aws-sdk-core 3.185.2 → 3.187.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0117f7cb50c068598c310d1623a7d28eed6639c20d168ecd506fdf48040aafda
-  data.tar.gz: 676254d312d5f27b19268fb05ec84e269b76488fe7f71c5244a38468a63bdad8
+  metadata.gz: 8f2de23253ac2be6021ace7db6553c08dcc6a665328f8df555ea525b82fe1c9c
+  data.tar.gz: 76e5cb8b0e6c8b192e0a96e534441c303ae80bc94e74bacb893c6ba66a6f33dd
 SHA512:
-  metadata.gz: '08840b98e2ab9cd7e182f0488055ae2f12d3665b08d54fe255c1b2dca17ea4923a4fd5833d8bdb4f71339e1aab015070c4b1ce14c3e7726d5a54a4f158d41e9d'
-  data.tar.gz: 9e4a2c4e100b241728c930caabf7f1783cdf3d4f99465a0be6f917bcd3de1549ebaf46f023faa271ce892da4e54f2a1d2045b6120de2d4909e8d890c6fbd50a8
+  metadata.gz: cffc38b0fc5169f530ad1b5aed041824b74ec3d0c8892a01aee21a2fc50efafcd377106a9e9540fe5d23c949afb036653c5eeecff0c7ccbe2e3e204274779802
+  data.tar.gz: '092764014b0059eb4c1889b3ead6354304a5c788d2b7f8c0f02366875f7c218c42733da3f8483bf10634ef4a71cb4e2465491faf143ec05681ab62dc7af737a6'

data/CHANGELOG.md

@@ -1,6 +1,18 @@
 Unreleased Changes
 ------------------
 
+3.187.0 (2023-11-17)
+------------------
+
+* Feature - Updated Aws::STS::Client with the latest API changes.
+
+* Feature - Updated Aws::SSOOIDC::Client with the latest API changes.
+
+3.186.0 (2023-11-02)
+------------------
+
+* Feature - Support disabling IMDSv1 in `InstanceProfileCredentials` using `ENV['AWS_EC2_METADATA_V1_DISABLED']`, `ec2_metadata_v1_disabled` shared config, or the `disable_imds_v1` credentials option.
+
 3.185.2 (2023-10-31)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-3.185.2
+3.187.0

data/lib/aws-sdk-core/instance_profile_credentials.rb

@@ -53,6 +53,8 @@ module Aws
     # @option options [String] :endpoint_mode ('IPv4') The endpoint mode for
     #   the instance metadata service. This is either 'IPv4' ('169.254.169.254')
     #   or 'IPv6' ('[fd00:ec2::254]').
+    # @option options [Boolean] :disable_imds_v1 (false) Disable the use of the
+    #  legacy EC2 Metadata Service v1.
     # @option options [String] :ip_address ('169.254.169.254') Deprecated. Use
     #   :endpoint instead. The IP address for the endpoint.
     # @option options [Integer] :port (80)
@@ -77,6 +79,9 @@ module Aws
       endpoint_mode = resolve_endpoint_mode(options)
       @endpoint = resolve_endpoint(options, endpoint_mode)
       @port = options[:port] || 80
+      @disable_imds_v1 = resolve_disable_v1(options)
+      # Flag for if v2 flow fails, skip future attempts
+      @imds_v1_fallback = false
       @http_open_timeout = options[:http_open_timeout] || 1
       @http_read_timeout = options[:http_read_timeout] || 1
       @http_debug_output = options[:http_debug_output]
@@ -123,6 +128,16 @@ module Aws
       end
     end
 
+    def resolve_disable_v1(options)
+      value = options[:disable_imds_v1]
+      value ||= ENV['AWS_EC2_METADATA_V1_DISABLED']
+      value ||= Aws.shared_config.ec2_metadata_v1_disabled(
+        profile: options[:profile]
+      )
+      value = value.to_s.downcase if value
+      Aws::Util.str_2_bool(value) || false
+    end
+
     def backoff(backoff)
       case backoff
       when Proc then backoff
@@ -141,7 +156,7 @@ module Aws
       # service is responding but is returning invalid JSON documents
       # in response to the GET profile credentials call.
       begin
-        retry_errors([Aws::Json::ParseError, StandardError], max_retries: 3) do
+        retry_errors([Aws::Json::ParseError], max_retries: 3) do
           c = Aws::Json.load(get_credentials.to_s)
           if empty_credentials?(@credentials)
             @credentials = Credentials.new(
@@ -173,7 +188,6 @@ module Aws
               end
             end
           end
-
         end
       rescue Aws::Json::ParseError
         raise Aws::Errors::MetadataParserError
@@ -191,34 +205,14 @@ module Aws
             open_connection do |conn|
               # attempt to fetch token to start secure flow first
               # and rescue to failover
-              begin
-                retry_errors(NETWORK_ERRORS, max_retries: @retries) do
-                  unless token_set?
-                    created_time = Time.now
-                    token_value, ttl = http_put(
-                      conn, METADATA_TOKEN_PATH, @token_ttl
-                    )
-                    @token = Token.new(token_value, ttl, created_time) if token_value && ttl
-                  end
-                end
-              rescue *NETWORK_ERRORS
-                # token attempt failed, reset token
-                # fallback to non-token mode
-                @token = nil
-              end
-
+              fetch_token(conn) unless @imds_v1_fallback
               token = @token.value if token_set?
 
