aws-sdk-core 3.171.1 → 3.199.0

data/lib/aws-sdk-sts/client_api.rb

@@ -24,7 +24,7 @@ module Aws::STS
     Credentials = Shapes::StructureShape.new(name: 'Credentials')
     DecodeAuthorizationMessageRequest = Shapes::StructureShape.new(name: 'DecodeAuthorizationMessageRequest')
     DecodeAuthorizationMessageResponse = Shapes::StructureShape.new(name: 'DecodeAuthorizationMessageResponse')
-    ExpiredTokenException = Shapes::StructureShape.new(name: 'ExpiredTokenException')
+    ExpiredTokenException = Shapes::StructureShape.new(name: 'ExpiredTokenException', error: {"code"=>"ExpiredTokenException", "httpStatusCode"=>400, "senderFault"=>true})
     FederatedUser = Shapes::StructureShape.new(name: 'FederatedUser')
     GetAccessKeyInfoRequest = Shapes::StructureShape.new(name: 'GetAccessKeyInfoRequest')
     GetAccessKeyInfoResponse = Shapes::StructureShape.new(name: 'GetAccessKeyInfoResponse')
@@ -34,16 +34,18 @@ module Aws::STS
     GetFederationTokenResponse = Shapes::StructureShape.new(name: 'GetFederationTokenResponse')
     GetSessionTokenRequest = Shapes::StructureShape.new(name: 'GetSessionTokenRequest')
     GetSessionTokenResponse = Shapes::StructureShape.new(name: 'GetSessionTokenResponse')
-    IDPCommunicationErrorException = Shapes::StructureShape.new(name: 'IDPCommunicationErrorException')
-    IDPRejectedClaimException = Shapes::StructureShape.new(name: 'IDPRejectedClaimException')
-    InvalidAuthorizationMessageException = Shapes::StructureShape.new(name: 'InvalidAuthorizationMessageException')
-    InvalidIdentityTokenException = Shapes::StructureShape.new(name: 'InvalidIdentityTokenException')
+    IDPCommunicationErrorException = Shapes::StructureShape.new(name: 'IDPCommunicationErrorException', error: {"code"=>"IDPCommunicationError", "httpStatusCode"=>400, "senderFault"=>true})
+    IDPRejectedClaimException = Shapes::StructureShape.new(name: 'IDPRejectedClaimException', error: {"code"=>"IDPRejectedClaim", "httpStatusCode"=>403, "senderFault"=>true})
+    InvalidAuthorizationMessageException = Shapes::StructureShape.new(name: 'InvalidAuthorizationMessageException', error: {"code"=>"InvalidAuthorizationMessageException", "httpStatusCode"=>400, "senderFault"=>true})
+    InvalidIdentityTokenException = Shapes::StructureShape.new(name: 'InvalidIdentityTokenException', error: {"code"=>"InvalidIdentityToken", "httpStatusCode"=>400, "senderFault"=>true})
     Issuer = Shapes::StringShape.new(name: 'Issuer')
-    MalformedPolicyDocumentException = Shapes::StructureShape.new(name: 'MalformedPolicyDocumentException')
+    MalformedPolicyDocumentException = Shapes::StructureShape.new(name: 'MalformedPolicyDocumentException', error: {"code"=>"MalformedPolicyDocument", "httpStatusCode"=>400, "senderFault"=>true})
     NameQualifier = Shapes::StringShape.new(name: 'NameQualifier')
-    PackedPolicyTooLargeException = Shapes::StructureShape.new(name: 'PackedPolicyTooLargeException')
+    PackedPolicyTooLargeException = Shapes::StructureShape.new(name: 'PackedPolicyTooLargeException', error: {"code"=>"PackedPolicyTooLarge", "httpStatusCode"=>400, "senderFault"=>true})
     PolicyDescriptorType = Shapes::StructureShape.new(name: 'PolicyDescriptorType')
-    RegionDisabledException = Shapes::StructureShape.new(name: 'RegionDisabledException')
