aws-sdk-core 3.237.0 → 3.238.0

data/lib/aws-sdk-signin/types.rb

@@ -0,0 +1,299 @@
+# frozen_string_literal: true
+
+# WARNING ABOUT GENERATED CODE
+#
+# This file is generated. See the contributing guide for more information:
+# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
+#
+# WARNING ABOUT GENERATED CODE
+
+module Aws::Signin
+  module Types
+
+    # Error thrown for access denied scenarios with flexible HTTP status
+    # mapping
+    #
+    # Runtime HTTP Status Code Mapping:
+    #
+    # * HTTP 401 (Unauthorized): TOKEN\_EXPIRED, AUTHCODE\_EXPIRED
+    # * HTTP 403 (Forbidden): USER\_CREDENTIALS\_CHANGED,
+    #   INSUFFICIENT\_PERMISSIONS
+    #
+    # The specific HTTP status code is determined at runtime based on the
+    # error enum value. Consumers should use the error field to determine
+    # the specific access denial reason.
+    #
+    # @!attribute [rw] error
+    #   OAuth 2.0 error code indicating the specific type of access denial
+    #   Can be TOKEN\_EXPIRED, AUTHCODE\_EXPIRED,
+    #   USER\_CREDENTIALS\_CHANGED, or INSUFFICIENT\_PERMISSIONS
+    #   @return [String]
+    #
+    # @!attribute [rw] message
+    #   Detailed message explaining the access denial Provides specific
+    #   information about why access was denied
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/signin-2023-01-01/AccessDeniedException AWS API Documentation
+    #
+    class AccessDeniedException < Struct.new(
+      :error,
+      :message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # AWS credentials structure containing temporary access credentials
+    #
+    # The scoped-down, 15 minute duration AWS credentials. Scoping down will
+    # be based on CLI policy (CLI team needs to create it). Similar to cloud
+    # shell implementation.
+    #
+    # @!attribute [rw] access_key_id
+    #   AWS access key ID for temporary credentials
+    #   @return [String]
+    #
+    # @!attribute [rw] secret_access_key
+    #   AWS secret access key for temporary credentials
+    #   @return [String]
+    #
+    # @!attribute [rw] session_token
+    #   AWS session token for temporary credentials
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/signin-2023-01-01/AccessToken AWS API Documentation
+    #
+    class AccessToken < Struct.new(
+      :access_key_id,
+      :secret_access_key,
+      :session_token)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Input structure for CreateOAuth2Token operation
+    #
+    # Contains flattened token operation inputs for both authorization code
+    # and refresh token flows. The operation type is determined by the
+    # grant\_type parameter in the request body.
+    #
+    # @!attribute [rw] token_input
+    #   Flattened token operation inputs The specific operation is
+    #   determined by grant\_type in the request body
+    #   @return [Types::CreateOAuth2TokenRequestBody]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/signin-2023-01-01/CreateOAuth2TokenRequest AWS API Documentation
+    #
+    class CreateOAuth2TokenRequest < Struct.new(
+      :token_input)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Request body payload for CreateOAuth2Token operation
+    #
+    # The operation type is determined by the grant\_type parameter:
+    #
+    # * grant\_type=authorization\_code: Requires code, redirect\_uri,
+    #   code\_verifier
+    # * grant\_type=refresh\_token: Requires refresh\_token
+    #
+    # @!attribute [rw] client_id
+    #   The client identifier (ARN) used during Sign-In onboarding Required
+    #   for both authorization code and refresh token flows
+    #   @return [String]
+    #
+    # @!attribute [rw] grant_type
+    #   OAuth 2.0 grant type - determines which flow is used Must be
+    #   "authorization\_code" or "refresh\_token"
+    #   @return [String]
+    #
+    # @!attribute [rw] code
+    #   The authorization code received from /v1/authorize Required only
+    #   when grant\_type=authorization\_code
+    #   @return [String]
+    #
+    # @!attribute [rw] redirect_uri
+    #   The redirect URI that must match the original authorization request
+    #   Required only when grant\_type=authorization\_code
+    #   @return [String]
+    #
+    # @!attribute [rw] code_verifier
+    #   PKCE code verifier to prove possession of the original code
+    #   challenge Required only when grant\_type=authorization\_code
+    #   @return [String]
+    #
+    # @!attribute [rw] refresh_token
+    #   The refresh token returned from auth\_code redemption Required only
+    #   when grant\_type=refresh\_token
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/signin-2023-01-01/CreateOAuth2TokenRequestBody AWS API Documentation
+    #
+    class CreateOAuth2TokenRequestBody < Struct.new(
+      :client_id,
+      :grant_type,
+      :code,
+      :redirect_uri,
+      :code_verifier,
+      :refresh_token)
+      SENSITIVE = [:refresh_token]
+      include Aws::Structure
+    end
+
+    # Output structure for CreateOAuth2Token operation
+    #
+    # Contains flattened token operation outputs for both authorization code