-              begin
-                metadata = http_get(conn, METADATA_PATH_BASE, token)
-                profile_name = metadata.lines.first.strip
-                http_get(conn, METADATA_PATH_BASE + profile_name, token)
-              rescue TokenExpiredError
-                # Token has expired, reset it
-                # The next retry should fetch it
-                @token = nil
-                raise Non200Response
-              end
+              # disable insecure flow if we couldn't get token
+              # and imds v1 is disabled
+              raise TokenRetrivalError if token.nil? && @disable_imds_v1
+
+              _get_credentials(conn, token)
             end
           end
         rescue
@@ -227,6 +221,36 @@ module Aws
       end
     end
 
+    def fetch_token(conn)
+      retry_errors(NETWORK_ERRORS, max_retries: @retries) do
+        unless token_set?
+          created_time = Time.now
+          token_value, ttl = http_put(
+            conn, METADATA_TOKEN_PATH, @token_ttl
+          )
+          @token = Token.new(token_value, ttl, created_time) if token_value && ttl
+        end
+      end
+    rescue *NETWORK_ERRORS
+      # token attempt failed, reset token
+      # fallback to non-token mode
+      @token = nil
+      @imds_v1_fallback = true
+    end
+
+    # token is optional - if nil, uses v1 (insecure) flow
+    def _get_credentials(conn, token)
+      metadata = http_get(conn, METADATA_PATH_BASE, token)
+      profile_name = metadata.lines.first.strip
+      http_get(conn, METADATA_PATH_BASE + profile_name, token)
+    rescue TokenExpiredError
+      # Token has expired, reset it
+      # The next retry should fetch it
+      @token = nil
+      @imds_v1_fallback = false
+      raise Non200Response
+    end
+
     def token_set?
       @token && !@token.expired?
     end
@@ -276,8 +300,6 @@ module Aws
         ]
       when 400
         raise TokenRetrivalError
-      when 401
-        raise TokenExpiredError
       else
         raise Non200Response
       end

data/lib/aws-sdk-core/shared_config.rb

@@ -205,6 +205,7 @@ module Aws
       :use_fips_endpoint,
       :ec2_metadata_service_endpoint,
       :ec2_metadata_service_endpoint_mode,
+      :ec2_metadata_v1_disabled,
       :max_attempts,
       :retry_mode,
       :adaptive_retry_wait_to_fill,

data/lib/aws-sdk-sso/client.rb

@@ -605,7 +605,7 @@ module Aws::SSO
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-core'
-      context[:gem_version] = '3.185.2'
+      context[:gem_version] = '3.187.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-sso.rb

@@ -54,6 +54,6 @@ require_relative 'aws-sdk-sso/customizations'
 # @!group service
 module Aws::SSO
 
-  GEM_VERSION = '3.185.2'
+  GEM_VERSION = '3.187.0'
 