+    ProvidedContext = Shapes::StructureShape.new(name: 'ProvidedContext')
+    ProvidedContextsListType = Shapes::ListShape.new(name: 'ProvidedContextsListType')
+    RegionDisabledException = Shapes::StructureShape.new(name: 'RegionDisabledException', error: {"code"=>"RegionDisabledException", "httpStatusCode"=>403, "senderFault"=>true})
     SAMLAssertionType = Shapes::StringShape.new(name: 'SAMLAssertionType')
     Subject = Shapes::StringShape.new(name: 'Subject')
     SubjectType = Shapes::StringShape.new(name: 'SubjectType')
@@ -54,6 +56,7 @@ module Aws::STS
     arnType = Shapes::StringShape.new(name: 'arnType')
     assumedRoleIdType = Shapes::StringShape.new(name: 'assumedRoleIdType')
     clientTokenType = Shapes::StringShape.new(name: 'clientTokenType')
+    contextAssertionType = Shapes::StringShape.new(name: 'contextAssertionType')
     dateType = Shapes::TimestampShape.new(name: 'dateType')
     decodedMessageType = Shapes::StringShape.new(name: 'decodedMessageType')
     durationSecondsType = Shapes::IntegerShape.new(name: 'durationSecondsType')
@@ -81,6 +84,7 @@ module Aws::STS
     tagValueType = Shapes::StringShape.new(name: 'tagValueType')
     tokenCodeType = Shapes::StringShape.new(name: 'tokenCodeType')
     tokenType = Shapes::StringShape.new(name: 'tokenType')
+    unrestrictedSessionPolicyDocumentType = Shapes::StringShape.new(name: 'unrestrictedSessionPolicyDocumentType')
     urlType = Shapes::StringShape.new(name: 'urlType')
     userIdType = Shapes::StringShape.new(name: 'userIdType')
     userNameType = Shapes::StringShape.new(name: 'userNameType')
@@ -89,7 +93,7 @@ module Aws::STS
     AssumeRoleRequest.add_member(:role_arn, Shapes::ShapeRef.new(shape: arnType, required: true, location_name: "RoleArn"))
     AssumeRoleRequest.add_member(:role_session_name, Shapes::ShapeRef.new(shape: roleSessionNameType, required: true, location_name: "RoleSessionName"))
     AssumeRoleRequest.add_member(:policy_arns, Shapes::ShapeRef.new(shape: policyDescriptorListType, location_name: "PolicyArns"))
-    AssumeRoleRequest.add_member(:policy, Shapes::ShapeRef.new(shape: sessionPolicyDocumentType, location_name: "Policy"))
+    AssumeRoleRequest.add_member(:policy, Shapes::ShapeRef.new(shape: unrestrictedSessionPolicyDocumentType, location_name: "Policy"))
     AssumeRoleRequest.add_member(:duration_seconds, Shapes::ShapeRef.new(shape: roleDurationSecondsType, location_name: "DurationSeconds"))
     AssumeRoleRequest.add_member(:tags, Shapes::ShapeRef.new(shape: tagListType, location_name: "Tags"))
     AssumeRoleRequest.add_member(:transitive_tag_keys, Shapes::ShapeRef.new(shape: tagKeyListType, location_name: "TransitiveTagKeys"))
@@ -97,6 +101,7 @@ module Aws::STS
     AssumeRoleRequest.add_member(:serial_number, Shapes::ShapeRef.new(shape: serialNumberType, location_name: "SerialNumber"))
     AssumeRoleRequest.add_member(:token_code, Shapes::ShapeRef.new(shape: tokenCodeType, location_name: "TokenCode"))
     AssumeRoleRequest.add_member(:source_identity, Shapes::ShapeRef.new(shape: sourceIdentityType, location_name: "SourceIdentity"))
+    AssumeRoleRequest.add_member(:provided_contexts, Shapes::ShapeRef.new(shape: ProvidedContextsListType, location_name: "ProvidedContexts"))
     AssumeRoleRequest.struct_class = Types::AssumeRoleRequest
 
