Updating AWS-SDK-Go to version 1.38.49

This commit is for all the vendor specific code changes introduced by pinning the dependency at 1.38.49 and running update-vendor.sh lint-dependencies.sh shows no issues
2025-11-26 19:35:10 +00:00 · 2021-05-28 16:44:32 -07:00
parent 24b716673c
commit 1b27430b50
43 changed files with 17237 additions and 1655 deletions
--- a/vendor/github.com/aws/aws-sdk-go/service/autoscaling/api.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/autoscaling/api.go
--- a/vendor/github.com/aws/aws-sdk-go/service/autoscaling/doc.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/autoscaling/doc.go
@@ -5,12 +5,14 @@
 //
 // Amazon EC2 Auto Scaling is designed to automatically launch or terminate
 // EC2 instances based on user-defined scaling policies, scheduled actions,
-// and health checks. Use this service with AWS Auto Scaling, Amazon CloudWatch,
-// and Elastic Load Balancing.
+// and health checks.
 //
-// For more information, including information about granting IAM users required
-// permissions for Amazon EC2 Auto Scaling actions, see the Amazon EC2 Auto
+// For more information about Amazon EC2 Auto Scaling, see the Amazon EC2 Auto
 // Scaling User Guide (https://docs.aws.amazon.com/autoscaling/ec2/userguide/what-is-amazon-ec2-auto-scaling.html).
+// For information about granting IAM users required permissions for calls to
+// Amazon EC2 Auto Scaling, see Granting IAM users required permissions for
+// Amazon EC2 Auto Scaling resources (https://docs.aws.amazon.com/autoscaling/ec2/APIReference/ec2-auto-scaling-api-permissions.html)
+// in the Amazon EC2 Auto Scaling API Reference.
 //
 // See https://docs.aws.amazon.com/goto/WebAPI/autoscaling-2011-01-01 for more information on this service.
 //
--- a/vendor/github.com/aws/aws-sdk-go/service/ec2/api.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/ec2/api.go
--- a/vendor/github.com/aws/aws-sdk-go/service/ec2/doc.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/ec2/doc.go
@@ -4,8 +4,14 @@
 // requests to Amazon Elastic Compute Cloud.
 //
 // Amazon Elastic Compute Cloud (Amazon EC2) provides secure and resizable computing
-// capacity in the AWS cloud. Using Amazon EC2 eliminates the need to invest
+// capacity in the AWS Cloud. Using Amazon EC2 eliminates the need to invest
 // in hardware up front, so you can develop and deploy applications faster.
+// Amazon Virtual Private Cloud (Amazon VPC) enables you to provision a logically
+// isolated section of the AWS Cloud where you can launch AWS resources in a
+// virtual network that you've defined. Amazon Elastic Block Store (Amazon EBS)
+// provides block level storage volumes for use with EC2 instances. EBS volumes
+// are highly available and reliable storage volumes that can be attached to
+// any running instance and used like a hard drive.
 //
 // To learn more, see the following resources:
 //
@@ -13,7 +19,7 @@
 //    EC2 documentation (http://aws.amazon.com/documentation/ec2)
 //
 //    * Amazon EBS: Amazon EBS product page (http://aws.amazon.com/ebs), Amazon
-//    EBS documentation (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html)
+//    EBS documentation (http://aws.amazon.com/documentation/ebs)
 //
 //    * Amazon VPC: Amazon VPC product page (http://aws.amazon.com/vpc), Amazon
 //    VPC documentation (http://aws.amazon.com/documentation/vpc)
--- a/vendor/github.com/aws/aws-sdk-go/service/ec2/waiters.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/ec2/waiters.go
@@ -982,7 +982,7 @@ func (c *EC2) WaitUntilSecurityGroupExistsWithContext(ctx aws.Context, input *De
 			{
 				State:    request.RetryWaiterState,
 				Matcher:  request.ErrorWaiterMatch,
-				Expected: "InvalidGroupNotFound",
+				Expected: "InvalidGroup.NotFound",
 			},
 		},
 		Logger: c.Config.Logger,
--- a/vendor/github.com/aws/aws-sdk-go/service/ecr/api.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/ecr/api.go
--- a/vendor/github.com/aws/aws-sdk-go/service/ecr/errors.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/ecr/errors.go
@@ -135,6 +135,12 @@ const (
 	// The manifest list is referencing an image that does not exist.
 	ErrCodeReferencedImagesNotFoundException = "ReferencedImagesNotFoundException"

+	// ErrCodeRegistryPolicyNotFoundException for service response error code
+	// "RegistryPolicyNotFoundException".
+	//
+	// The registry doesn't have an associated registry policy.
+	ErrCodeRegistryPolicyNotFoundException = "RegistryPolicyNotFoundException"
+
 	// ErrCodeRepositoryAlreadyExistsException for service response error code
 	// "RepositoryAlreadyExistsException".
 	//
@@ -194,6 +200,12 @@ const (
 	// The upload could not be found, or the specified upload ID is not valid for
 	// this repository.
 	ErrCodeUploadNotFoundException = "UploadNotFoundException"
+
+	// ErrCodeValidationException for service response error code
+	// "ValidationException".
+	//
+	// There was an exception validating this request.
+	ErrCodeValidationException = "ValidationException"
 )

 var exceptionFromCode = map[string]func(protocol.ResponseMetadata) error{
@@ -216,6 +228,7 @@ var exceptionFromCode = map[string]func(protocol.ResponseMetadata) error{
 	"LifecyclePolicyPreviewNotFoundException":   newErrorLifecyclePolicyPreviewNotFoundException,
 	"LimitExceededException":                    newErrorLimitExceededException,
 	"ReferencedImagesNotFoundException":         newErrorReferencedImagesNotFoundException,
+	"RegistryPolicyNotFoundException":           newErrorRegistryPolicyNotFoundException,
 	"RepositoryAlreadyExistsException":          newErrorRepositoryAlreadyExistsException,
 	"RepositoryNotEmptyException":               newErrorRepositoryNotEmptyException,
 	"RepositoryNotFoundException":               newErrorRepositoryNotFoundException,
@@ -225,4 +238,5 @@ var exceptionFromCode = map[string]func(protocol.ResponseMetadata) error{
 	"TooManyTagsException":                      newErrorTooManyTagsException,
 	"UnsupportedImageTypeException":             newErrorUnsupportedImageTypeException,
 	"UploadNotFoundException":                   newErrorUploadNotFoundException,
+	"ValidationException":                       newErrorValidationException,
 }
--- a/vendor/github.com/aws/aws-sdk-go/service/elbv2/api.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/elbv2/api.go
--- a/vendor/github.com/aws/aws-sdk-go/service/elbv2/doc.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/elbv2/doc.go
@@ -15,16 +15,18 @@
 // the targets.
 //
 // Elastic Load Balancing supports the following types of load balancers: Application
-// Load Balancers, Network Load Balancers, and Classic Load Balancers. This
-// reference covers Application Load Balancers and Network Load Balancers.
+// Load Balancers, Network Load Balancers, Gateway Load Balancers, and Classic
+// Load Balancers. This reference covers the following load balancer types:
 //
-// An Application Load Balancer makes routing and load balancing decisions at
-// the application layer (HTTP/HTTPS). A Network Load Balancer makes routing
-// and load balancing decisions at the transport layer (TCP/TLS). Both Application
-// Load Balancers and Network Load Balancers can route requests to one or more
-// ports on each EC2 instance or container instance in your virtual private
-// cloud (VPC). For more information, see the Elastic Load Balancing User Guide
-// (https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/).
+//    * Application Load Balancer - Operates at the application layer (layer
+//    7) and supports HTTP and HTTPS.
+//
+//    * Network Load Balancer - Operates at the transport layer (layer 4) and
+//    supports TCP, TLS, and UDP.
+//
+//    * Gateway Load Balancer - Operates at the network layer (layer 3).
+//
+// For more information, see the Elastic Load Balancing User Guide (https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/).
 //
 // All Elastic Load Balancing operations are idempotent, which means that they
 // complete at most one time. If you repeat an operation, it succeeds.
--- a/vendor/github.com/aws/aws-sdk-go/service/kms/api.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/kms/api.go
--- a/vendor/github.com/aws/aws-sdk-go/service/sso/api.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/sso/api.go
--- a/vendor/github.com/aws/aws-sdk-go/service/sso/doc.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/sso/doc.go
@@ -0,0 +1,44 @@
+// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT.
+
+// Package sso provides the client and types for making API
+// requests to AWS Single Sign-On.
+//
+// AWS Single Sign-On Portal is a web service that makes it easy for you to
+// assign user access to AWS SSO resources such as the user portal. Users can
+// get AWS account applications and roles assigned to them and get federated
+// into the application.
+//
+// For general information about AWS SSO, see What is AWS Single Sign-On? (https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html)
+// in the AWS SSO User Guide.
+//
+// This API reference guide describes the AWS SSO Portal operations that you
+// can call programatically and includes detailed information on data types
+// and errors.
+//
+// AWS provides SDKs that consist of libraries and sample code for various programming
+// languages and platforms, such as Java, Ruby, .Net, iOS, or Android. The SDKs
+// provide a convenient way to create programmatic access to AWS SSO and other
+// AWS services. For more information about the AWS SDKs, including how to download
+// and install them, see Tools for Amazon Web Services (http://aws.amazon.com/tools/).
+//
+// See https://docs.aws.amazon.com/goto/WebAPI/sso-2019-06-10 for more information on this service.
+//
+// See sso package documentation for more information.
+// https://docs.aws.amazon.com/sdk-for-go/api/service/sso/
+//
+// Using the Client
+//
+// To contact AWS Single Sign-On with the SDK use the New function to create
+// a new service client. With that client you can make API requests to the service.
+// These clients are safe to use concurrently.
+//
+// See the SDK's documentation for more information on how to use the SDK.
+// https://docs.aws.amazon.com/sdk-for-go/api/
+//
+// See aws.Config documentation for more information on configuring SDK clients.
+// https://docs.aws.amazon.com/sdk-for-go/api/aws/#Config
+//
+// See the AWS Single Sign-On client SSO for more
+// information on creating client for this service.
+// https://docs.aws.amazon.com/sdk-for-go/api/service/sso/#New
+package sso
--- a/vendor/github.com/aws/aws-sdk-go/service/sso/errors.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/sso/errors.go
@@ -0,0 +1,44 @@
+// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT.
+
+package sso
+
+import (
+	"github.com/aws/aws-sdk-go/private/protocol"
+)
+
+const (
+
+	// ErrCodeInvalidRequestException for service response error code
+	// "InvalidRequestException".
+	//
+	// Indicates that a problem occurred with the input to the request. For example,
+	// a required parameter might be missing or out of range.
+	ErrCodeInvalidRequestException = "InvalidRequestException"
+
+	// ErrCodeResourceNotFoundException for service response error code
+	// "ResourceNotFoundException".
+	//
+	// The specified resource doesn't exist.
+	ErrCodeResourceNotFoundException = "ResourceNotFoundException"
+
+	// ErrCodeTooManyRequestsException for service response error code
+	// "TooManyRequestsException".
+	//
+	// Indicates that the request is being made too frequently and is more than
+	// what the server can handle.
+	ErrCodeTooManyRequestsException = "TooManyRequestsException"
+
+	// ErrCodeUnauthorizedException for service response error code
+	// "UnauthorizedException".
+	//
+	// Indicates that the request is not authorized. This can happen due to an invalid
+	// access token in the request.
+	ErrCodeUnauthorizedException = "UnauthorizedException"
+)
+
+var exceptionFromCode = map[string]func(protocol.ResponseMetadata) error{
+	"InvalidRequestException":   newErrorInvalidRequestException,
+	"ResourceNotFoundException": newErrorResourceNotFoundException,
+	"TooManyRequestsException":  newErrorTooManyRequestsException,
+	"UnauthorizedException":     newErrorUnauthorizedException,
+}
--- a/vendor/github.com/aws/aws-sdk-go/service/sso/service.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/sso/service.go
@@ -0,0 +1,104 @@
+// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT.
+
+package sso
+
+import (
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/client"
+	"github.com/aws/aws-sdk-go/aws/client/metadata"
+	"github.com/aws/aws-sdk-go/aws/request"
+	"github.com/aws/aws-sdk-go/aws/signer/v4"
+	"github.com/aws/aws-sdk-go/private/protocol"
+	"github.com/aws/aws-sdk-go/private/protocol/restjson"
+)
+
+// SSO provides the API operation methods for making requests to
+// AWS Single Sign-On. See this package's package overview docs
+// for details on the service.
+//
+// SSO methods are safe to use concurrently. It is not safe to
+// modify mutate any of the struct's properties though.
+type SSO struct {
+	*client.Client
+}
+
+// Used for custom client initialization logic
+var initClient func(*client.Client)
+
+// Used for custom request initialization logic
+var initRequest func(*request.Request)
+
+// Service information constants
+const (
+	ServiceName = "SSO"        // Name of service.
+	EndpointsID = "portal.sso" // ID to lookup a service endpoint with.
+	ServiceID   = "SSO"        // ServiceID is a unique identifier of a specific service.
+)
+
+// New creates a new instance of the SSO client with a session.
+// If additional configuration is needed for the client instance use the optional
+// aws.Config parameter to add your extra config.
+//
+// Example:
+//     mySession := session.Must(session.NewSession())
+//
+//     // Create a SSO client from just a session.
+//     svc := sso.New(mySession)
+//
+//     // Create a SSO client with additional configuration
+//     svc := sso.New(mySession, aws.NewConfig().WithRegion("us-west-2"))
+func New(p client.ConfigProvider, cfgs ...*aws.Config) *SSO {
+	c := p.ClientConfig(EndpointsID, cfgs...)
+	if c.SigningNameDerived || len(c.SigningName) == 0 {
+		c.SigningName = "awsssoportal"
+	}
+	return newClient(*c.Config, c.Handlers, c.PartitionID, c.Endpoint, c.SigningRegion, c.SigningName)
+}
+
+// newClient creates, initializes and returns a new service client instance.
+func newClient(cfg aws.Config, handlers request.Handlers, partitionID, endpoint, signingRegion, signingName string) *SSO {
+	svc := &SSO{
+		Client: client.New(
+			cfg,
+			metadata.ClientInfo{
+				ServiceName:   ServiceName,
+				ServiceID:     ServiceID,
+				SigningName:   signingName,
+				SigningRegion: signingRegion,
+				PartitionID:   partitionID,
+				Endpoint:      endpoint,
+				APIVersion:    "2019-06-10",
+			},
+			handlers,
+		),
+	}
+
+	// Handlers
+	svc.Handlers.Sign.PushBackNamed(v4.SignRequestHandler)
+	svc.Handlers.Build.PushBackNamed(restjson.BuildHandler)
+	svc.Handlers.Unmarshal.PushBackNamed(restjson.UnmarshalHandler)
+	svc.Handlers.UnmarshalMeta.PushBackNamed(restjson.UnmarshalMetaHandler)
+	svc.Handlers.UnmarshalError.PushBackNamed(
+		protocol.NewUnmarshalErrorHandler(restjson.NewUnmarshalTypedError(exceptionFromCode)).NamedHandler(),
+	)
+
+	// Run custom client initialization if present
+	if initClient != nil {
+		initClient(svc.Client)
+	}
+
+	return svc
+}
+
+// newRequest creates a new request for a SSO operation and runs any
+// custom request initialization.
+func (c *SSO) newRequest(op *request.Operation, params, data interface{}) *request.Request {
+	req := c.NewRequest(op, params, data)
+
+	// Run custom request initialization if present
+	if initRequest != nil {
+		initRequest(req)
+	}
+
+	return req
+}
--- a/vendor/github.com/aws/aws-sdk-go/service/sso/ssoiface/interface.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/sso/ssoiface/interface.go
@@ -0,0 +1,86 @@
+// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT.
+
+// Package ssoiface provides an interface to enable mocking the AWS Single Sign-On service client
+// for testing your code.
+//
+// It is important to note that this interface will have breaking changes
+// when the service model is updated and adds new API operations, paginators,
+// and waiters.
+package ssoiface
+
+import (
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/request"
+	"github.com/aws/aws-sdk-go/service/sso"
+)
+
+// SSOAPI provides an interface to enable mocking the
+// sso.SSO service client's API operation,
+// paginators, and waiters. This make unit testing your code that calls out
+// to the SDK's service client's calls easier.
+//
+// The best way to use this interface is so the SDK's service client's calls
+// can be stubbed out for unit testing your code with the SDK without needing
+// to inject custom request handlers into the SDK's request pipeline.
+//
+//    // myFunc uses an SDK service client to make a request to
+//    // AWS Single Sign-On.
+//    func myFunc(svc ssoiface.SSOAPI) bool {
+//        // Make svc.GetRoleCredentials request
+//    }
+//
+//    func main() {
+//        sess := session.New()
+//        svc := sso.New(sess)
+//
+//        myFunc(svc)
+//    }
+//
+// In your _test.go file:
+//
+//    // Define a mock struct to be used in your unit tests of myFunc.
+//    type mockSSOClient struct {
+//        ssoiface.SSOAPI
+//    }
+//    func (m *mockSSOClient) GetRoleCredentials(input *sso.GetRoleCredentialsInput) (*sso.GetRoleCredentialsOutput, error) {
+//        // mock response/functionality
+//    }
+//
+//    func TestMyFunc(t *testing.T) {
+//        // Setup Test
+//        mockSvc := &mockSSOClient{}
+//
+//        myfunc(mockSvc)
+//
+//        // Verify myFunc's functionality
+//    }
+//
+// It is important to note that this interface will have breaking changes
+// when the service model is updated and adds new API operations, paginators,
+// and waiters. Its suggested to use the pattern above for testing, or using
+// tooling to generate mocks to satisfy the interfaces.
+type SSOAPI interface {
+	GetRoleCredentials(*sso.GetRoleCredentialsInput) (*sso.GetRoleCredentialsOutput, error)
+	GetRoleCredentialsWithContext(aws.Context, *sso.GetRoleCredentialsInput, ...request.Option) (*sso.GetRoleCredentialsOutput, error)
+	GetRoleCredentialsRequest(*sso.GetRoleCredentialsInput) (*request.Request, *sso.GetRoleCredentialsOutput)
+
+	ListAccountRoles(*sso.ListAccountRolesInput) (*sso.ListAccountRolesOutput, error)
+	ListAccountRolesWithContext(aws.Context, *sso.ListAccountRolesInput, ...request.Option) (*sso.ListAccountRolesOutput, error)
+	ListAccountRolesRequest(*sso.ListAccountRolesInput) (*request.Request, *sso.ListAccountRolesOutput)
+
+	ListAccountRolesPages(*sso.ListAccountRolesInput, func(*sso.ListAccountRolesOutput, bool) bool) error
+	ListAccountRolesPagesWithContext(aws.Context, *sso.ListAccountRolesInput, func(*sso.ListAccountRolesOutput, bool) bool, ...request.Option) error
+
+	ListAccounts(*sso.ListAccountsInput) (*sso.ListAccountsOutput, error)
+	ListAccountsWithContext(aws.Context, *sso.ListAccountsInput, ...request.Option) (*sso.ListAccountsOutput, error)
+	ListAccountsRequest(*sso.ListAccountsInput) (*request.Request, *sso.ListAccountsOutput)
+
+	ListAccountsPages(*sso.ListAccountsInput, func(*sso.ListAccountsOutput, bool) bool) error
+	ListAccountsPagesWithContext(aws.Context, *sso.ListAccountsInput, func(*sso.ListAccountsOutput, bool) bool, ...request.Option) error
+
+	Logout(*sso.LogoutInput) (*sso.LogoutOutput, error)
+	LogoutWithContext(aws.Context, *sso.LogoutInput, ...request.Option) (*sso.LogoutOutput, error)
+	LogoutRequest(*sso.LogoutInput) (*request.Request, *sso.LogoutOutput)
+}
+
+var _ SSOAPI = (*sso.SSO)(nil)
--- a/vendor/github.com/aws/aws-sdk-go/service/sts/api.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/sts/api.go
@@ -65,34 +65,6 @@ func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, o
 // and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
 // in the IAM User Guide.
 //
-// You cannot use AWS account root user credentials to call AssumeRole. You
-// must use credentials for an IAM user or an IAM role to call AssumeRole.
-//
-// For cross-account access, imagine that you own multiple accounts and need
-// to access resources in each account. You could create long-term credentials
-// in each account to access those resources. However, managing all those credentials
-// and remembering which one can access which account can be time consuming.
-// Instead, you can create one set of long-term credentials in one account.
-// Then use temporary security credentials to access all the other accounts
-// by assuming roles in those accounts. For more information about roles, see
-// IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html)
-// in the IAM User Guide.
-//
-// Session Duration
-//
-// By default, the temporary security credentials created by AssumeRole last
-// for one hour. However, you can use the optional DurationSeconds parameter
-// to specify the duration of your session. You can provide a value from 900
-// seconds (15 minutes) up to the maximum session duration setting for the role.
-// This setting can have a value from 1 hour to 12 hours. To learn how to view
-// the maximum value for your role, see View the Maximum Session Duration Setting
-// for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
-// in the IAM User Guide. The maximum session duration limit applies when you
-// use the AssumeRole* API operations or the assume-role* CLI commands. However
-// the limit does not apply when you use those operations to create a console
-// URL. For more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html)
-// in the IAM User Guide.
-//
 // Permissions
 //
 // The temporary security credentials created by AssumeRole can be used to make
@@ -102,7 +74,7 @@ func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, o
 // (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
 // to this operation. You can pass a single JSON policy document to use as an
 // inline session policy. You can also specify up to 10 managed policies to
-// use as managed session policies. The plain text that you use for both inline
+// use as managed session policies. The plaintext that you use for both inline
 // and managed session policies can't exceed 2,048 characters. Passing policies
 // to this operation returns new temporary credentials. The resulting session's
 // permissions are the intersection of the role's identity-based policy and
@@ -308,6 +280,15 @@ func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *re
 // URL. For more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html)
 // in the IAM User Guide.
 //
+// Role chaining (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining)
+// limits your AWS CLI or AWS API role session to a maximum of one hour. When
+// you use the AssumeRole API operation to assume a role, you can specify the
+// duration of your role session with the DurationSeconds parameter. You can
+// specify a parameter value of up to 43200 seconds (12 hours), depending on
+// the maximum session duration setting for your role. However, if you assume
+// a role using role chaining and provide a DurationSeconds parameter value
+// greater than one hour, the operation fails.
+//
 // Permissions
 //
 // The temporary security credentials created by AssumeRoleWithSAML can be used
@@ -317,7 +298,7 @@ func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *re
 // (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
 // to this operation. You can pass a single JSON policy document to use as an
 // inline session policy. You can also specify up to 10 managed policies to
-// use as managed session policies. The plain text that you use for both inline
+// use as managed session policies. The plaintext that you use for both inline
 // and managed session policies can't exceed 2,048 characters. Passing policies
 // to this operation returns new temporary credentials. The resulting session's
 // permissions are the intersection of the role's identity-based policy and
@@ -346,16 +327,16 @@ func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *re
 // in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
 // in the IAM User Guide.
 //
-// You can pass up to 50 session tags. The plain text session tag keys can’t
+// You can pass up to 50 session tags. The plaintext session tag keys can’t
 // exceed 128 characters and the values can’t exceed 256 characters. For these
 // and additional limits, see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
 // in the IAM User Guide.
 //
 // An AWS conversion compresses the passed session policies and session tags
 // into a packed binary format that has a separate limit. Your request can fail
-// for this limit even if your plain text meets the other requirements. The
-// PackedPolicySize response element indicates by percentage how close the policies
-// and tags for your request are to the upper size limit.
+// for this limit even if your plaintext meets the other requirements. The PackedPolicySize
+// response element indicates by percentage how close the policies and tags
+// for your request are to the upper size limit.
 //
 // You can pass a session tag with the same key as a tag that is attached to
 // the role. When you do, session tags override the role's tags with the same
@@ -564,7 +545,7 @@ func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityI
 // (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
 // to this operation. You can pass a single JSON policy document to use as an
 // inline session policy. You can also specify up to 10 managed policies to
-// use as managed session policies. The plain text that you use for both inline
+// use as managed session policies. The plaintext that you use for both inline
 // and managed session policies can't exceed 2,048 characters. Passing policies
 // to this operation returns new temporary credentials. The resulting session's
 // permissions are the intersection of the role's identity-based policy and
@@ -583,16 +564,16 @@ func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityI
 // in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
 // in the IAM User Guide.
 //
-// You can pass up to 50 session tags. The plain text session tag keys can’t
+// You can pass up to 50 session tags. The plaintext session tag keys can’t
 // exceed 128 characters and the values can’t exceed 256 characters. For these
 // and additional limits, see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
 // in the IAM User Guide.
 //
 // An AWS conversion compresses the passed session policies and session tags
 // into a packed binary format that has a separate limit. Your request can fail
-// for this limit even if your plain text meets the other requirements. The
-// PackedPolicySize response element indicates by percentage how close the policies
-// and tags for your request are to the upper size limit.
+// for this limit even if your plaintext meets the other requirements. The PackedPolicySize
+// response element indicates by percentage how close the policies and tags
+// for your request are to the upper size limit.
 //
 // You can pass a session tag with the same key as a tag that is attached to
 // the role. When you do, the session tag overrides the role tag with the same
@@ -619,7 +600,7 @@ func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityI
 //
 // Calling AssumeRoleWithWebIdentity can result in an entry in your AWS CloudTrail
 // logs. The entry includes the Subject (http://openid.net/specs/openid-connect-core-1_0.html#Claims)
-// of the provided Web Identity Token. We recommend that you avoid using any
+// of the provided web identity token. We recommend that you avoid using any
 // personally identifiable information (PII) in this field. For example, you
 // could instead use a GUID or a pairwise identifier, as suggested in the OIDC
 // specification (http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes).
@@ -1108,6 +1089,70 @@ func (c *STS) GetFederationTokenRequest(input *GetFederationTokenInput) (req *re
 // You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
 // to this operation. You can pass a single JSON policy document to use as an
 // inline session policy. You can also specify up to 10 managed policies to
+// use as managed session policies. The plaintext that you use for both inline
+// and managed session policies can't exceed 2,048 characters.
+//
+// Though the session policy parameters are optional, if you do not pass a policy,
+// then the resulting federated user session has no permissions. When you pass
+// session policies, the session permissions are the intersection of the IAM
+// user policies and the session policies that you pass. This gives you a way
+// to further restrict the permissions for a federated user. You cannot use
+// session policies to grant more permissions than those that are defined in
+// the permissions policy of the IAM user. For more information, see Session
+// Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
+// in the IAM User Guide. For information about using GetFederationToken to
+// create temporary security credentials, see GetFederationToken—Federation
+// Through a Custom Identity Broker (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken).
+//
+// You can use the credentials to access a resource that has a resource-based
+// policy. If that policy specifically references the federated user session
+// in the Principal element of the policy, the session has the permissions allowed
+// by the policy. These permissions are granted in addition to the permissions
+// granted by the session policies.
+//
+// Tags
+//
+// (Optional) You can pass tag key-value pairs to your session. These are called
+// session tags. For more information about session tags, see Passing Session
+// Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
+// in the IAM User Guide.
+//
+// You can create a mobile-based or browser-based app that can authenticate
+// users using a web identity provider like Login with Amazon, Facebook, Google,
+// or an OpenID Connect-compatible identity provider. In this case, we recommend
+// that you use Amazon Cognito (http://aws.amazon.com/cognito/) or AssumeRoleWithWebIdentity.
+// For more information, see Federation Through a Web-based Identity Provider
+// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity)
+// in the IAM User Guide.
+//
+// You can also call GetFederationToken using the security credentials of an
+// AWS account root user, but we do not recommend it. Instead, we recommend
+// that you create an IAM user for the purpose of the proxy application. Then
+// attach a policy to the IAM user that limits federated users to only the actions
+// and resources that they need to access. For more information, see IAM Best
+// Practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)
+// in the IAM User Guide.
+//
+// Session duration
+//
+// The temporary credentials are valid for the specified duration, from 900
+// seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default
+// session duration is 43,200 seconds (12 hours). Temporary credentials that
+// are obtained by using AWS account root user credentials have a maximum duration
+// of 3,600 seconds (1 hour).
+//
+// Permissions
+//
+// You can use the temporary credentials created by GetFederationToken in any
+// AWS service except the following:
+//
+//    * You cannot call any IAM operations using the AWS CLI or the AWS API.
+//
+//    * You cannot call any STS operations except GetCallerIdentity.
+//
+// You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
+// to this operation. You can pass a single JSON policy document to use as an
+// inline session policy. You can also specify up to 10 managed policies to
 // use as managed session policies. The plain text that you use for both inline
 // and managed session policies can't exceed 2,048 characters.
 //
@@ -1338,14 +1383,15 @@ func (c *STS) GetSessionTokenWithContext(ctx aws.Context, input *GetSessionToken
 type AssumeRoleInput struct {
 	_ struct{} `type:"structure"`