 end

data/lib/aws-sdk-ssooidc/client.rb

@@ -388,61 +388,64 @@ module Aws::SSOOIDC
 
     # @!group API Operations
 
-    # Creates and returns an access token for the authorized client. The
-    # access token issued will be used to fetch short-term credentials for
-    # the assigned roles in the AWS account.
+    # Creates and returns access and refresh tokens for clients that are
+    # authenticated using client secrets. The access token can be used to
+    # fetch short-term credentials for the assigned AWS accounts or to
+    # access application APIs using `bearer` authentication.
     #
     # @option params [required, String] :client_id
-    #   The unique identifier string for each client. This value should come
-    #   from the persisted result of the RegisterClient API.
+    #   The unique identifier string for the client or application. This value
+    #   comes from the result of the RegisterClient API.
     #
     # @option params [required, String] :client_secret
     #   A secret string generated for the client. This value should come from
     #   the persisted result of the RegisterClient API.
     #
     # @option params [required, String] :grant_type
-    #   Supports grant types for the authorization code, refresh token, and
-    #   device code request. For device code requests, specify the following
-    #   value:
+    #   Supports the following OAuth grant types: Device Code and Refresh
+    #   Token. Specify either of the following values, depending on the grant
+    #   type that you want:
     #
-    #   `urn:ietf:params:oauth:grant-type:device_code `
+    #   * Device Code - `urn:ietf:params:oauth:grant-type:device_code`
+    #
+    #   * Refresh Token - `refresh_token`
     #
     #   For information about how to obtain the device code, see the
     #   StartDeviceAuthorization topic.
     #
     # @option params [String] :device_code
-    #   Used only when calling this API for the device code grant type. This
-    #   short-term code is used to identify this authentication attempt. This
-    #   should come from an in-memory reference to the result of the
-    #   StartDeviceAuthorization API.
+    #   Used only when calling this API for the Device Code grant type. This
+    #   short-term code is used to identify this authorization request. This
+    #   comes from the result of the StartDeviceAuthorization API.
     #
     # @option params [String] :code
-    #   The authorization code received from the authorization service. This
-    #   parameter is required to perform an authorization grant request to get
-    #   access to a token.
+    #   Used only when calling this API for the Authorization Code grant type.
+    #   The short-term code is used to identify this authorization request.
+    #   This grant type is currently unsupported for the CreateToken API.
     #
     # @option params [String] :refresh_token
-    #   Currently, `refreshToken` is not yet implemented and is not supported.
+    #   Used only when calling this API for the Refresh Token grant type. This
+    #   token is used to refresh short-term tokens, such as the access token,
+    #   that might expire.
+    #
     #   For more information about the features and limitations of the current
     #   IAM Identity Center OIDC implementation, see *Considerations for Using
     #   this Guide* in the [IAM Identity Center OIDC API Reference][1].
     #
-    #   The token used to obtain an access token in the event that the access
-    #   token is invalid or expired.
-    #
     #
     #
     #   [1]: https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html
     #
     # @option params [Array<String>] :scope
-    #   The list of scopes that is defined by the client. Upon authorization,
-    #   this list is used to restrict permissions when granting an access
-    #   token.
+    #   The list of scopes for which authorization is requested. The access
+    #   token that is issued is limited to the scopes that are granted. If
+    #   this value is not specified, IAM Identity Center authorizes all scopes
+    #   that are configured for the client during the call to RegisterClient.
     #
     # @option params [String] :redirect_uri
-    #   The location of the application that will receive the authorization
-    #   code. Users authorize the service to send the request to this
-    #   location.
+    #   Used only when calling this API for the Authorization Code grant type.
+    #   This value specifies the location of the client or application that
+    #   has registered to receive the authorization code.
     #
     # @return [Types::CreateTokenResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -452,6 +455,44 @@ module Aws::SSOOIDC
     #   * {Types::CreateTokenResponse#refresh_token #refresh_token} => String
     #   * {Types::CreateTokenResponse#id_token #id_token} => String
     #
+    #
+    # @example Example: Call OAuth/OIDC /token endpoint for Device Code grant with Secret authentication
+    #
+    #   resp = client.create_token({
+    #     client_id: "_yzkThXVzLWVhc3QtMQEXAMPLECLIENTID", 
+    #     client_secret: "VERYLONGSECRETeyJraWQiOiJrZXktMTU2NDAyODA5OSIsImFsZyI6IkhTMzg0In0", 
+    #     device_code: "yJraWQiOiJrZXktMTU2Njk2ODA4OCIsImFsZyI6IkhTMzIn0EXAMPLEDEVICECODE", 
+    #     grant_type: "urn:ietf:params:oauth:grant-type:device-code", 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     access_token: "aoal-YigITUDiNX1xZwOMXM5MxOWDL0E0jg9P6_C_jKQPxS_SKCP6f0kh1Up4g7TtvQqkMnD-GJiU_S1gvug6SrggAkc0:MGYCMQD3IatVjV7jAJU91kK3PkS/SfA2wtgWzOgZWDOR7sDGN9t0phCZz5It/aes/3C1Zj0CMQCKWOgRaiz6AIhza3DSXQNMLjRKXC8F8ceCsHlgYLMZ7hZidEXAMPLEACCESSTOKEN", 
+    #     expires_in: 1579729529, 
+    #     refresh_token: "aorvJYubGpU6i91YnH7Mfo-AT2fIVa1zCfA_Rvq9yjVKIP3onFmmykuQ7E93y2I-9Nyj-A_sVvMufaLNL0bqnDRtgAkc0:MGUCMFrRsktMRVlWaOR70XGMFGLL0SlcCw4DiYveIiOVx1uK9BbD0gvAddsW3UTLozXKMgIxAJ3qxUvjpnlLIOaaKOoa/FuNgqJVvr9GMwDtnAtlh9iZzAkEXAMPLEREFRESHTOKEN", 
+    #     token_type: "Bearer", 
+    #   }
+    #
+    # @example Example: Call OAuth/OIDC /token endpoint for Refresh Token grant with Secret authentication
+    #
+    #   resp = client.create_token({
+    #     client_id: "_yzkThXVzLWVhc3QtMQEXAMPLECLIENTID", 
+    #     client_secret: "VERYLONGSECRETeyJraWQiOiJrZXktMTU2NDAyODA5OSIsImFsZyI6IkhTMzg0In0", 
+    #     grant_type: "refresh_token", 
+    #     refresh_token: "aorvJYubGpU6i91YnH7Mfo-AT2fIVa1zCfA_Rvq9yjVKIP3onFmmykuQ7E93y2I-9Nyj-A_sVvMufaLNL0bqnDRtgAkc0:MGUCMFrRsktMRVlWaOR70XGMFGLL0SlcCw4DiYveIiOVx1uK9BbD0gvAddsW3UTLozXKMgIxAJ3qxUvjpnlLIOaaKOoa/FuNgqJVvr9GMwDtnAtlh9iZzAkEXAMPLEREFRESHTOKEN", 
+    #     scope: [
+    #       "codewhisperer:completions", 
+    #     ], 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     access_token: "aoal-YigITUDiNX1xZwOMXM5MxOWDL0E0jg9P6_C_jKQPxS_SKCP6f0kh1Up4g7TtvQqkMnD-GJiU_S1gvug6SrggAkc0:MGYCMQD3IatVjV7jAJU91kK3PkS/SfA2wtgWzOgZWDOR7sDGN9t0phCZz5It/aes/3C1Zj0CMQCKWOgRaiz6AIhza3DSXQNMLjRKXC8F8ceCsHlgYLMZ7hZidEXAMPLEACCESSTOKEN", 
+    #     expires_in: 1579729529, 
+    #     refresh_token: "aorvJYubGpU6i91YnH7Mfo-AT2fIVa1zCfA_Rvq9yjVKIP3onFmmykuQ7E93y2I-9Nyj-A_sVvMufaLNL0bqnDRtgAkc0:MGUCMFrRsktMRVlWaOR70XGMFGLL0SlcCw4DiYveIiOVx1uK9BbD0gvAddsW3UTLozXKMgIxAJ3qxUvjpnlLIOaaKOoa/FuNgqJVvr9GMwDtnAtlh9iZzAkEXAMPLEREFRESHTOKEN", 
+    #     token_type: "Bearer", 
+    #   }
+    #
     # @example Request syntax with placeholder values
     #
     #   resp = client.create_token({
@@ -482,6 +523,234 @@ module Aws::SSOOIDC
       req.send_request(options)
     end
 