     AssumeRoleResponse.add_member(:credentials, Shapes::ShapeRef.new(shape: Credentials, location_name: "Credentials"))
@@ -219,6 +224,12 @@ module Aws::STS
     PolicyDescriptorType.add_member(:arn, Shapes::ShapeRef.new(shape: arnType, location_name: "arn"))
     PolicyDescriptorType.struct_class = Types::PolicyDescriptorType
 
+    ProvidedContext.add_member(:provider_arn, Shapes::ShapeRef.new(shape: arnType, location_name: "ProviderArn"))
+    ProvidedContext.add_member(:context_assertion, Shapes::ShapeRef.new(shape: contextAssertionType, location_name: "ContextAssertion"))
+    ProvidedContext.struct_class = Types::ProvidedContext
+
+    ProvidedContextsListType.member = Shapes::ShapeRef.new(shape: ProvidedContext)
+
     RegionDisabledException.add_member(:message, Shapes::ShapeRef.new(shape: regionDisabledMessage, location_name: "message"))
     RegionDisabledException.struct_class = Types::RegionDisabledException
 

data/lib/aws-sdk-sts/endpoint_provider.rb

@@ -15,93 +15,96 @@ module Aws::STS
       use_fips = parameters.use_fips
       endpoint = parameters.endpoint
       use_global_endpoint = parameters.use_global_endpoint
-      if (partition_result = Aws::Endpoints::Matchers.aws_partition(region))
-        if Aws::Endpoints::Matchers.boolean_equals?(use_global_endpoint, true) && Aws::Endpoints::Matchers.boolean_equals?(use_fips, false) && Aws::Endpoints::Matchers.boolean_equals?(use_dual_stack, false) && Aws::Endpoints::Matchers.not(Aws::Endpoints::Matchers.set?(endpoint))
-          if Aws::Endpoints::Matchers.string_equals?(region, "ap-northeast-1")
-            return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingRegion"=>"us-east-1", "signingName"=>"sts"}]})
-          end
-          if Aws::Endpoints::Matchers.string_equals?(region, "ap-south-1")
-            return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingRegion"=>"us-east-1", "signingName"=>"sts"}]})
-          end
-          if Aws::Endpoints::Matchers.string_equals?(region, "ap-southeast-1")
-            return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingRegion"=>"us-east-1", "signingName"=>"sts"}]})
-          end
-          if Aws::Endpoints::Matchers.string_equals?(region, "ap-southeast-2")
-            return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingRegion"=>"us-east-1", "signingName"=>"sts"}]})
-          end
-          if Aws::Endpoints::Matchers.string_equals?(region, "aws-global")
-            return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingRegion"=>"us-east-1", "signingName"=>"sts"}]})
-          end
-          if Aws::Endpoints::Matchers.string_equals?(region, "ca-central-1")
-            return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingRegion"=>"us-east-1", "signingName"=>"sts"}]})
-          end
-          if Aws::Endpoints::Matchers.string_equals?(region, "eu-central-1")
-            return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingRegion"=>"us-east-1", "signingName"=>"sts"}]})
-          end
-          if Aws::Endpoints::Matchers.string_equals?(region, "eu-north-1")
-            return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingRegion"=>"us-east-1", "signingName"=>"sts"}]})
-          end
-          if Aws::Endpoints::Matchers.string_equals?(region, "eu-west-1")
-            return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingRegion"=>"us-east-1", "signingName"=>"sts"}]})
-          end
-          if Aws::Endpoints::Matchers.string_equals?(region, "eu-west-2")
-            return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingRegion"=>"us-east-1", "signingName"=>"sts"}]})
-          end
-          if Aws::Endpoints::Matchers.string_equals?(region, "eu-west-3")
-            return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingRegion"=>"us-east-1", "signingName"=>"sts"}]})
-          end
-          if Aws::Endpoints::Matchers.string_equals?(region, "sa-east-1")
-            return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingRegion"=>"us-east-1", "signingName"=>"sts"}]})
-          end
-          if Aws::Endpoints::Matchers.string_equals?(region, "us-east-1")
-            return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingRegion"=>"us-east-1", "signingName"=>"sts"}]})
-          end
-          if Aws::Endpoints::Matchers.string_equals?(region, "us-east-2")
-            return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingRegion"=>"us-east-1", "signingName"=>"sts"}]})
-          end
-          if Aws::Endpoints::Matchers.string_equals?(region, "us-west-1")
-            return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingRegion"=>"us-east-1", "signingName"=>"sts"}]})
-          end
-          if Aws::Endpoints::Matchers.string_equals?(region, "us-west-2")
-            return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingRegion"=>"us-east-1", "signingName"=>"sts"}]})
-          end
