aws-sdk-core 3.46.0 → 3.94.0

data/lib/aws-sdk-core/structure.rb

@@ -29,8 +29,7 @@ module Aws
     def to_h(obj = self)
       case obj
       when Struct
-        obj.members.each.with_object({}) do |member, hash|
-          value = obj[member]
+        obj.each_pair.with_object({}) do |(member, value), hash|
           hash[member] = to_hash(value) unless value.nil?
         end
       when Hash

data/lib/aws-sdk-core/stubbing/protocols/rest.rb

@@ -118,6 +118,25 @@ module Aws
 
         def encode_event(opts, rules, event_data, builder)
           event_ref = rules.shape.member(event_data.delete(:event_type))
+          explicit_payload = false
+          implicit_payload_members = {}
+          event_ref.shape.members.each do |name, ref|
+            if ref.eventpayload
+              explicit_payload = true
+            else
+              implicit_payload_members[name] = ref
+            end
+          end
+
+          if !explicit_payload && !implicit_payload_members.empty?
+            unless implicit_payload_members.size > 1
+              m_name, _ = implicit_payload_members.first
+              value = {}
+              value[m_name] = event_data[m_name]
+              opts[:payload] = StringIO.new(builder.new(event_ref).serialize(value))
+            end
+          end
+
           event_data.each do |k, v|
             member_ref = event_ref.shape.member(k)
             if member_ref.eventheader

data/lib/aws-sdk-core/stubbing/stub_data.rb

@@ -20,17 +20,26 @@ module Aws
       def remove_paging_tokens(stub)
         if @pager
           @pager.instance_variable_get("@tokens").keys.each do |path|
-            key = path.split(/\b/)[0]
-            stub[key] = nil
+            if divide = (path[' || '] || path[' or '])
+              path = path.split(divide)[0]
+            end
+            parts = path.split(/\b/)
+            # if nested struct/expression, EmptyStub auto-pop "string"
+            # currently not support remove "string" for nested/expression
+            # as it requires reverse JMESPATH search
+            stub[parts[0]] = nil if parts.size == 1
           end
           if more_results = @pager.instance_variable_get('@more_results')
-            stub[more_results] = false
+            parts = more_results.split(/\b/)
+            # if nested struct/expression, EmptyStub auto-pop false value
+            # no further work needed
+            stub[parts[0]] = false if parts.size == 1
           end
         end
       end
 
       def apply_data(data, stub)
-        ParamValidator.new(@rules, validate_required:false).validate!(data)
+        ParamValidator.new(@rules, validate_required: false, input: false).validate!(data)
         DataApplicator.new(@rules).apply_data(data, stub)
       end
     end

data/lib/aws-sdk-core/util.rb

@@ -52,6 +52,10 @@ module Aws
         end
       end
 
+      def monotonic_seconds
+        monotonic_milliseconds / 1000.0
+      end
+
       def str_2_bool(str)
         case str.to_s
         when "true" then true

data/lib/aws-sdk-core/waiters/waiter.rb

@@ -50,7 +50,7 @@ module Aws
       #
       # @yieldparam [Integer] attempts The number of attempts made.
       def before_attempt(&block)
-        @before_attempt << Proc.new
+        @before_attempt << block if block_given?
       end
 
       # Register a callback that is invoked after an attempt but before
@@ -81,7 +81,7 @@ module Aws
       # @yieldparam [Seahorse::Client::Response] response The response from
       #   the previous polling attempts.
       def before_wait(&block)
-        @before_wait << Proc.new
+        @before_wait << block if block_given?
       end
 
       # @option options [Client] :client

data/lib/aws-sdk-core/xml/error_handler.rb

@@ -18,20 +18,43 @@ module Aws
         if body.empty?
           code = http_status_error_code(context)
           message = ''
+          data = EmptyStructure.new
         else
-          code, message = extract_error(body, context)
+          code, message, data = extract_error(body, context)
         end
         errors_module = context.client.class.errors_module
-        errors_module.error_class(code).new(context, message)
+        error_class = errors_module.error_class(code).new(context, message, data)
+        error_class
       end
 
       def extract_error(body, context)
+        code = error_code(body, context)
         [
-          error_code(body, context),
+          code,
           error_message(body),
+          error_data(context, code)
         ]
       end
 
+      def error_data(context, code)
+        data = EmptyStructure.new
+        if error_rules = context.operation.errors
+          error_rules.each do |rule|
+            # for modeled shape with error trait
+            # match `code` in the error trait before
+            # match modeled shape name
+            error_shape_code = rule.shape['error']['code'] if rule.shape['error']
+            match = (code == error_shape_code || code == rule.shape.name)
+            if match && rule.shape.members.any?
+              data = Parser.new(rule).parse(context.http_response.body_contents)
+            end
+          end
+        end
+        data
+      rescue Xml::Parser::ParsingError
+        EmptyStructure.new
+      end
+
       def error_code(body, context)
         if matches = body.match(/<Code>(.+?)<\/Code>/)
           remove_prefix(unescape(matches[1]), context)

data/lib/aws-sdk-sts.rb

@@ -22,17 +22,20 @@ require_relative 'aws-sdk-sts/customizations'
 # methods each accept a hash of request parameters and return a response
 # structure.
 #
+#     sts = Aws::STS::Client.new
+#     resp = sts.assume_role(params)
+#
 # See {Client} for more information.
 #
 # # Errors
 #
-# Errors returned from AWS Security Token Service all
-# extend {Errors::ServiceError}.
+# Errors returned from AWS Security Token Service are defined in the
+# {Errors} module and all extend {Errors::ServiceError}.
 #
 #     begin
 #       # do stuff
 #     rescue Aws::STS::Errors::ServiceError
-#       # rescues all service API errors
+#       # rescues all AWS Security Token Service API errors
 #     end
 #
 # See {Errors} for more information.
@@ -40,6 +43,6 @@ require_relative 'aws-sdk-sts/customizations'
 # @service
 module Aws::STS
 
-  GEM_VERSION = '3.46.0'
+  GEM_VERSION = '3.94.0'
 
 end

data/lib/aws-sdk-sts/client.rb

@@ -23,12 +23,26 @@ require 'aws-sdk-core/plugins/idempotency_token.rb'
 require 'aws-sdk-core/plugins/jsonvalue_converter.rb'
 require 'aws-sdk-core/plugins/client_metrics_plugin.rb'
 require 'aws-sdk-core/plugins/client_metrics_send_plugin.rb'
+require 'aws-sdk-core/plugins/transfer_encoding.rb'
 require 'aws-sdk-core/plugins/signature_v4.rb'
 require 'aws-sdk-core/plugins/protocols/query.rb'
+require 'aws-sdk-sts/plugins/sts_regional_endpoints.rb'
 
 Aws::Plugins::GlobalConfiguration.add_identifier(:sts)
 
 module Aws::STS
+  # An API client for STS.  To construct a client, you need to configure a `:region` and `:credentials`.
+  #
+  #     client = Aws::STS::Client.new(
+  #       region: region_name,
+  #       credentials: credentials,
+  #       # ...
+  #     )
+  #
+  # For details on configuring region and credentials see
+  # the [developer guide](/sdk-for-ruby/v3/developer-guide/setup-config.html).
+  #
+  # See {#initialize} for a full list of supported configuration options.
   class Client < Seahorse::Client::Base
 
     include Aws::ClientStubs
@@ -55,8 +69,10 @@ module Aws::STS
     add_plugin(Aws::Plugins::JsonvalueConverter)
     add_plugin(Aws::Plugins::ClientMetricsPlugin)
     add_plugin(Aws::Plugins::ClientMetricsSendPlugin)
+    add_plugin(Aws::Plugins::TransferEncoding)
     add_plugin(Aws::Plugins::SignatureV4)
     add_plugin(Aws::Plugins::Protocols::Query)
+    add_plugin(Aws::STS::Plugins::STSRegionalEndpoints)
 
     # @overload initialize(options)
     #   @param [Hash] options
@@ -106,6 +122,12 @@ module Aws::STS
     #     When set to `true`, a thread polling for endpoints will be running in
     #     the background every 60 secs (default). Defaults to `false`.
     #
+    #   @option options [Boolean] :adaptive_retry_wait_to_fill (true)
+    #     Used only in `adaptive` retry mode.  When true, the request will sleep
+    #     until there is sufficent client side capacity to retry the request.
+    #     When false, the request will raise a `RetryCapacityNotAvailableError` and will
+    #     not retry instead of sleeping.
+    #
     #   @option options [Boolean] :client_side_monitoring (false)
     #     When `true`, client-side metrics will be collected for all API requests from
     #     this client.
@@ -114,6 +136,10 @@ module Aws::STS
     #     Allows you to provide an identifier for this client which will be attached to
     #     all generated client side metrics. Defaults to an empty string.
     #
+    #   @option options [String] :client_side_monitoring_host ("127.0.0.1")
+    #     Allows you to specify the DNS hostname or IPv4 or IPv6 address that the client
+    #     side monitoring agent is running on, where client metrics will be published via UDP.
+    #
     #   @option options [Integer] :client_side_monitoring_port (31000)
     #     Required for publishing client metrics. The port that the client side monitoring
     #     agent is running on, where client metrics will be published via UDP.
@@ -126,6 +152,10 @@ module Aws::STS
     #     When `true`, an attempt is made to coerce request parameters into
     #     the required types.
     #
+    #   @option options [Boolean] :correct_clock_skew (true)
+    #     Used only in `standard` and adaptive retry modes. Specifies whether to apply
+    #     a clock skew correction and retry requests with skewed client clocks.
+    #
     #   @option options [Boolean] :disable_host_prefix_injection (false)
     #     Set to true to disable SDK automatically adding host prefix
     #     to default service endpoint when available.
@@ -160,15 +190,29 @@ module Aws::STS
     #     The Logger instance to send log messages to.  If this option
     #     is not set, logging will be disabled.
     #
+    #   @option options [Integer] :max_attempts (3)
+    #     An integer representing the maximum number attempts that will be made for
+    #     a single request, including the initial attempt.  For example,
+    #     setting this value to 5 will result in a request being retried up to
+    #     4 times. Used in `standard` and `adaptive` retry modes.
+    #
     #   @option options [String] :profile ("default")
     #     Used when loading credentials from the shared credentials file
     #     at HOME/.aws/credentials.  When not specified, 'default' is used.
     #
+    #   @option options [Proc] :retry_backoff
+    #     A proc or lambda used for backoff. Defaults to 2**retries * retry_base_delay.
+    #     This option is only used in the `legacy` retry mode.
+    #
     #   @option options [Float] :retry_base_delay (0.3)
-    #     The base delay in seconds used by the default backoff function.
+    #     The base delay in seconds used by the default backoff function. This option
+    #     is only used in the `legacy` retry mode.
     #
     #   @option options [Symbol] :retry_jitter (:none)
-    #     A delay randomiser function used by the default backoff function. Some predefined functions can be referenced by name - :none, :equal, :full, otherwise a Proc that takes and returns a number.
+    #     A delay randomiser function used by the default backoff function.
+    #     Some predefined functions can be referenced by name - :none, :equal, :full,
+    #     otherwise a Proc that takes and returns a number. This option is only used
+    #     in the `legacy` retry mode.
     #
     #     @see https://www.awsarchitectureblog.com/2015/03/backoff.html
     #
@@ -176,16 +220,40 @@ module Aws::STS
     #     The maximum number of times to retry failed requests.  Only
     #     ~ 500 level server errors and certain ~ 400 level client errors
     #     are retried.  Generally, these are throttling errors, data
-    #     checksum errors, networking errors, timeout errors and auth
-    #     errors from expired credentials.
+    #     checksum errors, networking errors, timeout errors, auth errors,
+    #     endpoint discovery, and errors from expired credentials.
+    #     This option is only used in the `legacy` retry mode.
     #
     #   @option options [Integer] :retry_max_delay (0)
-    #     The maximum number of seconds to delay between retries (0 for no limit) used by the default backoff function.
+    #     The maximum number of seconds to delay between retries (0 for no limit)
+    #     used by the default backoff function. This option is only used in the
+    #     `legacy` retry mode.
+    #
+    #   @option options [String] :retry_mode ("legacy")
+    #     Specifies which retry algorithm to use. Values are:
+    #
+    #     * `legacy` - The pre-existing retry behavior.  This is default value if
+    #       no retry mode is provided.
+    #
+    #     * `standard` - A standardized set of retry rules across the AWS SDKs.
+    #       This includes support for retry quotas, which limit the number of
+    #       unsuccessful retries a client can make.
+    #
+    #     * `adaptive` - An experimental retry mode that includes all the
+    #       functionality of `standard` mode along with automatic client side
+    #       throttling.  This is a provisional mode that may change behavior
+    #       in the future.
+    #
     #
     #   @option options [String] :secret_access_key
     #
     #   @option options [String] :session_token
     #
+    #   @option options [String] :sts_regional_endpoints ("regional")
+    #     Passing in 'regional' to enable regional endpoint for STS for all supported
+    #     regions (except 'aws-global'). Using 'legacy' mode will force all legacy
+    #     regions to resolve to the STS global endpoint.
+    #
     #   @option options [Boolean] :stub_responses (false)
     #     Causes the client to return stubbed responses. By default
     #     fake responses are generated and returned. You can specify
@@ -199,46 +267,78 @@ module Aws::STS
     #     When `true`, request parameters are validated before
     #     sending the request.
     #
+    #   @option options [URI::HTTP,String] :http_proxy A proxy to send
+    #     requests through.  Formatted like 'http://proxy.com:123'.
+    #
+    #   @option options [Float] :http_open_timeout (15) The number of
+    #     seconds to wait when opening a HTTP session before raising a
+    #     `Timeout::Error`.
+    #
+    #   @option options [Integer] :http_read_timeout (60) The default
+    #     number of seconds to wait for response data.  This value can
+    #     safely be set per-request on the session.
+    #
+    #   @option options [Float] :http_idle_timeout (5) The number of
+    #     seconds a connection is allowed to sit idle before it is
+    #     considered stale.  Stale connections are closed and removed
+    #     from the pool before making a request.
+    #
+    #   @option options [Float] :http_continue_timeout (1) The number of
+    #     seconds to wait for a 100-continue response before sending the
+    #     request body.  This option has no effect unless the request has
+    #     "Expect" header set to "100-continue".  Defaults to `nil` which
+    #     disables this behaviour.  This value can safely be set per
+    #     request on the session.
+    #
+    #   @option options [Boolean] :http_wire_trace (false) When `true`,
+    #     HTTP debug output will be sent to the `:logger`.
+    #
+    #   @option options [Boolean] :ssl_verify_peer (true) When `true`,
+    #     SSL peer certificates are verified when establishing a
+    #     connection.
+    #
+    #   @option options [String] :ssl_ca_bundle Full path to the SSL
+    #     certificate authority bundle file that should be used when
+    #     verifying peer certificates.  If you do not pass
+    #     `:ssl_ca_bundle` or `:ssl_ca_directory` the the system default
+    #     will be used if available.
+    #
+    #   @option options [String] :ssl_ca_directory Full path of the
+    #     directory that contains the unbundled SSL certificate
+    #     authority files for verifying peer certificates.  If you do
+    #     not pass `:ssl_ca_bundle` or `:ssl_ca_directory` the the
+    #     system default will be used if available.
+    #
     def initialize(*args)
       super
     end
 