+    # Creates and returns access and refresh tokens for clients and
+    # applications that are authenticated using IAM entities. The access
+    # token can be used to fetch short-term credentials for the assigned AWS
+    # accounts or to access application APIs using `bearer` authentication.
+    #
+    # @option params [required, String] :client_id
+    #   The unique identifier string for the client or application. This value
+    #   is an application ARN that has OAuth grants configured.
+    #
+    # @option params [required, String] :grant_type
+    #   Supports the following OAuth grant types: Authorization Code, Refresh
+    #   Token, JWT Bearer, and Token Exchange. Specify one of the following
+    #   values, depending on the grant type that you want:
+    #
+    #   * Authorization Code - `authorization_code`
+    #
+    #   * Refresh Token - `refresh_token`
+    #
+    #   * JWT Bearer - `urn:ietf:params:oauth:grant-type:jwt-bearer`
+    #
+    #   * Token Exchange - `urn:ietf:params:oauth:grant-type:token-exchange`
+    #
+    # @option params [String] :code
+    #   Used only when calling this API for the Authorization Code grant type.
+    #   This short-term code is used to identify this authorization request.
+    #   The code is obtained through a redirect from IAM Identity Center to a
+    #   redirect URI persisted in the Authorization Code GrantOptions for the
+    #   application.
+    #
+    # @option params [String] :refresh_token
+    #   Used only when calling this API for the Refresh Token grant type. This
+    #   token is used to refresh short-term tokens, such as the access token,
+    #   that might expire.
+    #
+    #   For more information about the features and limitations of the current
+    #   IAM Identity Center OIDC implementation, see *Considerations for Using
+    #   this Guide* in the [IAM Identity Center OIDC API Reference][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html
+    #
+    # @option params [String] :assertion
+    #   Used only when calling this API for the JWT Bearer grant type. This
+    #   value specifies the JSON Web Token (JWT) issued by a trusted token
+    #   issuer. To authorize a trusted token issuer, configure the JWT Bearer
+    #   GrantOptions for the application.
+    #
+    # @option params [Array<String>] :scope
+    #   The list of scopes for which authorization is requested. The access
+    #   token that is issued is limited to the scopes that are granted. If the
+    #   value is not specified, IAM Identity Center authorizes all scopes
+    #   configured for the application, including the following default
+    #   scopes: `openid`, `aws`, `sts:identity_context`.
+    #
+    # @option params [String] :redirect_uri
+    #   Used only when calling this API for the Authorization Code grant type.
+    #   This value specifies the location of the client or application that
+    #   has registered to receive the authorization code.
+    #
+    # @option params [String] :subject_token
+    #   Used only when calling this API for the Token Exchange grant type.
+    #   This value specifies the subject of the exchange. The value of the
+    #   subject token must be an access token issued by IAM Identity Center to
+    #   a different client or application. The access token must have
+    #   authorized scopes that indicate the requested application as a target
+    #   audience.
+    #
+    # @option params [String] :subject_token_type
+    #   Used only when calling this API for the Token Exchange grant type.
+    #   This value specifies the type of token that is passed as the subject
+    #   of the exchange. The following value is supported:
+    #
+    #   * Access Token - `urn:ietf:params:oauth:token-type:access_token`
