2024/08/26 - Amazon WorkSpaces - 2 updated api methods
Changes This release adds support for creating and managing directories that use AWS IAM Identity Center as user identity source. Such directories can be used to create non-Active Directory domain joined WorkSpaces Personal.Updated RegisterWorkspaceDirectory and DescribeWorkspaceDirectories APIs.
{'Filters': [{'Name': 'USER_IDENTITY_TYPE | WORKSPACE_TYPE',
'Values': ['string']}]}
Response {'Directories': {'DirectoryType': {'AWS_IAM_IDENTITY_CENTER'},
'IDCConfig': {'ApplicationArn': 'string',
'InstanceArn': 'string'},
'MicrosoftEntraConfig': {'ApplicationConfigSecretArn': 'string',
'TenantId': 'string'},
'UserIdentityType': {'AWS_IAM_IDENTITY_CENTER'}}}
Describes the available directories that are registered with Amazon WorkSpaces.
See also: AWS API Documentation
Request Syntax
client.describe_workspace_directories(
DirectoryIds=[
'string',
],
WorkspaceDirectoryNames=[
'string',
],
Limit=123,
NextToken='string',
Filters=[
{
'Name': 'USER_IDENTITY_TYPE'|'WORKSPACE_TYPE',
'Values': [
'string',
]
},
]
)
list
The identifiers of the directories. If the value is null, all directories are retrieved.
(string) --
list
The names of the WorkSpace directories.
(string) --
integer
The maximum number of directories to return.
string
If you received a NextToken from a previous call that was paginated, provide this token to receive the next set of results.
list
The filter condition for the WorkSpaces.
(dict) --
Describes the filter conditions for the WorkSpaces to return.
Name (string) -- [REQUIRED]
The name of the WorkSpaces to filter.
Values (list) -- [REQUIRED]
The values for filtering WorkSpaces
(string) --
dict
Response Syntax
{
'Directories': [
{
'DirectoryId': 'string',
'Alias': 'string',
'DirectoryName': 'string',
'RegistrationCode': 'string',
'SubnetIds': [
'string',
],
'DnsIpAddresses': [
'string',
],
'CustomerUserName': 'string',
'IamRoleId': 'string',
'DirectoryType': 'SIMPLE_AD'|'AD_CONNECTOR'|'CUSTOMER_MANAGED'|'AWS_IAM_IDENTITY_CENTER',
'WorkspaceSecurityGroupId': 'string',
'State': 'REGISTERING'|'REGISTERED'|'DEREGISTERING'|'DEREGISTERED'|'ERROR',
'WorkspaceCreationProperties': {
'EnableWorkDocs': True|False,
'EnableInternetAccess': True|False,
'DefaultOu': 'string',
'CustomSecurityGroupId': 'string',
'UserEnabledAsLocalAdministrator': True|False,
'EnableMaintenanceMode': True|False,
'InstanceIamRoleArn': 'string'
},
'ipGroupIds': [
'string',
],
'WorkspaceAccessProperties': {
'DeviceTypeWindows': 'ALLOW'|'DENY',
'DeviceTypeOsx': 'ALLOW'|'DENY',
'DeviceTypeWeb': 'ALLOW'|'DENY',
'DeviceTypeIos': 'ALLOW'|'DENY',
'DeviceTypeAndroid': 'ALLOW'|'DENY',
'DeviceTypeChromeOs': 'ALLOW'|'DENY',
'DeviceTypeZeroClient': 'ALLOW'|'DENY',
'DeviceTypeLinux': 'ALLOW'|'DENY'
},
'Tenancy': 'DEDICATED'|'SHARED',
'SelfservicePermissions': {
'RestartWorkspace': 'ENABLED'|'DISABLED',
'IncreaseVolumeSize': 'ENABLED'|'DISABLED',
'ChangeComputeType': 'ENABLED'|'DISABLED',
'SwitchRunningMode': 'ENABLED'|'DISABLED',
'RebuildWorkspace': 'ENABLED'|'DISABLED'
},
'SamlProperties': {
'Status': 'DISABLED'|'ENABLED'|'ENABLED_WITH_DIRECTORY_LOGIN_FALLBACK',
'UserAccessUrl': 'string',
'RelayStateParameterName': 'string'
},
'CertificateBasedAuthProperties': {
'Status': 'DISABLED'|'ENABLED',
'CertificateAuthorityArn': 'string'
},
'MicrosoftEntraConfig': {
'TenantId': 'string',
'ApplicationConfigSecretArn': 'string'
},
'WorkspaceDirectoryName': 'string',
'WorkspaceDirectoryDescription': 'string',
'UserIdentityType': 'CUSTOMER_MANAGED'|'AWS_DIRECTORY_SERVICE'|'AWS_IAM_IDENTITY_CENTER',
'WorkspaceType': 'PERSONAL'|'POOLS',
'IDCConfig': {
'InstanceArn': 'string',
'ApplicationArn': 'string'
},
'ActiveDirectoryConfig': {
'DomainName': 'string',
'ServiceAccountSecretArn': 'string'
},
'StreamingProperties': {
'StreamingExperiencePreferredProtocol': 'TCP'|'UDP',