     # @!group API Operations
 
-    # Returns a set of temporary security credentials (consisting of an
-    # access key ID, a secret access key, and a security token) that you can
-    # use to access AWS resources that you might not normally have access
-    # to. Typically, you use `AssumeRole` for cross-account access or
-    # federation. For a comparison of `AssumeRole` with the other APIs that
-    # produce temporary credentials, see [Requesting Temporary Security
-    # Credentials][1] and [Comparing the AWS STS APIs][2] in the *IAM User
-    # Guide*.
-    #
-    # **Important:** You cannot call `AssumeRole` by using AWS root account
-    # credentials; access is denied. You must use credentials for an IAM
-    # user or an IAM role to call `AssumeRole`.
+    # Returns a set of temporary security credentials that you can use to
+    # access AWS resources that you might not normally have access to. These
+    # temporary credentials consist of an access key ID, a secret access
+    # key, and a security token. Typically, you use `AssumeRole` within your
+    # account or for cross-account access. For a comparison of `AssumeRole`
+    # with other API operations that produce temporary credentials, see
+    # [Requesting Temporary Security Credentials][1] and [Comparing the AWS
+    # STS API operations][2] in the *IAM User Guide*.
+    #
+    # You cannot use AWS account root user credentials to call `AssumeRole`.
+    # You must use credentials for an IAM user or an IAM role to call
+    # `AssumeRole`.
     #
     # For cross-account access, imagine that you own multiple accounts and
     # need to access resources in each account. You could create long-term
     # credentials in each account to access those resources. However,
     # managing all those credentials and remembering which one can access
     # which account can be time consuming. Instead, you can create one set
-    # of long-term credentials in one account and then use temporary
-    # security credentials to access all the other accounts by assuming
-    # roles in those accounts. For more information about roles, see [IAM
-    # Roles (Delegation and Federation)][3] in the *IAM User Guide*.
-    #
-    # For federation, you can, for example, grant single sign-on access to
-    # the AWS Management Console. If you already have an identity and
-    # authentication system in your corporate network, you don't have to
-    # recreate user identities in AWS in order to grant those user
-    # identities access to AWS. Instead, after a user has been
-    # authenticated, you call `AssumeRole` (and specify the role with the
-    # appropriate permissions) to get temporary security credentials for
-    # that user. With those temporary security credentials, you construct a
-    # sign-in URL that users can use to access the console. For more
-    # information, see [Common Scenarios for Temporary Credentials][4] in
-    # the *IAM User Guide*.
+    # of long-term credentials in one account. Then use temporary security
+    # credentials to access all the other accounts by assuming roles in
+    # those accounts. For more information about roles, see [IAM Roles][3]
+    # in the *IAM User Guide*.
+    #
+    # **Session Duration**
     #
     # By default, the temporary security credentials created by `AssumeRole`
     # last for one hour. However, you can use the optional `DurationSeconds`
@@ -246,85 +346,108 @@ module Aws::STS
     # value from 900 seconds (15 minutes) up to the maximum session duration
     # setting for the role. This setting can have a value from 1 hour to 12
     # hours. To learn how to view the maximum value for your role, see [View
-    # the Maximum Session Duration Setting for a Role][5] in the *IAM User
+    # the Maximum Session Duration Setting for a Role][4] in the *IAM User
     # Guide*. The maximum session duration limit applies when you use the
-    # `AssumeRole*` API operations or the `assume-role*` CLI operations but
-    # does not apply when you use those operations to create a console URL.
-    # For more information, see [Using IAM Roles][6] in the *IAM User
-    # Guide*.
+    # `AssumeRole*` API operations or the `assume-role*` CLI commands.
+    # However the limit does not apply when you use those operations to
+    # create a console URL. For more information, see [Using IAM Roles][5]
+    # in the *IAM User Guide*.
+    #
+    # **Permissions**
     #
     # The temporary security credentials created by `AssumeRole` can be used
-    # to make API calls to any AWS service with the following exception: you
-    # cannot call the STS service's `GetFederationToken` or
-    # `GetSessionToken` APIs.
-    #
-    # Optionally, you can pass an IAM access policy to this operation. If
-    # you choose not to pass a policy, the temporary security credentials
-    # that are returned by the operation have the permissions that are
-    # defined in the access policy of the role that is being assumed. If you
-    # pass a policy to this operation, the temporary security credentials
-    # that are returned by the operation have the permissions that are
-    # allowed by both the access policy of the role that is being assumed,
-    # <i> <b>and</b> </i> the policy that you pass. This gives you a way to
-    # further restrict the permissions for the resulting temporary security
-    # credentials. You cannot use the passed policy to grant permissions
-    # that are in excess of those allowed by the access policy of the role
-    # that is being assumed. For more information, see [Permissions for
-    # AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity][7] in
+    # to make API calls to any AWS service with the following exception: You
+    # cannot call the AWS STS `GetFederationToken` or `GetSessionToken` API
+    # operations.
+    #
+    # (Optional) You can pass inline or managed [session policies][6] to
+    # this operation. You can pass a single JSON policy document to use as
+    # an inline session policy. You can also specify up to 10 managed
+    # policies to use as managed session policies. The plain text that you
+    # use for both inline and managed session policies can't exceed 2,048
+    # characters. Passing policies to this operation returns new temporary
+    # credentials. The resulting session's permissions are the intersection
+    # of the role's identity-based policy and the session policies. You can
+    # use the role's temporary credentials in subsequent AWS API calls to
+    # access resources in the account that owns the role. You cannot use
+    # session policies to grant more permissions than those allowed by the
+    # identity-based policy of the role that is being assumed. For more
+    # information, see [Session Policies][6] in the *IAM User Guide*.
+    #
+    # To assume a role from a different account, your AWS account must be
+    # trusted by the role. The trust relationship is defined in the role's
+    # trust policy when the role is created. That trust policy states which
+    # accounts are allowed to delegate that access to users in the account.
+    #
+    # A user who wants to access a role in a different account must also
+    # have permissions that are delegated from the user account
+    # administrator. The administrator must attach a policy that allows the
+    # user to call `AssumeRole` for the ARN of the role in the other
+    # account. If the user is in the same account as the role, then you can
+    # do either of the following:
+    #
+    # * Attach a policy to the user (identical to the previous user in a
+    #   different account).
+    #
+    # * Add the user as a principal directly in the role's trust policy.
+    #
+    # In this case, the trust policy acts as an IAM resource-based policy.
+    # Users in the same account as the role do not need explicit permission
+    # to assume the role. For more information about trust policies and
+    # resource-based policies, see [IAM Policies][7] in the *IAM User
+    # Guide*.
+    #
+    # **Tags**
+    #
+    # (Optional) You can pass tag key-value pairs to your session. These
+    # tags are called session tags. For more information about session tags,
+    # see [Passing Session Tags in STS][8] in the *IAM User Guide*.
+    #
+    # An administrator must grant you the permissions necessary to pass
+    # session tags. The administrator can also create granular permissions
+    # to allow you to pass only specific session tags. For more information,
+    # see [Tutorial: Using Tags for Attribute-Based Access Control][9] in
     # the *IAM User Guide*.
     #
-    # To assume a role, your AWS account must be trusted by the role. The
-    # trust relationship is defined in the role's trust policy when the
-    # role is created. That trust policy states which accounts are allowed
-    # to delegate access to this account's role.
-    #
-    # The user who wants to access the role must also have permissions
-    # delegated from the role's administrator. If the user is in a
-    # different account than the role, then the user's administrator must
-    # attach a policy that allows the user to call AssumeRole on the ARN of
-    # the role in the other account. If the user is in the same account as
-    # the role, then you can either attach a policy to the user (identical
-    # to the previous different account user), or you can add the user as a
-    # principal directly in the role's trust policy. In this case, the
-    # trust policy acts as the only resource-based policy in IAM, and users
-    # in the same account as the role do not need explicit permission to
-    # assume the role. For more information about trust policies and
-    # resource-based policies, see [IAM Policies][8] in the *IAM User
-    # Guide*.
+    # You can set the session tags as transitive. Transitive tags persist
+    # during role chaining. For more information, see [Chaining Roles with
+    # Session Tags][10] in the *IAM User Guide*.
     #
     # **Using MFA with AssumeRole**
     #
-    # You can optionally include multi-factor authentication (MFA)
+    # (Optional) You can include multi-factor authentication (MFA)
     # information when you call `AssumeRole`. This is useful for
-    # cross-account scenarios in which you want to make sure that the user
-    # who is assuming the role has been authenticated using an AWS MFA
-    # device. In that scenario, the trust policy of the role being assumed
-    # includes a condition that tests for MFA authentication; if the caller
-    # does not include valid MFA information, the request to assume the role
-    # is denied. The condition in a trust policy that tests for MFA
-    # authentication might look like the following example.
+    # cross-account scenarios to ensure that the user that assumes the role
+    # has been authenticated with an AWS MFA device. In that scenario, the
+    # trust policy of the role being assumed includes a condition that tests
+    # for MFA authentication. If the caller does not include valid MFA
+    # information, the request to assume the role is denied. The condition
+    # in a trust policy that tests for MFA authentication might look like
+    # the following example.
     #
     # `"Condition": \{"Bool": \{"aws:MultiFactorAuthPresent": true\}\}`
     #
-    # For more information, see [Configuring MFA-Protected API Access][9] in
-    # the *IAM User Guide* guide.
+    # For more information, see [Configuring MFA-Protected API Access][11]
+    # in the *IAM User Guide* guide.
     #
     # To use MFA with `AssumeRole`, you pass values for the `SerialNumber`
     # and `TokenCode` parameters. The `SerialNumber` value identifies the
     # user's hardware or virtual MFA device. The `TokenCode` is the
-    # time-based one-time password (TOTP) that the MFA devices produces.
+    # time-based one-time password (TOTP) that the MFA device produces.
     #
     #
     #
-    # [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
-    # [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
-    # [3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/roles-toplevel.html
-    # [4]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html#sts-introduction
-    # [5]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
-    # [6]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
-    # [7]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
-    # [8]: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
-    # [9]: http://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
+    # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
+    # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html
+    # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
+    # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
+    # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+    # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
+    # [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
+    # [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
+    # [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
+    # [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html
     #
     # @option params [required, String] :role_arn
     #   The Amazon Resource Name (ARN) of the role to assume.
@@ -337,47 +460,82 @@ module Aws::STS
     #   cross-account scenarios, the role session name is visible to, and can
     #   be logged by the account that owns the role. The role session name is
     #   also used in the ARN of the assumed role principal. This means that
-    #   subsequent cross-account API requests using the temporary security
+    #   subsequent cross-account API requests that use the temporary security
     #   credentials will expose the role session name to the external account
-    #   in their CloudTrail logs.
+    #   in their AWS CloudTrail logs.
     #
     #   The regex used to validate this parameter is a string of characters
     #   consisting of upper- and lower-case alphanumeric characters with no
     #   spaces. You can also include underscores or any of the following
     #   characters: =,.@-
     #
-    # @option params [String] :policy
-    #   An IAM policy in JSON format.
-    #
-    #   This parameter is optional. If you pass a policy, the temporary
-    #   security credentials that are returned by the operation have the
-    #   permissions that are allowed by both (the intersection of) the access
-    #   policy of the role that is being assumed, *and* the policy that you
-    #   pass. This gives you a way to further restrict the permissions for the
-    #   resulting temporary security credentials. You cannot use the passed
-    #   policy to grant permissions that are in excess of those allowed by the
-    #   access policy of the role that is being assumed. For more information,
-    #   see [Permissions for AssumeRole, AssumeRoleWithSAML, and
-    #   AssumeRoleWithWebIdentity][1] in the *IAM User Guide*.
+    # @option params [Array<Types::PolicyDescriptorType>] :policy_arns
+    #   The Amazon Resource Names (ARNs) of the IAM managed policies that you
+    #   want to use as managed session policies. The policies must exist in
+    #   the same account as the role.
     #
-    #   The format for this parameter, as described by its regex pattern, is a
-    #   string of characters up to 2048 characters in length. The characters
+    #   This parameter is optional. You can provide up to 10 managed policy
