aws-sdk-core 3.219.0 → 3.240.0

data/lib/aws-sdk-sts/client.rb

@@ -97,8 +97,8 @@ module Aws::STS
     #     class name or an instance of a plugin class.
     #
     #   @option options [required, Aws::CredentialProvider] :credentials
-    #     Your AWS credentials. This can be an instance of any one of the
-    #     following classes:
+    #     Your AWS credentials used for authentication. This can be any class that includes and implements
+    #     `Aws::CredentialProvider`, or instance of any one of the following classes:
     #
     #     * `Aws::Credentials` - Used for configuring static, non-refreshing
     #       credentials.
@@ -126,22 +126,24 @@ module Aws::STS
     #     * `Aws::CognitoIdentityCredentials` - Used for loading credentials
     #       from the Cognito Identity service.
     #
-    #     When `:credentials` are not configured directly, the following
-    #     locations will be searched for credentials:
+    #     When `:credentials` are not configured directly, the following locations will be searched for credentials:
     #
     #     * `Aws.config[:credentials]`
+    #
     #     * The `:access_key_id`, `:secret_access_key`, `:session_token`, and
     #       `:account_id` options.
-    #     * ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY'],
-    #       ENV['AWS_SESSION_TOKEN'], and ENV['AWS_ACCOUNT_ID']
+    #
+    #     * `ENV['AWS_ACCESS_KEY_ID']`, `ENV['AWS_SECRET_ACCESS_KEY']`,
+    #       `ENV['AWS_SESSION_TOKEN']`, and `ENV['AWS_ACCOUNT_ID']`.
+    #
     #     * `~/.aws/credentials`
+    #
     #     * `~/.aws/config`
-    #     * EC2/ECS IMDS instance profile - When used by default, the timeouts
-    #       are very aggressive. Construct and pass an instance of
-    #       `Aws::InstanceProfileCredentials` or `Aws::ECSCredentials` to
-    #       enable retries and extended timeouts. Instance profile credential
-    #       fetching can be disabled by setting ENV['AWS_EC2_METADATA_DISABLED']
-    #       to true.
+    #
+    #     * EC2/ECS IMDS instance profile - When used by default, the timeouts are very aggressive.
+    #       Construct and pass an instance of `Aws::InstanceProfileCredentials` or `Aws::ECSCredentials` to
+    #       enable retries and extended timeouts. Instance profile credential fetching can be disabled by
+    #       setting `ENV['AWS_EC2_METADATA_DISABLED']` to `true`.
     #
     #   @option options [required, String] :region
     #     The AWS region to connect to.  The configured `:region` is
@@ -169,6 +171,11 @@ module Aws::STS
     #     When false, the request will raise a `RetryCapacityNotAvailableError` and will
     #     not retry instead of sleeping.
     #
+    #   @option options [Array<String>] :auth_scheme_preference
+    #     A list of preferred authentication schemes to use when making a request. Supported values are:
+    #     `sigv4`, `sigv4a`, `httpBearerAuth`, and `noAuth`. When set using `ENV['AWS_AUTH_SCHEME_PREFERENCE']` or in
+    #     shared config as `auth_scheme_preference`, the value should be a comma-separated list.
+    #
     #   @option options [Boolean] :client_side_monitoring (false)
     #     When `true`, client-side metrics will be collected for all API requests from
     #     this client.
@@ -202,8 +209,7 @@ module Aws::STS
     #     accepted modes and the configuration defaults that are included.
     #
     #   @option options [Boolean] :disable_host_prefix_injection (false)
-    #     Set to true to disable SDK automatically adding host prefix
-    #     to default service endpoint when available.
+    #     When `true`, the SDK will not prepend the modeled host prefix to the endpoint.
     #
     #   @option options [Boolean] :disable_request_compression (false)
     #     When set to 'true' the request body will not be compressed
@@ -256,8 +262,8 @@ module Aws::STS
     #     4 times. Used in `standard` and `adaptive` retry modes.
     #
     #   @option options [String] :profile ("default")
-    #     Used when loading credentials from the shared credentials file
-    #     at HOME/.aws/credentials.  When not specified, 'default' is used.
+    #     Used when loading credentials from the shared credentials file at `HOME/.aws/credentials`.
+    #     When not specified, 'default' is used.
     #
     #   @option options [String] :request_checksum_calculation ("when_supported")
     #     Determines when a checksum will be calculated for request payloads. Values are:
@@ -375,8 +381,8 @@ module Aws::STS
     #     `Aws::Telemetry::OTelProvider` for telemetry provider.
     #
     #   @option options [Aws::TokenProvider] :token_provider
-    #     A Bearer Token Provider. This can be an instance of any one of the
-    #     following classes:
+    #     Your Bearer token used for authentication. This can be any class that includes and implements
+    #     `Aws::TokenProvider`, or instance of any one of the following classes:
     #
     #     * `Aws::StaticTokenProvider` - Used for configuring static, non-refreshing
     #       tokens.
@@ -613,7 +619,7 @@ module Aws::STS
     #   The regex used to validate this parameter is a string of characters
     #   consisting of upper- and lower-case alphanumeric characters with no
     #   spaces. You can also include underscores or any of the following
-    #   characters: =,.@-
+    #   characters: +=,.@-
     #
     #
     #
@@ -807,7 +813,7 @@ module Aws::STS
     #   The regex used to validate this parameter is a string of characters
     #   consisting of upper- and lower-case alphanumeric characters with no
     #   spaces. You can also include underscores or any of the following
-    #   characters: =,.@:/-
+    #   characters: +=,.@:\\/-
     #
     #
     #
@@ -825,7 +831,7 @@ module Aws::STS
     #   The regex used to validate this parameter is a string of characters
     #   consisting of upper- and lower-case alphanumeric characters with no
     #   spaces. You can also include underscores or any of the following
-    #   characters: =,.@-
+    #   characters: +=/:,.@-
     #
     # @option params [String] :token_code
     #   The value provided by the MFA device, if the trust policy of the role
@@ -886,7 +892,7 @@ module Aws::STS
     #
     #   resp = client.assume_role({
     #     external_id: "123ABC", 
-    #     policy: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"Allow\",\"Action\":\"s3:ListAllMyBuckets\",\"Resource\":\"*\"}]}", 
+    #     policy: "escaped-JSON-IAM-POLICY", 
     #     role_arn: "arn:aws:iam::123456789012:role/demo", 
     #     role_session_name: "testAssumeRoleSession", 
     #     tags: [
@@ -990,6 +996,11 @@ module Aws::STS
     # Applications can use these temporary security credentials to sign
     # calls to Amazon Web Services services.
     #
+    # <note markdown="1"> AssumeRoleWithSAML will not work on IAM Identity Center managed roles.
+    # These roles' names start with `AWSReservedSSO_`.
+    #
+    #  </note>
+    #
     # **Session Duration**
     #
     # By default, the temporary security credentials created by
@@ -1408,7 +1419,8 @@ module Aws::STS
     # (Optional) You can configure your IdP to pass attributes into your web
     # identity token as session tags. Each session tag consists of a key
     # name and an associated value. For more information about session tags,
-    # see [Passing Session Tags in STS][9] in the *IAM User Guide*.
+    # see [Passing session tags using AssumeRoleWithWebIdentity][9] in the
+    # *IAM User Guide*.
     #
     # You can pass up to 50 session tags. The plaintext session tag keys
     # can’t exceed 128 characters and the values can’t exceed 256
@@ -1476,7 +1488,7 @@ module Aws::STS
     # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-role-settings.html#id_roles_update-session-duration
     # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
     # [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
-    # [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
+    # [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_adding-assume-role-idp
     # [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
     # [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
     # [12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
@@ -1667,7 +1679,7 @@ module Aws::STS
     #
     #   resp = client.assume_role_with_web_identity({
     #     duration_seconds: 3600, 
-    #     policy: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"Allow\",\"Action\":\"s3:ListAllMyBuckets\",\"Resource\":\"*\"}]}", 
+    #     policy: "escaped-JSON-IAM-POLICY", 
     #     provider_id: "www.amazon.com", 
     #     role_arn: "arn:aws:iam::123456789012:role/FederatedWebIdentityRole", 
     #     role_session_name: "app1", 
@@ -1732,7 +1744,10 @@ module Aws::STS
     end
 
     # Returns a set of short term credentials you can use to perform
-    # privileged tasks on a member account in your organization.
+    # privileged tasks on a member account in your organization. You must
+    # use credentials from an Organizations management account or a
+    # delegated administrator account for IAM to call `AssumeRoot`. You
+    # cannot use root user credentials to make this call.
     #
     # Before you can launch a privileged session, you must have centralized
     # root access in your organization. For steps to enable this feature,
@@ -1749,19 +1764,29 @@ module Aws::STS
     # were performed in a session. For more information, see [Track
     # privileged tasks in CloudTrail][3] in the *IAM User Guide*.
     #
+    # When granting access to privileged tasks you should only grant the
+    # necessary permissions required to perform that task. For more
+    # information, see [Security best practices in IAM][4]. In addition, you
+    # can use [service control policies][5] (SCPs) to manage and limit
+    # permissions in your organization. See [General examples][6] in the
+    # *Organizations User Guide* for more information on SCPs.
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-enable-root-access.html
     # [2]: https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html#sts-endpoints
     # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-track-privileged-tasks.html
+    # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
+    # [5]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
+    # [6]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.html
     #
     # @option params [required, String] :target_principal
     #   The member account principal ARN or account ID.
     #
     # @option params [required, Types::PolicyDescriptorType] :task_policy_arn
     #   The identity based policy that scopes the session to the privileged
-    #   tasks that can be performed. You can use one of following Amazon Web
-    #   Services managed policies to scope root session actions.
+    #   tasks that can be performed. You must use one of following Amazon Web
+    #   Services managed policies to scope root session actions:
     #
     #   * [IAMAuditRootUserCredentials][1]
     #
@@ -2072,6 +2097,46 @@ module Aws::STS
       req.send_request(options)
     end
 
