aws-sdk-core 3.0.0.rc2 → 3.0.0.rc3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4231d08283aa109096c98fd0229868c31d33c2d2
-  data.tar.gz: 0b2b655f8efc8018152d22ea594b78a98ebfd3f7
+  metadata.gz: 2b367b9513d10af431235298f76327b90144a1fd
+  data.tar.gz: 921ca14ca28f4c5ef0a946eb3b3730bba5355f88
 SHA512:
-  metadata.gz: 756a7b9463f304c0683952010fe8ae32381768c9450f9fb3e95b78d1453b950f75d91c6a6d8264760d4f9423b57128fa29e43a0125e2d5fdb7ca56691ce80748
-  data.tar.gz: 881b851bab028471e49efb823c31bf52016c4564550e8aab4e094b98ccf4490e23efbb6d0395c83934b3babc37be6344781bc53d53c66c17ec2972176d6c7438
+  metadata.gz: 994e0954d23f6130188b8b2087fffaf6c99cb8e0db2c6efd9dabb7ff62f4f4047a3923ce2a9a85270c34d696742cd752ce77b1573901b807d49941e632e8602d
+  data.tar.gz: 113c307ce0841a5bd8218d840c9da85ea26f75b8944f27a98d1820c3d237aac5b87cf8622bd6c31b33571b3a7d07edd4827fb8d97347984792fd6d7fccadd1f9

data/VERSION

@@ -1 +1 @@
-3.0.0.rc2
+3.0.0.rc3

data/lib/aws-sdk-core/log/param_filter.rb

@@ -11,7 +11,7 @@ module Aws
       #
       # @api private
       # begin
-      SENSITIVE = [:access_token, :admin_contact, :artifact_credentials, :auth_code, :base_32_string_seed, :client_id, :client_secret, :copy_source_sse_customer_key, :credentials, :id_token, :local_console_password, :message, :name, :new_password, :old_password, :owner_information, :parameters, :password, :payload, :plaintext, :previous_password, :private_key, :proposed_password, :public_key, :qr_code_png, :refresh_token, :registrant_contact, :secret_access_key, :secret_hash, :shared_secret, :sse_customer_key, :ssekms_key_id, :task_parameters, :tech_contact, :temporary_password, :trust_password, :upload_credentials, :username, :value, :values, :variables, :zip_file]
+      SENSITIVE = [:access_token, :admin_contact, :artifact_credentials, :auth_code, :base_32_string_seed, :client_id, :client_secret, :copy_source_sse_customer_key, :credentials, :id_token, :local_console_password, :message, :name, :new_password, :old_password, :owner_information, :parameters, :password, :payload, :plaintext, :previous_password, :private_key, :proposed_password, :public_key, :qr_code_png, :refresh_token, :registrant_contact, :secret_access_key, :secret_hash, :service_password, :shared_secret, :sse_customer_key, :ssekms_key_id, :task_parameters, :tech_contact, :temporary_password, :trust_password, :upload_credentials, :username, :value, :values, :variables, :zip_file]
       # end
 
       def initialize(options = {})

data/lib/aws-sdk-core/plugins/retry_errors.rb

@@ -35,6 +35,7 @@ errors from expired credentials.
           'ProvisionedThroughputExceededException', # dynamodb
           'RequestLimitExceeded',                   # ec2
           'BandwidthLimitExceeded',                 # cloud search
+          'LimitExceededException',                 # kinesis
         ])
 
         CHECKSUM_ERRORS = Set.new([

data/lib/aws-sdk-core/plugins/signature_v4.rb

@@ -80,7 +80,7 @@ module Aws
               service: cfg.sigv4_name,
               region: cfg.sigv4_region,
               credentials_provider: cfg.credentials,
-              unsigned_headers: ['content-length', 'user-agent']
+              unsigned_headers: ['content-length', 'user-agent', 'x-amzn-trace-id']
             )
           elsif cfg.credentials
             raise Errors::MissingRegionError

data/lib/aws-sdk-core/rest/request/endpoint.rb

@@ -29,7 +29,7 @@ module Aws
 
         def apply_path_params(uri, params)
           path = uri.path.sub(/\/$/, '') + @path_pattern.split('?')[0]
-          uri.path = path.gsub(/{\w+\+?}/) do |placeholder|
+          uri.path = path.gsub(/{.+?}/) do |placeholder|
             param_value_for_placeholder(placeholder, params)
           end
         end

data/lib/aws-sdk-core/version.rb

@@ -1,3 +1,3 @@
 module Aws
-  VERSION = '2.6.28'
+  VERSION = '2.6.44'
 end

data/lib/aws-sdk-sts.rb

@@ -1,6 +1,6 @@
 # WARNING ABOUT GENERATED CODE
 #
-# This file is generated. See the contributing for info on making contributions:
+# This file is generated. See the contributing guide for more information:
 # https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
 #
 # WARNING ABOUT GENERATED CODE

data/lib/aws-sdk-sts/client.rb

@@ -1,6 +1,6 @@
 # WARNING ABOUT GENERATED CODE
 #
-# This file is generated. See the contributing for info on making contributions:
+# This file is generated. See the contributing guide for more information:
 # https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
 #
 # WARNING ABOUT GENERATED CODE
@@ -23,1177 +23,1238 @@ require 'aws-sdk-core/plugins/protocols/query.rb'
 
 Aws::Plugins::GlobalConfiguration.add_identifier(:sts)
 
-module Aws
-  module STS
-    class Client < Seahorse::Client::Base
+module Aws::STS
+  class Client < Seahorse::Client::Base
 
-      include Aws::ClientStubs
+    include Aws::ClientStubs
 
-      @identifier = :sts
+    @identifier = :sts
 
-      set_api(ClientApi::API)
+    set_api(ClientApi::API)
 
-      add_plugin(Seahorse::Client::Plugins::ContentLength)
-      add_plugin(Aws::Plugins::CredentialsConfiguration)
-      add_plugin(Aws::Plugins::Logging)
-      add_plugin(Aws::Plugins::ParamConverter)
-      add_plugin(Aws::Plugins::ParamValidator)
-      add_plugin(Aws::Plugins::UserAgent)
-      add_plugin(Aws::Plugins::HelpfulSocketErrors)
-      add_plugin(Aws::Plugins::RetryErrors)
-      add_plugin(Aws::Plugins::GlobalConfiguration)
-      add_plugin(Aws::Plugins::RegionalEndpoint)
-      add_plugin(Aws::Plugins::ResponsePaging)
-      add_plugin(Aws::Plugins::StubResponses)
-      add_plugin(Aws::Plugins::IdempotencyToken)
-      add_plugin(Aws::Plugins::SignatureV4)
-      add_plugin(Aws::Plugins::Protocols::Query)
+    add_plugin(Seahorse::Client::Plugins::ContentLength)
+    add_plugin(Aws::Plugins::CredentialsConfiguration)
+    add_plugin(Aws::Plugins::Logging)
+    add_plugin(Aws::Plugins::ParamConverter)
+    add_plugin(Aws::Plugins::ParamValidator)
+    add_plugin(Aws::Plugins::UserAgent)
+    add_plugin(Aws::Plugins::HelpfulSocketErrors)
+    add_plugin(Aws::Plugins::RetryErrors)
+    add_plugin(Aws::Plugins::GlobalConfiguration)
+    add_plugin(Aws::Plugins::RegionalEndpoint)
+    add_plugin(Aws::Plugins::ResponsePaging)
+    add_plugin(Aws::Plugins::StubResponses)
+    add_plugin(Aws::Plugins::IdempotencyToken)
+    add_plugin(Aws::Plugins::SignatureV4)
+    add_plugin(Aws::Plugins::Protocols::Query)
 
-      # @option options [required, Aws::CredentialProvider] :credentials
-      #   Your AWS credentials. This can be an instance of any one of the
-      #   following classes:
-      #
-      #   * `Aws::Credentials` - Used for configuring static, non-refreshing
-      #     credentials.
-      #
-      #   * `Aws::InstanceProfileCredentials` - Used for loading credentials
-      #     from an EC2 IMDS on an EC2 instance.
-      #
-      #   * `Aws::SharedCredentials` - Used for loading credentials from a
-      #     shared file, such as `~/.aws/config`.
-      #
-      #   * `Aws::AssumeRoleCredentials` - Used when you need to assume a role.
-      #
-      #   When `:credentials` are not configured directly, the following
-      #   locations will be searched for credentials:
-      #
-      #   * `Aws.config[:credentials]`
-      #   * The `:access_key_id`, `:secret_access_key`, and `:session_token` options.
-      #   * ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY']
-      #   * `~/.aws/credentials`
-      #   * `~/.aws/config`
-      #   * EC2 IMDS instance profile - When used by default, the timeouts are
-      #     very aggressive. Construct and pass an instance of
-      #     `Aws::InstanceProfileCredentails` to enable retries and extended
-      #     timeouts.
-      # @option options [required, String] :region
-      #   The AWS region to connect to.  The configured `:region` is
-      #   used to determine the service `:endpoint`. When not passed,
-      #   a default `:region` is search for in the following locations:
-      #
-      #   * `Aws.config[:region]`
-      #   * `ENV['AWS_REGION']`
-      #   * `ENV['AMAZON_REGION']`
-      #   * `ENV['AWS_DEFAULT_REGION']`
-      #   * `~/.aws/credentials`
-      #   * `~/.aws/config`
-      # @option options [String] :access_key_id
-      # @option options [Boolean] :convert_params (true)
-      #   When `true`, an attempt is made to coerce request parameters into
-      #   the required types.
-      # @option options [String] :endpoint
-      #   The client endpoint is normally constructed from the `:region`
-      #   option. You should only configure an `:endpoint` when connecting
-      #   to test endpoints. This should be avalid HTTP(S) URI.
-      # @option options [Aws::Log::Formatter] :log_formatter (Aws::Log::Formatter.default)
-      #   The log formatter.
-      # @option options [Symbol] :log_level (:info)
-      #   The log level to send messages to the `:logger` at.
-      # @option options [Logger] :logger
-      #   The Logger instance to send log messages to.  If this option
-      #   is not set, logging will be disabled.
-      # @option options [String] :profile ("default")
-      #   Used when loading credentials from the shared credentials file
-      #   at HOME/.aws/credentials.  When not specified, 'default' is used.
-      # @option options [Integer] :retry_limit (3)
-      #   The maximum number of times to retry failed requests.  Only
-      #   ~ 500 level server errors and certain ~ 400 level client errors
-      #   are retried.  Generally, these are throttling errors, data
-      #   checksum errors, networking errors, timeout errors and auth
-      #   errors from expired credentials.
-      # @option options [String] :secret_access_key
-      # @option options [String] :session_token
-      # @option options [Boolean] :stub_responses (false)
-      #   Causes the client to return stubbed responses. By default
-      #   fake responses are generated and returned. You can specify
-      #   the response data to return or errors to raise by calling
-      #   {ClientStubs#stub_responses}. See {ClientStubs} for more information.
-      #
-      #   ** Please note ** When response stubbing is enabled, no HTTP
-      #   requests are made, and retries are disabled.
-      # @option options [Boolean] :validate_params (true)
-      #   When `true`, request parameters are validated before
-      #   sending the request.
-      def initialize(*args)
-        super
-      end
-
-      # @!group API Operations
+    # @option options [required, Aws::CredentialProvider] :credentials
+    #   Your AWS credentials. This can be an instance of any one of the
+    #   following classes:
+    #
+    #   * `Aws::Credentials` - Used for configuring static, non-refreshing
+    #     credentials.
+    #
+    #   * `Aws::InstanceProfileCredentials` - Used for loading credentials
+    #     from an EC2 IMDS on an EC2 instance.
+    #
+    #   * `Aws::SharedCredentials` - Used for loading credentials from a
+    #     shared file, such as `~/.aws/config`.
+    #
+    #   * `Aws::AssumeRoleCredentials` - Used when you need to assume a role.
+    #
+    #   When `:credentials` are not configured directly, the following
+    #   locations will be searched for credentials:
+    #
+    #   * `Aws.config[:credentials]`
+    #   * The `:access_key_id`, `:secret_access_key`, and `:session_token` options.
+    #   * ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY']
+    #   * `~/.aws/credentials`
+    #   * `~/.aws/config`
+    #   * EC2 IMDS instance profile - When used by default, the timeouts are
+    #     very aggressive. Construct and pass an instance of
+    #     `Aws::InstanceProfileCredentails` to enable retries and extended
+    #     timeouts.
+    #
+    # @option options [required, String] :region
+    #   The AWS region to connect to.  The configured `:region` is
+    #   used to determine the service `:endpoint`. When not passed,
+    #   a default `:region` is search for in the following locations:
+    #
+    #   * `Aws.config[:region]`
+    #   * `ENV['AWS_REGION']`
+    #   * `ENV['AMAZON_REGION']`
+    #   * `ENV['AWS_DEFAULT_REGION']`
+    #   * `~/.aws/credentials`
+    #   * `~/.aws/config`
+    #
+    # @option options [String] :access_key_id
+    #
+    # @option options [Boolean] :convert_params (true)
+    #   When `true`, an attempt is made to coerce request parameters into
+    #   the required types.
+    #
+    # @option options [String] :endpoint
+    #   The client endpoint is normally constructed from the `:region`
+    #   option. You should only configure an `:endpoint` when connecting
+    #   to test endpoints. This should be avalid HTTP(S) URI.
+    #
+    # @option options [Aws::Log::Formatter] :log_formatter (Aws::Log::Formatter.default)
+    #   The log formatter.
+    #
+    # @option options [Symbol] :log_level (:info)
+    #   The log level to send messages to the `:logger` at.
+    #
+    # @option options [Logger] :logger
+    #   The Logger instance to send log messages to.  If this option
+    #   is not set, logging will be disabled.
+    #
+    # @option options [String] :profile ("default")
+    #   Used when loading credentials from the shared credentials file
+    #   at HOME/.aws/credentials.  When not specified, 'default' is used.
+    #
+    # @option options [Integer] :retry_limit (3)
+    #   The maximum number of times to retry failed requests.  Only
+    #   ~ 500 level server errors and certain ~ 400 level client errors
+    #   are retried.  Generally, these are throttling errors, data
+    #   checksum errors, networking errors, timeout errors and auth
+    #   errors from expired credentials.
+    #
+    # @option options [String] :secret_access_key
+    #
+    # @option options [String] :session_token
+    #
+    # @option options [Boolean] :stub_responses (false)
+    #   Causes the client to return stubbed responses. By default
+    #   fake responses are generated and returned. You can specify
+    #   the response data to return or errors to raise by calling
+    #   {ClientStubs#stub_responses}. See {ClientStubs} for more information.
+    #
+    #   ** Please note ** When response stubbing is enabled, no HTTP
+    #   requests are made, and retries are disabled.
+    #
+    # @option options [Boolean] :validate_params (true)
+    #   When `true`, request parameters are validated before
+    #   sending the request.
+    #
+    def initialize(*args)
+      super
+    end
 
