IAMRolesAnywhere

Table of Contents

• IAMRolesAnywhere
  • Client
  • Paginators

Client

class IAMRolesAnywhere.Client

A low-level client representing IAM Roles Anywhere

AWS Identity and Access Management Roles Anywhere provides a secure way for your workloads such as servers, containers, and applications running outside of AWS to obtain Temporary AWS credentials. Your workloads can use the same IAM policies and roles that you have configured with native AWS applications to access AWS resources. Using IAM Roles Anywhere will eliminate the need to manage long term credentials for workloads running outside of AWS.

To use IAM Roles Anywhere customer workloads will need to use X.509 certificates issued by their Certificate Authority (CA) . The Certificate Authority (CA) needs to be registered with IAM Roles Anywhere as a trust anchor to establish trust between customer PKI and IAM Roles Anywhere. Customers who do not manage their own PKI system can use AWS Certificate Manager Private Certificate Authority (ACM PCA) to create a Certificate Authority and use that to establish trust with IAM Roles Anywhere

This guide describes the IAM rolesanywhere operations that you can call programmatically. For general information about IAM Roles Anywhere see https://docs.aws.amazon.com/

import boto3

client = boto3.client('rolesanywhere')

These are the available methods:

• can_paginate()
• close()
• create_profile()
• create_trust_anchor()
• delete_crl()
• delete_profile()
• delete_trust_anchor()
• disable_crl()
• disable_profile()
• disable_trust_anchor()
• enable_crl()
• enable_profile()
• enable_trust_anchor()
• get_crl()
• get_paginator()
• get_profile()
• get_subject()
• get_trust_anchor()
• get_waiter()
• import_crl()
• list_crls()
• list_profiles()
• list_subjects()
• list_tags_for_resource()
• list_trust_anchors()
• tag_resource()
• untag_resource()
• update_crl()
• update_profile()
• update_trust_anchor()

can_paginate(operation_name)

Check if an operation can be paginated.

Parameters

operation_name (string) -- The operation name. This is the same name as the method name on the client. For example, if the method name is create_foo, and you'd normally invoke the operation as client.create_foo(**kwargs), if the create_foo operation can be paginated, you can use the call client.get_paginator("create_foo").

Returns

True if the operation can be paginated, False otherwise.

close()

Closes underlying endpoint connections.

create_profile(**kwargs)

Creates a profile. A profile is configuration resource to list the roles that RolesAnywhere service is trusted to assume. In addition, by applying a profile you can intersect permissions with IAM managed policies.

Required permissions: rolesanywhere:CreateProfile .

See also: AWS API Documentation

Request Syntax

response = client.create_profile(
    durationSeconds=123,
    enabled=True|False,
    managedPolicyArns=[
        'string',
    ],
    name='string',
    requireInstanceProperties=True|False,
    roleArns=[
        'string',
    ],
    sessionPolicy='string',
    tags=[
        {
            'key': 'string',
            'value': 'string'
        },
    ]
)

Parameters

• durationSeconds (integer) -- The number of seconds the vended session credentials are valid for.
• enabled (boolean) -- Specifies whether the profile is enabled.
• managedPolicyArns (list) --

  A list of managed policy ARNs that apply to the vended session credentials.

  • (string) --
• name (string) --

  [REQUIRED]

  The name of the profile.

• requireInstanceProperties (boolean) -- Specifies whether instance properties are required in CreateSession requests with this profile.
• roleArns (list) --

  [REQUIRED]

  A list of IAM roles that this profile can assume in a CreateSession operation.

  • (string) --
• sessionPolicy (string) -- A session policy that applies to the trust boundary of the vended session credentials.
• tags (list) --

  The tags to attach to the profile.

  • (dict) --

    A label that consists of a key and value you define.

    • key (string) -- [REQUIRED]

      The tag key.

    • value (string) -- [REQUIRED]

      The tag value.

Return type

dict

Returns

Response Syntax

{
    'profile': {
        'createdAt': datetime(2015, 1, 1),
        'createdBy': 'string',
        'durationSeconds': 123,
        'enabled': True|False,
        'managedPolicyArns': [
            'string',
        ],
        'name': 'string',
        'profileArn': 'string',
        'profileId': 'string',
        'requireInstanceProperties': True|False,
        'roleArns': [
            'string',
        ],
        'sessionPolicy': 'string',
        'updatedAt': datetime(2015, 1, 1)
    }
}

Response Structure

• (dict) --

  • profile (dict) --

    The state of the profile after a read or write operation.

    • createdAt (datetime) --

      The ISO-8601 timestamp when the profile was created.

    • createdBy (string) --

      The Amazon Web Services account that created the profile.

    • durationSeconds (integer) --

      The number of seconds the vended session credentials are valid for.

    • enabled (boolean) --

      Indicates whether the profile is enabled.

    • managedPolicyArns (list) --

      A list of managed policy ARNs that apply to the vended session credentials.

      • (string) --

    • name (string) --

      The name of the profile.

    • profileArn (string) --

      The ARN of the profile.

    • profileId (string) --

      The unique identifier of the profile.

    • requireInstanceProperties (boolean) --

      Specifies whether instance properties are required in CreateSession requests with this profile.

    • roleArns (list) --

      A list of IAM roles that this profile can assume in a CreateSession operation.

      • (string) --

    • sessionPolicy (string) --

      A session policy that applies to the trust boundary of the vended session credentials.

    • updatedAt (datetime) --

      The ISO-8601 timestamp when the profile was last updated.

Exceptions

• IAMRolesAnywhere.Client.exceptions.ValidationException
• IAMRolesAnywhere.Client.exceptions.AccessDeniedException

create_trust_anchor(**kwargs)

Creates a trust anchor. You establish trust between IAM Roles Anywhere and your certificate authority (CA) by configuring a trust anchor. A Trust Anchor is defined either as a reference to a AWS Certificate Manager Private Certificate Authority (ACM PCA), or by uploading a Certificate Authority (CA) certificate. Your AWS workloads can authenticate with the trust anchor using certificates issued by the trusted Certificate Authority (CA) in exchange for temporary AWS credentials.

Required permissions: rolesanywhere:CreateTrustAnchor .

See also: AWS API Documentation

Request Syntax

response = client.create_trust_anchor(
    enabled=True|False,
    name='string',
    source={
        'sourceData': {
            'acmPcaArn': 'string',
            'x509CertificateData': 'string'
        },
        'sourceType': 'AWS_ACM_PCA'|'CERTIFICATE_BUNDLE'|'SELF_SIGNED_REPOSITORY'
    },
    tags=[
        {
            'key': 'string',
            'value': 'string'
        },
    ]
)

Parameters

• enabled (boolean) -- Specifies whether the trust anchor is enabled.
• name (string) --

  [REQUIRED]

  The name of the trust anchor.

• source (dict) --

  [REQUIRED]

  The trust anchor type and its related certificate data.

  • sourceData (dict) --

    The data field of the trust anchor depending on its type.

    Note

    This is a Tagged Union structure. Only one of the following top level keys can be set: acmPcaArn, x509CertificateData.

    • acmPcaArn (string) --

      The root certificate of the Certificate Manager Private Certificate Authority specified by this ARN is used in trust validation for CreateSession operations. Included for trust anchors of type AWS_ACM_PCA .

    • x509CertificateData (string) --

      The PEM-encoded data for the certificate anchor. Included for trust anchors of type CERTIFICATE_BUNDLE .

  • sourceType (string) --

    The type of the trust anchor.

• tags (list) --

  The tags to attach to the trust anchor.

  • (dict) --

    A label that consists of a key and value you define.

    • key (string) -- [REQUIRED]

      The tag key.

    • value (string) -- [REQUIRED]

      The tag value.

Return type

dict

Returns

Response Syntax

{
    'trustAnchor': {
        'createdAt': datetime(2015, 1, 1),
        'enabled': True|False,
        'name': 'string',
        'source': {
            'sourceData': {
                'acmPcaArn': 'string',
                'x509CertificateData': 'string'
            },
            'sourceType': 'AWS_ACM_PCA'|'CERTIFICATE_BUNDLE'|'SELF_SIGNED_REPOSITORY'
        },
        'trustAnchorArn': 'string',
        'trustAnchorId': 'string',
        'updatedAt': datetime(2015, 1, 1)
    }
}

Response Structure

• (dict) --

  • trustAnchor (dict) --

    The state of the trust anchor after a read or write operation.

    • createdAt (datetime) --

      The ISO-8601 timestamp when the trust anchor was created.

    • enabled (boolean) --

      Indicates whether the trust anchor is enabled.

    • name (string) --

      The name of the trust anchor.

    • source (dict) --

      The trust anchor type and its related certificate data.

      • sourceData (dict) --

        The data field of the trust anchor depending on its type.

        Note

        This is a Tagged Union structure. Only one of the following top level keys will be set: acmPcaArn, x509CertificateData. If a client receives an unknown member it will set SDK_UNKNOWN_MEMBER as the top level key, which maps to the name or tag of the unknown member. The structure of SDK_UNKNOWN_MEMBER is as follows:

        'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'}
        

        • acmPcaArn (string) --

          The root certificate of the Certificate Manager Private Certificate Authority specified by this ARN is used in trust validation for CreateSession operations. Included for trust anchors of type AWS_ACM_PCA .

