AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2025-12-10 · Documentation low

File: cli/latest/reference/rolesanywhere/create-profile.md

Summary

Updated CLI version reference, reordered command parameters, adjusted parameter constraints/descriptions (e.g., session duration limits, ARN patterns), and restructured JSON syntax documentation.

Security assessment

Changes primarily involve documentation structure reorganization and parameter description updates. No explicit references to security vulnerabilities or patches. Security-related parameters like 'enabled' and 'session-policy' were moved/rewritten but not fundamentally changed in purpose.

Diff

diff --git a/cli/latest/reference/rolesanywhere/create-profile.md b/cli/latest/reference/rolesanywhere/create-profile.md
index e1988c266..6a2f563e7 100644
--- a//cli/latest/reference/rolesanywhere/create-profile.md
+++ b//cli/latest/reference/rolesanywhere/create-profile.md
@@ -15 +15 @@
-  * [AWS CLI 2.32.11 Command Reference](../../index.html) »
+  * [AWS CLI 2.32.13 Command Reference](../../index.html) »
@@ -69,4 +68,0 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rolesa
-    [--accept-role-session-name | --no-accept-role-session-name]
-    [--duration-seconds <value>]
-    [--enabled | --no-enabled]
-    [--managed-policy-arns <value>]
@@ -75 +70,0 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rolesa
-    --role-arns <value>
@@ -76,0 +72,4 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rolesa
+    --role-arns <value>
+    [--managed-policy-arns <value>]
+    [--duration-seconds <value>]
+    [--enabled | --no-enabled]
@@ -77,0 +77 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rolesa
+    [--accept-role-session-name | --no-accept-role-session-name]
@@ -102,5 +102 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rolesa
-`--accept-role-session-name` | `--no-accept-role-session-name` (boolean)
-
-> Used to determine if a custom role session name will be accepted in a temporary credential request.
-
-`--duration-seconds` (integer)
+`--name` (string) [required]
@@ -108 +104 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rolesa
-> Used to determine how long sessions vended using this profile are valid for. See the `Expiration` section of the [CreateSession API documentation](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/authentication-create-session.html#credentials-object) page for more details. In requests, if this value is not provided, the default value will be 3600.
+> The name of the profile.
@@ -112,2 +108,3 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rolesa
->   * min: `900`
->   * max: `43200`
+>   * min: `1`
+>   * max: `255`
+>   * pattern: `[ a-zA-Z0-9-_]*`
@@ -117 +114 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rolesa
-`--enabled` | `--no-enabled` (boolean)
+`--require-instance-properties` | `--no-require-instance-properties` (boolean)
@@ -119 +116 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rolesa
-> Specifies whether the profile is enabled.
+> Unused, saved for future use. Will likely specify whether instance properties are required in temporary credential requests with this profile.
@@ -121 +118 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rolesa
-`--managed-policy-arns` (list)
+`--session-policy` (string)
@@ -123 +120,5 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rolesa
-> A list of managed policy ARNs that apply to the vended session credentials.
+> A session policy that applies to the trust boundary of the vended session credentials.
+
+`--role-arns` (list) [required]
+
+> A list of IAM roles that this profile can assume in a temporary credential request.
@@ -128 +129 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rolesa
->   * max: `50`
+>   * max: `250`
@@ -137 +138,2 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rolesa
->>   * max: `200`
+>>   * max: `1011`
+>>   * pattern: `arn:aws(-[^:]+)?:iam(:.*){2}(:role.*)`
@@ -147,17 +149 @@ Syntax:
-`--name` (string) [required]
-
-> The name of the profile.
-> 
-> Constraints:
-> 
->   * min: `1`
->   * max: `255`
->   * pattern: `^[ a-zA-Z0-9-_]*$`
-> 
-
-
-`--require-instance-properties` | `--no-require-instance-properties` (boolean)
-