+    # Exchanges a trade-in token for temporary Amazon Web Services
+    # credentials with the permissions associated with the assumed
+    # principal. This operation allows you to obtain credentials for a
+    # specific principal based on a trade-in token, enabling delegation of
+    # access to Amazon Web Services resources.
+    #
+    # @option params [required, String] :trade_in_token
+    #   The token to exchange for temporary Amazon Web Services credentials.
+    #   This token must be valid and unexpired at the time of the request.
+    #
+    # @return [Types::GetDelegatedAccessTokenResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::GetDelegatedAccessTokenResponse#credentials #credentials} => Types::Credentials
+    #   * {Types::GetDelegatedAccessTokenResponse#packed_policy_size #packed_policy_size} => Integer
+    #   * {Types::GetDelegatedAccessTokenResponse#assumed_principal #assumed_principal} => String
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.get_delegated_access_token({
+    #     trade_in_token: "tradeInTokenType", # required
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.credentials.access_key_id #=> String
+    #   resp.credentials.secret_access_key #=> String
+    #   resp.credentials.session_token #=> String
+    #   resp.credentials.expiration #=> Time
+    #   resp.packed_policy_size #=> Integer
+    #   resp.assumed_principal #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetDelegatedAccessToken AWS API Documentation
+    #
+    # @overload get_delegated_access_token(params = {})
+    # @param [Hash] params ({})
+    def get_delegated_access_token(params = {}, options = {})
+      req = build_request(:get_delegated_access_token, params)
+      req.send_request(options)
+    end
+
     # Returns a set of temporary security credentials (consisting of an
     # access key ID, a secret access key, and a security token) for a user.
     # A typical use is in a proxy application that gets temporary security
@@ -2354,7 +2419,7 @@ module Aws::STS
     #   resp = client.get_federation_token({
     #     duration_seconds: 3600, 
     #     name: "testFedUserSession", 
-    #     policy: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"Allow\",\"Action\":\"s3:ListAllMyBuckets\",\"Resource\":\"*\"}]}", 
+    #     policy: "escaped-JSON-IAM-POLICY", 
     #     tags: [
     #       {
     #         key: "Project", 
@@ -2577,6 +2642,71 @@ module Aws::STS
       req.send_request(options)
     end
 
+    # Returns a signed JSON Web Token (JWT) that represents the calling
+    # Amazon Web Services identity. The returned JWT can be used to
+    # authenticate with external services that support OIDC discovery. The
+    # token is signed by Amazon Web Services STS and can be publicly
+    # verified using the verification keys published at the issuer's JWKS
+    # endpoint.
+    #
+    # @option params [required, Array<String>] :audience
+    #   The intended recipient of the web identity token. This value populates
+    #   the `aud` claim in the JWT and should identify the service or
+    #   application that will validate and use the token. The external service
+    #   should verify this claim to ensure the token was intended for their
+    #   use.
+    #
+    # @option params [Integer] :duration_seconds
+    #   The duration, in seconds, for which the JSON Web Token (JWT) will
+    #   remain valid. The value can range from 60 seconds (1 minute) to 3600
+    #   seconds (1 hour). If not specified, the default duration is 300
+    #   seconds (5 minutes). The token is designed to be short-lived and
+    #   should be used for proof of identity, then exchanged for credentials
+    #   or short-lived tokens in the external service.
+    #
+    # @option params [required, String] :signing_algorithm
+    #   The cryptographic algorithm to use for signing the JSON Web Token
+    #   (JWT). Valid values are RS256 (RSA with SHA-256) and ES384 (ECDSA
+    #   using P-384 curve with SHA-384).
+    #
+    # @option params [Array<Types::Tag>] :tags
+    #   An optional list of tags to include in the JSON Web Token (JWT). These
+    #   tags are added as custom claims to the JWT and can be used by the
+    #   downstream service for authorization decisions.
+    #
+    # @return [Types::GetWebIdentityTokenResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::GetWebIdentityTokenResponse#web_identity_token #web_identity_token} => String
+    #   * {Types::GetWebIdentityTokenResponse#expiration #expiration} => Time
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.get_web_identity_token({
+    #     audience: ["webIdentityTokenAudienceStringType"], # required
+    #     duration_seconds: 1,
+    #     signing_algorithm: "jwtAlgorithmType", # required
+    #     tags: [
+    #       {
+    #         key: "tagKeyType", # required
+    #         value: "tagValueType", # required
+    #       },
+    #     ],
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.web_identity_token #=> String
+    #   resp.expiration #=> Time
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetWebIdentityToken AWS API Documentation
+    #
+    # @overload get_web_identity_token(params = {})
+    # @param [Hash] params ({})
+    def get_web_identity_token(params = {}, options = {})
+      req = build_request(:get_web_identity_token, params)
+      req.send_request(options)
+    end
+
     # @!endgroup
 
