aws-sdk-core 3.114.0 → 3.180.2

data/lib/aws-sdk-sts/types.rb

@@ -10,32 +10,6 @@
 module Aws::STS
   module Types
 
-    # @note When making an API call, you may pass AssumeRoleRequest
-    #   data as a hash:
-    #
-    #       {
-    #         role_arn: "arnType", # required
-    #         role_session_name: "roleSessionNameType", # required
-    #         policy_arns: [
-    #           {
-    #             arn: "arnType",
-    #           },
-    #         ],
-    #         policy: "sessionPolicyDocumentType",
-    #         duration_seconds: 1,
-    #         tags: [
-    #           {
-    #             key: "tagKeyType", # required
-    #             value: "tagValueType", # required
-    #           },
-    #         ],
-    #         transitive_tag_keys: ["tagKeyType"],
-    #         external_id: "externalIdType",
-    #         serial_number: "serialNumberType",
-    #         token_code: "tokenCodeType",
-    #         source_identity: "sourceIdentityType",
-    #       }
-    #
     # @!attribute [rw] role_arn
     #   The Amazon Resource Name (ARN) of the role to assume.
     #   @return [String]
@@ -50,7 +24,7 @@ module Aws::STS
     #   role session name is also used in the ARN of the assumed role
     #   principal. This means that subsequent cross-account API requests
     #   that use the temporary security credentials will expose the role
-    #   session name to the external account in their AWS CloudTrail logs.
+    #   session name to the external account in their CloudTrail logs.
     #
     #   The regex used to validate this parameter is a string of characters
     #   consisting of upper- and lower-case alphanumeric characters with no
@@ -66,15 +40,17 @@ module Aws::STS
     #   This parameter is optional. You can provide up to 10 managed policy
     #   ARNs. However, the plaintext that you use for both inline and
     #   managed session policies can't exceed 2,048 characters. For more
-    #   information about ARNs, see [Amazon Resource Names (ARNs) and AWS
-    #   Service Namespaces][1] in the AWS General Reference.
-    #
-    #   <note markdown="1"> An AWS conversion compresses the passed session policies and session
-    #   tags into a packed binary format that has a separate limit. Your
-    #   request can fail for this limit even if your plaintext meets the
-    #   other requirements. The `PackedPolicySize` response element
-    #   indicates by percentage how close the policies and tags for your
-    #   request are to the upper size limit.
+    #   information about ARNs, see [Amazon Resource Names (ARNs) and Amazon
+    #   Web Services Service Namespaces][1] in the Amazon Web Services
+    #   General Reference.
+    #
+    #   <note markdown="1"> An Amazon Web Services conversion compresses the passed inline
+    #   session policy, managed policy ARNs, and session tags into a packed
+    #   binary format that has a separate limit. Your request can fail for
+    #   this limit even if your plaintext meets the other requirements. The
+    #   `PackedPolicySize` response element indicates by percentage how
+    #   close the policies and tags for your request are to the upper size
+    #   limit.
     #
     #    </note>
     #
@@ -82,10 +58,10 @@ module Aws::STS
     #   credentials. The resulting session's permissions are the
     #   intersection of the role's identity-based policy and the session
     #   policies. You can use the role's temporary credentials in
-    #   subsequent AWS API calls to access resources in the account that
-    #   owns the role. You cannot use session policies to grant more
-    #   permissions than those allowed by the identity-based policy of the
-    #   role that is being assumed. For more information, see [Session
+    #   subsequent Amazon Web Services API calls to access resources in the
+    #   account that owns the role. You cannot use session policies to grant
+    #   more permissions than those allowed by the identity-based policy of
+    #   the role that is being assumed. For more information, see [Session
     #   Policies][2] in the *IAM User Guide*.
     #
     #
@@ -102,11 +78,11 @@ module Aws::STS
     #   returns new temporary credentials. The resulting session's
     #   permissions are the intersection of the role's identity-based
     #   policy and the session policies. You can use the role's temporary
-    #   credentials in subsequent AWS API calls to access resources in the
-    #   account that owns the role. You cannot use session policies to grant
-    #   more permissions than those allowed by the identity-based policy of
-    #   the role that is being assumed. For more information, see [Session
-    #   Policies][1] in the *IAM User Guide*.
+    #   credentials in subsequent Amazon Web Services API calls to access
+    #   resources in the account that owns the role. You cannot use session
+    #   policies to grant more permissions than those allowed by the
+    #   identity-based policy of the role that is being assumed. For more
+    #   information, see [Session Policies][1] in the *IAM User Guide*.
     #
     #   The plaintext that you use for both inline and managed session
     #   policies can't exceed 2,048 characters. The JSON policy characters
@@ -115,12 +91,13 @@ module Aws::STS
     #   include the tab (\\u0009), linefeed (\\u000A), and carriage return
     #   (\\u000D) characters.
     #
-    #   <note markdown="1"> An AWS conversion compresses the passed session policies and session
-    #   tags into a packed binary format that has a separate limit. Your
-    #   request can fail for this limit even if your plaintext meets the
-    #   other requirements. The `PackedPolicySize` response element
-    #   indicates by percentage how close the policies and tags for your
-    #   request are to the upper size limit.
+    #   <note markdown="1"> An Amazon Web Services conversion compresses the passed inline
+    #   session policy, managed policy ARNs, and session tags into a packed
+    #   binary format that has a separate limit. Your request can fail for
+    #   this limit even if your plaintext meets the other requirements. The
+    #   `PackedPolicySize` response element indicates by percentage how
+    #   close the policies and tags for your request are to the upper size
+    #   limit.
     #
     #    </note>
     #
@@ -131,16 +108,25 @@ module Aws::STS
     #
     # @!attribute [rw] duration_seconds
     #   The duration, in seconds, of the role session. The value specified
-    #   can can range from 900 seconds (15 minutes) up to the maximum
-    #   session duration that is set for the role. The maximum session
-    #   duration setting can have a value from 1 hour to 12 hours. If you
-    #   specify a value higher than this setting or the administrator
-    #   setting (whichever is lower), the operation fails. For example, if
-    #   you specify a session duration of 12 hours, but your administrator
-    #   set the maximum session duration to 6 hours, your operation fails.
-    #   To learn how to view the maximum value for your role, see [View the
-    #   Maximum Session Duration Setting for a Role][1] in the *IAM User
-    #   Guide*.
+    #   can range from 900 seconds (15 minutes) up to the maximum session
+    #   duration set for the role. The maximum session duration setting can
+    #   have a value from 1 hour to 12 hours. If you specify a value higher
+    #   than this setting or the administrator setting (whichever is lower),
+    #   the operation fails. For example, if you specify a session duration
+    #   of 12 hours, but your administrator set the maximum session duration
+    #   to 6 hours, your operation fails.
+    #
+    #   Role chaining limits your Amazon Web Services CLI or Amazon Web
+    #   Services API role session to a maximum of one hour. When you use the
+    #   `AssumeRole` API operation to assume a role, you can specify the
+    #   duration of your role session with the `DurationSeconds` parameter.
+    #   You can specify a parameter value of up to 43200 seconds (12 hours),
+    #   depending on the maximum session duration setting for your role.
+    #   However, if you assume a role using role chaining and provide a
+    #   `DurationSeconds` parameter value greater than one hour, the
+    #   operation fails. To learn how to view the maximum value for your
+    #   role, see [View the Maximum Session Duration Setting for a Role][1]
+    #   in the *IAM User Guide*.
     #
     #   By default, the value is set to `3600` seconds.
     #
@@ -149,8 +135,8 @@ module Aws::STS
     #   credentials. The request to the federation endpoint for a console
     #   sign-in token takes a `SessionDuration` parameter that specifies the
     #   maximum length of the console session. For more information, see
-    #   [Creating a URL that Enables Federated Users to Access the AWS
-    #   Management Console][2] in the *IAM User Guide*.
+    #   [Creating a URL that Enables Federated Users to Access the Amazon
+    #   Web Services Management Console][2] in the *IAM User Guide*.
     #
     #    </note>
     #
@@ -163,20 +149,21 @@ module Aws::STS
     # @!attribute [rw] tags
     #   A list of session tags that you want to pass. Each session tag
     #   consists of a key name and an associated value. For more information
-    #   about session tags, see [Tagging AWS STS Sessions][1] in the *IAM
-    #   User Guide*.
+    #   about session tags, see [Tagging Amazon Web Services STS
+    #   Sessions][1] in the *IAM User Guide*.
     #
     #   This parameter is optional. You can pass up to 50 session tags. The
     #   plaintext session tag keys can’t exceed 128 characters, and the
     #   values can’t exceed 256 characters. For these and additional limits,
     #   see [IAM and STS Character Limits][2] in the *IAM User Guide*.
     #
-    #   <note markdown="1"> An AWS conversion compresses the passed session policies and session
-    #   tags into a packed binary format that has a separate limit. Your
-    #   request can fail for this limit even if your plaintext meets the
-    #   other requirements. The `PackedPolicySize` response element
-    #   indicates by percentage how close the policies and tags for your
-    #   request are to the upper size limit.
+    #   <note markdown="1"> An Amazon Web Services conversion compresses the passed inline
+    #   session policy, managed policy ARNs, and session tags into a packed
+    #   binary format that has a separate limit. Your request can fail for
+    #   this limit even if your plaintext meets the other requirements. The
+    #   `PackedPolicySize` response element indicates by percentage how
+    #   close the policies and tags for your request are to the upper size
+    #   limit.
     #
     #    </note>
     #
@@ -196,14 +183,14 @@ module Aws::STS
     #   operation, the new session inherits any transitive session tags from
     #   the calling session. If you pass a session tag with the same key as
     #   an inherited tag, the operation fails. To view the inherited tags
-    #   for a session, see the AWS CloudTrail logs. For more information,
-    #   see [Viewing Session Tags in CloudTrail][3] in the *IAM User Guide*.
+    #   for a session, see the CloudTrail logs. For more information, see
+    #   [Viewing Session Tags in CloudTrail][3] in the *IAM User Guide*.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
     #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
-    #   [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/session-tags.html#id_session-tags_ctlogs
+    #   [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_ctlogs
     #   @return [Array<Types::Tag>]
     #
     # @!attribute [rw] transitive_tag_keys
@@ -235,8 +222,8 @@ module Aws::STS
     #   the administrator of the trusted account. That way, only someone
     #   with the ID can assume the role, rather than everyone in the
     #   account. For more information about the external ID, see [How to Use
-    #   an External ID When Granting Access to Your AWS Resources to a Third
-    #   Party][1] in the *IAM User Guide*.
+    #   an External ID When Granting Access to Your Amazon Web Services
+    #   Resources to a Third Party][1] in the *IAM User Guide*.
     #
     #   The regex used to validate this parameter is a string of characters
     #   consisting of upper- and lower-case alphanumeric characters with no
@@ -281,24 +268,29 @@ module Aws::STS
     #   You can require users to specify a source identity when they assume
     #   a role. You do this by using the `sts:SourceIdentity` condition key
     #   in a role trust policy. You can use source identity information in
-    #   AWS CloudTrail logs to determine who took actions with a role. You
-    #   can use the `aws:SourceIdentity` condition key to further control
-    #   access to AWS resources based on the value of source identity. For
-    #   more information about using source identity, see [Monitor and
-    #   control actions taken with assumed roles][1] in the *IAM User
-    #   Guide*.
+    #   CloudTrail logs to determine who took actions with a role. You can
+    #   use the `aws:SourceIdentity` condition key to further control access
+    #   to Amazon Web Services resources based on the value of source
+    #   identity. For more information about using source identity, see
+    #   [Monitor and control actions taken with assumed roles][1] in the
+    #   *IAM User Guide*.
     #
     #   The regex used to validate this parameter is a string of characters
     #   consisting of upper- and lower-case alphanumeric characters with no
     #   spaces. You can also include underscores or any of the following
     #   characters: =,.@-. You cannot use a value that begins with the text
-    #   `aws:`. This prefix is reserved for AWS internal use.
+    #   `aws:`. This prefix is reserved for Amazon Web Services internal
+    #   use.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
     #   @return [String]
     #
+    # @!attribute [rw] provided_contexts
+    #   Reserved for future use.
+    #   @return [Array<Types::ProvidedContext>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleRequest AWS API Documentation
     #
     class AssumeRoleRequest < Struct.new(
@@ -312,13 +304,15 @@ module Aws::STS
       :external_id,
       :serial_number,
       :token_code,
-      :source_identity)
+      :source_identity,
+      :provided_contexts)
       SENSITIVE = []
       include Aws::Structure
     end
 
     # Contains the response to a successful AssumeRole request, including
-    # temporary AWS credentials that can be used to make AWS requests.
+    # temporary Amazon Web Services credentials that can be used to make
+    # Amazon Web Services requests.
     #
     # @!attribute [rw] credentials
     #   The temporary security credentials, which include an access key ID,
@@ -354,12 +348,12 @@ module Aws::STS
     #   You can require users to specify a source identity when they assume
     #   a role. You do this by using the `sts:SourceIdentity` condition key
     #   in a role trust policy. You can use source identity information in
-    #   AWS CloudTrail logs to determine who took actions with a role. You
-    #   can use the `aws:SourceIdentity` condition key to further control
-    #   access to AWS resources based on the value of source identity. For
-    #   more information about using source identity, see [Monitor and
-    #   control actions taken with assumed roles][1] in the *IAM User
-    #   Guide*.
+    #   CloudTrail logs to determine who took actions with a role. You can
+    #   use the `aws:SourceIdentity` condition key to further control access
+    #   to Amazon Web Services resources based on the value of source
+    #   identity. For more information about using source identity, see
+    #   [Monitor and control actions taken with assumed roles][1] in the
+    #   *IAM User Guide*.
     #
     #   The regex used to validate this parameter is a string of characters
     #   consisting of upper- and lower-case alphanumeric characters with no
@@ -382,22 +376,6 @@ module Aws::STS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass AssumeRoleWithSAMLRequest
-    #   data as a hash:
-    #
-    #       {
-    #         role_arn: "arnType", # required
-    #         principal_arn: "arnType", # required
-    #         saml_assertion: "SAMLAssertionType", # required
-    #         policy_arns: [
-    #           {
-    #             arn: "arnType",
-    #           },
-    #         ],
-    #         policy: "sessionPolicyDocumentType",
-    #         duration_seconds: 1,
-    #       }
-    #
     # @!attribute [rw] role_arn
     #   The Amazon Resource Name (ARN) of the role that the caller is
     #   assuming.
@@ -427,15 +405,17 @@ module Aws::STS
     #   This parameter is optional. You can provide up to 10 managed policy
     #   ARNs. However, the plaintext that you use for both inline and
     #   managed session policies can't exceed 2,048 characters. For more
-    #   information about ARNs, see [Amazon Resource Names (ARNs) and AWS
-    #   Service Namespaces][1] in the AWS General Reference.
-    #
-    #   <note markdown="1"> An AWS conversion compresses the passed session policies and session
-    #   tags into a packed binary format that has a separate limit. Your
-    #   request can fail for this limit even if your plaintext meets the
-    #   other requirements. The `PackedPolicySize` response element
-    #   indicates by percentage how close the policies and tags for your
-    #   request are to the upper size limit.
+    #   information about ARNs, see [Amazon Resource Names (ARNs) and Amazon
+    #   Web Services Service Namespaces][1] in the Amazon Web Services
+    #   General Reference.
+    #
+    #   <note markdown="1"> An Amazon Web Services conversion compresses the passed inline
+    #   session policy, managed policy ARNs, and session tags into a packed
+    #   binary format that has a separate limit. Your request can fail for
+    #   this limit even if your plaintext meets the other requirements. The
+    #   `PackedPolicySize` response element indicates by percentage how
+    #   close the policies and tags for your request are to the upper size
+    #   limit.
