AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2026-02-19 · Documentation low

File: cli/latest/reference/grafana/update-workspace-authentication.md

Summary

Restructured authentication parameters, added SAML configuration status field, reordered fields, updated constraints, and adjusted CLI version reference.

Security assessment

The changes primarily reorganize parameters and add a 'status' field to indicate SAML configuration completeness, which improves security visibility but doesn't fix a specific vulnerability. The pattern constraint update for workspace-ID (removing anchors) appears to be a documentation refinement without security impact. No CVE or security advisory is referenced.

Diff

diff --git a/cli/latest/reference/grafana/update-workspace-authentication.md b/cli/latest/reference/grafana/update-workspace-authentication.md
index 4a362dc83..c318f08c2 100644
--- a//cli/latest/reference/grafana/update-workspace-authentication.md
+++ b//cli/latest/reference/grafana/update-workspace-authentication.md
@@ -15 +15 @@
-  * [AWS CLI 2.33.22 Command Reference](../../index.html) »
+  * [AWS CLI 2.33.25 Command Reference](../../index.html) »
@@ -70,0 +71 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/grafan
+    --workspace-id <value>
@@ -73 +73,0 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/grafan
-    --workspace-id <value>
@@ -97,0 +98,10 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/grafan
+`--workspace-id` (string) [required]
+
+> The ID of the workspace to update the authentication for.
+> 
+> Constraints:
+> 
+>   * pattern: `g-[0-9a-f]{10}`
+> 
+
+
@@ -121 +131 @@ Syntax:
-> allowedOrganizations -> (list)
+> idpMetadata -> (tagged union structure) [required]
@@ -123 +133 @@ Syntax:
->> Lists which organizations defined in the SAML assertion are allowed to use the Amazon Managed Grafana workspace. If this is empty, all organizations in the assertion attribute have access.
+>> A structure containing the identity provider (IdP) metadata used to integrate the identity provider with this workspace.
@@ -125 +135,5 @@ Syntax:
->> (string)
+>> ### Note
+>> 
+>> This is a Tagged Union structure. Only one of the following top level keys can be set: `url`, `xml`.
+>> 
+>> url -> (string)
@@ -126,0 +141,2 @@ Syntax:
+>>> The URL of the location containing the IdP metadata.
+>>> 
@@ -130 +146 @@ Syntax:
->>>   * max: `256`
+>>>   * max: `2048`
@@ -132,0 +149,4 @@ Syntax:
+>> 
+>> xml -> (string)
+>>
+>>> The full IdP metadata, in XML format.
@@ -138,12 +158 @@ Syntax:
->> email -> (string)
->>
->>> The name of the attribute within the SAML assertion to use as the email names for SAML users.
->>> 
->>> Constraints:
->>> 
->>>   * min: `1`
->>>   * max: `256`
->>> 
-
->> 
->> groups -> (string)
+>> name -> (string)
@@ -151 +160 @@ Syntax:
->>> The name of the attribute within the SAML assertion to use as the user full “friendly” names for user groups.
+>>> The name of the attribute within the SAML assertion to use as the user full “friendly” names for SAML users.
@@ -171 +180 @@ Syntax:
->> name -> (string)
+>> email -> (string)
@@ -173 +182 @@ Syntax:
->>> The name of the attribute within the SAML assertion to use as the user full “friendly” names for SAML users.
+>>> The name of the attribute within the SAML assertion to use as the email names for SAML users.
@@ -182 +191 @@ Syntax:
->> org -> (string)
+>> groups -> (string)
@@ -184 +193 @@ Syntax:
->>> The name of the attribute within the SAML assertion to use as the user full “friendly” names for the users’ organizations.
+>>> The name of the attribute within the SAML assertion to use as the user full “friendly” names for user groups.
@@ -203,6 +211,0 @@ Syntax:
-> 
-> idpMetadata -> (tagged union structure) [required]
->
->> A structure containing the identity provider (IdP) metadata used to integrate the identity provider with this workspace.
->> 
->> ### Note
@@ -210,3 +213 @@ Syntax:
->> This is a Tagged Union structure. Only one of the following top level keys can be set: `url`, `xml`.