     # @param params ({})
@@ -2595,7 +2725,7 @@ module Aws::STS
         tracer: tracer
       )
       context[:gem_name] = 'aws-sdk-core'
-      context[:gem_version] = '3.219.0'
+      context[:gem_version] = '3.240.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-sts/client_api.rb

@@ -27,30 +27,38 @@ module Aws::STS
     Credentials = Shapes::StructureShape.new(name: 'Credentials')
     DecodeAuthorizationMessageRequest = Shapes::StructureShape.new(name: 'DecodeAuthorizationMessageRequest')
     DecodeAuthorizationMessageResponse = Shapes::StructureShape.new(name: 'DecodeAuthorizationMessageResponse')
-    ExpiredTokenException = Shapes::StructureShape.new(name: 'ExpiredTokenException', error: {"code"=>"ExpiredTokenException", "httpStatusCode"=>400, "senderFault"=>true})
+    ExpiredTokenException = Shapes::StructureShape.new(name: 'ExpiredTokenException', error: {"code" => "ExpiredTokenException", "httpStatusCode" => 400, "senderFault" => true})
+    ExpiredTradeInTokenException = Shapes::StructureShape.new(name: 'ExpiredTradeInTokenException', error: {"code" => "ExpiredTradeInTokenException", "httpStatusCode" => 400, "senderFault" => true})
     FederatedUser = Shapes::StructureShape.new(name: 'FederatedUser')
     GetAccessKeyInfoRequest = Shapes::StructureShape.new(name: 'GetAccessKeyInfoRequest')
     GetAccessKeyInfoResponse = Shapes::StructureShape.new(name: 'GetAccessKeyInfoResponse')
     GetCallerIdentityRequest = Shapes::StructureShape.new(name: 'GetCallerIdentityRequest')
     GetCallerIdentityResponse = Shapes::StructureShape.new(name: 'GetCallerIdentityResponse')
+    GetDelegatedAccessTokenRequest = Shapes::StructureShape.new(name: 'GetDelegatedAccessTokenRequest')
+    GetDelegatedAccessTokenResponse = Shapes::StructureShape.new(name: 'GetDelegatedAccessTokenResponse')
     GetFederationTokenRequest = Shapes::StructureShape.new(name: 'GetFederationTokenRequest')
     GetFederationTokenResponse = Shapes::StructureShape.new(name: 'GetFederationTokenResponse')
     GetSessionTokenRequest = Shapes::StructureShape.new(name: 'GetSessionTokenRequest')
     GetSessionTokenResponse = Shapes::StructureShape.new(name: 'GetSessionTokenResponse')
-    IDPCommunicationErrorException = Shapes::StructureShape.new(name: 'IDPCommunicationErrorException', error: {"code"=>"IDPCommunicationError", "httpStatusCode"=>400, "senderFault"=>true})
-    IDPRejectedClaimException = Shapes::StructureShape.new(name: 'IDPRejectedClaimException', error: {"code"=>"IDPRejectedClaim", "httpStatusCode"=>403, "senderFault"=>true})
-    InvalidAuthorizationMessageException = Shapes::StructureShape.new(name: 'InvalidAuthorizationMessageException', error: {"code"=>"InvalidAuthorizationMessageException", "httpStatusCode"=>400, "senderFault"=>true})
-    InvalidIdentityTokenException = Shapes::StructureShape.new(name: 'InvalidIdentityTokenException', error: {"code"=>"InvalidIdentityToken", "httpStatusCode"=>400, "senderFault"=>true})
+    GetWebIdentityTokenRequest = Shapes::StructureShape.new(name: 'GetWebIdentityTokenRequest')
+    GetWebIdentityTokenResponse = Shapes::StructureShape.new(name: 'GetWebIdentityTokenResponse')
+    IDPCommunicationErrorException = Shapes::StructureShape.new(name: 'IDPCommunicationErrorException', error: {"code" => "IDPCommunicationError", "httpStatusCode" => 400, "senderFault" => true})
+    IDPRejectedClaimException = Shapes::StructureShape.new(name: 'IDPRejectedClaimException', error: {"code" => "IDPRejectedClaim", "httpStatusCode" => 403, "senderFault" => true})
+    InvalidAuthorizationMessageException = Shapes::StructureShape.new(name: 'InvalidAuthorizationMessageException', error: {"code" => "InvalidAuthorizationMessageException", "httpStatusCode" => 400, "senderFault" => true})
+    InvalidIdentityTokenException = Shapes::StructureShape.new(name: 'InvalidIdentityTokenException', error: {"code" => "InvalidIdentityToken", "httpStatusCode" => 400, "senderFault" => true})
     Issuer = Shapes::StringShape.new(name: 'Issuer')
-    MalformedPolicyDocumentException = Shapes::StructureShape.new(name: 'MalformedPolicyDocumentException', error: {"code"=>"MalformedPolicyDocument", "httpStatusCode"=>400, "senderFault"=>true})
+    JWTPayloadSizeExceededException = Shapes::StructureShape.new(name: 'JWTPayloadSizeExceededException', error: {"code" => "JWTPayloadSizeExceededException", "httpStatusCode" => 400, "senderFault" => true})
+    MalformedPolicyDocumentException = Shapes::StructureShape.new(name: 'MalformedPolicyDocumentException', error: {"code" => "MalformedPolicyDocument", "httpStatusCode" => 400, "senderFault" => true})
     NameQualifier = Shapes::StringShape.new(name: 'NameQualifier')
-    PackedPolicyTooLargeException = Shapes::StructureShape.new(name: 'PackedPolicyTooLargeException', error: {"code"=>"PackedPolicyTooLarge", "httpStatusCode"=>400, "senderFault"=>true})