+    #
+    # @option params [String] :requested_token_type
+    #   Used only when calling this API for the Token Exchange grant type.
+    #   This value specifies the type of token that the requester can receive.
+    #   The following values are supported:
+    #
+    #   * Access Token - `urn:ietf:params:oauth:token-type:access_token`
+    #
+    #   * Refresh Token - `urn:ietf:params:oauth:token-type:refresh_token`
+    #
+    # @return [Types::CreateTokenWithIAMResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::CreateTokenWithIAMResponse#access_token #access_token} => String
+    #   * {Types::CreateTokenWithIAMResponse#token_type #token_type} => String
+    #   * {Types::CreateTokenWithIAMResponse#expires_in #expires_in} => Integer
+    #   * {Types::CreateTokenWithIAMResponse#refresh_token #refresh_token} => String
+    #   * {Types::CreateTokenWithIAMResponse#id_token #id_token} => String
+    #   * {Types::CreateTokenWithIAMResponse#issued_token_type #issued_token_type} => String
+    #   * {Types::CreateTokenWithIAMResponse#scope #scope} => Array&lt;String&gt;
+    #
+    #
+    # @example Example: Call OAuth/OIDC /token endpoint for Authorization Code grant with IAM authentication
+    #
+    #   resp = client.create_token_with_iam({
+    #     client_id: "arn:aws:sso::123456789012:application/ssoins-111111111111/apl-222222222222", 
+    #     code: "yJraWQiOiJrZXktMTU2Njk2ODA4OCIsImFsZyI6IkhTMzg0In0EXAMPLEAUTHCODE", 
+    #     grant_type: "authorization_code", 
+    #     redirect_uri: "https://mywebapp.example/redirect", 
+    #     scope: [
+    #       "openid", 
+    #       "aws", 
+    #       "sts:identity_context", 
+    #     ], 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     access_token: "aoal-YigITUDiNX1xZwOMXM5MxOWDL0E0jg9P6_C_jKQPxS_SKCP6f0kh1Up4g7TtvQqkMnD-GJiU_S1gvug6SrggAkc0:MGYCMQD3IatVjV7jAJU91kK3PkS/SfA2wtgWzOgZWDOR7sDGN9t0phCZz5It/aes/3C1Zj0CMQCKWOgRaiz6AIhza3DSXQNMLjRKXC8F8ceCsHlgYLMZ7hZidEXAMPLEACCESSTOKEN", 
+    #     expires_in: 1579729529, 
+    #     id_token: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhd3M6aWRlbnRpdHlfc3RvcmVfaWQiOiJkLTMzMzMzMzMzMzMiLCJzdWIiOiI3MzA0NDhmMi1lMGExLTcwYTctYzk1NC0wMDAwMDAwMDAwMDAiLCJhd3M6aW5zdGFuY2VfYWNjb3VudCI6IjExMTExMTExMTExMSIsInN0czppZGVudGl0eV9jb250ZXh0IjoiRVhBTVBMRUlERU5USVRZQ09OVEVYVCIsInN0czphdWRpdF9jb250ZXh0IjoiRVhBTVBMRUFVRElUQ09OVEVYVCIsImlzcyI6Imh0dHBzOi8vaWRlbnRpdHljZW50ZXIuYW1hem9uYXdzLmNvbS9zc29pbnMtMTExMTExMTExMTExIiwiYXdzOmlkZW50aXR5X3N0b3JlX2FybiI6ImFybjphd3M6aWRlbnRpdHlzdG9yZTo6MTExMTExMTExMTExOmlkZW50aXR5c3RvcmUvZC0zMzMzMzMzMzMzIiwiYXVkIjoiYXJuOmF3czpzc286OjEyMzQ1Njc4OTAxMjphcHBsaWNhdGlvbi9zc29pbnMtMTExMTExMTExMTExL2FwbC0yMjIyMjIyMjIyMjIiLCJhd3M6aW5zdGFuY2VfYXJuIjoiYXJuOmF3czpzc286OjppbnN0YW5jZS9zc29pbnMtMTExMTExMTExMTExIiwiYXdzOmNyZWRlbnRpYWxfaWQiOiJfWlIyTjZhVkJqMjdGUEtheWpfcEtwVjc3QVBERl80MXB4ZXRfWWpJdUpONlVJR2RBdkpFWEFNUExFQ1JFRElEIiwiYXV0aF90aW1lIjoiMjAyMC0wMS0yMlQxMjo0NToyOVoiLCJleHAiOjE1Nzk3Mjk1MjksImlhdCI6MTU3OTcyNTkyOX0.Xyah6qbk78qThzJ41iFU2yfGuRqqtKXHrJYwQ8L9Ip0", 
+    #     issued_token_type: "urn:ietf:params:oauth:token-type:refresh_token", 
+    #     refresh_token: "aorvJYubGpU6i91YnH7Mfo-AT2fIVa1zCfA_Rvq9yjVKIP3onFmmykuQ7E93y2I-9Nyj-A_sVvMufaLNL0bqnDRtgAkc0:MGUCMFrRsktMRVlWaOR70XGMFGLL0SlcCw4DiYveIiOVx1uK9BbD0gvAddsW3UTLozXKMgIxAJ3qxUvjpnlLIOaaKOoa/FuNgqJVvr9GMwDtnAtlh9iZzAkEXAMPLEREFRESHTOKEN", 
+    #     scope: [
+    #       "openid", 
+    #       "aws", 
+    #       "sts:identity_context", 
+    #     ], 
+    #     token_type: "Bearer", 
+    #   }
+    #
+    # @example Example: Call OAuth/OIDC /token endpoint for Refresh Token grant with IAM authentication
+    #
+    #   resp = client.create_token_with_iam({
