AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2025-12-10 · Documentation low

File: cli/latest/reference/rolesanywhere/get-profile.md

Summary

Updated validation patterns, restructured profile attribute documentation, added session policy details, and adjusted CLI version reference. Key changes include relaxed regex patterns for UUIDs/ARNs, reordered fields, and enhanced descriptions for certificate mapping rules.

Security assessment

The changes enhance documentation for security-related features like certificate field mappings ('x509Subject', 'x509Issuer') and session policies governing credential trust boundaries. However, there is no explicit evidence of addressing a specific security vulnerability. The pattern relaxations (e.g., adding '.*' wrappers) could impact input validation but lack context about vulnerability mitigation.

Diff

diff --git a/cli/latest/reference/rolesanywhere/get-profile.md b/cli/latest/reference/rolesanywhere/get-profile.md
index c77f9b1c4..eb8cc9f59 100644
--- a//cli/latest/reference/rolesanywhere/get-profile.md
+++ b//cli/latest/reference/rolesanywhere/get-profile.md
@@ -15 +15 @@
-  * [AWS CLI 2.32.11 Command Reference](../../index.html) »
+  * [AWS CLI 2.32.13 Command Reference](../../index.html) »
@@ -102 +102 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rolesa
->   * pattern: `[a-f0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}`
+>   * pattern: `.*[a-f0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}.*`
@@ -209,5 +209 @@ profile -> (structure)
-> acceptRoleSessionName -> (boolean)
->
->> Used to determine if a custom role session name will be accepted in a temporary credential request.
-> 
-> attributeMappings -> (list)
+> profileId -> (string)
@@ -215 +211 @@ profile -> (structure)
->> A mapping applied to the authenticating end-entity certificate.
+>> The unique identifier of the profile.
@@ -217 +213,5 @@ profile -> (structure)
->> (structure)
+>> Constraints:
+>> 
+>>   * min: `36`
+>>   * max: `36`
+>>   * pattern: `.*[a-f0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}.*`
@@ -219,31 +218,0 @@ profile -> (structure)
->>> A mapping applied to the authenticating end-entity certificate.
->>> 
->>> certificateField -> (string)
->>>
->>>> Fields (x509Subject, x509Issuer and x509SAN) within X.509 certificates.
->>>> 
->>>> Possible values:
->>>> 
->>>>   * `x509Subject`
->>>>   * `x509Issuer`
->>>>   * `x509SAN`
->>>> 
-
->>> 
->>> mappingRules -> (list)
->>>
->>>> A list of mapping entries for every supported specifier or sub-field.
->>>> 
->>>> (structure)
->>>>
->>>>> A single mapping entry for each supported specifier or sub-field.
->>>>> 
->>>>> specifier -> (string) [required]
->>>>>
->>>>>> Specifier within a certificate field, such as CN, OU, or UID from the Subject field.
->>>>>> 
->>>>>> Constraints:
->>>>>> 
->>>>>>   * min: `0`
->>>>>>   * max: `60`
->>>>>> 
@@ -252,17 +221 @@ profile -> (structure)
-> createdAt -> (timestamp)
->
->> The ISO-8601 timestamp when the profile was created.
-> 
-> createdBy -> (string)
->
->> The Amazon Web Services account that created the profile.
-> 
-> durationSeconds -> (integer)
->
->> Used to determine how long sessions vended using this profile are valid for. See the `Expiration` section of the [CreateSession API documentation](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/authentication-create-session.html#credentials-object) page for more details. In requests, if this value is not provided, the default value will be 3600.
-> 
-> enabled -> (boolean)
->
->> Indicates whether the profile is enabled.
-> 
-> managedPolicyArns -> (list)
+> profileArn -> (string)
@@ -270 +223 @@ profile -> (structure)
