feat(client-iot): This release adds support for Custom Authentication…

… with X.509 Client Certificates, support for Custom Client Certificate validation, and support for selecting application protocol and authentication type without requiring TLS ALPN for customer's AWS IoT Domain Configurations.
aws · Oct 3, 2024 · 795bda9 · 795bda9
1 parent f783a42
commit 795bda9
Show file tree

Hide file tree

Showing 17 changed files with 638 additions and 169 deletions.
diff --git a/clients/client-iot/src/commands/AssociateSbomWithPackageVersionCommand.ts b/clients/client-iot/src/commands/AssociateSbomWithPackageVersionCommand.ts
@@ -33,7 +33,7 @@ export interface AssociateSbomWithPackageVersionCommandOutput
     __MetadataBearer {}
 
 /**
- * <p>Associates a software bill of materials (SBOM) with a specific software package version.</p>
+ * <p>Associates the selected software bill of materials (SBOM) with a specific software package version.</p>
  *          <p>Requires permission to access the <a href="https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html#awsiot-actions-as-permissions">AssociateSbomWithPackageVersion</a> action.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.

diff --git a/clients/client-iot/src/commands/CreateBillingGroupCommand.ts b/clients/client-iot/src/commands/CreateBillingGroupCommand.ts
@@ -28,7 +28,9 @@ export interface CreateBillingGroupCommandInput extends CreateBillingGroupReques
 export interface CreateBillingGroupCommandOutput extends CreateBillingGroupResponse, __MetadataBearer {}
 
 /**
- * <p>Creates a billing group.</p>
+ * <p>Creates a billing group. If this call is made multiple times using
+ * 			the same billing group name and configuration, the call will succeed. If this call is made with
+ * 			the same billing group name but different configuration a <code>ResourceAlreadyExistsException</code> is thrown.</p>
  *          <p>Requires permission to access the <a href="https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html#awsiot-actions-as-permissions">CreateBillingGroup</a> action.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.

diff --git a/clients/client-iot/src/commands/CreateDomainConfigurationCommand.ts b/clients/client-iot/src/commands/CreateDomainConfigurationCommand.ts
@@ -60,6 +60,11 @@ export interface CreateDomainConfigurationCommandOutput extends CreateDomainConf
  *   serverCertificateConfig: { // ServerCertificateConfig
  *     enableOCSPCheck: true || false,
  *   },
+ *   authenticationType: "CUSTOM_AUTH_X509" || "CUSTOM_AUTH" || "AWS_X509" || "AWS_SIGV4" || "DEFAULT",
+ *   applicationProtocol: "SECURE_MQTT" || "MQTT_WSS" || "HTTPS" || "DEFAULT",
+ *   clientCertificateConfig: { // ClientCertificateConfig
+ *     clientCertificateCallbackArn: "STRING_VALUE",
+ *   },
  * };
  * const command = new CreateDomainConfigurationCommand(input);
  * const response = await client.send(command);

diff --git a/clients/client-iot/src/commands/CreateRoleAliasCommand.ts b/clients/client-iot/src/commands/CreateRoleAliasCommand.ts
@@ -30,6 +30,14 @@ export interface CreateRoleAliasCommandOutput extends CreateRoleAliasResponse, _
 /**
  * <p>Creates a role alias.</p>
  *          <p>Requires permission to access the <a href="https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html#awsiot-actions-as-permissions">CreateRoleAlias</a> action.</p>
+ *          <important>
+ *             <p>The value of <a href="https://docs.aws.amazon.com/iot/latest/apireference/API_CreateRoleAlias.html#iot-CreateRoleAlias-request-credentialDurationSeconds">
+ *                   <code>credentialDurationSeconds</code>
+ *                </a> must be less than or equal to the maximum session
+ *             duration of the IAM role that the role alias references. For more information, see
+ *             <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/roles-managingrole-editing-api.html#roles-modify_max-session-duration-api">
+ *                Modifying a role maximum session duration (Amazon Web Services API)</a> from the Amazon Web Services Identity and Access Management User Guide.</p>
+ *          </important>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript

diff --git a/clients/client-iot/src/commands/CreateThingTypeCommand.ts b/clients/client-iot/src/commands/CreateThingTypeCommand.ts
@@ -28,7 +28,10 @@ export interface CreateThingTypeCommandInput extends CreateThingTypeRequest {}
 export interface CreateThingTypeCommandOutput extends CreateThingTypeResponse, __MetadataBearer {}
 