-      # Returns a set of temporary security credentials (consisting of an
-      # access key ID, a secret access key, and a security token) that you can
-      # use to access AWS resources that you might not normally have access
-      # to. Typically, you use `AssumeRole` for cross-account access or
-      # federation. For a comparison of `AssumeRole` with the other APIs that
-      # produce temporary credentials, see [Requesting Temporary Security
-      # Credentials][1] and [Comparing the AWS STS APIs][2] in the *IAM User
-      # Guide*.
-      #
-      # **Important:** You cannot call `AssumeRole` by using AWS root account
-      # credentials; access is denied. You must use credentials for an IAM
-      # user or an IAM role to call `AssumeRole`.
-      #
-      # For cross-account access, imagine that you own multiple accounts and
-      # need to access resources in each account. You could create long-term
-      # credentials in each account to access those resources. However,
-      # managing all those credentials and remembering which one can access
-      # which account can be time consuming. Instead, you can create one set
-      # of long-term credentials in one account and then use temporary
-      # security credentials to access all the other accounts by assuming
-      # roles in those accounts. For more information about roles, see [IAM
-      # Roles (Delegation and Federation)][3] in the *IAM User Guide*.
-      #
-      # For federation, you can, for example, grant single sign-on access to
-      # the AWS Management Console. If you already have an identity and
-      # authentication system in your corporate network, you don't have to
-      # recreate user identities in AWS in order to grant those user
-      # identities access to AWS. Instead, after a user has been
-      # authenticated, you call `AssumeRole` (and specify the role with the
-      # appropriate permissions) to get temporary security credentials for
-      # that user. With those temporary security credentials, you construct a
-      # sign-in URL that users can use to access the console. For more
-      # information, see [Common Scenarios for Temporary Credentials][4] in
-      # the *IAM User Guide*.
-      #
-      # The temporary security credentials are valid for the duration that you
-      # specified when calling `AssumeRole`, which can be from 900 seconds (15
-      # minutes) to a maximum of 3600 seconds (1 hour). The default is 1 hour.
-      #
-      # The temporary security credentials created by `AssumeRole` can be used
-      # to make API calls to any AWS service with the following exception: you
-      # cannot call the STS service's `GetFederationToken` or
-      # `GetSessionToken` APIs.
-      #
-      # Optionally, you can pass an IAM access policy to this operation. If
-      # you choose not to pass a policy, the temporary security credentials
-      # that are returned by the operation have the permissions that are
-      # defined in the access policy of the role that is being assumed. If you
-      # pass a policy to this operation, the temporary security credentials
-      # that are returned by the operation have the permissions that are
-      # allowed by both the access policy of the role that is being assumed,
-      # <i> <b>and</b> </i> the policy that you pass. This gives you a way to
-      # further restrict the permissions for the resulting temporary security
-      # credentials. You cannot use the passed policy to grant permissions
-      # that are in excess of those allowed by the access policy of the role
-      # that is being assumed. For more information, see [Permissions for
-      # AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity][5] in
-      # the *IAM User Guide*.
-      #
-      # To assume a role, your AWS account must be trusted by the role. The
-      # trust relationship is defined in the role's trust policy when the
-      # role is created. That trust policy states which accounts are allowed
-      # to delegate access to this account's role.
-      #
-      # The user who wants to access the role must also have permissions
-      # delegated from the role's administrator. If the user is in a
-      # different account than the role, then the user's administrator must
-      # attach a policy that allows the user to call AssumeRole on the ARN of
-      # the role in the other account. If the user is in the same account as
-      # the role, then you can either attach a policy to the user (identical
-      # to the previous different account user), or you can add the user as a
-      # principal directly in the role's trust policy
-      #
-      # **Using MFA with AssumeRole**
-      #
-      # You can optionally include multi-factor authentication (MFA)
-      # information when you call `AssumeRole`. This is useful for
-      # cross-account scenarios in which you want to make sure that the user
-      # who is assuming the role has been authenticated using an AWS MFA
-      # device. In that scenario, the trust policy of the role being assumed
-      # includes a condition that tests for MFA authentication; if the caller
-      # does not include valid MFA information, the request to assume the role
-      # is denied. The condition in a trust policy that tests for MFA
-      # authentication might look like the following example.
-      #
-      # `"Condition": \{"Bool": \{"aws:MultiFactorAuthPresent": true\}\}`
-      #
-      # For more information, see [Configuring MFA-Protected API Access][6] in
-      # the *IAM User Guide* guide.
-      #
-      # To use MFA with `AssumeRole`, you pass values for the `SerialNumber`
-      # and `TokenCode` parameters. The `SerialNumber` value identifies the
-      # user's hardware or virtual MFA device. The `TokenCode` is the
-      # time-based one-time password (TOTP) that the MFA devices produces.
-      #
-      #
-      #
-      # [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
-      # [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
-      # [3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/roles-toplevel.html
-      # [4]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html#sts-introduction
-      # [5]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
-      # [6]: http://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html
-      # @option params [required, String] :role_arn
-      #   The Amazon Resource Name (ARN) of the role to assume.
-      # @option params [required, String] :role_session_name
-      #   An identifier for the assumed role session.
-      #
-      #   Use the role session name to uniquely identify a session when the same
-      #   role is assumed by different principals or for different reasons. In
-      #   cross-account scenarios, the role session name is visible to, and can
-      #   be logged by the account that owns the role. The role session name is
-      #   also used in the ARN of the assumed role principal. This means that
-      #   subsequent cross-account API requests using the temporary security
-      #   credentials will expose the role session name to the external account
-      #   in their CloudTrail logs.
-      #
-      #   The format for this parameter, as described by its regex pattern, is a
-      #   string of characters consisting of upper- and lower-case alphanumeric
-      #   characters with no spaces. You can also include underscores or any of
-      #   the following characters: =,.@-
-      # @option params [String] :policy
-      #   An IAM policy in JSON format.
-      #
-      #   This parameter is optional. If you pass a policy, the temporary
-      #   security credentials that are returned by the operation have the
-      #   permissions that are allowed by both (the intersection of) the access
-      #   policy of the role that is being assumed, *and* the policy that you
-      #   pass. This gives you a way to further restrict the permissions for the
-      #   resulting temporary security credentials. You cannot use the passed
-      #   policy to grant permissions that are in excess of those allowed by the
-      #   access policy of the role that is being assumed. For more information,
-      #   see [Permissions for AssumeRole, AssumeRoleWithSAML, and
-      #   AssumeRoleWithWebIdentity][1] in the *IAM User Guide*.
-      #
-      #   The format for this parameter, as described by its regex pattern, is a
-      #   string of characters up to 2048 characters in length. The characters
-      #   can be any ASCII character from the space character to the end of the
-      #   valid character list (\\u0020-\\u00FF). It can also include the tab
-      #   (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
-      #   characters.
-      #
-      #   <note markdown="1"> The policy plain text must be 2048 bytes or shorter. However, an
-      #   internal conversion compresses it into a packed binary format with a
-      #   separate limit. The PackedPolicySize response element indicates by
-      #   percentage how close to the upper size limit the policy is, with 100%
-      #   equaling the maximum allowed size.
-      #
-      #    </note>
-      #
-      #
-      #
-      #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
-      # @option params [Integer] :duration_seconds
-      #   The duration, in seconds, of the role session. The value can range
-      #   from 900 seconds (15 minutes) to 3600 seconds (1 hour). By default,
-      #   the value is set to 3600 seconds.
-      #
-      #   <note markdown="1"> This is separate from the duration of a console session that you might
-      #   request using the returned credentials. The request to the federation
-      #   endpoint for a console sign-in token takes a `SessionDuration`
-      #   parameter that specifies the maximum length of the console session,
-      #   separately from the `DurationSeconds` parameter on this API. For more
-      #   information, see [Creating a URL that Enables Federated Users to
-      #   Access the AWS Management Console][1] in the *IAM User Guide*.
-      #
-      #    </note>
-      #
-      #
-      #
-      #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
-      # @option params [String] :external_id
-      #   A unique identifier that is used by third parties when assuming roles
-      #   in their customers' accounts. For each role that the third party can
-      #   assume, they should instruct their customers to ensure the role's
-      #   trust policy checks for the external ID that the third party
-      #   generated. Each time the third party assumes the role, they should
-      #   pass the customer's external ID. The external ID is useful in order
-      #   to help third parties bind a role to the customer who created it. For
-      #   more information about the external ID, see [How to Use an External ID
-      #   When Granting Access to Your AWS Resources to a Third Party][1] in the
-      #   *IAM User Guide*.
-      #
-      #   The format for this parameter, as described by its regex pattern, is a
-      #   string of characters consisting of upper- and lower-case alphanumeric
-      #   characters with no spaces. You can also include underscores or any of
-      #   the following characters: =,.@:\\/-
-      #
-      #
-      #
-      #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
-      # @option params [String] :serial_number
-      #   The identification number of the MFA device that is associated with
-      #   the user who is making the `AssumeRole` call. Specify this value if
-      #   the trust policy of the role being assumed includes a condition that
-      #   requires MFA authentication. The value is either the serial number for
-      #   a hardware device (such as `GAHT12345678`) or an Amazon Resource Name
-      #   (ARN) for a virtual device (such as
-      #   `arn:aws:iam::123456789012:mfa/user`).
-      #
-      #   The format for this parameter, as described by its regex pattern, is a
-      #   string of characters consisting of upper- and lower-case alphanumeric
-      #   characters with no spaces. You can also include underscores or any of
-      #   the following characters: =,.@-
-      # @option params [String] :token_code
-      #   The value provided by the MFA device, if the trust policy of the role
-      #   being assumed requires MFA (that is, if the policy includes a
-      #   condition that tests for MFA). If the role being assumed requires MFA
-      #   and if the `TokenCode` value is missing or expired, the `AssumeRole`
-      #   call returns an "access denied" error.
-      #
-      #   The format for this parameter, as described by its regex pattern, is a
-      #   sequence of six numeric digits.
-      # @return [Types::AssumeRoleResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
-      #
-      #   * {Types::AssumeRoleResponse#credentials #Credentials} => Types::Credentials
-      #   * {Types::AssumeRoleResponse#assumed_role_user #AssumedRoleUser} => Types::AssumedRoleUser
-      #   * {Types::AssumeRoleResponse#packed_policy_size #PackedPolicySize} => Integer
-      #
-      # @example Request syntax with placeholder values
-      #   resp = client.assume_role({
-      #     role_arn: "arnType", # required
-      #     role_session_name: "roleSessionNameType", # required
-      #     policy: "sessionPolicyDocumentType",
-      #     duration_seconds: 1,
-      #     external_id: "externalIdType",
-      #     serial_number: "serialNumberType",
-      #     token_code: "tokenCodeType",
-      #   })
-      #
-      # @example Response structure
-      #   resp.credentials.access_key_id #=> String
-      #   resp.credentials.secret_access_key #=> String
-      #   resp.credentials.session_token #=> String
-      #   resp.credentials.expiration #=> Time
-      #   resp.assumed_role_user.assumed_role_id #=> String
-      #   resp.assumed_role_user.arn #=> String
-      #   resp.packed_policy_size #=> Integer
-      # @overload assume_role(params = {})
-      # @param [Hash] params ({})
-      def assume_role(params = {}, options = {})
-        req = build_request(:assume_role, params)
-        req.send_request(options)
-      end
+    # @!group API Operations
 