->> A list of managed policy ARNs that apply to the vended session credentials.
+>> The ARN of the profile.
@@ -274,6 +227,3 @@ profile -> (structure)
->>   * min: `0`
->>   * max: `50`
->> 
-
->> 
->> (string)
+>>   * min: `1`
+>>   * max: `1011`
+>>   * pattern: `arn:aws(-[^:]+)?:rolesanywhere(:.*){2}(:profile.*)`
@@ -281,5 +230,0 @@ profile -> (structure)
->>> Constraints:
->>> 
->>>   * min: `1`
->>>   * max: `200`
->>> 
@@ -296 +241 @@ profile -> (structure)
->>   * pattern: `^[ a-zA-Z0-9-_]*$`
+>>   * pattern: `[ a-zA-Z0-9-_]*`
@@ -300 +245 @@ profile -> (structure)
-> profileArn -> (string)
+> requireInstanceProperties -> (boolean)
@@ -302,9 +247 @@ profile -> (structure)
->> The ARN of the profile.
->> 
->> Constraints:
->> 
->>   * min: `1`
->>   * max: `1011`
->>   * pattern: `^arn:aws(-[^:]+)?:rolesanywhere(:.*){2}(:profile.*)$`
->> 
-
+>> Unused, saved for future use. Will likely specify whether instance properties are required in temporary credential requests with this profile.
@@ -312 +249 @@ profile -> (structure)
-> profileId -> (string)
+> enabled -> (boolean)
@@ -314,9 +251 @@ profile -> (structure)
->> The unique identifier of the profile.
->> 
->> Constraints:
->> 
->>   * min: `36`
->>   * max: `36`
->>   * pattern: `[a-f0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}`
->> 
-
+>> Indicates whether the profile is enabled.
@@ -324 +253,3 @@ profile -> (structure)
-> requireInstanceProperties -> (boolean)
+> createdBy -> (string)
+>
+>> The Amazon Web Services account that created the profile.
@@ -326 +257,3 @@ profile -> (structure)
->> Specifies whether instance properties are required in temporary credential requests with this profile.
+> sessionPolicy -> (string)
+>
+>> A session policy that applies to the trust boundary of the vended session credentials.
@@ -345 +278 @@ profile -> (structure)
->>>   * pattern: `^arn:aws(-[^:]+)?:iam(:.*){2}(:role.*)$`
+>>>   * pattern: `arn:aws(-[^:]+)?:iam(:.*){2}(:role.*)`
@@ -349 +282 @@ profile -> (structure)
-> sessionPolicy -> (string)
+> managedPolicyArns -> (list)
@@ -351 +284,21 @@ profile -> (structure)
->> A session policy that applies to the trust boundary of the vended session credentials.
+>> A list of managed policy ARNs that apply to the vended session credentials.
+>> 
+>> Constraints:
+>> 
+>>   * min: `0`
+>>   * max: `50`
+>> 
+
+>> 
+>> (string)
+>>
+>>> Constraints:
+>>> 
+>>>   * min: `1`
+>>>   * max: `200`
+>>> 
+
+> 
+> createdAt -> (timestamp)
+>
+>> The ISO-8601 timestamp when the profile was created.
@@ -355,0 +309,47 @@ profile -> (structure)
+> 
+> durationSeconds -> (integer)
+>
+>> Used to determine how long sessions vended using this profile are valid for. See the `Expiration` section of the [CreateSession API documentation](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/authentication-create-session.html#credentials-object) page for more details. In requests, if this value is not provided, the default value will be 3600.
+> 
+> acceptRoleSessionName -> (boolean)
+>
+>> Used to determine if a custom role session name will be accepted in a temporary credential request.
+> 
+> attributeMappings -> (list)
+>
+>> A mapping applied to the authenticating end-entity certificate.
+>> 
+>> (structure)
+>>
+>>> A mapping applied to the authenticating end-entity certificate.
+>>> 
+>>> certificateField -> (string)
+>>>
+>>>> Fields (x509Subject, x509Issuer and x509SAN) within X.509 certificates.
+>>>> 
+>>>> Possible values:
+>>>> 
+>>>>   * `x509Subject`
+>>>>   * `x509Issuer`
+>>>>   * `x509SAN`
+>>>> 
+
+>>> 
+>>> mappingRules -> (list)
+>>>
+>>>> A list of mapping entries for every supported specifier or sub-field.