AWS cli documentation change
Summary
Updated AWS CLI version reference from 2.32.11 to 2.32.13. Reordered command parameters, revised parameter constraints, and restructured output field descriptions. Changed patterns for profile-id, name, role-arns, and managed-policy-arns to be more permissive by removing start/end anchors.
Security assessment
The changes improve documentation of security features like session policies, certificate field mappings, and credential constraints. However, there's no evidence of a specific security vulnerability being addressed. The pattern relaxations (removing ^/$ anchors) might increase flexibility but don't indicate a security fix.
Diff
diff --git a/cli/latest/reference/rolesanywhere/update-profile.md b/cli/latest/reference/rolesanywhere/update-profile.md index 77301b188..9d8210a5f 100644 --- a//cli/latest/reference/rolesanywhere/update-profile.md +++ b//cli/latest/reference/rolesanywhere/update-profile.md @@ -15 +15 @@ - * [AWS CLI 2.32.11 Command Reference](../../index.html) » + * [AWS CLI 2.32.13 Command Reference](../../index.html) » @@ -69,4 +68,0 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rolesa - [--accept-role-session-name | --no-accept-role-session-name] - [--duration-seconds <value>] - [--managed-policy-arns <value>] - [--name <value>] @@ -74 +70 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rolesa - [--role-arns <value>] + [--name <value>] @@ -75,0 +72,4 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rolesa + [--role-arns <value>] + [--managed-policy-arns <value>] + [--duration-seconds <value>] + [--accept-role-session-name | --no-accept-role-session-name] @@ -100 +100 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rolesa -`--accept-role-session-name` | `--no-accept-role-session-name` (boolean) +`--profile-id` (string) [required] @@ -102 +102,8 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rolesa -> Used to determine if a custom role session name will be accepted in a temporary credential request. +> The unique identifier of the profile. +> +> Constraints: +> +> * min: `36` +> * max: `36` +> * pattern: `.*[a-f0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}.*` +> @@ -104 +110,0 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rolesa -`--duration-seconds` (integer) @@ -106 +112,3 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rolesa -> Used to determine how long sessions vended using this profile are valid for. See the `Expiration` section of the [CreateSession API documentation](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/authentication-create-session.html#credentials-object) page for more details. In requests, if this value is not provided, the default value will be 3600. +`--name` (string) + +> The name of the profile. @@ -110,2 +118,3 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rolesa -> * min: `900` -> * max: `43200` +> * min: `1` +> * max: `255` +> * pattern: `[ a-zA-Z0-9-_]*` @@ -115 +124 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rolesa -`--managed-policy-arns` (list) +`--session-policy` (string) @@ -117 +126,12 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rolesa -> A list of managed policy ARNs that apply to the vended session credentials. +> A session policy that applies to the trust boundary of the vended session credentials. +> +> Constraints: +> +> * min: `1` +> * max: `100000` +> + + +`--role-arns` (list) + +> A list of IAM roles that this profile can assume in a temporary credential request. @@ -122 +142 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rolesa -> * max: `50` +> * max: `250` @@ -131 +151,2 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rolesa ->> * max: `200` +>> * max: `1011` +>> * pattern: `arn:aws(-[^:]+)?:iam(:.*){2}(:role.*)` @@ -141,25 +162 @@ Syntax: -`--name` (string) - -> The name of the profile. -> -> Constraints: -> -> * min: `1` -> * max: `255` -> * pattern: `^[ a-zA-Z0-9-_]*$` -> - - -`--profile-id` (string) [required] - -> The unique identifier of the profile. -> -> Constraints: -> -> * min: `36` -> * max: `36` -> * pattern: `[a-f0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}` -> - - -`--role-arns` (list) +`--managed-policy-arns` (list) @@ -167 +164 @@ Syntax: -> A list of IAM roles that this profile can assume in a temporary credential request. +> A list of managed policy ARNs that apply to the vended session credentials. @@ -172 +169 @@ Syntax: -> * max: `250` +> * max: `50` @@ -181,2 +178 @@ Syntax: ->> * max: `1011` ->> * pattern: `^arn:aws(-[^:]+)?:iam(:.*){2}(:role.*)$` +>> * max: `200` @@ -192 +188 @@ Syntax: -`--session-policy` (string) +`--duration-seconds` (integer) @@ -194 +190 @@ Syntax: -> A session policy that applies to the trust boundary of the vended session credentials. +> Used to determine how long sessions vended using this profile are valid for. See the `Expiration` section of the [CreateSession API documentation](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/authentication-create-session.html#credentials-object) page for more details. In requests, if this value is not provided, the default value will be 3600. @@ -198,2 +194,2 @@ Syntax: -> * min: `1` -> * max: `100000` +> * min: `900` +> * max: `43200` @@ -202,0 +199,4 @@ Syntax: +`--accept-role-session-name` | `--no-accept-role-session-name` (boolean) + +> Used to determine if a custom role session name will be accepted in a temporary credential request. + @@ -306,5 +306 @@ profile -> (structure) -> acceptRoleSessionName -> (boolean) -> ->> Used to determine if a custom role session name will be accepted in a temporary credential request. -> -> attributeMappings -> (list) +> profileId -> (string) @@ -312 +308 @@ profile -> (structure) ->> A mapping applied to the authenticating end-entity certificate. +>> The unique identifier of the profile. @@ -314 +310,5 @@ profile -> (structure) ->> (structure) +>> Constraints: +>> +>> * min: `36` +>> * max: `36` +>> * pattern: `.*[a-f0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}.*` @@ -316,31 +315,0 @@ profile -> (structure) ->>> A mapping applied to the authenticating end-entity certificate. ->>> ->>> certificateField -> (string) ->>> ->>>> Fields (x509Subject, x509Issuer and x509SAN) within X.509 certificates. ->>>> ->>>> Possible values: ->>>> ->>>> * `x509Subject` ->>>> * `x509Issuer` ->>>> * `x509SAN` ->>>> - ->>> ->>> mappingRules -> (list) ->>> ->>>> A list of mapping entries for every supported specifier or sub-field. ->>>> ->>>> (structure) ->>>> ->>>>> A single mapping entry for each supported specifier or sub-field. ->>>>> ->>>>> specifier -> (string) [required] ->>>>> ->>>>>> Specifier within a certificate field, such as CN, OU, or UID from the Subject field. ->>>>>> ->>>>>> Constraints: ->>>>>> ->>>>>> * min: `0` ->>>>>> * max: `60` ->>>>>> @@ -349,17 +318 @@ profile -> (structure) -> createdAt -> (timestamp) -> ->> The ISO-8601 timestamp when the profile was created. -> -> createdBy -> (string) -> ->> The Amazon Web Services account that created the profile. -> -> durationSeconds -> (integer) -> ->> Used to determine how long sessions vended using this profile are valid for. See the `Expiration` section of the [CreateSession API documentation](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/authentication-create-session.html#credentials-object) page for more details. In requests, if this value is not provided, the default value will be 3600. -> -> enabled -> (boolean) -> ->> Indicates whether the profile is enabled. -> -> managedPolicyArns -> (list) +> profileArn -> (string) @@ -367 +320 @@ profile -> (structure) ->> A list of managed policy ARNs that apply to the vended session credentials. +>> The ARN of the profile. @@ -371,6 +324,3 @@ profile -> (structure) ->> * min: `0` ->> * max: `50` ->> - ->>