-      # Returns a set of temporary security credentials for users who have
-      # been authenticated via a SAML authentication response. This operation
-      # provides a mechanism for tying an enterprise identity store or
-      # directory to role-based AWS access without user-specific credentials
-      # or configuration. For a comparison of `AssumeRoleWithSAML` with the
-      # other APIs that produce temporary credentials, see [Requesting
-      # Temporary Security Credentials][1] and [Comparing the AWS STS APIs][2]
-      # in the *IAM User Guide*.
-      #
-      # The temporary security credentials returned by this operation consist
-      # of an access key ID, a secret access key, and a security token.
-      # Applications can use these temporary security credentials to sign
-      # calls to AWS services.
-      #
-      # The temporary security credentials are valid for the duration that you
-      # specified when calling `AssumeRole`, or until the time specified in
-      # the SAML authentication response's `SessionNotOnOrAfter` value,
-      # whichever is shorter. The duration can be from 900 seconds (15
-      # minutes) to a maximum of 3600 seconds (1 hour). The default is 1 hour.
-      #
-      # The temporary security credentials created by `AssumeRoleWithSAML` can
-      # be used to make API calls to any AWS service with the following
-      # exception: you cannot call the STS service's `GetFederationToken` or
-      # `GetSessionToken` APIs.
-      #
-      # Optionally, you can pass an IAM access policy to this operation. If
-      # you choose not to pass a policy, the temporary security credentials
-      # that are returned by the operation have the permissions that are
-      # defined in the access policy of the role that is being assumed. If you
-      # pass a policy to this operation, the temporary security credentials
-      # that are returned by the operation have the permissions that are
-      # allowed by the intersection of both the access policy of the role that
-      # is being assumed, <i> <b>and</b> </i> the policy that you pass. This
-      # means that both policies must grant the permission for the action to
-      # be allowed. This gives you a way to further restrict the permissions
-      # for the resulting temporary security credentials. You cannot use the
-      # passed policy to grant permissions that are in excess of those allowed
-      # by the access policy of the role that is being assumed. For more
-      # information, see [Permissions for AssumeRole, AssumeRoleWithSAML, and
-      # AssumeRoleWithWebIdentity][3] in the *IAM User Guide*.
-      #
-      # Before your application can call `AssumeRoleWithSAML`, you must
-      # configure your SAML identity provider (IdP) to issue the claims
-      # required by AWS. Additionally, you must use AWS Identity and Access
-      # Management (IAM) to create a SAML provider entity in your AWS account
-      # that represents your identity provider, and create an IAM role that
-      # specifies this SAML provider in its trust policy.
-      #
-      # Calling `AssumeRoleWithSAML` does not require the use of AWS security
-      # credentials. The identity of the caller is validated by using keys in
-      # the metadata document that is uploaded for the SAML provider entity
-      # for your identity provider.
-      #
-      # Calling `AssumeRoleWithSAML` can result in an entry in your AWS
-      # CloudTrail logs. The entry includes the value in the `NameID` element
-      # of the SAML assertion. We recommend that you use a NameIDType that is
-      # not associated with any personally identifiable information (PII). For
-      # example, you could instead use the Persistent Identifier
-      # (`urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`).
-      #
-      # For more information, see the following resources:
-      #
-      # * [About SAML 2.0-based Federation][4] in the *IAM User Guide*.
-      #
-      # * [Creating SAML Identity Providers][5] in the *IAM User Guide*.
-      #
-      # * [Configuring a Relying Party and Claims][6] in the *IAM User Guide*.
-      #
-      # * [Creating a Role for SAML 2.0 Federation][7] in the *IAM User
-      #   Guide*.
-      #
-      #
-      #
-      # [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
-      # [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
-      # [3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
-      # [4]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
-      # [5]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html
-      # [6]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html
-      # [7]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html
-      # @option params [required, String] :role_arn
-      #   The Amazon Resource Name (ARN) of the role that the caller is
-      #   assuming.
-      # @option params [required, String] :principal_arn
-      #   The Amazon Resource Name (ARN) of the SAML provider in IAM that
-      #   describes the IdP.
-      # @option params [required, String] :saml_assertion
-      #   The base-64 encoded SAML authentication response provided by the IdP.
-      #
-      #   For more information, see [Configuring a Relying Party and Adding
-      #   Claims][1] in the *Using IAM* guide.
-      #
-      #
-      #
-      #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html
-      # @option params [String] :policy
-      #   An IAM policy in JSON format.
-      #
-      #   The policy parameter is optional. If you pass a policy, the temporary
-      #   security credentials that are returned by the operation have the
-      #   permissions that are allowed by both the access policy of the role
-      #   that is being assumed, <i> <b>and</b> </i> the policy that you pass.
-      #   This gives you a way to further restrict the permissions for the
-      #   resulting temporary security credentials. You cannot use the passed
-      #   policy to grant permissions that are in excess of those allowed by the
-      #   access policy of the role that is being assumed. For more information,
-      #   [Permissions for AssumeRole, AssumeRoleWithSAML, and
-      #   AssumeRoleWithWebIdentity][1] in the *IAM User Guide*.
-      #
-      #   The format for this parameter, as described by its regex pattern, is a
-      #   string of characters up to 2048 characters in length. The characters
-      #   can be any ASCII character from the space character to the end of the
-      #   valid character list (\\u0020-\\u00FF). It can also include the tab
-      #   (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
-      #   characters.
-      #
-      #   <note markdown="1"> The policy plain text must be 2048 bytes or shorter. However, an
-      #   internal conversion compresses it into a packed binary format with a
-      #   separate limit. The PackedPolicySize response element indicates by
-      #   percentage how close to the upper size limit the policy is, with 100%
-      #   equaling the maximum allowed size.
-      #
-      #    </note>
-      #
-      #
-      #
-      #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
-      # @option params [Integer] :duration_seconds
-      #   The duration, in seconds, of the role session. The value can range
-      #   from 900 seconds (15 minutes) to 3600 seconds (1 hour). By default,
-      #   the value is set to 3600 seconds. An expiration can also be specified
-      #   in the SAML authentication response's `SessionNotOnOrAfter` value.
-      #   The actual expiration time is whichever value is shorter.
-      #
-      #   <note markdown="1"> This is separate from the duration of a console session that you might
-      #   request using the returned credentials. The request to the federation
-      #   endpoint for a console sign-in token takes a `SessionDuration`
-      #   parameter that specifies the maximum length of the console session,
-      #   separately from the `DurationSeconds` parameter on this API. For more
-      #   information, see [Enabling SAML 2.0 Federated Users to Access the AWS
-      #   Management Console][1] in the *IAM User Guide*.
-      #
-      #    </note>
-      #
-      #
-      #
-      #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html
-      # @return [Types::AssumeRoleWithSAMLResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
-      #
-      #   * {Types::AssumeRoleWithSAMLResponse#credentials #Credentials} => Types::Credentials
-      #   * {Types::AssumeRoleWithSAMLResponse#assumed_role_user #AssumedRoleUser} => Types::AssumedRoleUser
-      #   * {Types::AssumeRoleWithSAMLResponse#packed_policy_size #PackedPolicySize} => Integer
-      #   * {Types::AssumeRoleWithSAMLResponse#subject #Subject} => String
-      #   * {Types::AssumeRoleWithSAMLResponse#subject_type #SubjectType} => String
-      #   * {Types::AssumeRoleWithSAMLResponse#issuer #Issuer} => String
-      #   * {Types::AssumeRoleWithSAMLResponse#audience #Audience} => String
-      #   * {Types::AssumeRoleWithSAMLResponse#name_qualifier #NameQualifier} => String
-      #
-      # @example Request syntax with placeholder values
-      #   resp = client.assume_role_with_saml({
-      #     role_arn: "arnType", # required
-      #     principal_arn: "arnType", # required
-      #     saml_assertion: "SAMLAssertionType", # required
-      #     policy: "sessionPolicyDocumentType",
-      #     duration_seconds: 1,
-      #   })
-      #
-      # @example Response structure
-      #   resp.credentials.access_key_id #=> String
-      #   resp.credentials.secret_access_key #=> String
-      #   resp.credentials.session_token #=> String
-      #   resp.credentials.expiration #=> Time
-      #   resp.assumed_role_user.assumed_role_id #=> String
-      #   resp.assumed_role_user.arn #=> String
-      #   resp.packed_policy_size #=> Integer
-      #   resp.subject #=> String
-      #   resp.subject_type #=> String
-      #   resp.issuer #=> String
-      #   resp.audience #=> String
-      #   resp.name_qualifier #=> String
-      # @overload assume_role_with_saml(params = {})
-      # @param [Hash] params ({})
-      def assume_role_with_saml(params = {}, options = {})
-        req = build_request(:assume_role_with_saml, params)
-        req.send_request(options)
-      end
+    # Returns a set of temporary security credentials (consisting of an
+    # access key ID, a secret access key, and a security token) that you can
+    # use to access AWS resources that you might not normally have access
+    # to. Typically, you use `AssumeRole` for cross-account access or
+    # federation. For a comparison of `AssumeRole` with the other APIs that
+    # produce temporary credentials, see [Requesting Temporary Security
+    # Credentials][1] and [Comparing the AWS STS APIs][2] in the *IAM User
+    # Guide*.
+    #
+    # **Important:** You cannot call `AssumeRole` by using AWS root account
+    # credentials; access is denied. You must use credentials for an IAM
+    # user or an IAM role to call `AssumeRole`.
+    #
+    # For cross-account access, imagine that you own multiple accounts and
+    # need to access resources in each account. You could create long-term
+    # credentials in each account to access those resources. However,
+    # managing all those credentials and remembering which one can access
+    # which account can be time consuming. Instead, you can create one set
+    # of long-term credentials in one account and then use temporary
+    # security credentials to access all the other accounts by assuming
+    # roles in those accounts. For more information about roles, see [IAM
+    # Roles (Delegation and Federation)][3] in the *IAM User Guide*.
+    #
+    # For federation, you can, for example, grant single sign-on access to
+    # the AWS Management Console. If you already have an identity and
+    # authentication system in your corporate network, you don't have to
+    # recreate user identities in AWS in order to grant those user
+    # identities access to AWS. Instead, after a user has been
+    # authenticated, you call `AssumeRole` (and specify the role with the
+    # appropriate permissions) to get temporary security credentials for
+    # that user. With those temporary security credentials, you construct a
+    # sign-in URL that users can use to access the console. For more
+    # information, see [Common Scenarios for Temporary Credentials][4] in
+    # the *IAM User Guide*.
+    #
+    # The temporary security credentials are valid for the duration that you
+    # specified when calling `AssumeRole`, which can be from 900 seconds (15
+    # minutes) to a maximum of 3600 seconds (1 hour). The default is 1 hour.
+    #
+    # The temporary security credentials created by `AssumeRole` can be used
+    # to make API calls to any AWS service with the following exception: you
+    # cannot call the STS service's `GetFederationToken` or
+    # `GetSessionToken` APIs.
+    #
+    # Optionally, you can pass an IAM access policy to this operation. If
+    # you choose not to pass a policy, the temporary security credentials
+    # that are returned by the operation have the permissions that are
+    # defined in the access policy of the role that is being assumed. If you
+    # pass a policy to this operation, the temporary security credentials
+    # that are returned by the operation have the permissions that are
+    # allowed by both the access policy of the role that is being assumed,
+    # <i> <b>and</b> </i> the policy that you pass. This gives you a way to
+    # further restrict the permissions for the resulting temporary security
+    # credentials. You cannot use the passed policy to grant permissions
+    # that are in excess of those allowed by the access policy of the role
+    # that is being assumed. For more information, see [Permissions for
+    # AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity][5] in
+    # the *IAM User Guide*.
+    #
+    # To assume a role, your AWS account must be trusted by the role. The
+    # trust relationship is defined in the role's trust policy when the
+    # role is created. That trust policy states which accounts are allowed
+    # to delegate access to this account's role.
+    #
+    # The user who wants to access the role must also have permissions
+    # delegated from the role's administrator. If the user is in a
+    # different account than the role, then the user's administrator must
+    # attach a policy that allows the user to call AssumeRole on the ARN of
+    # the role in the other account. If the user is in the same account as
+    # the role, then you can either attach a policy to the user (identical
+    # to the previous different account user), or you can add the user as a
+    # principal directly in the role's trust policy
+    #
+    # **Using MFA with AssumeRole**
+    #
+    # You can optionally include multi-factor authentication (MFA)
+    # information when you call `AssumeRole`. This is useful for
+    # cross-account scenarios in which you want to make sure that the user
+    # who is assuming the role has been authenticated using an AWS MFA
+    # device. In that scenario, the trust policy of the role being assumed
+    # includes a condition that tests for MFA authentication; if the caller
+    # does not include valid MFA information, the request to assume the role
+    # is denied. The condition in a trust policy that tests for MFA
+    # authentication might look like the following example.
+    #
+    # `"Condition": \{"Bool": \{"aws:MultiFactorAuthPresent": true\}\}`
+    #
+    # For more information, see [Configuring MFA-Protected API Access][6] in
+    # the *IAM User Guide* guide.
+    #
+    # To use MFA with `AssumeRole`, you pass values for the `SerialNumber`
+    # and `TokenCode` parameters. The `SerialNumber` value identifies the
+    # user's hardware or virtual MFA device. The `TokenCode` is the
+    # time-based one-time password (TOTP) that the MFA devices produces.
+    #
+    #
+    #
+    # [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
+    # [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
+    # [3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/roles-toplevel.html
+    # [4]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html#sts-introduction
+    # [5]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
+    # [6]: http://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html
+    #
+    # @option params [required, String] :role_arn
+    #   The Amazon Resource Name (ARN) of the role to assume.
+    #
+    # @option params [required, String] :role_session_name
+    #   An identifier for the assumed role session.
+    #
+    #   Use the role session name to uniquely identify a session when the same
+    #   role is assumed by different principals or for different reasons. In
+    #   cross-account scenarios, the role session name is visible to, and can
+    #   be logged by the account that owns the role. The role session name is
+    #   also used in the ARN of the assumed role principal. This means that
+    #   subsequent cross-account API requests using the temporary security
+    #   credentials will expose the role session name to the external account
+    #   in their CloudTrail logs.
+    #
+    #   The regex used to validate this parameter is a string of characters
+    #   consisting of upper- and lower-case alphanumeric characters with no
+    #   spaces. You can also include underscores or any of the following
+    #   characters: =,.@-
+    #
+    # @option params [String] :policy
+    #   An IAM policy in JSON format.
+    #
+    #   This parameter is optional. If you pass a policy, the temporary
+    #   security credentials that are returned by the operation have the
+    #   permissions that are allowed by both (the intersection of) the access
+    #   policy of the role that is being assumed, *and* the policy that you
+    #   pass. This gives you a way to further restrict the permissions for the
+    #   resulting temporary security credentials. You cannot use the passed
+    #   policy to grant permissions that are in excess of those allowed by the
+    #   access policy of the role that is being assumed. For more information,
+    #   see [Permissions for AssumeRole, AssumeRoleWithSAML, and
+    #   AssumeRoleWithWebIdentity][1] in the *IAM User Guide*.
+    #
+    #   The format for this parameter, as described by its regex pattern, is a
+    #   string of characters up to 2048 characters in length. The characters
+    #   can be any ASCII character from the space character to the end of the
+    #   valid character list (\\u0020-\\u00FF). It can also include the tab
+    #   (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
+    #   characters.
+    #
+    #   <note markdown="1"> The policy plain text must be 2048 bytes or shorter. However, an
+    #   internal conversion compresses it into a packed binary format with a
+    #   separate limit. The PackedPolicySize response element indicates by
+    #   percentage how close to the upper size limit the policy is, with 100%
+    #   equaling the maximum allowed size.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
+    #
+    # @option params [Integer] :duration_seconds
+    #   The duration, in seconds, of the role session. The value can range
+    #   from 900 seconds (15 minutes) to 3600 seconds (1 hour). By default,
+    #   the value is set to 3600 seconds.
+    #
+    #   <note markdown="1"> This is separate from the duration of a console session that you might
+    #   request using the returned credentials. The request to the federation
+    #   endpoint for a console sign-in token takes a `SessionDuration`
+    #   parameter that specifies the maximum length of the console session,
+    #   separately from the `DurationSeconds` parameter on this API. For more
+    #   information, see [Creating a URL that Enables Federated Users to
+    #   Access the AWS Management Console][1] in the *IAM User Guide*.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
+    #
+    # @option params [String] :external_id
+    #   A unique identifier that is used by third parties when assuming roles
+    #   in their customers' accounts. For each role that the third party can
+    #   assume, they should instruct their customers to ensure the role's
+    #   trust policy checks for the external ID that the third party
+    #   generated. Each time the third party assumes the role, they should
+    #   pass the customer's external ID. The external ID is useful in order
+    #   to help third parties bind a role to the customer who created it. For
+    #   more information about the external ID, see [How to Use an External ID
+    #   When Granting Access to Your AWS Resources to a Third Party][1] in the
+    #   *IAM User Guide*.
+    #
+    #   The regex used to validated this parameter is a string of characters
+    #   consisting of upper- and lower-case alphanumeric characters with no
+    #   spaces. You can also include underscores or any of the following
+    #   characters: =,.@:\\/-
+    #
+    #
+    #
+    #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
+    #
+    # @option params [String] :serial_number
+    #   The identification number of the MFA device that is associated with
+    #   the user who is making the `AssumeRole` call. Specify this value if
+    #   the trust policy of the role being assumed includes a condition that
+    #   requires MFA authentication. The value is either the serial number for
+    #   a hardware device (such as `GAHT12345678`) or an Amazon Resource Name
+    #   (ARN) for a virtual device (such as
+    #   `arn:aws:iam::123456789012:mfa/user`).
+    #
+    #   The regex used to validate this parameter is a string of characters
+    #   consisting of upper- and lower-case alphanumeric characters with no
+    #   spaces. You can also include underscores or any of the following
+    #   characters: =,.@-
+    #
+    # @option params [String] :token_code
+    #   The value provided by the MFA device, if the trust policy of the role
+    #   being assumed requires MFA (that is, if the policy includes a
+    #   condition that tests for MFA). If the role being assumed requires MFA
+    #   and if the `TokenCode` value is missing or expired, the `AssumeRole`
+    #   call returns an "access denied" error.
+    #
+    #   The format for this parameter, as described by its regex pattern, is a
+    #   sequence of six numeric digits.
+    #
+    # @return [Types::AssumeRoleResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::AssumeRoleResponse#credentials #credentials} => Types::Credentials
+    #   * {Types::AssumeRoleResponse#assumed_role_user #assumed_role_user} => Types::AssumedRoleUser
+    #   * {Types::AssumeRoleResponse#packed_policy_size #packed_policy_size} => Integer
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.assume_role({
+    #     role_arn: "arnType", # required
+    #     role_session_name: "roleSessionNameType", # required
+    #     policy: "sessionPolicyDocumentType",
+    #     duration_seconds: 1,
+    #     external_id: "externalIdType",
+    #     serial_number: "serialNumberType",
+    #     token_code: "tokenCodeType",
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.credentials.access_key_id #=> String
+    #   resp.credentials.secret_access_key #=> String
+    #   resp.credentials.session_token #=> String
+    #   resp.credentials.expiration #=> Time
+    #   resp.assumed_role_user.assumed_role_id #=> String
+    #   resp.assumed_role_user.arn #=> String
+    #   resp.packed_policy_size #=> Integer
+    #
+    # @overload assume_role(params = {})
+    # @param [Hash] params ({})
+    def assume_role(params = {}, options = {})
+      req = build_request(:assume_role, params)
+      req.send_request(options)
+    end
 