     #
     #    </note>
     #
@@ -443,10 +423,10 @@ module Aws::STS
     #   credentials. The resulting session's permissions are the
     #   intersection of the role's identity-based policy and the session
     #   policies. You can use the role's temporary credentials in
-    #   subsequent AWS API calls to access resources in the account that
-    #   owns the role. You cannot use session policies to grant more
-    #   permissions than those allowed by the identity-based policy of the
-    #   role that is being assumed. For more information, see [Session
+    #   subsequent Amazon Web Services API calls to access resources in the
+    #   account that owns the role. You cannot use session policies to grant
+    #   more permissions than those allowed by the identity-based policy of
+    #   the role that is being assumed. For more information, see [Session
     #   Policies][2] in the *IAM User Guide*.
     #
     #
@@ -463,11 +443,11 @@ module Aws::STS
     #   returns new temporary credentials. The resulting session's
     #   permissions are the intersection of the role's identity-based
     #   policy and the session policies. You can use the role's temporary
-    #   credentials in subsequent AWS API calls to access resources in the
-    #   account that owns the role. You cannot use session policies to grant
-    #   more permissions than those allowed by the identity-based policy of
-    #   the role that is being assumed. For more information, see [Session
-    #   Policies][1] in the *IAM User Guide*.
+    #   credentials in subsequent Amazon Web Services API calls to access
+    #   resources in the account that owns the role. You cannot use session
+    #   policies to grant more permissions than those allowed by the
+    #   identity-based policy of the role that is being assumed. For more
+    #   information, see [Session Policies][1] in the *IAM User Guide*.
     #
     #   The plaintext that you use for both inline and managed session
     #   policies can't exceed 2,048 characters. The JSON policy characters
@@ -476,12 +456,13 @@ module Aws::STS
     #   include the tab (\\u0009), linefeed (\\u000A), and carriage return
     #   (\\u000D) characters.
     #
-    #   <note markdown="1"> An AWS conversion compresses the passed session policies and session
-    #   tags into a packed binary format that has a separate limit. Your
-    #   request can fail for this limit even if your plaintext meets the
-    #   other requirements. The `PackedPolicySize` response element
-    #   indicates by percentage how close the policies and tags for your
-    #   request are to the upper size limit.
+    #   <note markdown="1"> An Amazon Web Services conversion compresses the passed inline
+    #   session policy, managed policy ARNs, and session tags into a packed
+    #   binary format that has a separate limit. Your request can fail for
+    #   this limit even if your plaintext meets the other requirements. The
+    #   `PackedPolicySize` response element indicates by percentage how
+    #   close the policies and tags for your request are to the upper size
+    #   limit.
     #
     #    </note>
     #
@@ -512,8 +493,8 @@ module Aws::STS
     #   credentials. The request to the federation endpoint for a console
     #   sign-in token takes a `SessionDuration` parameter that specifies the
     #   maximum length of the console session. For more information, see
-    #   [Creating a URL that Enables Federated Users to Access the AWS
-    #   Management Console][2] in the *IAM User Guide*.
+    #   [Creating a URL that Enables Federated Users to Access the Amazon
+    #   Web Services Management Console][2] in the *IAM User Guide*.
     #
     #    </note>
     #
@@ -532,13 +513,13 @@ module Aws::STS
       :policy_arns,
       :policy,
       :duration_seconds)
-      SENSITIVE = []
+      SENSITIVE = [:saml_assertion]
       include Aws::Structure
     end
 
     # Contains the response to a successful AssumeRoleWithSAML request,
-    # including temporary AWS credentials that can be used to make AWS
-    # requests.
+    # including temporary Amazon Web Services credentials that can be used
+    # to make Amazon Web Services requests.
     #
     # @!attribute [rw] credentials
     #   The temporary security credentials, which include an access key ID,
@@ -594,13 +575,13 @@ module Aws::STS
     #
     #   * The `Issuer` response value.
     #
-    #   * The AWS account ID.
+    #   * The Amazon Web Services account ID.
     #
     #   * The friendly name (the last part of the ARN) of the SAML provider
     #     in IAM.
     #
     #   The combination of `NameQualifier` and `Subject` can be used to
-    #   uniquely identify a federated user.
+    #   uniquely identify a user.
     #
     #   The following pseudocode shows how the hash value is calculated:
     #
@@ -652,23 +633,6 @@ module Aws::STS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass AssumeRoleWithWebIdentityRequest
-    #   data as a hash:
-    #
-    #       {
-    #         role_arn: "arnType", # required
-    #         role_session_name: "roleSessionNameType", # required
-    #         web_identity_token: "clientTokenType", # required
-    #         provider_id: "urlType",
-    #         policy_arns: [
-    #           {
-    #             arn: "arnType",
-    #           },
-    #         ],
-    #         policy: "sessionPolicyDocumentType",
-    #         duration_seconds: 1,
-    #       }
-    #
     # @!attribute [rw] role_arn
     #   The Amazon Resource Name (ARN) of the role that the caller is
     #   assuming.
@@ -693,17 +657,18 @@ module Aws::STS
     #   provided by the identity provider. Your application must get this
     #   token by authenticating the user who is using your application with
     #   a web identity provider before the application makes an
-    #   `AssumeRoleWithWebIdentity` call.