+    #   ARNs. However, the plain text that you use for both inline and managed
+    #   session policies can't exceed 2,048 characters. For more information
+    #   about ARNs, see [Amazon Resource Names (ARNs) and AWS Service
+    #   Namespaces][1] in the AWS General Reference.
+    #
+    #   <note markdown="1"> An AWS conversion compresses the passed session policies and session
+    #   tags into a packed binary format that has a separate limit. Your
+    #   request can fail for this limit even if your plain text meets the
+    #   other requirements. The `PackedPolicySize` response element indicates
+    #   by percentage how close the policies and tags for your request are to
+    #   the upper size limit.
+    #
+    #    </note>
+    #
+    #   Passing policies to this operation returns new temporary credentials.
+    #   The resulting session's permissions are the intersection of the
+    #   role's identity-based policy and the session policies. You can use
+    #   the role's temporary credentials in subsequent AWS API calls to
+    #   access resources in the account that owns the role. You cannot use
+    #   session policies to grant more permissions than those allowed by the
+    #   identity-based policy of the role that is being assumed. For more
+    #   information, see [Session Policies][2] in the *IAM User Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+    #
+    # @option params [String] :policy
+    #   An IAM policy in JSON format that you want to use as an inline session
+    #   policy.
+    #
+    #   This parameter is optional. Passing policies to this operation returns
+    #   new temporary credentials. The resulting session's permissions are
+    #   the intersection of the role's identity-based policy and the session
+    #   policies. You can use the role's temporary credentials in subsequent
+    #   AWS API calls to access resources in the account that owns the role.
+    #   You cannot use session policies to grant more permissions than those
+    #   allowed by the identity-based policy of the role that is being
+    #   assumed. For more information, see [Session Policies][1] in the *IAM
+    #   User Guide*.
+    #
+    #   The plain text that you use for both inline and managed session
+    #   policies can't exceed 2,048 characters. The JSON policy characters
     #   can be any ASCII character from the space character to the end of the
-    #   valid character list (\\u0020-\\u00FF). It can also include the tab
-    #   (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
+    #   valid character list (\\u0020 through \\u00FF). It can also include
+    #   the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
     #   characters.
     #
-    #   <note markdown="1"> The policy plain text must be 2048 bytes or shorter. However, an
-    #   internal conversion compresses it into a packed binary format with a
-    #   separate limit. The PackedPolicySize response element indicates by
-    #   percentage how close to the upper size limit the policy is, with 100%
-    #   equaling the maximum allowed size.
+    #   <note markdown="1"> An AWS conversion compresses the passed session policies and session
+    #   tags into a packed binary format that has a separate limit. Your
+    #   request can fail for this limit even if your plain text meets the
+    #   other requirements. The `PackedPolicySize` response element indicates
+    #   by percentage how close the policies and tags for your request are to
+    #   the upper size limit.
     #
     #    </note>
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
     #
     # @option params [Integer] :duration_seconds
     #   The duration, in seconds, of the role session. The value can range
@@ -390,7 +548,7 @@ module Aws::STS
     #   see [View the Maximum Session Duration Setting for a Role][1] in the
     #   *IAM User Guide*.
     #
-    #   By default, the value is set to 3600 seconds.
+    #   By default, the value is set to `3600` seconds.
     #
     #   <note markdown="1"> The `DurationSeconds` parameter is separate from the duration of a
     #   console session that you might request using the returned credentials.
@@ -404,29 +562,91 @@ module Aws::STS
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
-    #   [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
+    #
+    # @option params [Array<Types::Tag>] :tags
+    #   A list of session tags that you want to pass. Each session tag
+    #   consists of a key name and an associated value. For more information
+    #   about session tags, see [Tagging AWS STS Sessions][1] in the *IAM User
+    #   Guide*.
+    #
+    #   This parameter is optional. You can pass up to 50 session tags. The
+    #   plain text session tag keys can’t exceed 128 characters, and the
+    #   values can’t exceed 256 characters. For these and additional limits,
+    #   see [IAM and STS Character Limits][2] in the *IAM User Guide*.
+    #
+    #   <note markdown="1"> An AWS conversion compresses the passed session policies and session
+    #   tags into a packed binary format that has a separate limit. Your
+    #   request can fail for this limit even if your plain text meets the
+    #   other requirements. The `PackedPolicySize` response element indicates
+    #   by percentage how close the policies and tags for your request are to
+    #   the upper size limit.
+    #
+    #    </note>
+    #
+    #   You can pass a session tag with the same key as a tag that is already
+    #   attached to the role. When you do, session tags override a role tag
+    #   with the same key.
+    #
+    #   Tag key–value pairs are not case sensitive, but case is preserved.
+    #   This means that you cannot have separate `Department` and `department`
+    #   tag keys. Assume that the role has the `Department`=`Marketing` tag
+    #   and you pass the `department`=`engineering` session tag. `Department`
+    #   and `department` are not saved as separate tags, and the session tag
+    #   passed in the request takes precedence over the role tag.
+    #
+    #   Additionally, if you used temporary credentials to perform this
+    #   operation, the new session inherits any transitive session tags from
+    #   the calling session. If you pass a session tag with the same key as an
+    #   inherited tag, the operation fails. To view the inherited tags for a
+    #   session, see the AWS CloudTrail logs. For more information, see
+    #   [Viewing Session Tags in CloudTrail][3] in the *IAM User Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
+    #   [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/session-tags.html#id_session-tags_ctlogs
+    #
+    # @option params [Array<String>] :transitive_tag_keys
+    #   A list of keys for session tags that you want to set as transitive. If
+    #   you set a tag key as transitive, the corresponding key and value
+    #   passes to subsequent sessions in a role chain. For more information,
+    #   see [Chaining Roles with Session Tags][1] in the *IAM User Guide*.
+    #
+    #   This parameter is optional. When you set session tags as transitive,
+    #   the session policy and session tags packed binary limit is not
+    #   affected.
+    #
+    #   If you choose not to specify a transitive tag key, then no tags are
+    #   passed from this session to any subsequent sessions.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
     #
     # @option params [String] :external_id
-    #   A unique identifier that is used by third parties when assuming roles
-    #   in their customers' accounts. For each role that the third party can
-    #   assume, they should instruct their customers to ensure the role's
-    #   trust policy checks for the external ID that the third party
-    #   generated. Each time the third party assumes the role, they should
-    #   pass the customer's external ID. The external ID is useful in order
-    #   to help third parties bind a role to the customer who created it. For
-    #   more information about the external ID, see [How to Use an External ID
-    #   When Granting Access to Your AWS Resources to a Third Party][1] in the
-    #   *IAM User Guide*.
+    #   A unique identifier that might be required when you assume a role in
+    #   another account. If the administrator of the account to which the role
+    #   belongs provided you with an external ID, then provide that value in
+    #   the `ExternalId` parameter. This value can be any string, such as a
+    #   passphrase or account number. A cross-account role is usually set up
+    #   to trust everyone in an account. Therefore, the administrator of the
+    #   trusting account might send an external ID to the administrator of the
+    #   trusted account. That way, only someone with the ID can assume the
+    #   role, rather than everyone in the account. For more information about
+    #   the external ID, see [How to Use an External ID When Granting Access
+    #   to Your AWS Resources to a Third Party][1] in the *IAM User Guide*.
     #
-    #   The regex used to validated this parameter is a string of characters
+    #   The regex used to validate this parameter is a string of characters
     #   consisting of upper- and lower-case alphanumeric characters with no
     #   spaces. You can also include underscores or any of the following
     #   characters: =,.@:/-
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
     #
     # @option params [String] :serial_number
     #   The identification number of the MFA device that is associated with
@@ -462,11 +682,28 @@ module Aws::STS
     # @example Example: To assume a role
     #
     #   resp = client.assume_role({
-    #     duration_seconds: 3600, 
     #     external_id: "123ABC", 
-    #     policy: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"*\"}]}", 
+    #     policy: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"Allow\",\"Action\":\"s3:ListAllMyBuckets\",\"Resource\":\"*\"}]}", 
     #     role_arn: "arn:aws:iam::123456789012:role/demo", 
-    #     role_session_name: "Bob", 
+    #     role_session_name: "testAssumeRoleSession", 
+    #     tags: [
+    #       {
+    #         key: "Project", 
+    #         value: "Unicorn", 
+    #       }, 
+    #       {
+    #         key: "Team", 
+    #         value: "Automation", 
+    #       }, 
+    #       {
+    #         key: "Cost-Center", 
+    #         value: "12345", 
+    #       }, 
+    #     ], 
+    #     transitive_tag_keys: [
+    #       "Project", 
+    #       "Cost-Center", 
+    #     ], 
     #   })
     #
     #   resp.to_h outputs the following:
@@ -481,7 +718,7 @@ module Aws::STS
     #       secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY", 
     #       session_token: "AQoDYXdzEPT//////////wEXAMPLEtc764bNrC9SAPBSM22wDOk4x4HIZ8j4FZTwdQWLWsKWHGBuFqwAeMicRXmxfpSPfIeoIYRqTflfKD8YUuwthAx7mSEI/qkPpKPi/kMcGdQrmGdeehM4IC1NtBmUpp2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU9HFvlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPPkUL64lIZbqBAz+scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr4rvx3iSIlTJabIQwj2ICCR/oLxBA==", 
     #     }, 
-    #     packed_policy_size: 6, 
+    #     packed_policy_size: 8, 
     #   }
     #
     # @example Request syntax with placeholder values
@@ -489,8 +726,20 @@ module Aws::STS
     #   resp = client.assume_role({
     #     role_arn: "arnType", # required
     #     role_session_name: "roleSessionNameType", # required
+    #     policy_arns: [
+    #       {
+    #         arn: "arnType",
+    #       },
+    #     ],
     #     policy: "sessionPolicyDocumentType",
     #     duration_seconds: 1,
+    #     tags: [
+    #       {
+    #         key: "tagKeyType", # required
+    #         value: "tagValueType", # required
+    #       },
+    #     ],
+    #     transitive_tag_keys: ["tagKeyType"],
     #     external_id: "externalIdType",
     #     serial_number: "serialNumberType",
     #     token_code: "tokenCodeType",
@@ -520,15 +769,17 @@ module Aws::STS
     # provides a mechanism for tying an enterprise identity store or
     # directory to role-based AWS access without user-specific credentials
     # or configuration. For a comparison of `AssumeRoleWithSAML` with the
-    # other APIs that produce temporary credentials, see [Requesting
-    # Temporary Security Credentials][1] and [Comparing the AWS STS APIs][2]
-    # in the *IAM User Guide*.
+    # other API operations that produce temporary credentials, see
+    # [Requesting Temporary Security Credentials][1] and [Comparing the AWS
+    # STS API operations][2] in the *IAM User Guide*.
     #
     # The temporary security credentials returned by this operation consist
     # of an access key ID, a secret access key, and a security token.
     # Applications can use these temporary security credentials to sign
     # calls to AWS services.
     #
+    # **Session Duration**
+    #
     # By default, the temporary security credentials created by
     # `AssumeRoleWithSAML` last for one hour. However, you can use the
     # optional `DurationSeconds` parameter to specify the duration of your
@@ -541,37 +792,30 @@ module Aws::STS
     # for your role, see [View the Maximum Session Duration Setting for a
     # Role][3] in the *IAM User Guide*. The maximum session duration limit
     # applies when you use the `AssumeRole*` API operations or the
-    # `assume-role*` CLI operations but does not apply when you use those
-    # operations to create a console URL. For more information, see [Using
-    # IAM Roles][4] in the *IAM User Guide*.
+    # `assume-role*` CLI commands. However the limit does not apply when you
+    # use those operations to create a console URL. For more information,
+    # see [Using IAM Roles][4] in the *IAM User Guide*.
+    #
+    # **Permissions**
     #
     # The temporary security credentials created by `AssumeRoleWithSAML` can
     # be used to make API calls to any AWS service with the following
-    # exception: you cannot call the STS service's `GetFederationToken` or
-    # `GetSessionToken` APIs.
-    #
-    # Optionally, you can pass an IAM access policy to this operation. If
-    # you choose not to pass a policy, the temporary security credentials
-    # that are returned by the operation have the permissions that are
-    # defined in the access policy of the role that is being assumed. If you
-    # pass a policy to this operation, the temporary security credentials
-    # that are returned by the operation have the permissions that are
-    # allowed by the intersection of both the access policy of the role that
-    # is being assumed, <i> <b>and</b> </i> the policy that you pass. This
-    # means that both policies must grant the permission for the action to
-    # be allowed. This gives you a way to further restrict the permissions
-    # for the resulting temporary security credentials. You cannot use the
-    # passed policy to grant permissions that are in excess of those allowed
-    # by the access policy of the role that is being assumed. For more
-    # information, see [Permissions for AssumeRole, AssumeRoleWithSAML, and
-    # AssumeRoleWithWebIdentity][5] in the *IAM User Guide*.
-    #
-    # Before your application can call `AssumeRoleWithSAML`, you must
-    # configure your SAML identity provider (IdP) to issue the claims
-    # required by AWS. Additionally, you must use AWS Identity and Access