-      # Returns a set of temporary security credentials for users who have
-      # been authenticated in a mobile or web application with a web identity
-      # provider, such as Amazon Cognito, Login with Amazon, Facebook, Google,
-      # or any OpenID Connect-compatible identity provider.
-      #
-      # <note markdown="1"> For mobile applications, we recommend that you use Amazon Cognito. You
-      # can use Amazon Cognito with the [AWS SDK for iOS][1] and the [AWS SDK
-      # for Android][2] to uniquely identify a user and supply the user with a
-      # consistent identity throughout the lifetime of an application.
-      #
-      #  To learn more about Amazon Cognito, see [Amazon Cognito Overview][3]
-      # in the *AWS SDK for Android Developer Guide* guide and [Amazon Cognito
-      # Overview][4] in the *AWS SDK for iOS Developer Guide*.
-      #
-      #  </note>
-      #
-      # Calling `AssumeRoleWithWebIdentity` does not require the use of AWS
-      # security credentials. Therefore, you can distribute an application
-      # (for example, on mobile devices) that requests temporary security
-      # credentials without including long-term AWS credentials in the
-      # application, and without deploying server-based proxy services that
-      # use long-term AWS credentials. Instead, the identity of the caller is
-      # validated by using a token from the web identity provider. For a
-      # comparison of `AssumeRoleWithWebIdentity` with the other APIs that
-      # produce temporary credentials, see [Requesting Temporary Security
-      # Credentials][5] and [Comparing the AWS STS APIs][6] in the *IAM User
-      # Guide*.
-      #
-      # The temporary security credentials returned by this API consist of an
-      # access key ID, a secret access key, and a security token. Applications
-      # can use these temporary security credentials to sign calls to AWS
-      # service APIs.
-      #
-      # The credentials are valid for the duration that you specified when
-      # calling `AssumeRoleWithWebIdentity`, which can be from 900 seconds (15
-      # minutes) to a maximum of 3600 seconds (1 hour). The default is 1 hour.
-      #
-      # The temporary security credentials created by
-      # `AssumeRoleWithWebIdentity` can be used to make API calls to any AWS
-      # service with the following exception: you cannot call the STS
-      # service's `GetFederationToken` or `GetSessionToken` APIs.
-      #
-      # Optionally, you can pass an IAM access policy to this operation. If
-      # you choose not to pass a policy, the temporary security credentials
-      # that are returned by the operation have the permissions that are
-      # defined in the access policy of the role that is being assumed. If you
-      # pass a policy to this operation, the temporary security credentials
-      # that are returned by the operation have the permissions that are
-      # allowed by both the access policy of the role that is being assumed,
-      # <i> <b>and</b> </i> the policy that you pass. This gives you a way to
-      # further restrict the permissions for the resulting temporary security
-      # credentials. You cannot use the passed policy to grant permissions
-      # that are in excess of those allowed by the access policy of the role
-      # that is being assumed. For more information, see [Permissions for
-      # AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity][7] in
-      # the *IAM User Guide*.
-      #
-      # Before your application can call `AssumeRoleWithWebIdentity`, you must
-      # have an identity token from a supported identity provider and create a
-      # role that the application can assume. The role that your application
-      # assumes must trust the identity provider that is associated with the
-      # identity token. In other words, the identity provider must be
-      # specified in the role's trust policy.
-      #
-      # Calling `AssumeRoleWithWebIdentity` can result in an entry in your AWS
-      # CloudTrail logs. The entry includes the [Subject][8] of the provided
-      # Web Identity Token. We recommend that you avoid using any personally
-      # identifiable information (PII) in this field. For example, you could
-      # instead use a GUID or a pairwise identifier, as [suggested in the OIDC
-      # specification][9].
-      #
-      # For more information about how to use web identity federation and the
-      # `AssumeRoleWithWebIdentity` API, see the following resources:
-      #
-      # * [Using Web Identity Federation APIs for Mobile Apps][10] and
-      #   [Federation Through a Web-based Identity Provider][11].
-      #
-      # * [ Web Identity Federation Playground][12]. This interactive website
-      #   lets you walk through the process of authenticating via Login with
-      #   Amazon, Facebook, or Google, getting temporary security credentials,
-      #   and then using those credentials to make a request to AWS.
-      #
-      # * [AWS SDK for iOS][1] and [AWS SDK for Android][2]. These toolkits
-      #   contain sample apps that show how to invoke the identity providers,
-      #   and then how to use the information from these providers to get and
-      #   use temporary security credentials.
-      #
-      # * [Web Identity Federation with Mobile Applications][13]. This article
-      #   discusses web identity federation and shows an example of how to use
-      #   web identity federation to get access to content in Amazon S3.
-      #
-      #
-      #
-      # [1]: http://aws.amazon.com/sdkforios/
-      # [2]: http://aws.amazon.com/sdkforandroid/
-      # [3]: http://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840
-      # [4]: http://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664
-      # [5]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
-      # [6]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
-      # [7]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
-      # [8]: http://openid.net/specs/openid-connect-core-1_0.html#Claims
-      # [9]: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
-      # [10]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html
-      # [11]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
-      # [12]: https://web-identity-federation-playground.s3.amazonaws.com/index.html
-      # [13]: http://aws.amazon.com/articles/4617974389850313
-      # @option params [required, String] :role_arn
-      #   The Amazon Resource Name (ARN) of the role that the caller is
-      #   assuming.
-      # @option params [required, String] :role_session_name
-      #   An identifier for the assumed role session. Typically, you pass the
-      #   name or identifier that is associated with the user who is using your
-      #   application. That way, the temporary security credentials that your
-      #   application will use are associated with that user. This session name
-      #   is included as part of the ARN and assumed role ID in the
-      #   `AssumedRoleUser` response element.
-      #
-      #   The format for this parameter, as described by its regex pattern, is a
-      #   string of characters consisting of upper- and lower-case alphanumeric
-      #   characters with no spaces. You can also include underscores or any of
-      #   the following characters: =,.@-
-      # @option params [required, String] :web_identity_token
-      #   The OAuth 2.0 access token or OpenID Connect ID token that is provided
-      #   by the identity provider. Your application must get this token by
-      #   authenticating the user who is using your application with a web
-      #   identity provider before the application makes an
-      #   `AssumeRoleWithWebIdentity` call.
-      # @option params [String] :provider_id
-      #   The fully qualified host component of the domain name of the identity
-      #   provider.
-      #
-      #   Specify this value only for OAuth 2.0 access tokens. Currently
-      #   `www.amazon.com` and `graph.facebook.com` are the only supported
-      #   identity providers for OAuth 2.0 access tokens. Do not include URL
-      #   schemes and port numbers.
-      #
-      #   Do not specify this value for OpenID Connect ID tokens.
-      # @option params [String] :policy
-      #   An IAM policy in JSON format.
-      #
-      #   The policy parameter is optional. If you pass a policy, the temporary
-      #   security credentials that are returned by the operation have the
-      #   permissions that are allowed by both the access policy of the role
-      #   that is being assumed, <i> <b>and</b> </i> the policy that you pass.
-      #   This gives you a way to further restrict the permissions for the
-      #   resulting temporary security credentials. You cannot use the passed
-      #   policy to grant permissions that are in excess of those allowed by the
-      #   access policy of the role that is being assumed. For more information,
-      #   see [Permissions for AssumeRoleWithWebIdentity][1] in the *IAM User
-      #   Guide*.
-      #
-      #   The format for this parameter, as described by its regex pattern, is a
-      #   string of characters up to 2048 characters in length. The characters
-      #   can be any ASCII character from the space character to the end of the
-      #   valid character list (\\u0020-\\u00FF). It can also include the tab
-      #   (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
-      #   characters.
-      #
-      #   <note markdown="1"> The policy plain text must be 2048 bytes or shorter. However, an
-      #   internal conversion compresses it into a packed binary format with a
-      #   separate limit. The PackedPolicySize response element indicates by
-      #   percentage how close to the upper size limit the policy is, with 100%
-      #   equaling the maximum allowed size.
-      #
-      #    </note>
-      #
-      #
-      #
-      #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
-      # @option params [Integer] :duration_seconds
-      #   The duration, in seconds, of the role session. The value can range
-      #   from 900 seconds (15 minutes) to 3600 seconds (1 hour). By default,
-      #   the value is set to 3600 seconds.
-      #
-      #   <note markdown="1"> This is separate from the duration of a console session that you might
-      #   request using the returned credentials. The request to the federation
-      #   endpoint for a console sign-in token takes a `SessionDuration`
-      #   parameter that specifies the maximum length of the console session,
-      #   separately from the `DurationSeconds` parameter on this API. For more
-      #   information, see [Creating a URL that Enables Federated Users to
-      #   Access the AWS Management Console][1] in the *IAM User Guide*.
-      #
-      #    </note>
-      #
-      #
-      #
-      #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
-      # @return [Types::AssumeRoleWithWebIdentityResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
-      #
-      #   * {Types::AssumeRoleWithWebIdentityResponse#credentials #Credentials} => Types::Credentials
-      #   * {Types::AssumeRoleWithWebIdentityResponse#subject_from_web_identity_token #SubjectFromWebIdentityToken} => String
-      #   * {Types::AssumeRoleWithWebIdentityResponse#assumed_role_user #AssumedRoleUser} => Types::AssumedRoleUser
-      #   * {Types::AssumeRoleWithWebIdentityResponse#packed_policy_size #PackedPolicySize} => Integer
-      #   * {Types::AssumeRoleWithWebIdentityResponse#provider #Provider} => String
-      #   * {Types::AssumeRoleWithWebIdentityResponse#audience #Audience} => String
-      #
-      # @example Request syntax with placeholder values
-      #   resp = client.assume_role_with_web_identity({
-      #     role_arn: "arnType", # required
-      #     role_session_name: "roleSessionNameType", # required
-      #     web_identity_token: "clientTokenType", # required
-      #     provider_id: "urlType",
-      #     policy: "sessionPolicyDocumentType",
-      #     duration_seconds: 1,
-      #   })
-      #
-      # @example Response structure
-      #   resp.credentials.access_key_id #=> String
-      #   resp.credentials.secret_access_key #=> String
-      #   resp.credentials.session_token #=> String
-      #   resp.credentials.expiration #=> Time
-      #   resp.subject_from_web_identity_token #=> String
-      #   resp.assumed_role_user.assumed_role_id #=> String
-      #   resp.assumed_role_user.arn #=> String
-      #   resp.packed_policy_size #=> Integer
-      #   resp.provider #=> String
-      #   resp.audience #=> String
-      # @overload assume_role_with_web_identity(params = {})
-      # @param [Hash] params ({})
-      def assume_role_with_web_identity(params = {}, options = {})
-        req = build_request(:assume_role_with_web_identity, params)
-        req.send_request(options)
-      end
+    # Returns a set of temporary security credentials for users who have
+    # been authenticated via a SAML authentication response. This operation
+    # provides a mechanism for tying an enterprise identity store or
+    # directory to role-based AWS access without user-specific credentials
+    # or configuration. For a comparison of `AssumeRoleWithSAML` with the
+    # other APIs that produce temporary credentials, see [Requesting
+    # Temporary Security Credentials][1] and [Comparing the AWS STS APIs][2]
+    # in the *IAM User Guide*.
+    #
+    # The temporary security credentials returned by this operation consist
+    # of an access key ID, a secret access key, and a security token.
+    # Applications can use these temporary security credentials to sign
+    # calls to AWS services.
+    #
+    # The temporary security credentials are valid for the duration that you
+    # specified when calling `AssumeRole`, or until the time specified in
+    # the SAML authentication response's `SessionNotOnOrAfter` value,
+    # whichever is shorter. The duration can be from 900 seconds (15
+    # minutes) to a maximum of 3600 seconds (1 hour). The default is 1 hour.
+    #
+    # The temporary security credentials created by `AssumeRoleWithSAML` can
+    # be used to make API calls to any AWS service with the following
+    # exception: you cannot call the STS service's `GetFederationToken` or
+    # `GetSessionToken` APIs.
+    #
+    # Optionally, you can pass an IAM access policy to this operation. If
+    # you choose not to pass a policy, the temporary security credentials
+    # that are returned by the operation have the permissions that are
+    # defined in the access policy of the role that is being assumed. If you
+    # pass a policy to this operation, the temporary security credentials
+    # that are returned by the operation have the permissions that are
+    # allowed by the intersection of both the access policy of the role that
+    # is being assumed, <i> <b>and</b> </i> the policy that you pass. This
+    # means that both policies must grant the permission for the action to
+    # be allowed. This gives you a way to further restrict the permissions
+    # for the resulting temporary security credentials. You cannot use the
+    # passed policy to grant permissions that are in excess of those allowed
+    # by the access policy of the role that is being assumed. For more
+    # information, see [Permissions for AssumeRole, AssumeRoleWithSAML, and
+    # AssumeRoleWithWebIdentity][3] in the *IAM User Guide*.
+    #
+    # Before your application can call `AssumeRoleWithSAML`, you must
+    # configure your SAML identity provider (IdP) to issue the claims
+    # required by AWS. Additionally, you must use AWS Identity and Access
+    # Management (IAM) to create a SAML provider entity in your AWS account
+    # that represents your identity provider, and create an IAM role that
+    # specifies this SAML provider in its trust policy.
+    #
+    # Calling `AssumeRoleWithSAML` does not require the use of AWS security
+    # credentials. The identity of the caller is validated by using keys in
+    # the metadata document that is uploaded for the SAML provider entity
+    # for your identity provider.
+    #
+    # Calling `AssumeRoleWithSAML` can result in an entry in your AWS
+    # CloudTrail logs. The entry includes the value in the `NameID` element
+    # of the SAML assertion. We recommend that you use a NameIDType that is
+    # not associated with any personally identifiable information (PII). For
+    # example, you could instead use the Persistent Identifier
+    # (`urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`).
+    #
+    # For more information, see the following resources:
+    #
+    # * [About SAML 2.0-based Federation][4] in the *IAM User Guide*.
+    #
+    # * [Creating SAML Identity Providers][5] in the *IAM User Guide*.
+    #
+    # * [Configuring a Relying Party and Claims][6] in the *IAM User Guide*.
+    #
+    # * [Creating a Role for SAML 2.0 Federation][7] in the *IAM User
+    #   Guide*.
+    #
+    #
+    #
+    # [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
+    # [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
+    # [3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
+    # [4]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
+    # [5]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html
+    # [6]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html
+    # [7]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html
+    #
+    # @option params [required, String] :role_arn
+    #   The Amazon Resource Name (ARN) of the role that the caller is
+    #   assuming.
+    #
+    # @option params [required, String] :principal_arn
+    #   The Amazon Resource Name (ARN) of the SAML provider in IAM that
+    #   describes the IdP.
+    #
+    # @option params [required, String] :saml_assertion
+    #   The base-64 encoded SAML authentication response provided by the IdP.
+    #
+    #   For more information, see [Configuring a Relying Party and Adding
+    #   Claims][1] in the *Using IAM* guide.
+    #
+    #
+    #
+    #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html
+    #
+    # @option params [String] :policy
+    #   An IAM policy in JSON format.
+    #
+    #   The policy parameter is optional. If you pass a policy, the temporary
+    #   security credentials that are returned by the operation have the
+    #   permissions that are allowed by both the access policy of the role
+    #   that is being assumed, <i> <b>and</b> </i> the policy that you pass.
+    #   This gives you a way to further restrict the permissions for the
+    #   resulting temporary security credentials. You cannot use the passed
+    #   policy to grant permissions that are in excess of those allowed by the
+    #   access policy of the role that is being assumed. For more information,
+    #   [Permissions for AssumeRole, AssumeRoleWithSAML, and
+    #   AssumeRoleWithWebIdentity][1] in the *IAM User Guide*.
+    #
+    #   The format for this parameter, as described by its regex pattern, is a
+    #   string of characters up to 2048 characters in length. The characters
+    #   can be any ASCII character from the space character to the end of the
+    #   valid character list (\\u0020-\\u00FF). It can also include the tab
+    #   (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
+    #   characters.
+    #
+    #   <note markdown="1"> The policy plain text must be 2048 bytes or shorter. However, an
+    #   internal conversion compresses it into a packed binary format with a
+    #   separate limit. The PackedPolicySize response element indicates by
+    #   percentage how close to the upper size limit the policy is, with 100%
+    #   equaling the maximum allowed size.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
+    #
+    # @option params [Integer] :duration_seconds
+    #   The duration, in seconds, of the role session. The value can range
+    #   from 900 seconds (15 minutes) to 3600 seconds (1 hour). By default,
+    #   the value is set to 3600 seconds. An expiration can also be specified
+    #   in the SAML authentication response's `SessionNotOnOrAfter` value.
+    #   The actual expiration time is whichever value is shorter.
+    #
+    #   <note markdown="1"> This is separate from the duration of a console session that you might
+    #   request using the returned credentials. The request to the federation
+    #   endpoint for a console sign-in token takes a `SessionDuration`
+    #   parameter that specifies the maximum length of the console session,
+    #   separately from the `DurationSeconds` parameter on this API. For more
+    #   information, see [Enabling SAML 2.0 Federated Users to Access the AWS
+    #   Management Console][1] in the *IAM User Guide*.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html
+    #
+    # @return [Types::AssumeRoleWithSAMLResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::AssumeRoleWithSAMLResponse#credentials #credentials} => Types::Credentials
+    #   * {Types::AssumeRoleWithSAMLResponse#assumed_role_user #assumed_role_user} => Types::AssumedRoleUser
+    #   * {Types::AssumeRoleWithSAMLResponse#packed_policy_size #packed_policy_size} => Integer
+    #   * {Types::AssumeRoleWithSAMLResponse#subject #subject} => String
+    #   * {Types::AssumeRoleWithSAMLResponse#subject_type #subject_type} => String
+    #   * {Types::AssumeRoleWithSAMLResponse#issuer #issuer} => String
+    #   * {Types::AssumeRoleWithSAMLResponse#audience #audience} => String
+    #   * {Types::AssumeRoleWithSAMLResponse#name_qualifier #name_qualifier} => String
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.assume_role_with_saml({
+    #     role_arn: "arnType", # required
+    #     principal_arn: "arnType", # required
+    #     saml_assertion: "SAMLAssertionType", # required
+    #     policy: "sessionPolicyDocumentType",
+    #     duration_seconds: 1,
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.credentials.access_key_id #=> String
+    #   resp.credentials.secret_access_key #=> String
+    #   resp.credentials.session_token #=> String
+    #   resp.credentials.expiration #=> Time
+    #   resp.assumed_role_user.assumed_role_id #=> String
+    #   resp.assumed_role_user.arn #=> String
+    #   resp.packed_policy_size #=> Integer
+    #   resp.subject #=> String
+    #   resp.subject_type #=> String
+    #   resp.issuer #=> String
+    #   resp.audience #=> String
+    #   resp.name_qualifier #=> String
+    #
+    # @overload assume_role_with_saml(params = {})
+    # @param [Hash] params ({})
+    def assume_role_with_saml(params = {}, options = {})
+      req = build_request(:assume_role_with_saml, params)
+      req.send_request(options)
+    end
 