        • x509CertificateData (string) --

          The PEM-encoded data for the certificate anchor. Included for trust anchors of type CERTIFICATE_BUNDLE .

      • sourceType (string) --

        The type of the trust anchor.

    • trustAnchorArn (string) --

      The ARN of the trust anchor.

    • trustAnchorId (string) --

      The unique identifier of the trust anchor.

    • updatedAt (datetime) --

      The ISO-8601 timestamp when the trust anchor was last updated.

Exceptions

• IAMRolesAnywhere.Client.exceptions.ValidationException
• IAMRolesAnywhere.Client.exceptions.AccessDeniedException

delete_crl(**kwargs)

Deletes a certificate revocation list (CRL).

Required permissions: rolesanywhere:DeleteCrl .

See also: AWS API Documentation

Request Syntax

response = client.delete_crl(
    crlId='string'
)

Parameters

crlId (string) --

[REQUIRED]

The unique identifier of the certificate revocation list (CRL).

Return type

dict

Returns

Response Syntax

{
    'crl': {
        'createdAt': datetime(2015, 1, 1),
        'crlArn': 'string',
        'crlData': b'bytes',
        'crlId': 'string',
        'enabled': True|False,
        'name': 'string',
        'trustAnchorArn': 'string',
        'updatedAt': datetime(2015, 1, 1)
    }
}

Response Structure

• (dict) --
  • crl (dict) --

    The state of the certificate revocation list (CRL) after a read or write operation.

    • createdAt (datetime) --

      The ISO-8601 timestamp when the certificate revocation list (CRL) was created.

    • crlArn (string) --

      The ARN of the certificate revocation list (CRL).

    • crlData (bytes) --

      The state of the certificate revocation list (CRL) after a read or write operation.

    • crlId (string) --

      The unique identifier of the certificate revocation list (CRL).

    • enabled (boolean) --

      Indicates whether the certificate revocation list (CRL) is enabled.

    • name (string) --

      The name of the certificate revocation list (CRL).

    • trustAnchorArn (string) --

      The ARN of the TrustAnchor the certificate revocation list (CRL) will provide revocation for.

    • updatedAt (datetime) --

      The ISO-8601 timestamp when the certificate revocation list (CRL) was last updated.

Exceptions

• IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException
• IAMRolesAnywhere.Client.exceptions.AccessDeniedException

delete_profile(**kwargs)

Deletes a profile.

Required permissions: rolesanywhere:DeleteProfile .

See also: AWS API Documentation

Request Syntax

response = client.delete_profile(
    profileId='string'
)

Parameters

profileId (string) --

[REQUIRED]

The unique identifier of the profile.

Return type

dict

Returns

Response Syntax

{
    'profile': {
        'createdAt': datetime(2015, 1, 1),
        'createdBy': 'string',
        'durationSeconds': 123,
        'enabled': True|False,
        'managedPolicyArns': [
            'string',
        ],
        'name': 'string',
        'profileArn': 'string',
        'profileId': 'string',
        'requireInstanceProperties': True|False,
        'roleArns': [
            'string',
        ],
        'sessionPolicy': 'string',
        'updatedAt': datetime(2015, 1, 1)
    }
}

Response Structure

• (dict) --
  • profile (dict) --

    The state of the profile after a read or write operation.

    • createdAt (datetime) --

      The ISO-8601 timestamp when the profile was created.

    • createdBy (string) --

      The Amazon Web Services account that created the profile.

    • durationSeconds (integer) --

      The number of seconds the vended session credentials are valid for.

    • enabled (boolean) --

      Indicates whether the profile is enabled.

    • managedPolicyArns (list) --

      A list of managed policy ARNs that apply to the vended session credentials.

      • (string) --
    • name (string) --

      The name of the profile.

    • profileArn (string) --

      The ARN of the profile.

    • profileId (string) --

      The unique identifier of the profile.

    • requireInstanceProperties (boolean) --

      Specifies whether instance properties are required in CreateSession requests with this profile.

    • roleArns (list) --

      A list of IAM roles that this profile can assume in a CreateSession operation.

      • (string) --
    • sessionPolicy (string) --

      A session policy that applies to the trust boundary of the vended session credentials.

    • updatedAt (datetime) --

      The ISO-8601 timestamp when the profile was last updated.

Exceptions

• IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException
• IAMRolesAnywhere.Client.exceptions.AccessDeniedException

delete_trust_anchor(**kwargs)

Deletes a trust anchor.

Required permissions: rolesanywhere:DeleteTrustAnchor .

See also: AWS API Documentation

Request Syntax

response = client.delete_trust_anchor(
    trustAnchorId='string'
)

Parameters

trustAnchorId (string) --

[REQUIRED]

The unique identifier of the trust anchor.

Return type

dict

Returns

Response Syntax

{
    'trustAnchor': {
        'createdAt': datetime(2015, 1, 1),
        'enabled': True|False,
        'name': 'string',
        'source': {
            'sourceData': {
                'acmPcaArn': 'string',
                'x509CertificateData': 'string'
            },
            'sourceType': 'AWS_ACM_PCA'|'CERTIFICATE_BUNDLE'|'SELF_SIGNED_REPOSITORY'
        },
        'trustAnchorArn': 'string',
        'trustAnchorId': 'string',
        'updatedAt': datetime(2015, 1, 1)
    }
}

Response Structure

• (dict) --
  • trustAnchor (dict) --

    The state of the trust anchor after a read or write operation.

    • createdAt (datetime) --

      The ISO-8601 timestamp when the trust anchor was created.

    • enabled (boolean) --

      Indicates whether the trust anchor is enabled.

    • name (string) --

      The name of the trust anchor.

    • source (dict) --

      The trust anchor type and its related certificate data.

      • sourceData (dict) --

        The data field of the trust anchor depending on its type.

        Note

        This is a Tagged Union structure. Only one of the following top level keys will be set: acmPcaArn, x509CertificateData. If a client receives an unknown member it will set SDK_UNKNOWN_MEMBER as the top level key, which maps to the name or tag of the unknown member. The structure of SDK_UNKNOWN_MEMBER is as follows:

        'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'}
        

        • acmPcaArn (string) --

          The root certificate of the Certificate Manager Private Certificate Authority specified by this ARN is used in trust validation for CreateSession operations. Included for trust anchors of type AWS_ACM_PCA .

        • x509CertificateData (string) --

          The PEM-encoded data for the certificate anchor. Included for trust anchors of type CERTIFICATE_BUNDLE .

      • sourceType (string) --

        The type of the trust anchor.

    • trustAnchorArn (string) --

      The ARN of the trust anchor.

    • trustAnchorId (string) --

      The unique identifier of the trust anchor.

    • updatedAt (datetime) --

      The ISO-8601 timestamp when the trust anchor was last updated.

Exceptions

• IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException
• IAMRolesAnywhere.Client.exceptions.AccessDeniedException

disable_crl(**kwargs)

Disables a certificate revocation list (CRL).

Required permissions: rolesanywhere:DisableCrl .

See also: AWS API Documentation

Request Syntax

response = client.disable_crl(
    crlId='string'
)

Parameters

crlId (string) --

[REQUIRED]

The unique identifier of the certificate revocation list (CRL).

Return type

dict

Returns

Response Syntax

{
    'crl': {
        'createdAt': datetime(2015, 1, 1),
        'crlArn': 'string',
        'crlData': b'bytes',
        'crlId': 'string',
        'enabled': True|False,
        'name': 'string',
        'trustAnchorArn': 'string',
        'updatedAt': datetime(2015, 1, 1)
    }
}

Response Structure

• (dict) --
  • crl (dict) --

    The state of the certificate revocation list (CRL) after a read or write operation.

    • createdAt (datetime) --

      The ISO-8601 timestamp when the certificate revocation list (CRL) was created.

    • crlArn (string) --

      The ARN of the certificate revocation list (CRL).

    • crlData (bytes) --

      The state of the certificate revocation list (CRL) after a read or write operation.

    • crlId (string) --

      The unique identifier of the certificate revocation list (CRL).

    • enabled (boolean) --

      Indicates whether the certificate revocation list (CRL) is enabled.

    • name (string) --

      The name of the certificate revocation list (CRL).

    • trustAnchorArn (string) --

      The ARN of the TrustAnchor the certificate revocation list (CRL) will provide revocation for.

    • updatedAt (datetime) --

      The ISO-8601 timestamp when the certificate revocation list (CRL) was last updated.

Exceptions

• IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException
• IAMRolesAnywhere.Client.exceptions.AccessDeniedException

disable_profile(**kwargs)

Disables a profile. When disabled, CreateSession requests with this profile fail.

Required permissions: rolesanywhere:DisableProfile .

See also: AWS API Documentation

Request Syntax

response = client.disable_profile(
    profileId='string'
)

Parameters

profileId (string) --

[REQUIRED]

The unique identifier of the profile.