-    # Management (IAM) to create a SAML provider entity in your AWS account
-    # that represents your identity provider, and create an IAM role that
-    # specifies this SAML provider in its trust policy.
+    # exception: you cannot call the STS `GetFederationToken` or
+    # `GetSessionToken` API operations.
+    #
+    # (Optional) You can pass inline or managed [session policies][5] to
+    # this operation. You can pass a single JSON policy document to use as
+    # an inline session policy. You can also specify up to 10 managed
+    # policies to use as managed session policies. The plain text that you
+    # use for both inline and managed session policies can't exceed 2,048
+    # characters. Passing policies to this operation returns new temporary
+    # credentials. The resulting session's permissions are the intersection
+    # of the role's identity-based policy and the session policies. You can
+    # use the role's temporary credentials in subsequent AWS API calls to
+    # access resources in the account that owns the role. You cannot use
+    # session policies to grant more permissions than those allowed by the
+    # identity-based policy of the role that is being assumed. For more
+    # information, see [Session Policies][5] in the *IAM User Guide*.
     #
     # Calling `AssumeRoleWithSAML` does not require the use of AWS security
     # credentials. The identity of the caller is validated by using keys in
@@ -580,33 +824,82 @@ module Aws::STS
     #
     # Calling `AssumeRoleWithSAML` can result in an entry in your AWS
     # CloudTrail logs. The entry includes the value in the `NameID` element
-    # of the SAML assertion. We recommend that you use a NameIDType that is
-    # not associated with any personally identifiable information (PII). For
-    # example, you could instead use the Persistent Identifier
+    # of the SAML assertion. We recommend that you use a `NameIDType` that
+    # is not associated with any personally identifiable information (PII).
+    # For example, you could instead use the persistent identifier
     # (`urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`).
     #
+    # **Tags**
+    #
+    # (Optional) You can configure your IdP to pass attributes into your
+    # SAML assertion as session tags. Each session tag consists of a key
+    # name and an associated value. For more information about session tags,
+    # see [Passing Session Tags in STS][6] in the *IAM User Guide*.
+    #
+    # You can pass up to 50 session tags. The plain text session tag keys
+    # can’t exceed 128 characters and the values can’t exceed 256
+    # characters. For these and additional limits, see [IAM and STS
+    # Character Limits][7] in the *IAM User Guide*.
+    #
+    # <note markdown="1"> An AWS conversion compresses the passed session policies and session
+    # tags into a packed binary format that has a separate limit. Your
+    # request can fail for this limit even if your plain text meets the
+    # other requirements. The `PackedPolicySize` response element indicates
+    # by percentage how close the policies and tags for your request are to
+    # the upper size limit.
+    #
+    #  </note>
+    #
+    # You can pass a session tag with the same key as a tag that is attached
+    # to the role. When you do, session tags override the role's tags with
+    # the same key.
+    #
+    # An administrator must grant you the permissions necessary to pass
+    # session tags. The administrator can also create granular permissions
+    # to allow you to pass only specific session tags. For more information,
+    # see [Tutorial: Using Tags for Attribute-Based Access Control][8] in
+    # the *IAM User Guide*.
+    #
+    # You can set the session tags as transitive. Transitive tags persist
+    # during role chaining. For more information, see [Chaining Roles with
+    # Session Tags][9] in the *IAM User Guide*.
+    #
+    # **SAML Configuration**
+    #
+    # Before your application can call `AssumeRoleWithSAML`, you must
+    # configure your SAML identity provider (IdP) to issue the claims
+    # required by AWS. Additionally, you must use AWS Identity and Access
+    # Management (IAM) to create a SAML provider entity in your AWS account
+    # that represents your identity provider. You must also create an IAM
+    # role that specifies this SAML provider in its trust policy.
+    #
     # For more information, see the following resources:
     #
-    # * [About SAML 2.0-based Federation][6] in the *IAM User Guide*.
+    # * [About SAML 2.0-based Federation][10] in the *IAM User Guide*.
     #
-    # * [Creating SAML Identity Providers][7] in the *IAM User Guide*.
+    # * [Creating SAML Identity Providers][11] in the *IAM User Guide*.
     #
-    # * [Configuring a Relying Party and Claims][8] in the *IAM User Guide*.
+    # * [Configuring a Relying Party and Claims][12] in the *IAM User
+    #   Guide*.
     #
-    # * [Creating a Role for SAML 2.0 Federation][9] in the *IAM User
+    # * [Creating a Role for SAML 2.0 Federation][13] in the *IAM User
     #   Guide*.
     #
     #
     #
-    # [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
-    # [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
-    # [3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
-    # [4]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
-    # [5]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
-    # [6]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
-    # [7]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html
-    # [8]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html
-    # [9]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
+    # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
+    # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
+    # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
+    # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+    # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
+    # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
+    # [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
+    # [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
+    # [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
+    # [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html
+    # [12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html
+    # [13]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html
     #
     # @option params [required, String] :role_arn
     #   The Amazon Resource Name (ARN) of the role that the caller is
@@ -620,44 +913,79 @@ module Aws::STS
     #   The base-64 encoded SAML authentication response provided by the IdP.
     #
     #   For more information, see [Configuring a Relying Party and Adding
-    #   Claims][1] in the *Using IAM* guide.
+    #   Claims][1] in the *IAM User Guide*.
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html
     #
-    # @option params [String] :policy
-    #   An IAM policy in JSON format.
-    #
-    #   The policy parameter is optional. If you pass a policy, the temporary
-    #   security credentials that are returned by the operation have the
-    #   permissions that are allowed by both the access policy of the role
-    #   that is being assumed, <i> <b>and</b> </i> the policy that you pass.
-    #   This gives you a way to further restrict the permissions for the
-    #   resulting temporary security credentials. You cannot use the passed
-    #   policy to grant permissions that are in excess of those allowed by the
-    #   access policy of the role that is being assumed. For more information,
-    #   [Permissions for AssumeRole, AssumeRoleWithSAML, and
-    #   AssumeRoleWithWebIdentity][1] in the *IAM User Guide*.
+    # @option params [Array<Types::PolicyDescriptorType>] :policy_arns
+    #   The Amazon Resource Names (ARNs) of the IAM managed policies that you
+    #   want to use as managed session policies. The policies must exist in
+    #   the same account as the role.
     #
-    #   The format for this parameter, as described by its regex pattern, is a
-    #   string of characters up to 2048 characters in length. The characters
+    #   This parameter is optional. You can provide up to 10 managed policy
+    #   ARNs. However, the plain text that you use for both inline and managed
+    #   session policies can't exceed 2,048 characters. For more information
+    #   about ARNs, see [Amazon Resource Names (ARNs) and AWS Service
+    #   Namespaces][1] in the AWS General Reference.
+    #
+    #   <note markdown="1"> An AWS conversion compresses the passed session policies and session
+    #   tags into a packed binary format that has a separate limit. Your
+    #   request can fail for this limit even if your plain text meets the
+    #   other requirements. The `PackedPolicySize` response element indicates
+    #   by percentage how close the policies and tags for your request are to
+    #   the upper size limit.
+    #
+    #    </note>
+    #
+    #   Passing policies to this operation returns new temporary credentials.
+    #   The resulting session's permissions are the intersection of the
+    #   role's identity-based policy and the session policies. You can use
+    #   the role's temporary credentials in subsequent AWS API calls to
+    #   access resources in the account that owns the role. You cannot use
+    #   session policies to grant more permissions than those allowed by the
+    #   identity-based policy of the role that is being assumed. For more
+    #   information, see [Session Policies][2] in the *IAM User Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+    #
+    # @option params [String] :policy
+    #   An IAM policy in JSON format that you want to use as an inline session
+    #   policy.
+    #
+    #   This parameter is optional. Passing policies to this operation returns
+    #   new temporary credentials. The resulting session's permissions are
+    #   the intersection of the role's identity-based policy and the session
+    #   policies. You can use the role's temporary credentials in subsequent
+    #   AWS API calls to access resources in the account that owns the role.
+    #   You cannot use session policies to grant more permissions than those
+    #   allowed by the identity-based policy of the role that is being
+    #   assumed. For more information, see [Session Policies][1] in the *IAM
+    #   User Guide*.
+    #
+    #   The plain text that you use for both inline and managed session
+    #   policies can't exceed 2,048 characters. The JSON policy characters
     #   can be any ASCII character from the space character to the end of the
-    #   valid character list (\\u0020-\\u00FF). It can also include the tab
-    #   (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
+    #   valid character list (\\u0020 through \\u00FF). It can also include
+    #   the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
     #   characters.
     #
-    #   <note markdown="1"> The policy plain text must be 2048 bytes or shorter. However, an
-    #   internal conversion compresses it into a packed binary format with a
-    #   separate limit. The PackedPolicySize response element indicates by
-    #   percentage how close to the upper size limit the policy is, with 100%
-    #   equaling the maximum allowed size.
+    #   <note markdown="1"> An AWS conversion compresses the passed session policies and session
+    #   tags into a packed binary format that has a separate limit. Your
+    #   request can fail for this limit even if your plain text meets the
+    #   other requirements. The `PackedPolicySize` response element indicates
+    #   by percentage how close the policies and tags for your request are to
+    #   the upper size limit.
     #
     #    </note>
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
     #
     # @option params [Integer] :duration_seconds
     #   The duration, in seconds, of the role session. Your role session lasts
@@ -673,7 +1001,7 @@ module Aws::STS
     #   maximum value for your role, see [View the Maximum Session Duration
     #   Setting for a Role][1] in the *IAM User Guide*.
     #
-    #   By default, the value is set to 3600 seconds.
+    #   By default, the value is set to `3600` seconds.
     #
     #   <note markdown="1"> The `DurationSeconds` parameter is separate from the duration of a
     #   console session that you might request using the returned credentials.
@@ -687,8 +1015,8 @@ module Aws::STS
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
-    #   [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
     #
     # @return [Types::AssumeRoleWithSAMLResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -701,12 +1029,47 @@ module Aws::STS
     #   * {Types::AssumeRoleWithSAMLResponse#audience #audience} => String
     #   * {Types::AssumeRoleWithSAMLResponse#name_qualifier #name_qualifier} => String
     #
+    #
+    # @example Example: To assume a role using a SAML assertion
+    #
+    #   resp = client.assume_role_with_saml({
+    #     duration_seconds: 3600, 
+    #     principal_arn: "arn:aws:iam::123456789012:saml-provider/SAML-test", 
+    #     role_arn: "arn:aws:iam::123456789012:role/TestSaml", 
+    #     saml_assertion: "VERYLONGENCODEDASSERTIONEXAMPLExzYW1sOkF1ZGllbmNlPmJsYW5rPC9zYW1sOkF1ZGllbmNlPjwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjwvc2FtbDpDb25kaXRpb25zPjxzYW1sOlN1YmplY3Q+PHNhbWw6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6dHJhbnNpZW50Ij5TYW1sRXhhbXBsZTwvc2FtbDpOYW1lSUQ+PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAxOS0xMS0wMVQyMDoyNTowNS4xNDVaIiBSZWNpcGllbnQ9Imh0dHBzOi8vc2lnbmluLmF3cy5hbWF6b24uY29tL3NhbWwiLz48L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWw6U3ViamVjdD48c2FtbDpBdXRoblN0YXRlbWVudCBBdXRoPD94bWwgdmpSZXNwb25zZT4=", 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     assumed_role_user: {
+    #       arn: "arn:aws:sts::123456789012:assumed-role/TestSaml", 
+    #       assumed_role_id: "ARO456EXAMPLE789:TestSaml", 
+    #     }, 
+    #     audience: "https://signin.aws.amazon.com/saml", 
+    #     credentials: {
+    #       access_key_id: "ASIAV3ZUEFP6EXAMPLE", 
+    #       expiration: Time.parse("2019-11-01T20:26:47Z"), 
+    #       secret_access_key: "8P+SQvWIuLnKhh8d++jpw0nNmQRBZvNEXAMPLEKEY", 
+    #       session_token: "IQoJb3JpZ2luX2VjEOz////////////////////wEXAMPLEtMSJHMEUCIDoKK3JH9uGQE1z0sINr5M4jk+Na8KHDcCYRVjJCZEvOAiEA3OvJGtw1EcViOleS2vhs8VdCKFJQWPQrmGdeehM4IC1NtBmUpp2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU9HFvlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPPkUL64lIZbqBAz+scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr4rvx3iSIlTJabIQwj2ICCR/oLxBA==", 
+    #     }, 
+    #     issuer: "https://integ.example.com/idp/shibboleth", 
+    #     name_qualifier: "SbdGOnUkh1i4+EXAMPLExL/jEvs=", 
+    #     packed_policy_size: 6, 
+    #     subject: "SamlExample", 
+    #     subject_type: "transient", 
+    #   }
+    #
     # @example Request syntax with placeholder values
     #
     #   resp = client.assume_role_with_saml({
     #     role_arn: "arnType", # required
     #     principal_arn: "arnType", # required
     #     saml_assertion: "SAMLAssertionType", # required
+    #     policy_arns: [
+    #       {
+    #         arn: "arnType",
+    #       },
+    #     ],
     #     policy: "sessionPolicyDocumentType",
     #     duration_seconds: 1,
     #   })
@@ -737,16 +1100,17 @@ module Aws::STS
 