-      # Decodes additional information about the authorization status of a
-      # request from an encoded message returned in response to an AWS
-      # request.
-      #
-      # For example, if a user is not authorized to perform an action that he
-      # or she has requested, the request returns a
-      # `Client.UnauthorizedOperation` response (an HTTP 403 response). Some
-      # AWS actions additionally return an encoded message that can provide
-      # details about this authorization failure.
-      #
-      # <note markdown="1"> Only certain AWS actions return an encoded authorization message. The
-      # documentation for an individual action indicates whether that action
-      # returns an encoded message in addition to returning an HTTP code.
-      #
-      #  </note>
-      #
-      # The message is encoded because the details of the authorization status
-      # can constitute privileged information that the user who requested the
-      # action should not see. To decode an authorization status message, a
-      # user must be granted permissions via an IAM policy to request the
-      # `DecodeAuthorizationMessage` (`sts:DecodeAuthorizationMessage`)
-      # action.
-      #
-      # The decoded message includes the following type of information:
-      #
-      # * Whether the request was denied due to an explicit deny or due to the
-      #   absence of an explicit allow. For more information, see [Determining
-      #   Whether a Request is Allowed or Denied][1] in the *IAM User Guide*.
-      #
-      # * The principal who made the request.
-      #
-      # * The requested action.
-      #
-      # * The requested resource.
-      #
-      # * The values of condition keys in the context of the user's request.
-      #
-      #
-      #
-      # [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow
-      # @option params [required, String] :encoded_message
-      #   The encoded message that was returned with the response.
-      # @return [Types::DecodeAuthorizationMessageResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
-      #
-      #   * {Types::DecodeAuthorizationMessageResponse#decoded_message #DecodedMessage} => String
-      #
-      # @example Request syntax with placeholder values
-      #   resp = client.decode_authorization_message({
-      #     encoded_message: "encodedMessageType", # required
-      #   })
-      #
-      # @example Response structure
-      #   resp.decoded_message #=> String
-      # @overload decode_authorization_message(params = {})
-      # @param [Hash] params ({})
-      def decode_authorization_message(params = {}, options = {})
-        req = build_request(:decode_authorization_message, params)
-        req.send_request(options)
-      end
+    # Returns a set of temporary security credentials for users who have
+    # been authenticated in a mobile or web application with a web identity
+    # provider, such as Amazon Cognito, Login with Amazon, Facebook, Google,
+    # or any OpenID Connect-compatible identity provider.
+    #
+    # <note markdown="1"> For mobile applications, we recommend that you use Amazon Cognito. You
+    # can use Amazon Cognito with the [AWS SDK for iOS][1] and the [AWS SDK
+    # for Android][2] to uniquely identify a user and supply the user with a
+    # consistent identity throughout the lifetime of an application.
+    #
+    #  To learn more about Amazon Cognito, see [Amazon Cognito Overview][3]
+    # in the *AWS SDK for Android Developer Guide* guide and [Amazon Cognito
+    # Overview][4] in the *AWS SDK for iOS Developer Guide*.
+    #
+    #  </note>
+    #
+    # Calling `AssumeRoleWithWebIdentity` does not require the use of AWS
+    # security credentials. Therefore, you can distribute an application
+    # (for example, on mobile devices) that requests temporary security
+    # credentials without including long-term AWS credentials in the
+    # application, and without deploying server-based proxy services that
+    # use long-term AWS credentials. Instead, the identity of the caller is
+    # validated by using a token from the web identity provider. For a
+    # comparison of `AssumeRoleWithWebIdentity` with the other APIs that
+    # produce temporary credentials, see [Requesting Temporary Security
+    # Credentials][5] and [Comparing the AWS STS APIs][6] in the *IAM User
+    # Guide*.
+    #
+    # The temporary security credentials returned by this API consist of an
+    # access key ID, a secret access key, and a security token. Applications
+    # can use these temporary security credentials to sign calls to AWS
+    # service APIs.
+    #
+    # The credentials are valid for the duration that you specified when
+    # calling `AssumeRoleWithWebIdentity`, which can be from 900 seconds (15
+    # minutes) to a maximum of 3600 seconds (1 hour). The default is 1 hour.
+    #
+    # The temporary security credentials created by
+    # `AssumeRoleWithWebIdentity` can be used to make API calls to any AWS
+    # service with the following exception: you cannot call the STS
+    # service's `GetFederationToken` or `GetSessionToken` APIs.
+    #
+    # Optionally, you can pass an IAM access policy to this operation. If
+    # you choose not to pass a policy, the temporary security credentials
+    # that are returned by the operation have the permissions that are
+    # defined in the access policy of the role that is being assumed. If you
+    # pass a policy to this operation, the temporary security credentials
+    # that are returned by the operation have the permissions that are
+    # allowed by both the access policy of the role that is being assumed,
+    # <i> <b>and</b> </i> the policy that you pass. This gives you a way to
+    # further restrict the permissions for the resulting temporary security
+    # credentials. You cannot use the passed policy to grant permissions
+    # that are in excess of those allowed by the access policy of the role
+    # that is being assumed. For more information, see [Permissions for
+    # AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity][7] in
+    # the *IAM User Guide*.
+    #
+    # Before your application can call `AssumeRoleWithWebIdentity`, you must
+    # have an identity token from a supported identity provider and create a
+    # role that the application can assume. The role that your application
+    # assumes must trust the identity provider that is associated with the
+    # identity token. In other words, the identity provider must be
+    # specified in the role's trust policy.
+    #
+    # Calling `AssumeRoleWithWebIdentity` can result in an entry in your AWS
+    # CloudTrail logs. The entry includes the [Subject][8] of the provided
+    # Web Identity Token. We recommend that you avoid using any personally
+    # identifiable information (PII) in this field. For example, you could
+    # instead use a GUID or a pairwise identifier, as [suggested in the OIDC
+    # specification][9].
+    #
+    # For more information about how to use web identity federation and the
+    # `AssumeRoleWithWebIdentity` API, see the following resources:
+    #
+    # * [Using Web Identity Federation APIs for Mobile Apps][10] and
+    #   [Federation Through a Web-based Identity Provider][11].
+    #
+    # * [ Web Identity Federation Playground][12]. This interactive website
+    #   lets you walk through the process of authenticating via Login with
+    #   Amazon, Facebook, or Google, getting temporary security credentials,
+    #   and then using those credentials to make a request to AWS.
+    #
+    # * [AWS SDK for iOS][1] and [AWS SDK for Android][2]. These toolkits
+    #   contain sample apps that show how to invoke the identity providers,
+    #   and then how to use the information from these providers to get and
+    #   use temporary security credentials.
+    #
+    # * [Web Identity Federation with Mobile Applications][13]. This article
+    #   discusses web identity federation and shows an example of how to use
+    #   web identity federation to get access to content in Amazon S3.
+    #
+    #
+    #
+    # [1]: http://aws.amazon.com/sdkforios/
+    # [2]: http://aws.amazon.com/sdkforandroid/
+    # [3]: http://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840
+    # [4]: http://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664
+    # [5]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
+    # [6]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
+    # [7]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
+    # [8]: http://openid.net/specs/openid-connect-core-1_0.html#Claims
+    # [9]: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
+    # [10]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html
+    # [11]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
+    # [12]: https://web-identity-federation-playground.s3.amazonaws.com/index.html
+    # [13]: http://aws.amazon.com/articles/4617974389850313
+    #
+    # @option params [required, String] :role_arn
+    #   The Amazon Resource Name (ARN) of the role that the caller is
+    #   assuming.
+    #
+    # @option params [required, String] :role_session_name
+    #   An identifier for the assumed role session. Typically, you pass the
+    #   name or identifier that is associated with the user who is using your
+    #   application. That way, the temporary security credentials that your
+    #   application will use are associated with that user. This session name
+    #   is included as part of the ARN and assumed role ID in the
+    #   `AssumedRoleUser` response element.
+    #
+    #   The regex used to validate this parameter is a string of characters
+    #   consisting of upper- and lower-case alphanumeric characters with no
+    #   spaces. You can also include underscores or any of the following
+    #   characters: =,.@-
+    #
+    # @option params [required, String] :web_identity_token
+    #   The OAuth 2.0 access token or OpenID Connect ID token that is provided
+    #   by the identity provider. Your application must get this token by
+    #   authenticating the user who is using your application with a web
+    #   identity provider before the application makes an
+    #   `AssumeRoleWithWebIdentity` call.
+    #
+    # @option params [String] :provider_id
+    #   The fully qualified host component of the domain name of the identity
+    #   provider.
+    #
+    #   Specify this value only for OAuth 2.0 access tokens. Currently
+    #   `www.amazon.com` and `graph.facebook.com` are the only supported
+    #   identity providers for OAuth 2.0 access tokens. Do not include URL
+    #   schemes and port numbers.
+    #
+    #   Do not specify this value for OpenID Connect ID tokens.
+    #
+    # @option params [String] :policy
+    #   An IAM policy in JSON format.
+    #
+    #   The policy parameter is optional. If you pass a policy, the temporary
+    #   security credentials that are returned by the operation have the
+    #   permissions that are allowed by both the access policy of the role
+    #   that is being assumed, <i> <b>and</b> </i> the policy that you pass.
+    #   This gives you a way to further restrict the permissions for the
+    #   resulting temporary security credentials. You cannot use the passed
+    #   policy to grant permissions that are in excess of those allowed by the
+    #   access policy of the role that is being assumed. For more information,
+    #   see [Permissions for AssumeRoleWithWebIdentity][1] in the *IAM User
+    #   Guide*.
+    #
+    #   The format for this parameter, as described by its regex pattern, is a
+    #   string of characters up to 2048 characters in length. The characters
+    #   can be any ASCII character from the space character to the end of the
+    #   valid character list (\\u0020-\\u00FF). It can also include the tab
+    #   (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
+    #   characters.
+    #
+    #   <note markdown="1"> The policy plain text must be 2048 bytes or shorter. However, an
+    #   internal conversion compresses it into a packed binary format with a
+    #   separate limit. The PackedPolicySize response element indicates by
+    #   percentage how close to the upper size limit the policy is, with 100%
+    #   equaling the maximum allowed size.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
+    #
+    # @option params [Integer] :duration_seconds
+    #   The duration, in seconds, of the role session. The value can range
+    #   from 900 seconds (15 minutes) to 3600 seconds (1 hour). By default,
+    #   the value is set to 3600 seconds.
+    #
+    #   <note markdown="1"> This is separate from the duration of a console session that you might
+    #   request using the returned credentials. The request to the federation
+    #   endpoint for a console sign-in token takes a `SessionDuration`
+    #   parameter that specifies the maximum length of the console session,
+    #   separately from the `DurationSeconds` parameter on this API. For more
+    #   information, see [Creating a URL that Enables Federated Users to
+    #   Access the AWS Management Console][1] in the *IAM User Guide*.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
+    #
+    # @return [Types::AssumeRoleWithWebIdentityResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::AssumeRoleWithWebIdentityResponse#credentials #credentials} => Types::Credentials
+    #   * {Types::AssumeRoleWithWebIdentityResponse#subject_from_web_identity_token #subject_from_web_identity_token} => String
+    #   * {Types::AssumeRoleWithWebIdentityResponse#assumed_role_user #assumed_role_user} => Types::AssumedRoleUser
+    #   * {Types::AssumeRoleWithWebIdentityResponse#packed_policy_size #packed_policy_size} => Integer
+    #   * {Types::AssumeRoleWithWebIdentityResponse#provider #provider} => String
+    #   * {Types::AssumeRoleWithWebIdentityResponse#audience #audience} => String
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.assume_role_with_web_identity({
+    #     role_arn: "arnType", # required
+    #     role_session_name: "roleSessionNameType", # required
+    #     web_identity_token: "clientTokenType", # required
+    #     provider_id: "urlType",
+    #     policy: "sessionPolicyDocumentType",
+    #     duration_seconds: 1,
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.credentials.access_key_id #=> String
+    #   resp.credentials.secret_access_key #=> String
+    #   resp.credentials.session_token #=> String
+    #   resp.credentials.expiration #=> Time
+    #   resp.subject_from_web_identity_token #=> String
+    #   resp.assumed_role_user.assumed_role_id #=> String
+    #   resp.assumed_role_user.arn #=> String
+    #   resp.packed_policy_size #=> Integer
+    #   resp.provider #=> String
+    #   resp.audience #=> String
+    #
+    # @overload assume_role_with_web_identity(params = {})
+    # @param [Hash] params ({})
+    def assume_role_with_web_identity(params = {}, options = {})
+      req = build_request(:assume_role_with_web_identity, params)
+      req.send_request(options)
+    end
 
