Package {paws.security.identity}

Optional configuration of credentials, endpoint, and/or region.

• credentials:

  • creds:

    • access_key_id: AWS access key ID

    • secret_access_key: AWS secret access key

    • session_token: AWS temporary session token

  • profile: The name of a profile to use. If not given, then the default profile is used.

  • anonymous: Set anonymous credentials.

• endpoint: The complete URL to use for the constructed client.

• region: The AWS Region used in instantiating the client.

• close_connection: Immediately close all HTTP connections.

• timeout: The time in seconds till a timeout exception is thrown when attempting to make a connection. The default is 60 seconds.

• s3_force_path_style: Set this to true to force the request to use path-style addressing, i.e. ⁠http://s3.amazonaws.com/BUCKET/KEY⁠.

• sts_regional_endpoint: Set sts regional endpoint resolver to regional or legacy https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html

Optional credentials shorthand for the config parameter

• creds:

  • access_key_id: AWS access key ID

  • secret_access_key: AWS secret access key

  • session_token: AWS temporary session token

• profile: The name of a profile to use. If not given, then the default profile is used.

• anonymous: Set anonymous credentials.

Optional shorthand for complete URL to use for the constructed client.

Optional shorthand for AWS Region used in instantiating the client.

[required] The Amazon resource name (ARN) of the analyzer.

[required] The name of the rule to apply.

A client token.

[required] The JobId that is returned by the start_policy_generation operation. The JobId can be used with get_generated_policy to retrieve the generated policies or used with cancel_policy_generation to cancel the policy generation request.

[required] The JSON policy document to use as the content for the policy.

[required] An access object containing the permissions that shouldn't be granted by the specified policy. If only actions are specified, IAM Access Analyzer checks for access to peform at least one of the actions on any resource in the policy. If only resources are specified, then IAM Access Analyzer checks for access to perform any action on at least one of the resources. If both actions and resources are specified, IAM Access Analyzer checks for access to perform at least one of the specified actions on at least one of the specified resources.

[required] The type of policy. Identity policies grant permissions to IAM principals. Identity policies include managed and inline policies for IAM roles, users, and groups.

Resource policies grant permissions on Amazon Web Services resources. Resource policies include trust policies for IAM roles and bucket policies for Amazon S3 buckets.

[required] The JSON policy document to use as the content for the updated policy.

[required] The JSON policy document to use as the content for the existing policy.

[required] The type of policy to compare. Identity policies grant permissions to IAM principals. Identity policies include managed and inline policies for IAM roles, users, and groups.

Resource policies grant permissions on Amazon Web Services resources. Resource policies include trust policies for IAM roles and bucket policies for Amazon S3 buckets. You can provide a generic input such as identity policy or resource policy or a specific input such as managed policy or Amazon S3 bucket policy.

[required] The JSON policy document to evaluate for public access.

[required] The type of resource to evaluate for public access. For example, to check for public access to Amazon S3 buckets, you can choose ⁠AWS::S3::Bucket⁠ for the resource type.

For resource types not supported as valid values, IAM Access Analyzer will return an error.

[required] The ARN of the account analyzer used to generate the access preview. You can only create an access preview for analyzers with an Account type and Active status.

[required] Access control configuration for your resource that is used to generate the access preview. The access preview includes findings for external access allowed to the resource with the proposed access control configuration. The configuration must contain exactly one element.

A client token.

[required] The name of the analyzer to create.

[required] The type of analyzer to create. You can create only one analyzer per account per Region. You can create up to 5 analyzers per organization per Region.

Specifies the archive rules to add for the analyzer. Archive rules automatically archive findings that meet the criteria you define for the rule.

An array of key-value pairs to apply to the analyzer. You can use the set of Unicode letters, digits, whitespace, ⁠_⁠, ., /, =, +, and -.

For the tag key, you can specify a value that is 1 to 128 characters in length and cannot be prefixed with ⁠aws:⁠.

For the tag value, you can specify a value that is 0 to 256 characters in length.

A client token.

Specifies the configuration of the analyzer. If the analyzer is an unused access analyzer, the specified scope of unused access is used for the configuration. If the analyzer is an internal access analyzer, the specified internal access analysis rules are used for the configuration.

[required] The name of the created analyzer.

[required] The name of the rule to create.

[required] The criteria for the rule.

A client token.

[required] The type of analyzer to create. Valid values are ACCOUNT_UNUSED_ACCESS and ORGANIZATION_UNUSED_ACCESS.

Specifies the archive rules to add for the analyzer. Archive rules automatically archive findings that meet the criteria you define for the rule.

A client token.

Specifies the configuration of the analyzer. The specified scope of unused access is used for the configuration.

[required] The name of the analyzer to delete.

A client token.

[required] The name of the analyzer that associated with the archive rule to delete.

[required] The name of the rule to delete.

A client token.

[required] The name of the service-linked analyzer to delete. Service-linked analyzer names follow the format ⁠_AccessAnalyzerFor{ServiceName}-{Id}⁠.

A client token.

[required] The ARN of the analyzer used to generate the finding recommendation.

[required] The unique ID for the finding recommendation.

[required] The unique ID for the access preview.

[required] The ARN of the analyzer used to generate the access preview.

[required] The ARN of the analyzer to retrieve information from.

[required] The ARN of the resource to retrieve information about.

[required] The name of the analyzer retrieved.

[required] The name of the analyzer to retrieve rules from.

[required] The name of the rule to retrieve.

[required] The ARN of the analyzer that generated the finding.

[required] The ID of the finding to retrieve.

[required] The ARN of the analyzer used to generate the finding recommendation.

[required] The unique ID for the finding recommendation.

The maximum number of results to return in the response.

A token used for pagination of results returned.

[required] The ARN of the analyzer that generated the finding.

[required] The ID of the finding to retrieve.

The maximum number of results to return in the response.

A token used for pagination of results returned.

[required] The ARN of the analyzer used to generate the statistics.

[required] The JobId that is returned by the start_policy_generation operation. The JobId can be used with get_generated_policy to retrieve the generated policies or used with cancel_policy_generation to cancel the policy generation request.

The level of detail that you want to generate. You can specify whether to generate policies with placeholders for resource ARNs for actions that support resource level granularity in policies.

For example, in the resource section of a policy, you can receive a placeholder such as "Resource":"arn:aws:s3:::${BucketName}" instead of "*".

The level of detail that you want to generate. You can specify whether to generate service-level policies.

IAM Access Analyzer uses iam:servicelastaccessed to identify services that have been used recently to create this service-level template.

[required] The unique ID for the access preview.

[required] The ARN of the analyzer used to generate the access.

Criteria to filter the returned findings.

A token used for pagination of results returned.

The maximum number of results to return in the response.

[required] The ARN of the analyzer used to generate the access preview.

A token used for pagination of results returned.

The maximum number of results to return in the response.

[required] The ARN of the analyzer to retrieve a list of analyzed resources from.

The type of resource.

A token used for pagination of results returned.

The maximum number of results to return in the response.

A token used for pagination of results returned.

The maximum number of results to return in the response.

The type of analyzer.

[required] The name of the analyzer to retrieve rules from.

A token used for pagination of results returned.

The maximum number of results to return in the request.

[required] The ARN of the analyzer to retrieve findings from.

A filter to match for the findings to return.

The sort order for the findings returned.

A token used for pagination of results returned.

The maximum number of results to return in the response.

[required] The ARN of the analyzer to retrieve findings from.

A filter to match for the findings to return.

The maximum number of results to return in the response.

A token used for pagination of results returned.

The criteria used to sort.

The ARN of the IAM entity (user or role) for which you are generating a policy. Use this with ListGeneratedPolicies to filter the results to only include results for a specific principal.

The maximum number of results to return in the response.

A token used for pagination of results returned.

[required] The ARN of the resource to retrieve tags from.

[required] Contains the ARN of the IAM entity (user or role) for which you are generating a policy.

A CloudTrailDetails object that contains details about a Trail that you want to analyze to generate policies.

A unique, case-sensitive identifier that you provide to ensure the idempotency of the request. Idempotency ensures that an API request completes only once. With an idempotent request, if the original request completes successfully, the subsequent retries with the same client token return the result from the original successful request and they have no additional effect.

If you do not specify a client token, one is automatically generated by the Amazon Web Services SDK.

[required] The ARN of the analyzer to use to scan the policies applied to the specified resource.

[required] The ARN of the resource to scan.

The Amazon Web Services account ID that owns the resource. For most Amazon Web Services resources, the owning account is the account in which the resource was created.

[required] The ARN of the resource to add the tag to.

[required] The tags to add to the resource.

[required] The ARN of the resource to remove the tag from.

[required] The key for the tag to add.

[required] The name of the analyzer to modify.

Contains information about the configuration of an analyzer for an Amazon Web Services organization or account.

[required] The name of the analyzer to update the archive rules for.

[required] The name of the rule to update.

[required] A filter to match for the rules to update. Only rules that match the filter are updated.

A client token.

[required] The ARN of the analyzer that generated the findings to update.

[required] The state represents the action to take to update the finding Status. Use ARCHIVE to change an Active finding to an Archived finding. Use ACTIVE to change an Archived finding to an Active finding.

The IDs of the findings to update.

The ARN of the resource identified in the finding.

A client token.

The locale to use for localizing the findings.

The maximum number of results to return in the response.

A token used for pagination of results returned.

[required] The JSON policy document to use as the content for the policy.

[required] The type of policy to validate. Identity policies grant permissions to IAM principals. Identity policies include managed and inline policies for IAM roles, users, and groups.

Resource policies grant permissions on Amazon Web Services resources. Resource policies include trust policies for IAM roles and bucket policies for Amazon S3 buckets. You can provide a generic input such as identity policy or resource policy or a specific input such as managed policy or Amazon S3 bucket policy.

Service control policies (SCPs) are a type of organization policy attached to an Amazon Web Services organization, organizational unit (OU), or an account.

