Merge pull request #32 from alexgridx/dependabot/go_modules/github.com/aws/aws-sdk-go-v2/config-1.27.16

Bump github.com/aws/aws-sdk-go-v2/config from 1.27.11 to 1.27.16

go.mod

@@ -7,8 +7,8 @@ require (
 	github.com/alicebob/miniredis v2.5.0+incompatible
 	github.com/apex/log v1.9.0
 	github.com/aws/aws-sdk-go-v2 v1.27.0
-	github.com/aws/aws-sdk-go-v2/config v1.27.11
+	github.com/aws/aws-sdk-go-v2/config v1.27.16
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.11
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.16
 	github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue v1.13.14
 	github.com/aws/aws-sdk-go-v2/service/dynamodb v1.32.0
 	github.com/aws/aws-sdk-go-v2/service/kinesis v1.27.4
@@ -23,17 +23,17 @@ require (
 	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.3 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.7 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.7 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/dynamodbstreams v1.20.4 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.9.8 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.9 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.20.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.20.9 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.28.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.28.10 // indirect
 	github.com/aws/smithy-go v1.20.2 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect

go.sum

@@ -17,18 +17,18 @@ github.com/aws/aws-sdk-go-v2 v1.27.0 h1:7bZWKoXhzI+mMR/HjdMx8ZCC5+6fY0lS5tr0bbgi
 github.com/aws/aws-sdk-go-v2 v1.27.0/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2 h1:x6xsQXGSmW6frevwDA+vi/wqhp1ct18mVXYN08/93to=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2/go.mod h1:lPprDr1e6cJdyYeGXnRaJoP4Md+cDBvi2eOj00BlGmg=
-github.com/aws/aws-sdk-go-v2/config v1.27.11 h1:f47rANd2LQEYHda2ddSCKYId18/8BhSRM4BULGmfgNA=
+github.com/aws/aws-sdk-go-v2/config v1.27.16 h1:knpCuH7laFVGYTNd99Ns5t+8PuRjDn4HnnZK48csipM=
-github.com/aws/aws-sdk-go-v2/config v1.27.11/go.mod h1:SMsV78RIOYdve1vf36z8LmnszlRWkwMQtomCAI0/mIE=
+github.com/aws/aws-sdk-go-v2/config v1.27.16/go.mod h1:vutqgRhDUktwSge3hrC3nkuirzkJ4E/mLj5GvI0BQas=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.11 h1:YuIB1dJNf1Re822rriUOTxopaHHvIq0l/pX3fwO+Tzs=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.16 h1:7d2QxY83uYl0l58ceyiSpxg9bSbStqBC6BeEeHEchwo=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.11/go.mod h1:AQtFPsDH9bI2O+71anW6EKL+NcD7LG3dpKGMV4SShgo=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.16/go.mod h1:Ae6li/6Yc6eMzysRL2BXlPYvnrLLBg3D11/AmOjw50k=
 github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue v1.13.14 h1:MqN3V/VApAVAheStH43Dl3BWuGE712Cp5s97WmCMbYQ=
 github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue v1.13.14/go.mod h1:WwwihVdoE2S7TTziJGvgWaHI8HlOt1DwO6DM338pkzo=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1 h1:FVJ0r5XTHSmIHJV6KuDmdYhEpvlHpiSd38RQWhut5J4=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.3 h1:dQLK4TjtnlRGb0czOht2CevZ5l6RSyRWAnKeGd7VAFE=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1/go.mod h1:zusuAeqezXzAB24LGuzuekqMAEgWkVYukBec3kr3jUg=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.3/go.mod h1:TL79f2P6+8Q7dTsILpiVST+AL9lkF6PPGI167Ny0Cjw=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 h1:aw39xVGeRWlWx9EzGVnhOR4yOjQDHPQ6o6NmBlscyQg=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.7 h1:lf/8VTF2cM+N4SLzaYJERKEWAXq8MOMpZfU6wEPWsPk=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5/go.mod h1:FSaRudD0dXiMPK2UjknVwwTYyZMRsHv3TtkabsZih5I=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.7/go.mod h1:4SjkU7QiqK2M9oozyMzfZ/23LmUY+h3oFqhdeP5OMiI=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 h1:PG1F3OD1szkuQPzDw3CIQsRIrtTlUC3lP84taWzHlq0=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.7 h1:4OYVp0705xu8yjdyoWix0r9wPIRXnIzzOoUpQVHIJ/g=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5/go.mod h1:jU1li6RFryMz+so64PpKtudI+QzbKoIEivqdf6LNpOc=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.7/go.mod h1:vd7ESTEvI76T2Na050gODNmNU7+OyKrIKroYTu4ABiI=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY=
 github.com/aws/aws-sdk-go-v2/service/dynamodb v1.32.0 h1:tGV+9T7NwSJNky5tGLh6/i7CoIkd9fPiGWDn9u4PWgI=
@@ -39,17 +39,17 @@ github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 h1:Ji0DY1x
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2/go.mod h1:5CsjAbs3NlGQyZNFACh+zztPDI7fU6eW9QsxjfnuBKg=
 github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.9.8 h1:yEeIld7Fh/2iM4pYeQw8a3kH6OYcyIn6lwKlUFiVk7Y=
 github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.9.8/go.mod h1:lZJMX2Z5/rQ6OlSbBnW1WWScK6ngLt43xtqM8voMm2w=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 h1:ogRAwT1/gxJBcSWDMZlgyFUM962F51A5CRhDLbxLdmo=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.9 h1:Wx0rlZoEJR7JwlSZcHnEa7CNjrSIyVxMFWGAaXy4fJY=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7/go.mod h1:YCsIZhXfRPLFFCl5xxY+1T9RKzOKjCut+28JSX2DnAk=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.9/go.mod h1:aVMHdE0aHO3v+f/iw01fmXV/5DbfQ3Bi9nN7nd9bE9Y=
 github.com/aws/aws-sdk-go-v2/service/kinesis v1.6.0/go.mod h1:9O7UG2pELnP0hq35+Gd7XDjOLBkg7tmgRQ0y14ZjoJI=
 github.com/aws/aws-sdk-go-v2/service/kinesis v1.27.4 h1:Oe8awBiS/iitcsRJB5+DHa3iCxoA0KwJJf0JNrYMINY=
 github.com/aws/aws-sdk-go-v2/service/kinesis v1.27.4/go.mod h1:RCZCSFbieSgNG1RKegO26opXV4EXyef/vNBVJsUyHuw=
-github.com/aws/aws-sdk-go-v2/service/sso v1.20.5 h1:vN8hEbpRnL7+Hopy9dzmRle1xmDc7o8tmY0klsr175w=
+github.com/aws/aws-sdk-go-v2/service/sso v1.20.9 h1:aD7AGQhvPuAxlSUfo0CWU7s6FpkbyykMhGYMvlqTjVs=
-github.com/aws/aws-sdk-go-v2/service/sso v1.20.5/go.mod h1:qGzynb/msuZIE8I75DVRCUXw3o3ZyBmUvMwQ2t/BrGM=
+github.com/aws/aws-sdk-go-v2/service/sso v1.20.9/go.mod h1:c1qtZUWtygI6ZdvKppzCSXsDOq5I4luJPZ0Ud3juFCA=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4 h1:Jux+gDDyi1Lruk+KHF91tK2KCuY61kzoCpvtvJJBtOE=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.3 h1:Pav5q3cA260Zqez42T9UhIlsd9QeypszRPwC9LdSSsQ=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4/go.mod h1:mUYPBhaF2lGiukDEjJX2BLRRKTmoUSitGDUgM4tRxak=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.3/go.mod h1:9lmoVDVLz/yUZwLaQ676TK02fhCu4+PgRSmMaKR1ozk=
-github.com/aws/aws-sdk-go-v2/service/sts v1.28.6 h1:cwIxeBttqPN3qkaAjcEcsh8NYr8n2HZPkcKgPAi1phU=
+github.com/aws/aws-sdk-go-v2/service/sts v1.28.10 h1:69tpbPED7jKPyzMcrwSvhWcJ9bPnZsZs18NT40JwM0g=
-github.com/aws/aws-sdk-go-v2/service/sts v1.28.6/go.mod h1:FZf1/nKNEkHdGGJP/cI2MoIMquumuRK6ol3QQJNDxmw=
+github.com/aws/aws-sdk-go-v2/service/sts v1.28.10/go.mod h1:0Aqn1MnEuitqfsCNyKsdKLhDUOr4txD/g19EfiUqgws=
 github.com/aws/smithy-go v1.8.0/go.mod h1:SObp3lf9smib00L/v3U2eAKG8FyQ7iLrJnQiAmR5n+E=
 github.com/aws/smithy-go v1.20.2 h1:tbp628ireGtzcHDDmLT/6ADHidqnwgF57XOXZe6tp4Q=
 github.com/aws/smithy-go v1.20.2/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E=

vendor/github.com/aws/aws-sdk-go-v2/config/CHANGELOG.md

@@ -1,3 +1,23 @@
+# v1.27.16 (2024-05-23)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.27.15 (2024-05-16)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.27.14 (2024-05-15)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.27.13 (2024-05-10)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.27.12 (2024-05-08)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.27.11 (2024-04-05)
 
 * **Dependency Update**: Updated to the latest SDK module versions

vendor/github.com/aws/aws-sdk-go-v2/config/go_module_metadata.go

@@ -3,4 +3,4 @@
 package config
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.27.11"
+const goModuleVersion = "1.27.16"

vendor/github.com/aws/aws-sdk-go-v2/credentials/CHANGELOG.md

@@ -1,3 +1,23 @@
+# v1.17.16 (2024-05-23)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.15 (2024-05-16)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.14 (2024-05-15)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.13 (2024-05-10)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.17.12 (2024-05-08)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.17.11 (2024-04-05)
 
 * **Dependency Update**: Updated to the latest SDK module versions

vendor/github.com/aws/aws-sdk-go-v2/credentials/go_module_metadata.go

@@ -3,4 +3,4 @@
 package credentials
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.17.11"
+const goModuleVersion = "1.17.16"

vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/CHANGELOG.md

@@ -1,3 +1,11 @@
+# v1.16.3 (2024-05-16)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.16.2 (2024-05-15)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.16.1 (2024-03-29)
 
 * **Dependency Update**: Updated to the latest SDK module versions

vendor/github.com/aws/aws-sdk-go-v2/feature/ec2/imds/go_module_metadata.go

@@ -3,4 +3,4 @@
 package imds
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.16.1"
+const goModuleVersion = "1.16.3"

vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md

@@ -1,3 +1,11 @@
+# v1.3.7 (2024-05-16)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.6 (2024-05-15)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.3.5 (2024-03-29)
 
 * **Dependency Update**: Updated to the latest SDK module versions

vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go

@@ -3,4 +3,4 @@
 package configsources
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.3.5"
+const goModuleVersion = "1.3.7"

vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md

@@ -1,3 +1,11 @@
+# v2.6.7 (2024-05-16)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v2.6.6 (2024-05-15)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v2.6.5 (2024-03-29)
 
 * **Dependency Update**: Updated to the latest SDK module versions

vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go

@@ -3,4 +3,4 @@
 package endpoints
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "2.6.5"
+const goModuleVersion = "2.6.7"

vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/CHANGELOG.md

@@ -1,3 +1,11 @@
+# v1.11.9 (2024-05-16)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.11.8 (2024-05-15)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.11.7 (2024-03-29)
 
 * **Dependency Update**: Updated to the latest SDK module versions

vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/go_module_metadata.go

@@ -3,4 +3,4 @@
 package presignedurl
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.11.7"
+const goModuleVersion = "1.11.9"

vendor/github.com/aws/aws-sdk-go-v2/service/sso/CHANGELOG.md

@@ -1,3 +1,19 @@
+# v1.20.9 (2024-05-23)
+
+* No change notes available for this release.
+
+# v1.20.8 (2024-05-16)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.20.7 (2024-05-15)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.20.6 (2024-05-08)
+
+* **Bug Fix**: GoDoc improvement
+
 # v1.20.5 (2024-04-05)
 
 * No change notes available for this release.

vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_GetRoleCredentials.go

@@ -30,9 +30,10 @@ func (c *Client) GetRoleCredentials(ctx context.Context, params *GetRoleCredenti
 
 type GetRoleCredentialsInput struct {
 
-	// The token issued by the CreateToken API call. For more information, see
+	// The token issued by the CreateToken API call. For more information, see [CreateToken] in the
-	// CreateToken (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/API_CreateToken.html)
+	// IAM Identity Center OIDC API Reference Guide.
-	// in the IAM Identity Center OIDC API Reference Guide.
+	//
+	// [CreateToken]: https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/API_CreateToken.html
 	//
 	// This member is required.
 	AccessToken *string

vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_ListAccountRoles.go

@@ -29,9 +29,10 @@ func (c *Client) ListAccountRoles(ctx context.Context, params *ListAccountRolesI
 
 type ListAccountRolesInput struct {
 
-	// The token issued by the CreateToken API call. For more information, see
+	// The token issued by the CreateToken API call. For more information, see [CreateToken] in the
-	// CreateToken (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/API_CreateToken.html)
+	// IAM Identity Center OIDC API Reference Guide.
-	// in the IAM Identity Center OIDC API Reference Guide.
+	//
+	// [CreateToken]: https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/API_CreateToken.html
 	//
 	// This member is required.
 	AccessToken *string

vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_ListAccounts.go

@@ -12,9 +12,10 @@ import (
 )
 
 // Lists all AWS accounts assigned to the user. These AWS accounts are assigned by
-// the administrator of the account. For more information, see Assign User Access (https://docs.aws.amazon.com/singlesignon/latest/userguide/useraccess.html#assignusers)
+// the administrator of the account. For more information, see [Assign User Access]in the IAM Identity
-// in the IAM Identity Center User Guide. This operation returns a paginated
+// Center User Guide. This operation returns a paginated response.
-// response.
+//
+// [Assign User Access]: https://docs.aws.amazon.com/singlesignon/latest/userguide/useraccess.html#assignusers
 func (c *Client) ListAccounts(ctx context.Context, params *ListAccountsInput, optFns ...func(*Options)) (*ListAccountsOutput, error) {
 	if params == nil {
 		params = &ListAccountsInput{}
@@ -32,9 +33,10 @@ func (c *Client) ListAccounts(ctx context.Context, params *ListAccountsInput, op
 
 type ListAccountsInput struct {
 
-	// The token issued by the CreateToken API call. For more information, see
+	// The token issued by the CreateToken API call. For more information, see [CreateToken] in the
-	// CreateToken (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/API_CreateToken.html)
+	// IAM Identity Center OIDC API Reference Guide.
-	// in the IAM Identity Center OIDC API Reference Guide.
+	//
+	// [CreateToken]: https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/API_CreateToken.html
 	//
 	// This member is required.
 	AccessToken *string

vendor/github.com/aws/aws-sdk-go-v2/service/sso/api_op_Logout.go

@@ -12,16 +12,20 @@ import (
 
 // Removes the locally stored SSO tokens from the client-side cache and sends an
 // API call to the IAM Identity Center service to invalidate the corresponding
-// server-side IAM Identity Center sign in session. If a user uses IAM Identity
+// server-side IAM Identity Center sign in session.
-// Center to access the AWS CLI, the user’s IAM Identity Center sign in session is
+//
-// used to obtain an IAM session, as specified in the corresponding IAM Identity
+// If a user uses IAM Identity Center to access the AWS CLI, the user’s IAM
-// Center permission set. More specifically, IAM Identity Center assumes an IAM
+// Identity Center sign in session is used to obtain an IAM session, as specified
-// role in the target account on behalf of the user, and the corresponding
+// in the corresponding IAM Identity Center permission set. More specifically, IAM
-// temporary AWS credentials are returned to the client. After user logout, any
+// Identity Center assumes an IAM role in the target account on behalf of the user,
-// existing IAM role sessions that were created by using IAM Identity Center
+// and the corresponding temporary AWS credentials are returned to the client.
-// permission sets continue based on the duration configured in the permission set.
+//
-// For more information, see User authentications (https://docs.aws.amazon.com/singlesignon/latest/userguide/authconcept.html)
+// After user logout, any existing IAM role sessions that were created by using
-// in the IAM Identity Center User Guide.
+// IAM Identity Center permission sets continue based on the duration configured in
+// the permission set. For more information, see [User authentications]in the IAM Identity Center User
+// Guide.
+//
+// [User authentications]: https://docs.aws.amazon.com/singlesignon/latest/userguide/authconcept.html
 func (c *Client) Logout(ctx context.Context, params *LogoutInput, optFns ...func(*Options)) (*LogoutOutput, error) {
 	if params == nil {
 		params = &LogoutInput{}
@@ -39,9 +43,10 @@ func (c *Client) Logout(ctx context.Context, params *LogoutInput, optFns ...func
 
 type LogoutInput struct {
 
-	// The token issued by the CreateToken API call. For more information, see
+	// The token issued by the CreateToken API call. For more information, see [CreateToken] in the
-	// CreateToken (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/API_CreateToken.html)
+	// IAM Identity Center OIDC API Reference Guide.
-	// in the IAM Identity Center OIDC API Reference Guide.
+	//
+	// [CreateToken]: https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/API_CreateToken.html
 	//
 	// This member is required.
 	AccessToken *string

vendor/github.com/aws/aws-sdk-go-v2/service/sso/deserializers.go

@@ -13,12 +13,22 @@ import (
 	smithyio "github.com/aws/smithy-go/io"
 	"github.com/aws/smithy-go/middleware"
 	"github.com/aws/smithy-go/ptr"
+	smithytime "github.com/aws/smithy-go/time"
 	smithyhttp "github.com/aws/smithy-go/transport/http"
 	"io"
 	"io/ioutil"
 	"strings"
+	"time"
 )
 
+func deserializeS3Expires(v string) (*time.Time, error) {
+	t, err := smithytime.ParseHTTPDate(v)
+	if err != nil {
+		return nil, nil
+	}
+	return &t, nil
+}
+
 type awsRestjson1_deserializeOpGetRoleCredentials struct {
 }
 

vendor/github.com/aws/aws-sdk-go-v2/service/sso/doc.go

@@ -6,16 +6,22 @@
 // AWS IAM Identity Center (successor to AWS Single Sign-On) Portal is a web
 // service that makes it easy for you to assign user access to IAM Identity Center
 // resources such as the AWS access portal. Users can get AWS account applications
-// and roles assigned to them and get federated into the application. Although AWS
+// and roles assigned to them and get federated into the application.
-// Single Sign-On was renamed, the sso and identitystore API namespaces will
+//
-// continue to retain their original name for backward compatibility purposes. For
+// Although AWS Single Sign-On was renamed, the sso and identitystore API
-// more information, see IAM Identity Center rename (https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html#renamed)
+// namespaces will continue to retain their original name for backward
-// . This reference guide describes the IAM Identity Center Portal operations that
+// compatibility purposes. For more information, see [IAM Identity Center rename].
+//
+// This reference guide describes the IAM Identity Center Portal operations that
 // you can call programatically and includes detailed information on data types and
-// errors. AWS provides SDKs that consist of libraries and sample code for various
+// errors.
+//
+// AWS provides SDKs that consist of libraries and sample code for various
 // programming languages and platforms, such as Java, Ruby, .Net, iOS, or Android.
 // The SDKs provide a convenient way to create programmatic access to IAM Identity
 // Center and other AWS services. For more information about the AWS SDKs,
-// including how to download and install them, see Tools for Amazon Web Services (http://aws.amazon.com/tools/)
+// including how to download and install them, see [Tools for Amazon Web Services].
-// .
+//
+// [Tools for Amazon Web Services]: http://aws.amazon.com/tools/
+// [IAM Identity Center rename]: https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html#renamed
 package sso

vendor/github.com/aws/aws-sdk-go-v2/service/sso/go_module_metadata.go

@@ -3,4 +3,4 @@
 package sso
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.20.5"
+const goModuleVersion = "1.20.9"

vendor/github.com/aws/aws-sdk-go-v2/service/sso/options.go

@@ -50,8 +50,10 @@ type Options struct {
 	// Deprecated: Deprecated: EndpointResolver and WithEndpointResolver. Providing a
 	// value for this field will likely prevent you from using any endpoint-related
 	// service features released after the introduction of EndpointResolverV2 and
-	// BaseEndpoint. To migrate an EndpointResolver implementation that uses a custom
+	// BaseEndpoint.
-	// endpoint, set the client option BaseEndpoint instead.
+	//
+	// To migrate an EndpointResolver implementation that uses a custom endpoint, set
+	// the client option BaseEndpoint instead.
 	EndpointResolver EndpointResolver
 
 	// Resolves the endpoint used for a particular service operation. This should be
@@ -70,17 +72,20 @@ type Options struct {
 	// RetryMaxAttempts specifies the maximum number attempts an API client will call
 	// an operation that fails with a retryable error. A value of 0 is ignored, and
 	// will not be used to configure the API client created default retryer, or modify
-	// per operation call's retry max attempts. If specified in an operation call's
+	// per operation call's retry max attempts.
-	// functional options with a value that is different than the constructed client's
+	//
-	// Options, the Client's Retryer will be wrapped to use the operation's specific
+	// If specified in an operation call's functional options with a value that is
-	// RetryMaxAttempts value.
+	// different than the constructed client's Options, the Client's Retryer will be
+	// wrapped to use the operation's specific RetryMaxAttempts value.
 	RetryMaxAttempts int
 
