API version '2010-05-08' of the Amazon Identity and Access Management SDK configuration.

The request was rejected because the credential report does not exist. To generate a credential report, use GenerateCredentialReport.

The request was rejected because the credential report is still being generated.

The request was rejected because the policy document was malformed. The error message describes the specific error.

The request was rejected because it attempted to create a resource that already exists.

The request was rejected because the certificate was malformed or expired. The error message describes the specific error.

The request was rejected because the same certificate is associated with an IAM user in the account.

The request was rejected because the most recent credential report has expired. To generate a new credential report, use GenerateCredentialReport. For more information about credential report expiration, see Getting Credential Reports in the Using IAM guide.

The request was rejected because it referenced an entity that does not exist. The error message describes the entity.

The request was rejected because it attempted to delete a resource that has attached subordinate entities. The error message describes these entities.

The request was rejected because the certificate is invalid.

The request was rejected because the public key encoding format is unsupported or unrecognized.

The request was rejected because the type of user for the transaction was incorrect.

The request processing has failed because of an unknown error, exception or failure.

The request was rejected because an invalid or out-of-range value was supplied for an input parameter.

The request was rejected because the public key is malformed or otherwise invalid.

The request was rejected because the authentication code was not recognized. The error message describes the specific error.

The request was rejected because it referenced an entity that is temporarily unmodifiable, such as a user name that was deleted and then recreated. The error indicates that the request is likely to succeed if you try again after waiting several minutes. The error message describes the entity.

The request was rejected because the SSH public key is already associated with the specified IAM user.

The request was rejected because the public key certificate and the private key do not match.

The request was rejected because it attempted to create resources beyond the current AWS account limits. The error message describes the limit exceeded.

The request was rejected because the provided password did not meet the requirements imposed by the account password policy.

Polls GetInstanceProfile every 1 seconds until a successful state is reached. An error is returned after 40 failed checks.

Polls GetUser every 1 seconds until a successful state is reached. An error is returned after 20 failed checks.

Contains information about an AWS access key.

This data type is used as a response element in the CreateAccessKey and ListAccessKeys actions.

The SecretAccessKey value is returned only in response to CreateAccessKey. You can get a secret access key only when you first create an access key; you cannot recover the secret access key later. If you lose a secret access key, you must create a new access key.

See: accessKey smart constructor.

Creates a value of AccessKey with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• akCreateDate
• akUserName
• akAccessKeyId
• akStatus
• akSecretAccessKey

The date when the access key was created.

The name of the IAM user that the access key is associated with.

The ID for this access key.

The status of the access key. Active means the key is valid for API calls, while Inactive means it is not.

The secret key used to sign requests.

Contains information about the last time an AWS access key was used.

This data type is used as a response element in the GetAccessKeyLastUsed action.

See: accessKeyLastUsed smart constructor.

Creates a value of AccessKeyLastUsed with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• akluLastUsedDate
• akluServiceName
• akluRegion

The date and time, in ISO 8601 date-time format, when the access key was most recently used. This field is null when:

• The user does not have an access key.
• An access key exists but has never been used, at least not since IAM started tracking this information on April 22nd, 2015.
• There is no sign-in data associated with the user

The name of the AWS service with which this access key was most recently used. This field is null when:

• The user does not have an access key.
• An access key exists but has never been used, at least not since IAM started tracking this information on April 22nd, 2015.
• There is no sign-in data associated with the user

The AWS region where this access key was most recently used. This field is null when:

• The user does not have an access key.
• An access key exists but has never been used, at least not since IAM started tracking this information on April 22nd, 2015.
• There is no sign-in data associated with the user

For more information about AWS regions, see Regions and Endpoints in the Amazon Web Services General Reference.

Contains information about an AWS access key, without its secret key.

This data type is used as a response element in the ListAccessKeys action.

See: accessKeyMetadata smart constructor.

Creates a value of AccessKeyMetadata with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• akmStatus
• akmCreateDate
• akmUserName
• akmAccessKeyId

The status of the access key. Active means the key is valid for API calls; Inactive means it is not.

The date when the access key was created.

The name of the IAM user that the key is associated with.

The ID for this access key.

Contains information about an attached policy.

An attached policy is a managed policy that has been attached to a user, group, or role. This data type is used as a response element in the ListAttachedGroupPolicies, ListAttachedRolePolicies, ListAttachedUserPolicies, and GetAccountAuthorizationDetails actions.

For more information about managed policies, refer to Managed Policies and Inline Policies in the Using IAM guide.