-          return Aws::Endpoints::Endpoint.new(url: "https://sts.#{region}.#{partition_result['dnsSuffix']}", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingRegion"=>"#{region}", "signingName"=>"sts"}]})
+      if Aws::Endpoints::Matchers.boolean_equals?(use_global_endpoint, true) && Aws::Endpoints::Matchers.not(Aws::Endpoints::Matchers.set?(endpoint)) && Aws::Endpoints::Matchers.set?(region) && (partition_result = Aws::Endpoints::Matchers.aws_partition(region)) && Aws::Endpoints::Matchers.boolean_equals?(use_fips, false) && Aws::Endpoints::Matchers.boolean_equals?(use_dual_stack, false)
+        if Aws::Endpoints::Matchers.string_equals?(region, "ap-northeast-1")
+          return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingName"=>"sts", "signingRegion"=>"us-east-1"}]})
         end
-        if Aws::Endpoints::Matchers.set?(endpoint) && (url = Aws::Endpoints::Matchers.parse_url(endpoint))
-          if Aws::Endpoints::Matchers.boolean_equals?(use_fips, true)
-            raise ArgumentError, "Invalid Configuration: FIPS and custom endpoint are not supported"
-          end
-          if Aws::Endpoints::Matchers.boolean_equals?(use_dual_stack, true)
-            raise ArgumentError, "Invalid Configuration: Dualstack and custom endpoint are not supported"
-          end
-          return Aws::Endpoints::Endpoint.new(url: endpoint, headers: {}, properties: {})
+        if Aws::Endpoints::Matchers.string_equals?(region, "ap-south-1")
+          return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingName"=>"sts", "signingRegion"=>"us-east-1"}]})
         end
-        if Aws::Endpoints::Matchers.boolean_equals?(use_fips, true) && Aws::Endpoints::Matchers.boolean_equals?(use_dual_stack, true)
-          if Aws::Endpoints::Matchers.boolean_equals?(true, Aws::Endpoints::Matchers.attr(partition_result, "supportsFIPS")) && Aws::Endpoints::Matchers.boolean_equals?(true, Aws::Endpoints::Matchers.attr(partition_result, "supportsDualStack"))
-            return Aws::Endpoints::Endpoint.new(url: "https://sts-fips.#{region}.#{partition_result['dualStackDnsSuffix']}", headers: {}, properties: {})
-          end
-          raise ArgumentError, "FIPS and DualStack are enabled, but this partition does not support one or both"
+        if Aws::Endpoints::Matchers.string_equals?(region, "ap-southeast-1")
+          return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingName"=>"sts", "signingRegion"=>"us-east-1"}]})
+        end
+        if Aws::Endpoints::Matchers.string_equals?(region, "ap-southeast-2")
+          return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingName"=>"sts", "signingRegion"=>"us-east-1"}]})
+        end
+        if Aws::Endpoints::Matchers.string_equals?(region, "aws-global")
+          return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingName"=>"sts", "signingRegion"=>"us-east-1"}]})
+        end
+        if Aws::Endpoints::Matchers.string_equals?(region, "ca-central-1")
+          return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingName"=>"sts", "signingRegion"=>"us-east-1"}]})
         end
+        if Aws::Endpoints::Matchers.string_equals?(region, "eu-central-1")
+          return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingName"=>"sts", "signingRegion"=>"us-east-1"}]})
+        end
+        if Aws::Endpoints::Matchers.string_equals?(region, "eu-north-1")
+          return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingName"=>"sts", "signingRegion"=>"us-east-1"}]})
+        end
+        if Aws::Endpoints::Matchers.string_equals?(region, "eu-west-1")
+          return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingName"=>"sts", "signingRegion"=>"us-east-1"}]})
+        end
+        if Aws::Endpoints::Matchers.string_equals?(region, "eu-west-2")
+          return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingName"=>"sts", "signingRegion"=>"us-east-1"}]})
+        end
+        if Aws::Endpoints::Matchers.string_equals?(region, "eu-west-3")
+          return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingName"=>"sts", "signingRegion"=>"us-east-1"}]})
+        end
+        if Aws::Endpoints::Matchers.string_equals?(region, "sa-east-1")
+          return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingName"=>"sts", "signingRegion"=>"us-east-1"}]})
+        end
+        if Aws::Endpoints::Matchers.string_equals?(region, "us-east-1")
+          return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingName"=>"sts", "signingRegion"=>"us-east-1"}]})
+        end
+        if Aws::Endpoints::Matchers.string_equals?(region, "us-east-2")
+          return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingName"=>"sts", "signingRegion"=>"us-east-1"}]})
+        end
+        if Aws::Endpoints::Matchers.string_equals?(region, "us-west-1")
+          return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingName"=>"sts", "signingRegion"=>"us-east-1"}]})