 /**
- * <p>Creates a new thing type.</p>
+ * <p>Creates a new thing type. If this call is made multiple times using
+ * 			the same thing type name and configuration, the call will succeed. If this call is made with
+ * 			the same thing type name but different configuration a <code>ResourceAlreadyExistsException</code> is thrown.
+ * 		</p>
  *          <p>Requires permission to access the <a href="https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html#awsiot-actions-as-permissions">CreateThingType</a> action.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.

diff --git a/clients/client-iot/src/commands/DeleteBillingGroupCommand.ts b/clients/client-iot/src/commands/DeleteBillingGroupCommand.ts
@@ -6,7 +6,7 @@ import { MetadataBearer as __MetadataBearer } from "@smithy/types";
 
 import { commonParams } from "../endpoint/EndpointParameters";
 import { IoTClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../IoTClient";
-import { DeleteBillingGroupRequest, DeleteBillingGroupResponse } from "../models/models_0";
+import { DeleteBillingGroupRequest, DeleteBillingGroupResponse } from "../models/models_1";
 import { de_DeleteBillingGroupCommand, se_DeleteBillingGroupCommand } from "../protocols/Aws_restJson1";
 
 /**

diff --git a/clients/client-iot/src/commands/DescribeDomainConfigurationCommand.ts b/clients/client-iot/src/commands/DescribeDomainConfigurationCommand.ts
@@ -71,6 +71,11 @@ export interface DescribeDomainConfigurationCommandOutput
  * //   serverCertificateConfig: { // ServerCertificateConfig
  * //     enableOCSPCheck: true || false,
  * //   },
+ * //   authenticationType: "CUSTOM_AUTH_X509" || "CUSTOM_AUTH" || "AWS_X509" || "AWS_SIGV4" || "DEFAULT",
+ * //   applicationProtocol: "SECURE_MQTT" || "MQTT_WSS" || "HTTPS" || "DEFAULT",
+ * //   clientCertificateConfig: { // ClientCertificateConfig
+ * //     clientCertificateCallbackArn: "STRING_VALUE",
+ * //   },
  * // };
  *
  * ```

diff --git a/clients/client-iot/src/commands/DisassociateSbomFromPackageVersionCommand.ts b/clients/client-iot/src/commands/DisassociateSbomFromPackageVersionCommand.ts
@@ -36,7 +36,7 @@ export interface DisassociateSbomFromPackageVersionCommandOutput
     __MetadataBearer {}
 
 /**
- * <p>Disassociates a software bill of materials (SBOM) from a specific software package version.</p>
+ * <p>Disassociates the selected software bill of materials (SBOM) from a specific software package version.</p>
  *          <p>Requires permission to access the <a href="https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html#awsiot-actions-as-permissions">DisassociateSbomWithPackageVersion</a> action.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.

diff --git a/clients/client-iot/src/commands/ListManagedJobTemplatesCommand.ts b/clients/client-iot/src/commands/ListManagedJobTemplatesCommand.ts
@@ -6,7 +6,8 @@ import { MetadataBearer as __MetadataBearer } from "@smithy/types";
 
 import { commonParams } from "../endpoint/EndpointParameters";
 import { IoTClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../IoTClient";
-import { ListManagedJobTemplatesRequest, ListManagedJobTemplatesResponse } from "../models/models_1";
+import { ListManagedJobTemplatesRequest } from "../models/models_1";
+import { ListManagedJobTemplatesResponse } from "../models/models_2";
 import { de_ListManagedJobTemplatesCommand, se_ListManagedJobTemplatesCommand } from "../protocols/Aws_restJson1";
 
 /**

diff --git a/clients/client-iot/src/commands/ListMetricValuesCommand.ts b/clients/client-iot/src/commands/ListMetricValuesCommand.ts
@@ -6,8 +6,7 @@ import { MetadataBearer as __MetadataBearer } from "@smithy/types";
 