Return type

dict

Returns

Response Syntax

{
    'profile': {
        'createdAt': datetime(2015, 1, 1),
        'createdBy': 'string',
        'durationSeconds': 123,
        'enabled': True|False,
        'managedPolicyArns': [
            'string',
        ],
        'name': 'string',
        'profileArn': 'string',
        'profileId': 'string',
        'requireInstanceProperties': True|False,
        'roleArns': [
            'string',
        ],
        'sessionPolicy': 'string',
        'updatedAt': datetime(2015, 1, 1)
    }
}

Response Structure

• (dict) --
  • profile (dict) --

    The state of the profile after a read or write operation.

    • createdAt (datetime) --

      The ISO-8601 timestamp when the profile was created.

    • createdBy (string) --

      The Amazon Web Services account that created the profile.

    • durationSeconds (integer) --

      The number of seconds the vended session credentials are valid for.

    • enabled (boolean) --

      Indicates whether the profile is enabled.

    • managedPolicyArns (list) --

      A list of managed policy ARNs that apply to the vended session credentials.

      • (string) --
    • name (string) --

      The name of the profile.

    • profileArn (string) --

      The ARN of the profile.

    • profileId (string) --

      The unique identifier of the profile.

    • requireInstanceProperties (boolean) --

      Specifies whether instance properties are required in CreateSession requests with this profile.

    • roleArns (list) --

      A list of IAM roles that this profile can assume in a CreateSession operation.

      • (string) --
    • sessionPolicy (string) --

      A session policy that applies to the trust boundary of the vended session credentials.

    • updatedAt (datetime) --

      The ISO-8601 timestamp when the profile was last updated.

Exceptions

• IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException
• IAMRolesAnywhere.Client.exceptions.AccessDeniedException

disable_trust_anchor(**kwargs)

Disables a trust anchor. When disabled, CreateSession requests specifying this trust anchor are unauthorized.

Required permissions: rolesanywhere:DisableTrustAnchor .

See also: AWS API Documentation

Request Syntax

response = client.disable_trust_anchor(
    trustAnchorId='string'
)

Parameters

trustAnchorId (string) --

[REQUIRED]

The unique identifier of the trust anchor.

Return type

dict

Returns

Response Syntax

{
    'trustAnchor': {
        'createdAt': datetime(2015, 1, 1),
        'enabled': True|False,
        'name': 'string',
        'source': {
            'sourceData': {
                'acmPcaArn': 'string',
                'x509CertificateData': 'string'
            },
            'sourceType': 'AWS_ACM_PCA'|'CERTIFICATE_BUNDLE'|'SELF_SIGNED_REPOSITORY'
        },
        'trustAnchorArn': 'string',
        'trustAnchorId': 'string',
        'updatedAt': datetime(2015, 1, 1)
    }
}

Response Structure

• (dict) --
  • trustAnchor (dict) --

    The state of the trust anchor after a read or write operation.

    • createdAt (datetime) --

      The ISO-8601 timestamp when the trust anchor was created.

    • enabled (boolean) --

      Indicates whether the trust anchor is enabled.

    • name (string) --

      The name of the trust anchor.

    • source (dict) --

      The trust anchor type and its related certificate data.

      • sourceData (dict) --

        The data field of the trust anchor depending on its type.

        Note

        This is a Tagged Union structure. Only one of the following top level keys will be set: acmPcaArn, x509CertificateData. If a client receives an unknown member it will set SDK_UNKNOWN_MEMBER as the top level key, which maps to the name or tag of the unknown member. The structure of SDK_UNKNOWN_MEMBER is as follows:

        'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'}
        

        • acmPcaArn (string) --

          The root certificate of the Certificate Manager Private Certificate Authority specified by this ARN is used in trust validation for CreateSession operations. Included for trust anchors of type AWS_ACM_PCA .

        • x509CertificateData (string) --

          The PEM-encoded data for the certificate anchor. Included for trust anchors of type CERTIFICATE_BUNDLE .

      • sourceType (string) --

        The type of the trust anchor.

    • trustAnchorArn (string) --

      The ARN of the trust anchor.

    • trustAnchorId (string) --

      The unique identifier of the trust anchor.

    • updatedAt (datetime) --

      The ISO-8601 timestamp when the trust anchor was last updated.

Exceptions

• IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException
• IAMRolesAnywhere.Client.exceptions.AccessDeniedException

enable_crl(**kwargs)

Enables a certificate revocation list (CRL). When enabled, certificates stored in the CRL are unauthorized to receive session credentials.

Required permissions: rolesanywhere:EnableCrl .

See also: AWS API Documentation

Request Syntax

response = client.enable_crl(
    crlId='string'
)

Parameters

crlId (string) --

[REQUIRED]

The unique identifier of the certificate revocation list (CRL).

Return type

dict

Returns

Response Syntax

{
    'crl': {
        'createdAt': datetime(2015, 1, 1),
        'crlArn': 'string',
        'crlData': b'bytes',
        'crlId': 'string',
        'enabled': True|False,
        'name': 'string',
        'trustAnchorArn': 'string',
        'updatedAt': datetime(2015, 1, 1)
    }
}

Response Structure

• (dict) --
  • crl (dict) --

    The state of the certificate revocation list (CRL) after a read or write operation.

    • createdAt (datetime) --

      The ISO-8601 timestamp when the certificate revocation list (CRL) was created.

    • crlArn (string) --

      The ARN of the certificate revocation list (CRL).

    • crlData (bytes) --

      The state of the certificate revocation list (CRL) after a read or write operation.

    • crlId (string) --

      The unique identifier of the certificate revocation list (CRL).

    • enabled (boolean) --

      Indicates whether the certificate revocation list (CRL) is enabled.

    • name (string) --

      The name of the certificate revocation list (CRL).

    • trustAnchorArn (string) --

      The ARN of the TrustAnchor the certificate revocation list (CRL) will provide revocation for.

    • updatedAt (datetime) --

      The ISO-8601 timestamp when the certificate revocation list (CRL) was last updated.

Exceptions

• IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException
• IAMRolesAnywhere.Client.exceptions.AccessDeniedException

enable_profile(**kwargs)

Enables the roles in a profile to receive session credentials in CreateSession.

Required permissions: rolesanywhere:EnableProfile .

See also: AWS API Documentation

Request Syntax

response = client.enable_profile(
    profileId='string'
)

Parameters

profileId (string) --

[REQUIRED]

The unique identifier of the profile.

Return type

dict

Returns

Response Syntax

{
    'profile': {
        'createdAt': datetime(2015, 1, 1),
        'createdBy': 'string',
        'durationSeconds': 123,
        'enabled': True|False,
        'managedPolicyArns': [
            'string',
        ],
        'name': 'string',
        'profileArn': 'string',
        'profileId': 'string',
        'requireInstanceProperties': True|False,
        'roleArns': [
            'string',
        ],
        'sessionPolicy': 'string',
        'updatedAt': datetime(2015, 1, 1)
    }
}

Response Structure

• (dict) --
  • profile (dict) --

    The state of the profile after a read or write operation.

    • createdAt (datetime) --

      The ISO-8601 timestamp when the profile was created.

    • createdBy (string) --

      The Amazon Web Services account that created the profile.

    • durationSeconds (integer) --

      The number of seconds the vended session credentials are valid for.

    • enabled (boolean) --

      Indicates whether the profile is enabled.

    • managedPolicyArns (list) --

      A list of managed policy ARNs that apply to the vended session credentials.

      • (string) --
    • name (string) --

      The name of the profile.

    • profileArn (string) --

      The ARN of the profile.

    • profileId (string) --

      The unique identifier of the profile.

    • requireInstanceProperties (boolean) --

      Specifies whether instance properties are required in CreateSession requests with this profile.

    • roleArns (list) --

      A list of IAM roles that this profile can assume in a CreateSession operation.

      • (string) --
    • sessionPolicy (string) --

      A session policy that applies to the trust boundary of the vended session credentials.

    • updatedAt (datetime) --

      The ISO-8601 timestamp when the profile was last updated.

Exceptions

• IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException
• IAMRolesAnywhere.Client.exceptions.AccessDeniedException

enable_trust_anchor(**kwargs)

Enables a trust anchor. When enabled, certificates in the trust anchor chain are authorized for trust validation.

Required permissions: rolesanywhere:EnableTrustAnchor .

See also: AWS API Documentation

Request Syntax

response = client.enable_trust_anchor(
    trustAnchorId='string'
)

Parameters

trustAnchorId (string) --

[REQUIRED]

The unique identifier of the trust anchor.

Return type

dict

Returns

Response Syntax

{
    'trustAnchor': {
        'createdAt': datetime(2015, 1, 1),
        'enabled': True|False,
        'name': 'string',
        'source': {
            'sourceData': {
                'acmPcaArn': 'string',
                'x509CertificateData': 'string'
            },
            'sourceType': 'AWS_ACM_PCA'|'CERTIFICATE_BUNDLE'|'SELF_SIGNED_REPOSITORY'
        },
        'trustAnchorArn': 'string',
        'trustAnchorId': 'string',
        'updatedAt': datetime(2015, 1, 1)
    }
}

Response Structure

• (dict) --
  • trustAnchor (dict) --

    The state of the trust anchor after a read or write operation.