+    # and refresh token flows. The response content depends on the
+    # grant\_type from the original request.
+    #
+    # @!attribute [rw] token_output
+    #   Flattened token operation outputs The specific response fields
+    #   depend on the grant\_type used in the request
+    #   @return [Types::CreateOAuth2TokenResponseBody]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/signin-2023-01-01/CreateOAuth2TokenResponse AWS API Documentation
+    #
+    class CreateOAuth2TokenResponse < Struct.new(
+      :token_output)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Response body payload for CreateOAuth2Token operation
+    #
+    # The response content depends on the grant\_type from the request:
+    #
+    # * grant\_type=authorization\_code: Returns all fields including
+    #   refresh\_token and id\_token
+    # * grant\_type=refresh\_token: Returns access\_token, token\_type,
+    #   expires\_in, refresh\_token (no id\_token)
+    #
+    # @!attribute [rw] access_token
+    #   Scoped-down AWS credentials (15 minute duration) Present for both
+    #   authorization code redemption and token refresh
+    #   @return [Types::AccessToken]
+    #
+    # @!attribute [rw] token_type
+    #   Token type indicating this is AWS SigV4 credentials Value is
+    #   "aws\_sigv4" for both flows
+    #   @return [String]
+    #
+    # @!attribute [rw] expires_in
+    #   Time to expiry in seconds (maximum 900) Present for both
+    #   authorization code redemption and token refresh
+    #   @return [Integer]
+    #
+    # @!attribute [rw] refresh_token
+    #   Encrypted refresh token with cnf.jkt (SHA-256 thumbprint of
+    #   presented jwk) Always present in responses (required for both flows)
+    #   @return [String]
+    #
+    # @!attribute [rw] id_token
+    #   ID token containing user identity information Present only in
+    #   authorization code redemption response
+    #   (grant\_type=authorization\_code) Not included in token refresh
+    #   responses
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/signin-2023-01-01/CreateOAuth2TokenResponseBody AWS API Documentation
+    #
+    class CreateOAuth2TokenResponseBody < Struct.new(
+      :access_token,
+      :token_type,
+      :expires_in,
+      :refresh_token,
+      :id_token)
+      SENSITIVE = [:access_token, :refresh_token]
+      include Aws::Structure
+    end
+
+    # Error thrown when an internal server error occurs
+    #
+    # HTTP Status Code: 500 Internal Server Error
+    #
+    # Used for unexpected server-side errors that prevent request
+    # processing.
+    #
+    # @!attribute [rw] error
+    #   OAuth 2.0 error code indicating server error Will be SERVER\_ERROR
+    #   for internal server errors
+    #   @return [String]
+    #
+    # @!attribute [rw] message
+    #   Detailed message explaining the server error May include error
+    #   details for debugging purposes
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/signin-2023-01-01/InternalServerException AWS API Documentation
+    #
+    class InternalServerException < Struct.new(
+      :error,
+      :message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Error thrown when rate limit is exceeded
+    #
+    # HTTP Status Code: 429 Too Many Requests
+    #
+    # Possible OAuth2ErrorCode values:
+    #
+    # * INVALID\_REQUEST: Rate limiting, too many requests, abuse prevention
+    #
+    # Possible causes:
+    #
+    # * Too many token requests from the same client
+    # * Rate limiting based on client\_id or IP address
+    # * Abuse prevention mechanisms triggered
+    # * Service protection against excessive token generation
+    #
+    # @!attribute [rw] error
+    #   OAuth 2.0 error code indicating the specific type of error Will be
+    #   INVALID\_REQUEST for rate limiting scenarios
+    #   @return [String]
+    #
+    # @!attribute [rw] message
+    #   Detailed message about the rate limiting May include retry-after
+    #   information or rate limit details
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/signin-2023-01-01/TooManyRequestsError AWS API Documentation
+    #
+    class TooManyRequestsError < Struct.new(
+      :error,
+      :message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Error thrown when request validation fails
+    #
+    # HTTP Status Code: 400 Bad Request
+    #
+    # Used for request validation errors such as malformed parameters,
+    # missing required fields, or invalid parameter values.
+    #
+    # @!attribute [rw] error
+    #   OAuth 2.0 error code indicating validation failure Will be
+    #   INVALID\_REQUEST for validation errors
+    #   @return [String]
+    #
+    # @!attribute [rw] message
+    #   Detailed message explaining the validation failure Provides specific
+    #   information about which validation failed
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/signin-2023-01-01/ValidationException AWS API Documentation
+    #
+    class ValidationException < Struct.new(
+      :error,
+      :message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+  end
+end
+