     # Returns a set of temporary security credentials for users who have
     # been authenticated in a mobile or web application with a web identity
-    # provider, such as Amazon Cognito, Login with Amazon, Facebook, Google,
-    # or any OpenID Connect-compatible identity provider.
+    # provider. Example providers include Amazon Cognito, Login with Amazon,
+    # Facebook, Google, or any OpenID Connect-compatible identity provider.
     #
     # <note markdown="1"> For mobile applications, we recommend that you use Amazon Cognito. You
-    # can use Amazon Cognito with the [AWS SDK for iOS][1] and the [AWS SDK
-    # for Android][2] to uniquely identify a user and supply the user with a
-    # consistent identity throughout the lifetime of an application.
+    # can use Amazon Cognito with the [AWS SDK for iOS Developer Guide][1]
+    # and the [AWS SDK for Android Developer Guide][2] to uniquely identify
+    # a user. You can also supply the user with a consistent identity
+    # throughout the lifetime of an application.
     #
     #  To learn more about Amazon Cognito, see [Amazon Cognito Overview][3]
-    # in the *AWS SDK for Android Developer Guide* guide and [Amazon Cognito
+    # in *AWS SDK for Android Developer Guide* and [Amazon Cognito
     # Overview][4] in the *AWS SDK for iOS Developer Guide*.
     #
     #  </note>
@@ -755,18 +1119,20 @@ module Aws::STS
     # security credentials. Therefore, you can distribute an application
     # (for example, on mobile devices) that requests temporary security
     # credentials without including long-term AWS credentials in the
-    # application, and without deploying server-based proxy services that
-    # use long-term AWS credentials. Instead, the identity of the caller is
-    # validated by using a token from the web identity provider. For a
-    # comparison of `AssumeRoleWithWebIdentity` with the other APIs that
-    # produce temporary credentials, see [Requesting Temporary Security
-    # Credentials][5] and [Comparing the AWS STS APIs][6] in the *IAM User
-    # Guide*.
+    # application. You also don't need to deploy server-based proxy
+    # services that use long-term AWS credentials. Instead, the identity of
+    # the caller is validated by using a token from the web identity
+    # provider. For a comparison of `AssumeRoleWithWebIdentity` with the
+    # other API operations that produce temporary credentials, see
+    # [Requesting Temporary Security Credentials][5] and [Comparing the AWS
+    # STS API operations][6] in the *IAM User Guide*.
     #
     # The temporary security credentials returned by this API consist of an
     # access key ID, a secret access key, and a security token. Applications
     # can use these temporary security credentials to sign calls to AWS
-    # service APIs.
+    # service API operations.
+    #
+    # **Session Duration**
     #
     # By default, the temporary security credentials created by
     # `AssumeRoleWithWebIdentity` last for one hour. However, you can use
@@ -777,30 +1143,68 @@ module Aws::STS
     # value for your role, see [View the Maximum Session Duration Setting
     # for a Role][7] in the *IAM User Guide*. The maximum session duration
     # limit applies when you use the `AssumeRole*` API operations or the
-    # `assume-role*` CLI operations but does not apply when you use those
-    # operations to create a console URL. For more information, see [Using
-    # IAM Roles][8] in the *IAM User Guide*.
+    # `assume-role*` CLI commands. However the limit does not apply when you
+    # use those operations to create a console URL. For more information,
+    # see [Using IAM Roles][8] in the *IAM User Guide*.
+    #
+    # **Permissions**
     #
     # The temporary security credentials created by
     # `AssumeRoleWithWebIdentity` can be used to make API calls to any AWS
     # service with the following exception: you cannot call the STS
-    # service's `GetFederationToken` or `GetSessionToken` APIs.
-    #
-    # Optionally, you can pass an IAM access policy to this operation. If
-    # you choose not to pass a policy, the temporary security credentials
-    # that are returned by the operation have the permissions that are
-    # defined in the access policy of the role that is being assumed. If you
-    # pass a policy to this operation, the temporary security credentials
-    # that are returned by the operation have the permissions that are
-    # allowed by both the access policy of the role that is being assumed,
-    # <i> <b>and</b> </i> the policy that you pass. This gives you a way to
-    # further restrict the permissions for the resulting temporary security
-    # credentials. You cannot use the passed policy to grant permissions
-    # that are in excess of those allowed by the access policy of the role
-    # that is being assumed. For more information, see [Permissions for
-    # AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity][9] in
+    # `GetFederationToken` or `GetSessionToken` API operations.
+    #
+    # (Optional) You can pass inline or managed [session policies][9] to
+    # this operation. You can pass a single JSON policy document to use as
+    # an inline session policy. You can also specify up to 10 managed
+    # policies to use as managed session policies. The plain text that you
+    # use for both inline and managed session policies can't exceed 2,048
+    # characters. Passing policies to this operation returns new temporary
+    # credentials. The resulting session's permissions are the intersection
+    # of the role's identity-based policy and the session policies. You can
+    # use the role's temporary credentials in subsequent AWS API calls to
+    # access resources in the account that owns the role. You cannot use
+    # session policies to grant more permissions than those allowed by the
+    # identity-based policy of the role that is being assumed. For more
+    # information, see [Session Policies][9] in the *IAM User Guide*.
+    #
+    # **Tags**
+    #
+    # (Optional) You can configure your IdP to pass attributes into your web
+    # identity token as session tags. Each session tag consists of a key
+    # name and an associated value. For more information about session tags,
+    # see [Passing Session Tags in STS][10] in the *IAM User Guide*.
+    #
+    # You can pass up to 50 session tags. The plain text session tag keys
+    # can’t exceed 128 characters and the values can’t exceed 256
+    # characters. For these and additional limits, see [IAM and STS
+    # Character Limits][11] in the *IAM User Guide*.
+    #
+    # <note markdown="1"> An AWS conversion compresses the passed session policies and session
+    # tags into a packed binary format that has a separate limit. Your
+    # request can fail for this limit even if your plain text meets the
+    # other requirements. The `PackedPolicySize` response element indicates
+    # by percentage how close the policies and tags for your request are to
+    # the upper size limit.
+    #
+    #  </note>
+    #
+    # You can pass a session tag with the same key as a tag that is attached
+    # to the role. When you do, the session tag overrides the role tag with
+    # the same key.
+    #
+    # An administrator must grant you the permissions necessary to pass
+    # session tags. The administrator can also create granular permissions
+    # to allow you to pass only specific session tags. For more information,
+    # see [Tutorial: Using Tags for Attribute-Based Access Control][12] in
     # the *IAM User Guide*.
     #
+    # You can set the session tags as transitive. Transitive tags persist
+    # during role chaining. For more information, see [Chaining Roles with
+    # Session Tags][13] in the *IAM User Guide*.
+    #
+    # **Identities**
+    #
     # Before your application can call `AssumeRoleWithWebIdentity`, you must
     # have an identity token from a supported identity provider and create a
     # role that the application can assume. The role that your application
@@ -809,29 +1213,30 @@ module Aws::STS
     # specified in the role's trust policy.
     #
     # Calling `AssumeRoleWithWebIdentity` can result in an entry in your AWS
-    # CloudTrail logs. The entry includes the [Subject][10] of the provided
+    # CloudTrail logs. The entry includes the [Subject][14] of the provided
     # Web Identity Token. We recommend that you avoid using any personally
     # identifiable information (PII) in this field. For example, you could
     # instead use a GUID or a pairwise identifier, as [suggested in the OIDC
-    # specification][11].
+    # specification][15].
     #
     # For more information about how to use web identity federation and the
     # `AssumeRoleWithWebIdentity` API, see the following resources:
     #
-    # * [Using Web Identity Federation APIs for Mobile Apps][12] and
-    #   [Federation Through a Web-based Identity Provider][13].
+    # * [Using Web Identity Federation API Operations for Mobile Apps][16]
+    #   and [Federation Through a Web-based Identity Provider][17].
     #
-    # * [ Web Identity Federation Playground][14]. This interactive website
-    #   lets you walk through the process of authenticating via Login with
-    #   Amazon, Facebook, or Google, getting temporary security credentials,
-    #   and then using those credentials to make a request to AWS.
+    # * [ Web Identity Federation Playground][18]. Walk through the process
+    #   of authenticating through Login with Amazon, Facebook, or Google,
+    #   getting temporary security credentials, and then using those
+    #   credentials to make a request to AWS.
     #
-    # * [AWS SDK for iOS][1] and [AWS SDK for Android][2]. These toolkits
-    #   contain sample apps that show how to invoke the identity providers,
-    #   and then how to use the information from these providers to get and
-    #   use temporary security credentials.
+    # * [AWS SDK for iOS Developer Guide][1] and [AWS SDK for Android
+    #   Developer Guide][2]. These toolkits contain sample apps that show
+    #   how to invoke the identity providers. The toolkits then show how to
+    #   use the information from these providers to get and use temporary
+    #   security credentials.
     #
-    # * [Web Identity Federation with Mobile Applications][15]. This article
+    # * [Web Identity Federation with Mobile Applications][19]. This article
     #   discusses web identity federation and shows an example of how to use
     #   web identity federation to get access to content in Amazon S3.
     #
@@ -839,19 +1244,23 @@ module Aws::STS
     #
     # [1]: http://aws.amazon.com/sdkforios/
     # [2]: http://aws.amazon.com/sdkforandroid/
-    # [3]: http://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840