+    #     client_id: "arn:aws:sso::123456789012:application/ssoins-111111111111/apl-222222222222", 
+    #     grant_type: "refresh_token", 
+    #     refresh_token: "aorvJYubGpU6i91YnH7Mfo-AT2fIVa1zCfA_Rvq9yjVKIP3onFmmykuQ7E93y2I-9Nyj-A_sVvMufaLNL0bqnDRtgAkc0:MGUCMFrRsktMRVlWaOR70XGMFGLL0SlcCw4DiYveIiOVx1uK9BbD0gvAddsW3UTLozXKMgIxAJ3qxUvjpnlLIOaaKOoa/FuNgqJVvr9GMwDtnAtlh9iZzAkEXAMPLEREFRESHTOKEN", 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     access_token: "aoal-YigITUDiNX1xZwOMXM5MxOWDL0E0jg9P6_C_jKQPxS_SKCP6f0kh1Up4g7TtvQqkMnD-GJiU_S1gvug6SrggAkc0:MGYCMQD3IatVjV7jAJU91kK3PkS/SfA2wtgWzOgZWDOR7sDGN9t0phCZz5It/aes/3C1Zj0CMQCKWOgRaiz6AIhza3DSXQNMLjRKXC8F8ceCsHlgYLMZ7hZidEXAMPLEACCESSTOKEN", 
+    #     expires_in: 1579729529, 
+    #     issued_token_type: "urn:ietf:params:oauth:token-type:refresh_token", 
+    #     refresh_token: "aorvJYubGpU6i91YnH7Mfo-AT2fIVa1zCfA_Rvq9yjVKIP3onFmmykuQ7E93y2I-9Nyj-A_sVvMufaLNL0bqnDRtgAkc0:MGUCMFrRsktMRVlWaOR70XGMFGLL0SlcCw4DiYveIiOVx1uK9BbD0gvAddsW3UTLozXKMgIxAJ3qxUvjpnlLIOaaKOoa/FuNgqJVvr9GMwDtnAtlh9iZzAkEXAMPLEREFRESHTOKEN", 
+    #     scope: [
+    #       "openid", 
+    #       "aws", 
+    #       "sts:identity_context", 
+    #     ], 
+    #     token_type: "Bearer", 
+    #   }
+    #
+    # @example Example: Call OAuth/OIDC /token endpoint for JWT Bearer grant with IAM authentication
+    #
+    #   resp = client.create_token_with_iam({
+    #     assertion: "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjFMVE16YWtpaGlSbGFfOHoyQkVKVlhlV01xbyJ9.eyJ2ZXIiOiIyLjAiLCJpc3MiOiJodHRwczovL2xvZ2luLm1pY3Jvc29mdG9ubGluZS5jb20vOTEyMjA0MGQtNmM2Ny00YzViLWIxMTItMzZhMzA0YjY2ZGFkL3YyLjAiLCJzdWIiOiJBQUFBQUFBQUFBQUFBQUFBQUFBQUFJa3pxRlZyU2FTYUZIeTc4MmJidGFRIiwiYXVkIjoiNmNiMDQwMTgtYTNmNS00NmE3LWI5OTUtOTQwYzc4ZjVhZWYzIiwiZXhwIjoxNTM2MzYxNDExLCJpYXQiOjE1MzYyNzQ3MTEsIm5iZiI6MTUzNjI3NDcxMSwibmFtZSI6IkFiZSBMaW5jb2xuIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiQWJlTGlAbWljcm9zb2Z0LmNvbSIsIm9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC02NmYzLTMzMzJlY2E3ZWE4MSIsInRpZCI6IjkxMjIwNDBkLTZjNjctNGM1Yi1iMTEyLTM2YTMwNGI2NmRhZCIsIm5vbmNlIjoiMTIzNTIzIiwiYWlvIjoiRGYyVVZYTDFpeCFsTUNXTVNPSkJjRmF0emNHZnZGR2hqS3Y4cTVnMHg3MzJkUjVNQjVCaXN2R1FPN1lXQnlqZDhpUURMcSFlR2JJRGFreXA1bW5PcmNkcUhlWVNubHRlcFFtUnA2QUlaOGpZIn0.1AFWW-Ck5nROwSlltm7GzZvDwUkqvhSQpm55TQsmVo9Y59cLhRXpvB8n-55HCr9Z6G_31_UbeUkoz612I2j_Sm9FFShSDDjoaLQr54CreGIJvjtmS3EkK9a7SJBbcpL1MpUtlfygow39tFjY7EVNW9plWUvRrTgVk7lYLprvfzw-CIqw3gHC-T7IK_m_xkr08INERBtaecwhTeN4chPC4W3jdmw_lIxzC48YoQ0dB1L9-ImX98Egypfrlbm0IBL5spFzL6JDZIRRJOu8vecJvj1mq-IUhGt0MacxX8jdxYLP-KUu2d9MbNKpCKJuZ7p8gwTL5B7NlUdh_dmSviPWrw", 
+    #     client_id: "arn:aws:sso::123456789012:application/ssoins-111111111111/apl-222222222222", 
+    #     grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer", 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     access_token: "aoal-YigITUDiNX1xZwOMXM5MxOWDL0E0jg9P6_C_jKQPxS_SKCP6f0kh1Up4g7TtvQqkMnD-GJiU_S1gvug6SrggAkc0:MGYCMQD3IatVjV7jAJU91kK3PkS/SfA2wtgWzOgZWDOR7sDGN9t0phCZz5It/aes/3C1Zj0CMQCKWOgRaiz6AIhza3DSXQNMLjRKXC8F8ceCsHlgYLMZ7hZidEXAMPLEACCESSTOKEN", 
+    #     expires_in: 1579729529, 
+    #     id_token: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhd3M6aWRlbnRpdHlfc3RvcmVfaWQiOiJkLTMzMzMzMzMzMzMiLCJzdWIiOiI3MzA0NDhmMi1lMGExLTcwYTctYzk1NC0wMDAwMDAwMDAwMDAiLCJhd3M6aW5zdGFuY2VfYWNjb3VudCI6IjExMTExMTExMTExMSIsInN0czppZGVudGl0eV9jb250ZXh0IjoiRVhBTVBMRUlERU5USVRZQ09OVEVYVCIsInN0czphdWRpdF9jb250ZXh0IjoiRVhBTVBMRUFVRElUQ09OVEVYVCIsImlzcyI6Imh0dHBzOi8vaWRlbnRpdHljZW50ZXIuYW1hem9uYXdzLmNvbS9zc29pbnMtMTExMTExMTExMTExIiwiYXdzOmlkZW50aXR5X3N0b3JlX2FybiI6ImFybjphd3M6aWRlbnRpdHlzdG9yZTo6MTExMTExMTExMTExOmlkZW50aXR5c3RvcmUvZC0zMzMzMzMzMzMzIiwiYXVkIjoiYXJuOmF3czpzc286OjEyMzQ1Njc4OTAxMjphcHBsaWNhdGlvbi9zc29pbnMtMTExMTExMTExMTExL2FwbC0yMjIyMjIyMjIyMjIiLCJhd3M6aW5zdGFuY2VfYXJuIjoiYXJuOmF3czpzc286OjppbnN0YW5jZS9zc29pbnMtMTExMTExMTExMTExIiwiYXdzOmNyZWRlbnRpYWxfaWQiOiJfWlIyTjZhVkJqMjdGUEtheWpfcEtwVjc3QVBERl80MXB4ZXRfWWpJdUpONlVJR2RBdkpFWEFNUExFQ1JFRElEIiwiYXV0aF90aW1lIjoiMjAyMC0wMS0yMlQxMjo0NToyOVoiLCJleHAiOjE1Nzk3Mjk1MjksImlhdCI6MTU3OTcyNTkyOX0.Xyah6qbk78qThzJ41iFU2yfGuRqqtKXHrJYwQ8L9Ip0", 