-	// The duration, in seconds, of the role session. The value can range from 900
-	// seconds (15 minutes) up to the maximum session duration setting for the role.
-	// This setting can have a value from 1 hour to 12 hours. If you specify a value
-	// higher than this setting, the operation fails. For example, if you specify
-	// a session duration of 12 hours, but your administrator set the maximum session
-	// duration to 6 hours, your operation fails. To learn how to view the maximum
-	// value for your role, see View the Maximum Session Duration Setting for a
-	// Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
+	// The duration, in seconds, of the role session. The value specified can can
+	// range from 900 seconds (15 minutes) up to the maximum session duration that
+	// is set for the role. The maximum session duration setting can have a value
+	// from 1 hour to 12 hours. If you specify a value higher than this setting
+	// or the administrator setting (whichever is lower), the operation fails. For
+	// example, if you specify a session duration of 12 hours, but your administrator
+	// set the maximum session duration to 6 hours, your operation fails. To learn
+	// how to view the maximum value for your role, see View the Maximum Session
+	// Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
 	// in the IAM User Guide.
 	//
 	// By default, the value is set to 3600 seconds.
@@ -1387,17 +1433,17 @@ type AssumeRoleInput struct {
 	// that is being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
 	// in the IAM User Guide.
 	//
-	// The plain text that you use for both inline and managed session policies
-	// can't exceed 2,048 characters. The JSON policy characters can be any ASCII
-	// character from the space character to the end of the valid character list
-	// (\u0020 through \u00FF). It can also include the tab (\u0009), linefeed (\u000A),
-	// and carriage return (\u000D) characters.
+	// The plaintext that you use for both inline and managed session policies can't
+	// exceed 2,048 characters. The JSON policy characters can be any ASCII character
+	// from the space character to the end of the valid character list (\u0020 through
+	// \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage
+	// return (\u000D) characters.
 	//
 	// An AWS conversion compresses the passed session policies and session tags
 	// into a packed binary format that has a separate limit. Your request can fail
-	// for this limit even if your plain text meets the other requirements. The
-	// PackedPolicySize response element indicates by percentage how close the policies
-	// and tags for your request are to the upper size limit.
+	// for this limit even if your plaintext meets the other requirements. The PackedPolicySize
+	// response element indicates by percentage how close the policies and tags
+	// for your request are to the upper size limit.
 	Policy *string `min:"1" type:"string"`