-    # [4]: http://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664
-    # [5]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
-    # [6]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
-    # [7]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
-    # [8]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
-    # [9]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
-    # [10]: http://openid.net/specs/openid-connect-core-1_0.html#Claims
-    # [11]: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
-    # [12]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html
-    # [13]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
-    # [14]: https://web-identity-federation-playground.s3.amazonaws.com/index.html
-    # [15]: http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications
+    # [3]: https://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840
+    # [4]: https://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664
+    # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
+    # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
+    # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
+    # [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
+    # [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+    # [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
+    # [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
+    # [12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
+    # [13]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
+    # [14]: http://openid.net/specs/openid-connect-core-1_0.html#Claims
+    # [15]: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
+    # [16]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html
+    # [17]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
+    # [18]: https://web-identity-federation-playground.s3.amazonaws.com/index.html
+    # [19]: http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications
     #
     # @option params [required, String] :role_arn
     #   The Amazon Resource Name (ARN) of the role that the caller is
@@ -888,38 +1297,73 @@ module Aws::STS
     #
     #   Do not specify this value for OpenID Connect ID tokens.
     #
-    # @option params [String] :policy
-    #   An IAM policy in JSON format.
-    #
-    #   The policy parameter is optional. If you pass a policy, the temporary
-    #   security credentials that are returned by the operation have the
-    #   permissions that are allowed by both the access policy of the role
-    #   that is being assumed, <i> <b>and</b> </i> the policy that you pass.
-    #   This gives you a way to further restrict the permissions for the
-    #   resulting temporary security credentials. You cannot use the passed
-    #   policy to grant permissions that are in excess of those allowed by the
-    #   access policy of the role that is being assumed. For more information,
-    #   see [Permissions for AssumeRoleWithWebIdentity][1] in the *IAM User
-    #   Guide*.
+    # @option params [Array<Types::PolicyDescriptorType>] :policy_arns
+    #   The Amazon Resource Names (ARNs) of the IAM managed policies that you
+    #   want to use as managed session policies. The policies must exist in
+    #   the same account as the role.
     #
-    #   The format for this parameter, as described by its regex pattern, is a
-    #   string of characters up to 2048 characters in length. The characters
+    #   This parameter is optional. You can provide up to 10 managed policy
+    #   ARNs. However, the plain text that you use for both inline and managed
+    #   session policies can't exceed 2,048 characters. For more information
+    #   about ARNs, see [Amazon Resource Names (ARNs) and AWS Service
+    #   Namespaces][1] in the AWS General Reference.
+    #
+    #   <note markdown="1"> An AWS conversion compresses the passed session policies and session
+    #   tags into a packed binary format that has a separate limit. Your
+    #   request can fail for this limit even if your plain text meets the
+    #   other requirements. The `PackedPolicySize` response element indicates
+    #   by percentage how close the policies and tags for your request are to
+    #   the upper size limit.
+    #
+    #    </note>
+    #
+    #   Passing policies to this operation returns new temporary credentials.
+    #   The resulting session's permissions are the intersection of the
+    #   role's identity-based policy and the session policies. You can use
+    #   the role's temporary credentials in subsequent AWS API calls to
+    #   access resources in the account that owns the role. You cannot use
+    #   session policies to grant more permissions than those allowed by the
+    #   identity-based policy of the role that is being assumed. For more
+    #   information, see [Session Policies][2] in the *IAM User Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+    #
+    # @option params [String] :policy
+    #   An IAM policy in JSON format that you want to use as an inline session
+    #   policy.
+    #
+    #   This parameter is optional. Passing policies to this operation returns
+    #   new temporary credentials. The resulting session's permissions are
+    #   the intersection of the role's identity-based policy and the session
+    #   policies. You can use the role's temporary credentials in subsequent
+    #   AWS API calls to access resources in the account that owns the role.
+    #   You cannot use session policies to grant more permissions than those
+    #   allowed by the identity-based policy of the role that is being
+    #   assumed. For more information, see [Session Policies][1] in the *IAM
+    #   User Guide*.
+    #
+    #   The plain text that you use for both inline and managed session
+    #   policies can't exceed 2,048 characters. The JSON policy characters
     #   can be any ASCII character from the space character to the end of the
-    #   valid character list (\\u0020-\\u00FF). It can also include the tab
-    #   (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
+    #   valid character list (\\u0020 through \\u00FF). It can also include
+    #   the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
     #   characters.
     #
-    #   <note markdown="1"> The policy plain text must be 2048 bytes or shorter. However, an
-    #   internal conversion compresses it into a packed binary format with a
-    #   separate limit. The PackedPolicySize response element indicates by
-    #   percentage how close to the upper size limit the policy is, with 100%
-    #   equaling the maximum allowed size.
+    #   <note markdown="1"> An AWS conversion compresses the passed session policies and session
+    #   tags into a packed binary format that has a separate limit. Your
+    #   request can fail for this limit even if your plain text meets the
+    #   other requirements. The `PackedPolicySize` response element indicates
+    #   by percentage how close the policies and tags for your request are to
+    #   the upper size limit.
     #
     #    </note>
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
     #
     # @option params [Integer] :duration_seconds
     #   The duration, in seconds, of the role session. The value can range
@@ -932,7 +1376,7 @@ module Aws::STS
     #   see [View the Maximum Session Duration Setting for a Role][1] in the
     #   *IAM User Guide*.
     #
-    #   By default, the value is set to 3600 seconds.
+    #   By default, the value is set to `3600` seconds.
     #
     #   <note markdown="1"> The `DurationSeconds` parameter is separate from the duration of a
     #   console session that you might request using the returned credentials.
@@ -946,8 +1390,8 @@ module Aws::STS
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
-    #   [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
     #
     # @return [Types::AssumeRoleWithWebIdentityResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -963,6 +1407,7 @@ module Aws::STS
     #
     #   resp = client.assume_role_with_web_identity({
     #     duration_seconds: 3600, 
+    #     policy: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"Allow\",\"Action\":\"s3:ListAllMyBuckets\",\"Resource\":\"*\"}]}", 
     #     provider_id: "www.amazon.com", 
     #     role_arn: "arn:aws:iam::123456789012:role/FederatedWebIdentityRole", 
     #     role_session_name: "app1", 
@@ -994,6 +1439,11 @@ module Aws::STS
     #     role_session_name: "roleSessionNameType", # required
     #     web_identity_token: "clientTokenType", # required
     #     provider_id: "urlType",
+    #     policy_arns: [
+    #       {
+    #         arn: "arnType",
+    #       },
+    #     ],
     #     policy: "sessionPolicyDocumentType",
     #     duration_seconds: 1,
     #   })
@@ -1024,21 +1474,22 @@ module Aws::STS
     # request from an encoded message returned in response to an AWS
     # request.
     #
-    # For example, if a user is not authorized to perform an action that he
-    # or she has requested, the request returns a
+    # For example, if a user is not authorized to perform an operation that
+    # he or she has requested, the request returns a
     # `Client.UnauthorizedOperation` response (an HTTP 403 response). Some
-    # AWS actions additionally return an encoded message that can provide
+    # AWS operations additionally return an encoded message that can provide
     # details about this authorization failure.
     #
-    # <note markdown="1"> Only certain AWS actions return an encoded authorization message. The
-    # documentation for an individual action indicates whether that action
-    # returns an encoded message in addition to returning an HTTP code.
+    # <note markdown="1"> Only certain AWS operations return an encoded authorization message.
+    # The documentation for an individual operation indicates whether that
+    # operation returns an encoded message in addition to returning an HTTP
+    # code.
     #
     #  </note>
     #
     # The message is encoded because the details of the authorization status
     # can constitute privileged information that the user who requested the
-    # action should not see. To decode an authorization status message, a
+    # operation should not see. To decode an authorization status message, a
     # user must be granted permissions via an IAM policy to request the
     # `DecodeAuthorizationMessage` (`sts:DecodeAuthorizationMessage`)
     # action.
@@ -1059,7 +1510,7 @@ module Aws::STS
     #
     #
     #
-    # [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow
     #
     # @option params [required, String] :encoded_message
     #   The encoded message that was returned with the response.
@@ -1099,8 +1550,82 @@ module Aws::STS
       req.send_request(options)
     end
 