The type of resource to attach to your resource policy. Specify a value for the policy validation resource type only if the policy type is RESOURCE_POLICY. For example, to validate a resource policy to attach to an Amazon S3 bucket, you can choose ⁠AWS::S3::Bucket⁠ for the policy validation resource type.

For resource types not supported as valid values, IAM Access Analyzer runs policy checks that apply to all resource policies. For example, to validate a resource policy to attach to a KMS key, do not specify a value for the policy validation resource type and IAM Access Analyzer will run policy checks that apply to all resource policies.

Optional configuration of credentials, endpoint, and/or region.

• credentials:

  • creds:

    • access_key_id: AWS access key ID

    • secret_access_key: AWS secret access key

    • session_token: AWS temporary session token

  • profile: The name of a profile to use. If not given, then the default profile is used.

  • anonymous: Set anonymous credentials.

• endpoint: The complete URL to use for the constructed client.

• region: The AWS Region used in instantiating the client.

• close_connection: Immediately close all HTTP connections.

• timeout: The time in seconds till a timeout exception is thrown when attempting to make a connection. The default is 60 seconds.

• s3_force_path_style: Set this to true to force the request to use path-style addressing, i.e. ⁠http://s3.amazonaws.com/BUCKET/KEY⁠.

• sts_regional_endpoint: Set sts regional endpoint resolver to regional or legacy https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html

Optional credentials shorthand for the config parameter

• creds:

  • access_key_id: AWS access key ID

  • secret_access_key: AWS secret access key

  • session_token: AWS temporary session token

• profile: The name of a profile to use. If not given, then the default profile is used.

• anonymous: Set anonymous credentials.

Optional shorthand for complete URL to use for the constructed client.

Optional shorthand for AWS Region used in instantiating the client.

[required] Specifies the 12-digit account ID number of the Amazon Web Services account that you want to access or modify with this operation. To use this parameter, the caller must be an identity in the organization's management account or a delegated administrator account. The specified account ID must be a member account in the same organization. The organization must have all features enabled, and the organization must have trusted access enabled for the Account Management service, and optionally a delegated admin account assigned.

This operation can only be called from the management account or the delegated administrator account of an organization for a member account.

The management account can't specify its own AccountId.

[required] The new primary email address for use with the specified account. This must match the PrimaryEmail from the start_primary_email_update API call.

[required] The OTP code sent to the PrimaryEmail specified on the start_primary_email_update API call.

[required] Specifies which of the alternate contacts to delete.

Specifies the 12 digit account ID number of the Amazon Web Services account that you want to access or modify with this operation.

If you do not specify this parameter, it defaults to the Amazon Web Services account of the identity used to call the operation.

To use this parameter, the caller must be an identity in the organization's management account or a delegated administrator account, and the specified account ID must be a member account in the same organization. The organization must have all features enabled, and the organization must have trusted access enabled for the Account Management service, and optionally a delegated administrator account assigned.

The management account can't specify its own AccountId; it must call the operation in standalone context by not including the AccountId parameter.

To call this operation on an account that is not a member of an organization, then don't specify this parameter, and call the operation using an identity belonging to the account whose contacts you wish to retrieve or modify.

Specifies the 12-digit account ID number of the Amazon Web Services account that you want to access or modify with this operation. If you don't specify this parameter, it defaults to the Amazon Web Services account of the identity used to call the operation. To use this parameter, the caller must be an identity in the organization's management account or a delegated administrator account. The specified account ID must be a member account in the same organization. The organization must have all features enabled, and the organization must have trusted access enabled for the Account Management service, and optionally a delegated admin account assigned.

The management account can't specify its own AccountId. It must call the operation in standalone context by not including the AccountId parameter.

To call this operation on an account that is not a member of an organization, don't specify this parameter. Instead, call the operation using an identity belonging to the account whose contacts you wish to retrieve or modify.

[required] Specifies the Region-code for a given Region name (for example, af-south-1). When you disable a Region, Amazon Web Services performs actions to deactivate that Region in your account, such as destroying IAM resources in the Region. This process takes a few minutes for most accounts, but this can take several hours. You cannot enable the Region until the disabling process is fully completed.

Specifies the 12-digit account ID number of the Amazon Web Services account that you want to access or modify with this operation. If you don't specify this parameter, it defaults to the Amazon Web Services account of the identity used to call the operation. To use this parameter, the caller must be an identity in the organization's management account or a delegated administrator account. The specified account ID must be a member account in the same organization. The organization must have all features enabled, and the organization must have trusted access enabled for the Account Management service, and optionally a delegated admin account assigned.

The management account can't specify its own AccountId. It must call the operation in standalone context by not including the AccountId parameter.

To call this operation on an account that is not a member of an organization, don't specify this parameter. Instead, call the operation using an identity belonging to the account whose contacts you wish to retrieve or modify.

[required] Specifies the Region-code for a given Region name (for example, af-south-1). When you enable a Region, Amazon Web Services performs actions to prepare your account in that Region, such as distributing your IAM resources to the Region. This process takes a few minutes for most accounts, but it can take several hours. You cannot use the Region until this process is complete. Furthermore, you cannot disable the Region until the enabling process is fully completed.

Specifies the 12 digit account ID number of the Amazon Web Services account that you want to access or modify with this operation.

If you do not specify this parameter, it defaults to the Amazon Web Services account of the identity used to call the operation.

To use this parameter, the caller must be an identity in the organization's management account or a delegated administrator account, and the specified account ID must be a member account in the same organization. The organization must have all features enabled, and the organization must have trusted access enabled for the Account Management service, and optionally a delegated administrator account assigned.

The management account can't specify its own AccountId; it must call the operation in standalone context by not including the AccountId parameter.

To call this operation on an account that is not a member of an organization, then don't specify this parameter, and call the operation using an identity belonging to the account whose contacts you wish to retrieve or modify.

[required] Specifies which alternate contact you want to retrieve.

Specifies the 12 digit account ID number of the Amazon Web Services account that you want to access or modify with this operation.

If you do not specify this parameter, it defaults to the Amazon Web Services account of the identity used to call the operation.

To use this parameter, the caller must be an identity in the organization's management account or a delegated administrator account, and the specified account ID must be a member account in the same organization. The organization must have all features enabled, and the organization must have trusted access enabled for the Account Management service, and optionally a delegated administrator account assigned.

The management account can't specify its own AccountId; it must call the operation in standalone context by not including the AccountId parameter.

To call this operation on an account that is not a member of an organization, then don't specify this parameter, and call the operation using an identity belonging to the account whose contacts you wish to retrieve or modify.

Specifies the 12-digit account ID number of the Amazon Web Services account that you want to access or modify with this operation. If you don't specify this parameter, it defaults to the Amazon Web Services account of the identity used to call the operation. To use this parameter, the caller must be an identity in the organization's management account or a delegated administrator account. The specified account ID must be a member account in the same organization. The organization must have all features enabled, and the organization must have trusted access enabled for the Account Management service, and optionally a delegated admin account assigned.

The management account can't specify its own AccountId. It must call the operation in standalone context by not including the AccountId parameter.

To call this operation on an account that is not a member of an organization, don't specify this parameter. Instead, call the operation using an identity belonging to the account whose contacts you wish to retrieve or modify.

Specifies the 12 digit account ID number of the Amazon Web Services account that you want to access or modify with this operation.

If you do not specify this parameter, it defaults to the Amazon Web Services account of the identity used to call the operation.

To use this parameter, the caller must be an identity in the organization's management account or a delegated administrator account, and the specified account ID must be a member account in the same organization. The organization must have all features enabled, and the organization must have trusted access enabled for the Account Management service, and optionally a delegated administrator account assigned.

The management account can't specify its own AccountId; it must call the operation in standalone context by not including the AccountId parameter.

To call this operation on an account that is not a member of an organization, then don't specify this parameter, and call the operation using an identity belonging to the account whose contacts you wish to retrieve or modify.

[required] Specifies the 12-digit account ID number of the Amazon Web Services account that you want to access or modify with this operation. To use this parameter, the caller must be an identity in the organization's management account or a delegated administrator account. The specified account ID must be a member account in the same organization. The organization must have all features enabled, and the organization must have trusted access enabled for the Account Management service, and optionally a delegated admin account assigned.

This operation can only be called from the management account or the delegated administrator account of an organization for a member account.

The management account can't specify its own AccountId.

Specifies the 12-digit account ID number of the Amazon Web Services account that you want to access or modify with this operation. If you don't specify this parameter, it defaults to the Amazon Web Services account of the identity used to call the operation. To use this parameter, the caller must be an identity in the organization's management account or a delegated administrator account. The specified account ID must be a member account in the same organization. The organization must have all features enabled, and the organization must have trusted access enabled for the Account Management service, and optionally a delegated admin account assigned.

The management account can't specify its own AccountId. It must call the operation in standalone context by not including the AccountId parameter.

To call this operation on an account that is not a member of an organization, don't specify this parameter. Instead, call the operation using an identity belonging to the account whose contacts you wish to retrieve or modify.

[required] Specifies the Region-code for a given Region name (for example, af-south-1). This function will return the status of whatever Region you pass into this parameter.

Specifies the 12-digit account ID number of the Amazon Web Services account that you want to access or modify with this operation. If you don't specify this parameter, it defaults to the Amazon Web Services account of the identity used to call the operation. To use this parameter, the caller must be an identity in the organization's management account or a delegated administrator account. The specified account ID must be a member account in the same organization. The organization must have all features enabled, and the organization must have trusted access enabled for the Account Management service, and optionally a delegated admin account assigned.

The management account can't specify its own AccountId. It must call the operation in standalone context by not including the AccountId parameter.

To call this operation on an account that is not a member of an organization, don't specify this parameter. Instead, call the operation using an identity belonging to the account whose contacts you wish to retrieve or modify.

The total number of items to return in the command’s output. If the total number of items available is more than the value specified, a NextToken is provided in the command’s output. To resume pagination, provide the NextToken value in the starting-token argument of a subsequent command. Do not use the NextToken response element directly outside of the Amazon Web Services CLI. For usage examples, see Pagination in the Amazon Web Services Command Line Interface User Guide.