 	// The Amazon Resource Names (ARNs) of the IAM managed policies that you want
@@ -1405,16 +1451,16 @@ type AssumeRoleInput struct {
 	// as the role.
 	//
 	// This parameter is optional. You can provide up to 10 managed policy ARNs.
-	// However, the plain text that you use for both inline and managed session
-	// policies can't exceed 2,048 characters. For more information about ARNs,
-	// see Amazon Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
+	// However, the plaintext that you use for both inline and managed session policies
+	// can't exceed 2,048 characters. For more information about ARNs, see Amazon
+	// Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
 	// in the AWS General Reference.
 	//
 	// An AWS conversion compresses the passed session policies and session tags
 	// into a packed binary format that has a separate limit. Your request can fail
-	// for this limit even if your plain text meets the other requirements. The
-	// PackedPolicySize response element indicates by percentage how close the policies
-	// and tags for your request are to the upper size limit.
+	// for this limit even if your plaintext meets the other requirements. The PackedPolicySize
+	// response element indicates by percentage how close the policies and tags
+	// for your request are to the upper size limit.
 	//
 	// Passing policies to this operation returns new temporary credentials. The
 	// resulting session's permissions are the intersection of the role's identity-based
@@ -1459,22 +1505,41 @@ type AssumeRoleInput struct {
 	// also include underscores or any of the following characters: =,.@-
 	SerialNumber *string `min:"9" type:"string"`