+    #   `AssumeRoleWithWebIdentity` call. Only tokens with RSA algorithms
+    #   (RS256) are supported.
     #   @return [String]
     #
     # @!attribute [rw] provider_id
-    #   The fully qualified host component of the domain name of the
-    #   identity provider.
+    #   The fully qualified host component of the domain name of the OAuth
+    #   2.0 identity provider. Do not specify this value for an OpenID
+    #   Connect identity provider.
     #
-    #   Specify this value only for OAuth 2.0 access tokens. Currently
-    #   `www.amazon.com` and `graph.facebook.com` are the only supported
-    #   identity providers for OAuth 2.0 access tokens. Do not include URL
-    #   schemes and port numbers.
+    #   Currently `www.amazon.com` and `graph.facebook.com` are the only
+    #   supported identity providers for OAuth 2.0 access tokens. Do not
+    #   include URL schemes and port numbers.
     #
     #   Do not specify this value for OpenID Connect ID tokens.
     #   @return [String]
@@ -716,15 +681,17 @@ module Aws::STS
     #   This parameter is optional. You can provide up to 10 managed policy
     #   ARNs. However, the plaintext that you use for both inline and
     #   managed session policies can't exceed 2,048 characters. For more
-    #   information about ARNs, see [Amazon Resource Names (ARNs) and AWS
-    #   Service Namespaces][1] in the AWS General Reference.
-    #
-    #   <note markdown="1"> An AWS conversion compresses the passed session policies and session
-    #   tags into a packed binary format that has a separate limit. Your
-    #   request can fail for this limit even if your plaintext meets the
-    #   other requirements. The `PackedPolicySize` response element
-    #   indicates by percentage how close the policies and tags for your
-    #   request are to the upper size limit.
+    #   information about ARNs, see [Amazon Resource Names (ARNs) and Amazon
+    #   Web Services Service Namespaces][1] in the Amazon Web Services
+    #   General Reference.
+    #
+    #   <note markdown="1"> An Amazon Web Services conversion compresses the passed inline
+    #   session policy, managed policy ARNs, and session tags into a packed
+    #   binary format that has a separate limit. Your request can fail for
+    #   this limit even if your plaintext meets the other requirements. The
+    #   `PackedPolicySize` response element indicates by percentage how
+    #   close the policies and tags for your request are to the upper size
+    #   limit.
     #
     #    </note>
     #
@@ -732,10 +699,10 @@ module Aws::STS
     #   credentials. The resulting session's permissions are the
     #   intersection of the role's identity-based policy and the session
     #   policies. You can use the role's temporary credentials in
-    #   subsequent AWS API calls to access resources in the account that
-    #   owns the role. You cannot use session policies to grant more
-    #   permissions than those allowed by the identity-based policy of the
-    #   role that is being assumed. For more information, see [Session
+    #   subsequent Amazon Web Services API calls to access resources in the
+    #   account that owns the role. You cannot use session policies to grant
+    #   more permissions than those allowed by the identity-based policy of
+    #   the role that is being assumed. For more information, see [Session
     #   Policies][2] in the *IAM User Guide*.
     #
     #
@@ -752,11 +719,11 @@ module Aws::STS
     #   returns new temporary credentials. The resulting session's
     #   permissions are the intersection of the role's identity-based
     #   policy and the session policies. You can use the role's temporary
-    #   credentials in subsequent AWS API calls to access resources in the
-    #   account that owns the role. You cannot use session policies to grant
-    #   more permissions than those allowed by the identity-based policy of
-    #   the role that is being assumed. For more information, see [Session
-    #   Policies][1] in the *IAM User Guide*.
+    #   credentials in subsequent Amazon Web Services API calls to access
+    #   resources in the account that owns the role. You cannot use session
+    #   policies to grant more permissions than those allowed by the
+    #   identity-based policy of the role that is being assumed. For more
+    #   information, see [Session Policies][1] in the *IAM User Guide*.
     #
     #   The plaintext that you use for both inline and managed session
     #   policies can't exceed 2,048 characters. The JSON policy characters
@@ -765,12 +732,13 @@ module Aws::STS
     #   include the tab (\\u0009), linefeed (\\u000A), and carriage return
     #   (\\u000D) characters.
     #
-    #   <note markdown="1"> An AWS conversion compresses the passed session policies and session
-    #   tags into a packed binary format that has a separate limit. Your
-    #   request can fail for this limit even if your plaintext meets the
-    #   other requirements. The `PackedPolicySize` response element
-    #   indicates by percentage how close the policies and tags for your
-    #   request are to the upper size limit.
+    #   <note markdown="1"> An Amazon Web Services conversion compresses the passed inline
+    #   session policy, managed policy ARNs, and session tags into a packed
+    #   binary format that has a separate limit. Your request can fail for
+    #   this limit even if your plaintext meets the other requirements. The
+    #   `PackedPolicySize` response element indicates by percentage how
+    #   close the policies and tags for your request are to the upper size
+    #   limit.
     #
     #    </note>
     #
@@ -797,8 +765,8 @@ module Aws::STS
     #   credentials. The request to the federation endpoint for a console
     #   sign-in token takes a `SessionDuration` parameter that specifies the
     #   maximum length of the console session. For more information, see
-    #   [Creating a URL that Enables Federated Users to Access the AWS
-    #   Management Console][2] in the *IAM User Guide*.