+    #     issued_token_type: "urn:ietf:params:oauth:token-type:refresh_token", 
+    #     refresh_token: "aorvJYubGpU6i91YnH7Mfo-AT2fIVa1zCfA_Rvq9yjVKIP3onFmmykuQ7E93y2I-9Nyj-A_sVvMufaLNL0bqnDRtgAkc0:MGUCMFrRsktMRVlWaOR70XGMFGLL0SlcCw4DiYveIiOVx1uK9BbD0gvAddsW3UTLozXKMgIxAJ3qxUvjpnlLIOaaKOoa/FuNgqJVvr9GMwDtnAtlh9iZzAkEXAMPLEREFRESHTOKEN", 
+    #     scope: [
+    #       "openid", 
+    #       "aws", 
+    #       "sts:identity_context", 
+    #     ], 
+    #     token_type: "Bearer", 
+    #   }
+    #
+    # @example Example: Call OAuth/OIDC /token endpoint for Token Exchange grant with IAM authentication
+    #
+    #   resp = client.create_token_with_iam({
+    #     client_id: "arn:aws:sso::123456789012:application/ssoins-111111111111/apl-222222222222", 
+    #     grant_type: "urn:ietf:params:oauth:grant-type:token-exchange", 
+    #     requested_token_type: "urn:ietf:params:oauth:token-type:access_token", 
+    #     subject_token: "aoak-Hig8TUDPNX1xZwOMXM5MxOWDL0E0jg9P6_C_jKQPxS_SKCP6f0kh1Up4g7TtvQqkMnD-GJiU_S1gvug6SrggAkc0:MGYCMQD3IatVjV7jAJU91kK3PkS/SfA2wtgWzOgZWDOR7sDGN9t0phCZz5It/aes/3C1Zj0CMQCKWOgRaiz6AIhza3DSXQNMLjRKXC8F8ceCsHlgYLMZ7hZDIFFERENTACCESSTOKEN", 
+    #     subject_token_type: "urn:ietf:params:oauth:token-type:access_token", 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     access_token: "aoal-YigITUDiNX1xZwOMXM5MxOWDL0E0jg9P6_C_jKQPxS_SKCP6f0kh1Up4g7TtvQqkMnD-GJiU_S1gvug6SrggAkc0:MGYCMQD3IatVjV7jAJU91kK3PkS/SfA2wtgWzOgZWDOR7sDGN9t0phCZz5It/aes/3C1Zj0CMQCKWOgRaiz6AIhza3DSXQNMLjRKXC8F8ceCsHlgYLMZ7hZidEXAMPLEACCESSTOKEN", 
+    #     expires_in: 1579729529, 
+    #     id_token: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhd3M6aWRlbnRpdHlfc3RvcmVfaWQiOiJkLTMzMzMzMzMzMzMiLCJzdWIiOiI3MzA0NDhmMi1lMGExLTcwYTctYzk1NC0wMDAwMDAwMDAwMDAiLCJhd3M6aW5zdGFuY2VfYWNjb3VudCI6IjExMTExMTExMTExMSIsInN0czppZGVudGl0eV9jb250ZXh0IjoiRVhBTVBMRUlERU5USVRZQ09OVEVYVCIsImlzcyI6Imh0dHBzOi8vaWRlbnRpdHljZW50ZXIuYW1hem9uYXdzLmNvbS9zc29pbnMtMTExMTExMTExMTExIiwiYXdzOmlkZW50aXR5X3N0b3JlX2FybiI6ImFybjphd3M6aWRlbnRpdHlzdG9yZTo6MTExMTExMTExMTExOmlkZW50aXR5c3RvcmUvZC0zMzMzMzMzMzMzIiwiYXVkIjoiYXJuOmF3czpzc286OjEyMzQ1Njc4OTAxMjphcHBsaWNhdGlvbi9zc29pbnMtMTExMTExMTExMTExL2FwbC0yMjIyMjIyMjIyMjIiLCJhd3M6aW5zdGFuY2VfYXJuIjoiYXJuOmF3czpzc286OjppbnN0YW5jZS9zc29pbnMtMTExMTExMTExMTExIiwiYXdzOmNyZWRlbnRpYWxfaWQiOiJfWlIyTjZhVkJqMjdGUEtheWpfcEtwVjc3QVBERl80MXB4ZXRfWWpJdUpONlVJR2RBdkpFWEFNUExFQ1JFRElEIiwiYXV0aF90aW1lIjoiMjAyMC0wMS0yMlQxMjo0NToyOVoiLCJleHAiOjE1Nzk3Mjk1MjksImlhdCI6MTU3OTcyNTkyOX0.5SYiW1kMsuUr7nna-l5tlakM0GNbMHvIM2_n0QD23jM", 
+    #     issued_token_type: "urn:ietf:params:oauth:token-type:access_token", 
+    #     scope: [
+    #       "openid", 
+    #       "aws", 
+    #       "sts:identity_context", 
+    #     ], 
+    #     token_type: "Bearer", 
+    #   }
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.create_token_with_iam({
+    #     client_id: "ClientId", # required
+    #     grant_type: "GrantType", # required
+    #     code: "AuthCode",
+    #     refresh_token: "RefreshToken",
+    #     assertion: "Assertion",
+    #     scope: ["Scope"],
+    #     redirect_uri: "URI",
+    #     subject_token: "SubjectToken",
+    #     subject_token_type: "TokenTypeURI",
+    #     requested_token_type: "TokenTypeURI",
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.access_token #=> String
+    #   resp.token_type #=> String