data/lib/aws-sdk-signin.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+# WARNING ABOUT GENERATED CODE
+#
+# This file is generated. See the contributing guide for more information:
+# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
+#
+# WARNING ABOUT GENERATED CODE
+
+
+unless Module.const_defined?(:Aws)
+  require 'aws-sdk-core'
+  require 'aws-sigv4'
+end
+
+Aws::Plugins::GlobalConfiguration.add_identifier(:signin)
+
+# This module provides support for AWS Sign-In Service. This module is available in the
+# `aws-sdk-signin` gem.
+#
+# # Client
+#
+# The {Client} class provides one method for each API operation. Operation
+# methods each accept a hash of request parameters and return a response
+# structure.
+#
+#     signin = Aws::Signin::Client.new
+#     resp = signin.create_o_auth_2_token(params)
+#
+# See {Client} for more information.
+#
+# # Errors
+#
+# Errors returned from AWS Sign-In Service are defined in the
+# {Errors} module and all extend {Errors::ServiceError}.
+#
+#     begin
+#       # do stuff
+#     rescue Aws::Signin::Errors::ServiceError
+#       # rescues all AWS Sign-In Service API errors
+#     end
+#
+# See {Errors} for more information.
+#
+# @!group service
+module Aws::Signin
+  autoload :Types, 'aws-sdk-signin/types'
+  autoload :ClientApi, 'aws-sdk-signin/client_api'
+  module Plugins
+    autoload :Endpoints, 'aws-sdk-signin/plugins/endpoints.rb'
+  end
+  autoload :Client, 'aws-sdk-signin/client'
+  autoload :Errors, 'aws-sdk-signin/errors'
+  autoload :Resource, 'aws-sdk-signin/resource'
+  autoload :EndpointParameters, 'aws-sdk-signin/endpoint_parameters'
+  autoload :EndpointProvider, 'aws-sdk-signin/endpoint_provider'
+  autoload :Endpoints, 'aws-sdk-signin/endpoints'
+
+  GEM_VERSION = '1.0.0'
+
+end
+
+require_relative 'aws-sdk-signin/customizations'

data/lib/aws-sdk-sso/client.rb

@@ -698,7 +698,7 @@ module Aws::SSO
         tracer: tracer
       )
       context[:gem_name] = 'aws-sdk-core'
-      context[:gem_version] = '3.237.0'
+      context[:gem_version] = '3.238.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-sso.rb

@@ -56,7 +56,7 @@ module Aws::SSO
   autoload :EndpointProvider, 'aws-sdk-sso/endpoint_provider'
   autoload :Endpoints, 'aws-sdk-sso/endpoints'
 
-  GEM_VERSION = '3.237.0'
+  GEM_VERSION = '3.238.0'
 
 end
 

data/lib/aws-sdk-ssooidc/client.rb

@@ -1081,7 +1081,7 @@ module Aws::SSOOIDC
         tracer: tracer
       )
       context[:gem_name] = 'aws-sdk-core'
-      context[:gem_version] = '3.237.0'
+      context[:gem_version] = '3.238.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-ssooidc.rb

