Changes
Added ListSourceAssociations API. Allows RAM resource share owners to list source associations that determine which sources can access resources through service principal associations. Supports filtering by resource share ARN, source ID, source type, or status, with pagination.
Lists source associations for resource shares. Source associations control which sources can be used with service principals in resource shares. This operation provides visibility into source associations for resource share owners.
You can filter the results by resource share Amazon Resource Name (ARN), source ID, source type, or association status. We recommend using pagination to ensure that the operation returns quickly and successfully.
The Amazon Resource Names (ARNs) of the resource shares for which you want to retrieve source associations.
(string) --
type sourceId:
string
param sourceId:
The identifier of the source for which you want to retrieve associations. This can be an account ID, Amazon Resource Name (ARN), organization ID, or organization path.
type sourceType:
string
param sourceType:
The type of source for which you want to retrieve associations.
type associationStatus:
string
param associationStatus:
The status of the source associations that you want to retrieve.
type nextToken:
string
param nextToken:
The pagination token that indicates the next set of results to retrieve.
type maxResults:
integer
param maxResults:
The maximum number of results to return in a single call. To retrieve the remaining results, make another call with the returned nextToken value.
Accepts an invitation to a resource share from another Amazon Web Services account. After you accept the invitation, the resources included in the resource share are available to interact with in the relevant Amazon Web Services Management Consoles and tools.
Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value.
If you don't provide this value, then Amazon Web Services generates a random one for you.
If you retry the operation with the same ClientToken, but with different parameters, the retry fails with an IdempotentParameterMismatch error.
The idempotency identifier associated with this request. If you want to repeat the same operation in an idempotent manner then you must include this value in the clientToken request parameter of that later call. All other parameters must also have the same values that you used in the first call.
AssociateResourceShare (updated)
Changes (response)
Adds the specified list of principals, resources, and source constraints to a resource share. Principals that already have access to this resource share immediately receive access to the added resources. Newly added principals immediately receive access to the resources shared in this resource share.
Specifies the Amazon Resource Name (ARN) of the resource share that you want to add principals or resources to.
type resourceArns:
list
param resourceArns:
Specifies a list of Amazon Resource Names (ARNs) of the resources that you want to share. This can be null if you want to add only principals.
(string) --
type principals:
list
param principals:
Specifies a list of principals that you want to add to the resource share. This can be null if you want to add only resources.
What the principals can do with the resources in the share is determined by the RAM permissions that you associate with the resource share. See AssociateResourceSharePermission.
You can include the following values:
An Amazon Web Services account ID, for example: 123456789012
An Amazon Resource Name (ARN) of an organization in Organizations, for example: organizations::123456789012:organization/o-exampleorgid
An ARN of an organizational unit (OU) in Organizations, for example: organizations::123456789012:ou/o-exampleorgid/ou-examplerootid-exampleouid123
An ARN of an IAM role, for example: iam::123456789012:role/rolename
An ARN of an IAM user, for example: iam::123456789012:user/username
A service principal name, for example: service-id.amazonaws.com
(string) --
type clientToken:
string
param clientToken:
Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value.
If you don't provide this value, then Amazon Web Services generates a random one for you.
If you retry the operation with the same ClientToken, but with different parameters, the retry fails with an IdempotentParameterMismatch error.
type sources:
list
param sources:
Specifies source constraints (accounts, ARNs, organization IDs, or organization paths) that limit when service principals can access resources in this resource share. When a service principal attempts to access a shared resource, validation is performed to ensure the request originates from one of the specified sources. This helps prevent confused deputy attacks by applying constraints on where service principals can access resources from.
The ARN of an organizational unit (OU) in Organizations
The ARN of an IAM role
The ARN of an IAM user
associationType(string) --
The type of entity included in this association.
status(string) --
The current status of the association.
statusMessage(string) --
A message about the status of the association.
creationTime(datetime) --
The date and time when the association was created.
lastUpdatedTime(datetime) --
The date and time when the association was last updated.
external(boolean) --
Indicates whether the principal belongs to the same organization in Organizations as the Amazon Web Services account that owns the resource share.
clientToken(string) --
The idempotency identifier associated with this request. If you want to repeat the same operation in an idempotent manner then you must include this value in the clientToken request parameter of that later call. All other parameters must also have the same values that you used in the first call.
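The source constraints described above protect a share only if every share that has a service principal also has at least one source association, and the listing calls must be followed through nextToken to see them all. The following is an added example, not part of the AWS documentation: an offline audit sketch in Python that runs against a constructed stand-in client. Assumptions: the `FakeRam` class and its ARNs are constructed, the snake_case method names follow the boto3 convention, and the `sourceAssociations` response key and its `resourceShareArn` field are assumed because this page does not show the ListSourceAssociations response shape.

```python
# Added example: offline audit sketch. FakeRam stands in for a boto3 RAM client;
# all ARNs and pages are constructed. The ListSourceAssociations response key
# ("sourceAssociations") and its "resourceShareArn" field are assumptions.

def paginate(call, result_key, **params):
    """Follow nextToken until it is absent; a short or empty page is not the end."""
    token = None
    while True:
        kwargs = dict(params)
        if token:
            kwargs["nextToken"] = token
        page = call(**kwargs)
        yield from page.get(result_key, [])
        token = page.get("nextToken")
        if not token:
            return


def unconstrained_service_shares(ram):
    """Return ARNs of shares that have a service principal but no source association."""
    service_shares = set()
    for assoc in paginate(ram.get_resource_share_associations,
                          "resourceShareAssociations",
                          associationType="PRINCIPAL"):
        # Heuristic taken from the page's example: service-id.amazonaws.com
        if assoc["associatedEntity"].endswith(".amazonaws.com"):
            service_shares.add(assoc["resourceShareArn"])
    constrained = {
        src["resourceShareArn"]
        for src in paginate(ram.list_source_associations, "sourceAssociations")
    }
    return sorted(service_shares - constrained)


class FakeRam:
    """Constructed stand-in that serves canned pages keyed by nextToken."""
    SHARE_A = "arn:aws:ram:us-east-1:123456789012:resource-share/constructed-a"
    SHARE_B = "arn:aws:ram:us-east-1:123456789012:resource-share/constructed-b"

    def __init__(self):
        self.calls = 0

    def _serve(self, pages, nextToken=None, **_):
        self.calls += 1
        return pages[nextToken]

    def get_resource_share_associations(self, **kw):
        return self._serve({
            None: {"resourceShareAssociations": [
                {"resourceShareArn": self.SHARE_A, "associatedEntity": "service-id.amazonaws.com"},
                {"resourceShareArn": self.SHARE_A, "associatedEntity": "123456789012"}],
                "nextToken": "t1"},
            "t1": {"resourceShareAssociations": [], "nextToken": "t2"},  # empty page, more follows
            "t2": {"resourceShareAssociations": [
                {"resourceShareArn": self.SHARE_B, "associatedEntity": "service-id.amazonaws.com"}]},
        }, **kw)

    def list_source_associations(self, **kw):
        return self._serve({None: {"sourceAssociations": [
            {"resourceShareArn": self.SHARE_A, "sourceId": "123456789012"}]}}, **kw)
```

A loop that stopped at the empty second page would never see the second share, which is the one the audit reports.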
DisassociateResourceShare (updated)
Changes (response)
Specifies Amazon Resource Name (ARN) of the resource share that you want to remove resources or principals from.
type resourceArns:
list
param resourceArns:
Specifies a list of Amazon Resource Names (ARNs) for one or more resources that you want to remove from the resource share. After the operation runs, these resources are no longer shared with principals associated with the resource share.
(string) --
type principals:
list
param principals:
Specifies a list of one or more principals that are no longer to have access to the resources in this resource share.
You can include the following values:
An Amazon Web Services account ID, for example: 123456789012
An Amazon Resource Name (ARN) of an organization in Organizations, for example: organizations::123456789012:organization/o-exampleorgid
An ARN of an organizational unit (OU) in Organizations, for example: organizations::123456789012:ou/o-exampleorgid/ou-examplerootid-exampleouid123
An ARN of an IAM role, for example: iam::123456789012:role/rolename
An ARN of an IAM user, for example: iam::123456789012:user/username
A service principal name, for example: service-id.amazonaws.com
(string) --
type clientToken:
string
param clientToken:
Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value.
If you don't provide this value, then Amazon Web Services generates a random one for you.
If you retry the operation with the same ClientToken, but with different parameters, the retry fails with an IdempotentParameterMismatch error.
type sources:
list
param sources:
Specifies source constraints (accounts, ARNs, organization IDs, or organization paths) to remove from the resource share. This enables granular management of source constraints while maintaining service principal associations. At least one source must remain when service principals are present.
The ARN of an organizational unit (OU) in Organizations
The ARN of an IAM role
The ARN of an IAM user
associationType(string) --
The type of entity included in this association.
status(string) --
The current status of the association.
statusMessage(string) --
A message about the status of the association.
creationTime(datetime) --
The date and time when the association was created.
lastUpdatedTime(datetime) --
The date and time when the association was last updated.
external(boolean) --
Indicates whether the principal belongs to the same organization in Organizations as the Amazon Web Services account that owns the resource share.
clientToken(string) --
The idempotency identifier associated with this request. If you want to repeat the same operation in an idempotent manner then you must include this value in the clientToken request parameter of that later call. All other parameters must also have the same values that you used in the first call.
GetResourceShareAssociations (updated)
Changes (request, response)
Request
You cannot specify this parameter if the association type is PRINCIPAL.
type principal:
string
param principal:
Specifies the ID of the principal whose resource shares you want to retrieve. This can be an Amazon Web Services account ID, an organization ID, an organizational unit ID, or the Amazon Resource Name (ARN) of an individual IAM role or user.
You cannot specify this parameter if the association type is RESOURCE.
type associationStatus:
string
param associationStatus:
Specifies that you want to retrieve only associations that have this status.
type nextToken:
string
param nextToken:
Specifies that you want to receive the next page of results. Valid only if you received a NextToken response in the previous request. If you did, it indicates that more output is available. Set this parameter to the value provided by the previous call's NextToken response to request the next page of results.
type maxResults:
integer
param maxResults:
Specifies the total number of results that you want included on each page of the response. If you do not include this parameter, it defaults to a value that is specific to the operation. If additional items exist beyond the number you specify, the NextToken response element is returned with a value (not null). Include the specified value as the NextToken request parameter in the next call to the operation to get the next part of the results. Note that the service might return fewer results than the maximum even when there are more results available. You should check NextToken after every operation to ensure that you receive all of the results.
The ARN of an organizational unit (OU) in Organizations
The ARN of an IAM role
The ARN of an IAM user
associationType(string) --
The type of entity included in this association.
status(string) --
The current status of the association.
statusMessage(string) --
A message about the status of the association.
creationTime(datetime) --
The date and time when the association was created.
lastUpdatedTime(datetime) --
The date and time when the association was last updated.
external(boolean) --
Indicates whether the principal belongs to the same organization in Organizations as the Amazon Web Services account that owns the resource share.
nextToken(string) --
If present, this value indicates that more output is available than is included in the current response. Use this value in the NextToken request parameter in a subsequent call to the operation to get the next part of the output. You should repeat this until the NextToken response element comes back as null. This indicates that this is the last page of results.
GetResourceShareInvitations (updated)
Changes (response)
Specifies that you want details about invitations only for the resource shares described by this list of Amazon Resource Names (ARNs).
(string) --
type nextToken:
string
param nextToken:
Specifies that you want to receive the next page of results. Valid only if you received a NextToken response in the previous request. If you did, it indicates that more output is available. Set this parameter to the value provided by the previous call's NextToken response to request the next page of results.
type maxResults:
integer
param maxResults:
Specifies the total number of results that you want included on each page of the response. If you do not include this parameter, it defaults to a value that is specific to the operation. If additional items exist beyond the number you specify, the NextToken response element is returned with a value (not null). Include the specified value as the NextToken request parameter in the next call to the operation to get the next part of the results. Note that the service might return fewer results than the maximum even when there are more results available. You should check NextToken after every operation to ensure that you receive all of the results.
If present, this value indicates that more output is available than is included in the current response. Use this value in the NextToken request parameter in a subsequent call to the operation to get the next part of the output. You should repeat this until the NextToken response element comes back as null. This indicates that this is the last page of results.
ListPermissionAssociations (updated)
Changes (request)
Lists information about the managed permission and its associations to any resource shares that use this managed permission. This lets you see which resource shares use which versions of the specified managed permission.
Specifies that you want to list only those associations with resource shares that use this version of the managed permission. If you don't provide a value for this parameter, then the operation returns information about associations with resource shares that use any version of the managed permission.
type associationStatus:
string
param associationStatus:
Specifies that you want to list only those associations with resource shares that match this status.
type resourceType:
string
param resourceType:
Specifies that you want to list only those associations with resource shares that include at least one resource of this resource type.
type featureSet:
string
param featureSet:
Specifies that you want to list only those associations with resource shares that have a featureSet with this value.
type defaultVersion:
boolean
param defaultVersion:
When true, specifies that you want to list only those associations with resource shares that use the default version of the specified managed permission.
When false (the default value), lists associations with resource shares that use any version of the specified managed permission.
type nextToken:
string
param nextToken:
Specifies that you want to receive the next page of results. Valid only if you received a NextToken response in the previous request. If you did, it indicates that more output is available. Set this parameter to the value provided by the previous call's NextToken response to request the next page of results.
type maxResults:
integer
param maxResults:
Specifies the total number of results that you want included on each page of the response. If you do not include this parameter, it defaults to a value that is specific to the operation. If additional items exist beyond the number you specify, the NextToken response element is returned with a value (not null). Include the specified value as the NextToken request parameter in the next call to the operation to get the next part of the results. Note that the service might return fewer results than the maximum even when there are more results available. You should check NextToken after every operation to ensure that you receive all of the results.
The version of the permission currently associated with the resource share.
defaultVersion(boolean) --
Indicates whether the associated resource share is using the default version of the permission.
resourceType(string) --
The resource type to which this permission applies.
status(string) --
The current status of the association between the permission and the resource share. The following are the possible values:
ATTACHABLE – This permission or version can be associated with resource shares.
UNATTACHABLE – This permission or version can't currently be associated with resource shares.
DELETING – This permission or version is in the process of being deleted.
DELETED – This permission or version is deleted.
featureSet(string) --
Indicates what features are available for this resource share. This parameter can have one of the following values:
STANDARD – A resource share that supports all functionality. These resource shares are visible to all principals you share the resource share with. You can modify these resource shares in RAM using the console or APIs. This resource share might have been created by RAM, or it might have been CREATED_FROM_POLICY and then promoted.
CREATED_FROM_POLICY – The customer manually shared a resource by attaching a resource-based policy. That policy did not match any existing managed permissions, so RAM created this customer managed permission automatically on the customer's behalf based on the attached policy document. This type of resource share is visible only to the Amazon Web Services account that created it. You can't modify it in RAM unless you promote it. For more information, see PromoteResourceShareCreatedFromPolicy.
PROMOTING_TO_STANDARD – This resource share was originally CREATED_FROM_POLICY, but the customer ran the PromoteResourceShareCreatedFromPolicy operation, and that operation is still in progress. This value changes to STANDARD when complete.
lastUpdatedTime(datetime) --
The date and time when the association between the permission and the resource share was last updated.
If present, this value indicates that more output is available than is included in the current response. Use this value in the NextToken request parameter in a subsequent call to the operation to get the next part of the output. You should repeat this until the NextToken response element comes back as null. This indicates that this is the last page of results.
RejectResourceShareInvitation (updated)
Changes (response)
Specifies a unique, case-sensitive identifier that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value.
If you don't provide this value, then Amazon Web Services generates a random one for you.
If you retry the operation with the same ClientToken, but with different parameters, the retry fails with an IdempotentParameterMismatch error.
The idempotency identifier associated with this request. If you want to repeat the same operation in an idempotent manner then you must include this value in the clientToken request parameter of that later call. All other parameters must also have the same values that you used in the first call.