-      # Returns details about the IAM identity whose credentials are used to
-      # call the API.
-      # @return [Types::GetCallerIdentityResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
-      #
-      #   * {Types::GetCallerIdentityResponse#user_id #UserId} => String
-      #   * {Types::GetCallerIdentityResponse#account #Account} => String
-      #   * {Types::GetCallerIdentityResponse#arn #Arn} => String
-      #
-      # @example Request syntax with placeholder values
-      #   resp = client.get_caller_identity()
-      #
-      # @example Response structure
-      #   resp.user_id #=> String
-      #   resp.account #=> String
-      #   resp.arn #=> String
-      # @overload get_caller_identity(params = {})
-      # @param [Hash] params ({})
-      def get_caller_identity(params = {}, options = {})
-        req = build_request(:get_caller_identity, params)
-        req.send_request(options)
-      end
+    # Decodes additional information about the authorization status of a
+    # request from an encoded message returned in response to an AWS
+    # request.
+    #
+    # For example, if a user is not authorized to perform an action that he
+    # or she has requested, the request returns a
+    # `Client.UnauthorizedOperation` response (an HTTP 403 response). Some
+    # AWS actions additionally return an encoded message that can provide
+    # details about this authorization failure.
+    #
+    # <note markdown="1"> Only certain AWS actions return an encoded authorization message. The
+    # documentation for an individual action indicates whether that action
+    # returns an encoded message in addition to returning an HTTP code.
+    #
+    #  </note>
+    #
+    # The message is encoded because the details of the authorization status
+    # can constitute privileged information that the user who requested the
+    # action should not see. To decode an authorization status message, a
+    # user must be granted permissions via an IAM policy to request the
+    # `DecodeAuthorizationMessage` (`sts:DecodeAuthorizationMessage`)
+    # action.
+    #
+    # The decoded message includes the following type of information:
+    #
+    # * Whether the request was denied due to an explicit deny or due to the
+    #   absence of an explicit allow. For more information, see [Determining
+    #   Whether a Request is Allowed or Denied][1] in the *IAM User Guide*.
+    #
+    # * The principal who made the request.
+    #
+    # * The requested action.
+    #
+    # * The requested resource.
+    #
+    # * The values of condition keys in the context of the user's request.
+    #
+    #
+    #
+    # [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow
+    #
+    # @option params [required, String] :encoded_message
+    #   The encoded message that was returned with the response.
+    #
+    # @return [Types::DecodeAuthorizationMessageResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::DecodeAuthorizationMessageResponse#decoded_message #decoded_message} => String
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.decode_authorization_message({
+    #     encoded_message: "encodedMessageType", # required
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.decoded_message #=> String
+    #
+    # @overload decode_authorization_message(params = {})
+    # @param [Hash] params ({})
+    def decode_authorization_message(params = {}, options = {})
+      req = build_request(:decode_authorization_message, params)
+      req.send_request(options)
+    end
 