    • createdAt (datetime) --

      The ISO-8601 timestamp when the trust anchor was created.

    • enabled (boolean) --

      Indicates whether the trust anchor is enabled.

    • name (string) --

      The name of the trust anchor.

    • source (dict) --

      The trust anchor type and its related certificate data.

      • sourceData (dict) --

        The data field of the trust anchor depending on its type.

        Note

        This is a Tagged Union structure. Only one of the following top level keys will be set: acmPcaArn, x509CertificateData. If a client receives an unknown member it will set SDK_UNKNOWN_MEMBER as the top level key, which maps to the name or tag of the unknown member. The structure of SDK_UNKNOWN_MEMBER is as follows:

        'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'}
        

        • acmPcaArn (string) --

          The root certificate of the Certificate Manager Private Certificate Authority specified by this ARN is used in trust validation for CreateSession operations. Included for trust anchors of type AWS_ACM_PCA .

        • x509CertificateData (string) --

          The PEM-encoded data for the certificate anchor. Included for trust anchors of type CERTIFICATE_BUNDLE .

      • sourceType (string) --

        The type of the trust anchor.

    • trustAnchorArn (string) --

      The ARN of the trust anchor.

    • trustAnchorId (string) --

      The unique identifier of the trust anchor.

    • updatedAt (datetime) --

      The ISO-8601 timestamp when the trust anchor was last updated.

Exceptions

• IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException
• IAMRolesAnywhere.Client.exceptions.AccessDeniedException

get_crl(**kwargs)

Gets a certificate revocation list (CRL).

Required permissions: rolesanywhere:GetCrl .

See also: AWS API Documentation

Request Syntax

response = client.get_crl(
    crlId='string'
)

Parameters

crlId (string) --

[REQUIRED]

The unique identifier of the certificate revocation list (CRL).

Return type

dict

Returns

Response Syntax

{
    'crl': {
        'createdAt': datetime(2015, 1, 1),
        'crlArn': 'string',
        'crlData': b'bytes',
        'crlId': 'string',
        'enabled': True|False,
        'name': 'string',
        'trustAnchorArn': 'string',
        'updatedAt': datetime(2015, 1, 1)
    }
}

Response Structure

• (dict) --
  • crl (dict) --

    The state of the certificate revocation list (CRL) after a read or write operation.

    • createdAt (datetime) --

      The ISO-8601 timestamp when the certificate revocation list (CRL) was created.

    • crlArn (string) --

      The ARN of the certificate revocation list (CRL).

    • crlData (bytes) --

      The state of the certificate revocation list (CRL) after a read or write operation.

    • crlId (string) --

      The unique identifier of the certificate revocation list (CRL).

    • enabled (boolean) --

      Indicates whether the certificate revocation list (CRL) is enabled.

    • name (string) --

      The name of the certificate revocation list (CRL).

    • trustAnchorArn (string) --

      The ARN of the TrustAnchor the certificate revocation list (CRL) will provide revocation for.

    • updatedAt (datetime) --

      The ISO-8601 timestamp when the certificate revocation list (CRL) was last updated.

Exceptions

• IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException

get_paginator(operation_name)

Create a paginator for an operation.

Parameters

operation_name (string) -- The operation name. This is the same name as the method name on the client. For example, if the method name is create_foo, and you'd normally invoke the operation as client.create_foo(**kwargs), if the create_foo operation can be paginated, you can use the call client.get_paginator("create_foo").

Raises OperationNotPageableError

Raised if the operation is not pageable. You can use the client.can_paginate method to check if an operation is pageable.

Return type

L{botocore.paginate.Paginator}

Returns

A paginator object.

get_profile(**kwargs)

Gets a profile.

Required permissions: rolesanywhere:GetProfile .

See also: AWS API Documentation

Request Syntax

response = client.get_profile(
    profileId='string'
)

Parameters

profileId (string) --

[REQUIRED]

The unique identifier of the profile.

Return type

dict

Returns

Response Syntax

{
    'profile': {
        'createdAt': datetime(2015, 1, 1),
        'createdBy': 'string',
        'durationSeconds': 123,
        'enabled': True|False,
        'managedPolicyArns': [
            'string',
        ],
        'name': 'string',
        'profileArn': 'string',
        'profileId': 'string',
        'requireInstanceProperties': True|False,
        'roleArns': [
            'string',
        ],
        'sessionPolicy': 'string',
        'updatedAt': datetime(2015, 1, 1)
    }
}

Response Structure

• (dict) --
  • profile (dict) --

    The state of the profile after a read or write operation.

    • createdAt (datetime) --

      The ISO-8601 timestamp when the profile was created.

    • createdBy (string) --

      The Amazon Web Services account that created the profile.

    • durationSeconds (integer) --

      The number of seconds the vended session credentials are valid for.

    • enabled (boolean) --

      Indicates whether the profile is enabled.

    • managedPolicyArns (list) --

      A list of managed policy ARNs that apply to the vended session credentials.

      • (string) --
    • name (string) --

      The name of the profile.

    • profileArn (string) --

      The ARN of the profile.

    • profileId (string) --

      The unique identifier of the profile.

    • requireInstanceProperties (boolean) --

      Specifies whether instance properties are required in CreateSession requests with this profile.

    • roleArns (list) --

      A list of IAM roles that this profile can assume in a CreateSession operation.

      • (string) --
    • sessionPolicy (string) --

      A session policy that applies to the trust boundary of the vended session credentials.

    • updatedAt (datetime) --

      The ISO-8601 timestamp when the profile was last updated.

Exceptions

• IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException
• IAMRolesAnywhere.Client.exceptions.AccessDeniedException

get_subject(**kwargs)

Gets a Subject. A Subject associates a certificate identity with authentication attempts by CreateSession. The Subject resources stores audit information such as status of the last authentication attempt, the certificate data used in the attempt, and the last time the associated identity attempted authentication.

Required permissions: rolesanywhere:GetSubject .

See also: AWS API Documentation

Request Syntax

response = client.get_subject(
    subjectId='string'
)

Parameters

subjectId (string) --

[REQUIRED]

The unique identifier of the subject.

Return type

dict

Returns

Response Syntax

{
    'subject': {
        'createdAt': datetime(2015, 1, 1),
        'credentials': [
            {
                'enabled': True|False,
                'failed': True|False,
                'issuer': 'string',
                'seenAt': datetime(2015, 1, 1),
                'serialNumber': 'string',
                'x509CertificateData': 'string'
            },
        ],
        'enabled': True|False,
        'instanceProperties': [
            {
                'failed': True|False,
                'properties': {
                    'string': 'string'
                },
                'seenAt': datetime(2015, 1, 1)
            },
        ],
        'lastSeenAt': datetime(2015, 1, 1),
        'subjectArn': 'string',
        'subjectId': 'string',
        'updatedAt': datetime(2015, 1, 1),
        'x509Subject': 'string'
    }
}

Response Structure

• (dict) --
  • subject (dict) --

    The state of the subject after a read or write operation.

    • createdAt (datetime) --

      The ISO-8601 timestamp when the subject was created.

    • credentials (list) --

      The temporary session credentials vended at the last authenticating call with this Subject.

      • (dict) --

        A record of a presented X509 credential to CreateSession.

        • enabled (boolean) --

          Indicates whether the credential is enabled.

        • failed (boolean) --

          Indicates whether the CreateSession operation was successful.

        • issuer (string) --

          The fully qualified domain name of the issuing certificate for the presented end-entity certificate.

        • seenAt (datetime) --

          The ISO-8601 time stamp of when the certificate was last used in a CreateSession operation.

        • serialNumber (string) --

          The serial number of the certificate.

        • x509CertificateData (string) --

          The PEM-encoded data of the certificate.

    • enabled (boolean) --

      The enabled status of the subject.

    • instanceProperties (list) --

      The specified instance properties associated with the request.

      • (dict) --

        A key-value pair you set that identifies a property of the authenticating instance.

        • failed (boolean) --

          Indicates whether the CreateSession operation was successful.

        • properties (dict) --

          A list of instanceProperty objects.

          • (string) --
            • (string) --
        • seenAt (datetime) --

          The ISO-8601 time stamp of when the certificate was last used in a CreateSession operation.

    • lastSeenAt (datetime) --

      The ISO-8601 timestamp of the last time this Subject requested temporary session credentials.

    • subjectArn (string) --

      The ARN of the resource.

    • subjectId (string) --

      The id of the resource

    • updatedAt (datetime) --

      The ISO-8601 timestamp when the subject was last updated.

    • x509Subject (string) --

      The x509 principal identifier of the authenticating certificate.

Exceptions

• IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException
• IAMRolesAnywhere.Client.exceptions.AccessDeniedException

get_trust_anchor(**kwargs)

Gets a trust anchor.