@@ -56,7 +56,7 @@ module Aws::SSOOIDC
   autoload :EndpointProvider, 'aws-sdk-ssooidc/endpoint_provider'
   autoload :Endpoints, 'aws-sdk-ssooidc/endpoints'
 
-  GEM_VERSION = '3.237.0'
+  GEM_VERSION = '3.238.0'
 
 end
 

data/lib/aws-sdk-sts/client.rb

@@ -2097,9 +2097,15 @@ module Aws::STS
       req.send_request(options)
     end
 
-    # This API is currently unavailable for general use.
+    # Exchanges a trade-in token for temporary Amazon Web Services
+    # credentials with the permissions associated with the assumed
+    # principal. This operation allows you to obtain credentials for a
+    # specific principal based on a trade-in token, enabling delegation of
+    # access to Amazon Web Services resources.
     #
     # @option params [required, String] :trade_in_token
+    #   The token to exchange for temporary Amazon Web Services credentials.
+    #   This token must be valid and unexpired at the time of the request.
     #
     # @return [Types::GetDelegatedAccessTokenResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -2636,6 +2642,71 @@ module Aws::STS
       req.send_request(options)
     end
 
+    # Returns a signed JSON Web Token (JWT) that represents the calling
+    # Amazon Web Services identity. The returned JWT can be used to
+    # authenticate with external services that support OIDC discovery. The
+    # token is signed by Amazon Web Services STS and can be publicly
+    # verified using the verification keys published at the issuer's JWKS
+    # endpoint.
+    #
+    # @option params [required, Array<String>] :audience
+    #   The intended recipient of the web identity token. This value populates
+    #   the `aud` claim in the JWT and should identify the service or
+    #   application that will validate and use the token. The external service
+    #   should verify this claim to ensure the token was intended for their
+    #   use.
+    #
+    # @option params [Integer] :duration_seconds
+    #   The duration, in seconds, for which the JSON Web Token (JWT) will
+    #   remain valid. The value can range from 60 seconds (1 minute) to 3600
+    #   seconds (1 hour). If not specified, the default duration is 300
+    #   seconds (5 minutes). The token is designed to be short-lived and
+    #   should be used for proof of identity, then exchanged for credentials
+    #   or short-lived tokens in the external service.
+    #
+    # @option params [required, String] :signing_algorithm
+    #   The cryptographic algorithm to use for signing the JSON Web Token
+    #   (JWT). Valid values are RS256 (RSA with SHA-256) and ES384 (ECDSA
+    #   using P-384 curve with SHA-384).
+    #
+    # @option params [Array<Types::Tag>] :tags
+    #   An optional list of tags to include in the JSON Web Token (JWT). These
+    #   tags are added as custom claims to the JWT and can be used by the
+    #   downstream service for authorization decisions.
+    #
+    # @return [Types::GetWebIdentityTokenResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::GetWebIdentityTokenResponse#web_identity_token #web_identity_token} => String
+    #   * {Types::GetWebIdentityTokenResponse#expiration #expiration} => Time
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.get_web_identity_token({
+    #     audience: ["webIdentityTokenAudienceStringType"], # required
+    #     duration_seconds: 1,
+    #     signing_algorithm: "jwtAlgorithmType", # required
+    #     tags: [
+    #       {
+    #         key: "tagKeyType", # required
+    #         value: "tagValueType", # required
+    #       },
+    #     ],
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.web_identity_token #=> String
+    #   resp.expiration #=> Time
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetWebIdentityToken AWS API Documentation
+    #
+    # @overload get_web_identity_token(params = {})
+    # @param [Hash] params ({})
+    def get_web_identity_token(params = {}, options = {})
+      req = build_request(:get_web_identity_token, params)
+      req.send_request(options)
+    end
+
     # @!endgroup
 
     # @param params ({})
@@ -2654,7 +2725,7 @@ module Aws::STS
         tracer: tracer
       )
       context[:gem_name] = 'aws-sdk-core'
-      context[:gem_version] = '3.237.0'
+      context[:gem_version] = '3.238.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-sts/client_api.rb