'UserSettings': [
{
'Action': 'CLIPBOARD_COPY_FROM_LOCAL_DEVICE'|'CLIPBOARD_COPY_TO_LOCAL_DEVICE'|'PRINTING_TO_LOCAL_DEVICE'|'SMART_CARD',
'Permission': 'ENABLED'|'DISABLED',
'MaximumLength': 123
},
],
'StorageConnectors': [
{
'ConnectorType': 'HOME_FOLDER',
'Status': 'ENABLED'|'DISABLED'
},
]
},
'ErrorMessage': 'string'
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
Directories (list) --
Information about the directories.
(dict) --
Describes a directory that is used with Amazon WorkSpaces.
DirectoryId (string) --
The directory identifier.
Alias (string) --
The directory alias.
DirectoryName (string) --
The name of the directory.
RegistrationCode (string) --
The registration code for the directory. This is the code that users enter in their Amazon WorkSpaces client application to connect to the directory.
SubnetIds (list) --
The identifiers of the subnets used with the directory.
(string) --
DnsIpAddresses (list) --
The IP addresses of the DNS servers for the directory.
(string) --
CustomerUserName (string) --
The user name for the service account.
IamRoleId (string) --
The identifier of the IAM role. This is the role that allows Amazon WorkSpaces to make calls to other services, such as Amazon EC2, on your behalf.
DirectoryType (string) --
The directory type.
WorkspaceSecurityGroupId (string) --
The identifier of the security group that is assigned to new WorkSpaces.
State (string) --
The state of the directory's registration with Amazon WorkSpaces. After a directory is deregistered, the DEREGISTERED state is returned very briefly before the directory metadata is cleaned up, so this state is rarely returned. To confirm that a directory is deregistered, check for the directory ID by using DescribeWorkspaceDirectories. If the directory ID isn't returned, then the directory has been successfully deregistered.
WorkspaceCreationProperties (dict) --
The default creation properties for all WorkSpaces in the directory.
EnableWorkDocs (boolean) --
Specifies whether the directory is enabled for Amazon WorkDocs.
EnableInternetAccess (boolean) --
Specifies whether to automatically assign an Elastic public IP address to WorkSpaces in this directory by default. If enabled, the Elastic public IP address allows outbound internet access from your WorkSpaces when you’re using an internet gateway in the Amazon VPC in which your WorkSpaces are located. If you're using a Network Address Translation (NAT) gateway for outbound internet access from your VPC, or if your WorkSpaces are in public subnets and you manually assign them Elastic IP addresses, you should disable this setting. This setting applies to new WorkSpaces that you launch or to existing WorkSpaces that you rebuild. For more information, see Configure a VPC for Amazon WorkSpaces.
DefaultOu (string) --
The organizational unit (OU) in the directory for the WorkSpace machine accounts.
CustomSecurityGroupId (string) --
The identifier of the default security group to apply to WorkSpaces when they are created. For more information, see Security Groups for Your WorkSpaces.
UserEnabledAsLocalAdministrator (boolean) --
Specifies whether WorkSpace users are local administrators on their WorkSpaces.
EnableMaintenanceMode (boolean) --
Specifies whether maintenance mode is enabled for WorkSpaces. For more information, see WorkSpace Maintenance.
InstanceIamRoleArn (string) --
Indicates the IAM role ARN of the instance.
ipGroupIds (list) --
The identifiers of the IP access control groups associated with the directory.
(string) --
WorkspaceAccessProperties (dict) --
The devices and operating systems that users can use to access WorkSpaces.
DeviceTypeWindows (string) --
Indicates whether users can use Windows clients to access their WorkSpaces.
DeviceTypeOsx (string) --
Indicates whether users can use macOS clients to access their WorkSpaces.