Required permissions: rolesanywhere:GetTrustAnchor .

See also: AWS API Documentation

Request Syntax

response = client.get_trust_anchor(
    trustAnchorId='string'
)

Parameters

trustAnchorId (string) --

[REQUIRED]

The unique identifier of the trust anchor.

Return type

dict

Returns

Response Syntax

{
    'trustAnchor': {
        'createdAt': datetime(2015, 1, 1),
        'enabled': True|False,
        'name': 'string',
        'source': {
            'sourceData': {
                'acmPcaArn': 'string',
                'x509CertificateData': 'string'
            },
            'sourceType': 'AWS_ACM_PCA'|'CERTIFICATE_BUNDLE'|'SELF_SIGNED_REPOSITORY'
        },
        'trustAnchorArn': 'string',
        'trustAnchorId': 'string',
        'updatedAt': datetime(2015, 1, 1)
    }
}

Response Structure

• (dict) --
  • trustAnchor (dict) --

    The state of the trust anchor after a read or write operation.

    • createdAt (datetime) --

      The ISO-8601 timestamp when the trust anchor was created.

    • enabled (boolean) --

      Indicates whether the trust anchor is enabled.

    • name (string) --

      The name of the trust anchor.

    • source (dict) --

      The trust anchor type and its related certificate data.

      • sourceData (dict) --

        The data field of the trust anchor depending on its type.

        Note

        This is a Tagged Union structure. Only one of the following top level keys will be set: acmPcaArn, x509CertificateData. If a client receives an unknown member it will set SDK_UNKNOWN_MEMBER as the top level key, which maps to the name or tag of the unknown member. The structure of SDK_UNKNOWN_MEMBER is as follows:

        'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'}
        

        • acmPcaArn (string) --

          The root certificate of the Certificate Manager Private Certificate Authority specified by this ARN is used in trust validation for CreateSession operations. Included for trust anchors of type AWS_ACM_PCA .

        • x509CertificateData (string) --

          The PEM-encoded data for the certificate anchor. Included for trust anchors of type CERTIFICATE_BUNDLE .

      • sourceType (string) --

        The type of the trust anchor.

    • trustAnchorArn (string) --

      The ARN of the trust anchor.

    • trustAnchorId (string) --

      The unique identifier of the trust anchor.

    • updatedAt (datetime) --

      The ISO-8601 timestamp when the trust anchor was last updated.

Exceptions

• IAMRolesAnywhere.Client.exceptions.ValidationException
• IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException
• IAMRolesAnywhere.Client.exceptions.AccessDeniedException

get_waiter(waiter_name)

Returns an object that can wait for some condition.

Parameters

waiter_name (str) -- The name of the waiter to get. See the waiters section of the service docs for a list of available waiters.

Returns

The specified waiter object.

Return type

botocore.waiter.Waiter

import_crl(**kwargs)

Imports the certificate revocation list (CRL). CRl is a list of certificates that have been revoked by the issuing certificate Authority (CA). IAM Roles Anywhere validates against the crl list before issuing credentials.

Required permissions: rolesanywhere:ImportCrl .

See also: AWS API Documentation

Request Syntax

response = client.import_crl(
    crlData=b'bytes',
    enabled=True|False,
    name='string',
    tags=[
        {
            'key': 'string',
            'value': 'string'
        },
    ],
    trustAnchorArn='string'
)

Parameters

• crlData (bytes) --

  [REQUIRED]

  The x509 v3 specified certificate revocation list

• enabled (boolean) -- Specifies whether the certificate revocation list (CRL) is enabled.
• name (string) --

  [REQUIRED]

  The name of the certificate revocation list (CRL).

• tags (list) --

  A list of tags to attach to the certificate revocation list (CRL).

  • (dict) --

    A label that consists of a key and value you define.

    • key (string) -- [REQUIRED]

      The tag key.

    • value (string) -- [REQUIRED]

      The tag value.

• trustAnchorArn (string) --

  [REQUIRED]

  The ARN of the TrustAnchor the certificate revocation list (CRL) will provide revocation for.

Return type

dict

Returns

Response Syntax

{
    'crl': {
        'createdAt': datetime(2015, 1, 1),
        'crlArn': 'string',
        'crlData': b'bytes',
        'crlId': 'string',
        'enabled': True|False,
        'name': 'string',
        'trustAnchorArn': 'string',
        'updatedAt': datetime(2015, 1, 1)
    }
}

Response Structure

• (dict) --

  • crl (dict) --

    The state of the certificate revocation list (CRL) after a read or write operation.

    • createdAt (datetime) --

      The ISO-8601 timestamp when the certificate revocation list (CRL) was created.

    • crlArn (string) --

      The ARN of the certificate revocation list (CRL).

    • crlData (bytes) --

      The state of the certificate revocation list (CRL) after a read or write operation.

    • crlId (string) --

      The unique identifier of the certificate revocation list (CRL).

    • enabled (boolean) --

      Indicates whether the certificate revocation list (CRL) is enabled.

    • name (string) --

      The name of the certificate revocation list (CRL).

    • trustAnchorArn (string) --

      The ARN of the TrustAnchor the certificate revocation list (CRL) will provide revocation for.

    • updatedAt (datetime) --

      The ISO-8601 timestamp when the certificate revocation list (CRL) was last updated.

Exceptions

• IAMRolesAnywhere.Client.exceptions.ValidationException
• IAMRolesAnywhere.Client.exceptions.AccessDeniedException

list_crls(**kwargs)

Lists all Crls in the authenticated account and Amazon Web Services Region.

Required permissions: rolesanywhere:ListCrls .

See also: AWS API Documentation

Request Syntax

response = client.list_crls(
    nextToken='string',
    pageSize=123
)

Parameters

• nextToken (string) -- A token that indicates where the output should continue from, if a previous operation did not show all results. To get the next results, call the operation again with this value.
• pageSize (integer) -- The number of resources in the paginated list.

Return type

dict

Returns

Response Syntax

{
    'crls': [
        {
            'createdAt': datetime(2015, 1, 1),
            'crlArn': 'string',
            'crlData': b'bytes',
            'crlId': 'string',
            'enabled': True|False,
            'name': 'string',
            'trustAnchorArn': 'string',
            'updatedAt': datetime(2015, 1, 1)
        },
    ],
    'nextToken': 'string'
}

Response Structure

• (dict) --

  • crls (list) --

    A list of certificate revocation lists (CRL).

    • (dict) --

      The state of the certificate revocation list (CRL) after a read or write operation.

      • createdAt (datetime) --

        The ISO-8601 timestamp when the certificate revocation list (CRL) was created.

      • crlArn (string) --

        The ARN of the certificate revocation list (CRL).

      • crlData (bytes) --

        The state of the certificate revocation list (CRL) after a read or write operation.

      • crlId (string) --

        The unique identifier of the certificate revocation list (CRL).

      • enabled (boolean) --

        Indicates whether the certificate revocation list (CRL) is enabled.

      • name (string) --

        The name of the certificate revocation list (CRL).

      • trustAnchorArn (string) --

        The ARN of the TrustAnchor the certificate revocation list (CRL) will provide revocation for.

      • updatedAt (datetime) --

        The ISO-8601 timestamp when the certificate revocation list (CRL) was last updated.

  • nextToken (string) --

    A token that indicates where the output should continue from, if a previous operation did not show all results. To get the next results, call the operation again with this value.

Exceptions

• IAMRolesAnywhere.Client.exceptions.ValidationException
• IAMRolesAnywhere.Client.exceptions.AccessDeniedException

list_profiles(**kwargs)

Lists all profiles in the authenticated account and Amazon Web Services Region.

Required permissions: rolesanywhere:ListProfiles .

See also: AWS API Documentation

Request Syntax

response = client.list_profiles(
    nextToken='string',
    pageSize=123
)

Parameters

• nextToken (string) -- A token that indicates where the output should continue from, if a previous operation did not show all results. To get the next results, call the operation again with this value.
• pageSize (integer) -- The number of resources in the paginated list.

Return type

dict

Returns

Response Syntax

{
    'nextToken': 'string',
    'profiles': [
        {
            'createdAt': datetime(2015, 1, 1),
            'createdBy': 'string',
            'durationSeconds': 123,
            'enabled': True|False,
            'managedPolicyArns': [
                'string',
            ],
            'name': 'string',
            'profileArn': 'string',
            'profileId': 'string',
            'requireInstanceProperties': True|False,
            'roleArns': [
                'string',
            ],
            'sessionPolicy': 'string',
            'updatedAt': datetime(2015, 1, 1)
        },
    ]
}

Response Structure

• (dict) --

  • nextToken (string) --

    A token that indicates where the output should continue from, if a previous operation did not show all results. To get the next results, call the operation again with this value.

  • profiles (list) --

    A list of profiles.

    • (dict) --

      The state of the profile after a read or write operation.

      • createdAt (datetime) --

        The ISO-8601 timestamp when the profile was created.

      • createdBy (string) --

        The Amazon Web Services account that created the profile.

      • durationSeconds (integer) --

        The number of seconds the vended session credentials are valid for.