A token used to specify where to start paginating. This is the NextToken from a previously truncated response. For usage examples, see Pagination in the Amazon Web Services Command Line Interface User Guide.

A list of Region statuses (Enabling, Enabled, Disabling, Disabled, Enabled_by_default) to use to filter the list of Regions for a given account. For example, passing in a value of ENABLING will only return a list of Regions with a Region status of ENABLING.

[required] The name of the account.

Specifies the 12 digit account ID number of the Amazon Web Services account that you want to access or modify with this operation.

If you do not specify this parameter, it defaults to the Amazon Web Services account of the identity used to call the operation.

To use this parameter, the caller must be an identity in the organization's management account or a delegated administrator account, and the specified account ID must be a member account in the same organization. The organization must have all features enabled, and the organization must have trusted access enabled for the Account Management service, and optionally a delegated administrator account assigned.

The management account can't specify its own AccountId; it must call the operation in standalone context by not including the AccountId parameter.

To call this operation on an account that is not a member of an organization, then don't specify this parameter, and call the operation using an identity belonging to the account whose contacts you wish to retrieve or modify.

[required] Specifies a name for the alternate contact.

[required] Specifies a title for the alternate contact.

[required] Specifies an email address for the alternate contact.

[required] Specifies a phone number for the alternate contact.

[required] Specifies which alternate contact you want to create or update.

Specifies the 12 digit account ID number of the Amazon Web Services account that you want to access or modify with this operation.

If you do not specify this parameter, it defaults to the Amazon Web Services account of the identity used to call the operation.

To use this parameter, the caller must be an identity in the organization's management account or a delegated administrator account, and the specified account ID must be a member account in the same organization. The organization must have all features enabled, and the organization must have trusted access enabled for the Account Management service, and optionally a delegated administrator account assigned.

The management account can't specify its own AccountId; it must call the operation in standalone context by not including the AccountId parameter.

To call this operation on an account that is not a member of an organization, then don't specify this parameter, and call the operation using an identity belonging to the account whose contacts you wish to retrieve or modify.

[required] Contains the details of the primary contact information associated with an Amazon Web Services account.

Specifies the 12-digit account ID number of the Amazon Web Services account that you want to access or modify with this operation. If you don't specify this parameter, it defaults to the Amazon Web Services account of the identity used to call the operation. To use this parameter, the caller must be an identity in the organization's management account or a delegated administrator account. The specified account ID must be a member account in the same organization. The organization must have all features enabled, and the organization must have trusted access enabled for the Account Management service, and optionally a delegated administrator account assigned.

The management account can't specify its own AccountId. It must call the operation in standalone context by not including the AccountId parameter.

To call this operation on an account that is not a member of an organization, don't specify this parameter. Instead, call the operation using an identity belonging to the account whose contacts you wish to retrieve or modify.

[required] Specifies the 12-digit account ID number of the Amazon Web Services account that you want to access or modify with this operation. To use this parameter, the caller must be an identity in the organization's management account or a delegated administrator account. The specified account ID must be a member account in the same organization. The organization must have all features enabled, and the organization must have trusted access enabled for the Account Management service, and optionally a delegated admin account assigned.

This operation can only be called from the management account or the delegated administrator account of an organization for a member account.

The management account can't specify its own AccountId.

[required] The new primary email address (also known as the root user email address) to use in the specified account.

Optional configuration of credentials, endpoint, and/or region.

• credentials:

  • creds:

    • access_key_id: AWS access key ID

    • secret_access_key: AWS secret access key

    • session_token: AWS temporary session token

  • profile: The name of a profile to use. If not given, then the default profile is used.

  • anonymous: Set anonymous credentials.

• endpoint: The complete URL to use for the constructed client.

• region: The AWS Region used in instantiating the client.

• close_connection: Immediately close all HTTP connections.

• timeout: The time in seconds till a timeout exception is thrown when attempting to make a connection. The default is 60 seconds.

• s3_force_path_style: Set this to true to force the request to use path-style addressing, i.e. ⁠http://s3.amazonaws.com/BUCKET/KEY⁠.

• sts_regional_endpoint: Set sts regional endpoint resolver to regional or legacy https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html

Optional credentials shorthand for the config parameter

• creds:

  • access_key_id: AWS access key ID

  • secret_access_key: AWS secret access key

  • session_token: AWS temporary session token

• profile: The name of a profile to use. If not given, then the default profile is used.

• anonymous: Set anonymous credentials.

Optional shorthand for complete URL to use for the constructed client.

Optional shorthand for AWS Region used in instantiating the client.

[required] String that contains the ARN of the ACM certificate to which the tag is to be applied. This must be of the form:

arn:aws:acm:region:123456789012:certificate/12345678-1234-1234-1234-123456789012

For more information about ARNs, see Amazon Resource Names (ARNs).

[required] The key-value pair that defines the tag. The tag value is optional.

[required] String that contains the ARN of the ACM certificate to be deleted. This must be of the form:

arn:aws:acm:region:123456789012:certificate/12345678-1234-1234-1234-123456789012

For more information about ARNs, see Amazon Resource Names (ARNs).

[required] The Amazon Resource Name (ARN) of the ACM certificate. The ARN must have the following form:

arn:aws:acm:region:123456789012:certificate/12345678-1234-1234-1234-123456789012

For more information about ARNs, see Amazon Resource Names (ARNs).

[required] An Amazon Resource Name (ARN) of the issued certificate. This must be of the form:

arn:aws:acm:region:account:certificate/12345678-1234-1234-1234-123456789012

[required] Passphrase to associate with the encrypted exported private key.

When creating your passphrase, you can use any ASCII character except #, $, or %.

If you want to later decrypt the private key, you must have the passphrase. You can use the following OpenSSL command to decrypt a private key. After entering the command, you are prompted for the passphrase.

⁠openssl rsa -in encrypted_key.pem -out decrypted_key.pem⁠

[required] String that contains a certificate ARN in the following format:

arn:aws:acm:region:123456789012:certificate/12345678-1234-1234-1234-123456789012

For more information about ARNs, see Amazon Resource Names (ARNs).

The Amazon Resource Name (ARN) of an imported certificate to replace. To import a new certificate, omit this field.

[required] The certificate to import.

[required] The private key that matches the public key in the certificate.

The PEM encoded certificate chain.

One or more resource tags to associate with the imported certificate.

Note: You cannot apply tags when reimporting a certificate.

Filter the certificate list by status value.

Filter the certificate list. For more information, see the Filters structure.

Use this parameter only when paginating results and only in a subsequent request after you receive a response with truncated results. Set it to the value of NextToken from the response you just received.

Use this parameter when paginating results to specify the maximum number of items to return in the response. If additional items exist beyond the number you specify, the NextToken element is sent in the response. Use this NextToken value in a subsequent request to retrieve additional items.

Specifies the field to sort results by. If you specify SortBy, you must also specify SortOrder.

Specifies the order of sorted results. If you specify SortOrder, you must also specify SortBy.

[required] String that contains the ARN of the ACM certificate for which you want to list the tags. This must have the following form:

arn:aws:acm:region:123456789012:certificate/12345678-1234-1234-1234-123456789012

For more information about ARNs, see Amazon Resource Names (ARNs).

Specifies expiration events associated with an account.

[required] Customer-chosen string used to distinguish between calls to put_account_configuration. Idempotency tokens time out after one hour. If you call put_account_configuration multiple times with the same unexpired idempotency token, ACM treats it as the same request and returns the original result. If you change the idempotency token for each call, ACM treats each call as a new request.

[required] String that contains the ARN of the ACM Certificate with one or more tags that you want to remove. This must be of the form:

arn:aws:acm:region:123456789012:certificate/12345678-1234-1234-1234-123456789012

For more information about ARNs, see Amazon Resource Names (ARNs).

[required] The key-value pair that defines the tag to remove.

[required] String that contains the ARN of the ACM certificate to be renewed. This must be of the form:

arn:aws:acm:region:123456789012:certificate/12345678-1234-1234-1234-123456789012

For more information about ARNs, see Amazon Resource Names (ARNs).

[required] Fully qualified domain name (FQDN), such as www.example.com, that you want to secure with an ACM certificate. Use an asterisk (*) to create a wildcard certificate that protects several sites in the same domain. For example, *.example.com protects www.example.com, site.example.com, and images.example.com.

In compliance with RFC 5280, the length of the domain name (technically, the Common Name) that you provide cannot exceed 64 octets (characters), including periods. To add a longer domain name, specify it in the Subject Alternative Name field, which supports names up to 253 octets in length.

The method you want to use if you are requesting a public certificate to validate that you own or control domain. You can validate with DNS or validate with email. We recommend that you use DNS validation.

Additional FQDNs to be included in the Subject Alternative Name extension of the ACM certificate. For example, add the name www.example.net to a certificate for which the DomainName field is www.example.com if users can reach your site by using either name. The maximum number of domain names that you can add to an ACM certificate is 100. However, the initial quota is 10 domain names. If you need more than 10 names, you must request a quota increase. For more information, see Quotas.

The maximum length of a SAN DNS name is 253 octets. The name is made up of multiple labels separated by periods. No label can be longer than 63 octets. Consider the following examples:

• ⁠(63 octets).(63 octets).(63 octets).(61 octets)⁠ is legal because the total length is 253 octets (63+1+63+1+63+1+61) and no label exceeds 63 octets.

• ⁠(64 octets).(63 octets).(63 octets).(61 octets)⁠ is not legal because the total length exceeds 253 octets (64+1+63+1+63+1+61) and the first label exceeds 63 octets.

• ⁠(63 octets).(63 octets).(63 octets).(62 octets)⁠ is not legal because the total length of the DNS name (63+1+63+1+63+1+62) exceeds 253 octets.

Customer chosen string that can be used to distinguish between calls to request_certificate. Idempotency tokens time out after one hour. Therefore, if you call request_certificate multiple times with the same idempotency token within one hour, ACM recognizes that you are requesting only one certificate and will issue only one. If you change the idempotency token for each call, ACM recognizes that you are requesting multiple certificates.