@@ -40,13 +40,17 @@ module Aws::STS
     GetFederationTokenResponse = Shapes::StructureShape.new(name: 'GetFederationTokenResponse')
     GetSessionTokenRequest = Shapes::StructureShape.new(name: 'GetSessionTokenRequest')
     GetSessionTokenResponse = Shapes::StructureShape.new(name: 'GetSessionTokenResponse')
+    GetWebIdentityTokenRequest = Shapes::StructureShape.new(name: 'GetWebIdentityTokenRequest')
+    GetWebIdentityTokenResponse = Shapes::StructureShape.new(name: 'GetWebIdentityTokenResponse')
     IDPCommunicationErrorException = Shapes::StructureShape.new(name: 'IDPCommunicationErrorException', error: {"code" => "IDPCommunicationError", "httpStatusCode" => 400, "senderFault" => true})
     IDPRejectedClaimException = Shapes::StructureShape.new(name: 'IDPRejectedClaimException', error: {"code" => "IDPRejectedClaim", "httpStatusCode" => 403, "senderFault" => true})
     InvalidAuthorizationMessageException = Shapes::StructureShape.new(name: 'InvalidAuthorizationMessageException', error: {"code" => "InvalidAuthorizationMessageException", "httpStatusCode" => 400, "senderFault" => true})
     InvalidIdentityTokenException = Shapes::StructureShape.new(name: 'InvalidIdentityTokenException', error: {"code" => "InvalidIdentityToken", "httpStatusCode" => 400, "senderFault" => true})
     Issuer = Shapes::StringShape.new(name: 'Issuer')
+    JWTPayloadSizeExceededException = Shapes::StructureShape.new(name: 'JWTPayloadSizeExceededException', error: {"code" => "JWTPayloadSizeExceededException", "httpStatusCode" => 400, "senderFault" => true})
     MalformedPolicyDocumentException = Shapes::StructureShape.new(name: 'MalformedPolicyDocumentException', error: {"code" => "MalformedPolicyDocument", "httpStatusCode" => 400, "senderFault" => true})
     NameQualifier = Shapes::StringShape.new(name: 'NameQualifier')
+    OutboundWebIdentityFederationDisabledException = Shapes::StructureShape.new(name: 'OutboundWebIdentityFederationDisabledException', error: {"code" => "OutboundWebIdentityFederationDisabledException", "httpStatusCode" => 403, "senderFault" => true})
     PackedPolicyTooLargeException = Shapes::StructureShape.new(name: 'PackedPolicyTooLargeException', error: {"code" => "PackedPolicyTooLarge", "httpStatusCode" => 400, "senderFault" => true})
     PolicyDescriptorType = Shapes::StructureShape.new(name: 'PolicyDescriptorType')
     ProvidedContext = Shapes::StructureShape.new(name: 'ProvidedContext')
@@ -54,6 +58,7 @@ module Aws::STS
     RegionDisabledException = Shapes::StructureShape.new(name: 'RegionDisabledException', error: {"code" => "RegionDisabledException", "httpStatusCode" => 403, "senderFault" => true})
     RootDurationSecondsType = Shapes::IntegerShape.new(name: 'RootDurationSecondsType')
     SAMLAssertionType = Shapes::StringShape.new(name: 'SAMLAssertionType')
+    SessionDurationEscalationException = Shapes::StructureShape.new(name: 'SessionDurationEscalationException', error: {"code" => "SessionDurationEscalationException", "httpStatusCode" => 403, "senderFault" => true})
     Subject = Shapes::StringShape.new(name: 'Subject')
     SubjectType = Shapes::StringShape.new(name: 'SubjectType')
     Tag = Shapes::StructureShape.new(name: 'Tag')
@@ -77,14 +82,18 @@ module Aws::STS
     idpRejectedClaimMessage = Shapes::StringShape.new(name: 'idpRejectedClaimMessage')
     invalidAuthorizationMessage = Shapes::StringShape.new(name: 'invalidAuthorizationMessage')
     invalidIdentityTokenMessage = Shapes::StringShape.new(name: 'invalidIdentityTokenMessage')
+    jwtAlgorithmType = Shapes::StringShape.new(name: 'jwtAlgorithmType')
+    jwtPayloadSizeExceededException = Shapes::StringShape.new(name: 'jwtPayloadSizeExceededException')
     malformedPolicyDocumentMessage = Shapes::StringShape.new(name: 'malformedPolicyDocumentMessage')
     nonNegativeIntegerType = Shapes::IntegerShape.new(name: 'nonNegativeIntegerType')
+    outboundWebIdentityFederationDisabledException = Shapes::StringShape.new(name: 'outboundWebIdentityFederationDisabledException')
     packedPolicyTooLargeMessage = Shapes::StringShape.new(name: 'packedPolicyTooLargeMessage')
     policyDescriptorListType = Shapes::ListShape.new(name: 'policyDescriptorListType')
     regionDisabledMessage = Shapes::StringShape.new(name: 'regionDisabledMessage')
     roleDurationSecondsType = Shapes::IntegerShape.new(name: 'roleDurationSecondsType')
     roleSessionNameType = Shapes::StringShape.new(name: 'roleSessionNameType')
     serialNumberType = Shapes::StringShape.new(name: 'serialNumberType')
+    sessionDurationEscalationException = Shapes::StringShape.new(name: 'sessionDurationEscalationException')
     sessionPolicyDocumentType = Shapes::StringShape.new(name: 'sessionPolicyDocumentType')
     sourceIdentityType = Shapes::StringShape.new(name: 'sourceIdentityType')
     tagKeyListType = Shapes::ListShape.new(name: 'tagKeyListType')
@@ -99,6 +108,10 @@ module Aws::STS
     userIdType = Shapes::StringShape.new(name: 'userIdType')
     userNameType = Shapes::StringShape.new(name: 'userNameType')
     webIdentitySubjectType = Shapes::StringShape.new(name: 'webIdentitySubjectType')
+    webIdentityTokenAudienceListType = Shapes::ListShape.new(name: 'webIdentityTokenAudienceListType')
+    webIdentityTokenAudienceStringType = Shapes::StringShape.new(name: 'webIdentityTokenAudienceStringType')
+    webIdentityTokenDurationSecondsType = Shapes::IntegerShape.new(name: 'webIdentityTokenDurationSecondsType')
+    webIdentityTokenType = Shapes::StringShape.new(name: 'webIdentityTokenType')
 