+        end
+        if Aws::Endpoints::Matchers.string_equals?(region, "us-west-2")
+          return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingName"=>"sts", "signingRegion"=>"us-east-1"}]})
+        end
+        return Aws::Endpoints::Endpoint.new(url: "https://sts.#{region}.#{partition_result['dnsSuffix']}", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingName"=>"sts", "signingRegion"=>"#{region}"}]})
+      end
+      if Aws::Endpoints::Matchers.set?(endpoint)
         if Aws::Endpoints::Matchers.boolean_equals?(use_fips, true)
-          if Aws::Endpoints::Matchers.boolean_equals?(true, Aws::Endpoints::Matchers.attr(partition_result, "supportsFIPS"))
-            if Aws::Endpoints::Matchers.string_equals?("aws-us-gov", Aws::Endpoints::Matchers.attr(partition_result, "name"))
-              return Aws::Endpoints::Endpoint.new(url: "https://sts.#{region}.#{partition_result['dnsSuffix']}", headers: {}, properties: {})
-            end
-            return Aws::Endpoints::Endpoint.new(url: "https://sts-fips.#{region}.#{partition_result['dnsSuffix']}", headers: {}, properties: {})
-          end
-          raise ArgumentError, "FIPS is enabled but this partition does not support FIPS"
+          raise ArgumentError, "Invalid Configuration: FIPS and custom endpoint are not supported"
         end
         if Aws::Endpoints::Matchers.boolean_equals?(use_dual_stack, true)
-          if Aws::Endpoints::Matchers.boolean_equals?(true, Aws::Endpoints::Matchers.attr(partition_result, "supportsDualStack"))
-            return Aws::Endpoints::Endpoint.new(url: "https://sts.#{region}.#{partition_result['dualStackDnsSuffix']}", headers: {}, properties: {})
-          end
-          raise ArgumentError, "DualStack is enabled but this partition does not support DualStack"
+          raise ArgumentError, "Invalid Configuration: Dualstack and custom endpoint are not supported"
         end
-        if Aws::Endpoints::Matchers.string_equals?(region, "aws-global")
-          return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingRegion"=>"us-east-1", "signingName"=>"sts"}]})
+        return Aws::Endpoints::Endpoint.new(url: endpoint, headers: {}, properties: {})
+      end
+      if Aws::Endpoints::Matchers.set?(region)
+        if (partition_result = Aws::Endpoints::Matchers.aws_partition(region))
+          if Aws::Endpoints::Matchers.boolean_equals?(use_fips, true) && Aws::Endpoints::Matchers.boolean_equals?(use_dual_stack, true)
+            if Aws::Endpoints::Matchers.boolean_equals?(true, Aws::Endpoints::Matchers.attr(partition_result, "supportsFIPS")) && Aws::Endpoints::Matchers.boolean_equals?(true, Aws::Endpoints::Matchers.attr(partition_result, "supportsDualStack"))
+              return Aws::Endpoints::Endpoint.new(url: "https://sts-fips.#{region}.#{partition_result['dualStackDnsSuffix']}", headers: {}, properties: {})
+            end
+            raise ArgumentError, "FIPS and DualStack are enabled, but this partition does not support one or both"
+          end
+          if Aws::Endpoints::Matchers.boolean_equals?(use_fips, true)
+            if Aws::Endpoints::Matchers.boolean_equals?(Aws::Endpoints::Matchers.attr(partition_result, "supportsFIPS"), true)
+              if Aws::Endpoints::Matchers.string_equals?(Aws::Endpoints::Matchers.attr(partition_result, "name"), "aws-us-gov")
+                return Aws::Endpoints::Endpoint.new(url: "https://sts.#{region}.amazonaws.com", headers: {}, properties: {})
+              end
+              return Aws::Endpoints::Endpoint.new(url: "https://sts-fips.#{region}.#{partition_result['dnsSuffix']}", headers: {}, properties: {})
+            end
+            raise ArgumentError, "FIPS is enabled but this partition does not support FIPS"
+          end
+          if Aws::Endpoints::Matchers.boolean_equals?(use_dual_stack, true)
+            if Aws::Endpoints::Matchers.boolean_equals?(true, Aws::Endpoints::Matchers.attr(partition_result, "supportsDualStack"))
+              return Aws::Endpoints::Endpoint.new(url: "https://sts.#{region}.#{partition_result['dualStackDnsSuffix']}", headers: {}, properties: {})
+            end
+            raise ArgumentError, "DualStack is enabled but this partition does not support DualStack"
+          end
+          if Aws::Endpoints::Matchers.string_equals?(region, "aws-global")
+            return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingName"=>"sts", "signingRegion"=>"us-east-1"}]})
+          end
+          return Aws::Endpoints::Endpoint.new(url: "https://sts.#{region}.#{partition_result['dnsSuffix']}", headers: {}, properties: {})
         end
-        return Aws::Endpoints::Endpoint.new(url: "https://sts.#{region}.#{partition_result['dnsSuffix']}", headers: {}, properties: {})
       end
+      raise ArgumentError, "Invalid Configuration: Missing Region"
       raise ArgumentError, 'No endpoint could be resolved'
 