DeviceTypeWeb (string) --
Indicates whether users can access their WorkSpaces through a web browser.
DeviceTypeIos (string) --
Indicates whether users can use iOS devices to access their WorkSpaces.
DeviceTypeAndroid (string) --
Indicates whether users can use Android and Android-compatible Chrome OS devices to access their WorkSpaces.
DeviceTypeChromeOs (string) --
Indicates whether users can use Chromebooks to access their WorkSpaces.
DeviceTypeZeroClient (string) --
Indicates whether users can use zero client devices to access their WorkSpaces.
DeviceTypeLinux (string) --
Indicates whether users can use Linux clients to access their WorkSpaces.
Tenancy (string) --
Specifies whether the directory is dedicated or shared. To use Bring Your Own License (BYOL), this value must be set to DEDICATED . For more information, see Bring Your Own Windows Desktop Images.
SelfservicePermissions (dict) --
The default self-service permissions for WorkSpaces in the directory.
RestartWorkspace (string) --
Specifies whether users can restart their WorkSpace.
IncreaseVolumeSize (string) --
Specifies whether users can increase the volume size of the drives on their WorkSpace.
ChangeComputeType (string) --
Specifies whether users can change the compute type (bundle) for their WorkSpace.
SwitchRunningMode (string) --
Specifies whether users can switch the running mode of their WorkSpace.
RebuildWorkspace (string) --
Specifies whether users can rebuild the operating system of a WorkSpace to its original state.
SamlProperties (dict) --
Describes the enablement status, user access URL, and relay state parameter name that are used for configuring federation with an SAML 2.0 identity provider.
Status (string) --
Indicates the status of SAML 2.0 authentication. These statuses include the following.
If the setting is DISABLED , end users will be directed to login with their directory credentials.
If the setting is ENABLED , end users will be directed to login via the user access URL. Users attempting to connect to WorkSpaces from a client application that does not support SAML 2.0 authentication will not be able to connect.
If the setting is ENABLED_WITH_DIRECTORY_LOGIN_FALLBACK , end users will be directed to login via the user access URL on supported client applications, but will not prevent clients that do not support SAML 2.0 authentication from connecting as if SAML 2.0 authentication was disabled.
UserAccessUrl (string) --
The SAML 2.0 identity provider (IdP) user access URL is the URL a user would navigate to in their web browser in order to federate from the IdP and directly access the application, without any SAML 2.0 service provider (SP) bindings.
RelayStateParameterName (string) --
The relay state parameter name supported by the SAML 2.0 identity provider (IdP). When the end user is redirected to the user access URL from the WorkSpaces client application, this relay state parameter name is appended as a query parameter to the URL along with the relay state endpoint to return the user to the client application session.
To use SAML 2.0 authentication with WorkSpaces, the IdP must support IdP-initiated deep linking for the relay state URL. Consult your IdP documentation for more information.
CertificateBasedAuthProperties (dict) --
The certificate-based authentication properties used to authenticate SAML 2.0 Identity Provider (IdP) user identities to Active Directory for WorkSpaces login.
Status (string) --
The status of the certificate-based authentication properties.
CertificateAuthorityArn (string) --
The Amazon Resource Name (ARN) of the Amazon Web Services Certificate Manager Private CA resource.
MicrosoftEntraConfig (dict) --
Specifies details about Microsoft Entra configurations.
TenantId (string) --
The identifier of the tenant.
ApplicationConfigSecretArn (string) --
The Amazon Resource Name (ARN) of the application config.
WorkspaceDirectoryName (string) --
The name fo the WorkSpace directory.
WorkspaceDirectoryDescription (string) --
The description of the WorkSpace directory
UserIdentityType (string) --
Indicates the identity type of the specifired user.
WorkspaceType (string) --
Indicates whether the directory's WorkSpace type is personal or pools.
IDCConfig (dict) --
Specifies details about identity center configurations.
InstanceArn (string) --
The Amazon Resource Name (ARN) of the identity center instance.
ApplicationArn (string) --
The Amazon Resource Name (ARN) of the application.
ActiveDirectoryConfig (dict) --
Information about the Active Directory config.
DomainName (string) --
The name of the domain.
ServiceAccountSecretArn (string) --
Indicates the secret ARN on the service account.
StreamingProperties (dict) --
The streaming properties to configure.
StreamingExperiencePreferredProtocol (string) --
Indicates the type of preferred protocol for the streaming experience.