+    OutboundWebIdentityFederationDisabledException = Shapes::StructureShape.new(name: 'OutboundWebIdentityFederationDisabledException', error: {"code" => "OutboundWebIdentityFederationDisabledException", "httpStatusCode" => 403, "senderFault" => true})
+    PackedPolicyTooLargeException = Shapes::StructureShape.new(name: 'PackedPolicyTooLargeException', error: {"code" => "PackedPolicyTooLarge", "httpStatusCode" => 400, "senderFault" => true})
     PolicyDescriptorType = Shapes::StructureShape.new(name: 'PolicyDescriptorType')
     ProvidedContext = Shapes::StructureShape.new(name: 'ProvidedContext')
     ProvidedContextsListType = Shapes::ListShape.new(name: 'ProvidedContextsListType')
-    RegionDisabledException = Shapes::StructureShape.new(name: 'RegionDisabledException', error: {"code"=>"RegionDisabledException", "httpStatusCode"=>403, "senderFault"=>true})
+    RegionDisabledException = Shapes::StructureShape.new(name: 'RegionDisabledException', error: {"code" => "RegionDisabledException", "httpStatusCode" => 403, "senderFault" => true})
     RootDurationSecondsType = Shapes::IntegerShape.new(name: 'RootDurationSecondsType')
     SAMLAssertionType = Shapes::StringShape.new(name: 'SAMLAssertionType')
+    SessionDurationEscalationException = Shapes::StructureShape.new(name: 'SessionDurationEscalationException', error: {"code" => "SessionDurationEscalationException", "httpStatusCode" => 403, "senderFault" => true})
     Subject = Shapes::StringShape.new(name: 'Subject')
     SubjectType = Shapes::StringShape.new(name: 'SubjectType')
     Tag = Shapes::StructureShape.new(name: 'Tag')
@@ -67,20 +75,25 @@ module Aws::STS
     durationSecondsType = Shapes::IntegerShape.new(name: 'durationSecondsType')
     encodedMessageType = Shapes::StringShape.new(name: 'encodedMessageType')
     expiredIdentityTokenMessage = Shapes::StringShape.new(name: 'expiredIdentityTokenMessage')
+    expiredTradeInTokenExceptionMessage = Shapes::StringShape.new(name: 'expiredTradeInTokenExceptionMessage')
     externalIdType = Shapes::StringShape.new(name: 'externalIdType')
     federatedIdType = Shapes::StringShape.new(name: 'federatedIdType')
     idpCommunicationErrorMessage = Shapes::StringShape.new(name: 'idpCommunicationErrorMessage')
     idpRejectedClaimMessage = Shapes::StringShape.new(name: 'idpRejectedClaimMessage')
     invalidAuthorizationMessage = Shapes::StringShape.new(name: 'invalidAuthorizationMessage')
     invalidIdentityTokenMessage = Shapes::StringShape.new(name: 'invalidIdentityTokenMessage')
+    jwtAlgorithmType = Shapes::StringShape.new(name: 'jwtAlgorithmType')
+    jwtPayloadSizeExceededException = Shapes::StringShape.new(name: 'jwtPayloadSizeExceededException')
     malformedPolicyDocumentMessage = Shapes::StringShape.new(name: 'malformedPolicyDocumentMessage')
     nonNegativeIntegerType = Shapes::IntegerShape.new(name: 'nonNegativeIntegerType')
+    outboundWebIdentityFederationDisabledException = Shapes::StringShape.new(name: 'outboundWebIdentityFederationDisabledException')
     packedPolicyTooLargeMessage = Shapes::StringShape.new(name: 'packedPolicyTooLargeMessage')
     policyDescriptorListType = Shapes::ListShape.new(name: 'policyDescriptorListType')
     regionDisabledMessage = Shapes::StringShape.new(name: 'regionDisabledMessage')
     roleDurationSecondsType = Shapes::IntegerShape.new(name: 'roleDurationSecondsType')
     roleSessionNameType = Shapes::StringShape.new(name: 'roleSessionNameType')
     serialNumberType = Shapes::StringShape.new(name: 'serialNumberType')
+    sessionDurationEscalationException = Shapes::StringShape.new(name: 'sessionDurationEscalationException')
     sessionPolicyDocumentType = Shapes::StringShape.new(name: 'sessionPolicyDocumentType')
     sourceIdentityType = Shapes::StringShape.new(name: 'sourceIdentityType')
     tagKeyListType = Shapes::ListShape.new(name: 'tagKeyListType')
@@ -89,11 +102,16 @@ module Aws::STS
     tagValueType = Shapes::StringShape.new(name: 'tagValueType')
     tokenCodeType = Shapes::StringShape.new(name: 'tokenCodeType')
     tokenType = Shapes::StringShape.new(name: 'tokenType')
+    tradeInTokenType = Shapes::StringShape.new(name: 'tradeInTokenType')
     unrestrictedSessionPolicyDocumentType = Shapes::StringShape.new(name: 'unrestrictedSessionPolicyDocumentType')
     urlType = Shapes::StringShape.new(name: 'urlType')
     userIdType = Shapes::StringShape.new(name: 'userIdType')
     userNameType = Shapes::StringShape.new(name: 'userNameType')
     webIdentitySubjectType = Shapes::StringShape.new(name: 'webIdentitySubjectType')
+    webIdentityTokenAudienceListType = Shapes::ListShape.new(name: 'webIdentityTokenAudienceListType')
+    webIdentityTokenAudienceStringType = Shapes::StringShape.new(name: 'webIdentityTokenAudienceStringType')
+    webIdentityTokenDurationSecondsType = Shapes::IntegerShape.new(name: 'webIdentityTokenDurationSecondsType')
+    webIdentityTokenType = Shapes::StringShape.new(name: 'webIdentityTokenType')
 