+    #   [Creating a URL that Enables Federated Users to Access the Amazon
+    #   Web Services Management Console][2] in the *IAM User Guide*.
     #
     #    </note>
     #
@@ -818,13 +786,13 @@ module Aws::STS
       :policy_arns,
       :policy,
       :duration_seconds)
-      SENSITIVE = []
+      SENSITIVE = [:web_identity_token]
       include Aws::Structure
     end
 
     # Contains the response to a successful AssumeRoleWithWebIdentity
-    # request, including temporary AWS credentials that can be used to make
-    # AWS requests.
+    # request, including temporary Amazon Web Services credentials that can
+    # be used to make Amazon Web Services requests.
     #
     # @!attribute [rw] credentials
     #   The temporary security credentials, which include an access key ID,
@@ -929,7 +897,7 @@ module Aws::STS
     # @!attribute [rw] assumed_role_id
     #   A unique identifier that contains the role ID and the role session
     #   name of the role that is being assumed. The role ID is generated by
-    #   AWS when the role is created.
+    #   Amazon Web Services when the role is created.
     #   @return [String]
     #
     # @!attribute [rw] arn
@@ -952,7 +920,7 @@ module Aws::STS
       include Aws::Structure
     end
 
-    # AWS credentials for API authentication.
+    # Amazon Web Services credentials for API authentication.
     #
     # @!attribute [rw] access_key_id
     #   The access key ID that identifies the temporary security
@@ -979,17 +947,10 @@ module Aws::STS
       :secret_access_key,
       :session_token,
       :expiration)
-      SENSITIVE = []
+      SENSITIVE = [:secret_access_key]
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass DecodeAuthorizationMessageRequest
-    #   data as a hash:
-    #
-    #       {
-    #         encoded_message: "encodedMessageType", # required
-    #       }
-    #
     # @!attribute [rw] encoded_message
     #   The encoded message that was returned with the response.
     #   @return [String]
@@ -1004,10 +965,10 @@ module Aws::STS
 
     # A document that contains additional information about the
     # authorization status of a request from an encoded message that is
-    # returned in response to an AWS request.
+    # returned in response to an Amazon Web Services request.
     #
     # @!attribute [rw] decoded_message
-    #   An XML document that contains the decoded message.
+    #   The API returns a response with the decoded message.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/DecodeAuthorizationMessageResponse AWS API Documentation
@@ -1060,13 +1021,6 @@ module Aws::STS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass GetAccessKeyInfoRequest
-    #   data as a hash:
-    #
-    #       {
-    #         access_key_id: "accessKeyIdType", # required
-    #       }
-    #
     # @!attribute [rw] access_key_id
     #   The identifier of an access key.
     #
@@ -1084,7 +1038,7 @@ module Aws::STS
     end
 
     # @!attribute [rw] account
-    #   The number used to identify the AWS account.
+    #   The number used to identify the Amazon Web Services account.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetAccessKeyInfoResponse AWS API Documentation
@@ -1117,12 +1071,12 @@ module Aws::STS
     #   @return [String]
     #
     # @!attribute [rw] account
-    #   The AWS account ID number of the account that owns or contains the
-    #   calling entity.
+    #   The Amazon Web Services account ID number of the account that owns
+    #   or contains the calling entity.
     #   @return [String]
     #
     # @!attribute [rw] arn
-    #   The AWS ARN associated with the calling entity.
+    #   The Amazon Web Services ARN associated with the calling entity.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetCallerIdentityResponse AWS API Documentation
@@ -1135,26 +1089,6 @@ module Aws::STS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass GetFederationTokenRequest
-    #   data as a hash:
-    #
-    #       {
-    #         name: "userNameType", # required
-    #         policy: "sessionPolicyDocumentType",
-    #         policy_arns: [
-    #           {
-    #             arn: "arnType",
-    #           },
-    #         ],
-    #         duration_seconds: 1,
-    #         tags: [
-    #           {
-    #             key: "tagKeyType", # required
-    #             value: "tagValueType", # required
-    #           },
-    #         ],
-    #       }
-    #
     # @!attribute [rw] name
     #   The name of the federated user. The name is used as an identifier
     #   for the temporary security credentials (such as `Bob`). For example,
@@ -1173,8 +1107,8 @@ module Aws::STS
     #
     #   You must pass an inline or managed [session policy][1] to this
     #   operation. You can pass a single JSON policy document to use as an
-    #   inline session policy. You can also specify up to 10 managed
-    #   policies to use as managed session policies.
+    #   inline session policy. You can also specify up to 10 managed policy
+    #   Amazon Resource Names (ARNs) to use as managed session policies.
     #
     #   This parameter is optional. However, if you do not pass any session
     #   policies, then the resulting federated user session has no
@@ -1202,12 +1136,13 @@ module Aws::STS
     #   include the tab (\\u0009), linefeed (\\u000A), and carriage return
     #   (\\u000D) characters.
     #
-    #   <note markdown="1"> An AWS conversion compresses the passed session policies and session
-    #   tags into a packed binary format that has a separate limit. Your
-    #   request can fail for this limit even if your plaintext meets the
-    #   other requirements. The `PackedPolicySize` response element
-    #   indicates by percentage how close the policies and tags for your
-    #   request are to the upper size limit.