+	// The source identity specified by the principal that is calling the AssumeRole
+	// operation.
+	//
+	// You can require users to specify a source identity when they assume a role.
+	// You do this by using the sts:SourceIdentity condition key in a role trust
+	// policy. You can use source identity information in AWS CloudTrail logs to
+	// determine who took actions with a role. You can use the aws:SourceIdentity
+	// condition key to further control access to AWS resources based on the value
+	// of source identity. For more information about using source identity, see
+	// Monitor and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
+	// in the IAM User Guide.
+	//
+	// The regex used to validate this parameter is a string of characters consisting
+	// of upper- and lower-case alphanumeric characters with no spaces. You can
+	// also include underscores or any of the following characters: =,.@-. You cannot
+	// use a value that begins with the text aws:. This prefix is reserved for AWS
+	// internal use.
+	SourceIdentity *string `min:"2" type:"string"`
+
 	// A list of session tags that you want to pass. Each session tag consists of
 	// a key name and an associated value. For more information about session tags,
 	// see Tagging AWS STS Sessions (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
 	// in the IAM User Guide.
 	//
-	// This parameter is optional. You can pass up to 50 session tags. The plain
-	// text session tag keys can’t exceed 128 characters, and the values can’t
-	// exceed 256 characters. For these and additional limits, see IAM and STS Character
+	// This parameter is optional. You can pass up to 50 session tags. The plaintext
+	// session tag keys can’t exceed 128 characters, and the values can’t exceed
+	// 256 characters. For these and additional limits, see IAM and STS Character
 	// Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
 	// in the IAM User Guide.
 	//
 	// An AWS conversion compresses the passed session policies and session tags
 	// into a packed binary format that has a separate limit. Your request can fail
-	// for this limit even if your plain text meets the other requirements. The
-	// PackedPolicySize response element indicates by percentage how close the policies
-	// and tags for your request are to the upper size limit.
+	// for this limit even if your plaintext meets the other requirements. The PackedPolicySize
+	// response element indicates by percentage how close the policies and tags
+	// for your request are to the upper size limit.
 	//
 	// You can pass a session tag with the same key as a tag that is already attached
 	// to the role. When you do, session tags override a role tag with the same
@@ -1495,9 +1560,10 @@ type AssumeRoleInput struct {
 	Tags []*Tag `type:"list"`