 import { commonParams } from "../endpoint/EndpointParameters";
 import { IoTClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../IoTClient";
-import { ListMetricValuesRequest } from "../models/models_1";
-import { ListMetricValuesResponse } from "../models/models_2";
+import { ListMetricValuesRequest, ListMetricValuesResponse } from "../models/models_2";
 import { de_ListMetricValuesCommand, se_ListMetricValuesCommand } from "../protocols/Aws_restJson1";
 
 /**

diff --git a/clients/client-iot/src/commands/UpdateDomainConfigurationCommand.ts b/clients/client-iot/src/commands/UpdateDomainConfigurationCommand.ts
@@ -51,6 +51,11 @@ export interface UpdateDomainConfigurationCommandOutput extends UpdateDomainConf
  *   serverCertificateConfig: { // ServerCertificateConfig
  *     enableOCSPCheck: true || false,
  *   },
+ *   authenticationType: "CUSTOM_AUTH_X509" || "CUSTOM_AUTH" || "AWS_X509" || "AWS_SIGV4" || "DEFAULT",
+ *   applicationProtocol: "SECURE_MQTT" || "MQTT_WSS" || "HTTPS" || "DEFAULT",
+ *   clientCertificateConfig: { // ClientCertificateConfig
+ *     clientCertificateCallbackArn: "STRING_VALUE",
+ *   },
  * };
  * const command = new UpdateDomainConfigurationCommand(input);
  * const response = await client.send(command);

diff --git a/clients/client-iot/src/commands/UpdateRoleAliasCommand.ts b/clients/client-iot/src/commands/UpdateRoleAliasCommand.ts
@@ -30,6 +30,14 @@ export interface UpdateRoleAliasCommandOutput extends UpdateRoleAliasResponse, _
 /**
  * <p>Updates a role alias.</p>
  *          <p>Requires permission to access the <a href="https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html#awsiot-actions-as-permissions">UpdateRoleAlias</a> action.</p>
+ *          <important>
+ *             <p>The value of <a href="https://docs.aws.amazon.com/iot/latest/apireference/API_UpdateRoleAlias.html#iot-UpdateRoleAlias-request-credentialDurationSeconds">
+ *                   <code>credentialDurationSeconds</code>
+ *                </a> must be less than or equal to the
+ *             maximum session duration of the IAM role that the role alias references. For more
+ *             information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/roles-managingrole-editing-api.html#roles-modify_max-session-duration-api"> Modifying a role maximum session duration (Amazon Web Services API)</a> from the Amazon Web Services
+ *             Identity and Access Management User Guide.</p>
+ *          </important>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript

diff --git a/clients/client-iot/src/models/models_0.ts b/clients/client-iot/src/models/models_0.ts
@@ -2301,6 +2301,22 @@ export interface Allowed {
   policies?: Policy[];
 }
 
+/**
+ * @public
+ * @enum
+ */
+export const ApplicationProtocol = {
+  DEFAULT: "DEFAULT",
+  HTTPS: "HTTPS",
+  MQTT_WSS: "MQTT_WSS",
+  SECURE_MQTT: "SECURE_MQTT",
+} as const;
+
+/**
+ * @public
+ */
+export type ApplicationProtocol = (typeof ApplicationProtocol)[keyof typeof ApplicationProtocol];
+
 /**
  * <p>The S3 location.</p>
  * @public
@@ -2326,7 +2342,7 @@ export interface S3Location {
 }
 
 /**
- * <p>The Amazon S3 location for the software bill of materials associated with a software
+ * <p>A specific software bill of matrerials associated with a software
  *          package version.</p>
  * @public
  */
@@ -2355,7 +2371,7 @@ export interface AssociateSbomWithPackageVersionRequest {
   versionName: string | undefined;
 
   /**
-   * <p>The Amazon S3 location for the software bill of materials associated with a software
+   * <p>A specific software bill of matrerials associated with a software