+    #   <note markdown="1"> An Amazon Web Services conversion compresses the passed inline
+    #   session policy, managed policy ARNs, and session tags into a packed
+    #   binary format that has a separate limit. Your request can fail for
+    #   this limit even if your plaintext meets the other requirements. The
+    #   `PackedPolicySize` response element indicates by percentage how
+    #   close the policies and tags for your request are to the upper size
+    #   limit.
     #
     #    </note>
     #
@@ -1224,12 +1159,13 @@ module Aws::STS
     #
     #   You must pass an inline or managed [session policy][1] to this
     #   operation. You can pass a single JSON policy document to use as an
-    #   inline session policy. You can also specify up to 10 managed
-    #   policies to use as managed session policies. The plaintext that you
-    #   use for both inline and managed session policies can't exceed 2,048
-    #   characters. You can provide up to 10 managed policy ARNs. For more
-    #   information about ARNs, see [Amazon Resource Names (ARNs) and AWS
-    #   Service Namespaces][2] in the AWS General Reference.
+    #   inline session policy. You can also specify up to 10 managed policy
+    #   Amazon Resource Names (ARNs) to use as managed session policies. The
+    #   plaintext that you use for both inline and managed session policies
+    #   can't exceed 2,048 characters. You can provide up to 10 managed
+    #   policy ARNs. For more information about ARNs, see [Amazon Resource
+    #   Names (ARNs) and Amazon Web Services Service Namespaces][2] in the
+    #   Amazon Web Services General Reference.
     #
     #   This parameter is optional. However, if you do not pass any session
     #   policies, then the resulting federated user session has no
@@ -1250,12 +1186,13 @@ module Aws::STS
     #   are granted in addition to the permissions that are granted by the
     #   session policies.
     #
-    #   <note markdown="1"> An AWS conversion compresses the passed session policies and session
-    #   tags into a packed binary format that has a separate limit. Your
-    #   request can fail for this limit even if your plaintext meets the
-    #   other requirements. The `PackedPolicySize` response element
-    #   indicates by percentage how close the policies and tags for your
-    #   request are to the upper size limit.
+    #   <note markdown="1"> An Amazon Web Services conversion compresses the passed inline
+    #   session policy, managed policy ARNs, and session tags into a packed
+    #   binary format that has a separate limit. Your request can fail for
+    #   this limit even if your plaintext meets the other requirements. The
+    #   `PackedPolicySize` response element indicates by percentage how
+    #   close the policies and tags for your request are to the upper size
+    #   limit.
     #
     #    </note>
     #
@@ -1269,10 +1206,10 @@ module Aws::STS
     #   The duration, in seconds, that the session should last. Acceptable
     #   durations for federation sessions range from 900 seconds (15
     #   minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12
-    #   hours) as the default. Sessions obtained using AWS account root user
-    #   credentials are restricted to a maximum of 3,600 seconds (one hour).
-    #   If the specified duration is longer than one hour, the session
-    #   obtained by using root user credentials defaults to one hour.
+    #   hours) as the default. Sessions obtained using root user credentials
+    #   are restricted to a maximum of 3,600 seconds (one hour). If the
+    #   specified duration is longer than one hour, the session obtained by
+    #   using root user credentials defaults to one hour.
     #   @return [Integer]
     #
     # @!attribute [rw] tags
@@ -1285,12 +1222,13 @@ module Aws::STS
     #   values can’t exceed 256 characters. For these and additional limits,
     #   see [IAM and STS Character Limits][2] in the *IAM User Guide*.
     #
-    #   <note markdown="1"> An AWS conversion compresses the passed session policies and session
-    #   tags into a packed binary format that has a separate limit. Your
-    #   request can fail for this limit even if your plaintext meets the
-    #   other requirements. The `PackedPolicySize` response element
-    #   indicates by percentage how close the policies and tags for your
-    #   request are to the upper size limit.
+    #   <note markdown="1"> An Amazon Web Services conversion compresses the passed inline
+    #   session policy, managed policy ARNs, and session tags into a packed
+    #   binary format that has a separate limit. Your request can fail for
+    #   this limit even if your plaintext meets the other requirements. The
+    #   `PackedPolicySize` response element indicates by percentage how
+    #   close the policies and tags for your request are to the upper size
+    #   limit.
     #
     #    </note>
     #
@@ -1325,8 +1263,8 @@ module Aws::STS
     end
 
     # Contains the response to a successful GetFederationToken request,
-    # including temporary AWS credentials that can be used to make AWS
-    # requests.
+    # including temporary Amazon Web Services credentials that can be used
+    # to make Amazon Web Services requests.
     #
     # @!attribute [rw] credentials
     #   The temporary security credentials, which include an access key ID,
@@ -1363,23 +1301,14 @@ module Aws::STS
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass GetSessionTokenRequest
-    #   data as a hash:
-    #
-    #       {
-    #         duration_seconds: 1,
-    #         serial_number: "serialNumberType",
-    #         token_code: "tokenCodeType",
-    #       }
-    #
     # @!attribute [rw] duration_seconds
     #   The duration, in seconds, that the credentials should remain valid.
     #   Acceptable durations for IAM user sessions range from 900 seconds
     #   (15 minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12
-    #   hours) as the default. Sessions for AWS account owners are
-    #   restricted to a maximum of 3,600 seconds (one hour). If the duration
-    #   is longer than one hour, the session for AWS account owners defaults
-    #   to one hour.
