2026/02/02 - AWS Multi-party Approval - 4 updated api methods
Changes Updates to multi-party approval (MPA) service to add support for multi-factor authentication (MFA) for voting operations.
{'Approvers': {'MfaMethods': [{'SyncStatus': 'IN_SYNC | OUT_OF_SYNC',
'Type': 'EMAIL_OTP'}]},
'PendingUpdate': {'Approvers': {'MfaMethods': [{'SyncStatus': 'IN_SYNC | '
'OUT_OF_SYNC',
'Type': 'EMAIL_OTP'}]}}}
Returns details for an approval team.
See also: AWS API Documentation
Request Syntax
client.get_approval_team(
Arn='string'
)
string
[REQUIRED]
Amazon Resource Name (ARN) for the team.
dict
Response Syntax
{
'CreationTime': datetime(2015, 1, 1),
'ApprovalStrategy': {
'MofN': {
'MinApprovalsRequired': 123
}
},
'NumberOfApprovers': 123,
'Approvers': [
{
'ApproverId': 'string',
'ResponseTime': datetime(2015, 1, 1),
'PrimaryIdentityId': 'string',
'PrimaryIdentitySourceArn': 'string',
'PrimaryIdentityStatus': 'PENDING'|'ACCEPTED'|'REJECTED'|'INVALID',
'MfaMethods': [
{
'Type': 'EMAIL_OTP',
'SyncStatus': 'IN_SYNC'|'OUT_OF_SYNC'
},
]
},
],
'Arn': 'string',
'Description': 'string',
'Name': 'string',
'Status': 'ACTIVE'|'INACTIVE'|'DELETING'|'PENDING',
'StatusCode': 'VALIDATING'|'PENDING_ACTIVATION'|'FAILED_VALIDATION'|'FAILED_ACTIVATION'|'UPDATE_PENDING_APPROVAL'|'UPDATE_PENDING_ACTIVATION'|'UPDATE_FAILED_APPROVAL'|'UPDATE_FAILED_ACTIVATION'|'UPDATE_FAILED_VALIDATION'|'DELETE_PENDING_APPROVAL'|'DELETE_FAILED_APPROVAL'|'DELETE_FAILED_VALIDATION',
'StatusMessage': 'string',
'UpdateSessionArn': 'string',
'VersionId': 'string',
'Policies': [
{
'PolicyArn': 'string'
},
],
'LastUpdateTime': datetime(2015, 1, 1),
'PendingUpdate': {
'VersionId': 'string',
'Description': 'string',
'ApprovalStrategy': {
'MofN': {
'MinApprovalsRequired': 123
}
},
'NumberOfApprovers': 123,
'Status': 'ACTIVE'|'INACTIVE'|'DELETING'|'PENDING',
'StatusCode': 'VALIDATING'|'PENDING_ACTIVATION'|'FAILED_VALIDATION'|'FAILED_ACTIVATION'|'UPDATE_PENDING_APPROVAL'|'UPDATE_PENDING_ACTIVATION'|'UPDATE_FAILED_APPROVAL'|'UPDATE_FAILED_ACTIVATION'|'UPDATE_FAILED_VALIDATION'|'DELETE_PENDING_APPROVAL'|'DELETE_FAILED_APPROVAL'|'DELETE_FAILED_VALIDATION',
'StatusMessage': 'string',
'Approvers': [
{
'ApproverId': 'string',
'ResponseTime': datetime(2015, 1, 1),
'PrimaryIdentityId': 'string',
'PrimaryIdentitySourceArn': 'string',
'PrimaryIdentityStatus': 'PENDING'|'ACCEPTED'|'REJECTED'|'INVALID',
'MfaMethods': [
{
'Type': 'EMAIL_OTP',
'SyncStatus': 'IN_SYNC'|'OUT_OF_SYNC'
},
]
},
],
'UpdateInitiationTime': datetime(2015, 1, 1)
}
}
Response Structure
(dict) --
CreationTime (datetime) --
Timestamp when the team was created.
ApprovalStrategy (dict) --
An ApprovalStrategyResponse object. Contains details for how the team grants approval.
MofN (dict) --
Minimum number of approvals (M) required for a total number of approvers (N).
MinApprovalsRequired (integer) --
Minimum number of approvals (M) required for a total number of approvers (N).
NumberOfApprovers (integer) --
Total number of approvers in the team.
Approvers (list) --
An array of GetApprovalTeamResponseApprover objects. Contains details for the approvers in the team.
(dict) --
Contains details for an approver.
ApproverId (string) --
ID for the approver.
ResponseTime (datetime) --
Timestamp when the approver responded to an approval team invitation.
PrimaryIdentityId (string) --
ID for the user.
PrimaryIdentitySourceArn (string) --
Amazon Resource Name (ARN) for the identity source. The identity source manages the user authentication for approvers.