 	// RetryMode specifies the retry mode the API client will be created with, if
-	// Retryer option is not also specified. When creating a new API Clients this
+	// Retryer option is not also specified.
-	// member will only be used if the Retryer Options member is nil. This value will
+	//
-	// be ignored if Retryer is not nil. Currently does not support per operation call
+	// When creating a new API Clients this member will only be used if the Retryer
-	// overrides, may in the future.
+	// Options member is nil. This value will be ignored if Retryer is not nil.
+	//
+	// Currently does not support per operation call overrides, may in the future.
 	RetryMode aws.RetryMode
 
 	// Retryer guides how HTTP requests should be retried in case of recoverable
@@ -97,8 +102,9 @@ type Options struct {
 
 	// The initial DefaultsMode used when the client options were constructed. If the
 	// DefaultsMode was set to aws.DefaultsModeAuto this will store what the resolved
-	// value was at that point in time. Currently does not support per operation call
+	// value was at that point in time.
-	// overrides, may in the future.
+	//
+	// Currently does not support per operation call overrides, may in the future.
 	resolvedDefaultsMode aws.DefaultsMode
 
 	// The HTTP client to invoke API calls with. Defaults to client's default HTTP
@@ -143,6 +149,7 @@ func WithAPIOptions(optFns ...func(*middleware.Stack) error) func(*Options) {
 // Deprecated: EndpointResolver and WithEndpointResolver. Providing a value for
 // this field will likely prevent you from using any endpoint-related service
 // features released after the introduction of EndpointResolverV2 and BaseEndpoint.
+//
 // To migrate an EndpointResolver implementation that uses a custom endpoint, set
 // the client option BaseEndpoint instead.
 func WithEndpointResolver(v EndpointResolver) func(*Options) {

vendor/github.com/aws/aws-sdk-go-v2/service/sso/types/types.go

@@ -25,22 +25,24 @@ type AccountInfo struct {
 type RoleCredentials struct {
 
 	// The identifier used for the temporary security credentials. For more
-	// information, see Using Temporary Security Credentials to Request Access to AWS
+	// information, see [Using Temporary Security Credentials to Request Access to AWS Resources]in the AWS IAM User Guide.
-	// Resources (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html)
+	//
-	// in the AWS IAM User Guide.
+	// [Using Temporary Security Credentials to Request Access to AWS Resources]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
 	AccessKeyId *string
 
 	// The date on which temporary security credentials expire.
 	Expiration int64
 
-	// The key that is used to sign the request. For more information, see Using
+	// The key that is used to sign the request. For more information, see [Using Temporary Security Credentials to Request Access to AWS Resources] in the AWS
-	// Temporary Security Credentials to Request Access to AWS Resources (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html)
+	// IAM User Guide.
-	// in the AWS IAM User Guide.
+	//
+	// [Using Temporary Security Credentials to Request Access to AWS Resources]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
 	SecretAccessKey *string
 
-	// The token used for temporary credentials. For more information, see Using
+	// The token used for temporary credentials. For more information, see [Using Temporary Security Credentials to Request Access to AWS Resources] in the AWS
-	// Temporary Security Credentials to Request Access to AWS Resources (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html)
+	// IAM User Guide.
-	// in the AWS IAM User Guide.
+	//
+	// [Using Temporary Security Credentials to Request Access to AWS Resources]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
 	SessionToken *string
 
 	noSmithyDocumentSerde

vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/CHANGELOG.md

@@ -1,3 +1,23 @@
+# v1.24.3 (2024-05-23)
+
+* No change notes available for this release.
+
+# v1.24.2 (2024-05-16)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.24.1 (2024-05-15)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.24.0 (2024-05-10)
+
+* **Feature**: Updated request parameters for PKCE support.
+
+# v1.23.5 (2024-05-08)
+
+* **Bug Fix**: GoDoc improvement
+
 # v1.23.4 (2024-03-29)
 
 * **Dependency Update**: Updated to the latest SDK module versions

vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_CreateToken.go

@@ -32,34 +32,43 @@ func (c *Client) CreateToken(ctx context.Context, params *CreateTokenInput, optF
 type CreateTokenInput struct {
 
 	// The unique identifier string for the client or application. This value comes
-	// from the result of the RegisterClient API.
+	// from the result of the RegisterClientAPI.
 	//
 	// This member is required.
 	ClientId *string
 
 	// A secret string generated for the client. This value should come from the
-	// persisted result of the RegisterClient API.
+	// persisted result of the RegisterClientAPI.
 	//
 	// This member is required.
 	ClientSecret *string
 
 	// Supports the following OAuth grant types: Device Code and Refresh Token.
 	// Specify either of the following values, depending on the grant type that you
-	// want: * Device Code - urn:ietf:params:oauth:grant-type:device_code * Refresh
+	// want:
-	// Token - refresh_token For information about how to obtain the device code, see
+	//
-	// the StartDeviceAuthorization topic.
+	// * Device Code - urn:ietf:params:oauth:grant-type:device_code
+	//
+	// * Refresh Token - refresh_token
+	//
+	// For information about how to obtain the device code, see the StartDeviceAuthorization topic.
 	//
 	// This member is required.
 	GrantType *string
 
 	// Used only when calling this API for the Authorization Code grant type. The
 	// short-term code is used to identify this authorization request. This grant type
-	// is currently unsupported for the CreateToken API.
+	// is currently unsupported for the CreateTokenAPI.
 	Code *string
 
+	// Used only when calling this API for the Authorization Code grant type. This
+	// value is generated by the client and presented to validate the original code
+	// challenge value the client passed at authorization time.
+	CodeVerifier *string
+
 	// Used only when calling this API for the Device Code grant type. This short-term
 	// code is used to identify this authorization request. This comes from the result
-	// of the StartDeviceAuthorization API.
+	// of the StartDeviceAuthorizationAPI.
 	DeviceCode *string
 
 	// Used only when calling this API for the Authorization Code grant type. This
@@ -69,16 +78,18 @@ type CreateTokenInput struct {
 
 	// Used only when calling this API for the Refresh Token grant type. This token is
 	// used to refresh short-term tokens, such as the access token, that might expire.
+	//
 	// For more information about the features and limitations of the current IAM
 	// Identity Center OIDC implementation, see Considerations for Using this Guide in
-	// the IAM Identity Center OIDC API Reference (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html)
+	// the [IAM Identity Center OIDC API Reference].
-	// .
+	//
+	// [IAM Identity Center OIDC API Reference]: https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html
 	RefreshToken *string
 
 	// The list of scopes for which authorization is requested. The access token that
 	// is issued is limited to the scopes that are granted. If this value is not
 	// specified, IAM Identity Center authorizes all scopes that are configured for the
-	// client during the call to RegisterClient .
+	// client during the call to RegisterClient.
 	Scope []string
 
 	noSmithyDocumentSerde
@@ -86,7 +97,8 @@ type CreateTokenInput struct {
 
 type CreateTokenOutput struct {
 
-	// A bearer token to access AWS accounts and applications assigned to a user.
+	// A bearer token to access Amazon Web Services accounts and applications assigned
+	// to a user.
 	AccessToken *string
 
 	// Indicates the time in seconds when an access token will expire.
@@ -94,18 +106,22 @@ type CreateTokenOutput struct {
 
 	// The idToken is not implemented or supported. For more information about the
 	// features and limitations of the current IAM Identity Center OIDC implementation,
-	// see Considerations for Using this Guide in the IAM Identity Center OIDC API
+	// see Considerations for Using this Guide in the [IAM Identity Center OIDC API Reference].
-	// Reference (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html)
+	//
-	// . A JSON Web Token (JWT) that identifies who is associated with the issued
+	// A JSON Web Token (JWT) that identifies who is associated with the issued access
-	// access token.
+	// token.
+	//
+	// [IAM Identity Center OIDC API Reference]: https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html
 	IdToken *string
 
 	// A token that, if present, can be used to refresh a previously issued access
-	// token that might have expired. For more information about the features and
+	// token that might have expired.
-	// limitations of the current IAM Identity Center OIDC implementation, see
+	//
-	// Considerations for Using this Guide in the IAM Identity Center OIDC API
+	// For more information about the features and limitations of the current IAM
-	// Reference (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html)
+	// Identity Center OIDC implementation, see Considerations for Using this Guide in
-	// .
+	// the [IAM Identity Center OIDC API Reference].
+	//
+	// [IAM Identity Center OIDC API Reference]: https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html
 	RefreshToken *string
 
 	// Used to notify the client that the returned token is an access token. The

vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_CreateTokenWithIAM.go

@@ -12,8 +12,8 @@ import (
 
 // Creates and returns access and refresh tokens for clients and applications that
 // are authenticated using IAM entities. The access token can be used to fetch
-// short-term credentials for the assigned AWS accounts or to access application
+// short-term credentials for the assigned Amazon Web Services accounts or to
-// APIs using bearer authentication.
+// access application APIs using bearer authentication.
 func (c *Client) CreateTokenWithIAM(ctx context.Context, params *CreateTokenWithIAMInput, optFns ...func(*Options)) (*CreateTokenWithIAMOutput, error) {
 	if params == nil {
 		params = &CreateTokenWithIAMInput{}
@@ -39,10 +39,15 @@ type CreateTokenWithIAMInput struct {
 
 	// Supports the following OAuth grant types: Authorization Code, Refresh Token,
 	// JWT Bearer, and Token Exchange. Specify one of the following values, depending
-	// on the grant type that you want: * Authorization Code - authorization_code *
+	// on the grant type that you want:
-	// Refresh Token - refresh_token * JWT Bearer -
+	//
-	// urn:ietf:params:oauth:grant-type:jwt-bearer * Token Exchange -
+	// * Authorization Code - authorization_code
-	// urn:ietf:params:oauth:grant-type:token-exchange
+	//
+	// * Refresh Token - refresh_token
+	//
+	// * JWT Bearer - urn:ietf:params:oauth:grant-type:jwt-bearer
+	//
+	// * Token Exchange - urn:ietf:params:oauth:grant-type:token-exchange
 	//
 	// This member is required.
 	GrantType *string
@@ -59,6 +64,11 @@ type CreateTokenWithIAMInput struct {
 	// in the Authorization Code GrantOptions for the application.
 	Code *string
 
+	// Used only when calling this API for the Authorization Code grant type. This
+	// value is generated by the client and presented to validate the original code
+	// challenge value the client passed at authorization time.
+	CodeVerifier *string
+
 	// Used only when calling this API for the Authorization Code grant type. This
 	// value specifies the location of the client or application that has registered to
 	// receive the authorization code.
@@ -66,16 +76,21 @@ type CreateTokenWithIAMInput struct {
 
 	// Used only when calling this API for the Refresh Token grant type. This token is
 	// used to refresh short-term tokens, such as the access token, that might expire.
+	//
 	// For more information about the features and limitations of the current IAM
 	// Identity Center OIDC implementation, see Considerations for Using this Guide in
-	// the IAM Identity Center OIDC API Reference (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html)
+	// the [IAM Identity Center OIDC API Reference].
-	// .
+	//
+	// [IAM Identity Center OIDC API Reference]: https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html
 	RefreshToken *string
 
 	// Used only when calling this API for the Token Exchange grant type. This value
 	// specifies the type of token that the requester can receive. The following values
-	// are supported: * Access Token - urn:ietf:params:oauth:token-type:access_token *
+	// are supported:
-	// Refresh Token - urn:ietf:params:oauth:token-type:refresh_token
+	//
+	// * Access Token - urn:ietf:params:oauth:token-type:access_token
+	//
+	// * Refresh Token - urn:ietf:params:oauth:token-type:refresh_token
 	RequestedTokenType *string
 
 	// The list of scopes for which authorization is requested. The access token that
@@ -94,8 +109,9 @@ type CreateTokenWithIAMInput struct {
 
 	// Used only when calling this API for the Token Exchange grant type. This value
 	// specifies the type of token that is passed as the subject of the exchange. The
-	// following value is supported: * Access Token -
+	// following value is supported:
-	// urn:ietf:params:oauth:token-type:access_token
+	//
+	// * Access Token - urn:ietf:params:oauth:token-type:access_token
 	SubjectTokenType *string
 
 	noSmithyDocumentSerde
@@ -103,7 +119,8 @@ type CreateTokenWithIAMInput struct {
 
 type CreateTokenWithIAMOutput struct {
 
-	// A bearer token to access AWS accounts and applications assigned to a user.
+	// A bearer token to access Amazon Web Services accounts and applications assigned
+	// to a user.
 	AccessToken *string
 
 	// Indicates the time in seconds when an access token will expire.
@@ -114,17 +131,21 @@ type CreateTokenWithIAMOutput struct {
 	IdToken *string
 
 	// Indicates the type of tokens that are issued by IAM Identity Center. The
-	// following values are supported: * Access Token -
+	// following values are supported:
-	// urn:ietf:params:oauth:token-type:access_token * Refresh Token -
+	//
-	// urn:ietf:params:oauth:token-type:refresh_token
+	// * Access Token - urn:ietf:params:oauth:token-type:access_token
+	//
+	// * Refresh Token - urn:ietf:params:oauth:token-type:refresh_token
 	IssuedTokenType *string
 
 	// A token that, if present, can be used to refresh a previously issued access
-	// token that might have expired. For more information about the features and
+	// token that might have expired.
-	// limitations of the current IAM Identity Center OIDC implementation, see
+	//
-	// Considerations for Using this Guide in the IAM Identity Center OIDC API
+	// For more information about the features and limitations of the current IAM
-	// Reference (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html)
+	// Identity Center OIDC implementation, see Considerations for Using this Guide in
-	// .
+	// the [IAM Identity Center OIDC API Reference].
+	//
+	// [IAM Identity Center OIDC API Reference]: https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html
 	RefreshToken *string
 
 	// The list of scopes for which authorization is granted. The access token that is

vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_RegisterClient.go

@@ -41,6 +41,25 @@ type RegisterClientInput struct {
 	// This member is required.
 	ClientType *string
 
+	// This IAM Identity Center application ARN is used to define
+	// administrator-managed configuration for public client access to resources. At
+	// authorization, the scopes, grants, and redirect URI available to this client
+	// will be restricted by this application resource.
+	EntitledApplicationArn *string
+
+	// The list of OAuth 2.0 grant types that are defined by the client. This list is
+	// used to restrict the token granting flows available to the client.
+	GrantTypes []string
+
+	// The IAM Identity Center Issuer URL associated with an instance of IAM Identity
+	// Center. This value is needed for user access to resources through the client.
+	IssuerUrl *string
+
+	// The list of redirect URI that are defined by the client. At completion of
+	// authorization, this list is used to restrict what locations the user agent can
+	// be redirected back to.
+	RedirectUris []string
+
 	// The list of scopes that are defined by the client. Upon authorization, this
 	// list is used to restrict permissions when granting an access token.
 	Scopes []string

vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/api_op_StartDeviceAuthorization.go

@@ -30,22 +30,23 @@ func (c *Client) StartDeviceAuthorization(ctx context.Context, params *StartDevi
 type StartDeviceAuthorizationInput struct {
 
 	// The unique identifier string for the client that is registered with IAM
-	// Identity Center. This value should come from the persisted result of the
+	// Identity Center. This value should come from the persisted result of the RegisterClientAPI
-	// RegisterClient API operation.
+	// operation.
 	//
 	// This member is required.
 	ClientId *string
 
 	// A secret string that is generated for the client. This value should come from
-	// the persisted result of the RegisterClient API operation.
+	// the persisted result of the RegisterClientAPI operation.
 	//
 	// This member is required.
 	ClientSecret *string
 
-	// The URL for the Amazon Web Services access portal. For more information, see
+	// The URL for the Amazon Web Services access portal. For more information, see [Using the Amazon Web Services access portal]
-	// Using the Amazon Web Services access portal (https://docs.aws.amazon.com/singlesignon/latest/userguide/using-the-portal.html)
 	// in the IAM Identity Center User Guide.
 	//
+	// [Using the Amazon Web Services access portal]: https://docs.aws.amazon.com/singlesignon/latest/userguide/using-the-portal.html
+	//
 	// This member is required.
 	StartUrl *string
 

vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/deserializers.go

@@ -13,11 +13,21 @@ import (
 	smithyio "github.com/aws/smithy-go/io"
 	"github.com/aws/smithy-go/middleware"
 	"github.com/aws/smithy-go/ptr"
+	smithytime "github.com/aws/smithy-go/time"
 	smithyhttp "github.com/aws/smithy-go/transport/http"
 	"io"
 	"strings"
+	"time"
 )
 
+func deserializeS3Expires(v string) (*time.Time, error) {
+	t, err := smithytime.ParseHTTPDate(v)
+	if err != nil {
+		return nil, nil
+	}
+	return &t, nil
+}
+
 type awsRestjson1_deserializeOpCreateToken struct {
 }
 
@@ -581,12 +591,18 @@ func awsRestjson1_deserializeOpErrorRegisterClient(response *smithyhttp.Response
 	case strings.EqualFold("InvalidClientMetadataException", errorCode):
 		return awsRestjson1_deserializeErrorInvalidClientMetadataException(response, errorBody)
 
+	case strings.EqualFold("InvalidRedirectUriException", errorCode):
+		return awsRestjson1_deserializeErrorInvalidRedirectUriException(response, errorBody)
+
 	case strings.EqualFold("InvalidRequestException", errorCode):
 		return awsRestjson1_deserializeErrorInvalidRequestException(response, errorBody)
 
 	case strings.EqualFold("InvalidScopeException", errorCode):
 		return awsRestjson1_deserializeErrorInvalidScopeException(response, errorBody)
 
+	case strings.EqualFold("UnsupportedGrantTypeException", errorCode):
+		return awsRestjson1_deserializeErrorUnsupportedGrantTypeException(response, errorBody)
+
 	default:
 		genericError := &smithy.GenericAPIError{
 			Code:    errorCode,
@@ -1158,6 +1174,42 @@ func awsRestjson1_deserializeErrorInvalidGrantException(response *smithyhttp.Res
 	return output
 }
 
+func awsRestjson1_deserializeErrorInvalidRedirectUriException(response *smithyhttp.Response, errorBody *bytes.Reader) error {
+	output := &types.InvalidRedirectUriException{}
+	var buff [1024]byte
+	ringBuffer := smithyio.NewRingBuffer(buff[:])
+
+	body := io.TeeReader(errorBody, ringBuffer)
+	decoder := json.NewDecoder(body)
+	decoder.UseNumber()
+	var shape interface{}
+	if err := decoder.Decode(&shape); err != nil && err != io.EOF {
+		var snapshot bytes.Buffer
+		io.Copy(&snapshot, ringBuffer)
+		err = &smithy.DeserializationError{
+			Err:      fmt.Errorf("failed to decode response body, %w", err),
+			Snapshot: snapshot.Bytes(),
+		}
+		return err
+	}
+
+	err := awsRestjson1_deserializeDocumentInvalidRedirectUriException(&output, shape)
+
+	if err != nil {
+		var snapshot bytes.Buffer
+		io.Copy(&snapshot, ringBuffer)
+		err = &smithy.DeserializationError{
+			Err:      fmt.Errorf("failed to decode response body, %w", err),
+			Snapshot: snapshot.Bytes(),
+		}
+		return err
+	}
+
+	errorBody.Seek(0, io.SeekStart)
+
+	return output
+}
+
 func awsRestjson1_deserializeErrorInvalidRequestException(response *smithyhttp.Response, errorBody *bytes.Reader) error {
 	output := &types.InvalidRequestException{}
 	var buff [1024]byte
@@ -1717,6 +1769,55 @@ func awsRestjson1_deserializeDocumentInvalidGrantException(v **types.InvalidGran
 	return nil
 }
 