The domain name that you want ACM to use to send you emails so that you can validate domain ownership.

You can use this parameter to specify whether to add the certificate to a certificate transparency log and export your certificate.

Certificate transparency makes it possible to detect SSL/TLS certificates that have been mistakenly or maliciously issued. Certificates that have not been logged typically produce an error message in a browser. For more information, see Opting Out of Certificate Transparency Logging.

You can export public ACM certificates to use with Amazon Web Services services as well as outside the Amazon Web Services Cloud. For more information, see Certificate Manager exportable public certificate.

The Amazon Resource Name (ARN) of the private certificate authority (CA) that will be used to issue the certificate. If you do not provide an ARN and you are trying to request a private certificate, ACM will attempt to issue a public certificate. For more information about private CAs, see the Amazon Web Services Private Certificate Authority user guide. The ARN must have the following form:

arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012

One or more resource tags to associate with the certificate.

Specifies the algorithm of the public and private key pair that your certificate uses to encrypt data. RSA is the default key algorithm for ACM certificates. Elliptic Curve Digital Signature Algorithm (ECDSA) keys are smaller, offering security comparable to RSA keys but with greater computing efficiency. However, ECDSA is not supported by all network clients. Some Amazon Web Services services may require RSA keys, or only support ECDSA keys of a particular size, while others allow the use of either RSA and ECDSA keys to ensure that compatibility is not broken. Check the requirements for the Amazon Web Services service where you plan to deploy your certificate. For more information about selecting an algorithm, see Key algorithms.

Algorithms supported for an ACM certificate request include:

• RSA_2048

• EC_prime256v1

• EC_secp384r1

Other listed algorithms are for imported certificates only.

When you request a private PKI certificate signed by a CA from Amazon Web Services Private CA, the specified signing algorithm family (RSA or ECDSA) must match the algorithm family of the CA's secret key.

Default: RSA_2048

Identifies the Amazon Web Services service that manages the certificate issued by ACM.

[required] String that contains the ARN of the requested certificate. The certificate ARN is generated and returned by the request_certificate action as soon as the request is made. By default, using this parameter causes email to be sent to all top-level domains you specified in the certificate request. The ARN must be of the form:

arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012

[required] The fully qualified domain name (FQDN) of the certificate that needs to be validated.

[required] The base validation domain that will act as the suffix of the email addresses that are used to send the emails. This must be the same as the Domain value or a superdomain of the Domain value. For example, if you requested a certificate for site.subdomain.example.com and specify a ValidationDomain of subdomain.example.com, ACM sends email to the the following five addresses:

• admin@subdomain.example.com

• administrator@subdomain.example.com

• hostmaster@subdomain.example.com

• postmaster@subdomain.example.com

• webmaster@subdomain.example.com

[required] The Amazon Resource Name (ARN) of the public or private certificate that will be revoked. The ARN must have the following form:

arn:aws:acm:region:account:certificate/12345678-1234-1234-1234-123456789012

[required] Specifies why you revoked the certificate.

A filter statement that defines the search criteria. You can combine multiple filters using AND, OR, and NOT logical operators to create complex queries.

The maximum number of results to return in the response. Default is 100.

Use this parameter only when paginating results and only in a subsequent request after you receive a response with truncated results. Set it to the value of NextToken from the response you just received.

Specifies the field to sort results by. Valid values are CREATED_AT, NOT_AFTER, STATUS, RENEWAL_STATUS, EXPORTED, IN_USE, NOT_BEFORE, KEY_ALGORITHM, TYPE, CERTIFICATE_ARN, COMMON_NAME, REVOKED_AT, RENEWAL_ELIGIBILITY, ISSUED_AT, MANAGED_BY, EXPORT_OPTION, VALIDATION_METHOD, and IMPORTED_AT.

Specifies the order of sorted results. Valid values are ASCENDING or DESCENDING.

[required] ARN of the requested certificate to update. This must be of the form:

arn:aws:acm:us-east-1:account:certificate/12345678-1234-1234-1234-123456789012

[required] Use to update the options for your certificate. Currently, you can specify whether to add your certificate to a transparency log or export your certificate. Certificate transparency makes it possible to detect SSL/TLS certificates that have been mistakenly or maliciously issued. Certificates that have not been logged typically produce an error message in a browser.

Optional configuration of credentials, endpoint, and/or region.

• credentials:

  • creds:

    • access_key_id: AWS access key ID

    • secret_access_key: AWS secret access key

    • session_token: AWS temporary session token

  • profile: The name of a profile to use. If not given, then the default profile is used.

  • anonymous: Set anonymous credentials.

• endpoint: The complete URL to use for the constructed client.

• region: The AWS Region used in instantiating the client.

• close_connection: Immediately close all HTTP connections.

• timeout: The time in seconds till a timeout exception is thrown when attempting to make a connection. The default is 60 seconds.

• s3_force_path_style: Set this to true to force the request to use path-style addressing, i.e. ⁠http://s3.amazonaws.com/BUCKET/KEY⁠.

• sts_regional_endpoint: Set sts regional endpoint resolver to regional or legacy https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html

Optional credentials shorthand for the config parameter

• creds:

  • access_key_id: AWS access key ID

  • secret_access_key: AWS secret access key

  • session_token: AWS temporary session token

• profile: The name of a profile to use. If not given, then the default profile is used.

• anonymous: Set anonymous credentials.

Optional shorthand for complete URL to use for the constructed client.

Optional shorthand for AWS Region used in instantiating the client.

[required] Name and bit size of the private key algorithm, the name of the signing algorithm, and X.500 certificate subject information.

Contains information to enable support for Online Certificate Status Protocol (OCSP), certificate revocation list (CRL), both protocols, or neither. By default, both certificate validation mechanisms are disabled.

The following requirements apply to revocation configurations.

• A configuration disabling CRLs or OCSP must contain only the Enabled=False parameter, and will fail if other parameters such as CustomCname or ExpirationInDays are included.

• In a CRL configuration, the S3BucketName parameter must conform to Amazon S3 bucket naming rules.

• A configuration containing a custom Canonical Name (CNAME) parameter for CRLs or OCSP must conform to RFC2396 restrictions on the use of special characters in a CNAME.

• In a CRL or OCSP configuration, the value of a CNAME parameter must not include a protocol prefix such as "http://" or "https://".

For more information, see the OcspConfiguration and CrlConfiguration types.

[required] The type of the certificate authority.

Custom string that can be used to distinguish between calls to the CreateCertificateAuthority action. Idempotency tokens for CreateCertificateAuthority time out after five minutes. Therefore, if you call CreateCertificateAuthority multiple times with the same idempotency token within five minutes, Amazon Web Services Private CA recognizes that you are requesting only certificate authority and will issue only one. If you change the idempotency token for each call, Amazon Web Services Private CA recognizes that you are requesting multiple certificate authorities.

Specifies a cryptographic key management compliance standard for handling and protecting CA keys.

Default: FIPS_140_2_LEVEL_3_OR_HIGHER

Some Amazon Web Services Regions don't support the default value. When you create a CA in these Regions, you must use CCPC_LEVEL_1_OR_HIGHER for the KeyStorageSecurityStandard parameter. If you don't, the operation returns an InvalidArgsException with this message: "A certificate authority cannot be created in this region with the specified security standard."

For information about security standard support in different Amazon Web Services Regions, see Storage and security compliance of Amazon Web Services Private CA private keys.

Key-value pairs that will be attached to the new private CA. You can associate up to 50 tags with a private CA. For information using tags with IAM to manage permissions, see Controlling Access Using IAM Tags.

Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days.

The default value is GENERAL_PURPOSE.

[required] The Amazon Resource Name (ARN) of the CA to be audited. This is of the form:

arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 .

[required] The name of the S3 bucket that will contain the audit report.

[required] The format in which to create the report. This can be either JSON or CSV.

[required] The Amazon Resource Name (ARN) of the CA that grants the permissions. You can find the ARN by calling the list_certificate_authorities action. This must have the following form:

arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 .

[required] The Amazon Web Services service or identity that receives the permission. At this time, the only valid principal is acm.amazonaws.com.

The ID of the calling account.

[required] The actions that the specified Amazon Web Services service principal can use. These include issue_certificate, get_certificate, and list_permissions.

[required] The Amazon Resource Name (ARN) that was returned when you called create_certificate_authority. This must have the following form:

arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 .

The number of days to make a CA restorable after it has been deleted. This can be anywhere from 7 to 30 days, with 30 being the default.

[required] The Amazon Resource Number (ARN) of the private CA that issued the permissions. You can find the CA's ARN by calling the list_certificate_authorities action. This must have the following form:

arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 .

[required] The Amazon Web Services service or identity that will have its CA permissions revoked. At this time, the only valid service principal is acm.amazonaws.com

The Amazon Web Services account that calls this action.

[required] The Amazon Resource Number (ARN) of the private CA that will have its policy deleted. You can find the CA's ARN by calling the list_certificate_authorities action. The ARN value must have the form ⁠arn:aws:acm-pca:region:account:certificate-authority/01234567-89ab-cdef-0123-0123456789ab⁠.

[required] The Amazon Resource Name (ARN) that was returned when you called create_certificate_authority. This must be of the form:

arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 .

[required] The Amazon Resource Name (ARN) of the private CA. This must be of the form:

arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 .

[required] The report ID returned by calling the create_certificate_authority_audit_report action.

[required] The Amazon Resource Name (ARN) that was returned when you called create_certificate_authority. This must be of the form:

arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 .

[required] The ARN of the issued certificate. The ARN contains the certificate serial number and must be in the following form:

arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/286535153982981100925020015808220737245

[required] The Amazon Resource Name (ARN) of your private CA. This is of the form:

arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 .