See: attachedPolicy smart constructor.

Creates a value of AttachedPolicy with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• apPolicyName
• apPolicyARN

The friendly name of the attached policy.

Undocumented member.

Contains information about an IAM group entity.

This data type is used as a response element in the following actions:

• CreateGroup
• GetGroup
• ListGroups

See: group' smart constructor.

Creates a value of Group with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• gPath
• gGroupName
• gGroupId
• gARN
• gCreateDate

The path to the group. For more information about paths, see IAM Identifiers in the Using IAM guide.

The friendly name that identifies the group.

The stable and unique string identifying the group. For more information about IDs, see IAM Identifiers in the Using IAM guide.

The Amazon Resource Name (ARN) specifying the group. For more information about ARNs and how to use them in policies, see IAM Identifiers in the Using IAM guide.

The date and time, in ISO 8601 date-time format, when the group was created.

Contains information about an IAM group, including all of the group's policies.

This data type is used as a response element in the GetAccountAuthorizationDetails action.

See: groupDetail smart constructor.

Creates a value of GroupDetail with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• gdARN
• gdPath
• gdCreateDate
• gdGroupId
• gdGroupPolicyList
• gdGroupName
• gdAttachedManagedPolicies

Undocumented member.

The path to the group. For more information about paths, see IAM Identifiers in the Using IAM guide.

The date and time, in ISO 8601 date-time format, when the group was created.

The stable and unique string identifying the group. For more information about IDs, see IAM Identifiers in the Using IAM guide.

A list of the inline policies embedded in the group.

The friendly name that identifies the group.

A list of the managed policies attached to the group.

Contains information about an instance profile.

This data type is used as a response element in the following actions:

• CreateInstanceProfile
• GetInstanceProfile
• ListInstanceProfiles
• ListInstanceProfilesForRole

See: instanceProfile smart constructor.

Creates a value of InstanceProfile with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• ipPath
• ipInstanceProfileName
• ipInstanceProfileId
• ipARN
• ipCreateDate
• ipRoles

The path to the instance profile. For more information about paths, see IAM Identifiers in the Using IAM guide.

The name identifying the instance profile.

The stable and unique string identifying the instance profile. For more information about IDs, see IAM Identifiers in the Using IAM guide.

The Amazon Resource Name (ARN) specifying the instance profile. For more information about ARNs and how to use them in policies, see IAM Identifiers in the Using IAM guide.

The date when the instance profile was created.

The role associated with the instance profile.

Contains the user name and password create date for a user.

This data type is used as a response element in the CreateLoginProfile and GetLoginProfile actions.

See: loginProfile smart constructor.

Creates a value of LoginProfile with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• lpPasswordResetRequired
• lpUserName
• lpCreateDate

Specifies whether the user is required to set a new password on next sign-in.

The name of the user, which can be used for signing in to the AWS Management Console.

The date when the password for the user was created.

Contains information about an MFA device.

This data type is used as a response element in the ListMFADevices action.

See: mfaDevice smart constructor.

Creates a value of MFADevice with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• mdUserName
• mdSerialNumber
• mdEnableDate

The user with whom the MFA device is associated.

The serial number that uniquely identifies the MFA device. For virtual MFA devices, the serial number is the device ARN.

The date when the MFA device was enabled for the user.

Contains information about a managed policy, including the policy's ARN, versions, and the number of principal entities (users, groups, and roles) that the policy is attached to.

This data type is used as a response element in the GetAccountAuthorizationDetails action.

For more information about managed policies, see Managed Policies and Inline Policies in the Using IAM guide.

See: managedPolicyDetail smart constructor.

Creates a value of ManagedPolicyDetail with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• mpdPolicyName
• mpdARN
• mpdPath
• mpdUpdateDate
• mpdPolicyId
• mpdCreateDate
• mpdPolicyVersionList
• mpdIsAttachable
• mpdDefaultVersionId
• mpdAttachmentCount
• mpdDescription

The friendly name (not ARN) identifying the policy.

Undocumented member.

The path to the policy.

For more information about paths, see IAM Identifiers in the Using IAM guide.

The date and time, in ISO 8601 date-time format, when the policy was last updated.

When a policy has only one version, this field contains the date and time when the policy was created. When a policy has more than one version, this field contains the date and time when the most recent policy version was created.

The stable and unique string identifying the policy.

For more information about IDs, see IAM Identifiers in the Using IAM guide.

The date and time, in ISO 8601 date-time format, when the policy was created.