     AssumeRoleRequest.add_member(:role_arn, Shapes::ShapeRef.new(shape: arnType, required: true, location_name: "RoleArn"))
     AssumeRoleRequest.add_member(:role_session_name, Shapes::ShapeRef.new(shape: roleSessionNameType, required: true, location_name: "RoleSessionName"))
@@ -233,6 +246,16 @@ module Aws::STS
     GetSessionTokenResponse.add_member(:credentials, Shapes::ShapeRef.new(shape: Credentials, location_name: "Credentials"))
     GetSessionTokenResponse.struct_class = Types::GetSessionTokenResponse
 
+    GetWebIdentityTokenRequest.add_member(:audience, Shapes::ShapeRef.new(shape: webIdentityTokenAudienceListType, required: true, location_name: "Audience"))
+    GetWebIdentityTokenRequest.add_member(:duration_seconds, Shapes::ShapeRef.new(shape: webIdentityTokenDurationSecondsType, location_name: "DurationSeconds"))
+    GetWebIdentityTokenRequest.add_member(:signing_algorithm, Shapes::ShapeRef.new(shape: jwtAlgorithmType, required: true, location_name: "SigningAlgorithm"))
+    GetWebIdentityTokenRequest.add_member(:tags, Shapes::ShapeRef.new(shape: tagListType, location_name: "Tags"))
+    GetWebIdentityTokenRequest.struct_class = Types::GetWebIdentityTokenRequest
+
+    GetWebIdentityTokenResponse.add_member(:web_identity_token, Shapes::ShapeRef.new(shape: webIdentityTokenType, location_name: "WebIdentityToken"))
+    GetWebIdentityTokenResponse.add_member(:expiration, Shapes::ShapeRef.new(shape: dateType, location_name: "Expiration"))
+    GetWebIdentityTokenResponse.struct_class = Types::GetWebIdentityTokenResponse
+
     IDPCommunicationErrorException.add_member(:message, Shapes::ShapeRef.new(shape: idpCommunicationErrorMessage, location_name: "message"))
     IDPCommunicationErrorException.struct_class = Types::IDPCommunicationErrorException
 