PrimaryIdentityStatus (string) --
Status for the identity source. For example, if an approver has accepted a team invitation with a user authentication method managed by the identity source.
MfaMethods (list) --
Multi-factor authentication configuration for the approver
(dict) --
MFA configuration and sycnronization status for an approver
Type (string) --
The type of MFA configuration used by the approver
SyncStatus (string) --
Indicates if the approver's MFA device is in-sync with the Identity Source
Arn (string) --
Amazon Resource Name (ARN) for the team.
Description (string) --
Description for the team.
Name (string) --
Name of the approval team.
Status (string) --
Status for the team. For more information, see Team health in the Multi-party approval User Guide.
StatusCode (string) --
Status code for the approval team. For more information, see Team health in the Multi-party approval User Guide.
StatusMessage (string) --
Message describing the status for the team.
UpdateSessionArn (string) --
Amazon Resource Name (ARN) for the session.
VersionId (string) --
Version ID for the team.
Policies (list) --
An array of PolicyReference objects. Contains a list of policies that define the permissions for team resources.
(dict) --
Contains the Amazon Resource Name (ARN) for a policy. Policies define what operations a team that define the permissions for team resources.
PolicyArn (string) --
Amazon Resource Name (ARN) for the policy.
LastUpdateTime (datetime) --
Timestamp when the team was last updated.
PendingUpdate (dict) --
A PendingUpdate object. Contains details for the pending updates for the team, if applicable.
VersionId (string) --
Version ID for the team.
Description (string) --
Description for the team.
ApprovalStrategy (dict) --
An ApprovalStrategyResponse object. Contains details for how the team grants approval.
MofN (dict) --
Minimum number of approvals (M) required for a total number of approvers (N).
MinApprovalsRequired (integer) --
Minimum number of approvals (M) required for a total number of approvers (N).
NumberOfApprovers (integer) --
Total number of approvers in the team.
Status (string) --
Status for the team. For more information, see Team health in the Multi-party approval User Guide.
StatusCode (string) --
Status code for the update. For more information, see Team health in the Multi-party approval User Guide.
StatusMessage (string) --
Message describing the status for the team.
Approvers (list) --
An array of GetApprovalTeamResponseApprover objects. Contains details for the approvers in the team.
(dict) --
Contains details for an approver.
ApproverId (string) --
ID for the approver.
ResponseTime (datetime) --
Timestamp when the approver responded to an approval team invitation.
PrimaryIdentityId (string) --
ID for the user.
PrimaryIdentitySourceArn (string) --
Amazon Resource Name (ARN) for the identity source. The identity source manages the user authentication for approvers.
PrimaryIdentityStatus (string) --
Status for the identity source. For example, if an approver has accepted a team invitation with a user authentication method managed by the identity source.
MfaMethods (list) --
Multi-factor authentication configuration for the approver
(dict) --
MFA configuration and sycnronization status for an approver
Type (string) --
The type of MFA configuration used by the approver
SyncStatus (string) --
Indicates if the approver's MFA device is in-sync with the Identity Source
UpdateInitiationTime (datetime) --
Timestamp when the update request was initiated.
{'AdditionalSecurityRequirements': ['APPROVER_VERIFICATION_REQUIRED']}
Returns details for an approval session. For more information, see Session in the Multi-party approval User Guide.
See also: AWS API Documentation
Request Syntax
client.get_session(
SessionArn='string'
)
string
[REQUIRED]
Amazon Resource Name (ARN) for the session.
dict
Response Syntax
{
'SessionArn': 'string',
'ApprovalTeamArn': 'string',
'ApprovalTeamName': 'string',
'ProtectedResourceArn': 'string',
'ApprovalStrategy': {
'MofN': {
'MinApprovalsRequired': 123
}
},
'NumberOfApprovers': 123,
'InitiationTime': datetime(2015, 1, 1),
'ExpirationTime': datetime(2015, 1, 1),
'CompletionTime': datetime(2015, 1, 1),
'Description': 'string',
'Metadata': {
'string': 'string'
},
'Status': 'PENDING'|'CANCELLED'|'APPROVED'|'FAILED'|'CREATING',
'StatusCode': 'REJECTED'|'EXPIRED'|'CONFIGURATION_CHANGED',
'StatusMessage': 'string',
'ExecutionStatus': 'EXECUTED'|'FAILED'|'PENDING',
'ActionName': 'string',
'RequesterServicePrincipal': 'string',
'RequesterPrincipalArn': 'string',
'RequesterAccountId': 'string',
'RequesterRegion': 'string',
'RequesterComment': 'string',
'ActionCompletionStrategy': 'AUTO_COMPLETION_UPON_APPROVAL',
'ApproverResponses': [
{
'ApproverId': 'string',
'IdentitySourceArn': 'string',
'IdentityId': 'string',
'Response': 'APPROVED'|'REJECTED'|'NO_RESPONSE',
'ResponseTime': datetime(2015, 1, 1)
},
],
'AdditionalSecurityRequirements': [
'APPROVER_VERIFICATION_REQUIRED',
]
}
Response Structure
(dict) --
SessionArn (string) --
Amazon Resource Name (ARN) for the session.