      • enabled (boolean) --

        Indicates whether the profile is enabled.

      • managedPolicyArns (list) --

        A list of managed policy ARNs that apply to the vended session credentials.

        • (string) --

      • name (string) --

        The name of the profile.

      • profileArn (string) --

        The ARN of the profile.

      • profileId (string) --

        The unique identifier of the profile.

      • requireInstanceProperties (boolean) --

        Specifies whether instance properties are required in CreateSession requests with this profile.

      • roleArns (list) --

        A list of IAM roles that this profile can assume in a CreateSession operation.

        • (string) --

      • sessionPolicy (string) --

        A session policy that applies to the trust boundary of the vended session credentials.

      • updatedAt (datetime) --

        The ISO-8601 timestamp when the profile was last updated.

Exceptions

• IAMRolesAnywhere.Client.exceptions.ValidationException
• IAMRolesAnywhere.Client.exceptions.AccessDeniedException

list_subjects(**kwargs)

Lists the subjects in the authenticated account and Amazon Web Services Region.

Required permissions: rolesanywhere:ListSubjects .

See also: AWS API Documentation

Request Syntax

response = client.list_subjects(
    nextToken='string',
    pageSize=123
)

Parameters

• nextToken (string) -- A token that indicates where the output should continue from, if a previous operation did not show all results. To get the next results, call the operation again with this value.
• pageSize (integer) -- The number of resources in the paginated list.

Return type

dict

Returns

Response Syntax

{
    'nextToken': 'string',
    'subjects': [
        {
            'createdAt': datetime(2015, 1, 1),
            'enabled': True|False,
            'lastSeenAt': datetime(2015, 1, 1),
            'subjectArn': 'string',
            'subjectId': 'string',
            'updatedAt': datetime(2015, 1, 1),
            'x509Subject': 'string'
        },
    ]
}

Response Structure

• (dict) --

  • nextToken (string) --

    A token that indicates where the output should continue from, if a previous operation did not show all results. To get the next results, call the operation again with this value.

  • subjects (list) --

    A list of subjects.

    • (dict) --

      A summary representation of Subject resources returned in read operations; primarily ListSubjects.

      • createdAt (datetime) --

        The ISO-8601 time stamp of when the certificate was first used in a CreateSession operation.

      • enabled (boolean) --

        The enabled status of the Subject.

      • lastSeenAt (datetime) --

        The ISO-8601 time stamp of when the certificate was last used in a CreateSession operation.

      • subjectArn (string) --

        The ARN of the resource.

      • subjectId (string) --

        The id of the resource.

      • updatedAt (datetime) --

        The ISO-8601 timestamp when the subject was last updated.

      • x509Subject (string) --

        The x509 principal identifier of the authenticating certificate.

Exceptions

• IAMRolesAnywhere.Client.exceptions.ValidationException
• IAMRolesAnywhere.Client.exceptions.AccessDeniedException

list_tags_for_resource(**kwargs)

Lists the tags attached to the resource.

Required permissions: rolesanywhere:ListTagsForResource .

See also: AWS API Documentation

Request Syntax

response = client.list_tags_for_resource(
    resourceArn='string'
)

Parameters

resourceArn (string) --

[REQUIRED]

The ARN of the resource.

Return type

dict

Returns

Response Syntax

{
    'tags': [
        {
            'key': 'string',
            'value': 'string'
        },
    ]
}

Response Structure

• (dict) --
  • tags (list) --

    A list of tags attached to the resource.

    • (dict) --

      A label that consists of a key and value you define.

      • key (string) --

        The tag key.

      • value (string) --

        The tag value.

Exceptions

• IAMRolesAnywhere.Client.exceptions.ValidationException
• IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException
• IAMRolesAnywhere.Client.exceptions.AccessDeniedException

list_trust_anchors(**kwargs)

Lists the trust anchors in the authenticated account and Amazon Web Services Region.

Required permissions: rolesanywhere:ListTrustAnchors .

See also: AWS API Documentation

Request Syntax

response = client.list_trust_anchors(
    nextToken='string',
    pageSize=123
)

Parameters

• nextToken (string) -- A token that indicates where the output should continue from, if a previous operation did not show all results. To get the next results, call the operation again with this value.
• pageSize (integer) -- The number of resources in the paginated list.

Return type

dict

Returns

Response Syntax

{
    'nextToken': 'string',
    'trustAnchors': [
        {
            'createdAt': datetime(2015, 1, 1),
            'enabled': True|False,
            'name': 'string',
            'source': {
                'sourceData': {
                    'acmPcaArn': 'string',
                    'x509CertificateData': 'string'
                },
                'sourceType': 'AWS_ACM_PCA'|'CERTIFICATE_BUNDLE'|'SELF_SIGNED_REPOSITORY'
            },
            'trustAnchorArn': 'string',
            'trustAnchorId': 'string',
            'updatedAt': datetime(2015, 1, 1)
        },
    ]
}

Response Structure

• (dict) --

  • nextToken (string) --

    A token that indicates where the output should continue from, if a previous operation did not show all results. To get the next results, call the operation again with this value.

  • trustAnchors (list) --

    A list of trust anchors.

    • (dict) --

      The state of the trust anchor after a read or write operation.

      • createdAt (datetime) --

        The ISO-8601 timestamp when the trust anchor was created.

      • enabled (boolean) --

        Indicates whether the trust anchor is enabled.

      • name (string) --

        The name of the trust anchor.

      • source (dict) --

        The trust anchor type and its related certificate data.

        • sourceData (dict) --

          The data field of the trust anchor depending on its type.

          Note

          This is a Tagged Union structure. Only one of the following top level keys will be set: acmPcaArn, x509CertificateData. If a client receives an unknown member it will set SDK_UNKNOWN_MEMBER as the top level key, which maps to the name or tag of the unknown member. The structure of SDK_UNKNOWN_MEMBER is as follows:

          'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'}
          

          • acmPcaArn (string) --

            The root certificate of the Certificate Manager Private Certificate Authority specified by this ARN is used in trust validation for CreateSession operations. Included for trust anchors of type AWS_ACM_PCA .

          • x509CertificateData (string) --

            The PEM-encoded data for the certificate anchor. Included for trust anchors of type CERTIFICATE_BUNDLE .

        • sourceType (string) --

          The type of the trust anchor.

      • trustAnchorArn (string) --

        The ARN of the trust anchor.

      • trustAnchorId (string) --

        The unique identifier of the trust anchor.

      • updatedAt (datetime) --

        The ISO-8601 timestamp when the trust anchor was last updated.

Exceptions

• IAMRolesAnywhere.Client.exceptions.ValidationException
• IAMRolesAnywhere.Client.exceptions.AccessDeniedException

tag_resource(**kwargs)

Attaches tags to a resource.

Required permissions: rolesanywhere:TagResource .

See also: AWS API Documentation

Request Syntax

response = client.tag_resource(
    resourceArn='string',
    tags=[
        {
            'key': 'string',
            'value': 'string'
        },
    ]
)

Parameters

• resourceArn (string) --

  [REQUIRED]

  The ARN of the resource.

• tags (list) --

  [REQUIRED]

  The tags to attach to the resource.

  • (dict) --

    A label that consists of a key and value you define.

    • key (string) -- [REQUIRED]

      The tag key.

    • value (string) -- [REQUIRED]

      The tag value.

Return type

dict

Returns

Response Syntax

{}

Response Structure

• (dict) --

Exceptions

• IAMRolesAnywhere.Client.exceptions.ValidationException
• IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException
• IAMRolesAnywhere.Client.exceptions.AccessDeniedException
• IAMRolesAnywhere.Client.exceptions.TooManyTagsException

untag_resource(**kwargs)

Removes tags from the resource.

Required permissions: rolesanywhere:UntagResource .

See also: AWS API Documentation

Request Syntax

response = client.untag_resource(
    resourceArn='string',
    tagKeys=[
        'string',
    ]
)

Parameters

• resourceArn (string) --

  [REQUIRED]

  The ARN of the resource.

• tagKeys (list) --

  [REQUIRED]

  A list of keys. Tag keys are the unique identifiers of tags.

  • (string) --

Return type

dict

Returns

Response Syntax

{}

Response Structure

• (dict) --

Exceptions

• IAMRolesAnywhere.Client.exceptions.ValidationException
• IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException
• IAMRolesAnywhere.Client.exceptions.AccessDeniedException

update_crl(**kwargs)

Updates the certificate revocation list (CRL). CRl is a list of certificates that have been revoked by the issuing certificate Authority (CA). IAM Roles Anywhere validates against the crl list before issuing credentials.

Required permissions: rolesanywhere:UpdateCrl .

See also: AWS API Documentation

Request Syntax

response = client.update_crl(
    crlData=b'bytes',
    crlId='string',
    name='string'
)

Parameters

• crlData (bytes) -- The x509 v3 specified certificate revocation list
• crlId (string) --

  [REQUIRED]

  The unique identifier of the certificate revocation list (CRL).

• name (string) -- The name of the Crl.