A list containing information about the versions of the policy.

Specifies whether the policy can be attached to an IAM user, group, or role.

The identifier for the version of the policy that is set as the default (operative) version.

For more information about policy versions, see Versioning for Managed Policies in the Using IAM guide.

The number of principal entities (users, groups, and roles) that the policy is attached to.

A friendly description of the policy.

Contains the Amazon Resource Name (ARN) for an IAM OpenID Connect provider.

See: openIdConnectProviderListEntry smart constructor.

Creates a value of OpenIdConnectProviderListEntry with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• oicpleARN

Undocumented member.

Contains information about the account password policy.

This data type is used as a response element in the GetAccountPasswordPolicy action.

See: passwordPolicy smart constructor.

Creates a value of PasswordPolicy with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• ppExpirePasswords
• ppRequireNumbers
• ppMinimumPasswordLength
• ppPasswordReusePrevention
• ppRequireLowercaseCharacters
• ppMaxPasswordAge
• ppHardExpiry
• ppRequireSymbols
• ppRequireUppercaseCharacters
• ppAllowUsersToChangePassword

Specifies whether IAM users are required to change their password after a specified number of days.

Specifies whether to require numbers for IAM user passwords.

Minimum length to require for IAM user passwords.

Specifies the number of previous passwords that IAM users are prevented from reusing.

Specifies whether to require lowercase characters for IAM user passwords.

The number of days that an IAM user password is valid.

Specifies whether IAM users are prevented from setting a new password after their password has expired.

Specifies whether to require symbols for IAM user passwords.

Specifies whether to require uppercase characters for IAM user passwords.

Specifies whether IAM users are allowed to change their own password.

Contains information about a managed policy.

This data type is used as a response element in the CreatePolicy, GetPolicy, and ListPolicies actions.

For more information about managed policies, refer to Managed Policies and Inline Policies in the Using IAM guide.

See: policy smart constructor.

Creates a value of Policy with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• pPolicyName
• pARN
• pPath
• pUpdateDate
• pPolicyId
• pCreateDate
• pIsAttachable
• pDefaultVersionId
• pAttachmentCount
• pDescription

The friendly name (not ARN) identifying the policy.

Undocumented member.

The path to the policy.

For more information about paths, see IAM Identifiers in the Using IAM guide.

The date and time, in ISO 8601 date-time format, when the policy was last updated.

When a policy has only one version, this field contains the date and time when the policy was created. When a policy has more than one version, this field contains the date and time when the most recent policy version was created.

The stable and unique string identifying the policy.

For more information about IDs, see IAM Identifiers in the Using IAM guide.

The date and time, in ISO 8601 date-time format, when the policy was created.

Specifies whether the policy can be attached to an IAM user, group, or role.

The identifier for the version of the policy that is set as the default version.

The number of entities (users, groups, and roles) that the policy is attached to.

A friendly description of the policy.

This element is included in the response to the GetPolicy operation. It is not included in the response to the ListPolicies operation.

Contains information about an IAM policy, including the policy document.

This data type is used as a response element in the GetAccountAuthorizationDetails action.

See: policyDetail smart constructor.

Creates a value of PolicyDetail with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• pdPolicyDocument
• pdPolicyName

The policy document.

The name of the policy.

Contains information about a group that a managed policy is attached to.

This data type is used as a response element in the ListEntitiesForPolicy action.

For more information about managed policies, refer to Managed Policies and Inline Policies in the Using IAM guide.

See: policyGroup smart constructor.

Creates a value of PolicyGroup with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• pgGroupName

The name (friendly name, not ARN) identifying the group.

Contains information about a role that a managed policy is attached to.

This data type is used as a response element in the ListEntitiesForPolicy action.

For more information about managed policies, refer to Managed Policies and Inline Policies in the Using IAM guide.

See: policyRole smart constructor.

Creates a value of PolicyRole with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• prRoleName

The name (friendly name, not ARN) identifying the role.

Contains information about a user that a managed policy is attached to.

This data type is used as a response element in the ListEntitiesForPolicy action.

For more information about managed policies, refer to Managed Policies and Inline Policies in the Using IAM guide.

See: policyUser smart constructor.

Creates a value of PolicyUser with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• puUserName

The name (friendly name, not ARN) identifying the user.

Contains information about a version of a managed policy.

This data type is used as a response element in the CreatePolicyVersion, GetPolicyVersion, ListPolicyVersions, and GetAccountAuthorizationDetails actions.

For more information about managed policies, refer to Managed Policies and Inline Policies in the Using IAM guide.