     end

data/lib/aws-sdk-sts/endpoints.rb

@@ -9,6 +9,7 @@
 
 
 module Aws::STS
+  # @api private
   module Endpoints
 
     class AssumeRole

data/lib/aws-sdk-sts/plugins/endpoints.rb

@@ -14,6 +14,7 @@ module Aws::STS
       option(
         :endpoint_provider,
         doc_type: 'Aws::STS::EndpointProvider',
+        rbs_type: 'untyped',
         docstring: 'The endpoint provider used to resolve endpoints. Any '\
                    'object that responds to `#resolve_endpoint(parameters)` '\
                    'where `parameters` is a Struct similar to '\
@@ -25,16 +26,17 @@ module Aws::STS
       # @api private
       class Handler < Seahorse::Client::Handler
         def call(context)
-          # If endpoint was discovered, do not resolve or apply the endpoint.
           unless context[:discovered_endpoint]
             params = parameters_for_operation(context)
             endpoint = context.config.endpoint_provider.resolve_endpoint(params)
 
             context.http_request.endpoint = endpoint.url
             apply_endpoint_headers(context, endpoint.headers)
+
+            context[:endpoint_params] = params
+            context[:endpoint_properties] = endpoint.properties
           end
 
-          context[:endpoint_params] = params
           context[:auth_scheme] =
             Aws::Endpoints.resolve_auth_scheme(context, endpoint)
 

data/lib/aws-sdk-sts/presigner.rb

@@ -35,7 +35,7 @@ module Aws
       #   )
       #
       # This can be easily converted to a token used by the EKS service:
-      # {https://ruby-doc.org/stdlib-2.3.1/libdoc/base64/rdoc/Base64.html#method-i-encode64}
+      # {https://docs.ruby-lang.org/en/3.2/Base64.html#method-i-encode64}
       # "k8s-aws-v1." + Base64.urlsafe_encode64(url).chomp("==")
       def get_caller_identity_presigned_url(options = {})
         req = @client.build_request(:get_caller_identity, {})

data/lib/aws-sdk-sts/types.rb

@@ -287,6 +287,19 @@ module Aws::STS
     #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
     #   @return [String]
     #
+    # @!attribute [rw] provided_contexts
+    #   A list of previously acquired trusted context assertions in the
+    #   format of a JSON array. The trusted context assertion is signed and
+    #   encrypted by Amazon Web Services STS.
+    #
+    #   The following is an example of a `ProvidedContext` value that
+    #   includes a single trusted context assertion and the ARN of the
+    #   context provider from which the trusted context assertion was
+    #   generated.
+    #
+    #   `[\{"ProviderArn":"arn:aws:iam::aws:contextProvider/IdentityCenter","ContextAssertion":"trusted-context-assertion"\}]`
+    #   @return [Array<Types::ProvidedContext>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleRequest AWS API Documentation
     #
     class AssumeRoleRequest < Struct.new(
@@ -300,7 +313,8 @@ module Aws::STS
       :external_id,
       :serial_number,
       :token_code,
-      :source_identity)
+      :source_identity,
+      :provided_contexts)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -508,7 +522,7 @@ module Aws::STS
       :policy_arns,
       :policy,
       :duration_seconds)
-      SENSITIVE = []
+      SENSITIVE = [:saml_assertion]
       include Aws::Structure
     end
 