[required] The Amazon Resource Name (ARN) that was returned when you called the create_certificate_authority action. This must be of the form:

arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012

[required] The Amazon Resource Number (ARN) of the private CA that will have its policy retrieved. You can find the CA's ARN by calling the ListCertificateAuthorities action.

[required] The Amazon Resource Name (ARN) that was returned when you called create_certificate_authority. This must be of the form:

arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012

[required] The PEM-encoded certificate for a private CA. This may be a self-signed certificate in the case of a root CA, or it may be signed by another CA that you control.

A PEM-encoded file that contains all of your certificates, other than the certificate you're importing, chaining up to your root CA. Your Amazon Web Services Private CA-hosted or on-premises root certificate is the last in the chain, and each certificate in the chain signs the one preceding.

This parameter must be supplied when you import a subordinate CA. When you import a root CA, there is no chain.

Specifies X.509 certificate information to be included in the issued certificate. An APIPassthrough or APICSRPassthrough template variant must be selected, or else this parameter is ignored. For more information about using these templates, see Understanding Certificate Templates.

If conflicting or duplicate certificate information is supplied during certificate issuance, Amazon Web Services Private CA applies order of operation rules to determine what information is used.

[required] The Amazon Resource Name (ARN) that was returned when you called create_certificate_authority. This must be of the form:

arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012

[required] The certificate signing request (CSR) for the certificate you want to issue. As an example, you can use the following OpenSSL command to create the CSR and a 2048 bit RSA private key.

⁠openssl req -new -newkey rsa:2048 -days 365 -keyout private/test_cert_priv_key.pem -out csr/test_cert_.csr⁠

If you have a configuration file, you can then use the following OpenSSL command. The usr_cert block in the configuration file contains your X509 version 3 extensions.

⁠openssl req -new -config openssl_rsa.cnf -extensions usr_cert -newkey rsa:2048 -days 365 -keyout private/test_cert_priv_key.pem -out csr/test_cert_.csr⁠

Note: A CSR must provide either a subject name or a subject alternative name or the request will be rejected.

[required] The name of the algorithm that will be used to sign the certificate to be issued.

This parameter should not be confused with the SigningAlgorithm parameter used to sign a CSR in the create_certificate_authority action.

The specified signing algorithm family (RSA or ECDSA) must match the algorithm family of the CA's secret key.

Specifies a custom configuration template to use when issuing a certificate. If this parameter is not provided, Amazon Web Services Private CA defaults to the EndEntityCertificate/V1 template. For CA certificates, you should choose the shortest path length that meets your needs. The path length is indicated by the PathLenN portion of the ARN, where N is the CA depth.

Note: The CA depth configured on a subordinate CA certificate must not exceed the limit set by its parents in the CA hierarchy.

For a list of TemplateArn values supported by Amazon Web Services Private CA, see Understanding Certificate Templates.

[required] Information describing the end of the validity period of the certificate. This parameter sets the “Not After” date for the certificate.

Certificate validity is the period of time during which a certificate is valid. Validity can be expressed as an explicit date and time when the certificate expires, or as a span of time after issuance, stated in days, months, or years. For more information, see Validity in RFC 5280.

This value is unaffected when ValidityNotBefore is also specified. For example, if Validity is set to 20 days in the future, the certificate will expire 20 days from issuance time regardless of the ValidityNotBefore value.

The end of the validity period configured on a certificate must not exceed the limit set on its parents in the CA hierarchy.

Information describing the start of the validity period of the certificate. This parameter sets the “Not Before" date for the certificate.

By default, when issuing a certificate, Amazon Web Services Private CA sets the "Not Before" date to the issuance time minus 60 minutes. This compensates for clock inconsistencies across computer systems. The ValidityNotBefore parameter can be used to customize the “Not Before” value.

Unlike the Validity parameter, the ValidityNotBefore parameter is optional.

The ValidityNotBefore value is expressed as an explicit date and time, using the Validity type value ABSOLUTE. For more information, see Validity in this API reference and Validity in RFC 5280.

Alphanumeric string that can be used to distinguish between calls to the IssueCertificate action. Idempotency tokens for IssueCertificate time out after five minutes. Therefore, if you call IssueCertificate multiple times with the same idempotency token within five minutes, Amazon Web Services Private CA recognizes that you are requesting only one certificate and will issue only one. If you change the idempotency token for each call, Amazon Web Services Private CA recognizes that you are requesting multiple certificates.

Use this parameter when paginating results to specify the maximum number of items to return in the response on each page. If additional items exist beyond the number you specify, the NextToken element is sent in the response. Use this NextToken value in a subsequent request to retrieve additional items.

Although the maximum value is 1000, the action only returns a maximum of 100 items.

Use this parameter when paginating results in a subsequent request after you receive a response with truncated results. Set it to the value of the NextToken parameter from the response you just received.

Use this parameter to filter the returned set of certificate authorities based on their owner. The default is SELF.

When paginating results, use this parameter to specify the maximum number of items to return in the response. If additional items exist beyond the number you specify, the NextToken element is sent in the response. Use this NextToken value in a subsequent request to retrieve additional items.

When paginating results, use this parameter in a subsequent request after you receive a response with truncated results. Set it to the value of NextToken from the response you just received.

[required] The Amazon Resource Number (ARN) of the private CA to inspect. You can find the ARN by calling the list_certificate_authorities action. This must be of the form: arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 You can get a private CA's ARN by running the list_certificate_authorities action.

Use this parameter when paginating results to specify the maximum number of items to return in the response. If additional items exist beyond the number you specify, the NextToken element is sent in the response. Use this NextToken value in a subsequent request to retrieve additional items.

Use this parameter when paginating results in a subsequent request after you receive a response with truncated results. Set it to the value of NextToken from the response you just received.

[required] The Amazon Resource Name (ARN) that was returned when you called the create_certificate_authority action. This must be of the form:

arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012

[required] The Amazon Resource Number (ARN) of the private CA to associate with the policy. The ARN of the CA can be found by calling the list_certificate_authorities action.

[required] The path and file name of a JSON-formatted IAM policy to attach to the specified private CA resource. If this policy does not contain all required statements or if it includes any statement that is not allowed, the put_policy action returns an InvalidPolicyException. For information about IAM policy and statement structure, see Overview of JSON Policies.

[required] The Amazon Resource Name (ARN) that was returned when you called the create_certificate_authority action. This must be of the form:

arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012

[required] Amazon Resource Name (ARN) of the private CA that issued the certificate to be revoked. This must be of the form:

arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012

[required] Serial number of the certificate to be revoked. This must be in hexadecimal format. You can retrieve the serial number by calling get_certificate with the Amazon Resource Name (ARN) of the certificate you want and the ARN of your private CA. The GetCertificate action retrieves the certificate in the PEM format. You can use the following OpenSSL command to list the certificate in text format and copy the hexadecimal serial number.

⁠openssl x509 -in file_path -text -noout⁠

You can also copy the serial number from the console or use the DescribeCertificate action in the Certificate Manager API Reference.

[required] Specifies why you revoked the certificate.

[required] The Amazon Resource Name (ARN) that was returned when you called create_certificate_authority. This must be of the form:

arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012

[required] List of tags to be associated with the CA.

[required] The Amazon Resource Name (ARN) that was returned when you called create_certificate_authority. This must be of the form:

arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012

[required] List of tags to be removed from the CA.

[required] Amazon Resource Name (ARN) of the private CA that issued the certificate to be revoked. This must be of the form:

arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012

Contains information to enable support for Online Certificate Status Protocol (OCSP), certificate revocation list (CRL), both protocols, or neither. If you don't supply this parameter, existing capibilites remain unchanged. For more information, see the OcspConfiguration and CrlConfiguration types.

The following requirements apply to revocation configurations.

• A configuration disabling CRLs or OCSP must contain only the Enabled=False parameter, and will fail if other parameters such as CustomCname or ExpirationInDays are included.

• In a CRL configuration, the S3BucketName parameter must conform to Amazon S3 bucket naming rules.

• A configuration containing a custom Canonical Name (CNAME) parameter for CRLs or OCSP must conform to RFC2396 restrictions on the use of special characters in a CNAME.

• In a CRL or OCSP configuration, the value of a CNAME parameter must not include a protocol prefix such as "http://" or "https://".

If you update the S3BucketName of CrlConfiguration, you can break revocation for existing certificates. In other words, if you call update_certificate_authority to update the CRL configuration's S3 bucket name, Amazon Web Services Private CA only writes CRLs to the new S3 bucket. Certificates issued prior to this point will have the old S3 bucket name in your CRL Distribution Point (CDP) extension, essentially breaking revocation. If you must update the S3 bucket, you'll need to reissue old certificates to keep the revocation working. Alternatively, you can use a CustomCname in your CRL configuration if you might need to change the S3 bucket name in the future.

Status of your private CA.

Optional configuration of credentials, endpoint, and/or region.

• credentials:

  • creds:

    • access_key_id: AWS access key ID

    • secret_access_key: AWS secret access key

    • session_token: AWS temporary session token

  • profile: The name of a profile to use. If not given, then the default profile is used.

  • anonymous: Set anonymous credentials.

• endpoint: The complete URL to use for the constructed client.

• region: The AWS Region used in instantiating the client.

• close_connection: Immediately close all HTTP connections.

• timeout: The time in seconds till a timeout exception is thrown when attempting to make a connection. The default is 60 seconds.

• s3_force_path_style: Set this to true to force the request to use path-style addressing, i.e. ⁠http://s3.amazonaws.com/BUCKET/KEY⁠.

• sts_regional_endpoint: Set sts regional endpoint resolver to regional or legacy https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html

Optional credentials shorthand for the config parameter

• creds:

  • access_key_id: AWS access key ID

  • secret_access_key: AWS secret access key

  • session_token: AWS temporary session token

• profile: The name of a profile to use. If not given, then the default profile is used.

• anonymous: Set anonymous credentials.

Optional shorthand for complete URL to use for the constructed client.

Optional shorthand for AWS Region used in instantiating the client.

[required] The membership ID of the trained model job that you want to cancel.