+    #   hours) as the default. Sessions for Amazon Web Services account
+    #   owners are restricted to a maximum of 3,600 seconds (one hour). If
+    #   the duration is longer than one hour, the session for Amazon Web
+    #   Services account owners defaults to one hour.
     #   @return [Integer]
     #
     # @!attribute [rw] serial_number
@@ -1389,8 +1318,8 @@ module Aws::STS
     #   The value is either the serial number for a hardware device (such as
     #   `GAHT12345678`) or an Amazon Resource Name (ARN) for a virtual
     #   device (such as `arn:aws:iam::123456789012:mfa/user`). You can find
-    #   the device for an IAM user by going to the AWS Management Console
-    #   and viewing the user's security credentials.
+    #   the device for an IAM user by going to the Amazon Web Services
+    #   Management Console and viewing the user's security credentials.
     #
     #   The regex used to validate this parameter is a string of characters
     #   consisting of upper- and lower-case alphanumeric characters with no
@@ -1421,8 +1350,8 @@ module Aws::STS
     end
 
     # Contains the response to a successful GetSessionToken request,
-    # including temporary AWS credentials that can be used to make AWS
-    # requests.
+    # including temporary Amazon Web Services credentials that can be used
+    # to make Amazon Web Services requests.
     #
     # @!attribute [rw] credentials
     #   The temporary security credentials, which include an access key ID,
@@ -1494,9 +1423,9 @@ module Aws::STS
       include Aws::Structure
     end
 
-    # The web identity token that was passed could not be validated by AWS.
-    # Get a new identity token from the identity provider and then retry the
-    # request.
+    # The web identity token that was passed could not be validated by
+    # Amazon Web Services. Get a new identity token from the identity
+    # provider and then retry the request.
     #
     # @!attribute [rw] message
     #   @return [String]
@@ -1524,12 +1453,13 @@ module Aws::STS
     end
 
     # The request was rejected because the total packed size of the session
-    # policies and session tags combined was too large. An AWS conversion
-    # compresses the session policy document, session policy ARNs, and
-    # session tags into a packed binary format that has a separate limit.
-    # The error message indicates by percentage how close the policies and
-    # tags are to the upper size limit. For more information, see [Passing
-    # Session Tags in STS][1] in the *IAM User Guide*.
+    # policies and session tags combined was too large. An Amazon Web
+    # Services conversion compresses the session policy document, session
+    # policy ARNs, and session tags into a packed binary format that has a
+    # separate limit. The error message indicates by percentage how close
+    # the policies and tags are to the upper size limit. For more
+    # information, see [Passing Session Tags in STS][1] in the *IAM User
+    # Guide*.
     #
     # You could receive this error even though you meet other defined
     # session policy and session tag limits. For more information, see [IAM
@@ -1538,7 +1468,7 @@ module Aws::STS
     #
     #
     # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
-    # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html
+    # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length
     #
     # @!attribute [rw] message
     #   @return [String]
@@ -1554,18 +1484,11 @@ module Aws::STS
     # A reference to the IAM managed policy that is passed as a session
     # policy for a role session or a federated user session.
     #
-    # @note When making an API call, you may pass PolicyDescriptorType
-    #   data as a hash:
-    #
-    #       {
-    #         arn: "arnType",
-    #       }
-    #
     # @!attribute [rw] arn
     #   The Amazon Resource Name (ARN) of the IAM managed policy to use as a
     #   session policy for the role. For more information about ARNs, see
-    #   [Amazon Resource Names (ARNs) and AWS Service Namespaces][1] in the
-    #   *AWS General Reference*.
+    #   [Amazon Resource Names (ARNs) and Amazon Web Services Service
+    #   Namespaces][1] in the *Amazon Web Services General Reference*.
     #
     #
     #
@@ -1580,11 +1503,30 @@ module Aws::STS
       include Aws::Structure
     end
 
+    # Reserved for future use.
+    #
+    # @!attribute [rw] provider_arn
+    #   Reserved for future use.
+    #   @return [String]
+    #
+    # @!attribute [rw] context_assertion
+    #   Reserved for future use.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/ProvidedContext AWS API Documentation
+    #
+    class ProvidedContext < Struct.new(
+      :provider_arn,
+      :context_assertion)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # STS is not activated in the requested region for the account that is
     # being asked to generate credentials. The account administrator must
     # use the IAM console to activate STS in that region. For more
-    # information, see [Activating and Deactivating AWS STS in an AWS
-    # Region][1] in the *IAM User Guide*.
+    # information, see [Activating and Deactivating Amazon Web Services STS
+    # in an Amazon Web Services Region][1] in the *IAM User Guide*.
     #
     #
     #
@@ -1604,20 +1546,13 @@ module Aws::STS
     # You can pass custom key-value pair attributes when you assume a role
     # or federate a user. These are called session tags. You can then use
     # the session tags to control access to resources. For more information,
-    # see [Tagging AWS STS Sessions][1] in the *IAM User Guide*.
+    # see [Tagging Amazon Web Services STS Sessions][1] in the *IAM User
+    # Guide*.
     #
     #
     #
     # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
     #
-    # @note When making an API call, you may pass Tag
-    #   data as a hash:
-    #
-    #       {
-    #         key: "tagKeyType", # required
-    #         value: "tagValueType", # required
-    #       }
-    #
     # @!attribute [rw] key
     #   The key for a session tag.
     #