+func awsRestjson1_deserializeDocumentInvalidRedirectUriException(v **types.InvalidRedirectUriException, value interface{}) error {
+	if v == nil {
+		return fmt.Errorf("unexpected nil of type %T", v)
+	}
+	if value == nil {
+		return nil
+	}
+
+	shape, ok := value.(map[string]interface{})
+	if !ok {
+		return fmt.Errorf("unexpected JSON type %v", value)
+	}
+
+	var sv *types.InvalidRedirectUriException
+	if *v == nil {
+		sv = &types.InvalidRedirectUriException{}
+	} else {
+		sv = *v
+	}
+
+	for key, value := range shape {
+		switch key {
+		case "error":
+			if value != nil {
+				jtv, ok := value.(string)
+				if !ok {
+					return fmt.Errorf("expected Error to be of type string, got %T instead", value)
+				}
+				sv.Error_ = ptr.String(jtv)
+			}
+
+		case "error_description":
+			if value != nil {
+				jtv, ok := value.(string)
+				if !ok {
+					return fmt.Errorf("expected ErrorDescription to be of type string, got %T instead", value)
+				}
+				sv.Error_description = ptr.String(jtv)
+			}
+
+		default:
+			_, _ = key, value
+
+		}
+	}
+	*v = sv
+	return nil
+}
+
 func awsRestjson1_deserializeDocumentInvalidRequestException(v **types.InvalidRequestException, value interface{}) error {
 	if v == nil {
 		return fmt.Errorf("unexpected nil of type %T", v)

vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/doc.go

@@ -6,33 +6,41 @@
 // IAM Identity Center OpenID Connect (OIDC) is a web service that enables a
 // client (such as CLI or a native application) to register with IAM Identity
 // Center. The service also enables the client to fetch the user’s access token
-// upon successful authentication and authorization with IAM Identity Center. IAM
+// upon successful authentication and authorization with IAM Identity Center.
-// Identity Center uses the sso and identitystore API namespaces. Considerations
+//
-// for Using This Guide Before you begin using this guide, we recommend that you
+// IAM Identity Center uses the sso and identitystore API namespaces.
-// first review the following important information about how the IAM Identity
+//
-// Center OIDC service works.
+// # Considerations for Using This Guide
+//
+// Before you begin using this guide, we recommend that you first review the
+// following important information about how the IAM Identity Center OIDC service
+// works.
+//
 //   - The IAM Identity Center OIDC service currently implements only the portions
-//     of the OAuth 2.0 Device Authorization Grant standard (
+//     of the OAuth 2.0 Device Authorization Grant standard ([https://tools.ietf.org/html/rfc8628] ) that are necessary to
-//     https://tools.ietf.org/html/rfc8628 (https://tools.ietf.org/html/rfc8628) )
+//     enable single sign-on authentication with the CLI.
-//     that are necessary to enable single sign-on authentication with the CLI.
+//
 //   - With older versions of the CLI, the service only emits OIDC access tokens,
 //     so to obtain a new token, users must explicitly re-authenticate. To access the
 //     OIDC flow that supports token refresh and doesn’t require re-authentication,
 //     update to the latest CLI version (1.27.10 for CLI V1 and 2.9.0 for CLI V2) with
 //     support for OIDC token refresh and configurable IAM Identity Center session
-//     durations. For more information, see Configure Amazon Web Services access
+//     durations. For more information, see [Configure Amazon Web Services access portal session duration].
-//     portal session duration  (https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-user-session.html)
+//
-//     .
 //   - The access tokens provided by this service grant access to all Amazon Web
 //     Services account entitlements assigned to an IAM Identity Center user, not just
 //     a particular application.
+//
 //   - The documentation in this guide does not describe the mechanism to convert
 //     the access token into Amazon Web Services Auth (“sigv4”) credentials for use
 //     with IAM-protected Amazon Web Services service endpoints. For more information,
-//     see GetRoleCredentials (https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/API_GetRoleCredentials.html)
+//     see [GetRoleCredentials]in the IAM Identity Center Portal API Reference Guide.
-//     in the IAM Identity Center Portal API Reference Guide.
 //
-// For general information about IAM Identity Center, see What is IAM Identity
+// For general information about IAM Identity Center, see [What is IAM Identity Center?] in the IAM Identity
-// Center? (https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html)
+// Center User Guide.
-// in the IAM Identity Center User Guide.
+//
+// [Configure Amazon Web Services access portal session duration]: https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-user-session.html
+// [GetRoleCredentials]: https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/API_GetRoleCredentials.html
+// [https://tools.ietf.org/html/rfc8628]: https://tools.ietf.org/html/rfc8628
+// [What is IAM Identity Center?]: https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html
 package ssooidc

vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/go_module_metadata.go

@@ -3,4 +3,4 @@
 package ssooidc
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.23.4"
+const goModuleVersion = "1.24.3"

vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/options.go

@@ -50,8 +50,10 @@ type Options struct {
 	// Deprecated: Deprecated: EndpointResolver and WithEndpointResolver. Providing a
 	// value for this field will likely prevent you from using any endpoint-related
 	// service features released after the introduction of EndpointResolverV2 and
-	// BaseEndpoint. To migrate an EndpointResolver implementation that uses a custom
+	// BaseEndpoint.
-	// endpoint, set the client option BaseEndpoint instead.
+	//
+	// To migrate an EndpointResolver implementation that uses a custom endpoint, set
+	// the client option BaseEndpoint instead.
 	EndpointResolver EndpointResolver
 
 	// Resolves the endpoint used for a particular service operation. This should be
@@ -70,17 +72,20 @@ type Options struct {
 	// RetryMaxAttempts specifies the maximum number attempts an API client will call
 	// an operation that fails with a retryable error. A value of 0 is ignored, and
 	// will not be used to configure the API client created default retryer, or modify
-	// per operation call's retry max attempts. If specified in an operation call's
+	// per operation call's retry max attempts.
-	// functional options with a value that is different than the constructed client's
+	//
-	// Options, the Client's Retryer will be wrapped to use the operation's specific
+	// If specified in an operation call's functional options with a value that is
-	// RetryMaxAttempts value.
+	// different than the constructed client's Options, the Client's Retryer will be
+	// wrapped to use the operation's specific RetryMaxAttempts value.
 	RetryMaxAttempts int
 
 	// RetryMode specifies the retry mode the API client will be created with, if
-	// Retryer option is not also specified. When creating a new API Clients this
+	// Retryer option is not also specified.
-	// member will only be used if the Retryer Options member is nil. This value will
+	//
-	// be ignored if Retryer is not nil. Currently does not support per operation call
+	// When creating a new API Clients this member will only be used if the Retryer
-	// overrides, may in the future.
+	// Options member is nil. This value will be ignored if Retryer is not nil.
+	//
+	// Currently does not support per operation call overrides, may in the future.
 	RetryMode aws.RetryMode
 
 	// Retryer guides how HTTP requests should be retried in case of recoverable
@@ -97,8 +102,9 @@ type Options struct {
 
 	// The initial DefaultsMode used when the client options were constructed. If the
 	// DefaultsMode was set to aws.DefaultsModeAuto this will store what the resolved
-	// value was at that point in time. Currently does not support per operation call
+	// value was at that point in time.
-	// overrides, may in the future.
+	//
+	// Currently does not support per operation call overrides, may in the future.
 	resolvedDefaultsMode aws.DefaultsMode
 
 	// The HTTP client to invoke API calls with. Defaults to client's default HTTP
@@ -143,6 +149,7 @@ func WithAPIOptions(optFns ...func(*middleware.Stack) error) func(*Options) {
 // Deprecated: EndpointResolver and WithEndpointResolver. Providing a value for
 // this field will likely prevent you from using any endpoint-related service
 // features released after the introduction of EndpointResolverV2 and BaseEndpoint.
+//
 // To migrate an EndpointResolver implementation that uses a custom endpoint, set
 // the client option BaseEndpoint instead.
 func WithEndpointResolver(v EndpointResolver) func(*Options) {

vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/serializers.go

@@ -95,6 +95,11 @@ func awsRestjson1_serializeOpDocumentCreateTokenInput(v *CreateTokenInput, value
 		ok.String(*v.Code)
 	}
 
+	if v.CodeVerifier != nil {
+		ok := object.Key("codeVerifier")
+		ok.String(*v.CodeVerifier)
+	}
+
 	if v.DeviceCode != nil {
 		ok := object.Key("deviceCode")
 		ok.String(*v.DeviceCode)
@@ -207,6 +212,11 @@ func awsRestjson1_serializeOpDocumentCreateTokenWithIAMInput(v *CreateTokenWithI
 		ok.String(*v.Code)
 	}
 
+	if v.CodeVerifier != nil {
+		ok := object.Key("codeVerifier")
+		ok.String(*v.CodeVerifier)
+	}
+
 	if v.GrantType != nil {
 		ok := object.Key("grantType")
 		ok.String(*v.GrantType)
@@ -324,6 +334,30 @@ func awsRestjson1_serializeOpDocumentRegisterClientInput(v *RegisterClientInput,
 		ok.String(*v.ClientType)
 	}
 
+	if v.EntitledApplicationArn != nil {
+		ok := object.Key("entitledApplicationArn")
+		ok.String(*v.EntitledApplicationArn)
+	}
+
+	if v.GrantTypes != nil {
+		ok := object.Key("grantTypes")
+		if err := awsRestjson1_serializeDocumentGrantTypes(v.GrantTypes, ok); err != nil {
+			return err
+		}
+	}
+
+	if v.IssuerUrl != nil {
+		ok := object.Key("issuerUrl")
+		ok.String(*v.IssuerUrl)
+	}
+
+	if v.RedirectUris != nil {
+		ok := object.Key("redirectUris")
+		if err := awsRestjson1_serializeDocumentRedirectUris(v.RedirectUris, ok); err != nil {
+			return err
+		}
+	}
+
 	if v.Scopes != nil {
 		ok := object.Key("scopes")
 		if err := awsRestjson1_serializeDocumentScopes(v.Scopes, ok); err != nil {
@@ -419,6 +453,28 @@ func awsRestjson1_serializeOpDocumentStartDeviceAuthorizationInput(v *StartDevic
 	return nil
 }
 
+func awsRestjson1_serializeDocumentGrantTypes(v []string, value smithyjson.Value) error {
+	array := value.Array()
+	defer array.Close()
+
+	for i := range v {
+		av := array.Value()
+		av.String(v[i])
+	}
+	return nil
+}
+
+func awsRestjson1_serializeDocumentRedirectUris(v []string, value smithyjson.Value) error {
+	array := value.Array()
+	defer array.Close()
+
+	for i := range v {
+		av := array.Value()
+		av.String(v[i])
+	}
+	return nil
+}
+
 func awsRestjson1_serializeDocumentScopes(v []string, value smithyjson.Value) error {
 	array := value.Array()
 	defer array.Close()

vendor/github.com/aws/aws-sdk-go-v2/service/ssooidc/types/errors.go

@@ -188,7 +188,7 @@ func (e *InvalidClientMetadataException) ErrorCode() string {
 func (e *InvalidClientMetadataException) ErrorFault() smithy.ErrorFault { return smithy.FaultClient }
 
 // Indicates that a request contains an invalid grant. This can occur if a client
-// makes a CreateToken request with an invalid grant type.
+// makes a CreateTokenrequest with an invalid grant type.
 type InvalidGrantException struct {
 	Message *string
 
@@ -217,6 +217,36 @@ func (e *InvalidGrantException) ErrorCode() string {
 }
 func (e *InvalidGrantException) ErrorFault() smithy.ErrorFault { return smithy.FaultClient }
 
+// Indicates that one or more redirect URI in the request is not supported for
+// this operation.
+type InvalidRedirectUriException struct {
+	Message *string
+
+	ErrorCodeOverride *string
+
+	Error_            *string
+	Error_description *string
+
+	noSmithyDocumentSerde
+}
+
+func (e *InvalidRedirectUriException) Error() string {
+	return fmt.Sprintf("%s: %s", e.ErrorCode(), e.ErrorMessage())
+}
+func (e *InvalidRedirectUriException) ErrorMessage() string {
+	if e.Message == nil {
+		return ""
+	}
+	return *e.Message
+}
+func (e *InvalidRedirectUriException) ErrorCode() string {
+	if e == nil || e.ErrorCodeOverride == nil {
+		return "InvalidRedirectUriException"
+	}
+	return *e.ErrorCodeOverride
+}
+func (e *InvalidRedirectUriException) ErrorFault() smithy.ErrorFault { return smithy.FaultClient }
+
 // Indicates that something is wrong with the input to the request. For example, a
 // required parameter might be missing or out of range.
 type InvalidRequestException struct {

vendor/github.com/aws/aws-sdk-go-v2/service/sts/CHANGELOG.md

@@ -1,3 +1,19 @@
+# v1.28.10 (2024-05-23)
+
+* No change notes available for this release.
+
+# v1.28.9 (2024-05-16)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.28.8 (2024-05-15)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.28.7 (2024-05-08)
+
+* **Bug Fix**: GoDoc improvement
+
 # v1.28.6 (2024-03-29)
 
 * **Dependency Update**: Updated to the latest SDK module versions

vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRole.go

@@ -16,69 +16,99 @@ import (
 // Amazon Web Services resources. These temporary credentials consist of an access
 // key ID, a secret access key, and a security token. Typically, you use AssumeRole
 // within your account or for cross-account access. For a comparison of AssumeRole
-// with other API operations that produce temporary credentials, see Requesting
+// with other API operations that produce temporary credentials, see [Requesting Temporary Security Credentials]and [Comparing the Amazon Web Services STS API operations] in the
-// Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
+// IAM User Guide.
-// and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
+//
-// in the IAM User Guide. Permissions The temporary security credentials created by
+// # Permissions
-// AssumeRole can be used to make API calls to any Amazon Web Services service
+//
-// with the following exception: You cannot call the Amazon Web Services STS
+// The temporary security credentials created by AssumeRole can be used to make
-// GetFederationToken or GetSessionToken API operations. (Optional) You can pass
+// API calls to any Amazon Web Services service with the following exception: You
-// inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
+// cannot call the Amazon Web Services STS GetFederationToken or GetSessionToken
-// to this operation. You can pass a single JSON policy document to use as an
+// API operations.
-// inline session policy. You can also specify up to 10 managed policy Amazon
+//
-// Resource Names (ARNs) to use as managed session policies. The plaintext that you
+// (Optional) You can pass inline or managed [session policies] to this operation. You can pass a
-// use for both inline and managed session policies can't exceed 2,048 characters.
+// single JSON policy document to use as an inline session policy. You can also
-// Passing policies to this operation returns new temporary credentials. The
+// specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed
-// resulting session's permissions are the intersection of the role's
+// session policies. The plaintext that you use for both inline and managed session
-// identity-based policy and the session policies. You can use the role's temporary
+// policies can't exceed 2,048 characters. Passing policies to this operation
-// credentials in subsequent Amazon Web Services API calls to access resources in
+// returns new temporary credentials. The resulting session's permissions are the
-// the account that owns the role. You cannot use session policies to grant more
+// intersection of the role's identity-based policy and the session policies. You
-// permissions than those allowed by the identity-based policy of the role that is
+// can use the role's temporary credentials in subsequent Amazon Web Services API
-// being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
+// calls to access resources in the account that owns the role. You cannot use
-// in the IAM User Guide. When you create a role, you create two policies: a role
+// session policies to grant more permissions than those allowed by the
-// trust policy that specifies who can assume the role, and a permissions policy
+// identity-based policy of the role that is being assumed. For more information,
-// that specifies what can be done with the role. You specify the trusted principal
+// see [Session Policies]in the IAM User Guide.
-// that is allowed to assume the role in the role trust policy. To assume a role
+//
-// from a different account, your Amazon Web Services account must be trusted by
+// When you create a role, you create two policies: a role trust policy that
-// the role. The trust relationship is defined in the role's trust policy when the
+// specifies who can assume the role, and a permissions policy that specifies what
-// role is created. That trust policy states which accounts are allowed to delegate
+// can be done with the role. You specify the trusted principal that is allowed to
-// that access to users in the account. A user who wants to access a role in a
+// assume the role in the role trust policy.
-// different account must also have permissions that are delegated from the account
+//
-// administrator. The administrator must attach a policy that allows the user to
+// To assume a role from a different account, your Amazon Web Services account
-// call AssumeRole for the ARN of the role in the other account. To allow a user
+// must be trusted by the role. The trust relationship is defined in the role's
-// to assume a role in the same account, you can do either of the following:
+// trust policy when the role is created. That trust policy states which accounts
+// are allowed to delegate that access to users in the account.
+//
+// A user who wants to access a role in a different account must also have
+// permissions that are delegated from the account administrator. The administrator
+// must attach a policy that allows the user to call AssumeRole for the ARN of the
+// role in the other account.
+//
+// To allow a user to assume a role in the same account, you can do either of the
+// following:
+//
 //   - Attach a policy to the user that allows the user to call AssumeRole (as long
 //     as the role's trust policy trusts the account).
+//
 //   - Add the user as a principal directly in the role's trust policy.
 //
 // You can do either because the role’s trust policy acts as an IAM resource-based
 // policy. When a resource-based policy grants access to a principal in the same
 // account, no additional identity-based policy is required. For more information
-// about trust policies and resource-based policies, see IAM Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)
+// about trust policies and resource-based policies, see [IAM Policies]in the IAM User Guide.
-// in the IAM User Guide. Tags (Optional) You can pass tag key-value pairs to your
+//
-// session. These tags are called session tags. For more information about session
+// # Tags
-// tags, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
+//
-// in the IAM User Guide. An administrator must grant you the permissions necessary
+// (Optional) You can pass tag key-value pairs to your session. These tags are
-// to pass session tags. The administrator can also create granular permissions to
+// called session tags. For more information about session tags, see [Passing Session Tags in STS]in the IAM
-// allow you to pass only specific session tags. For more information, see
+// User Guide.
-// Tutorial: Using Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
+//
-// in the IAM User Guide. You can set the session tags as transitive. Transitive
+// An administrator must grant you the permissions necessary to pass session tags.
-// tags persist during role chaining. For more information, see Chaining Roles
+// The administrator can also create granular permissions to allow you to pass only
-// with Session Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
+// specific session tags. For more information, see [Tutorial: Using Tags for Attribute-Based Access Control]in the IAM User Guide.
-// in the IAM User Guide. Using MFA with AssumeRole (Optional) You can include
+//
-// multi-factor authentication (MFA) information when you call AssumeRole . This is
+// You can set the session tags as transitive. Transitive tags persist during role
-// useful for cross-account scenarios to ensure that the user that assumes the role
+// chaining. For more information, see [Chaining Roles with Session Tags]in the IAM User Guide.
-// has been authenticated with an Amazon Web Services MFA device. In that scenario,
+//
-// the trust policy of the role being assumed includes a condition that tests for
+// # Using MFA with AssumeRole
-// MFA authentication. If the caller does not include valid MFA information, the
+//
-// request to assume the role is denied. The condition in a trust policy that tests
+// (Optional) You can include multi-factor authentication (MFA) information when
-// for MFA authentication might look like the following example. "Condition":
+// you call AssumeRole . This is useful for cross-account scenarios to ensure that
-// {"Bool": {"aws:MultiFactorAuthPresent": true}} For more information, see
+// the user that assumes the role has been authenticated with an Amazon Web
-// Configuring MFA-Protected API Access (https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html)
+// Services MFA device. In that scenario, the trust policy of the role being
-// in the IAM User Guide guide. To use MFA with AssumeRole , you pass values for
+// assumed includes a condition that tests for MFA authentication. If the caller
-// the SerialNumber and TokenCode parameters. The SerialNumber value identifies
+// does not include valid MFA information, the request to assume the role is
-// the user's hardware or virtual MFA device. The TokenCode is the time-based
+// denied. The condition in a trust policy that tests for MFA authentication might
-// one-time password (TOTP) that the MFA device produces.
+// look like the following example.
+//
+//	"Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}}
+//
+// For more information, see [Configuring MFA-Protected API Access] in the IAM User Guide guide.
+//
+// To use MFA with AssumeRole , you pass values for the SerialNumber and TokenCode
+// parameters. The SerialNumber value identifies the user's hardware or virtual
+// MFA device. The TokenCode is the time-based one-time password (TOTP) that the
+// MFA device produces.
+//
+// [Configuring MFA-Protected API Access]: https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html
+// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+// [Passing Session Tags in STS]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
+// [Chaining Roles with Session Tags]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
+// [Comparing the Amazon Web Services STS API operations]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
+// [session policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+// [IAM Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
+// [Requesting Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
+// [Tutorial: Using Tags for Attribute-Based Access Control]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
 func (c *Client) AssumeRole(ctx context.Context, params *AssumeRoleInput, optFns ...func(*Options)) (*AssumeRoleOutput, error) {
 	if params == nil {
 		params = &AssumeRoleInput{}
@@ -101,17 +131,19 @@ type AssumeRoleInput struct {
 	// This member is required.
 	RoleArn *string
 
-	// An identifier for the assumed role session. Use the role session name to
+	// An identifier for the assumed role session.
-	// uniquely identify a session when the same role is assumed by different
+	//
-	// principals or for different reasons. In cross-account scenarios, the role
+	// Use the role session name to uniquely identify a session when the same role is
-	// session name is visible to, and can be logged by the account that owns the role.
+	// assumed by different principals or for different reasons. In cross-account
-	// The role session name is also used in the ARN of the assumed role principal.
+	// scenarios, the role session name is visible to, and can be logged by the account
-	// This means that subsequent cross-account API requests that use the temporary
+	// that owns the role. The role session name is also used in the ARN of the assumed
-	// security credentials will expose the role session name to the external account
+	// role principal. This means that subsequent cross-account API requests that use
-	// in their CloudTrail logs. The regex used to validate this parameter is a string
+	// the temporary security credentials will expose the role session name to the
-	// of characters consisting of upper- and lower-case alphanumeric characters with
+	// external account in their CloudTrail logs.
-	// no spaces. You can also include underscores or any of the following characters:
+	//
-	// =,.@-
+	// The regex used to validate this parameter is a string of characters consisting
+	// of upper- and lower-case alphanumeric characters with no spaces. You can also
+	// include underscores or any of the following characters: =,.@-
 	//
 	// This member is required.
 	RoleSessionName *string
@@ -122,23 +154,27 @@ type AssumeRoleInput struct {
 	// hours. If you specify a value higher than this setting or the administrator
 	// setting (whichever is lower), the operation fails. For example, if you specify a
 	// session duration of 12 hours, but your administrator set the maximum session
-	// duration to 6 hours, your operation fails. Role chaining limits your Amazon Web
+	// duration to 6 hours, your operation fails.
-	// Services CLI or Amazon Web Services API role session to a maximum of one hour.
+	//
-	// When you use the AssumeRole API operation to assume a role, you can specify the
+	// Role chaining limits your Amazon Web Services CLI or Amazon Web Services API
-	// duration of your role session with the DurationSeconds parameter. You can
+	// role session to a maximum of one hour. When you use the AssumeRole API
-	// specify a parameter value of up to 43200 seconds (12 hours), depending on the
+	// operation to assume a role, you can specify the duration of your role session
-	// maximum session duration setting for your role. However, if you assume a role
+	// with the DurationSeconds parameter. You can specify a parameter value of up to
-	// using role chaining and provide a DurationSeconds parameter value greater than
+	// 43200 seconds (12 hours), depending on the maximum session duration setting for
-	// one hour, the operation fails. To learn how to view the maximum value for your
+	// your role. However, if you assume a role using role chaining and provide a
-	// role, see View the Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
+	// DurationSeconds parameter value greater than one hour, the operation fails. To
-	// in the IAM User Guide. By default, the value is set to 3600 seconds. The
+	// learn how to view the maximum value for your role, see [View the Maximum Session Duration Setting for a Role]in the IAM User Guide.
-	// DurationSeconds parameter is separate from the duration of a console session
+	//
-	// that you might request using the returned credentials. The request to the
+	// By default, the value is set to 3600 seconds.
-	// federation endpoint for a console sign-in token takes a SessionDuration
+	//
+	// The DurationSeconds parameter is separate from the duration of a console
+	// session that you might request using the returned credentials. The request to
+	// the federation endpoint for a console sign-in token takes a SessionDuration
 	// parameter that specifies the maximum length of the console session. For more
-	// information, see Creating a URL that Enables Federated Users to Access the
+	// information, see [Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console]in the IAM User Guide.
-	// Amazon Web Services Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
+	//
-	// in the IAM User Guide.
+	// [View the Maximum Session Duration Setting for a Role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
+	// [Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
 	DurationSeconds *int32
 
