AWS CLI Command Reference

[ aws . iam ]

get-delegation-request

Description

Retrieves information about a specific delegation request.

If a delegation request has no owner or owner account, GetDelegationRequest for that delegation request can be called by any account. If the owner account is assigned but there is no owner id, only identities within that owner account can call GetDelegationRequest for the delegation request. Once the delegation request is fully owned, the owner of the request gets a default permission to get that delegation request. For more details, see Managing Permissions for Delegation Requests .

See also: AWS API Documentation

Synopsis

  get-delegation-request
--delegation-request-id <value>
[--delegation-permission-check | --no-delegation-permission-check]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
[--no-cli-pager]
[--cli-auto-prompt]
[--no-cli-auto-prompt]

Options

--delegation-request-id (string) [required]

The unique identifier of the delegation request to retrieve.

Constraints:

  • min: 16
  • max: 128
  • pattern: [\w-]+

--delegation-permission-check | --no-delegation-permission-check (boolean)

Specifies whether to perform a permission check for the delegation request.

If set to true, the GetDelegationRequest API call will start a permission check process. This process calculates whether the caller has sufficient permissions to cover the asks from this delegation request.

Setting this parameter to true does not guarantee an answer in the response. See the PermissionCheckStatus and the PermissionCheckResult response attributes for further details.

--cli-input-json | --cli-input-yaml (string) Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command. The generated JSON skeleton is not stable between versions of the AWS CLI and there are no backwards compatibility guarantees in the JSON skeleton generated.

Global Options

--debug (boolean)

Turn on debug logging.

--endpoint-url (string)

Override command’s default URL with the given URL.

--no-verify-ssl (boolean)

By default, the AWS CLI uses SSL when communicating with AWS services. For each SSL connection, the AWS CLI will verify SSL certificates. This option overrides the default behavior of verifying SSL certificates.

--no-paginate (boolean)

Disable automatic pagination. If automatic pagination is disabled, the AWS CLI will only make one call, for the first page of results.

--output (string)

The formatting style for command output.

  • json
  • text
  • table
  • yaml
  • yaml-stream

--query (string)

A JMESPath query to use in filtering the response data.

--profile (string)

Use a specific profile from your credential file.

--region (string)

The region to use. Overrides config/env settings.

--version (string)

Display the version of this tool.

--color (string)

Turn on/off color output.

  • on
  • off
  • auto

--no-sign-request (boolean)

Do not sign requests. Credentials will not be loaded if this argument is provided.

--ca-bundle (string)

The CA certificate bundle to use when verifying SSL certificates. Overrides config/env settings.

--cli-read-timeout (int)

The maximum socket read time in seconds. If the value is set to 0, the socket read will be blocking and not timeout. The default value is 60 seconds.

--cli-connect-timeout (int)

The maximum socket connect time in seconds. If the value is set to 0, the socket connect will be blocking and not timeout. The default value is 60 seconds.

--cli-binary-format (string)

The formatting style to be used for binary blobs. The default format is base64. The base64 format expects binary blobs to be provided as a base64 encoded string. The raw-in-base64-out format preserves compatibility with AWS CLI V1 behavior and binary values must be passed literally. When providing contents from a file that map to a binary blob fileb:// will always be treated as binary and use the file contents directly regardless of the cli-binary-format setting. When using file:// the file contents will need to properly formatted for the configured cli-binary-format.

  • base64
  • raw-in-base64-out

--no-cli-pager (boolean)

Disable cli pager for output.

--cli-auto-prompt (boolean)

Automatically prompt for CLI input parameters.

--no-cli-auto-prompt (boolean)

Disable automatically prompt for CLI input parameters.

Output

DelegationRequest -> (structure)

The delegation request object containing all details about the request.

DelegationRequestId -> (string)

The unique identifier for the delegation request.

Constraints:

  • min: 16
  • max: 128
  • pattern: [\w-]+

OwnerAccountId -> (string)

Amazon Web Services account ID of the owner of the delegation request.

Constraints:

  • pattern: \d{12}

Description -> (string)

Description of the delegation request. This is a message that is provided by the Amazon Web Services partner that filed the delegation request.

Constraints:

  • max: 1000
  • pattern: [\u0009\u000A\u000D\u0020-\u007E\u00A1-\u00FF]*

RequestMessage -> (string)

A custom message that is added to the delegation request by the partner.

This element is different from the Description element such that this is a request specific message injected by the partner. The Description is typically a generic explanation of what the delegation request is targeted to do.

Constraints:

  • max: 200
  • pattern: [\u0009\u000A\u000D\u0020-\u007E\u00A1-\u00FF]*

Permissions -> (structure)

Contains information about the permissions being delegated in a delegation request.