UserSettings (list) --
Indicates the permission settings asscoiated with the user.
(dict) --
Information about the user's permission settings.
Action (string) --
Indicates the type of action.
Permission (string) --
Indicates if the setting is enabled or disabled.
MaximumLength (integer) --
Indicates the maximum character length for the specified user setting.
StorageConnectors (list) --
Indicates the storage connector used
(dict) --
Describes the storage connector.
ConnectorType (string) --
The type of connector used to save user files.
Status (string) --
Indicates if the storage connetor is enabled or disabled.
ErrorMessage (string) --
The error message returned.
NextToken (string) --
The token to use to retrieve the next page of results. This value is null when there are no more results to return.
{'IdcInstanceArn': 'string',
'MicrosoftEntraConfig': {'ApplicationConfigSecretArn': 'string',
'TenantId': 'string'},
'UserIdentityType': {'AWS_IAM_IDENTITY_CENTER'}}
Registers the specified directory. This operation is asynchronous and returns before the WorkSpace directory is registered. If this is the first time you are registering a directory, you will need to create the workspaces_DefaultRole role before you can register a directory. For more information, see Creating the workspaces_DefaultRole Role.
See also: AWS API Documentation
Request Syntax
client.register_workspace_directory(
DirectoryId='string',
SubnetIds=[
'string',
],
EnableWorkDocs=True|False,
EnableSelfService=True|False,
Tenancy='DEDICATED'|'SHARED',
Tags=[
{
'Key': 'string',
'Value': 'string'
},
],
WorkspaceDirectoryName='string',
WorkspaceDirectoryDescription='string',
UserIdentityType='CUSTOMER_MANAGED'|'AWS_DIRECTORY_SERVICE'|'AWS_IAM_IDENTITY_CENTER',
IdcInstanceArn='string',
MicrosoftEntraConfig={
'TenantId': 'string',
'ApplicationConfigSecretArn': 'string'
},
WorkspaceType='PERSONAL'|'POOLS',
ActiveDirectoryConfig={
'DomainName': 'string',
'ServiceAccountSecretArn': 'string'
}
)
string
The identifier of the directory. You cannot register a directory if it does not have a status of Active. If the directory does not have a status of Active, you will receive an InvalidResourceStateException error. If you have already registered the maximum number of directories that you can register with Amazon WorkSpaces, you will receive a ResourceLimitExceededException error. Deregister directories that you are not using for WorkSpaces, and try again.
list
The identifiers of the subnets for your virtual private cloud (VPC). Make sure that the subnets are in supported Availability Zones. The subnets must also be in separate Availability Zones. If these conditions are not met, you will receive an OperationNotSupportedException error.
(string) --
boolean
Indicates whether Amazon WorkDocs is enabled or disabled. If you have enabled this parameter and WorkDocs is not available in the Region, you will receive an OperationNotSupportedException error. Set EnableWorkDocs to disabled, and try again.
boolean
Indicates whether self-service capabilities are enabled or disabled.
string
Indicates whether your WorkSpace directory is dedicated or shared. To use Bring Your Own License (BYOL) images, this value must be set to DEDICATED and your Amazon Web Services account must be enabled for BYOL. If your account has not been enabled for BYOL, you will receive an InvalidParameterValuesException error. For more information about BYOL images, see Bring Your Own Windows Desktop Images.
list
The tags associated with the directory.
(dict) --
Describes a tag.
Key (string) -- [REQUIRED]
The key of the tag.
Value (string) --
The value of the tag.
string
The name of the directory to register.
string
Description of the directory to register.
string
The type of identity management the user is using.
string
The Amazon Resource Name (ARN) of the identity center instance.
dict
The details about Microsoft Entra config.
TenantId (string) --
The identifier of the tenant.
ApplicationConfigSecretArn (string) --
The Amazon Resource Name (ARN) of the application config.
string
Indicates whether the directory's WorkSpace type is personal or pools.
dict
The active directory config of the directory.
DomainName (string) -- [REQUIRED]
The name of the domain.
ServiceAccountSecretArn (string) -- [REQUIRED]
Indicates the secret ARN on the service account.
dict
Response Syntax
{
'DirectoryId': 'string',
'State': 'REGISTERING'|'REGISTERED'|'DEREGISTERING'|'DEREGISTERED'|'ERROR'
}
Response Structure
(dict) --
DirectoryId (string) --
The identifier of the directory.
State (string) --
The registration status of the WorkSpace directory.