-      # Returns a set of temporary security credentials (consisting of an
-      # access key ID, a secret access key, and a security token) for a
-      # federated user. A typical use is in a proxy application that gets
-      # temporary security credentials on behalf of distributed applications
-      # inside a corporate network. Because you must call the
-      # `GetFederationToken` action using the long-term security credentials
-      # of an IAM user, this call is appropriate in contexts where those
-      # credentials can be safely stored, usually in a server-based
-      # application. For a comparison of `GetFederationToken` with the other
-      # APIs that produce temporary credentials, see [Requesting Temporary
-      # Security Credentials][1] and [Comparing the AWS STS APIs][2] in the
-      # *IAM User Guide*.
-      #
-      # <note markdown="1"> If you are creating a mobile-based or browser-based app that can
-      # authenticate users using a web identity provider like Login with
-      # Amazon, Facebook, Google, or an OpenID Connect-compatible identity
-      # provider, we recommend that you use [Amazon Cognito][3] or
-      # `AssumeRoleWithWebIdentity`. For more information, see [Federation
-      # Through a Web-based Identity Provider][4].
-      #
-      #  </note>
-      #
-      # The `GetFederationToken` action must be called by using the long-term
-      # AWS security credentials of an IAM user. You can also call
-      # `GetFederationToken` using the security credentials of an AWS root
-      # account, but we do not recommended it. Instead, we recommend that you
-      # create an IAM user for the purpose of the proxy application and then
-      # attach a policy to the IAM user that limits federated users to only
-      # the actions and resources that they need access to. For more
-      # information, see [IAM Best Practices][5] in the *IAM User Guide*.
-      #
-      # The temporary security credentials that are obtained by using the
-      # long-term credentials of an IAM user are valid for the specified
-      # duration, from 900 seconds (15 minutes) up to a maximium of 129600
-      # seconds (36 hours). The default is 43200 seconds (12 hours). Temporary
-      # credentials that are obtained by using AWS root account credentials
-      # have a maximum duration of 3600 seconds (1 hour).
-      #
-      # The temporary security credentials created by `GetFederationToken` can
-      # be used to make API calls to any AWS service with the following
-      # exceptions:
-      #
-      # * You cannot use these credentials to call any IAM APIs.
-      #
-      # * You cannot call any STS APIs except `GetCallerIdentity`.
-      #
-      # **Permissions**
-      #
-      # The permissions for the temporary security credentials returned by
-      # `GetFederationToken` are determined by a combination of the following:
-      #
-      # * The policy or policies that are attached to the IAM user whose
-      #   credentials are used to call `GetFederationToken`.
-      #
-      # * The policy that is passed as a parameter in the call.
-      #
-      # The passed policy is attached to the temporary security credentials
-      # that result from the `GetFederationToken` API call--that is, to the
-      # *federated user*. When the federated user makes an AWS request, AWS
-      # evaluates the policy attached to the federated user in combination
-      # with the policy or policies attached to the IAM user whose credentials
-      # were used to call `GetFederationToken`. AWS allows the federated
-      # user's request only when both the federated user <i> <b>and</b> </i>
-      # the IAM user are explicitly allowed to perform the requested action.
-      # The passed policy cannot grant more permissions than those that are
-      # defined in the IAM user policy.
-      #
-      # A typical use case is that the permissions of the IAM user whose
-      # credentials are used to call `GetFederationToken` are designed to
-      # allow access to all the actions and resources that any federated user
-      # will need. Then, for individual users, you pass a policy to the
-      # operation that scopes down the permissions to a level that's
-      # appropriate to that individual user, using a policy that allows only a
-      # subset of permissions that are granted to the IAM user.
-      #
-      # If you do not pass a policy, the resulting temporary security
-      # credentials have no effective permissions. The only exception is when
-      # the temporary security credentials are used to access a resource that
-      # has a resource-based policy that specifically allows the federated
-      # user to access the resource.
-      #
-      # For more information about how permissions work, see [Permissions for
-      # GetFederationToken][6]. For information about using
-      # `GetFederationToken` to create temporary security credentials, see
-      # [GetFederationToken—Federation Through a Custom Identity Broker][7].
-      #
-      #
-      #
-      # [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
-      # [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
-      # [3]: http://aws.amazon.com/cognito/
-      # [4]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
-      # [5]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
-      # [6]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html
-      # [7]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken
-      # @option params [required, String] :name
-      #   The name of the federated user. The name is used as an identifier for
-      #   the temporary security credentials (such as `Bob`). For example, you
-      #   can reference the federated user name in a resource-based policy, such
-      #   as in an Amazon S3 bucket policy.
-      #
-      #   The format for this parameter, as described by its regex pattern, is a
-      #   string of characters consisting of upper- and lower-case alphanumeric
-      #   characters with no spaces. You can also include underscores or any of
-      #   the following characters: =,.@-
-      # @option params [String] :policy
-      #   An IAM policy in JSON format that is passed with the
-      #   `GetFederationToken` call and evaluated along with the policy or
-      #   policies that are attached to the IAM user whose credentials are used
-      #   to call `GetFederationToken`. The passed policy is used to scope down
-      #   the permissions that are available to the IAM user, by allowing only a
-      #   subset of the permissions that are granted to the IAM user. The passed
-      #   policy cannot grant more permissions than those granted to the IAM
-      #   user. The final permissions for the federated user are the most
-      #   restrictive set based on the intersection of the passed policy and the
-      #   IAM user policy.
-      #
-      #   If you do not pass a policy, the resulting temporary security
-      #   credentials have no effective permissions. The only exception is when
-      #   the temporary security credentials are used to access a resource that
-      #   has a resource-based policy that specifically allows the federated
-      #   user to access the resource.
-      #
-      #   The format for this parameter, as described by its regex pattern, is a
-      #   string of characters up to 2048 characters in length. The characters
-      #   can be any ASCII character from the space character to the end of the
-      #   valid character list (\\u0020-\\u00FF). It can also include the tab
-      #   (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
-      #   characters.
-      #
-      #   <note markdown="1"> The policy plain text must be 2048 bytes or shorter. However, an
-      #   internal conversion compresses it into a packed binary format with a
-      #   separate limit. The PackedPolicySize response element indicates by
-      #   percentage how close to the upper size limit the policy is, with 100%
-      #   equaling the maximum allowed size.
-      #
-      #    </note>
-      #
-      #   For more information about how permissions work, see [Permissions for
-      #   GetFederationToken][1].
-      #
-      #
-      #
-      #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html
-      # @option params [Integer] :duration_seconds
-      #   The duration, in seconds, that the session should last. Acceptable
-      #   durations for federation sessions range from 900 seconds (15 minutes)
-      #   to 129600 seconds (36 hours), with 43200 seconds (12 hours) as the
-      #   default. Sessions obtained using AWS account (root) credentials are
-      #   restricted to a maximum of 3600 seconds (one hour). If the specified
-      #   duration is longer than one hour, the session obtained by using AWS
-      #   account (root) credentials defaults to one hour.
-      # @return [Types::GetFederationTokenResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
-      #
-      #   * {Types::GetFederationTokenResponse#credentials #Credentials} => Types::Credentials
-      #   * {Types::GetFederationTokenResponse#federated_user #FederatedUser} => Types::FederatedUser
-      #   * {Types::GetFederationTokenResponse#packed_policy_size #PackedPolicySize} => Integer
-      #
-      # @example Request syntax with placeholder values
-      #   resp = client.get_federation_token({
-      #     name: "userNameType", # required
-      #     policy: "sessionPolicyDocumentType",
-      #     duration_seconds: 1,
-      #   })
-      #
-      # @example Response structure
-      #   resp.credentials.access_key_id #=> String
-      #   resp.credentials.secret_access_key #=> String
-      #   resp.credentials.session_token #=> String
-      #   resp.credentials.expiration #=> Time
-      #   resp.federated_user.federated_user_id #=> String
-      #   resp.federated_user.arn #=> String
-      #   resp.packed_policy_size #=> Integer
-      # @overload get_federation_token(params = {})
-      # @param [Hash] params ({})
-      def get_federation_token(params = {}, options = {})
-        req = build_request(:get_federation_token, params)
-        req.send_request(options)
-      end
+    # Returns details about the IAM identity whose credentials are used to
+    # call the API.
+    #
+    # @return [Types::GetCallerIdentityResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::GetCallerIdentityResponse#user_id #user_id} => String
+    #   * {Types::GetCallerIdentityResponse#account #account} => String
+    #   * {Types::GetCallerIdentityResponse#arn #arn} => String
+    #
+    # @example Response structure
+    #
+    #   resp.user_id #=> String
+    #   resp.account #=> String
+    #   resp.arn #=> String
+    #
+    # @overload get_caller_identity(params = {})
+    # @param [Hash] params ({})
+    def get_caller_identity(params = {}, options = {})
+      req = build_request(:get_caller_identity, params)
+      req.send_request(options)
+    end
 