 	// The value provided by the MFA device, if the trust policy of the role being
-	// assumed requires MFA (that is, if the policy includes a condition that tests
-	// for MFA). If the role being assumed requires MFA and if the TokenCode value
-	// is missing or expired, the AssumeRole call returns an "access denied" error.
+	// assumed requires MFA. (In other words, if the policy includes a condition
+	// that tests for MFA). If the role being assumed requires MFA and if the TokenCode
+	// value is missing or expired, the AssumeRole call returns an "access denied"
+	// error.
 	//
 	// The format for this parameter, as described by its regex pattern, is a sequence
 	// of six numeric digits.
@@ -1554,6 +1620,9 @@ func (s *AssumeRoleInput) Validate() error {
 	if s.SerialNumber != nil && len(*s.SerialNumber) < 9 {
 		invalidParams.Add(request.NewErrParamMinLen("SerialNumber", 9))
 	}
+	if s.SourceIdentity != nil && len(*s.SourceIdentity) < 2 {
+		invalidParams.Add(request.NewErrParamMinLen("SourceIdentity", 2))
+	}
 	if s.TokenCode != nil && len(*s.TokenCode) < 6 {
 		invalidParams.Add(request.NewErrParamMinLen("TokenCode", 6))
 	}
@@ -1626,6 +1695,12 @@ func (s *AssumeRoleInput) SetSerialNumber(v string) *AssumeRoleInput {
 	return s
 }

+// SetSourceIdentity sets the SourceIdentity field's value.
+func (s *AssumeRoleInput) SetSourceIdentity(v string) *AssumeRoleInput {
+	s.SourceIdentity = &v
+	return s
+}
+
 // SetTags sets the Tags field's value.
 func (s *AssumeRoleInput) SetTags(v []*Tag) *AssumeRoleInput {
 	s.Tags = v
@@ -1668,6 +1743,23 @@ type AssumeRoleOutput struct {
 	// packed size is greater than 100 percent, which means the policies and tags
 	// exceeded the allowed space.
 	PackedPolicySize *int64 `type:"integer"`
+
+	// The source identity specified by the principal that is calling the AssumeRole
+	// operation.
+	//
+	// You can require users to specify a source identity when they assume a role.
+	// You do this by using the sts:SourceIdentity condition key in a role trust
+	// policy. You can use source identity information in AWS CloudTrail logs to
+	// determine who took actions with a role. You can use the aws:SourceIdentity
+	// condition key to further control access to AWS resources based on the value
+	// of source identity. For more information about using source identity, see
+	// Monitor and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
+	// in the IAM User Guide.
+	//
+	// The regex used to validate this parameter is a string of characters consisting
+	// of upper- and lower-case alphanumeric characters with no spaces. You can
+	// also include underscores or any of the following characters: =,.@-
+	SourceIdentity *string `min:"2" type:"string"`
 }

 // String returns the string representation
@@ -1698,6 +1790,12 @@ func (s *AssumeRoleOutput) SetPackedPolicySize(v int64) *AssumeRoleOutput {
 	return s
 }

+// SetSourceIdentity sets the SourceIdentity field's value.
+func (s *AssumeRoleOutput) SetSourceIdentity(v string) *AssumeRoleOutput {
+	s.SourceIdentity = &v
+	return s
+}
+
 type AssumeRoleWithSAMLInput struct {
 	_ struct{} `type:"structure"`

@@ -1736,17 +1834,17 @@ type AssumeRoleWithSAMLInput struct {
 	// that is being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
 	// in the IAM User Guide.
 	//
-	// The plain text that you use for both inline and managed session policies
-	// can't exceed 2,048 characters. The JSON policy characters can be any ASCII
-	// character from the space character to the end of the valid character list
-	// (\u0020 through \u00FF). It can also include the tab (\u0009), linefeed (\u000A),
-	// and carriage return (\u000D) characters.
+	// The plaintext that you use for both inline and managed session policies can't
+	// exceed 2,048 characters. The JSON policy characters can be any ASCII character
+	// from the space character to the end of the valid character list (\u0020 through
+	// \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage
+	// return (\u000D) characters.
 	//
 	// An AWS conversion compresses the passed session policies and session tags
 	// into a packed binary format that has a separate limit. Your request can fail
-	// for this limit even if your plain text meets the other requirements. The
-	// PackedPolicySize response element indicates by percentage how close the policies
-	// and tags for your request are to the upper size limit.
+	// for this limit even if your plaintext meets the other requirements. The PackedPolicySize
+	// response element indicates by percentage how close the policies and tags
+	// for your request are to the upper size limit.
 	Policy *string `min:"1" type:"string"`