@@ -576,7 +590,7 @@ module Aws::STS
     #     in IAM.
     #
     #   The combination of `NameQualifier` and `Subject` can be used to
-    #   uniquely identify a federated user.
+    #   uniquely identify a user.
     #
     #   The following pseudocode shows how the hash value is calculated:
     #
@@ -652,7 +666,8 @@ module Aws::STS
     #   provided by the identity provider. Your application must get this
     #   token by authenticating the user who is using your application with
     #   a web identity provider before the application makes an
-    #   `AssumeRoleWithWebIdentity` call.
+    #   `AssumeRoleWithWebIdentity` call. Only tokens with RSA algorithms
+    #   (RS256) are supported.
     #   @return [String]
     #
     # @!attribute [rw] provider_id
@@ -780,7 +795,7 @@ module Aws::STS
       :policy_arns,
       :policy,
       :duration_seconds)
-      SENSITIVE = []
+      SENSITIVE = [:web_identity_token]
       include Aws::Structure
     end
 
@@ -941,7 +956,7 @@ module Aws::STS
       :secret_access_key,
       :session_token,
       :expiration)
-      SENSITIVE = []
+      SENSITIVE = [:secret_access_key]
       include Aws::Structure
     end
 
@@ -1200,11 +1215,10 @@ module Aws::STS
     #   The duration, in seconds, that the session should last. Acceptable
     #   durations for federation sessions range from 900 seconds (15
     #   minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12
-    #   hours) as the default. Sessions obtained using Amazon Web Services
-    #   account root user credentials are restricted to a maximum of 3,600
-    #   seconds (one hour). If the specified duration is longer than one
-    #   hour, the session obtained by using root user credentials defaults
-    #   to one hour.
+    #   hours) as the default. Sessions obtained using root user credentials
+    #   are restricted to a maximum of 3,600 seconds (one hour). If the
+    #   specified duration is longer than one hour, the session obtained by
+    #   using root user credentials defaults to one hour.
     #   @return [Integer]
     #
     # @!attribute [rw] tags
@@ -1498,6 +1512,30 @@ module Aws::STS
       include Aws::Structure
     end
 
+    # Contains information about the provided context. This includes the
+    # signed and encrypted trusted context assertion and the context
+    # provider ARN from which the trusted context assertion was generated.
+    #
+    # @!attribute [rw] provider_arn
+    #   The context provider ARN from which the trusted context assertion
+    #   was generated.
+    #   @return [String]
+    #
+    # @!attribute [rw] context_assertion
+    #   The signed and encrypted trusted context assertion generated by the
+    #   context provider. The trusted context assertion is signed and
+    #   encrypted by Amazon Web Services STS.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/ProvidedContext AWS API Documentation
+    #
+    class ProvidedContext < Struct.new(
+      :provider_arn,
+      :context_assertion)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # STS is not activated in the requested region for the account that is
     # being asked to generate credentials. The account administrator must
     # use the IAM console to activate STS in that region. For more

data/lib/aws-sdk-sts.rb

@@ -54,6 +54,6 @@ require_relative 'aws-sdk-sts/customizations'
 # @!group service
 module Aws::STS
 
-  GEM_VERSION = '3.171.1'
+  GEM_VERSION = '3.199.0'
 
 end

data/lib/seahorse/client/async_base.rb

@@ -5,12 +5,12 @@ module Seahorse
     class AsyncBase < Seahorse::Client::Base
 
       # default H2 plugins
+      # @api private
       @plugins = PluginList.new([
         Plugins::Endpoint,
         Plugins::H2,
         Plugins::ResponseTarget
       ])
-
       def initialize(plugins, options)
         super
         @connection = H2::Connection.new(options)

data/lib/seahorse/client/async_response.rb

@@ -12,24 +12,43 @@ module Seahorse
         @sync_queue = options[:sync_queue]
       end
 
+      # @return [RequestContext]
       def context
         @response.context
       end
 
+      # @return [StandardError, nil]
       def error
         @response.error
       end
 
+      # @overload on(status_code, &block)
+      #   @param [Integer] status_code The block will be
+      #     triggered only for responses with the given status code.
+      #
+      # @overload on(status_code_range, &block)
+      #   @param [Range<Integer>] status_code_range The block will be
+      #     triggered only for responses with a status code that falls
+      #     witin the given range.
+      #
+      # @return [self]
       def on(range, &block)
         @response.on(range, &block)
         self
       end
 
+      # @api private
       def on_complete(&block)
         @response.on_complete(&block)
         self
       end
 
+      # @return [Boolean] Returns `true` if the response is complete with
+      #   no error.
+      def successful?
+        @response.error.nil?
+      end
+
       def wait
         if error && context.config.raise_response_errors
           raise error

data/lib/seahorse/client/base.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require 'thread'
-
 module Seahorse
   module Client
     class Base
@@ -9,6 +7,7 @@ module Seahorse
       include HandlerBuilder
 