->> 
->> url -> (string)
+>> org -> (string)
@@ -214 +215 @@ Syntax:
->>> The URL of the location containing the IdP metadata.
+>>> The name of the attribute within the SAML assertion to use as the user full “friendly” names for the users’ organizations.
@@ -219 +220 @@ Syntax:
->>>   * max: `2048`
+>>>   * max: `256`
@@ -222,8 +222,0 @@ Syntax:
->> 
->> xml -> (string)
->>
->>> The full IdP metadata, in XML format.
-> 
-> loginValidityDuration -> (integer)
->
->> How long a sign-on session by a SAML user is valid, before the user has to sign on again.
@@ -235 +228 @@ Syntax:
->> admin -> (list)
+>> editor -> (list)
@@ -237 +230 @@ Syntax:
->>> A list of groups from the SAML assertion attribute to grant the Grafana `Admin` role to.
+>>> A list of groups from the SAML assertion attribute to grant the Grafana `Editor` role to.
@@ -248 +241 @@ Syntax:
->> editor -> (list)
+>> admin -> (list)
@@ -250 +243 @@ Syntax:
->>> A list of groups from the SAML assertion attribute to grant the Grafana `Editor` role to.
+>>> A list of groups from the SAML assertion attribute to grant the Grafana `Admin` role to.
@@ -259,0 +253,17 @@ Syntax:
+> 
+> allowedOrganizations -> (list)
+>
+>> Lists which organizations defined in the SAML assertion are allowed to use the Amazon Managed Grafana workspace. If this is empty, all organizations in the assertion attribute have access.
+>> 
+>> (string)
+>>
+>>> Constraints:
+>>> 
+>>>   * min: `1`
+>>>   * max: `256`
+>>> 
+
+> 
+> loginValidityDuration -> (integer)
+>
+>> How long a sign-on session by a SAML user is valid, before the user has to sign on again.
@@ -264 +274 @@ Shorthand Syntax:
-    allowedOrganizations=string,string,assertionAttributes={email=string,groups=string,login=string,name=string,org=string,role=string},idpMetadata={url=string,xml=string},loginValidityDuration=integer,roleValues={admin=[string,string],editor=[string,string]}
+    idpMetadata={url=string,xml=string},assertionAttributes={name=string,login=string,email=string,groups=string,role=string,org=string},roleValues={editor=[string,string],admin=[string,string]},allowedOrganizations=string,string,loginValidityDuration=integer
@@ -271,9 +280,0 @@ JSON Syntax:
-      "allowedOrganizations": ["string", ...],
-      "assertionAttributes": {
-        "email": "string",
-        "groups": "string",
-        "login": "string",
-        "name": "string",
-        "org": "string",
-        "role": "string"
-      },
@@ -284 +285,8 @@ JSON Syntax:
-      "loginValidityDuration": integer,
+      "assertionAttributes": {
+        "name": "string",
+        "login": "string",
+        "email": "string",
+        "groups": "string",
+        "role": "string",
+        "org": "string"
+      },
@@ -286,3 +294,5 @@ JSON Syntax:
-        "admin": ["string", ...],
-        "editor": ["string", ...]
-      }
+        "editor": ["string", ...],
+        "admin": ["string", ...]
+      },
+      "allowedOrganizations": ["string", ...],
+      "loginValidityDuration": integer
@@ -292,10 +301,0 @@ JSON Syntax:
-`--workspace-id` (string) [required]
-
-> The ID of the workspace to update the authentication for.
-> 
-> Constraints:
-> 
->   * pattern: `^g-[0-9a-f]{10}$`
-> 
-
-
@@ -405,8 +404,0 @@ authentication -> (structure)
-> awsSso -> (structure)
->
->> A structure containing information about how this workspace works with IAM Identity Center.
->> 
->> ssoClientId -> (string)
->>
->>> The ID of the IAM Identity Center-managed application that is created by Amazon Managed Grafana.
-> 
@@ -428,0 +421,11 @@ authentication -> (structure)
+>> 
+>> status -> (string) [required]
+>>
+>>> Specifies whether the workspace’s SAML configuration is complete.
+>>> 
+>>> Possible values:
+>>> 
+>>>   * `CONFIGURED`
+>>>   * `NOT_CONFIGURED`
+>>> 
+
@@ -434 +437 @@ authentication -> (structure)
->>> allowedOrganizations -> (list)
+>>> idpMetadata -> (tagged union structure) [required]
@@ -436 +439 @@ authentication -> (structure)