-      # Returns a set of temporary credentials for an AWS account or IAM user.
-      # The credentials consist of an access key ID, a secret access key, and
-      # a security token. Typically, you use `GetSessionToken` if you want to
-      # use MFA to protect programmatic calls to specific AWS APIs like Amazon
-      # EC2 `StopInstances`. MFA-enabled IAM users would need to call
-      # `GetSessionToken` and submit an MFA code that is associated with their
-      # MFA device. Using the temporary security credentials that are returned
-      # from the call, IAM users can then make programmatic calls to APIs that
-      # require MFA authentication. If you do not supply a correct MFA code,
-      # then the API returns an access denied error. For a comparison of
-      # `GetSessionToken` with the other APIs that produce temporary
-      # credentials, see [Requesting Temporary Security Credentials][1] and
-      # [Comparing the AWS STS APIs][2] in the *IAM User Guide*.
-      #
-      # The `GetSessionToken` action must be called by using the long-term AWS
-      # security credentials of the AWS account or an IAM user. Credentials
-      # that are created by IAM users are valid for the duration that you
-      # specify, from 900 seconds (15 minutes) up to a maximum of 129600
-      # seconds (36 hours), with a default of 43200 seconds (12 hours);
-      # credentials that are created by using account credentials can range
-      # from 900 seconds (15 minutes) up to a maximum of 3600 seconds (1
-      # hour), with a default of 1 hour.
-      #
-      # The temporary security credentials created by `GetSessionToken` can be
-      # used to make API calls to any AWS service with the following
-      # exceptions:
-      #
-      # * You cannot call any IAM APIs unless MFA authentication information
-      #   is included in the request.
-      #
-      # * You cannot call any STS API *except* `AssumeRole` or
-      #   `GetCallerIdentity`.
-      #
-      # <note markdown="1"> We recommend that you do not call `GetSessionToken` with root account
-      # credentials. Instead, follow our [best practices][3] by creating one
-      # or more IAM users, giving them the necessary permissions, and using
-      # IAM users for everyday interaction with AWS.
-      #
-      #  </note>
-      #
-      # The permissions associated with the temporary security credentials
-      # returned by `GetSessionToken` are based on the permissions associated
-      # with account or IAM user whose credentials are used to call the
-      # action. If `GetSessionToken` is called using root account credentials,
-      # the temporary credentials have root account permissions. Similarly, if
-      # `GetSessionToken` is called using the credentials of an IAM user, the
-      # temporary credentials have the same permissions as the IAM user.
-      #
-      # For more information about using `GetSessionToken` to create temporary
-      # credentials, go to [Temporary Credentials for Users in Untrusted
-      # Environments][4] in the *IAM User Guide*.
-      #
-      #
-      #
-      # [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
-      # [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
-      # [3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users
-      # [4]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken
-      # @option params [Integer] :duration_seconds
-      #   The duration, in seconds, that the credentials should remain valid.
-      #   Acceptable durations for IAM user sessions range from 900 seconds (15
-      #   minutes) to 129600 seconds (36 hours), with 43200 seconds (12 hours)
-      #   as the default. Sessions for AWS account owners are restricted to a
-      #   maximum of 3600 seconds (one hour). If the duration is longer than one
-      #   hour, the session for AWS account owners defaults to one hour.
-      # @option params [String] :serial_number
-      #   The identification number of the MFA device that is associated with
-      #   the IAM user who is making the `GetSessionToken` call. Specify this
-      #   value if the IAM user has a policy that requires MFA authentication.
-      #   The value is either the serial number for a hardware device (such as
-      #   `GAHT12345678`) or an Amazon Resource Name (ARN) for a virtual device
-      #   (such as `arn:aws:iam::123456789012:mfa/user`). You can find the
-      #   device for an IAM user by going to the AWS Management Console and
-      #   viewing the user's security credentials.
-      #
-      #   The format for this parameter, as described by its regex pattern, is a
-      #   string of characters consisting of upper- and lower-case alphanumeric
-      #   characters with no spaces. You can also include underscores or any of
-      #   the following characters: =,.@-
-      # @option params [String] :token_code
-      #   The value provided by the MFA device, if MFA is required. If any
-      #   policy requires the IAM user to submit an MFA code, specify this
-      #   value. If MFA authentication is required, and the user does not
-      #   provide a code when requesting a set of temporary security
-      #   credentials, the user will receive an "access denied" response when
-      #   requesting resources that require MFA authentication.
-      #
-      #   The format for this parameter, as described by its regex pattern, is a
-      #   sequence of six numeric digits.
-      # @return [Types::GetSessionTokenResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
-      #
-      #   * {Types::GetSessionTokenResponse#credentials #Credentials} => Types::Credentials
-      #
-      # @example Request syntax with placeholder values
-      #   resp = client.get_session_token({
-      #     duration_seconds: 1,
-      #     serial_number: "serialNumberType",
-      #     token_code: "tokenCodeType",
-      #   })
-      #
-      # @example Response structure
-      #   resp.credentials.access_key_id #=> String
-      #   resp.credentials.secret_access_key #=> String
-      #   resp.credentials.session_token #=> String
-      #   resp.credentials.expiration #=> Time
-      # @overload get_session_token(params = {})
-      # @param [Hash] params ({})
-      def get_session_token(params = {}, options = {})
-        req = build_request(:get_session_token, params)
-        req.send_request(options)
-      end
+    # Returns a set of temporary security credentials (consisting of an
+    # access key ID, a secret access key, and a security token) for a
+    # federated user. A typical use is in a proxy application that gets
+    # temporary security credentials on behalf of distributed applications
+    # inside a corporate network. Because you must call the
+    # `GetFederationToken` action using the long-term security credentials
+    # of an IAM user, this call is appropriate in contexts where those
+    # credentials can be safely stored, usually in a server-based
+    # application. For a comparison of `GetFederationToken` with the other
+    # APIs that produce temporary credentials, see [Requesting Temporary
+    # Security Credentials][1] and [Comparing the AWS STS APIs][2] in the
+    # *IAM User Guide*.
+    #
+    # <note markdown="1"> If you are creating a mobile-based or browser-based app that can
+    # authenticate users using a web identity provider like Login with
+    # Amazon, Facebook, Google, or an OpenID Connect-compatible identity
+    # provider, we recommend that you use [Amazon Cognito][3] or
+    # `AssumeRoleWithWebIdentity`. For more information, see [Federation
+    # Through a Web-based Identity Provider][4].
+    #
+    #  </note>
+    #
+    # The `GetFederationToken` action must be called by using the long-term
+    # AWS security credentials of an IAM user. You can also call
+    # `GetFederationToken` using the security credentials of an AWS root
+    # account, but we do not recommended it. Instead, we recommend that you
+    # create an IAM user for the purpose of the proxy application and then
+    # attach a policy to the IAM user that limits federated users to only
+    # the actions and resources that they need access to. For more
+    # information, see [IAM Best Practices][5] in the *IAM User Guide*.
+    #
+    # The temporary security credentials that are obtained by using the
+    # long-term credentials of an IAM user are valid for the specified
+    # duration, from 900 seconds (15 minutes) up to a maximium of 129600
+    # seconds (36 hours). The default is 43200 seconds (12 hours). Temporary
+    # credentials that are obtained by using AWS root account credentials
+    # have a maximum duration of 3600 seconds (1 hour).
+    #
+    # The temporary security credentials created by `GetFederationToken` can
+    # be used to make API calls to any AWS service with the following
+    # exceptions:
+    #
+    # * You cannot use these credentials to call any IAM APIs.
+    #
+    # * You cannot call any STS APIs except `GetCallerIdentity`.
+    #
+    # **Permissions**
+    #
+    # The permissions for the temporary security credentials returned by
+    # `GetFederationToken` are determined by a combination of the following:
+    #
+    # * The policy or policies that are attached to the IAM user whose
+    #   credentials are used to call `GetFederationToken`.
+    #
+    # * The policy that is passed as a parameter in the call.
+    #
+    # The passed policy is attached to the temporary security credentials
+    # that result from the `GetFederationToken` API call--that is, to the
+    # *federated user*. When the federated user makes an AWS request, AWS
+    # evaluates the policy attached to the federated user in combination
+    # with the policy or policies attached to the IAM user whose credentials
+    # were used to call `GetFederationToken`. AWS allows the federated
+    # user's request only when both the federated user <i> <b>and</b> </i>
+    # the IAM user are explicitly allowed to perform the requested action.
+    # The passed policy cannot grant more permissions than those that are
+    # defined in the IAM user policy.
+    #
+    # A typical use case is that the permissions of the IAM user whose
+    # credentials are used to call `GetFederationToken` are designed to
+    # allow access to all the actions and resources that any federated user
+    # will need. Then, for individual users, you pass a policy to the
+    # operation that scopes down the permissions to a level that's
+    # appropriate to that individual user, using a policy that allows only a
+    # subset of permissions that are granted to the IAM user.
+    #
+    # If you do not pass a policy, the resulting temporary security
+    # credentials have no effective permissions. The only exception is when
+    # the temporary security credentials are used to access a resource that
+    # has a resource-based policy that specifically allows the federated
+    # user to access the resource.
+    #
+    # For more information about how permissions work, see [Permissions for
+    # GetFederationToken][6]. For information about using
+    # `GetFederationToken` to create temporary security credentials, see
+    # [GetFederationToken—Federation Through a Custom Identity Broker][7].
+    #
+    #
+    #
+    # [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
+    # [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
+    # [3]: http://aws.amazon.com/cognito/
+    # [4]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
+    # [5]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
+    # [6]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html
+    # [7]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken
+    #
+    # @option params [required, String] :name
+    #   The name of the federated user. The name is used as an identifier for
+    #   the temporary security credentials (such as `Bob`). For example, you
+    #   can reference the federated user name in a resource-based policy, such
+    #   as in an Amazon S3 bucket policy.
+    #
+    #   The regex used to validate this parameter is a string of characters
+    #   consisting of upper- and lower-case alphanumeric characters with no
+    #   spaces. You can also include underscores or any of the following
+    #   characters: =,.@-
+    #
+    # @option params [String] :policy
+    #   An IAM policy in JSON format that is passed with the
+    #   `GetFederationToken` call and evaluated along with the policy or
+    #   policies that are attached to the IAM user whose credentials are used
+    #   to call `GetFederationToken`. The passed policy is used to scope down
+    #   the permissions that are available to the IAM user, by allowing only a
+    #   subset of the permissions that are granted to the IAM user. The passed
+    #   policy cannot grant more permissions than those granted to the IAM
+    #   user. The final permissions for the federated user are the most
+    #   restrictive set based on the intersection of the passed policy and the
+    #   IAM user policy.
+    #
+    #   If you do not pass a policy, the resulting temporary security
+    #   credentials have no effective permissions. The only exception is when
+    #   the temporary security credentials are used to access a resource that
+    #   has a resource-based policy that specifically allows the federated
+    #   user to access the resource.
+    #
+    #   The format for this parameter, as described by its regex pattern, is a
+    #   string of characters up to 2048 characters in length. The characters
+    #   can be any ASCII character from the space character to the end of the
+    #   valid character list (\\u0020-\\u00FF). It can also include the tab
+    #   (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
+    #   characters.
+    #
+    #   <note markdown="1"> The policy plain text must be 2048 bytes or shorter. However, an
+    #   internal conversion compresses it into a packed binary format with a
+    #   separate limit. The PackedPolicySize response element indicates by
+    #   percentage how close to the upper size limit the policy is, with 100%
+    #   equaling the maximum allowed size.
+    #
+    #    </note>
+    #
+    #   For more information about how permissions work, see [Permissions for
+    #   GetFederationToken][1].
+    #
+    #
+    #
+    #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html
+    #
+    # @option params [Integer] :duration_seconds
+    #   The duration, in seconds, that the session should last. Acceptable
+    #   durations for federation sessions range from 900 seconds (15 minutes)
+    #   to 129600 seconds (36 hours), with 43200 seconds (12 hours) as the
+    #   default. Sessions obtained using AWS account (root) credentials are
+    #   restricted to a maximum of 3600 seconds (one hour). If the specified
+    #   duration is longer than one hour, the session obtained by using AWS
+    #   account (root) credentials defaults to one hour.
+    #
+    # @return [Types::GetFederationTokenResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::GetFederationTokenResponse#credentials #credentials} => Types::Credentials
+    #   * {Types::GetFederationTokenResponse#federated_user #federated_user} => Types::FederatedUser
+    #   * {Types::GetFederationTokenResponse#packed_policy_size #packed_policy_size} => Integer
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.get_federation_token({
+    #     name: "userNameType", # required
+    #     policy: "sessionPolicyDocumentType",
+    #     duration_seconds: 1,
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.credentials.access_key_id #=> String
+    #   resp.credentials.secret_access_key #=> String
+    #   resp.credentials.session_token #=> String
+    #   resp.credentials.expiration #=> Time
+    #   resp.federated_user.federated_user_id #=> String
+    #   resp.federated_user.arn #=> String
+    #   resp.packed_policy_size #=> Integer
+    #
+    # @overload get_federation_token(params = {})
+    # @param [Hash] params ({})
+    def get_federation_token(params = {}, options = {})
+      req = build_request(:get_federation_token, params)
+      req.send_request(options)
+    end
 
-      # @!endgroup
+    # Returns a set of temporary credentials for an AWS account or IAM user.
+    # The credentials consist of an access key ID, a secret access key, and
+    # a security token. Typically, you use `GetSessionToken` if you want to
+    # use MFA to protect programmatic calls to specific AWS APIs like Amazon
+    # EC2 `StopInstances`. MFA-enabled IAM users would need to call
+    # `GetSessionToken` and submit an MFA code that is associated with their
+    # MFA device. Using the temporary security credentials that are returned
+    # from the call, IAM users can then make programmatic calls to APIs that
+    # require MFA authentication. If you do not supply a correct MFA code,
+    # then the API returns an access denied error. For a comparison of
+    # `GetSessionToken` with the other APIs that produce temporary
+    # credentials, see [Requesting Temporary Security Credentials][1] and
+    # [Comparing the AWS STS APIs][2] in the *IAM User Guide*.
+    #
+    # The `GetSessionToken` action must be called by using the long-term AWS
+    # security credentials of the AWS account or an IAM user. Credentials
+    # that are created by IAM users are valid for the duration that you
+    # specify, from 900 seconds (15 minutes) up to a maximum of 129600
+    # seconds (36 hours), with a default of 43200 seconds (12 hours);
+    # credentials that are created by using account credentials can range
+    # from 900 seconds (15 minutes) up to a maximum of 3600 seconds (1
+    # hour), with a default of 1 hour.
+    #
+    # The temporary security credentials created by `GetSessionToken` can be
+    # used to make API calls to any AWS service with the following
+    # exceptions:
+    #
+    # * You cannot call any IAM APIs unless MFA authentication information
+    #   is included in the request.
+    #
+    # * You cannot call any STS API *except* `AssumeRole` or
+    #   `GetCallerIdentity`.
+    #
+    # <note markdown="1"> We recommend that you do not call `GetSessionToken` with root account
+    # credentials. Instead, follow our [best practices][3] by creating one
+    # or more IAM users, giving them the necessary permissions, and using
+    # IAM users for everyday interaction with AWS.
+    #
+    #  </note>
+    #
+    # The permissions associated with the temporary security credentials
+    # returned by `GetSessionToken` are based on the permissions associated
+    # with account or IAM user whose credentials are used to call the
+    # action. If `GetSessionToken` is called using root account credentials,
+    # the temporary credentials have root account permissions. Similarly, if
+    # `GetSessionToken` is called using the credentials of an IAM user, the
+    # temporary credentials have the same permissions as the IAM user.
+    #
+    # For more information about using `GetSessionToken` to create temporary
+    # credentials, go to [Temporary Credentials for Users in Untrusted
+    # Environments][4] in the *IAM User Guide*.
+    #
+    #
+    #
+    # [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
+    # [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
+    # [3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users
+    # [4]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken
+    #
+    # @option params [Integer] :duration_seconds
+    #   The duration, in seconds, that the credentials should remain valid.
+    #   Acceptable durations for IAM user sessions range from 900 seconds (15
+    #   minutes) to 129600 seconds (36 hours), with 43200 seconds (12 hours)
+    #   as the default. Sessions for AWS account owners are restricted to a
+    #   maximum of 3600 seconds (one hour). If the duration is longer than one
+    #   hour, the session for AWS account owners defaults to one hour.
+    #
+    # @option params [String] :serial_number
+    #   The identification number of the MFA device that is associated with
+    #   the IAM user who is making the `GetSessionToken` call. Specify this
+    #   value if the IAM user has a policy that requires MFA authentication.
+    #   The value is either the serial number for a hardware device (such as
+    #   `GAHT12345678`) or an Amazon Resource Name (ARN) for a virtual device
+    #   (such as `arn:aws:iam::123456789012:mfa/user`). You can find the
+    #   device for an IAM user by going to the AWS Management Console and
+    #   viewing the user's security credentials.
+    #
+    #   The regex used to validate this parameter is a string of characters
+    #   consisting of upper- and lower-case alphanumeric characters with no
+    #   spaces. You can also include underscores or any of the following
+    #   characters: =,.@-
+    #
+    # @option params [String] :token_code
+    #   The value provided by the MFA device, if MFA is required. If any
+    #   policy requires the IAM user to submit an MFA code, specify this
+    #   value. If MFA authentication is required, and the user does not
+    #   provide a code when requesting a set of temporary security
+    #   credentials, the user will receive an "access denied" response when
+    #   requesting resources that require MFA authentication.
+    #
+    #   The format for this parameter, as described by its regex pattern, is a
+    #   sequence of six numeric digits.
+    #
+    # @return [Types::GetSessionTokenResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::GetSessionTokenResponse#credentials #credentials} => Types::Credentials
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.get_session_token({
+    #     duration_seconds: 1,
+    #     serial_number: "serialNumberType",
+    #     token_code: "tokenCodeType",
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.credentials.access_key_id #=> String
+    #   resp.credentials.secret_access_key #=> String
+    #   resp.credentials.session_token #=> String
+    #   resp.credentials.expiration #=> Time
+    #
+    # @overload get_session_token(params = {})
+    # @param [Hash] params ({})
+    def get_session_token(params = {}, options = {})
+      req = build_request(:get_session_token, params)
+      req.send_request(options)
+    end
 
-      # @param params ({})
-      # @api private
-      def build_request(operation_name, params = {})
-        handlers = @handlers.for(operation_name)
-        context = Seahorse::Client::RequestContext.new(
-          operation_name: operation_name,
-          operation: config.api.operation(operation_name),
-          client: self,
-          params: params,
-          config: config)
-        context[:gem_name] = 'aws-sdk-core'
-        context[:gem_version] = '3.0.0.rc2'
-        Seahorse::Client::Request.new(handlers, context)
-      end
+    # @!endgroup
 
-      # @api private
-      # @deprecated
-      def waiter_names
-        []
-      end
+    # @param params ({})
+    # @api private
+    def build_request(operation_name, params = {})
+      handlers = @handlers.for(operation_name)
+      context = Seahorse::Client::RequestContext.new(
+        operation_name: operation_name,
+        operation: config.api.operation(operation_name),
+        client: self,
+        params: params,
+        config: config)
+      context[:gem_name] = 'aws-sdk-core'
+      context[:gem_version] = '3.0.0.rc2'
+      Seahorse::Client::Request.new(handlers, context)
+    end
 
-      class << self
+    # @api private
+    # @deprecated
+    def waiter_names
+      []
+    end
 
-        # @api private
-        attr_reader :identifier
+    class << self
 
-        # @api private
-        def errors_module
-          Errors
-        end
+      # @api private
+      attr_reader :identifier
 
+      # @api private
+      def errors_module
+        Errors
       end
+
     end
   end
 end