[required] The Amazon Resource Name (ARN) of the trained model job that you want to cancel.

The version identifier of the trained model to cancel. This parameter allows you to specify which version of the trained model you want to cancel when multiple versions exist.

If versionIdentifier is not specified, the base model will be cancelled.

[required] The membership ID of the trained model inference job that you want to cancel.

[required] The Amazon Resource Name (ARN) of the trained model inference job that you want to cancel.

The start date and time of the training window.

The end date and time of the training window.

[required] The name of the audience model resource.

[required] The Amazon Resource Name (ARN) of the training dataset for this audience model.

The Amazon Resource Name (ARN) of the KMS key. This key is used to encrypt and decrypt customer-owned data in the trained ML model and the associated data.

The optional metadata that you apply to the resource to help you categorize and organize them. Each tag consists of a key and an optional value, both of which you define.

The following basic restrictions apply to tags:

• Maximum number of tags per resource - 50.

• For each resource, each tag key must be unique, and each tag key can have only one value.

• Maximum key length - 128 Unicode characters in UTF-8.

• Maximum value length - 256 Unicode characters in UTF-8.

• If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @.

• Tag keys and values are case sensitive.

• Do not use aws:, AWS:, or any upper or lowercase combination of such as a prefix for keys as it is reserved for AWS use. You cannot edit or delete tag keys with this prefix. Values can have this prefix. If a tag value has aws as its prefix but the key does not, then Clean Rooms ML considers it to be a user tag and will count against the limit of 50 tags. Tags with only the key prefix of aws do not count against your tags per resource limit.

The description of the audience model.

[required] The name of the configured audience model.

[required] The Amazon Resource Name (ARN) of the audience model to use for the configured audience model.

[required] Configure the Amazon S3 location and IAM Role for audiences created using this configured audience model. Each audience will have a unique location. The IAM Role must have s3:PutObject permission on the destination Amazon S3 location. If the destination is protected with Amazon S3 KMS-SSE, then the Role must also have the required KMS permissions.

The description of the configured audience model.

[required] Whether audience metrics are shared.

The minimum number of users from the seed audience that must match with users in the training data of the audience model. The default value is 500.

Configure the list of output sizes of audiences that can be created using this configured audience model. A request to start_audience_generation_job that uses this configured audience model must have an audienceSize selected from this list. You can use the ABSOLUTE AudienceSize to configure out audience sizes using the count of identifiers in the output. You can use the Percentage AudienceSize to configure sizes in the range 1-100 percent.

The optional metadata that you apply to the resource to help you categorize and organize them. Each tag consists of a key and an optional value, both of which you define.

The following basic restrictions apply to tags:

• Maximum number of tags per resource - 50.

• For each resource, each tag key must be unique, and each tag key can have only one value.

• Maximum key length - 128 Unicode characters in UTF-8.

• Maximum value length - 256 Unicode characters in UTF-8.

• If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @.

• Tag keys and values are case sensitive.

• Do not use aws:, AWS:, or any upper or lowercase combination of such as a prefix for keys as it is reserved for AWS use. You cannot edit or delete tag keys with this prefix. Values can have this prefix. If a tag value has aws as its prefix but the key does not, then Clean Rooms ML considers it to be a user tag and will count against the limit of 50 tags. Tags with only the key prefix of aws do not count against your tags per resource limit.

Configure how the service tags audience generation jobs created using this configured audience model. If you specify NONE, the tags from the start_audience_generation_job request determine the tags of the audience generation job. If you specify FROM_PARENT_RESOURCE, the audience generation job inherits the tags from the configured audience model, by default. Tags in the start_audience_generation_job will override the default.

When the client is in a different account than the configured audience model, the tags from the client are never applied to a resource in the caller's account.

[required] The name of the configured model algorithm.

The description of the configured model algorithm.

[required] The Amazon Resource Name (ARN) of the role that is used to access the repository.

Configuration information for the training container, including entrypoints and arguments.

Configuration information for the inference container that is used when you run an inference job on a configured model algorithm.

The optional metadata that you apply to the resource to help you categorize and organize them. Each tag consists of a key and an optional value, both of which you define.

The following basic restrictions apply to tags:

• Maximum number of tags per resource - 50.

• For each resource, each tag key must be unique, and each tag key can have only one value.

• Maximum key length - 128 Unicode characters in UTF-8.

• Maximum value length - 256 Unicode characters in UTF-8.

• If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @.

• Tag keys and values are case sensitive.

• Do not use aws:, AWS:, or any upper or lowercase combination of such as a prefix for keys as it is reserved for AWS use. You cannot edit or delete tag keys with this prefix. Values can have this prefix. If a tag value has aws as its prefix but the key does not, then Clean Rooms ML considers it to be a user tag and will count against the limit of 50 tags. Tags with only the key prefix of aws do not count against your tags per resource limit.

The Amazon Resource Name (ARN) of the KMS key. This key is used to encrypt and decrypt customer-owned data in the configured ML model algorithm and associated data.

[required] The membership ID of the member who is associating this configured model algorithm.

[required] The Amazon Resource Name (ARN) of the configured model algorithm that you want to associate.

[required] The name of the configured model algorithm association.

The description of the configured model algorithm association.

Specifies the privacy configuration information for the configured model algorithm association. This information includes the maximum data size that can be exported.

The optional metadata that you apply to the resource to help you categorize and organize them. Each tag consists of a key and an optional value, both of which you define.

The following basic restrictions apply to tags:

• Maximum number of tags per resource - 50.

• For each resource, each tag key must be unique, and each tag key can have only one value.

• Maximum key length - 128 Unicode characters in UTF-8.

• Maximum value length - 256 Unicode characters in UTF-8.

• If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @.

• Tag keys and values are case sensitive.

• Do not use aws:, AWS:, or any upper or lowercase combination of such as a prefix for keys as it is reserved for AWS use. You cannot edit or delete tag keys with this prefix. Values can have this prefix. If a tag value has aws as its prefix but the key does not, then Clean Rooms ML considers it to be a user tag and will count against the limit of 50 tags. Tags with only the key prefix of aws do not count against your tags per resource limit.

[required] The membership ID of the member that is creating the ML input channel.

[required] The associated configured model algorithms that are necessary to create this ML input channel.

[required] The input data that is used to create this ML input channel.

[required] The name of the ML input channel.

[required] The number of days that the data in the ML input channel is retained.

The description of the ML input channel.

The Amazon Resource Name (ARN) of the KMS key that is used to access the input channel.

The optional metadata that you apply to the resource to help you categorize and organize them. Each tag consists of a key and an optional value, both of which you define.

The following basic restrictions apply to tags:

• Maximum number of tags per resource - 50.

• For each resource, each tag key must be unique, and each tag key can have only one value.

• Maximum key length - 128 Unicode characters in UTF-8.

• Maximum value length - 256 Unicode characters in UTF-8.

• If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @.

• Tag keys and values are case sensitive.

• Do not use aws:, AWS:, or any upper or lowercase combination of such as a prefix for keys as it is reserved for AWS use. You cannot edit or delete tag keys with this prefix. Values can have this prefix. If a tag value has aws as its prefix but the key does not, then Clean Rooms ML considers it to be a user tag and will count against the limit of 50 tags. Tags with only the key prefix of aws do not count against your tags per resource limit.

The payer configuration for the ML input channel. Determines which member account pays for compute and synthetic data costs.

[required] The membership ID of the member that is creating the trained model.

[required] The name of the trained model.

[required] The associated configured model algorithm used to train this model.

Algorithm-specific parameters that influence the quality of the model. You set hyperparameters before you start the learning process.

The environment variables to set in the Docker container.

[required] Information about the EC2 resources that are used to train this model.

The criteria that is used to stop model training.

Specifies the incremental training data channels for the trained model.

Incremental training allows you to create a new trained model with updates without retraining from scratch. You can specify up to one incremental training data channel that references a previously trained model and its version.

Limit: Maximum of 20 channels total (including both incrementalTrainingDataChannels and dataChannels).

[required] Defines the data channels that are used as input for the trained model request.

Limit: Maximum of 20 channels total (including both dataChannels and incrementalTrainingDataChannels).

The input mode for accessing the training data. This parameter determines how the training data is made available to the training algorithm. Valid values are:

• File - The training data is downloaded to the training instance and made available as files.

• FastFile - The training data is streamed directly from Amazon S3 to the training algorithm, providing faster access for large datasets.

• Pipe - The training data is streamed to the training algorithm using named pipes, which can improve performance for certain algorithms.

The description of the trained model.

The Amazon Resource Name (ARN) of the KMS key. This key is used to encrypt and decrypt customer-owned data in the trained ML model and the associated data.

The optional metadata that you apply to the resource to help you categorize and organize them. Each tag consists of a key and an optional value, both of which you define.

The following basic restrictions apply to tags:

• Maximum number of tags per resource - 50.

• For each resource, each tag key must be unique, and each tag key can have only one value.

• Maximum key length - 128 Unicode characters in UTF-8.

• Maximum value length - 256 Unicode characters in UTF-8.

• If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @.

• Tag keys and values are case sensitive.

• Do not use aws:, AWS:, or any upper or lowercase combination of such as a prefix for keys as it is reserved for AWS use. You cannot edit or delete tag keys with this prefix. Values can have this prefix. If a tag value has aws as its prefix but the key does not, then Clean Rooms ML considers it to be a user tag and will count against the limit of 50 tags. Tags with only the key prefix of aws do not count against your tags per resource limit.

The account ID of the member that is responsible for paying for model training costs.

[required] The name of the training dataset. This name must be unique in your account and region.

[required] The ARN of the IAM role that Clean Rooms ML can assume to read the data referred to in the dataSource field of each dataset.

Passing a role across AWS accounts is not allowed. If you pass a role that isn't in your account, you get an AccessDeniedException error.

[required] An array of information that lists the Dataset objects, which specifies the dataset type and details on its location and schema. You must provide a role that has read access to these tables.