-    # Returns details about the IAM identity whose credentials are used to
-    # call the API.
+    # Returns the account identifier for the specified access key ID.
+    #
+    # Access keys consist of two parts: an access key ID (for example,
+    # `AKIAIOSFODNN7EXAMPLE`) and a secret access key (for example,
+    # `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`). For more information
+    # about access keys, see [Managing Access Keys for IAM Users][1] in the
+    # *IAM User Guide*.
+    #
+    # When you pass an access key ID to this operation, it returns the ID of
+    # the AWS account to which the keys belong. Access key IDs beginning
+    # with `AKIA` are long-term credentials for an IAM user or the AWS
+    # account root user. Access key IDs beginning with `ASIA` are temporary
+    # credentials that are created using STS operations. If the account in
+    # the response belongs to you, you can sign in as the root user and
+    # review your root user access keys. Then, you can pull a [credentials
+    # report][2] to learn which IAM user owns the keys. To learn who
+    # requested the temporary credentials for an `ASIA` access key, view the
+    # STS events in your [CloudTrail logs][3] in the *IAM User Guide*.
+    #
+    # This operation does not indicate the state of the access key. The key
+    # might be active, inactive, or deleted. Active keys might not have
+    # permissions to perform an operation. Providing a deleted access key
+    # might return an error that the key doesn't exist.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
+    # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html
+    # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html
+    #
+    # @option params [required, String] :access_key_id
+    #   The identifier of an access key.
+    #
+    #   This parameter allows (through its regex pattern) a string of
+    #   characters that can consist of any upper- or lowercase letter or
+    #   digit.
+    #
+    # @return [Types::GetAccessKeyInfoResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::GetAccessKeyInfoResponse#account #account} => String
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.get_access_key_info({
+    #     access_key_id: "accessKeyIdType", # required
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.account #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetAccessKeyInfo AWS API Documentation
+    #
+    # @overload get_access_key_info(params = {})
+    # @param [Hash] params ({})
+    def get_access_key_info(params = {}, options = {})
+      req = build_request(:get_access_key_info, params)
+      req.send_request(options)
+    end
+
+    # Returns details about the IAM user or role whose credentials are used
+    # to call the operation.
+    #
+    # <note markdown="1"> No permissions are required to perform this operation. If an
+    # administrator adds a policy to your IAM user or role that explicitly
+    # denies access to the `sts:GetCallerIdentity` action, you can still
+    # perform this operation. Permissions are not required because the same
+    # information is returned when an IAM user or role is denied access. To
+    # view an example response, see [I Am Not Authorized to Perform:
+    # iam:DeleteVirtualMFADevice][1] in the *IAM User Guide*.
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa
     #
     # @return [Types::GetCallerIdentityResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -1173,97 +1698,106 @@ module Aws::STS
     # access key ID, a secret access key, and a security token) for a
     # federated user. A typical use is in a proxy application that gets
     # temporary security credentials on behalf of distributed applications
-    # inside a corporate network. Because you must call the
-    # `GetFederationToken` action using the long-term security credentials
-    # of an IAM user, this call is appropriate in contexts where those
-    # credentials can be safely stored, usually in a server-based
-    # application. For a comparison of `GetFederationToken` with the other
-    # APIs that produce temporary credentials, see [Requesting Temporary
-    # Security Credentials][1] and [Comparing the AWS STS APIs][2] in the
+    # inside a corporate network. You must call the `GetFederationToken`
+    # operation using the long-term security credentials of an IAM user. As
+    # a result, this call is appropriate in contexts where those credentials
+    # can be safely stored, usually in a server-based application. For a
+    # comparison of `GetFederationToken` with the other API operations that
+    # produce temporary credentials, see [Requesting Temporary Security
+    # Credentials][1] and [Comparing the AWS STS API operations][2] in the
     # *IAM User Guide*.
     #
-    # <note markdown="1"> If you are creating a mobile-based or browser-based app that can
+    # <note markdown="1"> You can create a mobile-based or browser-based app that can
     # authenticate users using a web identity provider like Login with
     # Amazon, Facebook, Google, or an OpenID Connect-compatible identity
-    # provider, we recommend that you use [Amazon Cognito][3] or
-    # `AssumeRoleWithWebIdentity`. For more information, see [Federation
-    # Through a Web-based Identity Provider][4].
+    # provider. In this case, we recommend that you use [Amazon Cognito][3]
+    # or `AssumeRoleWithWebIdentity`. For more information, see [Federation
+    # Through a Web-based Identity Provider][4] in the *IAM User Guide*.
     #
     #  </note>
     #
-    # The `GetFederationToken` action must be called by using the long-term
-    # AWS security credentials of an IAM user. You can also call
-    # `GetFederationToken` using the security credentials of an AWS root
-    # account, but we do not recommended it. Instead, we recommend that you
-    # create an IAM user for the purpose of the proxy application and then
-    # attach a policy to the IAM user that limits federated users to only
-    # the actions and resources that they need access to. For more
-    # information, see [IAM Best Practices][5] in the *IAM User Guide*.
-    #
-    # The temporary security credentials that are obtained by using the
-    # long-term credentials of an IAM user are valid for the specified
-    # duration, from 900 seconds (15 minutes) up to a maximium of 129600
-    # seconds (36 hours). The default is 43200 seconds (12 hours). Temporary
-    # credentials that are obtained by using AWS root account credentials
-    # have a maximum duration of 3600 seconds (1 hour).
-    #
-    # The temporary security credentials created by `GetFederationToken` can
-    # be used to make API calls to any AWS service with the following
-    # exceptions:
+    # You can also call `GetFederationToken` using the security credentials
+    # of an AWS account root user, but we do not recommend it. Instead, we
+    # recommend that you create an IAM user for the purpose of the proxy
+    # application. Then attach a policy to the IAM user that limits
+    # federated users to only the actions and resources that they need to
+    # access. For more information, see [IAM Best Practices][5] in the *IAM
+    # User Guide*.
     #
-    # * You cannot use these credentials to call any IAM APIs.
+    # **Session duration**
     #
-    # * You cannot call any STS APIs except `GetCallerIdentity`.
+    # The temporary credentials are valid for the specified duration, from
+    # 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36
+    # hours). The default session duration is 43,200 seconds (12 hours).
+    # Temporary credentials that are obtained by using AWS account root user
+    # credentials have a maximum duration of 3,600 seconds (1 hour).
     #
     # **Permissions**
     #
-    # The permissions for the temporary security credentials returned by
-    # `GetFederationToken` are determined by a combination of the following:
-    #
-    # * The policy or policies that are attached to the IAM user whose
-    #   credentials are used to call `GetFederationToken`.
-    #
-    # * The policy that is passed as a parameter in the call.
-    #
-    # The passed policy is attached to the temporary security credentials
-    # that result from the `GetFederationToken` API call--that is, to the
-    # *federated user*. When the federated user makes an AWS request, AWS
-    # evaluates the policy attached to the federated user in combination
-    # with the policy or policies attached to the IAM user whose credentials
-    # were used to call `GetFederationToken`. AWS allows the federated
-    # user's request only when both the federated user <i> <b>and</b> </i>
-    # the IAM user are explicitly allowed to perform the requested action.
-    # The passed policy cannot grant more permissions than those that are
-    # defined in the IAM user policy.
-    #
-    # A typical use case is that the permissions of the IAM user whose
-    # credentials are used to call `GetFederationToken` are designed to
-    # allow access to all the actions and resources that any federated user
-    # will need. Then, for individual users, you pass a policy to the
-    # operation that scopes down the permissions to a level that's
-    # appropriate to that individual user, using a policy that allows only a
-    # subset of permissions that are granted to the IAM user.
-    #
-    # If you do not pass a policy, the resulting temporary security
-    # credentials have no effective permissions. The only exception is when
-    # the temporary security credentials are used to access a resource that
-    # has a resource-based policy that specifically allows the federated
-    # user to access the resource.
-    #
-    # For more information about how permissions work, see [Permissions for
-    # GetFederationToken][6]. For information about using
+    # You can use the temporary credentials created by `GetFederationToken`
+    # in any AWS service except the following:
+    #
+    # * You cannot call any IAM operations using the AWS CLI or the AWS API.
+    #
+    # * You cannot call any STS operations except `GetCallerIdentity`.
+    #
+    # You must pass an inline or managed [session policy][6] to this
+    # operation. You can pass a single JSON policy document to use as an
+    # inline session policy. You can also specify up to 10 managed policies
+    # to use as managed session policies. The plain text that you use for
+    # both inline and managed session policies can't exceed 2,048
+    # characters.
+    #
+    # Though the session policy parameters are optional, if you do not pass
+    # a policy, then the resulting federated user session has no
+    # permissions. When you pass session policies, the session permissions
+    # are the intersection of the IAM user policies and the session policies
+    # that you pass. This gives you a way to further restrict the
+    # permissions for a federated user. You cannot use session policies to
+    # grant more permissions than those that are defined in the permissions
+    # policy of the IAM user. For more information, see [Session
+    # Policies][6] in the *IAM User Guide*. For information about using
     # `GetFederationToken` to create temporary security credentials, see
     # [GetFederationToken—Federation Through a Custom Identity Broker][7].
     #
+    # You can use the credentials to access a resource that has a
+    # resource-based policy. If that policy specifically references the
+    # federated user session in the `Principal` element of the policy, the
+    # session has the permissions allowed by the policy. These permissions
+    # are granted in addition to the permissions granted by the session
+    # policies.
     #
+    # **Tags**
+    #
+    # (Optional) You can pass tag key-value pairs to your session. These are
+    # called session tags. For more information about session tags, see
+    # [Passing Session Tags in STS][8] in the *IAM User Guide*.
+    #
+    # An administrator must grant you the permissions necessary to pass
+    # session tags. The administrator can also create granular permissions
+    # to allow you to pass only specific session tags. For more information,
+    # see [Tutorial: Using Tags for Attribute-Based Access Control][9] in
+    # the *IAM User Guide*.
     #
-    # [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
-    # [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
+    # Tag key–value pairs are not case sensitive, but case is preserved.
+    # This means that you cannot have separate `Department` and `department`
+    # tag keys. Assume that the user that you are federating has the
+    # `Department`=`Marketing` tag and you pass the
+    # `department`=`engineering` session tag. `Department` and `department`
+    # are not saved as separate tags, and the session tag passed in the
+    # request takes precedence over the user tag.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
+    # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
     # [3]: http://aws.amazon.com/cognito/
-    # [4]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
-    # [5]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
-    # [6]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html
-    # [7]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken
+    # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
+    # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
+    # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+    # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken
+    # [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
+    # [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
     #
     # @option params [required, String] :name
     #   The name of the federated user. The name is used as an identifier for
@@ -1277,53 +1811,143 @@ module Aws::STS
     #   characters: =,.@-
     #
     # @option params [String] :policy
-    #   An IAM policy in JSON format that is passed with the
-    #   `GetFederationToken` call and evaluated along with the policy or
-    #   policies that are attached to the IAM user whose credentials are used
-    #   to call `GetFederationToken`. The passed policy is used to scope down
-    #   the permissions that are available to the IAM user, by allowing only a
-    #   subset of the permissions that are granted to the IAM user. The passed
-    #   policy cannot grant more permissions than those granted to the IAM
-    #   user. The final permissions for the federated user are the most
-    #   restrictive set based on the intersection of the passed policy and the
-    #   IAM user policy.
-    #
-    #   If you do not pass a policy, the resulting temporary security
-    #   credentials have no effective permissions. The only exception is when
-    #   the temporary security credentials are used to access a resource that
-    #   has a resource-based policy that specifically allows the federated
-    #   user to access the resource.
+    #   An IAM policy in JSON format that you want to use as an inline session
+    #   policy.
+    #
+    #   You must pass an inline or managed [session policy][1] to this
+    #   operation. You can pass a single JSON policy document to use as an
+    #   inline session policy. You can also specify up to 10 managed policies
+    #   to use as managed session policies.
+    #
+    #   This parameter is optional. However, if you do not pass any session
+    #   policies, then the resulting federated user session has no
+    #   permissions.
+    #
+    #   When you pass session policies, the session permissions are the
+    #   intersection of the IAM user policies and the session policies that
+    #   you pass. This gives you a way to further restrict the permissions for
+    #   a federated user. You cannot use session policies to grant more
+    #   permissions than those that are defined in the permissions policy of
+    #   the IAM user. For more information, see [Session Policies][1] in the
+    #   *IAM User Guide*.
     #
-    #   The format for this parameter, as described by its regex pattern, is a
-    #   string of characters up to 2048 characters in length. The characters
+    #   The resulting credentials can be used to access a resource that has a
+    #   resource-based policy. If that policy specifically references the
+    #   federated user session in the `Principal` element of the policy, the
+    #   session has the permissions allowed by the policy. These permissions
+    #   are granted in addition to the permissions that are granted by the
+    #   session policies.
+    #
+    #   The plain text that you use for both inline and managed session