ApprovalTeamArn (string) --
Amazon Resource Name (ARN) for the approval team.
ApprovalTeamName (string) --
Name of the approval team.
ProtectedResourceArn (string) --
Amazon Resource Name (ARN) for the protected operation.
ApprovalStrategy (dict) --
An ApprovalStrategyResponse object. Contains details for how the team grants approval
MofN (dict) --
Minimum number of approvals (M) required for a total number of approvers (N).
MinApprovalsRequired (integer) --
Minimum number of approvals (M) required for a total number of approvers (N).
NumberOfApprovers (integer) --
Total number of approvers in the session.
InitiationTime (datetime) --
Timestamp when the session was initiated.
ExpirationTime (datetime) --
Timestamp when the session will expire.
CompletionTime (datetime) --
Timestamp when the session completed.
Description (string) --
Description for the session.
Metadata (dict) --
Metadata for the session.
(string) --
(string) --
Status (string) --
Status for the session. For example, if the team has approved the requested operation.
StatusCode (string) --
Status code of the session.
StatusMessage (string) --
Message describing the status for session.
ExecutionStatus (string) --
Status for the protected operation. For example, if the operation is PENDING.
ActionName (string) --
Name of the protected operation.
RequesterServicePrincipal (string) --
Service principal for the service associated with the protected operation.
RequesterPrincipalArn (string) --
IAM principal that made the operation request.
RequesterAccountId (string) --
ID for the account that made the operation request.
RequesterRegion (string) --
Amazon Web Services Region where the operation request originated.
RequesterComment (string) --
Message from the account that made the operation request
ActionCompletionStrategy (string) --
Strategy for executing the protected operation. AUTO_COMPLETION_UPON_APPROVAL means the operation is automatically executed using the requester's permissions, if approved.
ApproverResponses (list) --
An array of GetSessionResponseApproverResponse objects. Contains details for approver responses in the session.
(dict) --
Contains details for an approver response in an approval session.
ApproverId (string) --
ID for the approver.
IdentitySourceArn (string) --
Amazon Resource Name (ARN) for the identity source. The identity source manages the user authentication for approvers.
IdentityId (string) --
ID for the identity source. The identity source manages the user authentication for approvers.
Response (string) --
Response to the operation request.
ResponseTime (datetime) --
Timestamp when a approver responded to the operation request.
AdditionalSecurityRequirements (list) --
A list of AdditionalSecurityRequirement applied to the session.
(string) --
Additional security requirements applied to a session or invitation
APPROVER_VERIFICATION_REQUIRED: Approvers will be required to perform an MFA challenge to vote
{'Sessions': {'AdditionalSecurityRequirements': ['APPROVER_VERIFICATION_REQUIRED']}}
Returns a list of approval sessions. For more information, see Session in the Multi-party approval User Guide.
See also: AWS API Documentation
Request Syntax
client.list_sessions(
ApprovalTeamArn='string',
MaxResults=123,
NextToken='string',
Filters=[
{
'FieldName': 'ActionName'|'ApprovalTeamName'|'VotingTime'|'Vote'|'SessionStatus'|'InitiationTime',
'Operator': 'EQ'|'NE'|'GT'|'LT'|'GTE'|'LTE'|'CONTAINS'|'NOT_CONTAINS'|'BETWEEN',
'Value': 'string'
},
]
)
string
[REQUIRED]
Amazon Resource Name (ARN) for the approval team.
integer
The maximum number of items to return in the response. If more results exist than the specified MaxResults value, a token is included in the response so that you can retrieve the remaining results.
string
If present, indicates that more output is available than is included in the current response. Use this value in the NextToken request parameter in a next call to the operation to get more output. You can repeat this until the NextToken response element returns null.
list
An array of Filter objects. Contains the filter to apply when listing sessions.
(dict) --
Contains the filter to apply to requests. You can specify up to 10 filters for a request.
FieldName (string) --
Name of the filter to use.
Operator (string) --
Operator to use for filtering.
EQ: Equal to the specified value
NE: Not equal to the specified value
GT: Greater than the specified value
LT: Less than the specified value
GTE: Greater than or equal to the specified value
LTE: Less than or equal to the specified value
CONTAINS: Contains the specified value
NOT_CONTAINS: Does not contain the specified value
BETWEEN: Between two values, inclusive of the specified values.