       # default plugins
+      # @api private
       @plugins = PluginList.new([
         Plugins::Endpoint,
         Plugins::NetHttp,
@@ -59,6 +58,7 @@ module Seahorse
       def build_config(plugins, options)
         config = Configuration.new
         config.add_option(:api)
+        config.add_option(:plugins)
         plugins.each do |plugin|
           plugin.add_options(config) if plugin.respond_to?(:add_options)
         end
@@ -95,9 +95,9 @@ module Seahorse
       class << self
 
         def new(options = {})
-          plugins = build_plugins
           options = options.dup
-          before_initialize(plugins, options)
+          plugins = build_plugins(self.plugins + options.fetch(:plugins, []))
+          plugins = before_initialize(plugins, options)
           client = allocate
           client.send(:initialize, plugins, options)
           client
@@ -208,17 +208,28 @@ module Seahorse
           include(operations_module)
         end
 
-        def build_plugins
+        def build_plugins(plugins)
           plugins.map { |plugin| plugin.is_a?(Class) ? plugin.new : plugin }
         end
 
         def before_initialize(plugins, options)
-          plugins.each do |plugin|
-            plugin.before_initialize(self, options) if plugin.respond_to?(:before_initialize)
+          queue = Queue.new
+          plugins.each { |plugin| queue.push(plugin) }
+          until queue.empty?
+            plugin = queue.pop
+            next unless plugin.respond_to?(:before_initialize)
+
+            plugins_before = options.fetch(:plugins, [])
+            plugin.before_initialize(self, options)
+            plugins_after = build_plugins(options.fetch(:plugins, []) - plugins_before)
+            # Plugins with before_initialize can add other plugins
+            plugins_after.each { |p| queue.push(p); plugins << p }
           end
+          plugins
         end
 
         def inherited(subclass)
+          super
           subclass.instance_variable_set('@plugins', PluginList.new(@plugins))
         end
 

data/lib/seahorse/client/configuration.rb

@@ -204,10 +204,6 @@ module Seahorse
         def value_at(opt_name)
           value = @struct[opt_name]
           if value.is_a?(Defaults)
-            # Legacy endpoints must continue to exist.
-            if opt_name == :endpoint && @struct.members.include?(:regional_endpoint)
-              @struct[:regional_endpoint] = true
-            end
             resolve_defaults(opt_name, value)
           else
             value

data/lib/seahorse/client/h2/handler.rb

@@ -126,6 +126,7 @@ module Seahorse
         # https://http2.github.io/http2-spec/#rfc.section.8.1.2.3
         def _h2_headers(req)
           headers = {}
+          headers[':authority'] = req.endpoint.host
           headers[':method'] = req.http_method.upcase
           headers[':scheme'] = req.endpoint.scheme
           headers[':path'] = req.endpoint.path.empty? ? '/' : req.endpoint.path

data/lib/seahorse/client/handler.rb

@@ -15,7 +15,7 @@ module Seahorse
       attr_accessor :handler
 
       # @param [RequestContext] context
-      # @return [Response]
+      # @return [Seahorse::Response]
       def call(context)
         @handler.call(context)
       end

data/lib/seahorse/client/net_http/connection_pool.rb

@@ -119,11 +119,7 @@ module Seahorse
         #   pool, not counting those currently in use.
         def size
           @pool_mutex.synchronize do
-            size = 0
-            @pool.each_pair do |endpoint,sessions|
-              size += sessions.size
-            end
-            size
+            @pool.values.flatten.size
           end
         end
 
@@ -142,9 +138,7 @@ module Seahorse
         # @return [nil]
         def empty!
           @pool_mutex.synchronize do
-            @pool.each_pair do |endpoint,sessions|
-              sessions.each(&:finish)
-            end
+            @pool.values.flatten.map(&:finish)
             @pool.clear
           end
           nil
@@ -312,7 +306,7 @@ module Seahorse
         # @note **Must** be called behind a `@pool_mutex` synchronize block.
         def _clean
           now = Aws::Util.monotonic_milliseconds
-          @pool.each_pair do |endpoint,sessions|
+          @pool.values.each do |sessions|
             sessions.delete_if do |session|
               if session.last_used.nil? or now - session.last_used > http_idle_timeout * 1000
                 session.finish