 	// The Amazon Resource Names (ARNs) of the IAM managed policies that you want
@@ -1754,16 +1852,16 @@ type AssumeRoleWithSAMLInput struct {
 	// as the role.
 	//
 	// This parameter is optional. You can provide up to 10 managed policy ARNs.
-	// However, the plain text that you use for both inline and managed session
-	// policies can't exceed 2,048 characters. For more information about ARNs,
-	// see Amazon Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
+	// However, the plaintext that you use for both inline and managed session policies
+	// can't exceed 2,048 characters. For more information about ARNs, see Amazon
+	// Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
 	// in the AWS General Reference.
 	//
 	// An AWS conversion compresses the passed session policies and session tags
 	// into a packed binary format that has a separate limit. Your request can fail
-	// for this limit even if your plain text meets the other requirements. The
-	// PackedPolicySize response element indicates by percentage how close the policies
-	// and tags for your request are to the upper size limit.
+	// for this limit even if your plaintext meets the other requirements. The PackedPolicySize
+	// response element indicates by percentage how close the policies and tags
+	// for your request are to the upper size limit.
 	//
 	// Passing policies to this operation returns new temporary credentials. The
 	// resulting session's permissions are the intersection of the role's identity-based
@@ -1786,7 +1884,7 @@ type AssumeRoleWithSAMLInput struct {
 	// RoleArn is a required field
 	RoleArn *string `min:"20" type:"string" required:"true"`

-	// The base-64 encoded SAML authentication response provided by the IdP.
+	// The base64 encoded SAML authentication response provided by the IdP.
 	//
 	// For more information, see Configuring a Relying Party and Adding Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html)
 	// in the IAM User Guide.
@@ -1908,10 +2006,17 @@ type AssumeRoleWithSAMLOutput struct {
 	// The value of the Issuer element of the SAML assertion.
 	Issuer *string `type:"string"`

-	// A hash value based on the concatenation of the Issuer response value, the
-	// AWS account ID, and the friendly name (the last part of the ARN) of the SAML
-	// provider in IAM. The combination of NameQualifier and Subject can be used
-	// to uniquely identify a federated user.
+	// A hash value based on the concatenation of the following:
+	//
+	//    * The Issuer response value.
+	//
+	//    * The AWS account ID.
+	//
+	//    * The friendly name (the last part of the ARN) of the SAML provider in
+	//    IAM.
+	//
+	// The combination of NameQualifier and Subject can be used to uniquely identify
+	// a federated user.
 	//
 	// The following pseudocode shows how the hash value is calculated:
 	//
@@ -1925,6 +2030,26 @@ type AssumeRoleWithSAMLOutput struct {
 	// exceeded the allowed space.
 	PackedPolicySize *int64 `type:"integer"`

+	// The value in the SourceIdentity attribute in the SAML assertion.
+	//
+	// You can require users to set a source identity value when they assume a role.
+	// You do this by using the sts:SourceIdentity condition key in a role trust
+	// policy. That way, actions that are taken with the role are associated with
+	// that user. After the source identity is set, the value cannot be changed.
+	// It is present in the request for all actions that are taken by the role and
+	// persists across chained role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining)
+	// sessions. You can configure your SAML identity provider to use an attribute
+	// associated with your users, like user name or email, as the source identity
+	// when calling AssumeRoleWithSAML. You do this by adding an attribute to the
+	// SAML assertion. For more information about using source identity, see Monitor
+	// and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
+	// in the IAM User Guide.
+	//
+	// The regex used to validate this parameter is a string of characters consisting
+	// of upper- and lower-case alphanumeric characters with no spaces. You can
+	// also include underscores or any of the following characters: =,.@-
+	SourceIdentity *string `min:"2" type:"string"`
+
 	// The value of the NameID element in the Subject element of the SAML assertion.
 	Subject *string `type:"string"`

@@ -1985,6 +2110,12 @@ func (s *AssumeRoleWithSAMLOutput) SetPackedPolicySize(v int64) *AssumeRoleWithS
 	return s
 }

+// SetSourceIdentity sets the SourceIdentity field's value.
+func (s *AssumeRoleWithSAMLOutput) SetSourceIdentity(v string) *AssumeRoleWithSAMLOutput {
+	s.SourceIdentity = &v
+	return s
+}
+
 // SetSubject sets the Subject field's value.
 func (s *AssumeRoleWithSAMLOutput) SetSubject(v string) *AssumeRoleWithSAMLOutput {
 	s.Subject = &v
@@ -2032,17 +2163,17 @@ type AssumeRoleWithWebIdentityInput struct {
 	// that is being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
 	// in the IAM User Guide.
 	//
-	// The plain text that you use for both inline and managed session policies
-	// can't exceed 2,048 characters. The JSON policy characters can be any ASCII
-	// character from the space character to the end of the valid character list
-	// (\u0020 through \u00FF). It can also include the tab (\u0009), linefeed (\u000A),
-	// and carriage return (\u000D) characters.
+	// The plaintext that you use for both inline and managed session policies can't
+	// exceed 2,048 characters. The JSON policy characters can be any ASCII character
+	// from the space character to the end of the valid character list (\u0020 through
+	// \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage
+	// return (\u000D) characters.
 	//
 	// An AWS conversion compresses the passed session policies and session tags
 	// into a packed binary format that has a separate limit. Your request can fail
-	// for this limit even if your plain text meets the other requirements. The
-	// PackedPolicySize response element indicates by percentage how close the policies
-	// and tags for your request are to the upper size limit.
+	// for this limit even if your plaintext meets the other requirements. The PackedPolicySize
+	// response element indicates by percentage how close the policies and tags
+	// for your request are to the upper size limit.
 	Policy *string `min:"1" type:"string"`