Value (string) --
Value to use for filtering. For the BETWEEN operator, specify values in the format a AND b ( AND is case-insensitive).
dict
Response Syntax
{
'NextToken': 'string',
'Sessions': [
{
'SessionArn': 'string',
'ApprovalTeamName': 'string',
'ApprovalTeamArn': 'string',
'InitiationTime': datetime(2015, 1, 1),
'ExpirationTime': datetime(2015, 1, 1),
'CompletionTime': datetime(2015, 1, 1),
'Description': 'string',
'ActionName': 'string',
'ProtectedResourceArn': 'string',
'RequesterServicePrincipal': 'string',
'RequesterPrincipalArn': 'string',
'RequesterRegion': 'string',
'RequesterAccountId': 'string',
'Status': 'PENDING'|'CANCELLED'|'APPROVED'|'FAILED'|'CREATING',
'StatusCode': 'REJECTED'|'EXPIRED'|'CONFIGURATION_CHANGED',
'StatusMessage': 'string',
'ActionCompletionStrategy': 'AUTO_COMPLETION_UPON_APPROVAL',
'AdditionalSecurityRequirements': [
'APPROVER_VERIFICATION_REQUIRED',
]
},
]
}
Response Structure
(dict) --
NextToken (string) --
If present, indicates that more output is available than is included in the current response. Use this value in the NextToken request parameter in a next call to the operation to get more output. You can repeat this until the NextToken response element returns null.
Sessions (list) --
An array of ListSessionsResponseSession objects. Contains details for the sessions.
(dict) --
Contains details for an approval session. For more information, see Session in the Multi-party approval User Guide
SessionArn (string) --
Amazon Resource Name (ARN) for the session.
ApprovalTeamName (string) --
Name of the approval team.
ApprovalTeamArn (string) --
Amazon Resource Name (ARN) for the approval team.
InitiationTime (datetime) --
Timestamp when the session was initiated.
ExpirationTime (datetime) --
Timestamp when the session was expire.
CompletionTime (datetime) --
Timestamp when the session was completed.
Description (string) --
Description for the team.
ActionName (string) --
Name of the protected operation.
ProtectedResourceArn (string) --
Amazon Resource Name (ARN) for the protected operation.
RequesterServicePrincipal (string) --
Service principal for the service associated with the protected operation.
RequesterPrincipalArn (string) --
IAM principal that made the operation request.
RequesterRegion (string) --
Amazon Web Services Region where the operation request originated.
RequesterAccountId (string) --
ID for the account that made the operation request.
Status (string) --
Status for the protected operation. For example, if the operation is PENDING.
StatusCode (string) --
Status code of the session.
StatusMessage (string) --
Message describing the status for session.
ActionCompletionStrategy (string) --
Strategy for executing the protected operation. AUTO_COMPLETION_UPON_APPROVAL means the operation is executed automatically using the requester's permissions, if approved.
AdditionalSecurityRequirements (list) --
A list of AdditionalSecurityRequirement applied to the session.
(string) --
Additional security requirements applied to a session or invitation
APPROVER_VERIFICATION_REQUIRED: Approvers will be required to perform an MFA challenge to vote
{'UpdateActions': ['SYNCHRONIZE_MFA_DEVICES']}
Updates an approval team. You can request to update the team description, approval threshold, and approvers in the team.
See also: AWS API Documentation
Request Syntax
client.update_approval_team(
ApprovalStrategy={
'MofN': {
'MinApprovalsRequired': 123
}
},
Approvers=[
{
'PrimaryIdentityId': 'string',
'PrimaryIdentitySourceArn': 'string'
},
],
Description='string',
Arn='string',
UpdateActions=[
'SYNCHRONIZE_MFA_DEVICES',
]
)
dict
An ApprovalStrategy object. Contains details for how the team grants approval.
MofN (dict) --
Minimum number of approvals (M) required for a total number of approvers (N).
MinApprovalsRequired (integer) -- [REQUIRED]
Minimum number of approvals (M) required for a total number of approvers (N).
list
An array of ApprovalTeamRequestApprover objects. Contains details for the approvers in the team.
(dict) --
Contains details for an approver.
PrimaryIdentityId (string) -- [REQUIRED]
ID for the user.
PrimaryIdentitySourceArn (string) -- [REQUIRED]
Amazon Resource Name (ARN) for the identity source. The identity source manages the user authentication for approvers.
string
Description for the team.
string
[REQUIRED]
Amazon Resource Name (ARN) for the team.
list
A list of UpdateAction to perform when updating the team.
(string) --
Actions that can be taken when updating an approval team
SYNCHRONIZE_MFA_DEVICES: Synchronize MFA devices for all approvers on the team
dict
Response Syntax
{
'VersionId': 'string'
}
Response Structure
(dict) --
VersionId (string) --
Version ID for the team that was created. When an approval team is updated, the version ID changes.