Return type

dict

Returns

Response Syntax

{
    'crl': {
        'createdAt': datetime(2015, 1, 1),
        'crlArn': 'string',
        'crlData': b'bytes',
        'crlId': 'string',
        'enabled': True|False,
        'name': 'string',
        'trustAnchorArn': 'string',
        'updatedAt': datetime(2015, 1, 1)
    }
}

Response Structure

• (dict) --

  • crl (dict) --

    The state of the certificate revocation list (CRL) after a read or write operation.

    • createdAt (datetime) --

      The ISO-8601 timestamp when the certificate revocation list (CRL) was created.

    • crlArn (string) --

      The ARN of the certificate revocation list (CRL).

    • crlData (bytes) --

      The state of the certificate revocation list (CRL) after a read or write operation.

    • crlId (string) --

      The unique identifier of the certificate revocation list (CRL).

    • enabled (boolean) --

      Indicates whether the certificate revocation list (CRL) is enabled.

    • name (string) --

      The name of the certificate revocation list (CRL).

    • trustAnchorArn (string) --

      The ARN of the TrustAnchor the certificate revocation list (CRL) will provide revocation for.

    • updatedAt (datetime) --

      The ISO-8601 timestamp when the certificate revocation list (CRL) was last updated.

Exceptions

• IAMRolesAnywhere.Client.exceptions.ValidationException
• IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException
• IAMRolesAnywhere.Client.exceptions.AccessDeniedException

update_profile(**kwargs)

Updates the profile. A profile is configuration resource to list the roles that RolesAnywhere service is trusted to assume. In addition, by applying a profile you can scope-down permissions with IAM managed policies.

Required permissions: rolesanywhere:UpdateProfile .

See also: AWS API Documentation

Request Syntax

response = client.update_profile(
    durationSeconds=123,
    managedPolicyArns=[
        'string',
    ],
    name='string',
    profileId='string',
    roleArns=[
        'string',
    ],
    sessionPolicy='string'
)

Parameters

• durationSeconds (integer) -- The number of seconds the vended session credentials are valid for.
• managedPolicyArns (list) --

  A list of managed policy ARNs that apply to the vended session credentials.

  • (string) --
• name (string) -- The name of the profile.
• profileId (string) --

  [REQUIRED]

  The unique identifier of the profile.

• roleArns (list) --

  A list of IAM roles that this profile can assume in a CreateSession operation.

  • (string) --
• sessionPolicy (string) -- A session policy that applies to the trust boundary of the vended session credentials.

Return type

dict

Returns

Response Syntax

{
    'profile': {
        'createdAt': datetime(2015, 1, 1),
        'createdBy': 'string',
        'durationSeconds': 123,
        'enabled': True|False,
        'managedPolicyArns': [
            'string',
        ],
        'name': 'string',
        'profileArn': 'string',
        'profileId': 'string',
        'requireInstanceProperties': True|False,
        'roleArns': [
            'string',
        ],
        'sessionPolicy': 'string',
        'updatedAt': datetime(2015, 1, 1)
    }
}

Response Structure

• (dict) --

  • profile (dict) --

    The state of the profile after a read or write operation.

    • createdAt (datetime) --

      The ISO-8601 timestamp when the profile was created.

    • createdBy (string) --

      The Amazon Web Services account that created the profile.

    • durationSeconds (integer) --

      The number of seconds the vended session credentials are valid for.

    • enabled (boolean) --

      Indicates whether the profile is enabled.

    • managedPolicyArns (list) --

      A list of managed policy ARNs that apply to the vended session credentials.

      • (string) --

    • name (string) --

      The name of the profile.

    • profileArn (string) --

      The ARN of the profile.

    • profileId (string) --

      The unique identifier of the profile.

    • requireInstanceProperties (boolean) --

      Specifies whether instance properties are required in CreateSession requests with this profile.

    • roleArns (list) --

      A list of IAM roles that this profile can assume in a CreateSession operation.

      • (string) --

    • sessionPolicy (string) --

      A session policy that applies to the trust boundary of the vended session credentials.

    • updatedAt (datetime) --

      The ISO-8601 timestamp when the profile was last updated.

Exceptions

• IAMRolesAnywhere.Client.exceptions.ValidationException
• IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException
• IAMRolesAnywhere.Client.exceptions.AccessDeniedException

update_trust_anchor(**kwargs)

Updates the trust anchor.You establish trust between IAM Roles Anywhere and your certificate authority (CA) by configuring a trust anchor. A Trust Anchor is defined either as a reference to a AWS Certificate Manager Private Certificate Authority (ACM PCA), or by uploading a Certificate Authority (CA) certificate. Your AWS workloads can authenticate with the trust anchor using certificates issued by the trusted Certificate Authority (CA) in exchange for temporary AWS credentials.

Required permissions: rolesanywhere:UpdateTrustAnchor .

See also: AWS API Documentation

Request Syntax

response = client.update_trust_anchor(
    name='string',
    source={
        'sourceData': {
            'acmPcaArn': 'string',
            'x509CertificateData': 'string'
        },
        'sourceType': 'AWS_ACM_PCA'|'CERTIFICATE_BUNDLE'|'SELF_SIGNED_REPOSITORY'
    },
    trustAnchorId='string'
)

Parameters

• name (string) -- The name of the trust anchor.
• source (dict) --

  The trust anchor type and its related certificate data.

  • sourceData (dict) --

    The data field of the trust anchor depending on its type.

    Note

    This is a Tagged Union structure. Only one of the following top level keys can be set: acmPcaArn, x509CertificateData.

    • acmPcaArn (string) --

      The root certificate of the Certificate Manager Private Certificate Authority specified by this ARN is used in trust validation for CreateSession operations. Included for trust anchors of type AWS_ACM_PCA .

    • x509CertificateData (string) --

      The PEM-encoded data for the certificate anchor. Included for trust anchors of type CERTIFICATE_BUNDLE .

  • sourceType (string) --

    The type of the trust anchor.

• trustAnchorId (string) --

  [REQUIRED]

  The unique identifier of the trust anchor.

Return type

dict

Returns

Response Syntax

{
    'trustAnchor': {
        'createdAt': datetime(2015, 1, 1),
        'enabled': True|False,
        'name': 'string',
        'source': {
            'sourceData': {
                'acmPcaArn': 'string',
                'x509CertificateData': 'string'
            },
            'sourceType': 'AWS_ACM_PCA'|'CERTIFICATE_BUNDLE'|'SELF_SIGNED_REPOSITORY'
        },
        'trustAnchorArn': 'string',
        'trustAnchorId': 'string',
        'updatedAt': datetime(2015, 1, 1)
    }
}

Response Structure

• (dict) --

  • trustAnchor (dict) --

    The state of the trust anchor after a read or write operation.

    • createdAt (datetime) --

      The ISO-8601 timestamp when the trust anchor was created.

    • enabled (boolean) --

      Indicates whether the trust anchor is enabled.

    • name (string) --

      The name of the trust anchor.

    • source (dict) --

      The trust anchor type and its related certificate data.

      • sourceData (dict) --

        The data field of the trust anchor depending on its type.

        Note

        This is a Tagged Union structure. Only one of the following top level keys will be set: acmPcaArn, x509CertificateData. If a client receives an unknown member it will set SDK_UNKNOWN_MEMBER as the top level key, which maps to the name or tag of the unknown member. The structure of SDK_UNKNOWN_MEMBER is as follows:

        'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'}
        

        • acmPcaArn (string) --

          The root certificate of the Certificate Manager Private Certificate Authority specified by this ARN is used in trust validation for CreateSession operations. Included for trust anchors of type AWS_ACM_PCA .

        • x509CertificateData (string) --

          The PEM-encoded data for the certificate anchor. Included for trust anchors of type CERTIFICATE_BUNDLE .

      • sourceType (string) --

        The type of the trust anchor.

    • trustAnchorArn (string) --

      The ARN of the trust anchor.

    • trustAnchorId (string) --

      The unique identifier of the trust anchor.

    • updatedAt (datetime) --

      The ISO-8601 timestamp when the trust anchor was last updated.

Exceptions

• IAMRolesAnywhere.Client.exceptions.ValidationException
• IAMRolesAnywhere.Client.exceptions.ResourceNotFoundException
• IAMRolesAnywhere.Client.exceptions.AccessDeniedException

Paginators

The available paginators are:

• IAMRolesAnywhere.Paginator.ListCrls
• IAMRolesAnywhere.Paginator.ListProfiles
• IAMRolesAnywhere.Paginator.ListSubjects
• IAMRolesAnywhere.Paginator.ListTrustAnchors

class IAMRolesAnywhere.Paginator.ListCrls

paginator = client.get_paginator('list_crls')

paginate(**kwargs)

Creates an iterator that will paginate through responses from IAMRolesAnywhere.Client.list_crls().

See also: AWS API Documentation

Request Syntax

response_iterator = paginator.paginate(
    pageSize=123,
    PaginationConfig={
        'MaxItems': 123,
        'StartingToken': 'string'
    }
)

Parameters

• pageSize (integer) -- The number of resources in the paginated list.
• PaginationConfig (dict) --

  A dictionary that provides parameters to control pagination.