The optional metadata that you apply to the resource to help you categorize and organize them. Each tag consists of a key and an optional value, both of which you define.

The following basic restrictions apply to tags:

• Maximum number of tags per resource - 50.

• For each resource, each tag key must be unique, and each tag key can have only one value.

• Maximum key length - 128 Unicode characters in UTF-8.

• Maximum value length - 256 Unicode characters in UTF-8.

• If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @.

• Tag keys and values are case sensitive.

• Do not use aws:, AWS:, or any upper or lowercase combination of such as a prefix for keys as it is reserved for AWS use. You cannot edit or delete tag keys with this prefix. Values can have this prefix. If a tag value has aws as its prefix but the key does not, then Clean Rooms ML considers it to be a user tag and will count against the limit of 50 tags. Tags with only the key prefix of aws do not count against your tags per resource limit.

The description of the training dataset.

[required] The Amazon Resource Name (ARN) of the audience generation job that you want to delete.

[required] The Amazon Resource Name (ARN) of the audience model that you want to delete.

[required] The Amazon Resource Name (ARN) of the configured audience model that you want to delete.

[required] The Amazon Resource Name (ARN) of the configured audience model policy that you want to delete.

[required] The Amazon Resource Name (ARN) of the configured model algorithm that you want to delete.

[required] The Amazon Resource Name (ARN) of the configured model algorithm association that you want to delete.

[required] The membership ID of the member that is deleting the configured model algorithm association.

[required] The membership ID of the of the member that is deleting the ML modeling configuration.

[required] The Amazon Resource Name (ARN) of the ML input channel that you want to delete.

[required] The membership ID of the membership that contains the ML input channel you want to delete.

[required] The Amazon Resource Name (ARN) of the trained model whose output you want to delete.

[required] The membership ID of the member that is deleting the trained model output.

The version identifier of the trained model to delete. If not specified, the operation will delete the base version of the trained model. When specified, only the particular version will be deleted.

[required] The Amazon Resource Name (ARN) of the training dataset that you want to delete.

[required] The Amazon Resource Name (ARN) of the audience generation job that you are interested in.

[required] The Amazon Resource Name (ARN) of the audience model that you are interested in.

[required] The Amazon Resource Name (ARN) of the configured model algorithm association that you want to return information about.

[required] The collaboration ID for the collaboration that contains the configured model algorithm association that you want to return information about.

[required] The Amazon Resource Name (ARN) of the ML input channel that you want to get.

[required] The collaboration ID of the collaboration that contains the ML input channel that you want to get.

[required] The Amazon Resource Name (ARN) of the trained model that you want to return information about.

[required] The collaboration ID that contains the trained model that you want to return information about.

The version identifier of the trained model to retrieve. If not specified, the operation returns information about the latest version of the trained model.

[required] The Amazon Resource Name (ARN) of the configured audience model that you are interested in.

[required] The Amazon Resource Name (ARN) of the configured audience model that you are interested in.

[required] The Amazon Resource Name (ARN) of the configured model algorithm that you want to return information about.

[required] The Amazon Resource Name (ARN) of the configured model algorithm association that you want to return information about.

[required] The membership ID of the member that created the configured model algorithm association.

[required] The membership ID of the member that owns the ML configuration you want to return information about.

[required] The Amazon Resource Name (ARN) of the ML input channel that you want to get.

[required] The membership ID of the membership that contains the ML input channel that you want to get.

[required] The Amazon Resource Name (ARN) of the trained model that you are interested in.

[required] The membership ID of the member that created the trained model that you are interested in.

The version identifier of the trained model to retrieve. If not specified, the operation returns information about the latest version of the trained model.

[required] Provides the membership ID of the membership that contains the trained model inference job that you are interested in.

[required] Provides the Amazon Resource Name (ARN) of the trained model inference job that you are interested in.

[required] The Amazon Resource Name (ARN) of the training dataset that you are interested in.

The token value retrieved from a previous call to access the next page of results.

The maximum size of the results that is returned per call.

The Amazon Resource Name (ARN) of the audience generation job that you are interested in.

The token value retrieved from a previous call to access the next page of results.

The maximum size of the results that is returned per call.

The Amazon Resource Name (ARN) of the configured audience model that was used for the audience generation jobs that you are interested in.

The identifier of the collaboration that contains the audience generation jobs that you are interested in.

The token value retrieved from a previous call to access the next page of results.

The maximum size of the results that is returned per call.

The token value retrieved from a previous call to access the next page of results.

The maximum size of the results that is returned per call.

[required] The collaboration ID of the collaboration that contains the configured model algorithm associations that you are interested in.

The token value retrieved from a previous call to access the next page of results.

The maximum number of results to return.

[required] The collaboration ID of the collaboration that contains the ML input channels that you want to list.

The token value retrieved from a previous call to access the next page of results.

The maximum size of the results that is returned per call.

[required] The collaboration ID of the collaboration that contains the trained model export jobs that you are interested in.

[required] The Amazon Resource Name (ARN) of the trained model that was used to create the export jobs that you are interested in.

The version identifier of the trained model to filter export jobs by. When specified, only export jobs for this specific version of the trained model are returned.

The token value retrieved from a previous call to access the next page of results.

The maximum size of the results that is returned per call.

[required] The collaboration ID of the collaboration that contains the trained model inference jobs that you are interested in.

The Amazon Resource Name (ARN) of the trained model that was used to create the trained model inference jobs that you are interested in.

The version identifier of the trained model to filter inference jobs by. When specified, only inference jobs that used this specific version of the trained model are returned.

The token value retrieved from a previous call to access the next page of results.

The maximum size of the results that is returned per call.

[required] The collaboration ID of the collaboration that contains the trained models you are interested in.

The token value retrieved from a previous call to access the next page of results.

The maximum size of the results that is returned per call.

The token value retrieved from a previous call to access the next page of results.

The maximum size of the results that is returned per call.

[required] The membership ID of the member that created the configured model algorithm associations you are interested in.

The token value retrieved from a previous call to access the next page of results.

The maximum size of the results that is returned per call.

The token value retrieved from a previous call to access the next page of results.

The maximum number of ML input channels to return.

[required] The membership ID of the membership that contains the ML input channels that you want to list.

[required] The Amazon Resource Name (ARN) of the resource that you are interested in.

The token value retrieved from a previous call to access the next page of results.

The maximum size of the results that is returned per call.

[required] The membership

The Amazon Resource Name (ARN) of a trained model that was used to create the trained model inference jobs that you are interested in.

The version identifier of the trained model to filter inference jobs by. When specified, only inference jobs that used this specific version of the trained model are returned.

The pagination token from a previous list_trained_model_versions request. Use this token to retrieve the next page of results.

The maximum number of trained model versions to return in a single page. The default value is 10, and the maximum value is 100.

[required] The membership identifier for the collaboration that contains the trained model.

[required] The Amazon Resource Name (ARN) of the trained model for which to list versions.

Filter the results to only include trained model versions with the specified status. Valid values include CREATE_PENDING, CREATE_IN_PROGRESS, ACTIVE, CREATE_FAILED, and others.

The token value retrieved from a previous call to access the next page of results.

The maximum size of the results that is returned per call.

[required] The membership ID of the member that created the trained models you are interested in.

The token value retrieved from a previous call to access the next page of results.

The maximum size of the results that is returned per call.

[required] The Amazon Resource Name (ARN) of the configured audience model that the resource policy will govern.

[required] The IAM resource policy.

A cryptographic hash of the contents of the policy used to prevent unexpected concurrent modification of the policy.

Use this to prevent unexpected concurrent modification of the policy.

[required] The membership ID of the member that is being configured.

[required] The default Amazon S3 location where ML output is stored for the specified member.

[required] The name of the audience export job.

[required] The Amazon Resource Name (ARN) of the audience generation job that you want to export.

[required] The size of the generated audience. Must match one of the sizes in the configured audience model.

The description of the audience export job.

[required] The name of the audience generation job.

[required] The Amazon Resource Name (ARN) of the configured audience model that is used for this audience generation job.

[required] The seed audience that is used to generate the audience.

Whether the seed audience is included in the audience generation output.

The identifier of the collaboration that contains the audience generation job.

The description of the audience generation job.

The optional metadata that you apply to the resource to help you categorize and organize them. Each tag consists of a key and an optional value, both of which you define.

The following basic restrictions apply to tags:

• Maximum number of tags per resource - 50.

• For each resource, each tag key must be unique, and each tag key can have only one value.

• Maximum key length - 128 Unicode characters in UTF-8.

• Maximum value length - 256 Unicode characters in UTF-8.

• If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @.

• Tag keys and values are case sensitive.

• Do not use aws:, AWS:, or any upper or lowercase combination of such as a prefix for keys as it is reserved for AWS use. You cannot edit or delete tag keys with this prefix. Values can have this prefix. If a tag value has aws as its prefix but the key does not, then Clean Rooms ML considers it to be a user tag and will count against the limit of 50 tags. Tags with only the key prefix of aws do not count against your tags per resource limit.

[required] The name of the trained model export job.

[required] The Amazon Resource Name (ARN) of the trained model that you want to export.

The version identifier of the trained model to export. This specifies which version of the trained model should be exported to the specified destination.

[required] The membership ID of the member that is receiving the exported trained model artifacts.

[required] The output configuration information for the trained model export job.

The description of the trained model export job.

[required] The membership ID of the membership that contains the trained model inference job.

[required] The name of the trained model inference job.

[required] The Amazon Resource Name (ARN) of the trained model that is used for this trained model inference job.

The version identifier of the trained model to use for inference. This specifies which version of the trained model should be used to generate predictions on the input data.

The Amazon Resource Name (ARN) of the configured model algorithm association that is used for this trained model inference job.

[required] Defines the resource configuration for the trained model inference job.

[required] Defines the output configuration information for the trained model inference job.

[required] Defines the data source that is used for the trained model inference job.

The description of the trained model inference job.

The execution parameters for the container.

The environment variables to set in the Docker container.

