AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2025-12-10 · Documentation low

File: cli/latest/reference/rolesanywhere/update-profile.md

Summary

Updated AWS CLI version reference from 2.32.11 to 2.32.13. Reordered command parameters, revised parameter constraints, and restructured output field descriptions. Changed patterns for profile-id, name, role-arns, and managed-policy-arns to be more permissive by removing start/end anchors.

Security assessment

The changes improve documentation of security features like session policies, certificate field mappings, and credential constraints. However, there's no evidence of a specific security vulnerability being addressed. The pattern relaxations (removing ^/$ anchors) might increase flexibility but don't indicate a security fix.

Diff

diff --git a/cli/latest/reference/rolesanywhere/update-profile.md b/cli/latest/reference/rolesanywhere/update-profile.md
index 77301b188..9d8210a5f 100644
--- a//cli/latest/reference/rolesanywhere/update-profile.md
+++ b//cli/latest/reference/rolesanywhere/update-profile.md
@@ -15 +15 @@
-  * [AWS CLI 2.32.11 Command Reference](../../index.html) »
+  * [AWS CLI 2.32.13 Command Reference](../../index.html) »
@@ -69,4 +68,0 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rolesa
-    [--accept-role-session-name | --no-accept-role-session-name]
-    [--duration-seconds <value>]
-    [--managed-policy-arns <value>]
-    [--name <value>]
@@ -74 +70 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rolesa
-    [--role-arns <value>]
+    [--name <value>]
@@ -75,0 +72,4 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rolesa
+    [--role-arns <value>]
+    [--managed-policy-arns <value>]
+    [--duration-seconds <value>]
+    [--accept-role-session-name | --no-accept-role-session-name]
@@ -100 +100 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rolesa
-`--accept-role-session-name` | `--no-accept-role-session-name` (boolean)
+`--profile-id` (string) [required]
@@ -102 +102,8 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rolesa
-> Used to determine if a custom role session name will be accepted in a temporary credential request.
+> The unique identifier of the profile.
+> 
+> Constraints:
+> 
+>   * min: `36`
+>   * max: `36`
+>   * pattern: `.*[a-f0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}.*`
+> 
@@ -104 +110,0 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rolesa
-`--duration-seconds` (integer)
@@ -106 +112,3 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rolesa
-> Used to determine how long sessions vended using this profile are valid for. See the `Expiration` section of the [CreateSession API documentation](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/authentication-create-session.html#credentials-object) page for more details. In requests, if this value is not provided, the default value will be 3600.
+`--name` (string)
+
+> The name of the profile.
@@ -110,2 +118,3 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rolesa
->   * min: `900`
->   * max: `43200`
+>   * min: `1`
+>   * max: `255`
+>   * pattern: `[ a-zA-Z0-9-_]*`
@@ -115 +124 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rolesa
-`--managed-policy-arns` (list)
+`--session-policy` (string)
@@ -117 +126,12 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rolesa
-> A list of managed policy ARNs that apply to the vended session credentials.
+> A session policy that applies to the trust boundary of the vended session credentials.
+> 
+> Constraints:
+> 
+>   * min: `1`
+>   * max: `100000`
+> 
+
+
+`--role-arns` (list)
+
+> A list of IAM roles that this profile can assume in a temporary credential request.
@@ -122 +142 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rolesa
->   * max: `50`
+>   * max: `250`
@@ -131 +151,2 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/rolesa
->>   * max: `200`
+>>   * max: `1011`
+>>   * pattern: `arn:aws(-[^:]+)?:iam(:.*){2}(:role.*)`
@@ -141,25 +162 @@ Syntax:
-`--name` (string)
-