  • MaxItems (integer) --

    The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.

  • StartingToken (string) --

    A token to specify where to start paginating. This is the NextToken from a previous response.

Return type

dict

Returns

Response Syntax

{
    'crls': [
        {
            'createdAt': datetime(2015, 1, 1),
            'crlArn': 'string',
            'crlData': b'bytes',
            'crlId': 'string',
            'enabled': True|False,
            'name': 'string',
            'trustAnchorArn': 'string',
            'updatedAt': datetime(2015, 1, 1)
        },
    ],
    'NextToken': 'string'
}

Response Structure

• (dict) --

  • crls (list) --

    A list of certificate revocation lists (CRL).

    • (dict) --

      The state of the certificate revocation list (CRL) after a read or write operation.

      • createdAt (datetime) --

        The ISO-8601 timestamp when the certificate revocation list (CRL) was created.

      • crlArn (string) --

        The ARN of the certificate revocation list (CRL).

      • crlData (bytes) --

        The state of the certificate revocation list (CRL) after a read or write operation.

      • crlId (string) --

        The unique identifier of the certificate revocation list (CRL).

      • enabled (boolean) --

        Indicates whether the certificate revocation list (CRL) is enabled.

      • name (string) --

        The name of the certificate revocation list (CRL).

      • trustAnchorArn (string) --

        The ARN of the TrustAnchor the certificate revocation list (CRL) will provide revocation for.

      • updatedAt (datetime) --

        The ISO-8601 timestamp when the certificate revocation list (CRL) was last updated.

  • NextToken (string) --

    A token to resume pagination.

class IAMRolesAnywhere.Paginator.ListProfiles

paginator = client.get_paginator('list_profiles')

paginate(**kwargs)

Creates an iterator that will paginate through responses from IAMRolesAnywhere.Client.list_profiles().

See also: AWS API Documentation

Request Syntax

response_iterator = paginator.paginate(
    pageSize=123,
    PaginationConfig={
        'MaxItems': 123,
        'StartingToken': 'string'
    }
)

Parameters

• pageSize (integer) -- The number of resources in the paginated list.
• PaginationConfig (dict) --

  A dictionary that provides parameters to control pagination.

  • MaxItems (integer) --

    The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.

  • StartingToken (string) --

    A token to specify where to start paginating. This is the NextToken from a previous response.

Return type

dict

Returns

Response Syntax

{
    'profiles': [
        {
            'createdAt': datetime(2015, 1, 1),
            'createdBy': 'string',
            'durationSeconds': 123,
            'enabled': True|False,
            'managedPolicyArns': [
                'string',
            ],
            'name': 'string',
            'profileArn': 'string',
            'profileId': 'string',
            'requireInstanceProperties': True|False,
            'roleArns': [
                'string',
            ],
            'sessionPolicy': 'string',
            'updatedAt': datetime(2015, 1, 1)
        },
    ],
    'NextToken': 'string'
}

Response Structure

• (dict) --

  • profiles (list) --

    A list of profiles.

    • (dict) --

      The state of the profile after a read or write operation.

      • createdAt (datetime) --

        The ISO-8601 timestamp when the profile was created.

      • createdBy (string) --

        The Amazon Web Services account that created the profile.

      • durationSeconds (integer) --

        The number of seconds the vended session credentials are valid for.

      • enabled (boolean) --

        Indicates whether the profile is enabled.

      • managedPolicyArns (list) --

        A list of managed policy ARNs that apply to the vended session credentials.

        • (string) --

      • name (string) --

        The name of the profile.

      • profileArn (string) --

        The ARN of the profile.

      • profileId (string) --

        The unique identifier of the profile.

      • requireInstanceProperties (boolean) --

        Specifies whether instance properties are required in CreateSession requests with this profile.

      • roleArns (list) --

        A list of IAM roles that this profile can assume in a CreateSession operation.

        • (string) --

      • sessionPolicy (string) --

        A session policy that applies to the trust boundary of the vended session credentials.

      • updatedAt (datetime) --

        The ISO-8601 timestamp when the profile was last updated.

  • NextToken (string) --

    A token to resume pagination.

class IAMRolesAnywhere.Paginator.ListSubjects

paginator = client.get_paginator('list_subjects')

paginate(**kwargs)

Creates an iterator that will paginate through responses from IAMRolesAnywhere.Client.list_subjects().

See also: AWS API Documentation

Request Syntax

response_iterator = paginator.paginate(
    pageSize=123,
    PaginationConfig={
        'MaxItems': 123,
        'StartingToken': 'string'
    }
)

Parameters

• pageSize (integer) -- The number of resources in the paginated list.
• PaginationConfig (dict) --

  A dictionary that provides parameters to control pagination.

  • MaxItems (integer) --

    The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.

  • StartingToken (string) --

    A token to specify where to start paginating. This is the NextToken from a previous response.

Return type

dict

Returns

Response Syntax

{
    'subjects': [
        {
            'createdAt': datetime(2015, 1, 1),
            'enabled': True|False,
            'lastSeenAt': datetime(2015, 1, 1),
            'subjectArn': 'string',
            'subjectId': 'string',
            'updatedAt': datetime(2015, 1, 1),
            'x509Subject': 'string'
        },
    ],
    'NextToken': 'string'
}

Response Structure

• (dict) --

  • subjects (list) --

    A list of subjects.

    • (dict) --

      A summary representation of Subject resources returned in read operations; primarily ListSubjects.

      • createdAt (datetime) --

        The ISO-8601 time stamp of when the certificate was first used in a CreateSession operation.

      • enabled (boolean) --

        The enabled status of the Subject.

      • lastSeenAt (datetime) --

        The ISO-8601 time stamp of when the certificate was last used in a CreateSession operation.

      • subjectArn (string) --

        The ARN of the resource.

      • subjectId (string) --

        The id of the resource.

      • updatedAt (datetime) --

        The ISO-8601 timestamp when the subject was last updated.

      • x509Subject (string) --

        The x509 principal identifier of the authenticating certificate.

  • NextToken (string) --

    A token to resume pagination.

class IAMRolesAnywhere.Paginator.ListTrustAnchors

paginator = client.get_paginator('list_trust_anchors')

paginate(**kwargs)

Creates an iterator that will paginate through responses from IAMRolesAnywhere.Client.list_trust_anchors().

See also: AWS API Documentation

Request Syntax

response_iterator = paginator.paginate(
    pageSize=123,
    PaginationConfig={
        'MaxItems': 123,
        'StartingToken': 'string'
    }
)

Parameters

• pageSize (integer) -- The number of resources in the paginated list.
• PaginationConfig (dict) --

  A dictionary that provides parameters to control pagination.

  • MaxItems (integer) --

    The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.

  • StartingToken (string) --

    A token to specify where to start paginating. This is the NextToken from a previous response.

Return type

dict

Returns

Response Syntax

{
    'trustAnchors': [
        {
            'createdAt': datetime(2015, 1, 1),
            'enabled': True|False,
            'name': 'string',
            'source': {
                'sourceData': {
                    'acmPcaArn': 'string',
                    'x509CertificateData': 'string'
                },
                'sourceType': 'AWS_ACM_PCA'|'CERTIFICATE_BUNDLE'|'SELF_SIGNED_REPOSITORY'
            },
            'trustAnchorArn': 'string',
            'trustAnchorId': 'string',
            'updatedAt': datetime(2015, 1, 1)
        },
    ],
    'NextToken': 'string'
}

Response Structure

• (dict) --

  • trustAnchors (list) --

    A list of trust anchors.

    • (dict) --

      The state of the trust anchor after a read or write operation.

      • createdAt (datetime) --

        The ISO-8601 timestamp when the trust anchor was created.

      • enabled (boolean) --

        Indicates whether the trust anchor is enabled.

      • name (string) --

        The name of the trust anchor.

      • source (dict) --

        The trust anchor type and its related certificate data.

        • sourceData (dict) --

          The data field of the trust anchor depending on its type.

          Note

          This is a Tagged Union structure. Only one of the following top level keys will be set: acmPcaArn, x509CertificateData. If a client receives an unknown member it will set SDK_UNKNOWN_MEMBER as the top level key, which maps to the name or tag of the unknown member. The structure of SDK_UNKNOWN_MEMBER is as follows:

          'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'}
          

          • acmPcaArn (string) --

            The root certificate of the Certificate Manager Private Certificate Authority specified by this ARN is used in trust validation for CreateSession operations. Included for trust anchors of type AWS_ACM_PCA .

          • x509CertificateData (string) --

            The PEM-encoded data for the certificate anchor. Included for trust anchors of type CERTIFICATE_BUNDLE .

        • sourceType (string) --

          The type of the trust anchor.

      • trustAnchorArn (string) --

        The ARN of the trust anchor.

      • trustAnchorId (string) --

        The unique identifier of the trust anchor.

      • updatedAt (datetime) --

        The ISO-8601 timestamp when the trust anchor was last updated.

  • NextToken (string) --

    A token to resume pagination.