     AssumeRoleRequest.add_member(:role_arn, Shapes::ShapeRef.new(shape: arnType, required: true, location_name: "RoleArn"))
     AssumeRoleRequest.add_member(:role_session_name, Shapes::ShapeRef.new(shape: roleSessionNameType, required: true, location_name: "RoleSessionName"))
@@ -180,6 +198,9 @@ module Aws::STS
     ExpiredTokenException.add_member(:message, Shapes::ShapeRef.new(shape: expiredIdentityTokenMessage, location_name: "message"))
     ExpiredTokenException.struct_class = Types::ExpiredTokenException
 
+    ExpiredTradeInTokenException.add_member(:message, Shapes::ShapeRef.new(shape: expiredTradeInTokenExceptionMessage, location_name: "message"))
+    ExpiredTradeInTokenException.struct_class = Types::ExpiredTradeInTokenException
+
     FederatedUser.add_member(:federated_user_id, Shapes::ShapeRef.new(shape: federatedIdType, required: true, location_name: "FederatedUserId"))
     FederatedUser.add_member(:arn, Shapes::ShapeRef.new(shape: arnType, required: true, location_name: "Arn"))
     FederatedUser.struct_class = Types::FederatedUser
@@ -197,6 +218,14 @@ module Aws::STS
     GetCallerIdentityResponse.add_member(:arn, Shapes::ShapeRef.new(shape: arnType, location_name: "Arn"))
     GetCallerIdentityResponse.struct_class = Types::GetCallerIdentityResponse
 