+    #   resp.expires_in #=> Integer
+    #   resp.refresh_token #=> String
+    #   resp.id_token #=> String
+    #   resp.issued_token_type #=> String
+    #   resp.scope #=> Array
+    #   resp.scope[0] #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sso-oidc-2019-06-10/CreateTokenWithIAM AWS API Documentation
+    #
+    # @overload create_token_with_iam(params = {})
+    # @param [Hash] params ({})
+    def create_token_with_iam(params = {}, options = {})
+      req = build_request(:create_token_with_iam, params)
+      req.send_request(options)
+    end
+
     # Registers a client with IAM Identity Center. This allows clients to
     # initiate device authorization. The output should be persisted for
     # reuse through many authentication requests.
@@ -507,6 +776,26 @@ module Aws::SSOOIDC
     #   * {Types::RegisterClientResponse#authorization_endpoint #authorization_endpoint} => String
     #   * {Types::RegisterClientResponse#token_endpoint #token_endpoint} => String
     #
+    #
+    # @example Example: Call OAuth/OIDC /register-client endpoint
+    #
+    #   resp = client.register_client({
+    #     client_name: "My IDE Plugin", 
+    #     client_type: "public", 
+    #     scopes: [
+    #       "sso:account:access", 
+    #       "codewhisperer:completions", 
+    #     ], 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     client_id: "_yzkThXVzLWVhc3QtMQEXAMPLECLIENTID", 
+    #     client_id_issued_at: 1579725929, 
+    #     client_secret: "VERYLONGSECRETeyJraWQiOiJrZXktMTU2NDAyODA5OSIsImFsZyI6IkhTMzg0In0", 
+    #     client_secret_expires_at: 1587584729, 
+    #   }
+    #
     # @example Request syntax with placeholder values
     #
     #   resp = client.register_client({
@@ -546,8 +835,9 @@ module Aws::SSOOIDC
     #   come from the persisted result of the RegisterClient API operation.
     #
     # @option params [required, String] :start_url
-    #   The URL for the AWS access portal. For more information, see [Using
-    #   the AWS access portal][1] in the *IAM Identity Center User Guide*.
+    #   The URL for the Amazon Web Services access portal. For more
+    #   information, see [Using the Amazon Web Services access portal][1] in
+    #   the *IAM Identity Center User Guide*.
     #
     #
     #
@@ -562,6 +852,25 @@ module Aws::SSOOIDC
     #   * {Types::StartDeviceAuthorizationResponse#expires_in #expires_in} => Integer
     #   * {Types::StartDeviceAuthorizationResponse#interval #interval} => Integer
     #
+    #
+    # @example Example: Call OAuth/OIDC /start-device-authorization endpoint
+    #
+    #   resp = client.start_device_authorization({
+    #     client_id: "_yzkThXVzLWVhc3QtMQEXAMPLECLIENTID", 
+    #     client_secret: "VERYLONGSECRETeyJraWQiOiJrZXktMTU2NDAyODA5OSIsImFsZyI6IkhTMzg0In0", 
+    #     start_url: "https://identitycenter.amazonaws.com/ssoins-111111111111", 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     device_code: "yJraWQiOiJrZXktMTU2Njk2ODA4OCIsImFsZyI6IkhTMzIn0EXAMPLEDEVICECODE", 
+    #     expires_in: 1579729529, 
+    #     interval: 1, 
+    #     user_code: "makdfsk83yJraWQiOiJrZXktMTU2Njk2sImFsZyI6IkhTMzIn0EXAMPLEUSERCODE", 
+    #     verification_uri: "https://device.sso.us-west-2.amazonaws.com", 
+    #     verification_uri_complete: "https://device.sso.us-west-2.amazonaws.com?user_code=makdfsk83yJraWQiOiJrZXktMTU2Njk2sImFsZyI6IkhTMzIn0EXAMPLEUSERCODE", 
+    #   }
+    #
     # @example Request syntax with placeholder values
     #
     #   resp = client.start_device_authorization({
@@ -601,7 +910,7 @@ module Aws::SSOOIDC
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-core'
-      context[:gem_version] = '3.185.2'
+      context[:gem_version] = '3.187.0'
       Seahorse::Client::Request.new(handlers, context)
     end