-> Specifies whether instance properties are required in temporary credential requests with this profile.
-
-`--role-arns` (list) [required]
+`--managed-policy-arns` (list)
@@ -165 +151 @@ Syntax:
-> A list of IAM roles that this profile can assume in a temporary credential request.
+> A list of managed policy ARNs that apply to the vended session credentials.
@@ -170 +156 @@ Syntax:
->   * max: `250`
+>   * max: `50`
@@ -179,2 +165 @@ Syntax:
->>   * max: `1011`
->>   * pattern: `^arn:aws(-[^:]+)?:iam(:.*){2}(:role.*)$`
+>>   * max: `200`
@@ -190 +175 @@ Syntax:
-`--session-policy` (string)
+`--duration-seconds` (integer)
@@ -192 +177,12 @@ Syntax:
-> A session policy that applies to the trust boundary of the vended session credentials.
+> Used to determine how long sessions vended using this profile are valid for. See the `Expiration` section of the [CreateSession API documentation](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/authentication-create-session.html#credentials-object) page for more details. In requests, if this value is not provided, the default value will be 3600.
+> 
+> Constraints:
+> 
+>   * min: `900`
+>   * max: `43200`
+> 
+
+
+`--enabled` | `--no-enabled` (boolean)
+
+> Specifies whether the profile is enabled.
@@ -217 +213 @@ Syntax:
->>>   * pattern: `^[ a-zA-Z0-9_.:/=+@-]*$`
+>>>   * pattern: `[ a-zA-Z0-9_.:/=+@-]*`
@@ -229 +225 @@ Syntax:
->>>   * pattern: `^[ a-zA-Z0-9_.:/=+@-]*$`
+>>>   * pattern: `[ a-zA-Z0-9_.:/=+@-]*`
@@ -250,0 +247,4 @@ JSON Syntax:
+`--accept-role-session-name` | `--no-accept-role-session-name` (boolean)
+
+> Used to determine if a custom role session name will be accepted in a temporary credential request.
+
@@ -354,5 +354 @@ profile -> (structure)
-> acceptRoleSessionName -> (boolean)
->
->> Used to determine if a custom role session name will be accepted in a temporary credential request.
-> 
-> attributeMappings -> (list)
+> profileId -> (string)
@@ -360 +356 @@ profile -> (structure)
->> A mapping applied to the authenticating end-entity certificate.
+>> The unique identifier of the profile.
@@ -362 +358,5 @@ profile -> (structure)
->> (structure)
+>> Constraints:
+>> 
+>>   * min: `36`
+>>   * max: `36`
+>>   * pattern: `.*[a-f0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}.*`
@@ -364,31 +363,0 @@ profile -> (structure)
->>> A mapping applied to the authenticating end-entity certificate.
->>> 
->>> certificateField -> (string)
->>>
->>>> Fields (x509Subject, x509Issuer and x509SAN) within X.509 certificates.
->>>> 
->>>> Possible values:
->>>> 
->>>>   * `x509Subject`
->>>>   * `x509Issuer`
->>>>   * `x509SAN`
->>>> 
-
->>> 
->>> mappingRules -> (list)
->>>
->>>> A list of mapping entries for every supported specifier or sub-field.
->>>> 
->>>> (structure)
->>>>
->>>>> A single mapping entry for each supported specifier or sub-field.
->>>>> 
->>>>> specifier -> (string) [required]
->>>>>
->>>>>> Specifier within a certificate field, such as CN, OU, or UID from the Subject field.
->>>>>> 
->>>>>> Constraints:
->>>>>> 
->>>>>>   * min: `0`
->>>>>>   * max: `60`
->>>>>> 
@@ -397,17 +366 @@ profile -> (structure)
-> createdAt -> (timestamp)
->
->> The ISO-8601 timestamp when the profile was created.
-> 
-> createdBy -> (string)
->
->> The Amazon Web Services account that created the profile.
-> 
-> durationSeconds -> (integer)
->
->> Used to determine how long sessions vended using this profile are valid for. See the `Expiration` section of the [CreateSession API documentation](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/authentication-create-session.html#credentials-object) page for more details. In requests, if this value is not provided, the default value will be 3600.
-> 
-> enabled -> (boolean)
->
->> Indicates whether the profile is enabled.
-> 
-> managedPolicyArns -> (list)
+> profileArn -> (string)
@@ -415 +368 @@ profile -> (structure)
->> A list of managed policy ARNs that apply to the vended session credentials.
+>> The ARN of the profile.
@@ -419,6 +372,3 @@ profile -> (structure)
->>   * min: `0`
->>   * max: `50`
->> 
-
->> 
->> (string)
+>>   * min: `1`
+>>   * max: `1011`
+>>   * pattern: `arn:aws(-[^:]+)?:rolesanywhere(:.*){2}(:profile.*)`
@@ -426,5 +375,0 @@ profile -> (structure)
->>> Constraints: