aws-sdk-core 2.11.632 → 3.0.0.rc1

data/lib/aws-sdk-sts/client_api.rb

@@ -0,0 +1,266 @@
+# WARNING ABOUT GENERATED CODE
+#
+# This file is generated. See the contributing for info on making contributions:
+# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
+#
+# WARNING ABOUT GENERATED CODE
+
+module Aws
+  module STS
+    # @api private
+    module ClientApi
+
+      include Seahorse::Model
+
+      AssumeRoleRequest = Shapes::StructureShape.new(name: 'AssumeRoleRequest')
+      AssumeRoleResponse = Shapes::StructureShape.new(name: 'AssumeRoleResponse')
+      AssumeRoleWithSAMLRequest = Shapes::StructureShape.new(name: 'AssumeRoleWithSAMLRequest')
+      AssumeRoleWithSAMLResponse = Shapes::StructureShape.new(name: 'AssumeRoleWithSAMLResponse')
+      AssumeRoleWithWebIdentityRequest = Shapes::StructureShape.new(name: 'AssumeRoleWithWebIdentityRequest')
+      AssumeRoleWithWebIdentityResponse = Shapes::StructureShape.new(name: 'AssumeRoleWithWebIdentityResponse')
+      AssumedRoleUser = Shapes::StructureShape.new(name: 'AssumedRoleUser')
+      Audience = Shapes::StringShape.new(name: 'Audience')
+      Credentials = Shapes::StructureShape.new(name: 'Credentials')
+      DecodeAuthorizationMessageRequest = Shapes::StructureShape.new(name: 'DecodeAuthorizationMessageRequest')
+      DecodeAuthorizationMessageResponse = Shapes::StructureShape.new(name: 'DecodeAuthorizationMessageResponse')
+      ExpiredTokenException = Shapes::StructureShape.new(name: 'ExpiredTokenException')
+      FederatedUser = Shapes::StructureShape.new(name: 'FederatedUser')
+      GetCallerIdentityRequest = Shapes::StructureShape.new(name: 'GetCallerIdentityRequest')
+      GetCallerIdentityResponse = Shapes::StructureShape.new(name: 'GetCallerIdentityResponse')
+      GetFederationTokenRequest = Shapes::StructureShape.new(name: 'GetFederationTokenRequest')
+      GetFederationTokenResponse = Shapes::StructureShape.new(name: 'GetFederationTokenResponse')
+      GetSessionTokenRequest = Shapes::StructureShape.new(name: 'GetSessionTokenRequest')
+      GetSessionTokenResponse = Shapes::StructureShape.new(name: 'GetSessionTokenResponse')
+      IDPCommunicationErrorException = Shapes::StructureShape.new(name: 'IDPCommunicationErrorException')
+      IDPRejectedClaimException = Shapes::StructureShape.new(name: 'IDPRejectedClaimException')
+      InvalidAuthorizationMessageException = Shapes::StructureShape.new(name: 'InvalidAuthorizationMessageException')
+      InvalidIdentityTokenException = Shapes::StructureShape.new(name: 'InvalidIdentityTokenException')
+      Issuer = Shapes::StringShape.new(name: 'Issuer')
+      MalformedPolicyDocumentException = Shapes::StructureShape.new(name: 'MalformedPolicyDocumentException')
+      NameQualifier = Shapes::StringShape.new(name: 'NameQualifier')
+      PackedPolicyTooLargeException = Shapes::StructureShape.new(name: 'PackedPolicyTooLargeException')
+      RegionDisabledException = Shapes::StructureShape.new(name: 'RegionDisabledException')
+      SAMLAssertionType = Shapes::StringShape.new(name: 'SAMLAssertionType')
+      Subject = Shapes::StringShape.new(name: 'Subject')
+      SubjectType = Shapes::StringShape.new(name: 'SubjectType')
+      accessKeyIdType = Shapes::StringShape.new(name: 'accessKeyIdType')
+      accessKeySecretType = Shapes::StringShape.new(name: 'accessKeySecretType')
+      accountType = Shapes::StringShape.new(name: 'accountType')
+      arnType = Shapes::StringShape.new(name: 'arnType')
+      assumedRoleIdType = Shapes::StringShape.new(name: 'assumedRoleIdType')
+      clientTokenType = Shapes::StringShape.new(name: 'clientTokenType')
+      dateType = Shapes::TimestampShape.new(name: 'dateType')
+      decodedMessageType = Shapes::StringShape.new(name: 'decodedMessageType')
+      durationSecondsType = Shapes::IntegerShape.new(name: 'durationSecondsType')
+      encodedMessageType = Shapes::StringShape.new(name: 'encodedMessageType')
+      expiredIdentityTokenMessage = Shapes::StringShape.new(name: 'expiredIdentityTokenMessage')
+      externalIdType = Shapes::StringShape.new(name: 'externalIdType')
+      federatedIdType = Shapes::StringShape.new(name: 'federatedIdType')
+      idpCommunicationErrorMessage = Shapes::StringShape.new(name: 'idpCommunicationErrorMessage')
+      idpRejectedClaimMessage = Shapes::StringShape.new(name: 'idpRejectedClaimMessage')
+      invalidAuthorizationMessage = Shapes::StringShape.new(name: 'invalidAuthorizationMessage')
+      invalidIdentityTokenMessage = Shapes::StringShape.new(name: 'invalidIdentityTokenMessage')
+      malformedPolicyDocumentMessage = Shapes::StringShape.new(name: 'malformedPolicyDocumentMessage')
+      nonNegativeIntegerType = Shapes::IntegerShape.new(name: 'nonNegativeIntegerType')
+      packedPolicyTooLargeMessage = Shapes::StringShape.new(name: 'packedPolicyTooLargeMessage')
+      regionDisabledMessage = Shapes::StringShape.new(name: 'regionDisabledMessage')
+      roleDurationSecondsType = Shapes::IntegerShape.new(name: 'roleDurationSecondsType')
+      roleSessionNameType = Shapes::StringShape.new(name: 'roleSessionNameType')
+      serialNumberType = Shapes::StringShape.new(name: 'serialNumberType')
+      sessionPolicyDocumentType = Shapes::StringShape.new(name: 'sessionPolicyDocumentType')
+      tokenCodeType = Shapes::StringShape.new(name: 'tokenCodeType')
+      tokenType = Shapes::StringShape.new(name: 'tokenType')
+      urlType = Shapes::StringShape.new(name: 'urlType')
+      userIdType = Shapes::StringShape.new(name: 'userIdType')
+      userNameType = Shapes::StringShape.new(name: 'userNameType')
+      webIdentitySubjectType = Shapes::StringShape.new(name: 'webIdentitySubjectType')
+
+      AssumeRoleRequest.add_member(:role_arn, Shapes::ShapeRef.new(shape: arnType, required: true, location_name: "RoleArn"))
+      AssumeRoleRequest.add_member(:role_session_name, Shapes::ShapeRef.new(shape: roleSessionNameType, required: true, location_name: "RoleSessionName"))
+      AssumeRoleRequest.add_member(:policy, Shapes::ShapeRef.new(shape: sessionPolicyDocumentType, location_name: "Policy"))
+      AssumeRoleRequest.add_member(:duration_seconds, Shapes::ShapeRef.new(shape: roleDurationSecondsType, location_name: "DurationSeconds"))
+      AssumeRoleRequest.add_member(:external_id, Shapes::ShapeRef.new(shape: externalIdType, location_name: "ExternalId"))
+      AssumeRoleRequest.add_member(:serial_number, Shapes::ShapeRef.new(shape: serialNumberType, location_name: "SerialNumber"))
+      AssumeRoleRequest.add_member(:token_code, Shapes::ShapeRef.new(shape: tokenCodeType, location_name: "TokenCode"))
+      AssumeRoleRequest.struct_class = Types::AssumeRoleRequest
+
+      AssumeRoleResponse.add_member(:credentials, Shapes::ShapeRef.new(shape: Credentials, location_name: "Credentials"))
+      AssumeRoleResponse.add_member(:assumed_role_user, Shapes::ShapeRef.new(shape: AssumedRoleUser, location_name: "AssumedRoleUser"))
+      AssumeRoleResponse.add_member(:packed_policy_size, Shapes::ShapeRef.new(shape: nonNegativeIntegerType, location_name: "PackedPolicySize"))
+      AssumeRoleResponse.struct_class = Types::AssumeRoleResponse
+
+      AssumeRoleWithSAMLRequest.add_member(:role_arn, Shapes::ShapeRef.new(shape: arnType, required: true, location_name: "RoleArn"))
+      AssumeRoleWithSAMLRequest.add_member(:principal_arn, Shapes::ShapeRef.new(shape: arnType, required: true, location_name: "PrincipalArn"))
+      AssumeRoleWithSAMLRequest.add_member(:saml_assertion, Shapes::ShapeRef.new(shape: SAMLAssertionType, required: true, location_name: "SAMLAssertion"))
+      AssumeRoleWithSAMLRequest.add_member(:policy, Shapes::ShapeRef.new(shape: sessionPolicyDocumentType, location_name: "Policy"))
+      AssumeRoleWithSAMLRequest.add_member(:duration_seconds, Shapes::ShapeRef.new(shape: roleDurationSecondsType, location_name: "DurationSeconds"))
+      AssumeRoleWithSAMLRequest.struct_class = Types::AssumeRoleWithSAMLRequest
+
+      AssumeRoleWithSAMLResponse.add_member(:credentials, Shapes::ShapeRef.new(shape: Credentials, location_name: "Credentials"))
+      AssumeRoleWithSAMLResponse.add_member(:assumed_role_user, Shapes::ShapeRef.new(shape: AssumedRoleUser, location_name: "AssumedRoleUser"))
+      AssumeRoleWithSAMLResponse.add_member(:packed_policy_size, Shapes::ShapeRef.new(shape: nonNegativeIntegerType, location_name: "PackedPolicySize"))
+      AssumeRoleWithSAMLResponse.add_member(:subject, Shapes::ShapeRef.new(shape: Subject, location_name: "Subject"))
+      AssumeRoleWithSAMLResponse.add_member(:subject_type, Shapes::ShapeRef.new(shape: SubjectType, location_name: "SubjectType"))
+      AssumeRoleWithSAMLResponse.add_member(:issuer, Shapes::ShapeRef.new(shape: Issuer, location_name: "Issuer"))
+      AssumeRoleWithSAMLResponse.add_member(:audience, Shapes::ShapeRef.new(shape: Audience, location_name: "Audience"))
+      AssumeRoleWithSAMLResponse.add_member(:name_qualifier, Shapes::ShapeRef.new(shape: NameQualifier, location_name: "NameQualifier"))
+      AssumeRoleWithSAMLResponse.struct_class = Types::AssumeRoleWithSAMLResponse
+
+      AssumeRoleWithWebIdentityRequest.add_member(:role_arn, Shapes::ShapeRef.new(shape: arnType, required: true, location_name: "RoleArn"))
+      AssumeRoleWithWebIdentityRequest.add_member(:role_session_name, Shapes::ShapeRef.new(shape: roleSessionNameType, required: true, location_name: "RoleSessionName"))
+      AssumeRoleWithWebIdentityRequest.add_member(:web_identity_token, Shapes::ShapeRef.new(shape: clientTokenType, required: true, location_name: "WebIdentityToken"))
+      AssumeRoleWithWebIdentityRequest.add_member(:provider_id, Shapes::ShapeRef.new(shape: urlType, location_name: "ProviderId"))
+      AssumeRoleWithWebIdentityRequest.add_member(:policy, Shapes::ShapeRef.new(shape: sessionPolicyDocumentType, location_name: "Policy"))
+      AssumeRoleWithWebIdentityRequest.add_member(:duration_seconds, Shapes::ShapeRef.new(shape: roleDurationSecondsType, location_name: "DurationSeconds"))
+      AssumeRoleWithWebIdentityRequest.struct_class = Types::AssumeRoleWithWebIdentityRequest
+
+      AssumeRoleWithWebIdentityResponse.add_member(:credentials, Shapes::ShapeRef.new(shape: Credentials, location_name: "Credentials"))
+      AssumeRoleWithWebIdentityResponse.add_member(:subject_from_web_identity_token, Shapes::ShapeRef.new(shape: webIdentitySubjectType, location_name: "SubjectFromWebIdentityToken"))
+      AssumeRoleWithWebIdentityResponse.add_member(:assumed_role_user, Shapes::ShapeRef.new(shape: AssumedRoleUser, location_name: "AssumedRoleUser"))
+      AssumeRoleWithWebIdentityResponse.add_member(:packed_policy_size, Shapes::ShapeRef.new(shape: nonNegativeIntegerType, location_name: "PackedPolicySize"))
+      AssumeRoleWithWebIdentityResponse.add_member(:provider, Shapes::ShapeRef.new(shape: Issuer, location_name: "Provider"))
+      AssumeRoleWithWebIdentityResponse.add_member(:audience, Shapes::ShapeRef.new(shape: Audience, location_name: "Audience"))
+      AssumeRoleWithWebIdentityResponse.struct_class = Types::AssumeRoleWithWebIdentityResponse
+
+      AssumedRoleUser.add_member(:assumed_role_id, Shapes::ShapeRef.new(shape: assumedRoleIdType, required: true, location_name: "AssumedRoleId"))
+      AssumedRoleUser.add_member(:arn, Shapes::ShapeRef.new(shape: arnType, required: true, location_name: "Arn"))
+      AssumedRoleUser.struct_class = Types::AssumedRoleUser
+
+      Credentials.add_member(:access_key_id, Shapes::ShapeRef.new(shape: accessKeyIdType, required: true, location_name: "AccessKeyId"))
+      Credentials.add_member(:secret_access_key, Shapes::ShapeRef.new(shape: accessKeySecretType, required: true, location_name: "SecretAccessKey"))
+      Credentials.add_member(:session_token, Shapes::ShapeRef.new(shape: tokenType, required: true, location_name: "SessionToken"))
+      Credentials.add_member(:expiration, Shapes::ShapeRef.new(shape: dateType, required: true, location_name: "Expiration"))
+      Credentials.struct_class = Types::Credentials
+
+      DecodeAuthorizationMessageRequest.add_member(:encoded_message, Shapes::ShapeRef.new(shape: encodedMessageType, required: true, location_name: "EncodedMessage"))
+      DecodeAuthorizationMessageRequest.struct_class = Types::DecodeAuthorizationMessageRequest
+
+      DecodeAuthorizationMessageResponse.add_member(:decoded_message, Shapes::ShapeRef.new(shape: decodedMessageType, location_name: "DecodedMessage"))
+      DecodeAuthorizationMessageResponse.struct_class = Types::DecodeAuthorizationMessageResponse
+
+      FederatedUser.add_member(:federated_user_id, Shapes::ShapeRef.new(shape: federatedIdType, required: true, location_name: "FederatedUserId"))
+      FederatedUser.add_member(:arn, Shapes::ShapeRef.new(shape: arnType, required: true, location_name: "Arn"))
+      FederatedUser.struct_class = Types::FederatedUser
+
+      GetCallerIdentityRequest.struct_class = Types::GetCallerIdentityRequest
+
+      GetCallerIdentityResponse.add_member(:user_id, Shapes::ShapeRef.new(shape: userIdType, location_name: "UserId"))
+      GetCallerIdentityResponse.add_member(:account, Shapes::ShapeRef.new(shape: accountType, location_name: "Account"))
+      GetCallerIdentityResponse.add_member(:arn, Shapes::ShapeRef.new(shape: arnType, location_name: "Arn"))
+      GetCallerIdentityResponse.struct_class = Types::GetCallerIdentityResponse
+
+      GetFederationTokenRequest.add_member(:name, Shapes::ShapeRef.new(shape: userNameType, required: true, location_name: "Name"))
+      GetFederationTokenRequest.add_member(:policy, Shapes::ShapeRef.new(shape: sessionPolicyDocumentType, location_name: "Policy"))
+      GetFederationTokenRequest.add_member(:duration_seconds, Shapes::ShapeRef.new(shape: durationSecondsType, location_name: "DurationSeconds"))
+      GetFederationTokenRequest.struct_class = Types::GetFederationTokenRequest
+
+      GetFederationTokenResponse.add_member(:credentials, Shapes::ShapeRef.new(shape: Credentials, location_name: "Credentials"))
+      GetFederationTokenResponse.add_member(:federated_user, Shapes::ShapeRef.new(shape: FederatedUser, location_name: "FederatedUser"))
+      GetFederationTokenResponse.add_member(:packed_policy_size, Shapes::ShapeRef.new(shape: nonNegativeIntegerType, location_name: "PackedPolicySize"))
+      GetFederationTokenResponse.struct_class = Types::GetFederationTokenResponse
+
+      GetSessionTokenRequest.add_member(:duration_seconds, Shapes::ShapeRef.new(shape: durationSecondsType, location_name: "DurationSeconds"))
+      GetSessionTokenRequest.add_member(:serial_number, Shapes::ShapeRef.new(shape: serialNumberType, location_name: "SerialNumber"))
+      GetSessionTokenRequest.add_member(:token_code, Shapes::ShapeRef.new(shape: tokenCodeType, location_name: "TokenCode"))
+      GetSessionTokenRequest.struct_class = Types::GetSessionTokenRequest
+
+      GetSessionTokenResponse.add_member(:credentials, Shapes::ShapeRef.new(shape: Credentials, location_name: "Credentials"))
+      GetSessionTokenResponse.struct_class = Types::GetSessionTokenResponse
+
+
+      # @api private
+      API = Seahorse::Model::Api.new.tap do |api|
+
+        api.version = "2011-06-15"
+
+        api.metadata = {
+          "endpointPrefix" => "sts",
+          "protocol" => "query",
+          "serviceFullName" => "AWS Security Token Service",
+          "signatureVersion" => "v4",
+          "xmlNamespace" => "https://sts.amazonaws.com/doc/2011-06-15/",
+        }
+
+        api.add_operation(:assume_role, Seahorse::Model::Operation.new.tap do |o|
+          o.name = "AssumeRole"
+          o.http_method = "POST"
+          o.http_request_uri = "/"
+          o.input = Shapes::ShapeRef.new(shape: AssumeRoleRequest)
+          o.output = Shapes::ShapeRef.new(shape: AssumeRoleResponse)
+          o.errors << Shapes::ShapeRef.new(shape: MalformedPolicyDocumentException)
+          o.errors << Shapes::ShapeRef.new(shape: PackedPolicyTooLargeException)
+          o.errors << Shapes::ShapeRef.new(shape: RegionDisabledException)
+        end)
+
+        api.add_operation(:assume_role_with_saml, Seahorse::Model::Operation.new.tap do |o|
+          o.name = "AssumeRoleWithSAML"
+          o.http_method = "POST"
+          o.http_request_uri = "/"
+          o['authtype'] = "none"
+          o.input = Shapes::ShapeRef.new(shape: AssumeRoleWithSAMLRequest)
+          o.output = Shapes::ShapeRef.new(shape: AssumeRoleWithSAMLResponse)
+          o.errors << Shapes::ShapeRef.new(shape: MalformedPolicyDocumentException)
+          o.errors << Shapes::ShapeRef.new(shape: PackedPolicyTooLargeException)
+          o.errors << Shapes::ShapeRef.new(shape: IDPRejectedClaimException)
+          o.errors << Shapes::ShapeRef.new(shape: InvalidIdentityTokenException)
+          o.errors << Shapes::ShapeRef.new(shape: ExpiredTokenException)
+          o.errors << Shapes::ShapeRef.new(shape: RegionDisabledException)
+        end)
+
+        api.add_operation(:assume_role_with_web_identity, Seahorse::Model::Operation.new.tap do |o|
+          o.name = "AssumeRoleWithWebIdentity"
+          o.http_method = "POST"
+          o.http_request_uri = "/"
+          o['authtype'] = "none"
+          o.input = Shapes::ShapeRef.new(shape: AssumeRoleWithWebIdentityRequest)
+          o.output = Shapes::ShapeRef.new(shape: AssumeRoleWithWebIdentityResponse)
+          o.errors << Shapes::ShapeRef.new(shape: MalformedPolicyDocumentException)
+          o.errors << Shapes::ShapeRef.new(shape: PackedPolicyTooLargeException)
+          o.errors << Shapes::ShapeRef.new(shape: IDPRejectedClaimException)
+          o.errors << Shapes::ShapeRef.new(shape: IDPCommunicationErrorException)
+          o.errors << Shapes::ShapeRef.new(shape: InvalidIdentityTokenException)
+          o.errors << Shapes::ShapeRef.new(shape: ExpiredTokenException)
+          o.errors << Shapes::ShapeRef.new(shape: RegionDisabledException)
+        end)
+
+        api.add_operation(:decode_authorization_message, Seahorse::Model::Operation.new.tap do |o|
+          o.name = "DecodeAuthorizationMessage"
+          o.http_method = "POST"
+          o.http_request_uri = "/"
+          o.input = Shapes::ShapeRef.new(shape: DecodeAuthorizationMessageRequest)
+          o.output = Shapes::ShapeRef.new(shape: DecodeAuthorizationMessageResponse)
+          o.errors << Shapes::ShapeRef.new(shape: InvalidAuthorizationMessageException)
+        end)
+
+        api.add_operation(:get_caller_identity, Seahorse::Model::Operation.new.tap do |o|
+          o.name = "GetCallerIdentity"
+          o.http_method = "POST"
+          o.http_request_uri = "/"
+          o.input = Shapes::ShapeRef.new(shape: GetCallerIdentityRequest)
+          o.output = Shapes::ShapeRef.new(shape: GetCallerIdentityResponse)
+        end)
+
+        api.add_operation(:get_federation_token, Seahorse::Model::Operation.new.tap do |o|
+          o.name = "GetFederationToken"
+          o.http_method = "POST"
+          o.http_request_uri = "/"
+          o.input = Shapes::ShapeRef.new(shape: GetFederationTokenRequest)
+          o.output = Shapes::ShapeRef.new(shape: GetFederationTokenResponse)
+          o.errors << Shapes::ShapeRef.new(shape: MalformedPolicyDocumentException)
+          o.errors << Shapes::ShapeRef.new(shape: PackedPolicyTooLargeException)
+          o.errors << Shapes::ShapeRef.new(shape: RegionDisabledException)
+        end)
+
+        api.add_operation(:get_session_token, Seahorse::Model::Operation.new.tap do |o|
+          o.name = "GetSessionToken"
+          o.http_method = "POST"
+          o.http_request_uri = "/"
+          o.input = Shapes::ShapeRef.new(shape: GetSessionTokenRequest)
+          o.output = Shapes::ShapeRef.new(shape: GetSessionTokenResponse)
+          o.errors << Shapes::ShapeRef.new(shape: RegionDisabledException)
+        end)
+      end
+
+    end
+  end
+end

data/lib/aws-sdk-sts/errors.rb

@@ -0,0 +1,23 @@
+# WARNING ABOUT GENERATED CODE
+#
+# This file is generated. See the contributing for info on making contributions:
+# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
+#
+# WARNING ABOUT GENERATED CODE
+
+module Aws
+  module STS
+    module Errors
+
+      extend Aws::Errors::DynamicErrors
+
+      # Raised when calling #load or #data on a resource class that can not be
+      # loaded.  This can happen when:
+      #
+      # * A resource class has identifiers, but no data attributes.
+      # * Resource data is only available when making an API call that
+      # enumerates all resources of that type.
+      class ResourceNotLoadable < RuntimeError; end
+    end
+  end
+end

data/lib/aws-sdk-sts/resource.rb

@@ -0,0 +1,25 @@
+# WARNING ABOUT GENERATED CODE
+#
+# This file is generated. See the contributing for info on making contributions:
+# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
+#
+# WARNING ABOUT GENERATED CODE
+
+module Aws
+  module STS
+    class Resource
+
+      # @param options ({})
+      # @option options [Client] :client
+      def initialize(options = {})
+        @client = options[:client] || Client.new(options)
+      end
+
+      # @return [Client]
+      def client
+        @client
+      end
+
+    end
+  end
+end

data/lib/aws-sdk-sts/types.rb

@@ -0,0 +1,854 @@
+# WARNING ABOUT GENERATED CODE
+#
+# This file is generated. See the contributing for info on making contributions:
+# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
+#
+# WARNING ABOUT GENERATED CODE
+
+module Aws
+  module STS
+    module Types
+
+      # @note When making an API call, pass AssumeRoleRequest
+      #   data as a hash:
+      #
+      #       {
+      #         role_arn: "arnType", # required
+      #         role_session_name: "roleSessionNameType", # required
+      #         policy: "sessionPolicyDocumentType",
+      #         duration_seconds: 1,
+      #         external_id: "externalIdType",
+      #         serial_number: "serialNumberType",
+      #         token_code: "tokenCodeType",
+      #       }
+      # @!attribute [rw] role_arn
+      #   The Amazon Resource Name (ARN) of the role to assume.
+      #   @return [String]
+      #
+      # @!attribute [rw] role_session_name
+      #   An identifier for the assumed role session.
+      #
+      #   Use the role session name to uniquely identify a session when the
+      #   same role is assumed by different principals or for different
+      #   reasons. In cross-account scenarios, the role session name is
+      #   visible to, and can be logged by the account that owns the role. The
+      #   role session name is also used in the ARN of the assumed role
+      #   principal. This means that subsequent cross-account API requests
+      #   using the temporary security credentials will expose the role
+      #   session name to the external account in their CloudTrail logs.
+      #
+      #   The format for this parameter, as described by its regex pattern, is
+      #   a string of characters consisting of upper- and lower-case
+      #   alphanumeric characters with no spaces. You can also include
+      #   underscores or any of the following characters: =,.@-
+      #   @return [String]
+      #
+      # @!attribute [rw] policy
+      #   An IAM policy in JSON format.
+      #
+      #   This parameter is optional. If you pass a policy, the temporary
+      #   security credentials that are returned by the operation have the
+      #   permissions that are allowed by both (the intersection of) the
+      #   access policy of the role that is being assumed, *and* the policy
+      #   that you pass. This gives you a way to further restrict the
+      #   permissions for the resulting temporary security credentials. You
+      #   cannot use the passed policy to grant permissions that are in excess
+      #   of those allowed by the access policy of the role that is being
+      #   assumed. For more information, see [Permissions for AssumeRole,
+      #   AssumeRoleWithSAML, and AssumeRoleWithWebIdentity][1] in the *IAM
+      #   User Guide*.
+      #
+      #   The format for this parameter, as described by its regex pattern, is
+      #   a string of characters up to 2048 characters in length. The
+      #   characters can be any ASCII character from the space character to
+      #   the end of the valid character list (\\u0020-\\u00FF). It can also
+      #   include the tab (\\u0009), linefeed (\\u000A), and carriage return
+      #   (\\u000D) characters.
+      #
+      #   <note markdown="1"> The policy plain text must be 2048 bytes or shorter. However, an
+      #   internal conversion compresses it into a packed binary format with a
+      #   separate limit. The PackedPolicySize response element indicates by
+      #   percentage how close to the upper size limit the policy is, with
+      #   100% equaling the maximum allowed size.
+      #
+      #    </note>
+      #
+      #
+      #
+      #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
+      #   @return [String]
+      #
+      # @!attribute [rw] duration_seconds
+      #   The duration, in seconds, of the role session. The value can range
+      #   from 900 seconds (15 minutes) to 3600 seconds (1 hour). By default,
+      #   the value is set to 3600 seconds.
+      #
+      #   <note markdown="1"> This is separate from the duration of a console session that you
+      #   might request using the returned credentials. The request to the
+      #   federation endpoint for a console sign-in token takes a
+      #   `SessionDuration` parameter that specifies the maximum length of the
+      #   console session, separately from the `DurationSeconds` parameter on
+      #   this API. For more information, see [Creating a URL that Enables
+      #   Federated Users to Access the AWS Management Console][1] in the *IAM
+      #   User Guide*.
+      #
+      #    </note>
+      #
+      #
+      #
+      #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
+      #   @return [Integer]
+      #
+      # @!attribute [rw] external_id
+      #   A unique identifier that is used by third parties when assuming
+      #   roles in their customers' accounts. For each role that the third
+      #   party can assume, they should instruct their customers to ensure the
+      #   role's trust policy checks for the external ID that the third party
+      #   generated. Each time the third party assumes the role, they should
+      #   pass the customer's external ID. The external ID is useful in order
+      #   to help third parties bind a role to the customer who created it.
+      #   For more information about the external ID, see [How to Use an
+      #   External ID When Granting Access to Your AWS Resources to a Third
+      #   Party][1] in the *IAM User Guide*.
+      #
+      #   The format for this parameter, as described by its regex pattern, is
+      #   a string of characters consisting of upper- and lower-case
+      #   alphanumeric characters with no spaces. You can also include
+      #   underscores or any of the following characters: =,.@:\\/-
+      #
+      #
+      #
+      #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
+      #   @return [String]
+      #
+      # @!attribute [rw] serial_number
+      #   The identification number of the MFA device that is associated with
+      #   the user who is making the `AssumeRole` call. Specify this value if
+      #   the trust policy of the role being assumed includes a condition that
+      #   requires MFA authentication. The value is either the serial number
+      #   for a hardware device (such as `GAHT12345678`) or an Amazon Resource
+      #   Name (ARN) for a virtual device (such as
+      #   `arn:aws:iam::123456789012:mfa/user`).
+      #
+      #   The format for this parameter, as described by its regex pattern, is
+      #   a string of characters consisting of upper- and lower-case
+      #   alphanumeric characters with no spaces. You can also include
+      #   underscores or any of the following characters: =,.@-
+      #   @return [String]
+      #
+      # @!attribute [rw] token_code
+      #   The value provided by the MFA device, if the trust policy of the
+      #   role being assumed requires MFA (that is, if the policy includes a
+      #   condition that tests for MFA). If the role being assumed requires
+      #   MFA and if the `TokenCode` value is missing or expired, the
+      #   `AssumeRole` call returns an "access denied" error.
+      #
+      #   The format for this parameter, as described by its regex pattern, is
+      #   a sequence of six numeric digits.
+      #   @return [String]
+      class AssumeRoleRequest < Struct.new(
+        :role_arn,
+        :role_session_name,
+        :policy,
+        :duration_seconds,
+        :external_id,
+        :serial_number,
+        :token_code)
+        include Aws::Structure
+      end
+
+      # Contains the response to a successful AssumeRole request, including
+      # temporary AWS credentials that can be used to make AWS requests.
+      # @!attribute [rw] credentials
+      #   The temporary security credentials, which include an access key ID,
+      #   a secret access key, and a security (or session) token.
+      #
+      #   **Note:** The size of the security token that STS APIs return is not
+      #   fixed. We strongly recommend that you make no assumptions about the
+      #   maximum size. As of this writing, the typical size is less than 4096
+      #   bytes, but that can vary. Also, future updates to AWS might require
+      #   larger sizes.
+      #   @return [Types::Credentials]
+      #
+      # @!attribute [rw] assumed_role_user
+      #   The Amazon Resource Name (ARN) and the assumed role ID, which are
+      #   identifiers that you can use to refer to the resulting temporary
+      #   security credentials. For example, you can reference these
+      #   credentials as a principal in a resource-based policy by using the
+      #   ARN or assumed role ID. The ARN and ID include the `RoleSessionName`
+      #   that you specified when you called `AssumeRole`.
+      #   @return [Types::AssumedRoleUser]
+      #
+      # @!attribute [rw] packed_policy_size
+      #   A percentage value that indicates the size of the policy in packed
+      #   form. The service rejects any policy with a packed size greater than
+      #   100 percent, which means the policy exceeded the allowed space.
+      #   @return [Integer]
+      class AssumeRoleResponse < Struct.new(
+        :credentials,
+        :assumed_role_user,
+        :packed_policy_size)
+        include Aws::Structure
+      end
+
+      # @note When making an API call, pass AssumeRoleWithSAMLRequest
+      #   data as a hash:
+      #
+      #       {
+      #         role_arn: "arnType", # required
+      #         principal_arn: "arnType", # required
+      #         saml_assertion: "SAMLAssertionType", # required
+      #         policy: "sessionPolicyDocumentType",
+      #         duration_seconds: 1,
+      #       }
+      # @!attribute [rw] role_arn
+      #   The Amazon Resource Name (ARN) of the role that the caller is
+      #   assuming.
+      #   @return [String]
+      #
+      # @!attribute [rw] principal_arn
+      #   The Amazon Resource Name (ARN) of the SAML provider in IAM that
+      #   describes the IdP.
+      #   @return [String]
+      #
+      # @!attribute [rw] saml_assertion
+      #   The base-64 encoded SAML authentication response provided by the
+      #   IdP.
+      #
+      #   For more information, see [Configuring a Relying Party and Adding
+      #   Claims][1] in the *Using IAM* guide.
+      #
+      #
+      #
+      #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html
+      #   @return [String]
+      #
+      # @!attribute [rw] policy
+      #   An IAM policy in JSON format.
+      #
+      #   The policy parameter is optional. If you pass a policy, the
+      #   temporary security credentials that are returned by the operation
+      #   have the permissions that are allowed by both the access policy of
+      #   the role that is being assumed, <i> <b>and</b> </i> the policy that
+      #   you pass. This gives you a way to further restrict the permissions
+      #   for the resulting temporary security credentials. You cannot use the
+      #   passed policy to grant permissions that are in excess of those
+      #   allowed by the access policy of the role that is being assumed. For
+      #   more information, [Permissions for AssumeRole, AssumeRoleWithSAML,
+      #   and AssumeRoleWithWebIdentity][1] in the *IAM User Guide*.
+      #
+      #   The format for this parameter, as described by its regex pattern, is
+      #   a string of characters up to 2048 characters in length. The
+      #   characters can be any ASCII character from the space character to
+      #   the end of the valid character list (\\u0020-\\u00FF). It can also
+      #   include the tab (\\u0009), linefeed (\\u000A), and carriage return
+      #   (\\u000D) characters.
+      #
+      #   <note markdown="1"> The policy plain text must be 2048 bytes or shorter. However, an
+      #   internal conversion compresses it into a packed binary format with a
+      #   separate limit. The PackedPolicySize response element indicates by
+      #   percentage how close to the upper size limit the policy is, with
+      #   100% equaling the maximum allowed size.
+      #
+      #    </note>
+      #
+      #
+      #
+      #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
+      #   @return [String]
+      #
+      # @!attribute [rw] duration_seconds
+      #   The duration, in seconds, of the role session. The value can range
+      #   from 900 seconds (15 minutes) to 3600 seconds (1 hour). By default,
+      #   the value is set to 3600 seconds. An expiration can also be
+      #   specified in the SAML authentication response's
+      #   `SessionNotOnOrAfter` value. The actual expiration time is whichever
+      #   value is shorter.
+      #
+      #   <note markdown="1"> This is separate from the duration of a console session that you
+      #   might request using the returned credentials. The request to the
+      #   federation endpoint for a console sign-in token takes a
+      #   `SessionDuration` parameter that specifies the maximum length of the
+      #   console session, separately from the `DurationSeconds` parameter on
+      #   this API. For more information, see [Enabling SAML 2.0 Federated
+      #   Users to Access the AWS Management Console][1] in the *IAM User
+      #   Guide*.
+      #
+      #    </note>
+      #
+      #
+      #
+      #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html
+      #   @return [Integer]
+      class AssumeRoleWithSAMLRequest < Struct.new(
+        :role_arn,
+        :principal_arn,
+        :saml_assertion,
+        :policy,
+        :duration_seconds)
+        include Aws::Structure
+      end
+
+      # Contains the response to a successful AssumeRoleWithSAML request,
+      # including temporary AWS credentials that can be used to make AWS
+      # requests.
+      # @!attribute [rw] credentials
+      #   The temporary security credentials, which include an access key ID,
+      #   a secret access key, and a security (or session) token.
+      #
+      #   **Note:** The size of the security token that STS APIs return is not
+      #   fixed. We strongly recommend that you make no assumptions about the
+      #   maximum size. As of this writing, the typical size is less than 4096
+      #   bytes, but that can vary. Also, future updates to AWS might require
+      #   larger sizes.
+      #   @return [Types::Credentials]
+      #
+      # @!attribute [rw] assumed_role_user
+      #   The identifiers for the temporary security credentials that the
+      #   operation returns.
+      #   @return [Types::AssumedRoleUser]
+      #
+      # @!attribute [rw] packed_policy_size
+      #   A percentage value that indicates the size of the policy in packed
+      #   form. The service rejects any policy with a packed size greater than
+      #   100 percent, which means the policy exceeded the allowed space.
+      #   @return [Integer]
+      #
+      # @!attribute [rw] subject
+      #   The value of the `NameID` element in the `Subject` element of the
+      #   SAML assertion.
+      #   @return [String]
+      #
+      # @!attribute [rw] subject_type
+      #   The format of the name ID, as defined by the `Format` attribute in
+      #   the `NameID` element of the SAML assertion. Typical examples of the
+      #   format are `transient` or `persistent`.
+      #
+      #   If the format includes the prefix
+      #   `urn:oasis:names:tc:SAML:2.0:nameid-format`, that prefix is removed.
+      #   For example, `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`
+      #   is returned as `transient`. If the format includes any other prefix,
+      #   the format is returned with no modifications.
+      #   @return [String]
+      #
+      # @!attribute [rw] issuer
+      #   The value of the `Issuer` element of the SAML assertion.
+      #   @return [String]
+      #
+      # @!attribute [rw] audience
+      #   The value of the `Recipient` attribute of the
+      #   `SubjectConfirmationData` element of the SAML assertion.
+      #   @return [String]
+      #
+      # @!attribute [rw] name_qualifier
+      #   A hash value based on the concatenation of the `Issuer` response
+      #   value, the AWS account ID, and the friendly name (the last part of
+      #   the ARN) of the SAML provider in IAM. The combination of
+      #   `NameQualifier` and `Subject` can be used to uniquely identify a
+      #   federated user.
+      #
+      #   The following pseudocode shows how the hash value is calculated:
+      #
+      #   `BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" +
+      #   "/MySAMLIdP" ) )`
+      #   @return [String]
+      class AssumeRoleWithSAMLResponse < Struct.new(
+        :credentials,
+        :assumed_role_user,
+        :packed_policy_size,
+        :subject,
+        :subject_type,
+        :issuer,
+        :audience,
+        :name_qualifier)
+        include Aws::Structure
+      end
+
+      # @note When making an API call, pass AssumeRoleWithWebIdentityRequest
+      #   data as a hash:
+      #
+      #       {
+      #         role_arn: "arnType", # required
+      #         role_session_name: "roleSessionNameType", # required
+      #         web_identity_token: "clientTokenType", # required
+      #         provider_id: "urlType",
+      #         policy: "sessionPolicyDocumentType",
+      #         duration_seconds: 1,
+      #       }
+      # @!attribute [rw] role_arn
+      #   The Amazon Resource Name (ARN) of the role that the caller is
+      #   assuming.
+      #   @return [String]
+      #
+      # @!attribute [rw] role_session_name
+      #   An identifier for the assumed role session. Typically, you pass the
+      #   name or identifier that is associated with the user who is using
+      #   your application. That way, the temporary security credentials that
+      #   your application will use are associated with that user. This
+      #   session name is included as part of the ARN and assumed role ID in
+      #   the `AssumedRoleUser` response element.
+      #
+      #   The format for this parameter, as described by its regex pattern, is
+      #   a string of characters consisting of upper- and lower-case
+      #   alphanumeric characters with no spaces. You can also include
+      #   underscores or any of the following characters: =,.@-
+      #   @return [String]
+      #
+      # @!attribute [rw] web_identity_token
+      #   The OAuth 2.0 access token or OpenID Connect ID token that is
+      #   provided by the identity provider. Your application must get this
+      #   token by authenticating the user who is using your application with
+      #   a web identity provider before the application makes an
+      #   `AssumeRoleWithWebIdentity` call.
+      #   @return [String]
+      #
+      # @!attribute [rw] provider_id
+      #   The fully qualified host component of the domain name of the
+      #   identity provider.
+      #
+      #   Specify this value only for OAuth 2.0 access tokens. Currently
+      #   `www.amazon.com` and `graph.facebook.com` are the only supported
+      #   identity providers for OAuth 2.0 access tokens. Do not include URL
+      #   schemes and port numbers.
+      #
+      #   Do not specify this value for OpenID Connect ID tokens.
+      #   @return [String]
+      #
+      # @!attribute [rw] policy
+      #   An IAM policy in JSON format.
+      #
+      #   The policy parameter is optional. If you pass a policy, the
+      #   temporary security credentials that are returned by the operation
+      #   have the permissions that are allowed by both the access policy of
+      #   the role that is being assumed, <i> <b>and</b> </i> the policy that
+      #   you pass. This gives you a way to further restrict the permissions
+      #   for the resulting temporary security credentials. You cannot use the
+      #   passed policy to grant permissions that are in excess of those
+      #   allowed by the access policy of the role that is being assumed. For
+      #   more information, see [Permissions for AssumeRoleWithWebIdentity][1]
+      #   in the *IAM User Guide*.
+      #
+      #   The format for this parameter, as described by its regex pattern, is
+      #   a string of characters up to 2048 characters in length. The
+      #   characters can be any ASCII character from the space character to
+      #   the end of the valid character list (\\u0020-\\u00FF). It can also
+      #   include the tab (\\u0009), linefeed (\\u000A), and carriage return
+      #   (\\u000D) characters.
+      #
+      #   <note markdown="1"> The policy plain text must be 2048 bytes or shorter. However, an
+      #   internal conversion compresses it into a packed binary format with a
+      #   separate limit. The PackedPolicySize response element indicates by
+      #   percentage how close to the upper size limit the policy is, with
+      #   100% equaling the maximum allowed size.
+      #
+      #    </note>
+      #
+      #
+      #
+      #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
+      #   @return [String]
+      #
+      # @!attribute [rw] duration_seconds
+      #   The duration, in seconds, of the role session. The value can range
+      #   from 900 seconds (15 minutes) to 3600 seconds (1 hour). By default,
+      #   the value is set to 3600 seconds.
+      #
+      #   <note markdown="1"> This is separate from the duration of a console session that you
+      #   might request using the returned credentials. The request to the
+      #   federation endpoint for a console sign-in token takes a
+      #   `SessionDuration` parameter that specifies the maximum length of the
+      #   console session, separately from the `DurationSeconds` parameter on
+      #   this API. For more information, see [Creating a URL that Enables
+      #   Federated Users to Access the AWS Management Console][1] in the *IAM
+      #   User Guide*.
+      #
+      #    </note>
+      #
+      #
+      #
+      #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
+      #   @return [Integer]
+      class AssumeRoleWithWebIdentityRequest < Struct.new(
+        :role_arn,
+        :role_session_name,
+        :web_identity_token,
+        :provider_id,
+        :policy,
+        :duration_seconds)
+        include Aws::Structure
+      end
+
+      # Contains the response to a successful AssumeRoleWithWebIdentity
+      # request, including temporary AWS credentials that can be used to make
+      # AWS requests.
+      # @!attribute [rw] credentials
+      #   The temporary security credentials, which include an access key ID,
+      #   a secret access key, and a security token.
+      #
+      #   **Note:** The size of the security token that STS APIs return is not
+      #   fixed. We strongly recommend that you make no assumptions about the
+      #   maximum size. As of this writing, the typical size is less than 4096
+      #   bytes, but that can vary. Also, future updates to AWS might require
+      #   larger sizes.
+      #   @return [Types::Credentials]
+      #
+      # @!attribute [rw] subject_from_web_identity_token
+      #   The unique user identifier that is returned by the identity
+      #   provider. This identifier is associated with the `WebIdentityToken`
+      #   that was submitted with the `AssumeRoleWithWebIdentity` call. The
+      #   identifier is typically unique to the user and the application that
+      #   acquired the `WebIdentityToken` (pairwise identifier). For OpenID
+      #   Connect ID tokens, this field contains the value returned by the
+      #   identity provider as the token's `sub` (Subject) claim.
+      #   @return [String]
+      #
+      # @!attribute [rw] assumed_role_user
+      #   The Amazon Resource Name (ARN) and the assumed role ID, which are
+      #   identifiers that you can use to refer to the resulting temporary
+      #   security credentials. For example, you can reference these
+      #   credentials as a principal in a resource-based policy by using the
+      #   ARN or assumed role ID. The ARN and ID include the `RoleSessionName`
+      #   that you specified when you called `AssumeRole`.
+      #   @return [Types::AssumedRoleUser]
+      #
+      # @!attribute [rw] packed_policy_size
+      #   A percentage value that indicates the size of the policy in packed
+      #   form. The service rejects any policy with a packed size greater than
+      #   100 percent, which means the policy exceeded the allowed space.
+      #   @return [Integer]
+      #
+      # @!attribute [rw] provider
+      #   The issuing authority of the web identity token presented. For
+      #   OpenID Connect ID Tokens this contains the value of the `iss` field.
+      #   For OAuth 2.0 access tokens, this contains the value of the
+      #   `ProviderId` parameter that was passed in the
+      #   `AssumeRoleWithWebIdentity` request.
+      #   @return [String]
+      #
+      # @!attribute [rw] audience
+      #   The intended audience (also known as client ID) of the web identity
+      #   token. This is traditionally the client identifier issued to the
+      #   application that requested the web identity token.
+      #   @return [String]
+      class AssumeRoleWithWebIdentityResponse < Struct.new(
+        :credentials,
+        :subject_from_web_identity_token,
+        :assumed_role_user,
+        :packed_policy_size,
+        :provider,
+        :audience)
+        include Aws::Structure
+      end
+
+      # The identifiers for the temporary security credentials that the
+      # operation returns.
+      # @!attribute [rw] assumed_role_id
+      #   A unique identifier that contains the role ID and the role session
+      #   name of the role that is being assumed. The role ID is generated by
+      #   AWS when the role is created.
+      #   @return [String]
+      #
+      # @!attribute [rw] arn
+      #   The ARN of the temporary security credentials that are returned from
+      #   the AssumeRole action. For more information about ARNs and how to
+      #   use them in policies, see [IAM Identifiers][1] in *Using IAM*.
+      #
+      #
+      #
+      #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html
+      #   @return [String]
+      class AssumedRoleUser < Struct.new(
+        :assumed_role_id,
+        :arn)
+        include Aws::Structure
+      end
+
+      # AWS credentials for API authentication.
+      # @!attribute [rw] access_key_id
+      #   The access key ID that identifies the temporary security
+      #   credentials.
+      #   @return [String]
+      #
+      # @!attribute [rw] secret_access_key
+      #   The secret access key that can be used to sign requests.
+      #   @return [String]
+      #
+      # @!attribute [rw] session_token
+      #   The token that users must pass to the service API to use the
+      #   temporary credentials.
+      #   @return [String]
+      #
+      # @!attribute [rw] expiration
+      #   The date on which the current credentials expire.
+      #   @return [Time]
+      class Credentials < Struct.new(
+        :access_key_id,
+        :secret_access_key,
+        :session_token,
+        :expiration)
+        include Aws::Structure
+      end
+
+      # @note When making an API call, pass DecodeAuthorizationMessageRequest
+      #   data as a hash:
+      #
+      #       {
+      #         encoded_message: "encodedMessageType", # required
+      #       }
+      # @!attribute [rw] encoded_message
+      #   The encoded message that was returned with the response.
+      #   @return [String]
+      class DecodeAuthorizationMessageRequest < Struct.new(
+        :encoded_message)
+        include Aws::Structure
+      end
+
+      # A document that contains additional information about the
+      # authorization status of a request from an encoded message that is
+      # returned in response to an AWS request.
+      # @!attribute [rw] decoded_message
+      #   An XML document that contains the decoded message.
+      #   @return [String]
+      class DecodeAuthorizationMessageResponse < Struct.new(
+        :decoded_message)
+        include Aws::Structure
+      end
+
+      # Identifiers for the federated user that is associated with the
+      # credentials.
+      # @!attribute [rw] federated_user_id
+      #   The string that identifies the federated user associated with the
+      #   credentials, similar to the unique ID of an IAM user.
+      #   @return [String]
+      #
+      # @!attribute [rw] arn
+      #   The ARN that specifies the federated user that is associated with
+      #   the credentials. For more information about ARNs and how to use them
+      #   in policies, see [IAM Identifiers][1] in *Using IAM*.
+      #
+      #
+      #
+      #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html
+      #   @return [String]
+      class FederatedUser < Struct.new(
+        :federated_user_id,
+        :arn)
+        include Aws::Structure
+      end
+
+      # @api private
+      class GetCallerIdentityRequest < Aws::EmptyStructure; end
+
+      # Contains the response to a successful GetCallerIdentity request,
+      # including information about the entity making the request.
+      # @!attribute [rw] user_id
+      #   The unique identifier of the calling entity. The exact value depends
+      #   on the type of entity making the call. The values returned are those
+      #   listed in the **aws:userid** column in the [Principal table][1]
+      #   found on the **Policy Variables** reference page in the *IAM User
+      #   Guide*.
+      #
+      #
+      #
+      #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable
+      #   @return [String]
+      #
+      # @!attribute [rw] account
+      #   The AWS account ID number of the account that owns or contains the
+      #   calling entity.
+      #   @return [String]
+      #
+      # @!attribute [rw] arn
+      #   The AWS ARN associated with the calling entity.
+      #   @return [String]
+      class GetCallerIdentityResponse < Struct.new(
+        :user_id,
+        :account,
+        :arn)
+        include Aws::Structure
+      end
+
+      # @note When making an API call, pass GetFederationTokenRequest
+      #   data as a hash:
+      #
+      #       {
+      #         name: "userNameType", # required
+      #         policy: "sessionPolicyDocumentType",
+      #         duration_seconds: 1,
+      #       }
+      # @!attribute [rw] name
+      #   The name of the federated user. The name is used as an identifier
+      #   for the temporary security credentials (such as `Bob`). For example,
+      #   you can reference the federated user name in a resource-based
+      #   policy, such as in an Amazon S3 bucket policy.
+      #
+      #   The format for this parameter, as described by its regex pattern, is
+      #   a string of characters consisting of upper- and lower-case
+      #   alphanumeric characters with no spaces. You can also include
+      #   underscores or any of the following characters: =,.@-
+      #   @return [String]
+      #
+      # @!attribute [rw] policy
+      #   An IAM policy in JSON format that is passed with the
+      #   `GetFederationToken` call and evaluated along with the policy or
+      #   policies that are attached to the IAM user whose credentials are
+      #   used to call `GetFederationToken`. The passed policy is used to
+      #   scope down the permissions that are available to the IAM user, by
+      #   allowing only a subset of the permissions that are granted to the
+      #   IAM user. The passed policy cannot grant more permissions than those
+      #   granted to the IAM user. The final permissions for the federated
+      #   user are the most restrictive set based on the intersection of the
+      #   passed policy and the IAM user policy.
+      #
+      #   If you do not pass a policy, the resulting temporary security
+      #   credentials have no effective permissions. The only exception is
+      #   when the temporary security credentials are used to access a
+      #   resource that has a resource-based policy that specifically allows
+      #   the federated user to access the resource.
+      #
+      #   The format for this parameter, as described by its regex pattern, is
+      #   a string of characters up to 2048 characters in length. The
+      #   characters can be any ASCII character from the space character to
+      #   the end of the valid character list (\\u0020-\\u00FF). It can also
+      #   include the tab (\\u0009), linefeed (\\u000A), and carriage return
+      #   (\\u000D) characters.
+      #
+      #   <note markdown="1"> The policy plain text must be 2048 bytes or shorter. However, an
+      #   internal conversion compresses it into a packed binary format with a
+      #   separate limit. The PackedPolicySize response element indicates by
+      #   percentage how close to the upper size limit the policy is, with
+      #   100% equaling the maximum allowed size.
+      #
+      #    </note>
+      #
+      #   For more information about how permissions work, see [Permissions
+      #   for GetFederationToken][1].
+      #
+      #
+      #
+      #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html
+      #   @return [String]
+      #
+      # @!attribute [rw] duration_seconds
+      #   The duration, in seconds, that the session should last. Acceptable
+      #   durations for federation sessions range from 900 seconds (15
+      #   minutes) to 129600 seconds (36 hours), with 43200 seconds (12 hours)
+      #   as the default. Sessions obtained using AWS account (root)
+      #   credentials are restricted to a maximum of 3600 seconds (one hour).
+      #   If the specified duration is longer than one hour, the session
+      #   obtained by using AWS account (root) credentials defaults to one
+      #   hour.
+      #   @return [Integer]
+      class GetFederationTokenRequest < Struct.new(
+        :name,
+        :policy,
+        :duration_seconds)
+        include Aws::Structure
+      end
+
+      # Contains the response to a successful GetFederationToken request,
+      # including temporary AWS credentials that can be used to make AWS
+      # requests.
+      # @!attribute [rw] credentials
+      #   The temporary security credentials, which include an access key ID,
+      #   a secret access key, and a security (or session) token.
+      #
+      #   **Note:** The size of the security token that STS APIs return is not
+      #   fixed. We strongly recommend that you make no assumptions about the
+      #   maximum size. As of this writing, the typical size is less than 4096
+      #   bytes, but that can vary. Also, future updates to AWS might require
+      #   larger sizes.
+      #   @return [Types::Credentials]
+      #
+      # @!attribute [rw] federated_user
+      #   Identifiers for the federated user associated with the credentials
+      #   (such as `arn:aws:sts::123456789012:federated-user/Bob` or
+      #   `123456789012:Bob`). You can use the federated user's ARN in your
+      #   resource-based policies, such as an Amazon S3 bucket policy.
+      #   @return [Types::FederatedUser]
+      #
+      # @!attribute [rw] packed_policy_size
+      #   A percentage value indicating the size of the policy in packed form.
+      #   The service rejects policies for which the packed size is greater
+      #   than 100 percent of the allowed value.
+      #   @return [Integer]
+      class GetFederationTokenResponse < Struct.new(
+        :credentials,
+        :federated_user,
+        :packed_policy_size)
+        include Aws::Structure
+      end
+
+      # @note When making an API call, pass GetSessionTokenRequest
+      #   data as a hash:
+      #
+      #       {
+      #         duration_seconds: 1,
+      #         serial_number: "serialNumberType",
+      #         token_code: "tokenCodeType",
+      #       }
+      # @!attribute [rw] duration_seconds
+      #   The duration, in seconds, that the credentials should remain valid.
+      #   Acceptable durations for IAM user sessions range from 900 seconds
+      #   (15 minutes) to 129600 seconds (36 hours), with 43200 seconds (12
+      #   hours) as the default. Sessions for AWS account owners are
+      #   restricted to a maximum of 3600 seconds (one hour). If the duration
+      #   is longer than one hour, the session for AWS account owners defaults
+      #   to one hour.
+      #   @return [Integer]
+      #
+      # @!attribute [rw] serial_number
+      #   The identification number of the MFA device that is associated with
+      #   the IAM user who is making the `GetSessionToken` call. Specify this
+      #   value if the IAM user has a policy that requires MFA authentication.
+      #   The value is either the serial number for a hardware device (such as
+      #   `GAHT12345678`) or an Amazon Resource Name (ARN) for a virtual
+      #   device (such as `arn:aws:iam::123456789012:mfa/user`). You can find
+      #   the device for an IAM user by going to the AWS Management Console
+      #   and viewing the user's security credentials.
+      #
+      #   The format for this parameter, as described by its regex pattern, is
+      #   a string of characters consisting of upper- and lower-case
+      #   alphanumeric characters with no spaces. You can also include
+      #   underscores or any of the following characters: =,.@-
+      #   @return [String]
+      #
+      # @!attribute [rw] token_code
+      #   The value provided by the MFA device, if MFA is required. If any
+      #   policy requires the IAM user to submit an MFA code, specify this
+      #   value. If MFA authentication is required, and the user does not
+      #   provide a code when requesting a set of temporary security
+      #   credentials, the user will receive an "access denied" response
+      #   when requesting resources that require MFA authentication.
+      #
+      #   The format for this parameter, as described by its regex pattern, is
+      #   a sequence of six numeric digits.
+      #   @return [String]
+      class GetSessionTokenRequest < Struct.new(
+        :duration_seconds,
+        :serial_number,
+        :token_code)
+        include Aws::Structure
+      end
+
+      # Contains the response to a successful GetSessionToken request,
+      # including temporary AWS credentials that can be used to make AWS
+      # requests.
+      # @!attribute [rw] credentials
+      #   The temporary security credentials, which include an access key ID,
+      #   a secret access key, and a security (or session) token.
+      #
+      #   **Note:** The size of the security token that STS APIs return is not
+      #   fixed. We strongly recommend that you make no assumptions about the
+      #   maximum size. As of this writing, the typical size is less than 4096
+      #   bytes, but that can vary. Also, future updates to AWS might require
+      #   larger sizes.
+      #   @return [Types::Credentials]
+      class GetSessionTokenResponse < Struct.new(
+        :credentials)
+        include Aws::Structure
+      end
+
+    end
+  end
+end