 	// A unique identifier that might be required when you assume a role in another
@@ -149,63 +185,79 @@ type AssumeRoleInput struct {
 	// the administrator of the trusting account might send an external ID to the
 	// administrator of the trusted account. That way, only someone with the ID can
 	// assume the role, rather than everyone in the account. For more information about
-	// the external ID, see How to Use an External ID When Granting Access to Your
+	// the external ID, see [How to Use an External ID When Granting Access to Your Amazon Web Services Resources to a Third Party]in the IAM User Guide.
-	// Amazon Web Services Resources to a Third Party (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html)
+	//
-	// in the IAM User Guide. The regex used to validate this parameter is a string of
+	// The regex used to validate this parameter is a string of characters consisting
-	// characters consisting of upper- and lower-case alphanumeric characters with no
+	// of upper- and lower-case alphanumeric characters with no spaces. You can also
-	// spaces. You can also include underscores or any of the following characters:
+	// include underscores or any of the following characters: =,.@:/-
-	// =,.@:/-
+	//
+	// [How to Use an External ID When Granting Access to Your Amazon Web Services Resources to a Third Party]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
 	ExternalId *string
 
 	// An IAM policy in JSON format that you want to use as an inline session policy.
+	//
 	// This parameter is optional. Passing policies to this operation returns new
 	// temporary credentials. The resulting session's permissions are the intersection
 	// of the role's identity-based policy and the session policies. You can use the
 	// role's temporary credentials in subsequent Amazon Web Services API calls to
 	// access resources in the account that owns the role. You cannot use session
 	// policies to grant more permissions than those allowed by the identity-based
-	// policy of the role that is being assumed. For more information, see Session
+	// policy of the role that is being assumed. For more information, see [Session Policies]in the IAM
-	// Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
+	// User Guide.
-	// in the IAM User Guide. The plaintext that you use for both inline and managed
+	//
-	// session policies can't exceed 2,048 characters. The JSON policy characters can
+	// The plaintext that you use for both inline and managed session policies can't
-	// be any ASCII character from the space character to the end of the valid
+	// exceed 2,048 characters. The JSON policy characters can be any ASCII character
-	// character list (\u0020 through \u00FF). It can also include the tab (\u0009),
+	// from the space character to the end of the valid character list (\u0020 through
-	// linefeed (\u000A), and carriage return (\u000D) characters. An Amazon Web
+	// \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage
-	// Services conversion compresses the passed inline session policy, managed policy
+	// return (\u000D) characters.
-	// ARNs, and session tags into a packed binary format that has a separate limit.
+	//
-	// Your request can fail for this limit even if your plaintext meets the other
+	// An Amazon Web Services conversion compresses the passed inline session policy,
-	// requirements. The PackedPolicySize response element indicates by percentage how
+	// managed policy ARNs, and session tags into a packed binary format that has a
-	// close the policies and tags for your request are to the upper size limit.
+	// separate limit. Your request can fail for this limit even if your plaintext
+	// meets the other requirements. The PackedPolicySize response element indicates
+	// by percentage how close the policies and tags for your request are to the upper
+	// size limit.
+	//
+	// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
 	Policy *string
 
 	// The Amazon Resource Names (ARNs) of the IAM managed policies that you want to
 	// use as managed session policies. The policies must exist in the same account as
-	// the role. This parameter is optional. You can provide up to 10 managed policy
+	// the role.
-	// ARNs. However, the plaintext that you use for both inline and managed session
+	//
-	// policies can't exceed 2,048 characters. For more information about ARNs, see
+	// This parameter is optional. You can provide up to 10 managed policy ARNs.
-	// Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
+	// However, the plaintext that you use for both inline and managed session policies
-	// in the Amazon Web Services General Reference. An Amazon Web Services conversion
+	// can't exceed 2,048 characters. For more information about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]in the
-	// compresses the passed inline session policy, managed policy ARNs, and session
+	// Amazon Web Services General Reference.
-	// tags into a packed binary format that has a separate limit. Your request can
+	//
-	// fail for this limit even if your plaintext meets the other requirements. The
+	// An Amazon Web Services conversion compresses the passed inline session policy,
-	// PackedPolicySize response element indicates by percentage how close the policies
+	// managed policy ARNs, and session tags into a packed binary format that has a
-	// and tags for your request are to the upper size limit. Passing policies to this
+	// separate limit. Your request can fail for this limit even if your plaintext
-	// operation returns new temporary credentials. The resulting session's permissions
+	// meets the other requirements. The PackedPolicySize response element indicates
-	// are the intersection of the role's identity-based policy and the session
+	// by percentage how close the policies and tags for your request are to the upper
-	// policies. You can use the role's temporary credentials in subsequent Amazon Web
+	// size limit.
-	// Services API calls to access resources in the account that owns the role. You
+	//
-	// cannot use session policies to grant more permissions than those allowed by the
+	// Passing policies to this operation returns new temporary credentials. The
-	// identity-based policy of the role that is being assumed. For more information,
+	// resulting session's permissions are the intersection of the role's
-	// see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
+	// identity-based policy and the session policies. You can use the role's temporary
-	// in the IAM User Guide.
+	// credentials in subsequent Amazon Web Services API calls to access resources in
+	// the account that owns the role. You cannot use session policies to grant more
+	// permissions than those allowed by the identity-based policy of the role that is
+	// being assumed. For more information, see [Session Policies]in the IAM User Guide.
+	//
+	// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+	// [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
 	PolicyArns []types.PolicyDescriptorType
 
 	// A list of previously acquired trusted context assertions in the format of a
 	// JSON array. The trusted context assertion is signed and encrypted by Amazon Web
-	// Services STS. The following is an example of a ProvidedContext value that
+	// Services STS.
-	// includes a single trusted context assertion and the ARN of the context provider
+	//
-	// from which the trusted context assertion was generated.
+	// The following is an example of a ProvidedContext value that includes a single
-	// [{"ProviderArn":"arn:aws:iam::aws:contextProvider/IdentityCenter","ContextAssertion":"trusted-context-assertion"}]
+	// trusted context assertion and the ARN of the context provider from which the
+	// trusted context assertion was generated.
+	//
+	//     [{"ProviderArn":"arn:aws:iam::aws:contextProvider/IdentityCenter","ContextAssertion":"trusted-context-assertion"}]
 	ProvidedContexts []types.ProvidedContext
 
 	// The identification number of the MFA device that is associated with the user
@@ -213,79 +265,97 @@ type AssumeRoleInput struct {
 	// the role being assumed includes a condition that requires MFA authentication.
 	// The value is either the serial number for a hardware device (such as
 	// GAHT12345678 ) or an Amazon Resource Name (ARN) for a virtual device (such as
-	// arn:aws:iam::123456789012:mfa/user ). The regex used to validate this parameter
+	// arn:aws:iam::123456789012:mfa/user ).
-	// is a string of characters consisting of upper- and lower-case alphanumeric
+	//
-	// characters with no spaces. You can also include underscores or any of the
+	// The regex used to validate this parameter is a string of characters consisting
-	// following characters: =,.@-
+	// of upper- and lower-case alphanumeric characters with no spaces. You can also
+	// include underscores or any of the following characters: =,.@-
 	SerialNumber *string
 
 	// The source identity specified by the principal that is calling the AssumeRole
-	// operation. You can require users to specify a source identity when they assume a
+	// operation.
-	// role. You do this by using the sts:SourceIdentity condition key in a role trust
+	//
-	// policy. You can use source identity information in CloudTrail logs to determine
+	// You can require users to specify a source identity when they assume a role. You
-	// who took actions with a role. You can use the aws:SourceIdentity condition key
+	// do this by using the sts:SourceIdentity condition key in a role trust policy.
-	// to further control access to Amazon Web Services resources based on the value of
+	// You can use source identity information in CloudTrail logs to determine who took
-	// source identity. For more information about using source identity, see Monitor
+	// actions with a role. You can use the aws:SourceIdentity condition key to
-	// and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
+	// further control access to Amazon Web Services resources based on the value of
-	// in the IAM User Guide. The regex used to validate this parameter is a string of
+	// source identity. For more information about using source identity, see [Monitor and control actions taken with assumed roles]in the
-	// characters consisting of upper- and lower-case alphanumeric characters with no
+	// IAM User Guide.
-	// spaces. You can also include underscores or any of the following characters:
+	//
-	// =,.@-. You cannot use a value that begins with the text aws: . This prefix is
+	// The regex used to validate this parameter is a string of characters consisting
-	// reserved for Amazon Web Services internal use.
+	// of upper- and lower-case alphanumeric characters with no spaces. You can also
+	// include underscores or any of the following characters: =,.@-. You cannot use a
+	// value that begins with the text aws: . This prefix is reserved for Amazon Web
+	// Services internal use.
+	//
+	// [Monitor and control actions taken with assumed roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
 	SourceIdentity *string
 
 	// A list of session tags that you want to pass. Each session tag consists of a
-	// key name and an associated value. For more information about session tags, see
+	// key name and an associated value. For more information about session tags, see [Tagging Amazon Web Services STS Sessions]
-	// Tagging Amazon Web Services STS Sessions (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
-	// in the IAM User Guide. This parameter is optional. You can pass up to 50 session
-	// tags. The plaintext session tag keys can’t exceed 128 characters, and the values
-	// can’t exceed 256 characters. For these and additional limits, see IAM and STS
-	// Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
-	// in the IAM User Guide. An Amazon Web Services conversion compresses the passed
-	// inline session policy, managed policy ARNs, and session tags into a packed
-	// binary format that has a separate limit. Your request can fail for this limit
-	// even if your plaintext meets the other requirements. The PackedPolicySize
-	// response element indicates by percentage how close the policies and tags for
-	// your request are to the upper size limit. You can pass a session tag with the
-	// same key as a tag that is already attached to the role. When you do, session
-	// tags override a role tag with the same key. Tag key–value pairs are not case
-	// sensitive, but case is preserved. This means that you cannot have separate
-	// Department and department tag keys. Assume that the role has the Department =
-	// Marketing tag and you pass the department = engineering session tag. Department
-	// and department are not saved as separate tags, and the session tag passed in
-	// the request takes precedence over the role tag. Additionally, if you used
-	// temporary credentials to perform this operation, the new session inherits any
-	// transitive session tags from the calling session. If you pass a session tag with
-	// the same key as an inherited tag, the operation fails. To view the inherited
-	// tags for a session, see the CloudTrail logs. For more information, see Viewing
-	// Session Tags in CloudTrail (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_ctlogs)
 	// in the IAM User Guide.
+	//
+	// This parameter is optional. You can pass up to 50 session tags. The plaintext
+	// session tag keys can’t exceed 128 characters, and the values can’t exceed 256
+	// characters. For these and additional limits, see [IAM and STS Character Limits]in the IAM User Guide.
+	//
+	// An Amazon Web Services conversion compresses the passed inline session policy,
+	// managed policy ARNs, and session tags into a packed binary format that has a
+	// separate limit. Your request can fail for this limit even if your plaintext
+	// meets the other requirements. The PackedPolicySize response element indicates
+	// by percentage how close the policies and tags for your request are to the upper
+	// size limit.
+	//
+	// You can pass a session tag with the same key as a tag that is already attached
+	// to the role. When you do, session tags override a role tag with the same key.
+	//
+	// Tag key–value pairs are not case sensitive, but case is preserved. This means
+	// that you cannot have separate Department and department tag keys. Assume that
+	// the role has the Department = Marketing tag and you pass the department =
+	// engineering session tag. Department and department are not saved as separate
+	// tags, and the session tag passed in the request takes precedence over the role
+	// tag.
+	//
+	// Additionally, if you used temporary credentials to perform this operation, the
+	// new session inherits any transitive session tags from the calling session. If
+	// you pass a session tag with the same key as an inherited tag, the operation
+	// fails. To view the inherited tags for a session, see the CloudTrail logs. For
+	// more information, see [Viewing Session Tags in CloudTrail]in the IAM User Guide.
+	//
+	// [Tagging Amazon Web Services STS Sessions]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
+	// [IAM and STS Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
+	// [Viewing Session Tags in CloudTrail]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_ctlogs
 	Tags []types.Tag
 
 	// The value provided by the MFA device, if the trust policy of the role being
 	// assumed requires MFA. (In other words, if the policy includes a condition that
 	// tests for MFA). If the role being assumed requires MFA and if the TokenCode
 	// value is missing or expired, the AssumeRole call returns an "access denied"
-	// error. The format for this parameter, as described by its regex pattern, is a
+	// error.
-	// sequence of six numeric digits.
+	//
+	// The format for this parameter, as described by its regex pattern, is a sequence
+	// of six numeric digits.
 	TokenCode *string
 
 	// A list of keys for session tags that you want to set as transitive. If you set
 	// a tag key as transitive, the corresponding key and value passes to subsequent
-	// sessions in a role chain. For more information, see Chaining Roles with Session
+	// sessions in a role chain. For more information, see [Chaining Roles with Session Tags]in the IAM User Guide.
-	// Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
+	//
-	// in the IAM User Guide. This parameter is optional. When you set session tags as
+	// This parameter is optional. When you set session tags as transitive, the
-	// transitive, the session policy and session tags packed binary limit is not
+	// session policy and session tags packed binary limit is not affected.
-	// affected. If you choose not to specify a transitive tag key, then no tags are
+	//
-	// passed from this session to any subsequent sessions.
+	// If you choose not to specify a transitive tag key, then no tags are passed from
+	// this session to any subsequent sessions.
+	//
+	// [Chaining Roles with Session Tags]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
 	TransitiveTagKeys []string
 
 	noSmithyDocumentSerde
 }
 
-// Contains the response to a successful AssumeRole request, including temporary
+// Contains the response to a successful AssumeRole request, including temporary Amazon Web
-// Amazon Web Services credentials that can be used to make Amazon Web Services
+// Services credentials that can be used to make Amazon Web Services requests.
-// requests.
 type AssumeRoleOutput struct {
 
 	// The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers
@@ -296,9 +366,10 @@ type AssumeRoleOutput struct {
 	AssumedRoleUser *types.AssumedRoleUser
 
 	// The temporary security credentials, which include an access key ID, a secret
-	// access key, and a security (or session) token. The size of the security token
+	// access key, and a security (or session) token.
-	// that STS API operations return is not fixed. We strongly recommend that you make
+	//
-	// no assumptions about the maximum size.
+	// The size of the security token that STS API operations return is not fixed. We
+	// strongly recommend that you make no assumptions about the maximum size.
 	Credentials *types.Credentials
 
 	// A percentage value that indicates the packed size of the session policies and
@@ -308,17 +379,21 @@ type AssumeRoleOutput struct {
 	PackedPolicySize *int32
 
 	// The source identity specified by the principal that is calling the AssumeRole
-	// operation. You can require users to specify a source identity when they assume a
+	// operation.
-	// role. You do this by using the sts:SourceIdentity condition key in a role trust
+	//
-	// policy. You can use source identity information in CloudTrail logs to determine
+	// You can require users to specify a source identity when they assume a role. You
-	// who took actions with a role. You can use the aws:SourceIdentity condition key
+	// do this by using the sts:SourceIdentity condition key in a role trust policy.
-	// to further control access to Amazon Web Services resources based on the value of
+	// You can use source identity information in CloudTrail logs to determine who took
-	// source identity. For more information about using source identity, see Monitor
+	// actions with a role. You can use the aws:SourceIdentity condition key to
-	// and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
+	// further control access to Amazon Web Services resources based on the value of
-	// in the IAM User Guide. The regex used to validate this parameter is a string of
+	// source identity. For more information about using source identity, see [Monitor and control actions taken with assumed roles]in the
-	// characters consisting of upper- and lower-case alphanumeric characters with no
+	// IAM User Guide.
-	// spaces. You can also include underscores or any of the following characters:
+	//
-	// =,.@-
+	// The regex used to validate this parameter is a string of characters consisting
+	// of upper- and lower-case alphanumeric characters with no spaces. You can also
+	// include underscores or any of the following characters: =,.@-
+	//
+	// [Monitor and control actions taken with assumed roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
 	SourceIdentity *string
 
 	// Metadata pertaining to the operation's result.

vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithSAML.go

@@ -16,92 +16,132 @@ import (
 // mechanism for tying an enterprise identity store or directory to role-based
 // Amazon Web Services access without user-specific credentials or configuration.
 // For a comparison of AssumeRoleWithSAML with the other API operations that
-// produce temporary credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
+// produce temporary credentials, see [Requesting Temporary Security Credentials]and [Comparing the Amazon Web Services STS API operations] in the IAM User Guide.
-// and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
+//
-// in the IAM User Guide. The temporary security credentials returned by this
+// The temporary security credentials returned by this operation consist of an
-// operation consist of an access key ID, a secret access key, and a security
+// access key ID, a secret access key, and a security token. Applications can use
-// token. Applications can use these temporary security credentials to sign calls
+// these temporary security credentials to sign calls to Amazon Web Services
-// to Amazon Web Services services. Session Duration By default, the temporary
+// services.
-// security credentials created by AssumeRoleWithSAML last for one hour. However,
+//
-// you can use the optional DurationSeconds parameter to specify the duration of
+// # Session Duration
-// your session. Your role session lasts for the duration that you specify, or
+//
-// until the time specified in the SAML authentication response's
+// By default, the temporary security credentials created by AssumeRoleWithSAML
-// SessionNotOnOrAfter value, whichever is shorter. You can provide a
+// last for one hour. However, you can use the optional DurationSeconds parameter
-// DurationSeconds value from 900 seconds (15 minutes) up to the maximum session
+// to specify the duration of your session. Your role session lasts for the
-// duration setting for the role. This setting can have a value from 1 hour to 12
+// duration that you specify, or until the time specified in the SAML
-// hours. To learn how to view the maximum value for your role, see View the
+// authentication response's SessionNotOnOrAfter value, whichever is shorter. You
-// Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
+// can provide a DurationSeconds value from 900 seconds (15 minutes) up to the
-// in the IAM User Guide. The maximum session duration limit applies when you use
+// maximum session duration setting for the role. This setting can have a value
-// the AssumeRole* API operations or the assume-role* CLI commands. However the
+// from 1 hour to 12 hours. To learn how to view the maximum value for your role,
-// limit does not apply when you use those operations to create a console URL. For
+// see [View the Maximum Session Duration Setting for a Role]in the IAM User Guide. The maximum session duration limit applies when you
-// more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html)
+// use the AssumeRole* API operations or the assume-role* CLI commands. However
-// in the IAM User Guide. Role chaining (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining)
+// the limit does not apply when you use those operations to create a console URL.
-// limits your CLI or Amazon Web Services API role session to a maximum of one
+// For more information, see [Using IAM Roles]in the IAM User Guide.
+//
+// [Role chaining]limits your CLI or Amazon Web Services API role session to a maximum of one
 // hour. When you use the AssumeRole API operation to assume a role, you can
 // specify the duration of your role session with the DurationSeconds parameter.
 // You can specify a parameter value of up to 43200 seconds (12 hours), depending
 // on the maximum session duration setting for your role. However, if you assume a
 // role using role chaining and provide a DurationSeconds parameter value greater
-// than one hour, the operation fails. Permissions The temporary security
+// than one hour, the operation fails.
-// credentials created by AssumeRoleWithSAML can be used to make API calls to any
+//
-// Amazon Web Services service with the following exception: you cannot call the
+// # Permissions
-// STS GetFederationToken or GetSessionToken API operations. (Optional) You can
+//
-// pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
+// The temporary security credentials created by AssumeRoleWithSAML can be used to
-// to this operation. You can pass a single JSON policy document to use as an
+// make API calls to any Amazon Web Services service with the following exception:
-// inline session policy. You can also specify up to 10 managed policy Amazon
+// you cannot call the STS GetFederationToken or GetSessionToken API operations.
-// Resource Names (ARNs) to use as managed session policies. The plaintext that you
+//
-// use for both inline and managed session policies can't exceed 2,048 characters.
+// (Optional) You can pass inline or managed [session policies] to this operation. You can pass a
-// Passing policies to this operation returns new temporary credentials. The
+// single JSON policy document to use as an inline session policy. You can also
-// resulting session's permissions are the intersection of the role's
+// specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed
-// identity-based policy and the session policies. You can use the role's temporary
+// session policies. The plaintext that you use for both inline and managed session
-// credentials in subsequent Amazon Web Services API calls to access resources in
+// policies can't exceed 2,048 characters. Passing policies to this operation
-// the account that owns the role. You cannot use session policies to grant more
+// returns new temporary credentials. The resulting session's permissions are the
-// permissions than those allowed by the identity-based policy of the role that is
+// intersection of the role's identity-based policy and the session policies. You
-// being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
+// can use the role's temporary credentials in subsequent Amazon Web Services API
-// in the IAM User Guide. Calling AssumeRoleWithSAML does not require the use of
+// calls to access resources in the account that owns the role. You cannot use
-// Amazon Web Services security credentials. The identity of the caller is
+// session policies to grant more permissions than those allowed by the
-// validated by using keys in the metadata document that is uploaded for the SAML
+// identity-based policy of the role that is being assumed. For more information,
-// provider entity for your identity provider. Calling AssumeRoleWithSAML can
+// see [Session Policies]in the IAM User Guide.
-// result in an entry in your CloudTrail logs. The entry includes the value in the
+//
-// NameID element of the SAML assertion. We recommend that you use a NameIDType
+// Calling AssumeRoleWithSAML does not require the use of Amazon Web Services
-// that is not associated with any personally identifiable information (PII). For
+// security credentials. The identity of the caller is validated by using keys in
-// example, you could instead use the persistent identifier (
+// the metadata document that is uploaded for the SAML provider entity for your
-// urn:oasis:names:tc:SAML:2.0:nameid-format:persistent ). Tags (Optional) You can
+// identity provider.
-// configure your IdP to pass attributes into your SAML assertion as session tags.
+//
-// Each session tag consists of a key name and an associated value. For more
+// Calling AssumeRoleWithSAML can result in an entry in your CloudTrail logs. The
-// information about session tags, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
+// entry includes the value in the NameID element of the SAML assertion. We
-// in the IAM User Guide. You can pass up to 50 session tags. The plaintext session
+// recommend that you use a NameIDType that is not associated with any personally
-// tag keys can’t exceed 128 characters and the values can’t exceed 256 characters.
+// identifiable information (PII). For example, you could instead use the
-// For these and additional limits, see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
+// persistent identifier ( urn:oasis:names:tc:SAML:2.0:nameid-format:persistent ).
-// in the IAM User Guide. An Amazon Web Services conversion compresses the passed
+//
-// inline session policy, managed policy ARNs, and session tags into a packed
+// # Tags
-// binary format that has a separate limit. Your request can fail for this limit
+//
-// even if your plaintext meets the other requirements. The PackedPolicySize
+// (Optional) You can configure your IdP to pass attributes into your SAML
-// response element indicates by percentage how close the policies and tags for
+// assertion as session tags. Each session tag consists of a key name and an
-// your request are to the upper size limit. You can pass a session tag with the
+// associated value. For more information about session tags, see [Passing Session Tags in STS]in the IAM User
-// same key as a tag that is attached to the role. When you do, session tags
+// Guide.
-// override the role's tags with the same key. An administrator must grant you the
+//
-// permissions necessary to pass session tags. The administrator can also create
+// You can pass up to 50 session tags. The plaintext session tag keys can’t exceed
-// granular permissions to allow you to pass only specific session tags. For more
+// 128 characters and the values can’t exceed 256 characters. For these and
-// information, see Tutorial: Using Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
+// additional limits, see [IAM and STS Character Limits]in the IAM User Guide.
-// in the IAM User Guide. You can set the session tags as transitive. Transitive
+//
-// tags persist during role chaining. For more information, see Chaining Roles
+// An Amazon Web Services conversion compresses the passed inline session policy,
-// with Session Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
+// managed policy ARNs, and session tags into a packed binary format that has a
-// in the IAM User Guide. SAML Configuration Before your application can call
+// separate limit. Your request can fail for this limit even if your plaintext
-// AssumeRoleWithSAML , you must configure your SAML identity provider (IdP) to
+// meets the other requirements. The PackedPolicySize response element indicates
-// issue the claims required by Amazon Web Services. Additionally, you must use
+// by percentage how close the policies and tags for your request are to the upper
-// Identity and Access Management (IAM) to create a SAML provider entity in your
+// size limit.
-// Amazon Web Services account that represents your identity provider. You must
+//
-// also create an IAM role that specifies this SAML provider in its trust policy.
+// You can pass a session tag with the same key as a tag that is attached to the
+// role. When you do, session tags override the role's tags with the same key.
+//
+// An administrator must grant you the permissions necessary to pass session tags.
+// The administrator can also create granular permissions to allow you to pass only
+// specific session tags. For more information, see [Tutorial: Using Tags for Attribute-Based Access Control]in the IAM User Guide.
+//
+// You can set the session tags as transitive. Transitive tags persist during role
+// chaining. For more information, see [Chaining Roles with Session Tags]in the IAM User Guide.
+//
+// # SAML Configuration
+//
+// Before your application can call AssumeRoleWithSAML , you must configure your
+// SAML identity provider (IdP) to issue the claims required by Amazon Web
+// Services. Additionally, you must use Identity and Access Management (IAM) to
+// create a SAML provider entity in your Amazon Web Services account that
+// represents your identity provider. You must also create an IAM role that
+// specifies this SAML provider in its trust policy.
+//
 // For more information, see the following resources:
-//   - About SAML 2.0-based Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html)
+//
-//     in the IAM User Guide.
+// [About SAML 2.0-based Federation]
-//   - Creating SAML Identity Providers (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)
+//   - in the IAM User Guide.
-//     in the IAM User Guide.
+//
-//   - Configuring a Relying Party and Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html)
+// [Creating SAML Identity Providers]
-//     in the IAM User Guide.
+//   - in the IAM User Guide.
-//   - Creating a Role for SAML 2.0 Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html)
+//
-//     in the IAM User Guide.
+// [Configuring a Relying Party and Claims]
+//   - in the IAM User Guide.
+//
+// [Creating a Role for SAML 2.0 Federation]
+//   - in the IAM User Guide.
+//
+// [View the Maximum Session Duration Setting for a Role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
+// [Creating a Role for SAML 2.0 Federation]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html
+// [IAM and STS Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
+// [Comparing the Amazon Web Services STS API operations]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
+// [Creating SAML Identity Providers]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html
+// [session policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+// [Requesting Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
+// [Tutorial: Using Tags for Attribute-Based Access Control]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
+// [Configuring a Relying Party and Claims]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html
+// [Role chaining]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining
+// [Using IAM Roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
+// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+// [Passing Session Tags in STS]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
+// [About SAML 2.0-based Federation]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
+// [Chaining Roles with Session Tags]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
 func (c *Client) AssumeRoleWithSAML(ctx context.Context, params *AssumeRoleWithSAMLInput, optFns ...func(*Options)) (*AssumeRoleWithSAMLOutput, error) {
 	if params == nil {
 		params = &AssumeRoleWithSAMLInput{}
@@ -130,9 +170,11 @@ type AssumeRoleWithSAMLInput struct {
 	// This member is required.
 	RoleArn *string
 
-	// The base64 encoded SAML authentication response provided by the IdP. For more
+	// The base64 encoded SAML authentication response provided by the IdP.
-	// information, see Configuring a Relying Party and Adding Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html)
+	//
-	// in the IAM User Guide.
+	// For more information, see [Configuring a Relying Party and Adding Claims] in the IAM User Guide.
+	//
+	// [Configuring a Relying Party and Adding Claims]: https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html
 	//
 	// This member is required.
 	SAMLAssertion *string
@@ -146,92 +188,114 @@ type AssumeRoleWithSAMLInput struct {
 	// than this setting, the operation fails. For example, if you specify a session
 	// duration of 12 hours, but your administrator set the maximum session duration to
 	// 6 hours, your operation fails. To learn how to view the maximum value for your
-	// role, see View the Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
+	// role, see [View the Maximum Session Duration Setting for a Role]in the IAM User Guide.
-	// in the IAM User Guide. By default, the value is set to 3600 seconds. The
+	//
-	// DurationSeconds parameter is separate from the duration of a console session
+	// By default, the value is set to 3600 seconds.
-	// that you might request using the returned credentials. The request to the
+	//
-	// federation endpoint for a console sign-in token takes a SessionDuration
+	// The DurationSeconds parameter is separate from the duration of a console
+	// session that you might request using the returned credentials. The request to
+	// the federation endpoint for a console sign-in token takes a SessionDuration
 	// parameter that specifies the maximum length of the console session. For more
-	// information, see Creating a URL that Enables Federated Users to Access the
+	// information, see [Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console]in the IAM User Guide.
-	// Amazon Web Services Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
+	//
-	// in the IAM User Guide.
+	// [View the Maximum Session Duration Setting for a Role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
+	// [Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
 	DurationSeconds *int32
 
 	// An IAM policy in JSON format that you want to use as an inline session policy.
+	//
 	// This parameter is optional. Passing policies to this operation returns new
 	// temporary credentials. The resulting session's permissions are the intersection
 	// of the role's identity-based policy and the session policies. You can use the
 	// role's temporary credentials in subsequent Amazon Web Services API calls to
 	// access resources in the account that owns the role. You cannot use session
 	// policies to grant more permissions than those allowed by the identity-based
-	// policy of the role that is being assumed. For more information, see Session
+	// policy of the role that is being assumed. For more information, see [Session Policies]in the IAM
-	// Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
+	// User Guide.
-	// in the IAM User Guide. The plaintext that you use for both inline and managed
+	//
-	// session policies can't exceed 2,048 characters. The JSON policy characters can
+	// The plaintext that you use for both inline and managed session policies can't
-	// be any ASCII character from the space character to the end of the valid
+	// exceed 2,048 characters. The JSON policy characters can be any ASCII character
-	// character list (\u0020 through \u00FF). It can also include the tab (\u0009),
+	// from the space character to the end of the valid character list (\u0020 through
-	// linefeed (\u000A), and carriage return (\u000D) characters. An Amazon Web
+	// \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage
-	// Services conversion compresses the passed inline session policy, managed policy
+	// return (\u000D) characters.
-	// ARNs, and session tags into a packed binary format that has a separate limit.
+	//
-	// Your request can fail for this limit even if your plaintext meets the other
+	// An Amazon Web Services conversion compresses the passed inline session policy,
-	// requirements. The PackedPolicySize response element indicates by percentage how
+	// managed policy ARNs, and session tags into a packed binary format that has a
-	// close the policies and tags for your request are to the upper size limit.
+	// separate limit. Your request can fail for this limit even if your plaintext
+	// meets the other requirements. The PackedPolicySize response element indicates
+	// by percentage how close the policies and tags for your request are to the upper
+	// size limit.
+	//
+	// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
 	Policy *string
 
 	// The Amazon Resource Names (ARNs) of the IAM managed policies that you want to
 	// use as managed session policies. The policies must exist in the same account as
-	// the role. This parameter is optional. You can provide up to 10 managed policy
+	// the role.
-	// ARNs. However, the plaintext that you use for both inline and managed session
+	//
-	// policies can't exceed 2,048 characters. For more information about ARNs, see
+	// This parameter is optional. You can provide up to 10 managed policy ARNs.
-	// Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
+	// However, the plaintext that you use for both inline and managed session policies
-	// in the Amazon Web Services General Reference. An Amazon Web Services conversion
+	// can't exceed 2,048 characters. For more information about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]in the
-	// compresses the passed inline session policy, managed policy ARNs, and session
+	// Amazon Web Services General Reference.
-	// tags into a packed binary format that has a separate limit. Your request can
+	//
-	// fail for this limit even if your plaintext meets the other requirements. The
+	// An Amazon Web Services conversion compresses the passed inline session policy,
-	// PackedPolicySize response element indicates by percentage how close the policies
+	// managed policy ARNs, and session tags into a packed binary format that has a
-	// and tags for your request are to the upper size limit. Passing policies to this
+	// separate limit. Your request can fail for this limit even if your plaintext
-	// operation returns new temporary credentials. The resulting session's permissions
+	// meets the other requirements. The PackedPolicySize response element indicates
-	// are the intersection of the role's identity-based policy and the session
+	// by percentage how close the policies and tags for your request are to the upper
-	// policies. You can use the role's temporary credentials in subsequent Amazon Web
+	// size limit.
-	// Services API calls to access resources in the account that owns the role. You
+	//
-	// cannot use session policies to grant more permissions than those allowed by the
+	// Passing policies to this operation returns new temporary credentials. The
-	// identity-based policy of the role that is being assumed. For more information,
+	// resulting session's permissions are the intersection of the role's
-	// see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
+	// identity-based policy and the session policies. You can use the role's temporary
-	// in the IAM User Guide.
+	// credentials in subsequent Amazon Web Services API calls to access resources in
+	// the account that owns the role. You cannot use session policies to grant more
+	// permissions than those allowed by the identity-based policy of the role that is
+	// being assumed. For more information, see [Session Policies]in the IAM User Guide.
+	//
+	// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+	// [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
 	PolicyArns []types.PolicyDescriptorType
 
 	noSmithyDocumentSerde
 }
 
-// Contains the response to a successful AssumeRoleWithSAML request, including
+// Contains the response to a successful AssumeRoleWithSAML request, including temporary Amazon Web
-// temporary Amazon Web Services credentials that can be used to make Amazon Web
+// Services credentials that can be used to make Amazon Web Services requests.
-// Services requests.
 type AssumeRoleWithSAMLOutput struct {
 
 	// The identifiers for the temporary security credentials that the operation
 	// returns.
 	AssumedRoleUser *types.AssumedRoleUser
 
-	// The value of the Recipient attribute of the SubjectConfirmationData element of
+	//  The value of the Recipient attribute of the SubjectConfirmationData element of
 	// the SAML assertion.
 	Audience *string
 
 	// The temporary security credentials, which include an access key ID, a secret
-	// access key, and a security (or session) token. The size of the security token
+	// access key, and a security (or session) token.
-	// that STS API operations return is not fixed. We strongly recommend that you make
+	//
-	// no assumptions about the maximum size.
+	// The size of the security token that STS API operations return is not fixed. We
+	// strongly recommend that you make no assumptions about the maximum size.
 	Credentials *types.Credentials
 
 	// The value of the Issuer element of the SAML assertion.
 	Issuer *string
 
 	// A hash value based on the concatenation of the following:
+	//
 	//   - The Issuer response value.
+	//
 	//   - The Amazon Web Services account ID.
+	//
 	//   - The friendly name (the last part of the ARN) of the SAML provider in IAM.
+	//
 	// The combination of NameQualifier and Subject can be used to uniquely identify a
-	// user. The following pseudocode shows how the hash value is calculated: BASE64 (
+	// user.
-	// SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP" ) )
+	//
+	// The following pseudocode shows how the hash value is calculated:
+	//
+	//     BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP" ) )
 	NameQualifier *string
 
 	// A percentage value that indicates the packed size of the session policies and
@@ -240,31 +304,36 @@ type AssumeRoleWithSAMLOutput struct {
 	// allowed space.
 	PackedPolicySize *int32
 
-	// The value in the SourceIdentity attribute in the SAML assertion. You can
+	// The value in the SourceIdentity attribute in the SAML assertion.
-	// require users to set a source identity value when they assume a role. You do
+	//
-	// this by using the sts:SourceIdentity condition key in a role trust policy. That
+	// You can require users to set a source identity value when they assume a role.
-	// way, actions that are taken with the role are associated with that user. After
+	// You do this by using the sts:SourceIdentity condition key in a role trust
-	// the source identity is set, the value cannot be changed. It is present in the
+	// policy. That way, actions that are taken with the role are associated with that
-	// request for all actions that are taken by the role and persists across chained
+	// user. After the source identity is set, the value cannot be changed. It is
-	// role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining)
+	// present in the request for all actions that are taken by the role and persists
-	// sessions. You can configure your SAML identity provider to use an attribute
+	// across [chained role]sessions. You can configure your SAML identity provider to use an
-	// associated with your users, like user name or email, as the source identity when
+	// attribute associated with your users, like user name or email, as the source
-	// calling AssumeRoleWithSAML . You do this by adding an attribute to the SAML
+	// identity when calling AssumeRoleWithSAML . You do this by adding an attribute to
-	// assertion. For more information about using source identity, see Monitor and
+	// the SAML assertion. For more information about using source identity, see [Monitor and control actions taken with assumed roles]in
-	// control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
+	// the IAM User Guide.
-	// in the IAM User Guide. The regex used to validate this parameter is a string of
+	//
-	// characters consisting of upper- and lower-case alphanumeric characters with no
+	// The regex used to validate this parameter is a string of characters consisting
-	// spaces. You can also include underscores or any of the following characters:
+	// of upper- and lower-case alphanumeric characters with no spaces. You can also
-	// =,.@-
+	// include underscores or any of the following characters: =,.@-
+	//
+	// [chained role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining
+	// [Monitor and control actions taken with assumed roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
 	SourceIdentity *string
 
 	// The value of the NameID element in the Subject element of the SAML assertion.
 	Subject *string
 
-	// The format of the name ID, as defined by the Format attribute in the NameID
+	//  The format of the name ID, as defined by the Format attribute in the NameID
 	// element of the SAML assertion. Typical examples of the format are transient or
-	// persistent . If the format includes the prefix
+	// persistent .
-	// urn:oasis:names:tc:SAML:2.0:nameid-format , that prefix is removed. For example,
+	//
+	// If the format includes the prefix urn:oasis:names:tc:SAML:2.0:nameid-format ,
+	// that prefix is removed. For example,
 	// urn:oasis:names:tc:SAML:2.0:nameid-format:transient is returned as transient .
 	// If the format includes any other prefix, the format is returned with no
 	// modifications.

vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithWebIdentity.go

@@ -14,105 +14,143 @@ import (
 // Returns a set of temporary security credentials for users who have been
 // authenticated in a mobile or web application with a web identity provider.
 // Example providers include the OAuth 2.0 providers Login with Amazon and
-// Facebook, or any OpenID Connect-compatible identity provider such as Google or
+// Facebook, or any OpenID Connect-compatible identity provider such as Google or [Amazon Cognito federated identities].
-// Amazon Cognito federated identities (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html)
+//
-// . For mobile applications, we recommend that you use Amazon Cognito. You can use
+// For mobile applications, we recommend that you use Amazon Cognito. You can use
-// Amazon Cognito with the Amazon Web Services SDK for iOS Developer Guide (http://aws.amazon.com/sdkforios/)
+// Amazon Cognito with the [Amazon Web Services SDK for iOS Developer Guide]and the [Amazon Web Services SDK for Android Developer Guide] to uniquely identify a user. You can also
-// and the Amazon Web Services SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/)
+// supply the user with a consistent identity throughout the lifetime of an
-// to uniquely identify a user. You can also supply the user with a consistent
+// application.
-// identity throughout the lifetime of an application. To learn more about Amazon
+//
-// Cognito, see Amazon Cognito identity pools (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html)
+// To learn more about Amazon Cognito, see [Amazon Cognito identity pools] in Amazon Cognito Developer Guide.
-// in Amazon Cognito Developer Guide. Calling AssumeRoleWithWebIdentity does not
+//
-// require the use of Amazon Web Services security credentials. Therefore, you can
+// Calling AssumeRoleWithWebIdentity does not require the use of Amazon Web
-// distribute an application (for example, on mobile devices) that requests
+// Services security credentials. Therefore, you can distribute an application (for
-// temporary security credentials without including long-term Amazon Web Services
+// example, on mobile devices) that requests temporary security credentials without
-// credentials in the application. You also don't need to deploy server-based proxy
+// including long-term Amazon Web Services credentials in the application. You also
-// services that use long-term Amazon Web Services credentials. Instead, the
+// don't need to deploy server-based proxy services that use long-term Amazon Web
-// identity of the caller is validated by using a token from the web identity
+// Services credentials. Instead, the identity of the caller is validated by using
-// provider. For a comparison of AssumeRoleWithWebIdentity with the other API
+// a token from the web identity provider. For a comparison of
-// operations that produce temporary credentials, see Requesting Temporary
+// AssumeRoleWithWebIdentity with the other API operations that produce temporary
-// Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
+// credentials, see [Requesting Temporary Security Credentials]and [Comparing the Amazon Web Services STS API operations] in the IAM User Guide.
-// and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
+//
-// in the IAM User Guide. The temporary security credentials returned by this API
+// The temporary security credentials returned by this API consist of an access
-// consist of an access key ID, a secret access key, and a security token.
+// key ID, a secret access key, and a security token. Applications can use these
-// Applications can use these temporary security credentials to sign calls to
+// temporary security credentials to sign calls to Amazon Web Services service API
-// Amazon Web Services service API operations. Session Duration By default, the
+// operations.
-// temporary security credentials created by AssumeRoleWithWebIdentity last for
+//
-// one hour. However, you can use the optional DurationSeconds parameter to
+// # Session Duration
-// specify the duration of your session. You can provide a value from 900 seconds
+//
-// (15 minutes) up to the maximum session duration setting for the role. This
+// By default, the temporary security credentials created by
-// setting can have a value from 1 hour to 12 hours. To learn how to view the
+// AssumeRoleWithWebIdentity last for one hour. However, you can use the optional
-// maximum value for your role, see View the Maximum Session Duration Setting for
+// DurationSeconds parameter to specify the duration of your session. You can
-// a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
+// provide a value from 900 seconds (15 minutes) up to the maximum session duration
-// in the IAM User Guide. The maximum session duration limit applies when you use
+// setting for the role. This setting can have a value from 1 hour to 12 hours. To
-// the AssumeRole* API operations or the assume-role* CLI commands. However the
+// learn how to view the maximum value for your role, see [View the Maximum Session Duration Setting for a Role]in the IAM User Guide.
-// limit does not apply when you use those operations to create a console URL. For
+// The maximum session duration limit applies when you use the AssumeRole* API
-// more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html)
+// operations or the assume-role* CLI commands. However the limit does not apply
-// in the IAM User Guide. Permissions The temporary security credentials created by
+// when you use those operations to create a console URL. For more information, see
-// AssumeRoleWithWebIdentity can be used to make API calls to any Amazon Web
+// [Using IAM Roles]in the IAM User Guide.
-// Services service with the following exception: you cannot call the STS
+//
-// GetFederationToken or GetSessionToken API operations. (Optional) You can pass
+// # Permissions
-// inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
+//
-// to this operation. You can pass a single JSON policy document to use as an
+// The temporary security credentials created by AssumeRoleWithWebIdentity can be
-// inline session policy. You can also specify up to 10 managed policy Amazon
+// used to make API calls to any Amazon Web Services service with the following
-// Resource Names (ARNs) to use as managed session policies. The plaintext that you
+// exception: you cannot call the STS GetFederationToken or GetSessionToken API
-// use for both inline and managed session policies can't exceed 2,048 characters.
+// operations.
-// Passing policies to this operation returns new temporary credentials. The
+//
-// resulting session's permissions are the intersection of the role's
+// (Optional) You can pass inline or managed [session policies] to this operation. You can pass a
-// identity-based policy and the session policies. You can use the role's temporary
+// single JSON policy document to use as an inline session policy. You can also
-// credentials in subsequent Amazon Web Services API calls to access resources in
+// specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed
-// the account that owns the role. You cannot use session policies to grant more
+// session policies. The plaintext that you use for both inline and managed session
-// permissions than those allowed by the identity-based policy of the role that is
+// policies can't exceed 2,048 characters. Passing policies to this operation
-// being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
+// returns new temporary credentials. The resulting session's permissions are the
-// in the IAM User Guide. Tags (Optional) You can configure your IdP to pass
+// intersection of the role's identity-based policy and the session policies. You
-// attributes into your web identity token as session tags. Each session tag
+// can use the role's temporary credentials in subsequent Amazon Web Services API
-// consists of a key name and an associated value. For more information about
+// calls to access resources in the account that owns the role. You cannot use
-// session tags, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
+// session policies to grant more permissions than those allowed by the
-// in the IAM User Guide. You can pass up to 50 session tags. The plaintext session
+// identity-based policy of the role that is being assumed. For more information,
-// tag keys can’t exceed 128 characters and the values can’t exceed 256 characters.
+// see [Session Policies]in the IAM User Guide.
-// For these and additional limits, see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
+//
-// in the IAM User Guide. An Amazon Web Services conversion compresses the passed
+// # Tags
-// inline session policy, managed policy ARNs, and session tags into a packed
+//
-// binary format that has a separate limit. Your request can fail for this limit
+// (Optional) You can configure your IdP to pass attributes into your web identity
-// even if your plaintext meets the other requirements. The PackedPolicySize
+// token as session tags. Each session tag consists of a key name and an associated
-// response element indicates by percentage how close the policies and tags for
+// value. For more information about session tags, see [Passing Session Tags in STS]in the IAM User Guide.
-// your request are to the upper size limit. You can pass a session tag with the
+//
-// same key as a tag that is attached to the role. When you do, the session tag
+// You can pass up to 50 session tags. The plaintext session tag keys can’t exceed
-// overrides the role tag with the same key. An administrator must grant you the
+// 128 characters and the values can’t exceed 256 characters. For these and
-// permissions necessary to pass session tags. The administrator can also create
+// additional limits, see [IAM and STS Character Limits]in the IAM User Guide.
-// granular permissions to allow you to pass only specific session tags. For more
+//
-// information, see Tutorial: Using Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
+// An Amazon Web Services conversion compresses the passed inline session policy,
-// in the IAM User Guide. You can set the session tags as transitive. Transitive
+// managed policy ARNs, and session tags into a packed binary format that has a
-// tags persist during role chaining. For more information, see Chaining Roles
+// separate limit. Your request can fail for this limit even if your plaintext
-// with Session Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
+// meets the other requirements. The PackedPolicySize response element indicates
-// in the IAM User Guide. Identities Before your application can call
+// by percentage how close the policies and tags for your request are to the upper
-// AssumeRoleWithWebIdentity , you must have an identity token from a supported
+// size limit.
-// identity provider and create a role that the application can assume. The role
+//
-// that your application assumes must trust the identity provider that is
+// You can pass a session tag with the same key as a tag that is attached to the
-// associated with the identity token. In other words, the identity provider must
+// role. When you do, the session tag overrides the role tag with the same key.
-// be specified in the role's trust policy. Calling AssumeRoleWithWebIdentity can
+//
-// result in an entry in your CloudTrail logs. The entry includes the Subject (http://openid.net/specs/openid-connect-core-1_0.html#Claims)
+// An administrator must grant you the permissions necessary to pass session tags.
-// of the provided web identity token. We recommend that you avoid using any
+// The administrator can also create granular permissions to allow you to pass only
-// personally identifiable information (PII) in this field. For example, you could
+// specific session tags. For more information, see [Tutorial: Using Tags for Attribute-Based Access Control]in the IAM User Guide.
-// instead use a GUID or a pairwise identifier, as suggested in the OIDC
+//
-// specification (http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes)
+// You can set the session tags as transitive. Transitive tags persist during role
-// . For more information about how to use web identity federation and the
+// chaining. For more information, see [Chaining Roles with Session Tags]in the IAM User Guide.
+//
+// # Identities
+//
+// Before your application can call AssumeRoleWithWebIdentity , you must have an
+// identity token from a supported identity provider and create a role that the
+// application can assume. The role that your application assumes must trust the
+// identity provider that is associated with the identity token. In other words,
+// the identity provider must be specified in the role's trust policy.
+//
+// Calling AssumeRoleWithWebIdentity can result in an entry in your CloudTrail
+// logs. The entry includes the [Subject]of the provided web identity token. We recommend
+// that you avoid using any personally identifiable information (PII) in this
+// field. For example, you could instead use a GUID or a pairwise identifier, as [suggested in the OIDC specification].
+//
+// For more information about how to use web identity federation and the
 // AssumeRoleWithWebIdentity API, see the following resources:
-//   - Using Web Identity Federation API Operations for Mobile Apps (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html)
+//
-//     and Federation Through a Web-based Identity Provider (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity)
+// [Using Web Identity Federation API Operations for Mobile Apps]
-//     .
+//   - and [Federation Through a Web-based Identity Provider].
-//   - Web Identity Federation Playground (https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/)
+//
-//     . Walk through the process of authenticating through Login with Amazon,
+// [Web Identity Federation Playground]
+//   - . Walk through the process of authenticating through Login with Amazon,
 //     Facebook, or Google, getting temporary security credentials, and then using
 //     those credentials to make a request to Amazon Web Services.
-//   - Amazon Web Services SDK for iOS Developer Guide (http://aws.amazon.com/sdkforios/)
+//
-//     and Amazon Web Services SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/)
+// [Amazon Web Services SDK for iOS Developer Guide]
-//     . These toolkits contain sample apps that show how to invoke the identity
+//   - and [Amazon Web Services SDK for Android Developer Guide]. These toolkits contain sample apps that show how to invoke the
-//     providers. The toolkits then show how to use the information from these
+//     identity providers. The toolkits then show how to use the information from these
 //     providers to get and use temporary security credentials.
-//   - Web Identity Federation with Mobile Applications (http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications)
+//
-//     . This article discusses web identity federation and shows an example of how to
+// [Web Identity Federation with Mobile Applications]
-//     use web identity federation to get access to content in Amazon S3.
+//   - . This article discusses web identity federation and shows an example of
+//     how to use web identity federation to get access to content in Amazon S3.
+//
+// [Amazon Web Services SDK for iOS Developer Guide]: http://aws.amazon.com/sdkforios/
+// [View the Maximum Session Duration Setting for a Role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
+// [Web Identity Federation Playground]: https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/
+// [Amazon Web Services SDK for Android Developer Guide]: http://aws.amazon.com/sdkforandroid/
+// [IAM and STS Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
+// [Comparing the Amazon Web Services STS API operations]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
+// [session policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+// [Requesting Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
+// [Subject]: http://openid.net/specs/openid-connect-core-1_0.html#Claims
+// [Tutorial: Using Tags for Attribute-Based Access Control]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
+// [Amazon Cognito identity pools]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html
+// [Federation Through a Web-based Identity Provider]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
+// [Using IAM Roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
+// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+// [Amazon Cognito federated identities]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html
+// [Passing Session Tags in STS]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
+// [Chaining Roles with Session Tags]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
+// [Web Identity Federation with Mobile Applications]: http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications
+// [Using Web Identity Federation API Operations for Mobile Apps]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html
+// [suggested in the OIDC specification]: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
 func (c *Client) AssumeRoleWithWebIdentity(ctx context.Context, params *AssumeRoleWithWebIdentityInput, optFns ...func(*Options)) (*AssumeRoleWithWebIdentityOutput, error) {
 	if params == nil {
 		params = &AssumeRoleWithWebIdentityInput{}
@@ -139,10 +177,11 @@ type AssumeRoleWithWebIdentityInput struct {
 	// identifier that is associated with the user who is using your application. That
 	// way, the temporary security credentials that your application will use are
 	// associated with that user. This session name is included as part of the ARN and
-	// assumed role ID in the AssumedRoleUser response element. The regex used to
+	// assumed role ID in the AssumedRoleUser response element.
-	// validate this parameter is a string of characters consisting of upper- and
+	//
-	// lower-case alphanumeric characters with no spaces. You can also include
+	// The regex used to validate this parameter is a string of characters consisting
-	// underscores or any of the following characters: =,.@-
+	// of upper- and lower-case alphanumeric characters with no spaces. You can also
+	// include underscores or any of the following characters: =,.@-
 	//
 	// This member is required.
 	RoleSessionName *string
@@ -162,73 +201,90 @@ type AssumeRoleWithWebIdentityInput struct {
 	// higher than this setting, the operation fails. For example, if you specify a
 	// session duration of 12 hours, but your administrator set the maximum session
 	// duration to 6 hours, your operation fails. To learn how to view the maximum
-	// value for your role, see View the Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
+	// value for your role, see [View the Maximum Session Duration Setting for a Role]in the IAM User Guide.
-	// in the IAM User Guide. By default, the value is set to 3600 seconds. The
+	//
-	// DurationSeconds parameter is separate from the duration of a console session
+	// By default, the value is set to 3600 seconds.
-	// that you might request using the returned credentials. The request to the
+	//
-	// federation endpoint for a console sign-in token takes a SessionDuration
+	// The DurationSeconds parameter is separate from the duration of a console
+	// session that you might request using the returned credentials. The request to
+	// the federation endpoint for a console sign-in token takes a SessionDuration
 	// parameter that specifies the maximum length of the console session. For more
-	// information, see Creating a URL that Enables Federated Users to Access the
+	// information, see [Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console]in the IAM User Guide.
-	// Amazon Web Services Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
+	//
-	// in the IAM User Guide.
+	// [View the Maximum Session Duration Setting for a Role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
+	// [Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
 	DurationSeconds *int32
 
 	// An IAM policy in JSON format that you want to use as an inline session policy.
+	//
 	// This parameter is optional. Passing policies to this operation returns new
 	// temporary credentials. The resulting session's permissions are the intersection
 	// of the role's identity-based policy and the session policies. You can use the
 	// role's temporary credentials in subsequent Amazon Web Services API calls to
 	// access resources in the account that owns the role. You cannot use session
 	// policies to grant more permissions than those allowed by the identity-based
-	// policy of the role that is being assumed. For more information, see Session
+	// policy of the role that is being assumed. For more information, see [Session Policies]in the IAM
-	// Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
+	// User Guide.
-	// in the IAM User Guide. The plaintext that you use for both inline and managed
+	//
-	// session policies can't exceed 2,048 characters. The JSON policy characters can
+	// The plaintext that you use for both inline and managed session policies can't
-	// be any ASCII character from the space character to the end of the valid
+	// exceed 2,048 characters. The JSON policy characters can be any ASCII character
-	// character list (\u0020 through \u00FF). It can also include the tab (\u0009),
+	// from the space character to the end of the valid character list (\u0020 through
-	// linefeed (\u000A), and carriage return (\u000D) characters. An Amazon Web
+	// \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage
-	// Services conversion compresses the passed inline session policy, managed policy
+	// return (\u000D) characters.
-	// ARNs, and session tags into a packed binary format that has a separate limit.
+	//
-	// Your request can fail for this limit even if your plaintext meets the other
+	// An Amazon Web Services conversion compresses the passed inline session policy,
-	// requirements. The PackedPolicySize response element indicates by percentage how
+	// managed policy ARNs, and session tags into a packed binary format that has a
-	// close the policies and tags for your request are to the upper size limit.
+	// separate limit. Your request can fail for this limit even if your plaintext
+	// meets the other requirements. The PackedPolicySize response element indicates
+	// by percentage how close the policies and tags for your request are to the upper
+	// size limit.
+	//
+	// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
 	Policy *string
 
 	// The Amazon Resource Names (ARNs) of the IAM managed policies that you want to
 	// use as managed session policies. The policies must exist in the same account as
-	// the role. This parameter is optional. You can provide up to 10 managed policy
+	// the role.
-	// ARNs. However, the plaintext that you use for both inline and managed session
+	//
-	// policies can't exceed 2,048 characters. For more information about ARNs, see
+	// This parameter is optional. You can provide up to 10 managed policy ARNs.
-	// Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
+	// However, the plaintext that you use for both inline and managed session policies
-	// in the Amazon Web Services General Reference. An Amazon Web Services conversion
+	// can't exceed 2,048 characters. For more information about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]in the
-	// compresses the passed inline session policy, managed policy ARNs, and session
+	// Amazon Web Services General Reference.
-	// tags into a packed binary format that has a separate limit. Your request can
+	//
-	// fail for this limit even if your plaintext meets the other requirements. The
+	// An Amazon Web Services conversion compresses the passed inline session policy,
-	// PackedPolicySize response element indicates by percentage how close the policies
+	// managed policy ARNs, and session tags into a packed binary format that has a
-	// and tags for your request are to the upper size limit. Passing policies to this
+	// separate limit. Your request can fail for this limit even if your plaintext
-	// operation returns new temporary credentials. The resulting session's permissions
+	// meets the other requirements. The PackedPolicySize response element indicates
-	// are the intersection of the role's identity-based policy and the session
+	// by percentage how close the policies and tags for your request are to the upper
-	// policies. You can use the role's temporary credentials in subsequent Amazon Web
+	// size limit.
-	// Services API calls to access resources in the account that owns the role. You
+	//
-	// cannot use session policies to grant more permissions than those allowed by the
+	// Passing policies to this operation returns new temporary credentials. The
-	// identity-based policy of the role that is being assumed. For more information,
+	// resulting session's permissions are the intersection of the role's
-	// see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
+	// identity-based policy and the session policies. You can use the role's temporary
-	// in the IAM User Guide.
+	// credentials in subsequent Amazon Web Services API calls to access resources in
+	// the account that owns the role. You cannot use session policies to grant more
+	// permissions than those allowed by the identity-based policy of the role that is
+	// being assumed. For more information, see [Session Policies]in the IAM User Guide.
+	//
+	// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+	// [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
 	PolicyArns []types.PolicyDescriptorType
 
 	// The fully qualified host component of the domain name of the OAuth 2.0 identity
 	// provider. Do not specify this value for an OpenID Connect identity provider.
+	//
 	// Currently www.amazon.com and graph.facebook.com are the only supported identity
 	// providers for OAuth 2.0 access tokens. Do not include URL schemes and port
-	// numbers. Do not specify this value for OpenID Connect ID tokens.
+	// numbers.
+	//
+	// Do not specify this value for OpenID Connect ID tokens.
 	ProviderId *string
 
 	noSmithyDocumentSerde
 }
 
-// Contains the response to a successful AssumeRoleWithWebIdentity request,
+// Contains the response to a successful AssumeRoleWithWebIdentity request, including temporary Amazon Web
-// including temporary Amazon Web Services credentials that can be used to make
+// Services credentials that can be used to make Amazon Web Services requests.
-// Amazon Web Services requests.
 type AssumeRoleWithWebIdentityOutput struct {
 
 	// The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers
@@ -244,9 +300,10 @@ type AssumeRoleWithWebIdentityOutput struct {
 	Audience *string
 
 	// The temporary security credentials, which include an access key ID, a secret
-	// access key, and a security token. The size of the security token that STS API
+	// access key, and a security token.
-	// operations return is not fixed. We strongly recommend that you make no
+	//
-	// assumptions about the maximum size.
+	// The size of the security token that STS API operations return is not fixed. We
+	// strongly recommend that you make no assumptions about the maximum size.
 	Credentials *types.Credentials
 
 	// A percentage value that indicates the packed size of the session policies and
@@ -255,30 +312,34 @@ type AssumeRoleWithWebIdentityOutput struct {
 	// allowed space.
 	PackedPolicySize *int32
 
-	// The issuing authority of the web identity token presented. For OpenID Connect
+	//  The issuing authority of the web identity token presented. For OpenID Connect
 	// ID tokens, this contains the value of the iss field. For OAuth 2.0 access
 	// tokens, this contains the value of the ProviderId parameter that was passed in
 	// the AssumeRoleWithWebIdentity request.
 	Provider *string
 
 	// The value of the source identity that is returned in the JSON web token (JWT)
-	// from the identity provider. You can require users to set a source identity value
+	// from the identity provider.
-	// when they assume a role. You do this by using the sts:SourceIdentity condition
+	//
-	// key in a role trust policy. That way, actions that are taken with the role are
+	// You can require users to set a source identity value when they assume a role.
-	// associated with that user. After the source identity is set, the value cannot be
+	// You do this by using the sts:SourceIdentity condition key in a role trust
-	// changed. It is present in the request for all actions that are taken by the role
+	// policy. That way, actions that are taken with the role are associated with that
-	// and persists across chained role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining)
+	// user. After the source identity is set, the value cannot be changed. It is
-	// sessions. You can configure your identity provider to use an attribute
+	// present in the request for all actions that are taken by the role and persists
+	// across [chained role]sessions. You can configure your identity provider to use an attribute
 	// associated with your users, like user name or email, as the source identity when
 	// calling AssumeRoleWithWebIdentity . You do this by adding a claim to the JSON
-	// web token. To learn more about OIDC tokens and claims, see Using Tokens with
+	// web token. To learn more about OIDC tokens and claims, see [Using Tokens with User Pools]in the Amazon
-	// User Pools (https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html)
+	// Cognito Developer Guide. For more information about using source identity, see [Monitor and control actions taken with assumed roles]
-	// in the Amazon Cognito Developer Guide. For more information about using source
+	// in the IAM User Guide.
-	// identity, see Monitor and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
+	//
-	// in the IAM User Guide. The regex used to validate this parameter is a string of
+	// The regex used to validate this parameter is a string of characters consisting
-	// characters consisting of upper- and lower-case alphanumeric characters with no
+	// of upper- and lower-case alphanumeric characters with no spaces. You can also
-	// spaces. You can also include underscores or any of the following characters:
+	// include underscores or any of the following characters: =,.@-
-	// =,.@-
+	//
+	// [chained role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining
+	// [Monitor and control actions taken with assumed roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
+	// [Using Tokens with User Pools]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html
 	SourceIdentity *string
 
 	// The unique user identifier that is returned by the identity provider. This

vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_DecodeAuthorizationMessage.go

@@ -11,28 +11,39 @@ import (
 )
 
 // Decodes additional information about the authorization status of a request from
-// an encoded message returned in response to an Amazon Web Services request. For
+// an encoded message returned in response to an Amazon Web Services request.
-// example, if a user is not authorized to perform an operation that he or she has
+//
-// requested, the request returns a Client.UnauthorizedOperation response (an HTTP
+// For example, if a user is not authorized to perform an operation that he or she
-// 403 response). Some Amazon Web Services operations additionally return an
+// has requested, the request returns a Client.UnauthorizedOperation response (an
-// encoded message that can provide details about this authorization failure. Only
+// HTTP 403 response). Some Amazon Web Services operations additionally return an
-// certain Amazon Web Services operations return an encoded authorization message.
+// encoded message that can provide details about this authorization failure.
-// The documentation for an individual operation indicates whether that operation
+//
-// returns an encoded message in addition to returning an HTTP code. The message is
+// Only certain Amazon Web Services operations return an encoded authorization
-// encoded because the details of the authorization status can contain privileged
+// message. The documentation for an individual operation indicates whether that
-// information that the user who requested the operation should not see. To decode
+// operation returns an encoded message in addition to returning an HTTP code.
-// an authorization status message, a user must be granted permissions through an
+//
-// IAM policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)
+// The message is encoded because the details of the authorization status can
-// to request the DecodeAuthorizationMessage ( sts:DecodeAuthorizationMessage )
+// contain privileged information that the user who requested the operation should
-// action. The decoded message includes the following type of information:
+// not see. To decode an authorization status message, a user must be granted
+// permissions through an IAM [policy]to request the DecodeAuthorizationMessage (
+// sts:DecodeAuthorizationMessage ) action.
+//
+// The decoded message includes the following type of information:
+//
 //   - Whether the request was denied due to an explicit deny or due to the
-//     absence of an explicit allow. For more information, see Determining Whether a
+//     absence of an explicit allow. For more information, see [Determining Whether a Request is Allowed or Denied]in the IAM User
-//     Request is Allowed or Denied (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow)
+//     Guide.
-//     in the IAM User Guide.
+//
 //   - The principal who made the request.
+//
 //   - The requested action.
+//
 //   - The requested resource.
+//
 //   - The values of condition keys in the context of the user's request.
+//
+// [Determining Whether a Request is Allowed or Denied]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow
+// [policy]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
 func (c *Client) DecodeAuthorizationMessage(ctx context.Context, params *DecodeAuthorizationMessageInput, optFns ...func(*Options)) (*DecodeAuthorizationMessageOutput, error) {
 	if params == nil {
 		params = &DecodeAuthorizationMessageInput{}

vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetAccessKeyInfo.go

@@ -10,23 +10,31 @@ import (
 	smithyhttp "github.com/aws/smithy-go/transport/http"
 )
 