PolicyTemplateArn -> (string)

This ARN maps to a pre-registered policy content for this partner. See the `partner onboarding documentation to understand how to create a delegation template.

Constraints:

  • min: 20
  • max: 2048

Parameters -> (list)

A list of policy parameters that define the scope and constraints of the delegated permissions.

Constraints:

  • max: 50

(structure)

Contains information about a policy parameter used to customize delegated permissions.

Name -> (string)

The name of the policy parameter.

Constraints:

  • min: 5
  • max: 256
  • pattern: [ -~]+

Values -> (list)

The allowed values for the policy parameter.

(string)

Constraints:

  • pattern: [ -~]+

Type -> (string)

The data type of the policy parameter value.

Possible values:

  • string
  • stringList

PermissionPolicy -> (string)

JSON content of the associated permission policy of this delegation request.

RolePermissionRestrictionArns -> (list)

If the PermissionPolicy includes role creation permissions, this element will include the list of permissions boundary policies associated with the role creation. See Permissions boundaries for IAM entities for more details about IAM permission boundaries.

(string)

The Amazon Resource Name (ARN). ARNs are unique identifiers for Amazon Web Services resources.

For more information about ARNs, go to Amazon Resource Names (ARNs) in the Amazon Web Services General Reference .

Constraints:

  • min: 20
  • max: 2048

OwnerId -> (string)

ARN of the owner of this delegation request.

Constraints:

  • min: 20
  • max: 2048
  • pattern: ^[a-zA-Z0-9:/+=,.@_-]+$

ApproverId -> (string)

The Amazon Resource Name (ARN). ARNs are unique identifiers for Amazon Web Services resources.

For more information about ARNs, go to Amazon Resource Names (ARNs) in the Amazon Web Services General Reference .

Constraints:

  • min: 20
  • max: 2048

State -> (string)

The state of this delegation request.

See the Understanding the Request Lifecycle for an explanation of how these states are transitioned.

Possible values:

  • UNASSIGNED
  • ASSIGNED
  • PENDING_APPROVAL
  • FINALIZED
  • ACCEPTED
  • REJECTED
  • EXPIRED

RequestorId -> (string)

Identity of the requestor of this delegation request. This will be an Amazon Web Services account ID.

Constraints:

  • pattern: \d{12}

RequestorName -> (string)

A friendly name of the requestor.

Constraints:

  • max: 30
  • pattern: [\u0009\u000A\u000D\u0020-\u007E\u00A1-\u00FF]*

CreateDate -> (timestamp)

Creation date (timestamp) of this delegation request.

SessionDuration -> (integer)

The life-time of the requested session credential.

Constraints:

  • min: 300
  • max: 43200

RedirectUrl -> (string)

A URL to be redirected to once the delegation request is approved. Partners provide this URL when creating the delegation request.

Constraints:

  • min: 1
  • max: 255
  • pattern: ^http(s?)://[a-zA-Z0-9._/-]*(\?[a-zA-Z0-9._=&-]*)?(#[a-zA-Z0-9._/-]*)?$

Notes -> (string)

Notes added to this delegation request, if this request was updated via the UpdateDelegationRequest API.

Constraints:

  • max: 500
  • pattern: [\u0009\u000A\u000D\u0020-\u007E\u00A1-\u00FF]*

RejectionReason -> (string)

Reasons for rejecting this delegation request, if this request was rejected. See also RejectDelegationRequest API documentation.

Constraints:

  • max: 500
  • pattern: [\u0009\u000A\u000D\u0020-\u007E\u00A1-\u00FF]*

OnlySendByOwner -> (boolean)

A flag indicating whether the SendDelegationToken must be called by the owner of this delegation request. This is set by the requesting partner.

UpdatedTime -> (timestamp)

Last updated timestamp of the request.

PermissionCheckStatus -> (string)

The status of the permission check for the delegation request.

This value indicates the status of the process to check whether the caller has sufficient permissions to cover the requested actions in the delegation request. Since this is an asynchronous process, there are three potential values:

  • IN_PROGRESS : The permission check process has started.
  • COMPLETED : The permission check process has completed. The PermissionCheckResult will include the result.
  • FAILED : The permission check process has failed.

Possible values:

  • COMPLETE
  • IN_PROGRESS
  • FAILED

PermissionCheckResult -> (string)

The result of the permission check, indicating whether the caller has sufficient permissions to cover the requested permissions. This is an approximate result.

  • ALLOWED : The caller has sufficient permissions cover all the requested permissions.
  • DENIED : The caller does not have sufficient permissions to cover all the requested permissions.
  • UNSURE : It is not possible to determine whether the caller has all the permissions needed. This output is most likely for cases when the caller has permissions with conditions.

Possible values:

  • ALLOWED
  • DENIED
  • UNSURE
© Copyright 2025, Amazon Web Services. Created using Sphinx.