    *          package version.</p>
    * @public
    */
@@ -2400,14 +2416,14 @@ export interface AssociateSbomWithPackageVersionResponse {
   versionName?: string;
 
   /**
-   * <p>The Amazon S3 location for the software bill of materials associated with a software
+   * <p>A specific software bill of matrerials associated with a software
    *          package version.</p>
    * @public
    */
   sbom?: Sbom;
 
   /**
-   * <p>The status of the initial validation for the SBOM against the Software Package Data Exchange (SPDX) and CycloneDX industry standard format.</p>
+   * <p>The status of the initial validation for the software bill of materials against the Software Package Data Exchange (SPDX) and CycloneDX industry standard formats.</p>
    * @public
    */
   sbomValidationStatus?: SbomValidationStatus;
@@ -3414,6 +3430,23 @@ export const AuthDecision = {
  */
 export type AuthDecision = (typeof AuthDecision)[keyof typeof AuthDecision];
 
+/**
+ * @public
+ * @enum
+ */
+export const AuthenticationType = {
+  AWS_SIGV4: "AWS_SIGV4",
+  AWS_X509: "AWS_X509",
+  CUSTOM_AUTH: "CUSTOM_AUTH",
+  CUSTOM_AUTH_X509: "CUSTOM_AUTH_X509",
+  DEFAULT: "DEFAULT",
+} as const;
+
+/**
+ * @public
+ */
+export type AuthenticationType = (typeof AuthenticationType)[keyof typeof AuthenticationType];
+
 /**
  * <p>A collection of authorization information.</p>
  * @public
@@ -4448,6 +4481,18 @@ export class CertificateValidationException extends __BaseException {
   }
 }
 
+/**
+ * <p>An object that speciﬁes the client certificate conﬁguration for a domain.</p>
+ * @public
+ */
+export interface ClientCertificateConfig {
+  /**
+   * <p>The ARN of the Lambda function that IoT invokes after mutual TLS authentication during the connection.</p>
+   * @public
+   */
+  clientCertificateCallbackArn?: string;
+}
+
 /**
  * <p>The server certificate configuration.</p>
  * @public
@@ -4561,6 +4606,82 @@ export interface CreateDomainConfigurationRequest {
    * @public
    */
   serverCertificateConfig?: ServerCertificateConfig;
+
+  /**
+   * <p>An enumerated string that speciﬁes the authentication type.</p>
+   *          <ul>
+   *             <li>
+   *                <p>
+   *                   <code>CUSTOM_AUTH_X509</code> - Use custom authentication and authorization with additional details from the X.509 client certificate.</p>
+   *             </li>
+   *          </ul>
+   *          <ul>
+   *             <li>
+   *                <p>
+   *                   <code>CUSTOM_AUTH</code> - Use custom authentication and authorization. For more
+   *                information, see <a href="https://docs.aws.amazon.com/iot/latest/developerguide/custom-authentication.html">Custom authentication and authorization</a>.</p>
+   *             </li>
+   *          </ul>
+   *          <ul>
+   *             <li>
+   *                <p>
+   *                   <code>AWS_X509</code> - Use X.509 client certificates without custom authentication and authorization. For more information,
+   *                see <a href="https://docs.aws.amazon.com/iot/latest/developerguide/x509-client-certs.html">X.509 client certificates</a>.</p>
+   *             </li>
+   *          </ul>
+   *          <ul>
+   *             <li>
+   *                <p>
+   *                   <code>AWS_SIGV4</code> - Use Amazon Web Services Signature Version 4. For more information, see <a href="https://docs.aws.amazon.com/iot/latest/developerguide/custom-authentication.html">IAM users, groups, and roles</a>.</p>
+   *             </li>
+   *          </ul>
+   *          <ul>
+   *             <li>
+   *                <p>