-// Returns the account identifier for the specified access key ID. Access keys
+// Returns the account identifier for the specified access key ID.
-// consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE ) and
+//
-// a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY ).
+// Access keys consist of two parts: an access key ID (for example,
-// For more information about access keys, see Managing Access Keys for IAM Users (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html)
+// AKIAIOSFODNN7EXAMPLE ) and a secret access key (for example,
-// in the IAM User Guide. When you pass an access key ID to this operation, it
+// wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY ). For more information about access
-// returns the ID of the Amazon Web Services account to which the keys belong.
+// keys, see [Managing Access Keys for IAM Users]in the IAM User Guide.
-// Access key IDs beginning with AKIA are long-term credentials for an IAM user or
+//
-// the Amazon Web Services account root user. Access key IDs beginning with ASIA
+// When you pass an access key ID to this operation, it returns the ID of the
-// are temporary credentials that are created using STS operations. If the account
+// Amazon Web Services account to which the keys belong. Access key IDs beginning
-// in the response belongs to you, you can sign in as the root user and review your
+// with AKIA are long-term credentials for an IAM user or the Amazon Web Services
-// root user access keys. Then, you can pull a credentials report (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html)
+// account root user. Access key IDs beginning with ASIA are temporary credentials
-// to learn which IAM user owns the keys. To learn who requested the temporary
+// that are created using STS operations. If the account in the response belongs to
-// credentials for an ASIA access key, view the STS events in your CloudTrail logs (https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html)
+// you, you can sign in as the root user and review your root user access keys.
-// in the IAM User Guide. This operation does not indicate the state of the access
+// Then, you can pull a [credentials report]to learn which IAM user owns the keys. To learn who
-// key. The key might be active, inactive, or deleted. Active keys might not have
+// requested the temporary credentials for an ASIA access key, view the STS events
-// permissions to perform an operation. Providing a deleted access key might return
+// in your [CloudTrail logs]in the IAM User Guide.
-// an error that the key doesn't exist.
+//
+// This operation does not indicate the state of the access key. The key might be
+// active, inactive, or deleted. Active keys might not have permissions to perform
+// an operation. Providing a deleted access key might return an error that the key
+// doesn't exist.
+//
+// [credentials report]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html
+// [CloudTrail logs]: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html
+// [Managing Access Keys for IAM Users]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
 func (c *Client) GetAccessKeyInfo(ctx context.Context, params *GetAccessKeyInfoInput, optFns ...func(*Options)) (*GetAccessKeyInfoOutput, error) {
 	if params == nil {
 		params = &GetAccessKeyInfoInput{}
@@ -44,9 +52,10 @@ func (c *Client) GetAccessKeyInfo(ctx context.Context, params *GetAccessKeyInfoI
 
 type GetAccessKeyInfoInput struct {
 
-	// The identifier of an access key. This parameter allows (through its regex
+	// The identifier of an access key.
-	// pattern) a string of characters that can consist of any upper- or lowercase
+	//
-	// letter or digit.
+	// This parameter allows (through its regex pattern) a string of characters that
+	// can consist of any upper- or lowercase letter or digit.
 	//
 	// This member is required.
 	AccessKeyId *string

vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetCallerIdentity.go

@@ -12,13 +12,15 @@ import (
 )
 
 // Returns details about the IAM user or role whose credentials are used to call
-// the operation. No permissions are required to perform this operation. If an
+// the operation.
-// administrator attaches a policy to your identity that explicitly denies access
+//
-// to the sts:GetCallerIdentity action, you can still perform this operation.
+// No permissions are required to perform this operation. If an administrator
-// Permissions are not required because the same information is returned when
+// attaches a policy to your identity that explicitly denies access to the
-// access is denied. To view an example response, see I Am Not Authorized to
+// sts:GetCallerIdentity action, you can still perform this operation. Permissions
-// Perform: iam:DeleteVirtualMFADevice (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa)
+// are not required because the same information is returned when access is denied.
-// in the IAM User Guide.
+// To view an example response, see [I Am Not Authorized to Perform: iam:DeleteVirtualMFADevice]in the IAM User Guide.
+//
+// [I Am Not Authorized to Perform: iam:DeleteVirtualMFADevice]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa
 func (c *Client) GetCallerIdentity(ctx context.Context, params *GetCallerIdentityInput, optFns ...func(*Options)) (*GetCallerIdentityOutput, error) {
 	if params == nil {
 		params = &GetCallerIdentityInput{}
@@ -38,8 +40,8 @@ type GetCallerIdentityInput struct {
 	noSmithyDocumentSerde
 }
 
-// Contains the response to a successful GetCallerIdentity request, including
+// Contains the response to a successful GetCallerIdentity request, including information about the
-// information about the entity making the request.
+// entity making the request.
 type GetCallerIdentityOutput struct {
 
 	// The Amazon Web Services account ID number of the account that owns or contains
@@ -51,8 +53,10 @@ type GetCallerIdentityOutput struct {
 
 	// The unique identifier of the calling entity. The exact value depends on the
 	// type of entity that is making the call. The values returned are those listed in
-	// the aws:userid column in the Principal table (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable)
+	// the aws:userid column in the [Principal table]found on the Policy Variables reference page in
-	// found on the Policy Variables reference page in the IAM User Guide.
+	// the IAM User Guide.
+	//
+	// [Principal table]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable
 	UserId *string
 
 	// Metadata pertaining to the operation's result.

vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetFederationToken.go

@@ -14,74 +14,100 @@ import (
 // Returns a set of temporary security credentials (consisting of an access key
 // ID, a secret access key, and a security token) for a user. A typical use is in a
 // proxy application that gets temporary security credentials on behalf of
-// distributed applications inside a corporate network. You must call the
+// distributed applications inside a corporate network.
-// GetFederationToken operation using the long-term security credentials of an IAM
+//
-// user. As a result, this call is appropriate in contexts where those credentials
+// You must call the GetFederationToken operation using the long-term security
-// can be safeguarded, usually in a server-based application. For a comparison of
+// credentials of an IAM user. As a result, this call is appropriate in contexts
-// GetFederationToken with the other API operations that produce temporary
+// where those credentials can be safeguarded, usually in a server-based
-// credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
+// application. For a comparison of GetFederationToken with the other API
-// and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
+// operations that produce temporary credentials, see [Requesting Temporary Security Credentials]and [Comparing the Amazon Web Services STS API operations] in the IAM User Guide.
-// in the IAM User Guide. Although it is possible to call GetFederationToken using
+//
-// the security credentials of an Amazon Web Services account root user rather than
+// Although it is possible to call GetFederationToken using the security
-// an IAM user that you create for the purpose of a proxy application, we do not
+// credentials of an Amazon Web Services account root user rather than an IAM user
-// recommend it. For more information, see Safeguard your root user credentials
+// that you create for the purpose of a proxy application, we do not recommend it.
-// and don't use them for everyday tasks (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)
+// For more information, see [Safeguard your root user credentials and don't use them for everyday tasks]in the IAM User Guide.
-// in the IAM User Guide. You can create a mobile-based or browser-based app that
+//
-// can authenticate users using a web identity provider like Login with Amazon,
+// You can create a mobile-based or browser-based app that can authenticate users
-// Facebook, Google, or an OpenID Connect-compatible identity provider. In this
+// using a web identity provider like Login with Amazon, Facebook, Google, or an
-// case, we recommend that you use Amazon Cognito (http://aws.amazon.com/cognito/)
+// OpenID Connect-compatible identity provider. In this case, we recommend that you
-// or AssumeRoleWithWebIdentity . For more information, see Federation Through a
+// use [Amazon Cognito]or AssumeRoleWithWebIdentity . For more information, see [Federation Through a Web-based Identity Provider] in the IAM User
-// Web-based Identity Provider (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity)
+// Guide.
-// in the IAM User Guide. Session duration The temporary credentials are valid for
+//
-// the specified duration, from 900 seconds (15 minutes) up to a maximum of 129,600
+// # Session duration
-// seconds (36 hours). The default session duration is 43,200 seconds (12 hours).
+//
-// Temporary credentials obtained by using the root user credentials have a maximum
+// The temporary credentials are valid for the specified duration, from 900
-// duration of 3,600 seconds (1 hour). Permissions You can use the temporary
+// seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default
-// credentials created by GetFederationToken in any Amazon Web Services service
+// session duration is 43,200 seconds (12 hours). Temporary credentials obtained by
-// with the following exceptions:
+// using the root user credentials have a maximum duration of 3,600 seconds (1
+// hour).
+//
+// # Permissions
+//
+// You can use the temporary credentials created by GetFederationToken in any
+// Amazon Web Services service with the following exceptions:
+//
 //   - You cannot call any IAM operations using the CLI or the Amazon Web Services
 //     API. This limitation does not apply to console sessions.
+//
 //   - You cannot call any STS operations except GetCallerIdentity .
 //
-// You can use temporary credentials for single sign-on (SSO) to the console. You
+// You can use temporary credentials for single sign-on (SSO) to the console.
-// must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
+//
-// to this operation. You can pass a single JSON policy document to use as an
+// You must pass an inline or managed [session policy] to this operation. You can pass a single
-// inline session policy. You can also specify up to 10 managed policy Amazon
+// JSON policy document to use as an inline session policy. You can also specify up
-// Resource Names (ARNs) to use as managed session policies. The plaintext that you
+// to 10 managed policy Amazon Resource Names (ARNs) to use as managed session
-// use for both inline and managed session policies can't exceed 2,048 characters.
+// policies. The plaintext that you use for both inline and managed session
+// policies can't exceed 2,048 characters.
+//
 // Though the session policy parameters are optional, if you do not pass a policy,
 // then the resulting federated user session has no permissions. When you pass
 // session policies, the session permissions are the intersection of the IAM user
 // policies and the session policies that you pass. This gives you a way to further
 // restrict the permissions for a federated user. You cannot use session policies
 // to grant more permissions than those that are defined in the permissions policy
-// of the IAM user. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
+// of the IAM user. For more information, see [Session Policies]in the IAM User Guide. For
-// in the IAM User Guide. For information about using GetFederationToken to create
+// information about using GetFederationToken to create temporary security
-// temporary security credentials, see GetFederationToken—Federation Through a
+// credentials, see [GetFederationToken—Federation Through a Custom Identity Broker].
-// Custom Identity Broker (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken)
+//
-// . You can use the credentials to access a resource that has a resource-based
+// You can use the credentials to access a resource that has a resource-based
 // policy. If that policy specifically references the federated user session in the
 // Principal element of the policy, the session has the permissions allowed by the
 // policy. These permissions are granted in addition to the permissions granted by
-// the session policies. Tags (Optional) You can pass tag key-value pairs to your
+// the session policies.
-// session. These are called session tags. For more information about session tags,
+//
-// see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
+// # Tags
-// in the IAM User Guide. You can create a mobile-based or browser-based app that
+//
-// can authenticate users using a web identity provider like Login with Amazon,
+// (Optional) You can pass tag key-value pairs to your session. These are called
-// Facebook, Google, or an OpenID Connect-compatible identity provider. In this
+// session tags. For more information about session tags, see [Passing Session Tags in STS]in the IAM User
-// case, we recommend that you use Amazon Cognito (http://aws.amazon.com/cognito/)
+// Guide.
-// or AssumeRoleWithWebIdentity . For more information, see Federation Through a
+//
-// Web-based Identity Provider (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity)
+// You can create a mobile-based or browser-based app that can authenticate users
-// in the IAM User Guide. An administrator must grant you the permissions necessary
+// using a web identity provider like Login with Amazon, Facebook, Google, or an
-// to pass session tags. The administrator can also create granular permissions to
+// OpenID Connect-compatible identity provider. In this case, we recommend that you
-// allow you to pass only specific session tags. For more information, see
+// use [Amazon Cognito]or AssumeRoleWithWebIdentity . For more information, see [Federation Through a Web-based Identity Provider] in the IAM User
-// Tutorial: Using Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
+// Guide.
-// in the IAM User Guide. Tag key–value pairs are not case sensitive, but case is
+//
-// preserved. This means that you cannot have separate Department and department
+// An administrator must grant you the permissions necessary to pass session tags.
-// tag keys. Assume that the user that you are federating has the Department =
+// The administrator can also create granular permissions to allow you to pass only
-// Marketing tag and you pass the department = engineering session tag. Department
+// specific session tags. For more information, see [Tutorial: Using Tags for Attribute-Based Access Control]in the IAM User Guide.
-// and department are not saved as separate tags, and the session tag passed in
+//
-// the request takes precedence over the user tag.
+// Tag key–value pairs are not case sensitive, but case is preserved. This means
+// that you cannot have separate Department and department tag keys. Assume that
+// the user that you are federating has the Department = Marketing tag and you
+// pass the department = engineering session tag. Department and department are
+// not saved as separate tags, and the session tag passed in the request takes
+// precedence over the user tag.
+//
+// [Federation Through a Web-based Identity Provider]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
+// [session policy]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+// [Amazon Cognito]: http://aws.amazon.com/cognito/
+// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+// [Passing Session Tags in STS]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
+// [GetFederationToken—Federation Through a Custom Identity Broker]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken
+// [Comparing the Amazon Web Services STS API operations]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
+// [Safeguard your root user credentials and don't use them for everyday tasks]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials
+// [Requesting Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
+// [Tutorial: Using Tags for Attribute-Based Access Control]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
 func (c *Client) GetFederationToken(ctx context.Context, params *GetFederationTokenInput, optFns ...func(*Options)) (*GetFederationTokenOutput, error) {
 	if params == nil {
 		params = &GetFederationTokenInput{}
@@ -102,10 +128,11 @@ type GetFederationTokenInput struct {
 	// The name of the federated user. The name is used as an identifier for the
 	// temporary security credentials (such as Bob ). For example, you can reference
 	// the federated user name in a resource-based policy, such as in an Amazon S3
-	// bucket policy. The regex used to validate this parameter is a string of
+	// bucket policy.
-	// characters consisting of upper- and lower-case alphanumeric characters with no
+	//
-	// spaces. You can also include underscores or any of the following characters:
+	// The regex used to validate this parameter is a string of characters consisting
-	// =,.@-
+	// of upper- and lower-case alphanumeric characters with no spaces. You can also
+	// include underscores or any of the following characters: =,.@-
 	//
 	// This member is required.
 	Name *string
@@ -119,99 +146,127 @@ type GetFederationTokenInput struct {
 	DurationSeconds *int32
 
 	// An IAM policy in JSON format that you want to use as an inline session policy.
-	// You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
+	//
-	// to this operation. You can pass a single JSON policy document to use as an
+	// You must pass an inline or managed [session policy] to this operation. You can pass a single
-	// inline session policy. You can also specify up to 10 managed policy Amazon
+	// JSON policy document to use as an inline session policy. You can also specify up
-	// Resource Names (ARNs) to use as managed session policies. This parameter is
+	// to 10 managed policy Amazon Resource Names (ARNs) to use as managed session
-	// optional. However, if you do not pass any session policies, then the resulting
+	// policies.
-	// federated user session has no permissions. When you pass session policies, the
+	//
-	// session permissions are the intersection of the IAM user policies and the
+	// This parameter is optional. However, if you do not pass any session policies,
-	// session policies that you pass. This gives you a way to further restrict the
+	// then the resulting federated user session has no permissions.
-	// permissions for a federated user. You cannot use session policies to grant more
+	//
-	// permissions than those that are defined in the permissions policy of the IAM
+	// When you pass session policies, the session permissions are the intersection of
-	// user. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
+	// the IAM user policies and the session policies that you pass. This gives you a
-	// in the IAM User Guide. The resulting credentials can be used to access a
+	// way to further restrict the permissions for a federated user. You cannot use
-	// resource that has a resource-based policy. If that policy specifically
+	// session policies to grant more permissions than those that are defined in the
-	// references the federated user session in the Principal element of the policy,
+	// permissions policy of the IAM user. For more information, see [Session Policies]in the IAM User
-	// the session has the permissions allowed by the policy. These permissions are
+	// Guide.
-	// granted in addition to the permissions that are granted by the session policies.
+	//
+	// The resulting credentials can be used to access a resource that has a
+	// resource-based policy. If that policy specifically references the federated user
+	// session in the Principal element of the policy, the session has the permissions
+	// allowed by the policy. These permissions are granted in addition to the
+	// permissions that are granted by the session policies.
+	//
 	// The plaintext that you use for both inline and managed session policies can't
 	// exceed 2,048 characters. The JSON policy characters can be any ASCII character
 	// from the space character to the end of the valid character list (\u0020 through
 	// \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage
-	// return (\u000D) characters. An Amazon Web Services conversion compresses the
+	// return (\u000D) characters.
-	// passed inline session policy, managed policy ARNs, and session tags into a
+	//
-	// packed binary format that has a separate limit. Your request can fail for this
-	// limit even if your plaintext meets the other requirements. The PackedPolicySize
-	// response element indicates by percentage how close the policies and tags for
-	// your request are to the upper size limit.
-	Policy *string
-
-	// The Amazon Resource Names (ARNs) of the IAM managed policies that you want to
-	// use as a managed session policy. The policies must exist in the same account as
-	// the IAM user that is requesting federated access. You must pass an inline or
-	// managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-	// to this operation. You can pass a single JSON policy document to use as an
-	// inline session policy. You can also specify up to 10 managed policy Amazon
-	// Resource Names (ARNs) to use as managed session policies. The plaintext that you
-	// use for both inline and managed session policies can't exceed 2,048 characters.
-	// You can provide up to 10 managed policy ARNs. For more information about ARNs,
-	// see Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
-	// in the Amazon Web Services General Reference. This parameter is optional.
-	// However, if you do not pass any session policies, then the resulting federated
-	// user session has no permissions. When you pass session policies, the session
-	// permissions are the intersection of the IAM user policies and the session
-	// policies that you pass. This gives you a way to further restrict the permissions
-	// for a federated user. You cannot use session policies to grant more permissions
-	// than those that are defined in the permissions policy of the IAM user. For more
-	// information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-	// in the IAM User Guide. The resulting credentials can be used to access a
-	// resource that has a resource-based policy. If that policy specifically
-	// references the federated user session in the Principal element of the policy,
-	// the session has the permissions allowed by the policy. These permissions are
-	// granted in addition to the permissions that are granted by the session policies.
 	// An Amazon Web Services conversion compresses the passed inline session policy,
 	// managed policy ARNs, and session tags into a packed binary format that has a
 	// separate limit. Your request can fail for this limit even if your plaintext
 	// meets the other requirements. The PackedPolicySize response element indicates
 	// by percentage how close the policies and tags for your request are to the upper
 	// size limit.
+	//
+	// [session policy]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+	// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+	Policy *string
+
+	// The Amazon Resource Names (ARNs) of the IAM managed policies that you want to
+	// use as a managed session policy. The policies must exist in the same account as
+	// the IAM user that is requesting federated access.
+	//
+	// You must pass an inline or managed [session policy] to this operation. You can pass a single
+	// JSON policy document to use as an inline session policy. You can also specify up
+	// to 10 managed policy Amazon Resource Names (ARNs) to use as managed session
+	// policies. The plaintext that you use for both inline and managed session
+	// policies can't exceed 2,048 characters. You can provide up to 10 managed policy
+	// ARNs. For more information about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]in the Amazon Web Services General
+	// Reference.
+	//
+	// This parameter is optional. However, if you do not pass any session policies,
+	// then the resulting federated user session has no permissions.
+	//
+	// When you pass session policies, the session permissions are the intersection of
+	// the IAM user policies and the session policies that you pass. This gives you a
+	// way to further restrict the permissions for a federated user. You cannot use
+	// session policies to grant more permissions than those that are defined in the
+	// permissions policy of the IAM user. For more information, see [Session Policies]in the IAM User
+	// Guide.
+	//
+	// The resulting credentials can be used to access a resource that has a
+	// resource-based policy. If that policy specifically references the federated user
+	// session in the Principal element of the policy, the session has the permissions
+	// allowed by the policy. These permissions are granted in addition to the
+	// permissions that are granted by the session policies.
+	//
+	// An Amazon Web Services conversion compresses the passed inline session policy,
+	// managed policy ARNs, and session tags into a packed binary format that has a
+	// separate limit. Your request can fail for this limit even if your plaintext
+	// meets the other requirements. The PackedPolicySize response element indicates
+	// by percentage how close the policies and tags for your request are to the upper
+	// size limit.
+	//
+	// [session policy]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+	// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+	// [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
 	PolicyArns []types.PolicyDescriptorType
 
