

# Data Types
<a name="API_Types"></a>

The Amazon Identity and Access Management API contains several data types that various actions use. This section describes each data type in detail.

**Note**  
The order of each element in a data type structure is not guaranteed. Applications should not assume a particular order.

The following data types are supported:
+  [AccessDetail](API_AccessDetail.md) 
+  [AccessKey](API_AccessKey.md) 
+  [AccessKeyLastUsed](API_AccessKeyLastUsed.md) 
+  [AccessKeyMetadata](API_AccessKeyMetadata.md) 
+  [AttachedPermissionsBoundary](API_AttachedPermissionsBoundary.md) 
+  [AttachedPolicy](API_AttachedPolicy.md) 
+  [ContextEntry](API_ContextEntry.md) 
+  [DelegationPermission](API_DelegationPermission.md) 
+  [DelegationRequest](API_DelegationRequest.md) 
+  [DeletionTaskFailureReasonType](API_DeletionTaskFailureReasonType.md) 
+  [EntityDetails](API_EntityDetails.md) 
+  [EntityInfo](API_EntityInfo.md) 
+  [ErrorDetails](API_ErrorDetails.md) 
+  [EvaluationResult](API_EvaluationResult.md) 
+  [Group](API_Group.md) 
+  [GroupDetail](API_GroupDetail.md) 
+  [InstanceProfile](API_InstanceProfile.md) 
+  [ListPoliciesGrantingServiceAccessEntry](API_ListPoliciesGrantingServiceAccessEntry.md) 
+  [LoginProfile](API_LoginProfile.md) 
+  [ManagedPolicyDetail](API_ManagedPolicyDetail.md) 
+  [MFADevice](API_MFADevice.md) 
+  [OpenIDConnectProviderListEntry](API_OpenIDConnectProviderListEntry.md) 
+  [OrganizationsDecisionDetail](API_OrganizationsDecisionDetail.md) 
+  [PasswordPolicy](API_PasswordPolicy.md) 
+  [PermissionsBoundaryDecisionDetail](API_PermissionsBoundaryDecisionDetail.md) 
+  [Policy](API_Policy.md) 
+  [PolicyDetail](API_PolicyDetail.md) 
+  [PolicyGrantingServiceAccess](API_PolicyGrantingServiceAccess.md) 
+  [PolicyGroup](API_PolicyGroup.md) 
+  [PolicyParameter](API_PolicyParameter.md) 
+  [PolicyRole](API_PolicyRole.md) 
+  [PolicyUser](API_PolicyUser.md) 
+  [PolicyVersion](API_PolicyVersion.md) 
+  [Position](API_Position.md) 
+  [ResourceSpecificResult](API_ResourceSpecificResult.md) 
+  [Role](API_Role.md) 
+  [RoleDetail](API_RoleDetail.md) 
+  [RoleLastUsed](API_RoleLastUsed.md) 
+  [RoleUsageType](API_RoleUsageType.md) 
+  [SAMLPrivateKey](API_SAMLPrivateKey.md) 
+  [SAMLProviderListEntry](API_SAMLProviderListEntry.md) 
+  [ServerCertificate](API_ServerCertificate.md) 
+  [ServerCertificateMetadata](API_ServerCertificateMetadata.md) 
+  [ServiceLastAccessed](API_ServiceLastAccessed.md) 
+  [ServiceSpecificCredential](API_ServiceSpecificCredential.md) 
+  [ServiceSpecificCredentialMetadata](API_ServiceSpecificCredentialMetadata.md) 
+  [SigningCertificate](API_SigningCertificate.md) 
+  [SSHPublicKey](API_SSHPublicKey.md) 
+  [SSHPublicKeyMetadata](API_SSHPublicKeyMetadata.md) 
+  [Statement](API_Statement.md) 
+  [Tag](API_Tag.md) 
+  [TrackedActionLastAccessed](API_TrackedActionLastAccessed.md) 
+  [User](API_User.md) 
+  [UserDetail](API_UserDetail.md) 
+  [VirtualMFADevice](API_VirtualMFADevice.md) 

# AccessDetail
<a name="API_AccessDetail"></a>

An object that contains details about when a principal in the reported Amazon Organizations entity last attempted to access an Amazon service. A principal can be an IAM user, an IAM role, or the Amazon Web Services account root user within the reported Organizations entity.

This data type is a response element in the [GetOrganizationsAccessReport](https://docs.amazonaws.cn/IAM/latest/APIReference/API_GetOrganizationsAccessReport.html) operation.

## Contents
<a name="API_AccessDetail_Contents"></a>

 ** ServiceName **   
The name of the service in which access was attempted.  
Type: String  
Required: Yes

 ** ServiceNamespace **   
The namespace of the service in which access was attempted.  
To learn the service namespace of a service, see [Actions, resources, and condition keys for Amazon services](https://docs.amazonaws.cn/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html) in the *Service Authorization Reference*. Choose the name of the service to view details for that service. In the first paragraph, find the service prefix. For example, `(service prefix: a4b)`. For more information about service namespaces, see [Amazon service namespaces](https://docs.amazonaws.cn/general/latest/gr/aws-arns-and-namespaces.html#genref-aws-service-namespaces) in the *Amazon General Reference*.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 64.  
Pattern: `[\w-]*`   
Required: Yes

 ** EntityPath **   
The path of the Organizations entity (root, organizational unit, or account) from which an authenticated principal last attempted to access the service. Amazon does not report unauthenticated requests.  
This field is null if no principals (IAM users, IAM roles, or root user) in the reported Organizations entity attempted to access the service within the [tracking period](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_access-advisor.html#service-last-accessed-reporting-period).  
Type: String  
Length Constraints: Minimum length of 19. Maximum length of 427.  
Pattern: `^o-[0-9a-z]{10,32}\/r-[0-9a-z]{4,32}[0-9a-z-\/]*`   
Required: No

 ** LastAuthenticatedTime **   
The date and time, in [ISO 8601 date-time format](http://www.iso.org/iso/iso8601), when an authenticated principal most recently attempted to access the service. Amazon does not report unauthenticated requests.  
This field is null if no principals in the reported Organizations entity attempted to access the service within the [tracking period](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_access-advisor.html#service-last-accessed-reporting-period).  
Type: Timestamp  
Required: No

 ** Region **   
The Region where the last service access attempt occurred.  
This field is null if no principals in the reported Organizations entity attempted to access the service within the [tracking period](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_access-advisor.html#service-last-accessed-reporting-period).  
Type: String  
Required: No

 ** TotalAuthenticatedEntities **   
The number of accounts with authenticated principals (root user, IAM users, and IAM roles) that attempted to access the service in the tracking period.  
Type: Integer  
Required: No

## See Also
<a name="API_AccessDetail_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/AccessDetail) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/AccessDetail) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/AccessDetail) 

# AccessKey
<a name="API_AccessKey"></a>

Contains information about an Amazon access key.

 This data type is used as a response element in the [CreateAccessKey](https://docs.amazonaws.cn/IAM/latest/APIReference/API_CreateAccessKey.html) and [ListAccessKeys](https://docs.amazonaws.cn/IAM/latest/APIReference/API_ListAccessKeys.html) operations. 

**Note**  
The `SecretAccessKey` value is returned only in response to [CreateAccessKey](https://docs.amazonaws.cn/IAM/latest/APIReference/API_CreateAccessKey.html). You can get a secret access key only when you first create an access key; you cannot recover the secret access key later. If you lose a secret access key, you must create a new access key.

## Contents
<a name="API_AccessKey_Contents"></a>

 ** AccessKeyId **   
The ID for this access key.  
Type: String  
Length Constraints: Minimum length of 16. Maximum length of 128.  
Pattern: `[\w]+`   
Required: Yes

 ** SecretAccessKey **   
The secret key used to sign requests.  
Type: String  
Required: Yes

 ** Status **   
The status of the access key. `Active` means that the key is valid for API calls, while `Inactive` means it is not.   
Type: String  
Valid Values: `Active | Inactive | Expired`   
Required: Yes

 ** UserName **   
The name of the IAM user that the access key is associated with.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 64.  
Pattern: `[\w+=,.@-]+`   
Required: Yes

 ** CreateDate **   
The date when the access key was created.  
Type: Timestamp  
Required: No

## See Also
<a name="API_AccessKey_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/AccessKey) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/AccessKey) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/AccessKey) 

# AccessKeyLastUsed
<a name="API_AccessKeyLastUsed"></a>

Contains information about the last time an Amazon access key was used since IAM began tracking this information on April 22, 2015.

This data type is used as a response element in the [GetAccessKeyLastUsed](https://docs.amazonaws.cn/IAM/latest/APIReference/API_GetAccessKeyLastUsed.html) operation.

## Contents
<a name="API_AccessKeyLastUsed_Contents"></a>

 ** Region **   
The Amazon Web Services Region where this access key was most recently used. The value for this field is "N/A" in the following situations:  
+ The user does not have an access key.
+ An access key exists but has not been used since IAM began tracking this information.
+ There is no sign-in data associated with the user.

For more information about Amazon Web Services Regions, see [Regions and endpoints](https://docs.amazonaws.cn/general/latest/gr/rande.html) in the Amazon Web Services General Reference.  
Type: String  
Required: Yes

 ** ServiceName **   
The name of the Amazon service with which this access key was most recently used. The value of this field is "N/A" in the following situations:  
+ The user does not have an access key.
+ An access key exists but has not been used since IAM started tracking this information.
+ There is no sign-in data associated with the user.

Type: String  
Required: Yes

 ** LastUsedDate **   
The date and time, in [ISO 8601 date-time format](http://www.iso.org/iso/iso8601), when the access key was most recently used. This field is null in the following situations:  
+ The user does not have an access key.
+ An access key exists but has not been used since IAM began tracking this information.
+ There is no sign-in data associated with the user.

Type: Timestamp  
Required: No

## See Also
<a name="API_AccessKeyLastUsed_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/AccessKeyLastUsed) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/AccessKeyLastUsed) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/AccessKeyLastUsed) 

# AccessKeyMetadata
<a name="API_AccessKeyMetadata"></a>

Contains information about an Amazon access key, without its secret key.

This data type is used as a response element in the [ListAccessKeys](https://docs.amazonaws.cn/IAM/latest/APIReference/API_ListAccessKeys.html) operation.

## Contents
<a name="API_AccessKeyMetadata_Contents"></a>

 ** AccessKeyId **   
The ID for this access key.  
Type: String  
Length Constraints: Minimum length of 16. Maximum length of 128.  
Pattern: `[\w]+`   
Required: No

 ** CreateDate **   
The date when the access key was created.  
Type: Timestamp  
Required: No

 ** Status **   
The status of the access key. `Active` means that the key is valid for API calls; `Inactive` means it is not.  
Type: String  
Valid Values: `Active | Inactive | Expired`   
Required: No

 ** UserName **   
The name of the IAM user that the key is associated with.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 64.  
Pattern: `[\w+=,.@-]+`   
Required: No

## See Also
<a name="API_AccessKeyMetadata_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/AccessKeyMetadata) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/AccessKeyMetadata) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/AccessKeyMetadata) 
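
An added example (not part of the IAM reference) showing how an audit script can combine `AccessKeyMetadata` and `AccessKeyLastUsed` records, including the `"N/A"` and null `LastUsedDate` cases described above. The key IDs, dates and the 90-day and 30-day thresholds are constructed assumptions; the dicts mirror the field names on this page and the code makes no API calls.

```python
from datetime import datetime, timedelta, timezone

# Values taken from the field descriptions on this page.
VALID_STATUS = {"Active", "Inactive", "Expired"}
NOT_AVAILABLE = "N/A"  # Region / ServiceName when no use has been recorded


def audit_key(meta, last_used, now, max_age_days=90, max_idle_days=30):
    """Return a list of findings for one access key.

    meta      -- AccessKeyMetadata-shaped dict (every field is optional)
    last_used -- AccessKeyLastUsed-shaped dict for the same key
    now       -- timezone-aware datetime used as the audit reference time
    The two thresholds are assumed policy values, not IAM defaults.
    """
    status = meta.get("Status")
    if status not in VALID_STATUS:
        return ["unknown-status"]
    if status != "Active":
        return ["not-active"]

    findings = []
    created = meta.get("CreateDate")
    if created is None:
        findings.append("no-create-date")
    elif now - created > timedelta(days=max_age_days):
        findings.append("rotation-overdue")

    used_at = last_used.get("LastUsedDate")
    if used_at is None:
        # A null LastUsedDate is documented together with "N/A" for
        # Region and ServiceName; anything else means the record is partial.
        if (last_used.get("Region") == NOT_AVAILABLE
                and last_used.get("ServiceName") == NOT_AVAILABLE):
            findings.append("never-used")
        else:
            findings.append("last-used-incomplete")
    elif now - used_at > timedelta(days=max_idle_days):
        findings.append("idle")
    return findings


def audit_keys(metadata_list, last_used_by_id, now):
    """Map each AccessKeyId to its findings."""
    report = {}
    for meta in metadata_list:
        key_id = meta.get("AccessKeyId", "<missing AccessKeyId>")
        report[key_id] = audit_key(meta, last_used_by_id.get(key_id, {}), now)
    return report


def _utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample data (not real keys), shaped like the two data types.
SAMPLE_NOW = _utc(2024, 6, 1)
SAMPLE_METADATA = [
    {"AccessKeyId": "CONSTRUCTEDKEYID0001", "UserName": "ci-deploy",
     "Status": "Active", "CreateDate": _utc(2024, 5, 1)},
    {"AccessKeyId": "CONSTRUCTEDKEYID0002", "UserName": "old-batch",
     "Status": "Active", "CreateDate": _utc(2023, 1, 1)},
    {"AccessKeyId": "CONSTRUCTEDKEYID0003", "UserName": "reporting",
     "Status": "Active", "CreateDate": _utc(2024, 3, 15)},
    {"AccessKeyId": "CONSTRUCTEDKEYID0004", "UserName": "reporting",
     "Status": "Inactive", "CreateDate": _utc(2022, 7, 1)},
]
SAMPLE_LAST_USED = {
    "CONSTRUCTEDKEYID0001": {"Region": "cn-north-1", "ServiceName": "s3",
                             "LastUsedDate": _utc(2024, 5, 30)},
    "CONSTRUCTEDKEYID0002": {"Region": "N/A", "ServiceName": "N/A",
                             "LastUsedDate": None},
    "CONSTRUCTEDKEYID0003": {"Region": "cn-north-1", "ServiceName": "sts",
                             "LastUsedDate": _utc(2024, 4, 1)},
    "CONSTRUCTEDKEYID0004": {"Region": "cn-north-1", "ServiceName": "s3",
                             "LastUsedDate": _utc(2022, 8, 1)},
}

if __name__ == "__main__":
    for key_id, findings in audit_keys(SAMPLE_METADATA, SAMPLE_LAST_USED,
                                       SAMPLE_NOW).items():
        print(key_id, findings or "ok")
```
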

# AttachedPermissionsBoundary
<a name="API_AttachedPermissionsBoundary"></a>

Contains information about an attached permissions boundary.

An attached permissions boundary is a managed policy that has been attached to a user or role to set the permissions boundary.

For more information about permissions boundaries, see [Permissions boundaries for IAM identities](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.

## Contents
<a name="API_AttachedPermissionsBoundary_Contents"></a>

 ** PermissionsBoundaryArn **   
 The ARN of the policy used to set the permissions boundary for the user or role.  
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.  
Required: No

 ** PermissionsBoundaryType **   
 The permissions boundary usage type that indicates what type of IAM resource is used as the permissions boundary for an entity. This data type can only have a value of `Policy`.  
Type: String  
Valid Values: `PermissionsBoundaryPolicy`   
Required: No

## See Also
<a name="API_AttachedPermissionsBoundary_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/AttachedPermissionsBoundary) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/AttachedPermissionsBoundary) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/AttachedPermissionsBoundary) 

# AttachedPolicy
<a name="API_AttachedPolicy"></a>

Contains information about an attached policy.

An attached policy is a managed policy that has been attached to a user, group, or role. This data type is used as a response element in the [ListAttachedGroupPolicies](https://docs.amazonaws.cn/IAM/latest/APIReference/API_ListAttachedGroupPolicies.html), [ListAttachedRolePolicies](https://docs.amazonaws.cn/IAM/latest/APIReference/API_ListAttachedRolePolicies.html), [ListAttachedUserPolicies](https://docs.amazonaws.cn/IAM/latest/APIReference/API_ListAttachedUserPolicies.html), and [GetAccountAuthorizationDetails](https://docs.amazonaws.cn/IAM/latest/APIReference/API_GetAccountAuthorizationDetails.html) operations. 

For more information about managed policies, refer to [Managed policies and inline policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide*. 

## Contents
<a name="API_AttachedPolicy_Contents"></a>

 ** PolicyArn **   
The Amazon Resource Name (ARN). ARNs are unique identifiers for Amazon resources.  
For more information about ARNs, go to [Amazon Resource Names (ARNs)](https://docs.amazonaws.cn/general/latest/gr/aws-arns-and-namespaces.html) in the *Amazon General Reference*.   
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.  
Required: No

 ** PolicyName **   
The friendly name of the attached policy.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w+=,.@-]+`   
Required: No

## See Also
<a name="API_AttachedPolicy_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/AttachedPolicy) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/AttachedPolicy) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/AttachedPolicy) 

# ContextEntry
<a name="API_ContextEntry"></a>

Contains information about a condition context key. It includes the name of the key and specifies the value (or values, if the context key supports multiple values) to use in the simulation. This information is used when evaluating the `Condition` elements of the input policies.

This data type is used as an input parameter to [SimulateCustomPolicy](https://docs.amazonaws.cn/IAM/latest/APIReference/API_SimulateCustomPolicy.html) and [SimulatePrincipalPolicy](https://docs.amazonaws.cn/IAM/latest/APIReference/API_SimulatePrincipalPolicy.html).

## Contents
<a name="API_ContextEntry_Contents"></a>

 ** ContextKeyName **   
The full name of a condition context key, including the service prefix. For example, `aws:SourceIp` or `s3:VersionId`.  
Type: String  
Length Constraints: Minimum length of 5. Maximum length of 256.  
Required: No

 ** ContextKeyType **   
The data type of the value (or values) specified in the `ContextKeyValues` parameter.  
Type: String  
Valid Values: `string | stringList | numeric | numericList | boolean | booleanList | ip | ipList | binary | binaryList | date | dateList`   
Required: No

 ** ContextKeyValues.member.N **   
The value (or values, if the condition context key supports multiple values) to provide to the simulation when the key is referenced by a `Condition` element in an input policy.  
Type: Array of strings  
Required: No

## See Also
<a name="API_ContextEntry_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/ContextEntry) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/ContextEntry) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/ContextEntry) 

# DelegationPermission
<a name="API_DelegationPermission"></a>

Contains information about the permissions being delegated in a delegation request.

## Contents
<a name="API_DelegationPermission_Contents"></a>

 ** Parameters.member.N **   
A list of policy parameters that define the scope and constraints of the delegated permissions.  
Type: Array of [PolicyParameter](API_PolicyParameter.md) objects  
Array Members: Maximum number of 50 items.  
Required: No

 ** PolicyTemplateArn **   
This ARN maps to a pre-registered policy content for this partner. See the partner onboarding documentation to understand how to create a delegation template.  
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.  
Required: No

## See Also
<a name="API_DelegationPermission_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/DelegationPermission) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/DelegationPermission) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/DelegationPermission) 

# DelegationRequest
<a name="API_DelegationRequest"></a>

Contains information about a delegation request, including its status, permissions, and associated metadata.

## Contents
<a name="API_DelegationRequest_Contents"></a>

 ** ApproverId **   
The Amazon Resource Name (ARN). ARNs are unique identifiers for Amazon resources.  
For more information about ARNs, go to [Amazon Resource Names (ARNs)](https://docs.amazonaws.cn/general/latest/gr/aws-arns-and-namespaces.html) in the *Amazon General Reference*.   
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.  
Required: No

 ** CreateDate **   
Creation date (timestamp) of this delegation request.  
Type: Timestamp  
Required: No

 ** DelegationRequestId **   
The unique identifier for the delegation request.  
Type: String  
Length Constraints: Minimum length of 16. Maximum length of 128.  
Pattern: `[\w-]+`   
Required: No

 ** Description **   
Description of the delegation request. This is a message that is provided by the Amazon partner that filed the delegation request.  
Type: String  
Length Constraints: Maximum length of 1000.  
Pattern: `[\u0009\u000A\u000D\u0020-\u007E\u00A1-\u00FF]*`   
Required: No

 ** ExpirationTime **   
The expiry time of this delegation request.  
See [Understanding the Request Lifecycle](https://docs.amazonaws.cn/IAM/latest/UserGuide/temporary-delegation-building-integration.html#temporary-delegation-request-lifecycle) for details on the lifetime of a delegation request in each state.  
Type: Timestamp  
Required: No

 ** Notes **   
Notes added to this delegation request, if this request was updated via the [UpdateDelegationRequest](https://docs.amazonaws.cn/IAM/latest/APIReference/API_UpdateDelegationRequest.html) API.  
Type: String  
Length Constraints: Maximum length of 500.  
Pattern: `[\u0009\u000A\u000D\u0020-\u007E\u00A1-\u00FF]*`   
Required: No

 ** OnlySendByOwner **   
A flag indicating whether the [SendDelegationToken](https://docs.amazonaws.cn/IAM/latest/APIReference/API_SendDelegationToken.html) must be called by the owner of this delegation request. This is set by the requesting partner.  
Type: Boolean  
Required: No

 ** OwnerAccountId **   
 Amazon account ID of the owner of the delegation request.  
Type: String  
Pattern: `\d{12}`   
Required: No

 ** OwnerId **   
ARN of the owner of this delegation request.  
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.  
Pattern: `^[a-zA-Z0-9:/+=,.@_-]+$`   
Required: No

 ** PermissionPolicy **   
JSON content of the associated permission policy of this delegation request.  
Type: String  
Required: No

 ** Permissions **   
Contains information about the permissions being delegated in a delegation request.  
Type: [DelegationPermission](API_DelegationPermission.md) object  
Required: No

 ** RedirectUrl **   
A URL to be redirected to once the delegation request is approved. Partners provide this URL when creating the delegation request.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 255.  
Pattern: `^http(s?)://[a-zA-Z0-9._/-]*(\?[a-zA-Z0-9._=&-]*)?(#[a-zA-Z0-9._/-]*)?$`   
Required: No

 ** RejectionReason **   
Reasons for rejecting this delegation request, if this request was rejected. See also [RejectDelegationRequest](https://docs.amazonaws.cn/IAM/latest/APIReference/API_RejectDelegationRequest.html) API documentation.   
Type: String  
Length Constraints: Maximum length of 500.  
Pattern: `[\u0009\u000A\u000D\u0020-\u007E\u00A1-\u00FF]*`   
Required: No

 ** RequestMessage **   
A custom message that is added to the delegation request by the partner.  
This element differs from the `Description` element in that it is a request-specific message injected by the partner. The `Description` is typically a generic explanation of what the delegation request is intended to do.  
Type: String  
Length Constraints: Maximum length of 200.  
Pattern: `[\u0009\u000A\u000D\u0020-\u007E\u00A1-\u00FF]*`   
Required: No

 ** RequestorId **   
Identity of the requestor of this delegation request. This will be an Amazon account ID.  
Type: String  
Pattern: `\d{12}`   
Required: No

 ** RequestorName **   
A friendly name of the requestor.  
Type: String  
Length Constraints: Maximum length of 30.  
Pattern: `[\u0009\u000A\u000D\u0020-\u007E\u00A1-\u00FF]*`   
Required: No

 ** RolePermissionRestrictionArns.member.N **   
If the `PermissionPolicy` includes role creation permissions, this element will include the list of permissions boundary policies associated with the role creation. See [Permissions boundaries for IAM entities](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_boundaries.html) for more details about IAM permission boundaries.   
Type: Array of strings  
Length Constraints: Minimum length of 20. Maximum length of 2048.  
Required: No

 ** SessionDuration **   
The lifetime of the requested session credential.  
Type: Integer  
Valid Range: Minimum value of 300. Maximum value of 43200.  
Required: No

 ** State **   
The state of this delegation request.  
See [Understanding the Request Lifecycle](https://docs.amazonaws.cn/IAM/latest/UserGuide/temporary-delegation-building-integration.html#temporary-delegation-request-lifecycle) for an explanation of how a request transitions between these states.   
Type: String  
Valid Values: `UNASSIGNED | ASSIGNED | PENDING_APPROVAL | FINALIZED | ACCEPTED | REJECTED | EXPIRED`   
Required: No

 ** UpdatedTime **   
Last updated timestamp of the request.  
Type: Timestamp  
Required: No

## See Also
<a name="API_DelegationRequest_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/DelegationRequest) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/DelegationRequest) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/DelegationRequest) 
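
An added example (not part of the IAM reference) of checks an approver-side tool could run on a `DelegationRequest` before acting on it, using the patterns, ranges and valid values listed above. The sample requests are constructed; the https-only rule and the rule that role-creation permissions must come with `RolePermissionRestrictionArns` are reviewer policy assumed for this example, not API requirements, and the policy scan ignores `Deny` statements and conditions.

```python
import json
import re
from datetime import datetime, timezone

# Constraints copied from the DelegationRequest field descriptions above.
REDIRECT_URL_RE = re.compile(
    r"^http(s?)://[a-zA-Z0-9._/-]*(\?[a-zA-Z0-9._=&-]*)?(#[a-zA-Z0-9._/-]*)?$")
ACCOUNT_ID_RE = re.compile(r"\d{12}", re.ASCII)
VALID_STATES = {"UNASSIGNED", "ASSIGNED", "PENDING_APPROVAL", "FINALIZED",
                "ACCEPTED", "REJECTED", "EXPIRED"}
MIN_SESSION, MAX_SESSION = 300, 43200


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers(pattern, action):
    """True if an IAM action pattern (with * and ? wildcards) matches action."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, action, re.IGNORECASE) is not None


def allows_action(policy_json, action):
    """True if any Allow statement in the policy JSON covers the action."""
    doc = json.loads(policy_json)
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions.
            if not any(_covers(p, action) for p in _as_list(stmt["NotAction"])):
                return True
        elif any(_covers(p, action) for p in _as_list(stmt.get("Action"))):
            return True
    return False


def review_delegation_request(req, now):
    """Return findings for a DelegationRequest-shaped dict."""
    findings = []
    if req.get("State") not in VALID_STATES:
        findings.append("unknown-state")
    for field in ("OwnerAccountId", "RequestorId"):
        value = req.get(field)
        if value is not None and not ACCOUNT_ID_RE.fullmatch(value):
            findings.append("bad-" + field)
    duration = req.get("SessionDuration")
    if duration is not None and not MIN_SESSION <= duration <= MAX_SESSION:
        findings.append("session-duration-out-of-range")
    expires = req.get("ExpirationTime")
    if expires is not None and expires <= now:
        findings.append("expired")
    url = req.get("RedirectUrl")
    if url is not None:
        if not 1 <= len(url) <= 255 or not REDIRECT_URL_RE.fullmatch(url):
            findings.append("bad-redirect-url")
        elif url.startswith("http://"):
            # The documented pattern accepts http; the assumed policy does not.
            findings.append("redirect-not-https")
    policy = req.get("PermissionPolicy")
    if policy is not None:
        try:
            creates_roles = allows_action(policy, "iam:CreateRole")
        except (ValueError, AttributeError):
            findings.append("policy-not-parseable")
        else:
            if creates_roles and not req.get("RolePermissionRestrictionArns"):
                findings.append("role-creation-without-boundary")
    return findings


# Constructed sample requests (account IDs and URLs are placeholders).
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RISKY = {
    "State": "PENDING_APPROVAL", "OwnerAccountId": "111122223333",
    "RequestorId": "444455556666", "SessionDuration": 3600,
    "ExpirationTime": datetime(2024, 6, 2, tzinfo=timezone.utc),
    "RedirectUrl": "http://partner.example/callback?req=1",
    "PermissionPolicy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["iam:Create*", "s3:GetObject"],
         "Resource": "*"}]}),
}
SAMPLE_CLEAN = dict(SAMPLE_RISKY,
    RedirectUrl="https://partner.example/callback",
    PermissionPolicy=json.dumps({"Statement": {
        "Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}}))

if __name__ == "__main__":
    print(review_delegation_request(SAMPLE_RISKY, SAMPLE_NOW))
    print(review_delegation_request(SAMPLE_CLEAN, SAMPLE_NOW))
```
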

# DeletionTaskFailureReasonType
<a name="API_DeletionTaskFailureReasonType"></a>

The reason that the service-linked role deletion failed.

This data type is used as a response element in the [GetServiceLinkedRoleDeletionStatus](https://docs.amazonaws.cn/IAM/latest/APIReference/API_GetServiceLinkedRoleDeletionStatus.html) operation.

## Contents
<a name="API_DeletionTaskFailureReasonType_Contents"></a>

 ** Reason **   
A short description of the reason that the service-linked role deletion failed.  
Type: String  
Length Constraints: Maximum length of 1000.  
Required: No

 ** RoleUsageList.member.N **   
A list of objects that contains details about the service-linked role deletion failure, if that information is returned by the service. If the service-linked role has active sessions or if any resources that were used by the role have not been deleted from the linked service, the role can't be deleted. This parameter includes a list of the resources that are associated with the role and the Region in which the resources are being used.  
Type: Array of [RoleUsageType](API_RoleUsageType.md) objects  
Required: No

## See Also
<a name="API_DeletionTaskFailureReasonType_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/DeletionTaskFailureReasonType) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/DeletionTaskFailureReasonType) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/DeletionTaskFailureReasonType) 

# EntityDetails
<a name="API_EntityDetails"></a>

An object that contains details about when the IAM entities (users or roles) were last used in an attempt to access the specified Amazon service.

This data type is a response element in the [GetServiceLastAccessedDetailsWithEntities](https://docs.amazonaws.cn/IAM/latest/APIReference/API_GetServiceLastAccessedDetailsWithEntities.html) operation.

## Contents
<a name="API_EntityDetails_Contents"></a>

 ** EntityInfo **   
The `EntityInfo` object that contains details about the entity (user or role).  
Type: [EntityInfo](API_EntityInfo.md) object  
Required: Yes

 ** LastAuthenticated **   
The date and time, in [ISO 8601 date-time format](http://www.iso.org/iso/iso8601), when the authenticated entity last attempted to access Amazon. Amazon does not report unauthenticated requests.  
This field is null if no IAM entities attempted to access the service within the [tracking period](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_access-advisor.html#service-last-accessed-reporting-period).  
Type: Timestamp  
Required: No

## See Also
<a name="API_EntityDetails_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/EntityDetails) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/EntityDetails) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/EntityDetails) 

# EntityInfo
<a name="API_EntityInfo"></a>

Contains details about the specified entity (user or role).

This data type is an element of the [EntityDetails](https://docs.amazonaws.cn/IAM/latest/APIReference/API_EntityDetails.html) object.

## Contents
<a name="API_EntityInfo_Contents"></a>

 ** Arn **   
The Amazon Resource Name (ARN). ARNs are unique identifiers for Amazon resources.  
For more information about ARNs, go to [Amazon Resource Names (ARNs)](https://docs.amazonaws.cn/general/latest/gr/aws-arns-and-namespaces.html) in the *Amazon General Reference*.   
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.  
Required: Yes

 ** Id **   
The identifier of the entity (user or role).  
Type: String  
Length Constraints: Minimum length of 16. Maximum length of 128.  
Pattern: `[\w]+`   
Required: Yes

 ** Name **   
The name of the entity (user or role).  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 64.  
Pattern: `[\w+=,.@-]+`   
Required: Yes

 ** Type **   
The type of entity (user or role).  
Type: String  
Valid Values: `USER | ROLE | GROUP`   
Required: Yes

 ** Path **   
The path to the entity (user or role). For more information about paths, see [IAM identifiers](https://docs.amazonaws.cn/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*.   
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 512.  
Pattern: `(\u002F)|(\u002F[\u0021-\u007E]+\u002F)`   
Required: No

## See Also
<a name="API_EntityInfo_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/EntityInfo) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/EntityInfo) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/EntityInfo) 

# ErrorDetails
<a name="API_ErrorDetails"></a>

Contains information about the reason that the operation failed.

This data type is used as a response element in the [GetOrganizationsAccessReport](https://docs.amazonaws.cn/IAM/latest/APIReference/API_GetOrganizationsAccessReport.html), [GetServiceLastAccessedDetails](https://docs.amazonaws.cn/IAM/latest/APIReference/API_GetServiceLastAccessedDetails.html), and [GetServiceLastAccessedDetailsWithEntities](https://docs.amazonaws.cn/IAM/latest/APIReference/API_GetServiceLastAccessedDetailsWithEntities.html) operations.

## Contents
<a name="API_ErrorDetails_Contents"></a>

 ** Code **   
The error code associated with the operation failure.  
Type: String  
Required: Yes

 ** Message **   
Detailed information about the reason that the operation failed.  
Type: String  
Required: Yes

## See Also
<a name="API_ErrorDetails_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/ErrorDetails) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/ErrorDetails) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/ErrorDetails) 

# EvaluationResult
<a name="API_EvaluationResult"></a>

Contains the results of a simulation.

This data type is used by the return parameter of [SimulateCustomPolicy](https://docs.amazonaws.cn/IAM/latest/APIReference/API_SimulateCustomPolicy.html) and [SimulatePrincipalPolicy](https://docs.amazonaws.cn/IAM/latest/APIReference/API_SimulatePrincipalPolicy.html).

## Contents
<a name="API_EvaluationResult_Contents"></a>

 ** EvalActionName **   
The name of the API operation tested on the indicated resource.  
Type: String  
Length Constraints: Minimum length of 3. Maximum length of 128.  
Required: Yes

 ** EvalDecision **   
The result of the simulation.  
Type: String  
Valid Values: `allowed | explicitDeny | implicitDeny`   
Required: Yes

 ** EvalDecisionDetails **  EvalDecisionDetails.entry.N.key (key)  EvalDecisionDetails.entry.N.value (value)   
Additional details about the results of the cross-account evaluation decision. This parameter is populated only for cross-account simulations. It contains a brief summary of how each policy type contributes to the final evaluation decision.  
If the simulation evaluates policies within the same account and includes a resource ARN, then the parameter is present but the response is empty. If the simulation evaluates policies within the same account and specifies all resources (`*`), then the parameter is not returned.  
When you make a cross-account request, Amazon evaluates the request in the trusting account and the trusted account. The request is allowed only if both evaluations return `true`. For more information about how policies are evaluated, see [Evaluating policies within a single account](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-basics).  
If an Amazon Organizations SCP included in the evaluation denies access, the simulation ends. In this case, policy evaluation does not proceed any further and this parameter is not returned.  
Type: String to string map  
Key Length Constraints: Minimum length of 3. Maximum length of 256.  
Valid Values: `allowed | explicitDeny | implicitDeny`   
Required: No

 ** EvalResourceName **   
The ARN of the resource that the indicated API operation was tested on.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 2048.  
Required: No

 ** MatchedStatements.member.N **   
A list of the statements in the input policies that determine the result for this scenario. Remember that even if multiple statements allow the operation on the resource, if only one statement denies that operation, then the explicit deny overrides any allow. In addition, the deny statement is the only entry included in the result.  
Type: Array of [Statement](API_Statement.md) objects  
Required: No

 ** MissingContextValues.member.N **   
A list of context keys that are required by the included input policies but that were not provided by one of the input parameters. This list is used when the resource in a simulation is "*", either explicitly, or when the `ResourceArns` parameter is blank. If you include a list of resources, then any missing context values are instead included under the `ResourceSpecificResults` section. To discover the context keys used by a set of policies, you can call [GetContextKeysForCustomPolicy](https://docs.amazonaws.cn/IAM/latest/APIReference/API_GetContextKeysForCustomPolicy.html) or [GetContextKeysForPrincipalPolicy](https://docs.amazonaws.cn/IAM/latest/APIReference/API_GetContextKeysForPrincipalPolicy.html).  
Type: Array of strings  
Length Constraints: Minimum length of 5. Maximum length of 256.  
Required: No

 ** OrganizationsDecisionDetail **   
A structure that details how Organizations and its service control policies affect the results of the simulation. Only applies if the simulated user's account is part of an organization.  
Type: [OrganizationsDecisionDetail](API_OrganizationsDecisionDetail.md) object  
Required: No

 ** PermissionsBoundaryDecisionDetail **   
Contains information about the effect that a permissions boundary has on a policy simulation when the boundary is applied to an IAM entity.  
Type: [PermissionsBoundaryDecisionDetail](API_PermissionsBoundaryDecisionDetail.md) object  
Required: No

 ** ResourceSpecificResults.member.N **   
The individual results of the simulation of the API operation specified in `EvalActionName` on each resource.  
Type: Array of [ResourceSpecificResult](API_ResourceSpecificResult.md) objects  
Required: No
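
The following added example (not part of the IAM API reference) shows one way to triage `EvaluationResult` structures offline, in the dictionary shape an SDK returns them. The sample results are constructed, and the `SourcePolicyId` and `EvalResourceDecision` fields come from the linked `Statement` and `ResourceSpecificResult` types rather than from this section.

```python
"""Triage EvaluationResult structures offline (all sample data is constructed)."""


def explain(result):
    """Return (decision, reasons) for one EvaluationResult dict."""
    decision = result["EvalDecision"]  # allowed | explicitDeny | implicitDeny
    reasons = []

    if decision == "explicitDeny":
        # An explicit deny overrides any allow, and only the denying
        # statement is listed in MatchedStatements.
        sources = sorted({s.get("SourcePolicyId", "unknown")
                          for s in result.get("MatchedStatements", [])})
        reasons.append("explicit deny from " + ", ".join(sources))
    elif decision == "implicitDeny":
        reasons.append("implicit deny")

    org = result.get("OrganizationsDecisionDetail")
    if org is not None and org.get("AllowedByOrganizations") is False:
        reasons.append("not allowed by Organizations SCPs")

    boundary = result.get("PermissionsBoundaryDecisionDetail")
    if boundary is not None and boundary.get("AllowedByPermissionsBoundary") is False:
        reasons.append("not allowed by permissions boundary")

    # Cross-account simulations only: one entry per policy type.
    for policy_type, verdict in sorted(result.get("EvalDecisionDetails", {}).items()):
        if verdict != "allowed":
            reasons.append(f"{policy_type}: {verdict}")

    # Missing context keys are reported at the top level when the resource
    # is "*", and under ResourceSpecificResults when resources were listed.
    missing = set(result.get("MissingContextValues", []))
    for rsr in result.get("ResourceSpecificResults", []):
        missing.update(rsr.get("MissingContextValues", []))
        if rsr["EvalResourceDecision"] != decision:
            reasons.append(f"{rsr['EvalResourceName']}: {rsr['EvalResourceDecision']}")
    if missing:
        # The decision was reached without these keys, so it may differ
        # once the simulation is rerun with them supplied.
        reasons.append("unresolved context keys: " + ", ".join(sorted(missing)))

    return decision, reasons


def needs_review(results):
    """Action names whose result is a deny or rests on unsupplied context keys."""
    flagged = []
    for result in results:
        decision, reasons = explain(result)
        if decision != "allowed" or reasons:
            flagged.append(result["EvalActionName"])
    return flagged


# Constructed sample results; ARNs, account ID and policy names are made up.
INSTANCE_ARN = "arn:aws:ec2:us-east-1:111122223333:instance/i-0example"
SAMPLE_RESULTS = [
    {   # clean allow
        "EvalActionName": "s3:GetObject",
        "EvalResourceName": "arn:aws:s3:::example-bucket/report.csv",
        "EvalDecision": "allowed",
        "MatchedStatements": [{"SourcePolicyId": "ReadReports"}],
        "MissingContextValues": [],
    },
    {   # explicit deny: only the deny statement is returned
        "EvalActionName": "s3:DeleteObject",
        "EvalResourceName": "arn:aws:s3:::example-bucket/report.csv",
        "EvalDecision": "explicitDeny",
        "MatchedStatements": [{"SourcePolicyId": "DenyDeletes"}],
    },
    {   # implicit deny that may only reflect a context key nobody supplied
        "EvalActionName": "ec2:StopInstances",
        "EvalResourceName": INSTANCE_ARN,
        "EvalDecision": "implicitDeny",
        "ResourceSpecificResults": [{
            "EvalResourceName": INSTANCE_ARN,
            "EvalResourceDecision": "implicitDeny",
            "MissingContextValues": ["aws:MultiFactorAuthPresent"],
        }],
    },
    {   # identity policy aside, the permissions boundary does not allow it
        "EvalActionName": "iam:CreateUser",
        "EvalResourceName": "*",
        "EvalDecision": "implicitDeny",
        "PermissionsBoundaryDecisionDetail": {"AllowedByPermissionsBoundary": False},
    },
]

if __name__ == "__main__":
    for item in SAMPLE_RESULTS:
        print(item["EvalActionName"], *explain(item))
```
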

## See Also
<a name="API_EvaluationResult_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/EvaluationResult) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/EvaluationResult) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/EvaluationResult) 

# Group
<a name="API_Group"></a>

Contains information about an IAM group entity.

This data type is used as a response element in the following operations:
+  [CreateGroup](https://docs.amazonaws.cn/IAM/latest/APIReference/API_CreateGroup.html) 
+  [GetGroup](https://docs.amazonaws.cn/IAM/latest/APIReference/API_GetGroup.html) 
+  [ListGroups](https://docs.amazonaws.cn/IAM/latest/APIReference/API_ListGroups.html) 

## Contents
<a name="API_Group_Contents"></a>

 ** Arn **   
 The Amazon Resource Name (ARN) specifying the group. For more information about ARNs and how to use them in policies, see [IAM identifiers](https://docs.amazonaws.cn/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*.   
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.  
Required: Yes

 ** CreateDate **   
The date and time, in [ISO 8601 date-time format](http://www.iso.org/iso/iso8601), when the group was created.  
Type: Timestamp  
Required: Yes

 ** GroupId **   
 The stable and unique string identifying the group. For more information about IDs, see [IAM identifiers](https://docs.amazonaws.cn/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*.   
Type: String  
Length Constraints: Minimum length of 16. Maximum length of 128.  
Pattern: `[\w]+`   
Required: Yes

 ** GroupName **   
The friendly name that identifies the group.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w+=,.@-]+`   
Required: Yes

 ** Path **   
The path to the group. For more information about paths, see [IAM identifiers](https://docs.amazonaws.cn/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*.   
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 512.  
Pattern: `(\u002F)|(\u002F[\u0021-\u007E]+\u002F)`   
Required: Yes

## See Also
<a name="API_Group_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/Group) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/Group) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/Group) 

# GroupDetail
<a name="API_GroupDetail"></a>

Contains information about an IAM group, including all of the group's policies.

This data type is used as a response element in the [GetAccountAuthorizationDetails](https://docs.amazonaws.cn/IAM/latest/APIReference/API_GetAccountAuthorizationDetails.html) operation.

## Contents
<a name="API_GroupDetail_Contents"></a>

 ** Arn **   
The Amazon Resource Name (ARN). ARNs are unique identifiers for Amazon resources.  
For more information about ARNs, go to [Amazon Resource Names (ARNs)](https://docs.amazonaws.cn/general/latest/gr/aws-arns-and-namespaces.html) in the *Amazon General Reference*.   
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.  
Required: No

 ** AttachedManagedPolicies.member.N **   
A list of the managed policies attached to the group.  
Type: Array of [AttachedPolicy](API_AttachedPolicy.md) objects  
Required: No

 ** CreateDate **   
The date and time, in [ISO 8601 date-time format](http://www.iso.org/iso/iso8601), when the group was created.  
Type: Timestamp  
Required: No

 ** GroupId **   
The stable and unique string identifying the group. For more information about IDs, see [IAM identifiers](https://docs.amazonaws.cn/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*.  
Type: String  
Length Constraints: Minimum length of 16. Maximum length of 128.  
Pattern: `[\w]+`   
Required: No

 ** GroupName **   
The friendly name that identifies the group.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w+=,.@-]+`   
Required: No

 ** GroupPolicyList.member.N **   
A list of the inline policies embedded in the group.  
Type: Array of [PolicyDetail](API_PolicyDetail.md) objects  
Required: No

 ** Path **   
The path to the group. For more information about paths, see [IAM identifiers](https://docs.amazonaws.cn/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 512.  
Pattern: `(\u002F)|(\u002F[\u0021-\u007E]+\u002F)`   
Required: No

## See Also
<a name="API_GroupDetail_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/GroupDetail) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/GroupDetail) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/GroupDetail) 

# InstanceProfile
<a name="API_InstanceProfile"></a>

Contains information about an instance profile.

This data type is used as a response element in the following operations:
+  [CreateInstanceProfile](https://docs.amazonaws.cn/IAM/latest/APIReference/API_CreateInstanceProfile.html) 
+  [GetInstanceProfile](https://docs.amazonaws.cn/IAM/latest/APIReference/API_GetInstanceProfile.html) 
+  [ListInstanceProfiles](https://docs.amazonaws.cn/IAM/latest/APIReference/API_ListInstanceProfiles.html) 
+  [ListInstanceProfilesForRole](https://docs.amazonaws.cn/IAM/latest/APIReference/API_ListInstanceProfilesForRole.html) 

## Contents
<a name="API_InstanceProfile_Contents"></a>

 ** Arn **   
 The Amazon Resource Name (ARN) specifying the instance profile. For more information about ARNs and how to use them in policies, see [IAM identifiers](https://docs.amazonaws.cn/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*.   
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.  
Required: Yes

 ** CreateDate **   
The date when the instance profile was created.  
Type: Timestamp  
Required: Yes

 ** InstanceProfileId **   
 The stable and unique string identifying the instance profile. For more information about IDs, see [IAM identifiers](https://docs.amazonaws.cn/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*.   
Type: String  
Length Constraints: Minimum length of 16. Maximum length of 128.  
Pattern: `[\w]+`   
Required: Yes

 ** InstanceProfileName **   
The name identifying the instance profile.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w+=,.@-]+`   
Required: Yes

 ** Path **   
 The path to the instance profile. For more information about paths, see [IAM identifiers](https://docs.amazonaws.cn/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*.   
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 512.  
Pattern: `(\u002F)|(\u002F[\u0021-\u007E]+\u002F)`   
Required: Yes

 ** Roles.member.N **   
The role associated with the instance profile.  
Type: Array of [Role](API_Role.md) objects  
Required: Yes

 ** Tags.member.N **   
A list of tags that are attached to the instance profile. For more information about tagging, see [Tagging IAM resources](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*.  
Type: Array of [Tag](API_Tag.md) objects  
Array Members: Maximum number of 50 items.  
Required: No

## See Also
<a name="API_InstanceProfile_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/InstanceProfile) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/InstanceProfile) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/InstanceProfile) 

# ListPoliciesGrantingServiceAccessEntry
<a name="API_ListPoliciesGrantingServiceAccessEntry"></a>

Contains details about the permissions policies that are attached to the specified identity (user, group, or role).

This data type is used as a response element in the [ListPoliciesGrantingServiceAccess](https://docs.amazonaws.cn/IAM/latest/APIReference/API_ListPoliciesGrantingServiceAccess.html) operation.

## Contents
<a name="API_ListPoliciesGrantingServiceAccessEntry_Contents"></a>

 ** Policies.member.N **   
The `PoliciesGrantingServiceAccess` object that contains details about the policy.  
Type: Array of [PolicyGrantingServiceAccess](API_PolicyGrantingServiceAccess.md) objects  
Required: No

 ** ServiceNamespace **   
The namespace of the service that was accessed.  
To learn the service namespace of a service, see [Actions, resources, and condition keys for Amazon services](https://docs.amazonaws.cn/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html) in the *Service Authorization Reference*. Choose the name of the service to view details for that service. In the first paragraph, find the service prefix. For example, `(service prefix: a4b)`. For more information about service namespaces, see [Amazon service namespaces](https://docs.amazonaws.cn/general/latest/gr/aws-arns-and-namespaces.html#genref-aws-service-namespaces) in the *Amazon General Reference*.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 64.  
Pattern: `[\w-]*`   
Required: No

## See Also
<a name="API_ListPoliciesGrantingServiceAccessEntry_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/ListPoliciesGrantingServiceAccessEntry) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/ListPoliciesGrantingServiceAccessEntry) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/ListPoliciesGrantingServiceAccessEntry) 

# LoginProfile
<a name="API_LoginProfile"></a>

Contains the user name and password create date for a user.

 This data type is used as a response element in the [CreateLoginProfile](https://docs.amazonaws.cn/IAM/latest/APIReference/API_CreateLoginProfile.html) and [GetLoginProfile](https://docs.amazonaws.cn/IAM/latest/APIReference/API_GetLoginProfile.html) operations. 

## Contents
<a name="API_LoginProfile_Contents"></a>

 ** CreateDate **   
The date when the password for the user was created.  
Type: Timestamp  
Required: Yes

 ** UserName **   
The name of the user, which can be used for signing in to the Amazon Web Services Management Console.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 64.  
Pattern: `[\w+=,.@-]+`   
Required: Yes

 ** PasswordResetRequired **   
Specifies whether the user is required to set a new password on next sign-in.  
Type: Boolean  
Required: No

## See Also
<a name="API_LoginProfile_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/LoginProfile) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/LoginProfile) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/LoginProfile) 

# ManagedPolicyDetail
<a name="API_ManagedPolicyDetail"></a>

Contains information about a managed policy, including the policy's ARN, versions, and the number of principal entities (users, groups, and roles) that the policy is attached to.

This data type is used as a response element in the [GetAccountAuthorizationDetails](https://docs.amazonaws.cn/IAM/latest/APIReference/API_GetAccountAuthorizationDetails.html) operation.

For more information about managed policies, see [Managed policies and inline policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide*. 

## Contents
<a name="API_ManagedPolicyDetail_Contents"></a>

 ** Arn **   
The Amazon Resource Name (ARN). ARNs are unique identifiers for Amazon resources.  
For more information about ARNs, go to [Amazon Resource Names (ARNs)](https://docs.amazonaws.cn/general/latest/gr/aws-arns-and-namespaces.html) in the *Amazon General Reference*.   
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.  
Required: No

 ** AttachmentCount **   
The number of principal entities (users, groups, and roles) that the policy is attached to.  
Type: Integer  
Required: No

 ** CreateDate **   
The date and time, in [ISO 8601 date-time format](http://www.iso.org/iso/iso8601), when the policy was created.  
Type: Timestamp  
Required: No

 ** DefaultVersionId **   
The identifier for the version of the policy that is set as the default (operative) version.  
For more information about policy versions, see [Versioning for managed policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/policies-managed-versions.html) in the *IAM User Guide*.   
Type: String  
Pattern: `v[1-9][0-9]*(\.[A-Za-z0-9-]*)?`   
Required: No

 ** Description **   
A friendly description of the policy.  
Type: String  
Length Constraints: Maximum length of 1000.  
Required: No

 ** IsAttachable **   
Specifies whether the policy can be attached to an IAM user, group, or role.  
Type: Boolean  
Required: No

 ** Path **   
The path to the policy.  
For more information about paths, see [IAM identifiers](https://docs.amazonaws.cn/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 512.  
Pattern: `((/[A-Za-z0-9\.,\+@=_-]+)*)/`   
Required: No

 ** PermissionsBoundaryUsageCount **   
The number of entities (users and roles) for which the policy is used as the permissions boundary.   
For more information about permissions boundaries, see [Permissions boundaries for IAM identities](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.  
Type: Integer  
Required: No

 ** PolicyId **   
The stable and unique string identifying the policy.  
For more information about IDs, see [IAM identifiers](https://docs.amazonaws.cn/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*.  
Type: String  
Length Constraints: Minimum length of 16. Maximum length of 128.  
Pattern: `[\w]+`   
Required: No

 ** PolicyName **   
The friendly name (not ARN) identifying the policy.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w+=,.@-]+`   
Required: No

 ** PolicyVersionList.member.N **   
A list containing information about the versions of the policy.  
Type: Array of [PolicyVersion](API_PolicyVersion.md) objects  
Required: No

 ** UpdateDate **   
The date and time, in [ISO 8601 date-time format](http://www.iso.org/iso/iso8601), when the policy was last updated.  
When a policy has only one version, this field contains the date and time when the policy was created. When a policy has more than one version, this field contains the date and time when the most recent policy version was created.  
Type: Timestamp  
Required: No

## See Also
<a name="API_ManagedPolicyDetail_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/ManagedPolicyDetail) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/ManagedPolicyDetail) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/ManagedPolicyDetail) 

# MFADevice
<a name="API_MFADevice"></a>

Contains information about an MFA device.

This data type is used as a response element in the [ListMFADevices](https://docs.amazonaws.cn/IAM/latest/APIReference/API_ListMFADevices.html) operation.

## Contents
<a name="API_MFADevice_Contents"></a>

 ** EnableDate **   
The date when the MFA device was enabled for the user.  
Type: Timestamp  
Required: Yes

 ** SerialNumber **   
The serial number that uniquely identifies the MFA device. For virtual MFA devices, the serial number is the device ARN.  
Type: String  
Length Constraints: Minimum length of 9. Maximum length of 256.  
Pattern: `[\w+=/:,.@-]+`   
Required: Yes

 ** UserName **   
The user with whom the MFA device is associated.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 64.  
Pattern: `[\w+=,.@-]+`   
Required: Yes

## See Also
<a name="API_MFADevice_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/MFADevice) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/MFADevice) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/MFADevice) 

# OpenIDConnectProviderListEntry
<a name="API_OpenIDConnectProviderListEntry"></a>

Contains the Amazon Resource Name (ARN) for an IAM OpenID Connect provider.

## Contents
<a name="API_OpenIDConnectProviderListEntry_Contents"></a>

 ** Arn **   
The Amazon Resource Name (ARN). ARNs are unique identifiers for Amazon resources.  
For more information about ARNs, go to [Amazon Resource Names (ARNs)](https://docs.amazonaws.cn/general/latest/gr/aws-arns-and-namespaces.html) in the *Amazon General Reference*.   
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.  
Required: No

## See Also
<a name="API_OpenIDConnectProviderListEntry_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/OpenIDConnectProviderListEntry) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/OpenIDConnectProviderListEntry) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/OpenIDConnectProviderListEntry) 

# OrganizationsDecisionDetail
<a name="API_OrganizationsDecisionDetail"></a>

Contains information about the effect that Organizations has on a policy simulation.

## Contents
<a name="API_OrganizationsDecisionDetail_Contents"></a>

 ** AllowedByOrganizations **   
Specifies whether the simulated operation is allowed by the Organizations service control policies that impact the simulated user's account.  
Type: Boolean  
Required: No

## See Also
<a name="API_OrganizationsDecisionDetail_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/OrganizationsDecisionDetail) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/OrganizationsDecisionDetail) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/OrganizationsDecisionDetail) 

# PasswordPolicy
<a name="API_PasswordPolicy"></a>

Contains information about the account password policy.

 This data type is used as a response element in the [GetAccountPasswordPolicy](https://docs.amazonaws.cn/IAM/latest/APIReference/API_GetAccountPasswordPolicy.html) operation. 

## Contents
<a name="API_PasswordPolicy_Contents"></a>

 ** AllowUsersToChangePassword **   
Specifies whether IAM users are allowed to change their own password. Gives IAM users permissions to `iam:ChangePassword` for only their user and to the `iam:GetAccountPasswordPolicy` action. This option does not attach a permissions policy to each user, rather the permissions are applied at the account-level for all users by IAM.  
Type: Boolean  
Required: No

 ** ExpirePasswords **   
Indicates whether passwords in the account expire. Returns true if `MaxPasswordAge` contains a value greater than 0. Returns false if `MaxPasswordAge` is 0 or not present.  
Type: Boolean  
Required: No

 ** HardExpiry **   
Specifies whether IAM users are prevented from setting a new password via the Amazon Web Services Management Console after their password has expired. The IAM user cannot access the console until an administrator resets the password. IAM users with `iam:ChangePassword` permission and active access keys can reset their own expired console password using the Amazon CLI or API.  
Type: Boolean  
Required: No

 ** MaxPasswordAge **   
The number of days that an IAM user password is valid.  
Type: Integer  
Valid Range: Minimum value of 1. Maximum value of 1095.  
Required: No

 ** MinimumPasswordLength **   
Minimum length to require for IAM user passwords.  
Type: Integer  
Valid Range: Minimum value of 6. Maximum value of 128.  
Required: No

 ** PasswordReusePrevention **   
Specifies the number of previous passwords that IAM users are prevented from reusing.  
Type: Integer  
Valid Range: Minimum value of 1. Maximum value of 24.  
Required: No

 ** RequireLowercaseCharacters **   
Specifies whether IAM user passwords must contain at least one lowercase character (a to z).  
Type: Boolean  
Required: No

 ** RequireNumbers **   
Specifies whether IAM user passwords must contain at least one numeric character (0 to 9).  
Type: Boolean  
Required: No

 ** RequireSymbols **   
Specifies whether IAM user passwords must contain at least one of the following symbols:  
`! @ # $ % ^ & * ( ) _ + - = [ ] { } | '`  
Type: Boolean  
Required: No

 ** RequireUppercaseCharacters **   
Specifies whether IAM user passwords must contain at least one uppercase character (A to Z).  
Type: Boolean  
Required: No
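
The following added example (not part of the IAM API reference) audits a `PasswordPolicy` structure against a baseline, treating every absent optional element as "not enforced" and cross-checking `ExpirePasswords` against `MaxPasswordAge`. The baseline thresholds and both sample policies are assumptions constructed for this example, not Amazon defaults.

```python
"""Audit a PasswordPolicy structure offline (sample policies are constructed)."""

# Assumed baseline for this example; replace with your own standard.
BASELINE = {
    "MinimumPasswordLength": 14,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
}
CHARACTER_CLASSES = (
    "RequireLowercaseCharacters",
    "RequireUppercaseCharacters",
    "RequireNumbers",
    "RequireSymbols",
)


def audit_password_policy(policy, baseline=BASELINE):
    """Return a list of findings; an empty list means the baseline is met."""
    findings = []

    # No element is guaranteed to be present, so a missing key is read
    # as "not enforced" rather than silently passing.
    length = policy.get("MinimumPasswordLength")
    if length is None or length < baseline["MinimumPasswordLength"]:
        findings.append(
            f"MinimumPasswordLength is {length}, baseline is "
            f"{baseline['MinimumPasswordLength']}")

    for field in CHARACTER_CLASSES:
        if policy.get(field) is not True:
            findings.append(f"{field} is not enforced")

    reuse = policy.get("PasswordReusePrevention")
    if reuse is None:
        findings.append("PasswordReusePrevention is not set")
    elif reuse < baseline["PasswordReusePrevention"]:
        findings.append(
            f"PasswordReusePrevention is {reuse}, baseline is "
            f"{baseline['PasswordReusePrevention']}")

    max_age = policy.get("MaxPasswordAge")
    if not max_age:  # absent or 0: passwords do not expire
        findings.append("passwords never expire (MaxPasswordAge is 0 or absent)")
    elif max_age > baseline["MaxPasswordAge"]:
        findings.append(
            f"MaxPasswordAge is {max_age}, baseline is {baseline['MaxPasswordAge']}")

    # ExpirePasswords is derived from MaxPasswordAge, so a mismatch means
    # the record was hand-built, truncated or altered before it reached us.
    if "ExpirePasswords" in policy and policy["ExpirePasswords"] != bool(max_age):
        findings.append("ExpirePasswords is inconsistent with MaxPasswordAge")

    # With HardExpiry, an expired user is locked out of the console until
    # an administrator resets the password.
    if policy.get("HardExpiry") is True and policy.get("AllowUsersToChangePassword") is not True:
        findings.append(
            "HardExpiry without AllowUsersToChangePassword: expired users "
            "may depend on an administrator reset")

    return findings


# Constructed sample policies.
STRONG_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireLowercaseCharacters": True,
    "RequireUppercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
    "PasswordReusePrevention": 24,
    "MaxPasswordAge": 90,
    "ExpirePasswords": True,
    "HardExpiry": False,
    "AllowUsersToChangePassword": True,
}
WEAK_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireNumbers": True,
    "ExpirePasswords": False,
}

if __name__ == "__main__":
    for name, sample in (("strong", STRONG_POLICY), ("weak", WEAK_POLICY)):
        print(name, audit_password_policy(sample))
```
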

## See Also
<a name="API_PasswordPolicy_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/PasswordPolicy) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/PasswordPolicy) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/PasswordPolicy) 

# PermissionsBoundaryDecisionDetail
<a name="API_PermissionsBoundaryDecisionDetail"></a>

Contains information about the effect that a permissions boundary has on a policy simulation when the boundary is applied to an IAM entity.

## Contents
<a name="API_PermissionsBoundaryDecisionDetail_Contents"></a>

 ** AllowedByPermissionsBoundary **   
Specifies whether an action is allowed by a permissions boundary that is applied to an IAM entity (user or role). A value of `true` means that the permissions boundary does not deny the action. This means that the policy includes an `Allow` statement that matches the request. In this case, if an identity-based policy also allows the action, the request is allowed. A value of `false` means that either the requested action is not allowed (implicitly denied) or that the action is explicitly denied by the permissions boundary. In both of these cases, the action is not allowed, regardless of the identity-based policy.  
Type: Boolean  
Required: No

## See Also
<a name="API_PermissionsBoundaryDecisionDetail_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/PermissionsBoundaryDecisionDetail) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/PermissionsBoundaryDecisionDetail) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/PermissionsBoundaryDecisionDetail) 

# Policy
<a name="API_Policy"></a>

Contains information about a managed policy.

This data type is used as a response element in the [CreatePolicy](https://docs.amazonaws.cn/IAM/latest/APIReference/API_CreatePolicy.html), [GetPolicy](https://docs.amazonaws.cn/IAM/latest/APIReference/API_GetPolicy.html), and [ListPolicies](https://docs.amazonaws.cn/IAM/latest/APIReference/API_ListPolicies.html) operations. 

For more information about managed policies, refer to [Managed policies and inline policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide*. 

## Contents
<a name="API_Policy_Contents"></a>

 ** Arn **   
The Amazon Resource Name (ARN). ARNs are unique identifiers for Amazon resources.  
For more information about ARNs, go to [Amazon Resource Names (ARNs)](https://docs.amazonaws.cn/general/latest/gr/aws-arns-and-namespaces.html) in the *Amazon General Reference*.   
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.  
Required: No

 ** AttachmentCount **   
The number of entities (users, groups, and roles) that the policy is attached to.  
Type: Integer  
Required: No

 ** CreateDate **   
The date and time, in [ISO 8601 date-time format](http://www.iso.org/iso/iso8601), when the policy was created.  
Type: Timestamp  
Required: No

 ** DefaultVersionId **   
The identifier for the version of the policy that is set as the default version.  
Type: String  
Pattern: `v[1-9][0-9]*(\.[A-Za-z0-9-]*)?`   
Required: No

 ** Description **   
A friendly description of the policy.  
This element is included in the response to the [GetPolicy](https://docs.amazonaws.cn/IAM/latest/APIReference/API_GetPolicy.html) operation. It is not included in the response to the [ListPolicies](https://docs.amazonaws.cn/IAM/latest/APIReference/API_ListPolicies.html) operation.   
Type: String  
Length Constraints: Maximum length of 1000.  
Required: No

 ** IsAttachable **   
Specifies whether the policy can be attached to an IAM user, group, or role.  
Type: Boolean  
Required: No

 ** Path **   
The path to the policy.  
For more information about paths, see [IAM identifiers](https://docs.amazonaws.cn/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 512.  
Pattern: `((/[A-Za-z0-9\.,\+@=_-]+)*)/`   
Required: No

 ** PermissionsBoundaryUsageCount **   
The number of entities (users and roles) for which the policy is used to set the permissions boundary.   
For more information about permissions boundaries, see [Permissions boundaries for IAM identities](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.  
Type: Integer  
Required: No

 ** PolicyId **   
The stable and unique string identifying the policy.  
For more information about IDs, see [IAM identifiers](https://docs.amazonaws.cn/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*.  
Type: String  
Length Constraints: Minimum length of 16. Maximum length of 128.  
Pattern: `[\w]+`   
Required: No

 ** PolicyName **   
The friendly name (not ARN) identifying the policy.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w+=,.@-]+`   
Required: No

 ** Tags.member.N **   
A list of tags that are attached to the instance profile. For more information about tagging, see [Tagging IAM resources](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*.  
Type: Array of [Tag](API_Tag.md) objects  
Array Members: Maximum number of 50 items.  
Required: No

 ** UpdateDate **   
The date and time, in [ISO 8601 date-time format](http://www.iso.org/iso/iso8601), when the policy was last updated.  
When a policy has only one version, this field contains the date and time when the policy was created. When a policy has more than one version, this field contains the date and time when the most recent policy version was created.  
Type: Timestamp  
Required: No

## See Also
<a name="API_Policy_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/Policy) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/Policy) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/Policy) 

# PolicyDetail
<a name="API_PolicyDetail"></a>

Contains information about an IAM policy, including the policy document.

This data type is used as a response element in the [GetAccountAuthorizationDetails](https://docs.amazonaws.cn/IAM/latest/APIReference/API_GetAccountAuthorizationDetails.html) operation.

## Contents
<a name="API_PolicyDetail_Contents"></a>

 ** PolicyDocument **   
The policy document.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 131072.  
Pattern: `[\u0009\u000A\u000D\u0020-\u00FF]+`   
Required: No

 ** PolicyName **   
The name of the policy.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w+=,.@-]+`   
Required: No

## See Also
<a name="API_PolicyDetail_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/PolicyDetail) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/PolicyDetail) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/PolicyDetail) 

# PolicyGrantingServiceAccess
<a name="API_PolicyGrantingServiceAccess"></a>

Contains details about the permissions policies that are attached to the specified identity (user, group, or role).

This data type is an element of the [ListPoliciesGrantingServiceAccessEntry](https://docs.amazonaws.cn/IAM/latest/APIReference/API_ListPoliciesGrantingServiceAccessEntry.html) object.

## Contents
<a name="API_PolicyGrantingServiceAccess_Contents"></a>

 ** PolicyName **   
The policy name.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w+=,.@-]+`   
Required: Yes

 ** PolicyType **   
The policy type. For more information about these policy types, see [Managed policies and inline policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_managed-vs-inline.html) in the *IAM User Guide*.  
Type: String  
Valid Values: `INLINE | MANAGED`   
Required: Yes

 ** EntityName **   
The name of the entity (user or role) to which the inline policy is attached.  
This field is null for managed policies. For more information about these policy types, see [Managed policies and inline policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_managed-vs-inline.html) in the *IAM User Guide*.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w+=,.@-]+`   
Required: No

 ** EntityType **   
The type of entity (user or role) that used the policy to access the service to which the inline policy is attached.  
This field is null for managed policies. For more information about these policy types, see [Managed policies and inline policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_managed-vs-inline.html) in the *IAM User Guide*.  
Type: String  
Valid Values: `USER | ROLE | GROUP`   
Required: No

 ** PolicyArn **   
The Amazon Resource Name (ARN). ARNs are unique identifiers for Amazon resources.  
For more information about ARNs, go to [Amazon Resource Names (ARNs)](https://docs.amazonaws.cn/general/latest/gr/aws-arns-and-namespaces.html) in the *Amazon General Reference*.   
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.  
Required: No

## See Also
<a name="API_PolicyGrantingServiceAccess_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/PolicyGrantingServiceAccess) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/PolicyGrantingServiceAccess) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/PolicyGrantingServiceAccess) 

# PolicyGroup
<a name="API_PolicyGroup"></a>

Contains information about a group that a managed policy is attached to.

This data type is used as a response element in the [ListEntitiesForPolicy](https://docs.amazonaws.cn/IAM/latest/APIReference/API_ListEntitiesForPolicy.html) operation. 

For more information about managed policies, refer to [Managed policies and inline policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide*. 

## Contents
<a name="API_PolicyGroup_Contents"></a>

 ** GroupId **   
The stable and unique string identifying the group. For more information about IDs, see [IAM identifiers](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_identifiers.html) in the *IAM User Guide*.  
Type: String  
Length Constraints: Minimum length of 16. Maximum length of 128.  
Pattern: `[\w]+`   
Required: No

 ** GroupName **   
The name (friendly name, not ARN) identifying the group.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w+=,.@-]+`   
Required: No

## See Also
<a name="API_PolicyGroup_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/PolicyGroup) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/PolicyGroup) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/PolicyGroup) 

# PolicyParameter
<a name="API_PolicyParameter"></a>

Contains information about a policy parameter used to customize delegated permissions.

## Contents
<a name="API_PolicyParameter_Contents"></a>

 ** Name **   
The name of the policy parameter.  
Type: String  
Length Constraints: Minimum length of 5. Maximum length of 256.  
Pattern: `[ -~]+`   
Required: No

 ** Type **   
The data type of the policy parameter value.  
Type: String  
Valid Values: `string | stringList`   
Required: No

 ** Values.member.N **   
The allowed values for the policy parameter.  
Type: Array of strings  
Pattern: `[ -~]+`   
Required: No

## See Also
<a name="API_PolicyParameter_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/PolicyParameter) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/PolicyParameter) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/PolicyParameter) 

# PolicyRole
<a name="API_PolicyRole"></a>

Contains information about a role that a managed policy is attached to.

This data type is used as a response element in the [ListEntitiesForPolicy](https://docs.amazonaws.cn/IAM/latest/APIReference/API_ListEntitiesForPolicy.html) operation. 

For more information about managed policies, refer to [Managed policies and inline policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide*. 

## Contents
<a name="API_PolicyRole_Contents"></a>

 ** RoleId **   
The stable and unique string identifying the role. For more information about IDs, see [IAM identifiers](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_identifiers.html) in the *IAM User Guide*.  
Type: String  
Length Constraints: Minimum length of 16. Maximum length of 128.  
Pattern: `[\w]+`   
Required: No

 ** RoleName **   
The name (friendly name, not ARN) identifying the role.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 64.  
Pattern: `[\w+=,.@-]+`   
Required: No

## See Also
<a name="API_PolicyRole_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/PolicyRole) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/PolicyRole) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/PolicyRole) 

# PolicyUser
<a name="API_PolicyUser"></a>

Contains information about a user that a managed policy is attached to.

This data type is used as a response element in the [ListEntitiesForPolicy](https://docs.amazonaws.cn/IAM/latest/APIReference/API_ListEntitiesForPolicy.html) operation. 

For more information about managed policies, refer to [Managed policies and inline policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide*. 

## Contents
<a name="API_PolicyUser_Contents"></a>

 ** UserId **   
The stable and unique string identifying the user. For more information about IDs, see [IAM identifiers](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_identifiers.html) in the *IAM User Guide*.  
Type: String  
Length Constraints: Minimum length of 16. Maximum length of 128.  
Pattern: `[\w]+`   
Required: No

 ** UserName **   
The name (friendly name, not ARN) identifying the user.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 64.  
Pattern: `[\w+=,.@-]+`   
Required: No

## See Also
<a name="API_PolicyUser_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/PolicyUser) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/PolicyUser) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/PolicyUser) 

# PolicyVersion
<a name="API_PolicyVersion"></a>

Contains information about a version of a managed policy.

This data type is used as a response element in the [CreatePolicyVersion](https://docs.amazonaws.cn/IAM/latest/APIReference/API_CreatePolicyVersion.html), [GetPolicyVersion](https://docs.amazonaws.cn/IAM/latest/APIReference/API_GetPolicyVersion.html), [ListPolicyVersions](https://docs.amazonaws.cn/IAM/latest/APIReference/API_ListPolicyVersions.html), and [GetAccountAuthorizationDetails](https://docs.amazonaws.cn/IAM/latest/APIReference/API_GetAccountAuthorizationDetails.html) operations. 

For more information about managed policies, refer to [Managed policies and inline policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide*. 

## Contents
<a name="API_PolicyVersion_Contents"></a>

 ** CreateDate **   
The date and time, in [ISO 8601 date-time format](http://www.iso.org/iso/iso8601), when the policy version was created.  
Type: Timestamp  
Required: No

 ** Document **   
The policy document.  
The policy document is returned in the response to the [GetPolicyVersion](https://docs.amazonaws.cn/IAM/latest/APIReference/API_GetPolicyVersion.html) and [GetAccountAuthorizationDetails](https://docs.amazonaws.cn/IAM/latest/APIReference/API_GetAccountAuthorizationDetails.html) operations. It is not returned in the response to the [CreatePolicyVersion](https://docs.amazonaws.cn/IAM/latest/APIReference/API_CreatePolicyVersion.html) or [ListPolicyVersions](https://docs.amazonaws.cn/IAM/latest/APIReference/API_ListPolicyVersions.html) operations.   
The policy document returned in this structure is URL-encoded compliant with [RFC 3986](https://tools.ietf.org/html/rfc3986). You can use a URL decoding method to convert the policy back to plain JSON text. For example, if you use Java, you can use the `decode` method of the `java.net.URLDecoder` utility class in the Java SDK. Other languages and SDKs provide similar functionality.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 131072.  
Pattern: `[\u0009\u000A\u000D\u0020-\u00FF]+`   
Required: No

 ** IsDefaultVersion **   
Specifies whether the policy version is set as the policy's default version.  
Type: Boolean  
Required: No

 ** VersionId **   
The identifier for the policy version.  
Policy version identifiers always begin with `v` (always lowercase). When a policy is created, the first policy version is `v1`.   
Type: String  
Pattern: `v[1-9][0-9]*(\.[A-Za-z0-9-]*)?`   
Required: No
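
The following is an added example, not part of the AWS reference: it picks the default version out of a list of `PolicyVersion` structures, checks `VersionId` and `Document` against the constraints listed above, and URL-decodes `Document` into JSON. The function names and the sample policies are constructed for illustration; it also assumes that an SDK may already have decoded `Document` into a mapping, and passes that through.

```python
import json
import re
from urllib.parse import quote, unquote

# Constraints copied from the PolicyVersion field descriptions above.
VERSION_ID_RE = re.compile(r"v[1-9][0-9]*(\.[A-Za-z0-9-]*)?")
DOCUMENT_RE = re.compile(r"[\u0009\u000A\u000D\u0020-\u00FF]+")
DOCUMENT_MAX_LEN = 131072


def decode_document(document):
    """Turn a PolicyVersion Document into a dict whose Statement is always a list."""
    if isinstance(document, dict):
        # Assumption: the caller's SDK already decoded the document.
        policy = document
    else:
        if not 1 <= len(document) <= DOCUMENT_MAX_LEN:
            raise ValueError("Document length outside 1..131072")
        if not DOCUMENT_RE.fullmatch(document):
            raise ValueError("Document has characters outside the documented pattern")
        # unquote(), not unquote_plus(): RFC 3986 percent-encoding does not
        # use '+' to mean a space, so a literal '+' must survive decoding.
        policy = json.loads(unquote(document))
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        # The policy grammar allows a single statement object instead of a list.
        statements = [statements]
    return {**policy, "Statement": statements}


def default_policy_document(versions):
    """Return (VersionId, decoded policy) for the default version, or None.

    None is returned when no version is marked default or when the default
    version carries no Document (as in ListPolicyVersions responses).
    """
    default = None
    for version in versions:
        version_id = version.get("VersionId", "")
        if not VERSION_ID_RE.fullmatch(version_id):
            raise ValueError(f"unexpected VersionId: {version_id!r}")
        if version.get("IsDefaultVersion"):
            if default is not None:
                raise ValueError("more than one version marked as default")
            default = version
    if default is None or default.get("Document") is None:
        return None
    return default["VersionId"], decode_document(default["Document"])


# Constructed sample data: two versions of one managed policy, encoded the
# way the Document field is described above.
POLICY_V1 = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
POLICY_V2 = {"Version": "2012-10-17",
             "Statement": {"Effect": "Allow", "Action": "s3:GetObject",
                           "Resource": "arn:aws:s3:::example-bucket/*"}}
SAMPLE_VERSIONS = [
    {"VersionId": "v1", "IsDefaultVersion": False,
     "Document": quote(json.dumps(POLICY_V1), safe="")},
    {"VersionId": "v2", "IsDefaultVersion": True,
     "Document": quote(json.dumps(POLICY_V2), safe="")},
]

if __name__ == "__main__":
    version_id, policy = default_policy_document(SAMPLE_VERSIONS)
    print(version_id, json.dumps(policy, indent=2))
```

Only the default version is in effect for the entities a managed policy is attached to, so a review should decode that version rather than the newest one.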

## See Also
<a name="API_PolicyVersion_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/PolicyVersion) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/PolicyVersion) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/PolicyVersion) 

# Position
<a name="API_Position"></a>

Contains the row and column of a location of a `Statement` element in a policy document.

This data type is used as a member of the [Statement](https://docs.amazonaws.cn/IAM/latest/APIReference/API_Statement.html) type.

## Contents
<a name="API_Position_Contents"></a>

 ** Column **   
The column in the line containing the specified position in the document.  
Type: Integer  
Required: No

 ** Line **   
The line containing the specified position in the document.  
Type: Integer  
Required: No

## See Also
<a name="API_Position_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/Position) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/Position) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/Position) 

# ResourceSpecificResult
<a name="API_ResourceSpecificResult"></a>

Contains the result of the simulation of a single API operation call on a single resource.

This data type is used by a member of the [EvaluationResult](https://docs.amazonaws.cn/IAM/latest/APIReference/API_EvaluationResult.html) data type.

## Contents
<a name="API_ResourceSpecificResult_Contents"></a>

 ** EvalResourceDecision **   
The result of the simulation of the simulated API operation on the resource specified in `EvalResourceName`.  
Type: String  
Valid Values: `allowed | explicitDeny | implicitDeny`   
Required: Yes

 ** EvalResourceName **   
The name of the simulated resource, in Amazon Resource Name (ARN) format.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 2048.  
Required: Yes

 ** EvalDecisionDetails **  EvalDecisionDetails.entry.N.key (key)  EvalDecisionDetails.entry.N.value (value)   
Additional details about the results of the evaluation decision on a single resource. This parameter is returned only for cross-account simulations. This parameter explains how each policy type contributes to the resource-specific evaluation decision.  
Type: String to string map  
Key Length Constraints: Minimum length of 3. Maximum length of 256.  
Valid Values: `allowed | explicitDeny | implicitDeny`   
Required: No

 ** MatchedStatements.member.N **   
A list of the statements in the input policies that determine the result for this part of the simulation. Remember that even if multiple statements allow the operation on the resource, if *any* statement denies that operation, then the explicit deny overrides any allow. In addition, the deny statement is the only entry included in the result.  
Type: Array of [Statement](API_Statement.md) objects  
Required: No

 ** MissingContextValues.member.N **   
A list of context keys that are required by the included input policies but that were not provided by one of the input parameters. This list is used when a list of ARNs is included in the `ResourceArns` parameter instead of "*". If you do not specify individual resources, by setting `ResourceArns` to "*" or by not including the `ResourceArns` parameter, then any missing context values are instead included under the `EvaluationResults` section. To discover the context keys used by a set of policies, you can call [GetContextKeysForCustomPolicy](https://docs.amazonaws.cn/IAM/latest/APIReference/API_GetContextKeysForCustomPolicy.html) or [GetContextKeysForPrincipalPolicy](https://docs.amazonaws.cn/IAM/latest/APIReference/API_GetContextKeysForPrincipalPolicy.html).  
Type: Array of strings  
Length Constraints: Minimum length of 5. Maximum length of 256.  
Required: No

 ** PermissionsBoundaryDecisionDetail **   
Contains information about the effect that a permissions boundary has on a policy simulation when that boundary is applied to an IAM entity.  
Type: [PermissionsBoundaryDecisionDetail](API_PermissionsBoundaryDecisionDetail.md) object  
Required: No

## See Also
<a name="API_ResourceSpecificResult_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/ResourceSpecificResult) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/ResourceSpecificResult) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/ResourceSpecificResult) 

# Role
<a name="API_Role"></a>

Contains information about an IAM role. This structure is returned as a response element in several API operations that interact with roles.

## Contents
<a name="API_Role_Contents"></a>

 ** Arn **   
The Amazon Resource Name (ARN) specifying the role. For more information about ARNs and how to use them in policies, see [IAM identifiers](https://docs.amazonaws.cn/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*.   
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.  
Required: Yes

 ** CreateDate **   
The date and time, in [ISO 8601 date-time format](http://www.iso.org/iso/iso8601), when the role was created.  
Type: Timestamp  
Required: Yes

 ** Path **   
 The path to the role. For more information about paths, see [IAM identifiers](https://docs.amazonaws.cn/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*.   
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 512.  
Pattern: `(\u002F)|(\u002F[\u0021-\u007E]+\u002F)`   
Required: Yes

 ** RoleId **   
 The stable and unique string identifying the role. For more information about IDs, see [IAM identifiers](https://docs.amazonaws.cn/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*.   
Type: String  
Length Constraints: Minimum length of 16. Maximum length of 128.  
Pattern: `[\w]+`   
Required: Yes

 ** RoleName **   
The friendly name that identifies the role.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 64.  
Pattern: `[\w+=,.@-]+`   
Required: Yes

 ** AssumeRolePolicyDocument **   
The policy that grants an entity permission to assume the role.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 131072.  
Pattern: `[\u0009\u000A\u000D\u0020-\u00FF]+`   
Required: No

 ** Description **   
A description of the role that you provide.  
Type: String  
Length Constraints: Maximum length of 1000.  
Pattern: `[\u0009\u000A\u000D\u0020-\u007E\u00A1-\u00FF]*`   
Required: No

 ** MaxSessionDuration **   
The maximum session duration (in seconds) for the specified role. Anyone who uses the Amazon CLI or API to assume the role can specify the duration using the optional `DurationSeconds` API parameter or `duration-seconds` CLI parameter.  
Type: Integer  
Valid Range: Minimum value of 3600. Maximum value of 43200.  
Required: No

 ** PermissionsBoundary **   
The ARN of the policy used to set the permissions boundary for the role.  
For more information about permissions boundaries, see [Permissions boundaries for IAM identities](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.  
Type: [AttachedPermissionsBoundary](API_AttachedPermissionsBoundary.md) object  
Required: No

 ** RoleLastUsed **   
Contains information about the last time that an IAM role was used. This includes the date and time and the Region in which the role was last used. Activity is only reported for the trailing 400 days. This period can be shorter if your Region began supporting these features within the last year. The role might have been used more than 400 days ago. For more information, see [Regions where data is tracked](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_access-advisor.html#access-advisor_tracking-period) in the *IAM User Guide*.  
Type: [RoleLastUsed](API_RoleLastUsed.md) object  
Required: No

 ** Tags.member.N **   
A list of tags that are attached to the role. For more information about tagging, see [Tagging IAM resources](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*.  
Type: Array of [Tag](API_Tag.md) objects  
Array Members: Maximum number of 50 items.  
Required: No

## See Also
<a name="API_Role_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/Role) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/Role) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/Role) 

# RoleDetail
<a name="API_RoleDetail"></a>

Contains information about an IAM role, including all of the role's policies.

This data type is used as a response element in the [GetAccountAuthorizationDetails](https://docs.amazonaws.cn/IAM/latest/APIReference/API_GetAccountAuthorizationDetails.html) operation.

## Contents
<a name="API_RoleDetail_Contents"></a>

 ** Arn **   
The Amazon Resource Name (ARN). ARNs are unique identifiers for Amazon resources.  
For more information about ARNs, go to [Amazon Resource Names (ARNs)](https://docs.amazonaws.cn/general/latest/gr/aws-arns-and-namespaces.html) in the *Amazon General Reference*.   
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.  
Required: No

 ** AssumeRolePolicyDocument **   
The trust policy that grants permission to assume the role.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 131072.  
Pattern: `[\u0009\u000A\u000D\u0020-\u00FF]+`   
Required: No

 ** AttachedManagedPolicies.member.N **   
A list of managed policies attached to the role. These policies are the role's access (permissions) policies.  
Type: Array of [AttachedPolicy](API_AttachedPolicy.md) objects  
Required: No

 ** CreateDate **   
The date and time, in [ISO 8601 date-time format](http://www.iso.org/iso/iso8601), when the role was created.  
Type: Timestamp  
Required: No

 ** InstanceProfileList.member.N **   
A list of instance profiles that contain this role.  
Type: Array of [InstanceProfile](API_InstanceProfile.md) objects  
Required: No

 ** Path **   
The path to the role. For more information about paths, see [IAM identifiers](https://docs.amazonaws.cn/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 512.  
Pattern: `(\u002F)|(\u002F[\u0021-\u007E]+\u002F)`   
Required: No

 ** PermissionsBoundary **   
The ARN of the policy used to set the permissions boundary for the role.  
For more information about permissions boundaries, see [Permissions boundaries for IAM identities](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.  
Type: [AttachedPermissionsBoundary](API_AttachedPermissionsBoundary.md) object  
Required: No

 ** RoleId **   
The stable and unique string identifying the role. For more information about IDs, see [IAM identifiers](https://docs.amazonaws.cn/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*.  
Type: String  
Length Constraints: Minimum length of 16. Maximum length of 128.  
Pattern: `[\w]+`   
Required: No

 ** RoleLastUsed **   
Contains information about the last time that an IAM role was used. This includes the date and time and the Region in which the role was last used. Activity is only reported for the trailing 400 days. This period can be shorter if your Region began supporting these features within the last year. The role might have been used more than 400 days ago. For more information, see [Regions where data is tracked](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_access-advisor.html#access-advisor_tracking-period) in the *IAM User Guide*.  
Type: [RoleLastUsed](API_RoleLastUsed.md) object  
Required: No

 ** RoleName **   
The friendly name that identifies the role.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 64.  
Pattern: `[\w+=,.@-]+`   
Required: No

 ** RolePolicyList.member.N **   
A list of inline policies embedded in the role. These policies are the role's access (permissions) policies.  
Type: Array of [PolicyDetail](API_PolicyDetail.md) objects  
Required: No

 ** Tags.member.N **   
A list of tags that are attached to the role. For more information about tagging, see [Tagging IAM resources](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*.  
Type: Array of [Tag](API_Tag.md) objects  
Array Members: Maximum number of 50 items.  
Required: No

## See Also
<a name="API_RoleDetail_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/RoleDetail) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/RoleDetail) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/RoleDetail) 

# RoleLastUsed
<a name="API_RoleLastUsed"></a>

Contains information about the last time that an IAM role was used. This includes the date and time and the Region in which the role was last used. Activity is only reported for the trailing 400 days. This period can be shorter if your Region began supporting these features within the last year. The role might have been used more than 400 days ago. For more information, see [Regions where data is tracked](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_access-advisor.html#access-advisor_tracking-period) in the *IAM User Guide*.

This data type is returned as a response element in the [GetRole](https://docs.amazonaws.cn/IAM/latest/APIReference/API_GetRole.html) and [GetAccountAuthorizationDetails](https://docs.amazonaws.cn/IAM/latest/APIReference/API_GetAccountAuthorizationDetails.html) operations.

## Contents
<a name="API_RoleLastUsed_Contents"></a>

 ** LastUsedDate **   
The date and time, in [ISO 8601 date-time format](http://www.iso.org/iso/iso8601), that the role was last used.  
This field is null if the role has not been used within the IAM tracking period. For more information about the tracking period, see [Regions where data is tracked](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_access-advisor.html#access-advisor_tracking-period) in the *IAM User Guide*.   
Type: Timestamp  
Required: No

 ** Region **   
The name of the Amazon Web Services Region in which the role was last used.  
Type: String  
Required: No
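
The following is an added example, not part of the AWS reference: it triages `RoleDetail` structures by `RoleLastUsed`, treating a null `LastUsedDate` as "no activity inside the tracking period" rather than "never used", as described above. The function names, category labels, 90-day threshold and sample roles are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# From the RoleLastUsed description: activity is reported only for the
# trailing 400 days (possibly fewer in some Regions).
TRACKING_PERIOD_DAYS = 400


def _as_datetime(value):
    """Accept an SDK datetime or an ISO 8601 string; pass None through."""
    if value is None or isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value)


def classify_role(role, now, stale_after_days=90):
    """Return one of: active, stale, new-unused, unused-in-tracking-period."""
    if not 0 < stale_after_days <= TRACKING_PERIOD_DAYS:
        # A longer threshold cannot be answered from this data: anything
        # older than the tracking period is reported as null.
        raise ValueError("stale_after_days must be within the tracking period")
    threshold = timedelta(days=stale_after_days)

    last_used = _as_datetime((role.get("RoleLastUsed") or {}).get("LastUsedDate"))
    if last_used is not None:
        return "active" if now - last_used <= threshold else "stale"

    # Null LastUsedDate: not used within the tracking period. A role created
    # only recently has simply not had time to be used yet.
    created = _as_datetime(role.get("CreateDate"))
    if created is not None and now - created <= threshold:
        return "new-unused"
    return "unused-in-tracking-period"


def triage(roles, now, stale_after_days=90):
    """Group role names by classification."""
    report = {}
    for role in roles:
        label = classify_role(role, now, stale_after_days)
        report.setdefault(label, []).append(role["RoleName"])
    return report


# Constructed sample data shaped like RoleDetail entries.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_ROLES = [
    {"RoleName": "ci-deploy", "CreateDate": "2023-01-10T00:00:00+00:00",
     "RoleLastUsed": {"LastUsedDate": "2025-05-20T08:30:00+00:00",
                      "Region": "cn-north-1"}},
    {"RoleName": "legacy-batch", "CreateDate": "2022-03-01T00:00:00+00:00",
     "RoleLastUsed": {"LastUsedDate": "2024-11-01T00:00:00+00:00",
                      "Region": "cn-north-1"}},
    {"RoleName": "old-migration", "CreateDate": "2021-06-01T00:00:00+00:00",
     "RoleLastUsed": {}},
    {"RoleName": "new-app", "CreateDate": "2025-05-15T00:00:00+00:00"},
]

if __name__ == "__main__":
    for label, names in sorted(triage(SAMPLE_ROLES, NOW).items()):
        print(f"{label}: {', '.join(names)}")
```

Roles in the `unused-in-tracking-period` group are candidates for review, not proof of disuse, because the tracking period can be shorter than 400 days in some Regions.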

## See Also
<a name="API_RoleLastUsed_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/RoleLastUsed) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/RoleLastUsed) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/RoleLastUsed) 

# RoleUsageType
<a name="API_RoleUsageType"></a>

An object that contains details about how a service-linked role is used, if that information is returned by the service.

This data type is used as a response element in the [GetServiceLinkedRoleDeletionStatus](https://docs.amazonaws.cn/IAM/latest/APIReference/API_GetServiceLinkedRoleDeletionStatus.html) operation.

## Contents
<a name="API_RoleUsageType_Contents"></a>

 ** Region **   
The name of the Region where the service-linked role is being used.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 100.  
Required: No

 ** Resources.member.N **   
The name of the resource that is using the service-linked role.  
Type: Array of strings  
Length Constraints: Minimum length of 20. Maximum length of 2048.  
Required: No

## See Also
<a name="API_RoleUsageType_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/RoleUsageType) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/RoleUsageType) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/RoleUsageType) 

# SAMLPrivateKey
<a name="API_SAMLPrivateKey"></a>

Contains the private keys for the SAML provider.

This data type is used as a response element in the [GetSAMLProvider](https://docs.amazonaws.cn/IAM/latest/APIReference/API_GetSAMLProvider.html) operation.

## Contents
<a name="API_SAMLPrivateKey_Contents"></a>

 ** KeyId **   
The unique identifier for the SAML private key.  
Type: String  
Length Constraints: Minimum length of 22. Maximum length of 64.  
Pattern: `[A-Z0-9]+`   
Required: No

 ** Timestamp **   
The date and time, in [ISO 8601 date-time format](http://www.iso.org/iso/iso8601), when the private key was uploaded.  
Type: Timestamp  
Required: No

## See Also
<a name="API_SAMLPrivateKey_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/SAMLPrivateKey) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/SAMLPrivateKey) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/SAMLPrivateKey) 

# SAMLProviderListEntry
<a name="API_SAMLProviderListEntry"></a>

Contains the list of SAML providers for this account.

## Contents
<a name="API_SAMLProviderListEntry_Contents"></a>

 ** Arn **   
The Amazon Resource Name (ARN) of the SAML provider.  
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.  
Required: No

 ** CreateDate **   
The date and time when the SAML provider was created.  
Type: Timestamp  
Required: No

 ** ValidUntil **   
The expiration date and time for the SAML provider.  
Type: Timestamp  
Required: No

## See Also
<a name="API_SAMLProviderListEntry_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/SAMLProviderListEntry) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/SAMLProviderListEntry) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/SAMLProviderListEntry) 

# ServerCertificate
<a name="API_ServerCertificate"></a>

Contains information about a server certificate.

 This data type is used as a response element in the [GetServerCertificate](https://docs.amazonaws.cn/IAM/latest/APIReference/API_GetServerCertificate.html) operation. 

## Contents
<a name="API_ServerCertificate_Contents"></a>

 ** CertificateBody **   
The contents of the public key certificate.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 16384.  
Pattern: `[\u0009\u000A\u000D\u0020-\u00FF]+`   
Required: Yes

 ** ServerCertificateMetadata **   
The meta information of the server certificate, such as its name, path, ID, and ARN.  
Type: [ServerCertificateMetadata](API_ServerCertificateMetadata.md) object  
Required: Yes

 ** CertificateChain **   
The contents of the public key certificate chain.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 2097152.  
Pattern: `[\u0009\u000A\u000D\u0020-\u00FF]+`   
Required: No

 ** Tags.member.N **   
A list of tags that are attached to the server certificate. For more information about tagging, see [Tagging IAM resources](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*.  
Type: Array of [Tag](API_Tag.md) objects  
Array Members: Maximum number of 50 items.  
Required: No

## See Also
<a name="API_ServerCertificate_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/ServerCertificate) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/ServerCertificate) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/ServerCertificate) 

# ServerCertificateMetadata
<a name="API_ServerCertificateMetadata"></a>

Contains information about a server certificate without its certificate body, certificate chain, and private key.

 This data type is used as a response element in the [UploadServerCertificate](https://docs.amazonaws.cn/IAM/latest/APIReference/API_UploadServerCertificate.html) and [ListServerCertificates](https://docs.amazonaws.cn/IAM/latest/APIReference/API_ListServerCertificates.html) operations. 

## Contents
<a name="API_ServerCertificateMetadata_Contents"></a>

 ** Arn **   
 The Amazon Resource Name (ARN) specifying the server certificate. For more information about ARNs and how to use them in policies, see [IAM identifiers](https://docs.amazonaws.cn/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*.   
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.  
Required: Yes

 ** Path **   
 The path to the server certificate. For more information about paths, see [IAM identifiers](https://docs.amazonaws.cn/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*.   
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 512.  
Pattern: `(\u002F)|(\u002F[\u0021-\u007E]+\u002F)`   
Required: Yes

 ** ServerCertificateId **   
 The stable and unique string identifying the server certificate. For more information about IDs, see [IAM identifiers](https://docs.amazonaws.cn/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*.   
Type: String  
Length Constraints: Minimum length of 16. Maximum length of 128.  
Pattern: `[\w]+`   
Required: Yes

 ** ServerCertificateName **   
The name that identifies the server certificate.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w+=,.@-]+`   
Required: Yes

 ** Expiration **   
The date on which the certificate is set to expire.  
Type: Timestamp  
Required: No

 ** UploadDate **   
The date when the server certificate was uploaded.  
Type: Timestamp  
Required: No

## See Also
<a name="API_ServerCertificateMetadata_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/ServerCertificateMetadata) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/ServerCertificateMetadata) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/ServerCertificateMetadata) 

# ServiceLastAccessed
<a name="API_ServiceLastAccessed"></a>

Contains details about the most recent attempt to access the service.

This data type is used as a response element in the [GetServiceLastAccessedDetails](https://docs.amazonaws.cn/IAM/latest/APIReference/API_GetServiceLastAccessedDetails.html) operation.

## Contents
<a name="API_ServiceLastAccessed_Contents"></a>

 ** ServiceName **   
The name of the service in which access was attempted.  
Type: String  
Required: Yes

 ** ServiceNamespace **   
The namespace of the service in which access was attempted.  
To learn the service namespace of a service, see [Actions, resources, and condition keys for Amazon services](https://docs.amazonaws.cn/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html) in the *Service Authorization Reference*. Choose the name of the service to view details for that service. In the first paragraph, find the service prefix. For example, `(service prefix: a4b)`. For more information about service namespaces, see [Amazon Service Namespaces](https://docs.amazonaws.cn/general/latest/gr/aws-arns-and-namespaces.html#genref-aws-service-namespaces) in the *Amazon General Reference*.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 64.  
Pattern: `[\w-]*`   
Required: Yes

 ** LastAuthenticated **   
The date and time, in [ISO 8601 date-time format](http://www.iso.org/iso/iso8601), when an authenticated entity most recently attempted to access the service. Amazon does not report unauthenticated requests.  
This field is null if no IAM entities attempted to access the service within the [tracking period](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_access-advisor.html#service-last-accessed-reporting-period).  
Type: Timestamp  
Required: No

 ** LastAuthenticatedEntity **   
The ARN of the authenticated entity (user or role) that last attempted to access the service. Amazon does not report unauthenticated requests.  
This field is null if no IAM entities attempted to access the service within the [tracking period](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_access-advisor.html#service-last-accessed-reporting-period).  
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.  
Required: No

 ** LastAuthenticatedRegion **   
The Region from which the authenticated entity (user or role) last attempted to access the service. Amazon does not report unauthenticated requests.  
This field is null if no IAM entities attempted to access the service within the [tracking period](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_access-advisor.html#service-last-accessed-reporting-period).  
Type: String  
Required: No

 ** TotalAuthenticatedEntities **   
The total number of authenticated principals (root user, IAM users, or IAM roles) that have attempted to access the service.  
This field is null if no principals attempted to access the service within the [tracking period](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_access-advisor.html#service-last-accessed-reporting-period).  
Type: Integer  
Required: No

 ** TrackedActionsLastAccessed.member.N **   
An object that contains details about the most recent attempt to access a tracked action within the service.  
This field is null if there are no tracked actions or if the principal did not use the tracked actions within the [tracking period](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_access-advisor.html#service-last-accessed-reporting-period). This field is also null if the report was generated at the service level and not the action level. For more information, see the `Granularity` field in [GenerateServiceLastAccessedDetails](https://docs.amazonaws.cn/IAM/latest/APIReference/API_GenerateServiceLastAccessedDetails.html).  
Type: Array of [TrackedActionLastAccessed](API_TrackedActionLastAccessed.md) objects  
Required: No
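
The null semantics above drive least-privilege reviews: a missing `LastAuthenticated` means no authenticated access within the tracking period, not "never". The following is an added example, not code from the IAM documentation; it assumes each `ServiceLastAccessed` entry is a dict keyed by the field names on this page with timezone-aware `datetime` values, and all sample data is constructed.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed sample: a list of ServiceLastAccessed entries. A field that the
# API reports as null is represented here as an absent key (or None).
SAMPLE_SERVICES = [
    {
        "ServiceName": "Amazon S3",
        "ServiceNamespace": "s3",
        "LastAuthenticated": datetime(2024, 5, 30, 9, 15, tzinfo=UTC),
        "LastAuthenticatedEntity": "arn:aws:iam::123456789012:role/app-role",
        "TotalAuthenticatedEntities": 1,
        # Present only when the report was generated at the action level.
        "TrackedActionsLastAccessed": [
            {"ActionName": "GetObject",
             "LastAccessedTime": datetime(2024, 5, 30, 9, 15, tzinfo=UTC)},
            {"ActionName": "DeleteBucket"},  # no LastAccessedTime: not used
        ],
    },
    {
        "ServiceName": "Amazon DynamoDB",
        "ServiceNamespace": "dynamodb",
        "LastAuthenticated": datetime(2023, 11, 2, 14, 0, tzinfo=UTC),
        "TotalAuthenticatedEntities": 1,
    },
    {
        # LastAuthenticated is null: nothing authenticated in the tracking period.
        "ServiceName": "Amazon EC2",
        "ServiceNamespace": "ec2",
    },
]


def review_service_access(services, now, stale_after_days=90):
    """Bucket ServiceLastAccessed entries for a permissions review.

    Returns a dict with:
      no_access_in_tracking_period - namespaces whose LastAuthenticated is null
      stale          - namespaces last used before the cutoff
      active         - namespaces used on or after the cutoff
      unused_actions - (namespace, ActionName) pairs that are null or stale
    """
    cutoff = now - timedelta(days=stale_after_days)
    report = {
        "no_access_in_tracking_period": [],
        "stale": [],
        "active": [],
        "unused_actions": [],
    }
    for svc in services:
        namespace = svc["ServiceNamespace"]
        last = svc.get("LastAuthenticated")
        if last is None:
            report["no_access_in_tracking_period"].append(namespace)
        elif last < cutoff:
            report["stale"].append(namespace)
        else:
            report["active"].append(namespace)

        # TrackedActionsLastAccessed is null for service-level reports, so
        # treat a missing list as "no action-level evidence", not "unused".
        for action in svc.get("TrackedActionsLastAccessed") or []:
            used = action.get("LastAccessedTime")
            if used is None or used < cutoff:
                report["unused_actions"].append(
                    (namespace, action.get("ActionName"))
                )
    return report


if __name__ == "__main__":
    result = review_service_access(
        SAMPLE_SERVICES, now=datetime(2024, 6, 30, tzinfo=UTC)
    )
    for bucket, items in result.items():
        print(bucket, items)
```
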

## See Also
<a name="API_ServiceLastAccessed_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/ServiceLastAccessed) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/ServiceLastAccessed) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/ServiceLastAccessed) 

# ServiceSpecificCredential
<a name="API_ServiceSpecificCredential"></a>

Contains the details of a service-specific credential.

## Contents
<a name="API_ServiceSpecificCredential_Contents"></a>

 ** CreateDate **   
The date and time, in [ISO 8601 date-time format](http://www.iso.org/iso/iso8601), when the service-specific credential was created.  
Type: Timestamp  
Required: Yes

 ** ServiceName **   
The name of the service associated with the service-specific credential.  
Type: String  
Required: Yes

 ** ServiceSpecificCredentialId **   
The unique identifier for the service-specific credential.  
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 128.  
Pattern: `[\w]+`   
Required: Yes

 ** Status **   
The status of the service-specific credential. `Active` means that the key is valid for API calls, while `Inactive` means it is not.  
Type: String  
Valid Values: `Active | Inactive | Expired`   
Required: Yes

 ** UserName **   
The name of the IAM user associated with the service-specific credential.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 64.  
Pattern: `[\w+=,.@-]+`   
Required: Yes

 ** ExpirationDate **   
The date and time when the service-specific credential expires. This field is only present for Bedrock API keys and CloudWatch Logs API keys that were created with an expiration period.  
Type: Timestamp  
Required: No

 ** ServiceCredentialAlias **   
For Bedrock API keys and CloudWatch Logs API keys, this is the public portion of the credential that includes the IAM user name and a suffix containing version and creation information.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 200.  
Pattern: `[\w+=,.@-]+`   
Required: No

 ** ServiceCredentialSecret **   
For Bedrock API keys and CloudWatch Logs API keys, this is the secret portion of the credential that should be used to authenticate API calls. This value is returned only when the credential is created.  
Type: String  
Required: No

 ** ServicePassword **   
The generated password for the service-specific credential.  
Type: String  
Required: No

 ** ServiceUserName **   
The generated user name for the service-specific credential. This value is generated by combining the IAM user's name with the ID number of the Amazon account, as in `jane-at-123456789012`, for example. This value cannot be configured by the user.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 200.  
Pattern: `[\w+=,.@-]*`   
Required: No

## See Also
<a name="API_ServiceSpecificCredential_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/ServiceSpecificCredential) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/ServiceSpecificCredential) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/ServiceSpecificCredential) 

# ServiceSpecificCredentialMetadata
<a name="API_ServiceSpecificCredentialMetadata"></a>

Contains additional details about a service-specific credential.

## Contents
<a name="API_ServiceSpecificCredentialMetadata_Contents"></a>

 ** CreateDate **   
The date and time, in [ISO 8601 date-time format](http://www.iso.org/iso/iso8601), when the service-specific credential was created.  
Type: Timestamp  
Required: Yes

 ** ServiceName **   
The name of the service associated with the service-specific credential.  
Type: String  
Required: Yes

 ** ServiceSpecificCredentialId **   
The unique identifier for the service-specific credential.  
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 128.  
Pattern: `[\w]+`   
Required: Yes

 ** Status **   
The status of the service-specific credential. `Active` means that the key is valid for API calls, while `Inactive` means it is not.  
Type: String  
Valid Values: `Active | Inactive | Expired`   
Required: Yes

 ** UserName **   
The name of the IAM user associated with the service-specific credential.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 64.  
Pattern: `[\w+=,.@-]+`   
Required: Yes

 ** ExpirationDate **   
The date and time when the service-specific credential expires. This field is only present for Bedrock API keys and CloudWatch Logs API keys that were created with an expiration period.  
Type: Timestamp  
Required: No

 ** ServiceCredentialAlias **   
For Bedrock API keys and CloudWatch Logs API keys, this is the public portion of the credential that includes the IAM user name and a suffix containing version and creation information.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 200.  
Pattern: `[\w+=,.@-]+`   
Required: No

 ** ServiceUserName **   
The generated user name for the service-specific credential.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 200.  
Pattern: `[\w+=,.@-]*`   
Required: No

## See Also
<a name="API_ServiceSpecificCredentialMetadata_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/ServiceSpecificCredentialMetadata) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/ServiceSpecificCredentialMetadata) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/ServiceSpecificCredentialMetadata) 

# SigningCertificate
<a name="API_SigningCertificate"></a>

Contains information about an X.509 signing certificate.

This data type is used as a response element in the [UploadSigningCertificate](https://docs.amazonaws.cn/IAM/latest/APIReference/API_UploadSigningCertificate.html) and [ListSigningCertificates](https://docs.amazonaws.cn/IAM/latest/APIReference/API_ListSigningCertificates.html) operations. 

## Contents
<a name="API_SigningCertificate_Contents"></a>

 ** CertificateBody **   
The contents of the signing certificate.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 16384.  
Pattern: `[\u0009\u000A\u000D\u0020-\u00FF]+`   
Required: Yes

 ** CertificateId **   
The ID for the signing certificate.  
Type: String  
Length Constraints: Minimum length of 24. Maximum length of 128.  
Pattern: `[\w]+`   
Required: Yes

 ** Status **   
The status of the signing certificate. `Active` means that the key is valid for API calls, while `Inactive` means it is not.  
Type: String  
Valid Values: `Active | Inactive | Expired`   
Required: Yes

 ** UserName **   
The name of the user the signing certificate is associated with.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 64.  
Pattern: `[\w+=,.@-]+`   
Required: Yes

 ** UploadDate **   
The date when the signing certificate was uploaded.  
Type: Timestamp  
Required: No

## See Also
<a name="API_SigningCertificate_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/SigningCertificate) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/SigningCertificate) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/SigningCertificate) 

# SSHPublicKey
<a name="API_SSHPublicKey"></a>

Contains information about an SSH public key.

This data type is used as a response element in the [GetSSHPublicKey](https://docs.amazonaws.cn/IAM/latest/APIReference/API_GetSSHPublicKey.html) and [UploadSSHPublicKey](https://docs.amazonaws.cn/IAM/latest/APIReference/API_UploadSSHPublicKey.html) operations. 

## Contents
<a name="API_SSHPublicKey_Contents"></a>

 ** Fingerprint **   
The MD5 message digest of the SSH public key.  
Type: String  
Length Constraints: Fixed length of 48.  
Pattern: `[:\w]+`   
Required: Yes

 ** SSHPublicKeyBody **   
The SSH public key.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 16384.  
Pattern: `[\u0009\u000A\u000D\u0020-\u00FF]+`   
Required: Yes

 ** SSHPublicKeyId **   
The unique identifier for the SSH public key.  
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 128.  
Pattern: `[\w]+`   
Required: Yes

 ** Status **   
The status of the SSH public key. `Active` means that the key can be used for authentication with a CodeCommit repository. `Inactive` means that the key cannot be used.  
Type: String  
Valid Values: `Active | Inactive | Expired`   
Required: Yes

 ** UserName **   
The name of the IAM user associated with the SSH public key.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 64.  
Pattern: `[\w+=,.@-]+`   
Required: Yes

 ** UploadDate **   
The date and time, in [ISO 8601 date-time format](http://www.iso.org/iso/iso8601), when the SSH public key was uploaded.  
Type: Timestamp  
Required: No

## See Also
<a name="API_SSHPublicKey_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/SSHPublicKey) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/SSHPublicKey) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/SSHPublicKey) 

# SSHPublicKeyMetadata
<a name="API_SSHPublicKeyMetadata"></a>

Contains information about an SSH public key, without the key's body or fingerprint.

This data type is used as a response element in the [ListSSHPublicKeys](https://docs.amazonaws.cn/IAM/latest/APIReference/API_ListSSHPublicKeys.html) operation.

## Contents
<a name="API_SSHPublicKeyMetadata_Contents"></a>

 ** SSHPublicKeyId **   
The unique identifier for the SSH public key.  
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 128.  
Pattern: `[\w]+`   
Required: Yes

 ** Status **   
The status of the SSH public key. `Active` means that the key can be used for authentication with a CodeCommit repository. `Inactive` means that the key cannot be used.  
Type: String  
Valid Values: `Active | Inactive | Expired`   
Required: Yes

 ** UploadDate **   
The date and time, in [ISO 8601 date-time format](http://www.iso.org/iso/iso8601), when the SSH public key was uploaded.  
Type: Timestamp  
Required: Yes

 ** UserName **   
The name of the IAM user associated with the SSH public key.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 64.  
Pattern: `[\w+=,.@-]+`   
Required: Yes

## See Also
<a name="API_SSHPublicKeyMetadata_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/SSHPublicKeyMetadata) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/SSHPublicKeyMetadata) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/SSHPublicKeyMetadata) 

# Statement
<a name="API_Statement"></a>

Contains a reference to a `Statement` element in a policy document that determines the result of the simulation.

This data type is used by the `MatchedStatements` member of the [EvaluationResult](https://docs.amazonaws.cn/IAM/latest/APIReference/API_EvaluationResult.html) type.

## Contents
<a name="API_Statement_Contents"></a>

 ** EndPosition **   
The row and column of the end of a `Statement` in an IAM policy.  
Type: [Position](API_Position.md) object  
Required: No

 ** SourcePolicyId **   
The identifier of the policy that was provided as an input.  
Type: String  
Required: No

 ** SourcePolicyType **   
The type of the policy.  
Type: String  
Valid Values: `user | group | role | aws-managed | user-managed | resource | none`   
Required: No

 ** StartPosition **   
The row and column of the beginning of the `Statement` in an IAM policy.  
Type: [Position](API_Position.md) object  
Required: No

## See Also
<a name="API_Statement_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/Statement) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/Statement) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/Statement) 

# Tag
<a name="API_Tag"></a>

A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see [Tagging IAM resources](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*.

## Contents
<a name="API_Tag_Contents"></a>

 ** Key **   
The key name that can be used to look up or retrieve the associated value. For example, `Department` or `Cost Center` are common choices.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\p{L}\p{Z}\p{N}_.:/=+\-@]+`   
Required: Yes

 ** Value **   
The value associated with this tag. For example, tags with a key name of `Department` could have values such as `Human Resources`, `Accounting`, and `Support`. Tags with a key name of `Cost Center` might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 256.  
Pattern: `[\p{L}\p{Z}\p{N}_.:/=+\-@]*`   
Required: Yes

## See Also
<a name="API_Tag_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/Tag) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/Tag) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/Tag) 

# TrackedActionLastAccessed
<a name="API_TrackedActionLastAccessed"></a>

Contains details about the most recent attempt to access an action within the service.

This data type is used as a response element in the [GetServiceLastAccessedDetails](https://docs.amazonaws.cn/IAM/latest/APIReference/API_GetServiceLastAccessedDetails.html) operation.

## Contents
<a name="API_TrackedActionLastAccessed_Contents"></a>

 ** ActionName **   
The name of the tracked action to which access was attempted. Tracked actions are actions that report activity to IAM.  
Type: String  
Required: No

 ** LastAccessedEntity **   
The Amazon Resource Name (ARN). ARNs are unique identifiers for Amazon resources.  
For more information about ARNs, go to [Amazon Resource Names (ARNs)](https://docs.amazonaws.cn/general/latest/gr/aws-arns-and-namespaces.html) in the *Amazon General Reference*.   
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.  
Required: No

 ** LastAccessedRegion **   
The Region from which the authenticated entity (user or role) last attempted to access the tracked action. Amazon does not report unauthenticated requests.  
This field is null if no IAM entities attempted to access the service within the [tracking period](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_access-advisor.html#service-last-accessed-reporting-period).  
Type: String  
Required: No

 ** LastAccessedTime **   
The date and time, in [ISO 8601 date-time format](http://www.iso.org/iso/iso8601), when an authenticated entity most recently attempted to access the tracked service. Amazon does not report unauthenticated requests.  
This field is null if no IAM entities attempted to access the service within the [tracking period](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_access-advisor.html#service-last-accessed-reporting-period).  
Type: Timestamp  
Required: No

## See Also
<a name="API_TrackedActionLastAccessed_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/TrackedActionLastAccessed) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/TrackedActionLastAccessed) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/TrackedActionLastAccessed) 

# User
<a name="API_User"></a>

Contains information about an IAM user entity.

This data type is used as a response element in the following operations:
+  [CreateUser](https://docs.amazonaws.cn/IAM/latest/APIReference/API_CreateUser.html) 
+  [GetUser](https://docs.amazonaws.cn/IAM/latest/APIReference/API_GetUser.html) 
+  [ListUsers](https://docs.amazonaws.cn/IAM/latest/APIReference/API_ListUsers.html) 

## Contents
<a name="API_User_Contents"></a>

 ** Arn **   
The Amazon Resource Name (ARN) that identifies the user. For more information about ARNs and how to use ARNs in policies, see [IAM Identifiers](https://docs.amazonaws.cn/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*.   
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.  
Required: Yes

 ** CreateDate **   
The date and time, in [ISO 8601 date-time format](http://www.iso.org/iso/iso8601), when the user was created.  
Type: Timestamp  
Required: Yes

 ** Path **   
The path to the user. For more information about paths, see [IAM identifiers](https://docs.amazonaws.cn/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 512.  
Pattern: `(\u002F)|(\u002F[\u0021-\u007E]+\u002F)`   
Required: Yes

 ** UserId **   
The stable and unique string identifying the user. For more information about IDs, see [IAM identifiers](https://docs.amazonaws.cn/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*.  
Type: String  
Length Constraints: Minimum length of 16. Maximum length of 128.  
Pattern: `[\w]+`   
Required: Yes

 ** UserName **   
The friendly name identifying the user.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 64.  
Pattern: `[\w+=,.@-]+`   
Required: Yes

 ** PasswordLastUsed **   
The date and time, in [ISO 8601 date-time format](http://www.iso.org/iso/iso8601), when the user's password was last used to sign in to an Amazon website. For a list of Amazon websites that capture a user's last sign-in time, see the [Credential reports](https://docs.amazonaws.cn/IAM/latest/UserGuide/credential-reports.html) topic in the *IAM User Guide*. If a password is used more than once in a five-minute span, only the first use is returned in this field. If the field is null (no value), then it indicates that the user never signed in with a password. This can be because:  
+ The user never had a password.
+ A password exists but has not been used since IAM started tracking this information on October 20, 2014.
A null value does not mean that the user *never* had a password. Also, if the user does not currently have a password but had one in the past, then this field contains the date and time the most recent password was used.  
This value is returned only in the [GetUser](https://docs.amazonaws.cn/IAM/latest/APIReference/API_GetUser.html) and [ListUsers](https://docs.amazonaws.cn/IAM/latest/APIReference/API_ListUsers.html) operations.   
Type: Timestamp  
Required: No

 ** PermissionsBoundary **   
The ARN of the policy used to set the permissions boundary for the user.  
For more information about permissions boundaries, see [Permissions boundaries for IAM identities](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.  
Type: [AttachedPermissionsBoundary](API_AttachedPermissionsBoundary.md) object  
Required: No

 ** Tags.member.N **   
A list of tags that are associated with the user. For more information about tagging, see [Tagging IAM resources](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*.  
Type: Array of [Tag](API_Tag.md) objects  
Array Members: Maximum number of 50 items.  
Required: No
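
`PasswordLastUsed` on its own does not say whether a password currently exists, so a console-credential audit has to pair it with a second signal. The following is an added example, not code from the IAM documentation; it assumes `User` records are dicts keyed by the field names on this page and that the caller already knows which users have a login profile (for instance from GetLoginProfile). The category labels and sample records are constructed.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed records shaped like the User type; a null PasswordLastUsed is
# represented as an absent key.
SAMPLE_USERS = [
    {"UserName": "alice", "PasswordLastUsed": datetime(2024, 6, 20, tzinfo=UTC)},
    {"UserName": "bob", "PasswordLastUsed": datetime(2023, 1, 10, tzinfo=UTC)},
    {"UserName": "carol"},
    {"UserName": "dave", "PasswordLastUsed": datetime(2022, 3, 1, tzinfo=UTC)},
    {"UserName": "svc-ci"},
]

# Assumption: names of users that currently have a login profile (password).
SAMPLE_HAS_PASSWORD = {"alice", "bob", "carol"}


def classify_console_password(user, has_password, now, stale_after_days=90):
    """Combine PasswordLastUsed with password existence into one label."""
    last_used = user.get("PasswordLastUsed")
    if last_used is None:
        # Null: never signed in with a password since tracking began.
        # Either no password was ever set, or one exists and sits unused.
        return "unused_password" if has_password else "no_password"
    if not has_password:
        # The field keeps the last use of a password that has since been removed.
        return "password_removed"
    if now - last_used > timedelta(days=stale_after_days):
        return "stale_password"
    return "active_password"


def audit_users(users, users_with_password, now, stale_after_days=90):
    """Return {UserName: label} for every User record."""
    return {
        user["UserName"]: classify_console_password(
            user, user["UserName"] in users_with_password, now, stale_after_days
        )
        for user in users
    }


def review_candidates(findings):
    """Users whose console password exists but is unused or stale."""
    return sorted(
        name
        for name, label in findings.items()
        if label in ("unused_password", "stale_password")
    )


if __name__ == "__main__":
    results = audit_users(
        SAMPLE_USERS, SAMPLE_HAS_PASSWORD, now=datetime(2024, 6, 30, tzinfo=UTC)
    )
    for name, label in results.items():
        print(f"{name}: {label}")
    print("review:", review_candidates(results))
```
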

## See Also
<a name="API_User_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/User) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/User) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/User) 

# UserDetail
<a name="API_UserDetail"></a>

Contains information about an IAM user, including all the user's policies and all the IAM groups the user is in.

This data type is used as a response element in the [GetAccountAuthorizationDetails](https://docs.amazonaws.cn/IAM/latest/APIReference/API_GetAccountAuthorizationDetails.html) operation.

## Contents
<a name="API_UserDetail_Contents"></a>

 ** Arn **   
The Amazon Resource Name (ARN). ARNs are unique identifiers for Amazon resources.  
For more information about ARNs, go to [Amazon Resource Names (ARNs)](https://docs.amazonaws.cn/general/latest/gr/aws-arns-and-namespaces.html) in the *Amazon General Reference*.   
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.  
Required: No

 ** AttachedManagedPolicies.member.N **   
A list of the managed policies attached to the user.  
Type: Array of [AttachedPolicy](API_AttachedPolicy.md) objects  
Required: No

 ** CreateDate **   
The date and time, in [ISO 8601 date-time format](http://www.iso.org/iso/iso8601), when the user was created.  
Type: Timestamp  
Required: No

 ** GroupList.member.N **   
A list of IAM groups that the user is in.  
Type: Array of strings  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w+=,.@-]+`   
Required: No

 ** Path **   
The path to the user. For more information about paths, see [IAM identifiers](https://docs.amazonaws.cn/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 512.  
Pattern: `(\u002F)|(\u002F[\u0021-\u007E]+\u002F)`   
Required: No

 ** PermissionsBoundary **   
The ARN of the policy used to set the permissions boundary for the user.  
For more information about permissions boundaries, see [Permissions boundaries for IAM identities](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.  
Type: [AttachedPermissionsBoundary](API_AttachedPermissionsBoundary.md) object  
Required: No

 ** Tags.member.N **   
A list of tags that are associated with the user. For more information about tagging, see [Tagging IAM resources](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*.  
Type: Array of [Tag](API_Tag.md) objects  
Array Members: Maximum number of 50 items.  
Required: No

 ** UserId **   
The stable and unique string identifying the user. For more information about IDs, see [IAM identifiers](https://docs.amazonaws.cn/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*.  
Type: String  
Length Constraints: Minimum length of 16. Maximum length of 128.  
Pattern: `[\w]+`   
Required: No

 ** UserName **   
The friendly name identifying the user.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 64.  
Pattern: `[\w+=,.@-]+`   
Required: No

 ** UserPolicyList.member.N **   
A list of the inline policies embedded in the user.  
Type: Array of [PolicyDetail](API_PolicyDetail.md) objects  
Required: No
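
The following is an added example, not part of the AWS reference: a Python check that applies the length and pattern constraints listed above to records shaped like `UserDetail`, and raises a few review flags from the policy and boundary elements. The sample records, the flag names and the ASCII-only reading of `\w` are assumptions made for this example.

```python
import re

# (min length, max length, pattern) copied from the UserDetail field list above.
# re.ASCII limits \w to [A-Za-z0-9_]; reading the pattern that way is an assumption.
NAME = re.compile(r"[\w+=,.@-]+", re.ASCII)
CONSTRAINTS = {
    "Arn": (20, 2048, None),
    "Path": (1, 512, re.compile(r"(\u002F)|(\u002F[\u0021-\u007E]+\u002F)")),
    "UserId": (16, 128, re.compile(r"[\w]+", re.ASCII)),
    "UserName": (1, 64, NAME),
}

def _check(field, value, rule):
    lo, hi, pattern = rule
    if not isinstance(value, str) or not lo <= len(value) <= hi:
        return [f"{field}: length outside {lo}-{hi}"]
    if pattern and not pattern.fullmatch(value):
        return [f"{field}: does not match documented pattern"]
    return []

def constraint_violations(user):
    """Every element is 'Required: No', so only elements that are present are checked."""
    problems = []
    for field, rule in CONSTRAINTS.items():
        if field in user:
            problems += _check(field, user[field], rule)
    for group in user.get("GroupList", []):
        problems += _check("GroupList member", group, (1, 128, NAME))
    if len(user.get("Tags", [])) > 50:
        problems.append("Tags: more than 50 items")
    return problems

def review_flags(user):
    """Hypothetical review heuristics chosen for this example, not AWS rules."""
    direct = user.get("AttachedManagedPolicies") and not user.get("GroupList")
    checks = [("no-permissions-boundary", not user.get("PermissionsBoundary")),
              ("inline-policies", user.get("UserPolicyList")),
              ("direct-policies-without-group", direct)]
    return [name for name, hit in checks if hit]

# Constructed sample records shaped like UserDetail; not real account data.
SAMPLE_USERS = [
    {"Path": "/", "UserName": "alice", "UserId": "AIDAEXAMPLEALICE0001",
     "GroupList": ["Developers"], "PermissionsBoundary": {"PermissionsBoundaryType": "Policy"}},
    {"Path": "ci", "UserName": "build bot", "UserId": "AIDAEXAMPLEBUILDBOT1",
     "UserPolicyList": [{"PolicyName": "inline-deploy"}],
     "AttachedManagedPolicies": [{"PolicyName": "ExamplePolicy"}]},
]
```

Because the order of elements is not guaranteed and none is required, the checks look elements up by name and treat a missing element as absent rather than invalid.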

## See Also
<a name="API_UserDetail_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/UserDetail) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/UserDetail) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/UserDetail) 

# VirtualMFADevice
<a name="API_VirtualMFADevice"></a>

Contains information about a virtual MFA device.

## Contents
<a name="API_VirtualMFADevice_Contents"></a>

 ** SerialNumber **   
The serial number associated with `VirtualMFADevice`.  
Type: String  
Length Constraints: Minimum length of 9. Maximum length of 256.  
Pattern: `[\w+=/:,.@-]+`   
Required: Yes

 ** Base32StringSeed **   
 The base32 seed defined as specified in [RFC3548](https://tools.ietf.org/html/rfc3548.txt). The `Base32StringSeed` is base32-encoded.   
Type: Base64-encoded binary data object  
Required: No

 ** EnableDate **   
The date and time on which the virtual MFA device was enabled.  
Type: Timestamp  
Required: No

 ** QRCodePNG **   
 A QR code PNG image that encodes `otpauth://totp/$virtualMFADeviceName@$AccountName?secret=$Base32String` where `$virtualMFADeviceName` is one of the create call arguments. `AccountName` is the user name if set (otherwise, the account ID), and `Base32String` is the seed in base32 format. The `Base32String` value is base64-encoded.   
Type: Base64-encoded binary data object  
Required: No

 ** Tags.member.N **   
A list of tags that are attached to the virtual MFA device. For more information about tagging, see [Tagging IAM resources](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*.  
Type: Array of [Tag](API_Tag.md) objects  
Array Members: Maximum number of 50 items.  
Required: No

 ** User **   
The IAM user associated with this virtual MFA device.  
Type: [User](API_User.md) object  
Required: No

## See Also
<a name="API_VirtualMFADevice_SeeAlso"></a>

For more information about using this API in one of the language-specific Amazon SDKs, see the following:
+  [Amazon SDK for C++](https://docs.amazonaws.cn/goto/SdkForCpp/iam-2010-05-08/VirtualMFADevice) 
+  [Amazon SDK for Java V2](https://docs.amazonaws.cn/goto/SdkForJavaV2/iam-2010-05-08/VirtualMFADevice) 
+  [Amazon SDK for Ruby V3](https://docs.amazonaws.cn/goto/SdkForRubyV3/iam-2010-05-08/VirtualMFADevice) 