+   *                   <code>DEFAULT</code> - Use a combination of port and Application Layer Protocol Negotiation (ALPN) to specify authentication type.
+   *                For more information, see <a href="https://docs.aws.amazon.com/iot/latest/developerguide/protocols.html">Device communication protocols</a>.</p>
+   *             </li>
+   *          </ul>
+   * @public
+   */
+  authenticationType?: AuthenticationType;
+
+  /**
+   * <p>An enumerated string that speciﬁes the application-layer protocol.</p>
+   *          <ul>
+   *             <li>
+   *                <p>
+   *                   <code>SECURE_MQTT</code> - MQTT over TLS.</p>
+   *             </li>
+   *          </ul>
+   *          <ul>
+   *             <li>
+   *                <p>
+   *                   <code>MQTT_WSS</code> - MQTT over WebSocket.</p>
+   *             </li>
+   *          </ul>
+   *          <ul>
+   *             <li>
+   *                <p>
+   *                   <code>HTTPS</code> - HTTP over TLS.</p>
+   *             </li>
+   *          </ul>
+   *          <ul>
+   *             <li>
+   *                <p>
+   *                   <code>DEFAULT</code> - Use a combination of port and Application Layer Protocol Negotiation (ALPN) to specify application_layer protocol.
+   *                For more information, see <a href="https://docs.aws.amazon.com/iot/latest/developerguide/protocols.html">Device communication protocols</a>.</p>
+   *             </li>
+   *          </ul>
+   * @public
+   */
+  applicationProtocol?: ApplicationProtocol;
+
+  /**
+   * <p>An object that speciﬁes the client certificate conﬁguration for a domain.</p>
+   * @public
+   */
+  clientCertificateConfig?: ClientCertificateConfig;
 }
 
 /**
@@ -6300,8 +6421,7 @@ export interface CreatePackageResponse {
 }
 
 /**
- * <p>The Amazon S3 location for the artifacts associated with a software package
- *          version.</p>
+ * <p>A specific package version artifact associated with a software package version.</p>
  * @public
  */
 export interface PackageVersionArtifact {
@@ -6350,7 +6470,7 @@ export interface CreatePackageVersionRequest {
 
   /**
    * <p>The inline job document associated with a software package version used for a quick job
-   *          deployment via IoT Jobs.</p>
+   *          deployment.</p>
    * @public
    */
   recipe?: string;
@@ -7710,51 +7830,6 @@ export class DeleteConflictException extends __BaseException {
   }
 }
 
-/**
- * @public
- */
-export interface DeleteBillingGroupRequest {
-  /**
-   * <p>The name of the billing group.</p>
-   * @public
-   */
-  billingGroupName: string | undefined;
-
-  /**
-   * <p>The expected version of the billing group. If the version of the billing group does
-   * 			not match the expected version specified in the request, the
-   * 				<code>DeleteBillingGroup</code> request is rejected with a
-   * 				<code>VersionConflictException</code>.</p>
-   * @public
-   */
-  expectedVersion?: number;
-}
-
-/**
- * @public
- */
-export interface DeleteBillingGroupResponse {}
-
-/**
- * <p>The certificate operation is not allowed.</p>
- * @public
- */
-export class CertificateStateException extends __BaseException {
-  readonly name: "CertificateStateException" = "CertificateStateException";
-  readonly $fault: "client" = "client";
-  /**
-   * @internal
-   */
-  constructor(opts: __ExceptionOptionType<CertificateStateException, __BaseException>) {
-    super({
-      name: "CertificateStateException",
-      $fault: "client",
-      ...opts,
-    });
-    Object.setPrototypeOf(this, CertificateStateException.prototype);
-  }
-}
-
 /**
  * @internal
  */