 	// A list of session tags. Each session tag consists of a key name and an
-	// associated value. For more information about session tags, see Passing Session
+	// associated value. For more information about session tags, see [Passing Session Tags in STS]in the IAM User
-	// Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
+	// Guide.
-	// in the IAM User Guide. This parameter is optional. You can pass up to 50 session
+	//
-	// tags. The plaintext session tag keys can’t exceed 128 characters and the values
+	// This parameter is optional. You can pass up to 50 session tags. The plaintext
-	// can’t exceed 256 characters. For these and additional limits, see IAM and STS
+	// session tag keys can’t exceed 128 characters and the values can’t exceed 256
-	// Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
+	// characters. For these and additional limits, see [IAM and STS Character Limits]in the IAM User Guide.
-	// in the IAM User Guide. An Amazon Web Services conversion compresses the passed
+	//
-	// inline session policy, managed policy ARNs, and session tags into a packed
+	// An Amazon Web Services conversion compresses the passed inline session policy,
-	// binary format that has a separate limit. Your request can fail for this limit
+	// managed policy ARNs, and session tags into a packed binary format that has a
-	// even if your plaintext meets the other requirements. The PackedPolicySize
+	// separate limit. Your request can fail for this limit even if your plaintext
-	// response element indicates by percentage how close the policies and tags for
+	// meets the other requirements. The PackedPolicySize response element indicates
-	// your request are to the upper size limit. You can pass a session tag with the
+	// by percentage how close the policies and tags for your request are to the upper
-	// same key as a tag that is already attached to the user you are federating. When
+	// size limit.
-	// you do, session tags override a user tag with the same key. Tag key–value pairs
+	//
-	// are not case sensitive, but case is preserved. This means that you cannot have
+	// You can pass a session tag with the same key as a tag that is already attached
-	// separate Department and department tag keys. Assume that the role has the
+	// to the user you are federating. When you do, session tags override a user tag
-	// Department = Marketing tag and you pass the department = engineering session
+	// with the same key.
-	// tag. Department and department are not saved as separate tags, and the session
+	//
-	// tag passed in the request takes precedence over the role tag.
+	// Tag key–value pairs are not case sensitive, but case is preserved. This means
+	// that you cannot have separate Department and department tag keys. Assume that
+	// the role has the Department = Marketing tag and you pass the department =
+	// engineering session tag. Department and department are not saved as separate
+	// tags, and the session tag passed in the request takes precedence over the role
+	// tag.
+	//
+	// [Passing Session Tags in STS]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
+	// [IAM and STS Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
 	Tags []types.Tag
 
 	noSmithyDocumentSerde
 }
 
-// Contains the response to a successful GetFederationToken request, including
+// Contains the response to a successful GetFederationToken request, including temporary Amazon Web
-// temporary Amazon Web Services credentials that can be used to make Amazon Web
+// Services credentials that can be used to make Amazon Web Services requests.
-// Services requests.
 type GetFederationTokenOutput struct {
 
 	// The temporary security credentials, which include an access key ID, a secret
-	// access key, and a security (or session) token. The size of the security token
+	// access key, and a security (or session) token.
-	// that STS API operations return is not fixed. We strongly recommend that you make
+	//
-	// no assumptions about the maximum size.
+	// The size of the security token that STS API operations return is not fixed. We
+	// strongly recommend that you make no assumptions about the maximum size.
 	Credentials *types.Credentials
 
 	// Identifiers for the federated user associated with the credentials (such as

vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetSessionToken.go

@@ -15,43 +15,58 @@ import (
 // IAM user. The credentials consist of an access key ID, a secret access key, and
 // a security token. Typically, you use GetSessionToken if you want to use MFA to
 // protect programmatic calls to specific Amazon Web Services API operations like
-// Amazon EC2 StopInstances . MFA-enabled IAM users must call GetSessionToken and
+// Amazon EC2 StopInstances .
-// submit an MFA code that is associated with their MFA device. Using the temporary
+//
-// security credentials that the call returns, IAM users can then make programmatic
+// MFA-enabled IAM users must call GetSessionToken and submit an MFA code that is
-// calls to API operations that require MFA authentication. An incorrect MFA code
+// associated with their MFA device. Using the temporary security credentials that
-// causes the API to return an access denied error. For a comparison of
+// the call returns, IAM users can then make programmatic calls to API operations
-// GetSessionToken with the other API operations that produce temporary
+// that require MFA authentication. An incorrect MFA code causes the API to return
-// credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
+// an access denied error. For a comparison of GetSessionToken with the other API
-// and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
+// operations that produce temporary credentials, see [Requesting Temporary Security Credentials]and [Comparing the Amazon Web Services STS API operations] in the IAM User Guide.
-// in the IAM User Guide. No permissions are required for users to perform this
+//
-// operation. The purpose of the sts:GetSessionToken operation is to authenticate
+// No permissions are required for users to perform this operation. The purpose of
-// the user using MFA. You cannot use policies to control authentication
+// the sts:GetSessionToken operation is to authenticate the user using MFA. You
-// operations. For more information, see Permissions for GetSessionToken (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getsessiontoken.html)
+// cannot use policies to control authentication operations. For more information,
-// in the IAM User Guide. Session Duration The GetSessionToken operation must be
+// see [Permissions for GetSessionToken]in the IAM User Guide.
-// called by using the long-term Amazon Web Services security credentials of an IAM
+//
-// user. Credentials that are created by IAM users are valid for the duration that
+// # Session Duration
-// you specify. This duration can range from 900 seconds (15 minutes) up to a
+//
-// maximum of 129,600 seconds (36 hours), with a default of 43,200 seconds (12
+// The GetSessionToken operation must be called by using the long-term Amazon Web
-// hours). Credentials based on account credentials can range from 900 seconds (15
+// Services security credentials of an IAM user. Credentials that are created by
-// minutes) up to 3,600 seconds (1 hour), with a default of 1 hour. Permissions The
+// IAM users are valid for the duration that you specify. This duration can range
-// temporary security credentials created by GetSessionToken can be used to make
+// from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours),
-// API calls to any Amazon Web Services service with the following exceptions:
+// with a default of 43,200 seconds (12 hours). Credentials based on account
+// credentials can range from 900 seconds (15 minutes) up to 3,600 seconds (1
+// hour), with a default of 1 hour.
+//
+// # Permissions
+//
+// The temporary security credentials created by GetSessionToken can be used to
+// make API calls to any Amazon Web Services service with the following exceptions:
+//
 //   - You cannot call any IAM API operations unless MFA authentication
 //     information is included in the request.
+//
 //   - You cannot call any STS API except AssumeRole or GetCallerIdentity .
 //
 // The credentials that GetSessionToken returns are based on permissions
 // associated with the IAM user whose credentials were used to call the operation.
-// The temporary credentials have the same permissions as the IAM user. Although it
+// The temporary credentials have the same permissions as the IAM user.
-// is possible to call GetSessionToken using the security credentials of an Amazon
+//
-// Web Services account root user rather than an IAM user, we do not recommend it.
+// Although it is possible to call GetSessionToken using the security credentials
-// If GetSessionToken is called using root user credentials, the temporary
+// of an Amazon Web Services account root user rather than an IAM user, we do not
-// credentials have root user permissions. For more information, see Safeguard
+// recommend it. If GetSessionToken is called using root user credentials, the
-// your root user credentials and don't use them for everyday tasks (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)
+// temporary credentials have root user permissions. For more information, see [Safeguard your root user credentials and don't use them for everyday tasks]in
-// in the IAM User Guide For more information about using GetSessionToken to
+// the IAM User Guide
-// create temporary credentials, see Temporary Credentials for Users in Untrusted
+//
-// Environments (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken)
+// For more information about using GetSessionToken to create temporary
-// in the IAM User Guide.
+// credentials, see [Temporary Credentials for Users in Untrusted Environments]in the IAM User Guide.
+//
+// [Permissions for GetSessionToken]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getsessiontoken.html
+// [Comparing the Amazon Web Services STS API operations]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
+// [Temporary Credentials for Users in Untrusted Environments]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken
+// [Safeguard your root user credentials and don't use them for everyday tasks]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials
+// [Requesting Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
 func (c *Client) GetSessionToken(ctx context.Context, params *GetSessionTokenInput, optFns ...func(*Options)) (*GetSessionTokenOutput, error) {
 	if params == nil {
 		params = &GetSessionTokenInput{}
@@ -83,10 +98,11 @@ type GetSessionTokenInput struct {
 	// number for a hardware device (such as GAHT12345678 ) or an Amazon Resource Name
 	// (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user ). You
 	// can find the device for an IAM user by going to the Amazon Web Services
-	// Management Console and viewing the user's security credentials. The regex used
+	// Management Console and viewing the user's security credentials.
-	// to validate this parameter is a string of characters consisting of upper- and
+	//
-	// lower-case alphanumeric characters with no spaces. You can also include
+	// The regex used to validate this parameter is a string of characters consisting
-	// underscores or any of the following characters: =,.@:/-
+	// of upper- and lower-case alphanumeric characters with no spaces. You can also
+	// include underscores or any of the following characters: =,.@:/-
 	SerialNumber *string
 
 	// The value provided by the MFA device, if MFA is required. If any policy
@@ -94,22 +110,24 @@ type GetSessionTokenInput struct {
 	// authentication is required, the user must provide a code when requesting a set
 	// of temporary security credentials. A user who fails to provide the code receives
 	// an "access denied" response when requesting resources that require MFA
-	// authentication. The format for this parameter, as described by its regex
+	// authentication.
-	// pattern, is a sequence of six numeric digits.
+	//
+	// The format for this parameter, as described by its regex pattern, is a sequence
+	// of six numeric digits.
 	TokenCode *string
 
 	noSmithyDocumentSerde
 }
 
-// Contains the response to a successful GetSessionToken request, including
+// Contains the response to a successful GetSessionToken request, including temporary Amazon Web
-// temporary Amazon Web Services credentials that can be used to make Amazon Web
+// Services credentials that can be used to make Amazon Web Services requests.
-// Services requests.
 type GetSessionTokenOutput struct {
 
 	// The temporary security credentials, which include an access key ID, a secret
-	// access key, and a security (or session) token. The size of the security token
+	// access key, and a security (or session) token.
-	// that STS API operations return is not fixed. We strongly recommend that you make
+	//
-	// no assumptions about the maximum size.
+	// The size of the security token that STS API operations return is not fixed. We
+	// strongly recommend that you make no assumptions about the maximum size.
 	Credentials *types.Credentials
 
 	// Metadata pertaining to the operation's result.

vendor/github.com/aws/aws-sdk-go-v2/service/sts/deserializers.go

@@ -20,8 +20,17 @@ import (
 	"io"
 	"strconv"
 	"strings"
+	"time"
 )
 
+func deserializeS3Expires(v string) (*time.Time, error) {
+	t, err := smithytime.ParseHTTPDate(v)
+	if err != nil {
+		return nil, nil
+	}
+	return &t, nil
+}
+
 type awsAwsquery_deserializeOpAssumeRole struct {
 }
 

vendor/github.com/aws/aws-sdk-go-v2/service/sts/doc.go

@@ -3,9 +3,11 @@
 // Package sts provides the API client, operations, and parameter types for AWS
 // Security Token Service.
 //
-// Security Token Service Security Token Service (STS) enables you to request
+// # Security Token Service
-// temporary, limited-privilege credentials for users. This guide provides
+//
-// descriptions of the STS API. For more information about using this service, see
+// Security Token Service (STS) enables you to request temporary,
-// Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html)
+// limited-privilege credentials for users. This guide provides descriptions of the
-// .
+// STS API. For more information about using this service, see [Temporary Security Credentials].
+//
+// [Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html
 package sts

vendor/github.com/aws/aws-sdk-go-v2/service/sts/go_module_metadata.go

@@ -3,4 +3,4 @@
 package sts
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.28.6"
+const goModuleVersion = "1.28.10"

vendor/github.com/aws/aws-sdk-go-v2/service/sts/options.go

@@ -50,8 +50,10 @@ type Options struct {
 	// Deprecated: Deprecated: EndpointResolver and WithEndpointResolver. Providing a
 	// value for this field will likely prevent you from using any endpoint-related
 	// service features released after the introduction of EndpointResolverV2 and
-	// BaseEndpoint. To migrate an EndpointResolver implementation that uses a custom
+	// BaseEndpoint.
-	// endpoint, set the client option BaseEndpoint instead.
+	//
+	// To migrate an EndpointResolver implementation that uses a custom endpoint, set
+	// the client option BaseEndpoint instead.
 	EndpointResolver EndpointResolver
 
 	// Resolves the endpoint used for a particular service operation. This should be
@@ -70,17 +72,20 @@ type Options struct {
 	// RetryMaxAttempts specifies the maximum number attempts an API client will call
 	// an operation that fails with a retryable error. A value of 0 is ignored, and
 	// will not be used to configure the API client created default retryer, or modify
-	// per operation call's retry max attempts. If specified in an operation call's
+	// per operation call's retry max attempts.
-	// functional options with a value that is different than the constructed client's
+	//
-	// Options, the Client's Retryer will be wrapped to use the operation's specific
+	// If specified in an operation call's functional options with a value that is
-	// RetryMaxAttempts value.
+	// different than the constructed client's Options, the Client's Retryer will be
+	// wrapped to use the operation's specific RetryMaxAttempts value.
 	RetryMaxAttempts int
 
 	// RetryMode specifies the retry mode the API client will be created with, if
-	// Retryer option is not also specified. When creating a new API Clients this
+	// Retryer option is not also specified.
-	// member will only be used if the Retryer Options member is nil. This value will
+	//
-	// be ignored if Retryer is not nil. Currently does not support per operation call
+	// When creating a new API Clients this member will only be used if the Retryer
-	// overrides, may in the future.
+	// Options member is nil. This value will be ignored if Retryer is not nil.
+	//
+	// Currently does not support per operation call overrides, may in the future.
 	RetryMode aws.RetryMode
 
 	// Retryer guides how HTTP requests should be retried in case of recoverable
@@ -97,8 +102,9 @@ type Options struct {
 
 	// The initial DefaultsMode used when the client options were constructed. If the
 	// DefaultsMode was set to aws.DefaultsModeAuto this will store what the resolved
-	// value was at that point in time. Currently does not support per operation call
+	// value was at that point in time.
-	// overrides, may in the future.
+	//
+	// Currently does not support per operation call overrides, may in the future.
 	resolvedDefaultsMode aws.DefaultsMode
 
 	// The HTTP client to invoke API calls with. Defaults to client's default HTTP
@@ -143,6 +149,7 @@ func WithAPIOptions(optFns ...func(*middleware.Stack) error) func(*Options) {
 // Deprecated: EndpointResolver and WithEndpointResolver. Providing a value for
 // this field will likely prevent you from using any endpoint-related service
 // features released after the introduction of EndpointResolverV2 and BaseEndpoint.
+//
 // To migrate an EndpointResolver implementation that uses a custom endpoint, set
 // the client option BaseEndpoint instead.
 func WithEndpointResolver(v EndpointResolver) func(*Options) {

vendor/github.com/aws/aws-sdk-go-v2/service/sts/types/errors.go

@@ -65,9 +65,10 @@ func (e *IDPCommunicationErrorException) ErrorCode() string {
 func (e *IDPCommunicationErrorException) ErrorFault() smithy.ErrorFault { return smithy.FaultClient }
 
 // The identity provider (IdP) reported that authentication failed. This might be
-// because the claim is invalid. If this error is returned for the
+// because the claim is invalid.
-// AssumeRoleWithWebIdentity operation, it can also mean that the claim has expired
+//
-// or has been explicitly revoked.
+// If this error is returned for the AssumeRoleWithWebIdentity operation, it can
+// also mean that the claim has expired or has been explicitly revoked.
 type IDPRejectedClaimException struct {
 	Message *string
 
@@ -183,11 +184,13 @@ func (e *MalformedPolicyDocumentException) ErrorFault() smithy.ErrorFault { retu
 // compresses the session policy document, session policy ARNs, and session tags
 // into a packed binary format that has a separate limit. The error message
 // indicates by percentage how close the policies and tags are to the upper size
-// limit. For more information, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
+// limit. For more information, see [Passing Session Tags in STS]in the IAM User Guide.
-// in the IAM User Guide. You could receive this error even though you meet other
+//
-// defined session policy and session tag limits. For more information, see IAM
+// You could receive this error even though you meet other defined session policy
-// and STS Entity Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length)
+// and session tag limits. For more information, see [IAM and STS Entity Character Limits]in the IAM User Guide.
-// in the IAM User Guide.
+//
+// [Passing Session Tags in STS]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
+// [IAM and STS Entity Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length
 type PackedPolicyTooLargeException struct {
 	Message *string
 
@@ -215,9 +218,10 @@ func (e *PackedPolicyTooLargeException) ErrorFault() smithy.ErrorFault { return
 
 // STS is not activated in the requested region for the account that is being
 // asked to generate credentials. The account administrator must use the IAM
-// console to activate STS in that region. For more information, see Activating
+// console to activate STS in that region. For more information, see [Activating and Deactivating Amazon Web Services STS in an Amazon Web Services Region]in the IAM
-// and Deactivating Amazon Web Services STS in an Amazon Web Services Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
+// User Guide.
-// in the IAM User Guide.
+//
+// [Activating and Deactivating Amazon Web Services STS in an Amazon Web Services Region]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html
 type RegionDisabledException struct {
 	Message *string
 

vendor/github.com/aws/aws-sdk-go-v2/service/sts/types/types.go

@@ -11,10 +11,11 @@ import (
 // returns.
 type AssumedRoleUser struct {
 
-	// The ARN of the temporary security credentials that are returned from the
+	// The ARN of the temporary security credentials that are returned from the AssumeRole
-	// AssumeRole action. For more information about ARNs and how to use them in
+	// action. For more information about ARNs and how to use them in policies, see [IAM Identifiers]in
-	// policies, see IAM Identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html)
+	// the IAM User Guide.
-	// in the IAM User Guide.
+	//
+	// [IAM Identifiers]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html
 	//
 	// This member is required.
 	Arn *string
@@ -61,8 +62,9 @@ type FederatedUser struct {
 
 	// The ARN that specifies the federated user that is associated with the
 	// credentials. For more information about ARNs and how to use them in policies,
-	// see IAM Identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html)
+	// see [IAM Identifiers]in the IAM User Guide.
-	// in the IAM User Guide.
+	//
+	// [IAM Identifiers]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html
 	//
 	// This member is required.
 	Arn *string
@@ -81,9 +83,10 @@ type FederatedUser struct {
 type PolicyDescriptorType struct {
 
 	// The Amazon Resource Name (ARN) of the IAM managed policy to use as a session
-	// policy for the role. For more information about ARNs, see Amazon Resource Names
+	// policy for the role. For more information about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]in the Amazon Web
-	// (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
+	// Services General Reference.
-	// in the Amazon Web Services General Reference.
+	//
+	// [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
 	Arn *string
 
 	noSmithyDocumentSerde
@@ -107,23 +110,30 @@ type ProvidedContext struct {
 
 // You can pass custom key-value pair attributes when you assume a role or
 // federate a user. These are called session tags. You can then use the session
-// tags to control access to resources. For more information, see Tagging Amazon
+// tags to control access to resources. For more information, see [Tagging Amazon Web Services STS Sessions]in the IAM User
-// Web Services STS Sessions (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
+// Guide.
-// in the IAM User Guide.
+//
+// [Tagging Amazon Web Services STS Sessions]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
 type Tag struct {
 
-	// The key for a session tag. You can pass up to 50 session tags. The plain text
+	// The key for a session tag.
-	// session tag keys can’t exceed 128 characters. For these and additional limits,
+	//
-	// see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
+	// You can pass up to 50 session tags. The plain text session tag keys can’t
-	// in the IAM User Guide.
+	// exceed 128 characters. For these and additional limits, see [IAM and STS Character Limits]in the IAM User
+	// Guide.
+	//
+	// [IAM and STS Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
 	//
 	// This member is required.
 	Key *string
 
-	// The value for a session tag. You can pass up to 50 session tags. The plain text
+	// The value for a session tag.
-	// session tag values can’t exceed 256 characters. For these and additional limits,
+	//
-	// see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
+	// You can pass up to 50 session tags. The plain text session tag values can’t
-	// in the IAM User Guide.
+	// exceed 256 characters. For these and additional limits, see [IAM and STS Character Limits]in the IAM User
+	// Guide.
+	//
+	// [IAM and STS Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
 	//
 	// This member is required.
 	Value *string

vendor/modules.txt

@@ -46,10 +46,10 @@ github.com/aws/aws-sdk-go-v2/internal/timeconv
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream/eventstreamapi
-# github.com/aws/aws-sdk-go-v2/config v1.27.11
+# github.com/aws/aws-sdk-go-v2/config v1.27.16
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/config
-# github.com/aws/aws-sdk-go-v2/credentials v1.17.11
+# github.com/aws/aws-sdk-go-v2/credentials v1.17.16
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/credentials
 github.com/aws/aws-sdk-go-v2/credentials/ec2rolecreds
@@ -61,14 +61,14 @@ github.com/aws/aws-sdk-go-v2/credentials/stscreds
 # github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue v1.13.14
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue
-# github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1
+# github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.3
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds/internal/config
-# github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5
+# github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.7
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/internal/configsources
-# github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5
+# github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.7
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2
 # github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0
@@ -89,7 +89,7 @@ github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding
 # github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.9.8
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery
-# github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7
+# github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.9
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url
 # github.com/aws/aws-sdk-go-v2/service/kinesis v1.27.4
@@ -98,17 +98,17 @@ github.com/aws/aws-sdk-go-v2/service/kinesis
 github.com/aws/aws-sdk-go-v2/service/kinesis/internal/customizations
 github.com/aws/aws-sdk-go-v2/service/kinesis/internal/endpoints
 github.com/aws/aws-sdk-go-v2/service/kinesis/types
-# github.com/aws/aws-sdk-go-v2/service/sso v1.20.5
+# github.com/aws/aws-sdk-go-v2/service/sso v1.20.9
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/service/sso
 github.com/aws/aws-sdk-go-v2/service/sso/internal/endpoints
 github.com/aws/aws-sdk-go-v2/service/sso/types
-# github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4
+# github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.3
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/service/ssooidc
 github.com/aws/aws-sdk-go-v2/service/ssooidc/internal/endpoints
 github.com/aws/aws-sdk-go-v2/service/ssooidc/types
-# github.com/aws/aws-sdk-go-v2/service/sts v1.28.6
+# github.com/aws/aws-sdk-go-v2/service/sts v1.28.10
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/service/sts
 github.com/aws/aws-sdk-go-v2/service/sts/internal/endpoints