 	// The Amazon Resource Names (ARNs) of the IAM managed policies that you want
@@ -2050,16 +2181,16 @@ type AssumeRoleWithWebIdentityInput struct {
 	// as the role.
 	//
 	// This parameter is optional. You can provide up to 10 managed policy ARNs.
-	// However, the plain text that you use for both inline and managed session
-	// policies can't exceed 2,048 characters. For more information about ARNs,
-	// see Amazon Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
+	// However, the plaintext that you use for both inline and managed session policies
+	// can't exceed 2,048 characters. For more information about ARNs, see Amazon
+	// Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
 	// in the AWS General Reference.
 	//
 	// An AWS conversion compresses the passed session policies and session tags
 	// into a packed binary format that has a separate limit. Your request can fail
-	// for this limit even if your plain text meets the other requirements. The
-	// PackedPolicySize response element indicates by percentage how close the policies
-	// and tags for your request are to the upper size limit.
+	// for this limit even if your plaintext meets the other requirements. The PackedPolicySize
+	// response element indicates by percentage how close the policies and tags
+	// for your request are to the upper size limit.
 	//
 	// Passing policies to this operation returns new temporary credentials. The
 	// resulting session's permissions are the intersection of the role's identity-based
@@ -2242,6 +2373,29 @@ type AssumeRoleWithWebIdentityOutput struct {
 	// in the AssumeRoleWithWebIdentity request.
 	Provider *string `type:"string"`

+	// The value of the source identity that is returned in the JSON web token (JWT)
+	// from the identity provider.
+	//
+	// You can require users to set a source identity value when they assume a role.
+	// You do this by using the sts:SourceIdentity condition key in a role trust
+	// policy. That way, actions that are taken with the role are associated with
+	// that user. After the source identity is set, the value cannot be changed.
+	// It is present in the request for all actions that are taken by the role and
+	// persists across chained role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining)
+	// sessions. You can configure your identity provider to use an attribute associated
+	// with your users, like user name or email, as the source identity when calling
+	// AssumeRoleWithWebIdentity. You do this by adding a claim to the JSON web
+	// token. To learn more about OIDC tokens and claims, see Using Tokens with
+	// User Pools (https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html)
+	// in the Amazon Cognito Developer Guide. For more information about using source
+	// identity, see Monitor and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
+	// in the IAM User Guide.
+	//
+	// The regex used to validate this parameter is a string of characters consisting
+	// of upper- and lower-case alphanumeric characters with no spaces. You can
+	// also include underscores or any of the following characters: =,.@-
+	SourceIdentity *string `min:"2" type:"string"`
+
 	// The unique user identifier that is returned by the identity provider. This
 	// identifier is associated with the WebIdentityToken that was submitted with
 	// the AssumeRoleWithWebIdentity call. The identifier is typically unique to
@@ -2291,6 +2445,12 @@ func (s *AssumeRoleWithWebIdentityOutput) SetProvider(v string) *AssumeRoleWithW
 	return s
 }

+// SetSourceIdentity sets the SourceIdentity field's value.
+func (s *AssumeRoleWithWebIdentityOutput) SetSourceIdentity(v string) *AssumeRoleWithWebIdentityOutput {
+	s.SourceIdentity = &v
+	return s
+}
+
 // SetSubjectFromWebIdentityToken sets the SubjectFromWebIdentityToken field's value.
 func (s *AssumeRoleWithWebIdentityOutput) SetSubjectFromWebIdentityToken(v string) *AssumeRoleWithWebIdentityOutput {
 	s.SubjectFromWebIdentityToken = &v
@@ -2682,17 +2842,17 @@ type GetFederationTokenInput struct {
 	// by the policy. These permissions are granted in addition to the permissions
 	// that are granted by the session policies.
 	//
-	// The plain text that you use for both inline and managed session policies
-	// can't exceed 2,048 characters. The JSON policy characters can be any ASCII
-	// character from the space character to the end of the valid character list
-	// (\u0020 through \u00FF). It can also include the tab (\u0009), linefeed (\u000A),
-	// and carriage return (\u000D) characters.
+	// The plaintext that you use for both inline and managed session policies can't
+	// exceed 2,048 characters. The JSON policy characters can be any ASCII character
+	// from the space character to the end of the valid character list (\u0020 through
+	// \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage
+	// return (\u000D) characters.
 	//
 	// An AWS conversion compresses the passed session policies and session tags
 	// into a packed binary format that has a separate limit. Your request can fail
-	// for this limit even if your plain text meets the other requirements. The
-	// PackedPolicySize response element indicates by percentage how close the policies
-	// and tags for your request are to the upper size limit.
+	// for this limit even if your plaintext meets the other requirements. The PackedPolicySize
+	// response element indicates by percentage how close the policies and tags
+	// for your request are to the upper size limit.
 	Policy *string `min:"1" type:"string"`

 	// The Amazon Resource Names (ARNs) of the IAM managed policies that you want
@@ -2702,7 +2862,7 @@ type GetFederationTokenInput struct {
 	// You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
 	// to this operation. You can pass a single JSON policy document to use as an
 	// inline session policy. You can also specify up to 10 managed policies to
-	// use as managed session policies. The plain text that you use for both inline
+	// use as managed session policies. The plaintext that you use for both inline
 	// and managed session policies can't exceed 2,048 characters. You can provide
 	// up to 10 managed policy ARNs. For more information about ARNs, see Amazon
 	// Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
@@ -2727,9 +2887,9 @@ type GetFederationTokenInput struct {
 	//
 	// An AWS conversion compresses the passed session policies and session tags
 	// into a packed binary format that has a separate limit. Your request can fail
-	// for this limit even if your plain text meets the other requirements. The
-	// PackedPolicySize response element indicates by percentage how close the policies
-	// and tags for your request are to the upper size limit.
+	// for this limit even if your plaintext meets the other requirements. The PackedPolicySize
+	// response element indicates by percentage how close the policies and tags
+	// for your request are to the upper size limit.
 	PolicyArns []*PolicyDescriptorType `type:"list"`

 	// A list of session tags. Each session tag consists of a key name and an associated
@@ -2737,17 +2897,17 @@ type GetFederationTokenInput struct {
 	// in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
 	// in the IAM User Guide.
 	//
-	// This parameter is optional. You can pass up to 50 session tags. The plain
-	// text session tag keys can’t exceed 128 characters and the values can’t
-	// exceed 256 characters. For these and additional limits, see IAM and STS Character
+	// This parameter is optional. You can pass up to 50 session tags. The plaintext
+	// session tag keys can’t exceed 128 characters and the values can’t exceed
+	// 256 characters. For these and additional limits, see IAM and STS Character
 	// Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
 	// in the IAM User Guide.
 	//
 	// An AWS conversion compresses the passed session policies and session tags
 	// into a packed binary format that has a separate limit. Your request can fail
-	// for this limit even if your plain text meets the other requirements. The
-	// PackedPolicySize response element indicates by percentage how close the policies
-	// and tags for your request are to the upper size limit.
+	// for this limit even if your plaintext meets the other requirements. The PackedPolicySize
+	// response element indicates by percentage how close the policies and tags
+	// for your request are to the upper size limit.
 	//
 	// You can pass a session tag with the same key as a tag that is already attached
 	// to the user you are federating. When you do, session tags override a user