See: policyVersion smart constructor.

Creates a value of PolicyVersion with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• pvVersionId
• pvCreateDate
• pvDocument
• pvIsDefaultVersion

The identifier for the policy version.

Policy version identifiers always begin with v (always lowercase). When a policy is created, the first policy version is v1.

The date and time, in ISO 8601 date-time format, when the policy version was created.

The policy document.

The policy document is returned in the response to the GetPolicyVersion and GetAccountAuthorizationDetails operations. It is not returned in the response to the CreatePolicyVersion or ListPolicyVersions operations.

Specifies whether the policy version is set as the policy's default version.

Contains information about an IAM role.

This data type is used as a response element in the following actions:

• CreateRole
• GetRole
• ListRoles

See: role smart constructor.

Creates a value of Role with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• rAssumeRolePolicyDocument
• rPath
• rRoleName
• rRoleId
• rARN
• rCreateDate

The policy that grants an entity permission to assume the role.

The path to the role. For more information about paths, see IAM Identifiers in the Using IAM guide.

The friendly name that identifies the role.

The stable and unique string identifying the role. For more information about IDs, see IAM Identifiers in the Using IAM guide.

The Amazon Resource Name (ARN) specifying the role. For more information about ARNs and how to use them in policies, see IAM Identifiers in the Using IAM guide.

The date and time, in ISO 8601 date-time format, when the role was created.

Contains information about an IAM role, including all of the role's policies.

This data type is used as a response element in the GetAccountAuthorizationDetails action.

See: roleDetail smart constructor.

Creates a value of RoleDetail with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• rdAssumeRolePolicyDocument
• rdARN
• rdPath
• rdInstanceProfileList
• rdCreateDate
• rdRoleName
• rdRoleId
• rdRolePolicyList
• rdAttachedManagedPolicies

The trust policy that grants permission to assume the role.

Undocumented member.

The path to the role. For more information about paths, see IAM Identifiers in the Using IAM guide.

Undocumented member.

The date and time, in ISO 8601 date-time format, when the role was created.

The friendly name that identifies the role.

The stable and unique string identifying the role. For more information about IDs, see IAM Identifiers in the Using IAM guide.

A list of inline policies embedded in the role. These policies are the role's access (permissions) policies.

A list of managed policies attached to the role. These policies are the role's access (permissions) policies.

Contains the list of SAML providers for this account.

See: sAMLProviderListEntry smart constructor.

Creates a value of SAMLProviderListEntry with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• samlpleARN
• samlpleCreateDate
• samlpleValidUntil

The Amazon Resource Name (ARN) of the SAML provider.

The date and time when the SAML provider was created.

The expiration date and time for the SAML provider.

Contains information about an SSH public key.

This data type is used as a response element in the GetSSHPublicKey and UploadSSHPublicKey actions.

See: sshPublicKey smart constructor.

Creates a value of SSHPublicKey with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• spkUploadDate
• spkUserName
• spkSSHPublicKeyId
• spkFingerprint
• spkSSHPublicKeyBody
• spkStatus

The date and time, in ISO 8601 date-time format, when the SSH public key was uploaded.

The name of the IAM user associated with the SSH public key.

The unique identifier for the SSH public key.

The MD5 message digest of the SSH public key.

The SSH public key.

The status of the SSH public key. Active means the key can be used for authentication with an AWS CodeCommit repository. Inactive means the key cannot be used.

Contains information about an SSH public key, without the key's body or fingerprint.

This data type is used as a response element in the ListSSHPublicKeys action.

See: sshPublicKeyMetadata smart constructor.

Creates a value of SSHPublicKeyMetadata with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• spkmUserName
• spkmSSHPublicKeyId
• spkmStatus
• spkmUploadDate

The name of the IAM user associated with the SSH public key.

The unique identifier for the SSH public key.

The status of the SSH public key. Active means the key can be used for authentication with an AWS CodeCommit repository. Inactive means the key cannot be used.

The date and time, in ISO 8601 date-time format, when the SSH public key was uploaded.

Contains information about a server certificate.

This data type is used as a response element in the GetServerCertificate action.

See: serverCertificate smart constructor.

Creates a value of ServerCertificate with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• sCertificateChain
• sServerCertificateMetadata
• sCertificateBody

The contents of the public key certificate chain.

The meta information of the server certificate, such as its name, path, ID, and ARN.

The contents of the public key certificate.

Contains information about a server certificate without its certificate body, certificate chain, and private key.

