGatewayConnectPeerId == nil { + invalidParams.Add(request.NewErrParamRequired("TransitGatewayConnectPeerId")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetDryRun sets the DryRun field's value. +func (s *DeleteTransitGatewayConnectPeerInput) SetDryRun(v bool) *DeleteTransitGatewayConnectPeerInput { + s.DryRun = &v + return s +} + +// SetTransitGatewayConnectPeerId sets the TransitGatewayConnectPeerId field's value. +func (s *DeleteTransitGatewayConnectPeerInput) SetTransitGatewayConnectPeerId(v string) *DeleteTransitGatewayConnectPeerInput { + s.TransitGatewayConnectPeerId = &v + return s +} + +type DeleteTransitGatewayConnectPeerOutput struct { + _ struct{} `type:"structure"` + + // Information about the deleted Connect peer. + TransitGatewayConnectPeer *TransitGatewayConnectPeer `locationName:"transitGatewayConnectPeer" type:"structure"` +} + +// String returns the string representation +func (s DeleteTransitGatewayConnectPeerOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DeleteTransitGatewayConnectPeerOutput) GoString() string { + return s.String() +} + +// SetTransitGatewayConnectPeer sets the TransitGatewayConnectPeer field's value. +func (s *DeleteTransitGatewayConnectPeerOutput) SetTransitGatewayConnectPeer(v *TransitGatewayConnectPeer) *DeleteTransitGatewayConnectPeerOutput { + s.TransitGatewayConnectPeer = v + return s +} + type DeleteTransitGatewayInput struct { _ struct{} `type:"structure"` @@ -58579,6 +61785,115 @@ func (s *DescribeAccountAttributesOutput) SetAccountAttributes(v []*AccountAttri return s } +type DescribeAddressesAttributeInput struct { + _ struct{} `type:"structure"` + + // [EC2-VPC] The allocation IDs. + AllocationIds []*string `locationName:"AllocationId" locationNameList:"item" type:"list"` + + // The attribute of the IP address. + Attribute *string `type:"string" enum:"AddressAttributeName"` + + // Checks whether you have the required permissions for the action, without + // actually making the request, and provides an error response. If you have + // the required permissions, the error response is DryRunOperation. Otherwise, + // it is UnauthorizedOperation. + DryRun *bool `type:"boolean"` + + // The maximum number of results to return with a single call. To retrieve the + // remaining results, make another call with the returned nextToken value. + MaxResults *int64 `min:"1" type:"integer"` + + // The token for the next page of results. + NextToken *string `type:"string"` +} + +// String returns the string representation +func (s DescribeAddressesAttributeInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DescribeAddressesAttributeInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *DescribeAddressesAttributeInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "DescribeAddressesAttributeInput"} + if s.MaxResults != nil && *s.MaxResults < 1 { + invalidParams.Add(request.NewErrParamMinValue("MaxResults", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetAllocationIds sets the AllocationIds field's value. +func (s *DescribeAddressesAttributeInput) SetAllocationIds(v []*string) *DescribeAddressesAttributeInput { + s.AllocationIds = v + return s +} + +// SetAttribute sets the Attribute field's value. +func (s *DescribeAddressesAttributeInput) SetAttribute(v string) *DescribeAddressesAttributeInput { + s.Attribute = &v + return s +} + +// SetDryRun sets the DryRun field's value. +func (s *DescribeAddressesAttributeInput) SetDryRun(v bool) *DescribeAddressesAttributeInput { + s.DryRun = &v + return s +} + +// SetMaxResults sets the MaxResults field's value. +func (s *DescribeAddressesAttributeInput) SetMaxResults(v int64) *DescribeAddressesAttributeInput { + s.MaxResults = &v + return s +} + +// SetNextToken sets the NextToken field's value. +func (s *DescribeAddressesAttributeInput) SetNextToken(v string) *DescribeAddressesAttributeInput { + s.NextToken = &v + return s +} + +type DescribeAddressesAttributeOutput struct { + _ struct{} `type:"structure"` + + // Information about the IP addresses. + Addresses []*AddressAttribute `locationName:"addressSet" locationNameList:"item" type:"list"` + + // The token to use to retrieve the next page of results. This value is null + // when there are no more results to return. + NextToken *string `locationName:"nextToken" type:"string"` +} + +// String returns the string representation +func (s DescribeAddressesAttributeOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DescribeAddressesAttributeOutput) GoString() string { + return s.String() +} + +// SetAddresses sets the Addresses field's value. +func (s *DescribeAddressesAttributeOutput) SetAddresses(v []*AddressAttribute) *DescribeAddressesAttributeOutput { + s.Addresses = v + return s +} + +// SetNextToken sets the NextToken field's value. +func (s *DescribeAddressesAttributeOutput) SetNextToken(v string) *DescribeAddressesAttributeOutput { + s.NextToken = &v + return s +} + type DescribeAddressesInput struct { _ struct{} `type:"structure"` @@ -59095,12 +62410,12 @@ type DescribeCapacityReservationsInput struct { // is active and the capacity is available for your use. expired - The Capacity // Reservation expired automatically at the date and time specified in your // request. The reserved capacity is no longer available for your use. cancelled - // - The Capacity Reservation was manually cancelled. The reserved capacity - // is no longer available for your use. pending - The Capacity Reservation - // request was successful but the capacity provisioning is still pending. - // failed - The Capacity Reservation request has failed. A request might - // fail due to invalid request parameters, capacity constraints, or instance - // limit constraints. Failed requests are retained for 60 minutes. + // - The Capacity Reservation was cancelled. The reserved capacity is no + // longer available for your use. pending - The Capacity Reservation request + // was successful but the capacity provisioning is still pending. failed + // - The Capacity Reservation request has failed. A request might fail due + // to invalid request parameters, capacity constraints, or instance limit + // constraints. Failed requests are retained for 60 minutes. // // * end-date - The date and time at which the Capacity Reservation expires. // When a Capacity Reservation expires, the reserved capacity is released @@ -62559,9 +65874,9 @@ type DescribeImageAttributeInput struct { // The AMI attribute. // - // Note: Depending on your account privileges, the blockDeviceMapping attribute - // may return a Client.AuthFailure error. If this happens, use DescribeImages - // to get information about the block device mapping for the AMI. + // Note: The blockDeviceMapping attribute is deprecated. Using this attribute + // returns the Client.AuthFailure error. To get information about the block + // device mappings for an AMI, use the DescribeImages action. // // Attribute is a required field Attribute *string `type:"string" required:"true" enum:"ImageAttributeName"` @@ -62629,6 +65944,9 @@ type DescribeImageAttributeOutput struct { // The block device mapping entries. BlockDeviceMappings []*BlockDeviceMapping `locationName:"blockDeviceMapping" locationNameList:"item" type:"list"` + // Describes a value for a resource attribute that is a String. + BootMode *AttributeValue `locationName:"bootMode" type:"structure"` + // A description for the AMI. Description *AttributeValue `locationName:"description" type:"structure"` @@ -62668,6 +65986,12 @@ func (s *DescribeImageAttributeOutput) SetBlockDeviceMappings(v []*BlockDeviceMa return s } +// SetBootMode sets the BootMode field's value. +func (s *DescribeImageAttributeOutput) SetBootMode(v *AttributeValue) *DescribeImageAttributeOutput { + s.BootMode = v + return s +} + // SetDescription sets the Description field's value. func (s *DescribeImageAttributeOutput) SetDescription(v *AttributeValue) *DescribeImageAttributeOutput { s.Description = v @@ -62764,13 +66088,13 @@ type DescribeImagesInput struct { // // * name - The name of the AMI (provided during image creation). // - // * owner-alias - The owner alias, from an Amazon-maintained list (amazon - // | aws-marketplace). This is not the user-configured AWS account alias - // set using the IAM console. We recommend that you use the related parameter - // instead of this filter. + // * owner-alias - The owner alias (amazon | aws-marketplace). The valid + // aliases are defined in an Amazon-maintained list. This is not the AWS + // account alias that can be set using the IAM console. We recommend that + // you use the Owner request parameter instead of this filter. // // * owner-id - The AWS account ID of the owner. We recommend that you use - // the related parameter instead of this filter. + // the Owner request parameter instead of this filter. // // * platform - The platform. To only list Windows-based AMIs, use windows. // @@ -63188,9 +66512,12 @@ type DescribeInstanceAttributeOutput struct { // The device name of the root device volume (for example, /dev/sda1). RootDeviceName *AttributeValue `locationName:"rootDeviceName" type:"structure"` - // Indicates whether source/destination checking is enabled. A value of true - // means that checking is enabled, and false means that checking is disabled. - // This value must be false for a NAT instance to perform NAT. + // Enable or disable source/destination checks, which ensure that the instance + // is either the source or the destination of any traffic that it receives. + // If the value is true, source/destination checks are enabled; otherwise, they + // are disabled. The default value is true. You must disable source/destination + // checks if the instance runs services such as network address translation, + // routing, or firewalls. SourceDestCheck *AttributeBooleanValue `locationName:"sourceDestCheck" type:"structure"` // Indicates whether enhanced networking with the Intel 82599 Virtual Function @@ -63823,6 +67150,9 @@ type DescribeInstanceTypesInput struct { // // * memory-info.size-in-mib - The memory size. // + // * network-info.efa-info.maximum-efa-interfaces - The maximum number of + // Elastic Fabric Adapters (EFAs) per instance. (true | false). + // // * network-info.efa-supported - Indicates whether the instance type supports // Elastic Fabric Adapter (EFA) (true | false). // @@ -63850,6 +67180,8 @@ type DescribeInstanceTypesInput struct { // * processor-info.sustained-clock-speed-in-ghz - The CPU clock speed, in // GHz. // + // * supported-boot-mode - The boot mode (legacy-bios | uefi). + // // * supported-root-device-type - The root device type (ebs | instance-store). // // * supported-usage-class - The usage class (on-demand | spot). @@ -63872,8 +67204,8 @@ type DescribeInstanceTypesInput struct { // can be configured for the instance type. For example, "1" or "1,2". Filters []*Filter `locationName:"Filter" locationNameList:"Filter" type:"list"` - // The instance types. For more information, see Instance Types (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html) - // in the Amazon Elastic Compute Cloud User Guide. + // The instance types. For more information, see Instance types (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html) + // in the Amazon EC2 User Guide. InstanceTypes []*string `locationName:"InstanceType" type:"list"` // The maximum number of results to return for the request in a single page. @@ -63941,8 +67273,8 @@ func (s *DescribeInstanceTypesInput) SetNextToken(v string) *DescribeInstanceTyp type DescribeInstanceTypesOutput struct { _ struct{} `type:"structure"` - // The instance type. For more information, see Instance Types (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html) - // in the Amazon Elastic Compute Cloud User Guide. + // The instance type. For more information, see Instance types (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html) + // in the Amazon EC2 User Guide. InstanceTypes []*InstanceTypeInfo `locationName:"instanceTypeSet" locationNameList:"item" type:"list"` // The token to use to retrieve the next page of results. This value is null @@ -64159,6 +67491,8 @@ type DescribeInstancesInput struct { // // * network-interface.vpc-id - The ID of the VPC for the network interface. // + // * outpost-arn - The Amazon Resource Name (ARN) of the Outpost. + // // * owner-id - The AWS account ID of the instance owner. // // * placement-group-name - The name of the placement group for the instance. @@ -66197,6 +69531,267 @@ func (s *DescribeNetworkAclsOutput) SetNextToken(v string) *DescribeNetworkAclsO return s } +type DescribeNetworkInsightsAnalysesInput struct { + _ struct{} `type:"structure"` + + // The time when the network insights analyses ended. + AnalysisEndTime *time.Time `type:"timestamp"` + + // The time when the network insights analyses started. + AnalysisStartTime *time.Time `type:"timestamp"` + + // Checks whether you have the required permissions for the action, without + // actually making the request, and provides an error response. If you have + // the required permissions, the error response is DryRunOperation. Otherwise, + // it is UnauthorizedOperation. + DryRun *bool `type:"boolean"` + + // The filters. The following are possible values: + // + // * PathFound - A Boolean value that indicates whether a feasible path is + // found. + // + // * Status - The status of the analysis (running | succeeded | failed). + Filters []*Filter `locationName:"Filter" locationNameList:"Filter" type:"list"` + + // The maximum number of results to return with a single call. To retrieve the + // remaining results, make another call with the returned nextToken value. + MaxResults *int64 `min:"1" type:"integer"` + + // The ID of the network insights analyses. You must specify either analysis + // IDs or a path ID. + NetworkInsightsAnalysisIds []*string `locationName:"NetworkInsightsAnalysisId" locationNameList:"item" type:"list"` + + // The ID of the path. You must specify either a path ID or analysis IDs. + NetworkInsightsPathId *string `type:"string"` + + // The token for the next page of results. + NextToken *string `type:"string"` +} + +// String returns the string representation +func (s DescribeNetworkInsightsAnalysesInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DescribeNetworkInsightsAnalysesInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *DescribeNetworkInsightsAnalysesInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "DescribeNetworkInsightsAnalysesInput"} + if s.MaxResults != nil && *s.MaxResults < 1 { + invalidParams.Add(request.NewErrParamMinValue("MaxResults", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetAnalysisEndTime sets the AnalysisEndTime field's value. +func (s *DescribeNetworkInsightsAnalysesInput) SetAnalysisEndTime(v time.Time) *DescribeNetworkInsightsAnalysesInput { + s.AnalysisEndTime = &v + return s +} + +// SetAnalysisStartTime sets the AnalysisStartTime field's value. +func (s *DescribeNetworkInsightsAnalysesInput) SetAnalysisStartTime(v time.Time) *DescribeNetworkInsightsAnalysesInput { + s.AnalysisStartTime = &v + return s +} + +// SetDryRun sets the DryRun field's value. +func (s *DescribeNetworkInsightsAnalysesInput) SetDryRun(v bool) *DescribeNetworkInsightsAnalysesInput { + s.DryRun = &v + return s +} + +// SetFilters sets the Filters field's value. +func (s *DescribeNetworkInsightsAnalysesInput) SetFilters(v []*Filter) *DescribeNetworkInsightsAnalysesInput { + s.Filters = v + return s +} + +// SetMaxResults sets the MaxResults field's value. +func (s *DescribeNetworkInsightsAnalysesInput) SetMaxResults(v int64) *DescribeNetworkInsightsAnalysesInput { + s.MaxResults = &v + return s +} + +// SetNetworkInsightsAnalysisIds sets the NetworkInsightsAnalysisIds field's value. +func (s *DescribeNetworkInsightsAnalysesInput) SetNetworkInsightsAnalysisIds(v []*string) *DescribeNetworkInsightsAnalysesInput { + s.NetworkInsightsAnalysisIds = v + return s +} + +// SetNetworkInsightsPathId sets the NetworkInsightsPathId field's value. +func (s *DescribeNetworkInsightsAnalysesInput) SetNetworkInsightsPathId(v string) *DescribeNetworkInsightsAnalysesInput { + s.NetworkInsightsPathId = &v + return s +} + +// SetNextToken sets the NextToken field's value. +func (s *DescribeNetworkInsightsAnalysesInput) SetNextToken(v string) *DescribeNetworkInsightsAnalysesInput { + s.NextToken = &v + return s +} + +type DescribeNetworkInsightsAnalysesOutput struct { + _ struct{} `type:"structure"` + + // Information about the network insights analyses. + NetworkInsightsAnalyses []*NetworkInsightsAnalysis `locationName:"networkInsightsAnalysisSet" locationNameList:"item" type:"list"` + + // The token to use to retrieve the next page of results. This value is null + // when there are no more results to return. + NextToken *string `locationName:"nextToken" type:"string"` +} + +// String returns the string representation +func (s DescribeNetworkInsightsAnalysesOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DescribeNetworkInsightsAnalysesOutput) GoString() string { + return s.String() +} + +// SetNetworkInsightsAnalyses sets the NetworkInsightsAnalyses field's value. +func (s *DescribeNetworkInsightsAnalysesOutput) SetNetworkInsightsAnalyses(v []*NetworkInsightsAnalysis) *DescribeNetworkInsightsAnalysesOutput { + s.NetworkInsightsAnalyses = v + return s +} + +// SetNextToken sets the NextToken field's value. +func (s *DescribeNetworkInsightsAnalysesOutput) SetNextToken(v string) *DescribeNetworkInsightsAnalysesOutput { + s.NextToken = &v + return s +} + +type DescribeNetworkInsightsPathsInput struct { + _ struct{} `type:"structure"` + + // Checks whether you have the required permissions for the action, without + // actually making the request, and provides an error response. If you have + // the required permissions, the error response is DryRunOperation. Otherwise, + // it is UnauthorizedOperation. + DryRun *bool `type:"boolean"` + + // The filters. The following are possible values: + // + // * Destination - The ID of the resource. + // + // * DestinationPort - The destination port. + // + // * Name - The path name. + // + // * Protocol - The protocol. + // + // * Source - The ID of the resource. + Filters []*Filter `locationName:"Filter" locationNameList:"Filter" type:"list"` + + // The maximum number of results to return with a single call. To retrieve the + // remaining results, make another call with the returned nextToken value. + MaxResults *int64 `min:"1" type:"integer"` + + // The IDs of the paths. + NetworkInsightsPathIds []*string `locationName:"NetworkInsightsPathId" locationNameList:"item" type:"list"` + + // The token for the next page of results. + NextToken *string `type:"string"` +} + +// String returns the string representation +func (s DescribeNetworkInsightsPathsInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DescribeNetworkInsightsPathsInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *DescribeNetworkInsightsPathsInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "DescribeNetworkInsightsPathsInput"} + if s.MaxResults != nil && *s.MaxResults < 1 { + invalidParams.Add(request.NewErrParamMinValue("MaxResults", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetDryRun sets the DryRun field's value. +func (s *DescribeNetworkInsightsPathsInput) SetDryRun(v bool) *DescribeNetworkInsightsPathsInput { + s.DryRun = &v + return s +} + +// SetFilters sets the Filters field's value. +func (s *DescribeNetworkInsightsPathsInput) SetFilters(v []*Filter) *DescribeNetworkInsightsPathsInput { + s.Filters = v + return s +} + +// SetMaxResults sets the MaxResults field's value. +func (s *DescribeNetworkInsightsPathsInput) SetMaxResults(v int64) *DescribeNetworkInsightsPathsInput { + s.MaxResults = &v + return s +} + +// SetNetworkInsightsPathIds sets the NetworkInsightsPathIds field's value. +func (s *DescribeNetworkInsightsPathsInput) SetNetworkInsightsPathIds(v []*string) *DescribeNetworkInsightsPathsInput { + s.NetworkInsightsPathIds = v + return s +} + +// SetNextToken sets the NextToken field's value. +func (s *DescribeNetworkInsightsPathsInput) SetNextToken(v string) *DescribeNetworkInsightsPathsInput { + s.NextToken = &v + return s +} + +type DescribeNetworkInsightsPathsOutput struct { + _ struct{} `type:"structure"` + + // Information about the paths. + NetworkInsightsPaths []*NetworkInsightsPath `locationName:"networkInsightsPathSet" locationNameList:"item" type:"list"` + + // The token to use to retrieve the next page of results. This value is null + // when there are no more results to return. + NextToken *string `locationName:"nextToken" type:"string"` +} + +// String returns the string representation +func (s DescribeNetworkInsightsPathsOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DescribeNetworkInsightsPathsOutput) GoString() string { + return s.String() +} + +// SetNetworkInsightsPaths sets the NetworkInsightsPaths field's value. +func (s *DescribeNetworkInsightsPathsOutput) SetNetworkInsightsPaths(v []*NetworkInsightsPath) *DescribeNetworkInsightsPathsOutput { + s.NetworkInsightsPaths = v + return s +} + +// SetNextToken sets the NextToken field's value. +func (s *DescribeNetworkInsightsPathsOutput) SetNextToken(v string) *DescribeNetworkInsightsPathsOutput { + s.NextToken = &v + return s +} + // Contains the parameters for DescribeNetworkInterfaceAttribute. type DescribeNetworkInterfaceAttributeInput struct { _ struct{} `type:"structure"` @@ -66511,8 +70106,8 @@ type DescribeNetworkInterfacesInput struct { // // * private-dns-name - The private DNS name of the network interface (IPv4). // - // * requester-id - The ID of the entity that launched the instance on your - // behalf (for example, AWS Management Console, Auto Scaling, and so on). + // * requester-id - The alias or AWS account ID of the principal or service + // that created the network interface. // // * requester-managed - Indicates whether the network interface is being // managed by an AWS service (for example, AWS Management Console, Auto Scaling, @@ -67499,8 +71094,8 @@ type DescribeReservedInstancesOfferingsInput struct { InstanceTenancy *string `locationName:"instanceTenancy" type:"string" enum:"Tenancy"` // The instance type that the reservation will cover (for example, m1.small). - // For more information, see Instance Types (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html) - // in the Amazon Elastic Compute Cloud User Guide. + // For more information, see Instance types (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html) + // in the Amazon EC2 User Guide. InstanceType *string `type:"string" enum:"InstanceType"` // The maximum duration (in seconds) to filter when searching for offerings. @@ -68257,7 +71852,7 @@ type DescribeSecurityGroupsInput struct { // been referenced in an outbound security group rule. // // * egress.ip-permission.group-name - The name of a security group that - // has been referenced in an outbound security group rule. + // is referenced in an outbound security group rule. // // * egress.ip-permission.ipv6-cidr - An IPv6 CIDR block for an outbound // security group rule. @@ -68266,7 +71861,7 @@ type DescribeSecurityGroupsInput struct { // a security group rule allows outbound access. // // * egress.ip-permission.protocol - The IP protocol for an outbound security - // group rule (tcp | udp | icmp or a protocol number). + // group rule (tcp | udp | icmp, a protocol number, or -1 for all protocols). // // * egress.ip-permission.to-port - For an outbound rule, the end of port // range for the TCP and UDP protocols, or an ICMP code. @@ -68287,8 +71882,8 @@ type DescribeSecurityGroupsInput struct { // * ip-permission.group-id - The ID of a security group that has been referenced // in an inbound security group rule. // - // * ip-permission.group-name - The name of a security group that has been - // referenced in an inbound security group rule. + // * ip-permission.group-name - The name of a security group that is referenced + // in an inbound security group rule. // // * ip-permission.ipv6-cidr - An IPv6 CIDR block for an inbound security // group rule. @@ -68297,7 +71892,7 @@ type DescribeSecurityGroupsInput struct { // security group rule allows inbound access. // // * ip-permission.protocol - The IP protocol for an inbound security group - // rule (tcp | udp | icmp or a protocol number). + // rule (tcp | udp | icmp, a protocol number, or -1 for all protocols). // // * ip-permission.to-port - For an inbound rule, the end of port range for // the TCP and UDP protocols, or an ICMP code. @@ -68593,7 +72188,7 @@ type DescribeSnapshotsInput struct { // results in a single page along with a NextToken response element. The remaining // results of the initial request can be seen by sending another DescribeSnapshots // request with the returned NextToken value. This value can be between 5 and - // 1000; if MaxResults is given a value larger than 1000, only 1000 results + // 1,000; if MaxResults is given a value larger than 1,000, only 1,000 results // are returned. If this parameter is not used, then DescribeSnapshots returns // all results. You cannot specify this parameter and the snapshot IDs parameter // in the same request. @@ -70240,7 +73835,7 @@ type DescribeTransitGatewayAttachmentsInput struct { // * resource-owner-id - The ID of the AWS account that owns the resource. // // * resource-type - The resource type. Valid values are vpc | vpn | direct-connect-gateway - // | peering. + // | peering | connect. // // * state - The state of the attachment. Valid values are available | deleted // | deleting | failed | failing | initiatingRequest | modifying | pendingAcceptance @@ -70351,6 +73946,244 @@ func (s *DescribeTransitGatewayAttachmentsOutput) SetTransitGatewayAttachments(v return s } +type DescribeTransitGatewayConnectPeersInput struct { + _ struct{} `type:"structure"` + + // Checks whether you have the required permissions for the action, without + // actually making the request, and provides an error response. If you have + // the required permissions, the error response is DryRunOperation. Otherwise, + // it is UnauthorizedOperation. + DryRun *bool `type:"boolean"` + + // One or more filters. The possible values are: + // + // * state - The state of the Connect peer (pending | available | deleting + // | deleted). + // + // * transit-gateway-attachment-id - The ID of the attachment. + // + // * transit-gateway-connect-peer-id - The ID of the Connect peer. + Filters []*Filter `locationName:"Filter" locationNameList:"Filter" type:"list"` + + // The maximum number of results to return with a single call. To retrieve the + // remaining results, make another call with the returned nextToken value. + MaxResults *int64 `min:"5" type:"integer"` + + // The token for the next page of results. + NextToken *string `type:"string"` + + // The IDs of the Connect peers. + TransitGatewayConnectPeerIds []*string `locationNameList:"item" type:"list"` +} + +// String returns the string representation +func (s DescribeTransitGatewayConnectPeersInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DescribeTransitGatewayConnectPeersInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *DescribeTransitGatewayConnectPeersInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "DescribeTransitGatewayConnectPeersInput"} + if s.MaxResults != nil && *s.MaxResults < 5 { + invalidParams.Add(request.NewErrParamMinValue("MaxResults", 5)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetDryRun sets the DryRun field's value. +func (s *DescribeTransitGatewayConnectPeersInput) SetDryRun(v bool) *DescribeTransitGatewayConnectPeersInput { + s.DryRun = &v + return s +} + +// SetFilters sets the Filters field's value. +func (s *DescribeTransitGatewayConnectPeersInput) SetFilters(v []*Filter) *DescribeTransitGatewayConnectPeersInput { + s.Filters = v + return s +} + +// SetMaxResults sets the MaxResults field's value. +func (s *DescribeTransitGatewayConnectPeersInput) SetMaxResults(v int64) *DescribeTransitGatewayConnectPeersInput { + s.MaxResults = &v + return s +} + +// SetNextToken sets the NextToken field's value. +func (s *DescribeTransitGatewayConnectPeersInput) SetNextToken(v string) *DescribeTransitGatewayConnectPeersInput { + s.NextToken = &v + return s +} + +// SetTransitGatewayConnectPeerIds sets the TransitGatewayConnectPeerIds field's value. +func (s *DescribeTransitGatewayConnectPeersInput) SetTransitGatewayConnectPeerIds(v []*string) *DescribeTransitGatewayConnectPeersInput { + s.TransitGatewayConnectPeerIds = v + return s +} + +type DescribeTransitGatewayConnectPeersOutput struct { + _ struct{} `type:"structure"` + + // The token to use to retrieve the next page of results. This value is null + // when there are no more results to return. + NextToken *string `locationName:"nextToken" type:"string"` + + // Information about the Connect peers. + TransitGatewayConnectPeers []*TransitGatewayConnectPeer `locationName:"transitGatewayConnectPeerSet" locationNameList:"item" type:"list"` +} + +// String returns the string representation +func (s DescribeTransitGatewayConnectPeersOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DescribeTransitGatewayConnectPeersOutput) GoString() string { + return s.String() +} + +// SetNextToken sets the NextToken field's value. +func (s *DescribeTransitGatewayConnectPeersOutput) SetNextToken(v string) *DescribeTransitGatewayConnectPeersOutput { + s.NextToken = &v + return s +} + +// SetTransitGatewayConnectPeers sets the TransitGatewayConnectPeers field's value. +func (s *DescribeTransitGatewayConnectPeersOutput) SetTransitGatewayConnectPeers(v []*TransitGatewayConnectPeer) *DescribeTransitGatewayConnectPeersOutput { + s.TransitGatewayConnectPeers = v + return s +} + +type DescribeTransitGatewayConnectsInput struct { + _ struct{} `type:"structure"` + + // Checks whether you have the required permissions for the action, without + // actually making the request, and provides an error response. If you have + // the required permissions, the error response is DryRunOperation. Otherwise, + // it is UnauthorizedOperation. + DryRun *bool `type:"boolean"` + + // One or more filters. The possible values are: + // + // * options.protocol - The tunnel protocol (gre). + // + // * state - The state of the attachment (initiating | initiatingRequest + // | pendingAcceptance | rollingBack | pending | available | modifying | + // deleting | deleted | failed | rejected | rejecting | failing). + // + // * transit-gateway-attachment-id - The ID of the Connect attachment. + // + // * transit-gateway-id - The ID of the transit gateway. + // + // * transport-transit-gateway-attachment-id - The ID of the transit gateway + // attachment from which the Connect attachment was created. + Filters []*Filter `locationName:"Filter" locationNameList:"Filter" type:"list"` + + // The maximum number of results to return with a single call. To retrieve the + // remaining results, make another call with the returned nextToken value. + MaxResults *int64 `min:"5" type:"integer"` + + // The token for the next page of results. + NextToken *string `type:"string"` + + // The IDs of the attachments. + TransitGatewayAttachmentIds []*string `type:"list"` +} + +// String returns the string representation +func (s DescribeTransitGatewayConnectsInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DescribeTransitGatewayConnectsInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *DescribeTransitGatewayConnectsInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "DescribeTransitGatewayConnectsInput"} + if s.MaxResults != nil && *s.MaxResults < 5 { + invalidParams.Add(request.NewErrParamMinValue("MaxResults", 5)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetDryRun sets the DryRun field's value. +func (s *DescribeTransitGatewayConnectsInput) SetDryRun(v bool) *DescribeTransitGatewayConnectsInput { + s.DryRun = &v + return s +} + +// SetFilters sets the Filters field's value. +func (s *DescribeTransitGatewayConnectsInput) SetFilters(v []*Filter) *DescribeTransitGatewayConnectsInput { + s.Filters = v + return s +} + +// SetMaxResults sets the MaxResults field's value. +func (s *DescribeTransitGatewayConnectsInput) SetMaxResults(v int64) *DescribeTransitGatewayConnectsInput { + s.MaxResults = &v + return s +} + +// SetNextToken sets the NextToken field's value. +func (s *DescribeTransitGatewayConnectsInput) SetNextToken(v string) *DescribeTransitGatewayConnectsInput { + s.NextToken = &v + return s +} + +// SetTransitGatewayAttachmentIds sets the TransitGatewayAttachmentIds field's value. +func (s *DescribeTransitGatewayConnectsInput) SetTransitGatewayAttachmentIds(v []*string) *DescribeTransitGatewayConnectsInput { + s.TransitGatewayAttachmentIds = v + return s +} + +type DescribeTransitGatewayConnectsOutput struct { + _ struct{} `type:"structure"` + + // The token to use to retrieve the next page of results. This value is null + // when there are no more results to return. + NextToken *string `locationName:"nextToken" type:"string"` + + // Information about the Connect attachments. + TransitGatewayConnects []*TransitGatewayConnect `locationName:"transitGatewayConnectSet" locationNameList:"item" type:"list"` +} + +// String returns the string representation +func (s DescribeTransitGatewayConnectsOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DescribeTransitGatewayConnectsOutput) GoString() string { + return s.String() +} + +// SetNextToken sets the NextToken field's value. +func (s *DescribeTransitGatewayConnectsOutput) SetNextToken(v string) *DescribeTransitGatewayConnectsOutput { + s.NextToken = &v + return s +} + +// SetTransitGatewayConnects sets the TransitGatewayConnects field's value. +func (s *DescribeTransitGatewayConnectsOutput) SetTransitGatewayConnects(v []*TransitGatewayConnect) *DescribeTransitGatewayConnectsOutput { + s.TransitGatewayConnects = v + return s +} + type DescribeTransitGatewayMulticastDomainsInput struct { _ struct{} `type:"structure"` @@ -71135,8 +74968,8 @@ type DescribeVolumeStatusInput struct { // paginated output. When this parameter is used, the request only returns MaxResults // results in a single page along with a NextToken response element. The remaining // results of the initial request can be seen by sending another request with - // the returned NextToken value. This value can be between 5 and 1000; if MaxResults - // is given a value larger than 1000, only 1000 results are returned. If this + // the returned NextToken value. This value can be between 5 and 1,000; if MaxResults + // is given a value larger than 1,000, only 1,000 results are returned. If this // parameter is not used, then DescribeVolumeStatus returns all results. You // cannot specify this parameter and the volume IDs parameter in the same request. MaxResults *int64 `type:"integer"` @@ -71281,9 +75114,8 @@ type DescribeVolumesInput struct { // // * volume-id - The volume ID. // - // * volume-type - The Amazon EBS volume type. This can be gp2 for General - // Purpose SSD, io1 or io2 for Provisioned IOPS SSD, st1 for Throughput Optimized - // HDD, sc1 for Cold HDD, or standard for Magnetic volumes. + // * volume-type - The Amazon EBS volume type (gp2 | gp3 | io1 | io2 | st1 + // | sc1| standard) Filters []*Filter `locationName:"Filter" locationNameList:"Filter" type:"list"` // The maximum number of volume results returned by DescribeVolumes in paginated @@ -72241,6 +76073,8 @@ type DescribeVpcEndpointServicesInput struct { // // * service-name - The name of the service. // + // * service-type - The type of service (Interface | Gateway). + // // * tag: - The key/value combination of a tag assigned to the resource. // Use the tag key in the filter name and the tag value as the filter value. // For example, to find all resources that have a tag with the key Owner @@ -72371,6 +76205,9 @@ type DescribeVpcEndpointsInput struct { // * vpc-endpoint-state - The state of the endpoint (pendingAcceptance | // pending | available | deleting | deleted | rejected | failed). // + // * vpc-endpoint-type - The type of VPC endpoint (Interface | Gateway | + // GatewayLoadBalancer). + // // * tag: - The key/value combination of a tag assigned to the resource. // Use the tag key in the filter name and the tag value as the filter value. // For example, to find all resources that have a tag with the key Owner @@ -75206,15 +79043,15 @@ type EbsBlockDevice struct { // Indicates whether the EBS volume is deleted on instance termination. For // more information, see Preserving Amazon EBS volumes on instance termination // (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/terminating-instances.html#preserving-volumes-on-termination) - // in the Amazon Elastic Compute Cloud User Guide. + // in the Amazon EC2 User Guide. DeleteOnTermination *bool `locationName:"deleteOnTermination" type:"boolean"` // Indicates whether the encryption state of an EBS volume is changed while // being restored from a backing snapshot. The effect of setting the encryption // state to true depends on the volume origin (new or from a snapshot), starting // encryption state, ownership, and whether encryption by default is enabled. - // For more information, see Amazon EBS Encryption (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-parameters) - // in the Amazon Elastic Compute Cloud User Guide. + // For more information, see Amazon EBS encryption (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-parameters) + // in the Amazon EC2 User Guide. // // In no case can you remove encryption from an encrypted volume. // @@ -75224,22 +79061,25 @@ type EbsBlockDevice struct { // This parameter is not returned by . Encrypted *bool `locationName:"encrypted" type:"boolean"` - // The number of I/O operations per second (IOPS) that the volume supports. - // For io1 and io2 volumes, this represents the number of IOPS that are provisioned - // for the volume. For gp2 volumes, this represents the baseline performance - // of the volume and the rate at which the volume accumulates I/O credits for - // bursting. For more information, see Amazon EBS volume types (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html) - // in the Amazon Elastic Compute Cloud User Guide. + // The number of I/O operations per second (IOPS). For gp3, io1, and io2 volumes, + // this represents the number of IOPS that are provisioned for the volume. For + // gp2 volumes, this represents the baseline performance of the volume and the + // rate at which the volume accumulates I/O credits for bursting. // - // Constraints: Range is 100-16,000 IOPS for gp2 volumes and 100 to 64,000 IOPS - // for io1 and io2 volumes in most Regions. Maximum io1 and io2 IOPS of 64,000 - // is guaranteed only on Nitro-based instances (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances). - // Other instance families guarantee performance up to 32,000 IOPS. For more - // information, see Amazon EBS Volume Types (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html) - // in the Amazon Elastic Compute Cloud User Guide. + // The following are the supported values for each volume type: // - // Condition: This parameter is required for requests to create io1 and io2 - // volumes; it is not used in requests to create gp2, st1, sc1, or standard + // * gp3: 3,000-16,000 IOPS + // + // * io1: 100-64,000 IOPS + // + // * io2: 100-64,000 IOPS + // + // For io1 and io2 volumes, we guarantee 64,000 IOPS only for Instances built + // on the Nitro System (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances). + // Other instance families guarantee performance up to 32,000 IOPS. + // + // This parameter is required for io1 and io2 volumes. The default for gp3 volumes + // is 3,000 IOPS. This parameter is not supported for gp2, st1, sc1, or standard // volumes. Iops *int64 `locationName:"iops" type:"integer"` @@ -75252,26 +79092,38 @@ type EbsBlockDevice struct { // and RequestSpotInstances (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RequestSpotInstances.html). KmsKeyId *string `type:"string"` + // The ARN of the Outpost on which the snapshot is stored. + OutpostArn *string `locationName:"outpostArn" type:"string"` + // The ID of the snapshot. SnapshotId *string `locationName:"snapshotId" type:"string"` - // The size of the volume, in GiB. + // The throughput that the volume supports, in MiB/s. // - // Default: If you're creating the volume from a snapshot and don't specify - // a volume size, the default is the snapshot size. + // This parameter is valid only for gp3 volumes. // - // Constraints: 1-16384 for General Purpose SSD (gp2), 4-16384 for Provisioned - // IOPS SSD (io1 and io2), 500-16384 for Throughput Optimized HDD (st1), 500-16384 - // for Cold HDD (sc1), and 1-1024 for Magnetic (standard) volumes. If you specify - // a snapshot, the volume size must be equal to or larger than the snapshot + // Valid Range: Minimum value of 125. Maximum value of 1000. + Throughput *int64 `locationName:"throughput" type:"integer"` + + // The size of the volume, in GiBs. You must specify either a snapshot ID or + // a volume size. If you specify a snapshot, the default is the snapshot size. + // You can specify a volume size that is equal to or larger than the snapshot // size. + // + // The following are the supported volumes sizes for each volume type: + // + // * gp2 and gp3:1-16,384 + // + // * io1 and io2: 4-16,384 + // + // * st1 and sc1: 125-16,384 + // + // * standard: 1-1,024 VolumeSize *int64 `locationName:"volumeSize" type:"integer"` - // The volume type. If you set the type to io1 or io2, you must also specify - // the Iops parameter. If you set the type to gp2, st1, sc1, or standard, you - // must omit the Iops parameter. - // - // Default: gp2 + // The volume type. For more information, see Amazon EBS volume types (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html) + // in the Amazon EC2 User Guide. If the volume type is io1 or io2, you must + // specify the IOPS that the volume supports. VolumeType *string `locationName:"volumeType" type:"string" enum:"VolumeType"` } @@ -75309,12 +79161,24 @@ func (s *EbsBlockDevice) SetKmsKeyId(v string) *EbsBlockDevice { return s } +// SetOutpostArn sets the OutpostArn field's value. +func (s *EbsBlockDevice) SetOutpostArn(v string) *EbsBlockDevice { + s.OutpostArn = &v + return s +} + // SetSnapshotId sets the SnapshotId field's value. func (s *EbsBlockDevice) SetSnapshotId(v string) *EbsBlockDevice { s.SnapshotId = &v return s } +// SetThroughput sets the Throughput field's value. +func (s *EbsBlockDevice) SetThroughput(v int64) *EbsBlockDevice { + s.Throughput = &v + return s +} + // SetVolumeSize sets the VolumeSize field's value. func (s *EbsBlockDevice) SetVolumeSize(v int64) *EbsBlockDevice { s.VolumeSize = &v @@ -75335,8 +79199,8 @@ type EbsInfo struct { EbsOptimizedInfo *EbsOptimizedInfo `locationName:"ebsOptimizedInfo" type:"structure"` // Indicates whether the instance type is Amazon EBS-optimized. For more information, - // see Amazon EBS-Optimized Instances (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSOptimized.html) - // in Amazon EC2 User Guide for Linux Instances. + // see Amazon EBS-optimized instances (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSOptimized.html) + // in Amazon EC2 User Guide. EbsOptimizedSupport *string `locationName:"ebsOptimizedSupport" type:"string" enum:"EbsOptimizedSupport"` // Indicates whether Amazon EBS encryption is supported. @@ -75540,6 +79404,30 @@ func (s *EbsOptimizedInfo) SetMaximumThroughputInMBps(v float64) *EbsOptimizedIn return s } +// Describes the Elastic Fabric Adapters for the instance type. +type EfaInfo struct { + _ struct{} `type:"structure"` + + // The maximum number of Elastic Fabric Adapters for the instance type. + MaximumEfaInterfaces *int64 `locationName:"maximumEfaInterfaces" type:"integer"` +} + +// String returns the string representation +func (s EfaInfo) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s EfaInfo) GoString() string { + return s.String() +} + +// SetMaximumEfaInterfaces sets the MaximumEfaInterfaces field's value. +func (s *EfaInfo) SetMaximumEfaInterfaces(v int64) *EfaInfo { + s.MaximumEfaInterfaces = &v + return s +} + // Describes an egress-only internet gateway. type EgressOnlyInternetGateway struct { _ struct{} `type:"structure"` @@ -76786,6 +80674,431 @@ func (s *EventInformation) SetInstanceId(v string) *EventInformation { return s } +// Describes an explanation code for an unreachable path. For more information, +// see Reachability Analyzer explanation codes (https://docs.aws.amazon.com/vpc/latest/reachability/explanation-codes.html). +type Explanation struct { + _ struct{} `type:"structure"` + + // The network ACL. + Acl *AnalysisComponent `locationName:"acl" type:"structure"` + + // The network ACL rule. + AclRule *AnalysisAclRule `locationName:"aclRule" type:"structure"` + + // The IPv4 address, in CIDR notation. + Address *string `locationName:"address" type:"string"` + + // The IPv4 addresses, in CIDR notation. + Addresses []*string `locationName:"addressSet" locationNameList:"item" type:"list"` + + // The resource to which the component is attached. + AttachedTo *AnalysisComponent `locationName:"attachedTo" type:"structure"` + + // The Availability Zones. + AvailabilityZones []*string `locationName:"availabilityZoneSet" locationNameList:"item" type:"list"` + + // The CIDR ranges. + Cidrs []*string `locationName:"cidrSet" locationNameList:"item" type:"list"` + + // The listener for a Classic Load Balancer. + ClassicLoadBalancerListener *AnalysisLoadBalancerListener `locationName:"classicLoadBalancerListener" type:"structure"` + + // The component. + Component *AnalysisComponent `locationName:"component" type:"structure"` + + // The customer gateway. + CustomerGateway *AnalysisComponent `locationName:"customerGateway" type:"structure"` + + // The destination. + Destination *AnalysisComponent `locationName:"destination" type:"structure"` + + // The destination VPC. + DestinationVpc *AnalysisComponent `locationName:"destinationVpc" type:"structure"` + + // The direction. The following are possible values: + // + // * egress + // + // * ingress + Direction *string `locationName:"direction" type:"string"` + + // The load balancer listener. + ElasticLoadBalancerListener *AnalysisComponent `locationName:"elasticLoadBalancerListener" type:"structure"` + + // The explanation code. + ExplanationCode *string `locationName:"explanationCode" type:"string"` + + // The route table. + IngressRouteTable *AnalysisComponent `locationName:"ingressRouteTable" type:"structure"` + + // The internet gateway. + InternetGateway *AnalysisComponent `locationName:"internetGateway" type:"structure"` + + // The Amazon Resource Name (ARN) of the load balancer. + LoadBalancerArn *string `locationName:"loadBalancerArn" min:"1" type:"string"` + + // The listener port of the load balancer. + LoadBalancerListenerPort *int64 `locationName:"loadBalancerListenerPort" min:"1" type:"integer"` + + // The target. + LoadBalancerTarget *AnalysisLoadBalancerTarget `locationName:"loadBalancerTarget" type:"structure"` + + // The target group. + LoadBalancerTargetGroup *AnalysisComponent `locationName:"loadBalancerTargetGroup" type:"structure"` + + // The target groups. + LoadBalancerTargetGroups []*AnalysisComponent `locationName:"loadBalancerTargetGroupSet" locationNameList:"item" type:"list"` + + // The target port. + LoadBalancerTargetPort *int64 `locationName:"loadBalancerTargetPort" min:"1" type:"integer"` + + // The missing component. + MissingComponent *string `locationName:"missingComponent" type:"string"` + + // The NAT gateway. + NatGateway *AnalysisComponent `locationName:"natGateway" type:"structure"` + + // The network interface. + NetworkInterface *AnalysisComponent `locationName:"networkInterface" type:"structure"` + + // The packet field. + PacketField *string `locationName:"packetField" type:"string"` + + // The port. + Port *int64 `locationName:"port" min:"1" type:"integer"` + + // The port ranges. + PortRanges []*PortRange `locationName:"portRangeSet" locationNameList:"item" type:"list"` + + // The prefix list. + PrefixList *AnalysisComponent `locationName:"prefixList" type:"structure"` + + // The protocols. + Protocols []*string `locationName:"protocolSet" locationNameList:"item" type:"list"` + + // The route table. + RouteTable *AnalysisComponent `locationName:"routeTable" type:"structure"` + + // The route table route. + RouteTableRoute *AnalysisRouteTableRoute `locationName:"routeTableRoute" type:"structure"` + + // The security group. + SecurityGroup *AnalysisComponent `locationName:"securityGroup" type:"structure"` + + // The security group rule. + SecurityGroupRule *AnalysisSecurityGroupRule `locationName:"securityGroupRule" type:"structure"` + + // The security groups. + SecurityGroups []*AnalysisComponent `locationName:"securityGroupSet" locationNameList:"item" type:"list"` + + // The source VPC. + SourceVpc *AnalysisComponent `locationName:"sourceVpc" type:"structure"` + + // The state. + State *string `locationName:"state" type:"string"` + + // The subnet. + Subnet *AnalysisComponent `locationName:"subnet" type:"structure"` + + // The route table for the subnet. + SubnetRouteTable *AnalysisComponent `locationName:"subnetRouteTable" type:"structure"` + + // The component VPC. + Vpc *AnalysisComponent `locationName:"vpc" type:"structure"` + + // The VPC endpoint. + VpcEndpoint *AnalysisComponent `locationName:"vpcEndpoint" type:"structure"` + + // The VPC peering connection. + VpcPeeringConnection *AnalysisComponent `locationName:"vpcPeeringConnection" type:"structure"` + + // The VPN connection. + VpnConnection *AnalysisComponent `locationName:"vpnConnection" type:"structure"` + + // The VPN gateway. + VpnGateway *AnalysisComponent `locationName:"vpnGateway" type:"structure"` +} + +// String returns the string representation +func (s Explanation) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s Explanation) GoString() string { + return s.String() +} + +// SetAcl sets the Acl field's value. +func (s *Explanation) SetAcl(v *AnalysisComponent) *Explanation { + s.Acl = v + return s +} + +// SetAclRule sets the AclRule field's value. +func (s *Explanation) SetAclRule(v *AnalysisAclRule) *Explanation { + s.AclRule = v + return s +} + +// SetAddress sets the Address field's value. +func (s *Explanation) SetAddress(v string) *Explanation { + s.Address = &v + return s +} + +// SetAddresses sets the Addresses field's value. +func (s *Explanation) SetAddresses(v []*string) *Explanation { + s.Addresses = v + return s +} + +// SetAttachedTo sets the AttachedTo field's value. +func (s *Explanation) SetAttachedTo(v *AnalysisComponent) *Explanation { + s.AttachedTo = v + return s +} + +// SetAvailabilityZones sets the AvailabilityZones field's value. +func (s *Explanation) SetAvailabilityZones(v []*string) *Explanation { + s.AvailabilityZones = v + return s +} + +// SetCidrs sets the Cidrs field's value. +func (s *Explanation) SetCidrs(v []*string) *Explanation { + s.Cidrs = v + return s +} + +// SetClassicLoadBalancerListener sets the ClassicLoadBalancerListener field's value. +func (s *Explanation) SetClassicLoadBalancerListener(v *AnalysisLoadBalancerListener) *Explanation { + s.ClassicLoadBalancerListener = v + return s +} + +// SetComponent sets the Component field's value. +func (s *Explanation) SetComponent(v *AnalysisComponent) *Explanation { + s.Component = v + return s +} + +// SetCustomerGateway sets the CustomerGateway field's value. +func (s *Explanation) SetCustomerGateway(v *AnalysisComponent) *Explanation { + s.CustomerGateway = v + return s +} + +// SetDestination sets the Destination field's value. +func (s *Explanation) SetDestination(v *AnalysisComponent) *Explanation { + s.Destination = v + return s +} + +// SetDestinationVpc sets the DestinationVpc field's value. +func (s *Explanation) SetDestinationVpc(v *AnalysisComponent) *Explanation { + s.DestinationVpc = v + return s +} + +// SetDirection sets the Direction field's value. +func (s *Explanation) SetDirection(v string) *Explanation { + s.Direction = &v + return s +} + +// SetElasticLoadBalancerListener sets the ElasticLoadBalancerListener field's value. +func (s *Explanation) SetElasticLoadBalancerListener(v *AnalysisComponent) *Explanation { + s.ElasticLoadBalancerListener = v + return s +} + +// SetExplanationCode sets the ExplanationCode field's value. +func (s *Explanation) SetExplanationCode(v string) *Explanation { + s.ExplanationCode = &v + return s +} + +// SetIngressRouteTable sets the IngressRouteTable field's value. +func (s *Explanation) SetIngressRouteTable(v *AnalysisComponent) *Explanation { + s.IngressRouteTable = v + return s +} + +// SetInternetGateway sets the InternetGateway field's value. +func (s *Explanation) SetInternetGateway(v *AnalysisComponent) *Explanation { + s.InternetGateway = v + return s +} + +// SetLoadBalancerArn sets the LoadBalancerArn field's value. +func (s *Explanation) SetLoadBalancerArn(v string) *Explanation { + s.LoadBalancerArn = &v + return s +} + +// SetLoadBalancerListenerPort sets the LoadBalancerListenerPort field's value. +func (s *Explanation) SetLoadBalancerListenerPort(v int64) *Explanation { + s.LoadBalancerListenerPort = &v + return s +} + +// SetLoadBalancerTarget sets the LoadBalancerTarget field's value. +func (s *Explanation) SetLoadBalancerTarget(v *AnalysisLoadBalancerTarget) *Explanation { + s.LoadBalancerTarget = v + return s +} + +// SetLoadBalancerTargetGroup sets the LoadBalancerTargetGroup field's value. +func (s *Explanation) SetLoadBalancerTargetGroup(v *AnalysisComponent) *Explanation { + s.LoadBalancerTargetGroup = v + return s +} + +// SetLoadBalancerTargetGroups sets the LoadBalancerTargetGroups field's value. +func (s *Explanation) SetLoadBalancerTargetGroups(v []*AnalysisComponent) *Explanation { + s.LoadBalancerTargetGroups = v + return s +} + +// SetLoadBalancerTargetPort sets the LoadBalancerTargetPort field's value. +func (s *Explanation) SetLoadBalancerTargetPort(v int64) *Explanation { + s.LoadBalancerTargetPort = &v + return s +} + +// SetMissingComponent sets the MissingComponent field's value. +func (s *Explanation) SetMissingComponent(v string) *Explanation { + s.MissingComponent = &v + return s +} + +// SetNatGateway sets the NatGateway field's value. +func (s *Explanation) SetNatGateway(v *AnalysisComponent) *Explanation { + s.NatGateway = v + return s +} + +// SetNetworkInterface sets the NetworkInterface field's value. +func (s *Explanation) SetNetworkInterface(v *AnalysisComponent) *Explanation { + s.NetworkInterface = v + return s +} + +// SetPacketField sets the PacketField field's value. +func (s *Explanation) SetPacketField(v string) *Explanation { + s.PacketField = &v + return s +} + +// SetPort sets the Port field's value. +func (s *Explanation) SetPort(v int64) *Explanation { + s.Port = &v + return s +} + +// SetPortRanges sets the PortRanges field's value. +func (s *Explanation) SetPortRanges(v []*PortRange) *Explanation { + s.PortRanges = v + return s +} + +// SetPrefixList sets the PrefixList field's value. +func (s *Explanation) SetPrefixList(v *AnalysisComponent) *Explanation { + s.PrefixList = v + return s +} + +// SetProtocols sets the Protocols field's value. +func (s *Explanation) SetProtocols(v []*string) *Explanation { + s.Protocols = v + return s +} + +// SetRouteTable sets the RouteTable field's value. +func (s *Explanation) SetRouteTable(v *AnalysisComponent) *Explanation { + s.RouteTable = v + return s +} + +// SetRouteTableRoute sets the RouteTableRoute field's value. +func (s *Explanation) SetRouteTableRoute(v *AnalysisRouteTableRoute) *Explanation { + s.RouteTableRoute = v + return s +} + +// SetSecurityGroup sets the SecurityGroup field's value. +func (s *Explanation) SetSecurityGroup(v *AnalysisComponent) *Explanation { + s.SecurityGroup = v + return s +} + +// SetSecurityGroupRule sets the SecurityGroupRule field's value. +func (s *Explanation) SetSecurityGroupRule(v *AnalysisSecurityGroupRule) *Explanation { + s.SecurityGroupRule = v + return s +} + +// SetSecurityGroups sets the SecurityGroups field's value. +func (s *Explanation) SetSecurityGroups(v []*AnalysisComponent) *Explanation { + s.SecurityGroups = v + return s +} + +// SetSourceVpc sets the SourceVpc field's value. +func (s *Explanation) SetSourceVpc(v *AnalysisComponent) *Explanation { + s.SourceVpc = v + return s +} + +// SetState sets the State field's value. +func (s *Explanation) SetState(v string) *Explanation { + s.State = &v + return s +} + +// SetSubnet sets the Subnet field's value. +func (s *Explanation) SetSubnet(v *AnalysisComponent) *Explanation { + s.Subnet = v + return s +} + +// SetSubnetRouteTable sets the SubnetRouteTable field's value. +func (s *Explanation) SetSubnetRouteTable(v *AnalysisComponent) *Explanation { + s.SubnetRouteTable = v + return s +} + +// SetVpc sets the Vpc field's value. +func (s *Explanation) SetVpc(v *AnalysisComponent) *Explanation { + s.Vpc = v + return s +} + +// SetVpcEndpoint sets the VpcEndpoint field's value. +func (s *Explanation) SetVpcEndpoint(v *AnalysisComponent) *Explanation { + s.VpcEndpoint = v + return s +} + +// SetVpcPeeringConnection sets the VpcPeeringConnection field's value. +func (s *Explanation) SetVpcPeeringConnection(v *AnalysisComponent) *Explanation { + s.VpcPeeringConnection = v + return s +} + +// SetVpnConnection sets the VpnConnection field's value. +func (s *Explanation) SetVpnConnection(v *AnalysisComponent) *Explanation { + s.VpnConnection = v + return s +} + +// SetVpnGateway sets the VpnGateway field's value. +func (s *Explanation) SetVpnGateway(v *AnalysisComponent) *Explanation { + s.VpnGateway = v + return s +} + type ExportClientVpnClientCertificateRevocationListInput struct { _ struct{} `type:"structure"` @@ -76977,7 +81290,7 @@ type ExportImageInput struct { // S3ExportLocation is a required field S3ExportLocation *ExportTaskS3LocationRequest `type:"structure" required:"true"` - // The tags to apply to the image being exported. + // The tags to apply to the export image task during creation. TagSpecifications []*TagSpecification `locationName:"TagSpecification" locationNameList:"item" type:"list"` } @@ -77095,7 +81408,7 @@ type ExportImageOutput struct { // The status message for the export image task. StatusMessage *string `locationName:"statusMessage" type:"string"` - // Any tags assigned to the image being exported. + // Any tags assigned to the export image task. Tags []*Tag `locationName:"tagSet" locationNameList:"item" type:"list"` } @@ -77195,7 +81508,7 @@ type ExportImageTask struct { // The status message for the export image task. StatusMessage *string `locationName:"statusMessage" type:"string"` - // Any tags assigned to the image being exported. + // Any tags assigned to the export image task. Tags []*Tag `locationName:"tagSet" locationNameList:"item" type:"list"` } @@ -77257,7 +81570,7 @@ func (s *ExportImageTask) SetTags(v []*Tag) *ExportImageTask { return s } -// Describes an instance export task. +// Describes an export instance task. type ExportTask struct { _ struct{} `type:"structure"` @@ -77416,7 +81729,7 @@ func (s *ExportTaskS3LocationRequest) SetS3Prefix(v string) *ExportTaskS3Locatio return s } -// Describes the format and location for an instance export task. +// Describes the format and location for the export task. type ExportToS3Task struct { _ struct{} `type:"structure"` @@ -77469,7 +81782,7 @@ func (s *ExportToS3Task) SetS3Key(v string) *ExportToS3Task { return s } -// Describes an instance export task. +// Describes an export instance task. type ExportToS3TaskSpecification struct { _ struct{} `type:"structure"` @@ -77746,29 +82059,7 @@ func (s *FederatedAuthenticationRequest) SetSelfServiceSAMLProviderArn(v string) // A filter name and value pair that is used to return a more specific list // of results from a describe operation. Filters can be used to match a set -// of resources by specific criteria, such as tags, attributes, or IDs. The -// filters supported by a describe operation are documented with the describe -// operation. For example: -// -// * DescribeAvailabilityZones -// -// * DescribeImages -// -// * DescribeInstances -// -// * DescribeKeyPairs -// -// * DescribeSecurityGroups -// -// * DescribeSnapshots -// -// * DescribeSubnets -// -// * DescribeTags -// -// * DescribeVolumes -// -// * DescribeVpcs +// of resources by specific criteria, such as tags, attributes, or IDs. type Filter struct { _ struct{} `type:"structure"` @@ -77853,7 +82144,10 @@ type FleetData struct { // The allocation strategy of On-Demand Instances in an EC2 Fleet. OnDemandOptions *OnDemandOptions `locationName:"onDemandOptions" type:"structure"` - // Indicates whether EC2 Fleet should replace unhealthy instances. + // Indicates whether EC2 Fleet should replace unhealthy Spot Instances. Supported + // only for fleets of type maintain. For more information, see EC2 Fleet health + // checks (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/manage-ec2-fleet.html#ec2-fleet-health-checks) + // in the Amazon EC2 User Guide. ReplaceUnhealthyInstances *bool `locationName:"replaceUnhealthyInstances" type:"boolean"` // The configuration of Spot Instances in an EC2 Fleet. @@ -78067,6 +82361,9 @@ type FleetLaunchTemplateConfigRequest struct { // Any parameters that you specify override the same parameters in the launch // template. + // + // For fleets of type request and maintain, a maximum of 300 items is allowed + // across all launch templates. Overrides []*FleetLaunchTemplateOverridesRequest `locationNameList:"item" type:"list"` } @@ -78123,12 +82420,21 @@ type FleetLaunchTemplateOverrides struct { // The location where the instance launched, if applicable. Placement *PlacementResponse `locationName:"placement" type:"structure"` - // The priority for the launch template override. If AllocationStrategy is set - // to prioritized, EC2 Fleet uses priority to determine which launch template - // override to use first in fulfilling On-Demand capacity. The highest priority - // is launched first. Valid values are whole numbers starting at 0. The lower - // the number, the higher the priority. If no number is set, the override has - // the lowest priority. + // The priority for the launch template override. The highest priority is launched + // first. + // + // If the On-Demand AllocationStrategy is set to prioritized, EC2 Fleet uses + // priority to determine which launch template override to use first in fulfilling + // On-Demand capacity. + // + // If the Spot AllocationStrategy is set to capacity-optimized-prioritized, + // EC2 Fleet uses priority on a best-effort basis to determine which launch + // template override to use first in fulfilling Spot capacity, but optimizes + // for capacity first. + // + // Valid values are whole numbers starting at 0. The lower the number, the higher + // the priority. If no number is set, the override has the lowest priority. + // You can set the same priority for different launch template overrides. Priority *float64 `locationName:"priority" type:"double"` // The ID of the subnet in which to launch the instances. @@ -78206,12 +82512,21 @@ type FleetLaunchTemplateOverridesRequest struct { // The location where the instance launched, if applicable. Placement *Placement `type:"structure"` - // The priority for the launch template override. If AllocationStrategy is set - // to prioritized, EC2 Fleet uses priority to determine which launch template - // override to use first in fulfilling On-Demand capacity. The highest priority - // is launched first. Valid values are whole numbers starting at 0. The lower - // the number, the higher the priority. If no number is set, the launch template - // override has the lowest priority. + // The priority for the launch template override. The highest priority is launched + // first. + // + // If the On-Demand AllocationStrategy is set to prioritized, EC2 Fleet uses + // priority to determine which launch template override to use first in fulfilling + // On-Demand capacity. + // + // If the Spot AllocationStrategy is set to capacity-optimized-prioritized, + // EC2 Fleet uses priority on a best-effort basis to determine which launch + // template override to use first in fulfilling Spot capacity, but optimizes + // for capacity first. + // + // Valid values are whole numbers starting at 0. The lower the number, the higher + // the priority. If no number is set, the launch template override has the lowest + // priority. You can set the same priority for different launch template overrides. Priority *float64 `type:"double"` // The IDs of the subnets in which to launch the instances. Separate multiple @@ -78347,7 +82662,7 @@ func (s *FleetLaunchTemplateSpecification) SetVersion(v string) *FleetLaunchTemp // that can be used by an EC2 Fleet to configure Amazon EC2 instances. For information // about launch templates, see Launching an instance from a launch template // (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html) -// in the Amazon Elastic Compute Cloud User Guide. +// in the Amazon EC2 User Guide. type FleetLaunchTemplateSpecificationRequest struct { _ struct{} `type:"structure"` @@ -78421,9 +82736,8 @@ type FleetSpotCapacityRebalance struct { // specify launch. Only available for fleets of type maintain. // // When a replacement instance is launched, the instance marked for rebalance - // is not automatically terminated. You can terminate it, or you can wait until - // Amazon EC2 interrupts it. You are charged for both instances while they are - // running. + // is not automatically terminated. You can terminate it, or you can leave it + // running. You are charged for both instances while they are running. ReplacementStrategy *string `locationName:"replacementStrategy" type:"string" enum:"FleetReplacementStrategy"` } @@ -78446,7 +82760,7 @@ func (s *FleetSpotCapacityRebalance) SetReplacementStrategy(v string) *FleetSpot // The Spot Instance replacement strategy to use when Amazon EC2 emits a signal // that your Spot Instance is at an elevated risk of being interrupted. For // more information, see Capacity rebalancing (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet-configuration-strategies.html#ec2-fleet-capacity-rebalance) -// in the Amazon Elastic Compute Cloud User Guide. +// in the Amazon EC2 User Guide. type FleetSpotCapacityRebalanceRequest struct { _ struct{} `type:"structure"` @@ -78457,9 +82771,8 @@ type FleetSpotCapacityRebalanceRequest struct { // specify launch. You must specify a value, otherwise you get an error. // // When a replacement instance is launched, the instance marked for rebalance - // is not automatically terminated. You can terminate it, or you can wait until - // Amazon EC2 interrupts it. You are charged for all instances while they are - // running. + // is not automatically terminated. You can terminate it, or you can leave it + // running. You are charged for all instances while they are running. ReplacementStrategy *string `type:"string" enum:"FleetReplacementStrategy"` } @@ -79333,8 +83646,8 @@ type GetCapacityReservationUsageOutput struct { // and time specified in your request. The reserved capacity is no longer // available for your use. // - // * cancelled - The Capacity Reservation was manually cancelled. The reserved - // capacity is no longer available for your use. + // * cancelled - The Capacity Reservation was cancelled. The reserved capacity + // is no longer available for your use. // // * pending - The Capacity Reservation request was successful but the capacity // provisioning is still pending. @@ -81042,7 +85355,7 @@ type GetTransitGatewayRouteTableAssociationsInput struct { // * resource-id - The ID of the resource. // // * resource-type - The resource type. Valid values are vpc | vpn | direct-connect-gateway - // | peering. + // | peering | connect. // // * transit-gateway-attachment-id - The ID of the attachment. Filters []*Filter `locationName:"Filter" locationNameList:"Filter" type:"list"` @@ -81163,7 +85476,7 @@ type GetTransitGatewayRouteTablePropagationsInput struct { // * resource-id - The ID of the resource. // // * resource-type - The resource type. Valid values are vpc | vpn | direct-connect-gateway - // | peering. + // | peering | connect. // // * transit-gateway-attachment-id - The ID of the attachment. Filters []*Filter `locationName:"Filter" locationNameList:"Filter" type:"list"` @@ -81415,7 +85728,7 @@ func (s *GroupIdentifier) SetGroupName(v string) *GroupIdentifier { // Indicates whether your instance is configured for hibernation. This parameter // is valid only if the instance meets the hibernation prerequisites (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Hibernate.html#hibernating-prerequisites). // For more information, see Hibernate your instance (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Hibernate.html) -// in the Amazon Elastic Compute Cloud User Guide. +// in the Amazon EC2 User Guide. type HibernationOptions struct { _ struct{} `type:"structure"` @@ -81443,7 +85756,7 @@ func (s *HibernationOptions) SetConfigured(v bool) *HibernationOptions { // Indicates whether your instance is configured for hibernation. This parameter // is valid only if the instance meets the hibernation prerequisites (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Hibernate.html#hibernating-prerequisites). // For more information, see Hibernate your instance (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Hibernate.html) -// in the Amazon Elastic Compute Cloud User Guide. +// in the Amazon EC2 User Guide. type HibernationOptionsRequest struct { _ struct{} `type:"structure"` @@ -81570,10 +85883,9 @@ type Host struct { AllocationTime *time.Time `locationName:"allocationTime" type:"timestamp"` // Indicates whether the Dedicated Host supports multiple instance types of - // the same instance family, or a specific instance type only. one indicates - // that the Dedicated Host supports multiple instance types in the instance - // family. off indicates that the Dedicated Host supports a single instance - // type only. + // the same instance family. If the value is on, the Dedicated Host supports + // multiple instance types in the instance family. If the value is off, the + // Dedicated Host supports a single instance type only. AllowsMultipleInstanceTypes *string `locationName:"allowsMultipleInstanceTypes" type:"string" enum:"AllowsMultipleInstanceTypes"` // Whether auto-placement is on or off. @@ -81589,7 +85901,7 @@ type Host struct { AvailableCapacity *AvailableCapacity `locationName:"availableCapacity" type:"structure"` // Unique, case-sensitive identifier that you provide to ensure the idempotency - // of the request. For more information, see How to Ensure Idempotency (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html). + // of the request. For more information, see Ensuring Idempotency (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html). ClientToken *string `locationName:"clientToken" type:"string"` // The ID of the Dedicated Host. @@ -82326,6 +86638,10 @@ type Image struct { // Any block device mapping entries. BlockDeviceMappings []*BlockDeviceMapping `locationName:"blockDeviceMapping" locationNameList:"item" type:"list"` + // The boot mode of the image. For more information, see Boot modes (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-boot.html) + // in the Amazon Elastic Compute Cloud User Guide. + BootMode *string `locationName:"bootMode" type:"string" enum:"BootModeValues"` + // The date and time the image was created. CreationDate *string `locationName:"creationDate" type:"string"` @@ -82436,6 +86752,12 @@ func (s *Image) SetBlockDeviceMappings(v []*BlockDeviceMapping) *Image { return s } +// SetBootMode sets the BootMode field's value. +func (s *Image) SetBootMode(v string) *Image { + s.BootMode = &v + return s +} + // SetCreationDate sets the CreationDate field's value. func (s *Image) SetCreationDate(v string) *Image { s.CreationDate = &v @@ -82592,7 +86914,7 @@ type ImageDiskContainer struct { // The format of the disk image being imported. // - // Valid values: OVA | VHD | VHDX |VMDK + // Valid values: OVA | VHD | VHDX | VMDK | RAW Format *string `type:"string"` // The ID of the EBS snapshot to be used for importing the snapshot. @@ -82835,7 +87157,7 @@ type ImportImageInput struct { // The name of the role to use when not using the default role, 'vmimport'. RoleName *string `type:"string"` - // The tags to apply to the image being imported. + // The tags to apply to the import image task during creation. TagSpecifications []*TagSpecification `locationName:"TagSpecification" locationNameList:"item" type:"list"` } @@ -83027,7 +87349,7 @@ type ImportImageOutput struct { // A detailed status message of the import task. StatusMessage *string `locationName:"statusMessage" type:"string"` - // Any tags assigned to the image being imported. + // Any tags assigned to the import image task. Tags []*Tag `locationName:"tagSet" locationNameList:"item" type:"list"` } @@ -83832,7 +88154,7 @@ type ImportSnapshotInput struct { // The name of the role to use when not using the default role, 'vmimport'. RoleName *string `type:"string"` - // The tags to apply to the snapshot being imported. + // The tags to apply to the import snapshot task during creation. TagSpecifications []*TagSpecification `locationName:"TagSpecification" locationNameList:"item" type:"list"` } @@ -83912,7 +88234,7 @@ type ImportSnapshotOutput struct { // Information about the import snapshot task. SnapshotTaskDetail *SnapshotTaskDetail `locationName:"snapshotTaskDetail" type:"structure"` - // Any tags assigned to the snapshot being imported. + // Any tags assigned to the import snapshot task. Tags []*Tag `locationName:"tagSet" locationNameList:"item" type:"list"` } @@ -84261,6 +88583,10 @@ type Instance struct { // Any block device mapping entries for the instance. BlockDeviceMappings []*InstanceBlockDeviceMapping `locationName:"blockDeviceMapping" locationNameList:"item" type:"list"` + // The boot mode of the instance. For more information, see Boot modes (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-boot.html) + // in the Amazon EC2 User Guide. + BootMode *string `locationName:"bootMode" type:"string" enum:"BootModeValues"` + // The ID of the Capacity Reservation. CapacityReservationId *string `locationName:"capacityReservationId" type:"string"` @@ -84386,12 +88712,7 @@ type Instance struct { // The security groups for the instance. SecurityGroups []*GroupIdentifier `locationName:"groupSet" locationNameList:"item" type:"list"` - // Specifies whether to enable an instance launched in a VPC to perform NAT. - // This controls whether source/destination checking is enabled on the instance. - // A value of true means that checking is enabled, and false means that checking - // is disabled. The value must be false for the instance to perform NAT. For - // more information, see NAT Instances (https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html) - // in the Amazon Virtual Private Cloud User Guide. + // Indicates whether source/destination checking is enabled. SourceDestCheck *bool `locationName:"sourceDestCheck" type:"boolean"` // If the request is a Spot Instance request, the ID of the request. @@ -84451,6 +88772,12 @@ func (s *Instance) SetBlockDeviceMappings(v []*InstanceBlockDeviceMapping) *Inst return s } +// SetBootMode sets the BootMode field's value. +func (s *Instance) SetBootMode(v string) *Instance { + s.BootMode = &v + return s +} + // SetCapacityReservationId sets the CapacityReservationId field's value. func (s *Instance) SetCapacityReservationId(v string) *Instance { s.CapacityReservationId = &v @@ -86295,8 +90622,8 @@ type InstanceTypeInfo struct { // Indicates whether instance storage is supported. InstanceStorageSupported *bool `locationName:"instanceStorageSupported" type:"boolean"` - // The instance type. For more information, see Instance Types (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html) - // in the Amazon Elastic Compute Cloud User Guide. + // The instance type. For more information, see Instance types (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html) + // in the Amazon EC2 User Guide. InstanceType *string `locationName:"instanceType" type:"string" enum:"InstanceType"` // Describes the memory for the instance type. @@ -86311,6 +90638,10 @@ type InstanceTypeInfo struct { // Describes the processor. ProcessorInfo *ProcessorInfo `locationName:"processorInfo" type:"structure"` + // The supported boot modes. For more information, see Boot modes (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-boot.html) + // in the Amazon EC2 User Guide. + SupportedBootModes []*string `locationName:"supportedBootModes" locationNameList:"item" type:"list"` + // The supported root device types. SupportedRootDeviceTypes []*string `locationName:"supportedRootDeviceTypes" locationNameList:"item" type:"list"` @@ -86448,6 +90779,12 @@ func (s *InstanceTypeInfo) SetProcessorInfo(v *ProcessorInfo) *InstanceTypeInfo return s } +// SetSupportedBootModes sets the SupportedBootModes field's value. +func (s *InstanceTypeInfo) SetSupportedBootModes(v []*string) *InstanceTypeInfo { + s.SupportedBootModes = v + return s +} + // SetSupportedRootDeviceTypes sets the SupportedRootDeviceTypes field's value. func (s *InstanceTypeInfo) SetSupportedRootDeviceTypes(v []*string) *InstanceTypeInfo { s.SupportedRootDeviceTypes = v @@ -86476,8 +90813,8 @@ func (s *InstanceTypeInfo) SetVCpuInfo(v *VCpuInfo) *InstanceTypeInfo { type InstanceTypeOffering struct { _ struct{} `type:"structure"` - // The instance type. For more information, see Instance Types (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html) - // in the Amazon Elastic Compute Cloud User Guide. + // The instance type. For more information, see Instance types (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html) + // in the Amazon EC2 User Guide. InstanceType *string `locationName:"instanceType" type:"string" enum:"InstanceType"` // The identifier for the location. This depends on the location type. For example, @@ -87005,6 +91342,8 @@ type LaunchPermission struct { Group *string `locationName:"group" type:"string" enum:"PermissionGroup"` // The AWS account ID. + // + // Constraints: Up to 10 000 account IDs can be specified in a single request. UserId *string `locationName:"userId" type:"string"` } @@ -87345,8 +91684,7 @@ type LaunchTemplateBlockDeviceMapping struct { // Information about the block device for an EBS volume. Ebs *LaunchTemplateEbsBlockDevice `locationName:"ebs" type:"structure"` - // Suppresses the specified device included in the block device mapping of the - // AMI. + // To omit the device from the block device mapping, specify an empty string. NoDevice *string `locationName:"noDevice" type:"string"` // The virtual device name (ephemeralN). @@ -87398,8 +91736,7 @@ type LaunchTemplateBlockDeviceMappingRequest struct { // launched. Ebs *LaunchTemplateEbsBlockDeviceRequest `type:"structure"` - // Suppresses the specified device included in the block device mapping of the - // AMI. + // To omit the device from the block device mapping, specify an empty string. NoDevice *string `type:"string"` // The virtual device name (ephemeralN). Instance store volumes are numbered @@ -87667,6 +92004,9 @@ type LaunchTemplateEbsBlockDevice struct { // The ID of the snapshot. SnapshotId *string `locationName:"snapshotId" type:"string"` + // The throughput that the volume supports, in MiB/s. + Throughput *int64 `locationName:"throughput" type:"integer"` + // The size of the volume, in GiB. VolumeSize *int64 `locationName:"volumeSize" type:"integer"` @@ -87714,6 +92054,12 @@ func (s *LaunchTemplateEbsBlockDevice) SetSnapshotId(v string) *LaunchTemplateEb return s } +// SetThroughput sets the Throughput field's value. +func (s *LaunchTemplateEbsBlockDevice) SetThroughput(v int64) *LaunchTemplateEbsBlockDevice { + s.Throughput = &v + return s +} + // SetVolumeSize sets the VolumeSize field's value. func (s *LaunchTemplateEbsBlockDevice) SetVolumeSize(v int64) *LaunchTemplateEbsBlockDevice { s.VolumeSize = &v @@ -87738,15 +92084,25 @@ type LaunchTemplateEbsBlockDeviceRequest struct { // a volume from a snapshot, you can't specify an encryption value. Encrypted *bool `type:"boolean"` - // The number of I/O operations per second (IOPS) to provision for an io1 or - // io2 volume, with a maximum ratio of 50 IOPS/GiB for io1, and 500 IOPS/GiB - // for io2. Range is 100 to 64,000 IOPS for volumes in most Regions. Maximum - // IOPS of 64,000 is guaranteed only on Nitro-based instances (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances). - // Other instance families guarantee performance up to 32,000 IOPS. For more - // information, see Amazon EBS Volume Types (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html) - // in the Amazon Elastic Compute Cloud User Guide. + // The number of I/O operations per second (IOPS). For gp3, io1, and io2 volumes, + // this represents the number of IOPS that are provisioned for the volume. For + // gp2 volumes, this represents the baseline performance of the volume and the + // rate at which the volume accumulates I/O credits for bursting. // - // This parameter is valid only for Provisioned IOPS SSD (io1 and io2) volumes. + // The following are the supported values for each volume type: + // + // * gp3: 3,000-16,000 IOPS + // + // * io1: 100-64,000 IOPS + // + // * io2: 100-64,000 IOPS + // + // For io1 and io2 volumes, we guarantee 64,000 IOPS only for Instances built + // on the Nitro System (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances). + // Other instance families guarantee performance up to 32,000 IOPS. + // + // This parameter is supported for io1, io2, and gp3 volumes only. This parameter + // is not supported for gp2, st1, sc1, or standard volumes. Iops *int64 `type:"integer"` // The ARN of the symmetric AWS Key Management Service (AWS KMS) CMK used for @@ -87756,13 +92112,26 @@ type LaunchTemplateEbsBlockDeviceRequest struct { // The ID of the snapshot. SnapshotId *string `type:"string"` - // The size of the volume, in GiB. + // The throughput to provision for a gp3 volume, with a maximum of 1,000 MiB/s. // - // Default: If you're creating the volume from a snapshot and don't specify - // a volume size, the default is the snapshot size. + // Valid Range: Minimum value of 125. Maximum value of 1000. + Throughput *int64 `type:"integer"` + + // The size of the volume, in GiBs. You must specify either a snapshot ID or + // a volume size. The following are the supported volumes sizes for each volume + // type: + // + // * gp2 and gp3: 1-16,384 + // + // * io1 and io2: 4-16,384 + // + // * st1 and sc1: 125-16,384 + // + // * standard: 1-1,024 VolumeSize *int64 `type:"integer"` - // The volume type. + // The volume type. For more information, see Amazon EBS volume types (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html) + // in the Amazon Elastic Compute Cloud User Guide. VolumeType *string `type:"string" enum:"VolumeType"` } @@ -87806,6 +92175,12 @@ func (s *LaunchTemplateEbsBlockDeviceRequest) SetSnapshotId(v string) *LaunchTem return s } +// SetThroughput sets the Throughput field's value. +func (s *LaunchTemplateEbsBlockDeviceRequest) SetThroughput(v int64) *LaunchTemplateEbsBlockDeviceRequest { + s.Throughput = &v + return s +} + // SetVolumeSize sets the VolumeSize field's value. func (s *LaunchTemplateEbsBlockDeviceRequest) SetVolumeSize(v int64) *LaunchTemplateEbsBlockDeviceRequest { s.VolumeSize = &v @@ -88668,12 +93043,21 @@ type LaunchTemplateOverrides struct { // The instance type. InstanceType *string `locationName:"instanceType" type:"string" enum:"InstanceType"` - // The priority for the launch template override. If OnDemandAllocationStrategy - // is set to prioritized, Spot Fleet uses priority to determine which launch - // template override to use first in fulfilling On-Demand capacity. The highest - // priority is launched first. Valid values are whole numbers starting at 0. - // The lower the number, the higher the priority. If no number is set, the launch - // template override has the lowest priority. + // The priority for the launch template override. The highest priority is launched + // first. + // + // If OnDemandAllocationStrategy is set to prioritized, Spot Fleet uses priority + // to determine which launch template override to use first in fulfilling On-Demand + // capacity. + // + // If the Spot AllocationStrategy is set to capacityOptimizedPrioritized, Spot + // Fleet uses priority on a best-effort basis to determine which launch template + // override to use first in fulfilling Spot capacity, but optimizes for capacity + // first. + // + // Valid values are whole numbers starting at 0. The lower the number, the higher + // the priority. If no number is set, the launch template override has the lowest + // priority. You can set the same priority for different launch template overrides. Priority *float64 `locationName:"priority" type:"double"` // The maximum price per unit hour that you are willing to pay for a Spot Instance. @@ -90172,6 +94556,88 @@ func (s *MemoryInfo) SetSizeInMiB(v int64) *MemoryInfo { return s } +type ModifyAddressAttributeInput struct { + _ struct{} `type:"structure"` + + // [EC2-VPC] The allocation ID. + // + // AllocationId is a required field + AllocationId *string `type:"string" required:"true"` + + // The domain name to modify for the IP address. + DomainName *string `type:"string"` + + // Checks whether you have the required permissions for the action, without + // actually making the request, and provides an error response. If you have + // the required permissions, the error response is DryRunOperation. Otherwise, + // it is UnauthorizedOperation. + DryRun *bool `type:"boolean"` +} + +// String returns the string representation +func (s ModifyAddressAttributeInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ModifyAddressAttributeInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *ModifyAddressAttributeInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "ModifyAddressAttributeInput"} + if s.AllocationId == nil { + invalidParams.Add(request.NewErrParamRequired("AllocationId")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetAllocationId sets the AllocationId field's value. +func (s *ModifyAddressAttributeInput) SetAllocationId(v string) *ModifyAddressAttributeInput { + s.AllocationId = &v + return s +} + +// SetDomainName sets the DomainName field's value. +func (s *ModifyAddressAttributeInput) SetDomainName(v string) *ModifyAddressAttributeInput { + s.DomainName = &v + return s +} + +// SetDryRun sets the DryRun field's value. +func (s *ModifyAddressAttributeInput) SetDryRun(v bool) *ModifyAddressAttributeInput { + s.DryRun = &v + return s +} + +type ModifyAddressAttributeOutput struct { + _ struct{} `type:"structure"` + + // Information about the Elastic IP address. + Address *AddressAttribute `locationName:"address" type:"structure"` +} + +// String returns the string representation +func (s ModifyAddressAttributeOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ModifyAddressAttributeOutput) GoString() string { + return s.String() +} + +// SetAddress sets the Address field's value. +func (s *ModifyAddressAttributeOutput) SetAddress(v *AddressAttribute) *ModifyAddressAttributeOutput { + s.Address = v + return s +} + type ModifyAvailabilityZoneGroupInput struct { _ struct{} `type:"structure"` @@ -90266,6 +94732,9 @@ func (s *ModifyAvailabilityZoneGroupOutput) SetReturn(v bool) *ModifyAvailabilit type ModifyCapacityReservationInput struct { _ struct{} `type:"structure"` + // Reserved. Capacity Reservations you have created are accepted by default. + Accept *bool `type:"boolean"` + // The ID of the Capacity Reservation. // // CapacityReservationId is a required field @@ -90327,6 +94796,12 @@ func (s *ModifyCapacityReservationInput) Validate() error { return nil } +// SetAccept sets the Accept field's value. +func (s *ModifyCapacityReservationInput) SetAccept(v bool) *ModifyCapacityReservationInput { + s.Accept = &v + return s +} + // SetCapacityReservationId sets the CapacityReservationId field's value. func (s *ModifyCapacityReservationInput) SetCapacityReservationId(v string) *ModifyCapacityReservationInput { s.CapacityReservationId = &v @@ -91022,8 +95497,8 @@ type ModifyHostsInput struct { HostIds []*string `locationName:"hostId" locationNameList:"item" type:"list" required:"true"` // Indicates whether to enable or disable host recovery for the Dedicated Host. - // For more information, see Host Recovery (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/dedicated-hosts-recovery.html) - // in the Amazon Elastic Compute Cloud User Guide. + // For more information, see Host recovery (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/dedicated-hosts-recovery.html) + // in the Amazon EC2 User Guide. HostRecovery *string `type:"string" enum:"HostRecovery"` // Specifies the instance family to be supported by the Dedicated Host. Specify @@ -91454,7 +95929,7 @@ type ModifyInstanceAttributeInput struct { // To add instance store volumes to an Amazon EBS-backed instance, you must // add them when you launch the instance. For more information, see Updating // the block device mapping when launching an instance (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/block-device-mapping-concepts.html#Using_OverridingAMIBDM) - // in the Amazon Elastic Compute Cloud User Guide. + // in the Amazon EC2 User Guide. BlockDeviceMappings []*InstanceBlockDeviceMappingSpecification `locationName:"blockDeviceMapping" locationNameList:"item" type:"list"` // If the value is true, you can't terminate the instance using the Amazon EC2 @@ -91496,8 +95971,9 @@ type ModifyInstanceAttributeInput struct { InstanceInitiatedShutdownBehavior *AttributeValue `locationName:"instanceInitiatedShutdownBehavior" type:"structure"` // Changes the instance type to the specified value. For more information, see - // Instance types (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html). - // If the instance type is not valid, the error returned is InvalidInstanceAttributeValue. + // Instance types (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html) + // in the Amazon EC2 User Guide. If the instance type is not valid, the error + // returned is InvalidInstanceAttributeValue. InstanceType *AttributeValue `locationName:"instanceType" type:"structure"` // Changes the instance's kernel to the specified value. We recommend that you @@ -91510,9 +95986,12 @@ type ModifyInstanceAttributeInput struct { // PV-GRUB (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/UserProvidedKernels.html). Ramdisk *AttributeValue `locationName:"ramdisk" type:"structure"` - // Specifies whether source/destination checking is enabled. A value of true - // means that checking is enabled, and false means that checking is disabled. - // This value must be false for a NAT instance to perform NAT. + // Enable or disable source/destination checks, which ensure that the instance + // is either the source or the destination of any traffic that it receives. + // If the value is true, source/destination checks are enabled; otherwise, they + // are disabled. The default value is true. You must disable source/destination + // checks if the instance runs services such as network address translation, + // routing, or firewalls. SourceDestCheck *AttributeBooleanValue `type:"structure"` // Set to simple to enable enhanced networking with the Intel 82599 Virtual @@ -93434,6 +97913,10 @@ func (s *ModifyTransitGatewayInput) SetTransitGatewayId(v string) *ModifyTransit type ModifyTransitGatewayOptions struct { _ struct{} `type:"structure"` + // Adds IPv4 or IPv6 CIDR blocks for the transit gateway. Must be a size /24 + // CIDR block or larger for IPv4, or a size /64 CIDR block or larger for IPv6. + AddTransitGatewayCidrBlocks []*string `locationNameList:"item" type:"list"` + // The ID of the default association route table. AssociationDefaultRouteTableId *string `type:"string"` @@ -93454,6 +97937,9 @@ type ModifyTransitGatewayOptions struct { // The ID of the default propagation route table. PropagationDefaultRouteTableId *string `type:"string"` + // Removes CIDR blocks for the transit gateway. + RemoveTransitGatewayCidrBlocks []*string `locationNameList:"item" type:"list"` + // Enable or disable Equal Cost Multipath Protocol support. VpnEcmpSupport *string `type:"string" enum:"VpnEcmpSupportValue"` } @@ -93468,6 +97954,12 @@ func (s ModifyTransitGatewayOptions) GoString() string { return s.String() } +// SetAddTransitGatewayCidrBlocks sets the AddTransitGatewayCidrBlocks field's value. +func (s *ModifyTransitGatewayOptions) SetAddTransitGatewayCidrBlocks(v []*string) *ModifyTransitGatewayOptions { + s.AddTransitGatewayCidrBlocks = v + return s +} + // SetAssociationDefaultRouteTableId sets the AssociationDefaultRouteTableId field's value. func (s *ModifyTransitGatewayOptions) SetAssociationDefaultRouteTableId(v string) *ModifyTransitGatewayOptions { s.AssociationDefaultRouteTableId = &v @@ -93504,6 +97996,12 @@ func (s *ModifyTransitGatewayOptions) SetPropagationDefaultRouteTableId(v string return s } +// SetRemoveTransitGatewayCidrBlocks sets the RemoveTransitGatewayCidrBlocks field's value. +func (s *ModifyTransitGatewayOptions) SetRemoveTransitGatewayCidrBlocks(v []*string) *ModifyTransitGatewayOptions { + s.RemoveTransitGatewayCidrBlocks = v + return s +} + // SetVpnEcmpSupport sets the VpnEcmpSupport field's value. func (s *ModifyTransitGatewayOptions) SetVpnEcmpSupport(v string) *ModifyTransitGatewayOptions { s.VpnEcmpSupport = &v @@ -93867,27 +98365,59 @@ type ModifyVolumeInput struct { // it is UnauthorizedOperation. DryRun *bool `type:"boolean"` - // The target IOPS rate of the volume. + // The target IOPS rate of the volume. This parameter is valid only for gp3, + // io1, and io2 volumes. // - // This is only valid for Provisioned IOPS SSD (io1 and io2) volumes. For moreinformation, - // see Provisioned IOPS SSD (io1 and io2) volumes (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html#EBSVolumeTypes_piops). + // The following are the supported values for each volume type: + // + // * gp3: 3,000-16,000 IOPS + // + // * io1: 100-64,000 IOPS + // + // * io2: 100-64,000 IOPS // // Default: If no IOPS value is specified, the existing value is retained. Iops *int64 `type:"integer"` + // Specifies whether to enable Amazon EBS Multi-Attach. If you enable Multi-Attach, + // you can attach the volume to up to 16 Nitro-based instances (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances) + // in the same Availability Zone. This parameter is supported with io1 and io2 + // volumes only. For more information, see Amazon EBS Multi-Attach (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volumes-multi.html) + // in the Amazon Elastic Compute Cloud User Guide. + MultiAttachEnabled *bool `type:"boolean"` + // The target size of the volume, in GiB. The target volume size must be greater - // than or equal to than the existing size of the volume. For information about - // available EBS volume sizes, see Amazon EBS Volume Types (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html). + // than or equal to the existing size of the volume. + // + // The following are the supported volumes sizes for each volume type: + // + // * gp2 and gp3: 1-16,384 + // + // * io1 and io2: 4-16,384 + // + // * st1 and sc1: 125-16,384 + // + // * standard: 1-1,024 // // Default: If no size is specified, the existing size is retained. Size *int64 `type:"integer"` + // The target throughput of the volume, in MiB/s. This parameter is valid only + // for gp3 volumes. The maximum value is 1,000. + // + // Default: If no throughput value is specified, the existing value is retained. + // + // Valid Range: Minimum value of 125. Maximum value of 1000. + Throughput *int64 `type:"integer"` + // The ID of the volume. // // VolumeId is a required field VolumeId *string `type:"string" required:"true"` - // The target EBS volume type of the volume. + // The target EBS volume type of the volume. For more information, see Amazon + // EBS volume types (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html) + // in the Amazon Elastic Compute Cloud User Guide. // // Default: If no type is specified, the existing type is retained. VolumeType *string `type:"string" enum:"VolumeType"` @@ -93928,12 +98458,24 @@ func (s *ModifyVolumeInput) SetIops(v int64) *ModifyVolumeInput { return s } +// SetMultiAttachEnabled sets the MultiAttachEnabled field's value. +func (s *ModifyVolumeInput) SetMultiAttachEnabled(v bool) *ModifyVolumeInput { + s.MultiAttachEnabled = &v + return s +} + // SetSize sets the Size field's value. func (s *ModifyVolumeInput) SetSize(v int64) *ModifyVolumeInput { s.Size = &v return s } +// SetThroughput sets the Throughput field's value. +func (s *ModifyVolumeInput) SetThroughput(v int64) *ModifyVolumeInput { + s.Throughput = &v + return s +} + // SetVolumeId sets the VolumeId field's value. func (s *ModifyVolumeInput) SetVolumeId(v string) *ModifyVolumeInput { s.VolumeId = &v @@ -94154,7 +98696,9 @@ type ModifyVpcEndpointInput struct { // network interface. AddSecurityGroupIds []*string `locationName:"AddSecurityGroupId" locationNameList:"item" type:"list"` - // (Interface endpoint) One or more subnet IDs in which to serve the endpoint. + // (Interface and Gateway Load Balancer endpoints) One or more subnet IDs in + // which to serve the endpoint. For a Gateway Load Balancer endpoint, you can + // specify only one subnet. AddSubnetIds []*string `locationName:"AddSubnetId" locationNameList:"item" type:"list"` // Checks whether you have the required permissions for the action, without @@ -94163,8 +98707,8 @@ type ModifyVpcEndpointInput struct { // it is UnauthorizedOperation. DryRun *bool `type:"boolean"` - // A policy to attach to the endpoint that controls access to the service. The - // policy must be in valid JSON format. + // (Interface and gateway endpoints) A policy to attach to the endpoint that + // controls access to the service. The policy must be in valid JSON format. PolicyDocument *string `type:"string"` // (Interface endpoint) Indicates whether a private hosted zone is associated @@ -94310,6 +98854,10 @@ type ModifyVpcEndpointServiceConfigurationInput struct { // accepted. AcceptanceRequired *bool `type:"boolean"` + // The Amazon Resource Names (ARNs) of Gateway Load Balancers to add to your + // service configuration. + AddGatewayLoadBalancerArns []*string `locationName:"AddGatewayLoadBalancerArn" locationNameList:"item" type:"list"` + // The Amazon Resource Names (ARNs) of Network Load Balancers to add to your // service configuration. AddNetworkLoadBalancerArns []*string `locationName:"AddNetworkLoadBalancerArn" locationNameList:"item" type:"list"` @@ -94320,14 +98868,20 @@ type ModifyVpcEndpointServiceConfigurationInput struct { // it is UnauthorizedOperation. DryRun *bool `type:"boolean"` - // The private DNS name to assign to the endpoint service. + // (Interface endpoint configuration) The private DNS name to assign to the + // endpoint service. PrivateDnsName *string `type:"string"` + // The Amazon Resource Names (ARNs) of Gateway Load Balancers to remove from + // your service configuration. + RemoveGatewayLoadBalancerArns []*string `locationName:"RemoveGatewayLoadBalancerArn" locationNameList:"item" type:"list"` + // The Amazon Resource Names (ARNs) of Network Load Balancers to remove from // your service configuration. RemoveNetworkLoadBalancerArns []*string `locationName:"RemoveNetworkLoadBalancerArn" locationNameList:"item" type:"list"` - // Removes the private DNS name of the endpoint service. + // (Interface endpoint configuration) Removes the private DNS name of the endpoint + // service. RemovePrivateDnsName *bool `type:"boolean"` // The ID of the service. @@ -94365,6 +98919,12 @@ func (s *ModifyVpcEndpointServiceConfigurationInput) SetAcceptanceRequired(v boo return s } +// SetAddGatewayLoadBalancerArns sets the AddGatewayLoadBalancerArns field's value. +func (s *ModifyVpcEndpointServiceConfigurationInput) SetAddGatewayLoadBalancerArns(v []*string) *ModifyVpcEndpointServiceConfigurationInput { + s.AddGatewayLoadBalancerArns = v + return s +} + // SetAddNetworkLoadBalancerArns sets the AddNetworkLoadBalancerArns field's value. func (s *ModifyVpcEndpointServiceConfigurationInput) SetAddNetworkLoadBalancerArns(v []*string) *ModifyVpcEndpointServiceConfigurationInput { s.AddNetworkLoadBalancerArns = v @@ -94383,6 +98943,12 @@ func (s *ModifyVpcEndpointServiceConfigurationInput) SetPrivateDnsName(v string) return s } +// SetRemoveGatewayLoadBalancerArns sets the RemoveGatewayLoadBalancerArns field's value. +func (s *ModifyVpcEndpointServiceConfigurationInput) SetRemoveGatewayLoadBalancerArns(v []*string) *ModifyVpcEndpointServiceConfigurationInput { + s.RemoveGatewayLoadBalancerArns = v + return s +} + // SetRemoveNetworkLoadBalancerArns sets the RemoveNetworkLoadBalancerArns field's value. func (s *ModifyVpcEndpointServiceConfigurationInput) SetRemoveNetworkLoadBalancerArns(v []*string) *ModifyVpcEndpointServiceConfigurationInput { s.RemoveNetworkLoadBalancerArns = v @@ -96051,6 +100617,9 @@ type NetworkInfo struct { // The index of the default network card, starting at 0. DefaultNetworkCardIndex *int64 `locationName:"defaultNetworkCardIndex" type:"integer"` + // Describes the Elastic Fabric Adapters for the instance type. + EfaInfo *EfaInfo `locationName:"efaInfo" type:"structure"` + // Indicates whether Elastic Fabric Adapter (EFA) is supported. EfaSupported *bool `locationName:"efaSupported" type:"boolean"` @@ -96096,6 +100665,12 @@ func (s *NetworkInfo) SetDefaultNetworkCardIndex(v int64) *NetworkInfo { return s } +// SetEfaInfo sets the EfaInfo field's value. +func (s *NetworkInfo) SetEfaInfo(v *EfaInfo) *NetworkInfo { + s.EfaInfo = v + return s +} + // SetEfaSupported sets the EfaSupported field's value. func (s *NetworkInfo) SetEfaSupported(v bool) *NetworkInfo { s.EfaSupported = &v @@ -96150,6 +100725,244 @@ func (s *NetworkInfo) SetNetworkPerformance(v string) *NetworkInfo { return s } +// Describes a network insights analysis. +type NetworkInsightsAnalysis struct { + _ struct{} `type:"structure"` + + // Potential intermediate components. + AlternatePathHints []*AlternatePathHint `locationName:"alternatePathHintSet" locationNameList:"item" type:"list"` + + // The explanations. For more information, see Reachability Analyzer explanation + // codes (https://docs.aws.amazon.com/vpc/latest/reachability/explanation-codes.html). + Explanations []*Explanation `locationName:"explanationSet" locationNameList:"item" type:"list"` + + // The Amazon Resource Names (ARN) of the AWS resources that the path must traverse. + FilterInArns []*string `locationName:"filterInArnSet" locationNameList:"item" type:"list"` + + // The components in the path from source to destination. + ForwardPathComponents []*PathComponent `locationName:"forwardPathComponentSet" locationNameList:"item" type:"list"` + + // The Amazon Resource Name (ARN) of the network insights analysis. + NetworkInsightsAnalysisArn *string `locationName:"networkInsightsAnalysisArn" min:"1" type:"string"` + + // The ID of the network insights analysis. + NetworkInsightsAnalysisId *string `locationName:"networkInsightsAnalysisId" type:"string"` + + // The ID of the path. + NetworkInsightsPathId *string `locationName:"networkInsightsPathId" type:"string"` + + // Indicates whether the destination is reachable from the source. + NetworkPathFound *bool `locationName:"networkPathFound" type:"boolean"` + + // The components in the path from destination to source. + ReturnPathComponents []*PathComponent `locationName:"returnPathComponentSet" locationNameList:"item" type:"list"` + + // The time the analysis started. + StartDate *time.Time `locationName:"startDate" type:"timestamp"` + + // The status of the network insights analysis. + Status *string `locationName:"status" type:"string" enum:"AnalysisStatus"` + + // The status message, if the status is failed. + StatusMessage *string `locationName:"statusMessage" type:"string"` + + // The tags. + Tags []*Tag `locationName:"tagSet" locationNameList:"item" type:"list"` +} + +// String returns the string representation +func (s NetworkInsightsAnalysis) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s NetworkInsightsAnalysis) GoString() string { + return s.String() +} + +// SetAlternatePathHints sets the AlternatePathHints field's value. +func (s *NetworkInsightsAnalysis) SetAlternatePathHints(v []*AlternatePathHint) *NetworkInsightsAnalysis { + s.AlternatePathHints = v + return s +} + +// SetExplanations sets the Explanations field's value. +func (s *NetworkInsightsAnalysis) SetExplanations(v []*Explanation) *NetworkInsightsAnalysis { + s.Explanations = v + return s +} + +// SetFilterInArns sets the FilterInArns field's value. +func (s *NetworkInsightsAnalysis) SetFilterInArns(v []*string) *NetworkInsightsAnalysis { + s.FilterInArns = v + return s +} + +// SetForwardPathComponents sets the ForwardPathComponents field's value. +func (s *NetworkInsightsAnalysis) SetForwardPathComponents(v []*PathComponent) *NetworkInsightsAnalysis { + s.ForwardPathComponents = v + return s +} + +// SetNetworkInsightsAnalysisArn sets the NetworkInsightsAnalysisArn field's value. +func (s *NetworkInsightsAnalysis) SetNetworkInsightsAnalysisArn(v string) *NetworkInsightsAnalysis { + s.NetworkInsightsAnalysisArn = &v + return s +} + +// SetNetworkInsightsAnalysisId sets the NetworkInsightsAnalysisId field's value. +func (s *NetworkInsightsAnalysis) SetNetworkInsightsAnalysisId(v string) *NetworkInsightsAnalysis { + s.NetworkInsightsAnalysisId = &v + return s +} + +// SetNetworkInsightsPathId sets the NetworkInsightsPathId field's value. +func (s *NetworkInsightsAnalysis) SetNetworkInsightsPathId(v string) *NetworkInsightsAnalysis { + s.NetworkInsightsPathId = &v + return s +} + +// SetNetworkPathFound sets the NetworkPathFound field's value. +func (s *NetworkInsightsAnalysis) SetNetworkPathFound(v bool) *NetworkInsightsAnalysis { + s.NetworkPathFound = &v + return s +} + +// SetReturnPathComponents sets the ReturnPathComponents field's value. +func (s *NetworkInsightsAnalysis) SetReturnPathComponents(v []*PathComponent) *NetworkInsightsAnalysis { + s.ReturnPathComponents = v + return s +} + +// SetStartDate sets the StartDate field's value. +func (s *NetworkInsightsAnalysis) SetStartDate(v time.Time) *NetworkInsightsAnalysis { + s.StartDate = &v + return s +} + +// SetStatus sets the Status field's value. +func (s *NetworkInsightsAnalysis) SetStatus(v string) *NetworkInsightsAnalysis { + s.Status = &v + return s +} + +// SetStatusMessage sets the StatusMessage field's value. +func (s *NetworkInsightsAnalysis) SetStatusMessage(v string) *NetworkInsightsAnalysis { + s.StatusMessage = &v + return s +} + +// SetTags sets the Tags field's value. +func (s *NetworkInsightsAnalysis) SetTags(v []*Tag) *NetworkInsightsAnalysis { + s.Tags = v + return s +} + +// Describes a path. +type NetworkInsightsPath struct { + _ struct{} `type:"structure"` + + // The time stamp when the path was created. + CreatedDate *time.Time `locationName:"createdDate" type:"timestamp"` + + // The AWS resource that is the destination of the path. + Destination *string `locationName:"destination" type:"string"` + + // The IP address of the AWS resource that is the destination of the path. + DestinationIp *string `locationName:"destinationIp" type:"string"` + + // The destination port. + DestinationPort *int64 `locationName:"destinationPort" type:"integer"` + + // The Amazon Resource Name (ARN) of the path. + NetworkInsightsPathArn *string `locationName:"networkInsightsPathArn" min:"1" type:"string"` + + // The ID of the path. + NetworkInsightsPathId *string `locationName:"networkInsightsPathId" type:"string"` + + // The protocol. + Protocol *string `locationName:"protocol" type:"string" enum:"Protocol"` + + // The AWS resource that is the source of the path. + Source *string `locationName:"source" type:"string"` + + // The IP address of the AWS resource that is the source of the path. + SourceIp *string `locationName:"sourceIp" type:"string"` + + // The tags associated with the path. + Tags []*Tag `locationName:"tagSet" locationNameList:"item" type:"list"` +} + +// String returns the string representation +func (s NetworkInsightsPath) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s NetworkInsightsPath) GoString() string { + return s.String() +} + +// SetCreatedDate sets the CreatedDate field's value. +func (s *NetworkInsightsPath) SetCreatedDate(v time.Time) *NetworkInsightsPath { + s.CreatedDate = &v + return s +} + +// SetDestination sets the Destination field's value. +func (s *NetworkInsightsPath) SetDestination(v string) *NetworkInsightsPath { + s.Destination = &v + return s +} + +// SetDestinationIp sets the DestinationIp field's value. +func (s *NetworkInsightsPath) SetDestinationIp(v string) *NetworkInsightsPath { + s.DestinationIp = &v + return s +} + +// SetDestinationPort sets the DestinationPort field's value. +func (s *NetworkInsightsPath) SetDestinationPort(v int64) *NetworkInsightsPath { + s.DestinationPort = &v + return s +} + +// SetNetworkInsightsPathArn sets the NetworkInsightsPathArn field's value. +func (s *NetworkInsightsPath) SetNetworkInsightsPathArn(v string) *NetworkInsightsPath { + s.NetworkInsightsPathArn = &v + return s +} + +// SetNetworkInsightsPathId sets the NetworkInsightsPathId field's value. +func (s *NetworkInsightsPath) SetNetworkInsightsPathId(v string) *NetworkInsightsPath { + s.NetworkInsightsPathId = &v + return s +} + +// SetProtocol sets the Protocol field's value. +func (s *NetworkInsightsPath) SetProtocol(v string) *NetworkInsightsPath { + s.Protocol = &v + return s +} + +// SetSource sets the Source field's value. +func (s *NetworkInsightsPath) SetSource(v string) *NetworkInsightsPath { + s.Source = &v + return s +} + +// SetSourceIp sets the SourceIp field's value. +func (s *NetworkInsightsPath) SetSourceIp(v string) *NetworkInsightsPath { + s.SourceIp = &v + return s +} + +// SetTags sets the Tags field's value. +func (s *NetworkInsightsPath) SetTags(v []*Tag) *NetworkInsightsPath { + s.Tags = v + return s +} + // Describes a network interface. type NetworkInterface struct { _ struct{} `type:"structure"` @@ -96197,8 +101010,8 @@ type NetworkInterface struct { // The private IPv4 addresses associated with the network interface. PrivateIpAddresses []*NetworkInterfacePrivateIpAddress `locationName:"privateIpAddressesSet" locationNameList:"item" type:"list"` - // The ID of the entity that launched the instance on your behalf (for example, - // AWS Management Console or Auto Scaling). + // The alias or AWS account ID of the principal or service that created the + // network interface. RequesterId *string `locationName:"requesterId" type:"string"` // Indicates whether the network interface is being managed by AWS. @@ -96926,6 +101739,120 @@ func (s *OnDemandOptionsRequest) SetSingleInstanceType(v bool) *OnDemandOptionsR return s } +// Describes a path component. +type PathComponent struct { + _ struct{} `type:"structure"` + + // The network ACL rule. + AclRule *AnalysisAclRule `locationName:"aclRule" type:"structure"` + + // The component. + Component *AnalysisComponent `locationName:"component" type:"structure"` + + // The destination VPC. + DestinationVpc *AnalysisComponent `locationName:"destinationVpc" type:"structure"` + + // The inbound header. + InboundHeader *AnalysisPacketHeader `locationName:"inboundHeader" type:"structure"` + + // The outbound header. + OutboundHeader *AnalysisPacketHeader `locationName:"outboundHeader" type:"structure"` + + // The route table route. + RouteTableRoute *AnalysisRouteTableRoute `locationName:"routeTableRoute" type:"structure"` + + // The security group rule. + SecurityGroupRule *AnalysisSecurityGroupRule `locationName:"securityGroupRule" type:"structure"` + + // The sequence number. + SequenceNumber *int64 `locationName:"sequenceNumber" type:"integer"` + + // The source VPC. + SourceVpc *AnalysisComponent `locationName:"sourceVpc" type:"structure"` + + // The subnet. + Subnet *AnalysisComponent `locationName:"subnet" type:"structure"` + + // The component VPC. + Vpc *AnalysisComponent `locationName:"vpc" type:"structure"` +} + +// String returns the string representation +func (s PathComponent) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s PathComponent) GoString() string { + return s.String() +} + +// SetAclRule sets the AclRule field's value. +func (s *PathComponent) SetAclRule(v *AnalysisAclRule) *PathComponent { + s.AclRule = v + return s +} + +// SetComponent sets the Component field's value. +func (s *PathComponent) SetComponent(v *AnalysisComponent) *PathComponent { + s.Component = v + return s +} + +// SetDestinationVpc sets the DestinationVpc field's value. +func (s *PathComponent) SetDestinationVpc(v *AnalysisComponent) *PathComponent { + s.DestinationVpc = v + return s +} + +// SetInboundHeader sets the InboundHeader field's value. +func (s *PathComponent) SetInboundHeader(v *AnalysisPacketHeader) *PathComponent { + s.InboundHeader = v + return s +} + +// SetOutboundHeader sets the OutboundHeader field's value. +func (s *PathComponent) SetOutboundHeader(v *AnalysisPacketHeader) *PathComponent { + s.OutboundHeader = v + return s +} + +// SetRouteTableRoute sets the RouteTableRoute field's value. +func (s *PathComponent) SetRouteTableRoute(v *AnalysisRouteTableRoute) *PathComponent { + s.RouteTableRoute = v + return s +} + +// SetSecurityGroupRule sets the SecurityGroupRule field's value. +func (s *PathComponent) SetSecurityGroupRule(v *AnalysisSecurityGroupRule) *PathComponent { + s.SecurityGroupRule = v + return s +} + +// SetSequenceNumber sets the SequenceNumber field's value. +func (s *PathComponent) SetSequenceNumber(v int64) *PathComponent { + s.SequenceNumber = &v + return s +} + +// SetSourceVpc sets the SourceVpc field's value. +func (s *PathComponent) SetSourceVpc(v *AnalysisComponent) *PathComponent { + s.SourceVpc = v + return s +} + +// SetSubnet sets the Subnet field's value. +func (s *PathComponent) SetSubnet(v *AnalysisComponent) *PathComponent { + s.Subnet = v + return s +} + +// SetVpc sets the Vpc field's value. +func (s *PathComponent) SetVpc(v *AnalysisComponent) *PathComponent { + s.Vpc = v + return s +} + // Describes the data that identifies an Amazon FPGA image (AFI) on the PCI // bus. type PciId struct { @@ -98038,6 +102965,30 @@ func (s *PrincipalIdFormat) SetStatuses(v []*IdFormat) *PrincipalIdFormat { return s } +// Information about the Private DNS name for interface endpoints. +type PrivateDnsDetails struct { + _ struct{} `type:"structure"` + + // The private DNS name assigned to the VPC endpoint service. + PrivateDnsName *string `locationName:"privateDnsName" type:"string"` +} + +// String returns the string representation +func (s PrivateDnsDetails) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s PrivateDnsDetails) GoString() string { + return s.String() +} + +// SetPrivateDnsName sets the PrivateDnsName field's value. +func (s *PrivateDnsDetails) SetPrivateDnsName(v string) *PrivateDnsDetails { + s.PrivateDnsName = &v + return s +} + // Information about the private DNS name for the service endpoint. For more // information about these parameters, see VPC Endpoint Service Private DNS // Name Verification (https://docs.aws.amazon.com/vpc/latest/userguide/ndpoint-services-dns-validation.html) @@ -98414,6 +103365,48 @@ func (s *ProvisionedBandwidth) SetStatus(v string) *ProvisionedBandwidth { return s } +// The status of an updated pointer (PTR) record for an Elastic IP address. +type PtrUpdateStatus struct { + _ struct{} `type:"structure"` + + // The reason for the PTR record update. + Reason *string `locationName:"reason" type:"string"` + + // The status of the PTR record update. + Status *string `locationName:"status" type:"string"` + + // The value for the PTR record update. + Value *string `locationName:"value" type:"string"` +} + +// String returns the string representation +func (s PtrUpdateStatus) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s PtrUpdateStatus) GoString() string { + return s.String() +} + +// SetReason sets the Reason field's value. +func (s *PtrUpdateStatus) SetReason(v string) *PtrUpdateStatus { + s.Reason = &v + return s +} + +// SetStatus sets the Status field's value. +func (s *PtrUpdateStatus) SetStatus(v string) *PtrUpdateStatus { + s.Status = &v + return s +} + +// SetValue sets the Value field's value. +func (s *PtrUpdateStatus) SetValue(v string) *PtrUpdateStatus { + s.Value = &v + return s +} + // Describes an IPv4 address pool. type PublicIpv4Pool struct { _ struct{} `type:"structure"` @@ -98638,7 +103631,7 @@ type PurchaseHostReservationInput struct { _ struct{} `type:"structure"` // Unique, case-sensitive identifier that you provide to ensure the idempotency - // of the request. For more information, see How to Ensure Idempotency (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html). + // of the request. For more information, see Ensuring Idempotency (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html). ClientToken *string `type:"string"` // The currency in which the totalUpfrontPrice, LimitPrice, and totalHourlyPrice @@ -98733,7 +103726,7 @@ type PurchaseHostReservationOutput struct { _ struct{} `type:"structure"` // Unique, case-sensitive identifier that you provide to ensure the idempotency - // of the request. For more information, see How to Ensure Idempotency (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html). + // of the request. For more information, see Ensuring Idempotency (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html). ClientToken *string `locationName:"clientToken" type:"string"` // The currency in which the totalUpfrontPrice and totalHourlyPrice amounts @@ -99207,8 +104200,21 @@ type RegisterImageInput struct { BillingProducts []*string `locationName:"BillingProduct" locationNameList:"item" type:"list"` // The block device mapping entries. + // + // If you specify an EBS volume using the ID of an EBS snapshot, you can't specify + // the encryption state of the volume. + // + // If you create an AMI on an Outpost, then all backing snapshots must be on + // the same Outpost or in the Region of that Outpost. AMIs on an Outpost that + // include local snapshots can be used to launch instances on the same Outpost + // only. For more information, Amazon EBS local snapshots on Outposts (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshots-outposts.html#ami) + // in the Amazon Elastic Compute Cloud User Guide. BlockDeviceMappings []*BlockDeviceMapping `locationName:"BlockDeviceMapping" locationNameList:"BlockDeviceMapping" type:"list"` + // The boot mode of the AMI. For more information, see Boot modes (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-boot.html) + // in the Amazon Elastic Compute Cloud User Guide. + BootMode *string `type:"string" enum:"BootModeValues"` + // A description for your AMI. Description *string `locationName:"description" type:"string"` @@ -99306,6 +104312,12 @@ func (s *RegisterImageInput) SetBlockDeviceMappings(v []*BlockDeviceMapping) *Re return s } +// SetBootMode sets the BootMode field's value. +func (s *RegisterImageInput) SetBootMode(v string) *RegisterImageInput { + s.BootMode = &v + return s +} + // SetDescription sets the Description field's value. func (s *RegisterImageInput) SetDescription(v string) *RegisterImageInput { s.Description = &v @@ -99639,6 +104651,82 @@ func (s *RegisterTransitGatewayMulticastGroupSourcesOutput) SetRegisteredMultica return s } +type RejectTransitGatewayMulticastDomainAssociationsInput struct { + _ struct{} `type:"structure"` + + // Checks whether you have the required permissions for the action, without + // actually making the request, and provides an error response. If you have + // the required permissions, the error response is DryRunOperation. Otherwise, + // it is UnauthorizedOperation. + DryRun *bool `type:"boolean"` + + // The IDs of the subnets to associate with the transit gateway multicast domain. + SubnetIds []*string `locationNameList:"item" type:"list"` + + // The ID of the transit gateway attachment. + TransitGatewayAttachmentId *string `type:"string"` + + // The ID of the transit gateway multicast domain. + TransitGatewayMulticastDomainId *string `type:"string"` +} + +// String returns the string representation +func (s RejectTransitGatewayMulticastDomainAssociationsInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s RejectTransitGatewayMulticastDomainAssociationsInput) GoString() string { + return s.String() +} + +// SetDryRun sets the DryRun field's value. +func (s *RejectTransitGatewayMulticastDomainAssociationsInput) SetDryRun(v bool) *RejectTransitGatewayMulticastDomainAssociationsInput { + s.DryRun = &v + return s +} + +// SetSubnetIds sets the SubnetIds field's value. +func (s *RejectTransitGatewayMulticastDomainAssociationsInput) SetSubnetIds(v []*string) *RejectTransitGatewayMulticastDomainAssociationsInput { + s.SubnetIds = v + return s +} + +// SetTransitGatewayAttachmentId sets the TransitGatewayAttachmentId field's value. +func (s *RejectTransitGatewayMulticastDomainAssociationsInput) SetTransitGatewayAttachmentId(v string) *RejectTransitGatewayMulticastDomainAssociationsInput { + s.TransitGatewayAttachmentId = &v + return s +} + +// SetTransitGatewayMulticastDomainId sets the TransitGatewayMulticastDomainId field's value. +func (s *RejectTransitGatewayMulticastDomainAssociationsInput) SetTransitGatewayMulticastDomainId(v string) *RejectTransitGatewayMulticastDomainAssociationsInput { + s.TransitGatewayMulticastDomainId = &v + return s +} + +type RejectTransitGatewayMulticastDomainAssociationsOutput struct { + _ struct{} `type:"structure"` + + // Describes the multicast domain associations. + Associations *TransitGatewayMulticastDomainAssociations `locationName:"associations" type:"structure"` +} + +// String returns the string representation +func (s RejectTransitGatewayMulticastDomainAssociationsOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s RejectTransitGatewayMulticastDomainAssociationsOutput) GoString() string { + return s.String() +} + +// SetAssociations sets the Associations field's value. +func (s *RejectTransitGatewayMulticastDomainAssociationsOutput) SetAssociations(v *TransitGatewayMulticastDomainAssociations) *RejectTransitGatewayMulticastDomainAssociationsOutput { + s.Associations = v + return s +} + type RejectTransitGatewayPeeringAttachmentInput struct { _ struct{} `type:"structure"` @@ -100511,6 +105599,9 @@ type ReplaceRouteInput struct { // The ID of a transit gateway. TransitGatewayId *string `type:"string"` + // The ID of a VPC endpoint. Supported for Gateway Load Balancer endpoints only. + VpcEndpointId *string `type:"string"` + // The ID of a VPC peering connection. VpcPeeringConnectionId *string `locationName:"vpcPeeringConnectionId" type:"string"` } @@ -100622,6 +105713,12 @@ func (s *ReplaceRouteInput) SetTransitGatewayId(v string) *ReplaceRouteInput { return s } +// SetVpcEndpointId sets the VpcEndpointId field's value. +func (s *ReplaceRouteInput) SetVpcEndpointId(v string) *ReplaceRouteInput { + s.VpcEndpointId = &v + return s +} + // SetVpcPeeringConnectionId sets the VpcPeeringConnectionId field's value. func (s *ReplaceRouteInput) SetVpcPeeringConnectionId(v string) *ReplaceRouteInput { s.VpcPeeringConnectionId = &v @@ -101039,7 +106136,7 @@ type RequestLaunchTemplateData struct { // in the Amazon Elastic Compute Cloud User Guide. HibernationOptions *LaunchTemplateHibernationOptionsRequest `type:"structure"` - // The IAM instance profile. + // The name or Amazon Resource Name (ARN) of an IAM instance profile. IamInstanceProfile *LaunchTemplateIamInstanceProfileSpecificationRequest `type:"structure"` // The ID of the AMI. @@ -102672,6 +107769,93 @@ func (s *ReservedInstancesOffering) SetUsagePrice(v float64) *ReservedInstancesO return s } +type ResetAddressAttributeInput struct { + _ struct{} `type:"structure"` + + // [EC2-VPC] The allocation ID. + // + // AllocationId is a required field + AllocationId *string `type:"string" required:"true"` + + // The attribute of the IP address. + // + // Attribute is a required field + Attribute *string `type:"string" required:"true" enum:"AddressAttributeName"` + + // Checks whether you have the required permissions for the action, without + // actually making the request, and provides an error response. If you have + // the required permissions, the error response is DryRunOperation. Otherwise, + // it is UnauthorizedOperation. + DryRun *bool `type:"boolean"` +} + +// String returns the string representation +func (s ResetAddressAttributeInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ResetAddressAttributeInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *ResetAddressAttributeInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "ResetAddressAttributeInput"} + if s.AllocationId == nil { + invalidParams.Add(request.NewErrParamRequired("AllocationId")) + } + if s.Attribute == nil { + invalidParams.Add(request.NewErrParamRequired("Attribute")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetAllocationId sets the AllocationId field's value. +func (s *ResetAddressAttributeInput) SetAllocationId(v string) *ResetAddressAttributeInput { + s.AllocationId = &v + return s +} + +// SetAttribute sets the Attribute field's value. +func (s *ResetAddressAttributeInput) SetAttribute(v string) *ResetAddressAttributeInput { + s.Attribute = &v + return s +} + +// SetDryRun sets the DryRun field's value. +func (s *ResetAddressAttributeInput) SetDryRun(v bool) *ResetAddressAttributeInput { + s.DryRun = &v + return s +} + +type ResetAddressAttributeOutput struct { + _ struct{} `type:"structure"` + + // Information about the IP address. + Address *AddressAttribute `locationName:"address" type:"structure"` +} + +// String returns the string representation +func (s ResetAddressAttributeOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ResetAddressAttributeOutput) GoString() string { + return s.String() +} + +// SetAddress sets the Address field's value. +func (s *ResetAddressAttributeOutput) SetAddress(v *AddressAttribute) *ResetAddressAttributeOutput { + s.Address = v + return s +} + type ResetEbsDefaultKmsKeyIdInput struct { _ struct{} `type:"structure"` @@ -104380,14 +109564,14 @@ type RunInstancesInput struct { // The CPU options for the instance. For more information, see Optimizing CPU // options (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-optimize-cpu.html) - // in the Amazon Elastic Compute Cloud User Guide. + // in the Amazon EC2 User Guide. CpuOptions *CpuOptionsRequest `type:"structure"` // The credit option for CPU usage of the burstable performance instance. Valid // values are standard and unlimited. To change this attribute after launch, // use ModifyInstanceCreditSpecification (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceCreditSpecification.html). // For more information, see Burstable performance instances (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances.html) - // in the Amazon Elastic Compute Cloud User Guide. + // in the Amazon EC2 User Guide. // // Default: standard (T2 instances) or unlimited (T3/T3a instances) CreditSpecification *CreditSpecificationRequest `type:"structure"` @@ -104419,7 +109603,7 @@ type RunInstancesInput struct { // An elastic GPU to associate with the instance. An Elastic GPU is a GPU resource // that you can attach to your Windows instance to accelerate the graphics performance // of your applications. For more information, see Amazon EC2 Elastic GPUs (https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/elastic-graphics.html) - // in the Amazon Elastic Compute Cloud User Guide. + // in the Amazon EC2 User Guide. ElasticGpuSpecification []*ElasticGpuSpecification `locationNameList:"item" type:"list"` // An elastic inference accelerator to associate with the instance. Elastic @@ -104438,12 +109622,12 @@ type RunInstancesInput struct { // Indicates whether an instance is enabled for hibernation. For more information, // see Hibernate your instance (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Hibernate.html) - // in the Amazon Elastic Compute Cloud User Guide. + // in the Amazon EC2 User Guide. // // You can't enable hibernation and AWS Nitro Enclaves on the same instance. HibernationOptions *HibernationOptionsRequest `type:"structure"` - // The IAM instance profile. + // The name or Amazon Resource Name (ARN) of an IAM instance profile. IamInstanceProfile *IamInstanceProfileSpecification `locationName:"iamInstanceProfile" type:"structure"` // The ID of the AMI. An AMI ID is required to launch an instance and must be @@ -104463,7 +109647,7 @@ type RunInstancesInput struct { InstanceMarketOptions *InstanceMarketOptionsRequest `type:"structure"` // The instance type. For more information, see Instance types (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html) - // in the Amazon Elastic Compute Cloud User Guide. + // in the Amazon EC2 User Guide. // // Default: m1.small InstanceType *string `type:"string" enum:"InstanceType"` @@ -104491,7 +109675,7 @@ type RunInstancesInput struct { // // We recommend that you use PV-GRUB instead of kernels and RAM disks. For more // information, see PV-GRUB (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/UserProvidedkernels.html) - // in the Amazon Elastic Compute Cloud User Guide. + // in the Amazon EC2 User Guide. KernelId *string `type:"string"` // The name of the key pair. You can create a key pair using CreateKeyPair (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateKeyPair.html) @@ -104567,7 +109751,7 @@ type RunInstancesInput struct { // // We recommend that you use PV-GRUB instead of kernels and RAM disks. For more // information, see PV-GRUB (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/UserProvidedkernels.html) - // in the Amazon Elastic Compute Cloud User Guide. + // in the Amazon EC2 User Guide. RamdiskId *string `type:"string"` // The IDs of the security groups. You can create a security group using CreateSecurityGroup @@ -105534,8 +110718,7 @@ type ScheduledInstancesBlockDeviceMapping struct { // launched. Ebs *ScheduledInstancesEbs `type:"structure"` - // Suppresses the specified device included in the block device mapping of the - // AMI. + // To omit the device from the block device mapping, specify an empty string. NoDevice *string `type:"string"` // The virtual device name (ephemeralN). Instance store volumes are numbered @@ -105599,10 +110782,11 @@ type ScheduledInstancesEbs struct { // The number of I/O operations per second (IOPS) to provision for an io1 or // io2 volume, with a maximum ratio of 50 IOPS/GiB for io1, and 500 IOPS/GiB // for io2. Range is 100 to 64,000 IOPS for volumes in most Regions. Maximum - // IOPS of 64,000 is guaranteed only on Nitro-based instances (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances). + // IOPS of 64,000 is guaranteed only on instances built on the Nitro System + // (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances). // Other instance families guarantee performance up to 32,000 IOPS. For more - // information, see Amazon EBS Volume Types (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html) - // in the Amazon Elastic Compute Cloud User Guide. + // information, see Amazon EBS volume types (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html) + // in the Amazon EC2 User Guide. // // This parameter is valid only for Provisioned IOPS SSD (io1 and io2) volumes. Iops *int64 `type:"integer"` @@ -106378,7 +111562,7 @@ type SearchTransitGatewayRoutesInput struct { // * attachment.resource-id - The resource id of the transit gateway attachment. // // * attachment.resource-type - The attachment resource type. Valid values - // are vpc | vpn | direct-connect-gateway | peering. + // are vpc | vpn | direct-connect-gateway | peering | connect. // // * prefix-list-id - The ID of the prefix list. // @@ -106736,6 +111920,9 @@ type ServiceConfiguration struct { // The DNS names for the service. BaseEndpointDnsNames []*string `locationName:"baseEndpointDnsNameSet" locationNameList:"item" type:"list"` + // The Amazon Resource Names (ARNs) of the Gateway Load Balancers for the service. + GatewayLoadBalancerArns []*string `locationName:"gatewayLoadBalancerArnSet" locationNameList:"item" type:"list"` + // Indicates whether the service manages its VPC endpoints. Management of the // service VPC endpoints using the VPC endpoint API is restricted. ManagesVpcEndpoints *bool `locationName:"managesVpcEndpoints" type:"boolean"` @@ -106793,6 +111980,12 @@ func (s *ServiceConfiguration) SetBaseEndpointDnsNames(v []*string) *ServiceConf return s } +// SetGatewayLoadBalancerArns sets the GatewayLoadBalancerArns field's value. +func (s *ServiceConfiguration) SetGatewayLoadBalancerArns(v []*string) *ServiceConfiguration { + s.GatewayLoadBalancerArns = v + return s +} + // SetManagesVpcEndpoints sets the ManagesVpcEndpoints field's value. func (s *ServiceConfiguration) SetManagesVpcEndpoints(v bool) *ServiceConfiguration { s.ManagesVpcEndpoints = &v @@ -106877,6 +112070,9 @@ type ServiceDetail struct { // is not verified. PrivateDnsNameVerificationState *string `locationName:"privateDnsNameVerificationState" type:"string" enum:"DnsNameState"` + // The private DNS names assigned to the VPC endpoint service. + PrivateDnsNames []*PrivateDnsDetails `locationName:"privateDnsNameSet" locationNameList:"item" type:"list"` + // The ID of the endpoint service. ServiceId *string `locationName:"serviceId" type:"string"` @@ -106945,6 +112141,12 @@ func (s *ServiceDetail) SetPrivateDnsNameVerificationState(v string) *ServiceDet return s } +// SetPrivateDnsNames sets the PrivateDnsNames field's value. +func (s *ServiceDetail) SetPrivateDnsNames(v []*PrivateDnsDetails) *ServiceDetail { + s.PrivateDnsNames = v + return s +} + // SetServiceId sets the ServiceId field's value. func (s *ServiceDetail) SetServiceId(v string) *ServiceDetail { s.ServiceId = &v @@ -107111,6 +112313,11 @@ type Snapshot struct { // key for the parent volume. KmsKeyId *string `locationName:"kmsKeyId" type:"string"` + // The ARN of the AWS Outpost on which the snapshot is stored. For more information, + // see EBS Local Snapshot on Outposts (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshots-outposts.html) + // in the Amazon Elastic Compute Cloud User Guide. + OutpostArn *string `locationName:"outpostArn" type:"string"` + // The AWS owner alias, from an Amazon-maintained list (amazon). This is not // the user-configured AWS account alias set using the IAM console. OwnerAlias *string `locationName:"ownerAlias" type:"string"` @@ -107184,6 +112391,12 @@ func (s *Snapshot) SetKmsKeyId(v string) *Snapshot { return s } +// SetOutpostArn sets the OutpostArn field's value. +func (s *Snapshot) SetOutpostArn(v string) *Snapshot { + s.OutpostArn = &v + return s +} + // SetOwnerAlias sets the OwnerAlias field's value. func (s *Snapshot) SetOwnerAlias(v string) *Snapshot { s.OwnerAlias = &v @@ -107358,7 +112571,7 @@ type SnapshotDiskContainer struct { // The format of the disk image being imported. // - // Valid values: VHD | VMDK + // Valid values: VHD | VMDK | RAW Format *string `type:"string"` // The URL to the Amazon S3-based disk image being imported. It can either be @@ -107414,6 +112627,11 @@ type SnapshotInfo struct { // Indicates whether the snapshot is encrypted. Encrypted *bool `locationName:"encrypted" type:"boolean"` + // The ARN of the AWS Outpost on which the snapshot is stored. For more information, + // see EBS Local Snapshot on Outposts (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshots-outposts.html) + // in the Amazon Elastic Compute Cloud User Guide. + OutpostArn *string `locationName:"outpostArn" type:"string"` + // Account id used when creating this snapshot. OwnerId *string `locationName:"ownerId" type:"string"` @@ -107462,6 +112680,12 @@ func (s *SnapshotInfo) SetEncrypted(v bool) *SnapshotInfo { return s } +// SetOutpostArn sets the OutpostArn field's value. +func (s *SnapshotInfo) SetOutpostArn(v string) *SnapshotInfo { + s.OutpostArn = &v + return s +} + // SetOwnerId sets the OwnerId field's value. func (s *SnapshotInfo) SetOwnerId(v string) *SnapshotInfo { s.OwnerId = &v @@ -107640,9 +112864,8 @@ type SpotCapacityRebalance struct { // launch. // // When a replacement instance is launched, the instance marked for rebalance - // is not automatically terminated. You can terminate it, or you can wait until - // Amazon EC2 interrupts it. You are charged for all instances while they are - // running. + // is not automatically terminated. You can terminate it, or you can leave it + // running. You are charged for all instances while they are running. ReplacementStrategy *string `locationName:"replacementStrategy" type:"string" enum:"ReplacementStrategy"` } @@ -108045,9 +113268,16 @@ type SpotFleetRequestConfigData struct { // If the allocation strategy is diversified, Spot Fleet launches instances // from all the Spot Instance pools that you specify. // - // If the allocation strategy is capacityOptimized, Spot Fleet launches instances - // from Spot Instance pools with optimal capacity for the number of instances - // that are launching. + // If the allocation strategy is capacityOptimized (recommended), Spot Fleet + // launches instances from Spot Instance pools with optimal capacity for the + // number of instances that are launching. To give certain instance types a + // higher chance of launching first, use capacityOptimizedPrioritized. Set a + // priority for each instance type by using the Priority parameter for LaunchTemplateOverrides. + // You can assign the same priority to different LaunchTemplateOverrides. EC2 + // implements the priorities on a best-effort basis, but optimizes for capacity + // first. capacityOptimizedPrioritized is supported only if your Spot Fleet + // uses a launch template. Note that if the OnDemandAllocationStrategy is set + // to prioritized, the same priority is applied when fulfilling On-Demand capacity. AllocationStrategy *string `locationName:"allocationStrategy" type:"string" enum:"AllocationStrategy"` // A unique, case-sensitive identifier that you provide to ensure the idempotency @@ -108753,8 +113983,8 @@ type SpotMarketOptions struct { MaxPrice *string `type:"string"` // The Spot Instance request type. For RunInstances (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances), - // persistent Spot Instance requests are only supported when InstanceInterruptionBehavior - // is set to either hibernate or stop. + // persistent Spot Instance requests are only supported when the instance interruption + // behavior is either hibernate or stop. SpotInstanceType *string `type:"string" enum:"SpotInstanceType"` // The end date of the request, in UTC format (YYYY-MM-DDTHH:MM:SSZ). Supported @@ -108823,9 +114053,16 @@ type SpotOptions struct { // If the allocation strategy is diversified, EC2 Fleet launches instances from // all of the Spot Instance pools that you specify. // - // If the allocation strategy is capacity-optimized, EC2 Fleet launches instances - // from Spot Instance pools with optimal capacity for the number of instances - // that are launching. + // If the allocation strategy is capacity-optimized (recommended), EC2 Fleet + // launches instances from Spot Instance pools with optimal capacity for the + // number of instances that are launching. To give certain instance types a + // higher chance of launching first, use capacity-optimized-prioritized. Set + // a priority for each instance type by using the Priority parameter for LaunchTemplateOverrides. + // You can assign the same priority to different LaunchTemplateOverrides. EC2 + // implements the priorities on a best-effort basis, but optimizes for capacity + // first. capacity-optimized-prioritized is supported only if your fleet uses + // a launch template. Note that if the On-Demand AllocationStrategy is set to + // prioritized, the same priority is applied when fulfilling On-Demand capacity. AllocationStrategy *string `locationName:"allocationStrategy" type:"string" enum:"SpotAllocationStrategy"` // The behavior when a Spot Instance is interrupted. The default is terminate. @@ -108929,9 +114166,16 @@ type SpotOptionsRequest struct { // If the allocation strategy is diversified, EC2 Fleet launches instances from // all of the Spot Instance pools that you specify. // - // If the allocation strategy is capacity-optimized, EC2 Fleet launches instances - // from Spot Instance pools with optimal capacity for the number of instances - // that are launching. + // If the allocation strategy is capacity-optimized (recommended), EC2 Fleet + // launches instances from Spot Instance pools with optimal capacity for the + // number of instances that are launching. To give certain instance types a + // higher chance of launching first, use capacity-optimized-prioritized. Set + // a priority for each instance type by using the Priority parameter for LaunchTemplateOverrides. + // You can assign the same priority to different LaunchTemplateOverrides. EC2 + // implements the priorities on a best-effort basis, but optimizes for capacity + // first. capacity-optimized-prioritized is supported only if your fleet uses + // a launch template. Note that if the On-Demand AllocationStrategy is set to + // prioritized, the same priority is applied when fulfilling On-Demand capacity. AllocationStrategy *string `type:"string" enum:"SpotAllocationStrategy"` // The behavior when a Spot Instance is interrupted. The default is terminate. @@ -109353,6 +114597,107 @@ func (s *StartInstancesOutput) SetStartingInstances(v []*InstanceStateChange) *S return s } +type StartNetworkInsightsAnalysisInput struct { + _ struct{} `type:"structure"` + + // Unique, case-sensitive identifier that you provide to ensure the idempotency + // of the request. For more information, see How to Ensure Idempotency (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html). + ClientToken *string `type:"string" idempotencyToken:"true"` + + // Checks whether you have the required permissions for the action, without + // actually making the request, and provides an error response. If you have + // the required permissions, the error response is DryRunOperation. Otherwise, + // it is UnauthorizedOperation. + DryRun *bool `type:"boolean"` + + // The Amazon Resource Names (ARN) of the resources that the path must traverse. + FilterInArns []*string `locationName:"FilterInArn" locationNameList:"item" type:"list"` + + // The ID of the path. + // + // NetworkInsightsPathId is a required field + NetworkInsightsPathId *string `type:"string" required:"true"` + + // The tags to apply. + TagSpecifications []*TagSpecification `locationName:"TagSpecification" locationNameList:"item" type:"list"` +} + +// String returns the string representation +func (s StartNetworkInsightsAnalysisInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s StartNetworkInsightsAnalysisInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *StartNetworkInsightsAnalysisInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "StartNetworkInsightsAnalysisInput"} + if s.NetworkInsightsPathId == nil { + invalidParams.Add(request.NewErrParamRequired("NetworkInsightsPathId")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetClientToken sets the ClientToken field's value. +func (s *StartNetworkInsightsAnalysisInput) SetClientToken(v string) *StartNetworkInsightsAnalysisInput { + s.ClientToken = &v + return s +} + +// SetDryRun sets the DryRun field's value. +func (s *StartNetworkInsightsAnalysisInput) SetDryRun(v bool) *StartNetworkInsightsAnalysisInput { + s.DryRun = &v + return s +} + +// SetFilterInArns sets the FilterInArns field's value. +func (s *StartNetworkInsightsAnalysisInput) SetFilterInArns(v []*string) *StartNetworkInsightsAnalysisInput { + s.FilterInArns = v + return s +} + +// SetNetworkInsightsPathId sets the NetworkInsightsPathId field's value. +func (s *StartNetworkInsightsAnalysisInput) SetNetworkInsightsPathId(v string) *StartNetworkInsightsAnalysisInput { + s.NetworkInsightsPathId = &v + return s +} + +// SetTagSpecifications sets the TagSpecifications field's value. +func (s *StartNetworkInsightsAnalysisInput) SetTagSpecifications(v []*TagSpecification) *StartNetworkInsightsAnalysisInput { + s.TagSpecifications = v + return s +} + +type StartNetworkInsightsAnalysisOutput struct { + _ struct{} `type:"structure"` + + // Information about the network insights analysis. + NetworkInsightsAnalysis *NetworkInsightsAnalysis `locationName:"networkInsightsAnalysis" type:"structure"` +} + +// String returns the string representation +func (s StartNetworkInsightsAnalysisOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s StartNetworkInsightsAnalysisOutput) GoString() string { + return s.String() +} + +// SetNetworkInsightsAnalysis sets the NetworkInsightsAnalysis field's value. +func (s *StartNetworkInsightsAnalysisOutput) SetNetworkInsightsAnalysis(v *NetworkInsightsAnalysis) *StartNetworkInsightsAnalysisOutput { + s.NetworkInsightsAnalysis = v + return s +} + type StartVpcEndpointServicePrivateDnsVerificationInput struct { _ struct{} `type:"structure"` @@ -109517,7 +114862,7 @@ type StopInstancesInput struct { // Hibernates the instance if the instance was enabled for hibernation at launch. // If the instance cannot hibernate successfully, a normal shutdown occurs. // For more information, see Hibernate your instance (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Hibernate.html) - // in the Amazon Elastic Compute Cloud User Guide. + // in the Amazon EC2 User Guide. // // Default: false Hibernate *bool `type:"boolean"` @@ -110081,16 +115426,18 @@ type TagSpecification struct { // The type of resource to tag. Currently, the resource types that support tagging // on creation are: capacity-reservation | carrier-gateway | client-vpn-endpoint - // | customer-gateway | dedicated-host | dhcp-options | export-image-task | - // export-instance-task | fleet | fpga-image | host-reservation | import-image-task - // | import-snapshot-task | instance | internet-gateway | ipv4pool-ec2 | ipv6pool-ec2 - // | key-pair | launch-template | placement-group | prefix-list | natgateway - // | network-acl | route-table | security-group | spot-fleet-request | spot-instances-request + // | customer-gateway | dedicated-host | dhcp-options | egress-only-internet-gateway + // | elastic-ip | elastic-gpu | export-image-task | export-instance-task | fleet + // | fpga-image | host-reservation | image| import-image-task | import-snapshot-task + // | instance | internet-gateway | ipv4pool-ec2 | ipv6pool-ec2 | key-pair | + // launch-template | local-gateway-route-table-vpc-association | placement-group + // | prefix-list | natgateway | network-acl | network-interface | reserved-instances + // |route-table | security-group| snapshot | spot-fleet-request | spot-instances-request // | snapshot | subnet | traffic-mirror-filter | traffic-mirror-session | traffic-mirror-target - // | transit-gateway | transit-gateway-attachment | transit-gateway-route-table - // | volume |vpc | vpc-peering-connection | vpc-endpoint (for interface and - // gateway endpoints) | vpc-endpoint-service (for AWS PrivateLink) | vpc-flow-log - // | vpn-connection | vpn-gateway. + // | transit-gateway | transit-gateway-attachment | transit-gateway-multicast-domain + // | transit-gateway-route-table | volume |vpc | vpc-peering-connection | vpc-endpoint + // (for interface and gateway endpoints) | vpc-endpoint-service (for AWS PrivateLink) + // | vpc-flow-log | vpn-connection | vpn-gateway. // // To tag a resource after it has been created, see CreateTags (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html). ResourceType *string `locationName:"resourceType" type:"string" enum:"ResourceType"` @@ -110135,7 +115482,7 @@ func (s *TagSpecification) SetTags(v []*Tag) *TagSpecification { // you're willing to pay is reached, the fleet stops launching instances even // if it hasn’t met the target capacity. The MaxTotalPrice parameters are // located in OnDemandOptions (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_OnDemandOptions.html) -// and SpotOptions (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_SpotOptions) +// and SpotOptions (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_SpotOptions). type TargetCapacitySpecification struct { _ struct{} `type:"structure"` @@ -111479,6 +116826,66 @@ func (s *TransitGatewayAttachmentAssociation) SetTransitGatewayRouteTableId(v st return s } +// The BGP configuration information. +type TransitGatewayAttachmentBgpConfiguration struct { + _ struct{} `type:"structure"` + + // The BGP status. + BgpStatus *string `locationName:"bgpStatus" type:"string" enum:"BgpStatus"` + + // The interior BGP peer IP address for the appliance. + PeerAddress *string `locationName:"peerAddress" type:"string"` + + // The peer Autonomous System Number (ASN). + PeerAsn *int64 `locationName:"peerAsn" type:"long"` + + // The interior BGP peer IP address for the transit gateway. + TransitGatewayAddress *string `locationName:"transitGatewayAddress" type:"string"` + + // The transit gateway Autonomous System Number (ASN). + TransitGatewayAsn *int64 `locationName:"transitGatewayAsn" type:"long"` +} + +// String returns the string representation +func (s TransitGatewayAttachmentBgpConfiguration) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s TransitGatewayAttachmentBgpConfiguration) GoString() string { + return s.String() +} + +// SetBgpStatus sets the BgpStatus field's value. +func (s *TransitGatewayAttachmentBgpConfiguration) SetBgpStatus(v string) *TransitGatewayAttachmentBgpConfiguration { + s.BgpStatus = &v + return s +} + +// SetPeerAddress sets the PeerAddress field's value. +func (s *TransitGatewayAttachmentBgpConfiguration) SetPeerAddress(v string) *TransitGatewayAttachmentBgpConfiguration { + s.PeerAddress = &v + return s +} + +// SetPeerAsn sets the PeerAsn field's value. +func (s *TransitGatewayAttachmentBgpConfiguration) SetPeerAsn(v int64) *TransitGatewayAttachmentBgpConfiguration { + s.PeerAsn = &v + return s +} + +// SetTransitGatewayAddress sets the TransitGatewayAddress field's value. +func (s *TransitGatewayAttachmentBgpConfiguration) SetTransitGatewayAddress(v string) *TransitGatewayAttachmentBgpConfiguration { + s.TransitGatewayAddress = &v + return s +} + +// SetTransitGatewayAsn sets the TransitGatewayAsn field's value. +func (s *TransitGatewayAttachmentBgpConfiguration) SetTransitGatewayAsn(v int64) *TransitGatewayAttachmentBgpConfiguration { + s.TransitGatewayAsn = &v + return s +} + // Describes a propagation route table. type TransitGatewayAttachmentPropagation struct { _ struct{} `type:"structure"` @@ -111512,6 +116919,261 @@ func (s *TransitGatewayAttachmentPropagation) SetTransitGatewayRouteTableId(v st return s } +// Describes a transit gateway Connect attachment. +type TransitGatewayConnect struct { + _ struct{} `type:"structure"` + + // The creation time. + CreationTime *time.Time `locationName:"creationTime" type:"timestamp"` + + // The Connect attachment options. + Options *TransitGatewayConnectOptions `locationName:"options" type:"structure"` + + // The state of the attachment. + State *string `locationName:"state" type:"string" enum:"TransitGatewayAttachmentState"` + + // The tags for the attachment. + Tags []*Tag `locationName:"tagSet" locationNameList:"item" type:"list"` + + // The ID of the Connect attachment. + TransitGatewayAttachmentId *string `locationName:"transitGatewayAttachmentId" type:"string"` + + // The ID of the transit gateway. + TransitGatewayId *string `locationName:"transitGatewayId" type:"string"` + + // The ID of the attachment from which the Connect attachment was created. + TransportTransitGatewayAttachmentId *string `locationName:"transportTransitGatewayAttachmentId" type:"string"` +} + +// String returns the string representation +func (s TransitGatewayConnect) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s TransitGatewayConnect) GoString() string { + return s.String() +} + +// SetCreationTime sets the CreationTime field's value. +func (s *TransitGatewayConnect) SetCreationTime(v time.Time) *TransitGatewayConnect { + s.CreationTime = &v + return s +} + +// SetOptions sets the Options field's value. +func (s *TransitGatewayConnect) SetOptions(v *TransitGatewayConnectOptions) *TransitGatewayConnect { + s.Options = v + return s +} + +// SetState sets the State field's value. +func (s *TransitGatewayConnect) SetState(v string) *TransitGatewayConnect { + s.State = &v + return s +} + +// SetTags sets the Tags field's value. +func (s *TransitGatewayConnect) SetTags(v []*Tag) *TransitGatewayConnect { + s.Tags = v + return s +} + +// SetTransitGatewayAttachmentId sets the TransitGatewayAttachmentId field's value. +func (s *TransitGatewayConnect) SetTransitGatewayAttachmentId(v string) *TransitGatewayConnect { + s.TransitGatewayAttachmentId = &v + return s +} + +// SetTransitGatewayId sets the TransitGatewayId field's value. +func (s *TransitGatewayConnect) SetTransitGatewayId(v string) *TransitGatewayConnect { + s.TransitGatewayId = &v + return s +} + +// SetTransportTransitGatewayAttachmentId sets the TransportTransitGatewayAttachmentId field's value. +func (s *TransitGatewayConnect) SetTransportTransitGatewayAttachmentId(v string) *TransitGatewayConnect { + s.TransportTransitGatewayAttachmentId = &v + return s +} + +// Describes the Connect attachment options. +type TransitGatewayConnectOptions struct { + _ struct{} `type:"structure"` + + // The tunnel protocol. + Protocol *string `locationName:"protocol" type:"string" enum:"ProtocolValue"` +} + +// String returns the string representation +func (s TransitGatewayConnectOptions) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s TransitGatewayConnectOptions) GoString() string { + return s.String() +} + +// SetProtocol sets the Protocol field's value. +func (s *TransitGatewayConnectOptions) SetProtocol(v string) *TransitGatewayConnectOptions { + s.Protocol = &v + return s +} + +// Describes a transit gateway Connect peer. +type TransitGatewayConnectPeer struct { + _ struct{} `type:"structure"` + + // The Connect peer details. + ConnectPeerConfiguration *TransitGatewayConnectPeerConfiguration `locationName:"connectPeerConfiguration" type:"structure"` + + // The creation time. + CreationTime *time.Time `locationName:"creationTime" type:"timestamp"` + + // The state of the Connect peer. + State *string `locationName:"state" type:"string" enum:"TransitGatewayConnectPeerState"` + + // The tags for the Connect peer. + Tags []*Tag `locationName:"tagSet" locationNameList:"item" type:"list"` + + // The ID of the Connect attachment. + TransitGatewayAttachmentId *string `locationName:"transitGatewayAttachmentId" type:"string"` + + // The ID of the Connect peer. + TransitGatewayConnectPeerId *string `locationName:"transitGatewayConnectPeerId" type:"string"` +} + +// String returns the string representation +func (s TransitGatewayConnectPeer) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s TransitGatewayConnectPeer) GoString() string { + return s.String() +} + +// SetConnectPeerConfiguration sets the ConnectPeerConfiguration field's value. +func (s *TransitGatewayConnectPeer) SetConnectPeerConfiguration(v *TransitGatewayConnectPeerConfiguration) *TransitGatewayConnectPeer { + s.ConnectPeerConfiguration = v + return s +} + +// SetCreationTime sets the CreationTime field's value. +func (s *TransitGatewayConnectPeer) SetCreationTime(v time.Time) *TransitGatewayConnectPeer { + s.CreationTime = &v + return s +} + +// SetState sets the State field's value. +func (s *TransitGatewayConnectPeer) SetState(v string) *TransitGatewayConnectPeer { + s.State = &v + return s +} + +// SetTags sets the Tags field's value. +func (s *TransitGatewayConnectPeer) SetTags(v []*Tag) *TransitGatewayConnectPeer { + s.Tags = v + return s +} + +// SetTransitGatewayAttachmentId sets the TransitGatewayAttachmentId field's value. +func (s *TransitGatewayConnectPeer) SetTransitGatewayAttachmentId(v string) *TransitGatewayConnectPeer { + s.TransitGatewayAttachmentId = &v + return s +} + +// SetTransitGatewayConnectPeerId sets the TransitGatewayConnectPeerId field's value. +func (s *TransitGatewayConnectPeer) SetTransitGatewayConnectPeerId(v string) *TransitGatewayConnectPeer { + s.TransitGatewayConnectPeerId = &v + return s +} + +// Describes the Connect peer details. +type TransitGatewayConnectPeerConfiguration struct { + _ struct{} `type:"structure"` + + // The BGP configuration details. + BgpConfigurations []*TransitGatewayAttachmentBgpConfiguration `locationName:"bgpConfigurations" locationNameList:"item" type:"list"` + + // The range of interior BGP peer IP addresses. + InsideCidrBlocks []*string `locationName:"insideCidrBlocks" locationNameList:"item" type:"list"` + + // The Connect peer IP address on the appliance side of the tunnel. + PeerAddress *string `locationName:"peerAddress" type:"string"` + + // The tunnel protocol. + Protocol *string `locationName:"protocol" type:"string" enum:"ProtocolValue"` + + // The Connect peer IP address on the transit gateway side of the tunnel. + TransitGatewayAddress *string `locationName:"transitGatewayAddress" type:"string"` +} + +// String returns the string representation +func (s TransitGatewayConnectPeerConfiguration) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s TransitGatewayConnectPeerConfiguration) GoString() string { + return s.String() +} + +// SetBgpConfigurations sets the BgpConfigurations field's value. +func (s *TransitGatewayConnectPeerConfiguration) SetBgpConfigurations(v []*TransitGatewayAttachmentBgpConfiguration) *TransitGatewayConnectPeerConfiguration { + s.BgpConfigurations = v + return s +} + +// SetInsideCidrBlocks sets the InsideCidrBlocks field's value. +func (s *TransitGatewayConnectPeerConfiguration) SetInsideCidrBlocks(v []*string) *TransitGatewayConnectPeerConfiguration { + s.InsideCidrBlocks = v + return s +} + +// SetPeerAddress sets the PeerAddress field's value. +func (s *TransitGatewayConnectPeerConfiguration) SetPeerAddress(v string) *TransitGatewayConnectPeerConfiguration { + s.PeerAddress = &v + return s +} + +// SetProtocol sets the Protocol field's value. +func (s *TransitGatewayConnectPeerConfiguration) SetProtocol(v string) *TransitGatewayConnectPeerConfiguration { + s.Protocol = &v + return s +} + +// SetTransitGatewayAddress sets the TransitGatewayAddress field's value. +func (s *TransitGatewayConnectPeerConfiguration) SetTransitGatewayAddress(v string) *TransitGatewayConnectPeerConfiguration { + s.TransitGatewayAddress = &v + return s +} + +// The BGP options for the Connect attachment. +type TransitGatewayConnectRequestBgpOptions struct { + _ struct{} `type:"structure"` + + // The peer Autonomous System Number (ASN). + PeerAsn *int64 `type:"long"` +} + +// String returns the string representation +func (s TransitGatewayConnectRequestBgpOptions) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s TransitGatewayConnectRequestBgpOptions) GoString() string { + return s.String() +} + +// SetPeerAsn sets the PeerAsn field's value. +func (s *TransitGatewayConnectRequestBgpOptions) SetPeerAsn(v int64) *TransitGatewayConnectRequestBgpOptions { + s.PeerAsn = &v + return s +} + // Describes the deregistered transit gateway multicast group members. type TransitGatewayMulticastDeregisteredGroupMembers struct { _ struct{} `type:"structure"` @@ -111603,6 +117265,12 @@ type TransitGatewayMulticastDomain struct { // The time the transit gateway multicast domain was created. CreationTime *time.Time `locationName:"creationTime" type:"timestamp"` + // The options for the transit gateway multicast domain. + Options *TransitGatewayMulticastDomainOptions `locationName:"options" type:"structure"` + + // The ID of the AWS account that owns the transit gateway multiicast domain. + OwnerId *string `locationName:"ownerId" type:"string"` + // The state of the transit gateway multicast domain. State *string `locationName:"state" type:"string" enum:"TransitGatewayMulticastDomainState"` @@ -111612,6 +117280,9 @@ type TransitGatewayMulticastDomain struct { // The ID of the transit gateway. TransitGatewayId *string `locationName:"transitGatewayId" type:"string"` + // The Amazon Resource Name (ARN) of the transit gateway multicast domain. + TransitGatewayMulticastDomainArn *string `locationName:"transitGatewayMulticastDomainArn" type:"string"` + // The ID of the transit gateway multicast domain. TransitGatewayMulticastDomainId *string `locationName:"transitGatewayMulticastDomainId" type:"string"` } @@ -111632,6 +117303,18 @@ func (s *TransitGatewayMulticastDomain) SetCreationTime(v time.Time) *TransitGat return s } +// SetOptions sets the Options field's value. +func (s *TransitGatewayMulticastDomain) SetOptions(v *TransitGatewayMulticastDomainOptions) *TransitGatewayMulticastDomain { + s.Options = v + return s +} + +// SetOwnerId sets the OwnerId field's value. +func (s *TransitGatewayMulticastDomain) SetOwnerId(v string) *TransitGatewayMulticastDomain { + s.OwnerId = &v + return s +} + // SetState sets the State field's value. func (s *TransitGatewayMulticastDomain) SetState(v string) *TransitGatewayMulticastDomain { s.State = &v @@ -111650,6 +117333,12 @@ func (s *TransitGatewayMulticastDomain) SetTransitGatewayId(v string) *TransitGa return s } +// SetTransitGatewayMulticastDomainArn sets the TransitGatewayMulticastDomainArn field's value. +func (s *TransitGatewayMulticastDomain) SetTransitGatewayMulticastDomainArn(v string) *TransitGatewayMulticastDomain { + s.TransitGatewayMulticastDomainArn = &v + return s +} + // SetTransitGatewayMulticastDomainId sets the TransitGatewayMulticastDomainId field's value. func (s *TransitGatewayMulticastDomain) SetTransitGatewayMulticastDomainId(v string) *TransitGatewayMulticastDomain { s.TransitGatewayMulticastDomainId = &v @@ -111663,6 +117352,10 @@ type TransitGatewayMulticastDomainAssociation struct { // The ID of the resource. ResourceId *string `locationName:"resourceId" type:"string"` + // The ID of the AWS account that owns the transit gateway multicast domain + // association resource. + ResourceOwnerId *string `locationName:"resourceOwnerId" type:"string"` + // The type of resource, for example a VPC attachment. ResourceType *string `locationName:"resourceType" type:"string" enum:"TransitGatewayAttachmentResourceType"` @@ -111689,6 +117382,12 @@ func (s *TransitGatewayMulticastDomainAssociation) SetResourceId(v string) *Tran return s } +// SetResourceOwnerId sets the ResourceOwnerId field's value. +func (s *TransitGatewayMulticastDomainAssociation) SetResourceOwnerId(v string) *TransitGatewayMulticastDomainAssociation { + s.ResourceOwnerId = &v + return s +} + // SetResourceType sets the ResourceType field's value. func (s *TransitGatewayMulticastDomainAssociation) SetResourceType(v string) *TransitGatewayMulticastDomainAssociation { s.ResourceType = &v @@ -111714,6 +117413,9 @@ type TransitGatewayMulticastDomainAssociations struct { // The ID of the resource. ResourceId *string `locationName:"resourceId" type:"string"` + // The ID of the AWS account that owns the resource. + ResourceOwnerId *string `locationName:"resourceOwnerId" type:"string"` + // The type of resource, for example a VPC attachment. ResourceType *string `locationName:"resourceType" type:"string" enum:"TransitGatewayAttachmentResourceType"` @@ -111743,6 +117445,12 @@ func (s *TransitGatewayMulticastDomainAssociations) SetResourceId(v string) *Tra return s } +// SetResourceOwnerId sets the ResourceOwnerId field's value. +func (s *TransitGatewayMulticastDomainAssociations) SetResourceOwnerId(v string) *TransitGatewayMulticastDomainAssociations { + s.ResourceOwnerId = &v + return s +} + // SetResourceType sets the ResourceType field's value. func (s *TransitGatewayMulticastDomainAssociations) SetResourceType(v string) *TransitGatewayMulticastDomainAssociations { s.ResourceType = &v @@ -111767,6 +117475,51 @@ func (s *TransitGatewayMulticastDomainAssociations) SetTransitGatewayMulticastDo return s } +// Describes the options for a transit gateway multicast domain. +type TransitGatewayMulticastDomainOptions struct { + _ struct{} `type:"structure"` + + // Indicates whether to automatically cross-account subnet associations that + // are associated with the transit gateway multicast domain. + AutoAcceptSharedAssociations *string `locationName:"autoAcceptSharedAssociations" type:"string" enum:"AutoAcceptSharedAssociationsValue"` + + // Indicates whether Internet Group Management Protocol (IGMP) version 2 is + // turned on for the transit gateway multicast domain. + Igmpv2Support *string `locationName:"igmpv2Support" type:"string" enum:"Igmpv2SupportValue"` + + // Indicates whether support for statically configuring transit gateway multicast + // group sources is turned on. + StaticSourcesSupport *string `locationName:"staticSourcesSupport" type:"string" enum:"StaticSourcesSupportValue"` +} + +// String returns the string representation +func (s TransitGatewayMulticastDomainOptions) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s TransitGatewayMulticastDomainOptions) GoString() string { + return s.String() +} + +// SetAutoAcceptSharedAssociations sets the AutoAcceptSharedAssociations field's value. +func (s *TransitGatewayMulticastDomainOptions) SetAutoAcceptSharedAssociations(v string) *TransitGatewayMulticastDomainOptions { + s.AutoAcceptSharedAssociations = &v + return s +} + +// SetIgmpv2Support sets the Igmpv2Support field's value. +func (s *TransitGatewayMulticastDomainOptions) SetIgmpv2Support(v string) *TransitGatewayMulticastDomainOptions { + s.Igmpv2Support = &v + return s +} + +// SetStaticSourcesSupport sets the StaticSourcesSupport field's value. +func (s *TransitGatewayMulticastDomainOptions) SetStaticSourcesSupport(v string) *TransitGatewayMulticastDomainOptions { + s.StaticSourcesSupport = &v + return s +} + // Describes the transit gateway multicast group resources. type TransitGatewayMulticastGroup struct { _ struct{} `type:"structure"` @@ -111789,6 +117542,10 @@ type TransitGatewayMulticastGroup struct { // The ID of the resource. ResourceId *string `locationName:"resourceId" type:"string"` + // The ID of the AWS account that owns the transit gateway multicast domain + // group resource. + ResourceOwnerId *string `locationName:"resourceOwnerId" type:"string"` + // The type of resource, for example a VPC attachment. ResourceType *string `locationName:"resourceType" type:"string" enum:"TransitGatewayAttachmentResourceType"` @@ -111848,6 +117605,12 @@ func (s *TransitGatewayMulticastGroup) SetResourceId(v string) *TransitGatewayMu return s } +// SetResourceOwnerId sets the ResourceOwnerId field's value. +func (s *TransitGatewayMulticastGroup) SetResourceOwnerId(v string) *TransitGatewayMulticastGroup { + s.ResourceOwnerId = &v + return s +} + // SetResourceType sets the ResourceType field's value. func (s *TransitGatewayMulticastGroup) SetResourceType(v string) *TransitGatewayMulticastGroup { s.ResourceType = &v @@ -111989,6 +117752,9 @@ type TransitGatewayOptions struct { // The ID of the default propagation route table. PropagationDefaultRouteTableId *string `locationName:"propagationDefaultRouteTableId" type:"string"` + // The transit gateway CIDR blocks. + TransitGatewayCidrBlocks []*string `locationName:"transitGatewayCidrBlocks" locationNameList:"item" type:"list"` + // Indicates whether Equal Cost Multipath Protocol support is enabled. VpnEcmpSupport *string `locationName:"vpnEcmpSupport" type:"string" enum:"VpnEcmpSupportValue"` } @@ -112051,6 +117817,12 @@ func (s *TransitGatewayOptions) SetPropagationDefaultRouteTableId(v string) *Tra return s } +// SetTransitGatewayCidrBlocks sets the TransitGatewayCidrBlocks field's value. +func (s *TransitGatewayOptions) SetTransitGatewayCidrBlocks(v []*string) *TransitGatewayOptions { + s.TransitGatewayCidrBlocks = v + return s +} + // SetVpnEcmpSupport sets the VpnEcmpSupport field's value. func (s *TransitGatewayOptions) SetVpnEcmpSupport(v string) *TransitGatewayOptions { s.VpnEcmpSupport = &v @@ -112334,6 +118106,11 @@ type TransitGatewayRequestOptions struct { // Indicates whether multicast is enabled on the transit gateway MulticastSupport *string `type:"string" enum:"MulticastSupportValue"` + // One or more IPv4 or IPv6 CIDR blocks for the transit gateway. Must be a size + // /24 CIDR block or larger for IPv4, or a size /64 CIDR block or larger for + // IPv6. + TransitGatewayCidrBlocks []*string `locationNameList:"item" type:"list"` + // Enable or disable Equal Cost Multipath Protocol support. Enabled by default. VpnEcmpSupport *string `type:"string" enum:"VpnEcmpSupportValue"` } @@ -112384,6 +118161,12 @@ func (s *TransitGatewayRequestOptions) SetMulticastSupport(v string) *TransitGat return s } +// SetTransitGatewayCidrBlocks sets the TransitGatewayCidrBlocks field's value. +func (s *TransitGatewayRequestOptions) SetTransitGatewayCidrBlocks(v []*string) *TransitGatewayRequestOptions { + s.TransitGatewayCidrBlocks = v + return s +} + // SetVpnEcmpSupport sets the VpnEcmpSupport field's value. func (s *TransitGatewayRequestOptions) SetVpnEcmpSupport(v string) *TransitGatewayRequestOptions { s.VpnEcmpSupport = &v @@ -113953,22 +119736,10 @@ type Volume struct { // Indicates whether the volume was created using fast snapshot restore. FastRestored *bool `locationName:"fastRestored" type:"boolean"` - // The number of I/O operations per second (IOPS) that the volume supports. - // For Provisioned IOPS SSD volumes, this represents the number of IOPS that - // are provisioned for the volume. For General Purpose SSD volumes, this represents - // the baseline performance of the volume and the rate at which the volume accumulates - // I/O credits for bursting. For more information, see Amazon EBS volume types - // (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html) - // in the Amazon Elastic Compute Cloud User Guide. - // - // Constraints: Range is 100-16,000 IOPS for gp2 volumes and 100 to 64,000 IOPS - // for io1 and io2 volumes, in most Regions. The maximum IOPS for io1 and io2 - // of 64,000 is guaranteed only on Nitro-based instances (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances). - // Other instance families guarantee performance up to 32,000 IOPS. - // - // Condition: This parameter is required for requests to create io1 and io2 - // volumes; it is not used in requests to create gp2, st1, sc1, or standard - // volumes. + // The number of I/O operations per second (IOPS). For gp3, io1, and io2 volumes, + // this represents the number of IOPS that are provisioned for the volume. For + // gp2 volumes, this represents the baseline performance of the volume and the + // rate at which the volume accumulates I/O credits for bursting. Iops *int64 `locationName:"iops" type:"integer"` // The Amazon Resource Name (ARN) of the AWS Key Management Service (AWS KMS) @@ -113994,12 +119765,13 @@ type Volume struct { // Any tags assigned to the volume. Tags []*Tag `locationName:"tagSet" locationNameList:"item" type:"list"` + // The throughput that the volume supports, in MiB/s. + Throughput *int64 `locationName:"throughput" type:"integer"` + // The ID of the volume. VolumeId *string `locationName:"volumeId" type:"string"` - // The volume type. This can be gp2 for General Purpose SSD, io1 or io2 for - // Provisioned IOPS SSD, st1 for Throughput Optimized HDD, sc1 for Cold HDD, - // or standard for Magnetic volumes. + // The volume type. VolumeType *string `locationName:"volumeType" type:"string" enum:"VolumeType"` } @@ -114091,6 +119863,12 @@ func (s *Volume) SetTags(v []*Tag) *Volume { return s } +// SetThroughput sets the Throughput field's value. +func (s *Volume) SetThroughput(v int64) *Volume { + s.Throughput = &v + return s +} + // SetVolumeId sets the VolumeId field's value. func (s *Volume) SetVolumeId(v string) *Volume { s.VolumeId = &v @@ -114227,9 +120005,15 @@ type VolumeModification struct { // The original IOPS rate of the volume. OriginalIops *int64 `locationName:"originalIops" type:"integer"` + // The original setting for Amazon EBS Multi-Attach. + OriginalMultiAttachEnabled *bool `locationName:"originalMultiAttachEnabled" type:"boolean"` + // The original size of the volume, in GiB. OriginalSize *int64 `locationName:"originalSize" type:"integer"` + // The original throughput of the volume, in MiB/s. + OriginalThroughput *int64 `locationName:"originalThroughput" type:"integer"` + // The original EBS volume type of the volume. OriginalVolumeType *string `locationName:"originalVolumeType" type:"string" enum:"VolumeType"` @@ -114245,9 +120029,15 @@ type VolumeModification struct { // The target IOPS rate of the volume. TargetIops *int64 `locationName:"targetIops" type:"integer"` + // The target setting for Amazon EBS Multi-Attach. + TargetMultiAttachEnabled *bool `locationName:"targetMultiAttachEnabled" type:"boolean"` + // The target size of the volume, in GiB. TargetSize *int64 `locationName:"targetSize" type:"integer"` + // The target throughput of the volume, in MiB/s. + TargetThroughput *int64 `locationName:"targetThroughput" type:"integer"` + // The target EBS volume type of the volume. TargetVolumeType *string `locationName:"targetVolumeType" type:"string" enum:"VolumeType"` @@ -114283,12 +120073,24 @@ func (s *VolumeModification) SetOriginalIops(v int64) *VolumeModification { return s } +// SetOriginalMultiAttachEnabled sets the OriginalMultiAttachEnabled field's value. +func (s *VolumeModification) SetOriginalMultiAttachEnabled(v bool) *VolumeModification { + s.OriginalMultiAttachEnabled = &v + return s +} + // SetOriginalSize sets the OriginalSize field's value. func (s *VolumeModification) SetOriginalSize(v int64) *VolumeModification { s.OriginalSize = &v return s } +// SetOriginalThroughput sets the OriginalThroughput field's value. +func (s *VolumeModification) SetOriginalThroughput(v int64) *VolumeModification { + s.OriginalThroughput = &v + return s +} + // SetOriginalVolumeType sets the OriginalVolumeType field's value. func (s *VolumeModification) SetOriginalVolumeType(v string) *VolumeModification { s.OriginalVolumeType = &v @@ -114319,12 +120121,24 @@ func (s *VolumeModification) SetTargetIops(v int64) *VolumeModification { return s } +// SetTargetMultiAttachEnabled sets the TargetMultiAttachEnabled field's value. +func (s *VolumeModification) SetTargetMultiAttachEnabled(v bool) *VolumeModification { + s.TargetMultiAttachEnabled = &v + return s +} + // SetTargetSize sets the TargetSize field's value. func (s *VolumeModification) SetTargetSize(v int64) *VolumeModification { s.TargetSize = &v return s } +// SetTargetThroughput sets the TargetThroughput field's value. +func (s *VolumeModification) SetTargetThroughput(v int64) *VolumeModification { + s.TargetThroughput = &v + return s +} + // SetTargetVolumeType sets the TargetVolumeType field's value. func (s *VolumeModification) SetTargetVolumeType(v string) *VolumeModification { s.TargetVolumeType = &v @@ -115069,6 +120883,9 @@ type VpcEndpointConnection struct { // The DNS entries for the VPC endpoint. DnsEntries []*DnsEntry `locationName:"dnsEntrySet" locationNameList:"item" type:"list"` + // The Amazon Resource Names (ARNs) of the Gateway Load Balancers for the service. + GatewayLoadBalancerArns []*string `locationName:"gatewayLoadBalancerArnSet" locationNameList:"item" type:"list"` + // The Amazon Resource Names (ARNs) of the network load balancers for the service. NetworkLoadBalancerArns []*string `locationName:"networkLoadBalancerArnSet" locationNameList:"item" type:"list"` @@ -115107,6 +120924,12 @@ func (s *VpcEndpointConnection) SetDnsEntries(v []*DnsEntry) *VpcEndpointConnect return s } +// SetGatewayLoadBalancerArns sets the GatewayLoadBalancerArns field's value. +func (s *VpcEndpointConnection) SetGatewayLoadBalancerArns(v []*string) *VpcEndpointConnection { + s.GatewayLoadBalancerArns = v + return s +} + // SetNetworkLoadBalancerArns sets the NetworkLoadBalancerArns field's value. func (s *VpcEndpointConnection) SetNetworkLoadBalancerArns(v []*string) *VpcEndpointConnection { s.NetworkLoadBalancerArns = v @@ -116241,6 +122064,18 @@ func ActivityStatus_Values() []string { } } +const ( + // AddressAttributeNameDomainName is a AddressAttributeName enum value + AddressAttributeNameDomainName = "domain-name" +) + +// AddressAttributeName_Values returns all elements of the AddressAttributeName enum +func AddressAttributeName_Values() []string { + return []string{ + AddressAttributeNameDomainName, + } +} + const ( // AffinityDefault is a Affinity enum value AffinityDefault = "default" @@ -116298,6 +122133,9 @@ const ( // AllocationStrategyCapacityOptimized is a AllocationStrategy enum value AllocationStrategyCapacityOptimized = "capacityOptimized" + + // AllocationStrategyCapacityOptimizedPrioritized is a AllocationStrategy enum value + AllocationStrategyCapacityOptimizedPrioritized = "capacityOptimizedPrioritized" ) // AllocationStrategy_Values returns all elements of the AllocationStrategy enum @@ -116306,6 +122144,7 @@ func AllocationStrategy_Values() []string { AllocationStrategyLowestPrice, AllocationStrategyDiversified, AllocationStrategyCapacityOptimized, + AllocationStrategyCapacityOptimizedPrioritized, } } @@ -116325,6 +122164,26 @@ func AllowsMultipleInstanceTypes_Values() []string { } } +const ( + // AnalysisStatusRunning is a AnalysisStatus enum value + AnalysisStatusRunning = "running" + + // AnalysisStatusSucceeded is a AnalysisStatus enum value + AnalysisStatusSucceeded = "succeeded" + + // AnalysisStatusFailed is a AnalysisStatus enum value + AnalysisStatusFailed = "failed" +) + +// AnalysisStatus_Values returns all elements of the AnalysisStatus enum +func AnalysisStatus_Values() []string { + return []string{ + AnalysisStatusRunning, + AnalysisStatusSucceeded, + AnalysisStatusFailed, + } +} + const ( // ApplianceModeSupportValueEnable is a ApplianceModeSupportValue enum value ApplianceModeSupportValueEnable = "enable" @@ -116445,6 +122304,22 @@ func AttachmentStatus_Values() []string { } } +const ( + // AutoAcceptSharedAssociationsValueEnable is a AutoAcceptSharedAssociationsValue enum value + AutoAcceptSharedAssociationsValueEnable = "enable" + + // AutoAcceptSharedAssociationsValueDisable is a AutoAcceptSharedAssociationsValue enum value + AutoAcceptSharedAssociationsValueDisable = "disable" +) + +// AutoAcceptSharedAssociationsValue_Values returns all elements of the AutoAcceptSharedAssociationsValue enum +func AutoAcceptSharedAssociationsValue_Values() []string { + return []string{ + AutoAcceptSharedAssociationsValueEnable, + AutoAcceptSharedAssociationsValueDisable, + } +} + const ( // AutoAcceptSharedAttachmentsValueEnable is a AutoAcceptSharedAttachmentsValue enum value AutoAcceptSharedAttachmentsValueEnable = "enable" @@ -116557,6 +122432,54 @@ func BatchState_Values() []string { } } +const ( + // BgpStatusUp is a BgpStatus enum value + BgpStatusUp = "up" + + // BgpStatusDown is a BgpStatus enum value + BgpStatusDown = "down" +) + +// BgpStatus_Values returns all elements of the BgpStatus enum +func BgpStatus_Values() []string { + return []string{ + BgpStatusUp, + BgpStatusDown, + } +} + +const ( + // BootModeTypeLegacyBios is a BootModeType enum value + BootModeTypeLegacyBios = "legacy-bios" + + // BootModeTypeUefi is a BootModeType enum value + BootModeTypeUefi = "uefi" +) + +// BootModeType_Values returns all elements of the BootModeType enum +func BootModeType_Values() []string { + return []string{ + BootModeTypeLegacyBios, + BootModeTypeUefi, + } +} + +const ( + // BootModeValuesLegacyBios is a BootModeValues enum value + BootModeValuesLegacyBios = "legacy-bios" + + // BootModeValuesUefi is a BootModeValues enum value + BootModeValuesUefi = "uefi" +) + +// BootModeValues_Values returns all elements of the BootModeValues enum +func BootModeValues_Values() []string { + return []string{ + BootModeValuesLegacyBios, + BootModeValuesUefi, + } +} + const ( // BundleTaskStatePending is a BundleTaskState enum value BundleTaskStatePending = "pending" @@ -117873,6 +123796,22 @@ func IamInstanceProfileAssociationState_Values() []string { } } +const ( + // Igmpv2SupportValueEnable is a Igmpv2SupportValue enum value + Igmpv2SupportValueEnable = "enable" + + // Igmpv2SupportValueDisable is a Igmpv2SupportValue enum value + Igmpv2SupportValueDisable = "disable" +) + +// Igmpv2SupportValue_Values returns all elements of the Igmpv2SupportValue enum +func Igmpv2SupportValue_Values() []string { + return []string{ + Igmpv2SupportValueEnable, + Igmpv2SupportValueDisable, + } +} + const ( // ImageAttributeNameDescription is a ImageAttributeName enum value ImageAttributeNameDescription = "description" @@ -117894,6 +123833,9 @@ const ( // ImageAttributeNameSriovNetSupport is a ImageAttributeName enum value ImageAttributeNameSriovNetSupport = "sriovNetSupport" + + // ImageAttributeNameBootMode is a ImageAttributeName enum value + ImageAttributeNameBootMode = "bootMode" ) // ImageAttributeName_Values returns all elements of the ImageAttributeName enum @@ -117906,6 +123848,7 @@ func ImageAttributeName_Values() []string { ImageAttributeNameProductCodes, ImageAttributeNameBlockDeviceMapping, ImageAttributeNameSriovNetSupport, + ImageAttributeNameBootMode, } } @@ -118407,6 +124350,33 @@ const ( // InstanceTypeR5a24xlarge is a InstanceType enum value InstanceTypeR5a24xlarge = "r5a.24xlarge" + // InstanceTypeR5bLarge is a InstanceType enum value + InstanceTypeR5bLarge = "r5b.large" + + // InstanceTypeR5bXlarge is a InstanceType enum value + InstanceTypeR5bXlarge = "r5b.xlarge" + + // InstanceTypeR5b2xlarge is a InstanceType enum value + InstanceTypeR5b2xlarge = "r5b.2xlarge" + + // InstanceTypeR5b4xlarge is a InstanceType enum value + InstanceTypeR5b4xlarge = "r5b.4xlarge" + + // InstanceTypeR5b8xlarge is a InstanceType enum value + InstanceTypeR5b8xlarge = "r5b.8xlarge" + + // InstanceTypeR5b12xlarge is a InstanceType enum value + InstanceTypeR5b12xlarge = "r5b.12xlarge" + + // InstanceTypeR5b16xlarge is a InstanceType enum value + InstanceTypeR5b16xlarge = "r5b.16xlarge" + + // InstanceTypeR5b24xlarge is a InstanceType enum value + InstanceTypeR5b24xlarge = "r5b.24xlarge" + + // InstanceTypeR5bMetal is a InstanceType enum value + InstanceTypeR5bMetal = "r5b.metal" + // InstanceTypeR5dLarge is a InstanceType enum value InstanceTypeR5dLarge = "r5d.large" @@ -118755,6 +124725,9 @@ const ( // InstanceTypeC5n18xlarge is a InstanceType enum value InstanceTypeC5n18xlarge = "c5n.18xlarge" + // InstanceTypeC5nMetal is a InstanceType enum value + InstanceTypeC5nMetal = "c5n.metal" + // InstanceTypeC6gMetal is a InstanceType enum value InstanceTypeC6gMetal = "c6g.metal" @@ -118809,6 +124782,30 @@ const ( // InstanceTypeC6gd16xlarge is a InstanceType enum value InstanceTypeC6gd16xlarge = "c6gd.16xlarge" + // InstanceTypeC6gnMedium is a InstanceType enum value + InstanceTypeC6gnMedium = "c6gn.medium" + + // InstanceTypeC6gnLarge is a InstanceType enum value + InstanceTypeC6gnLarge = "c6gn.large" + + // InstanceTypeC6gnXlarge is a InstanceType enum value + InstanceTypeC6gnXlarge = "c6gn.xlarge" + + // InstanceTypeC6gn2xlarge is a InstanceType enum value + InstanceTypeC6gn2xlarge = "c6gn.2xlarge" + + // InstanceTypeC6gn4xlarge is a InstanceType enum value + InstanceTypeC6gn4xlarge = "c6gn.4xlarge" + + // InstanceTypeC6gn8xlarge is a InstanceType enum value + InstanceTypeC6gn8xlarge = "c6gn.8xlarge" + + // InstanceTypeC6gn12xlarge is a InstanceType enum value + InstanceTypeC6gn12xlarge = "c6gn.12xlarge" + + // InstanceTypeC6gn16xlarge is a InstanceType enum value + InstanceTypeC6gn16xlarge = "c6gn.16xlarge" + // InstanceTypeCc14xlarge is a InstanceType enum value InstanceTypeCc14xlarge = "cc1.4xlarge" @@ -118833,6 +124830,15 @@ const ( // InstanceTypeG3sXlarge is a InstanceType enum value InstanceTypeG3sXlarge = "g3s.xlarge" + // InstanceTypeG4ad4xlarge is a InstanceType enum value + InstanceTypeG4ad4xlarge = "g4ad.4xlarge" + + // InstanceTypeG4ad8xlarge is a InstanceType enum value + InstanceTypeG4ad8xlarge = "g4ad.8xlarge" + + // InstanceTypeG4ad16xlarge is a InstanceType enum value + InstanceTypeG4ad16xlarge = "g4ad.16xlarge" + // InstanceTypeG4dnXlarge is a InstanceType enum value InstanceTypeG4dnXlarge = "g4dn.xlarge" @@ -118893,6 +124899,36 @@ const ( // InstanceTypeD28xlarge is a InstanceType enum value InstanceTypeD28xlarge = "d2.8xlarge" + // InstanceTypeD3Xlarge is a InstanceType enum value + InstanceTypeD3Xlarge = "d3.xlarge" + + // InstanceTypeD32xlarge is a InstanceType enum value + InstanceTypeD32xlarge = "d3.2xlarge" + + // InstanceTypeD34xlarge is a InstanceType enum value + InstanceTypeD34xlarge = "d3.4xlarge" + + // InstanceTypeD38xlarge is a InstanceType enum value + InstanceTypeD38xlarge = "d3.8xlarge" + + // InstanceTypeD3enXlarge is a InstanceType enum value + InstanceTypeD3enXlarge = "d3en.xlarge" + + // InstanceTypeD3en2xlarge is a InstanceType enum value + InstanceTypeD3en2xlarge = "d3en.2xlarge" + + // InstanceTypeD3en4xlarge is a InstanceType enum value + InstanceTypeD3en4xlarge = "d3en.4xlarge" + + // InstanceTypeD3en6xlarge is a InstanceType enum value + InstanceTypeD3en6xlarge = "d3en.6xlarge" + + // InstanceTypeD3en8xlarge is a InstanceType enum value + InstanceTypeD3en8xlarge = "d3en.8xlarge" + + // InstanceTypeD3en12xlarge is a InstanceType enum value + InstanceTypeD3en12xlarge = "d3en.12xlarge" + // InstanceTypeF12xlarge is a InstanceType enum value InstanceTypeF12xlarge = "f1.2xlarge" @@ -119004,6 +125040,27 @@ const ( // InstanceTypeM5ad24xlarge is a InstanceType enum value InstanceTypeM5ad24xlarge = "m5ad.24xlarge" + // InstanceTypeM5znLarge is a InstanceType enum value + InstanceTypeM5znLarge = "m5zn.large" + + // InstanceTypeM5znXlarge is a InstanceType enum value + InstanceTypeM5znXlarge = "m5zn.xlarge" + + // InstanceTypeM5zn2xlarge is a InstanceType enum value + InstanceTypeM5zn2xlarge = "m5zn.2xlarge" + + // InstanceTypeM5zn3xlarge is a InstanceType enum value + InstanceTypeM5zn3xlarge = "m5zn.3xlarge" + + // InstanceTypeM5zn6xlarge is a InstanceType enum value + InstanceTypeM5zn6xlarge = "m5zn.6xlarge" + + // InstanceTypeM5zn12xlarge is a InstanceType enum value + InstanceTypeM5zn12xlarge = "m5zn.12xlarge" + + // InstanceTypeM5znMetal is a InstanceType enum value + InstanceTypeM5znMetal = "m5zn.metal" + // InstanceTypeH12xlarge is a InstanceType enum value InstanceTypeH12xlarge = "h1.2xlarge" @@ -119231,6 +125288,36 @@ const ( // InstanceTypeM6gd16xlarge is a InstanceType enum value InstanceTypeM6gd16xlarge = "m6gd.16xlarge" + + // InstanceTypeMac1Metal is a InstanceType enum value + InstanceTypeMac1Metal = "mac1.metal" + + // InstanceTypeX2gdMedium is a InstanceType enum value + InstanceTypeX2gdMedium = "x2gd.medium" + + // InstanceTypeX2gdLarge is a InstanceType enum value + InstanceTypeX2gdLarge = "x2gd.large" + + // InstanceTypeX2gdXlarge is a InstanceType enum value + InstanceTypeX2gdXlarge = "x2gd.xlarge" + + // InstanceTypeX2gd2xlarge is a InstanceType enum value + InstanceTypeX2gd2xlarge = "x2gd.2xlarge" + + // InstanceTypeX2gd4xlarge is a InstanceType enum value + InstanceTypeX2gd4xlarge = "x2gd.4xlarge" + + // InstanceTypeX2gd8xlarge is a InstanceType enum value + InstanceTypeX2gd8xlarge = "x2gd.8xlarge" + + // InstanceTypeX2gd12xlarge is a InstanceType enum value + InstanceTypeX2gd12xlarge = "x2gd.12xlarge" + + // InstanceTypeX2gd16xlarge is a InstanceType enum value + InstanceTypeX2gd16xlarge = "x2gd.16xlarge" + + // InstanceTypeX2gdMetal is a InstanceType enum value + InstanceTypeX2gdMetal = "x2gd.metal" ) // InstanceType_Values returns all elements of the InstanceType enum @@ -119311,6 +125398,15 @@ func InstanceType_Values() []string { InstanceTypeR5a12xlarge, InstanceTypeR5a16xlarge, InstanceTypeR5a24xlarge, + InstanceTypeR5bLarge, + InstanceTypeR5bXlarge, + InstanceTypeR5b2xlarge, + InstanceTypeR5b4xlarge, + InstanceTypeR5b8xlarge, + InstanceTypeR5b12xlarge, + InstanceTypeR5b16xlarge, + InstanceTypeR5b24xlarge, + InstanceTypeR5bMetal, InstanceTypeR5dLarge, InstanceTypeR5dXlarge, InstanceTypeR5d2xlarge, @@ -119427,6 +125523,7 @@ func InstanceType_Values() []string { InstanceTypeC5n4xlarge, InstanceTypeC5n9xlarge, InstanceTypeC5n18xlarge, + InstanceTypeC5nMetal, InstanceTypeC6gMetal, InstanceTypeC6gMedium, InstanceTypeC6gLarge, @@ -119445,6 +125542,14 @@ func InstanceType_Values() []string { InstanceTypeC6gd8xlarge, InstanceTypeC6gd12xlarge, InstanceTypeC6gd16xlarge, + InstanceTypeC6gnMedium, + InstanceTypeC6gnLarge, + InstanceTypeC6gnXlarge, + InstanceTypeC6gn2xlarge, + InstanceTypeC6gn4xlarge, + InstanceTypeC6gn8xlarge, + InstanceTypeC6gn12xlarge, + InstanceTypeC6gn16xlarge, InstanceTypeCc14xlarge, InstanceTypeCc28xlarge, InstanceTypeG22xlarge, @@ -119453,6 +125558,9 @@ func InstanceType_Values() []string { InstanceTypeG38xlarge, InstanceTypeG316xlarge, InstanceTypeG3sXlarge, + InstanceTypeG4ad4xlarge, + InstanceTypeG4ad8xlarge, + InstanceTypeG4ad16xlarge, InstanceTypeG4dnXlarge, InstanceTypeG4dn2xlarge, InstanceTypeG4dn4xlarge, @@ -119473,6 +125581,16 @@ func InstanceType_Values() []string { InstanceTypeD22xlarge, InstanceTypeD24xlarge, InstanceTypeD28xlarge, + InstanceTypeD3Xlarge, + InstanceTypeD32xlarge, + InstanceTypeD34xlarge, + InstanceTypeD38xlarge, + InstanceTypeD3enXlarge, + InstanceTypeD3en2xlarge, + InstanceTypeD3en4xlarge, + InstanceTypeD3en6xlarge, + InstanceTypeD3en8xlarge, + InstanceTypeD3en12xlarge, InstanceTypeF12xlarge, InstanceTypeF14xlarge, InstanceTypeF116xlarge, @@ -119510,6 +125628,13 @@ func InstanceType_Values() []string { InstanceTypeM5ad12xlarge, InstanceTypeM5ad16xlarge, InstanceTypeM5ad24xlarge, + InstanceTypeM5znLarge, + InstanceTypeM5znXlarge, + InstanceTypeM5zn2xlarge, + InstanceTypeM5zn3xlarge, + InstanceTypeM5zn6xlarge, + InstanceTypeM5zn12xlarge, + InstanceTypeM5znMetal, InstanceTypeH12xlarge, InstanceTypeH14xlarge, InstanceTypeH18xlarge, @@ -119586,6 +125711,16 @@ func InstanceType_Values() []string { InstanceTypeM6gd8xlarge, InstanceTypeM6gd12xlarge, InstanceTypeM6gd16xlarge, + InstanceTypeMac1Metal, + InstanceTypeX2gdMedium, + InstanceTypeX2gdLarge, + InstanceTypeX2gdXlarge, + InstanceTypeX2gd2xlarge, + InstanceTypeX2gd4xlarge, + InstanceTypeX2gd8xlarge, + InstanceTypeX2gd12xlarge, + InstanceTypeX2gd16xlarge, + InstanceTypeX2gdMetal, } } @@ -120373,6 +126508,34 @@ func ProductCodeValues_Values() []string { } } +const ( + // ProtocolTcp is a Protocol enum value + ProtocolTcp = "tcp" + + // ProtocolUdp is a Protocol enum value + ProtocolUdp = "udp" +) + +// Protocol_Values returns all elements of the Protocol enum +func Protocol_Values() []string { + return []string{ + ProtocolTcp, + ProtocolUdp, + } +} + +const ( + // ProtocolValueGre is a ProtocolValue enum value + ProtocolValueGre = "gre" +) + +// ProtocolValue_Values returns all elements of the ProtocolValue enum +func ProtocolValue_Values() []string { + return []string{ + ProtocolValueGre, + } +} + const ( // RIProductDescriptionLinuxUnix is a RIProductDescription enum value RIProductDescriptionLinuxUnix = "Linux/UNIX" @@ -120631,6 +126794,12 @@ const ( // ResourceTypeNetworkInterface is a ResourceType enum value ResourceTypeNetworkInterface = "network-interface" + // ResourceTypeNetworkInsightsAnalysis is a ResourceType enum value + ResourceTypeNetworkInsightsAnalysis = "network-insights-analysis" + + // ResourceTypeNetworkInsightsPath is a ResourceType enum value + ResourceTypeNetworkInsightsPath = "network-insights-path" + // ResourceTypePlacementGroup is a ResourceType enum value ResourceTypePlacementGroup = "placement-group" @@ -120670,6 +126839,9 @@ const ( // ResourceTypeTransitGatewayAttachment is a ResourceType enum value ResourceTypeTransitGatewayAttachment = "transit-gateway-attachment" + // ResourceTypeTransitGatewayConnectPeer is a ResourceType enum value + ResourceTypeTransitGatewayConnectPeer = "transit-gateway-connect-peer" + // ResourceTypeTransitGatewayMulticastDomain is a ResourceType enum value ResourceTypeTransitGatewayMulticastDomain = "transit-gateway-multicast-domain" @@ -120721,6 +126893,8 @@ func ResourceType_Values() []string { ResourceTypeNatgateway, ResourceTypeNetworkAcl, ResourceTypeNetworkInterface, + ResourceTypeNetworkInsightsAnalysis, + ResourceTypeNetworkInsightsPath, ResourceTypePlacementGroup, ResourceTypeReservedInstances, ResourceTypeRouteTable, @@ -120734,6 +126908,7 @@ func ResourceType_Values() []string { ResourceTypeTrafficMirrorTarget, ResourceTypeTransitGateway, ResourceTypeTransitGatewayAttachment, + ResourceTypeTransitGatewayConnectPeer, ResourceTypeTransitGatewayMulticastDomain, ResourceTypeTransitGatewayRouteTable, ResourceTypeVolume, @@ -120907,6 +127082,9 @@ const ( // ServiceTypeGateway is a ServiceType enum value ServiceTypeGateway = "Gateway" + + // ServiceTypeGatewayLoadBalancer is a ServiceType enum value + ServiceTypeGatewayLoadBalancer = "GatewayLoadBalancer" ) // ServiceType_Values returns all elements of the ServiceType enum @@ -120914,6 +127092,7 @@ func ServiceType_Values() []string { return []string{ ServiceTypeInterface, ServiceTypeGateway, + ServiceTypeGatewayLoadBalancer, } } @@ -120978,6 +127157,9 @@ const ( // SpotAllocationStrategyCapacityOptimized is a SpotAllocationStrategy enum value SpotAllocationStrategyCapacityOptimized = "capacity-optimized" + + // SpotAllocationStrategyCapacityOptimizedPrioritized is a SpotAllocationStrategy enum value + SpotAllocationStrategyCapacityOptimizedPrioritized = "capacity-optimized-prioritized" ) // SpotAllocationStrategy_Values returns all elements of the SpotAllocationStrategy enum @@ -120986,6 +127168,7 @@ func SpotAllocationStrategy_Values() []string { SpotAllocationStrategyLowestPrice, SpotAllocationStrategyDiversified, SpotAllocationStrategyCapacityOptimized, + SpotAllocationStrategyCapacityOptimizedPrioritized, } } @@ -121093,6 +127276,22 @@ func State_Values() []string { } } +const ( + // StaticSourcesSupportValueEnable is a StaticSourcesSupportValue enum value + StaticSourcesSupportValueEnable = "enable" + + // StaticSourcesSupportValueDisable is a StaticSourcesSupportValue enum value + StaticSourcesSupportValueDisable = "disable" +) + +// StaticSourcesSupportValue_Values returns all elements of the StaticSourcesSupportValue enum +func StaticSourcesSupportValue_Values() []string { + return []string{ + StaticSourcesSupportValueEnable, + StaticSourcesSupportValueDisable, + } +} + const ( // StatusMoveInProgress is a Status enum value StatusMoveInProgress = "MoveInProgress" @@ -121419,6 +127618,9 @@ const ( // TransitGatewayAttachmentResourceTypeDirectConnectGateway is a TransitGatewayAttachmentResourceType enum value TransitGatewayAttachmentResourceTypeDirectConnectGateway = "direct-connect-gateway" + // TransitGatewayAttachmentResourceTypeConnect is a TransitGatewayAttachmentResourceType enum value + TransitGatewayAttachmentResourceTypeConnect = "connect" + // TransitGatewayAttachmentResourceTypePeering is a TransitGatewayAttachmentResourceType enum value TransitGatewayAttachmentResourceTypePeering = "peering" @@ -121432,6 +127634,7 @@ func TransitGatewayAttachmentResourceType_Values() []string { TransitGatewayAttachmentResourceTypeVpc, TransitGatewayAttachmentResourceTypeVpn, TransitGatewayAttachmentResourceTypeDirectConnectGateway, + TransitGatewayAttachmentResourceTypeConnect, TransitGatewayAttachmentResourceTypePeering, TransitGatewayAttachmentResourceTypeTgwPeering, } @@ -121498,6 +127701,33 @@ func TransitGatewayAttachmentState_Values() []string { } const ( + // TransitGatewayConnectPeerStatePending is a TransitGatewayConnectPeerState enum value + TransitGatewayConnectPeerStatePending = "pending" + + // TransitGatewayConnectPeerStateAvailable is a TransitGatewayConnectPeerState enum value + TransitGatewayConnectPeerStateAvailable = "available" + + // TransitGatewayConnectPeerStateDeleting is a TransitGatewayConnectPeerState enum value + TransitGatewayConnectPeerStateDeleting = "deleting" + + // TransitGatewayConnectPeerStateDeleted is a TransitGatewayConnectPeerState enum value + TransitGatewayConnectPeerStateDeleted = "deleted" +) + +// TransitGatewayConnectPeerState_Values returns all elements of the TransitGatewayConnectPeerState enum +func TransitGatewayConnectPeerState_Values() []string { + return []string{ + TransitGatewayConnectPeerStatePending, + TransitGatewayConnectPeerStateAvailable, + TransitGatewayConnectPeerStateDeleting, + TransitGatewayConnectPeerStateDeleted, + } +} + +const ( + // TransitGatewayMulitcastDomainAssociationStatePendingAcceptance is a TransitGatewayMulitcastDomainAssociationState enum value + TransitGatewayMulitcastDomainAssociationStatePendingAcceptance = "pendingAcceptance" + // TransitGatewayMulitcastDomainAssociationStateAssociating is a TransitGatewayMulitcastDomainAssociationState enum value TransitGatewayMulitcastDomainAssociationStateAssociating = "associating" @@ -121509,15 +127739,24 @@ const ( // TransitGatewayMulitcastDomainAssociationStateDisassociated is a TransitGatewayMulitcastDomainAssociationState enum value TransitGatewayMulitcastDomainAssociationStateDisassociated = "disassociated" + + // TransitGatewayMulitcastDomainAssociationStateRejected is a TransitGatewayMulitcastDomainAssociationState enum value + TransitGatewayMulitcastDomainAssociationStateRejected = "rejected" + + // TransitGatewayMulitcastDomainAssociationStateFailed is a TransitGatewayMulitcastDomainAssociationState enum value + TransitGatewayMulitcastDomainAssociationStateFailed = "failed" ) // TransitGatewayMulitcastDomainAssociationState_Values returns all elements of the TransitGatewayMulitcastDomainAssociationState enum func TransitGatewayMulitcastDomainAssociationState_Values() []string { return []string{ + TransitGatewayMulitcastDomainAssociationStatePendingAcceptance, TransitGatewayMulitcastDomainAssociationStateAssociating, TransitGatewayMulitcastDomainAssociationStateAssociated, TransitGatewayMulitcastDomainAssociationStateDisassociating, TransitGatewayMulitcastDomainAssociationStateDisassociated, + TransitGatewayMulitcastDomainAssociationStateRejected, + TransitGatewayMulitcastDomainAssociationStateFailed, } } @@ -121955,6 +128194,9 @@ const ( // VolumeTypeSt1 is a VolumeType enum value VolumeTypeSt1 = "st1" + + // VolumeTypeGp3 is a VolumeType enum value + VolumeTypeGp3 = "gp3" ) // VolumeType_Values returns all elements of the VolumeType enum @@ -121966,6 +128208,7 @@ func VolumeType_Values() []string { VolumeTypeGp2, VolumeTypeSc1, VolumeTypeSt1, + VolumeTypeGp3, } } @@ -122023,6 +128266,9 @@ const ( // VpcEndpointTypeGateway is a VpcEndpointType enum value VpcEndpointTypeGateway = "Gateway" + + // VpcEndpointTypeGatewayLoadBalancer is a VpcEndpointType enum value + VpcEndpointTypeGatewayLoadBalancer = "GatewayLoadBalancer" ) // VpcEndpointType_Values returns all elements of the VpcEndpointType enum @@ -122030,6 +128276,7 @@ func VpcEndpointType_Values() []string { return []string{ VpcEndpointTypeInterface, VpcEndpointTypeGateway, + VpcEndpointTypeGatewayLoadBalancer, } } diff --git a/vendor/github.com/aws/aws-sdk-go/service/ec2/doc.go b/vendor/github.com/aws/aws-sdk-go/service/ec2/doc.go index 31c314e0e..47c44cc9d 100644 --- a/vendor/github.com/aws/aws-sdk-go/service/ec2/doc.go +++ b/vendor/github.com/aws/aws-sdk-go/service/ec2/doc.go @@ -4,8 +4,14 @@ // requests to Amazon Elastic Compute Cloud. // // Amazon Elastic Compute Cloud (Amazon EC2) provides secure and resizable computing -// capacity in the AWS cloud. Using Amazon EC2 eliminates the need to invest +// capacity in the AWS Cloud. Using Amazon EC2 eliminates the need to invest // in hardware up front, so you can develop and deploy applications faster. +// Amazon Virtual Private Cloud (Amazon VPC) enables you to provision a logically +// isolated section of the AWS Cloud where you can launch AWS resources in a +// virtual network that you've defined. Amazon Elastic Block Store (Amazon EBS) +// provides block level storage volumes for use with EC2 instances. EBS volumes +// are highly available and reliable storage volumes that can be attached to +// any running instance and used like a hard drive. // // To learn more, see the following resources: // @@ -13,7 +19,7 @@ // EC2 documentation (http://aws.amazon.com/documentation/ec2) // // * Amazon EBS: Amazon EBS product page (http://aws.amazon.com/ebs), Amazon -// EBS documentation (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html) +// EBS documentation (http://aws.amazon.com/documentation/ebs) // // * Amazon VPC: Amazon VPC product page (http://aws.amazon.com/vpc), Amazon // VPC documentation (http://aws.amazon.com/documentation/vpc) diff --git a/vendor/github.com/aws/aws-sdk-go/service/kms/api.go b/vendor/github.com/aws/aws-sdk-go/service/kms/api.go new file mode 100644 index 000000000..0a9db87ab --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/service/kms/api.go @@ -0,0 +1,15680 @@ +// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT. + +package kms + +import ( + "fmt" + "time" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/awsutil" + "github.com/aws/aws-sdk-go/aws/request" + "github.com/aws/aws-sdk-go/private/protocol" + "github.com/aws/aws-sdk-go/private/protocol/jsonrpc" +) + +const opCancelKeyDeletion = "CancelKeyDeletion" + +// CancelKeyDeletionRequest generates a "aws/request.Request" representing the +// client's request for the CancelKeyDeletion operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See CancelKeyDeletion for more information on using the CancelKeyDeletion +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the CancelKeyDeletionRequest method. +// req, resp := client.CancelKeyDeletionRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CancelKeyDeletion +func (c *KMS) CancelKeyDeletionRequest(input *CancelKeyDeletionInput) (req *request.Request, output *CancelKeyDeletionOutput) { + op := &request.Operation{ + Name: opCancelKeyDeletion, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &CancelKeyDeletionInput{} + } + + output = &CancelKeyDeletionOutput{} + req = c.newRequest(op, input, output) + return +} + +// CancelKeyDeletion API operation for AWS Key Management Service. +// +// Cancels the deletion of a customer master key (CMK). When this operation +// succeeds, the key state of the CMK is Disabled. To enable the CMK, use EnableKey. +// +// For more information about scheduling and canceling deletion of a CMK, see +// Deleting Customer Master Keys (https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html) +// in the AWS Key Management Service Developer Guide. +// +// The CMK that you use for this operation must be in a compatible key state. +// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Cross-account use: No. You cannot perform this operation on a CMK in a different +// AWS account. +// +// Required permissions: kms:CancelKeyDeletion (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (key policy) +// +// Related operations: ScheduleKeyDeletion +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation CancelKeyDeletion for usage and error information. +// +// Returned Error Types: +// * NotFoundException +// The request was rejected because the specified entity or resource could not +// be found. +// +// * InvalidArnException +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * DependencyTimeoutException +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * InvalidStateException +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide . +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CancelKeyDeletion +func (c *KMS) CancelKeyDeletion(input *CancelKeyDeletionInput) (*CancelKeyDeletionOutput, error) { + req, out := c.CancelKeyDeletionRequest(input) + return out, req.Send() +} + +// CancelKeyDeletionWithContext is the same as CancelKeyDeletion with the addition of +// the ability to pass a context and additional request options. +// +// See CancelKeyDeletion for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) CancelKeyDeletionWithContext(ctx aws.Context, input *CancelKeyDeletionInput, opts ...request.Option) (*CancelKeyDeletionOutput, error) { + req, out := c.CancelKeyDeletionRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opConnectCustomKeyStore = "ConnectCustomKeyStore" + +// ConnectCustomKeyStoreRequest generates a "aws/request.Request" representing the +// client's request for the ConnectCustomKeyStore operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See ConnectCustomKeyStore for more information on using the ConnectCustomKeyStore +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the ConnectCustomKeyStoreRequest method. +// req, resp := client.ConnectCustomKeyStoreRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ConnectCustomKeyStore +func (c *KMS) ConnectCustomKeyStoreRequest(input *ConnectCustomKeyStoreInput) (req *request.Request, output *ConnectCustomKeyStoreOutput) { + op := &request.Operation{ + Name: opConnectCustomKeyStore, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &ConnectCustomKeyStoreInput{} + } + + output = &ConnectCustomKeyStoreOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// ConnectCustomKeyStore API operation for AWS Key Management Service. +// +// Connects or reconnects a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) +// to its associated AWS CloudHSM cluster. +// +// The custom key store must be connected before you can create customer master +// keys (CMKs) in the key store or use the CMKs it contains. You can disconnect +// and reconnect a custom key store at any time. +// +// To connect a custom key store, its associated AWS CloudHSM cluster must have +// at least one active HSM. To get the number of active HSMs in a cluster, use +// the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html) +// operation. To add HSMs to the cluster, use the CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html) +// operation. Also, the kmsuser crypto user (https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser) +// (CU) must not be logged into the cluster. This prevents AWS KMS from using +// this account to log in. +// +// The connection process can take an extended amount of time to complete; up +// to 20 minutes. This operation starts the connection process, but it does +// not wait for it to complete. When it succeeds, this operation quickly returns +// an HTTP 200 response and a JSON object with no properties. However, this +// response does not indicate that the custom key store is connected. To get +// the connection state of the custom key store, use the DescribeCustomKeyStores +// operation. +// +// During the connection process, AWS KMS finds the AWS CloudHSM cluster that +// is associated with the custom key store, creates the connection infrastructure, +// connects to the cluster, logs into the AWS CloudHSM client as the kmsuser +// CU, and rotates its password. +// +// The ConnectCustomKeyStore operation might fail for various reasons. To find +// the reason, use the DescribeCustomKeyStores operation and see the ConnectionErrorCode +// in the response. For help interpreting the ConnectionErrorCode, see CustomKeyStoresListEntry. +// +// To fix the failure, use the DisconnectCustomKeyStore operation to disconnect +// the custom key store, correct the error, use the UpdateCustomKeyStore operation +// if necessary, and then use ConnectCustomKeyStore again. +// +// If you are having trouble connecting or disconnecting a custom key store, +// see Troubleshooting a Custom Key Store (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html) +// in the AWS Key Management Service Developer Guide. +// +// Cross-account use: No. You cannot perform this operation on a custom key +// store in a different AWS account. +// +// Required permissions: kms:ConnectCustomKeyStore (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (IAM policy) +// +// Related operations +// +// * CreateCustomKeyStore +// +// * DeleteCustomKeyStore +// +// * DescribeCustomKeyStores +// +// * DisconnectCustomKeyStore +// +// * UpdateCustomKeyStore +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation ConnectCustomKeyStore for usage and error information. +// +// Returned Error Types: +// * CloudHsmClusterNotActiveException +// The request was rejected because the AWS CloudHSM cluster that is associated +// with the custom key store is not active. Initialize and activate the cluster +// and try the command again. For detailed instructions, see Getting Started +// (https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html) +// in the AWS CloudHSM User Guide. +// +// * CustomKeyStoreInvalidStateException +// The request was rejected because of the ConnectionState of the custom key +// store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores +// operation. +// +// This exception is thrown under the following conditions: +// +// * You requested the CreateKey or GenerateRandom operation in a custom +// key store that is not connected. These operations are valid only when +// the custom key store ConnectionState is CONNECTED. +// +// * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation +// on a custom key store that is not disconnected. This operation is valid +// only when the custom key store ConnectionState is DISCONNECTED. +// +// * You requested the ConnectCustomKeyStore operation on a custom key store +// with a ConnectionState of DISCONNECTING or FAILED. This operation is valid +// for all other ConnectionState values. +// +// * CustomKeyStoreNotFoundException +// The request was rejected because AWS KMS cannot find a custom key store with +// the specified key store name or ID. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * CloudHsmClusterInvalidConfigurationException +// The request was rejected because the associated AWS CloudHSM cluster did +// not meet the configuration requirements for a custom key store. +// +// * The cluster must be configured with private subnets in at least two +// different Availability Zones in the Region. +// +// * The security group for the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) +// (cloudhsm-cluster--sg) must include inbound rules and outbound +// rules that allow TCP traffic on ports 2223-2225. The Source in the inbound +// rules and the Destination in the outbound rules must match the security +// group ID. These rules are set by default when you create the cluster. +// Do not delete or change them. To get information about a particular security +// group, use the DescribeSecurityGroups (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html) +// operation. +// +// * The cluster must contain at least as many HSMs as the operation requires. +// To add HSMs, use the AWS CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html) +// operation. For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey +// operations, the AWS CloudHSM cluster must have at least two active HSMs, +// each in a different Availability Zone. For the ConnectCustomKeyStore operation, +// the AWS CloudHSM must contain at least one active HSM. +// +// For information about the requirements for an AWS CloudHSM cluster that is +// associated with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore) +// in the AWS Key Management Service Developer Guide. For information about +// creating a private subnet for an AWS CloudHSM cluster, see Create a Private +// Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html) +// in the AWS CloudHSM User Guide. For information about cluster security groups, +// see Configure a Default Security Group (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) +// in the AWS CloudHSM User Guide . +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ConnectCustomKeyStore +func (c *KMS) ConnectCustomKeyStore(input *ConnectCustomKeyStoreInput) (*ConnectCustomKeyStoreOutput, error) { + req, out := c.ConnectCustomKeyStoreRequest(input) + return out, req.Send() +} + +// ConnectCustomKeyStoreWithContext is the same as ConnectCustomKeyStore with the addition of +// the ability to pass a context and additional request options. +// +// See ConnectCustomKeyStore for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) ConnectCustomKeyStoreWithContext(ctx aws.Context, input *ConnectCustomKeyStoreInput, opts ...request.Option) (*ConnectCustomKeyStoreOutput, error) { + req, out := c.ConnectCustomKeyStoreRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opCreateAlias = "CreateAlias" + +// CreateAliasRequest generates a "aws/request.Request" representing the +// client's request for the CreateAlias operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See CreateAlias for more information on using the CreateAlias +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the CreateAliasRequest method. +// req, resp := client.CreateAliasRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateAlias +func (c *KMS) CreateAliasRequest(input *CreateAliasInput) (req *request.Request, output *CreateAliasOutput) { + op := &request.Operation{ + Name: opCreateAlias, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &CreateAliasInput{} + } + + output = &CreateAliasOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// CreateAlias API operation for AWS Key Management Service. +// +// Creates a friendly name for a customer master key (CMK). You can use an alias +// to identify a CMK in the AWS KMS console, in the DescribeKey operation and +// in cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations), +// such as Encrypt and GenerateDataKey. +// +// You can also change the CMK that's associated with the alias (UpdateAlias) +// or delete the alias (DeleteAlias) at any time. These operations don't affect +// the underlying CMK. +// +// You can associate the alias with any customer managed CMK in the same AWS +// Region. Each alias is associated with only on CMK at a time, but a CMK can +// have multiple aliases. A valid CMK is required. You can't create an alias +// without a CMK. +// +// The alias must be unique in the account and Region, but you can have aliases +// with the same name in different Regions. For detailed information about aliases, +// see Using aliases (https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html) +// in the AWS Key Management Service Developer Guide. +// +// This operation does not return a response. To get the alias that you created, +// use the ListAliases operation. +// +// The CMK that you use for this operation must be in a compatible key state. +// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Cross-account use: No. You cannot perform this operation on an alias in a +// different AWS account. +// +// Required permissions +// +// * kms:CreateAlias (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// on the alias (IAM policy). +// +// * kms:CreateAlias (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// on the CMK (key policy). +// +// For details, see Controlling access to aliases (https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access) +// in the AWS Key Management Service Developer Guide. +// +// Related operations: +// +// * DeleteAlias +// +// * ListAliases +// +// * UpdateAlias +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation CreateAlias for usage and error information. +// +// Returned Error Types: +// * DependencyTimeoutException +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * AlreadyExistsException +// The request was rejected because it attempted to create a resource that already +// exists. +// +// * NotFoundException +// The request was rejected because the specified entity or resource could not +// be found. +// +// * InvalidAliasNameException +// The request was rejected because the specified alias name is not valid. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * LimitExceededException +// The request was rejected because a quota was exceeded. For more information, +// see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html) +// in the AWS Key Management Service Developer Guide. +// +// * InvalidStateException +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide . +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateAlias +func (c *KMS) CreateAlias(input *CreateAliasInput) (*CreateAliasOutput, error) { + req, out := c.CreateAliasRequest(input) + return out, req.Send() +} + +// CreateAliasWithContext is the same as CreateAlias with the addition of +// the ability to pass a context and additional request options. +// +// See CreateAlias for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) CreateAliasWithContext(ctx aws.Context, input *CreateAliasInput, opts ...request.Option) (*CreateAliasOutput, error) { + req, out := c.CreateAliasRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opCreateCustomKeyStore = "CreateCustomKeyStore" + +// CreateCustomKeyStoreRequest generates a "aws/request.Request" representing the +// client's request for the CreateCustomKeyStore operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See CreateCustomKeyStore for more information on using the CreateCustomKeyStore +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the CreateCustomKeyStoreRequest method. +// req, resp := client.CreateCustomKeyStoreRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateCustomKeyStore +func (c *KMS) CreateCustomKeyStoreRequest(input *CreateCustomKeyStoreInput) (req *request.Request, output *CreateCustomKeyStoreOutput) { + op := &request.Operation{ + Name: opCreateCustomKeyStore, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &CreateCustomKeyStoreInput{} + } + + output = &CreateCustomKeyStoreOutput{} + req = c.newRequest(op, input, output) + return +} + +// CreateCustomKeyStore API operation for AWS Key Management Service. +// +// Creates a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) +// that is associated with an AWS CloudHSM cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/clusters.html) +// that you own and manage. +// +// This operation is part of the Custom Key Store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) +// feature in AWS KMS, which combines the convenience and extensive integration +// of AWS KMS with the isolation and control of a single-tenant key store. +// +// Before you create the custom key store, you must assemble the required elements, +// including an AWS CloudHSM cluster that fulfills the requirements for a custom +// key store. For details about the required elements, see Assemble the Prerequisites +// (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore) +// in the AWS Key Management Service Developer Guide. +// +// When the operation completes successfully, it returns the ID of the new custom +// key store. Before you can use your new custom key store, you need to use +// the ConnectCustomKeyStore operation to connect the new key store to its AWS +// CloudHSM cluster. Even if you are not going to use your custom key store +// immediately, you might want to connect it to verify that all settings are +// correct and then disconnect it until you are ready to use it. +// +// For help with failures, see Troubleshooting a Custom Key Store (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html) +// in the AWS Key Management Service Developer Guide. +// +// Cross-account use: No. You cannot perform this operation on a custom key +// store in a different AWS account. +// +// Required permissions: kms:CreateCustomKeyStore (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (IAM policy). +// +// Related operations: +// +// * ConnectCustomKeyStore +// +// * DeleteCustomKeyStore +// +// * DescribeCustomKeyStores +// +// * DisconnectCustomKeyStore +// +// * UpdateCustomKeyStore +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation CreateCustomKeyStore for usage and error information. +// +// Returned Error Types: +// * CloudHsmClusterInUseException +// The request was rejected because the specified AWS CloudHSM cluster is already +// associated with a custom key store or it shares a backup history with a cluster +// that is associated with a custom key store. Each custom key store must be +// associated with a different AWS CloudHSM cluster. +// +// Clusters that share a backup history have the same cluster certificate. To +// view the cluster certificate of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html) +// operation. +// +// * CustomKeyStoreNameInUseException +// The request was rejected because the specified custom key store name is already +// assigned to another custom key store in the account. Try again with a custom +// key store name that is unique in the account. +// +// * CloudHsmClusterNotFoundException +// The request was rejected because AWS KMS cannot find the AWS CloudHSM cluster +// with the specified cluster ID. Retry the request with a different cluster +// ID. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * CloudHsmClusterNotActiveException +// The request was rejected because the AWS CloudHSM cluster that is associated +// with the custom key store is not active. Initialize and activate the cluster +// and try the command again. For detailed instructions, see Getting Started +// (https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html) +// in the AWS CloudHSM User Guide. +// +// * IncorrectTrustAnchorException +// The request was rejected because the trust anchor certificate in the request +// is not the trust anchor certificate for the specified AWS CloudHSM cluster. +// +// When you initialize the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr), +// you create the trust anchor certificate and save it in the customerCA.crt +// file. +// +// * CloudHsmClusterInvalidConfigurationException +// The request was rejected because the associated AWS CloudHSM cluster did +// not meet the configuration requirements for a custom key store. +// +// * The cluster must be configured with private subnets in at least two +// different Availability Zones in the Region. +// +// * The security group for the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) +// (cloudhsm-cluster--sg) must include inbound rules and outbound +// rules that allow TCP traffic on ports 2223-2225. The Source in the inbound +// rules and the Destination in the outbound rules must match the security +// group ID. These rules are set by default when you create the cluster. +// Do not delete or change them. To get information about a particular security +// group, use the DescribeSecurityGroups (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html) +// operation. +// +// * The cluster must contain at least as many HSMs as the operation requires. +// To add HSMs, use the AWS CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html) +// operation. For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey +// operations, the AWS CloudHSM cluster must have at least two active HSMs, +// each in a different Availability Zone. For the ConnectCustomKeyStore operation, +// the AWS CloudHSM must contain at least one active HSM. +// +// For information about the requirements for an AWS CloudHSM cluster that is +// associated with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore) +// in the AWS Key Management Service Developer Guide. For information about +// creating a private subnet for an AWS CloudHSM cluster, see Create a Private +// Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html) +// in the AWS CloudHSM User Guide. For information about cluster security groups, +// see Configure a Default Security Group (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) +// in the AWS CloudHSM User Guide . +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateCustomKeyStore +func (c *KMS) CreateCustomKeyStore(input *CreateCustomKeyStoreInput) (*CreateCustomKeyStoreOutput, error) { + req, out := c.CreateCustomKeyStoreRequest(input) + return out, req.Send() +} + +// CreateCustomKeyStoreWithContext is the same as CreateCustomKeyStore with the addition of +// the ability to pass a context and additional request options. +// +// See CreateCustomKeyStore for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) CreateCustomKeyStoreWithContext(ctx aws.Context, input *CreateCustomKeyStoreInput, opts ...request.Option) (*CreateCustomKeyStoreOutput, error) { + req, out := c.CreateCustomKeyStoreRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opCreateGrant = "CreateGrant" + +// CreateGrantRequest generates a "aws/request.Request" representing the +// client's request for the CreateGrant operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See CreateGrant for more information on using the CreateGrant +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the CreateGrantRequest method. +// req, resp := client.CreateGrantRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateGrant +func (c *KMS) CreateGrantRequest(input *CreateGrantInput) (req *request.Request, output *CreateGrantOutput) { + op := &request.Operation{ + Name: opCreateGrant, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &CreateGrantInput{} + } + + output = &CreateGrantOutput{} + req = c.newRequest(op, input, output) + return +} + +// CreateGrant API operation for AWS Key Management Service. +// +// Adds a grant to a customer master key (CMK). The grant allows the grantee +// principal to use the CMK when the conditions specified in the grant are met. +// When setting permissions, grants are an alternative to key policies. +// +// To create a grant that allows a cryptographic operation (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) +// only when the request includes a particular encryption context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context), +// use the Constraints parameter. For details, see GrantConstraints. +// +// You can create grants on symmetric and asymmetric CMKs. However, if the grant +// allows an operation that the CMK does not support, CreateGrant fails with +// a ValidationException. +// +// * Grants for symmetric CMKs cannot allow operations that are not supported +// for symmetric CMKs, including Sign, Verify, and GetPublicKey. (There are +// limited exceptions to this rule for legacy operations, but you should +// not create a grant for an operation that AWS KMS does not support.) +// +// * Grants for asymmetric CMKs cannot allow operations that are not supported +// for asymmetric CMKs, including operations that generate data keys (https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey) +// or data key pairs (https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyPair), +// or operations related to automatic key rotation (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html), +// imported key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html), +// or CMKs in custom key stores (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html). +// +// * Grants for asymmetric CMKs with a KeyUsage of ENCRYPT_DECRYPT cannot +// allow the Sign or Verify operations. Grants for asymmetric CMKs with a +// KeyUsage of SIGN_VERIFY cannot allow the Encrypt or Decrypt operations. +// +// * Grants for asymmetric CMKs cannot include an encryption context grant +// constraint. An encryption context is not supported on asymmetric CMKs. +// +// For information about symmetric and asymmetric CMKs, see Using Symmetric +// and Asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) +// in the AWS Key Management Service Developer Guide. For more information about +// grants, see Grants (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) +// in the AWS Key Management Service Developer Guide . +// +// The CMK that you use for this operation must be in a compatible key state. +// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Cross-account use: Yes. To perform this operation on a CMK in a different +// AWS account, specify the key ARN in the value of the KeyId parameter. +// +// Required permissions: kms:CreateGrant (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (key policy) +// +// Related operations: +// +// * ListGrants +// +// * ListRetirableGrants +// +// * RetireGrant +// +// * RevokeGrant +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation CreateGrant for usage and error information. +// +// Returned Error Types: +// * NotFoundException +// The request was rejected because the specified entity or resource could not +// be found. +// +// * DisabledException +// The request was rejected because the specified CMK is not enabled. +// +// * DependencyTimeoutException +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * InvalidArnException +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * InvalidGrantTokenException +// The request was rejected because the specified grant token is not valid. +// +// * LimitExceededException +// The request was rejected because a quota was exceeded. For more information, +// see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html) +// in the AWS Key Management Service Developer Guide. +// +// * InvalidStateException +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide . +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateGrant +func (c *KMS) CreateGrant(input *CreateGrantInput) (*CreateGrantOutput, error) { + req, out := c.CreateGrantRequest(input) + return out, req.Send() +} + +// CreateGrantWithContext is the same as CreateGrant with the addition of +// the ability to pass a context and additional request options. +// +// See CreateGrant for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) CreateGrantWithContext(ctx aws.Context, input *CreateGrantInput, opts ...request.Option) (*CreateGrantOutput, error) { + req, out := c.CreateGrantRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opCreateKey = "CreateKey" + +// CreateKeyRequest generates a "aws/request.Request" representing the +// client's request for the CreateKey operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See CreateKey for more information on using the CreateKey +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the CreateKeyRequest method. +// req, resp := client.CreateKeyRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKey +func (c *KMS) CreateKeyRequest(input *CreateKeyInput) (req *request.Request, output *CreateKeyOutput) { + op := &request.Operation{ + Name: opCreateKey, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &CreateKeyInput{} + } + + output = &CreateKeyOutput{} + req = c.newRequest(op, input, output) + return +} + +// CreateKey API operation for AWS Key Management Service. +// +// Creates a unique customer managed customer master key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master-keys) +// (CMK) in your AWS account and Region. +// +// You can use the CreateKey operation to create symmetric or asymmetric CMKs. +// +// * Symmetric CMKs contain a 256-bit symmetric key that never leaves AWS +// KMS unencrypted. To use the CMK, you must call AWS KMS. You can use a +// symmetric CMK to encrypt and decrypt small amounts of data, but they are +// typically used to generate data keys (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-keys) +// and data keys pairs (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-key-pairs). +// For details, see GenerateDataKey and GenerateDataKeyPair. +// +// * Asymmetric CMKs can contain an RSA key pair or an Elliptic Curve (ECC) +// key pair. The private key in an asymmetric CMK never leaves AWS KMS unencrypted. +// However, you can use the GetPublicKey operation to download the public +// key so it can be used outside of AWS KMS. CMKs with RSA key pairs can +// be used to encrypt or decrypt data or sign and verify messages (but not +// both). CMKs with ECC key pairs can be used only to sign and verify messages. +// +// For information about symmetric and asymmetric CMKs, see Using Symmetric +// and Asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) +// in the AWS Key Management Service Developer Guide. +// +// To create different types of CMKs, use the following guidance: +// +// Asymmetric CMKs +// +// To create an asymmetric CMK, use the CustomerMasterKeySpec parameter to specify +// the type of key material in the CMK. Then, use the KeyUsage parameter to +// determine whether the CMK will be used to encrypt and decrypt or sign and +// verify. You can't change these properties after the CMK is created. +// +// Symmetric CMKs +// +// When creating a symmetric CMK, you don't need to specify the CustomerMasterKeySpec +// or KeyUsage parameters. The default value for CustomerMasterKeySpec, SYMMETRIC_DEFAULT, +// and the default value for KeyUsage, ENCRYPT_DECRYPT, are the only valid values +// for symmetric CMKs. +// +// Imported Key Material +// +// To import your own key material, begin by creating a symmetric CMK with no +// key material. To do this, use the Origin parameter of CreateKey with a value +// of EXTERNAL. Next, use GetParametersForImport operation to get a public key +// and import token, and use the public key to encrypt your key material. Then, +// use ImportKeyMaterial with your import token to import the key material. +// For step-by-step instructions, see Importing Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) +// in the AWS Key Management Service Developer Guide . You cannot import the +// key material into an asymmetric CMK. +// +// Custom Key Stores +// +// To create a symmetric CMK in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html), +// use the CustomKeyStoreId parameter to specify the custom key store. You must +// also use the Origin parameter with a value of AWS_CLOUDHSM. The AWS CloudHSM +// cluster that is associated with the custom key store must have at least two +// active HSMs in different Availability Zones in the AWS Region. +// +// You cannot create an asymmetric CMK in a custom key store. For information +// about custom key stores in AWS KMS see Using Custom Key Stores (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) +// in the AWS Key Management Service Developer Guide . +// +// Cross-account use: No. You cannot use this operation to create a CMK in a +// different AWS account. +// +// Required permissions: kms:CreateKey (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (IAM policy). To use the Tags parameter, kms:TagResource (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (IAM policy). For examples and information about related permissions, see +// Allow a user to create CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-create-key) +// in the AWS Key Management Service Developer Guide. +// +// Related operations: +// +// * DescribeKey +// +// * ListKeys +// +// * ScheduleKeyDeletion +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation CreateKey for usage and error information. +// +// Returned Error Types: +// * MalformedPolicyDocumentException +// The request was rejected because the specified policy is not syntactically +// or semantically correct. +// +// * DependencyTimeoutException +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * InvalidArnException +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * UnsupportedOperationException +// The request was rejected because a specified parameter is not supported or +// a specified resource is not valid for this operation. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * LimitExceededException +// The request was rejected because a quota was exceeded. For more information, +// see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html) +// in the AWS Key Management Service Developer Guide. +// +// * TagException +// The request was rejected because one or more tags are not valid. +// +// * CustomKeyStoreNotFoundException +// The request was rejected because AWS KMS cannot find a custom key store with +// the specified key store name or ID. +// +// * CustomKeyStoreInvalidStateException +// The request was rejected because of the ConnectionState of the custom key +// store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores +// operation. +// +// This exception is thrown under the following conditions: +// +// * You requested the CreateKey or GenerateRandom operation in a custom +// key store that is not connected. These operations are valid only when +// the custom key store ConnectionState is CONNECTED. +// +// * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation +// on a custom key store that is not disconnected. This operation is valid +// only when the custom key store ConnectionState is DISCONNECTED. +// +// * You requested the ConnectCustomKeyStore operation on a custom key store +// with a ConnectionState of DISCONNECTING or FAILED. This operation is valid +// for all other ConnectionState values. +// +// * CloudHsmClusterInvalidConfigurationException +// The request was rejected because the associated AWS CloudHSM cluster did +// not meet the configuration requirements for a custom key store. +// +// * The cluster must be configured with private subnets in at least two +// different Availability Zones in the Region. +// +// * The security group for the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) +// (cloudhsm-cluster--sg) must include inbound rules and outbound +// rules that allow TCP traffic on ports 2223-2225. The Source in the inbound +// rules and the Destination in the outbound rules must match the security +// group ID. These rules are set by default when you create the cluster. +// Do not delete or change them. To get information about a particular security +// group, use the DescribeSecurityGroups (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html) +// operation. +// +// * The cluster must contain at least as many HSMs as the operation requires. +// To add HSMs, use the AWS CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html) +// operation. For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey +// operations, the AWS CloudHSM cluster must have at least two active HSMs, +// each in a different Availability Zone. For the ConnectCustomKeyStore operation, +// the AWS CloudHSM must contain at least one active HSM. +// +// For information about the requirements for an AWS CloudHSM cluster that is +// associated with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore) +// in the AWS Key Management Service Developer Guide. For information about +// creating a private subnet for an AWS CloudHSM cluster, see Create a Private +// Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html) +// in the AWS CloudHSM User Guide. For information about cluster security groups, +// see Configure a Default Security Group (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) +// in the AWS CloudHSM User Guide . +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKey +func (c *KMS) CreateKey(input *CreateKeyInput) (*CreateKeyOutput, error) { + req, out := c.CreateKeyRequest(input) + return out, req.Send() +} + +// CreateKeyWithContext is the same as CreateKey with the addition of +// the ability to pass a context and additional request options. +// +// See CreateKey for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) CreateKeyWithContext(ctx aws.Context, input *CreateKeyInput, opts ...request.Option) (*CreateKeyOutput, error) { + req, out := c.CreateKeyRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opDecrypt = "Decrypt" + +// DecryptRequest generates a "aws/request.Request" representing the +// client's request for the Decrypt operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See Decrypt for more information on using the Decrypt +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the DecryptRequest method. +// req, resp := client.DecryptRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Decrypt +func (c *KMS) DecryptRequest(input *DecryptInput) (req *request.Request, output *DecryptOutput) { + op := &request.Operation{ + Name: opDecrypt, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &DecryptInput{} + } + + output = &DecryptOutput{} + req = c.newRequest(op, input, output) + return +} + +// Decrypt API operation for AWS Key Management Service. +// +// Decrypts ciphertext that was encrypted by a AWS KMS customer master key (CMK) +// using any of the following operations: +// +// * Encrypt +// +// * GenerateDataKey +// +// * GenerateDataKeyPair +// +// * GenerateDataKeyWithoutPlaintext +// +// * GenerateDataKeyPairWithoutPlaintext +// +// You can use this operation to decrypt ciphertext that was encrypted under +// a symmetric or asymmetric CMK. When the CMK is asymmetric, you must specify +// the CMK and the encryption algorithm that was used to encrypt the ciphertext. +// For information about symmetric and asymmetric CMKs, see Using Symmetric +// and Asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) +// in the AWS Key Management Service Developer Guide. +// +// The Decrypt operation also decrypts ciphertext that was encrypted outside +// of AWS KMS by the public key in an AWS KMS asymmetric CMK. However, it cannot +// decrypt ciphertext produced by other libraries, such as the AWS Encryption +// SDK (https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/) +// or Amazon S3 client-side encryption (https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html). +// These libraries return a ciphertext format that is incompatible with AWS +// KMS. +// +// If the ciphertext was encrypted under a symmetric CMK, the KeyId parameter +// is optional. AWS KMS can get this information from metadata that it adds +// to the symmetric ciphertext blob. This feature adds durability to your implementation +// by ensuring that authorized users can decrypt ciphertext decades after it +// was encrypted, even if they've lost track of the CMK ID. However, specifying +// the CMK is always recommended as a best practice. When you use the KeyId +// parameter to specify a CMK, AWS KMS only uses the CMK you specify. If the +// ciphertext was encrypted under a different CMK, the Decrypt operation fails. +// This practice ensures that you use the CMK that you intend. +// +// Whenever possible, use key policies to give users permission to call the +// Decrypt operation on a particular CMK, instead of using IAM policies. Otherwise, +// you might create an IAM user policy that gives the user Decrypt permission +// on all CMKs. This user could decrypt ciphertext that was encrypted by CMKs +// in other accounts if the key policy for the cross-account CMK permits it. +// If you must use an IAM policy for Decrypt permissions, limit the user to +// particular CMKs or particular trusted accounts. For details, see Best practices +// for IAM policies (https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policies-best-practices) +// in the AWS Key Management Service Developer Guide. +// +// The CMK that you use for this operation must be in a compatible key state. +// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Cross-account use: Yes. You can decrypt a ciphertext using a CMK in a different +// AWS account. +// +// Required permissions: kms:Decrypt (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (key policy) +// +// Related operations: +// +// * Encrypt +// +// * GenerateDataKey +// +// * GenerateDataKeyPair +// +// * ReEncrypt +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation Decrypt for usage and error information. +// +// Returned Error Types: +// * NotFoundException +// The request was rejected because the specified entity or resource could not +// be found. +// +// * DisabledException +// The request was rejected because the specified CMK is not enabled. +// +// * InvalidCiphertextException +// From the Decrypt or ReEncrypt operation, the request was rejected because +// the specified ciphertext, or additional authenticated data incorporated into +// the ciphertext, such as the encryption context, is corrupted, missing, or +// otherwise invalid. +// +// From the ImportKeyMaterial operation, the request was rejected because AWS +// KMS could not decrypt the encrypted (wrapped) key material. +// +// * KeyUnavailableException +// The request was rejected because the specified CMK was not available. You +// can retry the request. +// +// * IncorrectKeyException +// The request was rejected because the specified CMK cannot decrypt the data. +// The KeyId in a Decrypt request and the SourceKeyId in a ReEncrypt request +// must identify the same CMK that was used to encrypt the ciphertext. +// +// * InvalidKeyUsageException +// The request was rejected for one of the following reasons: +// +// * The KeyUsage value of the CMK is incompatible with the API operation. +// +// * The encryption algorithm or signing algorithm specified for the operation +// is incompatible with the type of key material in the CMK (CustomerMasterKeySpec). +// +// For encrypting, decrypting, re-encrypting, and generating data keys, the +// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage +// must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation. +// +// To find the encryption or signing algorithms supported for a particular CMK, +// use the DescribeKey operation. +// +// * DependencyTimeoutException +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * InvalidGrantTokenException +// The request was rejected because the specified grant token is not valid. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * InvalidStateException +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide . +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Decrypt +func (c *KMS) Decrypt(input *DecryptInput) (*DecryptOutput, error) { + req, out := c.DecryptRequest(input) + return out, req.Send() +} + +// DecryptWithContext is the same as Decrypt with the addition of +// the ability to pass a context and additional request options. +// +// See Decrypt for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) DecryptWithContext(ctx aws.Context, input *DecryptInput, opts ...request.Option) (*DecryptOutput, error) { + req, out := c.DecryptRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opDeleteAlias = "DeleteAlias" + +// DeleteAliasRequest generates a "aws/request.Request" representing the +// client's request for the DeleteAlias operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See DeleteAlias for more information on using the DeleteAlias +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the DeleteAliasRequest method. +// req, resp := client.DeleteAliasRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteAlias +func (c *KMS) DeleteAliasRequest(input *DeleteAliasInput) (req *request.Request, output *DeleteAliasOutput) { + op := &request.Operation{ + Name: opDeleteAlias, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &DeleteAliasInput{} + } + + output = &DeleteAliasOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// DeleteAlias API operation for AWS Key Management Service. +// +// Deletes the specified alias. +// +// Because an alias is not a property of a CMK, you can delete and change the +// aliases of a CMK without affecting the CMK. Also, aliases do not appear in +// the response from the DescribeKey operation. To get the aliases of all CMKs, +// use the ListAliases operation. +// +// Each CMK can have multiple aliases. To change the alias of a CMK, use DeleteAlias +// to delete the current alias and CreateAlias to create a new alias. To associate +// an existing alias with a different customer master key (CMK), call UpdateAlias. +// +// Cross-account use: No. You cannot perform this operation on an alias in a +// different AWS account. +// +// Required permissions +// +// * kms:DeleteAlias (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// on the alias (IAM policy). +// +// * kms:DeleteAlias (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// on the CMK (key policy). +// +// For details, see Controlling access to aliases (https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access) +// in the AWS Key Management Service Developer Guide. +// +// Related operations: +// +// * CreateAlias +// +// * ListAliases +// +// * UpdateAlias +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation DeleteAlias for usage and error information. +// +// Returned Error Types: +// * DependencyTimeoutException +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * NotFoundException +// The request was rejected because the specified entity or resource could not +// be found. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * InvalidStateException +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide . +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteAlias +func (c *KMS) DeleteAlias(input *DeleteAliasInput) (*DeleteAliasOutput, error) { + req, out := c.DeleteAliasRequest(input) + return out, req.Send() +} + +// DeleteAliasWithContext is the same as DeleteAlias with the addition of +// the ability to pass a context and additional request options. +// +// See DeleteAlias for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) DeleteAliasWithContext(ctx aws.Context, input *DeleteAliasInput, opts ...request.Option) (*DeleteAliasOutput, error) { + req, out := c.DeleteAliasRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opDeleteCustomKeyStore = "DeleteCustomKeyStore" + +// DeleteCustomKeyStoreRequest generates a "aws/request.Request" representing the +// client's request for the DeleteCustomKeyStore operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See DeleteCustomKeyStore for more information on using the DeleteCustomKeyStore +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the DeleteCustomKeyStoreRequest method. +// req, resp := client.DeleteCustomKeyStoreRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteCustomKeyStore +func (c *KMS) DeleteCustomKeyStoreRequest(input *DeleteCustomKeyStoreInput) (req *request.Request, output *DeleteCustomKeyStoreOutput) { + op := &request.Operation{ + Name: opDeleteCustomKeyStore, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &DeleteCustomKeyStoreInput{} + } + + output = &DeleteCustomKeyStoreOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// DeleteCustomKeyStore API operation for AWS Key Management Service. +// +// Deletes a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html). +// This operation does not delete the AWS CloudHSM cluster that is associated +// with the custom key store, or affect any users or keys in the cluster. +// +// The custom key store that you delete cannot contain any AWS KMS customer +// master keys (CMKs) (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys). +// Before deleting the key store, verify that you will never need to use any +// of the CMKs in the key store for any cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations). +// Then, use ScheduleKeyDeletion to delete the AWS KMS customer master keys +// (CMKs) from the key store. When the scheduled waiting period expires, the +// ScheduleKeyDeletion operation deletes the CMKs. Then it makes a best effort +// to delete the key material from the associated cluster. However, you might +// need to manually delete the orphaned key material (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key) +// from the cluster and its backups. +// +// After all CMKs are deleted from AWS KMS, use DisconnectCustomKeyStore to +// disconnect the key store from AWS KMS. Then, you can delete the custom key +// store. +// +// Instead of deleting the custom key store, consider using DisconnectCustomKeyStore +// to disconnect it from AWS KMS. While the key store is disconnected, you cannot +// create or use the CMKs in the key store. But, you do not need to delete CMKs +// and you can reconnect a disconnected custom key store at any time. +// +// If the operation succeeds, it returns a JSON object with no properties. +// +// This operation is part of the Custom Key Store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) +// feature in AWS KMS, which combines the convenience and extensive integration +// of AWS KMS with the isolation and control of a single-tenant key store. +// +// Cross-account use: No. You cannot perform this operation on a custom key +// store in a different AWS account. +// +// Required permissions: kms:DeleteCustomKeyStore (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (IAM policy) +// +// Related operations: +// +// * ConnectCustomKeyStore +// +// * CreateCustomKeyStore +// +// * DescribeCustomKeyStores +// +// * DisconnectCustomKeyStore +// +// * UpdateCustomKeyStore +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation DeleteCustomKeyStore for usage and error information. +// +// Returned Error Types: +// * CustomKeyStoreHasCMKsException +// The request was rejected because the custom key store contains AWS KMS customer +// master keys (CMKs). After verifying that you do not need to use the CMKs, +// use the ScheduleKeyDeletion operation to delete the CMKs. After they are +// deleted, you can delete the custom key store. +// +// * CustomKeyStoreInvalidStateException +// The request was rejected because of the ConnectionState of the custom key +// store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores +// operation. +// +// This exception is thrown under the following conditions: +// +// * You requested the CreateKey or GenerateRandom operation in a custom +// key store that is not connected. These operations are valid only when +// the custom key store ConnectionState is CONNECTED. +// +// * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation +// on a custom key store that is not disconnected. This operation is valid +// only when the custom key store ConnectionState is DISCONNECTED. +// +// * You requested the ConnectCustomKeyStore operation on a custom key store +// with a ConnectionState of DISCONNECTING or FAILED. This operation is valid +// for all other ConnectionState values. +// +// * CustomKeyStoreNotFoundException +// The request was rejected because AWS KMS cannot find a custom key store with +// the specified key store name or ID. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteCustomKeyStore +func (c *KMS) DeleteCustomKeyStore(input *DeleteCustomKeyStoreInput) (*DeleteCustomKeyStoreOutput, error) { + req, out := c.DeleteCustomKeyStoreRequest(input) + return out, req.Send() +} + +// DeleteCustomKeyStoreWithContext is the same as DeleteCustomKeyStore with the addition of +// the ability to pass a context and additional request options. +// +// See DeleteCustomKeyStore for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) DeleteCustomKeyStoreWithContext(ctx aws.Context, input *DeleteCustomKeyStoreInput, opts ...request.Option) (*DeleteCustomKeyStoreOutput, error) { + req, out := c.DeleteCustomKeyStoreRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opDeleteImportedKeyMaterial = "DeleteImportedKeyMaterial" + +// DeleteImportedKeyMaterialRequest generates a "aws/request.Request" representing the +// client's request for the DeleteImportedKeyMaterial operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See DeleteImportedKeyMaterial for more information on using the DeleteImportedKeyMaterial +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the DeleteImportedKeyMaterialRequest method. +// req, resp := client.DeleteImportedKeyMaterialRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteImportedKeyMaterial +func (c *KMS) DeleteImportedKeyMaterialRequest(input *DeleteImportedKeyMaterialInput) (req *request.Request, output *DeleteImportedKeyMaterialOutput) { + op := &request.Operation{ + Name: opDeleteImportedKeyMaterial, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &DeleteImportedKeyMaterialInput{} + } + + output = &DeleteImportedKeyMaterialOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// DeleteImportedKeyMaterial API operation for AWS Key Management Service. +// +// Deletes key material that you previously imported. This operation makes the +// specified customer master key (CMK) unusable. For more information about +// importing key material into AWS KMS, see Importing Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) +// in the AWS Key Management Service Developer Guide. +// +// When the specified CMK is in the PendingDeletion state, this operation does +// not change the CMK's state. Otherwise, it changes the CMK's state to PendingImport. +// +// After you delete key material, you can use ImportKeyMaterial to reimport +// the same key material into the CMK. +// +// The CMK that you use for this operation must be in a compatible key state. +// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Cross-account use: No. You cannot perform this operation on a CMK in a different +// AWS account. +// +// Required permissions: kms:DeleteImportedKeyMaterial (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (key policy) +// +// Related operations: +// +// * GetParametersForImport +// +// * ImportKeyMaterial +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation DeleteImportedKeyMaterial for usage and error information. +// +// Returned Error Types: +// * InvalidArnException +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * UnsupportedOperationException +// The request was rejected because a specified parameter is not supported or +// a specified resource is not valid for this operation. +// +// * DependencyTimeoutException +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * NotFoundException +// The request was rejected because the specified entity or resource could not +// be found. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * InvalidStateException +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide . +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteImportedKeyMaterial +func (c *KMS) DeleteImportedKeyMaterial(input *DeleteImportedKeyMaterialInput) (*DeleteImportedKeyMaterialOutput, error) { + req, out := c.DeleteImportedKeyMaterialRequest(input) + return out, req.Send() +} + +// DeleteImportedKeyMaterialWithContext is the same as DeleteImportedKeyMaterial with the addition of +// the ability to pass a context and additional request options. +// +// See DeleteImportedKeyMaterial for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) DeleteImportedKeyMaterialWithContext(ctx aws.Context, input *DeleteImportedKeyMaterialInput, opts ...request.Option) (*DeleteImportedKeyMaterialOutput, error) { + req, out := c.DeleteImportedKeyMaterialRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opDescribeCustomKeyStores = "DescribeCustomKeyStores" + +// DescribeCustomKeyStoresRequest generates a "aws/request.Request" representing the +// client's request for the DescribeCustomKeyStores operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See DescribeCustomKeyStores for more information on using the DescribeCustomKeyStores +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the DescribeCustomKeyStoresRequest method. +// req, resp := client.DescribeCustomKeyStoresRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeCustomKeyStores +func (c *KMS) DescribeCustomKeyStoresRequest(input *DescribeCustomKeyStoresInput) (req *request.Request, output *DescribeCustomKeyStoresOutput) { + op := &request.Operation{ + Name: opDescribeCustomKeyStores, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &DescribeCustomKeyStoresInput{} + } + + output = &DescribeCustomKeyStoresOutput{} + req = c.newRequest(op, input, output) + return +} + +// DescribeCustomKeyStores API operation for AWS Key Management Service. +// +// Gets information about custom key stores (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) +// in the account and region. +// +// This operation is part of the Custom Key Store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) +// feature in AWS KMS, which combines the convenience and extensive integration +// of AWS KMS with the isolation and control of a single-tenant key store. +// +// By default, this operation returns information about all custom key stores +// in the account and region. To get only information about a particular custom +// key store, use either the CustomKeyStoreName or CustomKeyStoreId parameter +// (but not both). +// +// To determine whether the custom key store is connected to its AWS CloudHSM +// cluster, use the ConnectionState element in the response. If an attempt to +// connect the custom key store failed, the ConnectionState value is FAILED +// and the ConnectionErrorCode element in the response indicates the cause of +// the failure. For help interpreting the ConnectionErrorCode, see CustomKeyStoresListEntry. +// +// Custom key stores have a DISCONNECTED connection state if the key store has +// never been connected or you use the DisconnectCustomKeyStore operation to +// disconnect it. If your custom key store state is CONNECTED but you are having +// trouble using it, make sure that its associated AWS CloudHSM cluster is active +// and contains the minimum number of HSMs required for the operation, if any. +// +// For help repairing your custom key store, see the Troubleshooting Custom +// Key Stores (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html) +// topic in the AWS Key Management Service Developer Guide. +// +// Cross-account use: No. You cannot perform this operation on a custom key +// store in a different AWS account. +// +// Required permissions: kms:DescribeCustomKeyStores (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (IAM policy) +// +// Related operations: +// +// * ConnectCustomKeyStore +// +// * CreateCustomKeyStore +// +// * DeleteCustomKeyStore +// +// * DisconnectCustomKeyStore +// +// * UpdateCustomKeyStore +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation DescribeCustomKeyStores for usage and error information. +// +// Returned Error Types: +// * CustomKeyStoreNotFoundException +// The request was rejected because AWS KMS cannot find a custom key store with +// the specified key store name or ID. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeCustomKeyStores +func (c *KMS) DescribeCustomKeyStores(input *DescribeCustomKeyStoresInput) (*DescribeCustomKeyStoresOutput, error) { + req, out := c.DescribeCustomKeyStoresRequest(input) + return out, req.Send() +} + +// DescribeCustomKeyStoresWithContext is the same as DescribeCustomKeyStores with the addition of +// the ability to pass a context and additional request options. +// +// See DescribeCustomKeyStores for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) DescribeCustomKeyStoresWithContext(ctx aws.Context, input *DescribeCustomKeyStoresInput, opts ...request.Option) (*DescribeCustomKeyStoresOutput, error) { + req, out := c.DescribeCustomKeyStoresRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opDescribeKey = "DescribeKey" + +// DescribeKeyRequest generates a "aws/request.Request" representing the +// client's request for the DescribeKey operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See DescribeKey for more information on using the DescribeKey +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the DescribeKeyRequest method. +// req, resp := client.DescribeKeyRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeKey +func (c *KMS) DescribeKeyRequest(input *DescribeKeyInput) (req *request.Request, output *DescribeKeyOutput) { + op := &request.Operation{ + Name: opDescribeKey, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &DescribeKeyInput{} + } + + output = &DescribeKeyOutput{} + req = c.newRequest(op, input, output) + return +} + +// DescribeKey API operation for AWS Key Management Service. +// +// Provides detailed information about a customer master key (CMK). You can +// run DescribeKey on a customer managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) +// or an AWS managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk). +// +// This detailed information includes the key ARN, creation date (and deletion +// date, if applicable), the key state, and the origin and expiration date (if +// any) of the key material. For CMKs in custom key stores, it includes information +// about the custom key store, such as the key store ID and the AWS CloudHSM +// cluster ID. It includes fields, like KeySpec, that help you distinguish symmetric +// from asymmetric CMKs. It also provides information that is particularly important +// to asymmetric CMKs, such as the key usage (encryption or signing) and the +// encryption algorithms or signing algorithms that the CMK supports. +// +// DescribeKey does not return the following information: +// +// * Aliases associated with the CMK. To get this information, use ListAliases. +// +// * Whether automatic key rotation is enabled on the CMK. To get this information, +// use GetKeyRotationStatus. Also, some key states prevent a CMK from being +// automatically rotated. For details, see How Automatic Key Rotation Works +// (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-how-it-works) +// in AWS Key Management Service Developer Guide. +// +// * Tags on the CMK. To get this information, use ListResourceTags. +// +// * Key policies and grants on the CMK. To get this information, use GetKeyPolicy +// and ListGrants. +// +// If you call the DescribeKey operation on a predefined AWS alias, that is, +// an AWS alias with no key ID, AWS KMS creates an AWS managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys). +// Then, it associates the alias with the new CMK, and returns the KeyId and +// Arn of the new CMK in the response. +// +// Cross-account use: Yes. To perform this operation with a CMK in a different +// AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter. +// +// Required permissions: kms:DescribeKey (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (key policy) +// +// Related operations: +// +// * GetKeyPolicy +// +// * GetKeyRotationStatus +// +// * ListAliases +// +// * ListGrants +// +// * ListKeys +// +// * ListResourceTags +// +// * ListRetirableGrants +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation DescribeKey for usage and error information. +// +// Returned Error Types: +// * NotFoundException +// The request was rejected because the specified entity or resource could not +// be found. +// +// * InvalidArnException +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * DependencyTimeoutException +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeKey +func (c *KMS) DescribeKey(input *DescribeKeyInput) (*DescribeKeyOutput, error) { + req, out := c.DescribeKeyRequest(input) + return out, req.Send() +} + +// DescribeKeyWithContext is the same as DescribeKey with the addition of +// the ability to pass a context and additional request options. +// +// See DescribeKey for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) DescribeKeyWithContext(ctx aws.Context, input *DescribeKeyInput, opts ...request.Option) (*DescribeKeyOutput, error) { + req, out := c.DescribeKeyRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opDisableKey = "DisableKey" + +// DisableKeyRequest generates a "aws/request.Request" representing the +// client's request for the DisableKey operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See DisableKey for more information on using the DisableKey +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the DisableKeyRequest method. +// req, resp := client.DisableKeyRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKey +func (c *KMS) DisableKeyRequest(input *DisableKeyInput) (req *request.Request, output *DisableKeyOutput) { + op := &request.Operation{ + Name: opDisableKey, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &DisableKeyInput{} + } + + output = &DisableKeyOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// DisableKey API operation for AWS Key Management Service. +// +// Sets the state of a customer master key (CMK) to disabled. This change temporarily +// prevents use of the CMK for cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations). +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects the Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide . +// +// The CMK that you use for this operation must be in a compatible key state. +// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Cross-account use: No. You cannot perform this operation on a CMK in a different +// AWS account. +// +// Required permissions: kms:DisableKey (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (key policy) +// +// Related operations: EnableKey +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation DisableKey for usage and error information. +// +// Returned Error Types: +// * NotFoundException +// The request was rejected because the specified entity or resource could not +// be found. +// +// * InvalidArnException +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * DependencyTimeoutException +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * InvalidStateException +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide . +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKey +func (c *KMS) DisableKey(input *DisableKeyInput) (*DisableKeyOutput, error) { + req, out := c.DisableKeyRequest(input) + return out, req.Send() +} + +// DisableKeyWithContext is the same as DisableKey with the addition of +// the ability to pass a context and additional request options. +// +// See DisableKey for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) DisableKeyWithContext(ctx aws.Context, input *DisableKeyInput, opts ...request.Option) (*DisableKeyOutput, error) { + req, out := c.DisableKeyRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opDisableKeyRotation = "DisableKeyRotation" + +// DisableKeyRotationRequest generates a "aws/request.Request" representing the +// client's request for the DisableKeyRotation operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See DisableKeyRotation for more information on using the DisableKeyRotation +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the DisableKeyRotationRequest method. +// req, resp := client.DisableKeyRotationRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKeyRotation +func (c *KMS) DisableKeyRotationRequest(input *DisableKeyRotationInput) (req *request.Request, output *DisableKeyRotationOutput) { + op := &request.Operation{ + Name: opDisableKeyRotation, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &DisableKeyRotationInput{} + } + + output = &DisableKeyRotationOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// DisableKeyRotation API operation for AWS Key Management Service. +// +// Disables automatic rotation of the key material (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html) +// for the specified symmetric customer master key (CMK). +// +// You cannot enable automatic rotation of asymmetric CMKs, CMKs with imported +// key material, or CMKs in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html). +// +// The CMK that you use for this operation must be in a compatible key state. +// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Cross-account use: No. You cannot perform this operation on a CMK in a different +// AWS account. +// +// Required permissions: kms:DisableKeyRotation (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (key policy) +// +// Related operations: +// +// * EnableKeyRotation +// +// * GetKeyRotationStatus +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation DisableKeyRotation for usage and error information. +// +// Returned Error Types: +// * NotFoundException +// The request was rejected because the specified entity or resource could not +// be found. +// +// * DisabledException +// The request was rejected because the specified CMK is not enabled. +// +// * InvalidArnException +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * DependencyTimeoutException +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * InvalidStateException +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide . +// +// * UnsupportedOperationException +// The request was rejected because a specified parameter is not supported or +// a specified resource is not valid for this operation. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKeyRotation +func (c *KMS) DisableKeyRotation(input *DisableKeyRotationInput) (*DisableKeyRotationOutput, error) { + req, out := c.DisableKeyRotationRequest(input) + return out, req.Send() +} + +// DisableKeyRotationWithContext is the same as DisableKeyRotation with the addition of +// the ability to pass a context and additional request options. +// +// See DisableKeyRotation for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) DisableKeyRotationWithContext(ctx aws.Context, input *DisableKeyRotationInput, opts ...request.Option) (*DisableKeyRotationOutput, error) { + req, out := c.DisableKeyRotationRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opDisconnectCustomKeyStore = "DisconnectCustomKeyStore" + +// DisconnectCustomKeyStoreRequest generates a "aws/request.Request" representing the +// client's request for the DisconnectCustomKeyStore operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See DisconnectCustomKeyStore for more information on using the DisconnectCustomKeyStore +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the DisconnectCustomKeyStoreRequest method. +// req, resp := client.DisconnectCustomKeyStoreRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisconnectCustomKeyStore +func (c *KMS) DisconnectCustomKeyStoreRequest(input *DisconnectCustomKeyStoreInput) (req *request.Request, output *DisconnectCustomKeyStoreOutput) { + op := &request.Operation{ + Name: opDisconnectCustomKeyStore, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &DisconnectCustomKeyStoreInput{} + } + + output = &DisconnectCustomKeyStoreOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// DisconnectCustomKeyStore API operation for AWS Key Management Service. +// +// Disconnects the custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) +// from its associated AWS CloudHSM cluster. While a custom key store is disconnected, +// you can manage the custom key store and its customer master keys (CMKs), +// but you cannot create or use CMKs in the custom key store. You can reconnect +// the custom key store at any time. +// +// While a custom key store is disconnected, all attempts to create customer +// master keys (CMKs) in the custom key store or to use existing CMKs in cryptographic +// operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) +// will fail. This action can prevent users from storing and accessing sensitive +// data. +// +// To find the connection state of a custom key store, use the DescribeCustomKeyStores +// operation. To reconnect a custom key store, use the ConnectCustomKeyStore +// operation. +// +// If the operation succeeds, it returns a JSON object with no properties. +// +// This operation is part of the Custom Key Store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) +// feature in AWS KMS, which combines the convenience and extensive integration +// of AWS KMS with the isolation and control of a single-tenant key store. +// +// Cross-account use: No. You cannot perform this operation on a custom key +// store in a different AWS account. +// +// Required permissions: kms:DisconnectCustomKeyStore (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (IAM policy) +// +// Related operations: +// +// * ConnectCustomKeyStore +// +// * CreateCustomKeyStore +// +// * DeleteCustomKeyStore +// +// * DescribeCustomKeyStores +// +// * UpdateCustomKeyStore +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation DisconnectCustomKeyStore for usage and error information. +// +// Returned Error Types: +// * CustomKeyStoreInvalidStateException +// The request was rejected because of the ConnectionState of the custom key +// store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores +// operation. +// +// This exception is thrown under the following conditions: +// +// * You requested the CreateKey or GenerateRandom operation in a custom +// key store that is not connected. These operations are valid only when +// the custom key store ConnectionState is CONNECTED. +// +// * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation +// on a custom key store that is not disconnected. This operation is valid +// only when the custom key store ConnectionState is DISCONNECTED. +// +// * You requested the ConnectCustomKeyStore operation on a custom key store +// with a ConnectionState of DISCONNECTING or FAILED. This operation is valid +// for all other ConnectionState values. +// +// * CustomKeyStoreNotFoundException +// The request was rejected because AWS KMS cannot find a custom key store with +// the specified key store name or ID. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisconnectCustomKeyStore +func (c *KMS) DisconnectCustomKeyStore(input *DisconnectCustomKeyStoreInput) (*DisconnectCustomKeyStoreOutput, error) { + req, out := c.DisconnectCustomKeyStoreRequest(input) + return out, req.Send() +} + +// DisconnectCustomKeyStoreWithContext is the same as DisconnectCustomKeyStore with the addition of +// the ability to pass a context and additional request options. +// +// See DisconnectCustomKeyStore for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) DisconnectCustomKeyStoreWithContext(ctx aws.Context, input *DisconnectCustomKeyStoreInput, opts ...request.Option) (*DisconnectCustomKeyStoreOutput, error) { + req, out := c.DisconnectCustomKeyStoreRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opEnableKey = "EnableKey" + +// EnableKeyRequest generates a "aws/request.Request" representing the +// client's request for the EnableKey operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See EnableKey for more information on using the EnableKey +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the EnableKeyRequest method. +// req, resp := client.EnableKeyRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKey +func (c *KMS) EnableKeyRequest(input *EnableKeyInput) (req *request.Request, output *EnableKeyOutput) { + op := &request.Operation{ + Name: opEnableKey, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &EnableKeyInput{} + } + + output = &EnableKeyOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// EnableKey API operation for AWS Key Management Service. +// +// Sets the key state of a customer master key (CMK) to enabled. This allows +// you to use the CMK for cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations). +// +// The CMK that you use for this operation must be in a compatible key state. +// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Cross-account use: No. You cannot perform this operation on a CMK in a different +// AWS account. +// +// Required permissions: kms:EnableKey (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (key policy) +// +// Related operations: DisableKey +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation EnableKey for usage and error information. +// +// Returned Error Types: +// * NotFoundException +// The request was rejected because the specified entity or resource could not +// be found. +// +// * InvalidArnException +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * DependencyTimeoutException +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * LimitExceededException +// The request was rejected because a quota was exceeded. For more information, +// see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html) +// in the AWS Key Management Service Developer Guide. +// +// * InvalidStateException +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide . +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKey +func (c *KMS) EnableKey(input *EnableKeyInput) (*EnableKeyOutput, error) { + req, out := c.EnableKeyRequest(input) + return out, req.Send() +} + +// EnableKeyWithContext is the same as EnableKey with the addition of +// the ability to pass a context and additional request options. +// +// See EnableKey for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) EnableKeyWithContext(ctx aws.Context, input *EnableKeyInput, opts ...request.Option) (*EnableKeyOutput, error) { + req, out := c.EnableKeyRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opEnableKeyRotation = "EnableKeyRotation" + +// EnableKeyRotationRequest generates a "aws/request.Request" representing the +// client's request for the EnableKeyRotation operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See EnableKeyRotation for more information on using the EnableKeyRotation +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the EnableKeyRotationRequest method. +// req, resp := client.EnableKeyRotationRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotation +func (c *KMS) EnableKeyRotationRequest(input *EnableKeyRotationInput) (req *request.Request, output *EnableKeyRotationOutput) { + op := &request.Operation{ + Name: opEnableKeyRotation, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &EnableKeyRotationInput{} + } + + output = &EnableKeyRotationOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// EnableKeyRotation API operation for AWS Key Management Service. +// +// Enables automatic rotation of the key material (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html) +// for the specified symmetric customer master key (CMK). +// +// You cannot enable automatic rotation of asymmetric CMKs, CMKs with imported +// key material, or CMKs in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html). +// +// The CMK that you use for this operation must be in a compatible key state. +// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Cross-account use: No. You cannot perform this operation on a CMK in a different +// AWS account. +// +// Required permissions: kms:EnableKeyRotation (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (key policy) +// +// Related operations: +// +// * DisableKeyRotation +// +// * GetKeyRotationStatus +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation EnableKeyRotation for usage and error information. +// +// Returned Error Types: +// * NotFoundException +// The request was rejected because the specified entity or resource could not +// be found. +// +// * DisabledException +// The request was rejected because the specified CMK is not enabled. +// +// * InvalidArnException +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * DependencyTimeoutException +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * InvalidStateException +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide . +// +// * UnsupportedOperationException +// The request was rejected because a specified parameter is not supported or +// a specified resource is not valid for this operation. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotation +func (c *KMS) EnableKeyRotation(input *EnableKeyRotationInput) (*EnableKeyRotationOutput, error) { + req, out := c.EnableKeyRotationRequest(input) + return out, req.Send() +} + +// EnableKeyRotationWithContext is the same as EnableKeyRotation with the addition of +// the ability to pass a context and additional request options. +// +// See EnableKeyRotation for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) EnableKeyRotationWithContext(ctx aws.Context, input *EnableKeyRotationInput, opts ...request.Option) (*EnableKeyRotationOutput, error) { + req, out := c.EnableKeyRotationRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opEncrypt = "Encrypt" + +// EncryptRequest generates a "aws/request.Request" representing the +// client's request for the Encrypt operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See Encrypt for more information on using the Encrypt +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the EncryptRequest method. +// req, resp := client.EncryptRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Encrypt +func (c *KMS) EncryptRequest(input *EncryptInput) (req *request.Request, output *EncryptOutput) { + op := &request.Operation{ + Name: opEncrypt, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &EncryptInput{} + } + + output = &EncryptOutput{} + req = c.newRequest(op, input, output) + return +} + +// Encrypt API operation for AWS Key Management Service. +// +// Encrypts plaintext into ciphertext by using a customer master key (CMK). +// The Encrypt operation has two primary use cases: +// +// * You can encrypt small amounts of arbitrary data, such as a personal +// identifier or database password, or other sensitive information. +// +// * You can use the Encrypt operation to move encrypted data from one AWS +// Region to another. For example, in Region A, generate a data key and use +// the plaintext key to encrypt your data. Then, in Region A, use the Encrypt +// operation to encrypt the plaintext data key under a CMK in Region B. Now, +// you can move the encrypted data and the encrypted data key to Region B. +// When necessary, you can decrypt the encrypted data key and the encrypted +// data entirely within in Region B. +// +// You don't need to use the Encrypt operation to encrypt a data key. The GenerateDataKey +// and GenerateDataKeyPair operations return a plaintext data key and an encrypted +// copy of that data key. +// +// When you encrypt data, you must specify a symmetric or asymmetric CMK to +// use in the encryption operation. The CMK must have a KeyUsage value of ENCRYPT_DECRYPT. +// To find the KeyUsage of a CMK, use the DescribeKey operation. +// +// If you use a symmetric CMK, you can use an encryption context to add additional +// security to your encryption operation. If you specify an EncryptionContext +// when encrypting data, you must specify the same encryption context (a case-sensitive +// exact match) when decrypting the data. Otherwise, the request to decrypt +// fails with an InvalidCiphertextException. For more information, see Encryption +// Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) +// in the AWS Key Management Service Developer Guide. +// +// If you specify an asymmetric CMK, you must also specify the encryption algorithm. +// The algorithm must be compatible with the CMK type. +// +// When you use an asymmetric CMK to encrypt or reencrypt data, be sure to record +// the CMK and encryption algorithm that you choose. You will be required to +// provide the same CMK and encryption algorithm when you decrypt the data. +// If the CMK and algorithm do not match the values used to encrypt the data, +// the decrypt operation fails. +// +// You are not required to supply the CMK ID and encryption algorithm when you +// decrypt with symmetric CMKs because AWS KMS stores this information in the +// ciphertext blob. AWS KMS cannot store metadata in ciphertext generated with +// asymmetric keys. The standard format for asymmetric key ciphertext does not +// include configurable fields. +// +// The maximum size of the data that you can encrypt varies with the type of +// CMK and the encryption algorithm that you choose. +// +// * Symmetric CMKs SYMMETRIC_DEFAULT: 4096 bytes +// +// * RSA_2048 RSAES_OAEP_SHA_1: 214 bytes RSAES_OAEP_SHA_256: 190 bytes +// +// * RSA_3072 RSAES_OAEP_SHA_1: 342 bytes RSAES_OAEP_SHA_256: 318 bytes +// +// * RSA_4096 RSAES_OAEP_SHA_1: 470 bytes RSAES_OAEP_SHA_256: 446 bytes +// +// The CMK that you use for this operation must be in a compatible key state. +// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Cross-account use: Yes. To perform this operation with a CMK in a different +// AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter. +// +// Required permissions: kms:Encrypt (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (key policy) +// +// Related operations: +// +// * Decrypt +// +// * GenerateDataKey +// +// * GenerateDataKeyPair +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation Encrypt for usage and error information. +// +// Returned Error Types: +// * NotFoundException +// The request was rejected because the specified entity or resource could not +// be found. +// +// * DisabledException +// The request was rejected because the specified CMK is not enabled. +// +// * KeyUnavailableException +// The request was rejected because the specified CMK was not available. You +// can retry the request. +// +// * DependencyTimeoutException +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * InvalidKeyUsageException +// The request was rejected for one of the following reasons: +// +// * The KeyUsage value of the CMK is incompatible with the API operation. +// +// * The encryption algorithm or signing algorithm specified for the operation +// is incompatible with the type of key material in the CMK (CustomerMasterKeySpec). +// +// For encrypting, decrypting, re-encrypting, and generating data keys, the +// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage +// must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation. +// +// To find the encryption or signing algorithms supported for a particular CMK, +// use the DescribeKey operation. +// +// * InvalidGrantTokenException +// The request was rejected because the specified grant token is not valid. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * InvalidStateException +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide . +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Encrypt +func (c *KMS) Encrypt(input *EncryptInput) (*EncryptOutput, error) { + req, out := c.EncryptRequest(input) + return out, req.Send() +} + +// EncryptWithContext is the same as Encrypt with the addition of +// the ability to pass a context and additional request options. +// +// See Encrypt for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) EncryptWithContext(ctx aws.Context, input *EncryptInput, opts ...request.Option) (*EncryptOutput, error) { + req, out := c.EncryptRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opGenerateDataKey = "GenerateDataKey" + +// GenerateDataKeyRequest generates a "aws/request.Request" representing the +// client's request for the GenerateDataKey operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See GenerateDataKey for more information on using the GenerateDataKey +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the GenerateDataKeyRequest method. +// req, resp := client.GenerateDataKeyRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKey +func (c *KMS) GenerateDataKeyRequest(input *GenerateDataKeyInput) (req *request.Request, output *GenerateDataKeyOutput) { + op := &request.Operation{ + Name: opGenerateDataKey, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &GenerateDataKeyInput{} + } + + output = &GenerateDataKeyOutput{} + req = c.newRequest(op, input, output) + return +} + +// GenerateDataKey API operation for AWS Key Management Service. +// +// Generates a unique symmetric data key for client-side encryption. This operation +// returns a plaintext copy of the data key and a copy that is encrypted under +// a customer master key (CMK) that you specify. You can use the plaintext key +// to encrypt your data outside of AWS KMS and store the encrypted data key +// with the encrypted data. +// +// GenerateDataKey returns a unique data key for each request. The bytes in +// the plaintext key are not related to the caller or the CMK. +// +// To generate a data key, specify the symmetric CMK that will be used to encrypt +// the data key. You cannot use an asymmetric CMK to generate data keys. To +// get the type of your CMK, use the DescribeKey operation. You must also specify +// the length of the data key. Use either the KeySpec or NumberOfBytes parameters +// (but not both). For 128-bit and 256-bit data keys, use the KeySpec parameter. +// +// To get only an encrypted copy of the data key, use GenerateDataKeyWithoutPlaintext. +// To generate an asymmetric data key pair, use the GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext +// operation. To get a cryptographically secure random byte string, use GenerateRandom. +// +// You can use the optional encryption context to add additional security to +// the encryption operation. If you specify an EncryptionContext, you must specify +// the same encryption context (a case-sensitive exact match) when decrypting +// the encrypted data key. Otherwise, the request to decrypt fails with an InvalidCiphertextException. +// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) +// in the AWS Key Management Service Developer Guide. +// +// The CMK that you use for this operation must be in a compatible key state. +// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// How to use your data key +// +// We recommend that you use the following pattern to encrypt data locally in +// your application. You can write your own code or use a client-side encryption +// library, such as the AWS Encryption SDK (https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/), +// the Amazon DynamoDB Encryption Client (https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/), +// or Amazon S3 client-side encryption (https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html) +// to do these tasks for you. +// +// To encrypt data outside of AWS KMS: +// +// Use the GenerateDataKey operation to get a data key. +// +// Use the plaintext data key (in the Plaintext field of the response) to encrypt +// your data outside of AWS KMS. Then erase the plaintext data key from memory. +// +// Store the encrypted data key (in the CiphertextBlob field of the response) +// with the encrypted data. +// +// To decrypt data outside of AWS KMS: +// +// Use the Decrypt operation to decrypt the encrypted data key. The operation +// returns a plaintext copy of the data key. +// +// Use the plaintext data key to decrypt data outside of AWS KMS, then erase +// the plaintext data key from memory. +// +// Cross-account use: Yes. To perform this operation with a CMK in a different +// AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter. +// +// Required permissions: kms:GenerateDataKey (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (key policy) +// +// Related operations: +// +// * Decrypt +// +// * Encrypt +// +// * GenerateDataKeyPair +// +// * GenerateDataKeyPairWithoutPlaintext +// +// * GenerateDataKeyWithoutPlaintext +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation GenerateDataKey for usage and error information. +// +// Returned Error Types: +// * NotFoundException +// The request was rejected because the specified entity or resource could not +// be found. +// +// * DisabledException +// The request was rejected because the specified CMK is not enabled. +// +// * KeyUnavailableException +// The request was rejected because the specified CMK was not available. You +// can retry the request. +// +// * DependencyTimeoutException +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * InvalidKeyUsageException +// The request was rejected for one of the following reasons: +// +// * The KeyUsage value of the CMK is incompatible with the API operation. +// +// * The encryption algorithm or signing algorithm specified for the operation +// is incompatible with the type of key material in the CMK (CustomerMasterKeySpec). +// +// For encrypting, decrypting, re-encrypting, and generating data keys, the +// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage +// must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation. +// +// To find the encryption or signing algorithms supported for a particular CMK, +// use the DescribeKey operation. +// +// * InvalidGrantTokenException +// The request was rejected because the specified grant token is not valid. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * InvalidStateException +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide . +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKey +func (c *KMS) GenerateDataKey(input *GenerateDataKeyInput) (*GenerateDataKeyOutput, error) { + req, out := c.GenerateDataKeyRequest(input) + return out, req.Send() +} + +// GenerateDataKeyWithContext is the same as GenerateDataKey with the addition of +// the ability to pass a context and additional request options. +// +// See GenerateDataKey for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) GenerateDataKeyWithContext(ctx aws.Context, input *GenerateDataKeyInput, opts ...request.Option) (*GenerateDataKeyOutput, error) { + req, out := c.GenerateDataKeyRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opGenerateDataKeyPair = "GenerateDataKeyPair" + +// GenerateDataKeyPairRequest generates a "aws/request.Request" representing the +// client's request for the GenerateDataKeyPair operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See GenerateDataKeyPair for more information on using the GenerateDataKeyPair +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the GenerateDataKeyPairRequest method. +// req, resp := client.GenerateDataKeyPairRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPair +func (c *KMS) GenerateDataKeyPairRequest(input *GenerateDataKeyPairInput) (req *request.Request, output *GenerateDataKeyPairOutput) { + op := &request.Operation{ + Name: opGenerateDataKeyPair, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &GenerateDataKeyPairInput{} + } + + output = &GenerateDataKeyPairOutput{} + req = c.newRequest(op, input, output) + return +} + +// GenerateDataKeyPair API operation for AWS Key Management Service. +// +// Generates a unique asymmetric data key pair. The GenerateDataKeyPair operation +// returns a plaintext public key, a plaintext private key, and a copy of the +// private key that is encrypted under the symmetric CMK you specify. You can +// use the data key pair to perform asymmetric cryptography outside of AWS KMS. +// +// GenerateDataKeyPair returns a unique data key pair for each request. The +// bytes in the keys are not related to the caller or the CMK that is used to +// encrypt the private key. +// +// You can use the public key that GenerateDataKeyPair returns to encrypt data +// or verify a signature outside of AWS KMS. Then, store the encrypted private +// key with the data. When you are ready to decrypt data or sign a message, +// you can use the Decrypt operation to decrypt the encrypted private key. +// +// To generate a data key pair, you must specify a symmetric customer master +// key (CMK) to encrypt the private key in a data key pair. You cannot use an +// asymmetric CMK or a CMK in a custom key store. To get the type and origin +// of your CMK, use the DescribeKey operation. +// +// If you are using the data key pair to encrypt data, or for any operation +// where you don't immediately need a private key, consider using the GenerateDataKeyPairWithoutPlaintext +// operation. GenerateDataKeyPairWithoutPlaintext returns a plaintext public +// key and an encrypted private key, but omits the plaintext private key that +// you need only to decrypt ciphertext or sign a message. Later, when you need +// to decrypt the data or sign a message, use the Decrypt operation to decrypt +// the encrypted private key in the data key pair. +// +// You can use the optional encryption context to add additional security to +// the encryption operation. If you specify an EncryptionContext, you must specify +// the same encryption context (a case-sensitive exact match) when decrypting +// the encrypted data key. Otherwise, the request to decrypt fails with an InvalidCiphertextException. +// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) +// in the AWS Key Management Service Developer Guide. +// +// The CMK that you use for this operation must be in a compatible key state. +// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Cross-account use: Yes. To perform this operation with a CMK in a different +// AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter. +// +// Required permissions: kms:GenerateDataKeyPair (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (key policy) +// +// Related operations: +// +// * Decrypt +// +// * Encrypt +// +// * GenerateDataKey +// +// * GenerateDataKeyPairWithoutPlaintext +// +// * GenerateDataKeyWithoutPlaintext +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation GenerateDataKeyPair for usage and error information. +// +// Returned Error Types: +// * NotFoundException +// The request was rejected because the specified entity or resource could not +// be found. +// +// * DisabledException +// The request was rejected because the specified CMK is not enabled. +// +// * KeyUnavailableException +// The request was rejected because the specified CMK was not available. You +// can retry the request. +// +// * DependencyTimeoutException +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * InvalidKeyUsageException +// The request was rejected for one of the following reasons: +// +// * The KeyUsage value of the CMK is incompatible with the API operation. +// +// * The encryption algorithm or signing algorithm specified for the operation +// is incompatible with the type of key material in the CMK (CustomerMasterKeySpec). +// +// For encrypting, decrypting, re-encrypting, and generating data keys, the +// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage +// must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation. +// +// To find the encryption or signing algorithms supported for a particular CMK, +// use the DescribeKey operation. +// +// * InvalidGrantTokenException +// The request was rejected because the specified grant token is not valid. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * InvalidStateException +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide . +// +// * UnsupportedOperationException +// The request was rejected because a specified parameter is not supported or +// a specified resource is not valid for this operation. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPair +func (c *KMS) GenerateDataKeyPair(input *GenerateDataKeyPairInput) (*GenerateDataKeyPairOutput, error) { + req, out := c.GenerateDataKeyPairRequest(input) + return out, req.Send() +} + +// GenerateDataKeyPairWithContext is the same as GenerateDataKeyPair with the addition of +// the ability to pass a context and additional request options. +// +// See GenerateDataKeyPair for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) GenerateDataKeyPairWithContext(ctx aws.Context, input *GenerateDataKeyPairInput, opts ...request.Option) (*GenerateDataKeyPairOutput, error) { + req, out := c.GenerateDataKeyPairRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opGenerateDataKeyPairWithoutPlaintext = "GenerateDataKeyPairWithoutPlaintext" + +// GenerateDataKeyPairWithoutPlaintextRequest generates a "aws/request.Request" representing the +// client's request for the GenerateDataKeyPairWithoutPlaintext operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See GenerateDataKeyPairWithoutPlaintext for more information on using the GenerateDataKeyPairWithoutPlaintext +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the GenerateDataKeyPairWithoutPlaintextRequest method. +// req, resp := client.GenerateDataKeyPairWithoutPlaintextRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintext +func (c *KMS) GenerateDataKeyPairWithoutPlaintextRequest(input *GenerateDataKeyPairWithoutPlaintextInput) (req *request.Request, output *GenerateDataKeyPairWithoutPlaintextOutput) { + op := &request.Operation{ + Name: opGenerateDataKeyPairWithoutPlaintext, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &GenerateDataKeyPairWithoutPlaintextInput{} + } + + output = &GenerateDataKeyPairWithoutPlaintextOutput{} + req = c.newRequest(op, input, output) + return +} + +// GenerateDataKeyPairWithoutPlaintext API operation for AWS Key Management Service. +// +// Generates a unique asymmetric data key pair. The GenerateDataKeyPairWithoutPlaintext +// operation returns a plaintext public key and a copy of the private key that +// is encrypted under the symmetric CMK you specify. Unlike GenerateDataKeyPair, +// this operation does not return a plaintext private key. +// +// To generate a data key pair, you must specify a symmetric customer master +// key (CMK) to encrypt the private key in the data key pair. You cannot use +// an asymmetric CMK or a CMK in a custom key store. To get the type and origin +// of your CMK, use the KeySpec field in the DescribeKey response. +// +// You can use the public key that GenerateDataKeyPairWithoutPlaintext returns +// to encrypt data or verify a signature outside of AWS KMS. Then, store the +// encrypted private key with the data. When you are ready to decrypt data or +// sign a message, you can use the Decrypt operation to decrypt the encrypted +// private key. +// +// GenerateDataKeyPairWithoutPlaintext returns a unique data key pair for each +// request. The bytes in the key are not related to the caller or CMK that is +// used to encrypt the private key. +// +// You can use the optional encryption context to add additional security to +// the encryption operation. If you specify an EncryptionContext, you must specify +// the same encryption context (a case-sensitive exact match) when decrypting +// the encrypted data key. Otherwise, the request to decrypt fails with an InvalidCiphertextException. +// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) +// in the AWS Key Management Service Developer Guide. +// +// The CMK that you use for this operation must be in a compatible key state. +// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Cross-account use: Yes. To perform this operation with a CMK in a different +// AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter. +// +// Required permissions: kms:GenerateDataKeyPairWithoutPlaintext (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (key policy) +// +// Related operations: +// +// * Decrypt +// +// * Encrypt +// +// * GenerateDataKey +// +// * GenerateDataKeyPair +// +// * GenerateDataKeyWithoutPlaintext +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation GenerateDataKeyPairWithoutPlaintext for usage and error information. +// +// Returned Error Types: +// * NotFoundException +// The request was rejected because the specified entity or resource could not +// be found. +// +// * DisabledException +// The request was rejected because the specified CMK is not enabled. +// +// * KeyUnavailableException +// The request was rejected because the specified CMK was not available. You +// can retry the request. +// +// * DependencyTimeoutException +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * InvalidKeyUsageException +// The request was rejected for one of the following reasons: +// +// * The KeyUsage value of the CMK is incompatible with the API operation. +// +// * The encryption algorithm or signing algorithm specified for the operation +// is incompatible with the type of key material in the CMK (CustomerMasterKeySpec). +// +// For encrypting, decrypting, re-encrypting, and generating data keys, the +// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage +// must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation. +// +// To find the encryption or signing algorithms supported for a particular CMK, +// use the DescribeKey operation. +// +// * InvalidGrantTokenException +// The request was rejected because the specified grant token is not valid. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * InvalidStateException +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide . +// +// * UnsupportedOperationException +// The request was rejected because a specified parameter is not supported or +// a specified resource is not valid for this operation. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintext +func (c *KMS) GenerateDataKeyPairWithoutPlaintext(input *GenerateDataKeyPairWithoutPlaintextInput) (*GenerateDataKeyPairWithoutPlaintextOutput, error) { + req, out := c.GenerateDataKeyPairWithoutPlaintextRequest(input) + return out, req.Send() +} + +// GenerateDataKeyPairWithoutPlaintextWithContext is the same as GenerateDataKeyPairWithoutPlaintext with the addition of +// the ability to pass a context and additional request options. +// +// See GenerateDataKeyPairWithoutPlaintext for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) GenerateDataKeyPairWithoutPlaintextWithContext(ctx aws.Context, input *GenerateDataKeyPairWithoutPlaintextInput, opts ...request.Option) (*GenerateDataKeyPairWithoutPlaintextOutput, error) { + req, out := c.GenerateDataKeyPairWithoutPlaintextRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opGenerateDataKeyWithoutPlaintext = "GenerateDataKeyWithoutPlaintext" + +// GenerateDataKeyWithoutPlaintextRequest generates a "aws/request.Request" representing the +// client's request for the GenerateDataKeyWithoutPlaintext operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See GenerateDataKeyWithoutPlaintext for more information on using the GenerateDataKeyWithoutPlaintext +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the GenerateDataKeyWithoutPlaintextRequest method. +// req, resp := client.GenerateDataKeyWithoutPlaintextRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintext +func (c *KMS) GenerateDataKeyWithoutPlaintextRequest(input *GenerateDataKeyWithoutPlaintextInput) (req *request.Request, output *GenerateDataKeyWithoutPlaintextOutput) { + op := &request.Operation{ + Name: opGenerateDataKeyWithoutPlaintext, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &GenerateDataKeyWithoutPlaintextInput{} + } + + output = &GenerateDataKeyWithoutPlaintextOutput{} + req = c.newRequest(op, input, output) + return +} + +// GenerateDataKeyWithoutPlaintext API operation for AWS Key Management Service. +// +// Generates a unique symmetric data key. This operation returns a data key +// that is encrypted under a customer master key (CMK) that you specify. To +// request an asymmetric data key pair, use the GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext +// operations. +// +// GenerateDataKeyWithoutPlaintext is identical to the GenerateDataKey operation +// except that returns only the encrypted copy of the data key. This operation +// is useful for systems that need to encrypt data at some point, but not immediately. +// When you need to encrypt the data, you call the Decrypt operation on the +// encrypted copy of the key. +// +// It's also useful in distributed systems with different levels of trust. For +// example, you might store encrypted data in containers. One component of your +// system creates new containers and stores an encrypted data key with each +// container. Then, a different component puts the data into the containers. +// That component first decrypts the data key, uses the plaintext data key to +// encrypt data, puts the encrypted data into the container, and then destroys +// the plaintext data key. In this system, the component that creates the containers +// never sees the plaintext data key. +// +// GenerateDataKeyWithoutPlaintext returns a unique data key for each request. +// The bytes in the keys are not related to the caller or CMK that is used to +// encrypt the private key. +// +// To generate a data key, you must specify the symmetric customer master key +// (CMK) that is used to encrypt the data key. You cannot use an asymmetric +// CMK to generate a data key. To get the type of your CMK, use the DescribeKey +// operation. +// +// If the operation succeeds, you will find the encrypted copy of the data key +// in the CiphertextBlob field. +// +// You can use the optional encryption context to add additional security to +// the encryption operation. If you specify an EncryptionContext, you must specify +// the same encryption context (a case-sensitive exact match) when decrypting +// the encrypted data key. Otherwise, the request to decrypt fails with an InvalidCiphertextException. +// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) +// in the AWS Key Management Service Developer Guide. +// +// The CMK that you use for this operation must be in a compatible key state. +// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Cross-account use: Yes. To perform this operation with a CMK in a different +// AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter. +// +// Required permissions: kms:GenerateDataKeyWithoutPlaintext (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (key policy) +// +// Related operations: +// +// * Decrypt +// +// * Encrypt +// +// * GenerateDataKey +// +// * GenerateDataKeyPair +// +// * GenerateDataKeyPairWithoutPlaintext +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation GenerateDataKeyWithoutPlaintext for usage and error information. +// +// Returned Error Types: +// * NotFoundException +// The request was rejected because the specified entity or resource could not +// be found. +// +// * DisabledException +// The request was rejected because the specified CMK is not enabled. +// +// * KeyUnavailableException +// The request was rejected because the specified CMK was not available. You +// can retry the request. +// +// * DependencyTimeoutException +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * InvalidKeyUsageException +// The request was rejected for one of the following reasons: +// +// * The KeyUsage value of the CMK is incompatible with the API operation. +// +// * The encryption algorithm or signing algorithm specified for the operation +// is incompatible with the type of key material in the CMK (CustomerMasterKeySpec). +// +// For encrypting, decrypting, re-encrypting, and generating data keys, the +// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage +// must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation. +// +// To find the encryption or signing algorithms supported for a particular CMK, +// use the DescribeKey operation. +// +// * InvalidGrantTokenException +// The request was rejected because the specified grant token is not valid. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * InvalidStateException +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide . +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintext +func (c *KMS) GenerateDataKeyWithoutPlaintext(input *GenerateDataKeyWithoutPlaintextInput) (*GenerateDataKeyWithoutPlaintextOutput, error) { + req, out := c.GenerateDataKeyWithoutPlaintextRequest(input) + return out, req.Send() +} + +// GenerateDataKeyWithoutPlaintextWithContext is the same as GenerateDataKeyWithoutPlaintext with the addition of +// the ability to pass a context and additional request options. +// +// See GenerateDataKeyWithoutPlaintext for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) GenerateDataKeyWithoutPlaintextWithContext(ctx aws.Context, input *GenerateDataKeyWithoutPlaintextInput, opts ...request.Option) (*GenerateDataKeyWithoutPlaintextOutput, error) { + req, out := c.GenerateDataKeyWithoutPlaintextRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opGenerateRandom = "GenerateRandom" + +// GenerateRandomRequest generates a "aws/request.Request" representing the +// client's request for the GenerateRandom operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See GenerateRandom for more information on using the GenerateRandom +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the GenerateRandomRequest method. +// req, resp := client.GenerateRandomRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandom +func (c *KMS) GenerateRandomRequest(input *GenerateRandomInput) (req *request.Request, output *GenerateRandomOutput) { + op := &request.Operation{ + Name: opGenerateRandom, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &GenerateRandomInput{} + } + + output = &GenerateRandomOutput{} + req = c.newRequest(op, input, output) + return +} + +// GenerateRandom API operation for AWS Key Management Service. +// +// Returns a random byte string that is cryptographically secure. +// +// By default, the random byte string is generated in AWS KMS. To generate the +// byte string in the AWS CloudHSM cluster that is associated with a custom +// key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html), +// specify the custom key store ID. +// +// For more information about entropy and random number generation, see the +// AWS Key Management Service Cryptographic Details (https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf) +// whitepaper. +// +// Required permissions: kms:GenerateRandom (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (IAM policy) +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation GenerateRandom for usage and error information. +// +// Returned Error Types: +// * DependencyTimeoutException +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * CustomKeyStoreNotFoundException +// The request was rejected because AWS KMS cannot find a custom key store with +// the specified key store name or ID. +// +// * CustomKeyStoreInvalidStateException +// The request was rejected because of the ConnectionState of the custom key +// store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores +// operation. +// +// This exception is thrown under the following conditions: +// +// * You requested the CreateKey or GenerateRandom operation in a custom +// key store that is not connected. These operations are valid only when +// the custom key store ConnectionState is CONNECTED. +// +// * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation +// on a custom key store that is not disconnected. This operation is valid +// only when the custom key store ConnectionState is DISCONNECTED. +// +// * You requested the ConnectCustomKeyStore operation on a custom key store +// with a ConnectionState of DISCONNECTING or FAILED. This operation is valid +// for all other ConnectionState values. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandom +func (c *KMS) GenerateRandom(input *GenerateRandomInput) (*GenerateRandomOutput, error) { + req, out := c.GenerateRandomRequest(input) + return out, req.Send() +} + +// GenerateRandomWithContext is the same as GenerateRandom with the addition of +// the ability to pass a context and additional request options. +// +// See GenerateRandom for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) GenerateRandomWithContext(ctx aws.Context, input *GenerateRandomInput, opts ...request.Option) (*GenerateRandomOutput, error) { + req, out := c.GenerateRandomRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opGetKeyPolicy = "GetKeyPolicy" + +// GetKeyPolicyRequest generates a "aws/request.Request" representing the +// client's request for the GetKeyPolicy operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See GetKeyPolicy for more information on using the GetKeyPolicy +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the GetKeyPolicyRequest method. +// req, resp := client.GetKeyPolicyRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyPolicy +func (c *KMS) GetKeyPolicyRequest(input *GetKeyPolicyInput) (req *request.Request, output *GetKeyPolicyOutput) { + op := &request.Operation{ + Name: opGetKeyPolicy, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &GetKeyPolicyInput{} + } + + output = &GetKeyPolicyOutput{} + req = c.newRequest(op, input, output) + return +} + +// GetKeyPolicy API operation for AWS Key Management Service. +// +// Gets a key policy attached to the specified customer master key (CMK). +// +// Cross-account use: No. You cannot perform this operation on a CMK in a different +// AWS account. +// +// Required permissions: kms:GetKeyPolicy (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (key policy) +// +// Related operations: PutKeyPolicy +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation GetKeyPolicy for usage and error information. +// +// Returned Error Types: +// * NotFoundException +// The request was rejected because the specified entity or resource could not +// be found. +// +// * InvalidArnException +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * DependencyTimeoutException +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * InvalidStateException +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide . +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyPolicy +func (c *KMS) GetKeyPolicy(input *GetKeyPolicyInput) (*GetKeyPolicyOutput, error) { + req, out := c.GetKeyPolicyRequest(input) + return out, req.Send() +} + +// GetKeyPolicyWithContext is the same as GetKeyPolicy with the addition of +// the ability to pass a context and additional request options. +// +// See GetKeyPolicy for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) GetKeyPolicyWithContext(ctx aws.Context, input *GetKeyPolicyInput, opts ...request.Option) (*GetKeyPolicyOutput, error) { + req, out := c.GetKeyPolicyRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opGetKeyRotationStatus = "GetKeyRotationStatus" + +// GetKeyRotationStatusRequest generates a "aws/request.Request" representing the +// client's request for the GetKeyRotationStatus operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See GetKeyRotationStatus for more information on using the GetKeyRotationStatus +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the GetKeyRotationStatusRequest method. +// req, resp := client.GetKeyRotationStatusRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyRotationStatus +func (c *KMS) GetKeyRotationStatusRequest(input *GetKeyRotationStatusInput) (req *request.Request, output *GetKeyRotationStatusOutput) { + op := &request.Operation{ + Name: opGetKeyRotationStatus, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &GetKeyRotationStatusInput{} + } + + output = &GetKeyRotationStatusOutput{} + req = c.newRequest(op, input, output) + return +} + +// GetKeyRotationStatus API operation for AWS Key Management Service. +// +// Gets a Boolean value that indicates whether automatic rotation of the key +// material (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html) +// is enabled for the specified customer master key (CMK). +// +// You cannot enable automatic rotation of asymmetric CMKs, CMKs with imported +// key material, or CMKs in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html). +// The key rotation status for these CMKs is always false. +// +// The CMK that you use for this operation must be in a compatible key state. +// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// * Disabled: The key rotation status does not change when you disable a +// CMK. However, while the CMK is disabled, AWS KMS does not rotate the backing +// key. +// +// * Pending deletion: While a CMK is pending deletion, its key rotation +// status is false and AWS KMS does not rotate the backing key. If you cancel +// the deletion, the original key rotation status is restored. +// +// Cross-account use: Yes. To perform this operation on a CMK in a different +// AWS account, specify the key ARN in the value of the KeyId parameter. +// +// Required permissions: kms:GetKeyRotationStatus (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (key policy) +// +// Related operations: +// +// * DisableKeyRotation +// +// * EnableKeyRotation +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation GetKeyRotationStatus for usage and error information. +// +// Returned Error Types: +// * NotFoundException +// The request was rejected because the specified entity or resource could not +// be found. +// +// * InvalidArnException +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * DependencyTimeoutException +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * InvalidStateException +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide . +// +// * UnsupportedOperationException +// The request was rejected because a specified parameter is not supported or +// a specified resource is not valid for this operation. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyRotationStatus +func (c *KMS) GetKeyRotationStatus(input *GetKeyRotationStatusInput) (*GetKeyRotationStatusOutput, error) { + req, out := c.GetKeyRotationStatusRequest(input) + return out, req.Send() +} + +// GetKeyRotationStatusWithContext is the same as GetKeyRotationStatus with the addition of +// the ability to pass a context and additional request options. +// +// See GetKeyRotationStatus for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) GetKeyRotationStatusWithContext(ctx aws.Context, input *GetKeyRotationStatusInput, opts ...request.Option) (*GetKeyRotationStatusOutput, error) { + req, out := c.GetKeyRotationStatusRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opGetParametersForImport = "GetParametersForImport" + +// GetParametersForImportRequest generates a "aws/request.Request" representing the +// client's request for the GetParametersForImport operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See GetParametersForImport for more information on using the GetParametersForImport +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the GetParametersForImportRequest method. +// req, resp := client.GetParametersForImportRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetParametersForImport +func (c *KMS) GetParametersForImportRequest(input *GetParametersForImportInput) (req *request.Request, output *GetParametersForImportOutput) { + op := &request.Operation{ + Name: opGetParametersForImport, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &GetParametersForImportInput{} + } + + output = &GetParametersForImportOutput{} + req = c.newRequest(op, input, output) + return +} + +// GetParametersForImport API operation for AWS Key Management Service. +// +// Returns the items you need to import key material into a symmetric, customer +// managed customer master key (CMK). For more information about importing key +// material into AWS KMS, see Importing Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) +// in the AWS Key Management Service Developer Guide. +// +// This operation returns a public key and an import token. Use the public key +// to encrypt the symmetric key material. Store the import token to send with +// a subsequent ImportKeyMaterial request. +// +// You must specify the key ID of the symmetric CMK into which you will import +// key material. This CMK's Origin must be EXTERNAL. You must also specify the +// wrapping algorithm and type of wrapping key (public key) that you will use +// to encrypt the key material. You cannot perform this operation on an asymmetric +// CMK or on any CMK in a different AWS account. +// +// To import key material, you must use the public key and import token from +// the same response. These items are valid for 24 hours. The expiration date +// and time appear in the GetParametersForImport response. You cannot use an +// expired token in an ImportKeyMaterial request. If your key and token expire, +// send another GetParametersForImport request. +// +// The CMK that you use for this operation must be in a compatible key state. +// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Cross-account use: No. You cannot perform this operation on a CMK in a different +// AWS account. +// +// Required permissions: kms:GetParametersForImport (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (key policy) +// +// Related operations: +// +// * ImportKeyMaterial +// +// * DeleteImportedKeyMaterial +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation GetParametersForImport for usage and error information. +// +// Returned Error Types: +// * InvalidArnException +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * UnsupportedOperationException +// The request was rejected because a specified parameter is not supported or +// a specified resource is not valid for this operation. +// +// * DependencyTimeoutException +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * NotFoundException +// The request was rejected because the specified entity or resource could not +// be found. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * InvalidStateException +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide . +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetParametersForImport +func (c *KMS) GetParametersForImport(input *GetParametersForImportInput) (*GetParametersForImportOutput, error) { + req, out := c.GetParametersForImportRequest(input) + return out, req.Send() +} + +// GetParametersForImportWithContext is the same as GetParametersForImport with the addition of +// the ability to pass a context and additional request options. +// +// See GetParametersForImport for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) GetParametersForImportWithContext(ctx aws.Context, input *GetParametersForImportInput, opts ...request.Option) (*GetParametersForImportOutput, error) { + req, out := c.GetParametersForImportRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opGetPublicKey = "GetPublicKey" + +// GetPublicKeyRequest generates a "aws/request.Request" representing the +// client's request for the GetPublicKey operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See GetPublicKey for more information on using the GetPublicKey +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the GetPublicKeyRequest method. +// req, resp := client.GetPublicKeyRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKey +func (c *KMS) GetPublicKeyRequest(input *GetPublicKeyInput) (req *request.Request, output *GetPublicKeyOutput) { + op := &request.Operation{ + Name: opGetPublicKey, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &GetPublicKeyInput{} + } + + output = &GetPublicKeyOutput{} + req = c.newRequest(op, input, output) + return +} + +// GetPublicKey API operation for AWS Key Management Service. +// +// Returns the public key of an asymmetric CMK. Unlike the private key of a +// asymmetric CMK, which never leaves AWS KMS unencrypted, callers with kms:GetPublicKey +// permission can download the public key of an asymmetric CMK. You can share +// the public key to allow others to encrypt messages and verify signatures +// outside of AWS KMS. For information about symmetric and asymmetric CMKs, +// see Using Symmetric and Asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) +// in the AWS Key Management Service Developer Guide. +// +// You do not need to download the public key. Instead, you can use the public +// key within AWS KMS by calling the Encrypt, ReEncrypt, or Verify operations +// with the identifier of an asymmetric CMK. When you use the public key within +// AWS KMS, you benefit from the authentication, authorization, and logging +// that are part of every AWS KMS operation. You also reduce of risk of encrypting +// data that cannot be decrypted. These features are not effective outside of +// AWS KMS. For details, see Special Considerations for Downloading Public Keys +// (https://docs.aws.amazon.com/kms/latest/developerguide/download-public-key.html#download-public-key-considerations). +// +// To help you use the public key safely outside of AWS KMS, GetPublicKey returns +// important information about the public key in the response, including: +// +// * CustomerMasterKeySpec (https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-CustomerMasterKeySpec): +// The type of key material in the public key, such as RSA_4096 or ECC_NIST_P521. +// +// * KeyUsage (https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-KeyUsage): +// Whether the key is used for encryption or signing. +// +// * EncryptionAlgorithms (https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-EncryptionAlgorithms) +// or SigningAlgorithms (https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-SigningAlgorithms): +// A list of the encryption algorithms or the signing algorithms for the +// key. +// +// Although AWS KMS cannot enforce these restrictions on external operations, +// it is crucial that you use this information to prevent the public key from +// being used improperly. For example, you can prevent a public signing key +// from being used encrypt data, or prevent a public key from being used with +// an encryption algorithm that is not supported by AWS KMS. You can also avoid +// errors, such as using the wrong signing algorithm in a verification operation. +// +// The CMK that you use for this operation must be in a compatible key state. +// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Cross-account use: Yes. To perform this operation with a CMK in a different +// AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter. +// +// Required permissions: kms:GetPublicKey (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (key policy) +// +// Related operations: CreateKey +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation GetPublicKey for usage and error information. +// +// Returned Error Types: +// * NotFoundException +// The request was rejected because the specified entity or resource could not +// be found. +// +// * DisabledException +// The request was rejected because the specified CMK is not enabled. +// +// * KeyUnavailableException +// The request was rejected because the specified CMK was not available. You +// can retry the request. +// +// * DependencyTimeoutException +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * UnsupportedOperationException +// The request was rejected because a specified parameter is not supported or +// a specified resource is not valid for this operation. +// +// * InvalidArnException +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * InvalidGrantTokenException +// The request was rejected because the specified grant token is not valid. +// +// * InvalidKeyUsageException +// The request was rejected for one of the following reasons: +// +// * The KeyUsage value of the CMK is incompatible with the API operation. +// +// * The encryption algorithm or signing algorithm specified for the operation +// is incompatible with the type of key material in the CMK (CustomerMasterKeySpec). +// +// For encrypting, decrypting, re-encrypting, and generating data keys, the +// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage +// must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation. +// +// To find the encryption or signing algorithms supported for a particular CMK, +// use the DescribeKey operation. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * InvalidStateException +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide . +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKey +func (c *KMS) GetPublicKey(input *GetPublicKeyInput) (*GetPublicKeyOutput, error) { + req, out := c.GetPublicKeyRequest(input) + return out, req.Send() +} + +// GetPublicKeyWithContext is the same as GetPublicKey with the addition of +// the ability to pass a context and additional request options. +// +// See GetPublicKey for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) GetPublicKeyWithContext(ctx aws.Context, input *GetPublicKeyInput, opts ...request.Option) (*GetPublicKeyOutput, error) { + req, out := c.GetPublicKeyRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opImportKeyMaterial = "ImportKeyMaterial" + +// ImportKeyMaterialRequest generates a "aws/request.Request" representing the +// client's request for the ImportKeyMaterial operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See ImportKeyMaterial for more information on using the ImportKeyMaterial +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the ImportKeyMaterialRequest method. +// req, resp := client.ImportKeyMaterialRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ImportKeyMaterial +func (c *KMS) ImportKeyMaterialRequest(input *ImportKeyMaterialInput) (req *request.Request, output *ImportKeyMaterialOutput) { + op := &request.Operation{ + Name: opImportKeyMaterial, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &ImportKeyMaterialInput{} + } + + output = &ImportKeyMaterialOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// ImportKeyMaterial API operation for AWS Key Management Service. +// +// Imports key material into an existing symmetric AWS KMS customer master key +// (CMK) that was created without key material. After you successfully import +// key material into a CMK, you can reimport the same key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material) +// into that CMK, but you cannot import different key material. +// +// You cannot perform this operation on an asymmetric CMK or on any CMK in a +// different AWS account. For more information about creating CMKs with no key +// material and then importing key material, see Importing Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) +// in the AWS Key Management Service Developer Guide. +// +// Before using this operation, call GetParametersForImport. Its response includes +// a public key and an import token. Use the public key to encrypt the key material. +// Then, submit the import token from the same GetParametersForImport response. +// +// When calling this operation, you must specify the following values: +// +// * The key ID or key ARN of a CMK with no key material. Its Origin must +// be EXTERNAL. To create a CMK with no key material, call CreateKey and +// set the value of its Origin parameter to EXTERNAL. To get the Origin of +// a CMK, call DescribeKey.) +// +// * The encrypted key material. To get the public key to encrypt the key +// material, call GetParametersForImport. +// +// * The import token that GetParametersForImport returned. You must use +// a public key and token from the same GetParametersForImport response. +// +// * Whether the key material expires and if so, when. If you set an expiration +// date, AWS KMS deletes the key material from the CMK on the specified date, +// and the CMK becomes unusable. To use the CMK again, you must reimport +// the same key material. The only way to change an expiration date is by +// reimporting the same key material and specifying a new expiration date. +// +// When this operation is successful, the key state of the CMK changes from +// PendingImport to Enabled, and you can use the CMK. +// +// If this operation fails, use the exception to help determine the problem. +// If the error is related to the key material, the import token, or wrapping +// key, use GetParametersForImport to get a new public key and import token +// for the CMK and repeat the import procedure. For help, see How To Import +// Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#importing-keys-overview) +// in the AWS Key Management Service Developer Guide. +// +// The CMK that you use for this operation must be in a compatible key state. +// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Cross-account use: No. You cannot perform this operation on a CMK in a different +// AWS account. +// +// Required permissions: kms:ImportKeyMaterial (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (key policy) +// +// Related operations: +// +// * DeleteImportedKeyMaterial +// +// * GetParametersForImport +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation ImportKeyMaterial for usage and error information. +// +// Returned Error Types: +// * InvalidArnException +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * UnsupportedOperationException +// The request was rejected because a specified parameter is not supported or +// a specified resource is not valid for this operation. +// +// * DependencyTimeoutException +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * NotFoundException +// The request was rejected because the specified entity or resource could not +// be found. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * InvalidStateException +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide . +// +// * InvalidCiphertextException +// From the Decrypt or ReEncrypt operation, the request was rejected because +// the specified ciphertext, or additional authenticated data incorporated into +// the ciphertext, such as the encryption context, is corrupted, missing, or +// otherwise invalid. +// +// From the ImportKeyMaterial operation, the request was rejected because AWS +// KMS could not decrypt the encrypted (wrapped) key material. +// +// * IncorrectKeyMaterialException +// The request was rejected because the key material in the request is, expired, +// invalid, or is not the same key material that was previously imported into +// this customer master key (CMK). +// +// * ExpiredImportTokenException +// The request was rejected because the specified import token is expired. Use +// GetParametersForImport to get a new import token and public key, use the +// new public key to encrypt the key material, and then try the request again. +// +// * InvalidImportTokenException +// The request was rejected because the provided import token is invalid or +// is associated with a different customer master key (CMK). +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ImportKeyMaterial +func (c *KMS) ImportKeyMaterial(input *ImportKeyMaterialInput) (*ImportKeyMaterialOutput, error) { + req, out := c.ImportKeyMaterialRequest(input) + return out, req.Send() +} + +// ImportKeyMaterialWithContext is the same as ImportKeyMaterial with the addition of +// the ability to pass a context and additional request options. +// +// See ImportKeyMaterial for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) ImportKeyMaterialWithContext(ctx aws.Context, input *ImportKeyMaterialInput, opts ...request.Option) (*ImportKeyMaterialOutput, error) { + req, out := c.ImportKeyMaterialRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opListAliases = "ListAliases" + +// ListAliasesRequest generates a "aws/request.Request" representing the +// client's request for the ListAliases operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See ListAliases for more information on using the ListAliases +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the ListAliasesRequest method. +// req, resp := client.ListAliasesRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListAliases +func (c *KMS) ListAliasesRequest(input *ListAliasesInput) (req *request.Request, output *ListAliasesOutput) { + op := &request.Operation{ + Name: opListAliases, + HTTPMethod: "POST", + HTTPPath: "/", + Paginator: &request.Paginator{ + InputTokens: []string{"Marker"}, + OutputTokens: []string{"NextMarker"}, + LimitToken: "Limit", + TruncationToken: "Truncated", + }, + } + + if input == nil { + input = &ListAliasesInput{} + } + + output = &ListAliasesOutput{} + req = c.newRequest(op, input, output) + return +} + +// ListAliases API operation for AWS Key Management Service. +// +// Gets a list of aliases in the caller's AWS account and region. For more information +// about aliases, see CreateAlias. +// +// By default, the ListAliases operation returns all aliases in the account +// and region. To get only the aliases associated with a particular customer +// master key (CMK), use the KeyId parameter. +// +// The ListAliases response can include aliases that you created and associated +// with your customer managed CMKs, and aliases that AWS created and associated +// with AWS managed CMKs in your account. You can recognize AWS aliases because +// their names have the format aws/, such as aws/dynamodb. +// +// The response might also include aliases that have no TargetKeyId field. These +// are predefined aliases that AWS has created but has not yet associated with +// a CMK. Aliases that AWS creates in your account, including predefined aliases, +// do not count against your AWS KMS aliases quota (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html#aliases-limit). +// +// Cross-account use: No. ListAliases does not return aliases in other AWS accounts. +// +// Required permissions: kms:ListAliases (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (IAM policy) +// +// For details, see Controlling access to aliases (https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access) +// in the AWS Key Management Service Developer Guide. +// +// Related operations: +// +// * CreateAlias +// +// * DeleteAlias +// +// * UpdateAlias +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation ListAliases for usage and error information. +// +// Returned Error Types: +// * DependencyTimeoutException +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * InvalidMarkerException +// The request was rejected because the marker that specifies where pagination +// should next begin is not valid. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * InvalidArnException +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * NotFoundException +// The request was rejected because the specified entity or resource could not +// be found. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListAliases +func (c *KMS) ListAliases(input *ListAliasesInput) (*ListAliasesOutput, error) { + req, out := c.ListAliasesRequest(input) + return out, req.Send() +} + +// ListAliasesWithContext is the same as ListAliases with the addition of +// the ability to pass a context and additional request options. +// +// See ListAliases for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) ListAliasesWithContext(ctx aws.Context, input *ListAliasesInput, opts ...request.Option) (*ListAliasesOutput, error) { + req, out := c.ListAliasesRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +// ListAliasesPages iterates over the pages of a ListAliases operation, +// calling the "fn" function with the response data for each page. To stop +// iterating, return false from the fn function. +// +// See ListAliases method for more information on how to use this operation. +// +// Note: This operation can generate multiple requests to a service. +// +// // Example iterating over at most 3 pages of a ListAliases operation. +// pageNum := 0 +// err := client.ListAliasesPages(params, +// func(page *kms.ListAliasesOutput, lastPage bool) bool { +// pageNum++ +// fmt.Println(page) +// return pageNum <= 3 +// }) +// +func (c *KMS) ListAliasesPages(input *ListAliasesInput, fn func(*ListAliasesOutput, bool) bool) error { + return c.ListAliasesPagesWithContext(aws.BackgroundContext(), input, fn) +} + +// ListAliasesPagesWithContext same as ListAliasesPages except +// it takes a Context and allows setting request options on the pages. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) ListAliasesPagesWithContext(ctx aws.Context, input *ListAliasesInput, fn func(*ListAliasesOutput, bool) bool, opts ...request.Option) error { + p := request.Pagination{ + NewRequest: func() (*request.Request, error) { + var inCpy *ListAliasesInput + if input != nil { + tmp := *input + inCpy = &tmp + } + req, _ := c.ListAliasesRequest(inCpy) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return req, nil + }, + } + + for p.Next() { + if !fn(p.Page().(*ListAliasesOutput), !p.HasNextPage()) { + break + } + } + + return p.Err() +} + +const opListGrants = "ListGrants" + +// ListGrantsRequest generates a "aws/request.Request" representing the +// client's request for the ListGrants operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See ListGrants for more information on using the ListGrants +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the ListGrantsRequest method. +// req, resp := client.ListGrantsRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListGrants +func (c *KMS) ListGrantsRequest(input *ListGrantsInput) (req *request.Request, output *ListGrantsResponse) { + op := &request.Operation{ + Name: opListGrants, + HTTPMethod: "POST", + HTTPPath: "/", + Paginator: &request.Paginator{ + InputTokens: []string{"Marker"}, + OutputTokens: []string{"NextMarker"}, + LimitToken: "Limit", + TruncationToken: "Truncated", + }, + } + + if input == nil { + input = &ListGrantsInput{} + } + + output = &ListGrantsResponse{} + req = c.newRequest(op, input, output) + return +} + +// ListGrants API operation for AWS Key Management Service. +// +// Gets a list of all grants for the specified customer master key (CMK). +// +// You must specify the CMK in all requests. You can filter the grant list by +// grant ID or grantee principal. +// +// The GranteePrincipal field in the ListGrants response usually contains the +// user or role designated as the grantee principal in the grant. However, when +// the grantee principal in the grant is an AWS service, the GranteePrincipal +// field contains the service principal (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services), +// which might represent several different grantee principals. +// +// Cross-account use: Yes. To perform this operation on a CMK in a different +// AWS account, specify the key ARN in the value of the KeyId parameter. +// +// Required permissions: kms:ListGrants (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (key policy) +// +// Related operations: +// +// * CreateGrant +// +// * ListRetirableGrants +// +// * RetireGrant +// +// * RevokeGrant +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation ListGrants for usage and error information. +// +// Returned Error Types: +// * NotFoundException +// The request was rejected because the specified entity or resource could not +// be found. +// +// * DependencyTimeoutException +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * InvalidMarkerException +// The request was rejected because the marker that specifies where pagination +// should next begin is not valid. +// +// * InvalidGrantIdException +// The request was rejected because the specified GrantId is not valid. +// +// * InvalidArnException +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * InvalidStateException +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide . +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListGrants +func (c *KMS) ListGrants(input *ListGrantsInput) (*ListGrantsResponse, error) { + req, out := c.ListGrantsRequest(input) + return out, req.Send() +} + +// ListGrantsWithContext is the same as ListGrants with the addition of +// the ability to pass a context and additional request options. +// +// See ListGrants for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) ListGrantsWithContext(ctx aws.Context, input *ListGrantsInput, opts ...request.Option) (*ListGrantsResponse, error) { + req, out := c.ListGrantsRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +// ListGrantsPages iterates over the pages of a ListGrants operation, +// calling the "fn" function with the response data for each page. To stop +// iterating, return false from the fn function. +// +// See ListGrants method for more information on how to use this operation. +// +// Note: This operation can generate multiple requests to a service. +// +// // Example iterating over at most 3 pages of a ListGrants operation. +// pageNum := 0 +// err := client.ListGrantsPages(params, +// func(page *kms.ListGrantsResponse, lastPage bool) bool { +// pageNum++ +// fmt.Println(page) +// return pageNum <= 3 +// }) +// +func (c *KMS) ListGrantsPages(input *ListGrantsInput, fn func(*ListGrantsResponse, bool) bool) error { + return c.ListGrantsPagesWithContext(aws.BackgroundContext(), input, fn) +} + +// ListGrantsPagesWithContext same as ListGrantsPages except +// it takes a Context and allows setting request options on the pages. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) ListGrantsPagesWithContext(ctx aws.Context, input *ListGrantsInput, fn func(*ListGrantsResponse, bool) bool, opts ...request.Option) error { + p := request.Pagination{ + NewRequest: func() (*request.Request, error) { + var inCpy *ListGrantsInput + if input != nil { + tmp := *input + inCpy = &tmp + } + req, _ := c.ListGrantsRequest(inCpy) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return req, nil + }, + } + + for p.Next() { + if !fn(p.Page().(*ListGrantsResponse), !p.HasNextPage()) { + break + } + } + + return p.Err() +} + +const opListKeyPolicies = "ListKeyPolicies" + +// ListKeyPoliciesRequest generates a "aws/request.Request" representing the +// client's request for the ListKeyPolicies operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See ListKeyPolicies for more information on using the ListKeyPolicies +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the ListKeyPoliciesRequest method. +// req, resp := client.ListKeyPoliciesRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeyPolicies +func (c *KMS) ListKeyPoliciesRequest(input *ListKeyPoliciesInput) (req *request.Request, output *ListKeyPoliciesOutput) { + op := &request.Operation{ + Name: opListKeyPolicies, + HTTPMethod: "POST", + HTTPPath: "/", + Paginator: &request.Paginator{ + InputTokens: []string{"Marker"}, + OutputTokens: []string{"NextMarker"}, + LimitToken: "Limit", + TruncationToken: "Truncated", + }, + } + + if input == nil { + input = &ListKeyPoliciesInput{} + } + + output = &ListKeyPoliciesOutput{} + req = c.newRequest(op, input, output) + return +} + +// ListKeyPolicies API operation for AWS Key Management Service. +// +// Gets the names of the key policies that are attached to a customer master +// key (CMK). This operation is designed to get policy names that you can use +// in a GetKeyPolicy operation. However, the only valid policy name is default. +// +// Cross-account use: No. You cannot perform this operation on a CMK in a different +// AWS account. +// +// Required permissions: kms:ListKeyPolicies (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (key policy) +// +// Related operations: +// +// * GetKeyPolicy +// +// * PutKeyPolicy +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation ListKeyPolicies for usage and error information. +// +// Returned Error Types: +// * NotFoundException +// The request was rejected because the specified entity or resource could not +// be found. +// +// * InvalidArnException +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * DependencyTimeoutException +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * InvalidStateException +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide . +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeyPolicies +func (c *KMS) ListKeyPolicies(input *ListKeyPoliciesInput) (*ListKeyPoliciesOutput, error) { + req, out := c.ListKeyPoliciesRequest(input) + return out, req.Send() +} + +// ListKeyPoliciesWithContext is the same as ListKeyPolicies with the addition of +// the ability to pass a context and additional request options. +// +// See ListKeyPolicies for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) ListKeyPoliciesWithContext(ctx aws.Context, input *ListKeyPoliciesInput, opts ...request.Option) (*ListKeyPoliciesOutput, error) { + req, out := c.ListKeyPoliciesRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +// ListKeyPoliciesPages iterates over the pages of a ListKeyPolicies operation, +// calling the "fn" function with the response data for each page. To stop +// iterating, return false from the fn function. +// +// See ListKeyPolicies method for more information on how to use this operation. +// +// Note: This operation can generate multiple requests to a service. +// +// // Example iterating over at most 3 pages of a ListKeyPolicies operation. +// pageNum := 0 +// err := client.ListKeyPoliciesPages(params, +// func(page *kms.ListKeyPoliciesOutput, lastPage bool) bool { +// pageNum++ +// fmt.Println(page) +// return pageNum <= 3 +// }) +// +func (c *KMS) ListKeyPoliciesPages(input *ListKeyPoliciesInput, fn func(*ListKeyPoliciesOutput, bool) bool) error { + return c.ListKeyPoliciesPagesWithContext(aws.BackgroundContext(), input, fn) +} + +// ListKeyPoliciesPagesWithContext same as ListKeyPoliciesPages except +// it takes a Context and allows setting request options on the pages. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) ListKeyPoliciesPagesWithContext(ctx aws.Context, input *ListKeyPoliciesInput, fn func(*ListKeyPoliciesOutput, bool) bool, opts ...request.Option) error { + p := request.Pagination{ + NewRequest: func() (*request.Request, error) { + var inCpy *ListKeyPoliciesInput + if input != nil { + tmp := *input + inCpy = &tmp + } + req, _ := c.ListKeyPoliciesRequest(inCpy) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return req, nil + }, + } + + for p.Next() { + if !fn(p.Page().(*ListKeyPoliciesOutput), !p.HasNextPage()) { + break + } + } + + return p.Err() +} + +const opListKeys = "ListKeys" + +// ListKeysRequest generates a "aws/request.Request" representing the +// client's request for the ListKeys operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See ListKeys for more information on using the ListKeys +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the ListKeysRequest method. +// req, resp := client.ListKeysRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeys +func (c *KMS) ListKeysRequest(input *ListKeysInput) (req *request.Request, output *ListKeysOutput) { + op := &request.Operation{ + Name: opListKeys, + HTTPMethod: "POST", + HTTPPath: "/", + Paginator: &request.Paginator{ + InputTokens: []string{"Marker"}, + OutputTokens: []string{"NextMarker"}, + LimitToken: "Limit", + TruncationToken: "Truncated", + }, + } + + if input == nil { + input = &ListKeysInput{} + } + + output = &ListKeysOutput{} + req = c.newRequest(op, input, output) + return +} + +// ListKeys API operation for AWS Key Management Service. +// +// Gets a list of all customer master keys (CMKs) in the caller's AWS account +// and Region. +// +// Cross-account use: No. You cannot perform this operation on a CMK in a different +// AWS account. +// +// Required permissions: kms:ListKeys (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (IAM policy) +// +// Related operations: +// +// * CreateKey +// +// * DescribeKey +// +// * ListAliases +// +// * ListResourceTags +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation ListKeys for usage and error information. +// +// Returned Error Types: +// * DependencyTimeoutException +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * InvalidMarkerException +// The request was rejected because the marker that specifies where pagination +// should next begin is not valid. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeys +func (c *KMS) ListKeys(input *ListKeysInput) (*ListKeysOutput, error) { + req, out := c.ListKeysRequest(input) + return out, req.Send() +} + +// ListKeysWithContext is the same as ListKeys with the addition of +// the ability to pass a context and additional request options. +// +// See ListKeys for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) ListKeysWithContext(ctx aws.Context, input *ListKeysInput, opts ...request.Option) (*ListKeysOutput, error) { + req, out := c.ListKeysRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +// ListKeysPages iterates over the pages of a ListKeys operation, +// calling the "fn" function with the response data for each page. To stop +// iterating, return false from the fn function. +// +// See ListKeys method for more information on how to use this operation. +// +// Note: This operation can generate multiple requests to a service. +// +// // Example iterating over at most 3 pages of a ListKeys operation. +// pageNum := 0 +// err := client.ListKeysPages(params, +// func(page *kms.ListKeysOutput, lastPage bool) bool { +// pageNum++ +// fmt.Println(page) +// return pageNum <= 3 +// }) +// +func (c *KMS) ListKeysPages(input *ListKeysInput, fn func(*ListKeysOutput, bool) bool) error { + return c.ListKeysPagesWithContext(aws.BackgroundContext(), input, fn) +} + +// ListKeysPagesWithContext same as ListKeysPages except +// it takes a Context and allows setting request options on the pages. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) ListKeysPagesWithContext(ctx aws.Context, input *ListKeysInput, fn func(*ListKeysOutput, bool) bool, opts ...request.Option) error { + p := request.Pagination{ + NewRequest: func() (*request.Request, error) { + var inCpy *ListKeysInput + if input != nil { + tmp := *input + inCpy = &tmp + } + req, _ := c.ListKeysRequest(inCpy) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return req, nil + }, + } + + for p.Next() { + if !fn(p.Page().(*ListKeysOutput), !p.HasNextPage()) { + break + } + } + + return p.Err() +} + +const opListResourceTags = "ListResourceTags" + +// ListResourceTagsRequest generates a "aws/request.Request" representing the +// client's request for the ListResourceTags operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See ListResourceTags for more information on using the ListResourceTags +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the ListResourceTagsRequest method. +// req, resp := client.ListResourceTagsRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListResourceTags +func (c *KMS) ListResourceTagsRequest(input *ListResourceTagsInput) (req *request.Request, output *ListResourceTagsOutput) { + op := &request.Operation{ + Name: opListResourceTags, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &ListResourceTagsInput{} + } + + output = &ListResourceTagsOutput{} + req = c.newRequest(op, input, output) + return +} + +// ListResourceTags API operation for AWS Key Management Service. +// +// Returns all tags on the specified customer master key (CMK). +// +// For general information about tags, including the format and syntax, see +// Tagging AWS resources (https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) +// in the Amazon Web Services General Reference. For information about using +// tags in AWS KMS, see Tagging keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html). +// +// Cross-account use: No. You cannot perform this operation on a CMK in a different +// AWS account. +// +// Required permissions: kms:ListResourceTags (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (key policy) +// +// Related operations: +// +// * TagResource +// +// * UntagResource +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation ListResourceTags for usage and error information. +// +// Returned Error Types: +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * NotFoundException +// The request was rejected because the specified entity or resource could not +// be found. +// +// * InvalidArnException +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * InvalidMarkerException +// The request was rejected because the marker that specifies where pagination +// should next begin is not valid. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListResourceTags +func (c *KMS) ListResourceTags(input *ListResourceTagsInput) (*ListResourceTagsOutput, error) { + req, out := c.ListResourceTagsRequest(input) + return out, req.Send() +} + +// ListResourceTagsWithContext is the same as ListResourceTags with the addition of +// the ability to pass a context and additional request options. +// +// See ListResourceTags for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) ListResourceTagsWithContext(ctx aws.Context, input *ListResourceTagsInput, opts ...request.Option) (*ListResourceTagsOutput, error) { + req, out := c.ListResourceTagsRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opListRetirableGrants = "ListRetirableGrants" + +// ListRetirableGrantsRequest generates a "aws/request.Request" representing the +// client's request for the ListRetirableGrants operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See ListRetirableGrants for more information on using the ListRetirableGrants +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the ListRetirableGrantsRequest method. +// req, resp := client.ListRetirableGrantsRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListRetirableGrants +func (c *KMS) ListRetirableGrantsRequest(input *ListRetirableGrantsInput) (req *request.Request, output *ListGrantsResponse) { + op := &request.Operation{ + Name: opListRetirableGrants, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &ListRetirableGrantsInput{} + } + + output = &ListGrantsResponse{} + req = c.newRequest(op, input, output) + return +} + +// ListRetirableGrants API operation for AWS Key Management Service. +// +// Returns all grants in which the specified principal is the RetiringPrincipal +// in the grant. +// +// You can specify any principal in your AWS account. The grants that are returned +// include grants for CMKs in your AWS account and other AWS accounts. +// +// You might use this operation to determine which grants you may retire. To +// retire a grant, use the RetireGrant operation. +// +// Cross-account use: You must specify a principal in your AWS account. However, +// this operation can return grants in any AWS account. You do not need kms:ListRetirableGrants +// permission (or any other additional permission) in any AWS account other +// than your own. +// +// Required permissions: kms:ListRetirableGrants (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (IAM policy) in your AWS account. +// +// Related operations: +// +// * CreateGrant +// +// * ListGrants +// +// * RetireGrant +// +// * RevokeGrant +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation ListRetirableGrants for usage and error information. +// +// Returned Error Types: +// * DependencyTimeoutException +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * InvalidMarkerException +// The request was rejected because the marker that specifies where pagination +// should next begin is not valid. +// +// * InvalidArnException +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * NotFoundException +// The request was rejected because the specified entity or resource could not +// be found. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListRetirableGrants +func (c *KMS) ListRetirableGrants(input *ListRetirableGrantsInput) (*ListGrantsResponse, error) { + req, out := c.ListRetirableGrantsRequest(input) + return out, req.Send() +} + +// ListRetirableGrantsWithContext is the same as ListRetirableGrants with the addition of +// the ability to pass a context and additional request options. +// +// See ListRetirableGrants for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) ListRetirableGrantsWithContext(ctx aws.Context, input *ListRetirableGrantsInput, opts ...request.Option) (*ListGrantsResponse, error) { + req, out := c.ListRetirableGrantsRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opPutKeyPolicy = "PutKeyPolicy" + +// PutKeyPolicyRequest generates a "aws/request.Request" representing the +// client's request for the PutKeyPolicy operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See PutKeyPolicy for more information on using the PutKeyPolicy +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the PutKeyPolicyRequest method. +// req, resp := client.PutKeyPolicyRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/PutKeyPolicy +func (c *KMS) PutKeyPolicyRequest(input *PutKeyPolicyInput) (req *request.Request, output *PutKeyPolicyOutput) { + op := &request.Operation{ + Name: opPutKeyPolicy, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &PutKeyPolicyInput{} + } + + output = &PutKeyPolicyOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// PutKeyPolicy API operation for AWS Key Management Service. +// +// Attaches a key policy to the specified customer master key (CMK). +// +// For more information about key policies, see Key Policies (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) +// in the AWS Key Management Service Developer Guide. For help writing and formatting +// a JSON policy document, see the IAM JSON Policy Reference (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) +// in the IAM User Guide . For examples of adding a key policy in multiple programming +// languages, see Setting a key policy (https://docs.aws.amazon.com/kms/latest/developerguide/programming-key-policies.html#put-policy) +// in the AWS Key Management Service Developer Guide. +// +// Cross-account use: No. You cannot perform this operation on a CMK in a different +// AWS account. +// +// Required permissions: kms:PutKeyPolicy (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (key policy) +// +// Related operations: GetKeyPolicy +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation PutKeyPolicy for usage and error information. +// +// Returned Error Types: +// * NotFoundException +// The request was rejected because the specified entity or resource could not +// be found. +// +// * InvalidArnException +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * MalformedPolicyDocumentException +// The request was rejected because the specified policy is not syntactically +// or semantically correct. +// +// * DependencyTimeoutException +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * UnsupportedOperationException +// The request was rejected because a specified parameter is not supported or +// a specified resource is not valid for this operation. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * LimitExceededException +// The request was rejected because a quota was exceeded. For more information, +// see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html) +// in the AWS Key Management Service Developer Guide. +// +// * InvalidStateException +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide . +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/PutKeyPolicy +func (c *KMS) PutKeyPolicy(input *PutKeyPolicyInput) (*PutKeyPolicyOutput, error) { + req, out := c.PutKeyPolicyRequest(input) + return out, req.Send() +} + +// PutKeyPolicyWithContext is the same as PutKeyPolicy with the addition of +// the ability to pass a context and additional request options. +// +// See PutKeyPolicy for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) PutKeyPolicyWithContext(ctx aws.Context, input *PutKeyPolicyInput, opts ...request.Option) (*PutKeyPolicyOutput, error) { + req, out := c.PutKeyPolicyRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opReEncrypt = "ReEncrypt" + +// ReEncryptRequest generates a "aws/request.Request" representing the +// client's request for the ReEncrypt operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See ReEncrypt for more information on using the ReEncrypt +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the ReEncryptRequest method. +// req, resp := client.ReEncryptRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncrypt +func (c *KMS) ReEncryptRequest(input *ReEncryptInput) (req *request.Request, output *ReEncryptOutput) { + op := &request.Operation{ + Name: opReEncrypt, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &ReEncryptInput{} + } + + output = &ReEncryptOutput{} + req = c.newRequest(op, input, output) + return +} + +// ReEncrypt API operation for AWS Key Management Service. +// +// Decrypts ciphertext and then reencrypts it entirely within AWS KMS. You can +// use this operation to change the customer master key (CMK) under which data +// is encrypted, such as when you manually rotate (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually) +// a CMK or change the CMK that protects a ciphertext. You can also use it to +// reencrypt ciphertext under the same CMK, such as to change the encryption +// context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) +// of a ciphertext. +// +// The ReEncrypt operation can decrypt ciphertext that was encrypted by using +// an AWS KMS CMK in an AWS KMS operation, such as Encrypt or GenerateDataKey. +// It can also decrypt ciphertext that was encrypted by using the public key +// of an asymmetric CMK (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks) +// outside of AWS KMS. However, it cannot decrypt ciphertext produced by other +// libraries, such as the AWS Encryption SDK (https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/) +// or Amazon S3 client-side encryption (https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html). +// These libraries return a ciphertext format that is incompatible with AWS +// KMS. +// +// When you use the ReEncrypt operation, you need to provide information for +// the decrypt operation and the subsequent encrypt operation. +// +// * If your ciphertext was encrypted under an asymmetric CMK, you must use +// the SourceKeyId parameter to identify the CMK that encrypted the ciphertext. +// You must also supply the encryption algorithm that was used. This information +// is required to decrypt the data. +// +// * If your ciphertext was encrypted under a symmetric CMK, the SourceKeyId +// parameter is optional. AWS KMS can get this information from metadata +// that it adds to the symmetric ciphertext blob. This feature adds durability +// to your implementation by ensuring that authorized users can decrypt ciphertext +// decades after it was encrypted, even if they've lost track of the CMK +// ID. However, specifying the source CMK is always recommended as a best +// practice. When you use the SourceKeyId parameter to specify a CMK, AWS +// KMS uses only the CMK you specify. If the ciphertext was encrypted under +// a different CMK, the ReEncrypt operation fails. This practice ensures +// that you use the CMK that you intend. +// +// * To reencrypt the data, you must use the DestinationKeyId parameter specify +// the CMK that re-encrypts the data after it is decrypted. You can select +// a symmetric or asymmetric CMK. If the destination CMK is an asymmetric +// CMK, you must also provide the encryption algorithm. The algorithm that +// you choose must be compatible with the CMK. When you use an asymmetric +// CMK to encrypt or reencrypt data, be sure to record the CMK and encryption +// algorithm that you choose. You will be required to provide the same CMK +// and encryption algorithm when you decrypt the data. If the CMK and algorithm +// do not match the values used to encrypt the data, the decrypt operation +// fails. You are not required to supply the CMK ID and encryption algorithm +// when you decrypt with symmetric CMKs because AWS KMS stores this information +// in the ciphertext blob. AWS KMS cannot store metadata in ciphertext generated +// with asymmetric keys. The standard format for asymmetric key ciphertext +// does not include configurable fields. +// +// The CMK that you use for this operation must be in a compatible key state. +// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Cross-account use: Yes. The source CMK and destination CMK can be in different +// AWS accounts. Either or both CMKs can be in a different account than the +// caller. +// +// Required permissions: +// +// * kms:ReEncryptFrom (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// permission on the source CMK (key policy) +// +// * kms:ReEncryptTo (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// permission on the destination CMK (key policy) +// +// To permit reencryption from or to a CMK, include the "kms:ReEncrypt*" permission +// in your key policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html). +// This permission is automatically included in the key policy when you use +// the console to create a CMK. But you must include it manually when you create +// a CMK programmatically or when you use the PutKeyPolicy operation to set +// a key policy. +// +// Related operations: +// +// * Decrypt +// +// * Encrypt +// +// * GenerateDataKey +// +// * GenerateDataKeyPair +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation ReEncrypt for usage and error information. +// +// Returned Error Types: +// * NotFoundException +// The request was rejected because the specified entity or resource could not +// be found. +// +// * DisabledException +// The request was rejected because the specified CMK is not enabled. +// +// * InvalidCiphertextException +// From the Decrypt or ReEncrypt operation, the request was rejected because +// the specified ciphertext, or additional authenticated data incorporated into +// the ciphertext, such as the encryption context, is corrupted, missing, or +// otherwise invalid. +// +// From the ImportKeyMaterial operation, the request was rejected because AWS +// KMS could not decrypt the encrypted (wrapped) key material. +// +// * KeyUnavailableException +// The request was rejected because the specified CMK was not available. You +// can retry the request. +// +// * IncorrectKeyException +// The request was rejected because the specified CMK cannot decrypt the data. +// The KeyId in a Decrypt request and the SourceKeyId in a ReEncrypt request +// must identify the same CMK that was used to encrypt the ciphertext. +// +// * DependencyTimeoutException +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * InvalidKeyUsageException +// The request was rejected for one of the following reasons: +// +// * The KeyUsage value of the CMK is incompatible with the API operation. +// +// * The encryption algorithm or signing algorithm specified for the operation +// is incompatible with the type of key material in the CMK (CustomerMasterKeySpec). +// +// For encrypting, decrypting, re-encrypting, and generating data keys, the +// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage +// must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation. +// +// To find the encryption or signing algorithms supported for a particular CMK, +// use the DescribeKey operation. +// +// * InvalidGrantTokenException +// The request was rejected because the specified grant token is not valid. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * InvalidStateException +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide . +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncrypt +func (c *KMS) ReEncrypt(input *ReEncryptInput) (*ReEncryptOutput, error) { + req, out := c.ReEncryptRequest(input) + return out, req.Send() +} + +// ReEncryptWithContext is the same as ReEncrypt with the addition of +// the ability to pass a context and additional request options. +// +// See ReEncrypt for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) ReEncryptWithContext(ctx aws.Context, input *ReEncryptInput, opts ...request.Option) (*ReEncryptOutput, error) { + req, out := c.ReEncryptRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opRetireGrant = "RetireGrant" + +// RetireGrantRequest generates a "aws/request.Request" representing the +// client's request for the RetireGrant operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See RetireGrant for more information on using the RetireGrant +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the RetireGrantRequest method. +// req, resp := client.RetireGrantRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RetireGrant +func (c *KMS) RetireGrantRequest(input *RetireGrantInput) (req *request.Request, output *RetireGrantOutput) { + op := &request.Operation{ + Name: opRetireGrant, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &RetireGrantInput{} + } + + output = &RetireGrantOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// RetireGrant API operation for AWS Key Management Service. +// +// Retires a grant. To clean up, you can retire a grant when you're done using +// it. You should revoke a grant when you intend to actively deny operations +// that depend on it. The following are permitted to call this API: +// +// * The AWS account (root user) under which the grant was created +// +// * The RetiringPrincipal, if present in the grant +// +// * The GranteePrincipal, if RetireGrant is an operation specified in the +// grant +// +// You must identify the grant to retire by its grant token or by a combination +// of the grant ID and the Amazon Resource Name (ARN) of the customer master +// key (CMK). A grant token is a unique variable-length base64-encoded string. +// A grant ID is a 64 character unique identifier of a grant. The CreateGrant +// operation returns both. +// +// Cross-account use: Yes. You can retire a grant on a CMK in a different AWS +// account. +// +// Required permissions:: Permission to retire a grant is specified in the grant. +// You cannot control access to this operation in a policy. For more information, +// see Using grants (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) +// in the AWS Key Management Service Developer Guide. +// +// Related operations: +// +// * CreateGrant +// +// * ListGrants +// +// * ListRetirableGrants +// +// * RevokeGrant +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation RetireGrant for usage and error information. +// +// Returned Error Types: +// * InvalidArnException +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * InvalidGrantTokenException +// The request was rejected because the specified grant token is not valid. +// +// * InvalidGrantIdException +// The request was rejected because the specified GrantId is not valid. +// +// * NotFoundException +// The request was rejected because the specified entity or resource could not +// be found. +// +// * DependencyTimeoutException +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * InvalidStateException +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide . +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RetireGrant +func (c *KMS) RetireGrant(input *RetireGrantInput) (*RetireGrantOutput, error) { + req, out := c.RetireGrantRequest(input) + return out, req.Send() +} + +// RetireGrantWithContext is the same as RetireGrant with the addition of +// the ability to pass a context and additional request options. +// +// See RetireGrant for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) RetireGrantWithContext(ctx aws.Context, input *RetireGrantInput, opts ...request.Option) (*RetireGrantOutput, error) { + req, out := c.RetireGrantRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opRevokeGrant = "RevokeGrant" + +// RevokeGrantRequest generates a "aws/request.Request" representing the +// client's request for the RevokeGrant operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See RevokeGrant for more information on using the RevokeGrant +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the RevokeGrantRequest method. +// req, resp := client.RevokeGrantRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RevokeGrant +func (c *KMS) RevokeGrantRequest(input *RevokeGrantInput) (req *request.Request, output *RevokeGrantOutput) { + op := &request.Operation{ + Name: opRevokeGrant, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &RevokeGrantInput{} + } + + output = &RevokeGrantOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// RevokeGrant API operation for AWS Key Management Service. +// +// Revokes the specified grant for the specified customer master key (CMK). +// You can revoke a grant to actively deny operations that depend on it. +// +// Cross-account use: Yes. To perform this operation on a CMK in a different +// AWS account, specify the key ARN in the value of the KeyId parameter. +// +// Required permissions: kms:RevokeGrant (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (key policy) +// +// Related operations: +// +// * CreateGrant +// +// * ListGrants +// +// * ListRetirableGrants +// +// * RetireGrant +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation RevokeGrant for usage and error information. +// +// Returned Error Types: +// * NotFoundException +// The request was rejected because the specified entity or resource could not +// be found. +// +// * DependencyTimeoutException +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * InvalidArnException +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * InvalidGrantIdException +// The request was rejected because the specified GrantId is not valid. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * InvalidStateException +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide . +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RevokeGrant +func (c *KMS) RevokeGrant(input *RevokeGrantInput) (*RevokeGrantOutput, error) { + req, out := c.RevokeGrantRequest(input) + return out, req.Send() +} + +// RevokeGrantWithContext is the same as RevokeGrant with the addition of +// the ability to pass a context and additional request options. +// +// See RevokeGrant for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) RevokeGrantWithContext(ctx aws.Context, input *RevokeGrantInput, opts ...request.Option) (*RevokeGrantOutput, error) { + req, out := c.RevokeGrantRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opScheduleKeyDeletion = "ScheduleKeyDeletion" + +// ScheduleKeyDeletionRequest generates a "aws/request.Request" representing the +// client's request for the ScheduleKeyDeletion operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See ScheduleKeyDeletion for more information on using the ScheduleKeyDeletion +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the ScheduleKeyDeletionRequest method. +// req, resp := client.ScheduleKeyDeletionRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ScheduleKeyDeletion +func (c *KMS) ScheduleKeyDeletionRequest(input *ScheduleKeyDeletionInput) (req *request.Request, output *ScheduleKeyDeletionOutput) { + op := &request.Operation{ + Name: opScheduleKeyDeletion, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &ScheduleKeyDeletionInput{} + } + + output = &ScheduleKeyDeletionOutput{} + req = c.newRequest(op, input, output) + return +} + +// ScheduleKeyDeletion API operation for AWS Key Management Service. +// +// Schedules the deletion of a customer master key (CMK). You may provide a +// waiting period, specified in days, before deletion occurs. If you do not +// provide a waiting period, the default period of 30 days is used. When this +// operation is successful, the key state of the CMK changes to PendingDeletion. +// Before the waiting period ends, you can use CancelKeyDeletion to cancel the +// deletion of the CMK. After the waiting period ends, AWS KMS deletes the CMK +// and all AWS KMS data associated with it, including all aliases that refer +// to it. +// +// Deleting a CMK is a destructive and potentially dangerous operation. When +// a CMK is deleted, all data that was encrypted under the CMK is unrecoverable. +// To prevent the use of a CMK without deleting it, use DisableKey. +// +// If you schedule deletion of a CMK from a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html), +// when the waiting period expires, ScheduleKeyDeletion deletes the CMK from +// AWS KMS. Then AWS KMS makes a best effort to delete the key material from +// the associated AWS CloudHSM cluster. However, you might need to manually +// delete the orphaned key material (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key) +// from the cluster and its backups. +// +// For more information about scheduling a CMK for deletion, see Deleting Customer +// Master Keys (https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html) +// in the AWS Key Management Service Developer Guide. +// +// The CMK that you use for this operation must be in a compatible key state. +// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Cross-account use: No. You cannot perform this operation on a CMK in a different +// AWS account. +// +// Required permissions: kms:ScheduleKeyDeletion (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (key policy) +// +// Related operations +// +// * CancelKeyDeletion +// +// * DisableKey +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation ScheduleKeyDeletion for usage and error information. +// +// Returned Error Types: +// * NotFoundException +// The request was rejected because the specified entity or resource could not +// be found. +// +// * InvalidArnException +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * DependencyTimeoutException +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * InvalidStateException +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide . +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ScheduleKeyDeletion +func (c *KMS) ScheduleKeyDeletion(input *ScheduleKeyDeletionInput) (*ScheduleKeyDeletionOutput, error) { + req, out := c.ScheduleKeyDeletionRequest(input) + return out, req.Send() +} + +// ScheduleKeyDeletionWithContext is the same as ScheduleKeyDeletion with the addition of +// the ability to pass a context and additional request options. +// +// See ScheduleKeyDeletion for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) ScheduleKeyDeletionWithContext(ctx aws.Context, input *ScheduleKeyDeletionInput, opts ...request.Option) (*ScheduleKeyDeletionOutput, error) { + req, out := c.ScheduleKeyDeletionRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opSign = "Sign" + +// SignRequest generates a "aws/request.Request" representing the +// client's request for the Sign operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See Sign for more information on using the Sign +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the SignRequest method. +// req, resp := client.SignRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Sign +func (c *KMS) SignRequest(input *SignInput) (req *request.Request, output *SignOutput) { + op := &request.Operation{ + Name: opSign, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &SignInput{} + } + + output = &SignOutput{} + req = c.newRequest(op, input, output) + return +} + +// Sign API operation for AWS Key Management Service. +// +// Creates a digital signature (https://en.wikipedia.org/wiki/Digital_signature) +// for a message or message digest by using the private key in an asymmetric +// CMK. To verify the signature, use the Verify operation, or use the public +// key in the same asymmetric CMK outside of AWS KMS. For information about +// symmetric and asymmetric CMKs, see Using Symmetric and Asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) +// in the AWS Key Management Service Developer Guide. +// +// Digital signatures are generated and verified by using asymmetric key pair, +// such as an RSA or ECC pair that is represented by an asymmetric customer +// master key (CMK). The key owner (or an authorized user) uses their private +// key to sign a message. Anyone with the public key can verify that the message +// was signed with that particular private key and that the message hasn't changed +// since it was signed. +// +// To use the Sign operation, provide the following information: +// +// * Use the KeyId parameter to identify an asymmetric CMK with a KeyUsage +// value of SIGN_VERIFY. To get the KeyUsage value of a CMK, use the DescribeKey +// operation. The caller must have kms:Sign permission on the CMK. +// +// * Use the Message parameter to specify the message or message digest to +// sign. You can submit messages of up to 4096 bytes. To sign a larger message, +// generate a hash digest of the message, and then provide the hash digest +// in the Message parameter. To indicate whether the message is a full message +// or a digest, use the MessageType parameter. +// +// * Choose a signing algorithm that is compatible with the CMK. +// +// When signing a message, be sure to record the CMK and the signing algorithm. +// This information is required to verify the signature. +// +// To verify the signature that this operation generates, use the Verify operation. +// Or use the GetPublicKey operation to download the public key and then use +// the public key to verify the signature outside of AWS KMS. +// +// The CMK that you use for this operation must be in a compatible key state. +// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Cross-account use: Yes. To perform this operation with a CMK in a different +// AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter. +// +// Required permissions: kms:Sign (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (key policy) +// +// Related operations: Verify +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation Sign for usage and error information. +// +// Returned Error Types: +// * NotFoundException +// The request was rejected because the specified entity or resource could not +// be found. +// +// * DisabledException +// The request was rejected because the specified CMK is not enabled. +// +// * KeyUnavailableException +// The request was rejected because the specified CMK was not available. You +// can retry the request. +// +// * DependencyTimeoutException +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * InvalidKeyUsageException +// The request was rejected for one of the following reasons: +// +// * The KeyUsage value of the CMK is incompatible with the API operation. +// +// * The encryption algorithm or signing algorithm specified for the operation +// is incompatible with the type of key material in the CMK (CustomerMasterKeySpec). +// +// For encrypting, decrypting, re-encrypting, and generating data keys, the +// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage +// must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation. +// +// To find the encryption or signing algorithms supported for a particular CMK, +// use the DescribeKey operation. +// +// * InvalidGrantTokenException +// The request was rejected because the specified grant token is not valid. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * InvalidStateException +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide . +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Sign +func (c *KMS) Sign(input *SignInput) (*SignOutput, error) { + req, out := c.SignRequest(input) + return out, req.Send() +} + +// SignWithContext is the same as Sign with the addition of +// the ability to pass a context and additional request options. +// +// See Sign for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) SignWithContext(ctx aws.Context, input *SignInput, opts ...request.Option) (*SignOutput, error) { + req, out := c.SignRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opTagResource = "TagResource" + +// TagResourceRequest generates a "aws/request.Request" representing the +// client's request for the TagResource operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See TagResource for more information on using the TagResource +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the TagResourceRequest method. +// req, resp := client.TagResourceRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/TagResource +func (c *KMS) TagResourceRequest(input *TagResourceInput) (req *request.Request, output *TagResourceOutput) { + op := &request.Operation{ + Name: opTagResource, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &TagResourceInput{} + } + + output = &TagResourceOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// TagResource API operation for AWS Key Management Service. +// +// Adds or edits tags on a customer managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk). +// +// Each tag consists of a tag key and a tag value, both of which are case-sensitive +// strings. The tag value can be an empty (null) string. +// +// To add a tag, specify a new tag key and a tag value. To edit a tag, specify +// an existing tag key and a new tag value. +// +// You can use this operation to tag a customer managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk), +// but you cannot tag an AWS managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk), +// an AWS owned CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk), +// or an alias. +// +// For general information about tags, including the format and syntax, see +// Tagging AWS resources (https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) +// in the Amazon Web Services General Reference. For information about using +// tags in AWS KMS, see Tagging keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html). +// +// The CMK that you use for this operation must be in a compatible key state. +// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Cross-account use: No. You cannot perform this operation on a CMK in a different +// AWS account. +// +// Required permissions: kms:TagResource (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (key policy) +// +// Related operations +// +// * UntagResource +// +// * ListResourceTags +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation TagResource for usage and error information. +// +// Returned Error Types: +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * NotFoundException +// The request was rejected because the specified entity or resource could not +// be found. +// +// * InvalidArnException +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * InvalidStateException +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide . +// +// * LimitExceededException +// The request was rejected because a quota was exceeded. For more information, +// see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html) +// in the AWS Key Management Service Developer Guide. +// +// * TagException +// The request was rejected because one or more tags are not valid. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/TagResource +func (c *KMS) TagResource(input *TagResourceInput) (*TagResourceOutput, error) { + req, out := c.TagResourceRequest(input) + return out, req.Send() +} + +// TagResourceWithContext is the same as TagResource with the addition of +// the ability to pass a context and additional request options. +// +// See TagResource for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) TagResourceWithContext(ctx aws.Context, input *TagResourceInput, opts ...request.Option) (*TagResourceOutput, error) { + req, out := c.TagResourceRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opUntagResource = "UntagResource" + +// UntagResourceRequest generates a "aws/request.Request" representing the +// client's request for the UntagResource operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See UntagResource for more information on using the UntagResource +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the UntagResourceRequest method. +// req, resp := client.UntagResourceRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UntagResource +func (c *KMS) UntagResourceRequest(input *UntagResourceInput) (req *request.Request, output *UntagResourceOutput) { + op := &request.Operation{ + Name: opUntagResource, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &UntagResourceInput{} + } + + output = &UntagResourceOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// UntagResource API operation for AWS Key Management Service. +// +// Deletes tags from a customer managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk). +// To delete a tag, specify the tag key and the CMK. +// +// When it succeeds, the UntagResource operation doesn't return any output. +// Also, if the specified tag key isn't found on the CMK, it doesn't throw an +// exception or return a response. To confirm that the operation worked, use +// the ListResourceTags operation. +// +// For general information about tags, including the format and syntax, see +// Tagging AWS resources (https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) +// in the Amazon Web Services General Reference. For information about using +// tags in AWS KMS, see Tagging keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html). +// +// The CMK that you use for this operation must be in a compatible key state. +// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Cross-account use: No. You cannot perform this operation on a CMK in a different +// AWS account. +// +// Required permissions: kms:UntagResource (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (key policy) +// +// Related operations +// +// * TagResource +// +// * ListResourceTags +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation UntagResource for usage and error information. +// +// Returned Error Types: +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * NotFoundException +// The request was rejected because the specified entity or resource could not +// be found. +// +// * InvalidArnException +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * InvalidStateException +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide . +// +// * TagException +// The request was rejected because one or more tags are not valid. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UntagResource +func (c *KMS) UntagResource(input *UntagResourceInput) (*UntagResourceOutput, error) { + req, out := c.UntagResourceRequest(input) + return out, req.Send() +} + +// UntagResourceWithContext is the same as UntagResource with the addition of +// the ability to pass a context and additional request options. +// +// See UntagResource for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) UntagResourceWithContext(ctx aws.Context, input *UntagResourceInput, opts ...request.Option) (*UntagResourceOutput, error) { + req, out := c.UntagResourceRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opUpdateAlias = "UpdateAlias" + +// UpdateAliasRequest generates a "aws/request.Request" representing the +// client's request for the UpdateAlias operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See UpdateAlias for more information on using the UpdateAlias +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the UpdateAliasRequest method. +// req, resp := client.UpdateAliasRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateAlias +func (c *KMS) UpdateAliasRequest(input *UpdateAliasInput) (req *request.Request, output *UpdateAliasOutput) { + op := &request.Operation{ + Name: opUpdateAlias, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &UpdateAliasInput{} + } + + output = &UpdateAliasOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// UpdateAlias API operation for AWS Key Management Service. +// +// Associates an existing AWS KMS alias with a different customer master key +// (CMK). Each alias is associated with only one CMK at a time, although a CMK +// can have multiple aliases. The alias and the CMK must be in the same AWS +// account and region. +// +// The current and new CMK must be the same type (both symmetric or both asymmetric), +// and they must have the same key usage (ENCRYPT_DECRYPT or SIGN_VERIFY). This +// restriction prevents errors in code that uses aliases. If you must assign +// an alias to a different type of CMK, use DeleteAlias to delete the old alias +// and CreateAlias to create a new alias. +// +// You cannot use UpdateAlias to change an alias name. To change an alias name, +// use DeleteAlias to delete the old alias and CreateAlias to create a new alias. +// +// Because an alias is not a property of a CMK, you can create, update, and +// delete the aliases of a CMK without affecting the CMK. Also, aliases do not +// appear in the response from the DescribeKey operation. To get the aliases +// of all CMKs in the account, use the ListAliases operation. +// +// The CMK that you use for this operation must be in a compatible key state. +// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Cross-account use: No. You cannot perform this operation on a CMK in a different +// AWS account. +// +// Required permissions +// +// * kms:UpdateAlias (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// on the alias (IAM policy). +// +// * kms:UpdateAlias (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// on the current CMK (key policy). +// +// * kms:UpdateAlias (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// on the new CMK (key policy). +// +// For details, see Controlling access to aliases (https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access) +// in the AWS Key Management Service Developer Guide. +// +// Related operations: +// +// * CreateAlias +// +// * DeleteAlias +// +// * ListAliases +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation UpdateAlias for usage and error information. +// +// Returned Error Types: +// * DependencyTimeoutException +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * NotFoundException +// The request was rejected because the specified entity or resource could not +// be found. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * LimitExceededException +// The request was rejected because a quota was exceeded. For more information, +// see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html) +// in the AWS Key Management Service Developer Guide. +// +// * InvalidStateException +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide . +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateAlias +func (c *KMS) UpdateAlias(input *UpdateAliasInput) (*UpdateAliasOutput, error) { + req, out := c.UpdateAliasRequest(input) + return out, req.Send() +} + +// UpdateAliasWithContext is the same as UpdateAlias with the addition of +// the ability to pass a context and additional request options. +// +// See UpdateAlias for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) UpdateAliasWithContext(ctx aws.Context, input *UpdateAliasInput, opts ...request.Option) (*UpdateAliasOutput, error) { + req, out := c.UpdateAliasRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opUpdateCustomKeyStore = "UpdateCustomKeyStore" + +// UpdateCustomKeyStoreRequest generates a "aws/request.Request" representing the +// client's request for the UpdateCustomKeyStore operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See UpdateCustomKeyStore for more information on using the UpdateCustomKeyStore +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the UpdateCustomKeyStoreRequest method. +// req, resp := client.UpdateCustomKeyStoreRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateCustomKeyStore +func (c *KMS) UpdateCustomKeyStoreRequest(input *UpdateCustomKeyStoreInput) (req *request.Request, output *UpdateCustomKeyStoreOutput) { + op := &request.Operation{ + Name: opUpdateCustomKeyStore, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &UpdateCustomKeyStoreInput{} + } + + output = &UpdateCustomKeyStoreOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// UpdateCustomKeyStore API operation for AWS Key Management Service. +// +// Changes the properties of a custom key store. Use the CustomKeyStoreId parameter +// to identify the custom key store you want to edit. Use the remaining parameters +// to change the properties of the custom key store. +// +// You can only update a custom key store that is disconnected. To disconnect +// the custom key store, use DisconnectCustomKeyStore. To reconnect the custom +// key store after the update completes, use ConnectCustomKeyStore. To find +// the connection state of a custom key store, use the DescribeCustomKeyStores +// operation. +// +// Use the parameters of UpdateCustomKeyStore to edit your keystore settings. +// +// * Use the NewCustomKeyStoreName parameter to change the friendly name +// of the custom key store to the value that you specify. +// +// * Use the KeyStorePassword parameter tell AWS KMS the current password +// of the kmsuser crypto user (CU) (https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser) +// in the associated AWS CloudHSM cluster. You can use this parameter to +// fix connection failures (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-password) +// that occur when AWS KMS cannot log into the associated cluster because +// the kmsuser password has changed. This value does not change the password +// in the AWS CloudHSM cluster. +// +// * Use the CloudHsmClusterId parameter to associate the custom key store +// with a different, but related, AWS CloudHSM cluster. You can use this +// parameter to repair a custom key store if its AWS CloudHSM cluster becomes +// corrupted or is deleted, or when you need to create or restore a cluster +// from a backup. +// +// If the operation succeeds, it returns a JSON object with no properties. +// +// This operation is part of the Custom Key Store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) +// feature in AWS KMS, which combines the convenience and extensive integration +// of AWS KMS with the isolation and control of a single-tenant key store. +// +// Cross-account use: No. You cannot perform this operation on a custom key +// store in a different AWS account. +// +// Required permissions: kms:UpdateCustomKeyStore (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (IAM policy) +// +// Related operations: +// +// * ConnectCustomKeyStore +// +// * CreateCustomKeyStore +// +// * DeleteCustomKeyStore +// +// * DescribeCustomKeyStores +// +// * DisconnectCustomKeyStore +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation UpdateCustomKeyStore for usage and error information. +// +// Returned Error Types: +// * CustomKeyStoreNotFoundException +// The request was rejected because AWS KMS cannot find a custom key store with +// the specified key store name or ID. +// +// * CustomKeyStoreNameInUseException +// The request was rejected because the specified custom key store name is already +// assigned to another custom key store in the account. Try again with a custom +// key store name that is unique in the account. +// +// * CloudHsmClusterNotFoundException +// The request was rejected because AWS KMS cannot find the AWS CloudHSM cluster +// with the specified cluster ID. Retry the request with a different cluster +// ID. +// +// * CloudHsmClusterNotRelatedException +// The request was rejected because the specified AWS CloudHSM cluster has a +// different cluster certificate than the original cluster. You cannot use the +// operation to specify an unrelated cluster. +// +// Specify a cluster that shares a backup history with the original cluster. +// This includes clusters that were created from a backup of the current cluster, +// and clusters that were created from the same backup that produced the current +// cluster. +// +// Clusters that share a backup history have the same cluster certificate. To +// view the cluster certificate of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html) +// operation. +// +// * CustomKeyStoreInvalidStateException +// The request was rejected because of the ConnectionState of the custom key +// store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores +// operation. +// +// This exception is thrown under the following conditions: +// +// * You requested the CreateKey or GenerateRandom operation in a custom +// key store that is not connected. These operations are valid only when +// the custom key store ConnectionState is CONNECTED. +// +// * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation +// on a custom key store that is not disconnected. This operation is valid +// only when the custom key store ConnectionState is DISCONNECTED. +// +// * You requested the ConnectCustomKeyStore operation on a custom key store +// with a ConnectionState of DISCONNECTING or FAILED. This operation is valid +// for all other ConnectionState values. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * CloudHsmClusterNotActiveException +// The request was rejected because the AWS CloudHSM cluster that is associated +// with the custom key store is not active. Initialize and activate the cluster +// and try the command again. For detailed instructions, see Getting Started +// (https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html) +// in the AWS CloudHSM User Guide. +// +// * CloudHsmClusterInvalidConfigurationException +// The request was rejected because the associated AWS CloudHSM cluster did +// not meet the configuration requirements for a custom key store. +// +// * The cluster must be configured with private subnets in at least two +// different Availability Zones in the Region. +// +// * The security group for the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) +// (cloudhsm-cluster--sg) must include inbound rules and outbound +// rules that allow TCP traffic on ports 2223-2225. The Source in the inbound +// rules and the Destination in the outbound rules must match the security +// group ID. These rules are set by default when you create the cluster. +// Do not delete or change them. To get information about a particular security +// group, use the DescribeSecurityGroups (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html) +// operation. +// +// * The cluster must contain at least as many HSMs as the operation requires. +// To add HSMs, use the AWS CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html) +// operation. For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey +// operations, the AWS CloudHSM cluster must have at least two active HSMs, +// each in a different Availability Zone. For the ConnectCustomKeyStore operation, +// the AWS CloudHSM must contain at least one active HSM. +// +// For information about the requirements for an AWS CloudHSM cluster that is +// associated with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore) +// in the AWS Key Management Service Developer Guide. For information about +// creating a private subnet for an AWS CloudHSM cluster, see Create a Private +// Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html) +// in the AWS CloudHSM User Guide. For information about cluster security groups, +// see Configure a Default Security Group (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) +// in the AWS CloudHSM User Guide . +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateCustomKeyStore +func (c *KMS) UpdateCustomKeyStore(input *UpdateCustomKeyStoreInput) (*UpdateCustomKeyStoreOutput, error) { + req, out := c.UpdateCustomKeyStoreRequest(input) + return out, req.Send() +} + +// UpdateCustomKeyStoreWithContext is the same as UpdateCustomKeyStore with the addition of +// the ability to pass a context and additional request options. +// +// See UpdateCustomKeyStore for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) UpdateCustomKeyStoreWithContext(ctx aws.Context, input *UpdateCustomKeyStoreInput, opts ...request.Option) (*UpdateCustomKeyStoreOutput, error) { + req, out := c.UpdateCustomKeyStoreRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opUpdateKeyDescription = "UpdateKeyDescription" + +// UpdateKeyDescriptionRequest generates a "aws/request.Request" representing the +// client's request for the UpdateKeyDescription operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See UpdateKeyDescription for more information on using the UpdateKeyDescription +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the UpdateKeyDescriptionRequest method. +// req, resp := client.UpdateKeyDescriptionRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateKeyDescription +func (c *KMS) UpdateKeyDescriptionRequest(input *UpdateKeyDescriptionInput) (req *request.Request, output *UpdateKeyDescriptionOutput) { + op := &request.Operation{ + Name: opUpdateKeyDescription, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &UpdateKeyDescriptionInput{} + } + + output = &UpdateKeyDescriptionOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// UpdateKeyDescription API operation for AWS Key Management Service. +// +// Updates the description of a customer master key (CMK). To see the description +// of a CMK, use DescribeKey. +// +// The CMK that you use for this operation must be in a compatible key state. +// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Cross-account use: No. You cannot perform this operation on a CMK in a different +// AWS account. +// +// Required permissions: kms:UpdateKeyDescription (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (key policy) +// +// Related operations +// +// * CreateKey +// +// * DescribeKey +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation UpdateKeyDescription for usage and error information. +// +// Returned Error Types: +// * NotFoundException +// The request was rejected because the specified entity or resource could not +// be found. +// +// * InvalidArnException +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * DependencyTimeoutException +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * InvalidStateException +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide . +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateKeyDescription +func (c *KMS) UpdateKeyDescription(input *UpdateKeyDescriptionInput) (*UpdateKeyDescriptionOutput, error) { + req, out := c.UpdateKeyDescriptionRequest(input) + return out, req.Send() +} + +// UpdateKeyDescriptionWithContext is the same as UpdateKeyDescription with the addition of +// the ability to pass a context and additional request options. +// +// See UpdateKeyDescription for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) UpdateKeyDescriptionWithContext(ctx aws.Context, input *UpdateKeyDescriptionInput, opts ...request.Option) (*UpdateKeyDescriptionOutput, error) { + req, out := c.UpdateKeyDescriptionRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opVerify = "Verify" + +// VerifyRequest generates a "aws/request.Request" representing the +// client's request for the Verify operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See Verify for more information on using the Verify +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the VerifyRequest method. +// req, resp := client.VerifyRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Verify +func (c *KMS) VerifyRequest(input *VerifyInput) (req *request.Request, output *VerifyOutput) { + op := &request.Operation{ + Name: opVerify, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &VerifyInput{} + } + + output = &VerifyOutput{} + req = c.newRequest(op, input, output) + return +} + +// Verify API operation for AWS Key Management Service. +// +// Verifies a digital signature that was generated by the Sign operation. +// +// Verification confirms that an authorized user signed the message with the +// specified CMK and signing algorithm, and the message hasn't changed since +// it was signed. If the signature is verified, the value of the SignatureValid +// field in the response is True. If the signature verification fails, the Verify +// operation fails with an KMSInvalidSignatureException exception. +// +// A digital signature is generated by using the private key in an asymmetric +// CMK. The signature is verified by using the public key in the same asymmetric +// CMK. For information about symmetric and asymmetric CMKs, see Using Symmetric +// and Asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) +// in the AWS Key Management Service Developer Guide. +// +// To verify a digital signature, you can use the Verify operation. Specify +// the same asymmetric CMK, message, and signing algorithm that were used to +// produce the signature. +// +// You can also verify the digital signature by using the public key of the +// CMK outside of AWS KMS. Use the GetPublicKey operation to download the public +// key in the asymmetric CMK and then use the public key to verify the signature +// outside of AWS KMS. The advantage of using the Verify operation is that it +// is performed within AWS KMS. As a result, it's easy to call, the operation +// is performed within the FIPS boundary, it is logged in AWS CloudTrail, and +// you can use key policy and IAM policy to determine who is authorized to use +// the CMK to verify signatures. +// +// The CMK that you use for this operation must be in a compatible key state. +// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Cross-account use: Yes. To perform this operation with a CMK in a different +// AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter. +// +// Required permissions: kms:Verify (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) +// (key policy) +// +// Related operations: Sign +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation Verify for usage and error information. +// +// Returned Error Types: +// * NotFoundException +// The request was rejected because the specified entity or resource could not +// be found. +// +// * DisabledException +// The request was rejected because the specified CMK is not enabled. +// +// * KeyUnavailableException +// The request was rejected because the specified CMK was not available. You +// can retry the request. +// +// * DependencyTimeoutException +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * InvalidKeyUsageException +// The request was rejected for one of the following reasons: +// +// * The KeyUsage value of the CMK is incompatible with the API operation. +// +// * The encryption algorithm or signing algorithm specified for the operation +// is incompatible with the type of key material in the CMK (CustomerMasterKeySpec). +// +// For encrypting, decrypting, re-encrypting, and generating data keys, the +// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage +// must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation. +// +// To find the encryption or signing algorithms supported for a particular CMK, +// use the DescribeKey operation. +// +// * InvalidGrantTokenException +// The request was rejected because the specified grant token is not valid. +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * InvalidStateException +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide . +// +// * KMSInvalidSignatureException +// The request was rejected because the signature verification failed. Signature +// verification fails when it cannot confirm that signature was produced by +// signing the specified message with the specified CMK and signing algorithm. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Verify +func (c *KMS) Verify(input *VerifyInput) (*VerifyOutput, error) { + req, out := c.VerifyRequest(input) + return out, req.Send() +} + +// VerifyWithContext is the same as Verify with the addition of +// the ability to pass a context and additional request options. +// +// See Verify for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) VerifyWithContext(ctx aws.Context, input *VerifyInput, opts ...request.Option) (*VerifyOutput, error) { + req, out := c.VerifyRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +// Contains information about an alias. +type AliasListEntry struct { + _ struct{} `type:"structure"` + + // String that contains the key ARN. + AliasArn *string `min:"20" type:"string"` + + // String that contains the alias. This value begins with alias/. + AliasName *string `min:"1" type:"string"` + + CreationDate *time.Time `type:"timestamp"` + + LastUpdatedDate *time.Time `type:"timestamp"` + + // String that contains the key identifier referred to by the alias. + TargetKeyId *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s AliasListEntry) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s AliasListEntry) GoString() string { + return s.String() +} + +// SetAliasArn sets the AliasArn field's value. +func (s *AliasListEntry) SetAliasArn(v string) *AliasListEntry { + s.AliasArn = &v + return s +} + +// SetAliasName sets the AliasName field's value. +func (s *AliasListEntry) SetAliasName(v string) *AliasListEntry { + s.AliasName = &v + return s +} + +// SetCreationDate sets the CreationDate field's value. +func (s *AliasListEntry) SetCreationDate(v time.Time) *AliasListEntry { + s.CreationDate = &v + return s +} + +// SetLastUpdatedDate sets the LastUpdatedDate field's value. +func (s *AliasListEntry) SetLastUpdatedDate(v time.Time) *AliasListEntry { + s.LastUpdatedDate = &v + return s +} + +// SetTargetKeyId sets the TargetKeyId field's value. +func (s *AliasListEntry) SetTargetKeyId(v string) *AliasListEntry { + s.TargetKeyId = &v + return s +} + +// The request was rejected because it attempted to create a resource that already +// exists. +type AlreadyExistsException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation +func (s AlreadyExistsException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s AlreadyExistsException) GoString() string { + return s.String() +} + +func newErrorAlreadyExistsException(v protocol.ResponseMetadata) error { + return &AlreadyExistsException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *AlreadyExistsException) Code() string { + return "AlreadyExistsException" +} + +// Message returns the exception's message. +func (s *AlreadyExistsException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *AlreadyExistsException) OrigErr() error { + return nil +} + +func (s *AlreadyExistsException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *AlreadyExistsException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *AlreadyExistsException) RequestID() string { + return s.RespMetadata.RequestID +} + +type CancelKeyDeletionInput struct { + _ struct{} `type:"structure"` + + // The unique identifier for the customer master key (CMK) for which to cancel + // deletion. + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s CancelKeyDeletionInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CancelKeyDeletionInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *CancelKeyDeletionInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "CancelKeyDeletionInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetKeyId sets the KeyId field's value. +func (s *CancelKeyDeletionInput) SetKeyId(v string) *CancelKeyDeletionInput { + s.KeyId = &v + return s +} + +type CancelKeyDeletionOutput struct { + _ struct{} `type:"structure"` + + // The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN)) + // of the CMK whose deletion is canceled. + KeyId *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s CancelKeyDeletionOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CancelKeyDeletionOutput) GoString() string { + return s.String() +} + +// SetKeyId sets the KeyId field's value. +func (s *CancelKeyDeletionOutput) SetKeyId(v string) *CancelKeyDeletionOutput { + s.KeyId = &v + return s +} + +// The request was rejected because the specified AWS CloudHSM cluster is already +// associated with a custom key store or it shares a backup history with a cluster +// that is associated with a custom key store. Each custom key store must be +// associated with a different AWS CloudHSM cluster. +// +// Clusters that share a backup history have the same cluster certificate. To +// view the cluster certificate of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html) +// operation. +type CloudHsmClusterInUseException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation +func (s CloudHsmClusterInUseException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CloudHsmClusterInUseException) GoString() string { + return s.String() +} + +func newErrorCloudHsmClusterInUseException(v protocol.ResponseMetadata) error { + return &CloudHsmClusterInUseException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *CloudHsmClusterInUseException) Code() string { + return "CloudHsmClusterInUseException" +} + +// Message returns the exception's message. +func (s *CloudHsmClusterInUseException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *CloudHsmClusterInUseException) OrigErr() error { + return nil +} + +func (s *CloudHsmClusterInUseException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *CloudHsmClusterInUseException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *CloudHsmClusterInUseException) RequestID() string { + return s.RespMetadata.RequestID +} + +// The request was rejected because the associated AWS CloudHSM cluster did +// not meet the configuration requirements for a custom key store. +// +// * The cluster must be configured with private subnets in at least two +// different Availability Zones in the Region. +// +// * The security group for the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) +// (cloudhsm-cluster--sg) must include inbound rules and outbound +// rules that allow TCP traffic on ports 2223-2225. The Source in the inbound +// rules and the Destination in the outbound rules must match the security +// group ID. These rules are set by default when you create the cluster. +// Do not delete or change them. To get information about a particular security +// group, use the DescribeSecurityGroups (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html) +// operation. +// +// * The cluster must contain at least as many HSMs as the operation requires. +// To add HSMs, use the AWS CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html) +// operation. For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey +// operations, the AWS CloudHSM cluster must have at least two active HSMs, +// each in a different Availability Zone. For the ConnectCustomKeyStore operation, +// the AWS CloudHSM must contain at least one active HSM. +// +// For information about the requirements for an AWS CloudHSM cluster that is +// associated with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore) +// in the AWS Key Management Service Developer Guide. For information about +// creating a private subnet for an AWS CloudHSM cluster, see Create a Private +// Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html) +// in the AWS CloudHSM User Guide. For information about cluster security groups, +// see Configure a Default Security Group (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) +// in the AWS CloudHSM User Guide . +type CloudHsmClusterInvalidConfigurationException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation +func (s CloudHsmClusterInvalidConfigurationException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CloudHsmClusterInvalidConfigurationException) GoString() string { + return s.String() +} + +func newErrorCloudHsmClusterInvalidConfigurationException(v protocol.ResponseMetadata) error { + return &CloudHsmClusterInvalidConfigurationException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *CloudHsmClusterInvalidConfigurationException) Code() string { + return "CloudHsmClusterInvalidConfigurationException" +} + +// Message returns the exception's message. +func (s *CloudHsmClusterInvalidConfigurationException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *CloudHsmClusterInvalidConfigurationException) OrigErr() error { + return nil +} + +func (s *CloudHsmClusterInvalidConfigurationException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *CloudHsmClusterInvalidConfigurationException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *CloudHsmClusterInvalidConfigurationException) RequestID() string { + return s.RespMetadata.RequestID +} + +// The request was rejected because the AWS CloudHSM cluster that is associated +// with the custom key store is not active. Initialize and activate the cluster +// and try the command again. For detailed instructions, see Getting Started +// (https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html) +// in the AWS CloudHSM User Guide. +type CloudHsmClusterNotActiveException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation +func (s CloudHsmClusterNotActiveException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CloudHsmClusterNotActiveException) GoString() string { + return s.String() +} + +func newErrorCloudHsmClusterNotActiveException(v protocol.ResponseMetadata) error { + return &CloudHsmClusterNotActiveException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *CloudHsmClusterNotActiveException) Code() string { + return "CloudHsmClusterNotActiveException" +} + +// Message returns the exception's message. +func (s *CloudHsmClusterNotActiveException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *CloudHsmClusterNotActiveException) OrigErr() error { + return nil +} + +func (s *CloudHsmClusterNotActiveException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *CloudHsmClusterNotActiveException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *CloudHsmClusterNotActiveException) RequestID() string { + return s.RespMetadata.RequestID +} + +// The request was rejected because AWS KMS cannot find the AWS CloudHSM cluster +// with the specified cluster ID. Retry the request with a different cluster +// ID. +type CloudHsmClusterNotFoundException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation +func (s CloudHsmClusterNotFoundException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CloudHsmClusterNotFoundException) GoString() string { + return s.String() +} + +func newErrorCloudHsmClusterNotFoundException(v protocol.ResponseMetadata) error { + return &CloudHsmClusterNotFoundException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *CloudHsmClusterNotFoundException) Code() string { + return "CloudHsmClusterNotFoundException" +} + +// Message returns the exception's message. +func (s *CloudHsmClusterNotFoundException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *CloudHsmClusterNotFoundException) OrigErr() error { + return nil +} + +func (s *CloudHsmClusterNotFoundException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *CloudHsmClusterNotFoundException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *CloudHsmClusterNotFoundException) RequestID() string { + return s.RespMetadata.RequestID +} + +// The request was rejected because the specified AWS CloudHSM cluster has a +// different cluster certificate than the original cluster. You cannot use the +// operation to specify an unrelated cluster. +// +// Specify a cluster that shares a backup history with the original cluster. +// This includes clusters that were created from a backup of the current cluster, +// and clusters that were created from the same backup that produced the current +// cluster. +// +// Clusters that share a backup history have the same cluster certificate. To +// view the cluster certificate of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html) +// operation. +type CloudHsmClusterNotRelatedException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation +func (s CloudHsmClusterNotRelatedException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CloudHsmClusterNotRelatedException) GoString() string { + return s.String() +} + +func newErrorCloudHsmClusterNotRelatedException(v protocol.ResponseMetadata) error { + return &CloudHsmClusterNotRelatedException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *CloudHsmClusterNotRelatedException) Code() string { + return "CloudHsmClusterNotRelatedException" +} + +// Message returns the exception's message. +func (s *CloudHsmClusterNotRelatedException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *CloudHsmClusterNotRelatedException) OrigErr() error { + return nil +} + +func (s *CloudHsmClusterNotRelatedException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *CloudHsmClusterNotRelatedException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *CloudHsmClusterNotRelatedException) RequestID() string { + return s.RespMetadata.RequestID +} + +type ConnectCustomKeyStoreInput struct { + _ struct{} `type:"structure"` + + // Enter the key store ID of the custom key store that you want to connect. + // To find the ID of a custom key store, use the DescribeCustomKeyStores operation. + // + // CustomKeyStoreId is a required field + CustomKeyStoreId *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s ConnectCustomKeyStoreInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ConnectCustomKeyStoreInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *ConnectCustomKeyStoreInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "ConnectCustomKeyStoreInput"} + if s.CustomKeyStoreId == nil { + invalidParams.Add(request.NewErrParamRequired("CustomKeyStoreId")) + } + if s.CustomKeyStoreId != nil && len(*s.CustomKeyStoreId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetCustomKeyStoreId sets the CustomKeyStoreId field's value. +func (s *ConnectCustomKeyStoreInput) SetCustomKeyStoreId(v string) *ConnectCustomKeyStoreInput { + s.CustomKeyStoreId = &v + return s +} + +type ConnectCustomKeyStoreOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s ConnectCustomKeyStoreOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ConnectCustomKeyStoreOutput) GoString() string { + return s.String() +} + +type CreateAliasInput struct { + _ struct{} `type:"structure"` + + // Specifies the alias name. This value must begin with alias/ followed by a + // name, such as alias/ExampleAlias. + // + // The AliasName value must be string of 1-256 characters. It can contain only + // alphanumeric characters, forward slashes (/), underscores (_), and dashes + // (-). The alias name cannot begin with alias/aws/. The alias/aws/ prefix is + // reserved for AWS managed CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk). + // + // AliasName is a required field + AliasName *string `min:"1" type:"string" required:"true"` + + // Associates the alias with the specified customer managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk). + // The CMK must be in the same AWS Region. + // + // A valid CMK ID is required. If you supply a null or empty string value, this + // operation returns an error. + // + // For help finding the key ID and ARN, see Finding the Key ID and ARN (https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html#find-cmk-id-arn) + // in the AWS Key Management Service Developer Guide. + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // TargetKeyId is a required field + TargetKeyId *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s CreateAliasInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CreateAliasInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *CreateAliasInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "CreateAliasInput"} + if s.AliasName == nil { + invalidParams.Add(request.NewErrParamRequired("AliasName")) + } + if s.AliasName != nil && len(*s.AliasName) < 1 { + invalidParams.Add(request.NewErrParamMinLen("AliasName", 1)) + } + if s.TargetKeyId == nil { + invalidParams.Add(request.NewErrParamRequired("TargetKeyId")) + } + if s.TargetKeyId != nil && len(*s.TargetKeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("TargetKeyId", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetAliasName sets the AliasName field's value. +func (s *CreateAliasInput) SetAliasName(v string) *CreateAliasInput { + s.AliasName = &v + return s +} + +// SetTargetKeyId sets the TargetKeyId field's value. +func (s *CreateAliasInput) SetTargetKeyId(v string) *CreateAliasInput { + s.TargetKeyId = &v + return s +} + +type CreateAliasOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s CreateAliasOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CreateAliasOutput) GoString() string { + return s.String() +} + +type CreateCustomKeyStoreInput struct { + _ struct{} `type:"structure"` + + // Identifies the AWS CloudHSM cluster for the custom key store. Enter the cluster + // ID of any active AWS CloudHSM cluster that is not already associated with + // a custom key store. To find the cluster ID, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html) + // operation. + // + // CloudHsmClusterId is a required field + CloudHsmClusterId *string `min:"19" type:"string" required:"true"` + + // Specifies a friendly name for the custom key store. The name must be unique + // in your AWS account. + // + // CustomKeyStoreName is a required field + CustomKeyStoreName *string `min:"1" type:"string" required:"true"` + + // Enter the password of the kmsuser crypto user (CU) account (https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser) + // in the specified AWS CloudHSM cluster. AWS KMS logs into the cluster as this + // user to manage key material on your behalf. + // + // The password must be a string of 7 to 32 characters. Its value is case sensitive. + // + // This parameter tells AWS KMS the kmsuser account password; it does not change + // the password in the AWS CloudHSM cluster. + // + // KeyStorePassword is a required field + KeyStorePassword *string `min:"7" type:"string" required:"true" sensitive:"true"` + + // Enter the content of the trust anchor certificate for the cluster. This is + // the content of the customerCA.crt file that you created when you initialized + // the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html). + // + // TrustAnchorCertificate is a required field + TrustAnchorCertificate *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s CreateCustomKeyStoreInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CreateCustomKeyStoreInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *CreateCustomKeyStoreInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "CreateCustomKeyStoreInput"} + if s.CloudHsmClusterId == nil { + invalidParams.Add(request.NewErrParamRequired("CloudHsmClusterId")) + } + if s.CloudHsmClusterId != nil && len(*s.CloudHsmClusterId) < 19 { + invalidParams.Add(request.NewErrParamMinLen("CloudHsmClusterId", 19)) + } + if s.CustomKeyStoreName == nil { + invalidParams.Add(request.NewErrParamRequired("CustomKeyStoreName")) + } + if s.CustomKeyStoreName != nil && len(*s.CustomKeyStoreName) < 1 { + invalidParams.Add(request.NewErrParamMinLen("CustomKeyStoreName", 1)) + } + if s.KeyStorePassword == nil { + invalidParams.Add(request.NewErrParamRequired("KeyStorePassword")) + } + if s.KeyStorePassword != nil && len(*s.KeyStorePassword) < 7 { + invalidParams.Add(request.NewErrParamMinLen("KeyStorePassword", 7)) + } + if s.TrustAnchorCertificate == nil { + invalidParams.Add(request.NewErrParamRequired("TrustAnchorCertificate")) + } + if s.TrustAnchorCertificate != nil && len(*s.TrustAnchorCertificate) < 1 { + invalidParams.Add(request.NewErrParamMinLen("TrustAnchorCertificate", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetCloudHsmClusterId sets the CloudHsmClusterId field's value. +func (s *CreateCustomKeyStoreInput) SetCloudHsmClusterId(v string) *CreateCustomKeyStoreInput { + s.CloudHsmClusterId = &v + return s +} + +// SetCustomKeyStoreName sets the CustomKeyStoreName field's value. +func (s *CreateCustomKeyStoreInput) SetCustomKeyStoreName(v string) *CreateCustomKeyStoreInput { + s.CustomKeyStoreName = &v + return s +} + +// SetKeyStorePassword sets the KeyStorePassword field's value. +func (s *CreateCustomKeyStoreInput) SetKeyStorePassword(v string) *CreateCustomKeyStoreInput { + s.KeyStorePassword = &v + return s +} + +// SetTrustAnchorCertificate sets the TrustAnchorCertificate field's value. +func (s *CreateCustomKeyStoreInput) SetTrustAnchorCertificate(v string) *CreateCustomKeyStoreInput { + s.TrustAnchorCertificate = &v + return s +} + +type CreateCustomKeyStoreOutput struct { + _ struct{} `type:"structure"` + + // A unique identifier for the new custom key store. + CustomKeyStoreId *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s CreateCustomKeyStoreOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CreateCustomKeyStoreOutput) GoString() string { + return s.String() +} + +// SetCustomKeyStoreId sets the CustomKeyStoreId field's value. +func (s *CreateCustomKeyStoreOutput) SetCustomKeyStoreId(v string) *CreateCustomKeyStoreOutput { + s.CustomKeyStoreId = &v + return s +} + +type CreateGrantInput struct { + _ struct{} `type:"structure"` + + // Allows a cryptographic operation (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) + // only when the encryption context matches or includes the encryption context + // specified in this structure. For more information about encryption context, + // see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) + // in the AWS Key Management Service Developer Guide . + // + // Grant constraints are not applied to operations that do not support an encryption + // context, such as cryptographic operations with asymmetric CMKs and management + // operations, such as DescribeKey or RetireGrant. + Constraints *GrantConstraints `type:"structure"` + + // A list of grant tokens. + // + // For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) + // in the AWS Key Management Service Developer Guide. + GrantTokens []*string `type:"list"` + + // The principal that is given permission to perform the operations that the + // grant permits. + // + // To specify the principal, use the Amazon Resource Name (ARN) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) + // of an AWS principal. Valid AWS principals include AWS accounts (root), IAM + // users, IAM roles, federated users, and assumed role users. For examples of + // the ARN syntax to use for specifying a principal, see AWS Identity and Access + // Management (IAM) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam) + // in the Example ARNs section of the AWS General Reference. + // + // GranteePrincipal is a required field + GranteePrincipal *string `min:"1" type:"string" required:"true"` + + // The unique identifier for the customer master key (CMK) that the grant applies + // to. + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify + // a CMK in a different AWS account, you must use the key ARN. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` + + // A friendly name for the grant. Use this value to prevent the unintended creation + // of duplicate grants when retrying this request. + // + // When this value is absent, all CreateGrant requests result in a new grant + // with a unique GrantId even if all the supplied parameters are identical. + // This can result in unintended duplicates when you retry the CreateGrant request. + // + // When this value is present, you can retry a CreateGrant request with identical + // parameters; if the grant already exists, the original GrantId is returned + // without creating a new grant. Note that the returned grant token is unique + // with every CreateGrant request, even when a duplicate GrantId is returned. + // All grant tokens for the same grant ID can be used interchangeably. + Name *string `min:"1" type:"string"` + + // A list of operations that the grant permits. + // + // Operations is a required field + Operations []*string `type:"list" required:"true"` + + // The principal that is given permission to retire the grant by using RetireGrant + // operation. + // + // To specify the principal, use the Amazon Resource Name (ARN) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) + // of an AWS principal. Valid AWS principals include AWS accounts (root), IAM + // users, federated users, and assumed role users. For examples of the ARN syntax + // to use for specifying a principal, see AWS Identity and Access Management + // (IAM) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam) + // in the Example ARNs section of the AWS General Reference. + RetiringPrincipal *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s CreateGrantInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CreateGrantInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *CreateGrantInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "CreateGrantInput"} + if s.GranteePrincipal == nil { + invalidParams.Add(request.NewErrParamRequired("GranteePrincipal")) + } + if s.GranteePrincipal != nil && len(*s.GranteePrincipal) < 1 { + invalidParams.Add(request.NewErrParamMinLen("GranteePrincipal", 1)) + } + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + if s.Name != nil && len(*s.Name) < 1 { + invalidParams.Add(request.NewErrParamMinLen("Name", 1)) + } + if s.Operations == nil { + invalidParams.Add(request.NewErrParamRequired("Operations")) + } + if s.RetiringPrincipal != nil && len(*s.RetiringPrincipal) < 1 { + invalidParams.Add(request.NewErrParamMinLen("RetiringPrincipal", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetConstraints sets the Constraints field's value. +func (s *CreateGrantInput) SetConstraints(v *GrantConstraints) *CreateGrantInput { + s.Constraints = v + return s +} + +// SetGrantTokens sets the GrantTokens field's value. +func (s *CreateGrantInput) SetGrantTokens(v []*string) *CreateGrantInput { + s.GrantTokens = v + return s +} + +// SetGranteePrincipal sets the GranteePrincipal field's value. +func (s *CreateGrantInput) SetGranteePrincipal(v string) *CreateGrantInput { + s.GranteePrincipal = &v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *CreateGrantInput) SetKeyId(v string) *CreateGrantInput { + s.KeyId = &v + return s +} + +// SetName sets the Name field's value. +func (s *CreateGrantInput) SetName(v string) *CreateGrantInput { + s.Name = &v + return s +} + +// SetOperations sets the Operations field's value. +func (s *CreateGrantInput) SetOperations(v []*string) *CreateGrantInput { + s.Operations = v + return s +} + +// SetRetiringPrincipal sets the RetiringPrincipal field's value. +func (s *CreateGrantInput) SetRetiringPrincipal(v string) *CreateGrantInput { + s.RetiringPrincipal = &v + return s +} + +type CreateGrantOutput struct { + _ struct{} `type:"structure"` + + // The unique identifier for the grant. + // + // You can use the GrantId in a ListGrants, RetireGrant, or RevokeGrant operation. + GrantId *string `min:"1" type:"string"` + + // The grant token. + // + // For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) + // in the AWS Key Management Service Developer Guide. + GrantToken *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s CreateGrantOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CreateGrantOutput) GoString() string { + return s.String() +} + +// SetGrantId sets the GrantId field's value. +func (s *CreateGrantOutput) SetGrantId(v string) *CreateGrantOutput { + s.GrantId = &v + return s +} + +// SetGrantToken sets the GrantToken field's value. +func (s *CreateGrantOutput) SetGrantToken(v string) *CreateGrantOutput { + s.GrantToken = &v + return s +} + +type CreateKeyInput struct { + _ struct{} `type:"structure"` + + // A flag to indicate whether to bypass the key policy lockout safety check. + // + // Setting this value to true increases the risk that the CMK becomes unmanageable. + // Do not set this value to true indiscriminately. + // + // For more information, refer to the scenario in the Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) + // section in the AWS Key Management Service Developer Guide . + // + // Use this parameter only when you include a policy in the request and you + // intend to prevent the principal that is making the request from making a + // subsequent PutKeyPolicy request on the CMK. + // + // The default value is false. + BypassPolicyLockoutSafetyCheck *bool `type:"boolean"` + + // Creates the CMK in the specified custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) + // and the key material in its associated AWS CloudHSM cluster. To create a + // CMK in a custom key store, you must also specify the Origin parameter with + // a value of AWS_CLOUDHSM. The AWS CloudHSM cluster that is associated with + // the custom key store must have at least two active HSMs, each in a different + // Availability Zone in the Region. + // + // This parameter is valid only for symmetric CMKs. You cannot create an asymmetric + // CMK in a custom key store. + // + // To find the ID of a custom key store, use the DescribeCustomKeyStores operation. + // + // The response includes the custom key store ID and the ID of the AWS CloudHSM + // cluster. + // + // This operation is part of the Custom Key Store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) + // feature in AWS KMS, which combines the convenience and extensive integration + // of AWS KMS with the isolation and control of a single-tenant key store. + CustomKeyStoreId *string `min:"1" type:"string"` + + // Specifies the type of CMK to create. The default value, SYMMETRIC_DEFAULT, + // creates a CMK with a 256-bit symmetric key for encryption and decryption. + // For help choosing a key spec for your CMK, see How to Choose Your CMK Configuration + // (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose.html) + // in the AWS Key Management Service Developer Guide. + // + // The CustomerMasterKeySpec determines whether the CMK contains a symmetric + // key or an asymmetric key pair. It also determines the encryption algorithms + // or signing algorithms that the CMK supports. You can't change the CustomerMasterKeySpec + // after the CMK is created. To further restrict the algorithms that can be + // used with the CMK, use a condition key in its key policy or IAM policy. For + // more information, see kms:EncryptionAlgorithm (https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-algorithm) + // or kms:Signing Algorithm (https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithm) + // in the AWS Key Management Service Developer Guide. + // + // AWS services that are integrated with AWS KMS (http://aws.amazon.com/kms/features/#AWS_Service_Integration) + // use symmetric CMKs to protect your data. These services do not support asymmetric + // CMKs. For help determining whether a CMK is symmetric or asymmetric, see + // Identifying Symmetric and Asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/find-symm-asymm.html) + // in the AWS Key Management Service Developer Guide. + // + // AWS KMS supports the following key specs for CMKs: + // + // * Symmetric key (default) SYMMETRIC_DEFAULT (AES-256-GCM) + // + // * Asymmetric RSA key pairs RSA_2048 RSA_3072 RSA_4096 + // + // * Asymmetric NIST-recommended elliptic curve key pairs ECC_NIST_P256 (secp256r1) + // ECC_NIST_P384 (secp384r1) ECC_NIST_P521 (secp521r1) + // + // * Other asymmetric elliptic curve key pairs ECC_SECG_P256K1 (secp256k1), + // commonly used for cryptocurrencies. + CustomerMasterKeySpec *string `type:"string" enum:"CustomerMasterKeySpec"` + + // A description of the CMK. + // + // Use a description that helps you decide whether the CMK is appropriate for + // a task. + Description *string `type:"string"` + + // Determines the cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) + // for which you can use the CMK. The default value is ENCRYPT_DECRYPT. This + // parameter is required only for asymmetric CMKs. You can't change the KeyUsage + // value after the CMK is created. + // + // Select only one valid value. + // + // * For symmetric CMKs, omit the parameter or specify ENCRYPT_DECRYPT. + // + // * For asymmetric CMKs with RSA key material, specify ENCRYPT_DECRYPT or + // SIGN_VERIFY. + // + // * For asymmetric CMKs with ECC key material, specify SIGN_VERIFY. + KeyUsage *string `type:"string" enum:"KeyUsageType"` + + // The source of the key material for the CMK. You cannot change the origin + // after you create the CMK. The default is AWS_KMS, which means AWS KMS creates + // the key material. + // + // When the parameter value is EXTERNAL, AWS KMS creates a CMK without key material + // so that you can import key material from your existing key management infrastructure. + // For more information about importing key material into AWS KMS, see Importing + // Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) + // in the AWS Key Management Service Developer Guide. This value is valid only + // for symmetric CMKs. + // + // When the parameter value is AWS_CLOUDHSM, AWS KMS creates the CMK in an AWS + // KMS custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) + // and creates its key material in the associated AWS CloudHSM cluster. You + // must also use the CustomKeyStoreId parameter to identify the custom key store. + // This value is valid only for symmetric CMKs. + Origin *string `type:"string" enum:"OriginType"` + + // The key policy to attach to the CMK. + // + // If you provide a key policy, it must meet the following criteria: + // + // * If you don't set BypassPolicyLockoutSafetyCheck to true, the key policy + // must allow the principal that is making the CreateKey request to make + // a subsequent PutKeyPolicy request on the CMK. This reduces the risk that + // the CMK becomes unmanageable. For more information, refer to the scenario + // in the Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) + // section of the AWS Key Management Service Developer Guide . + // + // * Each statement in the key policy must contain one or more principals. + // The principals in the key policy must exist and be visible to AWS KMS. + // When you create a new AWS principal (for example, an IAM user or role), + // you might need to enforce a delay before including the new principal in + // a key policy because the new principal might not be immediately visible + // to AWS KMS. For more information, see Changes that I make are not always + // immediately visible (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency) + // in the AWS Identity and Access Management User Guide. + // + // If you do not provide a key policy, AWS KMS attaches a default key policy + // to the CMK. For more information, see Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) + // in the AWS Key Management Service Developer Guide. + // + // The key policy size quota is 32 kilobytes (32768 bytes). + // + // For help writing and formatting a JSON policy document, see the IAM JSON + // Policy Reference (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) + // in the IAM User Guide . + Policy *string `min:"1" type:"string"` + + // One or more tags. Each tag consists of a tag key and a tag value. Both the + // tag key and the tag value are required, but the tag value can be an empty + // (null) string. + // + // When you add tags to an AWS resource, AWS generates a cost allocation report + // with usage and costs aggregated by tags. For information about adding, changing, + // deleting and listing tags for CMKs, see Tagging Keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html). + // + // Use this parameter to tag the CMK when it is created. To add tags to an existing + // CMK, use the TagResource operation. + // + // To use this parameter, you must have kms:TagResource (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) + // permission in an IAM policy. + Tags []*Tag `type:"list"` +} + +// String returns the string representation +func (s CreateKeyInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CreateKeyInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *CreateKeyInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "CreateKeyInput"} + if s.CustomKeyStoreId != nil && len(*s.CustomKeyStoreId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1)) + } + if s.Policy != nil && len(*s.Policy) < 1 { + invalidParams.Add(request.NewErrParamMinLen("Policy", 1)) + } + if s.Tags != nil { + for i, v := range s.Tags { + if v == nil { + continue + } + if err := v.Validate(); err != nil { + invalidParams.AddNested(fmt.Sprintf("%s[%v]", "Tags", i), err.(request.ErrInvalidParams)) + } + } + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetBypassPolicyLockoutSafetyCheck sets the BypassPolicyLockoutSafetyCheck field's value. +func (s *CreateKeyInput) SetBypassPolicyLockoutSafetyCheck(v bool) *CreateKeyInput { + s.BypassPolicyLockoutSafetyCheck = &v + return s +} + +// SetCustomKeyStoreId sets the CustomKeyStoreId field's value. +func (s *CreateKeyInput) SetCustomKeyStoreId(v string) *CreateKeyInput { + s.CustomKeyStoreId = &v + return s +} + +// SetCustomerMasterKeySpec sets the CustomerMasterKeySpec field's value. +func (s *CreateKeyInput) SetCustomerMasterKeySpec(v string) *CreateKeyInput { + s.CustomerMasterKeySpec = &v + return s +} + +// SetDescription sets the Description field's value. +func (s *CreateKeyInput) SetDescription(v string) *CreateKeyInput { + s.Description = &v + return s +} + +// SetKeyUsage sets the KeyUsage field's value. +func (s *CreateKeyInput) SetKeyUsage(v string) *CreateKeyInput { + s.KeyUsage = &v + return s +} + +// SetOrigin sets the Origin field's value. +func (s *CreateKeyInput) SetOrigin(v string) *CreateKeyInput { + s.Origin = &v + return s +} + +// SetPolicy sets the Policy field's value. +func (s *CreateKeyInput) SetPolicy(v string) *CreateKeyInput { + s.Policy = &v + return s +} + +// SetTags sets the Tags field's value. +func (s *CreateKeyInput) SetTags(v []*Tag) *CreateKeyInput { + s.Tags = v + return s +} + +type CreateKeyOutput struct { + _ struct{} `type:"structure"` + + // Metadata associated with the CMK. + KeyMetadata *KeyMetadata `type:"structure"` +} + +// String returns the string representation +func (s CreateKeyOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CreateKeyOutput) GoString() string { + return s.String() +} + +// SetKeyMetadata sets the KeyMetadata field's value. +func (s *CreateKeyOutput) SetKeyMetadata(v *KeyMetadata) *CreateKeyOutput { + s.KeyMetadata = v + return s +} + +// The request was rejected because the custom key store contains AWS KMS customer +// master keys (CMKs). After verifying that you do not need to use the CMKs, +// use the ScheduleKeyDeletion operation to delete the CMKs. After they are +// deleted, you can delete the custom key store. +type CustomKeyStoreHasCMKsException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation +func (s CustomKeyStoreHasCMKsException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CustomKeyStoreHasCMKsException) GoString() string { + return s.String() +} + +func newErrorCustomKeyStoreHasCMKsException(v protocol.ResponseMetadata) error { + return &CustomKeyStoreHasCMKsException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *CustomKeyStoreHasCMKsException) Code() string { + return "CustomKeyStoreHasCMKsException" +} + +// Message returns the exception's message. +func (s *CustomKeyStoreHasCMKsException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *CustomKeyStoreHasCMKsException) OrigErr() error { + return nil +} + +func (s *CustomKeyStoreHasCMKsException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *CustomKeyStoreHasCMKsException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *CustomKeyStoreHasCMKsException) RequestID() string { + return s.RespMetadata.RequestID +} + +// The request was rejected because of the ConnectionState of the custom key +// store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores +// operation. +// +// This exception is thrown under the following conditions: +// +// * You requested the CreateKey or GenerateRandom operation in a custom +// key store that is not connected. These operations are valid only when +// the custom key store ConnectionState is CONNECTED. +// +// * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation +// on a custom key store that is not disconnected. This operation is valid +// only when the custom key store ConnectionState is DISCONNECTED. +// +// * You requested the ConnectCustomKeyStore operation on a custom key store +// with a ConnectionState of DISCONNECTING or FAILED. This operation is valid +// for all other ConnectionState values. +type CustomKeyStoreInvalidStateException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation +func (s CustomKeyStoreInvalidStateException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CustomKeyStoreInvalidStateException) GoString() string { + return s.String() +} + +func newErrorCustomKeyStoreInvalidStateException(v protocol.ResponseMetadata) error { + return &CustomKeyStoreInvalidStateException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *CustomKeyStoreInvalidStateException) Code() string { + return "CustomKeyStoreInvalidStateException" +} + +// Message returns the exception's message. +func (s *CustomKeyStoreInvalidStateException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *CustomKeyStoreInvalidStateException) OrigErr() error { + return nil +} + +func (s *CustomKeyStoreInvalidStateException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *CustomKeyStoreInvalidStateException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *CustomKeyStoreInvalidStateException) RequestID() string { + return s.RespMetadata.RequestID +} + +// The request was rejected because the specified custom key store name is already +// assigned to another custom key store in the account. Try again with a custom +// key store name that is unique in the account. +type CustomKeyStoreNameInUseException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation +func (s CustomKeyStoreNameInUseException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CustomKeyStoreNameInUseException) GoString() string { + return s.String() +} + +func newErrorCustomKeyStoreNameInUseException(v protocol.ResponseMetadata) error { + return &CustomKeyStoreNameInUseException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *CustomKeyStoreNameInUseException) Code() string { + return "CustomKeyStoreNameInUseException" +} + +// Message returns the exception's message. +func (s *CustomKeyStoreNameInUseException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *CustomKeyStoreNameInUseException) OrigErr() error { + return nil +} + +func (s *CustomKeyStoreNameInUseException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *CustomKeyStoreNameInUseException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *CustomKeyStoreNameInUseException) RequestID() string { + return s.RespMetadata.RequestID +} + +// The request was rejected because AWS KMS cannot find a custom key store with +// the specified key store name or ID. +type CustomKeyStoreNotFoundException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation +func (s CustomKeyStoreNotFoundException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CustomKeyStoreNotFoundException) GoString() string { + return s.String() +} + +func newErrorCustomKeyStoreNotFoundException(v protocol.ResponseMetadata) error { + return &CustomKeyStoreNotFoundException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *CustomKeyStoreNotFoundException) Code() string { + return "CustomKeyStoreNotFoundException" +} + +// Message returns the exception's message. +func (s *CustomKeyStoreNotFoundException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *CustomKeyStoreNotFoundException) OrigErr() error { + return nil +} + +func (s *CustomKeyStoreNotFoundException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *CustomKeyStoreNotFoundException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *CustomKeyStoreNotFoundException) RequestID() string { + return s.RespMetadata.RequestID +} + +// Contains information about each custom key store in the custom key store +// list. +type CustomKeyStoresListEntry struct { + _ struct{} `type:"structure"` + + // A unique identifier for the AWS CloudHSM cluster that is associated with + // the custom key store. + CloudHsmClusterId *string `min:"19" type:"string"` + + // Describes the connection error. This field appears in the response only when + // the ConnectionState is FAILED. For help resolving these errors, see How to + // Fix a Connection Failure (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failed) + // in AWS Key Management Service Developer Guide. + // + // Valid values are: + // + // * CLUSTER_NOT_FOUND - AWS KMS cannot find the AWS CloudHSM cluster with + // the specified cluster ID. + // + // * INSUFFICIENT_CLOUDHSM_HSMS - The associated AWS CloudHSM cluster does + // not contain any active HSMs. To connect a custom key store to its AWS + // CloudHSM cluster, the cluster must contain at least one active HSM. + // + // * INTERNAL_ERROR - AWS KMS could not complete the request due to an internal + // error. Retry the request. For ConnectCustomKeyStore requests, disconnect + // the custom key store before trying to connect again. + // + // * INVALID_CREDENTIALS - AWS KMS does not have the correct password for + // the kmsuser crypto user in the AWS CloudHSM cluster. Before you can connect + // your custom key store to its AWS CloudHSM cluster, you must change the + // kmsuser account password and update the key store password value for the + // custom key store. + // + // * NETWORK_ERRORS - Network errors are preventing AWS KMS from connecting + // to the custom key store. + // + // * SUBNET_NOT_FOUND - A subnet in the AWS CloudHSM cluster configuration + // was deleted. If AWS KMS cannot find all of the subnets in the cluster + // configuration, attempts to connect the custom key store to the AWS CloudHSM + // cluster fail. To fix this error, create a cluster from a recent backup + // and associate it with your custom key store. (This process creates a new + // cluster configuration with a VPC and private subnets.) For details, see + // How to Fix a Connection Failure (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failed) + // in the AWS Key Management Service Developer Guide. + // + // * USER_LOCKED_OUT - The kmsuser CU account is locked out of the associated + // AWS CloudHSM cluster due to too many failed password attempts. Before + // you can connect your custom key store to its AWS CloudHSM cluster, you + // must change the kmsuser account password and update the key store password + // value for the custom key store. + // + // * USER_LOGGED_IN - The kmsuser CU account is logged into the the associated + // AWS CloudHSM cluster. This prevents AWS KMS from rotating the kmsuser + // account password and logging into the cluster. Before you can connect + // your custom key store to its AWS CloudHSM cluster, you must log the kmsuser + // CU out of the cluster. If you changed the kmsuser password to log into + // the cluster, you must also and update the key store password value for + // the custom key store. For help, see How to Log Out and Reconnect (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#login-kmsuser-2) + // in the AWS Key Management Service Developer Guide. + // + // * USER_NOT_FOUND - AWS KMS cannot find a kmsuser CU account in the associated + // AWS CloudHSM cluster. Before you can connect your custom key store to + // its AWS CloudHSM cluster, you must create a kmsuser CU account in the + // cluster, and then update the key store password value for the custom key + // store. + ConnectionErrorCode *string `type:"string" enum:"ConnectionErrorCodeType"` + + // Indicates whether the custom key store is connected to its AWS CloudHSM cluster. + // + // You can create and use CMKs in your custom key stores only when its connection + // state is CONNECTED. + // + // The value is DISCONNECTED if the key store has never been connected or you + // use the DisconnectCustomKeyStore operation to disconnect it. If the value + // is CONNECTED but you are having trouble using the custom key store, make + // sure that its associated AWS CloudHSM cluster is active and contains at least + // one active HSM. + // + // A value of FAILED indicates that an attempt to connect was unsuccessful. + // The ConnectionErrorCode field in the response indicates the cause of the + // failure. For help resolving a connection failure, see Troubleshooting a Custom + // Key Store (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html) + // in the AWS Key Management Service Developer Guide. + ConnectionState *string `type:"string" enum:"ConnectionStateType"` + + // The date and time when the custom key store was created. + CreationDate *time.Time `type:"timestamp"` + + // A unique identifier for the custom key store. + CustomKeyStoreId *string `min:"1" type:"string"` + + // The user-specified friendly name for the custom key store. + CustomKeyStoreName *string `min:"1" type:"string"` + + // The trust anchor certificate of the associated AWS CloudHSM cluster. When + // you initialize the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr), + // you create this certificate and save it in the customerCA.crt file. + TrustAnchorCertificate *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s CustomKeyStoresListEntry) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CustomKeyStoresListEntry) GoString() string { + return s.String() +} + +// SetCloudHsmClusterId sets the CloudHsmClusterId field's value. +func (s *CustomKeyStoresListEntry) SetCloudHsmClusterId(v string) *CustomKeyStoresListEntry { + s.CloudHsmClusterId = &v + return s +} + +// SetConnectionErrorCode sets the ConnectionErrorCode field's value. +func (s *CustomKeyStoresListEntry) SetConnectionErrorCode(v string) *CustomKeyStoresListEntry { + s.ConnectionErrorCode = &v + return s +} + +// SetConnectionState sets the ConnectionState field's value. +func (s *CustomKeyStoresListEntry) SetConnectionState(v string) *CustomKeyStoresListEntry { + s.ConnectionState = &v + return s +} + +// SetCreationDate sets the CreationDate field's value. +func (s *CustomKeyStoresListEntry) SetCreationDate(v time.Time) *CustomKeyStoresListEntry { + s.CreationDate = &v + return s +} + +// SetCustomKeyStoreId sets the CustomKeyStoreId field's value. +func (s *CustomKeyStoresListEntry) SetCustomKeyStoreId(v string) *CustomKeyStoresListEntry { + s.CustomKeyStoreId = &v + return s +} + +// SetCustomKeyStoreName sets the CustomKeyStoreName field's value. +func (s *CustomKeyStoresListEntry) SetCustomKeyStoreName(v string) *CustomKeyStoresListEntry { + s.CustomKeyStoreName = &v + return s +} + +// SetTrustAnchorCertificate sets the TrustAnchorCertificate field's value. +func (s *CustomKeyStoresListEntry) SetTrustAnchorCertificate(v string) *CustomKeyStoresListEntry { + s.TrustAnchorCertificate = &v + return s +} + +type DecryptInput struct { + _ struct{} `type:"structure"` + + // Ciphertext to be decrypted. The blob includes metadata. + // + // CiphertextBlob is automatically base64 encoded/decoded by the SDK. + // + // CiphertextBlob is a required field + CiphertextBlob []byte `min:"1" type:"blob" required:"true"` + + // Specifies the encryption algorithm that will be used to decrypt the ciphertext. + // Specify the same algorithm that was used to encrypt the data. If you specify + // a different algorithm, the Decrypt operation fails. + // + // This parameter is required only when the ciphertext was encrypted under an + // asymmetric CMK. The default value, SYMMETRIC_DEFAULT, represents the only + // supported algorithm that is valid for symmetric CMKs. + EncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"` + + // Specifies the encryption context to use when decrypting the data. An encryption + // context is valid only for cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) + // with a symmetric CMK. The standard asymmetric encryption algorithms that + // AWS KMS uses do not support an encryption context. + // + // An encryption context is a collection of non-secret key-value pairs that + // represents additional authenticated data. When you use an encryption context + // to encrypt data, you must specify the same (an exact case-sensitive match) + // encryption context to decrypt the data. An encryption context is optional + // when encrypting with a symmetric CMK, but it is highly recommended. + // + // For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) + // in the AWS Key Management Service Developer Guide. + EncryptionContext map[string]*string `type:"map"` + + // A list of grant tokens. + // + // For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) + // in the AWS Key Management Service Developer Guide. + GrantTokens []*string `type:"list"` + + // Specifies the customer master key (CMK) that AWS KMS uses to decrypt the + // ciphertext. Enter a key ID of the CMK that was used to encrypt the ciphertext. + // + // This parameter is required only when the ciphertext was encrypted under an + // asymmetric CMK. If you used a symmetric CMK, AWS KMS can get the CMK from + // metadata that it adds to the symmetric ciphertext blob. However, it is always + // recommended as a best practice. This practice ensures that you use the CMK + // that you intend. + // + // To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, + // or alias ARN. When using an alias name, prefix it with "alias/". To specify + // a CMK in a different AWS account, you must use the key ARN or alias ARN. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Alias name: alias/ExampleAlias + // + // * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To + // get the alias name and alias ARN, use ListAliases. + KeyId *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s DecryptInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DecryptInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *DecryptInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "DecryptInput"} + if s.CiphertextBlob == nil { + invalidParams.Add(request.NewErrParamRequired("CiphertextBlob")) + } + if s.CiphertextBlob != nil && len(s.CiphertextBlob) < 1 { + invalidParams.Add(request.NewErrParamMinLen("CiphertextBlob", 1)) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetCiphertextBlob sets the CiphertextBlob field's value. +func (s *DecryptInput) SetCiphertextBlob(v []byte) *DecryptInput { + s.CiphertextBlob = v + return s +} + +// SetEncryptionAlgorithm sets the EncryptionAlgorithm field's value. +func (s *DecryptInput) SetEncryptionAlgorithm(v string) *DecryptInput { + s.EncryptionAlgorithm = &v + return s +} + +// SetEncryptionContext sets the EncryptionContext field's value. +func (s *DecryptInput) SetEncryptionContext(v map[string]*string) *DecryptInput { + s.EncryptionContext = v + return s +} + +// SetGrantTokens sets the GrantTokens field's value. +func (s *DecryptInput) SetGrantTokens(v []*string) *DecryptInput { + s.GrantTokens = v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *DecryptInput) SetKeyId(v string) *DecryptInput { + s.KeyId = &v + return s +} + +type DecryptOutput struct { + _ struct{} `type:"structure"` + + // The encryption algorithm that was used to decrypt the ciphertext. + EncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"` + + // The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN)) + // of the CMK that was used to decrypt the ciphertext. + KeyId *string `min:"1" type:"string"` + + // Decrypted plaintext data. When you use the HTTP API or the AWS CLI, the value + // is Base64-encoded. Otherwise, it is not Base64-encoded. + // + // Plaintext is automatically base64 encoded/decoded by the SDK. + Plaintext []byte `min:"1" type:"blob" sensitive:"true"` +} + +// String returns the string representation +func (s DecryptOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DecryptOutput) GoString() string { + return s.String() +} + +// SetEncryptionAlgorithm sets the EncryptionAlgorithm field's value. +func (s *DecryptOutput) SetEncryptionAlgorithm(v string) *DecryptOutput { + s.EncryptionAlgorithm = &v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *DecryptOutput) SetKeyId(v string) *DecryptOutput { + s.KeyId = &v + return s +} + +// SetPlaintext sets the Plaintext field's value. +func (s *DecryptOutput) SetPlaintext(v []byte) *DecryptOutput { + s.Plaintext = v + return s +} + +type DeleteAliasInput struct { + _ struct{} `type:"structure"` + + // The alias to be deleted. The alias name must begin with alias/ followed by + // the alias name, such as alias/ExampleAlias. + // + // AliasName is a required field + AliasName *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s DeleteAliasInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DeleteAliasInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *DeleteAliasInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "DeleteAliasInput"} + if s.AliasName == nil { + invalidParams.Add(request.NewErrParamRequired("AliasName")) + } + if s.AliasName != nil && len(*s.AliasName) < 1 { + invalidParams.Add(request.NewErrParamMinLen("AliasName", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetAliasName sets the AliasName field's value. +func (s *DeleteAliasInput) SetAliasName(v string) *DeleteAliasInput { + s.AliasName = &v + return s +} + +type DeleteAliasOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s DeleteAliasOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DeleteAliasOutput) GoString() string { + return s.String() +} + +type DeleteCustomKeyStoreInput struct { + _ struct{} `type:"structure"` + + // Enter the ID of the custom key store you want to delete. To find the ID of + // a custom key store, use the DescribeCustomKeyStores operation. + // + // CustomKeyStoreId is a required field + CustomKeyStoreId *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s DeleteCustomKeyStoreInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DeleteCustomKeyStoreInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *DeleteCustomKeyStoreInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "DeleteCustomKeyStoreInput"} + if s.CustomKeyStoreId == nil { + invalidParams.Add(request.NewErrParamRequired("CustomKeyStoreId")) + } + if s.CustomKeyStoreId != nil && len(*s.CustomKeyStoreId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetCustomKeyStoreId sets the CustomKeyStoreId field's value. +func (s *DeleteCustomKeyStoreInput) SetCustomKeyStoreId(v string) *DeleteCustomKeyStoreInput { + s.CustomKeyStoreId = &v + return s +} + +type DeleteCustomKeyStoreOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s DeleteCustomKeyStoreOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DeleteCustomKeyStoreOutput) GoString() string { + return s.String() +} + +type DeleteImportedKeyMaterialInput struct { + _ struct{} `type:"structure"` + + // Identifies the CMK from which you are deleting imported key material. The + // Origin of the CMK must be EXTERNAL. + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s DeleteImportedKeyMaterialInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DeleteImportedKeyMaterialInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *DeleteImportedKeyMaterialInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "DeleteImportedKeyMaterialInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetKeyId sets the KeyId field's value. +func (s *DeleteImportedKeyMaterialInput) SetKeyId(v string) *DeleteImportedKeyMaterialInput { + s.KeyId = &v + return s +} + +type DeleteImportedKeyMaterialOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s DeleteImportedKeyMaterialOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DeleteImportedKeyMaterialOutput) GoString() string { + return s.String() +} + +// The system timed out while trying to fulfill the request. The request can +// be retried. +type DependencyTimeoutException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation +func (s DependencyTimeoutException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DependencyTimeoutException) GoString() string { + return s.String() +} + +func newErrorDependencyTimeoutException(v protocol.ResponseMetadata) error { + return &DependencyTimeoutException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *DependencyTimeoutException) Code() string { + return "DependencyTimeoutException" +} + +// Message returns the exception's message. +func (s *DependencyTimeoutException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *DependencyTimeoutException) OrigErr() error { + return nil +} + +func (s *DependencyTimeoutException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *DependencyTimeoutException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *DependencyTimeoutException) RequestID() string { + return s.RespMetadata.RequestID +} + +type DescribeCustomKeyStoresInput struct { + _ struct{} `type:"structure"` + + // Gets only information about the specified custom key store. Enter the key + // store ID. + // + // By default, this operation gets information about all custom key stores in + // the account and region. To limit the output to a particular custom key store, + // you can use either the CustomKeyStoreId or CustomKeyStoreName parameter, + // but not both. + CustomKeyStoreId *string `min:"1" type:"string"` + + // Gets only information about the specified custom key store. Enter the friendly + // name of the custom key store. + // + // By default, this operation gets information about all custom key stores in + // the account and region. To limit the output to a particular custom key store, + // you can use either the CustomKeyStoreId or CustomKeyStoreName parameter, + // but not both. + CustomKeyStoreName *string `min:"1" type:"string"` + + // Use this parameter to specify the maximum number of items to return. When + // this value is present, AWS KMS does not return more than the specified number + // of items, but it might return fewer. + Limit *int64 `min:"1" type:"integer"` + + // Use this parameter in a subsequent request after you receive a response with + // truncated results. Set it to the value of NextMarker from the truncated response + // you just received. + Marker *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s DescribeCustomKeyStoresInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DescribeCustomKeyStoresInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *DescribeCustomKeyStoresInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "DescribeCustomKeyStoresInput"} + if s.CustomKeyStoreId != nil && len(*s.CustomKeyStoreId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1)) + } + if s.CustomKeyStoreName != nil && len(*s.CustomKeyStoreName) < 1 { + invalidParams.Add(request.NewErrParamMinLen("CustomKeyStoreName", 1)) + } + if s.Limit != nil && *s.Limit < 1 { + invalidParams.Add(request.NewErrParamMinValue("Limit", 1)) + } + if s.Marker != nil && len(*s.Marker) < 1 { + invalidParams.Add(request.NewErrParamMinLen("Marker", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetCustomKeyStoreId sets the CustomKeyStoreId field's value. +func (s *DescribeCustomKeyStoresInput) SetCustomKeyStoreId(v string) *DescribeCustomKeyStoresInput { + s.CustomKeyStoreId = &v + return s +} + +// SetCustomKeyStoreName sets the CustomKeyStoreName field's value. +func (s *DescribeCustomKeyStoresInput) SetCustomKeyStoreName(v string) *DescribeCustomKeyStoresInput { + s.CustomKeyStoreName = &v + return s +} + +// SetLimit sets the Limit field's value. +func (s *DescribeCustomKeyStoresInput) SetLimit(v int64) *DescribeCustomKeyStoresInput { + s.Limit = &v + return s +} + +// SetMarker sets the Marker field's value. +func (s *DescribeCustomKeyStoresInput) SetMarker(v string) *DescribeCustomKeyStoresInput { + s.Marker = &v + return s +} + +type DescribeCustomKeyStoresOutput struct { + _ struct{} `type:"structure"` + + // Contains metadata about each custom key store. + CustomKeyStores []*CustomKeyStoresListEntry `type:"list"` + + // When Truncated is true, this element is present and contains the value to + // use for the Marker parameter in a subsequent request. + NextMarker *string `min:"1" type:"string"` + + // A flag that indicates whether there are more items in the list. When this + // value is true, the list in this response is truncated. To get more items, + // pass the value of the NextMarker element in thisresponse to the Marker parameter + // in a subsequent request. + Truncated *bool `type:"boolean"` +} + +// String returns the string representation +func (s DescribeCustomKeyStoresOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DescribeCustomKeyStoresOutput) GoString() string { + return s.String() +} + +// SetCustomKeyStores sets the CustomKeyStores field's value. +func (s *DescribeCustomKeyStoresOutput) SetCustomKeyStores(v []*CustomKeyStoresListEntry) *DescribeCustomKeyStoresOutput { + s.CustomKeyStores = v + return s +} + +// SetNextMarker sets the NextMarker field's value. +func (s *DescribeCustomKeyStoresOutput) SetNextMarker(v string) *DescribeCustomKeyStoresOutput { + s.NextMarker = &v + return s +} + +// SetTruncated sets the Truncated field's value. +func (s *DescribeCustomKeyStoresOutput) SetTruncated(v bool) *DescribeCustomKeyStoresOutput { + s.Truncated = &v + return s +} + +type DescribeKeyInput struct { + _ struct{} `type:"structure"` + + // A list of grant tokens. + // + // For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) + // in the AWS Key Management Service Developer Guide. + GrantTokens []*string `type:"list"` + + // Describes the specified customer master key (CMK). + // + // If you specify a predefined AWS alias (an AWS alias with no key ID), KMS + // associates the alias with an AWS managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys) + // and returns its KeyId and Arn in the response. + // + // To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, + // or alias ARN. When using an alias name, prefix it with "alias/". To specify + // a CMK in a different AWS account, you must use the key ARN or alias ARN. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Alias name: alias/ExampleAlias + // + // * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To + // get the alias name and alias ARN, use ListAliases. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s DescribeKeyInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DescribeKeyInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *DescribeKeyInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "DescribeKeyInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetGrantTokens sets the GrantTokens field's value. +func (s *DescribeKeyInput) SetGrantTokens(v []*string) *DescribeKeyInput { + s.GrantTokens = v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *DescribeKeyInput) SetKeyId(v string) *DescribeKeyInput { + s.KeyId = &v + return s +} + +type DescribeKeyOutput struct { + _ struct{} `type:"structure"` + + // Metadata associated with the key. + KeyMetadata *KeyMetadata `type:"structure"` +} + +// String returns the string representation +func (s DescribeKeyOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DescribeKeyOutput) GoString() string { + return s.String() +} + +// SetKeyMetadata sets the KeyMetadata field's value. +func (s *DescribeKeyOutput) SetKeyMetadata(v *KeyMetadata) *DescribeKeyOutput { + s.KeyMetadata = v + return s +} + +type DisableKeyInput struct { + _ struct{} `type:"structure"` + + // A unique identifier for the customer master key (CMK). + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s DisableKeyInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DisableKeyInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *DisableKeyInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "DisableKeyInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetKeyId sets the KeyId field's value. +func (s *DisableKeyInput) SetKeyId(v string) *DisableKeyInput { + s.KeyId = &v + return s +} + +type DisableKeyOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s DisableKeyOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DisableKeyOutput) GoString() string { + return s.String() +} + +type DisableKeyRotationInput struct { + _ struct{} `type:"structure"` + + // Identifies a symmetric customer master key (CMK). You cannot enable or disable + // automatic rotation of asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html#asymmetric-cmks), + // CMKs with imported key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html), + // or CMKs in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html). + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s DisableKeyRotationInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DisableKeyRotationInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *DisableKeyRotationInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "DisableKeyRotationInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetKeyId sets the KeyId field's value. +func (s *DisableKeyRotationInput) SetKeyId(v string) *DisableKeyRotationInput { + s.KeyId = &v + return s +} + +type DisableKeyRotationOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s DisableKeyRotationOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DisableKeyRotationOutput) GoString() string { + return s.String() +} + +// The request was rejected because the specified CMK is not enabled. +type DisabledException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation +func (s DisabledException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DisabledException) GoString() string { + return s.String() +} + +func newErrorDisabledException(v protocol.ResponseMetadata) error { + return &DisabledException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *DisabledException) Code() string { + return "DisabledException" +} + +// Message returns the exception's message. +func (s *DisabledException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *DisabledException) OrigErr() error { + return nil +} + +func (s *DisabledException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *DisabledException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *DisabledException) RequestID() string { + return s.RespMetadata.RequestID +} + +type DisconnectCustomKeyStoreInput struct { + _ struct{} `type:"structure"` + + // Enter the ID of the custom key store you want to disconnect. To find the + // ID of a custom key store, use the DescribeCustomKeyStores operation. + // + // CustomKeyStoreId is a required field + CustomKeyStoreId *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s DisconnectCustomKeyStoreInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DisconnectCustomKeyStoreInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *DisconnectCustomKeyStoreInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "DisconnectCustomKeyStoreInput"} + if s.CustomKeyStoreId == nil { + invalidParams.Add(request.NewErrParamRequired("CustomKeyStoreId")) + } + if s.CustomKeyStoreId != nil && len(*s.CustomKeyStoreId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetCustomKeyStoreId sets the CustomKeyStoreId field's value. +func (s *DisconnectCustomKeyStoreInput) SetCustomKeyStoreId(v string) *DisconnectCustomKeyStoreInput { + s.CustomKeyStoreId = &v + return s +} + +type DisconnectCustomKeyStoreOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s DisconnectCustomKeyStoreOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DisconnectCustomKeyStoreOutput) GoString() string { + return s.String() +} + +type EnableKeyInput struct { + _ struct{} `type:"structure"` + + // A unique identifier for the customer master key (CMK). + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s EnableKeyInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s EnableKeyInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *EnableKeyInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "EnableKeyInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetKeyId sets the KeyId field's value. +func (s *EnableKeyInput) SetKeyId(v string) *EnableKeyInput { + s.KeyId = &v + return s +} + +type EnableKeyOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s EnableKeyOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s EnableKeyOutput) GoString() string { + return s.String() +} + +type EnableKeyRotationInput struct { + _ struct{} `type:"structure"` + + // Identifies a symmetric customer master key (CMK). You cannot enable automatic + // rotation of asymmetric CMKs, CMKs with imported key material, or CMKs in + // a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html). + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s EnableKeyRotationInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s EnableKeyRotationInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *EnableKeyRotationInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "EnableKeyRotationInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetKeyId sets the KeyId field's value. +func (s *EnableKeyRotationInput) SetKeyId(v string) *EnableKeyRotationInput { + s.KeyId = &v + return s +} + +type EnableKeyRotationOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s EnableKeyRotationOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s EnableKeyRotationOutput) GoString() string { + return s.String() +} + +type EncryptInput struct { + _ struct{} `type:"structure"` + + // Specifies the encryption algorithm that AWS KMS will use to encrypt the plaintext + // message. The algorithm must be compatible with the CMK that you specify. + // + // This parameter is required only for asymmetric CMKs. The default value, SYMMETRIC_DEFAULT, + // is the algorithm used for symmetric CMKs. If you are using an asymmetric + // CMK, we recommend RSAES_OAEP_SHA_256. + EncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"` + + // Specifies the encryption context that will be used to encrypt the data. An + // encryption context is valid only for cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) + // with a symmetric CMK. The standard asymmetric encryption algorithms that + // AWS KMS uses do not support an encryption context. + // + // An encryption context is a collection of non-secret key-value pairs that + // represents additional authenticated data. When you use an encryption context + // to encrypt data, you must specify the same (an exact case-sensitive match) + // encryption context to decrypt the data. An encryption context is optional + // when encrypting with a symmetric CMK, but it is highly recommended. + // + // For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) + // in the AWS Key Management Service Developer Guide. + EncryptionContext map[string]*string `type:"map"` + + // A list of grant tokens. + // + // For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) + // in the AWS Key Management Service Developer Guide. + GrantTokens []*string `type:"list"` + + // A unique identifier for the customer master key (CMK). + // + // To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, + // or alias ARN. When using an alias name, prefix it with "alias/". To specify + // a CMK in a different AWS account, you must use the key ARN or alias ARN. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Alias name: alias/ExampleAlias + // + // * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To + // get the alias name and alias ARN, use ListAliases. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` + + // Data to be encrypted. + // + // Plaintext is automatically base64 encoded/decoded by the SDK. + // + // Plaintext is a required field + Plaintext []byte `min:"1" type:"blob" required:"true" sensitive:"true"` +} + +// String returns the string representation +func (s EncryptInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s EncryptInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *EncryptInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "EncryptInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + if s.Plaintext == nil { + invalidParams.Add(request.NewErrParamRequired("Plaintext")) + } + if s.Plaintext != nil && len(s.Plaintext) < 1 { + invalidParams.Add(request.NewErrParamMinLen("Plaintext", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetEncryptionAlgorithm sets the EncryptionAlgorithm field's value. +func (s *EncryptInput) SetEncryptionAlgorithm(v string) *EncryptInput { + s.EncryptionAlgorithm = &v + return s +} + +// SetEncryptionContext sets the EncryptionContext field's value. +func (s *EncryptInput) SetEncryptionContext(v map[string]*string) *EncryptInput { + s.EncryptionContext = v + return s +} + +// SetGrantTokens sets the GrantTokens field's value. +func (s *EncryptInput) SetGrantTokens(v []*string) *EncryptInput { + s.GrantTokens = v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *EncryptInput) SetKeyId(v string) *EncryptInput { + s.KeyId = &v + return s +} + +// SetPlaintext sets the Plaintext field's value. +func (s *EncryptInput) SetPlaintext(v []byte) *EncryptInput { + s.Plaintext = v + return s +} + +type EncryptOutput struct { + _ struct{} `type:"structure"` + + // The encrypted plaintext. When you use the HTTP API or the AWS CLI, the value + // is Base64-encoded. Otherwise, it is not Base64-encoded. + // + // CiphertextBlob is automatically base64 encoded/decoded by the SDK. + CiphertextBlob []byte `min:"1" type:"blob"` + + // The encryption algorithm that was used to encrypt the plaintext. + EncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"` + + // The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN)) + // of the CMK that was used to encrypt the plaintext. + KeyId *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s EncryptOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s EncryptOutput) GoString() string { + return s.String() +} + +// SetCiphertextBlob sets the CiphertextBlob field's value. +func (s *EncryptOutput) SetCiphertextBlob(v []byte) *EncryptOutput { + s.CiphertextBlob = v + return s +} + +// SetEncryptionAlgorithm sets the EncryptionAlgorithm field's value. +func (s *EncryptOutput) SetEncryptionAlgorithm(v string) *EncryptOutput { + s.EncryptionAlgorithm = &v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *EncryptOutput) SetKeyId(v string) *EncryptOutput { + s.KeyId = &v + return s +} + +// The request was rejected because the specified import token is expired. Use +// GetParametersForImport to get a new import token and public key, use the +// new public key to encrypt the key material, and then try the request again. +type ExpiredImportTokenException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation +func (s ExpiredImportTokenException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ExpiredImportTokenException) GoString() string { + return s.String() +} + +func newErrorExpiredImportTokenException(v protocol.ResponseMetadata) error { + return &ExpiredImportTokenException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *ExpiredImportTokenException) Code() string { + return "ExpiredImportTokenException" +} + +// Message returns the exception's message. +func (s *ExpiredImportTokenException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *ExpiredImportTokenException) OrigErr() error { + return nil +} + +func (s *ExpiredImportTokenException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *ExpiredImportTokenException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *ExpiredImportTokenException) RequestID() string { + return s.RespMetadata.RequestID +} + +type GenerateDataKeyInput struct { + _ struct{} `type:"structure"` + + // Specifies the encryption context that will be used when encrypting the data + // key. + // + // An encryption context is a collection of non-secret key-value pairs that + // represents additional authenticated data. When you use an encryption context + // to encrypt data, you must specify the same (an exact case-sensitive match) + // encryption context to decrypt the data. An encryption context is optional + // when encrypting with a symmetric CMK, but it is highly recommended. + // + // For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) + // in the AWS Key Management Service Developer Guide. + EncryptionContext map[string]*string `type:"map"` + + // A list of grant tokens. + // + // For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) + // in the AWS Key Management Service Developer Guide. + GrantTokens []*string `type:"list"` + + // Identifies the symmetric CMK that encrypts the data key. + // + // To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, + // or alias ARN. When using an alias name, prefix it with "alias/". To specify + // a CMK in a different AWS account, you must use the key ARN or alias ARN. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Alias name: alias/ExampleAlias + // + // * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To + // get the alias name and alias ARN, use ListAliases. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` + + // Specifies the length of the data key. Use AES_128 to generate a 128-bit symmetric + // key, or AES_256 to generate a 256-bit symmetric key. + // + // You must specify either the KeySpec or the NumberOfBytes parameter (but not + // both) in every GenerateDataKey request. + KeySpec *string `type:"string" enum:"DataKeySpec"` + + // Specifies the length of the data key in bytes. For example, use the value + // 64 to generate a 512-bit data key (64 bytes is 512 bits). For 128-bit (16-byte) + // and 256-bit (32-byte) data keys, use the KeySpec parameter. + // + // You must specify either the KeySpec or the NumberOfBytes parameter (but not + // both) in every GenerateDataKey request. + NumberOfBytes *int64 `min:"1" type:"integer"` +} + +// String returns the string representation +func (s GenerateDataKeyInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GenerateDataKeyInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *GenerateDataKeyInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "GenerateDataKeyInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + if s.NumberOfBytes != nil && *s.NumberOfBytes < 1 { + invalidParams.Add(request.NewErrParamMinValue("NumberOfBytes", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetEncryptionContext sets the EncryptionContext field's value. +func (s *GenerateDataKeyInput) SetEncryptionContext(v map[string]*string) *GenerateDataKeyInput { + s.EncryptionContext = v + return s +} + +// SetGrantTokens sets the GrantTokens field's value. +func (s *GenerateDataKeyInput) SetGrantTokens(v []*string) *GenerateDataKeyInput { + s.GrantTokens = v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *GenerateDataKeyInput) SetKeyId(v string) *GenerateDataKeyInput { + s.KeyId = &v + return s +} + +// SetKeySpec sets the KeySpec field's value. +func (s *GenerateDataKeyInput) SetKeySpec(v string) *GenerateDataKeyInput { + s.KeySpec = &v + return s +} + +// SetNumberOfBytes sets the NumberOfBytes field's value. +func (s *GenerateDataKeyInput) SetNumberOfBytes(v int64) *GenerateDataKeyInput { + s.NumberOfBytes = &v + return s +} + +type GenerateDataKeyOutput struct { + _ struct{} `type:"structure"` + + // The encrypted copy of the data key. When you use the HTTP API or the AWS + // CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded. + // + // CiphertextBlob is automatically base64 encoded/decoded by the SDK. + CiphertextBlob []byte `min:"1" type:"blob"` + + // The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN)) + // of the CMK that encrypted the data key. + KeyId *string `min:"1" type:"string"` + + // The plaintext data key. When you use the HTTP API or the AWS CLI, the value + // is Base64-encoded. Otherwise, it is not Base64-encoded. Use this data key + // to encrypt your data outside of KMS. Then, remove it from memory as soon + // as possible. + // + // Plaintext is automatically base64 encoded/decoded by the SDK. + Plaintext []byte `min:"1" type:"blob" sensitive:"true"` +} + +// String returns the string representation +func (s GenerateDataKeyOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GenerateDataKeyOutput) GoString() string { + return s.String() +} + +// SetCiphertextBlob sets the CiphertextBlob field's value. +func (s *GenerateDataKeyOutput) SetCiphertextBlob(v []byte) *GenerateDataKeyOutput { + s.CiphertextBlob = v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *GenerateDataKeyOutput) SetKeyId(v string) *GenerateDataKeyOutput { + s.KeyId = &v + return s +} + +// SetPlaintext sets the Plaintext field's value. +func (s *GenerateDataKeyOutput) SetPlaintext(v []byte) *GenerateDataKeyOutput { + s.Plaintext = v + return s +} + +type GenerateDataKeyPairInput struct { + _ struct{} `type:"structure"` + + // Specifies the encryption context that will be used when encrypting the private + // key in the data key pair. + // + // An encryption context is a collection of non-secret key-value pairs that + // represents additional authenticated data. When you use an encryption context + // to encrypt data, you must specify the same (an exact case-sensitive match) + // encryption context to decrypt the data. An encryption context is optional + // when encrypting with a symmetric CMK, but it is highly recommended. + // + // For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) + // in the AWS Key Management Service Developer Guide. + EncryptionContext map[string]*string `type:"map"` + + // A list of grant tokens. + // + // For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) + // in the AWS Key Management Service Developer Guide. + GrantTokens []*string `type:"list"` + + // Specifies the symmetric CMK that encrypts the private key in the data key + // pair. You cannot specify an asymmetric CMK or a CMK in a custom key store. + // To get the type and origin of your CMK, use the DescribeKey operation. + // + // To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, + // or alias ARN. When using an alias name, prefix it with "alias/". To specify + // a CMK in a different AWS account, you must use the key ARN or alias ARN. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Alias name: alias/ExampleAlias + // + // * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To + // get the alias name and alias ARN, use ListAliases. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` + + // Determines the type of data key pair that is generated. + // + // The AWS KMS rule that restricts the use of asymmetric RSA CMKs to encrypt + // and decrypt or to sign and verify (but not both), and the rule that permits + // you to use ECC CMKs only to sign and verify, are not effective outside of + // AWS KMS. + // + // KeyPairSpec is a required field + KeyPairSpec *string `type:"string" required:"true" enum:"DataKeyPairSpec"` +} + +// String returns the string representation +func (s GenerateDataKeyPairInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GenerateDataKeyPairInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *GenerateDataKeyPairInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "GenerateDataKeyPairInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + if s.KeyPairSpec == nil { + invalidParams.Add(request.NewErrParamRequired("KeyPairSpec")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetEncryptionContext sets the EncryptionContext field's value. +func (s *GenerateDataKeyPairInput) SetEncryptionContext(v map[string]*string) *GenerateDataKeyPairInput { + s.EncryptionContext = v + return s +} + +// SetGrantTokens sets the GrantTokens field's value. +func (s *GenerateDataKeyPairInput) SetGrantTokens(v []*string) *GenerateDataKeyPairInput { + s.GrantTokens = v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *GenerateDataKeyPairInput) SetKeyId(v string) *GenerateDataKeyPairInput { + s.KeyId = &v + return s +} + +// SetKeyPairSpec sets the KeyPairSpec field's value. +func (s *GenerateDataKeyPairInput) SetKeyPairSpec(v string) *GenerateDataKeyPairInput { + s.KeyPairSpec = &v + return s +} + +type GenerateDataKeyPairOutput struct { + _ struct{} `type:"structure"` + + // The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN)) + // of the CMK that encrypted the private key. + KeyId *string `min:"1" type:"string"` + + // The type of data key pair that was generated. + KeyPairSpec *string `type:"string" enum:"DataKeyPairSpec"` + + // The encrypted copy of the private key. When you use the HTTP API or the AWS + // CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded. + // + // PrivateKeyCiphertextBlob is automatically base64 encoded/decoded by the SDK. + PrivateKeyCiphertextBlob []byte `min:"1" type:"blob"` + + // The plaintext copy of the private key. When you use the HTTP API or the AWS + // CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded. + // + // PrivateKeyPlaintext is automatically base64 encoded/decoded by the SDK. + PrivateKeyPlaintext []byte `min:"1" type:"blob" sensitive:"true"` + + // The public key (in plaintext). + // + // PublicKey is automatically base64 encoded/decoded by the SDK. + PublicKey []byte `min:"1" type:"blob"` +} + +// String returns the string representation +func (s GenerateDataKeyPairOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GenerateDataKeyPairOutput) GoString() string { + return s.String() +} + +// SetKeyId sets the KeyId field's value. +func (s *GenerateDataKeyPairOutput) SetKeyId(v string) *GenerateDataKeyPairOutput { + s.KeyId = &v + return s +} + +// SetKeyPairSpec sets the KeyPairSpec field's value. +func (s *GenerateDataKeyPairOutput) SetKeyPairSpec(v string) *GenerateDataKeyPairOutput { + s.KeyPairSpec = &v + return s +} + +// SetPrivateKeyCiphertextBlob sets the PrivateKeyCiphertextBlob field's value. +func (s *GenerateDataKeyPairOutput) SetPrivateKeyCiphertextBlob(v []byte) *GenerateDataKeyPairOutput { + s.PrivateKeyCiphertextBlob = v + return s +} + +// SetPrivateKeyPlaintext sets the PrivateKeyPlaintext field's value. +func (s *GenerateDataKeyPairOutput) SetPrivateKeyPlaintext(v []byte) *GenerateDataKeyPairOutput { + s.PrivateKeyPlaintext = v + return s +} + +// SetPublicKey sets the PublicKey field's value. +func (s *GenerateDataKeyPairOutput) SetPublicKey(v []byte) *GenerateDataKeyPairOutput { + s.PublicKey = v + return s +} + +type GenerateDataKeyPairWithoutPlaintextInput struct { + _ struct{} `type:"structure"` + + // Specifies the encryption context that will be used when encrypting the private + // key in the data key pair. + // + // An encryption context is a collection of non-secret key-value pairs that + // represents additional authenticated data. When you use an encryption context + // to encrypt data, you must specify the same (an exact case-sensitive match) + // encryption context to decrypt the data. An encryption context is optional + // when encrypting with a symmetric CMK, but it is highly recommended. + // + // For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) + // in the AWS Key Management Service Developer Guide. + EncryptionContext map[string]*string `type:"map"` + + // A list of grant tokens. + // + // For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) + // in the AWS Key Management Service Developer Guide. + GrantTokens []*string `type:"list"` + + // Specifies the CMK that encrypts the private key in the data key pair. You + // must specify a symmetric CMK. You cannot use an asymmetric CMK or a CMK in + // a custom key store. To get the type and origin of your CMK, use the DescribeKey + // operation. + // + // To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, + // or alias ARN. When using an alias name, prefix it with "alias/". To specify + // a CMK in a different AWS account, you must use the key ARN or alias ARN. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Alias name: alias/ExampleAlias + // + // * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To + // get the alias name and alias ARN, use ListAliases. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` + + // Determines the type of data key pair that is generated. + // + // The AWS KMS rule that restricts the use of asymmetric RSA CMKs to encrypt + // and decrypt or to sign and verify (but not both), and the rule that permits + // you to use ECC CMKs only to sign and verify, are not effective outside of + // AWS KMS. + // + // KeyPairSpec is a required field + KeyPairSpec *string `type:"string" required:"true" enum:"DataKeyPairSpec"` +} + +// String returns the string representation +func (s GenerateDataKeyPairWithoutPlaintextInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GenerateDataKeyPairWithoutPlaintextInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *GenerateDataKeyPairWithoutPlaintextInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "GenerateDataKeyPairWithoutPlaintextInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + if s.KeyPairSpec == nil { + invalidParams.Add(request.NewErrParamRequired("KeyPairSpec")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetEncryptionContext sets the EncryptionContext field's value. +func (s *GenerateDataKeyPairWithoutPlaintextInput) SetEncryptionContext(v map[string]*string) *GenerateDataKeyPairWithoutPlaintextInput { + s.EncryptionContext = v + return s +} + +// SetGrantTokens sets the GrantTokens field's value. +func (s *GenerateDataKeyPairWithoutPlaintextInput) SetGrantTokens(v []*string) *GenerateDataKeyPairWithoutPlaintextInput { + s.GrantTokens = v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *GenerateDataKeyPairWithoutPlaintextInput) SetKeyId(v string) *GenerateDataKeyPairWithoutPlaintextInput { + s.KeyId = &v + return s +} + +// SetKeyPairSpec sets the KeyPairSpec field's value. +func (s *GenerateDataKeyPairWithoutPlaintextInput) SetKeyPairSpec(v string) *GenerateDataKeyPairWithoutPlaintextInput { + s.KeyPairSpec = &v + return s +} + +type GenerateDataKeyPairWithoutPlaintextOutput struct { + _ struct{} `type:"structure"` + + // The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN)) + // of the CMK that encrypted the private key. + KeyId *string `min:"1" type:"string"` + + // The type of data key pair that was generated. + KeyPairSpec *string `type:"string" enum:"DataKeyPairSpec"` + + // The encrypted copy of the private key. When you use the HTTP API or the AWS + // CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded. + // + // PrivateKeyCiphertextBlob is automatically base64 encoded/decoded by the SDK. + PrivateKeyCiphertextBlob []byte `min:"1" type:"blob"` + + // The public key (in plaintext). + // + // PublicKey is automatically base64 encoded/decoded by the SDK. + PublicKey []byte `min:"1" type:"blob"` +} + +// String returns the string representation +func (s GenerateDataKeyPairWithoutPlaintextOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GenerateDataKeyPairWithoutPlaintextOutput) GoString() string { + return s.String() +} + +// SetKeyId sets the KeyId field's value. +func (s *GenerateDataKeyPairWithoutPlaintextOutput) SetKeyId(v string) *GenerateDataKeyPairWithoutPlaintextOutput { + s.KeyId = &v + return s +} + +// SetKeyPairSpec sets the KeyPairSpec field's value. +func (s *GenerateDataKeyPairWithoutPlaintextOutput) SetKeyPairSpec(v string) *GenerateDataKeyPairWithoutPlaintextOutput { + s.KeyPairSpec = &v + return s +} + +// SetPrivateKeyCiphertextBlob sets the PrivateKeyCiphertextBlob field's value. +func (s *GenerateDataKeyPairWithoutPlaintextOutput) SetPrivateKeyCiphertextBlob(v []byte) *GenerateDataKeyPairWithoutPlaintextOutput { + s.PrivateKeyCiphertextBlob = v + return s +} + +// SetPublicKey sets the PublicKey field's value. +func (s *GenerateDataKeyPairWithoutPlaintextOutput) SetPublicKey(v []byte) *GenerateDataKeyPairWithoutPlaintextOutput { + s.PublicKey = v + return s +} + +type GenerateDataKeyWithoutPlaintextInput struct { + _ struct{} `type:"structure"` + + // Specifies the encryption context that will be used when encrypting the data + // key. + // + // An encryption context is a collection of non-secret key-value pairs that + // represents additional authenticated data. When you use an encryption context + // to encrypt data, you must specify the same (an exact case-sensitive match) + // encryption context to decrypt the data. An encryption context is optional + // when encrypting with a symmetric CMK, but it is highly recommended. + // + // For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) + // in the AWS Key Management Service Developer Guide. + EncryptionContext map[string]*string `type:"map"` + + // A list of grant tokens. + // + // For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) + // in the AWS Key Management Service Developer Guide. + GrantTokens []*string `type:"list"` + + // The identifier of the symmetric customer master key (CMK) that encrypts the + // data key. + // + // To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, + // or alias ARN. When using an alias name, prefix it with "alias/". To specify + // a CMK in a different AWS account, you must use the key ARN or alias ARN. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Alias name: alias/ExampleAlias + // + // * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To + // get the alias name and alias ARN, use ListAliases. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` + + // The length of the data key. Use AES_128 to generate a 128-bit symmetric key, + // or AES_256 to generate a 256-bit symmetric key. + KeySpec *string `type:"string" enum:"DataKeySpec"` + + // The length of the data key in bytes. For example, use the value 64 to generate + // a 512-bit data key (64 bytes is 512 bits). For common key lengths (128-bit + // and 256-bit symmetric keys), we recommend that you use the KeySpec field + // instead of this one. + NumberOfBytes *int64 `min:"1" type:"integer"` +} + +// String returns the string representation +func (s GenerateDataKeyWithoutPlaintextInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GenerateDataKeyWithoutPlaintextInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *GenerateDataKeyWithoutPlaintextInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "GenerateDataKeyWithoutPlaintextInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + if s.NumberOfBytes != nil && *s.NumberOfBytes < 1 { + invalidParams.Add(request.NewErrParamMinValue("NumberOfBytes", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetEncryptionContext sets the EncryptionContext field's value. +func (s *GenerateDataKeyWithoutPlaintextInput) SetEncryptionContext(v map[string]*string) *GenerateDataKeyWithoutPlaintextInput { + s.EncryptionContext = v + return s +} + +// SetGrantTokens sets the GrantTokens field's value. +func (s *GenerateDataKeyWithoutPlaintextInput) SetGrantTokens(v []*string) *GenerateDataKeyWithoutPlaintextInput { + s.GrantTokens = v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *GenerateDataKeyWithoutPlaintextInput) SetKeyId(v string) *GenerateDataKeyWithoutPlaintextInput { + s.KeyId = &v + return s +} + +// SetKeySpec sets the KeySpec field's value. +func (s *GenerateDataKeyWithoutPlaintextInput) SetKeySpec(v string) *GenerateDataKeyWithoutPlaintextInput { + s.KeySpec = &v + return s +} + +// SetNumberOfBytes sets the NumberOfBytes field's value. +func (s *GenerateDataKeyWithoutPlaintextInput) SetNumberOfBytes(v int64) *GenerateDataKeyWithoutPlaintextInput { + s.NumberOfBytes = &v + return s +} + +type GenerateDataKeyWithoutPlaintextOutput struct { + _ struct{} `type:"structure"` + + // The encrypted data key. When you use the HTTP API or the AWS CLI, the value + // is Base64-encoded. Otherwise, it is not Base64-encoded. + // + // CiphertextBlob is automatically base64 encoded/decoded by the SDK. + CiphertextBlob []byte `min:"1" type:"blob"` + + // The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN)) + // of the CMK that encrypted the data key. + KeyId *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s GenerateDataKeyWithoutPlaintextOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GenerateDataKeyWithoutPlaintextOutput) GoString() string { + return s.String() +} + +// SetCiphertextBlob sets the CiphertextBlob field's value. +func (s *GenerateDataKeyWithoutPlaintextOutput) SetCiphertextBlob(v []byte) *GenerateDataKeyWithoutPlaintextOutput { + s.CiphertextBlob = v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *GenerateDataKeyWithoutPlaintextOutput) SetKeyId(v string) *GenerateDataKeyWithoutPlaintextOutput { + s.KeyId = &v + return s +} + +type GenerateRandomInput struct { + _ struct{} `type:"structure"` + + // Generates the random byte string in the AWS CloudHSM cluster that is associated + // with the specified custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html). + // To find the ID of a custom key store, use the DescribeCustomKeyStores operation. + CustomKeyStoreId *string `min:"1" type:"string"` + + // The length of the byte string. + NumberOfBytes *int64 `min:"1" type:"integer"` +} + +// String returns the string representation +func (s GenerateRandomInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GenerateRandomInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *GenerateRandomInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "GenerateRandomInput"} + if s.CustomKeyStoreId != nil && len(*s.CustomKeyStoreId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1)) + } + if s.NumberOfBytes != nil && *s.NumberOfBytes < 1 { + invalidParams.Add(request.NewErrParamMinValue("NumberOfBytes", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetCustomKeyStoreId sets the CustomKeyStoreId field's value. +func (s *GenerateRandomInput) SetCustomKeyStoreId(v string) *GenerateRandomInput { + s.CustomKeyStoreId = &v + return s +} + +// SetNumberOfBytes sets the NumberOfBytes field's value. +func (s *GenerateRandomInput) SetNumberOfBytes(v int64) *GenerateRandomInput { + s.NumberOfBytes = &v + return s +} + +type GenerateRandomOutput struct { + _ struct{} `type:"structure"` + + // The random byte string. When you use the HTTP API or the AWS CLI, the value + // is Base64-encoded. Otherwise, it is not Base64-encoded. + // + // Plaintext is automatically base64 encoded/decoded by the SDK. + Plaintext []byte `min:"1" type:"blob" sensitive:"true"` +} + +// String returns the string representation +func (s GenerateRandomOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GenerateRandomOutput) GoString() string { + return s.String() +} + +// SetPlaintext sets the Plaintext field's value. +func (s *GenerateRandomOutput) SetPlaintext(v []byte) *GenerateRandomOutput { + s.Plaintext = v + return s +} + +type GetKeyPolicyInput struct { + _ struct{} `type:"structure"` + + // A unique identifier for the customer master key (CMK). + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` + + // Specifies the name of the key policy. The only valid name is default. To + // get the names of key policies, use ListKeyPolicies. + // + // PolicyName is a required field + PolicyName *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s GetKeyPolicyInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GetKeyPolicyInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *GetKeyPolicyInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "GetKeyPolicyInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + if s.PolicyName == nil { + invalidParams.Add(request.NewErrParamRequired("PolicyName")) + } + if s.PolicyName != nil && len(*s.PolicyName) < 1 { + invalidParams.Add(request.NewErrParamMinLen("PolicyName", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetKeyId sets the KeyId field's value. +func (s *GetKeyPolicyInput) SetKeyId(v string) *GetKeyPolicyInput { + s.KeyId = &v + return s +} + +// SetPolicyName sets the PolicyName field's value. +func (s *GetKeyPolicyInput) SetPolicyName(v string) *GetKeyPolicyInput { + s.PolicyName = &v + return s +} + +type GetKeyPolicyOutput struct { + _ struct{} `type:"structure"` + + // A key policy document in JSON format. + Policy *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s GetKeyPolicyOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GetKeyPolicyOutput) GoString() string { + return s.String() +} + +// SetPolicy sets the Policy field's value. +func (s *GetKeyPolicyOutput) SetPolicy(v string) *GetKeyPolicyOutput { + s.Policy = &v + return s +} + +type GetKeyRotationStatusInput struct { + _ struct{} `type:"structure"` + + // A unique identifier for the customer master key (CMK). + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify + // a CMK in a different AWS account, you must use the key ARN. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s GetKeyRotationStatusInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GetKeyRotationStatusInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *GetKeyRotationStatusInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "GetKeyRotationStatusInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetKeyId sets the KeyId field's value. +func (s *GetKeyRotationStatusInput) SetKeyId(v string) *GetKeyRotationStatusInput { + s.KeyId = &v + return s +} + +type GetKeyRotationStatusOutput struct { + _ struct{} `type:"structure"` + + // A Boolean value that specifies whether key rotation is enabled. + KeyRotationEnabled *bool `type:"boolean"` +} + +// String returns the string representation +func (s GetKeyRotationStatusOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GetKeyRotationStatusOutput) GoString() string { + return s.String() +} + +// SetKeyRotationEnabled sets the KeyRotationEnabled field's value. +func (s *GetKeyRotationStatusOutput) SetKeyRotationEnabled(v bool) *GetKeyRotationStatusOutput { + s.KeyRotationEnabled = &v + return s +} + +type GetParametersForImportInput struct { + _ struct{} `type:"structure"` + + // The identifier of the symmetric CMK into which you will import key material. + // The Origin of the CMK must be EXTERNAL. + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` + + // The algorithm you will use to encrypt the key material before importing it + // with ImportKeyMaterial. For more information, see Encrypt the Key Material + // (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-encrypt-key-material.html) + // in the AWS Key Management Service Developer Guide. + // + // WrappingAlgorithm is a required field + WrappingAlgorithm *string `type:"string" required:"true" enum:"AlgorithmSpec"` + + // The type of wrapping key (public key) to return in the response. Only 2048-bit + // RSA public keys are supported. + // + // WrappingKeySpec is a required field + WrappingKeySpec *string `type:"string" required:"true" enum:"WrappingKeySpec"` +} + +// String returns the string representation +func (s GetParametersForImportInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GetParametersForImportInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *GetParametersForImportInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "GetParametersForImportInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + if s.WrappingAlgorithm == nil { + invalidParams.Add(request.NewErrParamRequired("WrappingAlgorithm")) + } + if s.WrappingKeySpec == nil { + invalidParams.Add(request.NewErrParamRequired("WrappingKeySpec")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetKeyId sets the KeyId field's value. +func (s *GetParametersForImportInput) SetKeyId(v string) *GetParametersForImportInput { + s.KeyId = &v + return s +} + +// SetWrappingAlgorithm sets the WrappingAlgorithm field's value. +func (s *GetParametersForImportInput) SetWrappingAlgorithm(v string) *GetParametersForImportInput { + s.WrappingAlgorithm = &v + return s +} + +// SetWrappingKeySpec sets the WrappingKeySpec field's value. +func (s *GetParametersForImportInput) SetWrappingKeySpec(v string) *GetParametersForImportInput { + s.WrappingKeySpec = &v + return s +} + +type GetParametersForImportOutput struct { + _ struct{} `type:"structure"` + + // The import token to send in a subsequent ImportKeyMaterial request. + // + // ImportToken is automatically base64 encoded/decoded by the SDK. + ImportToken []byte `min:"1" type:"blob"` + + // The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN)) + // of the CMK to use in a subsequent ImportKeyMaterial request. This is the + // same CMK specified in the GetParametersForImport request. + KeyId *string `min:"1" type:"string"` + + // The time at which the import token and public key are no longer valid. After + // this time, you cannot use them to make an ImportKeyMaterial request and you + // must send another GetParametersForImport request to get new ones. + ParametersValidTo *time.Time `type:"timestamp"` + + // The public key to use to encrypt the key material before importing it with + // ImportKeyMaterial. + // + // PublicKey is automatically base64 encoded/decoded by the SDK. + PublicKey []byte `min:"1" type:"blob" sensitive:"true"` +} + +// String returns the string representation +func (s GetParametersForImportOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GetParametersForImportOutput) GoString() string { + return s.String() +} + +// SetImportToken sets the ImportToken field's value. +func (s *GetParametersForImportOutput) SetImportToken(v []byte) *GetParametersForImportOutput { + s.ImportToken = v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *GetParametersForImportOutput) SetKeyId(v string) *GetParametersForImportOutput { + s.KeyId = &v + return s +} + +// SetParametersValidTo sets the ParametersValidTo field's value. +func (s *GetParametersForImportOutput) SetParametersValidTo(v time.Time) *GetParametersForImportOutput { + s.ParametersValidTo = &v + return s +} + +// SetPublicKey sets the PublicKey field's value. +func (s *GetParametersForImportOutput) SetPublicKey(v []byte) *GetParametersForImportOutput { + s.PublicKey = v + return s +} + +type GetPublicKeyInput struct { + _ struct{} `type:"structure"` + + // A list of grant tokens. + // + // For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) + // in the AWS Key Management Service Developer Guide. + GrantTokens []*string `type:"list"` + + // Identifies the asymmetric CMK that includes the public key. + // + // To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, + // or alias ARN. When using an alias name, prefix it with "alias/". To specify + // a CMK in a different AWS account, you must use the key ARN or alias ARN. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Alias name: alias/ExampleAlias + // + // * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To + // get the alias name and alias ARN, use ListAliases. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s GetPublicKeyInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GetPublicKeyInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *GetPublicKeyInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "GetPublicKeyInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetGrantTokens sets the GrantTokens field's value. +func (s *GetPublicKeyInput) SetGrantTokens(v []*string) *GetPublicKeyInput { + s.GrantTokens = v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *GetPublicKeyInput) SetKeyId(v string) *GetPublicKeyInput { + s.KeyId = &v + return s +} + +type GetPublicKeyOutput struct { + _ struct{} `type:"structure"` + + // The type of the of the public key that was downloaded. + CustomerMasterKeySpec *string `type:"string" enum:"CustomerMasterKeySpec"` + + // The encryption algorithms that AWS KMS supports for this key. + // + // This information is critical. If a public key encrypts data outside of AWS + // KMS by using an unsupported encryption algorithm, the ciphertext cannot be + // decrypted. + // + // This field appears in the response only when the KeyUsage of the public key + // is ENCRYPT_DECRYPT. + EncryptionAlgorithms []*string `type:"list"` + + // The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN)) + // of the asymmetric CMK from which the public key was downloaded. + KeyId *string `min:"1" type:"string"` + + // The permitted use of the public key. Valid values are ENCRYPT_DECRYPT or + // SIGN_VERIFY. + // + // This information is critical. If a public key with SIGN_VERIFY key usage + // encrypts data outside of AWS KMS, the ciphertext cannot be decrypted. + KeyUsage *string `type:"string" enum:"KeyUsageType"` + + // The exported public key. + // + // The value is a DER-encoded X.509 public key, also known as SubjectPublicKeyInfo + // (SPKI), as defined in RFC 5280 (https://tools.ietf.org/html/rfc5280). When + // you use the HTTP API or the AWS CLI, the value is Base64-encoded. Otherwise, + // it is not Base64-encoded. + // + // PublicKey is automatically base64 encoded/decoded by the SDK. + PublicKey []byte `min:"1" type:"blob"` + + // The signing algorithms that AWS KMS supports for this key. + // + // This field appears in the response only when the KeyUsage of the public key + // is SIGN_VERIFY. + SigningAlgorithms []*string `type:"list"` +} + +// String returns the string representation +func (s GetPublicKeyOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GetPublicKeyOutput) GoString() string { + return s.String() +} + +// SetCustomerMasterKeySpec sets the CustomerMasterKeySpec field's value. +func (s *GetPublicKeyOutput) SetCustomerMasterKeySpec(v string) *GetPublicKeyOutput { + s.CustomerMasterKeySpec = &v + return s +} + +// SetEncryptionAlgorithms sets the EncryptionAlgorithms field's value. +func (s *GetPublicKeyOutput) SetEncryptionAlgorithms(v []*string) *GetPublicKeyOutput { + s.EncryptionAlgorithms = v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *GetPublicKeyOutput) SetKeyId(v string) *GetPublicKeyOutput { + s.KeyId = &v + return s +} + +// SetKeyUsage sets the KeyUsage field's value. +func (s *GetPublicKeyOutput) SetKeyUsage(v string) *GetPublicKeyOutput { + s.KeyUsage = &v + return s +} + +// SetPublicKey sets the PublicKey field's value. +func (s *GetPublicKeyOutput) SetPublicKey(v []byte) *GetPublicKeyOutput { + s.PublicKey = v + return s +} + +// SetSigningAlgorithms sets the SigningAlgorithms field's value. +func (s *GetPublicKeyOutput) SetSigningAlgorithms(v []*string) *GetPublicKeyOutput { + s.SigningAlgorithms = v + return s +} + +// Use this structure to allow cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) +// in the grant only when the operation request includes the specified encryption +// context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context). +// +// AWS KMS applies the grant constraints only to cryptographic operations that +// support an encryption context, that is, all cryptographic operations with +// a symmetric CMK (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#symmetric-cmks). +// Grant constraints are not applied to operations that do not support an encryption +// context, such as cryptographic operations with asymmetric CMKs and management +// operations, such as DescribeKey or RetireGrant. +// +// In a cryptographic operation, the encryption context in the decryption operation +// must be an exact, case-sensitive match for the keys and values in the encryption +// context of the encryption operation. Only the order of the pairs can vary. +// +// However, in a grant constraint, the key in each key-value pair is not case +// sensitive, but the value is case sensitive. +// +// To avoid confusion, do not use multiple encryption context pairs that differ +// only by case. To require a fully case-sensitive encryption context, use the +// kms:EncryptionContext: and kms:EncryptionContextKeys conditions in an IAM +// or key policy. For details, see kms:EncryptionContext: (https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context) +// in the AWS Key Management Service Developer Guide . +type GrantConstraints struct { + _ struct{} `type:"structure"` + + // A list of key-value pairs that must match the encryption context in the cryptographic + // operation (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) + // request. The grant allows the operation only when the encryption context + // in the request is the same as the encryption context specified in this constraint. + EncryptionContextEquals map[string]*string `type:"map"` + + // A list of key-value pairs that must be included in the encryption context + // of the cryptographic operation (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) + // request. The grant allows the cryptographic operation only when the encryption + // context in the request includes the key-value pairs specified in this constraint, + // although it can include additional key-value pairs. + EncryptionContextSubset map[string]*string `type:"map"` +} + +// String returns the string representation +func (s GrantConstraints) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GrantConstraints) GoString() string { + return s.String() +} + +// SetEncryptionContextEquals sets the EncryptionContextEquals field's value. +func (s *GrantConstraints) SetEncryptionContextEquals(v map[string]*string) *GrantConstraints { + s.EncryptionContextEquals = v + return s +} + +// SetEncryptionContextSubset sets the EncryptionContextSubset field's value. +func (s *GrantConstraints) SetEncryptionContextSubset(v map[string]*string) *GrantConstraints { + s.EncryptionContextSubset = v + return s +} + +// Contains information about a grant. +type GrantListEntry struct { + _ struct{} `type:"structure"` + + // A list of key-value pairs that must be present in the encryption context + // of certain subsequent operations that the grant allows. + Constraints *GrantConstraints `type:"structure"` + + // The date and time when the grant was created. + CreationDate *time.Time `type:"timestamp"` + + // The unique identifier for the grant. + GrantId *string `min:"1" type:"string"` + + // The identity that gets the permissions in the grant. + // + // The GranteePrincipal field in the ListGrants response usually contains the + // user or role designated as the grantee principal in the grant. However, when + // the grantee principal in the grant is an AWS service, the GranteePrincipal + // field contains the service principal (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services), + // which might represent several different grantee principals. + GranteePrincipal *string `min:"1" type:"string"` + + // The AWS account under which the grant was issued. + IssuingAccount *string `min:"1" type:"string"` + + // The unique identifier for the customer master key (CMK) to which the grant + // applies. + KeyId *string `min:"1" type:"string"` + + // The friendly name that identifies the grant. If a name was provided in the + // CreateGrant request, that name is returned. Otherwise this value is null. + Name *string `min:"1" type:"string"` + + // The list of operations permitted by the grant. + Operations []*string `type:"list"` + + // The principal that can retire the grant. + RetiringPrincipal *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s GrantListEntry) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GrantListEntry) GoString() string { + return s.String() +} + +// SetConstraints sets the Constraints field's value. +func (s *GrantListEntry) SetConstraints(v *GrantConstraints) *GrantListEntry { + s.Constraints = v + return s +} + +// SetCreationDate sets the CreationDate field's value. +func (s *GrantListEntry) SetCreationDate(v time.Time) *GrantListEntry { + s.CreationDate = &v + return s +} + +// SetGrantId sets the GrantId field's value. +func (s *GrantListEntry) SetGrantId(v string) *GrantListEntry { + s.GrantId = &v + return s +} + +// SetGranteePrincipal sets the GranteePrincipal field's value. +func (s *GrantListEntry) SetGranteePrincipal(v string) *GrantListEntry { + s.GranteePrincipal = &v + return s +} + +// SetIssuingAccount sets the IssuingAccount field's value. +func (s *GrantListEntry) SetIssuingAccount(v string) *GrantListEntry { + s.IssuingAccount = &v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *GrantListEntry) SetKeyId(v string) *GrantListEntry { + s.KeyId = &v + return s +} + +// SetName sets the Name field's value. +func (s *GrantListEntry) SetName(v string) *GrantListEntry { + s.Name = &v + return s +} + +// SetOperations sets the Operations field's value. +func (s *GrantListEntry) SetOperations(v []*string) *GrantListEntry { + s.Operations = v + return s +} + +// SetRetiringPrincipal sets the RetiringPrincipal field's value. +func (s *GrantListEntry) SetRetiringPrincipal(v string) *GrantListEntry { + s.RetiringPrincipal = &v + return s +} + +type ImportKeyMaterialInput struct { + _ struct{} `type:"structure"` + + // The encrypted key material to import. The key material must be encrypted + // with the public wrapping key that GetParametersForImport returned, using + // the wrapping algorithm that you specified in the same GetParametersForImport + // request. + // + // EncryptedKeyMaterial is automatically base64 encoded/decoded by the SDK. + // + // EncryptedKeyMaterial is a required field + EncryptedKeyMaterial []byte `min:"1" type:"blob" required:"true"` + + // Specifies whether the key material expires. The default is KEY_MATERIAL_EXPIRES, + // in which case you must include the ValidTo parameter. When this parameter + // is set to KEY_MATERIAL_DOES_NOT_EXPIRE, you must omit the ValidTo parameter. + ExpirationModel *string `type:"string" enum:"ExpirationModelType"` + + // The import token that you received in the response to a previous GetParametersForImport + // request. It must be from the same response that contained the public key + // that you used to encrypt the key material. + // + // ImportToken is automatically base64 encoded/decoded by the SDK. + // + // ImportToken is a required field + ImportToken []byte `min:"1" type:"blob" required:"true"` + + // The identifier of the symmetric CMK that receives the imported key material. + // The CMK's Origin must be EXTERNAL. This must be the same CMK specified in + // the KeyID parameter of the corresponding GetParametersForImport request. + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` + + // The time at which the imported key material expires. When the key material + // expires, AWS KMS deletes the key material and the CMK becomes unusable. You + // must omit this parameter when the ExpirationModel parameter is set to KEY_MATERIAL_DOES_NOT_EXPIRE. + // Otherwise it is required. + ValidTo *time.Time `type:"timestamp"` +} + +// String returns the string representation +func (s ImportKeyMaterialInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ImportKeyMaterialInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *ImportKeyMaterialInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "ImportKeyMaterialInput"} + if s.EncryptedKeyMaterial == nil { + invalidParams.Add(request.NewErrParamRequired("EncryptedKeyMaterial")) + } + if s.EncryptedKeyMaterial != nil && len(s.EncryptedKeyMaterial) < 1 { + invalidParams.Add(request.NewErrParamMinLen("EncryptedKeyMaterial", 1)) + } + if s.ImportToken == nil { + invalidParams.Add(request.NewErrParamRequired("ImportToken")) + } + if s.ImportToken != nil && len(s.ImportToken) < 1 { + invalidParams.Add(request.NewErrParamMinLen("ImportToken", 1)) + } + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetEncryptedKeyMaterial sets the EncryptedKeyMaterial field's value. +func (s *ImportKeyMaterialInput) SetEncryptedKeyMaterial(v []byte) *ImportKeyMaterialInput { + s.EncryptedKeyMaterial = v + return s +} + +// SetExpirationModel sets the ExpirationModel field's value. +func (s *ImportKeyMaterialInput) SetExpirationModel(v string) *ImportKeyMaterialInput { + s.ExpirationModel = &v + return s +} + +// SetImportToken sets the ImportToken field's value. +func (s *ImportKeyMaterialInput) SetImportToken(v []byte) *ImportKeyMaterialInput { + s.ImportToken = v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *ImportKeyMaterialInput) SetKeyId(v string) *ImportKeyMaterialInput { + s.KeyId = &v + return s +} + +// SetValidTo sets the ValidTo field's value. +func (s *ImportKeyMaterialInput) SetValidTo(v time.Time) *ImportKeyMaterialInput { + s.ValidTo = &v + return s +} + +type ImportKeyMaterialOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s ImportKeyMaterialOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ImportKeyMaterialOutput) GoString() string { + return s.String() +} + +// The request was rejected because the specified CMK cannot decrypt the data. +// The KeyId in a Decrypt request and the SourceKeyId in a ReEncrypt request +// must identify the same CMK that was used to encrypt the ciphertext. +type IncorrectKeyException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation +func (s IncorrectKeyException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s IncorrectKeyException) GoString() string { + return s.String() +} + +func newErrorIncorrectKeyException(v protocol.ResponseMetadata) error { + return &IncorrectKeyException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *IncorrectKeyException) Code() string { + return "IncorrectKeyException" +} + +// Message returns the exception's message. +func (s *IncorrectKeyException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *IncorrectKeyException) OrigErr() error { + return nil +} + +func (s *IncorrectKeyException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *IncorrectKeyException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *IncorrectKeyException) RequestID() string { + return s.RespMetadata.RequestID +} + +// The request was rejected because the key material in the request is, expired, +// invalid, or is not the same key material that was previously imported into +// this customer master key (CMK). +type IncorrectKeyMaterialException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation +func (s IncorrectKeyMaterialException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s IncorrectKeyMaterialException) GoString() string { + return s.String() +} + +func newErrorIncorrectKeyMaterialException(v protocol.ResponseMetadata) error { + return &IncorrectKeyMaterialException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *IncorrectKeyMaterialException) Code() string { + return "IncorrectKeyMaterialException" +} + +// Message returns the exception's message. +func (s *IncorrectKeyMaterialException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *IncorrectKeyMaterialException) OrigErr() error { + return nil +} + +func (s *IncorrectKeyMaterialException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *IncorrectKeyMaterialException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *IncorrectKeyMaterialException) RequestID() string { + return s.RespMetadata.RequestID +} + +// The request was rejected because the trust anchor certificate in the request +// is not the trust anchor certificate for the specified AWS CloudHSM cluster. +// +// When you initialize the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr), +// you create the trust anchor certificate and save it in the customerCA.crt +// file. +type IncorrectTrustAnchorException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation +func (s IncorrectTrustAnchorException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s IncorrectTrustAnchorException) GoString() string { + return s.String() +} + +func newErrorIncorrectTrustAnchorException(v protocol.ResponseMetadata) error { + return &IncorrectTrustAnchorException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *IncorrectTrustAnchorException) Code() string { + return "IncorrectTrustAnchorException" +} + +// Message returns the exception's message. +func (s *IncorrectTrustAnchorException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *IncorrectTrustAnchorException) OrigErr() error { + return nil +} + +func (s *IncorrectTrustAnchorException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *IncorrectTrustAnchorException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *IncorrectTrustAnchorException) RequestID() string { + return s.RespMetadata.RequestID +} + +// The request was rejected because an internal exception occurred. The request +// can be retried. +type InternalException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation +func (s InternalException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s InternalException) GoString() string { + return s.String() +} + +func newErrorInternalException(v protocol.ResponseMetadata) error { + return &InternalException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *InternalException) Code() string { + return "KMSInternalException" +} + +// Message returns the exception's message. +func (s *InternalException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *InternalException) OrigErr() error { + return nil +} + +func (s *InternalException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *InternalException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *InternalException) RequestID() string { + return s.RespMetadata.RequestID +} + +// The request was rejected because the specified alias name is not valid. +type InvalidAliasNameException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation +func (s InvalidAliasNameException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s InvalidAliasNameException) GoString() string { + return s.String() +} + +func newErrorInvalidAliasNameException(v protocol.ResponseMetadata) error { + return &InvalidAliasNameException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *InvalidAliasNameException) Code() string { + return "InvalidAliasNameException" +} + +// Message returns the exception's message. +func (s *InvalidAliasNameException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *InvalidAliasNameException) OrigErr() error { + return nil +} + +func (s *InvalidAliasNameException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *InvalidAliasNameException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *InvalidAliasNameException) RequestID() string { + return s.RespMetadata.RequestID +} + +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +type InvalidArnException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation +func (s InvalidArnException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s InvalidArnException) GoString() string { + return s.String() +} + +func newErrorInvalidArnException(v protocol.ResponseMetadata) error { + return &InvalidArnException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *InvalidArnException) Code() string { + return "InvalidArnException" +} + +// Message returns the exception's message. +func (s *InvalidArnException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *InvalidArnException) OrigErr() error { + return nil +} + +func (s *InvalidArnException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *InvalidArnException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *InvalidArnException) RequestID() string { + return s.RespMetadata.RequestID +} + +// From the Decrypt or ReEncrypt operation, the request was rejected because +// the specified ciphertext, or additional authenticated data incorporated into +// the ciphertext, such as the encryption context, is corrupted, missing, or +// otherwise invalid. +// +// From the ImportKeyMaterial operation, the request was rejected because AWS +// KMS could not decrypt the encrypted (wrapped) key material. +type InvalidCiphertextException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation +func (s InvalidCiphertextException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s InvalidCiphertextException) GoString() string { + return s.String() +} + +func newErrorInvalidCiphertextException(v protocol.ResponseMetadata) error { + return &InvalidCiphertextException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *InvalidCiphertextException) Code() string { + return "InvalidCiphertextException" +} + +// Message returns the exception's message. +func (s *InvalidCiphertextException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *InvalidCiphertextException) OrigErr() error { + return nil +} + +func (s *InvalidCiphertextException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *InvalidCiphertextException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *InvalidCiphertextException) RequestID() string { + return s.RespMetadata.RequestID +} + +// The request was rejected because the specified GrantId is not valid. +type InvalidGrantIdException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation +func (s InvalidGrantIdException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s InvalidGrantIdException) GoString() string { + return s.String() +} + +func newErrorInvalidGrantIdException(v protocol.ResponseMetadata) error { + return &InvalidGrantIdException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *InvalidGrantIdException) Code() string { + return "InvalidGrantIdException" +} + +// Message returns the exception's message. +func (s *InvalidGrantIdException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *InvalidGrantIdException) OrigErr() error { + return nil +} + +func (s *InvalidGrantIdException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *InvalidGrantIdException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *InvalidGrantIdException) RequestID() string { + return s.RespMetadata.RequestID +} + +// The request was rejected because the specified grant token is not valid. +type InvalidGrantTokenException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation +func (s InvalidGrantTokenException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s InvalidGrantTokenException) GoString() string { + return s.String() +} + +func newErrorInvalidGrantTokenException(v protocol.ResponseMetadata) error { + return &InvalidGrantTokenException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *InvalidGrantTokenException) Code() string { + return "InvalidGrantTokenException" +} + +// Message returns the exception's message. +func (s *InvalidGrantTokenException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *InvalidGrantTokenException) OrigErr() error { + return nil +} + +func (s *InvalidGrantTokenException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *InvalidGrantTokenException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *InvalidGrantTokenException) RequestID() string { + return s.RespMetadata.RequestID +} + +// The request was rejected because the provided import token is invalid or +// is associated with a different customer master key (CMK). +type InvalidImportTokenException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation +func (s InvalidImportTokenException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s InvalidImportTokenException) GoString() string { + return s.String() +} + +func newErrorInvalidImportTokenException(v protocol.ResponseMetadata) error { + return &InvalidImportTokenException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *InvalidImportTokenException) Code() string { + return "InvalidImportTokenException" +} + +// Message returns the exception's message. +func (s *InvalidImportTokenException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *InvalidImportTokenException) OrigErr() error { + return nil +} + +func (s *InvalidImportTokenException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *InvalidImportTokenException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *InvalidImportTokenException) RequestID() string { + return s.RespMetadata.RequestID +} + +// The request was rejected for one of the following reasons: +// +// * The KeyUsage value of the CMK is incompatible with the API operation. +// +// * The encryption algorithm or signing algorithm specified for the operation +// is incompatible with the type of key material in the CMK (CustomerMasterKeySpec). +// +// For encrypting, decrypting, re-encrypting, and generating data keys, the +// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage +// must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation. +// +// To find the encryption or signing algorithms supported for a particular CMK, +// use the DescribeKey operation. +type InvalidKeyUsageException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation +func (s InvalidKeyUsageException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s InvalidKeyUsageException) GoString() string { + return s.String() +} + +func newErrorInvalidKeyUsageException(v protocol.ResponseMetadata) error { + return &InvalidKeyUsageException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *InvalidKeyUsageException) Code() string { + return "InvalidKeyUsageException" +} + +// Message returns the exception's message. +func (s *InvalidKeyUsageException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *InvalidKeyUsageException) OrigErr() error { + return nil +} + +func (s *InvalidKeyUsageException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *InvalidKeyUsageException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *InvalidKeyUsageException) RequestID() string { + return s.RespMetadata.RequestID +} + +// The request was rejected because the marker that specifies where pagination +// should next begin is not valid. +type InvalidMarkerException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation +func (s InvalidMarkerException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s InvalidMarkerException) GoString() string { + return s.String() +} + +func newErrorInvalidMarkerException(v protocol.ResponseMetadata) error { + return &InvalidMarkerException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *InvalidMarkerException) Code() string { + return "InvalidMarkerException" +} + +// Message returns the exception's message. +func (s *InvalidMarkerException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *InvalidMarkerException) OrigErr() error { + return nil +} + +func (s *InvalidMarkerException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *InvalidMarkerException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *InvalidMarkerException) RequestID() string { + return s.RespMetadata.RequestID +} + +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide . +type InvalidStateException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation +func (s InvalidStateException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s InvalidStateException) GoString() string { + return s.String() +} + +func newErrorInvalidStateException(v protocol.ResponseMetadata) error { + return &InvalidStateException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *InvalidStateException) Code() string { + return "KMSInvalidStateException" +} + +// Message returns the exception's message. +func (s *InvalidStateException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *InvalidStateException) OrigErr() error { + return nil +} + +func (s *InvalidStateException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *InvalidStateException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *InvalidStateException) RequestID() string { + return s.RespMetadata.RequestID +} + +// The request was rejected because the signature verification failed. Signature +// verification fails when it cannot confirm that signature was produced by +// signing the specified message with the specified CMK and signing algorithm. +type KMSInvalidSignatureException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation +func (s KMSInvalidSignatureException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s KMSInvalidSignatureException) GoString() string { + return s.String() +} + +func newErrorKMSInvalidSignatureException(v protocol.ResponseMetadata) error { + return &KMSInvalidSignatureException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *KMSInvalidSignatureException) Code() string { + return "KMSInvalidSignatureException" +} + +// Message returns the exception's message. +func (s *KMSInvalidSignatureException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *KMSInvalidSignatureException) OrigErr() error { + return nil +} + +func (s *KMSInvalidSignatureException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *KMSInvalidSignatureException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *KMSInvalidSignatureException) RequestID() string { + return s.RespMetadata.RequestID +} + +// Contains information about each entry in the key list. +type KeyListEntry struct { + _ struct{} `type:"structure"` + + // ARN of the key. + KeyArn *string `min:"20" type:"string"` + + // Unique identifier of the key. + KeyId *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s KeyListEntry) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s KeyListEntry) GoString() string { + return s.String() +} + +// SetKeyArn sets the KeyArn field's value. +func (s *KeyListEntry) SetKeyArn(v string) *KeyListEntry { + s.KeyArn = &v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *KeyListEntry) SetKeyId(v string) *KeyListEntry { + s.KeyId = &v + return s +} + +// Contains metadata about a customer master key (CMK). +// +// This data type is used as a response element for the CreateKey and DescribeKey +// operations. +type KeyMetadata struct { + _ struct{} `type:"structure"` + + // The twelve-digit account ID of the AWS account that owns the CMK. + AWSAccountId *string `type:"string"` + + // The Amazon Resource Name (ARN) of the CMK. For examples, see AWS Key Management + // Service (AWS KMS) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-kms) + // in the Example ARNs section of the AWS General Reference. + Arn *string `min:"20" type:"string"` + + // The cluster ID of the AWS CloudHSM cluster that contains the key material + // for the CMK. When you create a CMK in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html), + // AWS KMS creates the key material for the CMK in the associated AWS CloudHSM + // cluster. This value is present only when the CMK is created in a custom key + // store. + CloudHsmClusterId *string `min:"19" type:"string"` + + // The date and time when the CMK was created. + CreationDate *time.Time `type:"timestamp"` + + // A unique identifier for the custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) + // that contains the CMK. This value is present only when the CMK is created + // in a custom key store. + CustomKeyStoreId *string `min:"1" type:"string"` + + // Describes the type of key material in the CMK. + CustomerMasterKeySpec *string `type:"string" enum:"CustomerMasterKeySpec"` + + // The date and time after which AWS KMS deletes the CMK. This value is present + // only when KeyState is PendingDeletion. + DeletionDate *time.Time `type:"timestamp"` + + // The description of the CMK. + Description *string `type:"string"` + + // Specifies whether the CMK is enabled. When KeyState is Enabled this value + // is true, otherwise it is false. + Enabled *bool `type:"boolean"` + + // The encryption algorithms that the CMK supports. You cannot use the CMK with + // other encryption algorithms within AWS KMS. + // + // This field appears only when the KeyUsage of the CMK is ENCRYPT_DECRYPT. + EncryptionAlgorithms []*string `type:"list"` + + // Specifies whether the CMK's key material expires. This value is present only + // when Origin is EXTERNAL, otherwise this value is omitted. + ExpirationModel *string `type:"string" enum:"ExpirationModelType"` + + // The globally unique identifier for the CMK. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` + + // The manager of the CMK. CMKs in your AWS account are either customer managed + // or AWS managed. For more information about the difference, see Customer Master + // Keys (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys) + // in the AWS Key Management Service Developer Guide. + KeyManager *string `type:"string" enum:"KeyManagerType"` + + // The current status of the CMK. + // + // For more information about how key state affects the use of a CMK, see Key + // state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) + // in the AWS Key Management Service Developer Guide. + KeyState *string `type:"string" enum:"KeyState"` + + // The cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) + // for which you can use the CMK. + KeyUsage *string `type:"string" enum:"KeyUsageType"` + + // The source of the CMK's key material. When this value is AWS_KMS, AWS KMS + // created the key material. When this value is EXTERNAL, the key material was + // imported from your existing key management infrastructure or the CMK lacks + // key material. When this value is AWS_CLOUDHSM, the key material was created + // in the AWS CloudHSM cluster associated with a custom key store. + Origin *string `type:"string" enum:"OriginType"` + + // The signing algorithms that the CMK supports. You cannot use the CMK with + // other signing algorithms within AWS KMS. + // + // This field appears only when the KeyUsage of the CMK is SIGN_VERIFY. + SigningAlgorithms []*string `type:"list"` + + // The time at which the imported key material expires. When the key material + // expires, AWS KMS deletes the key material and the CMK becomes unusable. This + // value is present only for CMKs whose Origin is EXTERNAL and whose ExpirationModel + // is KEY_MATERIAL_EXPIRES, otherwise this value is omitted. + ValidTo *time.Time `type:"timestamp"` +} + +// String returns the string representation +func (s KeyMetadata) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s KeyMetadata) GoString() string { + return s.String() +} + +// SetAWSAccountId sets the AWSAccountId field's value. +func (s *KeyMetadata) SetAWSAccountId(v string) *KeyMetadata { + s.AWSAccountId = &v + return s +} + +// SetArn sets the Arn field's value. +func (s *KeyMetadata) SetArn(v string) *KeyMetadata { + s.Arn = &v + return s +} + +// SetCloudHsmClusterId sets the CloudHsmClusterId field's value. +func (s *KeyMetadata) SetCloudHsmClusterId(v string) *KeyMetadata { + s.CloudHsmClusterId = &v + return s +} + +// SetCreationDate sets the CreationDate field's value. +func (s *KeyMetadata) SetCreationDate(v time.Time) *KeyMetadata { + s.CreationDate = &v + return s +} + +// SetCustomKeyStoreId sets the CustomKeyStoreId field's value. +func (s *KeyMetadata) SetCustomKeyStoreId(v string) *KeyMetadata { + s.CustomKeyStoreId = &v + return s +} + +// SetCustomerMasterKeySpec sets the CustomerMasterKeySpec field's value. +func (s *KeyMetadata) SetCustomerMasterKeySpec(v string) *KeyMetadata { + s.CustomerMasterKeySpec = &v + return s +} + +// SetDeletionDate sets the DeletionDate field's value. +func (s *KeyMetadata) SetDeletionDate(v time.Time) *KeyMetadata { + s.DeletionDate = &v + return s +} + +// SetDescription sets the Description field's value. +func (s *KeyMetadata) SetDescription(v string) *KeyMetadata { + s.Description = &v + return s +} + +// SetEnabled sets the Enabled field's value. +func (s *KeyMetadata) SetEnabled(v bool) *KeyMetadata { + s.Enabled = &v + return s +} + +// SetEncryptionAlgorithms sets the EncryptionAlgorithms field's value. +func (s *KeyMetadata) SetEncryptionAlgorithms(v []*string) *KeyMetadata { + s.EncryptionAlgorithms = v + return s +} + +// SetExpirationModel sets the ExpirationModel field's value. +func (s *KeyMetadata) SetExpirationModel(v string) *KeyMetadata { + s.ExpirationModel = &v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *KeyMetadata) SetKeyId(v string) *KeyMetadata { + s.KeyId = &v + return s +} + +// SetKeyManager sets the KeyManager field's value. +func (s *KeyMetadata) SetKeyManager(v string) *KeyMetadata { + s.KeyManager = &v + return s +} + +// SetKeyState sets the KeyState field's value. +func (s *KeyMetadata) SetKeyState(v string) *KeyMetadata { + s.KeyState = &v + return s +} + +// SetKeyUsage sets the KeyUsage field's value. +func (s *KeyMetadata) SetKeyUsage(v string) *KeyMetadata { + s.KeyUsage = &v + return s +} + +// SetOrigin sets the Origin field's value. +func (s *KeyMetadata) SetOrigin(v string) *KeyMetadata { + s.Origin = &v + return s +} + +// SetSigningAlgorithms sets the SigningAlgorithms field's value. +func (s *KeyMetadata) SetSigningAlgorithms(v []*string) *KeyMetadata { + s.SigningAlgorithms = v + return s +} + +// SetValidTo sets the ValidTo field's value. +func (s *KeyMetadata) SetValidTo(v time.Time) *KeyMetadata { + s.ValidTo = &v + return s +} + +// The request was rejected because the specified CMK was not available. You +// can retry the request. +type KeyUnavailableException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation +func (s KeyUnavailableException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s KeyUnavailableException) GoString() string { + return s.String() +} + +func newErrorKeyUnavailableException(v protocol.ResponseMetadata) error { + return &KeyUnavailableException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *KeyUnavailableException) Code() string { + return "KeyUnavailableException" +} + +// Message returns the exception's message. +func (s *KeyUnavailableException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *KeyUnavailableException) OrigErr() error { + return nil +} + +func (s *KeyUnavailableException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *KeyUnavailableException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *KeyUnavailableException) RequestID() string { + return s.RespMetadata.RequestID +} + +// The request was rejected because a quota was exceeded. For more information, +// see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html) +// in the AWS Key Management Service Developer Guide. +type LimitExceededException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation +func (s LimitExceededException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s LimitExceededException) GoString() string { + return s.String() +} + +func newErrorLimitExceededException(v protocol.ResponseMetadata) error { + return &LimitExceededException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *LimitExceededException) Code() string { + return "LimitExceededException" +} + +// Message returns the exception's message. +func (s *LimitExceededException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *LimitExceededException) OrigErr() error { + return nil +} + +func (s *LimitExceededException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *LimitExceededException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *LimitExceededException) RequestID() string { + return s.RespMetadata.RequestID +} + +type ListAliasesInput struct { + _ struct{} `type:"structure"` + + // Lists only aliases that are associated with the specified CMK. Enter a CMK + // in your AWS account. + // + // This parameter is optional. If you omit it, ListAliases returns all aliases + // in the account and Region. + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + KeyId *string `min:"1" type:"string"` + + // Use this parameter to specify the maximum number of items to return. When + // this value is present, AWS KMS does not return more than the specified number + // of items, but it might return fewer. + // + // This value is optional. If you include a value, it must be between 1 and + // 100, inclusive. If you do not include a value, it defaults to 50. + Limit *int64 `min:"1" type:"integer"` + + // Use this parameter in a subsequent request after you receive a response with + // truncated results. Set it to the value of NextMarker from the truncated response + // you just received. + Marker *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s ListAliasesInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ListAliasesInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *ListAliasesInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "ListAliasesInput"} + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + if s.Limit != nil && *s.Limit < 1 { + invalidParams.Add(request.NewErrParamMinValue("Limit", 1)) + } + if s.Marker != nil && len(*s.Marker) < 1 { + invalidParams.Add(request.NewErrParamMinLen("Marker", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetKeyId sets the KeyId field's value. +func (s *ListAliasesInput) SetKeyId(v string) *ListAliasesInput { + s.KeyId = &v + return s +} + +// SetLimit sets the Limit field's value. +func (s *ListAliasesInput) SetLimit(v int64) *ListAliasesInput { + s.Limit = &v + return s +} + +// SetMarker sets the Marker field's value. +func (s *ListAliasesInput) SetMarker(v string) *ListAliasesInput { + s.Marker = &v + return s +} + +type ListAliasesOutput struct { + _ struct{} `type:"structure"` + + // A list of aliases. + Aliases []*AliasListEntry `type:"list"` + + // When Truncated is true, this element is present and contains the value to + // use for the Marker parameter in a subsequent request. + NextMarker *string `min:"1" type:"string"` + + // A flag that indicates whether there are more items in the list. When this + // value is true, the list in this response is truncated. To get more items, + // pass the value of the NextMarker element in thisresponse to the Marker parameter + // in a subsequent request. + Truncated *bool `type:"boolean"` +} + +// String returns the string representation +func (s ListAliasesOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ListAliasesOutput) GoString() string { + return s.String() +} + +// SetAliases sets the Aliases field's value. +func (s *ListAliasesOutput) SetAliases(v []*AliasListEntry) *ListAliasesOutput { + s.Aliases = v + return s +} + +// SetNextMarker sets the NextMarker field's value. +func (s *ListAliasesOutput) SetNextMarker(v string) *ListAliasesOutput { + s.NextMarker = &v + return s +} + +// SetTruncated sets the Truncated field's value. +func (s *ListAliasesOutput) SetTruncated(v bool) *ListAliasesOutput { + s.Truncated = &v + return s +} + +type ListGrantsInput struct { + _ struct{} `type:"structure"` + + // Returns only the grant with the specified grant ID. The grant ID uniquely + // identifies the grant. + GrantId *string `min:"1" type:"string"` + + // Returns only grants where the specified principal is the grantee principal + // for the grant. + GranteePrincipal *string `min:"1" type:"string"` + + // Returns only grants for the specified customer master key (CMK). This parameter + // is required. + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify + // a CMK in a different AWS account, you must use the key ARN. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` + + // Use this parameter to specify the maximum number of items to return. When + // this value is present, AWS KMS does not return more than the specified number + // of items, but it might return fewer. + // + // This value is optional. If you include a value, it must be between 1 and + // 100, inclusive. If you do not include a value, it defaults to 50. + Limit *int64 `min:"1" type:"integer"` + + // Use this parameter in a subsequent request after you receive a response with + // truncated results. Set it to the value of NextMarker from the truncated response + // you just received. + Marker *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s ListGrantsInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ListGrantsInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *ListGrantsInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "ListGrantsInput"} + if s.GrantId != nil && len(*s.GrantId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("GrantId", 1)) + } + if s.GranteePrincipal != nil && len(*s.GranteePrincipal) < 1 { + invalidParams.Add(request.NewErrParamMinLen("GranteePrincipal", 1)) + } + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + if s.Limit != nil && *s.Limit < 1 { + invalidParams.Add(request.NewErrParamMinValue("Limit", 1)) + } + if s.Marker != nil && len(*s.Marker) < 1 { + invalidParams.Add(request.NewErrParamMinLen("Marker", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetGrantId sets the GrantId field's value. +func (s *ListGrantsInput) SetGrantId(v string) *ListGrantsInput { + s.GrantId = &v + return s +} + +// SetGranteePrincipal sets the GranteePrincipal field's value. +func (s *ListGrantsInput) SetGranteePrincipal(v string) *ListGrantsInput { + s.GranteePrincipal = &v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *ListGrantsInput) SetKeyId(v string) *ListGrantsInput { + s.KeyId = &v + return s +} + +// SetLimit sets the Limit field's value. +func (s *ListGrantsInput) SetLimit(v int64) *ListGrantsInput { + s.Limit = &v + return s +} + +// SetMarker sets the Marker field's value. +func (s *ListGrantsInput) SetMarker(v string) *ListGrantsInput { + s.Marker = &v + return s +} + +type ListGrantsResponse struct { + _ struct{} `type:"structure"` + + // A list of grants. + Grants []*GrantListEntry `type:"list"` + + // When Truncated is true, this element is present and contains the value to + // use for the Marker parameter in a subsequent request. + NextMarker *string `min:"1" type:"string"` + + // A flag that indicates whether there are more items in the list. When this + // value is true, the list in this response is truncated. To get more items, + // pass the value of the NextMarker element in thisresponse to the Marker parameter + // in a subsequent request. + Truncated *bool `type:"boolean"` +} + +// String returns the string representation +func (s ListGrantsResponse) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ListGrantsResponse) GoString() string { + return s.String() +} + +// SetGrants sets the Grants field's value. +func (s *ListGrantsResponse) SetGrants(v []*GrantListEntry) *ListGrantsResponse { + s.Grants = v + return s +} + +// SetNextMarker sets the NextMarker field's value. +func (s *ListGrantsResponse) SetNextMarker(v string) *ListGrantsResponse { + s.NextMarker = &v + return s +} + +// SetTruncated sets the Truncated field's value. +func (s *ListGrantsResponse) SetTruncated(v bool) *ListGrantsResponse { + s.Truncated = &v + return s +} + +type ListKeyPoliciesInput struct { + _ struct{} `type:"structure"` + + // A unique identifier for the customer master key (CMK). + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` + + // Use this parameter to specify the maximum number of items to return. When + // this value is present, AWS KMS does not return more than the specified number + // of items, but it might return fewer. + // + // This value is optional. If you include a value, it must be between 1 and + // 1000, inclusive. If you do not include a value, it defaults to 100. + // + // Only one policy can be attached to a key. + Limit *int64 `min:"1" type:"integer"` + + // Use this parameter in a subsequent request after you receive a response with + // truncated results. Set it to the value of NextMarker from the truncated response + // you just received. + Marker *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s ListKeyPoliciesInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ListKeyPoliciesInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *ListKeyPoliciesInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "ListKeyPoliciesInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + if s.Limit != nil && *s.Limit < 1 { + invalidParams.Add(request.NewErrParamMinValue("Limit", 1)) + } + if s.Marker != nil && len(*s.Marker) < 1 { + invalidParams.Add(request.NewErrParamMinLen("Marker", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetKeyId sets the KeyId field's value. +func (s *ListKeyPoliciesInput) SetKeyId(v string) *ListKeyPoliciesInput { + s.KeyId = &v + return s +} + +// SetLimit sets the Limit field's value. +func (s *ListKeyPoliciesInput) SetLimit(v int64) *ListKeyPoliciesInput { + s.Limit = &v + return s +} + +// SetMarker sets the Marker field's value. +func (s *ListKeyPoliciesInput) SetMarker(v string) *ListKeyPoliciesInput { + s.Marker = &v + return s +} + +type ListKeyPoliciesOutput struct { + _ struct{} `type:"structure"` + + // When Truncated is true, this element is present and contains the value to + // use for the Marker parameter in a subsequent request. + NextMarker *string `min:"1" type:"string"` + + // A list of key policy names. The only valid value is default. + PolicyNames []*string `type:"list"` + + // A flag that indicates whether there are more items in the list. When this + // value is true, the list in this response is truncated. To get more items, + // pass the value of the NextMarker element in thisresponse to the Marker parameter + // in a subsequent request. + Truncated *bool `type:"boolean"` +} + +// String returns the string representation +func (s ListKeyPoliciesOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ListKeyPoliciesOutput) GoString() string { + return s.String() +} + +// SetNextMarker sets the NextMarker field's value. +func (s *ListKeyPoliciesOutput) SetNextMarker(v string) *ListKeyPoliciesOutput { + s.NextMarker = &v + return s +} + +// SetPolicyNames sets the PolicyNames field's value. +func (s *ListKeyPoliciesOutput) SetPolicyNames(v []*string) *ListKeyPoliciesOutput { + s.PolicyNames = v + return s +} + +// SetTruncated sets the Truncated field's value. +func (s *ListKeyPoliciesOutput) SetTruncated(v bool) *ListKeyPoliciesOutput { + s.Truncated = &v + return s +} + +type ListKeysInput struct { + _ struct{} `type:"structure"` + + // Use this parameter to specify the maximum number of items to return. When + // this value is present, AWS KMS does not return more than the specified number + // of items, but it might return fewer. + // + // This value is optional. If you include a value, it must be between 1 and + // 1000, inclusive. If you do not include a value, it defaults to 100. + Limit *int64 `min:"1" type:"integer"` + + // Use this parameter in a subsequent request after you receive a response with + // truncated results. Set it to the value of NextMarker from the truncated response + // you just received. + Marker *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s ListKeysInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ListKeysInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *ListKeysInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "ListKeysInput"} + if s.Limit != nil && *s.Limit < 1 { + invalidParams.Add(request.NewErrParamMinValue("Limit", 1)) + } + if s.Marker != nil && len(*s.Marker) < 1 { + invalidParams.Add(request.NewErrParamMinLen("Marker", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetLimit sets the Limit field's value. +func (s *ListKeysInput) SetLimit(v int64) *ListKeysInput { + s.Limit = &v + return s +} + +// SetMarker sets the Marker field's value. +func (s *ListKeysInput) SetMarker(v string) *ListKeysInput { + s.Marker = &v + return s +} + +type ListKeysOutput struct { + _ struct{} `type:"structure"` + + // A list of customer master keys (CMKs). + Keys []*KeyListEntry `type:"list"` + + // When Truncated is true, this element is present and contains the value to + // use for the Marker parameter in a subsequent request. + NextMarker *string `min:"1" type:"string"` + + // A flag that indicates whether there are more items in the list. When this + // value is true, the list in this response is truncated. To get more items, + // pass the value of the NextMarker element in thisresponse to the Marker parameter + // in a subsequent request. + Truncated *bool `type:"boolean"` +} + +// String returns the string representation +func (s ListKeysOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ListKeysOutput) GoString() string { + return s.String() +} + +// SetKeys sets the Keys field's value. +func (s *ListKeysOutput) SetKeys(v []*KeyListEntry) *ListKeysOutput { + s.Keys = v + return s +} + +// SetNextMarker sets the NextMarker field's value. +func (s *ListKeysOutput) SetNextMarker(v string) *ListKeysOutput { + s.NextMarker = &v + return s +} + +// SetTruncated sets the Truncated field's value. +func (s *ListKeysOutput) SetTruncated(v bool) *ListKeysOutput { + s.Truncated = &v + return s +} + +type ListResourceTagsInput struct { + _ struct{} `type:"structure"` + + // A unique identifier for the customer master key (CMK). + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` + + // Use this parameter to specify the maximum number of items to return. When + // this value is present, AWS KMS does not return more than the specified number + // of items, but it might return fewer. + // + // This value is optional. If you include a value, it must be between 1 and + // 50, inclusive. If you do not include a value, it defaults to 50. + Limit *int64 `min:"1" type:"integer"` + + // Use this parameter in a subsequent request after you receive a response with + // truncated results. Set it to the value of NextMarker from the truncated response + // you just received. + // + // Do not attempt to construct this value. Use only the value of NextMarker + // from the truncated response you just received. + Marker *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s ListResourceTagsInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ListResourceTagsInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *ListResourceTagsInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "ListResourceTagsInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + if s.Limit != nil && *s.Limit < 1 { + invalidParams.Add(request.NewErrParamMinValue("Limit", 1)) + } + if s.Marker != nil && len(*s.Marker) < 1 { + invalidParams.Add(request.NewErrParamMinLen("Marker", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetKeyId sets the KeyId field's value. +func (s *ListResourceTagsInput) SetKeyId(v string) *ListResourceTagsInput { + s.KeyId = &v + return s +} + +// SetLimit sets the Limit field's value. +func (s *ListResourceTagsInput) SetLimit(v int64) *ListResourceTagsInput { + s.Limit = &v + return s +} + +// SetMarker sets the Marker field's value. +func (s *ListResourceTagsInput) SetMarker(v string) *ListResourceTagsInput { + s.Marker = &v + return s +} + +type ListResourceTagsOutput struct { + _ struct{} `type:"structure"` + + // When Truncated is true, this element is present and contains the value to + // use for the Marker parameter in a subsequent request. + // + // Do not assume or infer any information from this value. + NextMarker *string `min:"1" type:"string"` + + // A list of tags. Each tag consists of a tag key and a tag value. + Tags []*Tag `type:"list"` + + // A flag that indicates whether there are more items in the list. When this + // value is true, the list in this response is truncated. To get more items, + // pass the value of the NextMarker element in thisresponse to the Marker parameter + // in a subsequent request. + Truncated *bool `type:"boolean"` +} + +// String returns the string representation +func (s ListResourceTagsOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ListResourceTagsOutput) GoString() string { + return s.String() +} + +// SetNextMarker sets the NextMarker field's value. +func (s *ListResourceTagsOutput) SetNextMarker(v string) *ListResourceTagsOutput { + s.NextMarker = &v + return s +} + +// SetTags sets the Tags field's value. +func (s *ListResourceTagsOutput) SetTags(v []*Tag) *ListResourceTagsOutput { + s.Tags = v + return s +} + +// SetTruncated sets the Truncated field's value. +func (s *ListResourceTagsOutput) SetTruncated(v bool) *ListResourceTagsOutput { + s.Truncated = &v + return s +} + +type ListRetirableGrantsInput struct { + _ struct{} `type:"structure"` + + // Use this parameter to specify the maximum number of items to return. When + // this value is present, AWS KMS does not return more than the specified number + // of items, but it might return fewer. + // + // This value is optional. If you include a value, it must be between 1 and + // 100, inclusive. If you do not include a value, it defaults to 50. + Limit *int64 `min:"1" type:"integer"` + + // Use this parameter in a subsequent request after you receive a response with + // truncated results. Set it to the value of NextMarker from the truncated response + // you just received. + Marker *string `min:"1" type:"string"` + + // The retiring principal for which to list grants. Enter a principal in your + // AWS account. + // + // To specify the retiring principal, use the Amazon Resource Name (ARN) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) + // of an AWS principal. Valid AWS principals include AWS accounts (root), IAM + // users, federated users, and assumed role users. For examples of the ARN syntax + // for specifying a principal, see AWS Identity and Access Management (IAM) + // (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam) + // in the Example ARNs section of the Amazon Web Services General Reference. + // + // RetiringPrincipal is a required field + RetiringPrincipal *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s ListRetirableGrantsInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ListRetirableGrantsInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *ListRetirableGrantsInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "ListRetirableGrantsInput"} + if s.Limit != nil && *s.Limit < 1 { + invalidParams.Add(request.NewErrParamMinValue("Limit", 1)) + } + if s.Marker != nil && len(*s.Marker) < 1 { + invalidParams.Add(request.NewErrParamMinLen("Marker", 1)) + } + if s.RetiringPrincipal == nil { + invalidParams.Add(request.NewErrParamRequired("RetiringPrincipal")) + } + if s.RetiringPrincipal != nil && len(*s.RetiringPrincipal) < 1 { + invalidParams.Add(request.NewErrParamMinLen("RetiringPrincipal", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetLimit sets the Limit field's value. +func (s *ListRetirableGrantsInput) SetLimit(v int64) *ListRetirableGrantsInput { + s.Limit = &v + return s +} + +// SetMarker sets the Marker field's value. +func (s *ListRetirableGrantsInput) SetMarker(v string) *ListRetirableGrantsInput { + s.Marker = &v + return s +} + +// SetRetiringPrincipal sets the RetiringPrincipal field's value. +func (s *ListRetirableGrantsInput) SetRetiringPrincipal(v string) *ListRetirableGrantsInput { + s.RetiringPrincipal = &v + return s +} + +// The request was rejected because the specified policy is not syntactically +// or semantically correct. +type MalformedPolicyDocumentException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation +func (s MalformedPolicyDocumentException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s MalformedPolicyDocumentException) GoString() string { + return s.String() +} + +func newErrorMalformedPolicyDocumentException(v protocol.ResponseMetadata) error { + return &MalformedPolicyDocumentException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *MalformedPolicyDocumentException) Code() string { + return "MalformedPolicyDocumentException" +} + +// Message returns the exception's message. +func (s *MalformedPolicyDocumentException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *MalformedPolicyDocumentException) OrigErr() error { + return nil +} + +func (s *MalformedPolicyDocumentException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *MalformedPolicyDocumentException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *MalformedPolicyDocumentException) RequestID() string { + return s.RespMetadata.RequestID +} + +// The request was rejected because the specified entity or resource could not +// be found. +type NotFoundException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation +func (s NotFoundException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s NotFoundException) GoString() string { + return s.String() +} + +func newErrorNotFoundException(v protocol.ResponseMetadata) error { + return &NotFoundException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *NotFoundException) Code() string { + return "NotFoundException" +} + +// Message returns the exception's message. +func (s *NotFoundException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *NotFoundException) OrigErr() error { + return nil +} + +func (s *NotFoundException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *NotFoundException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *NotFoundException) RequestID() string { + return s.RespMetadata.RequestID +} + +type PutKeyPolicyInput struct { + _ struct{} `type:"structure"` + + // A flag to indicate whether to bypass the key policy lockout safety check. + // + // Setting this value to true increases the risk that the CMK becomes unmanageable. + // Do not set this value to true indiscriminately. + // + // For more information, refer to the scenario in the Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) + // section in the AWS Key Management Service Developer Guide. + // + // Use this parameter only when you intend to prevent the principal that is + // making the request from making a subsequent PutKeyPolicy request on the CMK. + // + // The default value is false. + BypassPolicyLockoutSafetyCheck *bool `type:"boolean"` + + // A unique identifier for the customer master key (CMK). + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` + + // The key policy to attach to the CMK. + // + // The key policy must meet the following criteria: + // + // * If you don't set BypassPolicyLockoutSafetyCheck to true, the key policy + // must allow the principal that is making the PutKeyPolicy request to make + // a subsequent PutKeyPolicy request on the CMK. This reduces the risk that + // the CMK becomes unmanageable. For more information, refer to the scenario + // in the Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) + // section of the AWS Key Management Service Developer Guide. + // + // * Each statement in the key policy must contain one or more principals. + // The principals in the key policy must exist and be visible to AWS KMS. + // When you create a new AWS principal (for example, an IAM user or role), + // you might need to enforce a delay before including the new principal in + // a key policy because the new principal might not be immediately visible + // to AWS KMS. For more information, see Changes that I make are not always + // immediately visible (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency) + // in the AWS Identity and Access Management User Guide. + // + // The key policy cannot exceed 32 kilobytes (32768 bytes). For more information, + // see Resource Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/resource-limits.html) + // in the AWS Key Management Service Developer Guide. + // + // Policy is a required field + Policy *string `min:"1" type:"string" required:"true"` + + // The name of the key policy. The only valid value is default. + // + // PolicyName is a required field + PolicyName *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s PutKeyPolicyInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s PutKeyPolicyInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *PutKeyPolicyInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "PutKeyPolicyInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + if s.Policy == nil { + invalidParams.Add(request.NewErrParamRequired("Policy")) + } + if s.Policy != nil && len(*s.Policy) < 1 { + invalidParams.Add(request.NewErrParamMinLen("Policy", 1)) + } + if s.PolicyName == nil { + invalidParams.Add(request.NewErrParamRequired("PolicyName")) + } + if s.PolicyName != nil && len(*s.PolicyName) < 1 { + invalidParams.Add(request.NewErrParamMinLen("PolicyName", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetBypassPolicyLockoutSafetyCheck sets the BypassPolicyLockoutSafetyCheck field's value. +func (s *PutKeyPolicyInput) SetBypassPolicyLockoutSafetyCheck(v bool) *PutKeyPolicyInput { + s.BypassPolicyLockoutSafetyCheck = &v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *PutKeyPolicyInput) SetKeyId(v string) *PutKeyPolicyInput { + s.KeyId = &v + return s +} + +// SetPolicy sets the Policy field's value. +func (s *PutKeyPolicyInput) SetPolicy(v string) *PutKeyPolicyInput { + s.Policy = &v + return s +} + +// SetPolicyName sets the PolicyName field's value. +func (s *PutKeyPolicyInput) SetPolicyName(v string) *PutKeyPolicyInput { + s.PolicyName = &v + return s +} + +type PutKeyPolicyOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s PutKeyPolicyOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s PutKeyPolicyOutput) GoString() string { + return s.String() +} + +type ReEncryptInput struct { + _ struct{} `type:"structure"` + + // Ciphertext of the data to reencrypt. + // + // CiphertextBlob is automatically base64 encoded/decoded by the SDK. + // + // CiphertextBlob is a required field + CiphertextBlob []byte `min:"1" type:"blob" required:"true"` + + // Specifies the encryption algorithm that AWS KMS will use to reecrypt the + // data after it has decrypted it. The default value, SYMMETRIC_DEFAULT, represents + // the encryption algorithm used for symmetric CMKs. + // + // This parameter is required only when the destination CMK is an asymmetric + // CMK. + DestinationEncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"` + + // Specifies that encryption context to use when the reencrypting the data. + // + // A destination encryption context is valid only when the destination CMK is + // a symmetric CMK. The standard ciphertext format for asymmetric CMKs does + // not include fields for metadata. + // + // An encryption context is a collection of non-secret key-value pairs that + // represents additional authenticated data. When you use an encryption context + // to encrypt data, you must specify the same (an exact case-sensitive match) + // encryption context to decrypt the data. An encryption context is optional + // when encrypting with a symmetric CMK, but it is highly recommended. + // + // For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) + // in the AWS Key Management Service Developer Guide. + DestinationEncryptionContext map[string]*string `type:"map"` + + // A unique identifier for the CMK that is used to reencrypt the data. Specify + // a symmetric or asymmetric CMK with a KeyUsage value of ENCRYPT_DECRYPT. To + // find the KeyUsage value of a CMK, use the DescribeKey operation. + // + // To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, + // or alias ARN. When using an alias name, prefix it with "alias/". To specify + // a CMK in a different AWS account, you must use the key ARN or alias ARN. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Alias name: alias/ExampleAlias + // + // * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To + // get the alias name and alias ARN, use ListAliases. + // + // DestinationKeyId is a required field + DestinationKeyId *string `min:"1" type:"string" required:"true"` + + // A list of grant tokens. + // + // For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) + // in the AWS Key Management Service Developer Guide. + GrantTokens []*string `type:"list"` + + // Specifies the encryption algorithm that AWS KMS will use to decrypt the ciphertext + // before it is reencrypted. The default value, SYMMETRIC_DEFAULT, represents + // the algorithm used for symmetric CMKs. + // + // Specify the same algorithm that was used to encrypt the ciphertext. If you + // specify a different algorithm, the decrypt attempt fails. + // + // This parameter is required only when the ciphertext was encrypted under an + // asymmetric CMK. + SourceEncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"` + + // Specifies the encryption context to use to decrypt the ciphertext. Enter + // the same encryption context that was used to encrypt the ciphertext. + // + // An encryption context is a collection of non-secret key-value pairs that + // represents additional authenticated data. When you use an encryption context + // to encrypt data, you must specify the same (an exact case-sensitive match) + // encryption context to decrypt the data. An encryption context is optional + // when encrypting with a symmetric CMK, but it is highly recommended. + // + // For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) + // in the AWS Key Management Service Developer Guide. + SourceEncryptionContext map[string]*string `type:"map"` + + // Specifies the customer master key (CMK) that AWS KMS will use to decrypt + // the ciphertext before it is re-encrypted. Enter a key ID of the CMK that + // was used to encrypt the ciphertext. + // + // This parameter is required only when the ciphertext was encrypted under an + // asymmetric CMK. If you used a symmetric CMK, AWS KMS can get the CMK from + // metadata that it adds to the symmetric ciphertext blob. However, it is always + // recommended as a best practice. This practice ensures that you use the CMK + // that you intend. + // + // To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, + // or alias ARN. When using an alias name, prefix it with "alias/". To specify + // a CMK in a different AWS account, you must use the key ARN or alias ARN. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Alias name: alias/ExampleAlias + // + // * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To + // get the alias name and alias ARN, use ListAliases. + SourceKeyId *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s ReEncryptInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ReEncryptInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *ReEncryptInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "ReEncryptInput"} + if s.CiphertextBlob == nil { + invalidParams.Add(request.NewErrParamRequired("CiphertextBlob")) + } + if s.CiphertextBlob != nil && len(s.CiphertextBlob) < 1 { + invalidParams.Add(request.NewErrParamMinLen("CiphertextBlob", 1)) + } + if s.DestinationKeyId == nil { + invalidParams.Add(request.NewErrParamRequired("DestinationKeyId")) + } + if s.DestinationKeyId != nil && len(*s.DestinationKeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("DestinationKeyId", 1)) + } + if s.SourceKeyId != nil && len(*s.SourceKeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("SourceKeyId", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetCiphertextBlob sets the CiphertextBlob field's value. +func (s *ReEncryptInput) SetCiphertextBlob(v []byte) *ReEncryptInput { + s.CiphertextBlob = v + return s +} + +// SetDestinationEncryptionAlgorithm sets the DestinationEncryptionAlgorithm field's value. +func (s *ReEncryptInput) SetDestinationEncryptionAlgorithm(v string) *ReEncryptInput { + s.DestinationEncryptionAlgorithm = &v + return s +} + +// SetDestinationEncryptionContext sets the DestinationEncryptionContext field's value. +func (s *ReEncryptInput) SetDestinationEncryptionContext(v map[string]*string) *ReEncryptInput { + s.DestinationEncryptionContext = v + return s +} + +// SetDestinationKeyId sets the DestinationKeyId field's value. +func (s *ReEncryptInput) SetDestinationKeyId(v string) *ReEncryptInput { + s.DestinationKeyId = &v + return s +} + +// SetGrantTokens sets the GrantTokens field's value. +func (s *ReEncryptInput) SetGrantTokens(v []*string) *ReEncryptInput { + s.GrantTokens = v + return s +} + +// SetSourceEncryptionAlgorithm sets the SourceEncryptionAlgorithm field's value. +func (s *ReEncryptInput) SetSourceEncryptionAlgorithm(v string) *ReEncryptInput { + s.SourceEncryptionAlgorithm = &v + return s +} + +// SetSourceEncryptionContext sets the SourceEncryptionContext field's value. +func (s *ReEncryptInput) SetSourceEncryptionContext(v map[string]*string) *ReEncryptInput { + s.SourceEncryptionContext = v + return s +} + +// SetSourceKeyId sets the SourceKeyId field's value. +func (s *ReEncryptInput) SetSourceKeyId(v string) *ReEncryptInput { + s.SourceKeyId = &v + return s +} + +type ReEncryptOutput struct { + _ struct{} `type:"structure"` + + // The reencrypted data. When you use the HTTP API or the AWS CLI, the value + // is Base64-encoded. Otherwise, it is not Base64-encoded. + // + // CiphertextBlob is automatically base64 encoded/decoded by the SDK. + CiphertextBlob []byte `min:"1" type:"blob"` + + // The encryption algorithm that was used to reencrypt the data. + DestinationEncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"` + + // The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN)) + // of the CMK that was used to reencrypt the data. + KeyId *string `min:"1" type:"string"` + + // The encryption algorithm that was used to decrypt the ciphertext before it + // was reencrypted. + SourceEncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"` + + // Unique identifier of the CMK used to originally encrypt the data. + SourceKeyId *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s ReEncryptOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ReEncryptOutput) GoString() string { + return s.String() +} + +// SetCiphertextBlob sets the CiphertextBlob field's value. +func (s *ReEncryptOutput) SetCiphertextBlob(v []byte) *ReEncryptOutput { + s.CiphertextBlob = v + return s +} + +// SetDestinationEncryptionAlgorithm sets the DestinationEncryptionAlgorithm field's value. +func (s *ReEncryptOutput) SetDestinationEncryptionAlgorithm(v string) *ReEncryptOutput { + s.DestinationEncryptionAlgorithm = &v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *ReEncryptOutput) SetKeyId(v string) *ReEncryptOutput { + s.KeyId = &v + return s +} + +// SetSourceEncryptionAlgorithm sets the SourceEncryptionAlgorithm field's value. +func (s *ReEncryptOutput) SetSourceEncryptionAlgorithm(v string) *ReEncryptOutput { + s.SourceEncryptionAlgorithm = &v + return s +} + +// SetSourceKeyId sets the SourceKeyId field's value. +func (s *ReEncryptOutput) SetSourceKeyId(v string) *ReEncryptOutput { + s.SourceKeyId = &v + return s +} + +type RetireGrantInput struct { + _ struct{} `type:"structure"` + + // Unique identifier of the grant to retire. The grant ID is returned in the + // response to a CreateGrant operation. + // + // * Grant ID Example - 0123456789012345678901234567890123456789012345678901234567890123 + GrantId *string `min:"1" type:"string"` + + // Token that identifies the grant to be retired. + GrantToken *string `min:"1" type:"string"` + + // The Amazon Resource Name (ARN) of the CMK associated with the grant. + // + // For example: arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab + KeyId *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s RetireGrantInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s RetireGrantInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *RetireGrantInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "RetireGrantInput"} + if s.GrantId != nil && len(*s.GrantId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("GrantId", 1)) + } + if s.GrantToken != nil && len(*s.GrantToken) < 1 { + invalidParams.Add(request.NewErrParamMinLen("GrantToken", 1)) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetGrantId sets the GrantId field's value. +func (s *RetireGrantInput) SetGrantId(v string) *RetireGrantInput { + s.GrantId = &v + return s +} + +// SetGrantToken sets the GrantToken field's value. +func (s *RetireGrantInput) SetGrantToken(v string) *RetireGrantInput { + s.GrantToken = &v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *RetireGrantInput) SetKeyId(v string) *RetireGrantInput { + s.KeyId = &v + return s +} + +type RetireGrantOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s RetireGrantOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s RetireGrantOutput) GoString() string { + return s.String() +} + +type RevokeGrantInput struct { + _ struct{} `type:"structure"` + + // Identifier of the grant to be revoked. + // + // GrantId is a required field + GrantId *string `min:"1" type:"string" required:"true"` + + // A unique identifier for the customer master key associated with the grant. + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify + // a CMK in a different AWS account, you must use the key ARN. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s RevokeGrantInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s RevokeGrantInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *RevokeGrantInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "RevokeGrantInput"} + if s.GrantId == nil { + invalidParams.Add(request.NewErrParamRequired("GrantId")) + } + if s.GrantId != nil && len(*s.GrantId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("GrantId", 1)) + } + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetGrantId sets the GrantId field's value. +func (s *RevokeGrantInput) SetGrantId(v string) *RevokeGrantInput { + s.GrantId = &v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *RevokeGrantInput) SetKeyId(v string) *RevokeGrantInput { + s.KeyId = &v + return s +} + +type RevokeGrantOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s RevokeGrantOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s RevokeGrantOutput) GoString() string { + return s.String() +} + +type ScheduleKeyDeletionInput struct { + _ struct{} `type:"structure"` + + // The unique identifier of the customer master key (CMK) to delete. + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` + + // The waiting period, specified in number of days. After the waiting period + // ends, AWS KMS deletes the customer master key (CMK). + // + // This value is optional. If you include a value, it must be between 7 and + // 30, inclusive. If you do not include a value, it defaults to 30. + PendingWindowInDays *int64 `min:"1" type:"integer"` +} + +// String returns the string representation +func (s ScheduleKeyDeletionInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ScheduleKeyDeletionInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *ScheduleKeyDeletionInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "ScheduleKeyDeletionInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + if s.PendingWindowInDays != nil && *s.PendingWindowInDays < 1 { + invalidParams.Add(request.NewErrParamMinValue("PendingWindowInDays", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetKeyId sets the KeyId field's value. +func (s *ScheduleKeyDeletionInput) SetKeyId(v string) *ScheduleKeyDeletionInput { + s.KeyId = &v + return s +} + +// SetPendingWindowInDays sets the PendingWindowInDays field's value. +func (s *ScheduleKeyDeletionInput) SetPendingWindowInDays(v int64) *ScheduleKeyDeletionInput { + s.PendingWindowInDays = &v + return s +} + +type ScheduleKeyDeletionOutput struct { + _ struct{} `type:"structure"` + + // The date and time after which AWS KMS deletes the customer master key (CMK). + DeletionDate *time.Time `type:"timestamp"` + + // The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN)) + // of the CMK whose deletion is scheduled. + KeyId *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s ScheduleKeyDeletionOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ScheduleKeyDeletionOutput) GoString() string { + return s.String() +} + +// SetDeletionDate sets the DeletionDate field's value. +func (s *ScheduleKeyDeletionOutput) SetDeletionDate(v time.Time) *ScheduleKeyDeletionOutput { + s.DeletionDate = &v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *ScheduleKeyDeletionOutput) SetKeyId(v string) *ScheduleKeyDeletionOutput { + s.KeyId = &v + return s +} + +type SignInput struct { + _ struct{} `type:"structure"` + + // A list of grant tokens. + // + // For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) + // in the AWS Key Management Service Developer Guide. + GrantTokens []*string `type:"list"` + + // Identifies an asymmetric CMK. AWS KMS uses the private key in the asymmetric + // CMK to sign the message. The KeyUsage type of the CMK must be SIGN_VERIFY. + // To find the KeyUsage of a CMK, use the DescribeKey operation. + // + // To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, + // or alias ARN. When using an alias name, prefix it with "alias/". To specify + // a CMK in a different AWS account, you must use the key ARN or alias ARN. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Alias name: alias/ExampleAlias + // + // * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To + // get the alias name and alias ARN, use ListAliases. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` + + // Specifies the message or message digest to sign. Messages can be 0-4096 bytes. + // To sign a larger message, provide the message digest. + // + // If you provide a message, AWS KMS generates a hash digest of the message + // and then signs it. + // + // Message is automatically base64 encoded/decoded by the SDK. + // + // Message is a required field + Message []byte `min:"1" type:"blob" required:"true" sensitive:"true"` + + // Tells AWS KMS whether the value of the Message parameter is a message or + // message digest. The default value, RAW, indicates a message. To indicate + // a message digest, enter DIGEST. + MessageType *string `type:"string" enum:"MessageType"` + + // Specifies the signing algorithm to use when signing the message. + // + // Choose an algorithm that is compatible with the type and size of the specified + // asymmetric CMK. + // + // SigningAlgorithm is a required field + SigningAlgorithm *string `type:"string" required:"true" enum:"SigningAlgorithmSpec"` +} + +// String returns the string representation +func (s SignInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s SignInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *SignInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "SignInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + if s.Message == nil { + invalidParams.Add(request.NewErrParamRequired("Message")) + } + if s.Message != nil && len(s.Message) < 1 { + invalidParams.Add(request.NewErrParamMinLen("Message", 1)) + } + if s.SigningAlgorithm == nil { + invalidParams.Add(request.NewErrParamRequired("SigningAlgorithm")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetGrantTokens sets the GrantTokens field's value. +func (s *SignInput) SetGrantTokens(v []*string) *SignInput { + s.GrantTokens = v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *SignInput) SetKeyId(v string) *SignInput { + s.KeyId = &v + return s +} + +// SetMessage sets the Message field's value. +func (s *SignInput) SetMessage(v []byte) *SignInput { + s.Message = v + return s +} + +// SetMessageType sets the MessageType field's value. +func (s *SignInput) SetMessageType(v string) *SignInput { + s.MessageType = &v + return s +} + +// SetSigningAlgorithm sets the SigningAlgorithm field's value. +func (s *SignInput) SetSigningAlgorithm(v string) *SignInput { + s.SigningAlgorithm = &v + return s +} + +type SignOutput struct { + _ struct{} `type:"structure"` + + // The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN)) + // of the asymmetric CMK that was used to sign the message. + KeyId *string `min:"1" type:"string"` + + // The cryptographic signature that was generated for the message. + // + // * When used with the supported RSA signing algorithms, the encoding of + // this value is defined by PKCS #1 in RFC 8017 (https://tools.ietf.org/html/rfc8017). + // + // * When used with the ECDSA_SHA_256, ECDSA_SHA_384, or ECDSA_SHA_512 signing + // algorithms, this value is a DER-encoded object as defined by ANS X9.62–2005 + // and RFC 3279 Section 2.2.3 (https://tools.ietf.org/html/rfc3279#section-2.2.3). + // This is the most commonly used signature format and is appropriate for + // most uses. + // + // When you use the HTTP API or the AWS CLI, the value is Base64-encoded. Otherwise, + // it is not Base64-encoded. + // + // Signature is automatically base64 encoded/decoded by the SDK. + Signature []byte `min:"1" type:"blob"` + + // The signing algorithm that was used to sign the message. + SigningAlgorithm *string `type:"string" enum:"SigningAlgorithmSpec"` +} + +// String returns the string representation +func (s SignOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s SignOutput) GoString() string { + return s.String() +} + +// SetKeyId sets the KeyId field's value. +func (s *SignOutput) SetKeyId(v string) *SignOutput { + s.KeyId = &v + return s +} + +// SetSignature sets the Signature field's value. +func (s *SignOutput) SetSignature(v []byte) *SignOutput { + s.Signature = v + return s +} + +// SetSigningAlgorithm sets the SigningAlgorithm field's value. +func (s *SignOutput) SetSigningAlgorithm(v string) *SignOutput { + s.SigningAlgorithm = &v + return s +} + +// A key-value pair. A tag consists of a tag key and a tag value. Tag keys and +// tag values are both required, but tag values can be empty (null) strings. +// +// For information about the rules that apply to tag keys and tag values, see +// User-Defined Tag Restrictions (https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/allocation-tag-restrictions.html) +// in the AWS Billing and Cost Management User Guide. +type Tag struct { + _ struct{} `type:"structure"` + + // The key of the tag. + // + // TagKey is a required field + TagKey *string `min:"1" type:"string" required:"true"` + + // The value of the tag. + // + // TagValue is a required field + TagValue *string `type:"string" required:"true"` +} + +// String returns the string representation +func (s Tag) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s Tag) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *Tag) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "Tag"} + if s.TagKey == nil { + invalidParams.Add(request.NewErrParamRequired("TagKey")) + } + if s.TagKey != nil && len(*s.TagKey) < 1 { + invalidParams.Add(request.NewErrParamMinLen("TagKey", 1)) + } + if s.TagValue == nil { + invalidParams.Add(request.NewErrParamRequired("TagValue")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetTagKey sets the TagKey field's value. +func (s *Tag) SetTagKey(v string) *Tag { + s.TagKey = &v + return s +} + +// SetTagValue sets the TagValue field's value. +func (s *Tag) SetTagValue(v string) *Tag { + s.TagValue = &v + return s +} + +// The request was rejected because one or more tags are not valid. +type TagException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation +func (s TagException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s TagException) GoString() string { + return s.String() +} + +func newErrorTagException(v protocol.ResponseMetadata) error { + return &TagException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *TagException) Code() string { + return "TagException" +} + +// Message returns the exception's message. +func (s *TagException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *TagException) OrigErr() error { + return nil +} + +func (s *TagException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *TagException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *TagException) RequestID() string { + return s.RespMetadata.RequestID +} + +type TagResourceInput struct { + _ struct{} `type:"structure"` + + // Identifies a customer managed CMK in the account and Region. + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` + + // One or more tags. + // + // Each tag consists of a tag key and a tag value. The tag value can be an empty + // (null) string. + // + // You cannot have more than one tag on a CMK with the same tag key. If you + // specify an existing tag key with a different tag value, AWS KMS replaces + // the current tag value with the specified one. + // + // Tags is a required field + Tags []*Tag `type:"list" required:"true"` +} + +// String returns the string representation +func (s TagResourceInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s TagResourceInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *TagResourceInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "TagResourceInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + if s.Tags == nil { + invalidParams.Add(request.NewErrParamRequired("Tags")) + } + if s.Tags != nil { + for i, v := range s.Tags { + if v == nil { + continue + } + if err := v.Validate(); err != nil { + invalidParams.AddNested(fmt.Sprintf("%s[%v]", "Tags", i), err.(request.ErrInvalidParams)) + } + } + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetKeyId sets the KeyId field's value. +func (s *TagResourceInput) SetKeyId(v string) *TagResourceInput { + s.KeyId = &v + return s +} + +// SetTags sets the Tags field's value. +func (s *TagResourceInput) SetTags(v []*Tag) *TagResourceInput { + s.Tags = v + return s +} + +type TagResourceOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s TagResourceOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s TagResourceOutput) GoString() string { + return s.String() +} + +// The request was rejected because a specified parameter is not supported or +// a specified resource is not valid for this operation. +type UnsupportedOperationException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation +func (s UnsupportedOperationException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s UnsupportedOperationException) GoString() string { + return s.String() +} + +func newErrorUnsupportedOperationException(v protocol.ResponseMetadata) error { + return &UnsupportedOperationException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *UnsupportedOperationException) Code() string { + return "UnsupportedOperationException" +} + +// Message returns the exception's message. +func (s *UnsupportedOperationException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *UnsupportedOperationException) OrigErr() error { + return nil +} + +func (s *UnsupportedOperationException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *UnsupportedOperationException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *UnsupportedOperationException) RequestID() string { + return s.RespMetadata.RequestID +} + +type UntagResourceInput struct { + _ struct{} `type:"structure"` + + // Identifies the CMK from which you are removing tags. + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` + + // One or more tag keys. Specify only the tag keys, not the tag values. + // + // TagKeys is a required field + TagKeys []*string `type:"list" required:"true"` +} + +// String returns the string representation +func (s UntagResourceInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s UntagResourceInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *UntagResourceInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "UntagResourceInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + if s.TagKeys == nil { + invalidParams.Add(request.NewErrParamRequired("TagKeys")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetKeyId sets the KeyId field's value. +func (s *UntagResourceInput) SetKeyId(v string) *UntagResourceInput { + s.KeyId = &v + return s +} + +// SetTagKeys sets the TagKeys field's value. +func (s *UntagResourceInput) SetTagKeys(v []*string) *UntagResourceInput { + s.TagKeys = v + return s +} + +type UntagResourceOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s UntagResourceOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s UntagResourceOutput) GoString() string { + return s.String() +} + +type UpdateAliasInput struct { + _ struct{} `type:"structure"` + + // Identifies the alias that is changing its CMK. This value must begin with + // alias/ followed by the alias name, such as alias/ExampleAlias. You cannot + // use UpdateAlias to change the alias name. + // + // AliasName is a required field + AliasName *string `min:"1" type:"string" required:"true"` + + // Identifies the customer managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) + // to associate with the alias. You don't have permission to associate an alias + // with an AWS managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk). + // + // The CMK must be in the same AWS account and Region as the alias. Also, the + // new target CMK must be the same type as the current target CMK (both symmetric + // or both asymmetric) and they must have the same key usage. + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // To verify that the alias is mapped to the correct CMK, use ListAliases. + // + // TargetKeyId is a required field + TargetKeyId *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s UpdateAliasInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s UpdateAliasInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *UpdateAliasInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "UpdateAliasInput"} + if s.AliasName == nil { + invalidParams.Add(request.NewErrParamRequired("AliasName")) + } + if s.AliasName != nil && len(*s.AliasName) < 1 { + invalidParams.Add(request.NewErrParamMinLen("AliasName", 1)) + } + if s.TargetKeyId == nil { + invalidParams.Add(request.NewErrParamRequired("TargetKeyId")) + } + if s.TargetKeyId != nil && len(*s.TargetKeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("TargetKeyId", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetAliasName sets the AliasName field's value. +func (s *UpdateAliasInput) SetAliasName(v string) *UpdateAliasInput { + s.AliasName = &v + return s +} + +// SetTargetKeyId sets the TargetKeyId field's value. +func (s *UpdateAliasInput) SetTargetKeyId(v string) *UpdateAliasInput { + s.TargetKeyId = &v + return s +} + +type UpdateAliasOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s UpdateAliasOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s UpdateAliasOutput) GoString() string { + return s.String() +} + +type UpdateCustomKeyStoreInput struct { + _ struct{} `type:"structure"` + + // Associates the custom key store with a related AWS CloudHSM cluster. + // + // Enter the cluster ID of the cluster that you used to create the custom key + // store or a cluster that shares a backup history and has the same cluster + // certificate as the original cluster. You cannot use this parameter to associate + // a custom key store with an unrelated cluster. In addition, the replacement + // cluster must fulfill the requirements (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore) + // for a cluster associated with a custom key store. To view the cluster certificate + // of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html) + // operation. + CloudHsmClusterId *string `min:"19" type:"string"` + + // Identifies the custom key store that you want to update. Enter the ID of + // the custom key store. To find the ID of a custom key store, use the DescribeCustomKeyStores + // operation. + // + // CustomKeyStoreId is a required field + CustomKeyStoreId *string `min:"1" type:"string" required:"true"` + + // Enter the current password of the kmsuser crypto user (CU) in the AWS CloudHSM + // cluster that is associated with the custom key store. + // + // This parameter tells AWS KMS the current password of the kmsuser crypto user + // (CU). It does not set or change the password of any users in the AWS CloudHSM + // cluster. + KeyStorePassword *string `min:"7" type:"string" sensitive:"true"` + + // Changes the friendly name of the custom key store to the value that you specify. + // The custom key store name must be unique in the AWS account. + NewCustomKeyStoreName *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s UpdateCustomKeyStoreInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s UpdateCustomKeyStoreInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *UpdateCustomKeyStoreInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "UpdateCustomKeyStoreInput"} + if s.CloudHsmClusterId != nil && len(*s.CloudHsmClusterId) < 19 { + invalidParams.Add(request.NewErrParamMinLen("CloudHsmClusterId", 19)) + } + if s.CustomKeyStoreId == nil { + invalidParams.Add(request.NewErrParamRequired("CustomKeyStoreId")) + } + if s.CustomKeyStoreId != nil && len(*s.CustomKeyStoreId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1)) + } + if s.KeyStorePassword != nil && len(*s.KeyStorePassword) < 7 { + invalidParams.Add(request.NewErrParamMinLen("KeyStorePassword", 7)) + } + if s.NewCustomKeyStoreName != nil && len(*s.NewCustomKeyStoreName) < 1 { + invalidParams.Add(request.NewErrParamMinLen("NewCustomKeyStoreName", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetCloudHsmClusterId sets the CloudHsmClusterId field's value. +func (s *UpdateCustomKeyStoreInput) SetCloudHsmClusterId(v string) *UpdateCustomKeyStoreInput { + s.CloudHsmClusterId = &v + return s +} + +// SetCustomKeyStoreId sets the CustomKeyStoreId field's value. +func (s *UpdateCustomKeyStoreInput) SetCustomKeyStoreId(v string) *UpdateCustomKeyStoreInput { + s.CustomKeyStoreId = &v + return s +} + +// SetKeyStorePassword sets the KeyStorePassword field's value. +func (s *UpdateCustomKeyStoreInput) SetKeyStorePassword(v string) *UpdateCustomKeyStoreInput { + s.KeyStorePassword = &v + return s +} + +// SetNewCustomKeyStoreName sets the NewCustomKeyStoreName field's value. +func (s *UpdateCustomKeyStoreInput) SetNewCustomKeyStoreName(v string) *UpdateCustomKeyStoreInput { + s.NewCustomKeyStoreName = &v + return s +} + +type UpdateCustomKeyStoreOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s UpdateCustomKeyStoreOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s UpdateCustomKeyStoreOutput) GoString() string { + return s.String() +} + +type UpdateKeyDescriptionInput struct { + _ struct{} `type:"structure"` + + // New description for the CMK. + // + // Description is a required field + Description *string `type:"string" required:"true"` + + // A unique identifier for the customer master key (CMK). + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s UpdateKeyDescriptionInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s UpdateKeyDescriptionInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *UpdateKeyDescriptionInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "UpdateKeyDescriptionInput"} + if s.Description == nil { + invalidParams.Add(request.NewErrParamRequired("Description")) + } + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetDescription sets the Description field's value. +func (s *UpdateKeyDescriptionInput) SetDescription(v string) *UpdateKeyDescriptionInput { + s.Description = &v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *UpdateKeyDescriptionInput) SetKeyId(v string) *UpdateKeyDescriptionInput { + s.KeyId = &v + return s +} + +type UpdateKeyDescriptionOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s UpdateKeyDescriptionOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s UpdateKeyDescriptionOutput) GoString() string { + return s.String() +} + +type VerifyInput struct { + _ struct{} `type:"structure"` + + // A list of grant tokens. + // + // For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) + // in the AWS Key Management Service Developer Guide. + GrantTokens []*string `type:"list"` + + // Identifies the asymmetric CMK that will be used to verify the signature. + // This must be the same CMK that was used to generate the signature. If you + // specify a different CMK, the signature verification fails. + // + // To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, + // or alias ARN. When using an alias name, prefix it with "alias/". To specify + // a CMK in a different AWS account, you must use the key ARN or alias ARN. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Alias name: alias/ExampleAlias + // + // * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To + // get the alias name and alias ARN, use ListAliases. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` + + // Specifies the message that was signed. You can submit a raw message of up + // to 4096 bytes, or a hash digest of the message. If you submit a digest, use + // the MessageType parameter with a value of DIGEST. + // + // If the message specified here is different from the message that was signed, + // the signature verification fails. A message and its hash digest are considered + // to be the same message. + // + // Message is automatically base64 encoded/decoded by the SDK. + // + // Message is a required field + Message []byte `min:"1" type:"blob" required:"true" sensitive:"true"` + + // Tells AWS KMS whether the value of the Message parameter is a message or + // message digest. The default value, RAW, indicates a message. To indicate + // a message digest, enter DIGEST. + // + // Use the DIGEST value only when the value of the Message parameter is a message + // digest. If you use the DIGEST value with a raw message, the security of the + // verification operation can be compromised. + MessageType *string `type:"string" enum:"MessageType"` + + // The signature that the Sign operation generated. + // + // Signature is automatically base64 encoded/decoded by the SDK. + // + // Signature is a required field + Signature []byte `min:"1" type:"blob" required:"true"` + + // The signing algorithm that was used to sign the message. If you submit a + // different algorithm, the signature verification fails. + // + // SigningAlgorithm is a required field + SigningAlgorithm *string `type:"string" required:"true" enum:"SigningAlgorithmSpec"` +} + +// String returns the string representation +func (s VerifyInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s VerifyInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *VerifyInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "VerifyInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + if s.Message == nil { + invalidParams.Add(request.NewErrParamRequired("Message")) + } + if s.Message != nil && len(s.Message) < 1 { + invalidParams.Add(request.NewErrParamMinLen("Message", 1)) + } + if s.Signature == nil { + invalidParams.Add(request.NewErrParamRequired("Signature")) + } + if s.Signature != nil && len(s.Signature) < 1 { + invalidParams.Add(request.NewErrParamMinLen("Signature", 1)) + } + if s.SigningAlgorithm == nil { + invalidParams.Add(request.NewErrParamRequired("SigningAlgorithm")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetGrantTokens sets the GrantTokens field's value. +func (s *VerifyInput) SetGrantTokens(v []*string) *VerifyInput { + s.GrantTokens = v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *VerifyInput) SetKeyId(v string) *VerifyInput { + s.KeyId = &v + return s +} + +// SetMessage sets the Message field's value. +func (s *VerifyInput) SetMessage(v []byte) *VerifyInput { + s.Message = v + return s +} + +// SetMessageType sets the MessageType field's value. +func (s *VerifyInput) SetMessageType(v string) *VerifyInput { + s.MessageType = &v + return s +} + +// SetSignature sets the Signature field's value. +func (s *VerifyInput) SetSignature(v []byte) *VerifyInput { + s.Signature = v + return s +} + +// SetSigningAlgorithm sets the SigningAlgorithm field's value. +func (s *VerifyInput) SetSigningAlgorithm(v string) *VerifyInput { + s.SigningAlgorithm = &v + return s +} + +type VerifyOutput struct { + _ struct{} `type:"structure"` + + // The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN)) + // of the asymmetric CMK that was used to verify the signature. + KeyId *string `min:"1" type:"string"` + + // A Boolean value that indicates whether the signature was verified. A value + // of True indicates that the Signature was produced by signing the Message + // with the specified KeyID and SigningAlgorithm. If the signature is not verified, + // the Verify operation fails with a KMSInvalidSignatureException exception. + SignatureValid *bool `type:"boolean"` + + // The signing algorithm that was used to verify the signature. + SigningAlgorithm *string `type:"string" enum:"SigningAlgorithmSpec"` +} + +// String returns the string representation +func (s VerifyOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s VerifyOutput) GoString() string { + return s.String() +} + +// SetKeyId sets the KeyId field's value. +func (s *VerifyOutput) SetKeyId(v string) *VerifyOutput { + s.KeyId = &v + return s +} + +// SetSignatureValid sets the SignatureValid field's value. +func (s *VerifyOutput) SetSignatureValid(v bool) *VerifyOutput { + s.SignatureValid = &v + return s +} + +// SetSigningAlgorithm sets the SigningAlgorithm field's value. +func (s *VerifyOutput) SetSigningAlgorithm(v string) *VerifyOutput { + s.SigningAlgorithm = &v + return s +} + +const ( + // AlgorithmSpecRsaesPkcs1V15 is a AlgorithmSpec enum value + AlgorithmSpecRsaesPkcs1V15 = "RSAES_PKCS1_V1_5" + + // AlgorithmSpecRsaesOaepSha1 is a AlgorithmSpec enum value + AlgorithmSpecRsaesOaepSha1 = "RSAES_OAEP_SHA_1" + + // AlgorithmSpecRsaesOaepSha256 is a AlgorithmSpec enum value + AlgorithmSpecRsaesOaepSha256 = "RSAES_OAEP_SHA_256" +) + +// AlgorithmSpec_Values returns all elements of the AlgorithmSpec enum +func AlgorithmSpec_Values() []string { + return []string{ + AlgorithmSpecRsaesPkcs1V15, + AlgorithmSpecRsaesOaepSha1, + AlgorithmSpecRsaesOaepSha256, + } +} + +const ( + // ConnectionErrorCodeTypeInvalidCredentials is a ConnectionErrorCodeType enum value + ConnectionErrorCodeTypeInvalidCredentials = "INVALID_CREDENTIALS" + + // ConnectionErrorCodeTypeClusterNotFound is a ConnectionErrorCodeType enum value + ConnectionErrorCodeTypeClusterNotFound = "CLUSTER_NOT_FOUND" + + // ConnectionErrorCodeTypeNetworkErrors is a ConnectionErrorCodeType enum value + ConnectionErrorCodeTypeNetworkErrors = "NETWORK_ERRORS" + + // ConnectionErrorCodeTypeInternalError is a ConnectionErrorCodeType enum value + ConnectionErrorCodeTypeInternalError = "INTERNAL_ERROR" + + // ConnectionErrorCodeTypeInsufficientCloudhsmHsms is a ConnectionErrorCodeType enum value + ConnectionErrorCodeTypeInsufficientCloudhsmHsms = "INSUFFICIENT_CLOUDHSM_HSMS" + + // ConnectionErrorCodeTypeUserLockedOut is a ConnectionErrorCodeType enum value + ConnectionErrorCodeTypeUserLockedOut = "USER_LOCKED_OUT" + + // ConnectionErrorCodeTypeUserNotFound is a ConnectionErrorCodeType enum value + ConnectionErrorCodeTypeUserNotFound = "USER_NOT_FOUND" + + // ConnectionErrorCodeTypeUserLoggedIn is a ConnectionErrorCodeType enum value + ConnectionErrorCodeTypeUserLoggedIn = "USER_LOGGED_IN" + + // ConnectionErrorCodeTypeSubnetNotFound is a ConnectionErrorCodeType enum value + ConnectionErrorCodeTypeSubnetNotFound = "SUBNET_NOT_FOUND" +) + +// ConnectionErrorCodeType_Values returns all elements of the ConnectionErrorCodeType enum +func ConnectionErrorCodeType_Values() []string { + return []string{ + ConnectionErrorCodeTypeInvalidCredentials, + ConnectionErrorCodeTypeClusterNotFound, + ConnectionErrorCodeTypeNetworkErrors, + ConnectionErrorCodeTypeInternalError, + ConnectionErrorCodeTypeInsufficientCloudhsmHsms, + ConnectionErrorCodeTypeUserLockedOut, + ConnectionErrorCodeTypeUserNotFound, + ConnectionErrorCodeTypeUserLoggedIn, + ConnectionErrorCodeTypeSubnetNotFound, + } +} + +const ( + // ConnectionStateTypeConnected is a ConnectionStateType enum value + ConnectionStateTypeConnected = "CONNECTED" + + // ConnectionStateTypeConnecting is a ConnectionStateType enum value + ConnectionStateTypeConnecting = "CONNECTING" + + // ConnectionStateTypeFailed is a ConnectionStateType enum value + ConnectionStateTypeFailed = "FAILED" + + // ConnectionStateTypeDisconnected is a ConnectionStateType enum value + ConnectionStateTypeDisconnected = "DISCONNECTED" + + // ConnectionStateTypeDisconnecting is a ConnectionStateType enum value + ConnectionStateTypeDisconnecting = "DISCONNECTING" +) + +// ConnectionStateType_Values returns all elements of the ConnectionStateType enum +func ConnectionStateType_Values() []string { + return []string{ + ConnectionStateTypeConnected, + ConnectionStateTypeConnecting, + ConnectionStateTypeFailed, + ConnectionStateTypeDisconnected, + ConnectionStateTypeDisconnecting, + } +} + +const ( + // CustomerMasterKeySpecRsa2048 is a CustomerMasterKeySpec enum value + CustomerMasterKeySpecRsa2048 = "RSA_2048" + + // CustomerMasterKeySpecRsa3072 is a CustomerMasterKeySpec enum value + CustomerMasterKeySpecRsa3072 = "RSA_3072" + + // CustomerMasterKeySpecRsa4096 is a CustomerMasterKeySpec enum value + CustomerMasterKeySpecRsa4096 = "RSA_4096" + + // CustomerMasterKeySpecEccNistP256 is a CustomerMasterKeySpec enum value + CustomerMasterKeySpecEccNistP256 = "ECC_NIST_P256" + + // CustomerMasterKeySpecEccNistP384 is a CustomerMasterKeySpec enum value + CustomerMasterKeySpecEccNistP384 = "ECC_NIST_P384" + + // CustomerMasterKeySpecEccNistP521 is a CustomerMasterKeySpec enum value + CustomerMasterKeySpecEccNistP521 = "ECC_NIST_P521" + + // CustomerMasterKeySpecEccSecgP256k1 is a CustomerMasterKeySpec enum value + CustomerMasterKeySpecEccSecgP256k1 = "ECC_SECG_P256K1" + + // CustomerMasterKeySpecSymmetricDefault is a CustomerMasterKeySpec enum value + CustomerMasterKeySpecSymmetricDefault = "SYMMETRIC_DEFAULT" +) + +// CustomerMasterKeySpec_Values returns all elements of the CustomerMasterKeySpec enum +func CustomerMasterKeySpec_Values() []string { + return []string{ + CustomerMasterKeySpecRsa2048, + CustomerMasterKeySpecRsa3072, + CustomerMasterKeySpecRsa4096, + CustomerMasterKeySpecEccNistP256, + CustomerMasterKeySpecEccNistP384, + CustomerMasterKeySpecEccNistP521, + CustomerMasterKeySpecEccSecgP256k1, + CustomerMasterKeySpecSymmetricDefault, + } +} + +const ( + // DataKeyPairSpecRsa2048 is a DataKeyPairSpec enum value + DataKeyPairSpecRsa2048 = "RSA_2048" + + // DataKeyPairSpecRsa3072 is a DataKeyPairSpec enum value + DataKeyPairSpecRsa3072 = "RSA_3072" + + // DataKeyPairSpecRsa4096 is a DataKeyPairSpec enum value + DataKeyPairSpecRsa4096 = "RSA_4096" + + // DataKeyPairSpecEccNistP256 is a DataKeyPairSpec enum value + DataKeyPairSpecEccNistP256 = "ECC_NIST_P256" + + // DataKeyPairSpecEccNistP384 is a DataKeyPairSpec enum value + DataKeyPairSpecEccNistP384 = "ECC_NIST_P384" + + // DataKeyPairSpecEccNistP521 is a DataKeyPairSpec enum value + DataKeyPairSpecEccNistP521 = "ECC_NIST_P521" + + // DataKeyPairSpecEccSecgP256k1 is a DataKeyPairSpec enum value + DataKeyPairSpecEccSecgP256k1 = "ECC_SECG_P256K1" +) + +// DataKeyPairSpec_Values returns all elements of the DataKeyPairSpec enum +func DataKeyPairSpec_Values() []string { + return []string{ + DataKeyPairSpecRsa2048, + DataKeyPairSpecRsa3072, + DataKeyPairSpecRsa4096, + DataKeyPairSpecEccNistP256, + DataKeyPairSpecEccNistP384, + DataKeyPairSpecEccNistP521, + DataKeyPairSpecEccSecgP256k1, + } +} + +const ( + // DataKeySpecAes256 is a DataKeySpec enum value + DataKeySpecAes256 = "AES_256" + + // DataKeySpecAes128 is a DataKeySpec enum value + DataKeySpecAes128 = "AES_128" +) + +// DataKeySpec_Values returns all elements of the DataKeySpec enum +func DataKeySpec_Values() []string { + return []string{ + DataKeySpecAes256, + DataKeySpecAes128, + } +} + +const ( + // EncryptionAlgorithmSpecSymmetricDefault is a EncryptionAlgorithmSpec enum value + EncryptionAlgorithmSpecSymmetricDefault = "SYMMETRIC_DEFAULT" + + // EncryptionAlgorithmSpecRsaesOaepSha1 is a EncryptionAlgorithmSpec enum value + EncryptionAlgorithmSpecRsaesOaepSha1 = "RSAES_OAEP_SHA_1" + + // EncryptionAlgorithmSpecRsaesOaepSha256 is a EncryptionAlgorithmSpec enum value + EncryptionAlgorithmSpecRsaesOaepSha256 = "RSAES_OAEP_SHA_256" +) + +// EncryptionAlgorithmSpec_Values returns all elements of the EncryptionAlgorithmSpec enum +func EncryptionAlgorithmSpec_Values() []string { + return []string{ + EncryptionAlgorithmSpecSymmetricDefault, + EncryptionAlgorithmSpecRsaesOaepSha1, + EncryptionAlgorithmSpecRsaesOaepSha256, + } +} + +const ( + // ExpirationModelTypeKeyMaterialExpires is a ExpirationModelType enum value + ExpirationModelTypeKeyMaterialExpires = "KEY_MATERIAL_EXPIRES" + + // ExpirationModelTypeKeyMaterialDoesNotExpire is a ExpirationModelType enum value + ExpirationModelTypeKeyMaterialDoesNotExpire = "KEY_MATERIAL_DOES_NOT_EXPIRE" +) + +// ExpirationModelType_Values returns all elements of the ExpirationModelType enum +func ExpirationModelType_Values() []string { + return []string{ + ExpirationModelTypeKeyMaterialExpires, + ExpirationModelTypeKeyMaterialDoesNotExpire, + } +} + +const ( + // GrantOperationDecrypt is a GrantOperation enum value + GrantOperationDecrypt = "Decrypt" + + // GrantOperationEncrypt is a GrantOperation enum value + GrantOperationEncrypt = "Encrypt" + + // GrantOperationGenerateDataKey is a GrantOperation enum value + GrantOperationGenerateDataKey = "GenerateDataKey" + + // GrantOperationGenerateDataKeyWithoutPlaintext is a GrantOperation enum value + GrantOperationGenerateDataKeyWithoutPlaintext = "GenerateDataKeyWithoutPlaintext" + + // GrantOperationReEncryptFrom is a GrantOperation enum value + GrantOperationReEncryptFrom = "ReEncryptFrom" + + // GrantOperationReEncryptTo is a GrantOperation enum value + GrantOperationReEncryptTo = "ReEncryptTo" + + // GrantOperationSign is a GrantOperation enum value + GrantOperationSign = "Sign" + + // GrantOperationVerify is a GrantOperation enum value + GrantOperationVerify = "Verify" + + // GrantOperationGetPublicKey is a GrantOperation enum value + GrantOperationGetPublicKey = "GetPublicKey" + + // GrantOperationCreateGrant is a GrantOperation enum value + GrantOperationCreateGrant = "CreateGrant" + + // GrantOperationRetireGrant is a GrantOperation enum value + GrantOperationRetireGrant = "RetireGrant" + + // GrantOperationDescribeKey is a GrantOperation enum value + GrantOperationDescribeKey = "DescribeKey" + + // GrantOperationGenerateDataKeyPair is a GrantOperation enum value + GrantOperationGenerateDataKeyPair = "GenerateDataKeyPair" + + // GrantOperationGenerateDataKeyPairWithoutPlaintext is a GrantOperation enum value + GrantOperationGenerateDataKeyPairWithoutPlaintext = "GenerateDataKeyPairWithoutPlaintext" +) + +// GrantOperation_Values returns all elements of the GrantOperation enum +func GrantOperation_Values() []string { + return []string{ + GrantOperationDecrypt, + GrantOperationEncrypt, + GrantOperationGenerateDataKey, + GrantOperationGenerateDataKeyWithoutPlaintext, + GrantOperationReEncryptFrom, + GrantOperationReEncryptTo, + GrantOperationSign, + GrantOperationVerify, + GrantOperationGetPublicKey, + GrantOperationCreateGrant, + GrantOperationRetireGrant, + GrantOperationDescribeKey, + GrantOperationGenerateDataKeyPair, + GrantOperationGenerateDataKeyPairWithoutPlaintext, + } +} + +const ( + // KeyManagerTypeAws is a KeyManagerType enum value + KeyManagerTypeAws = "AWS" + + // KeyManagerTypeCustomer is a KeyManagerType enum value + KeyManagerTypeCustomer = "CUSTOMER" +) + +// KeyManagerType_Values returns all elements of the KeyManagerType enum +func KeyManagerType_Values() []string { + return []string{ + KeyManagerTypeAws, + KeyManagerTypeCustomer, + } +} + +const ( + // KeyStateEnabled is a KeyState enum value + KeyStateEnabled = "Enabled" + + // KeyStateDisabled is a KeyState enum value + KeyStateDisabled = "Disabled" + + // KeyStatePendingDeletion is a KeyState enum value + KeyStatePendingDeletion = "PendingDeletion" + + // KeyStatePendingImport is a KeyState enum value + KeyStatePendingImport = "PendingImport" + + // KeyStateUnavailable is a KeyState enum value + KeyStateUnavailable = "Unavailable" +) + +// KeyState_Values returns all elements of the KeyState enum +func KeyState_Values() []string { + return []string{ + KeyStateEnabled, + KeyStateDisabled, + KeyStatePendingDeletion, + KeyStatePendingImport, + KeyStateUnavailable, + } +} + +const ( + // KeyUsageTypeSignVerify is a KeyUsageType enum value + KeyUsageTypeSignVerify = "SIGN_VERIFY" + + // KeyUsageTypeEncryptDecrypt is a KeyUsageType enum value + KeyUsageTypeEncryptDecrypt = "ENCRYPT_DECRYPT" +) + +// KeyUsageType_Values returns all elements of the KeyUsageType enum +func KeyUsageType_Values() []string { + return []string{ + KeyUsageTypeSignVerify, + KeyUsageTypeEncryptDecrypt, + } +} + +const ( + // MessageTypeRaw is a MessageType enum value + MessageTypeRaw = "RAW" + + // MessageTypeDigest is a MessageType enum value + MessageTypeDigest = "DIGEST" +) + +// MessageType_Values returns all elements of the MessageType enum +func MessageType_Values() []string { + return []string{ + MessageTypeRaw, + MessageTypeDigest, + } +} + +const ( + // OriginTypeAwsKms is a OriginType enum value + OriginTypeAwsKms = "AWS_KMS" + + // OriginTypeExternal is a OriginType enum value + OriginTypeExternal = "EXTERNAL" + + // OriginTypeAwsCloudhsm is a OriginType enum value + OriginTypeAwsCloudhsm = "AWS_CLOUDHSM" +) + +// OriginType_Values returns all elements of the OriginType enum +func OriginType_Values() []string { + return []string{ + OriginTypeAwsKms, + OriginTypeExternal, + OriginTypeAwsCloudhsm, + } +} + +const ( + // SigningAlgorithmSpecRsassaPssSha256 is a SigningAlgorithmSpec enum value + SigningAlgorithmSpecRsassaPssSha256 = "RSASSA_PSS_SHA_256" + + // SigningAlgorithmSpecRsassaPssSha384 is a SigningAlgorithmSpec enum value + SigningAlgorithmSpecRsassaPssSha384 = "RSASSA_PSS_SHA_384" + + // SigningAlgorithmSpecRsassaPssSha512 is a SigningAlgorithmSpec enum value + SigningAlgorithmSpecRsassaPssSha512 = "RSASSA_PSS_SHA_512" + + // SigningAlgorithmSpecRsassaPkcs1V15Sha256 is a SigningAlgorithmSpec enum value + SigningAlgorithmSpecRsassaPkcs1V15Sha256 = "RSASSA_PKCS1_V1_5_SHA_256" + + // SigningAlgorithmSpecRsassaPkcs1V15Sha384 is a SigningAlgorithmSpec enum value + SigningAlgorithmSpecRsassaPkcs1V15Sha384 = "RSASSA_PKCS1_V1_5_SHA_384" + + // SigningAlgorithmSpecRsassaPkcs1V15Sha512 is a SigningAlgorithmSpec enum value + SigningAlgorithmSpecRsassaPkcs1V15Sha512 = "RSASSA_PKCS1_V1_5_SHA_512" + + // SigningAlgorithmSpecEcdsaSha256 is a SigningAlgorithmSpec enum value + SigningAlgorithmSpecEcdsaSha256 = "ECDSA_SHA_256" + + // SigningAlgorithmSpecEcdsaSha384 is a SigningAlgorithmSpec enum value + SigningAlgorithmSpecEcdsaSha384 = "ECDSA_SHA_384" + + // SigningAlgorithmSpecEcdsaSha512 is a SigningAlgorithmSpec enum value + SigningAlgorithmSpecEcdsaSha512 = "ECDSA_SHA_512" +) + +// SigningAlgorithmSpec_Values returns all elements of the SigningAlgorithmSpec enum +func SigningAlgorithmSpec_Values() []string { + return []string{ + SigningAlgorithmSpecRsassaPssSha256, + SigningAlgorithmSpecRsassaPssSha384, + SigningAlgorithmSpecRsassaPssSha512, + SigningAlgorithmSpecRsassaPkcs1V15Sha256, + SigningAlgorithmSpecRsassaPkcs1V15Sha384, + SigningAlgorithmSpecRsassaPkcs1V15Sha512, + SigningAlgorithmSpecEcdsaSha256, + SigningAlgorithmSpecEcdsaSha384, + SigningAlgorithmSpecEcdsaSha512, + } +} + +const ( + // WrappingKeySpecRsa2048 is a WrappingKeySpec enum value + WrappingKeySpecRsa2048 = "RSA_2048" +) + +// WrappingKeySpec_Values returns all elements of the WrappingKeySpec enum +func WrappingKeySpec_Values() []string { + return []string{ + WrappingKeySpecRsa2048, + } +} diff --git a/vendor/github.com/aws/aws-sdk-go/service/kms/doc.go b/vendor/github.com/aws/aws-sdk-go/service/kms/doc.go new file mode 100644 index 000000000..c4c212502 --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/service/kms/doc.go @@ -0,0 +1,98 @@ +// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT. + +// Package kms provides the client and types for making API +// requests to AWS Key Management Service. +// +// AWS Key Management Service (AWS KMS) is an encryption and key management +// web service. This guide describes the AWS KMS operations that you can call +// programmatically. For general information about AWS KMS, see the AWS Key +// Management Service Developer Guide (https://docs.aws.amazon.com/kms/latest/developerguide/). +// +// AWS provides SDKs that consist of libraries and sample code for various programming +// languages and platforms (Java, Ruby, .Net, macOS, Android, etc.). The SDKs +// provide a convenient way to create programmatic access to AWS KMS and other +// AWS services. For example, the SDKs take care of tasks such as signing requests +// (see below), managing errors, and retrying requests automatically. For more +// information about the AWS SDKs, including how to download and install them, +// see Tools for Amazon Web Services (http://aws.amazon.com/tools/). +// +// We recommend that you use the AWS SDKs to make programmatic API calls to +// AWS KMS. +// +// Clients must support TLS (Transport Layer Security) 1.0. We recommend TLS +// 1.2. Clients must also support cipher suites with Perfect Forward Secrecy +// (PFS) such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve Ephemeral +// Diffie-Hellman (ECDHE). Most modern systems such as Java 7 and later support +// these modes. +// +// Signing Requests +// +// Requests must be signed by using an access key ID and a secret access key. +// We strongly recommend that you do not use your AWS account (root) access +// key ID and secret key for everyday work with AWS KMS. Instead, use the access +// key ID and secret access key for an IAM user. You can also use the AWS Security +// Token Service to generate temporary security credentials that you can use +// to sign requests. +// +// All AWS KMS operations require Signature Version 4 (https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html). +// +// Logging API Requests +// +// AWS KMS supports AWS CloudTrail, a service that logs AWS API calls and related +// events for your AWS account and delivers them to an Amazon S3 bucket that +// you specify. By using the information collected by CloudTrail, you can determine +// what requests were made to AWS KMS, who made the request, when it was made, +// and so on. To learn more about CloudTrail, including how to turn it on and +// find your log files, see the AWS CloudTrail User Guide (https://docs.aws.amazon.com/awscloudtrail/latest/userguide/). +// +// Additional Resources +// +// For more information about credentials and request signing, see the following: +// +// * AWS Security Credentials (https://docs.aws.amazon.com/general/latest/gr/aws-security-credentials.html) +// - This topic provides general information about the types of credentials +// used for accessing AWS. +// +// * Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) +// - This section of the IAM User Guide describes how to create and use temporary +// security credentials. +// +// * Signature Version 4 Signing Process (https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html) +// - This set of topics walks you through the process of signing a request +// using an access key ID and a secret access key. +// +// Commonly Used API Operations +// +// Of the API operations discussed in this guide, the following will prove the +// most useful for most applications. You will likely perform operations other +// than these, such as creating keys and assigning policies, by using the console. +// +// * Encrypt +// +// * Decrypt +// +// * GenerateDataKey +// +// * GenerateDataKeyWithoutPlaintext +// +// See https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01 for more information on this service. +// +// See kms package documentation for more information. +// https://docs.aws.amazon.com/sdk-for-go/api/service/kms/ +// +// Using the Client +// +// To contact AWS Key Management Service with the SDK use the New function to create +// a new service client. With that client you can make API requests to the service. +// These clients are safe to use concurrently. +// +// See the SDK's documentation for more information on how to use the SDK. +// https://docs.aws.amazon.com/sdk-for-go/api/ +// +// See aws.Config documentation for more information on configuring SDK clients. +// https://docs.aws.amazon.com/sdk-for-go/api/aws/#Config +// +// See the AWS Key Management Service client KMS for more +// information on creating client for this service. +// https://docs.aws.amazon.com/sdk-for-go/api/service/kms/#New +package kms diff --git a/vendor/github.com/aws/aws-sdk-go/service/kms/errors.go b/vendor/github.com/aws/aws-sdk-go/service/kms/errors.go new file mode 100644 index 000000000..911bf576e --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/service/kms/errors.go @@ -0,0 +1,367 @@ +// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT. + +package kms + +import ( + "github.com/aws/aws-sdk-go/private/protocol" +) + +const ( + + // ErrCodeAlreadyExistsException for service response error code + // "AlreadyExistsException". + // + // The request was rejected because it attempted to create a resource that already + // exists. + ErrCodeAlreadyExistsException = "AlreadyExistsException" + + // ErrCodeCloudHsmClusterInUseException for service response error code + // "CloudHsmClusterInUseException". + // + // The request was rejected because the specified AWS CloudHSM cluster is already + // associated with a custom key store or it shares a backup history with a cluster + // that is associated with a custom key store. Each custom key store must be + // associated with a different AWS CloudHSM cluster. + // + // Clusters that share a backup history have the same cluster certificate. To + // view the cluster certificate of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html) + // operation. + ErrCodeCloudHsmClusterInUseException = "CloudHsmClusterInUseException" + + // ErrCodeCloudHsmClusterInvalidConfigurationException for service response error code + // "CloudHsmClusterInvalidConfigurationException". + // + // The request was rejected because the associated AWS CloudHSM cluster did + // not meet the configuration requirements for a custom key store. + // + // * The cluster must be configured with private subnets in at least two + // different Availability Zones in the Region. + // + // * The security group for the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) + // (cloudhsm-cluster--sg) must include inbound rules and outbound + // rules that allow TCP traffic on ports 2223-2225. The Source in the inbound + // rules and the Destination in the outbound rules must match the security + // group ID. These rules are set by default when you create the cluster. + // Do not delete or change them. To get information about a particular security + // group, use the DescribeSecurityGroups (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html) + // operation. + // + // * The cluster must contain at least as many HSMs as the operation requires. + // To add HSMs, use the AWS CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html) + // operation. For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey + // operations, the AWS CloudHSM cluster must have at least two active HSMs, + // each in a different Availability Zone. For the ConnectCustomKeyStore operation, + // the AWS CloudHSM must contain at least one active HSM. + // + // For information about the requirements for an AWS CloudHSM cluster that is + // associated with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore) + // in the AWS Key Management Service Developer Guide. For information about + // creating a private subnet for an AWS CloudHSM cluster, see Create a Private + // Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html) + // in the AWS CloudHSM User Guide. For information about cluster security groups, + // see Configure a Default Security Group (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) + // in the AWS CloudHSM User Guide . + ErrCodeCloudHsmClusterInvalidConfigurationException = "CloudHsmClusterInvalidConfigurationException" + + // ErrCodeCloudHsmClusterNotActiveException for service response error code + // "CloudHsmClusterNotActiveException". + // + // The request was rejected because the AWS CloudHSM cluster that is associated + // with the custom key store is not active. Initialize and activate the cluster + // and try the command again. For detailed instructions, see Getting Started + // (https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html) + // in the AWS CloudHSM User Guide. + ErrCodeCloudHsmClusterNotActiveException = "CloudHsmClusterNotActiveException" + + // ErrCodeCloudHsmClusterNotFoundException for service response error code + // "CloudHsmClusterNotFoundException". + // + // The request was rejected because AWS KMS cannot find the AWS CloudHSM cluster + // with the specified cluster ID. Retry the request with a different cluster + // ID. + ErrCodeCloudHsmClusterNotFoundException = "CloudHsmClusterNotFoundException" + + // ErrCodeCloudHsmClusterNotRelatedException for service response error code + // "CloudHsmClusterNotRelatedException". + // + // The request was rejected because the specified AWS CloudHSM cluster has a + // different cluster certificate than the original cluster. You cannot use the + // operation to specify an unrelated cluster. + // + // Specify a cluster that shares a backup history with the original cluster. + // This includes clusters that were created from a backup of the current cluster, + // and clusters that were created from the same backup that produced the current + // cluster. + // + // Clusters that share a backup history have the same cluster certificate. To + // view the cluster certificate of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html) + // operation. + ErrCodeCloudHsmClusterNotRelatedException = "CloudHsmClusterNotRelatedException" + + // ErrCodeCustomKeyStoreHasCMKsException for service response error code + // "CustomKeyStoreHasCMKsException". + // + // The request was rejected because the custom key store contains AWS KMS customer + // master keys (CMKs). After verifying that you do not need to use the CMKs, + // use the ScheduleKeyDeletion operation to delete the CMKs. After they are + // deleted, you can delete the custom key store. + ErrCodeCustomKeyStoreHasCMKsException = "CustomKeyStoreHasCMKsException" + + // ErrCodeCustomKeyStoreInvalidStateException for service response error code + // "CustomKeyStoreInvalidStateException". + // + // The request was rejected because of the ConnectionState of the custom key + // store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores + // operation. + // + // This exception is thrown under the following conditions: + // + // * You requested the CreateKey or GenerateRandom operation in a custom + // key store that is not connected. These operations are valid only when + // the custom key store ConnectionState is CONNECTED. + // + // * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation + // on a custom key store that is not disconnected. This operation is valid + // only when the custom key store ConnectionState is DISCONNECTED. + // + // * You requested the ConnectCustomKeyStore operation on a custom key store + // with a ConnectionState of DISCONNECTING or FAILED. This operation is valid + // for all other ConnectionState values. + ErrCodeCustomKeyStoreInvalidStateException = "CustomKeyStoreInvalidStateException" + + // ErrCodeCustomKeyStoreNameInUseException for service response error code + // "CustomKeyStoreNameInUseException". + // + // The request was rejected because the specified custom key store name is already + // assigned to another custom key store in the account. Try again with a custom + // key store name that is unique in the account. + ErrCodeCustomKeyStoreNameInUseException = "CustomKeyStoreNameInUseException" + + // ErrCodeCustomKeyStoreNotFoundException for service response error code + // "CustomKeyStoreNotFoundException". + // + // The request was rejected because AWS KMS cannot find a custom key store with + // the specified key store name or ID. + ErrCodeCustomKeyStoreNotFoundException = "CustomKeyStoreNotFoundException" + + // ErrCodeDependencyTimeoutException for service response error code + // "DependencyTimeoutException". + // + // The system timed out while trying to fulfill the request. The request can + // be retried. + ErrCodeDependencyTimeoutException = "DependencyTimeoutException" + + // ErrCodeDisabledException for service response error code + // "DisabledException". + // + // The request was rejected because the specified CMK is not enabled. + ErrCodeDisabledException = "DisabledException" + + // ErrCodeExpiredImportTokenException for service response error code + // "ExpiredImportTokenException". + // + // The request was rejected because the specified import token is expired. Use + // GetParametersForImport to get a new import token and public key, use the + // new public key to encrypt the key material, and then try the request again. + ErrCodeExpiredImportTokenException = "ExpiredImportTokenException" + + // ErrCodeIncorrectKeyException for service response error code + // "IncorrectKeyException". + // + // The request was rejected because the specified CMK cannot decrypt the data. + // The KeyId in a Decrypt request and the SourceKeyId in a ReEncrypt request + // must identify the same CMK that was used to encrypt the ciphertext. + ErrCodeIncorrectKeyException = "IncorrectKeyException" + + // ErrCodeIncorrectKeyMaterialException for service response error code + // "IncorrectKeyMaterialException". + // + // The request was rejected because the key material in the request is, expired, + // invalid, or is not the same key material that was previously imported into + // this customer master key (CMK). + ErrCodeIncorrectKeyMaterialException = "IncorrectKeyMaterialException" + + // ErrCodeIncorrectTrustAnchorException for service response error code + // "IncorrectTrustAnchorException". + // + // The request was rejected because the trust anchor certificate in the request + // is not the trust anchor certificate for the specified AWS CloudHSM cluster. + // + // When you initialize the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr), + // you create the trust anchor certificate and save it in the customerCA.crt + // file. + ErrCodeIncorrectTrustAnchorException = "IncorrectTrustAnchorException" + + // ErrCodeInternalException for service response error code + // "KMSInternalException". + // + // The request was rejected because an internal exception occurred. The request + // can be retried. + ErrCodeInternalException = "KMSInternalException" + + // ErrCodeInvalidAliasNameException for service response error code + // "InvalidAliasNameException". + // + // The request was rejected because the specified alias name is not valid. + ErrCodeInvalidAliasNameException = "InvalidAliasNameException" + + // ErrCodeInvalidArnException for service response error code + // "InvalidArnException". + // + // The request was rejected because a specified ARN, or an ARN in a key policy, + // is not valid. + ErrCodeInvalidArnException = "InvalidArnException" + + // ErrCodeInvalidCiphertextException for service response error code + // "InvalidCiphertextException". + // + // From the Decrypt or ReEncrypt operation, the request was rejected because + // the specified ciphertext, or additional authenticated data incorporated into + // the ciphertext, such as the encryption context, is corrupted, missing, or + // otherwise invalid. + // + // From the ImportKeyMaterial operation, the request was rejected because AWS + // KMS could not decrypt the encrypted (wrapped) key material. + ErrCodeInvalidCiphertextException = "InvalidCiphertextException" + + // ErrCodeInvalidGrantIdException for service response error code + // "InvalidGrantIdException". + // + // The request was rejected because the specified GrantId is not valid. + ErrCodeInvalidGrantIdException = "InvalidGrantIdException" + + // ErrCodeInvalidGrantTokenException for service response error code + // "InvalidGrantTokenException". + // + // The request was rejected because the specified grant token is not valid. + ErrCodeInvalidGrantTokenException = "InvalidGrantTokenException" + + // ErrCodeInvalidImportTokenException for service response error code + // "InvalidImportTokenException". + // + // The request was rejected because the provided import token is invalid or + // is associated with a different customer master key (CMK). + ErrCodeInvalidImportTokenException = "InvalidImportTokenException" + + // ErrCodeInvalidKeyUsageException for service response error code + // "InvalidKeyUsageException". + // + // The request was rejected for one of the following reasons: + // + // * The KeyUsage value of the CMK is incompatible with the API operation. + // + // * The encryption algorithm or signing algorithm specified for the operation + // is incompatible with the type of key material in the CMK (CustomerMasterKeySpec). + // + // For encrypting, decrypting, re-encrypting, and generating data keys, the + // KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage + // must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation. + // + // To find the encryption or signing algorithms supported for a particular CMK, + // use the DescribeKey operation. + ErrCodeInvalidKeyUsageException = "InvalidKeyUsageException" + + // ErrCodeInvalidMarkerException for service response error code + // "InvalidMarkerException". + // + // The request was rejected because the marker that specifies where pagination + // should next begin is not valid. + ErrCodeInvalidMarkerException = "InvalidMarkerException" + + // ErrCodeInvalidStateException for service response error code + // "KMSInvalidStateException". + // + // The request was rejected because the state of the specified resource is not + // valid for this request. + // + // For more information about how key state affects the use of a CMK, see How + // Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) + // in the AWS Key Management Service Developer Guide . + ErrCodeInvalidStateException = "KMSInvalidStateException" + + // ErrCodeKMSInvalidSignatureException for service response error code + // "KMSInvalidSignatureException". + // + // The request was rejected because the signature verification failed. Signature + // verification fails when it cannot confirm that signature was produced by + // signing the specified message with the specified CMK and signing algorithm. + ErrCodeKMSInvalidSignatureException = "KMSInvalidSignatureException" + + // ErrCodeKeyUnavailableException for service response error code + // "KeyUnavailableException". + // + // The request was rejected because the specified CMK was not available. You + // can retry the request. + ErrCodeKeyUnavailableException = "KeyUnavailableException" + + // ErrCodeLimitExceededException for service response error code + // "LimitExceededException". + // + // The request was rejected because a quota was exceeded. For more information, + // see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html) + // in the AWS Key Management Service Developer Guide. + ErrCodeLimitExceededException = "LimitExceededException" + + // ErrCodeMalformedPolicyDocumentException for service response error code + // "MalformedPolicyDocumentException". + // + // The request was rejected because the specified policy is not syntactically + // or semantically correct. + ErrCodeMalformedPolicyDocumentException = "MalformedPolicyDocumentException" + + // ErrCodeNotFoundException for service response error code + // "NotFoundException". + // + // The request was rejected because the specified entity or resource could not + // be found. + ErrCodeNotFoundException = "NotFoundException" + + // ErrCodeTagException for service response error code + // "TagException". + // + // The request was rejected because one or more tags are not valid. + ErrCodeTagException = "TagException" + + // ErrCodeUnsupportedOperationException for service response error code + // "UnsupportedOperationException". + // + // The request was rejected because a specified parameter is not supported or + // a specified resource is not valid for this operation. + ErrCodeUnsupportedOperationException = "UnsupportedOperationException" +) + +var exceptionFromCode = map[string]func(protocol.ResponseMetadata) error{ + "AlreadyExistsException": newErrorAlreadyExistsException, + "CloudHsmClusterInUseException": newErrorCloudHsmClusterInUseException, + "CloudHsmClusterInvalidConfigurationException": newErrorCloudHsmClusterInvalidConfigurationException, + "CloudHsmClusterNotActiveException": newErrorCloudHsmClusterNotActiveException, + "CloudHsmClusterNotFoundException": newErrorCloudHsmClusterNotFoundException, + "CloudHsmClusterNotRelatedException": newErrorCloudHsmClusterNotRelatedException, + "CustomKeyStoreHasCMKsException": newErrorCustomKeyStoreHasCMKsException, + "CustomKeyStoreInvalidStateException": newErrorCustomKeyStoreInvalidStateException, + "CustomKeyStoreNameInUseException": newErrorCustomKeyStoreNameInUseException, + "CustomKeyStoreNotFoundException": newErrorCustomKeyStoreNotFoundException, + "DependencyTimeoutException": newErrorDependencyTimeoutException, + "DisabledException": newErrorDisabledException, + "ExpiredImportTokenException": newErrorExpiredImportTokenException, + "IncorrectKeyException": newErrorIncorrectKeyException, + "IncorrectKeyMaterialException": newErrorIncorrectKeyMaterialException, + "IncorrectTrustAnchorException": newErrorIncorrectTrustAnchorException, + "KMSInternalException": newErrorInternalException, + "InvalidAliasNameException": newErrorInvalidAliasNameException, + "InvalidArnException": newErrorInvalidArnException, + "InvalidCiphertextException": newErrorInvalidCiphertextException, + "InvalidGrantIdException": newErrorInvalidGrantIdException, + "InvalidGrantTokenException": newErrorInvalidGrantTokenException, + "InvalidImportTokenException": newErrorInvalidImportTokenException, + "InvalidKeyUsageException": newErrorInvalidKeyUsageException, + "InvalidMarkerException": newErrorInvalidMarkerException, + "KMSInvalidStateException": newErrorInvalidStateException, + "KMSInvalidSignatureException": newErrorKMSInvalidSignatureException, + "KeyUnavailableException": newErrorKeyUnavailableException, + "LimitExceededException": newErrorLimitExceededException, + "MalformedPolicyDocumentException": newErrorMalformedPolicyDocumentException, + "NotFoundException": newErrorNotFoundException, + "TagException": newErrorTagException, + "UnsupportedOperationException": newErrorUnsupportedOperationException, +} diff --git a/vendor/github.com/aws/aws-sdk-go/service/kms/service.go b/vendor/github.com/aws/aws-sdk-go/service/kms/service.go new file mode 100644 index 000000000..50ca0c092 --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/service/kms/service.go @@ -0,0 +1,103 @@ +// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT. + +package kms + +import ( + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/client" + "github.com/aws/aws-sdk-go/aws/client/metadata" + "github.com/aws/aws-sdk-go/aws/request" + "github.com/aws/aws-sdk-go/aws/signer/v4" + "github.com/aws/aws-sdk-go/private/protocol" + "github.com/aws/aws-sdk-go/private/protocol/jsonrpc" +) + +// KMS provides the API operation methods for making requests to +// AWS Key Management Service. See this package's package overview docs +// for details on the service. +// +// KMS methods are safe to use concurrently. It is not safe to +// modify mutate any of the struct's properties though. +type KMS struct { + *client.Client +} + +// Used for custom client initialization logic +var initClient func(*client.Client) + +// Used for custom request initialization logic +var initRequest func(*request.Request) + +// Service information constants +const ( + ServiceName = "kms" // Name of service. + EndpointsID = ServiceName // ID to lookup a service endpoint with. + ServiceID = "KMS" // ServiceID is a unique identifier of a specific service. +) + +// New creates a new instance of the KMS client with a session. +// If additional configuration is needed for the client instance use the optional +// aws.Config parameter to add your extra config. +// +// Example: +// mySession := session.Must(session.NewSession()) +// +// // Create a KMS client from just a session. +// svc := kms.New(mySession) +// +// // Create a KMS client with additional configuration +// svc := kms.New(mySession, aws.NewConfig().WithRegion("us-west-2")) +func New(p client.ConfigProvider, cfgs ...*aws.Config) *KMS { + c := p.ClientConfig(EndpointsID, cfgs...) + return newClient(*c.Config, c.Handlers, c.PartitionID, c.Endpoint, c.SigningRegion, c.SigningName) +} + +// newClient creates, initializes and returns a new service client instance. +func newClient(cfg aws.Config, handlers request.Handlers, partitionID, endpoint, signingRegion, signingName string) *KMS { + svc := &KMS{ + Client: client.New( + cfg, + metadata.ClientInfo{ + ServiceName: ServiceName, + ServiceID: ServiceID, + SigningName: signingName, + SigningRegion: signingRegion, + PartitionID: partitionID, + Endpoint: endpoint, + APIVersion: "2014-11-01", + JSONVersion: "1.1", + TargetPrefix: "TrentService", + }, + handlers, + ), + } + + // Handlers + svc.Handlers.Sign.PushBackNamed(v4.SignRequestHandler) + svc.Handlers.Build.PushBackNamed(jsonrpc.BuildHandler) + svc.Handlers.Unmarshal.PushBackNamed(jsonrpc.UnmarshalHandler) + svc.Handlers.UnmarshalMeta.PushBackNamed(jsonrpc.UnmarshalMetaHandler) + svc.Handlers.UnmarshalError.PushBackNamed( + protocol.NewUnmarshalErrorHandler(jsonrpc.NewUnmarshalTypedError(exceptionFromCode)).NamedHandler(), + ) + + // Run custom client initialization if present + if initClient != nil { + initClient(svc.Client) + } + + return svc +} + +// newRequest creates a new request for a KMS operation and runs any +// custom request initialization. +func (c *KMS) newRequest(op *request.Operation, params, data interface{}) *request.Request { + req := c.NewRequest(op, params, data) + + // Run custom request initialization if present + if initRequest != nil { + initRequest(req) + } + + return req +} diff --git a/vendor/github.com/aws/aws-sdk-go/service/sso/api.go b/vendor/github.com/aws/aws-sdk-go/service/sso/api.go new file mode 100644 index 000000000..4498f285e --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/service/sso/api.go @@ -0,0 +1,1210 @@ +// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT. + +package sso + +import ( + "fmt" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/awsutil" + "github.com/aws/aws-sdk-go/aws/credentials" + "github.com/aws/aws-sdk-go/aws/request" + "github.com/aws/aws-sdk-go/private/protocol" + "github.com/aws/aws-sdk-go/private/protocol/restjson" +) + +const opGetRoleCredentials = "GetRoleCredentials" + +// GetRoleCredentialsRequest generates a "aws/request.Request" representing the +// client's request for the GetRoleCredentials operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See GetRoleCredentials for more information on using the GetRoleCredentials +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the GetRoleCredentialsRequest method. +// req, resp := client.GetRoleCredentialsRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/sso-2019-06-10/GetRoleCredentials +func (c *SSO) GetRoleCredentialsRequest(input *GetRoleCredentialsInput) (req *request.Request, output *GetRoleCredentialsOutput) { + op := &request.Operation{ + Name: opGetRoleCredentials, + HTTPMethod: "GET", + HTTPPath: "/federation/credentials", + } + + if input == nil { + input = &GetRoleCredentialsInput{} + } + + output = &GetRoleCredentialsOutput{} + req = c.newRequest(op, input, output) + req.Config.Credentials = credentials.AnonymousCredentials + return +} + +// GetRoleCredentials API operation for AWS Single Sign-On. +// +// Returns the STS short-term credentials for a given role name that is assigned +// to the user. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Single Sign-On's +// API operation GetRoleCredentials for usage and error information. +// +// Returned Error Types: +// * InvalidRequestException +// Indicates that a problem occurred with the input to the request. For example, +// a required parameter might be missing or out of range. +// +// * UnauthorizedException +// Indicates that the request is not authorized. This can happen due to an invalid +// access token in the request. +// +// * TooManyRequestsException +// Indicates that the request is being made too frequently and is more than +// what the server can handle. +// +// * ResourceNotFoundException +// The specified resource doesn't exist. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/sso-2019-06-10/GetRoleCredentials +func (c *SSO) GetRoleCredentials(input *GetRoleCredentialsInput) (*GetRoleCredentialsOutput, error) { + req, out := c.GetRoleCredentialsRequest(input) + return out, req.Send() +} + +// GetRoleCredentialsWithContext is the same as GetRoleCredentials with the addition of +// the ability to pass a context and additional request options. +// +// See GetRoleCredentials for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *SSO) GetRoleCredentialsWithContext(ctx aws.Context, input *GetRoleCredentialsInput, opts ...request.Option) (*GetRoleCredentialsOutput, error) { + req, out := c.GetRoleCredentialsRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opListAccountRoles = "ListAccountRoles" + +// ListAccountRolesRequest generates a "aws/request.Request" representing the +// client's request for the ListAccountRoles operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See ListAccountRoles for more information on using the ListAccountRoles +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the ListAccountRolesRequest method. +// req, resp := client.ListAccountRolesRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/sso-2019-06-10/ListAccountRoles +func (c *SSO) ListAccountRolesRequest(input *ListAccountRolesInput) (req *request.Request, output *ListAccountRolesOutput) { + op := &request.Operation{ + Name: opListAccountRoles, + HTTPMethod: "GET", + HTTPPath: "/assignment/roles", + Paginator: &request.Paginator{ + InputTokens: []string{"nextToken"}, + OutputTokens: []string{"nextToken"}, + LimitToken: "maxResults", + TruncationToken: "", + }, + } + + if input == nil { + input = &ListAccountRolesInput{} + } + + output = &ListAccountRolesOutput{} + req = c.newRequest(op, input, output) + req.Config.Credentials = credentials.AnonymousCredentials + return +} + +// ListAccountRoles API operation for AWS Single Sign-On. +// +// Lists all roles that are assigned to the user for a given AWS account. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Single Sign-On's +// API operation ListAccountRoles for usage and error information. +// +// Returned Error Types: +// * InvalidRequestException +// Indicates that a problem occurred with the input to the request. For example, +// a required parameter might be missing or out of range. +// +// * UnauthorizedException +// Indicates that the request is not authorized. This can happen due to an invalid +// access token in the request. +// +// * TooManyRequestsException +// Indicates that the request is being made too frequently and is more than +// what the server can handle. +// +// * ResourceNotFoundException +// The specified resource doesn't exist. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/sso-2019-06-10/ListAccountRoles +func (c *SSO) ListAccountRoles(input *ListAccountRolesInput) (*ListAccountRolesOutput, error) { + req, out := c.ListAccountRolesRequest(input) + return out, req.Send() +} + +// ListAccountRolesWithContext is the same as ListAccountRoles with the addition of +// the ability to pass a context and additional request options. +// +// See ListAccountRoles for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *SSO) ListAccountRolesWithContext(ctx aws.Context, input *ListAccountRolesInput, opts ...request.Option) (*ListAccountRolesOutput, error) { + req, out := c.ListAccountRolesRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +// ListAccountRolesPages iterates over the pages of a ListAccountRoles operation, +// calling the "fn" function with the response data for each page. To stop +// iterating, return false from the fn function. +// +// See ListAccountRoles method for more information on how to use this operation. +// +// Note: This operation can generate multiple requests to a service. +// +// // Example iterating over at most 3 pages of a ListAccountRoles operation. +// pageNum := 0 +// err := client.ListAccountRolesPages(params, +// func(page *sso.ListAccountRolesOutput, lastPage bool) bool { +// pageNum++ +// fmt.Println(page) +// return pageNum <= 3 +// }) +// +func (c *SSO) ListAccountRolesPages(input *ListAccountRolesInput, fn func(*ListAccountRolesOutput, bool) bool) error { + return c.ListAccountRolesPagesWithContext(aws.BackgroundContext(), input, fn) +} + +// ListAccountRolesPagesWithContext same as ListAccountRolesPages except +// it takes a Context and allows setting request options on the pages. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *SSO) ListAccountRolesPagesWithContext(ctx aws.Context, input *ListAccountRolesInput, fn func(*ListAccountRolesOutput, bool) bool, opts ...request.Option) error { + p := request.Pagination{ + NewRequest: func() (*request.Request, error) { + var inCpy *ListAccountRolesInput + if input != nil { + tmp := *input + inCpy = &tmp + } + req, _ := c.ListAccountRolesRequest(inCpy) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return req, nil + }, + } + + for p.Next() { + if !fn(p.Page().(*ListAccountRolesOutput), !p.HasNextPage()) { + break + } + } + + return p.Err() +} + +const opListAccounts = "ListAccounts" + +// ListAccountsRequest generates a "aws/request.Request" representing the +// client's request for the ListAccounts operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See ListAccounts for more information on using the ListAccounts +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the ListAccountsRequest method. +// req, resp := client.ListAccountsRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/sso-2019-06-10/ListAccounts +func (c *SSO) ListAccountsRequest(input *ListAccountsInput) (req *request.Request, output *ListAccountsOutput) { + op := &request.Operation{ + Name: opListAccounts, + HTTPMethod: "GET", + HTTPPath: "/assignment/accounts", + Paginator: &request.Paginator{ + InputTokens: []string{"nextToken"}, + OutputTokens: []string{"nextToken"}, + LimitToken: "maxResults", + TruncationToken: "", + }, + } + + if input == nil { + input = &ListAccountsInput{} + } + + output = &ListAccountsOutput{} + req = c.newRequest(op, input, output) + req.Config.Credentials = credentials.AnonymousCredentials + return +} + +// ListAccounts API operation for AWS Single Sign-On. +// +// Lists all AWS accounts assigned to the user. These AWS accounts are assigned +// by the administrator of the account. For more information, see Assign User +// Access (https://docs.aws.amazon.com/singlesignon/latest/userguide/useraccess.html#assignusers) +// in the AWS SSO User Guide. This operation returns a paginated response. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Single Sign-On's +// API operation ListAccounts for usage and error information. +// +// Returned Error Types: +// * InvalidRequestException +// Indicates that a problem occurred with the input to the request. For example, +// a required parameter might be missing or out of range. +// +// * UnauthorizedException +// Indicates that the request is not authorized. This can happen due to an invalid +// access token in the request. +// +// * TooManyRequestsException +// Indicates that the request is being made too frequently and is more than +// what the server can handle. +// +// * ResourceNotFoundException +// The specified resource doesn't exist. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/sso-2019-06-10/ListAccounts +func (c *SSO) ListAccounts(input *ListAccountsInput) (*ListAccountsOutput, error) { + req, out := c.ListAccountsRequest(input) + return out, req.Send() +} + +// ListAccountsWithContext is the same as ListAccounts with the addition of +// the ability to pass a context and additional request options. +// +// See ListAccounts for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *SSO) ListAccountsWithContext(ctx aws.Context, input *ListAccountsInput, opts ...request.Option) (*ListAccountsOutput, error) { + req, out := c.ListAccountsRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +// ListAccountsPages iterates over the pages of a ListAccounts operation, +// calling the "fn" function with the response data for each page. To stop +// iterating, return false from the fn function. +// +// See ListAccounts method for more information on how to use this operation. +// +// Note: This operation can generate multiple requests to a service. +// +// // Example iterating over at most 3 pages of a ListAccounts operation. +// pageNum := 0 +// err := client.ListAccountsPages(params, +// func(page *sso.ListAccountsOutput, lastPage bool) bool { +// pageNum++ +// fmt.Println(page) +// return pageNum <= 3 +// }) +// +func (c *SSO) ListAccountsPages(input *ListAccountsInput, fn func(*ListAccountsOutput, bool) bool) error { + return c.ListAccountsPagesWithContext(aws.BackgroundContext(), input, fn) +} + +// ListAccountsPagesWithContext same as ListAccountsPages except +// it takes a Context and allows setting request options on the pages. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *SSO) ListAccountsPagesWithContext(ctx aws.Context, input *ListAccountsInput, fn func(*ListAccountsOutput, bool) bool, opts ...request.Option) error { + p := request.Pagination{ + NewRequest: func() (*request.Request, error) { + var inCpy *ListAccountsInput + if input != nil { + tmp := *input + inCpy = &tmp + } + req, _ := c.ListAccountsRequest(inCpy) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return req, nil + }, + } + + for p.Next() { + if !fn(p.Page().(*ListAccountsOutput), !p.HasNextPage()) { + break + } + } + + return p.Err() +} + +const opLogout = "Logout" + +// LogoutRequest generates a "aws/request.Request" representing the +// client's request for the Logout operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See Logout for more information on using the Logout +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the LogoutRequest method. +// req, resp := client.LogoutRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/sso-2019-06-10/Logout +func (c *SSO) LogoutRequest(input *LogoutInput) (req *request.Request, output *LogoutOutput) { + op := &request.Operation{ + Name: opLogout, + HTTPMethod: "POST", + HTTPPath: "/logout", + } + + if input == nil { + input = &LogoutInput{} + } + + output = &LogoutOutput{} + req = c.newRequest(op, input, output) + req.Config.Credentials = credentials.AnonymousCredentials + req.Handlers.Unmarshal.Swap(restjson.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// Logout API operation for AWS Single Sign-On. +// +// Removes the client- and server-side session that is associated with the user. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Single Sign-On's +// API operation Logout for usage and error information. +// +// Returned Error Types: +// * InvalidRequestException +// Indicates that a problem occurred with the input to the request. For example, +// a required parameter might be missing or out of range. +// +// * UnauthorizedException +// Indicates that the request is not authorized. This can happen due to an invalid +// access token in the request. +// +// * TooManyRequestsException +// Indicates that the request is being made too frequently and is more than +// what the server can handle. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/sso-2019-06-10/Logout +func (c *SSO) Logout(input *LogoutInput) (*LogoutOutput, error) { + req, out := c.LogoutRequest(input) + return out, req.Send() +} + +// LogoutWithContext is the same as Logout with the addition of +// the ability to pass a context and additional request options. +// +// See Logout for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *SSO) LogoutWithContext(ctx aws.Context, input *LogoutInput, opts ...request.Option) (*LogoutOutput, error) { + req, out := c.LogoutRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +// Provides information about your AWS account. +type AccountInfo struct { + _ struct{} `type:"structure"` + + // The identifier of the AWS account that is assigned to the user. + AccountId *string `locationName:"accountId" type:"string"` + + // The display name of the AWS account that is assigned to the user. + AccountName *string `locationName:"accountName" type:"string"` + + // The email address of the AWS account that is assigned to the user. + EmailAddress *string `locationName:"emailAddress" min:"1" type:"string"` +} + +// String returns the string representation +func (s AccountInfo) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s AccountInfo) GoString() string { + return s.String() +} + +// SetAccountId sets the AccountId field's value. +func (s *AccountInfo) SetAccountId(v string) *AccountInfo { + s.AccountId = &v + return s +} + +// SetAccountName sets the AccountName field's value. +func (s *AccountInfo) SetAccountName(v string) *AccountInfo { + s.AccountName = &v + return s +} + +// SetEmailAddress sets the EmailAddress field's value. +func (s *AccountInfo) SetEmailAddress(v string) *AccountInfo { + s.EmailAddress = &v + return s +} + +type GetRoleCredentialsInput struct { + _ struct{} `type:"structure"` + + // The token issued by the CreateToken API call. For more information, see CreateToken + // (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/API_CreateToken.html) + // in the AWS SSO OIDC API Reference Guide. + // + // AccessToken is a required field + AccessToken *string `location:"header" locationName:"x-amz-sso_bearer_token" type:"string" required:"true" sensitive:"true"` + + // The identifier for the AWS account that is assigned to the user. + // + // AccountId is a required field + AccountId *string `location:"querystring" locationName:"account_id" type:"string" required:"true"` + + // The friendly name of the role that is assigned to the user. + // + // RoleName is a required field + RoleName *string `location:"querystring" locationName:"role_name" type:"string" required:"true"` +} + +// String returns the string representation +func (s GetRoleCredentialsInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GetRoleCredentialsInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *GetRoleCredentialsInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "GetRoleCredentialsInput"} + if s.AccessToken == nil { + invalidParams.Add(request.NewErrParamRequired("AccessToken")) + } + if s.AccountId == nil { + invalidParams.Add(request.NewErrParamRequired("AccountId")) + } + if s.RoleName == nil { + invalidParams.Add(request.NewErrParamRequired("RoleName")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetAccessToken sets the AccessToken field's value. +func (s *GetRoleCredentialsInput) SetAccessToken(v string) *GetRoleCredentialsInput { + s.AccessToken = &v + return s +} + +// SetAccountId sets the AccountId field's value. +func (s *GetRoleCredentialsInput) SetAccountId(v string) *GetRoleCredentialsInput { + s.AccountId = &v + return s +} + +// SetRoleName sets the RoleName field's value. +func (s *GetRoleCredentialsInput) SetRoleName(v string) *GetRoleCredentialsInput { + s.RoleName = &v + return s +} + +type GetRoleCredentialsOutput struct { + _ struct{} `type:"structure"` + + // The credentials for the role that is assigned to the user. + RoleCredentials *RoleCredentials `locationName:"roleCredentials" type:"structure"` +} + +// String returns the string representation +func (s GetRoleCredentialsOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GetRoleCredentialsOutput) GoString() string { + return s.String() +} + +// SetRoleCredentials sets the RoleCredentials field's value. +func (s *GetRoleCredentialsOutput) SetRoleCredentials(v *RoleCredentials) *GetRoleCredentialsOutput { + s.RoleCredentials = v + return s +} + +// Indicates that a problem occurred with the input to the request. For example, +// a required parameter might be missing or out of range. +type InvalidRequestException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation +func (s InvalidRequestException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s InvalidRequestException) GoString() string { + return s.String() +} + +func newErrorInvalidRequestException(v protocol.ResponseMetadata) error { + return &InvalidRequestException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *InvalidRequestException) Code() string { + return "InvalidRequestException" +} + +// Message returns the exception's message. +func (s *InvalidRequestException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *InvalidRequestException) OrigErr() error { + return nil +} + +func (s *InvalidRequestException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *InvalidRequestException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *InvalidRequestException) RequestID() string { + return s.RespMetadata.RequestID +} + +type ListAccountRolesInput struct { + _ struct{} `type:"structure"` + + // The token issued by the CreateToken API call. For more information, see CreateToken + // (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/API_CreateToken.html) + // in the AWS SSO OIDC API Reference Guide. + // + // AccessToken is a required field + AccessToken *string `location:"header" locationName:"x-amz-sso_bearer_token" type:"string" required:"true" sensitive:"true"` + + // The identifier for the AWS account that is assigned to the user. + // + // AccountId is a required field + AccountId *string `location:"querystring" locationName:"account_id" type:"string" required:"true"` + + // The number of items that clients can request per page. + MaxResults *int64 `location:"querystring" locationName:"max_result" min:"1" type:"integer"` + + // The page token from the previous response output when you request subsequent + // pages. + NextToken *string `location:"querystring" locationName:"next_token" type:"string"` +} + +// String returns the string representation +func (s ListAccountRolesInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ListAccountRolesInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *ListAccountRolesInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "ListAccountRolesInput"} + if s.AccessToken == nil { + invalidParams.Add(request.NewErrParamRequired("AccessToken")) + } + if s.AccountId == nil { + invalidParams.Add(request.NewErrParamRequired("AccountId")) + } + if s.MaxResults != nil && *s.MaxResults < 1 { + invalidParams.Add(request.NewErrParamMinValue("MaxResults", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetAccessToken sets the AccessToken field's value. +func (s *ListAccountRolesInput) SetAccessToken(v string) *ListAccountRolesInput { + s.AccessToken = &v + return s +} + +// SetAccountId sets the AccountId field's value. +func (s *ListAccountRolesInput) SetAccountId(v string) *ListAccountRolesInput { + s.AccountId = &v + return s +} + +// SetMaxResults sets the MaxResults field's value. +func (s *ListAccountRolesInput) SetMaxResults(v int64) *ListAccountRolesInput { + s.MaxResults = &v + return s +} + +// SetNextToken sets the NextToken field's value. +func (s *ListAccountRolesInput) SetNextToken(v string) *ListAccountRolesInput { + s.NextToken = &v + return s +} + +type ListAccountRolesOutput struct { + _ struct{} `type:"structure"` + + // The page token client that is used to retrieve the list of accounts. + NextToken *string `locationName:"nextToken" type:"string"` + + // A paginated response with the list of roles and the next token if more results + // are available. + RoleList []*RoleInfo `locationName:"roleList" type:"list"` +} + +// String returns the string representation +func (s ListAccountRolesOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ListAccountRolesOutput) GoString() string { + return s.String() +} + +// SetNextToken sets the NextToken field's value. +func (s *ListAccountRolesOutput) SetNextToken(v string) *ListAccountRolesOutput { + s.NextToken = &v + return s +} + +// SetRoleList sets the RoleList field's value. +func (s *ListAccountRolesOutput) SetRoleList(v []*RoleInfo) *ListAccountRolesOutput { + s.RoleList = v + return s +} + +type ListAccountsInput struct { + _ struct{} `type:"structure"` + + // The token issued by the CreateToken API call. For more information, see CreateToken + // (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/API_CreateToken.html) + // in the AWS SSO OIDC API Reference Guide. + // + // AccessToken is a required field + AccessToken *string `location:"header" locationName:"x-amz-sso_bearer_token" type:"string" required:"true" sensitive:"true"` + + // This is the number of items clients can request per page. + MaxResults *int64 `location:"querystring" locationName:"max_result" min:"1" type:"integer"` + + // (Optional) When requesting subsequent pages, this is the page token from + // the previous response output. + NextToken *string `location:"querystring" locationName:"next_token" type:"string"` +} + +// String returns the string representation +func (s ListAccountsInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ListAccountsInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *ListAccountsInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "ListAccountsInput"} + if s.AccessToken == nil { + invalidParams.Add(request.NewErrParamRequired("AccessToken")) + } + if s.MaxResults != nil && *s.MaxResults < 1 { + invalidParams.Add(request.NewErrParamMinValue("MaxResults", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetAccessToken sets the AccessToken field's value. +func (s *ListAccountsInput) SetAccessToken(v string) *ListAccountsInput { + s.AccessToken = &v + return s +} + +// SetMaxResults sets the MaxResults field's value. +func (s *ListAccountsInput) SetMaxResults(v int64) *ListAccountsInput { + s.MaxResults = &v + return s +} + +// SetNextToken sets the NextToken field's value. +func (s *ListAccountsInput) SetNextToken(v string) *ListAccountsInput { + s.NextToken = &v + return s +} + +type ListAccountsOutput struct { + _ struct{} `type:"structure"` + + // A paginated response with the list of account information and the next token + // if more results are available. + AccountList []*AccountInfo `locationName:"accountList" type:"list"` + + // The page token client that is used to retrieve the list of accounts. + NextToken *string `locationName:"nextToken" type:"string"` +} + +// String returns the string representation +func (s ListAccountsOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ListAccountsOutput) GoString() string { + return s.String() +} + +// SetAccountList sets the AccountList field's value. +func (s *ListAccountsOutput) SetAccountList(v []*AccountInfo) *ListAccountsOutput { + s.AccountList = v + return s +} + +// SetNextToken sets the NextToken field's value. +func (s *ListAccountsOutput) SetNextToken(v string) *ListAccountsOutput { + s.NextToken = &v + return s +} + +type LogoutInput struct { + _ struct{} `type:"structure"` + + // The token issued by the CreateToken API call. For more information, see CreateToken + // (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/API_CreateToken.html) + // in the AWS SSO OIDC API Reference Guide. + // + // AccessToken is a required field + AccessToken *string `location:"header" locationName:"x-amz-sso_bearer_token" type:"string" required:"true" sensitive:"true"` +} + +// String returns the string representation +func (s LogoutInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s LogoutInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *LogoutInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "LogoutInput"} + if s.AccessToken == nil { + invalidParams.Add(request.NewErrParamRequired("AccessToken")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetAccessToken sets the AccessToken field's value. +func (s *LogoutInput) SetAccessToken(v string) *LogoutInput { + s.AccessToken = &v + return s +} + +type LogoutOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s LogoutOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s LogoutOutput) GoString() string { + return s.String() +} + +// The specified resource doesn't exist. +type ResourceNotFoundException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation +func (s ResourceNotFoundException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ResourceNotFoundException) GoString() string { + return s.String() +} + +func newErrorResourceNotFoundException(v protocol.ResponseMetadata) error { + return &ResourceNotFoundException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *ResourceNotFoundException) Code() string { + return "ResourceNotFoundException" +} + +// Message returns the exception's message. +func (s *ResourceNotFoundException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *ResourceNotFoundException) OrigErr() error { + return nil +} + +func (s *ResourceNotFoundException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *ResourceNotFoundException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *ResourceNotFoundException) RequestID() string { + return s.RespMetadata.RequestID +} + +// Provides information about the role credentials that are assigned to the +// user. +type RoleCredentials struct { + _ struct{} `type:"structure"` + + // The identifier used for the temporary security credentials. For more information, + // see Using Temporary Security Credentials to Request Access to AWS Resources + // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) + // in the AWS IAM User Guide. + AccessKeyId *string `locationName:"accessKeyId" type:"string"` + + // The date on which temporary security credentials expire. + Expiration *int64 `locationName:"expiration" type:"long"` + + // The key that is used to sign the request. For more information, see Using + // Temporary Security Credentials to Request Access to AWS Resources (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) + // in the AWS IAM User Guide. + SecretAccessKey *string `locationName:"secretAccessKey" type:"string" sensitive:"true"` + + // The token used for temporary credentials. For more information, see Using + // Temporary Security Credentials to Request Access to AWS Resources (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) + // in the AWS IAM User Guide. + SessionToken *string `locationName:"sessionToken" type:"string" sensitive:"true"` +} + +// String returns the string representation +func (s RoleCredentials) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s RoleCredentials) GoString() string { + return s.String() +} + +// SetAccessKeyId sets the AccessKeyId field's value. +func (s *RoleCredentials) SetAccessKeyId(v string) *RoleCredentials { + s.AccessKeyId = &v + return s +} + +// SetExpiration sets the Expiration field's value. +func (s *RoleCredentials) SetExpiration(v int64) *RoleCredentials { + s.Expiration = &v + return s +} + +// SetSecretAccessKey sets the SecretAccessKey field's value. +func (s *RoleCredentials) SetSecretAccessKey(v string) *RoleCredentials { + s.SecretAccessKey = &v + return s +} + +// SetSessionToken sets the SessionToken field's value. +func (s *RoleCredentials) SetSessionToken(v string) *RoleCredentials { + s.SessionToken = &v + return s +} + +// Provides information about the role that is assigned to the user. +type RoleInfo struct { + _ struct{} `type:"structure"` + + // The identifier of the AWS account assigned to the user. + AccountId *string `locationName:"accountId" type:"string"` + + // The friendly name of the role that is assigned to the user. + RoleName *string `locationName:"roleName" type:"string"` +} + +// String returns the string representation +func (s RoleInfo) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s RoleInfo) GoString() string { + return s.String() +} + +// SetAccountId sets the AccountId field's value. +func (s *RoleInfo) SetAccountId(v string) *RoleInfo { + s.AccountId = &v + return s +} + +// SetRoleName sets the RoleName field's value. +func (s *RoleInfo) SetRoleName(v string) *RoleInfo { + s.RoleName = &v + return s +} + +// Indicates that the request is being made too frequently and is more than +// what the server can handle. +type TooManyRequestsException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation +func (s TooManyRequestsException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s TooManyRequestsException) GoString() string { + return s.String() +} + +func newErrorTooManyRequestsException(v protocol.ResponseMetadata) error { + return &TooManyRequestsException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *TooManyRequestsException) Code() string { + return "TooManyRequestsException" +} + +// Message returns the exception's message. +func (s *TooManyRequestsException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *TooManyRequestsException) OrigErr() error { + return nil +} + +func (s *TooManyRequestsException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *TooManyRequestsException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *TooManyRequestsException) RequestID() string { + return s.RespMetadata.RequestID +} + +// Indicates that the request is not authorized. This can happen due to an invalid +// access token in the request. +type UnauthorizedException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation +func (s UnauthorizedException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s UnauthorizedException) GoString() string { + return s.String() +} + +func newErrorUnauthorizedException(v protocol.ResponseMetadata) error { + return &UnauthorizedException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *UnauthorizedException) Code() string { + return "UnauthorizedException" +} + +// Message returns the exception's message. +func (s *UnauthorizedException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *UnauthorizedException) OrigErr() error { + return nil +} + +func (s *UnauthorizedException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *UnauthorizedException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *UnauthorizedException) RequestID() string { + return s.RespMetadata.RequestID +} diff --git a/vendor/github.com/aws/aws-sdk-go/service/sso/doc.go b/vendor/github.com/aws/aws-sdk-go/service/sso/doc.go new file mode 100644 index 000000000..92d82b2af --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/service/sso/doc.go @@ -0,0 +1,44 @@ +// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT. + +// Package sso provides the client and types for making API +// requests to AWS Single Sign-On. +// +// AWS Single Sign-On Portal is a web service that makes it easy for you to +// assign user access to AWS SSO resources such as the user portal. Users can +// get AWS account applications and roles assigned to them and get federated +// into the application. +// +// For general information about AWS SSO, see What is AWS Single Sign-On? (https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) +// in the AWS SSO User Guide. +// +// This API reference guide describes the AWS SSO Portal operations that you +// can call programatically and includes detailed information on data types +// and errors. +// +// AWS provides SDKs that consist of libraries and sample code for various programming +// languages and platforms, such as Java, Ruby, .Net, iOS, or Android. The SDKs +// provide a convenient way to create programmatic access to AWS SSO and other +// AWS services. For more information about the AWS SDKs, including how to download +// and install them, see Tools for Amazon Web Services (http://aws.amazon.com/tools/). +// +// See https://docs.aws.amazon.com/goto/WebAPI/sso-2019-06-10 for more information on this service. +// +// See sso package documentation for more information. +// https://docs.aws.amazon.com/sdk-for-go/api/service/sso/ +// +// Using the Client +// +// To contact AWS Single Sign-On with the SDK use the New function to create +// a new service client. With that client you can make API requests to the service. +// These clients are safe to use concurrently. +// +// See the SDK's documentation for more information on how to use the SDK. +// https://docs.aws.amazon.com/sdk-for-go/api/ +// +// See aws.Config documentation for more information on configuring SDK clients. +// https://docs.aws.amazon.com/sdk-for-go/api/aws/#Config +// +// See the AWS Single Sign-On client SSO for more +// information on creating client for this service. +// https://docs.aws.amazon.com/sdk-for-go/api/service/sso/#New +package sso diff --git a/vendor/github.com/aws/aws-sdk-go/service/sso/errors.go b/vendor/github.com/aws/aws-sdk-go/service/sso/errors.go new file mode 100644 index 000000000..77a6792e3 --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/service/sso/errors.go @@ -0,0 +1,44 @@ +// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT. + +package sso + +import ( + "github.com/aws/aws-sdk-go/private/protocol" +) + +const ( + + // ErrCodeInvalidRequestException for service response error code + // "InvalidRequestException". + // + // Indicates that a problem occurred with the input to the request. For example, + // a required parameter might be missing or out of range. + ErrCodeInvalidRequestException = "InvalidRequestException" + + // ErrCodeResourceNotFoundException for service response error code + // "ResourceNotFoundException". + // + // The specified resource doesn't exist. + ErrCodeResourceNotFoundException = "ResourceNotFoundException" + + // ErrCodeTooManyRequestsException for service response error code + // "TooManyRequestsException". + // + // Indicates that the request is being made too frequently and is more than + // what the server can handle. + ErrCodeTooManyRequestsException = "TooManyRequestsException" + + // ErrCodeUnauthorizedException for service response error code + // "UnauthorizedException". + // + // Indicates that the request is not authorized. This can happen due to an invalid + // access token in the request. + ErrCodeUnauthorizedException = "UnauthorizedException" +) + +var exceptionFromCode = map[string]func(protocol.ResponseMetadata) error{ + "InvalidRequestException": newErrorInvalidRequestException, + "ResourceNotFoundException": newErrorResourceNotFoundException, + "TooManyRequestsException": newErrorTooManyRequestsException, + "UnauthorizedException": newErrorUnauthorizedException, +} diff --git a/vendor/github.com/aws/aws-sdk-go/service/sso/service.go b/vendor/github.com/aws/aws-sdk-go/service/sso/service.go new file mode 100644 index 000000000..35175331f --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/service/sso/service.go @@ -0,0 +1,104 @@ +// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT. + +package sso + +import ( + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/client" + "github.com/aws/aws-sdk-go/aws/client/metadata" + "github.com/aws/aws-sdk-go/aws/request" + "github.com/aws/aws-sdk-go/aws/signer/v4" + "github.com/aws/aws-sdk-go/private/protocol" + "github.com/aws/aws-sdk-go/private/protocol/restjson" +) + +// SSO provides the API operation methods for making requests to +// AWS Single Sign-On. See this package's package overview docs +// for details on the service. +// +// SSO methods are safe to use concurrently. It is not safe to +// modify mutate any of the struct's properties though. +type SSO struct { + *client.Client +} + +// Used for custom client initialization logic +var initClient func(*client.Client) + +// Used for custom request initialization logic +var initRequest func(*request.Request) + +// Service information constants +const ( + ServiceName = "SSO" // Name of service. + EndpointsID = "portal.sso" // ID to lookup a service endpoint with. + ServiceID = "SSO" // ServiceID is a unique identifier of a specific service. +) + +// New creates a new instance of the SSO client with a session. +// If additional configuration is needed for the client instance use the optional +// aws.Config parameter to add your extra config. +// +// Example: +// mySession := session.Must(session.NewSession()) +// +// // Create a SSO client from just a session. +// svc := sso.New(mySession) +// +// // Create a SSO client with additional configuration +// svc := sso.New(mySession, aws.NewConfig().WithRegion("us-west-2")) +func New(p client.ConfigProvider, cfgs ...*aws.Config) *SSO { + c := p.ClientConfig(EndpointsID, cfgs...) + if c.SigningNameDerived || len(c.SigningName) == 0 { + c.SigningName = "awsssoportal" + } + return newClient(*c.Config, c.Handlers, c.PartitionID, c.Endpoint, c.SigningRegion, c.SigningName) +} + +// newClient creates, initializes and returns a new service client instance. +func newClient(cfg aws.Config, handlers request.Handlers, partitionID, endpoint, signingRegion, signingName string) *SSO { + svc := &SSO{ + Client: client.New( + cfg, + metadata.ClientInfo{ + ServiceName: ServiceName, + ServiceID: ServiceID, + SigningName: signingName, + SigningRegion: signingRegion, + PartitionID: partitionID, + Endpoint: endpoint, + APIVersion: "2019-06-10", + }, + handlers, + ), + } + + // Handlers + svc.Handlers.Sign.PushBackNamed(v4.SignRequestHandler) + svc.Handlers.Build.PushBackNamed(restjson.BuildHandler) + svc.Handlers.Unmarshal.PushBackNamed(restjson.UnmarshalHandler) + svc.Handlers.UnmarshalMeta.PushBackNamed(restjson.UnmarshalMetaHandler) + svc.Handlers.UnmarshalError.PushBackNamed( + protocol.NewUnmarshalErrorHandler(restjson.NewUnmarshalTypedError(exceptionFromCode)).NamedHandler(), + ) + + // Run custom client initialization if present + if initClient != nil { + initClient(svc.Client) + } + + return svc +} + +// newRequest creates a new request for a SSO operation and runs any +// custom request initialization. +func (c *SSO) newRequest(op *request.Operation, params, data interface{}) *request.Request { + req := c.NewRequest(op, params, data) + + // Run custom request initialization if present + if initRequest != nil { + initRequest(req) + } + + return req +} diff --git a/vendor/github.com/aws/aws-sdk-go/service/sso/ssoiface/interface.go b/vendor/github.com/aws/aws-sdk-go/service/sso/ssoiface/interface.go new file mode 100644 index 000000000..4cac247c1 --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/service/sso/ssoiface/interface.go @@ -0,0 +1,86 @@ +// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT. + +// Package ssoiface provides an interface to enable mocking the AWS Single Sign-On service client +// for testing your code. +// +// It is important to note that this interface will have breaking changes +// when the service model is updated and adds new API operations, paginators, +// and waiters. +package ssoiface + +import ( + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/request" + "github.com/aws/aws-sdk-go/service/sso" +) + +// SSOAPI provides an interface to enable mocking the +// sso.SSO service client's API operation, +// paginators, and waiters. This make unit testing your code that calls out +// to the SDK's service client's calls easier. +// +// The best way to use this interface is so the SDK's service client's calls +// can be stubbed out for unit testing your code with the SDK without needing +// to inject custom request handlers into the SDK's request pipeline. +// +// // myFunc uses an SDK service client to make a request to +// // AWS Single Sign-On. +// func myFunc(svc ssoiface.SSOAPI) bool { +// // Make svc.GetRoleCredentials request +// } +// +// func main() { +// sess := session.New() +// svc := sso.New(sess) +// +// myFunc(svc) +// } +// +// In your _test.go file: +// +// // Define a mock struct to be used in your unit tests of myFunc. +// type mockSSOClient struct { +// ssoiface.SSOAPI +// } +// func (m *mockSSOClient) GetRoleCredentials(input *sso.GetRoleCredentialsInput) (*sso.GetRoleCredentialsOutput, error) { +// // mock response/functionality +// } +// +// func TestMyFunc(t *testing.T) { +// // Setup Test +// mockSvc := &mockSSOClient{} +// +// myfunc(mockSvc) +// +// // Verify myFunc's functionality +// } +// +// It is important to note that this interface will have breaking changes +// when the service model is updated and adds new API operations, paginators, +// and waiters. Its suggested to use the pattern above for testing, or using +// tooling to generate mocks to satisfy the interfaces. +type SSOAPI interface { + GetRoleCredentials(*sso.GetRoleCredentialsInput) (*sso.GetRoleCredentialsOutput, error) + GetRoleCredentialsWithContext(aws.Context, *sso.GetRoleCredentialsInput, ...request.Option) (*sso.GetRoleCredentialsOutput, error) + GetRoleCredentialsRequest(*sso.GetRoleCredentialsInput) (*request.Request, *sso.GetRoleCredentialsOutput) + + ListAccountRoles(*sso.ListAccountRolesInput) (*sso.ListAccountRolesOutput, error) + ListAccountRolesWithContext(aws.Context, *sso.ListAccountRolesInput, ...request.Option) (*sso.ListAccountRolesOutput, error) + ListAccountRolesRequest(*sso.ListAccountRolesInput) (*request.Request, *sso.ListAccountRolesOutput) + + ListAccountRolesPages(*sso.ListAccountRolesInput, func(*sso.ListAccountRolesOutput, bool) bool) error + ListAccountRolesPagesWithContext(aws.Context, *sso.ListAccountRolesInput, func(*sso.ListAccountRolesOutput, bool) bool, ...request.Option) error + + ListAccounts(*sso.ListAccountsInput) (*sso.ListAccountsOutput, error) + ListAccountsWithContext(aws.Context, *sso.ListAccountsInput, ...request.Option) (*sso.ListAccountsOutput, error) + ListAccountsRequest(*sso.ListAccountsInput) (*request.Request, *sso.ListAccountsOutput) + + ListAccountsPages(*sso.ListAccountsInput, func(*sso.ListAccountsOutput, bool) bool) error + ListAccountsPagesWithContext(aws.Context, *sso.ListAccountsInput, func(*sso.ListAccountsOutput, bool) bool, ...request.Option) error + + Logout(*sso.LogoutInput) (*sso.LogoutOutput, error) + LogoutWithContext(aws.Context, *sso.LogoutInput, ...request.Option) (*sso.LogoutOutput, error) + LogoutRequest(*sso.LogoutInput) (*request.Request, *sso.LogoutOutput) +} + +var _ SSOAPI = (*sso.SSO)(nil) diff --git a/vendor/github.com/aws/aws-sdk-go/service/sts/api.go b/vendor/github.com/aws/aws-sdk-go/service/sts/api.go new file mode 100644 index 000000000..bfc4372f9 --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/service/sts/api.go @@ -0,0 +1,3119 @@ +// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT. + +package sts + +import ( + "fmt" + "time" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/awsutil" + "github.com/aws/aws-sdk-go/aws/credentials" + "github.com/aws/aws-sdk-go/aws/request" +) + +const opAssumeRole = "AssumeRole" + +// AssumeRoleRequest generates a "aws/request.Request" representing the +// client's request for the AssumeRole operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See AssumeRole for more information on using the AssumeRole +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the AssumeRoleRequest method. +// req, resp := client.AssumeRoleRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRole +func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, output *AssumeRoleOutput) { + op := &request.Operation{ + Name: opAssumeRole, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &AssumeRoleInput{} + } + + output = &AssumeRoleOutput{} + req = c.newRequest(op, input, output) + return +} + +// AssumeRole API operation for AWS Security Token Service. +// +// Returns a set of temporary security credentials that you can use to access +// AWS resources that you might not normally have access to. These temporary +// credentials consist of an access key ID, a secret access key, and a security +// token. Typically, you use AssumeRole within your account or for cross-account +// access. For a comparison of AssumeRole with other API operations that produce +// temporary credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) +// and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) +// in the IAM User Guide. +// +// You cannot use AWS account root user credentials to call AssumeRole. You +// must use credentials for an IAM user or an IAM role to call AssumeRole. +// +// For cross-account access, imagine that you own multiple accounts and need +// to access resources in each account. You could create long-term credentials +// in each account to access those resources. However, managing all those credentials +// and remembering which one can access which account can be time consuming. +// Instead, you can create one set of long-term credentials in one account. +// Then use temporary security credentials to access all the other accounts +// by assuming roles in those accounts. For more information about roles, see +// IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) +// in the IAM User Guide. +// +// Session Duration +// +// By default, the temporary security credentials created by AssumeRole last +// for one hour. However, you can use the optional DurationSeconds parameter +// to specify the duration of your session. You can provide a value from 900 +// seconds (15 minutes) up to the maximum session duration setting for the role. +// This setting can have a value from 1 hour to 12 hours. To learn how to view +// the maximum value for your role, see View the Maximum Session Duration Setting +// for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) +// in the IAM User Guide. The maximum session duration limit applies when you +// use the AssumeRole* API operations or the assume-role* CLI commands. However +// the limit does not apply when you use those operations to create a console +// URL. For more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) +// in the IAM User Guide. +// +// Permissions +// +// The temporary security credentials created by AssumeRole can be used to make +// API calls to any AWS service with the following exception: You cannot call +// the AWS STS GetFederationToken or GetSessionToken API operations. +// +// (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) +// to this operation. You can pass a single JSON policy document to use as an +// inline session policy. You can also specify up to 10 managed policies to +// use as managed session policies. The plain text that you use for both inline +// and managed session policies can't exceed 2,048 characters. Passing policies +// to this operation returns new temporary credentials. The resulting session's +// permissions are the intersection of the role's identity-based policy and +// the session policies. You can use the role's temporary credentials in subsequent +// AWS API calls to access resources in the account that owns the role. You +// cannot use session policies to grant more permissions than those allowed +// by the identity-based policy of the role that is being assumed. For more +// information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) +// in the IAM User Guide. +// +// To assume a role from a different account, your AWS account must be trusted +// by the role. The trust relationship is defined in the role's trust policy +// when the role is created. That trust policy states which accounts are allowed +// to delegate that access to users in the account. +// +// A user who wants to access a role in a different account must also have permissions +// that are delegated from the user account administrator. The administrator +// must attach a policy that allows the user to call AssumeRole for the ARN +// of the role in the other account. If the user is in the same account as the +// role, then you can do either of the following: +// +// * Attach a policy to the user (identical to the previous user in a different +// account). +// +// * Add the user as a principal directly in the role's trust policy. +// +// In this case, the trust policy acts as an IAM resource-based policy. Users +// in the same account as the role do not need explicit permission to assume +// the role. For more information about trust policies and resource-based policies, +// see IAM Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) +// in the IAM User Guide. +// +// Tags +// +// (Optional) You can pass tag key-value pairs to your session. These tags are +// called session tags. For more information about session tags, see Passing +// Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) +// in the IAM User Guide. +// +// An administrator must grant you the permissions necessary to pass session +// tags. The administrator can also create granular permissions to allow you +// to pass only specific session tags. For more information, see Tutorial: Using +// Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html) +// in the IAM User Guide. +// +// You can set the session tags as transitive. Transitive tags persist during +// role chaining. For more information, see Chaining Roles with Session Tags +// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining) +// in the IAM User Guide. +// +// Using MFA with AssumeRole +// +// (Optional) You can include multi-factor authentication (MFA) information +// when you call AssumeRole. This is useful for cross-account scenarios to ensure +// that the user that assumes the role has been authenticated with an AWS MFA +// device. In that scenario, the trust policy of the role being assumed includes +// a condition that tests for MFA authentication. If the caller does not include +// valid MFA information, the request to assume the role is denied. The condition +// in a trust policy that tests for MFA authentication might look like the following +// example. +// +// "Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}} +// +// For more information, see Configuring MFA-Protected API Access (https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html) +// in the IAM User Guide guide. +// +// To use MFA with AssumeRole, you pass values for the SerialNumber and TokenCode +// parameters. The SerialNumber value identifies the user's hardware or virtual +// MFA device. The TokenCode is the time-based one-time password (TOTP) that +// the MFA device produces. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Security Token Service's +// API operation AssumeRole for usage and error information. +// +// Returned Error Codes: +// * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument" +// The request was rejected because the policy document was malformed. The error +// message describes the specific error. +// +// * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge" +// The request was rejected because the total packed size of the session policies +// and session tags combined was too large. An AWS conversion compresses the +// session policy document, session policy ARNs, and session tags into a packed +// binary format that has a separate limit. The error message indicates by percentage +// how close the policies and tags are to the upper size limit. For more information, +// see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) +// in the IAM User Guide. +// +// You could receive this error even though you meet other defined session policy +// and session tag limits. For more information, see IAM and STS Entity Character +// Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) +// in the IAM User Guide. +// +// * ErrCodeRegionDisabledException "RegionDisabledException" +// STS is not activated in the requested region for the account that is being +// asked to generate credentials. The account administrator must use the IAM +// console to activate STS in that region. For more information, see Activating +// and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) +// in the IAM User Guide. +// +// * ErrCodeExpiredTokenException "ExpiredTokenException" +// The web identity token that was passed is expired or is not valid. Get a +// new identity token from the identity provider and then retry the request. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRole +func (c *STS) AssumeRole(input *AssumeRoleInput) (*AssumeRoleOutput, error) { + req, out := c.AssumeRoleRequest(input) + return out, req.Send() +} + +// AssumeRoleWithContext is the same as AssumeRole with the addition of +// the ability to pass a context and additional request options. +// +// See AssumeRole for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *STS) AssumeRoleWithContext(ctx aws.Context, input *AssumeRoleInput, opts ...request.Option) (*AssumeRoleOutput, error) { + req, out := c.AssumeRoleRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opAssumeRoleWithSAML = "AssumeRoleWithSAML" + +// AssumeRoleWithSAMLRequest generates a "aws/request.Request" representing the +// client's request for the AssumeRoleWithSAML operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See AssumeRoleWithSAML for more information on using the AssumeRoleWithSAML +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the AssumeRoleWithSAMLRequest method. +// req, resp := client.AssumeRoleWithSAMLRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAML +func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *request.Request, output *AssumeRoleWithSAMLOutput) { + op := &request.Operation{ + Name: opAssumeRoleWithSAML, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &AssumeRoleWithSAMLInput{} + } + + output = &AssumeRoleWithSAMLOutput{} + req = c.newRequest(op, input, output) + req.Config.Credentials = credentials.AnonymousCredentials + return +} + +// AssumeRoleWithSAML API operation for AWS Security Token Service. +// +// Returns a set of temporary security credentials for users who have been authenticated +// via a SAML authentication response. This operation provides a mechanism for +// tying an enterprise identity store or directory to role-based AWS access +// without user-specific credentials or configuration. For a comparison of AssumeRoleWithSAML +// with the other API operations that produce temporary credentials, see Requesting +// Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) +// and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) +// in the IAM User Guide. +// +// The temporary security credentials returned by this operation consist of +// an access key ID, a secret access key, and a security token. Applications +// can use these temporary security credentials to sign calls to AWS services. +// +// Session Duration +// +// By default, the temporary security credentials created by AssumeRoleWithSAML +// last for one hour. However, you can use the optional DurationSeconds parameter +// to specify the duration of your session. Your role session lasts for the +// duration that you specify, or until the time specified in the SAML authentication +// response's SessionNotOnOrAfter value, whichever is shorter. You can provide +// a DurationSeconds value from 900 seconds (15 minutes) up to the maximum session +// duration setting for the role. This setting can have a value from 1 hour +// to 12 hours. To learn how to view the maximum value for your role, see View +// the Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) +// in the IAM User Guide. The maximum session duration limit applies when you +// use the AssumeRole* API operations or the assume-role* CLI commands. However +// the limit does not apply when you use those operations to create a console +// URL. For more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) +// in the IAM User Guide. +// +// Permissions +// +// The temporary security credentials created by AssumeRoleWithSAML can be used +// to make API calls to any AWS service with the following exception: you cannot +// call the STS GetFederationToken or GetSessionToken API operations. +// +// (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) +// to this operation. You can pass a single JSON policy document to use as an +// inline session policy. You can also specify up to 10 managed policies to +// use as managed session policies. The plain text that you use for both inline +// and managed session policies can't exceed 2,048 characters. Passing policies +// to this operation returns new temporary credentials. The resulting session's +// permissions are the intersection of the role's identity-based policy and +// the session policies. You can use the role's temporary credentials in subsequent +// AWS API calls to access resources in the account that owns the role. You +// cannot use session policies to grant more permissions than those allowed +// by the identity-based policy of the role that is being assumed. For more +// information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) +// in the IAM User Guide. +// +// Calling AssumeRoleWithSAML does not require the use of AWS security credentials. +// The identity of the caller is validated by using keys in the metadata document +// that is uploaded for the SAML provider entity for your identity provider. +// +// Calling AssumeRoleWithSAML can result in an entry in your AWS CloudTrail +// logs. The entry includes the value in the NameID element of the SAML assertion. +// We recommend that you use a NameIDType that is not associated with any personally +// identifiable information (PII). For example, you could instead use the persistent +// identifier (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent). +// +// Tags +// +// (Optional) You can configure your IdP to pass attributes into your SAML assertion +// as session tags. Each session tag consists of a key name and an associated +// value. For more information about session tags, see Passing Session Tags +// in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) +// in the IAM User Guide. +// +// You can pass up to 50 session tags. The plain text session tag keys can’t +// exceed 128 characters and the values can’t exceed 256 characters. For these +// and additional limits, see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length) +// in the IAM User Guide. +// +// An AWS conversion compresses the passed session policies and session tags +// into a packed binary format that has a separate limit. Your request can fail +// for this limit even if your plain text meets the other requirements. The +// PackedPolicySize response element indicates by percentage how close the policies +// and tags for your request are to the upper size limit. +// +// You can pass a session tag with the same key as a tag that is attached to +// the role. When you do, session tags override the role's tags with the same +// key. +// +// An administrator must grant you the permissions necessary to pass session +// tags. The administrator can also create granular permissions to allow you +// to pass only specific session tags. For more information, see Tutorial: Using +// Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html) +// in the IAM User Guide. +// +// You can set the session tags as transitive. Transitive tags persist during +// role chaining. For more information, see Chaining Roles with Session Tags +// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining) +// in the IAM User Guide. +// +// SAML Configuration +// +// Before your application can call AssumeRoleWithSAML, you must configure your +// SAML identity provider (IdP) to issue the claims required by AWS. Additionally, +// you must use AWS Identity and Access Management (IAM) to create a SAML provider +// entity in your AWS account that represents your identity provider. You must +// also create an IAM role that specifies this SAML provider in its trust policy. +// +// For more information, see the following resources: +// +// * About SAML 2.0-based Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html) +// in the IAM User Guide. +// +// * Creating SAML Identity Providers (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html) +// in the IAM User Guide. +// +// * Configuring a Relying Party and Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html) +// in the IAM User Guide. +// +// * Creating a Role for SAML 2.0 Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html) +// in the IAM User Guide. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Security Token Service's +// API operation AssumeRoleWithSAML for usage and error information. +// +// Returned Error Codes: +// * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument" +// The request was rejected because the policy document was malformed. The error +// message describes the specific error. +// +// * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge" +// The request was rejected because the total packed size of the session policies +// and session tags combined was too large. An AWS conversion compresses the +// session policy document, session policy ARNs, and session tags into a packed +// binary format that has a separate limit. The error message indicates by percentage +// how close the policies and tags are to the upper size limit. For more information, +// see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) +// in the IAM User Guide. +// +// You could receive this error even though you meet other defined session policy +// and session tag limits. For more information, see IAM and STS Entity Character +// Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) +// in the IAM User Guide. +// +// * ErrCodeIDPRejectedClaimException "IDPRejectedClaim" +// The identity provider (IdP) reported that authentication failed. This might +// be because the claim is invalid. +// +// If this error is returned for the AssumeRoleWithWebIdentity operation, it +// can also mean that the claim has expired or has been explicitly revoked. +// +// * ErrCodeInvalidIdentityTokenException "InvalidIdentityToken" +// The web identity token that was passed could not be validated by AWS. Get +// a new identity token from the identity provider and then retry the request. +// +// * ErrCodeExpiredTokenException "ExpiredTokenException" +// The web identity token that was passed is expired or is not valid. Get a +// new identity token from the identity provider and then retry the request. +// +// * ErrCodeRegionDisabledException "RegionDisabledException" +// STS is not activated in the requested region for the account that is being +// asked to generate credentials. The account administrator must use the IAM +// console to activate STS in that region. For more information, see Activating +// and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) +// in the IAM User Guide. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAML +func (c *STS) AssumeRoleWithSAML(input *AssumeRoleWithSAMLInput) (*AssumeRoleWithSAMLOutput, error) { + req, out := c.AssumeRoleWithSAMLRequest(input) + return out, req.Send() +} + +// AssumeRoleWithSAMLWithContext is the same as AssumeRoleWithSAML with the addition of +// the ability to pass a context and additional request options. +// +// See AssumeRoleWithSAML for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *STS) AssumeRoleWithSAMLWithContext(ctx aws.Context, input *AssumeRoleWithSAMLInput, opts ...request.Option) (*AssumeRoleWithSAMLOutput, error) { + req, out := c.AssumeRoleWithSAMLRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opAssumeRoleWithWebIdentity = "AssumeRoleWithWebIdentity" + +// AssumeRoleWithWebIdentityRequest generates a "aws/request.Request" representing the +// client's request for the AssumeRoleWithWebIdentity operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See AssumeRoleWithWebIdentity for more information on using the AssumeRoleWithWebIdentity +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the AssumeRoleWithWebIdentityRequest method. +// req, resp := client.AssumeRoleWithWebIdentityRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentity +func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityInput) (req *request.Request, output *AssumeRoleWithWebIdentityOutput) { + op := &request.Operation{ + Name: opAssumeRoleWithWebIdentity, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &AssumeRoleWithWebIdentityInput{} + } + + output = &AssumeRoleWithWebIdentityOutput{} + req = c.newRequest(op, input, output) + req.Config.Credentials = credentials.AnonymousCredentials + return +} + +// AssumeRoleWithWebIdentity API operation for AWS Security Token Service. +// +// Returns a set of temporary security credentials for users who have been authenticated +// in a mobile or web application with a web identity provider. Example providers +// include Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID +// Connect-compatible identity provider. +// +// For mobile applications, we recommend that you use Amazon Cognito. You can +// use Amazon Cognito with the AWS SDK for iOS Developer Guide (http://aws.amazon.com/sdkforios/) +// and the AWS SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/) +// to uniquely identify a user. You can also supply the user with a consistent +// identity throughout the lifetime of an application. +// +// To learn more about Amazon Cognito, see Amazon Cognito Overview (https://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840) +// in AWS SDK for Android Developer Guide and Amazon Cognito Overview (https://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664) +// in the AWS SDK for iOS Developer Guide. +// +// Calling AssumeRoleWithWebIdentity does not require the use of AWS security +// credentials. Therefore, you can distribute an application (for example, on +// mobile devices) that requests temporary security credentials without including +// long-term AWS credentials in the application. You also don't need to deploy +// server-based proxy services that use long-term AWS credentials. Instead, +// the identity of the caller is validated by using a token from the web identity +// provider. For a comparison of AssumeRoleWithWebIdentity with the other API +// operations that produce temporary credentials, see Requesting Temporary Security +// Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) +// and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) +// in the IAM User Guide. +// +// The temporary security credentials returned by this API consist of an access +// key ID, a secret access key, and a security token. Applications can use these +// temporary security credentials to sign calls to AWS service API operations. +// +// Session Duration +// +// By default, the temporary security credentials created by AssumeRoleWithWebIdentity +// last for one hour. However, you can use the optional DurationSeconds parameter +// to specify the duration of your session. You can provide a value from 900 +// seconds (15 minutes) up to the maximum session duration setting for the role. +// This setting can have a value from 1 hour to 12 hours. To learn how to view +// the maximum value for your role, see View the Maximum Session Duration Setting +// for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) +// in the IAM User Guide. The maximum session duration limit applies when you +// use the AssumeRole* API operations or the assume-role* CLI commands. However +// the limit does not apply when you use those operations to create a console +// URL. For more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) +// in the IAM User Guide. +// +// Permissions +// +// The temporary security credentials created by AssumeRoleWithWebIdentity can +// be used to make API calls to any AWS service with the following exception: +// you cannot call the STS GetFederationToken or GetSessionToken API operations. +// +// (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) +// to this operation. You can pass a single JSON policy document to use as an +// inline session policy. You can also specify up to 10 managed policies to +// use as managed session policies. The plain text that you use for both inline +// and managed session policies can't exceed 2,048 characters. Passing policies +// to this operation returns new temporary credentials. The resulting session's +// permissions are the intersection of the role's identity-based policy and +// the session policies. You can use the role's temporary credentials in subsequent +// AWS API calls to access resources in the account that owns the role. You +// cannot use session policies to grant more permissions than those allowed +// by the identity-based policy of the role that is being assumed. For more +// information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) +// in the IAM User Guide. +// +// Tags +// +// (Optional) You can configure your IdP to pass attributes into your web identity +// token as session tags. Each session tag consists of a key name and an associated +// value. For more information about session tags, see Passing Session Tags +// in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) +// in the IAM User Guide. +// +// You can pass up to 50 session tags. The plain text session tag keys can’t +// exceed 128 characters and the values can’t exceed 256 characters. For these +// and additional limits, see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length) +// in the IAM User Guide. +// +// An AWS conversion compresses the passed session policies and session tags +// into a packed binary format that has a separate limit. Your request can fail +// for this limit even if your plain text meets the other requirements. The +// PackedPolicySize response element indicates by percentage how close the policies +// and tags for your request are to the upper size limit. +// +// You can pass a session tag with the same key as a tag that is attached to +// the role. When you do, the session tag overrides the role tag with the same +// key. +// +// An administrator must grant you the permissions necessary to pass session +// tags. The administrator can also create granular permissions to allow you +// to pass only specific session tags. For more information, see Tutorial: Using +// Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html) +// in the IAM User Guide. +// +// You can set the session tags as transitive. Transitive tags persist during +// role chaining. For more information, see Chaining Roles with Session Tags +// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining) +// in the IAM User Guide. +// +// Identities +// +// Before your application can call AssumeRoleWithWebIdentity, you must have +// an identity token from a supported identity provider and create a role that +// the application can assume. The role that your application assumes must trust +// the identity provider that is associated with the identity token. In other +// words, the identity provider must be specified in the role's trust policy. +// +// Calling AssumeRoleWithWebIdentity can result in an entry in your AWS CloudTrail +// logs. The entry includes the Subject (http://openid.net/specs/openid-connect-core-1_0.html#Claims) +// of the provided Web Identity Token. We recommend that you avoid using any +// personally identifiable information (PII) in this field. For example, you +// could instead use a GUID or a pairwise identifier, as suggested in the OIDC +// specification (http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes). +// +// For more information about how to use web identity federation and the AssumeRoleWithWebIdentity +// API, see the following resources: +// +// * Using Web Identity Federation API Operations for Mobile Apps (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html) +// and Federation Through a Web-based Identity Provider (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity). +// +// * Web Identity Federation Playground (https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/). +// Walk through the process of authenticating through Login with Amazon, +// Facebook, or Google, getting temporary security credentials, and then +// using those credentials to make a request to AWS. +// +// * AWS SDK for iOS Developer Guide (http://aws.amazon.com/sdkforios/) and +// AWS SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/). +// These toolkits contain sample apps that show how to invoke the identity +// providers. The toolkits then show how to use the information from these +// providers to get and use temporary security credentials. +// +// * Web Identity Federation with Mobile Applications (http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications). +// This article discusses web identity federation and shows an example of +// how to use web identity federation to get access to content in Amazon +// S3. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Security Token Service's +// API operation AssumeRoleWithWebIdentity for usage and error information. +// +// Returned Error Codes: +// * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument" +// The request was rejected because the policy document was malformed. The error +// message describes the specific error. +// +// * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge" +// The request was rejected because the total packed size of the session policies +// and session tags combined was too large. An AWS conversion compresses the +// session policy document, session policy ARNs, and session tags into a packed +// binary format that has a separate limit. The error message indicates by percentage +// how close the policies and tags are to the upper size limit. For more information, +// see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) +// in the IAM User Guide. +// +// You could receive this error even though you meet other defined session policy +// and session tag limits. For more information, see IAM and STS Entity Character +// Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) +// in the IAM User Guide. +// +// * ErrCodeIDPRejectedClaimException "IDPRejectedClaim" +// The identity provider (IdP) reported that authentication failed. This might +// be because the claim is invalid. +// +// If this error is returned for the AssumeRoleWithWebIdentity operation, it +// can also mean that the claim has expired or has been explicitly revoked. +// +// * ErrCodeIDPCommunicationErrorException "IDPCommunicationError" +// The request could not be fulfilled because the identity provider (IDP) that +// was asked to verify the incoming identity token could not be reached. This +// is often a transient error caused by network conditions. Retry the request +// a limited number of times so that you don't exceed the request rate. If the +// error persists, the identity provider might be down or not responding. +// +// * ErrCodeInvalidIdentityTokenException "InvalidIdentityToken" +// The web identity token that was passed could not be validated by AWS. Get +// a new identity token from the identity provider and then retry the request. +// +// * ErrCodeExpiredTokenException "ExpiredTokenException" +// The web identity token that was passed is expired or is not valid. Get a +// new identity token from the identity provider and then retry the request. +// +// * ErrCodeRegionDisabledException "RegionDisabledException" +// STS is not activated in the requested region for the account that is being +// asked to generate credentials. The account administrator must use the IAM +// console to activate STS in that region. For more information, see Activating +// and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) +// in the IAM User Guide. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentity +func (c *STS) AssumeRoleWithWebIdentity(input *AssumeRoleWithWebIdentityInput) (*AssumeRoleWithWebIdentityOutput, error) { + req, out := c.AssumeRoleWithWebIdentityRequest(input) + return out, req.Send() +} + +// AssumeRoleWithWebIdentityWithContext is the same as AssumeRoleWithWebIdentity with the addition of +// the ability to pass a context and additional request options. +// +// See AssumeRoleWithWebIdentity for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *STS) AssumeRoleWithWebIdentityWithContext(ctx aws.Context, input *AssumeRoleWithWebIdentityInput, opts ...request.Option) (*AssumeRoleWithWebIdentityOutput, error) { + req, out := c.AssumeRoleWithWebIdentityRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opDecodeAuthorizationMessage = "DecodeAuthorizationMessage" + +// DecodeAuthorizationMessageRequest generates a "aws/request.Request" representing the +// client's request for the DecodeAuthorizationMessage operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See DecodeAuthorizationMessage for more information on using the DecodeAuthorizationMessage +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the DecodeAuthorizationMessageRequest method. +// req, resp := client.DecodeAuthorizationMessageRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/DecodeAuthorizationMessage +func (c *STS) DecodeAuthorizationMessageRequest(input *DecodeAuthorizationMessageInput) (req *request.Request, output *DecodeAuthorizationMessageOutput) { + op := &request.Operation{ + Name: opDecodeAuthorizationMessage, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &DecodeAuthorizationMessageInput{} + } + + output = &DecodeAuthorizationMessageOutput{} + req = c.newRequest(op, input, output) + return +} + +// DecodeAuthorizationMessage API operation for AWS Security Token Service. +// +// Decodes additional information about the authorization status of a request +// from an encoded message returned in response to an AWS request. +// +// For example, if a user is not authorized to perform an operation that he +// or she has requested, the request returns a Client.UnauthorizedOperation +// response (an HTTP 403 response). Some AWS operations additionally return +// an encoded message that can provide details about this authorization failure. +// +// Only certain AWS operations return an encoded authorization message. The +// documentation for an individual operation indicates whether that operation +// returns an encoded message in addition to returning an HTTP code. +// +// The message is encoded because the details of the authorization status can +// constitute privileged information that the user who requested the operation +// should not see. To decode an authorization status message, a user must be +// granted permissions via an IAM policy to request the DecodeAuthorizationMessage +// (sts:DecodeAuthorizationMessage) action. +// +// The decoded message includes the following type of information: +// +// * Whether the request was denied due to an explicit deny or due to the +// absence of an explicit allow. For more information, see Determining Whether +// a Request is Allowed or Denied (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow) +// in the IAM User Guide. +// +// * The principal who made the request. +// +// * The requested action. +// +// * The requested resource. +// +// * The values of condition keys in the context of the user's request. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Security Token Service's +// API operation DecodeAuthorizationMessage for usage and error information. +// +// Returned Error Codes: +// * ErrCodeInvalidAuthorizationMessageException "InvalidAuthorizationMessageException" +// The error returned if the message passed to DecodeAuthorizationMessage was +// invalid. This can happen if the token contains invalid characters, such as +// linebreaks. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/DecodeAuthorizationMessage +func (c *STS) DecodeAuthorizationMessage(input *DecodeAuthorizationMessageInput) (*DecodeAuthorizationMessageOutput, error) { + req, out := c.DecodeAuthorizationMessageRequest(input) + return out, req.Send() +} + +// DecodeAuthorizationMessageWithContext is the same as DecodeAuthorizationMessage with the addition of +// the ability to pass a context and additional request options. +// +// See DecodeAuthorizationMessage for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *STS) DecodeAuthorizationMessageWithContext(ctx aws.Context, input *DecodeAuthorizationMessageInput, opts ...request.Option) (*DecodeAuthorizationMessageOutput, error) { + req, out := c.DecodeAuthorizationMessageRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opGetAccessKeyInfo = "GetAccessKeyInfo" + +// GetAccessKeyInfoRequest generates a "aws/request.Request" representing the +// client's request for the GetAccessKeyInfo operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See GetAccessKeyInfo for more information on using the GetAccessKeyInfo +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the GetAccessKeyInfoRequest method. +// req, resp := client.GetAccessKeyInfoRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetAccessKeyInfo +func (c *STS) GetAccessKeyInfoRequest(input *GetAccessKeyInfoInput) (req *request.Request, output *GetAccessKeyInfoOutput) { + op := &request.Operation{ + Name: opGetAccessKeyInfo, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &GetAccessKeyInfoInput{} + } + + output = &GetAccessKeyInfoOutput{} + req = c.newRequest(op, input, output) + return +} + +// GetAccessKeyInfo API operation for AWS Security Token Service. +// +// Returns the account identifier for the specified access key ID. +// +// Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) +// and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). +// For more information about access keys, see Managing Access Keys for IAM +// Users (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) +// in the IAM User Guide. +// +// When you pass an access key ID to this operation, it returns the ID of the +// AWS account to which the keys belong. Access key IDs beginning with AKIA +// are long-term credentials for an IAM user or the AWS account root user. Access +// key IDs beginning with ASIA are temporary credentials that are created using +// STS operations. If the account in the response belongs to you, you can sign +// in as the root user and review your root user access keys. Then, you can +// pull a credentials report (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html) +// to learn which IAM user owns the keys. To learn who requested the temporary +// credentials for an ASIA access key, view the STS events in your CloudTrail +// logs (https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html) +// in the IAM User Guide. +// +// This operation does not indicate the state of the access key. The key might +// be active, inactive, or deleted. Active keys might not have permissions to +// perform an operation. Providing a deleted access key might return an error +// that the key doesn't exist. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Security Token Service's +// API operation GetAccessKeyInfo for usage and error information. +// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetAccessKeyInfo +func (c *STS) GetAccessKeyInfo(input *GetAccessKeyInfoInput) (*GetAccessKeyInfoOutput, error) { + req, out := c.GetAccessKeyInfoRequest(input) + return out, req.Send() +} + +// GetAccessKeyInfoWithContext is the same as GetAccessKeyInfo with the addition of +// the ability to pass a context and additional request options. +// +// See GetAccessKeyInfo for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *STS) GetAccessKeyInfoWithContext(ctx aws.Context, input *GetAccessKeyInfoInput, opts ...request.Option) (*GetAccessKeyInfoOutput, error) { + req, out := c.GetAccessKeyInfoRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opGetCallerIdentity = "GetCallerIdentity" + +// GetCallerIdentityRequest generates a "aws/request.Request" representing the +// client's request for the GetCallerIdentity operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See GetCallerIdentity for more information on using the GetCallerIdentity +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the GetCallerIdentityRequest method. +// req, resp := client.GetCallerIdentityRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetCallerIdentity +func (c *STS) GetCallerIdentityRequest(input *GetCallerIdentityInput) (req *request.Request, output *GetCallerIdentityOutput) { + op := &request.Operation{ + Name: opGetCallerIdentity, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &GetCallerIdentityInput{} + } + + output = &GetCallerIdentityOutput{} + req = c.newRequest(op, input, output) + return +} + +// GetCallerIdentity API operation for AWS Security Token Service. +// +// Returns details about the IAM user or role whose credentials are used to +// call the operation. +// +// No permissions are required to perform this operation. If an administrator +// adds a policy to your IAM user or role that explicitly denies access to the +// sts:GetCallerIdentity action, you can still perform this operation. Permissions +// are not required because the same information is returned when an IAM user +// or role is denied access. To view an example response, see I Am Not Authorized +// to Perform: iam:DeleteVirtualMFADevice (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa) +// in the IAM User Guide. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Security Token Service's +// API operation GetCallerIdentity for usage and error information. +// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetCallerIdentity +func (c *STS) GetCallerIdentity(input *GetCallerIdentityInput) (*GetCallerIdentityOutput, error) { + req, out := c.GetCallerIdentityRequest(input) + return out, req.Send() +} + +// GetCallerIdentityWithContext is the same as GetCallerIdentity with the addition of +// the ability to pass a context and additional request options. +// +// See GetCallerIdentity for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *STS) GetCallerIdentityWithContext(ctx aws.Context, input *GetCallerIdentityInput, opts ...request.Option) (*GetCallerIdentityOutput, error) { + req, out := c.GetCallerIdentityRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opGetFederationToken = "GetFederationToken" + +// GetFederationTokenRequest generates a "aws/request.Request" representing the +// client's request for the GetFederationToken operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See GetFederationToken for more information on using the GetFederationToken +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the GetFederationTokenRequest method. +// req, resp := client.GetFederationTokenRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetFederationToken +func (c *STS) GetFederationTokenRequest(input *GetFederationTokenInput) (req *request.Request, output *GetFederationTokenOutput) { + op := &request.Operation{ + Name: opGetFederationToken, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &GetFederationTokenInput{} + } + + output = &GetFederationTokenOutput{} + req = c.newRequest(op, input, output) + return +} + +// GetFederationToken API operation for AWS Security Token Service. +// +// Returns a set of temporary security credentials (consisting of an access +// key ID, a secret access key, and a security token) for a federated user. +// A typical use is in a proxy application that gets temporary security credentials +// on behalf of distributed applications inside a corporate network. You must +// call the GetFederationToken operation using the long-term security credentials +// of an IAM user. As a result, this call is appropriate in contexts where those +// credentials can be safely stored, usually in a server-based application. +// For a comparison of GetFederationToken with the other API operations that +// produce temporary credentials, see Requesting Temporary Security Credentials +// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) +// and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) +// in the IAM User Guide. +// +// You can create a mobile-based or browser-based app that can authenticate +// users using a web identity provider like Login with Amazon, Facebook, Google, +// or an OpenID Connect-compatible identity provider. In this case, we recommend +// that you use Amazon Cognito (http://aws.amazon.com/cognito/) or AssumeRoleWithWebIdentity. +// For more information, see Federation Through a Web-based Identity Provider +// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity) +// in the IAM User Guide. +// +// You can also call GetFederationToken using the security credentials of an +// AWS account root user, but we do not recommend it. Instead, we recommend +// that you create an IAM user for the purpose of the proxy application. Then +// attach a policy to the IAM user that limits federated users to only the actions +// and resources that they need to access. For more information, see IAM Best +// Practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) +// in the IAM User Guide. +// +// Session duration +// +// The temporary credentials are valid for the specified duration, from 900 +// seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default +// session duration is 43,200 seconds (12 hours). Temporary credentials that +// are obtained by using AWS account root user credentials have a maximum duration +// of 3,600 seconds (1 hour). +// +// Permissions +// +// You can use the temporary credentials created by GetFederationToken in any +// AWS service except the following: +// +// * You cannot call any IAM operations using the AWS CLI or the AWS API. +// +// * You cannot call any STS operations except GetCallerIdentity. +// +// You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) +// to this operation. You can pass a single JSON policy document to use as an +// inline session policy. You can also specify up to 10 managed policies to +// use as managed session policies. The plain text that you use for both inline +// and managed session policies can't exceed 2,048 characters. +// +// Though the session policy parameters are optional, if you do not pass a policy, +// then the resulting federated user session has no permissions. When you pass +// session policies, the session permissions are the intersection of the IAM +// user policies and the session policies that you pass. This gives you a way +// to further restrict the permissions for a federated user. You cannot use +// session policies to grant more permissions than those that are defined in +// the permissions policy of the IAM user. For more information, see Session +// Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) +// in the IAM User Guide. For information about using GetFederationToken to +// create temporary security credentials, see GetFederationToken—Federation +// Through a Custom Identity Broker (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken). +// +// You can use the credentials to access a resource that has a resource-based +// policy. If that policy specifically references the federated user session +// in the Principal element of the policy, the session has the permissions allowed +// by the policy. These permissions are granted in addition to the permissions +// granted by the session policies. +// +// Tags +// +// (Optional) You can pass tag key-value pairs to your session. These are called +// session tags. For more information about session tags, see Passing Session +// Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) +// in the IAM User Guide. +// +// An administrator must grant you the permissions necessary to pass session +// tags. The administrator can also create granular permissions to allow you +// to pass only specific session tags. For more information, see Tutorial: Using +// Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html) +// in the IAM User Guide. +// +// Tag key–value pairs are not case sensitive, but case is preserved. This +// means that you cannot have separate Department and department tag keys. Assume +// that the user that you are federating has the Department=Marketing tag and +// you pass the department=engineering session tag. Department and department +// are not saved as separate tags, and the session tag passed in the request +// takes precedence over the user tag. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Security Token Service's +// API operation GetFederationToken for usage and error information. +// +// Returned Error Codes: +// * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument" +// The request was rejected because the policy document was malformed. The error +// message describes the specific error. +// +// * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge" +// The request was rejected because the total packed size of the session policies +// and session tags combined was too large. An AWS conversion compresses the +// session policy document, session policy ARNs, and session tags into a packed +// binary format that has a separate limit. The error message indicates by percentage +// how close the policies and tags are to the upper size limit. For more information, +// see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) +// in the IAM User Guide. +// +// You could receive this error even though you meet other defined session policy +// and session tag limits. For more information, see IAM and STS Entity Character +// Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) +// in the IAM User Guide. +// +// * ErrCodeRegionDisabledException "RegionDisabledException" +// STS is not activated in the requested region for the account that is being +// asked to generate credentials. The account administrator must use the IAM +// console to activate STS in that region. For more information, see Activating +// and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) +// in the IAM User Guide. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetFederationToken +func (c *STS) GetFederationToken(input *GetFederationTokenInput) (*GetFederationTokenOutput, error) { + req, out := c.GetFederationTokenRequest(input) + return out, req.Send() +} + +// GetFederationTokenWithContext is the same as GetFederationToken with the addition of +// the ability to pass a context and additional request options. +// +// See GetFederationToken for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *STS) GetFederationTokenWithContext(ctx aws.Context, input *GetFederationTokenInput, opts ...request.Option) (*GetFederationTokenOutput, error) { + req, out := c.GetFederationTokenRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opGetSessionToken = "GetSessionToken" + +// GetSessionTokenRequest generates a "aws/request.Request" representing the +// client's request for the GetSessionToken operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See GetSessionToken for more information on using the GetSessionToken +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the GetSessionTokenRequest method. +// req, resp := client.GetSessionTokenRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetSessionToken +func (c *STS) GetSessionTokenRequest(input *GetSessionTokenInput) (req *request.Request, output *GetSessionTokenOutput) { + op := &request.Operation{ + Name: opGetSessionToken, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &GetSessionTokenInput{} + } + + output = &GetSessionTokenOutput{} + req = c.newRequest(op, input, output) + return +} + +// GetSessionToken API operation for AWS Security Token Service. +// +// Returns a set of temporary credentials for an AWS account or IAM user. The +// credentials consist of an access key ID, a secret access key, and a security +// token. Typically, you use GetSessionToken if you want to use MFA to protect +// programmatic calls to specific AWS API operations like Amazon EC2 StopInstances. +// MFA-enabled IAM users would need to call GetSessionToken and submit an MFA +// code that is associated with their MFA device. Using the temporary security +// credentials that are returned from the call, IAM users can then make programmatic +// calls to API operations that require MFA authentication. If you do not supply +// a correct MFA code, then the API returns an access denied error. For a comparison +// of GetSessionToken with the other API operations that produce temporary credentials, +// see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) +// and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) +// in the IAM User Guide. +// +// Session Duration +// +// The GetSessionToken operation must be called by using the long-term AWS security +// credentials of the AWS account root user or an IAM user. Credentials that +// are created by IAM users are valid for the duration that you specify. This +// duration can range from 900 seconds (15 minutes) up to a maximum of 129,600 +// seconds (36 hours), with a default of 43,200 seconds (12 hours). Credentials +// based on account credentials can range from 900 seconds (15 minutes) up to +// 3,600 seconds (1 hour), with a default of 1 hour. +// +// Permissions +// +// The temporary security credentials created by GetSessionToken can be used +// to make API calls to any AWS service with the following exceptions: +// +// * You cannot call any IAM API operations unless MFA authentication information +// is included in the request. +// +// * You cannot call any STS API except AssumeRole or GetCallerIdentity. +// +// We recommend that you do not call GetSessionToken with AWS account root user +// credentials. Instead, follow our best practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users) +// by creating one or more IAM users, giving them the necessary permissions, +// and using IAM users for everyday interaction with AWS. +// +// The credentials that are returned by GetSessionToken are based on permissions +// associated with the user whose credentials were used to call the operation. +// If GetSessionToken is called using AWS account root user credentials, the +// temporary credentials have root user permissions. Similarly, if GetSessionToken +// is called using the credentials of an IAM user, the temporary credentials +// have the same permissions as the IAM user. +// +// For more information about using GetSessionToken to create temporary credentials, +// go to Temporary Credentials for Users in Untrusted Environments (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken) +// in the IAM User Guide. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Security Token Service's +// API operation GetSessionToken for usage and error information. +// +// Returned Error Codes: +// * ErrCodeRegionDisabledException "RegionDisabledException" +// STS is not activated in the requested region for the account that is being +// asked to generate credentials. The account administrator must use the IAM +// console to activate STS in that region. For more information, see Activating +// and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) +// in the IAM User Guide. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetSessionToken +func (c *STS) GetSessionToken(input *GetSessionTokenInput) (*GetSessionTokenOutput, error) { + req, out := c.GetSessionTokenRequest(input) + return out, req.Send() +} + +// GetSessionTokenWithContext is the same as GetSessionToken with the addition of +// the ability to pass a context and additional request options. +// +// See GetSessionToken for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *STS) GetSessionTokenWithContext(ctx aws.Context, input *GetSessionTokenInput, opts ...request.Option) (*GetSessionTokenOutput, error) { + req, out := c.GetSessionTokenRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +type AssumeRoleInput struct { + _ struct{} `type:"structure"` + + // The duration, in seconds, of the role session. The value can range from 900 + // seconds (15 minutes) up to the maximum session duration setting for the role. + // This setting can have a value from 1 hour to 12 hours. If you specify a value + // higher than this setting, the operation fails. For example, if you specify + // a session duration of 12 hours, but your administrator set the maximum session + // duration to 6 hours, your operation fails. To learn how to view the maximum + // value for your role, see View the Maximum Session Duration Setting for a + // Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) + // in the IAM User Guide. + // + // By default, the value is set to 3600 seconds. + // + // The DurationSeconds parameter is separate from the duration of a console + // session that you might request using the returned credentials. The request + // to the federation endpoint for a console sign-in token takes a SessionDuration + // parameter that specifies the maximum length of the console session. For more + // information, see Creating a URL that Enables Federated Users to Access the + // AWS Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html) + // in the IAM User Guide. + DurationSeconds *int64 `min:"900" type:"integer"` + + // A unique identifier that might be required when you assume a role in another + // account. If the administrator of the account to which the role belongs provided + // you with an external ID, then provide that value in the ExternalId parameter. + // This value can be any string, such as a passphrase or account number. A cross-account + // role is usually set up to trust everyone in an account. Therefore, the administrator + // of the trusting account might send an external ID to the administrator of + // the trusted account. That way, only someone with the ID can assume the role, + // rather than everyone in the account. For more information about the external + // ID, see How to Use an External ID When Granting Access to Your AWS Resources + // to a Third Party (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html) + // in the IAM User Guide. + // + // The regex used to validate this parameter is a string of characters consisting + // of upper- and lower-case alphanumeric characters with no spaces. You can + // also include underscores or any of the following characters: =,.@:/- + ExternalId *string `min:"2" type:"string"` + + // An IAM policy in JSON format that you want to use as an inline session policy. + // + // This parameter is optional. Passing policies to this operation returns new + // temporary credentials. The resulting session's permissions are the intersection + // of the role's identity-based policy and the session policies. You can use + // the role's temporary credentials in subsequent AWS API calls to access resources + // in the account that owns the role. You cannot use session policies to grant + // more permissions than those allowed by the identity-based policy of the role + // that is being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) + // in the IAM User Guide. + // + // The plain text that you use for both inline and managed session policies + // can't exceed 2,048 characters. The JSON policy characters can be any ASCII + // character from the space character to the end of the valid character list + // (\u0020 through \u00FF). It can also include the tab (\u0009), linefeed (\u000A), + // and carriage return (\u000D) characters. + // + // An AWS conversion compresses the passed session policies and session tags + // into a packed binary format that has a separate limit. Your request can fail + // for this limit even if your plain text meets the other requirements. The + // PackedPolicySize response element indicates by percentage how close the policies + // and tags for your request are to the upper size limit. + Policy *string `min:"1" type:"string"` + + // The Amazon Resource Names (ARNs) of the IAM managed policies that you want + // to use as managed session policies. The policies must exist in the same account + // as the role. + // + // This parameter is optional. You can provide up to 10 managed policy ARNs. + // However, the plain text that you use for both inline and managed session + // policies can't exceed 2,048 characters. For more information about ARNs, + // see Amazon Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) + // in the AWS General Reference. + // + // An AWS conversion compresses the passed session policies and session tags + // into a packed binary format that has a separate limit. Your request can fail + // for this limit even if your plain text meets the other requirements. The + // PackedPolicySize response element indicates by percentage how close the policies + // and tags for your request are to the upper size limit. + // + // Passing policies to this operation returns new temporary credentials. The + // resulting session's permissions are the intersection of the role's identity-based + // policy and the session policies. You can use the role's temporary credentials + // in subsequent AWS API calls to access resources in the account that owns + // the role. You cannot use session policies to grant more permissions than + // those allowed by the identity-based policy of the role that is being assumed. + // For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) + // in the IAM User Guide. + PolicyArns []*PolicyDescriptorType `type:"list"` + + // The Amazon Resource Name (ARN) of the role to assume. + // + // RoleArn is a required field + RoleArn *string `min:"20" type:"string" required:"true"` + + // An identifier for the assumed role session. + // + // Use the role session name to uniquely identify a session when the same role + // is assumed by different principals or for different reasons. In cross-account + // scenarios, the role session name is visible to, and can be logged by the + // account that owns the role. The role session name is also used in the ARN + // of the assumed role principal. This means that subsequent cross-account API + // requests that use the temporary security credentials will expose the role + // session name to the external account in their AWS CloudTrail logs. + // + // The regex used to validate this parameter is a string of characters consisting + // of upper- and lower-case alphanumeric characters with no spaces. You can + // also include underscores or any of the following characters: =,.@- + // + // RoleSessionName is a required field + RoleSessionName *string `min:"2" type:"string" required:"true"` + + // The identification number of the MFA device that is associated with the user + // who is making the AssumeRole call. Specify this value if the trust policy + // of the role being assumed includes a condition that requires MFA authentication. + // The value is either the serial number for a hardware device (such as GAHT12345678) + // or an Amazon Resource Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user). + // + // The regex used to validate this parameter is a string of characters consisting + // of upper- and lower-case alphanumeric characters with no spaces. You can + // also include underscores or any of the following characters: =,.@- + SerialNumber *string `min:"9" type:"string"` + + // A list of session tags that you want to pass. Each session tag consists of + // a key name and an associated value. For more information about session tags, + // see Tagging AWS STS Sessions (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) + // in the IAM User Guide. + // + // This parameter is optional. You can pass up to 50 session tags. The plain + // text session tag keys can’t exceed 128 characters, and the values can’t + // exceed 256 characters. For these and additional limits, see IAM and STS Character + // Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length) + // in the IAM User Guide. + // + // An AWS conversion compresses the passed session policies and session tags + // into a packed binary format that has a separate limit. Your request can fail + // for this limit even if your plain text meets the other requirements. The + // PackedPolicySize response element indicates by percentage how close the policies + // and tags for your request are to the upper size limit. + // + // You can pass a session tag with the same key as a tag that is already attached + // to the role. When you do, session tags override a role tag with the same + // key. + // + // Tag key–value pairs are not case sensitive, but case is preserved. This + // means that you cannot have separate Department and department tag keys. Assume + // that the role has the Department=Marketing tag and you pass the department=engineering + // session tag. Department and department are not saved as separate tags, and + // the session tag passed in the request takes precedence over the role tag. + // + // Additionally, if you used temporary credentials to perform this operation, + // the new session inherits any transitive session tags from the calling session. + // If you pass a session tag with the same key as an inherited tag, the operation + // fails. To view the inherited tags for a session, see the AWS CloudTrail logs. + // For more information, see Viewing Session Tags in CloudTrail (https://docs.aws.amazon.com/IAM/latest/UserGuide/session-tags.html#id_session-tags_ctlogs) + // in the IAM User Guide. + Tags []*Tag `type:"list"` + + // The value provided by the MFA device, if the trust policy of the role being + // assumed requires MFA (that is, if the policy includes a condition that tests + // for MFA). If the role being assumed requires MFA and if the TokenCode value + // is missing or expired, the AssumeRole call returns an "access denied" error. + // + // The format for this parameter, as described by its regex pattern, is a sequence + // of six numeric digits. + TokenCode *string `min:"6" type:"string"` + + // A list of keys for session tags that you want to set as transitive. If you + // set a tag key as transitive, the corresponding key and value passes to subsequent + // sessions in a role chain. For more information, see Chaining Roles with Session + // Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining) + // in the IAM User Guide. + // + // This parameter is optional. When you set session tags as transitive, the + // session policy and session tags packed binary limit is not affected. + // + // If you choose not to specify a transitive tag key, then no tags are passed + // from this session to any subsequent sessions. + TransitiveTagKeys []*string `type:"list"` +} + +// String returns the string representation +func (s AssumeRoleInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s AssumeRoleInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *AssumeRoleInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "AssumeRoleInput"} + if s.DurationSeconds != nil && *s.DurationSeconds < 900 { + invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900)) + } + if s.ExternalId != nil && len(*s.ExternalId) < 2 { + invalidParams.Add(request.NewErrParamMinLen("ExternalId", 2)) + } + if s.Policy != nil && len(*s.Policy) < 1 { + invalidParams.Add(request.NewErrParamMinLen("Policy", 1)) + } + if s.RoleArn == nil { + invalidParams.Add(request.NewErrParamRequired("RoleArn")) + } + if s.RoleArn != nil && len(*s.RoleArn) < 20 { + invalidParams.Add(request.NewErrParamMinLen("RoleArn", 20)) + } + if s.RoleSessionName == nil { + invalidParams.Add(request.NewErrParamRequired("RoleSessionName")) + } + if s.RoleSessionName != nil && len(*s.RoleSessionName) < 2 { + invalidParams.Add(request.NewErrParamMinLen("RoleSessionName", 2)) + } + if s.SerialNumber != nil && len(*s.SerialNumber) < 9 { + invalidParams.Add(request.NewErrParamMinLen("SerialNumber", 9)) + } + if s.TokenCode != nil && len(*s.TokenCode) < 6 { + invalidParams.Add(request.NewErrParamMinLen("TokenCode", 6)) + } + if s.PolicyArns != nil { + for i, v := range s.PolicyArns { + if v == nil { + continue + } + if err := v.Validate(); err != nil { + invalidParams.AddNested(fmt.Sprintf("%s[%v]", "PolicyArns", i), err.(request.ErrInvalidParams)) + } + } + } + if s.Tags != nil { + for i, v := range s.Tags { + if v == nil { + continue + } + if err := v.Validate(); err != nil { + invalidParams.AddNested(fmt.Sprintf("%s[%v]", "Tags", i), err.(request.ErrInvalidParams)) + } + } + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetDurationSeconds sets the DurationSeconds field's value. +func (s *AssumeRoleInput) SetDurationSeconds(v int64) *AssumeRoleInput { + s.DurationSeconds = &v + return s +} + +// SetExternalId sets the ExternalId field's value. +func (s *AssumeRoleInput) SetExternalId(v string) *AssumeRoleInput { + s.ExternalId = &v + return s +} + +// SetPolicy sets the Policy field's value. +func (s *AssumeRoleInput) SetPolicy(v string) *AssumeRoleInput { + s.Policy = &v + return s +} + +// SetPolicyArns sets the PolicyArns field's value. +func (s *AssumeRoleInput) SetPolicyArns(v []*PolicyDescriptorType) *AssumeRoleInput { + s.PolicyArns = v + return s +} + +// SetRoleArn sets the RoleArn field's value. +func (s *AssumeRoleInput) SetRoleArn(v string) *AssumeRoleInput { + s.RoleArn = &v + return s +} + +// SetRoleSessionName sets the RoleSessionName field's value. +func (s *AssumeRoleInput) SetRoleSessionName(v string) *AssumeRoleInput { + s.RoleSessionName = &v + return s +} + +// SetSerialNumber sets the SerialNumber field's value. +func (s *AssumeRoleInput) SetSerialNumber(v string) *AssumeRoleInput { + s.SerialNumber = &v + return s +} + +// SetTags sets the Tags field's value. +func (s *AssumeRoleInput) SetTags(v []*Tag) *AssumeRoleInput { + s.Tags = v + return s +} + +// SetTokenCode sets the TokenCode field's value. +func (s *AssumeRoleInput) SetTokenCode(v string) *AssumeRoleInput { + s.TokenCode = &v + return s +} + +// SetTransitiveTagKeys sets the TransitiveTagKeys field's value. +func (s *AssumeRoleInput) SetTransitiveTagKeys(v []*string) *AssumeRoleInput { + s.TransitiveTagKeys = v + return s +} + +// Contains the response to a successful AssumeRole request, including temporary +// AWS credentials that can be used to make AWS requests. +type AssumeRoleOutput struct { + _ struct{} `type:"structure"` + + // The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers + // that you can use to refer to the resulting temporary security credentials. + // For example, you can reference these credentials as a principal in a resource-based + // policy by using the ARN or assumed role ID. The ARN and ID include the RoleSessionName + // that you specified when you called AssumeRole. + AssumedRoleUser *AssumedRoleUser `type:"structure"` + + // The temporary security credentials, which include an access key ID, a secret + // access key, and a security (or session) token. + // + // The size of the security token that STS API operations return is not fixed. + // We strongly recommend that you make no assumptions about the maximum size. + Credentials *Credentials `type:"structure"` + + // A percentage value that indicates the packed size of the session policies + // and session tags combined passed in the request. The request fails if the + // packed size is greater than 100 percent, which means the policies and tags + // exceeded the allowed space. + PackedPolicySize *int64 `type:"integer"` +} + +// String returns the string representation +func (s AssumeRoleOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s AssumeRoleOutput) GoString() string { + return s.String() +} + +// SetAssumedRoleUser sets the AssumedRoleUser field's value. +func (s *AssumeRoleOutput) SetAssumedRoleUser(v *AssumedRoleUser) *AssumeRoleOutput { + s.AssumedRoleUser = v + return s +} + +// SetCredentials sets the Credentials field's value. +func (s *AssumeRoleOutput) SetCredentials(v *Credentials) *AssumeRoleOutput { + s.Credentials = v + return s +} + +// SetPackedPolicySize sets the PackedPolicySize field's value. +func (s *AssumeRoleOutput) SetPackedPolicySize(v int64) *AssumeRoleOutput { + s.PackedPolicySize = &v + return s +} + +type AssumeRoleWithSAMLInput struct { + _ struct{} `type:"structure"` + + // The duration, in seconds, of the role session. Your role session lasts for + // the duration that you specify for the DurationSeconds parameter, or until + // the time specified in the SAML authentication response's SessionNotOnOrAfter + // value, whichever is shorter. You can provide a DurationSeconds value from + // 900 seconds (15 minutes) up to the maximum session duration setting for the + // role. This setting can have a value from 1 hour to 12 hours. If you specify + // a value higher than this setting, the operation fails. For example, if you + // specify a session duration of 12 hours, but your administrator set the maximum + // session duration to 6 hours, your operation fails. To learn how to view the + // maximum value for your role, see View the Maximum Session Duration Setting + // for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) + // in the IAM User Guide. + // + // By default, the value is set to 3600 seconds. + // + // The DurationSeconds parameter is separate from the duration of a console + // session that you might request using the returned credentials. The request + // to the federation endpoint for a console sign-in token takes a SessionDuration + // parameter that specifies the maximum length of the console session. For more + // information, see Creating a URL that Enables Federated Users to Access the + // AWS Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html) + // in the IAM User Guide. + DurationSeconds *int64 `min:"900" type:"integer"` + + // An IAM policy in JSON format that you want to use as an inline session policy. + // + // This parameter is optional. Passing policies to this operation returns new + // temporary credentials. The resulting session's permissions are the intersection + // of the role's identity-based policy and the session policies. You can use + // the role's temporary credentials in subsequent AWS API calls to access resources + // in the account that owns the role. You cannot use session policies to grant + // more permissions than those allowed by the identity-based policy of the role + // that is being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) + // in the IAM User Guide. + // + // The plain text that you use for both inline and managed session policies + // can't exceed 2,048 characters. The JSON policy characters can be any ASCII + // character from the space character to the end of the valid character list + // (\u0020 through \u00FF). It can also include the tab (\u0009), linefeed (\u000A), + // and carriage return (\u000D) characters. + // + // An AWS conversion compresses the passed session policies and session tags + // into a packed binary format that has a separate limit. Your request can fail + // for this limit even if your plain text meets the other requirements. The + // PackedPolicySize response element indicates by percentage how close the policies + // and tags for your request are to the upper size limit. + Policy *string `min:"1" type:"string"` + + // The Amazon Resource Names (ARNs) of the IAM managed policies that you want + // to use as managed session policies. The policies must exist in the same account + // as the role. + // + // This parameter is optional. You can provide up to 10 managed policy ARNs. + // However, the plain text that you use for both inline and managed session + // policies can't exceed 2,048 characters. For more information about ARNs, + // see Amazon Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) + // in the AWS General Reference. + // + // An AWS conversion compresses the passed session policies and session tags + // into a packed binary format that has a separate limit. Your request can fail + // for this limit even if your plain text meets the other requirements. The + // PackedPolicySize response element indicates by percentage how close the policies + // and tags for your request are to the upper size limit. + // + // Passing policies to this operation returns new temporary credentials. The + // resulting session's permissions are the intersection of the role's identity-based + // policy and the session policies. You can use the role's temporary credentials + // in subsequent AWS API calls to access resources in the account that owns + // the role. You cannot use session policies to grant more permissions than + // those allowed by the identity-based policy of the role that is being assumed. + // For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) + // in the IAM User Guide. + PolicyArns []*PolicyDescriptorType `type:"list"` + + // The Amazon Resource Name (ARN) of the SAML provider in IAM that describes + // the IdP. + // + // PrincipalArn is a required field + PrincipalArn *string `min:"20" type:"string" required:"true"` + + // The Amazon Resource Name (ARN) of the role that the caller is assuming. + // + // RoleArn is a required field + RoleArn *string `min:"20" type:"string" required:"true"` + + // The base-64 encoded SAML authentication response provided by the IdP. + // + // For more information, see Configuring a Relying Party and Adding Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html) + // in the IAM User Guide. + // + // SAMLAssertion is a required field + SAMLAssertion *string `min:"4" type:"string" required:"true"` +} + +// String returns the string representation +func (s AssumeRoleWithSAMLInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s AssumeRoleWithSAMLInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *AssumeRoleWithSAMLInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "AssumeRoleWithSAMLInput"} + if s.DurationSeconds != nil && *s.DurationSeconds < 900 { + invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900)) + } + if s.Policy != nil && len(*s.Policy) < 1 { + invalidParams.Add(request.NewErrParamMinLen("Policy", 1)) + } + if s.PrincipalArn == nil { + invalidParams.Add(request.NewErrParamRequired("PrincipalArn")) + } + if s.PrincipalArn != nil && len(*s.PrincipalArn) < 20 { + invalidParams.Add(request.NewErrParamMinLen("PrincipalArn", 20)) + } + if s.RoleArn == nil { + invalidParams.Add(request.NewErrParamRequired("RoleArn")) + } + if s.RoleArn != nil && len(*s.RoleArn) < 20 { + invalidParams.Add(request.NewErrParamMinLen("RoleArn", 20)) + } + if s.SAMLAssertion == nil { + invalidParams.Add(request.NewErrParamRequired("SAMLAssertion")) + } + if s.SAMLAssertion != nil && len(*s.SAMLAssertion) < 4 { + invalidParams.Add(request.NewErrParamMinLen("SAMLAssertion", 4)) + } + if s.PolicyArns != nil { + for i, v := range s.PolicyArns { + if v == nil { + continue + } + if err := v.Validate(); err != nil { + invalidParams.AddNested(fmt.Sprintf("%s[%v]", "PolicyArns", i), err.(request.ErrInvalidParams)) + } + } + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetDurationSeconds sets the DurationSeconds field's value. +func (s *AssumeRoleWithSAMLInput) SetDurationSeconds(v int64) *AssumeRoleWithSAMLInput { + s.DurationSeconds = &v + return s +} + +// SetPolicy sets the Policy field's value. +func (s *AssumeRoleWithSAMLInput) SetPolicy(v string) *AssumeRoleWithSAMLInput { + s.Policy = &v + return s +} + +// SetPolicyArns sets the PolicyArns field's value. +func (s *AssumeRoleWithSAMLInput) SetPolicyArns(v []*PolicyDescriptorType) *AssumeRoleWithSAMLInput { + s.PolicyArns = v + return s +} + +// SetPrincipalArn sets the PrincipalArn field's value. +func (s *AssumeRoleWithSAMLInput) SetPrincipalArn(v string) *AssumeRoleWithSAMLInput { + s.PrincipalArn = &v + return s +} + +// SetRoleArn sets the RoleArn field's value. +func (s *AssumeRoleWithSAMLInput) SetRoleArn(v string) *AssumeRoleWithSAMLInput { + s.RoleArn = &v + return s +} + +// SetSAMLAssertion sets the SAMLAssertion field's value. +func (s *AssumeRoleWithSAMLInput) SetSAMLAssertion(v string) *AssumeRoleWithSAMLInput { + s.SAMLAssertion = &v + return s +} + +// Contains the response to a successful AssumeRoleWithSAML request, including +// temporary AWS credentials that can be used to make AWS requests. +type AssumeRoleWithSAMLOutput struct { + _ struct{} `type:"structure"` + + // The identifiers for the temporary security credentials that the operation + // returns. + AssumedRoleUser *AssumedRoleUser `type:"structure"` + + // The value of the Recipient attribute of the SubjectConfirmationData element + // of the SAML assertion. + Audience *string `type:"string"` + + // The temporary security credentials, which include an access key ID, a secret + // access key, and a security (or session) token. + // + // The size of the security token that STS API operations return is not fixed. + // We strongly recommend that you make no assumptions about the maximum size. + Credentials *Credentials `type:"structure"` + + // The value of the Issuer element of the SAML assertion. + Issuer *string `type:"string"` + + // A hash value based on the concatenation of the Issuer response value, the + // AWS account ID, and the friendly name (the last part of the ARN) of the SAML + // provider in IAM. The combination of NameQualifier and Subject can be used + // to uniquely identify a federated user. + // + // The following pseudocode shows how the hash value is calculated: + // + // BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP" + // ) ) + NameQualifier *string `type:"string"` + + // A percentage value that indicates the packed size of the session policies + // and session tags combined passed in the request. The request fails if the + // packed size is greater than 100 percent, which means the policies and tags + // exceeded the allowed space. + PackedPolicySize *int64 `type:"integer"` + + // The value of the NameID element in the Subject element of the SAML assertion. + Subject *string `type:"string"` + + // The format of the name ID, as defined by the Format attribute in the NameID + // element of the SAML assertion. Typical examples of the format are transient + // or persistent. + // + // If the format includes the prefix urn:oasis:names:tc:SAML:2.0:nameid-format, + // that prefix is removed. For example, urn:oasis:names:tc:SAML:2.0:nameid-format:transient + // is returned as transient. If the format includes any other prefix, the format + // is returned with no modifications. + SubjectType *string `type:"string"` +} + +// String returns the string representation +func (s AssumeRoleWithSAMLOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s AssumeRoleWithSAMLOutput) GoString() string { + return s.String() +} + +// SetAssumedRoleUser sets the AssumedRoleUser field's value. +func (s *AssumeRoleWithSAMLOutput) SetAssumedRoleUser(v *AssumedRoleUser) *AssumeRoleWithSAMLOutput { + s.AssumedRoleUser = v + return s +} + +// SetAudience sets the Audience field's value. +func (s *AssumeRoleWithSAMLOutput) SetAudience(v string) *AssumeRoleWithSAMLOutput { + s.Audience = &v + return s +} + +// SetCredentials sets the Credentials field's value. +func (s *AssumeRoleWithSAMLOutput) SetCredentials(v *Credentials) *AssumeRoleWithSAMLOutput { + s.Credentials = v + return s +} + +// SetIssuer sets the Issuer field's value. +func (s *AssumeRoleWithSAMLOutput) SetIssuer(v string) *AssumeRoleWithSAMLOutput { + s.Issuer = &v + return s +} + +// SetNameQualifier sets the NameQualifier field's value. +func (s *AssumeRoleWithSAMLOutput) SetNameQualifier(v string) *AssumeRoleWithSAMLOutput { + s.NameQualifier = &v + return s +} + +// SetPackedPolicySize sets the PackedPolicySize field's value. +func (s *AssumeRoleWithSAMLOutput) SetPackedPolicySize(v int64) *AssumeRoleWithSAMLOutput { + s.PackedPolicySize = &v + return s +} + +// SetSubject sets the Subject field's value. +func (s *AssumeRoleWithSAMLOutput) SetSubject(v string) *AssumeRoleWithSAMLOutput { + s.Subject = &v + return s +} + +// SetSubjectType sets the SubjectType field's value. +func (s *AssumeRoleWithSAMLOutput) SetSubjectType(v string) *AssumeRoleWithSAMLOutput { + s.SubjectType = &v + return s +} + +type AssumeRoleWithWebIdentityInput struct { + _ struct{} `type:"structure"` + + // The duration, in seconds, of the role session. The value can range from 900 + // seconds (15 minutes) up to the maximum session duration setting for the role. + // This setting can have a value from 1 hour to 12 hours. If you specify a value + // higher than this setting, the operation fails. For example, if you specify + // a session duration of 12 hours, but your administrator set the maximum session + // duration to 6 hours, your operation fails. To learn how to view the maximum + // value for your role, see View the Maximum Session Duration Setting for a + // Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) + // in the IAM User Guide. + // + // By default, the value is set to 3600 seconds. + // + // The DurationSeconds parameter is separate from the duration of a console + // session that you might request using the returned credentials. The request + // to the federation endpoint for a console sign-in token takes a SessionDuration + // parameter that specifies the maximum length of the console session. For more + // information, see Creating a URL that Enables Federated Users to Access the + // AWS Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html) + // in the IAM User Guide. + DurationSeconds *int64 `min:"900" type:"integer"` + + // An IAM policy in JSON format that you want to use as an inline session policy. + // + // This parameter is optional. Passing policies to this operation returns new + // temporary credentials. The resulting session's permissions are the intersection + // of the role's identity-based policy and the session policies. You can use + // the role's temporary credentials in subsequent AWS API calls to access resources + // in the account that owns the role. You cannot use session policies to grant + // more permissions than those allowed by the identity-based policy of the role + // that is being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) + // in the IAM User Guide. + // + // The plain text that you use for both inline and managed session policies + // can't exceed 2,048 characters. The JSON policy characters can be any ASCII + // character from the space character to the end of the valid character list + // (\u0020 through \u00FF). It can also include the tab (\u0009), linefeed (\u000A), + // and carriage return (\u000D) characters. + // + // An AWS conversion compresses the passed session policies and session tags + // into a packed binary format that has a separate limit. Your request can fail + // for this limit even if your plain text meets the other requirements. The + // PackedPolicySize response element indicates by percentage how close the policies + // and tags for your request are to the upper size limit. + Policy *string `min:"1" type:"string"` + + // The Amazon Resource Names (ARNs) of the IAM managed policies that you want + // to use as managed session policies. The policies must exist in the same account + // as the role. + // + // This parameter is optional. You can provide up to 10 managed policy ARNs. + // However, the plain text that you use for both inline and managed session + // policies can't exceed 2,048 characters. For more information about ARNs, + // see Amazon Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) + // in the AWS General Reference. + // + // An AWS conversion compresses the passed session policies and session tags + // into a packed binary format that has a separate limit. Your request can fail + // for this limit even if your plain text meets the other requirements. The + // PackedPolicySize response element indicates by percentage how close the policies + // and tags for your request are to the upper size limit. + // + // Passing policies to this operation returns new temporary credentials. The + // resulting session's permissions are the intersection of the role's identity-based + // policy and the session policies. You can use the role's temporary credentials + // in subsequent AWS API calls to access resources in the account that owns + // the role. You cannot use session policies to grant more permissions than + // those allowed by the identity-based policy of the role that is being assumed. + // For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) + // in the IAM User Guide. + PolicyArns []*PolicyDescriptorType `type:"list"` + + // The fully qualified host component of the domain name of the identity provider. + // + // Specify this value only for OAuth 2.0 access tokens. Currently www.amazon.com + // and graph.facebook.com are the only supported identity providers for OAuth + // 2.0 access tokens. Do not include URL schemes and port numbers. + // + // Do not specify this value for OpenID Connect ID tokens. + ProviderId *string `min:"4" type:"string"` + + // The Amazon Resource Name (ARN) of the role that the caller is assuming. + // + // RoleArn is a required field + RoleArn *string `min:"20" type:"string" required:"true"` + + // An identifier for the assumed role session. Typically, you pass the name + // or identifier that is associated with the user who is using your application. + // That way, the temporary security credentials that your application will use + // are associated with that user. This session name is included as part of the + // ARN and assumed role ID in the AssumedRoleUser response element. + // + // The regex used to validate this parameter is a string of characters consisting + // of upper- and lower-case alphanumeric characters with no spaces. You can + // also include underscores or any of the following characters: =,.@- + // + // RoleSessionName is a required field + RoleSessionName *string `min:"2" type:"string" required:"true"` + + // The OAuth 2.0 access token or OpenID Connect ID token that is provided by + // the identity provider. Your application must get this token by authenticating + // the user who is using your application with a web identity provider before + // the application makes an AssumeRoleWithWebIdentity call. + // + // WebIdentityToken is a required field + WebIdentityToken *string `min:"4" type:"string" required:"true"` +} + +// String returns the string representation +func (s AssumeRoleWithWebIdentityInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s AssumeRoleWithWebIdentityInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *AssumeRoleWithWebIdentityInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "AssumeRoleWithWebIdentityInput"} + if s.DurationSeconds != nil && *s.DurationSeconds < 900 { + invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900)) + } + if s.Policy != nil && len(*s.Policy) < 1 { + invalidParams.Add(request.NewErrParamMinLen("Policy", 1)) + } + if s.ProviderId != nil && len(*s.ProviderId) < 4 { + invalidParams.Add(request.NewErrParamMinLen("ProviderId", 4)) + } + if s.RoleArn == nil { + invalidParams.Add(request.NewErrParamRequired("RoleArn")) + } + if s.RoleArn != nil && len(*s.RoleArn) < 20 { + invalidParams.Add(request.NewErrParamMinLen("RoleArn", 20)) + } + if s.RoleSessionName == nil { + invalidParams.Add(request.NewErrParamRequired("RoleSessionName")) + } + if s.RoleSessionName != nil && len(*s.RoleSessionName) < 2 { + invalidParams.Add(request.NewErrParamMinLen("RoleSessionName", 2)) + } + if s.WebIdentityToken == nil { + invalidParams.Add(request.NewErrParamRequired("WebIdentityToken")) + } + if s.WebIdentityToken != nil && len(*s.WebIdentityToken) < 4 { + invalidParams.Add(request.NewErrParamMinLen("WebIdentityToken", 4)) + } + if s.PolicyArns != nil { + for i, v := range s.PolicyArns { + if v == nil { + continue + } + if err := v.Validate(); err != nil { + invalidParams.AddNested(fmt.Sprintf("%s[%v]", "PolicyArns", i), err.(request.ErrInvalidParams)) + } + } + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetDurationSeconds sets the DurationSeconds field's value. +func (s *AssumeRoleWithWebIdentityInput) SetDurationSeconds(v int64) *AssumeRoleWithWebIdentityInput { + s.DurationSeconds = &v + return s +} + +// SetPolicy sets the Policy field's value. +func (s *AssumeRoleWithWebIdentityInput) SetPolicy(v string) *AssumeRoleWithWebIdentityInput { + s.Policy = &v + return s +} + +// SetPolicyArns sets the PolicyArns field's value. +func (s *AssumeRoleWithWebIdentityInput) SetPolicyArns(v []*PolicyDescriptorType) *AssumeRoleWithWebIdentityInput { + s.PolicyArns = v + return s +} + +// SetProviderId sets the ProviderId field's value. +func (s *AssumeRoleWithWebIdentityInput) SetProviderId(v string) *AssumeRoleWithWebIdentityInput { + s.ProviderId = &v + return s +} + +// SetRoleArn sets the RoleArn field's value. +func (s *AssumeRoleWithWebIdentityInput) SetRoleArn(v string) *AssumeRoleWithWebIdentityInput { + s.RoleArn = &v + return s +} + +// SetRoleSessionName sets the RoleSessionName field's value. +func (s *AssumeRoleWithWebIdentityInput) SetRoleSessionName(v string) *AssumeRoleWithWebIdentityInput { + s.RoleSessionName = &v + return s +} + +// SetWebIdentityToken sets the WebIdentityToken field's value. +func (s *AssumeRoleWithWebIdentityInput) SetWebIdentityToken(v string) *AssumeRoleWithWebIdentityInput { + s.WebIdentityToken = &v + return s +} + +// Contains the response to a successful AssumeRoleWithWebIdentity request, +// including temporary AWS credentials that can be used to make AWS requests. +type AssumeRoleWithWebIdentityOutput struct { + _ struct{} `type:"structure"` + + // The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers + // that you can use to refer to the resulting temporary security credentials. + // For example, you can reference these credentials as a principal in a resource-based + // policy by using the ARN or assumed role ID. The ARN and ID include the RoleSessionName + // that you specified when you called AssumeRole. + AssumedRoleUser *AssumedRoleUser `type:"structure"` + + // The intended audience (also known as client ID) of the web identity token. + // This is traditionally the client identifier issued to the application that + // requested the web identity token. + Audience *string `type:"string"` + + // The temporary security credentials, which include an access key ID, a secret + // access key, and a security token. + // + // The size of the security token that STS API operations return is not fixed. + // We strongly recommend that you make no assumptions about the maximum size. + Credentials *Credentials `type:"structure"` + + // A percentage value that indicates the packed size of the session policies + // and session tags combined passed in the request. The request fails if the + // packed size is greater than 100 percent, which means the policies and tags + // exceeded the allowed space. + PackedPolicySize *int64 `type:"integer"` + + // The issuing authority of the web identity token presented. For OpenID Connect + // ID tokens, this contains the value of the iss field. For OAuth 2.0 access + // tokens, this contains the value of the ProviderId parameter that was passed + // in the AssumeRoleWithWebIdentity request. + Provider *string `type:"string"` + + // The unique user identifier that is returned by the identity provider. This + // identifier is associated with the WebIdentityToken that was submitted with + // the AssumeRoleWithWebIdentity call. The identifier is typically unique to + // the user and the application that acquired the WebIdentityToken (pairwise + // identifier). For OpenID Connect ID tokens, this field contains the value + // returned by the identity provider as the token's sub (Subject) claim. + SubjectFromWebIdentityToken *string `min:"6" type:"string"` +} + +// String returns the string representation +func (s AssumeRoleWithWebIdentityOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s AssumeRoleWithWebIdentityOutput) GoString() string { + return s.String() +} + +// SetAssumedRoleUser sets the AssumedRoleUser field's value. +func (s *AssumeRoleWithWebIdentityOutput) SetAssumedRoleUser(v *AssumedRoleUser) *AssumeRoleWithWebIdentityOutput { + s.AssumedRoleUser = v + return s +} + +// SetAudience sets the Audience field's value. +func (s *AssumeRoleWithWebIdentityOutput) SetAudience(v string) *AssumeRoleWithWebIdentityOutput { + s.Audience = &v + return s +} + +// SetCredentials sets the Credentials field's value. +func (s *AssumeRoleWithWebIdentityOutput) SetCredentials(v *Credentials) *AssumeRoleWithWebIdentityOutput { + s.Credentials = v + return s +} + +// SetPackedPolicySize sets the PackedPolicySize field's value. +func (s *AssumeRoleWithWebIdentityOutput) SetPackedPolicySize(v int64) *AssumeRoleWithWebIdentityOutput { + s.PackedPolicySize = &v + return s +} + +// SetProvider sets the Provider field's value. +func (s *AssumeRoleWithWebIdentityOutput) SetProvider(v string) *AssumeRoleWithWebIdentityOutput { + s.Provider = &v + return s +} + +// SetSubjectFromWebIdentityToken sets the SubjectFromWebIdentityToken field's value. +func (s *AssumeRoleWithWebIdentityOutput) SetSubjectFromWebIdentityToken(v string) *AssumeRoleWithWebIdentityOutput { + s.SubjectFromWebIdentityToken = &v + return s +} + +// The identifiers for the temporary security credentials that the operation +// returns. +type AssumedRoleUser struct { + _ struct{} `type:"structure"` + + // The ARN of the temporary security credentials that are returned from the + // AssumeRole action. For more information about ARNs and how to use them in + // policies, see IAM Identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html) + // in the IAM User Guide. + // + // Arn is a required field + Arn *string `min:"20" type:"string" required:"true"` + + // A unique identifier that contains the role ID and the role session name of + // the role that is being assumed. The role ID is generated by AWS when the + // role is created. + // + // AssumedRoleId is a required field + AssumedRoleId *string `min:"2" type:"string" required:"true"` +} + +// String returns the string representation +func (s AssumedRoleUser) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s AssumedRoleUser) GoString() string { + return s.String() +} + +// SetArn sets the Arn field's value. +func (s *AssumedRoleUser) SetArn(v string) *AssumedRoleUser { + s.Arn = &v + return s +} + +// SetAssumedRoleId sets the AssumedRoleId field's value. +func (s *AssumedRoleUser) SetAssumedRoleId(v string) *AssumedRoleUser { + s.AssumedRoleId = &v + return s +} + +// AWS credentials for API authentication. +type Credentials struct { + _ struct{} `type:"structure"` + + // The access key ID that identifies the temporary security credentials. + // + // AccessKeyId is a required field + AccessKeyId *string `min:"16" type:"string" required:"true"` + + // The date on which the current credentials expire. + // + // Expiration is a required field + Expiration *time.Time `type:"timestamp" required:"true"` + + // The secret access key that can be used to sign requests. + // + // SecretAccessKey is a required field + SecretAccessKey *string `type:"string" required:"true"` + + // The token that users must pass to the service API to use the temporary credentials. + // + // SessionToken is a required field + SessionToken *string `type:"string" required:"true"` +} + +// String returns the string representation +func (s Credentials) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s Credentials) GoString() string { + return s.String() +} + +// SetAccessKeyId sets the AccessKeyId field's value. +func (s *Credentials) SetAccessKeyId(v string) *Credentials { + s.AccessKeyId = &v + return s +} + +// SetExpiration sets the Expiration field's value. +func (s *Credentials) SetExpiration(v time.Time) *Credentials { + s.Expiration = &v + return s +} + +// SetSecretAccessKey sets the SecretAccessKey field's value. +func (s *Credentials) SetSecretAccessKey(v string) *Credentials { + s.SecretAccessKey = &v + return s +} + +// SetSessionToken sets the SessionToken field's value. +func (s *Credentials) SetSessionToken(v string) *Credentials { + s.SessionToken = &v + return s +} + +type DecodeAuthorizationMessageInput struct { + _ struct{} `type:"structure"` + + // The encoded message that was returned with the response. + // + // EncodedMessage is a required field + EncodedMessage *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s DecodeAuthorizationMessageInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DecodeAuthorizationMessageInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *DecodeAuthorizationMessageInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "DecodeAuthorizationMessageInput"} + if s.EncodedMessage == nil { + invalidParams.Add(request.NewErrParamRequired("EncodedMessage")) + } + if s.EncodedMessage != nil && len(*s.EncodedMessage) < 1 { + invalidParams.Add(request.NewErrParamMinLen("EncodedMessage", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetEncodedMessage sets the EncodedMessage field's value. +func (s *DecodeAuthorizationMessageInput) SetEncodedMessage(v string) *DecodeAuthorizationMessageInput { + s.EncodedMessage = &v + return s +} + +// A document that contains additional information about the authorization status +// of a request from an encoded message that is returned in response to an AWS +// request. +type DecodeAuthorizationMessageOutput struct { + _ struct{} `type:"structure"` + + // An XML document that contains the decoded message. + DecodedMessage *string `type:"string"` +} + +// String returns the string representation +func (s DecodeAuthorizationMessageOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DecodeAuthorizationMessageOutput) GoString() string { + return s.String() +} + +// SetDecodedMessage sets the DecodedMessage field's value. +func (s *DecodeAuthorizationMessageOutput) SetDecodedMessage(v string) *DecodeAuthorizationMessageOutput { + s.DecodedMessage = &v + return s +} + +// Identifiers for the federated user that is associated with the credentials. +type FederatedUser struct { + _ struct{} `type:"structure"` + + // The ARN that specifies the federated user that is associated with the credentials. + // For more information about ARNs and how to use them in policies, see IAM + // Identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html) + // in the IAM User Guide. + // + // Arn is a required field + Arn *string `min:"20" type:"string" required:"true"` + + // The string that identifies the federated user associated with the credentials, + // similar to the unique ID of an IAM user. + // + // FederatedUserId is a required field + FederatedUserId *string `min:"2" type:"string" required:"true"` +} + +// String returns the string representation +func (s FederatedUser) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s FederatedUser) GoString() string { + return s.String() +} + +// SetArn sets the Arn field's value. +func (s *FederatedUser) SetArn(v string) *FederatedUser { + s.Arn = &v + return s +} + +// SetFederatedUserId sets the FederatedUserId field's value. +func (s *FederatedUser) SetFederatedUserId(v string) *FederatedUser { + s.FederatedUserId = &v + return s +} + +type GetAccessKeyInfoInput struct { + _ struct{} `type:"structure"` + + // The identifier of an access key. + // + // This parameter allows (through its regex pattern) a string of characters + // that can consist of any upper- or lowercase letter or digit. + // + // AccessKeyId is a required field + AccessKeyId *string `min:"16" type:"string" required:"true"` +} + +// String returns the string representation +func (s GetAccessKeyInfoInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GetAccessKeyInfoInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *GetAccessKeyInfoInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "GetAccessKeyInfoInput"} + if s.AccessKeyId == nil { + invalidParams.Add(request.NewErrParamRequired("AccessKeyId")) + } + if s.AccessKeyId != nil && len(*s.AccessKeyId) < 16 { + invalidParams.Add(request.NewErrParamMinLen("AccessKeyId", 16)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetAccessKeyId sets the AccessKeyId field's value. +func (s *GetAccessKeyInfoInput) SetAccessKeyId(v string) *GetAccessKeyInfoInput { + s.AccessKeyId = &v + return s +} + +type GetAccessKeyInfoOutput struct { + _ struct{} `type:"structure"` + + // The number used to identify the AWS account. + Account *string `type:"string"` +} + +// String returns the string representation +func (s GetAccessKeyInfoOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GetAccessKeyInfoOutput) GoString() string { + return s.String() +} + +// SetAccount sets the Account field's value. +func (s *GetAccessKeyInfoOutput) SetAccount(v string) *GetAccessKeyInfoOutput { + s.Account = &v + return s +} + +type GetCallerIdentityInput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s GetCallerIdentityInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GetCallerIdentityInput) GoString() string { + return s.String() +} + +// Contains the response to a successful GetCallerIdentity request, including +// information about the entity making the request. +type GetCallerIdentityOutput struct { + _ struct{} `type:"structure"` + + // The AWS account ID number of the account that owns or contains the calling + // entity. + Account *string `type:"string"` + + // The AWS ARN associated with the calling entity. + Arn *string `min:"20" type:"string"` + + // The unique identifier of the calling entity. The exact value depends on the + // type of entity that is making the call. The values returned are those listed + // in the aws:userid column in the Principal table (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable) + // found on the Policy Variables reference page in the IAM User Guide. + UserId *string `type:"string"` +} + +// String returns the string representation +func (s GetCallerIdentityOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GetCallerIdentityOutput) GoString() string { + return s.String() +} + +// SetAccount sets the Account field's value. +func (s *GetCallerIdentityOutput) SetAccount(v string) *GetCallerIdentityOutput { + s.Account = &v + return s +} + +// SetArn sets the Arn field's value. +func (s *GetCallerIdentityOutput) SetArn(v string) *GetCallerIdentityOutput { + s.Arn = &v + return s +} + +// SetUserId sets the UserId field's value. +func (s *GetCallerIdentityOutput) SetUserId(v string) *GetCallerIdentityOutput { + s.UserId = &v + return s +} + +type GetFederationTokenInput struct { + _ struct{} `type:"structure"` + + // The duration, in seconds, that the session should last. Acceptable durations + // for federation sessions range from 900 seconds (15 minutes) to 129,600 seconds + // (36 hours), with 43,200 seconds (12 hours) as the default. Sessions obtained + // using AWS account root user credentials are restricted to a maximum of 3,600 + // seconds (one hour). If the specified duration is longer than one hour, the + // session obtained by using root user credentials defaults to one hour. + DurationSeconds *int64 `min:"900" type:"integer"` + + // The name of the federated user. The name is used as an identifier for the + // temporary security credentials (such as Bob). For example, you can reference + // the federated user name in a resource-based policy, such as in an Amazon + // S3 bucket policy. + // + // The regex used to validate this parameter is a string of characters consisting + // of upper- and lower-case alphanumeric characters with no spaces. You can + // also include underscores or any of the following characters: =,.@- + // + // Name is a required field + Name *string `min:"2" type:"string" required:"true"` + + // An IAM policy in JSON format that you want to use as an inline session policy. + // + // You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) + // to this operation. You can pass a single JSON policy document to use as an + // inline session policy. You can also specify up to 10 managed policies to + // use as managed session policies. + // + // This parameter is optional. However, if you do not pass any session policies, + // then the resulting federated user session has no permissions. + // + // When you pass session policies, the session permissions are the intersection + // of the IAM user policies and the session policies that you pass. This gives + // you a way to further restrict the permissions for a federated user. You cannot + // use session policies to grant more permissions than those that are defined + // in the permissions policy of the IAM user. For more information, see Session + // Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) + // in the IAM User Guide. + // + // The resulting credentials can be used to access a resource that has a resource-based + // policy. If that policy specifically references the federated user session + // in the Principal element of the policy, the session has the permissions allowed + // by the policy. These permissions are granted in addition to the permissions + // that are granted by the session policies. + // + // The plain text that you use for both inline and managed session policies + // can't exceed 2,048 characters. The JSON policy characters can be any ASCII + // character from the space character to the end of the valid character list + // (\u0020 through \u00FF). It can also include the tab (\u0009), linefeed (\u000A), + // and carriage return (\u000D) characters. + // + // An AWS conversion compresses the passed session policies and session tags + // into a packed binary format that has a separate limit. Your request can fail + // for this limit even if your plain text meets the other requirements. The + // PackedPolicySize response element indicates by percentage how close the policies + // and tags for your request are to the upper size limit. + Policy *string `min:"1" type:"string"` + + // The Amazon Resource Names (ARNs) of the IAM managed policies that you want + // to use as a managed session policy. The policies must exist in the same account + // as the IAM user that is requesting federated access. + // + // You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) + // to this operation. You can pass a single JSON policy document to use as an + // inline session policy. You can also specify up to 10 managed policies to + // use as managed session policies. The plain text that you use for both inline + // and managed session policies can't exceed 2,048 characters. You can provide + // up to 10 managed policy ARNs. For more information about ARNs, see Amazon + // Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) + // in the AWS General Reference. + // + // This parameter is optional. However, if you do not pass any session policies, + // then the resulting federated user session has no permissions. + // + // When you pass session policies, the session permissions are the intersection + // of the IAM user policies and the session policies that you pass. This gives + // you a way to further restrict the permissions for a federated user. You cannot + // use session policies to grant more permissions than those that are defined + // in the permissions policy of the IAM user. For more information, see Session + // Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) + // in the IAM User Guide. + // + // The resulting credentials can be used to access a resource that has a resource-based + // policy. If that policy specifically references the federated user session + // in the Principal element of the policy, the session has the permissions allowed + // by the policy. These permissions are granted in addition to the permissions + // that are granted by the session policies. + // + // An AWS conversion compresses the passed session policies and session tags + // into a packed binary format that has a separate limit. Your request can fail + // for this limit even if your plain text meets the other requirements. The + // PackedPolicySize response element indicates by percentage how close the policies + // and tags for your request are to the upper size limit. + PolicyArns []*PolicyDescriptorType `type:"list"` + + // A list of session tags. Each session tag consists of a key name and an associated + // value. For more information about session tags, see Passing Session Tags + // in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) + // in the IAM User Guide. + // + // This parameter is optional. You can pass up to 50 session tags. The plain + // text session tag keys can’t exceed 128 characters and the values can’t + // exceed 256 characters. For these and additional limits, see IAM and STS Character + // Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length) + // in the IAM User Guide. + // + // An AWS conversion compresses the passed session policies and session tags + // into a packed binary format that has a separate limit. Your request can fail + // for this limit even if your plain text meets the other requirements. The + // PackedPolicySize response element indicates by percentage how close the policies + // and tags for your request are to the upper size limit. + // + // You can pass a session tag with the same key as a tag that is already attached + // to the user you are federating. When you do, session tags override a user + // tag with the same key. + // + // Tag key–value pairs are not case sensitive, but case is preserved. This + // means that you cannot have separate Department and department tag keys. Assume + // that the role has the Department=Marketing tag and you pass the department=engineering + // session tag. Department and department are not saved as separate tags, and + // the session tag passed in the request takes precedence over the role tag. + Tags []*Tag `type:"list"` +} + +// String returns the string representation +func (s GetFederationTokenInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GetFederationTokenInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *GetFederationTokenInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "GetFederationTokenInput"} + if s.DurationSeconds != nil && *s.DurationSeconds < 900 { + invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900)) + } + if s.Name == nil { + invalidParams.Add(request.NewErrParamRequired("Name")) + } + if s.Name != nil && len(*s.Name) < 2 { + invalidParams.Add(request.NewErrParamMinLen("Name", 2)) + } + if s.Policy != nil && len(*s.Policy) < 1 { + invalidParams.Add(request.NewErrParamMinLen("Policy", 1)) + } + if s.PolicyArns != nil { + for i, v := range s.PolicyArns { + if v == nil { + continue + } + if err := v.Validate(); err != nil { + invalidParams.AddNested(fmt.Sprintf("%s[%v]", "PolicyArns", i), err.(request.ErrInvalidParams)) + } + } + } + if s.Tags != nil { + for i, v := range s.Tags { + if v == nil { + continue + } + if err := v.Validate(); err != nil { + invalidParams.AddNested(fmt.Sprintf("%s[%v]", "Tags", i), err.(request.ErrInvalidParams)) + } + } + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetDurationSeconds sets the DurationSeconds field's value. +func (s *GetFederationTokenInput) SetDurationSeconds(v int64) *GetFederationTokenInput { + s.DurationSeconds = &v + return s +} + +// SetName sets the Name field's value. +func (s *GetFederationTokenInput) SetName(v string) *GetFederationTokenInput { + s.Name = &v + return s +} + +// SetPolicy sets the Policy field's value. +func (s *GetFederationTokenInput) SetPolicy(v string) *GetFederationTokenInput { + s.Policy = &v + return s +} + +// SetPolicyArns sets the PolicyArns field's value. +func (s *GetFederationTokenInput) SetPolicyArns(v []*PolicyDescriptorType) *GetFederationTokenInput { + s.PolicyArns = v + return s +} + +// SetTags sets the Tags field's value. +func (s *GetFederationTokenInput) SetTags(v []*Tag) *GetFederationTokenInput { + s.Tags = v + return s +} + +// Contains the response to a successful GetFederationToken request, including +// temporary AWS credentials that can be used to make AWS requests. +type GetFederationTokenOutput struct { + _ struct{} `type:"structure"` + + // The temporary security credentials, which include an access key ID, a secret + // access key, and a security (or session) token. + // + // The size of the security token that STS API operations return is not fixed. + // We strongly recommend that you make no assumptions about the maximum size. + Credentials *Credentials `type:"structure"` + + // Identifiers for the federated user associated with the credentials (such + // as arn:aws:sts::123456789012:federated-user/Bob or 123456789012:Bob). You + // can use the federated user's ARN in your resource-based policies, such as + // an Amazon S3 bucket policy. + FederatedUser *FederatedUser `type:"structure"` + + // A percentage value that indicates the packed size of the session policies + // and session tags combined passed in the request. The request fails if the + // packed size is greater than 100 percent, which means the policies and tags + // exceeded the allowed space. + PackedPolicySize *int64 `type:"integer"` +} + +// String returns the string representation +func (s GetFederationTokenOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GetFederationTokenOutput) GoString() string { + return s.String() +} + +// SetCredentials sets the Credentials field's value. +func (s *GetFederationTokenOutput) SetCredentials(v *Credentials) *GetFederationTokenOutput { + s.Credentials = v + return s +} + +// SetFederatedUser sets the FederatedUser field's value. +func (s *GetFederationTokenOutput) SetFederatedUser(v *FederatedUser) *GetFederationTokenOutput { + s.FederatedUser = v + return s +} + +// SetPackedPolicySize sets the PackedPolicySize field's value. +func (s *GetFederationTokenOutput) SetPackedPolicySize(v int64) *GetFederationTokenOutput { + s.PackedPolicySize = &v + return s +} + +type GetSessionTokenInput struct { + _ struct{} `type:"structure"` + + // The duration, in seconds, that the credentials should remain valid. Acceptable + // durations for IAM user sessions range from 900 seconds (15 minutes) to 129,600 + // seconds (36 hours), with 43,200 seconds (12 hours) as the default. Sessions + // for AWS account owners are restricted to a maximum of 3,600 seconds (one + // hour). If the duration is longer than one hour, the session for AWS account + // owners defaults to one hour. + DurationSeconds *int64 `min:"900" type:"integer"` + + // The identification number of the MFA device that is associated with the IAM + // user who is making the GetSessionToken call. Specify this value if the IAM + // user has a policy that requires MFA authentication. The value is either the + // serial number for a hardware device (such as GAHT12345678) or an Amazon Resource + // Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user). + // You can find the device for an IAM user by going to the AWS Management Console + // and viewing the user's security credentials. + // + // The regex used to validate this parameter is a string of characters consisting + // of upper- and lower-case alphanumeric characters with no spaces. You can + // also include underscores or any of the following characters: =,.@:/- + SerialNumber *string `min:"9" type:"string"` + + // The value provided by the MFA device, if MFA is required. If any policy requires + // the IAM user to submit an MFA code, specify this value. If MFA authentication + // is required, the user must provide a code when requesting a set of temporary + // security credentials. A user who fails to provide the code receives an "access + // denied" response when requesting resources that require MFA authentication. + // + // The format for this parameter, as described by its regex pattern, is a sequence + // of six numeric digits. + TokenCode *string `min:"6" type:"string"` +} + +// String returns the string representation +func (s GetSessionTokenInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GetSessionTokenInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *GetSessionTokenInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "GetSessionTokenInput"} + if s.DurationSeconds != nil && *s.DurationSeconds < 900 { + invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900)) + } + if s.SerialNumber != nil && len(*s.SerialNumber) < 9 { + invalidParams.Add(request.NewErrParamMinLen("SerialNumber", 9)) + } + if s.TokenCode != nil && len(*s.TokenCode) < 6 { + invalidParams.Add(request.NewErrParamMinLen("TokenCode", 6)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetDurationSeconds sets the DurationSeconds field's value. +func (s *GetSessionTokenInput) SetDurationSeconds(v int64) *GetSessionTokenInput { + s.DurationSeconds = &v + return s +} + +// SetSerialNumber sets the SerialNumber field's value. +func (s *GetSessionTokenInput) SetSerialNumber(v string) *GetSessionTokenInput { + s.SerialNumber = &v + return s +} + +// SetTokenCode sets the TokenCode field's value. +func (s *GetSessionTokenInput) SetTokenCode(v string) *GetSessionTokenInput { + s.TokenCode = &v + return s +} + +// Contains the response to a successful GetSessionToken request, including +// temporary AWS credentials that can be used to make AWS requests. +type GetSessionTokenOutput struct { + _ struct{} `type:"structure"` + + // The temporary security credentials, which include an access key ID, a secret + // access key, and a security (or session) token. + // + // The size of the security token that STS API operations return is not fixed. + // We strongly recommend that you make no assumptions about the maximum size. + Credentials *Credentials `type:"structure"` +} + +// String returns the string representation +func (s GetSessionTokenOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GetSessionTokenOutput) GoString() string { + return s.String() +} + +// SetCredentials sets the Credentials field's value. +func (s *GetSessionTokenOutput) SetCredentials(v *Credentials) *GetSessionTokenOutput { + s.Credentials = v + return s +} + +// A reference to the IAM managed policy that is passed as a session policy +// for a role session or a federated user session. +type PolicyDescriptorType struct { + _ struct{} `type:"structure"` + + // The Amazon Resource Name (ARN) of the IAM managed policy to use as a session + // policy for the role. For more information about ARNs, see Amazon Resource + // Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) + // in the AWS General Reference. + Arn *string `locationName:"arn" min:"20" type:"string"` +} + +// String returns the string representation +func (s PolicyDescriptorType) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s PolicyDescriptorType) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *PolicyDescriptorType) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "PolicyDescriptorType"} + if s.Arn != nil && len(*s.Arn) < 20 { + invalidParams.Add(request.NewErrParamMinLen("Arn", 20)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetArn sets the Arn field's value. +func (s *PolicyDescriptorType) SetArn(v string) *PolicyDescriptorType { + s.Arn = &v + return s +} + +// You can pass custom key-value pair attributes when you assume a role or federate +// a user. These are called session tags. You can then use the session tags +// to control access to resources. For more information, see Tagging AWS STS +// Sessions (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) +// in the IAM User Guide. +type Tag struct { + _ struct{} `type:"structure"` + + // The key for a session tag. + // + // You can pass up to 50 session tags. The plain text session tag keys can’t + // exceed 128 characters. For these and additional limits, see IAM and STS Character + // Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length) + // in the IAM User Guide. + // + // Key is a required field + Key *string `min:"1" type:"string" required:"true"` + + // The value for a session tag. + // + // You can pass up to 50 session tags. The plain text session tag values can’t + // exceed 256 characters. For these and additional limits, see IAM and STS Character + // Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length) + // in the IAM User Guide. + // + // Value is a required field + Value *string `type:"string" required:"true"` +} + +// String returns the string representation +func (s Tag) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s Tag) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *Tag) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "Tag"} + if s.Key == nil { + invalidParams.Add(request.NewErrParamRequired("Key")) + } + if s.Key != nil && len(*s.Key) < 1 { + invalidParams.Add(request.NewErrParamMinLen("Key", 1)) + } + if s.Value == nil { + invalidParams.Add(request.NewErrParamRequired("Value")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetKey sets the Key field's value. +func (s *Tag) SetKey(v string) *Tag { + s.Key = &v + return s +} + +// SetValue sets the Value field's value. +func (s *Tag) SetValue(v string) *Tag { + s.Value = &v + return s +} diff --git a/vendor/github.com/aws/aws-sdk-go/service/sts/customizations.go b/vendor/github.com/aws/aws-sdk-go/service/sts/customizations.go new file mode 100644 index 000000000..d5307fcaa --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/service/sts/customizations.go @@ -0,0 +1,11 @@ +package sts + +import "github.com/aws/aws-sdk-go/aws/request" + +func init() { + initRequest = customizeRequest +} + +func customizeRequest(r *request.Request) { + r.RetryErrorCodes = append(r.RetryErrorCodes, ErrCodeIDPCommunicationErrorException) +} diff --git a/vendor/github.com/aws/aws-sdk-go/service/sts/doc.go b/vendor/github.com/aws/aws-sdk-go/service/sts/doc.go new file mode 100644 index 000000000..cb1debbaa --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/service/sts/doc.go @@ -0,0 +1,32 @@ +// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT. + +// Package sts provides the client and types for making API +// requests to AWS Security Token Service. +// +// AWS Security Token Service (STS) enables you to request temporary, limited-privilege +// credentials for AWS Identity and Access Management (IAM) users or for users +// that you authenticate (federated users). This guide provides descriptions +// of the STS API. For more information about using this service, see Temporary +// Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html). +// +// See https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15 for more information on this service. +// +// See sts package documentation for more information. +// https://docs.aws.amazon.com/sdk-for-go/api/service/sts/ +// +// Using the Client +// +// To contact AWS Security Token Service with the SDK use the New function to create +// a new service client. With that client you can make API requests to the service. +// These clients are safe to use concurrently. +// +// See the SDK's documentation for more information on how to use the SDK. +// https://docs.aws.amazon.com/sdk-for-go/api/ +// +// See aws.Config documentation for more information on configuring SDK clients. +// https://docs.aws.amazon.com/sdk-for-go/api/aws/#Config +// +// See the AWS Security Token Service client STS for more +// information on creating client for this service. +// https://docs.aws.amazon.com/sdk-for-go/api/service/sts/#New +package sts diff --git a/vendor/github.com/aws/aws-sdk-go/service/sts/errors.go b/vendor/github.com/aws/aws-sdk-go/service/sts/errors.go new file mode 100644 index 000000000..a233f542e --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/service/sts/errors.go @@ -0,0 +1,82 @@ +// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT. + +package sts + +const ( + + // ErrCodeExpiredTokenException for service response error code + // "ExpiredTokenException". + // + // The web identity token that was passed is expired or is not valid. Get a + // new identity token from the identity provider and then retry the request. + ErrCodeExpiredTokenException = "ExpiredTokenException" + + // ErrCodeIDPCommunicationErrorException for service response error code + // "IDPCommunicationError". + // + // The request could not be fulfilled because the identity provider (IDP) that + // was asked to verify the incoming identity token could not be reached. This + // is often a transient error caused by network conditions. Retry the request + // a limited number of times so that you don't exceed the request rate. If the + // error persists, the identity provider might be down or not responding. + ErrCodeIDPCommunicationErrorException = "IDPCommunicationError" + + // ErrCodeIDPRejectedClaimException for service response error code + // "IDPRejectedClaim". + // + // The identity provider (IdP) reported that authentication failed. This might + // be because the claim is invalid. + // + // If this error is returned for the AssumeRoleWithWebIdentity operation, it + // can also mean that the claim has expired or has been explicitly revoked. + ErrCodeIDPRejectedClaimException = "IDPRejectedClaim" + + // ErrCodeInvalidAuthorizationMessageException for service response error code + // "InvalidAuthorizationMessageException". + // + // The error returned if the message passed to DecodeAuthorizationMessage was + // invalid. This can happen if the token contains invalid characters, such as + // linebreaks. + ErrCodeInvalidAuthorizationMessageException = "InvalidAuthorizationMessageException" + + // ErrCodeInvalidIdentityTokenException for service response error code + // "InvalidIdentityToken". + // + // The web identity token that was passed could not be validated by AWS. Get + // a new identity token from the identity provider and then retry the request. + ErrCodeInvalidIdentityTokenException = "InvalidIdentityToken" + + // ErrCodeMalformedPolicyDocumentException for service response error code + // "MalformedPolicyDocument". + // + // The request was rejected because the policy document was malformed. The error + // message describes the specific error. + ErrCodeMalformedPolicyDocumentException = "MalformedPolicyDocument" + + // ErrCodePackedPolicyTooLargeException for service response error code + // "PackedPolicyTooLarge". + // + // The request was rejected because the total packed size of the session policies + // and session tags combined was too large. An AWS conversion compresses the + // session policy document, session policy ARNs, and session tags into a packed + // binary format that has a separate limit. The error message indicates by percentage + // how close the policies and tags are to the upper size limit. For more information, + // see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) + // in the IAM User Guide. + // + // You could receive this error even though you meet other defined session policy + // and session tag limits. For more information, see IAM and STS Entity Character + // Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) + // in the IAM User Guide. + ErrCodePackedPolicyTooLargeException = "PackedPolicyTooLarge" + + // ErrCodeRegionDisabledException for service response error code + // "RegionDisabledException". + // + // STS is not activated in the requested region for the account that is being + // asked to generate credentials. The account administrator must use the IAM + // console to activate STS in that region. For more information, see Activating + // and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) + // in the IAM User Guide. + ErrCodeRegionDisabledException = "RegionDisabledException" +) diff --git a/vendor/github.com/aws/aws-sdk-go/service/sts/service.go b/vendor/github.com/aws/aws-sdk-go/service/sts/service.go new file mode 100644 index 000000000..d34a68553 --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/service/sts/service.go @@ -0,0 +1,98 @@ +// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT. + +package sts + +import ( + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/client" + "github.com/aws/aws-sdk-go/aws/client/metadata" + "github.com/aws/aws-sdk-go/aws/request" + "github.com/aws/aws-sdk-go/aws/signer/v4" + "github.com/aws/aws-sdk-go/private/protocol/query" +) + +// STS provides the API operation methods for making requests to +// AWS Security Token Service. See this package's package overview docs +// for details on the service. +// +// STS methods are safe to use concurrently. It is not safe to +// modify mutate any of the struct's properties though. +type STS struct { + *client.Client +} + +// Used for custom client initialization logic +var initClient func(*client.Client) + +// Used for custom request initialization logic +var initRequest func(*request.Request) + +// Service information constants +const ( + ServiceName = "sts" // Name of service. + EndpointsID = ServiceName // ID to lookup a service endpoint with. + ServiceID = "STS" // ServiceID is a unique identifier of a specific service. +) + +// New creates a new instance of the STS client with a session. +// If additional configuration is needed for the client instance use the optional +// aws.Config parameter to add your extra config. +// +// Example: +// mySession := session.Must(session.NewSession()) +// +// // Create a STS client from just a session. +// svc := sts.New(mySession) +// +// // Create a STS client with additional configuration +// svc := sts.New(mySession, aws.NewConfig().WithRegion("us-west-2")) +func New(p client.ConfigProvider, cfgs ...*aws.Config) *STS { + c := p.ClientConfig(EndpointsID, cfgs...) + return newClient(*c.Config, c.Handlers, c.PartitionID, c.Endpoint, c.SigningRegion, c.SigningName) +} + +// newClient creates, initializes and returns a new service client instance. +func newClient(cfg aws.Config, handlers request.Handlers, partitionID, endpoint, signingRegion, signingName string) *STS { + svc := &STS{ + Client: client.New( + cfg, + metadata.ClientInfo{ + ServiceName: ServiceName, + ServiceID: ServiceID, + SigningName: signingName, + SigningRegion: signingRegion, + PartitionID: partitionID, + Endpoint: endpoint, + APIVersion: "2011-06-15", + }, + handlers, + ), + } + + // Handlers + svc.Handlers.Sign.PushBackNamed(v4.SignRequestHandler) + svc.Handlers.Build.PushBackNamed(query.BuildHandler) + svc.Handlers.Unmarshal.PushBackNamed(query.UnmarshalHandler) + svc.Handlers.UnmarshalMeta.PushBackNamed(query.UnmarshalMetaHandler) + svc.Handlers.UnmarshalError.PushBackNamed(query.UnmarshalErrorHandler) + + // Run custom client initialization if present + if initClient != nil { + initClient(svc.Client) + } + + return svc +} + +// newRequest creates a new request for a STS operation and runs any +// custom request initialization. +func (c *STS) newRequest(op *request.Operation, params, data interface{}) *request.Request { + req := c.NewRequest(op, params, data) + + // Run custom request initialization if present + if initRequest != nil { + initRequest(req) + } + + return req +} diff --git a/vendor/github.com/aws/aws-sdk-go/service/sts/stsiface/interface.go b/vendor/github.com/aws/aws-sdk-go/service/sts/stsiface/interface.go new file mode 100644 index 000000000..e2e1d6efe --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/service/sts/stsiface/interface.go @@ -0,0 +1,96 @@ +// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT. + +// Package stsiface provides an interface to enable mocking the AWS Security Token Service service client +// for testing your code. +// +// It is important to note that this interface will have breaking changes +// when the service model is updated and adds new API operations, paginators, +// and waiters. +package stsiface + +import ( + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/request" + "github.com/aws/aws-sdk-go/service/sts" +) + +// STSAPI provides an interface to enable mocking the +// sts.STS service client's API operation, +// paginators, and waiters. This make unit testing your code that calls out +// to the SDK's service client's calls easier. +// +// The best way to use this interface is so the SDK's service client's calls +// can be stubbed out for unit testing your code with the SDK without needing +// to inject custom request handlers into the SDK's request pipeline. +// +// // myFunc uses an SDK service client to make a request to +// // AWS Security Token Service. +// func myFunc(svc stsiface.STSAPI) bool { +// // Make svc.AssumeRole request +// } +// +// func main() { +// sess := session.New() +// svc := sts.New(sess) +// +// myFunc(svc) +// } +// +// In your _test.go file: +// +// // Define a mock struct to be used in your unit tests of myFunc. +// type mockSTSClient struct { +// stsiface.STSAPI +// } +// func (m *mockSTSClient) AssumeRole(input *sts.AssumeRoleInput) (*sts.AssumeRoleOutput, error) { +// // mock response/functionality +// } +// +// func TestMyFunc(t *testing.T) { +// // Setup Test +// mockSvc := &mockSTSClient{} +// +// myfunc(mockSvc) +// +// // Verify myFunc's functionality +// } +// +// It is important to note that this interface will have breaking changes +// when the service model is updated and adds new API operations, paginators, +// and waiters. Its suggested to use the pattern above for testing, or using +// tooling to generate mocks to satisfy the interfaces. +type STSAPI interface { + AssumeRole(*sts.AssumeRoleInput) (*sts.AssumeRoleOutput, error) + AssumeRoleWithContext(aws.Context, *sts.AssumeRoleInput, ...request.Option) (*sts.AssumeRoleOutput, error) + AssumeRoleRequest(*sts.AssumeRoleInput) (*request.Request, *sts.AssumeRoleOutput) + + AssumeRoleWithSAML(*sts.AssumeRoleWithSAMLInput) (*sts.AssumeRoleWithSAMLOutput, error) + AssumeRoleWithSAMLWithContext(aws.Context, *sts.AssumeRoleWithSAMLInput, ...request.Option) (*sts.AssumeRoleWithSAMLOutput, error) + AssumeRoleWithSAMLRequest(*sts.AssumeRoleWithSAMLInput) (*request.Request, *sts.AssumeRoleWithSAMLOutput) + + AssumeRoleWithWebIdentity(*sts.AssumeRoleWithWebIdentityInput) (*sts.AssumeRoleWithWebIdentityOutput, error) + AssumeRoleWithWebIdentityWithContext(aws.Context, *sts.AssumeRoleWithWebIdentityInput, ...request.Option) (*sts.AssumeRoleWithWebIdentityOutput, error) + AssumeRoleWithWebIdentityRequest(*sts.AssumeRoleWithWebIdentityInput) (*request.Request, *sts.AssumeRoleWithWebIdentityOutput) + + DecodeAuthorizationMessage(*sts.DecodeAuthorizationMessageInput) (*sts.DecodeAuthorizationMessageOutput, error) + DecodeAuthorizationMessageWithContext(aws.Context, *sts.DecodeAuthorizationMessageInput, ...request.Option) (*sts.DecodeAuthorizationMessageOutput, error) + DecodeAuthorizationMessageRequest(*sts.DecodeAuthorizationMessageInput) (*request.Request, *sts.DecodeAuthorizationMessageOutput) + + GetAccessKeyInfo(*sts.GetAccessKeyInfoInput) (*sts.GetAccessKeyInfoOutput, error) + GetAccessKeyInfoWithContext(aws.Context, *sts.GetAccessKeyInfoInput, ...request.Option) (*sts.GetAccessKeyInfoOutput, error) + GetAccessKeyInfoRequest(*sts.GetAccessKeyInfoInput) (*request.Request, *sts.GetAccessKeyInfoOutput) + + GetCallerIdentity(*sts.GetCallerIdentityInput) (*sts.GetCallerIdentityOutput, error) + GetCallerIdentityWithContext(aws.Context, *sts.GetCallerIdentityInput, ...request.Option) (*sts.GetCallerIdentityOutput, error) + GetCallerIdentityRequest(*sts.GetCallerIdentityInput) (*request.Request, *sts.GetCallerIdentityOutput) + + GetFederationToken(*sts.GetFederationTokenInput) (*sts.GetFederationTokenOutput, error) + GetFederationTokenWithContext(aws.Context, *sts.GetFederationTokenInput, ...request.Option) (*sts.GetFederationTokenOutput, error) + GetFederationTokenRequest(*sts.GetFederationTokenInput) (*request.Request, *sts.GetFederationTokenOutput) + + GetSessionToken(*sts.GetSessionTokenInput) (*sts.GetSessionTokenOutput, error) + GetSessionTokenWithContext(aws.Context, *sts.GetSessionTokenInput, ...request.Option) (*sts.GetSessionTokenOutput, error) + GetSessionTokenRequest(*sts.GetSessionTokenInput) (*request.Request, *sts.GetSessionTokenOutput) +} + +var _ STSAPI = (*sts.STS)(nil) diff --git a/vendor/modules.txt b/vendor/modules.txt index 2684e7b57..b80487963 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -1,27 +1,47 @@ -# github.com/aws/aws-sdk-go v1.35.24 +# github.com/aws/aws-sdk-go v1.38.8 github.com/aws/aws-sdk-go/aws github.com/aws/aws-sdk-go/aws/awserr github.com/aws/aws-sdk-go/aws/awsutil github.com/aws/aws-sdk-go/aws/client github.com/aws/aws-sdk-go/aws/client/metadata +github.com/aws/aws-sdk-go/aws/corehandlers github.com/aws/aws-sdk-go/aws/credentials +github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds +github.com/aws/aws-sdk-go/aws/credentials/endpointcreds +github.com/aws/aws-sdk-go/aws/credentials/processcreds +github.com/aws/aws-sdk-go/aws/credentials/ssocreds +github.com/aws/aws-sdk-go/aws/credentials/stscreds +github.com/aws/aws-sdk-go/aws/csm +github.com/aws/aws-sdk-go/aws/defaults +github.com/aws/aws-sdk-go/aws/ec2metadata github.com/aws/aws-sdk-go/aws/endpoints github.com/aws/aws-sdk-go/aws/request +github.com/aws/aws-sdk-go/aws/session github.com/aws/aws-sdk-go/aws/signer/v4 github.com/aws/aws-sdk-go/internal/context github.com/aws/aws-sdk-go/internal/ini github.com/aws/aws-sdk-go/internal/sdkio github.com/aws/aws-sdk-go/internal/sdkmath github.com/aws/aws-sdk-go/internal/sdkrand +github.com/aws/aws-sdk-go/internal/sdkuri github.com/aws/aws-sdk-go/internal/shareddefaults github.com/aws/aws-sdk-go/internal/strings github.com/aws/aws-sdk-go/internal/sync/singleflight github.com/aws/aws-sdk-go/private/protocol github.com/aws/aws-sdk-go/private/protocol/ec2query +github.com/aws/aws-sdk-go/private/protocol/json/jsonutil +github.com/aws/aws-sdk-go/private/protocol/jsonrpc +github.com/aws/aws-sdk-go/private/protocol/query github.com/aws/aws-sdk-go/private/protocol/query/queryutil github.com/aws/aws-sdk-go/private/protocol/rest +github.com/aws/aws-sdk-go/private/protocol/restjson github.com/aws/aws-sdk-go/private/protocol/xml/xmlutil github.com/aws/aws-sdk-go/service/ec2 +github.com/aws/aws-sdk-go/service/kms +github.com/aws/aws-sdk-go/service/sso +github.com/aws/aws-sdk-go/service/sso/ssoiface +github.com/aws/aws-sdk-go/service/sts +github.com/aws/aws-sdk-go/service/sts/stsiface # github.com/beorn7/perks v1.0.1 github.com/beorn7/perks/quantile # github.com/blang/semver v3.5.1+incompatible