+    GetDelegatedAccessTokenRequest.add_member(:trade_in_token, Shapes::ShapeRef.new(shape: tradeInTokenType, required: true, location_name: "TradeInToken"))
+    GetDelegatedAccessTokenRequest.struct_class = Types::GetDelegatedAccessTokenRequest
+
+    GetDelegatedAccessTokenResponse.add_member(:credentials, Shapes::ShapeRef.new(shape: Credentials, location_name: "Credentials"))
+    GetDelegatedAccessTokenResponse.add_member(:packed_policy_size, Shapes::ShapeRef.new(shape: nonNegativeIntegerType, location_name: "PackedPolicySize"))
+    GetDelegatedAccessTokenResponse.add_member(:assumed_principal, Shapes::ShapeRef.new(shape: arnType, location_name: "AssumedPrincipal"))
+    GetDelegatedAccessTokenResponse.struct_class = Types::GetDelegatedAccessTokenResponse
+
     GetFederationTokenRequest.add_member(:name, Shapes::ShapeRef.new(shape: userNameType, required: true, location_name: "Name"))
     GetFederationTokenRequest.add_member(:policy, Shapes::ShapeRef.new(shape: sessionPolicyDocumentType, location_name: "Policy"))
     GetFederationTokenRequest.add_member(:policy_arns, Shapes::ShapeRef.new(shape: policyDescriptorListType, location_name: "PolicyArns"))
@@ -217,6 +246,16 @@ module Aws::STS
     GetSessionTokenResponse.add_member(:credentials, Shapes::ShapeRef.new(shape: Credentials, location_name: "Credentials"))
     GetSessionTokenResponse.struct_class = Types::GetSessionTokenResponse
 
+    GetWebIdentityTokenRequest.add_member(:audience, Shapes::ShapeRef.new(shape: webIdentityTokenAudienceListType, required: true, location_name: "Audience"))
+    GetWebIdentityTokenRequest.add_member(:duration_seconds, Shapes::ShapeRef.new(shape: webIdentityTokenDurationSecondsType, location_name: "DurationSeconds"))
+    GetWebIdentityTokenRequest.add_member(:signing_algorithm, Shapes::ShapeRef.new(shape: jwtAlgorithmType, required: true, location_name: "SigningAlgorithm"))
+    GetWebIdentityTokenRequest.add_member(:tags, Shapes::ShapeRef.new(shape: tagListType, location_name: "Tags"))
+    GetWebIdentityTokenRequest.struct_class = Types::GetWebIdentityTokenRequest
+
+    GetWebIdentityTokenResponse.add_member(:web_identity_token, Shapes::ShapeRef.new(shape: webIdentityTokenType, location_name: "WebIdentityToken"))
+    GetWebIdentityTokenResponse.add_member(:expiration, Shapes::ShapeRef.new(shape: dateType, location_name: "Expiration"))
+    GetWebIdentityTokenResponse.struct_class = Types::GetWebIdentityTokenResponse
+
     IDPCommunicationErrorException.add_member(:message, Shapes::ShapeRef.new(shape: idpCommunicationErrorMessage, location_name: "message"))
     IDPCommunicationErrorException.struct_class = Types::IDPCommunicationErrorException
 
@@ -229,9 +268,15 @@ module Aws::STS
     InvalidIdentityTokenException.add_member(:message, Shapes::ShapeRef.new(shape: invalidIdentityTokenMessage, location_name: "message"))
     InvalidIdentityTokenException.struct_class = Types::InvalidIdentityTokenException
 
+    JWTPayloadSizeExceededException.add_member(:message, Shapes::ShapeRef.new(shape: jwtPayloadSizeExceededException, location_name: "message"))
+    JWTPayloadSizeExceededException.struct_class = Types::JWTPayloadSizeExceededException
+
     MalformedPolicyDocumentException.add_member(:message, Shapes::ShapeRef.new(shape: malformedPolicyDocumentMessage, location_name: "message"))
     MalformedPolicyDocumentException.struct_class = Types::MalformedPolicyDocumentException
 
+    OutboundWebIdentityFederationDisabledException.add_member(:message, Shapes::ShapeRef.new(shape: outboundWebIdentityFederationDisabledException, location_name: "message"))
+    OutboundWebIdentityFederationDisabledException.struct_class = Types::OutboundWebIdentityFederationDisabledException
+
     PackedPolicyTooLargeException.add_member(:message, Shapes::ShapeRef.new(shape: packedPolicyTooLargeMessage, location_name: "message"))
     PackedPolicyTooLargeException.struct_class = Types::PackedPolicyTooLargeException
 
@@ -247,6 +292,9 @@ module Aws::STS
     RegionDisabledException.add_member(:message, Shapes::ShapeRef.new(shape: regionDisabledMessage, location_name: "message"))
     RegionDisabledException.struct_class = Types::RegionDisabledException
 
+    SessionDurationEscalationException.add_member(:message, Shapes::ShapeRef.new(shape: sessionDurationEscalationException, location_name: "message"))
+    SessionDurationEscalationException.struct_class = Types::SessionDurationEscalationException
+
     Tag.add_member(:key, Shapes::ShapeRef.new(shape: tagKeyType, required: true, location_name: "Key"))
     Tag.add_member(:value, Shapes::ShapeRef.new(shape: tagValueType, required: true, location_name: "Value"))
     Tag.struct_class = Types::Tag
@@ -257,6 +305,8 @@ module Aws::STS
 
     tagListType.member = Shapes::ShapeRef.new(shape: Tag)
 