@@ -245,9 +268,15 @@ module Aws::STS
     InvalidIdentityTokenException.add_member(:message, Shapes::ShapeRef.new(shape: invalidIdentityTokenMessage, location_name: "message"))
     InvalidIdentityTokenException.struct_class = Types::InvalidIdentityTokenException
 
+    JWTPayloadSizeExceededException.add_member(:message, Shapes::ShapeRef.new(shape: jwtPayloadSizeExceededException, location_name: "message"))
+    JWTPayloadSizeExceededException.struct_class = Types::JWTPayloadSizeExceededException
+
     MalformedPolicyDocumentException.add_member(:message, Shapes::ShapeRef.new(shape: malformedPolicyDocumentMessage, location_name: "message"))
     MalformedPolicyDocumentException.struct_class = Types::MalformedPolicyDocumentException
 
+    OutboundWebIdentityFederationDisabledException.add_member(:message, Shapes::ShapeRef.new(shape: outboundWebIdentityFederationDisabledException, location_name: "message"))
+    OutboundWebIdentityFederationDisabledException.struct_class = Types::OutboundWebIdentityFederationDisabledException
+
     PackedPolicyTooLargeException.add_member(:message, Shapes::ShapeRef.new(shape: packedPolicyTooLargeMessage, location_name: "message"))
     PackedPolicyTooLargeException.struct_class = Types::PackedPolicyTooLargeException
 
@@ -263,6 +292,9 @@ module Aws::STS
     RegionDisabledException.add_member(:message, Shapes::ShapeRef.new(shape: regionDisabledMessage, location_name: "message"))
     RegionDisabledException.struct_class = Types::RegionDisabledException
 
+    SessionDurationEscalationException.add_member(:message, Shapes::ShapeRef.new(shape: sessionDurationEscalationException, location_name: "message"))
+    SessionDurationEscalationException.struct_class = Types::SessionDurationEscalationException
+
     Tag.add_member(:key, Shapes::ShapeRef.new(shape: tagKeyType, required: true, location_name: "Key"))
     Tag.add_member(:value, Shapes::ShapeRef.new(shape: tagValueType, required: true, location_name: "Value"))
     Tag.struct_class = Types::Tag
@@ -273,6 +305,8 @@ module Aws::STS
 
     tagListType.member = Shapes::ShapeRef.new(shape: Tag)
 
+    webIdentityTokenAudienceListType.member = Shapes::ShapeRef.new(shape: webIdentityTokenAudienceStringType)
+
 
     # @api private
     API = Seahorse::Model::Api.new.tap do |api|
@@ -382,6 +416,7 @@ module Aws::STS
         o.output = Shapes::ShapeRef.new(shape: GetDelegatedAccessTokenResponse)
         o.errors << Shapes::ShapeRef.new(shape: ExpiredTradeInTokenException)
         o.errors << Shapes::ShapeRef.new(shape: RegionDisabledException)
+        o.errors << Shapes::ShapeRef.new(shape: PackedPolicyTooLargeException)
       end)
 
       api.add_operation(:get_federation_token, Seahorse::Model::Operation.new.tap do |o|
@@ -403,6 +438,17 @@ module Aws::STS
         o.output = Shapes::ShapeRef.new(shape: GetSessionTokenResponse)
         o.errors << Shapes::ShapeRef.new(shape: RegionDisabledException)
       end)
+
+      api.add_operation(:get_web_identity_token, Seahorse::Model::Operation.new.tap do |o|
+        o.name = "GetWebIdentityToken"
+        o.http_method = "POST"
+        o.http_request_uri = "/"
+        o.input = Shapes::ShapeRef.new(shape: GetWebIdentityTokenRequest)
+        o.output = Shapes::ShapeRef.new(shape: GetWebIdentityTokenResponse)
+        o.errors << Shapes::ShapeRef.new(shape: SessionDurationEscalationException)
+        o.errors << Shapes::ShapeRef.new(shape: OutboundWebIdentityFederationDisabledException)
+        o.errors << Shapes::ShapeRef.new(shape: JWTPayloadSizeExceededException)
+      end)
     end
 
   end