The Amazon Resource Name (ARN) of the KMS key. This key is used to encrypt and decrypt customer-owned data in the ML inference job and associated data.

The optional metadata that you apply to the resource to help you categorize and organize them. Each tag consists of a key and an optional value, both of which you define.

The following basic restrictions apply to tags:

• Maximum number of tags per resource - 50.

• For each resource, each tag key must be unique, and each tag key can have only one value.

• Maximum key length - 128 Unicode characters in UTF-8.

• Maximum value length - 256 Unicode characters in UTF-8.

• If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @.

• Tag keys and values are case sensitive.

• Do not use aws:, AWS:, or any upper or lowercase combination of such as a prefix for keys as it is reserved for AWS use. You cannot edit or delete tag keys with this prefix. Values can have this prefix. If a tag value has aws as its prefix but the key does not, then Clean Rooms ML considers it to be a user tag and will count against the limit of 50 tags. Tags with only the key prefix of aws do not count against your tags per resource limit.

The account ID of the member that is responsible for paying for model inference costs.

[required] The Amazon Resource Name (ARN) of the resource that you want to assign tags.

[required] The optional metadata that you apply to the resource to help you categorize and organize them. Each tag consists of a key and an optional value, both of which you define.

The following basic restrictions apply to tags:

• Maximum number of tags per resource - 50.

• For each resource, each tag key must be unique, and each tag key can have only one value.

• Maximum key length - 128 Unicode characters in UTF-8.

• Maximum value length - 256 Unicode characters in UTF-8.

• If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @.

• Tag keys and values are case sensitive.

• Do not use aws:, AWS:, or any upper or lowercase combination of such as a prefix for keys as it is reserved for AWS use. You cannot edit or delete tag keys with this prefix. Values can have this prefix. If a tag value has aws as its prefix but the key does not, then Clean Rooms considers it to be a user tag and will count against the limit of 50 tags. Tags with only the key prefix of aws do not count against your tags per resource limit.

[required] The Amazon Resource Name (ARN) of the resource that you want to remove tags from.

[required] The key values of tags that you want to remove.

[required] The Amazon Resource Name (ARN) of the configured audience model that you want to update.

The new output configuration.

The Amazon Resource Name (ARN) of the new audience model that you want to use.

The new value for whether to share audience metrics.

The minimum number of users from the seed audience that must match with users in the training data of the audience model.

The new audience size configuration.

The new description of the configured audience model.

Optional configuration of credentials, endpoint, and/or region.

• credentials:

  • creds:

    • access_key_id: AWS access key ID

    • secret_access_key: AWS secret access key

    • session_token: AWS temporary session token

  • profile: The name of a profile to use. If not given, then the default profile is used.

  • anonymous: Set anonymous credentials.

• endpoint: The complete URL to use for the constructed client.

• region: The AWS Region used in instantiating the client.

• close_connection: Immediately close all HTTP connections.

• timeout: The time in seconds till a timeout exception is thrown when attempting to make a connection. The default is 60 seconds.

• s3_force_path_style: Set this to true to force the request to use path-style addressing, i.e. ⁠http://s3.amazonaws.com/BUCKET/KEY⁠.

• sts_regional_endpoint: Set sts regional endpoint resolver to regional or legacy https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html

Optional credentials shorthand for the config parameter

• creds:

  • access_key_id: AWS access key ID

  • secret_access_key: AWS secret access key

  • session_token: AWS temporary session token

• profile: The name of a profile to use. If not given, then the default profile is used.

• anonymous: Set anonymous credentials.

Optional shorthand for complete URL to use for the constructed client.

Optional shorthand for AWS Region used in instantiating the client.

[required] The Amazon Resource Name (ARN) that is associated with the Directory where the object resides. For more information, see arns.

[required] Identifiers for the facet that you are adding to the object. See SchemaFacet for details.

Attributes on the facet that you are adding to the object.

[required] A reference to the object you are adding the specified facet to.

[required] Published schema Amazon Resource Name (ARN) that needs to be copied. For more information, see arns.

[required] The Amazon Resource Name (ARN) that is associated with the Directory into which the schema is copied. For more information, see arns.

[required] Amazon Resource Name (ARN) that is associated with the Directory where both objects reside. For more information, see arns.

[required] The parent object reference.

[required] The child object reference to be attached to the object.

[required] The link name with which the child object is attached to the parent.

[required] The Amazon Resource Name (ARN) that is associated with the Directory where both objects reside. For more information, see arns.

[required] The reference that is associated with the policy object.

[required] The reference that identifies the object to which the policy will be attached.

[required] The Amazon Resource Name (ARN) of the directory where the object and index exist.

[required] A reference to the index that you are attaching the object to.

[required] A reference to the object that you are attaching to the index.

[required] The Amazon Resource Name (ARN) of the directory where you want to attach the typed link.

[required] Identifies the source object that the typed link will attach to.

[required] Identifies the target object that the typed link will attach to.

[required] Identifies the typed link facet that is associated with the typed link.

[required] A set of attributes that are associated with the typed link.

[required] The Amazon Resource Name (ARN) that is associated with the Directory. For more information, see arns.

[required] A list of operations that are part of the batch.

Represents the manner and timing in which the successful write or update of an object is reflected in a subsequent read operation of that same object.

[required] The Amazon Resource Name (ARN) that is associated with the Directory. For more information, see arns.

[required] A list of operations that are part of the batch.

[required] The name of the Directory. Should be unique per account, per region.

[required] The Amazon Resource Name (ARN) of the published schema that will be copied into the data Directory. For more information, see arns.

[required] The schema ARN in which the new Facet will be created. For more information, see arns.

[required] The name of the Facet, which is unique for a given schema.

The attributes that are associated with the Facet.

Specifies whether a given object created from this facet is of type node, leaf node, policy or index.

• Node: Can have multiple children but one parent.

• Leaf node: Cannot have children but can have multiple parents.

• Policy: Allows you to store a policy document and policy type. For more information, see Policies.

• Index: Can be created with the Index API.

There are two different styles that you can define on any given facet, Static and Dynamic. For static facets, all attributes must be defined in the schema. For dynamic facets, attributes can be defined during data plane operations.

[required] The ARN of the directory where the index should be created.

[required] Specifies the attributes that should be indexed on. Currently only a single attribute is supported.

[required] Indicates whether the attribute that is being indexed has unique values or not.

A reference to the parent object that contains the index object.

The name of the link between the parent object and the index object.

[required] The Amazon Resource Name (ARN) that is associated with the Directory in which the object will be created. For more information, see arns.

[required] A list of schema facets to be associated with the object. Do not provide minor version components. See SchemaFacet for details.

The attribute map whose attribute ARN contains the key and attribute value as the map value.

If specified, the parent reference to which this object will be attached.

The name of link that is used to attach this object to a parent.

[required] The name that is associated with the schema. This is unique to each account and in each region.

[required] The Amazon Resource Name (ARN) that is associated with the schema. For more information, see arns.

[required] Facet structure that is associated with the typed link facet.

[required] The ARN of the directory to delete.

[required] The Amazon Resource Name (ARN) that is associated with the Facet. For more information, see arns.

[required] The name of the facet to delete.

[required] The Amazon Resource Name (ARN) that is associated with the Directory where the object resides. For more information, see arns.

[required] A reference that identifies the object.

[required] The Amazon Resource Name (ARN) of the development schema. For more information, see arns.

[required] The Amazon Resource Name (ARN) that is associated with the schema. For more information, see arns.

[required] The unique name of the typed link facet.

[required] The Amazon Resource Name (ARN) of the directory the index and object exist in.

[required] A reference to the index object.

[required] A reference to the object being detached from the index.

[required] The Amazon Resource Name (ARN) that is associated with the Directory where objects reside. For more information, see arns.

[required] The parent reference from which the object with the specified link name is detached.

[required] The link name associated with the object that needs to be detached.

[required] The Amazon Resource Name (ARN) that is associated with the Directory where both objects reside. For more information, see arns.

[required] Reference that identifies the policy object.

[required] Reference that identifies the object whose policy object will be detached.

[required] The Amazon Resource Name (ARN) of the directory where you want to detach the typed link.

[required] Used to accept a typed link specifier as input.

[required] The ARN of the directory to disable.

[required] The ARN of the directory to enable.

[required] The ARN of the applied schema.

[required] The ARN of the directory.

[required] The Amazon Resource Name (ARN) that is associated with the Facet. For more information, see arns.

[required] The name of the facet to retrieve.

[required] The Amazon Resource Name (ARN) that is associated with the Directory where the typed link resides. For more information, see arns or Typed Links.

[required] Allows a typed link specifier to be accepted as input.

[required] A list of attribute names whose values will be retrieved.

The consistency level at which to retrieve the attributes on a typed link.

[required] The Amazon Resource Name (ARN) that is associated with the Directory where the object resides.

[required] Reference that identifies the object whose attributes will be retrieved.

The consistency level at which to retrieve the attributes on an object.

[required] Identifier for the facet whose attributes will be retrieved. See SchemaFacet for details.

[required] List of attribute names whose values will be retrieved.

[required] The ARN of the directory being retrieved.

[required] A reference to the object.

The consistency level at which to retrieve the object information.

[required] The ARN of the schema to retrieve.

[required] The Amazon Resource Name (ARN) that is associated with the schema. For more information, see arns.

[required] The unique name of the typed link facet.

[required] The ARN of the directory you are listing.

The response for list_applied_schema_arns when this parameter is used will list all minor version ARNs for a major version.

The pagination token.

The maximum number of results to retrieve.

[required] The ARN of the directory.

[required] A reference to the object that has indices attached.

The pagination token.

The maximum number of results to retrieve.

The consistency level to use for this operation.

The pagination token.

The maximum number of results to retrieve.

The pagination token.

The maximum number of results to retrieve.

The state of the directories in the list. Can be either Enabled, Disabled, or Deleted.

[required] The ARN of the schema where the facet resides.

[required] The name of the facet whose attributes will be retrieved.

The pagination token.

The maximum number of results to retrieve.