+    webIdentityTokenAudienceListType.member = Shapes::ShapeRef.new(shape: webIdentityTokenAudienceStringType)
+
 
     # @api private
     API = Seahorse::Model::Api.new.tap do |api|
@@ -294,6 +344,7 @@ module Aws::STS
         o.name = "AssumeRoleWithSAML"
         o.http_method = "POST"
         o.http_request_uri = "/"
+        o['authtype'] = "none"
         o['auth'] = ["smithy.api#noAuth"]
         o.input = Shapes::ShapeRef.new(shape: AssumeRoleWithSAMLRequest)
         o.output = Shapes::ShapeRef.new(shape: AssumeRoleWithSAMLResponse)
@@ -309,6 +360,7 @@ module Aws::STS
         o.name = "AssumeRoleWithWebIdentity"
         o.http_method = "POST"
         o.http_request_uri = "/"
+        o['authtype'] = "none"
         o['auth'] = ["smithy.api#noAuth"]
         o.input = Shapes::ShapeRef.new(shape: AssumeRoleWithWebIdentityRequest)
         o.output = Shapes::ShapeRef.new(shape: AssumeRoleWithWebIdentityResponse)
@@ -356,6 +408,17 @@ module Aws::STS
         o.output = Shapes::ShapeRef.new(shape: GetCallerIdentityResponse)
       end)
 
+      api.add_operation(:get_delegated_access_token, Seahorse::Model::Operation.new.tap do |o|
+        o.name = "GetDelegatedAccessToken"
+        o.http_method = "POST"
+        o.http_request_uri = "/"
+        o.input = Shapes::ShapeRef.new(shape: GetDelegatedAccessTokenRequest)
+        o.output = Shapes::ShapeRef.new(shape: GetDelegatedAccessTokenResponse)
+        o.errors << Shapes::ShapeRef.new(shape: ExpiredTradeInTokenException)
+        o.errors << Shapes::ShapeRef.new(shape: RegionDisabledException)
+        o.errors << Shapes::ShapeRef.new(shape: PackedPolicyTooLargeException)
+      end)
+
       api.add_operation(:get_federation_token, Seahorse::Model::Operation.new.tap do |o|
         o.name = "GetFederationToken"
         o.http_method = "POST"
@@ -375,6 +438,17 @@ module Aws::STS
         o.output = Shapes::ShapeRef.new(shape: GetSessionTokenResponse)
         o.errors << Shapes::ShapeRef.new(shape: RegionDisabledException)
       end)
+
+      api.add_operation(:get_web_identity_token, Seahorse::Model::Operation.new.tap do |o|
+        o.name = "GetWebIdentityToken"
+        o.http_method = "POST"
+        o.http_request_uri = "/"
+        o.input = Shapes::ShapeRef.new(shape: GetWebIdentityTokenRequest)
+        o.output = Shapes::ShapeRef.new(shape: GetWebIdentityTokenResponse)
+        o.errors << Shapes::ShapeRef.new(shape: SessionDurationEscalationException)
+        o.errors << Shapes::ShapeRef.new(shape: OutboundWebIdentityFederationDisabledException)
+        o.errors << Shapes::ShapeRef.new(shape: JWTPayloadSizeExceededException)
+      end)
     end
 
   end

data/lib/aws-sdk-sts/customizations.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-# utility classes
 module Aws
   module STS
     autoload :Presigner, 'aws-sdk-sts/presigner'

data/lib/aws-sdk-sts/endpoint_parameters.rb

@@ -13,27 +13,27 @@ module Aws::STS
   # @!attribute region
   #   The AWS region used to dispatch the request.
   #
-  #   @return [String]
+  #   @return [string]
   #
   # @!attribute use_dual_stack
   #   When true, use the dual-stack endpoint. If the configured endpoint does not support dual-stack, dispatching the request MAY return an error.
   #
-  #   @return [Boolean]
+  #   @return [boolean]
   #
   # @!attribute use_fips
   #   When true, send this request to the FIPS-compliant regional endpoint. If the configured endpoint does not have a FIPS compliant endpoint, dispatching the request will return an error.
   #
-  #   @return [Boolean]
+  #   @return [boolean]
   #
   # @!attribute endpoint
   #   Override the endpoint used to send this request
   #
-  #   @return [String]
+  #   @return [string]
   #
   # @!attribute use_global_endpoint
   #   Whether the global endpoint should be used, rather then the regional endpoint for us-east-1.
   #
-  #   @return [Boolean]
+  #   @return [boolean]
   #
   EndpointParameters = Struct.new(
     :region,