create_support_permit

SupportAuthZ.Client.create_support_permit(**kwargs)

Creates a support permit that authorizes an AWS support operator to perform specified actions on specified resources. The permit is cryptographically signed using a customer-managed AWS KMS key (ECC_NIST_P384, SIGN_VERIFY) to ensure non-repudiation.

See also: AWS API Documentation

Request Syntax

response = client.create_support_permit(
    permit={
        'actions': {
            'allActions': {},
            'actions': [
                'string',
            ]
        },
        'resources': {
            'allResourcesInRegion': {},
            'resources': [
                'string',
            ]
        },
        'conditions': [
            {
                'allowAfter': datetime(2015, 1, 1),
                'allowBefore': datetime(2015, 1, 1)
            },
        ]
    },
    name='string',
    description='string',
    signingKeyInfo={
        'kmsKey': 'string'
    },
    supportCaseDisplayId='string',
    clientToken='string',
    tags={
        'string': 'string'
    }
)

Parameters:
  • permit (dict) –

    [REQUIRED]

    The permit definition specifying the actions, resources, and time-window conditions that the support operator is authorized to use.

    • actions (dict) – [REQUIRED]

      The set of actions that the support operator is authorized to perform.

      Note

      This is a Tagged Union structure. Only one of the following top level keys can be set: allActions, actions.

      • allActions (dict) –

        Authorizes all available support actions.

      • actions (list) –

        A list of specific support actions to authorize. Maximum of 10 actions.

        • (string) –

    • resources (dict) – [REQUIRED]

      The set of resources that the support operator is authorized to act upon.

      Note

      This is a Tagged Union structure. Only one of the following top level keys can be set: allResourcesInRegion, resources.

      • allResourcesInRegion (dict) –

        Authorizes the support operator to act on all resources in the Region.

      • resources (list) –

        A list of specific resource identifiers that the support operator is authorized to act upon. Maximum of 5 resources.

        • (string) –

    • conditions (list) –

      The time-window conditions that constrain when the permit is valid. Maximum of 2 conditions.

      • (dict) –

        A time-window condition that constrains when a support permit is valid.

        Note

        This is a Tagged Union structure. Only one of the following top level keys can be set: allowAfter, allowBefore.

        • allowAfter (datetime) –

          The earliest time at which the permit becomes valid.

        • allowBefore (datetime) –

          The latest time at which the permit remains valid.

  • name (string) –

    [REQUIRED]

    A customer-chosen name for the support permit. Must be between 1 and 256 alphanumeric characters.

  • description (string) – A human-readable description of why this permit is being created. Maximum length of 1024 characters.

  • signingKeyInfo (dict) –

    [REQUIRED]

    The signing key information used to sign the permit. Must reference an AWS KMS key with key usage SIGN_VERIFY and key spec ECC_NIST_P384.

    Note

    This is a Tagged Union structure. Only one of the following top level keys can be set: kmsKey.

    • kmsKey (string) –

      The ARN of the AWS KMS key used to sign the permit. The key must have key spec ECC_NIST_P384 and key usage SIGN_VERIFY.

  • supportCaseDisplayId (string) – The display identifier of the AWS Support case associated with this permit.

  • clientToken (string) –

    A unique, case-sensitive identifier to ensure that the operation completes no more than one time. If this token matches a previous request, the service returns the existing permit without creating a duplicate.

    This field is autopopulated if not provided.

  • tags (dict) –

    The tags to associate with the support permit on creation.

    • (string) –

      • (string) –
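
The following is an added example, not part of the original reference or of the AWS SDK. It builds the keyword arguments for create_support_permit while enforcing the limits stated above on the client side and refusing the broad union members (allActions, allResourcesInRegion). The helper names build_permit_request and key_is_suitable are hypothetical; reading "alphanumeric" as ASCII letters and digits and rejecting empty lists are assumptions of this helper.

```python
import re

NAME_RE = re.compile(r"[A-Za-z0-9]{1,256}")  # assumption: ASCII letters and digits only
KMS_ARN_RE = re.compile(r"arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/[A-Za-z0-9-]+")


def key_is_suitable(key_metadata):
    """Check the KeyMetadata dict returned by kms.describe_key() against the
    key spec and key usage this operation requires."""
    return (key_metadata.get("KeySpec") == "ECC_NIST_P384"
            and key_metadata.get("KeyUsage") == "SIGN_VERIFY")


def build_permit_request(name, actions, resources, allow_after, allow_before,
                         kms_key_arn, description=None, case_id=None):
    """Return kwargs for create_support_permit scoped to explicit actions,
    explicit resources and a bounded time window."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("name must be 1-256 alphanumeric characters")
    # Empty lists are rejected by this helper; the page states only the maximum.
    if not 1 <= len(actions) <= 10:
        raise ValueError("actions: between 1 and 10 entries")
    if not 1 <= len(resources) <= 5:
        raise ValueError("resources: between 1 and 5 entries")
    if description is not None and len(description) > 1024:
        raise ValueError("description: at most 1024 characters")
    if not KMS_ARN_RE.fullmatch(kms_key_arn):
        raise ValueError("kmsKey must be a KMS key ARN")
    if allow_after.tzinfo is None or allow_before.tzinfo is None:
        raise ValueError("use timezone-aware datetimes")
    if allow_after >= allow_before:
        raise ValueError("allowAfter must precede allowBefore")
    kwargs = {
        "name": name,
        "permit": {
            "actions": {"actions": list(actions)},        # exactly one union member
            "resources": {"resources": list(resources)},  # exactly one union member
            # Each condition is itself a tagged union, so a window is two entries.
            "conditions": [{"allowAfter": allow_after}, {"allowBefore": allow_before}],
        },
        "signingKeyInfo": {"kmsKey": kms_key_arn},
    }
    if description is not None:
        kwargs["description"] = description
    if case_id is not None:
        kwargs["supportCaseDisplayId"] = case_id
    return kwargs
```

The returned dict is passed as client.create_support_permit(**kwargs); clientToken is left out so that the SDK autopopulates it.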

Return type:

dict

Returns:

Response Syntax

{
    'name': 'string',
    'arn': 'string',
    'description': 'string',
    'permit': {
        'actions': {
            'allActions': {},
            'actions': [
                'string',
            ]
        },
        'resources': {
            'allResourcesInRegion': {},
            'resources': [
                'string',
            ]
        },
        'conditions': [
            {
                'allowAfter': datetime(2015, 1, 1),
                'allowBefore': datetime(2015, 1, 1)
            },
        ]
    },
    'status': 'ACTIVE'|'INACTIVE'|'DELETING',
    'signingKeyInfo': {
        'kmsKey': 'string'
    },
    'createdAt': datetime(2015, 1, 1),
    'supportCaseDisplayId': 'string',
    'tags': {
        'string': 'string'
    }
}

Response Structure

  • (dict) –

    • name (string) –

      The name of the support permit.

    • arn (string) –

      The Amazon Resource Name (ARN) of the support permit.

    • description (string) –

      The description of the support permit.

    • permit (dict) –

      The permit definition.

      • actions (dict) –

        The set of actions that the support operator is authorized to perform.

        Note

        This is a Tagged Union structure. Only one of the following top level keys will be set: allActions, actions. If a client receives an unknown member it will set SDK_UNKNOWN_MEMBER as the top level key, which maps to the name or tag of the unknown member. The structure of SDK_UNKNOWN_MEMBER is as follows:

        'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'}
        
        • allActions (dict) –

          Authorizes all available support actions.

        • actions (list) –

          A list of specific support actions to authorize. Maximum of 10 actions.

          • (string) –

      • resources (dict) –

        The set of resources that the support operator is authorized to act upon.

        Note

        This is a Tagged Union structure. Only one of the following top level keys will be set: allResourcesInRegion, resources. If a client receives an unknown member it will set SDK_UNKNOWN_MEMBER as the top level key, which maps to the name or tag of the unknown member. The structure of SDK_UNKNOWN_MEMBER is as follows:

        'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'}
        
        • allResourcesInRegion (dict) –

          Authorizes the support operator to act on all resources in the Region.

        • resources (list) –

          A list of specific resource identifiers that the support operator is authorized to act upon. Maximum of 5 resources.

          • (string) –

      • conditions (list) –

        The time-window conditions that constrain when the permit is valid. Maximum of 2 conditions.

        • (dict) –

          A time-window condition that constrains when a support permit is valid.

          Note

          This is a Tagged Union structure. Only one of the following top level keys will be set: allowAfter, allowBefore. If a client receives an unknown member it will set SDK_UNKNOWN_MEMBER as the top level key, which maps to the name or tag of the unknown member. The structure of SDK_UNKNOWN_MEMBER is as follows:

          'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'}
          
          • allowAfter (datetime) –

            The earliest time at which the permit becomes valid.

          • allowBefore (datetime) –

            The latest time at which the permit remains valid.

    • status (string) –

      The current status of the support permit.

    • signingKeyInfo (dict) –

      The signing key information for the permit.

      Note

      This is a Tagged Union structure. Only one of the following top level keys will be set: kmsKey. If a client receives an unknown member it will set SDK_UNKNOWN_MEMBER as the top level key, which maps to the name or tag of the unknown member. The structure of SDK_UNKNOWN_MEMBER is as follows:

      'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'}
      
      • kmsKey (string) –

        The ARN of the AWS KMS key used to sign the permit. The key must have key spec ECC_NIST_P384 and key usage SIGN_VERIFY.

    • createdAt (datetime) –

      The timestamp when the permit was created.

    • supportCaseDisplayId (string) –

      The display identifier of the support case associated with the permit.

    • tags (dict) –

      The tags associated with the support permit.

      • (string) –

        • (string) –
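
The following is an added example, not part of the original reference or of the AWS SDK. It reviews a create_support_permit response for scope: it fails closed when a tagged union carries SDK_UNKNOWN_MEMBER, and it reports the broad union members, a missing end time, and an unexpected signing key. The names union_member and audit_permit, the 24-hour max_window policy, and the sample response values are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone


def union_member(union, field):
    """Return (tag, value) of a tagged union; fail closed on an unknown member."""
    if len(union) != 1:
        raise ValueError(f"{field}: expected exactly one member, got {sorted(union)}")
    tag, value = next(iter(union.items()))
    if tag == "SDK_UNKNOWN_MEMBER":
        raise ValueError(f"{field}: unknown member {value.get('name')!r}, cannot assess scope")
    return tag, value


def audit_permit(resp, expected_key_arn, max_window=timedelta(hours=24)):
    """Return a list of findings for a permit response (empty list = scoped as intended)."""
    findings = []
    permit = resp["permit"]
    for field, broad in (("actions", "allActions"), ("resources", "allResourcesInRegion")):
        tag, _ = union_member(permit[field], field)
        if tag == broad:
            findings.append(f"{field}: {broad} is the widest possible scope")
    # Each condition holds one bound; collect them into {'allowAfter': ..., 'allowBefore': ...}.
    bounds = dict(union_member(c, "conditions") for c in permit.get("conditions", []))
    start = bounds.get("allowAfter", resp["createdAt"])
    if "allowBefore" not in bounds:
        findings.append("conditions: no allowBefore, so the permit has no end time")
    elif bounds["allowBefore"] - start > max_window:
        findings.append("conditions: window exceeds local policy")
    _, key_arn = union_member(resp["signingKeyInfo"], "signingKeyInfo")
    if key_arn != expected_key_arn:
        findings.append("signingKeyInfo: signed with an unexpected KMS key")
    return findings


# Constructed sample response (placeholder ARN and action name, not real service output).
T0 = datetime(2030, 1, 1, 12, 0, tzinfo=timezone.utc)
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
SAMPLE_RESPONSE = {
    "name": "Case12345Debug",
    "permit": {
        "actions": {"actions": ["placeholder-action"]},
        "resources": {"allResourcesInRegion": {}},
        "conditions": [{"allowAfter": T0}],
    },
    "signingKeyInfo": {"kmsKey": KEY_ARN},
    "createdAt": T0,
}
```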

Exceptions