AWS cli documentation change
Summary
Updated validation patterns, restructured profile attribute documentation, added session policy details, and adjusted CLI version reference. Key changes include relaxed regex patterns for UUIDs/ARNs, reordered fields, and enhanced descriptions for certificate mapping rules.
Security assessment
The changes enhance documentation for security-related features like certificate field mappings ('x509Subject', 'x509Issuer') and session policies governing credential trust boundaries. However, there is no explicit evidence of addressing a specific security vulnerability. The pattern relaxations (e.g., adding '.*' wrappers) could impact input validation but lack context about vulnerability mitigation.
Diff
diff --git a/cli/latest/reference/rolesanywhere/get-profile.md b/cli/latest/reference/rolesanywhere/get-profile.md index c77f9b1c4..eb8cc9f59 100644 --- a//cli/latest/reference/rolesanywhere/get-profile.md +++ b//cli/latest/reference/rolesanywhere/get-profile.md @@ -15 +15 @@ - * [AWS CLI 2.32.11 Command Reference](../../index.html) » + * [AWS CLI 2.32.13 Command Reference](../../index.html) » @@ -102 +102 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rolesa -> * pattern: `[a-f0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}` +> * pattern: `.*[a-f0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}.*` @@ -209,5 +209 @@ profile -> (structure) -> acceptRoleSessionName -> (boolean) -> ->> Used to determine if a custom role session name will be accepted in a temporary credential request. -> -> attributeMappings -> (list) +> profileId -> (string) @@ -215 +211 @@ profile -> (structure) ->> A mapping applied to the authenticating end-entity certificate. +>> The unique identifier of the profile. @@ -217 +213,5 @@ profile -> (structure) ->> (structure) +>> Constraints: +>> +>> * min: `36` +>> * max: `36` +>> * pattern: `.*[a-f0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}.*` @@ -219,31 +218,0 @@ profile -> (structure) ->>> A mapping applied to the authenticating end-entity certificate. ->>> ->>> certificateField -> (string) ->>> ->>>> Fields (x509Subject, x509Issuer and x509SAN) within X.509 certificates. ->>>> ->>>> Possible values: ->>>> ->>>> * `x509Subject` ->>>> * `x509Issuer` ->>>> * `x509SAN` ->>>> - ->>> ->>> mappingRules -> (list) ->>> ->>>> A list of mapping entries for every supported specifier or sub-field. ->>>> ->>>> (structure) ->>>> ->>>>> A single mapping entry for each supported specifier or sub-field. ->>>>> ->>>>> specifier -> (string) [required] ->>>>> ->>>>>> Specifier within a certificate field, such as CN, OU, or UID from the Subject field. ->>>>>> ->>>>>> Constraints: ->>>>>> ->>>>>> * min: `0` ->>>>>> * max: `60` ->>>>>> @@ -252,17 +221 @@ profile -> (structure) -> createdAt -> (timestamp) -> ->> The ISO-8601 timestamp when the profile was created. -> -> createdBy -> (string) -> ->> The Amazon Web Services account that created the profile. -> -> durationSeconds -> (integer) -> ->> Used to determine how long sessions vended using this profile are valid for. See the `Expiration` section of the [CreateSession API documentation](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/authentication-create-session.html#credentials-object) page for more details. In requests, if this value is not provided, the default value will be 3600. -> -> enabled -> (boolean) -> ->> Indicates whether the profile is enabled. -> -> managedPolicyArns -> (list) +> profileArn -> (string) @@ -270 +223 @@ profile -> (structure) ->> A list of managed policy ARNs that apply to the vended session credentials. +>> The ARN of the profile. @@ -274,6 +227,3 @@ profile -> (structure) ->> * min: `0` ->> * max: `50` ->> - ->> ->> (string) +>> * min: `1` +>> * max: `1011` +>> * pattern: `arn:aws(-[^:]+)?:rolesanywhere(:.*){2}(:profile.*)` @@ -281,5 +230,0 @@ profile -> (structure) ->>> Constraints: ->>> ->>> * min: `1` ->>> * max: `200` ->>> @@ -296 +241 @@ profile -> (structure) ->> * pattern: `^[ a-zA-Z0-9-_]*$` +>> * pattern: `[ a-zA-Z0-9-_]*` @@ -300 +245 @@ profile -> (structure) -> profileArn -> (string) +> requireInstanceProperties -> (boolean) @@ -302,9 +247 @@ profile -> (structure) ->> The ARN of the profile. ->> ->> Constraints: ->> ->> * min: `1` ->> * max: `1011` ->> * pattern: `^arn:aws(-[^:]+)?:rolesanywhere(:.*){2}(:profile.*)$` ->> - +>> Unused, saved for future use. Will likely specify whether instance properties are required in temporary credential requests with this profile. @@ -312 +249 @@ profile -> (structure) -> profileId -> (string) +> enabled -> (boolean) @@ -314,9 +251 @@ profile -> (structure) ->> The unique identifier of the profile. ->> ->> Constraints: ->> ->> * min: `36` ->> * max: `36` ->> * pattern: `[a-f0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}` ->> - +>> Indicates whether the profile is enabled. @@ -324 +253,3 @@ profile -> (structure) -> requireInstanceProperties -> (boolean) +> createdBy -> (string) +> +>> The Amazon Web Services account that created the profile. @@ -326 +257,3 @@ profile -> (structure) ->> Specifies whether instance properties are required in temporary credential requests with this profile. +> sessionPolicy -> (string) +> +>> A session policy that applies to the trust boundary of the vended session credentials. @@ -345 +278 @@ profile -> (structure) ->>> * pattern: `^arn:aws(-[^:]+)?:iam(:.*){2}(:role.*)$` +>>> * pattern: `arn:aws(-[^:]+)?:iam(:.*){2}(:role.*)` @@ -349 +282 @@ profile -> (structure) -> sessionPolicy -> (string) +> managedPolicyArns -> (list) @@ -351 +284,21 @@ profile -> (structure) ->> A session policy that applies to the trust boundary of the vended session credentials. +>> A list of managed policy ARNs that apply to the vended session credentials. +>> +>> Constraints: +>> +>> * min: `0` +>> * max: `50` +>> + +>> +>> (string) +>> +>>> Constraints: +>>> +>>> * min: `1` +>>> * max: `200` +>>> + +> +> createdAt -> (timestamp) +> +>> The ISO-8601 timestamp when the profile was created. @@ -355,0 +309,47 @@ profile -> (structure) +> +> durationSeconds -> (integer) +> +>> Used to determine how long sessions vended using this profile are valid for. See the `Expiration` section of the [CreateSession API documentation](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/authentication-create-session.html#credentials-object) page for more details. In requests, if this value is not provided, the default value will be 3600. +> +> acceptRoleSessionName -> (boolean) +> +>> Used to determine if a custom role session name will be accepted in a temporary credential request. +> +> attributeMappings -> (list) +> +>> A mapping applied to the authenticating end-entity certificate. +>> +>> (structure) +>> +>>> A mapping applied to the authenticating end-entity certificate. +>>> +>>> certificateField -> (string) +>>> +>>>> Fields (x509Subject, x509Issuer and x509SAN) within X.509 certificates. +>>>> +>>>> Possible values: +>>>> +>>>> * `x509Subject` +>>>> * `x509Issuer` +>>>> * `x509SAN` +>>>> + +>>> +>>> mappingRules -> (list) +>>> +>>>> A list of mapping entries for every supported specifier or sub-field.