This data type is used as a response element in the UploadServerCertificate and ListServerCertificates actions.

See: serverCertificateMetadata smart constructor.

Creates a value of ServerCertificateMetadata with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• scmUploadDate
• scmExpiration
• scmPath
• scmServerCertificateName
• scmServerCertificateId
• scmARN

The date when the server certificate was uploaded.

The date on which the certificate is set to expire.

The path to the server certificate. For more information about paths, see IAM Identifiers in the Using IAM guide.

The name that identifies the server certificate.

The stable and unique string identifying the server certificate. For more information about IDs, see IAM Identifiers in the Using IAM guide.

The Amazon Resource Name (ARN) specifying the server certificate. For more information about ARNs and how to use them in policies, see IAM Identifiers in the Using IAM guide.

Contains information about an X.509 signing certificate.

This data type is used as a response element in the UploadSigningCertificate and ListSigningCertificates actions.

See: signingCertificate smart constructor.

Creates a value of SigningCertificate with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• scUploadDate
• scUserName
• scCertificateId
• scCertificateBody
• scStatus

The date when the signing certificate was uploaded.

The name of the user the signing certificate is associated with.

The ID for the signing certificate.

The contents of the signing certificate.

The status of the signing certificate. Active means the key is valid for API calls, while Inactive means it is not.

Contains information about an IAM user entity.

This data type is used as a response element in the following actions:

• CreateUser
• GetUser
• ListUsers

See: user smart constructor.

Creates a value of User with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• uPasswordLastUsed
• uPath
• uUserName
• uUserId
• uARN
• uCreateDate

The date and time, in ISO 8601 date-time format, when the user's password was last used to sign in to an AWS website. For a list of AWS websites that capture a user's last sign-in time, see the Credential Reports topic in the Using IAM guide. If a password is used more than once in a five-minute span, only the first use is returned in this field. This field is null (not present) when:

• The user does not have a password
• The password exists but has never been used (at least not since IAM started tracking this information on October 20th, 2014
• there is no sign-in data associated with the user

This value is returned only in the GetUser and ListUsers actions.

The path to the user. For more information about paths, see IAM Identifiers in the Using IAM guide.

The friendly name identifying the user.

The stable and unique string identifying the user. For more information about IDs, see IAM Identifiers in the Using IAM guide.

The Amazon Resource Name (ARN) that identifies the user. For more information about ARNs and how to use ARNs in policies, see IAM Identifiers in the Using IAM guide.

The date and time, in ISO 8601 date-time format, when the user was created.

Contains information about an IAM user, including all the user's policies and all the IAM groups the user is in.

This data type is used as a response element in the GetAccountAuthorizationDetails action.

See: userDetail smart constructor.

Creates a value of UserDetail with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• udARN
• udPath
• udGroupList
• udCreateDate
• udUserName
• udUserId
• udUserPolicyList
• udAttachedManagedPolicies

Undocumented member.

The path to the user. For more information about paths, see IAM Identifiers in the Using IAM guide.

A list of IAM groups that the user is in.

The date and time, in ISO 8601 date-time format, when the user was created.

The friendly name identifying the user.

The stable and unique string identifying the user. For more information about IDs, see IAM Identifiers in the Using IAM guide.

A list of the inline policies embedded in the user.

A list of the managed policies attached to the user.

Contains information about a virtual MFA device.

See: virtualMFADevice smart constructor.

Creates a value of VirtualMFADevice with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• vmdQRCodePNG
• vmdBase32StringSeed
• vmdUser
• vmdEnableDate
• vmdSerialNumber

A QR code PNG image that encodes 'otpauth:\/\/totp\/$virtualMFADeviceName\'$AccountName?secret=$Base32String' where '$virtualMFADeviceName' is one of the create call arguments, AccountName is the user name if set (otherwise, the account ID otherwise), and Base32String is the seed in Base32 format. The Base32String value is Base64-encoded.

Note: This Lens automatically encodes and decodes Base64 data, despite what the AWS documentation might say. The underlying isomorphism will encode to Base64 representation during serialisation, and decode from Base64 representation during deserialisation. This Lens accepts and returns only raw unencoded data.

The Base32 seed defined as specified in RFC3548. The Base32StringSeed is Base64-encoded.

Note: This Lens automatically encodes and decodes Base64 data, despite what the AWS documentation might say. The underlying isomorphism will encode to Base64 representation during serialisation, and decode from Base64 representation during deserialisation. This Lens accepts and returns only raw unencoded data.

Undocumented member.