-> The name of the profile.
-> 
-> Constraints:
-> 
->   * min: `1`
->   * max: `255`
->   * pattern: `^[ a-zA-Z0-9-_]*$`
-> 
-
-
-`--profile-id` (string) [required]
-
-> The unique identifier of the profile.
-> 
-> Constraints:
-> 
->   * min: `36`
->   * max: `36`
->   * pattern: `[a-f0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}`
-> 
-
-
-`--role-arns` (list)
+`--managed-policy-arns` (list)
@@ -167 +164 @@ Syntax:
-> A list of IAM roles that this profile can assume in a temporary credential request.
+> A list of managed policy ARNs that apply to the vended session credentials.
@@ -172 +169 @@ Syntax:
->   * max: `250`
+>   * max: `50`
@@ -181,2 +178 @@ Syntax:
->>   * max: `1011`
->>   * pattern: `^arn:aws(-[^:]+)?:iam(:.*){2}(:role.*)$`
+>>   * max: `200`
@@ -192 +188 @@ Syntax:
-`--session-policy` (string)
+`--duration-seconds` (integer)
@@ -194 +190 @@ Syntax:
-> A session policy that applies to the trust boundary of the vended session credentials.
+> Used to determine how long sessions vended using this profile are valid for. See the `Expiration` section of the [CreateSession API documentation](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/authentication-create-session.html#credentials-object) page for more details. In requests, if this value is not provided, the default value will be 3600.
@@ -198,2 +194,2 @@ Syntax:
->   * min: `1`
->   * max: `100000`
+>   * min: `900`
+>   * max: `43200`
@@ -202,0 +199,4 @@ Syntax:
+`--accept-role-session-name` | `--no-accept-role-session-name` (boolean)
+
+> Used to determine if a custom role session name will be accepted in a temporary credential request.
+
@@ -306,5 +306 @@ profile -> (structure)
-> acceptRoleSessionName -> (boolean)
->
->> Used to determine if a custom role session name will be accepted in a temporary credential request.
-> 
-> attributeMappings -> (list)
+> profileId -> (string)
@@ -312 +308 @@ profile -> (structure)
->> A mapping applied to the authenticating end-entity certificate.
+>> The unique identifier of the profile.
@@ -314 +310,5 @@ profile -> (structure)
->> (structure)
+>> Constraints:
+>> 
+>>   * min: `36`
+>>   * max: `36`
+>>   * pattern: `.*[a-f0-9]{8}-([a-z0-9]{4}-){3}[a-z0-9]{12}.*`
@@ -316,31 +315,0 @@ profile -> (structure)
->>> A mapping applied to the authenticating end-entity certificate.
->>> 
->>> certificateField -> (string)
->>>
->>>> Fields (x509Subject, x509Issuer and x509SAN) within X.509 certificates.
->>>> 
->>>> Possible values:
->>>> 
->>>>   * `x509Subject`
->>>>   * `x509Issuer`
->>>>   * `x509SAN`
->>>> 
-
->>> 
->>> mappingRules -> (list)
->>>
->>>> A list of mapping entries for every supported specifier or sub-field.
->>>> 
->>>> (structure)
->>>>
->>>>> A single mapping entry for each supported specifier or sub-field.
->>>>> 
->>>>> specifier -> (string) [required]
->>>>>
->>>>>> Specifier within a certificate field, such as CN, OU, or UID from the Subject field.
->>>>>> 
->>>>>> Constraints:
->>>>>> 
->>>>>>   * min: `0`
->>>>>>   * max: `60`
->>>>>> 
@@ -349,17 +318 @@ profile -> (structure)
-> createdAt -> (timestamp)
->
->> The ISO-8601 timestamp when the profile was created.
-> 
-> createdBy -> (string)
->
->> The Amazon Web Services account that created the profile.
-> 
-> durationSeconds -> (integer)
->
->> Used to determine how long sessions vended using this profile are valid for. See the `Expiration` section of the [CreateSession API documentation](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/authentication-create-session.html#credentials-object) page for more details. In requests, if this value is not provided, the default value will be 3600.
-> 
-> enabled -> (boolean)
->
->> Indicates whether the profile is enabled.
-> 
-> managedPolicyArns -> (list)
+> profileArn -> (string)
@@ -367 +320 @@ profile -> (structure)
->> A list of managed policy ARNs that apply to the vended session credentials.
+>> The ARN of the profile.
@@ -371,6 +324,3 @@ profile -> (structure)
->>   * min: `0`
->>   * max: `50`
->> 
-
->>