+    #   policies can't exceed 2,048 characters. The JSON policy characters
     #   can be any ASCII character from the space character to the end of the
-    #   valid character list (\\u0020-\\u00FF). It can also include the tab
-    #   (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
+    #   valid character list (\\u0020 through \\u00FF). It can also include
+    #   the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
     #   characters.
     #
-    #   <note markdown="1"> The policy plain text must be 2048 bytes or shorter. However, an
-    #   internal conversion compresses it into a packed binary format with a
-    #   separate limit. The PackedPolicySize response element indicates by
-    #   percentage how close to the upper size limit the policy is, with 100%
-    #   equaling the maximum allowed size.
+    #   <note markdown="1"> An AWS conversion compresses the passed session policies and session
+    #   tags into a packed binary format that has a separate limit. Your
+    #   request can fail for this limit even if your plain text meets the
+    #   other requirements. The `PackedPolicySize` response element indicates
+    #   by percentage how close the policies and tags for your request are to
+    #   the upper size limit.
     #
     #    </note>
     #
-    #   For more information about how permissions work, see [Permissions for
-    #   GetFederationToken][1].
     #
     #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
     #
-    #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html
+    # @option params [Array<Types::PolicyDescriptorType>] :policy_arns
+    #   The Amazon Resource Names (ARNs) of the IAM managed policies that you
+    #   want to use as a managed session policy. The policies must exist in
+    #   the same account as the IAM user that is requesting federated access.
+    #
+    #   You must pass an inline or managed [session policy][1] to this
+    #   operation. You can pass a single JSON policy document to use as an
+    #   inline session policy. You can also specify up to 10 managed policies
+    #   to use as managed session policies. The plain text that you use for
+    #   both inline and managed session policies can't exceed 2,048
+    #   characters. You can provide up to 10 managed policy ARNs. For more
+    #   information about ARNs, see [Amazon Resource Names (ARNs) and AWS
+    #   Service Namespaces][2] in the AWS General Reference.
+    #
+    #   This parameter is optional. However, if you do not pass any session
+    #   policies, then the resulting federated user session has no
+    #   permissions.
+    #
+    #   When you pass session policies, the session permissions are the
+    #   intersection of the IAM user policies and the session policies that
+    #   you pass. This gives you a way to further restrict the permissions for
+    #   a federated user. You cannot use session policies to grant more
+    #   permissions than those that are defined in the permissions policy of
+    #   the IAM user. For more information, see [Session Policies][1] in the
+    #   *IAM User Guide*.
+    #
+    #   The resulting credentials can be used to access a resource that has a
+    #   resource-based policy. If that policy specifically references the
+    #   federated user session in the `Principal` element of the policy, the
+    #   session has the permissions allowed by the policy. These permissions
+    #   are granted in addition to the permissions that are granted by the
+    #   session policies.
+    #
+    #   <note markdown="1"> An AWS conversion compresses the passed session policies and session
+    #   tags into a packed binary format that has a separate limit. Your
+    #   request can fail for this limit even if your plain text meets the
+    #   other requirements. The `PackedPolicySize` response element indicates
+    #   by percentage how close the policies and tags for your request are to
+    #   the upper size limit.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+    #   [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
     #
     # @option params [Integer] :duration_seconds
     #   The duration, in seconds, that the session should last. Acceptable
     #   durations for federation sessions range from 900 seconds (15 minutes)
-    #   to 129600 seconds (36 hours), with 43200 seconds (12 hours) as the
-    #   default. Sessions obtained using AWS account (root) credentials are
-    #   restricted to a maximum of 3600 seconds (one hour). If the specified
-    #   duration is longer than one hour, the session obtained by using AWS
-    #   account (root) credentials defaults to one hour.
+    #   to 129,600 seconds (36 hours), with 43,200 seconds (12 hours) as the
+    #   default. Sessions obtained using AWS account root user credentials are
+    #   restricted to a maximum of 3,600 seconds (one hour). If the specified
+    #   duration is longer than one hour, the session obtained by using root
+    #   user credentials defaults to one hour.
+    #
+    # @option params [Array<Types::Tag>] :tags
+    #   A list of session tags. Each session tag consists of a key name and an
+    #   associated value. For more information about session tags, see
+    #   [Passing Session Tags in STS][1] in the *IAM User Guide*.
+    #
+    #   This parameter is optional. You can pass up to 50 session tags. The
+    #   plain text session tag keys can’t exceed 128 characters and the values
+    #   can’t exceed 256 characters. For these and additional limits, see [IAM
+    #   and STS Character Limits][2] in the *IAM User Guide*.
+    #
+    #   <note markdown="1"> An AWS conversion compresses the passed session policies and session
+    #   tags into a packed binary format that has a separate limit. Your
+    #   request can fail for this limit even if your plain text meets the
+    #   other requirements. The `PackedPolicySize` response element indicates
+    #   by percentage how close the policies and tags for your request are to
+    #   the upper size limit.
+    #
+    #    </note>
+    #
+    #   You can pass a session tag with the same key as a tag that is already
+    #   attached to the user you are federating. When you do, session tags
+    #   override a user tag with the same key.
+    #
+    #   Tag key–value pairs are not case sensitive, but case is preserved.
+    #   This means that you cannot have separate `Department` and `department`
+    #   tag keys. Assume that the role has the `Department`=`Marketing` tag
+    #   and you pass the `department`=`engineering` session tag. `Department`
+    #   and `department` are not saved as separate tags, and the session tag
+    #   passed in the request takes precedence over the role tag.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
     #
     # @return [Types::GetFederationTokenResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -1336,8 +1960,18 @@ module Aws::STS
     #
     #   resp = client.get_federation_token({
     #     duration_seconds: 3600, 
-    #     name: "Bob", 
-    #     policy: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"*\"}]}", 
+    #     name: "testFedUserSession", 
+    #     policy: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"Allow\",\"Action\":\"s3:ListAllMyBuckets\",\"Resource\":\"*\"}]}", 
+    #     tags: [
+    #       {
+    #         key: "Project", 
+    #         value: "Pegasus", 
+    #       }, 
+    #       {
+    #         key: "Cost-Center", 
+    #         value: "98765", 
+    #       }, 
+    #     ], 
     #   })
     #
     #   resp.to_h outputs the following:
@@ -1352,7 +1986,7 @@ module Aws::STS
     #       arn: "arn:aws:sts::123456789012:federated-user/Bob", 
     #       federated_user_id: "123456789012:Bob", 
     #     }, 
-    #     packed_policy_size: 6, 
+    #     packed_policy_size: 8, 
     #   }
     #
     # @example Request syntax with placeholder values
@@ -1360,7 +1994,18 @@ module Aws::STS
     #   resp = client.get_federation_token({
     #     name: "userNameType", # required
     #     policy: "sessionPolicyDocumentType",
+    #     policy_arns: [
+    #       {
+    #         arn: "arnType",
+    #       },
+    #     ],
     #     duration_seconds: 1,
+    #     tags: [
+    #       {
+    #         key: "tagKeyType", # required
+    #         value: "tagValueType", # required
+    #       },
+    #     ],
     #   })
     #
     # @example Response structure
@@ -1385,50 +2030,55 @@ module Aws::STS
     # Returns a set of temporary credentials for an AWS account or IAM user.
     # The credentials consist of an access key ID, a secret access key, and
     # a security token. Typically, you use `GetSessionToken` if you want to
-    # use MFA to protect programmatic calls to specific AWS APIs like Amazon
-    # EC2 `StopInstances`. MFA-enabled IAM users would need to call
-    # `GetSessionToken` and submit an MFA code that is associated with their
-    # MFA device. Using the temporary security credentials that are returned
-    # from the call, IAM users can then make programmatic calls to APIs that
-    # require MFA authentication. If you do not supply a correct MFA code,
-    # then the API returns an access denied error. For a comparison of
-    # `GetSessionToken` with the other APIs that produce temporary
-    # credentials, see [Requesting Temporary Security Credentials][1] and
-    # [Comparing the AWS STS APIs][2] in the *IAM User Guide*.
-    #
-    # The `GetSessionToken` action must be called by using the long-term AWS
-    # security credentials of the AWS account or an IAM user. Credentials
-    # that are created by IAM users are valid for the duration that you
-    # specify, from 900 seconds (15 minutes) up to a maximum of 129600
-    # seconds (36 hours), with a default of 43200 seconds (12 hours);
-    # credentials that are created by using account credentials can range
-    # from 900 seconds (15 minutes) up to a maximum of 3600 seconds (1
-    # hour), with a default of 1 hour.
+    # use MFA to protect programmatic calls to specific AWS API operations
+    # like Amazon EC2 `StopInstances`. MFA-enabled IAM users would need to
+    # call `GetSessionToken` and submit an MFA code that is associated with
+    # their MFA device. Using the temporary security credentials that are
+    # returned from the call, IAM users can then make programmatic calls to
+    # API operations that require MFA authentication. If you do not supply a
+    # correct MFA code, then the API returns an access denied error. For a
+    # comparison of `GetSessionToken` with the other API operations that
+    # produce temporary credentials, see [Requesting Temporary Security
+    # Credentials][1] and [Comparing the AWS STS API operations][2] in the
+    # *IAM User Guide*.
+    #
+    # **Session Duration**
+    #
+    # The `GetSessionToken` operation must be called by using the long-term
+    # AWS security credentials of the AWS account root user or an IAM user.
+    # Credentials that are created by IAM users are valid for the duration
+    # that you specify. This duration can range from 900 seconds (15
+    # minutes) up to a maximum of 129,600 seconds (36 hours), with a default
+    # of 43,200 seconds (12 hours). Credentials based on account credentials
+    # can range from 900 seconds (15 minutes) up to 3,600 seconds (1 hour),
+    # with a default of 1 hour.
+    #
+    # **Permissions**
     #
     # The temporary security credentials created by `GetSessionToken` can be
     # used to make API calls to any AWS service with the following
     # exceptions:
     #
-    # * You cannot call any IAM APIs unless MFA authentication information
-    #   is included in the request.
+    # * You cannot call any IAM API operations unless MFA authentication
+    #   information is included in the request.
     #
     # * You cannot call any STS API *except* `AssumeRole` or
     #   `GetCallerIdentity`.
     #
-    # <note markdown="1"> We recommend that you do not call `GetSessionToken` with root account
-    # credentials. Instead, follow our [best practices][3] by creating one
-    # or more IAM users, giving them the necessary permissions, and using
-    # IAM users for everyday interaction with AWS.
+    # <note markdown="1"> We recommend that you do not call `GetSessionToken` with AWS account
+    # root user credentials. Instead, follow our [best practices][3] by
+    # creating one or more IAM users, giving them the necessary permissions,
+    # and using IAM users for everyday interaction with AWS.
     #
     #  </note>
     #
-    # The permissions associated with the temporary security credentials
-    # returned by `GetSessionToken` are based on the permissions associated
-    # with account or IAM user whose credentials are used to call the
-    # action. If `GetSessionToken` is called using root account credentials,
-    # the temporary credentials have root account permissions. Similarly, if
-    # `GetSessionToken` is called using the credentials of an IAM user, the
-    # temporary credentials have the same permissions as the IAM user.
+    # The credentials that are returned by `GetSessionToken` are based on
+    # permissions associated with the user whose credentials were used to
+    # call the operation. If `GetSessionToken` is called using AWS account
+    # root user credentials, the temporary credentials have root user
+    # permissions. Similarly, if `GetSessionToken` is called using the
+    # credentials of an IAM user, the temporary credentials have the same
+    # permissions as the IAM user.
     #
     # For more information about using `GetSessionToken` to create temporary
     # credentials, go to [Temporary Credentials for Users in Untrusted
@@ -1436,18 +2086,18 @@ module Aws::STS
     #
     #
     #
-    # [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
-    # [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
-    # [3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users
-    # [4]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
+    # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
+    # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users
+    # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken
     #
     # @option params [Integer] :duration_seconds
     #   The duration, in seconds, that the credentials should remain valid.
     #   Acceptable durations for IAM user sessions range from 900 seconds (15
-    #   minutes) to 129600 seconds (36 hours), with 43200 seconds (12 hours)
+    #   minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12 hours)
     #   as the default. Sessions for AWS account owners are restricted to a
-    #   maximum of 3600 seconds (one hour). If the duration is longer than one
-    #   hour, the session for AWS account owners defaults to one hour.
+    #   maximum of 3,600 seconds (one hour). If the duration is longer than
+    #   one hour, the session for AWS account owners defaults to one hour.
     #
     # @option params [String] :serial_number
     #   The identification number of the MFA device that is associated with
@@ -1459,7 +2109,7 @@ module Aws::STS
     #   device for an IAM user by going to the AWS Management Console and
     #   viewing the user's security credentials.
     #
-    #   The regex used to validated this parameter is a string of characters
+    #   The regex used to validate this parameter is a string of characters
     #   consisting of upper- and lower-case alphanumeric characters with no
     #   spaces. You can also include underscores or any of the following
     #   characters: =,.@:/-
@@ -1467,9 +2117,9 @@ module Aws::STS
     # @option params [String] :token_code
     #   The value provided by the MFA device, if MFA is required. If any
     #   policy requires the IAM user to submit an MFA code, specify this
-    #   value. If MFA authentication is required, and the user does not
-    #   provide a code when requesting a set of temporary security
-    #   credentials, the user will receive an "access denied" response when
+    #   value. If MFA authentication is required, the user must provide a code
+    #   when requesting a set of temporary security credentials. A user who
+    #   fails to provide the code receives an "access denied" response when
     #   requesting resources that require MFA authentication.
     #
     #   The format for this parameter, as described by its regex pattern, is a
@@ -1535,7 +2185,7 @@ module Aws::STS
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-core'
-      context[:gem_version] = '3.46.0'
+      context[:gem_version] = '3.94.0'
       Seahorse::Client::Request.new(handlers, context)
     end