aws-sdk-core 3.46.0 → 3.94.0

data/lib/aws-sdk-sts/client_api.rb

@@ -24,6 +24,8 @@ module Aws::STS
     DecodeAuthorizationMessageResponse = Shapes::StructureShape.new(name: 'DecodeAuthorizationMessageResponse')
     ExpiredTokenException = Shapes::StructureShape.new(name: 'ExpiredTokenException')
     FederatedUser = Shapes::StructureShape.new(name: 'FederatedUser')
+    GetAccessKeyInfoRequest = Shapes::StructureShape.new(name: 'GetAccessKeyInfoRequest')
+    GetAccessKeyInfoResponse = Shapes::StructureShape.new(name: 'GetAccessKeyInfoResponse')
     GetCallerIdentityRequest = Shapes::StructureShape.new(name: 'GetCallerIdentityRequest')
     GetCallerIdentityResponse = Shapes::StructureShape.new(name: 'GetCallerIdentityResponse')
     GetFederationTokenRequest = Shapes::StructureShape.new(name: 'GetFederationTokenRequest')
@@ -38,10 +40,12 @@ module Aws::STS
     MalformedPolicyDocumentException = Shapes::StructureShape.new(name: 'MalformedPolicyDocumentException')
     NameQualifier = Shapes::StringShape.new(name: 'NameQualifier')
     PackedPolicyTooLargeException = Shapes::StructureShape.new(name: 'PackedPolicyTooLargeException')
+    PolicyDescriptorType = Shapes::StructureShape.new(name: 'PolicyDescriptorType')
     RegionDisabledException = Shapes::StructureShape.new(name: 'RegionDisabledException')
     SAMLAssertionType = Shapes::StringShape.new(name: 'SAMLAssertionType')
     Subject = Shapes::StringShape.new(name: 'Subject')
     SubjectType = Shapes::StringShape.new(name: 'SubjectType')
+    Tag = Shapes::StructureShape.new(name: 'Tag')
     accessKeyIdType = Shapes::StringShape.new(name: 'accessKeyIdType')
     accessKeySecretType = Shapes::StringShape.new(name: 'accessKeySecretType')
     accountType = Shapes::StringShape.new(name: 'accountType')
@@ -62,11 +66,16 @@ module Aws::STS
     malformedPolicyDocumentMessage = Shapes::StringShape.new(name: 'malformedPolicyDocumentMessage')
     nonNegativeIntegerType = Shapes::IntegerShape.new(name: 'nonNegativeIntegerType')
     packedPolicyTooLargeMessage = Shapes::StringShape.new(name: 'packedPolicyTooLargeMessage')
+    policyDescriptorListType = Shapes::ListShape.new(name: 'policyDescriptorListType')
     regionDisabledMessage = Shapes::StringShape.new(name: 'regionDisabledMessage')
     roleDurationSecondsType = Shapes::IntegerShape.new(name: 'roleDurationSecondsType')
     roleSessionNameType = Shapes::StringShape.new(name: 'roleSessionNameType')
     serialNumberType = Shapes::StringShape.new(name: 'serialNumberType')
     sessionPolicyDocumentType = Shapes::StringShape.new(name: 'sessionPolicyDocumentType')
+    tagKeyListType = Shapes::ListShape.new(name: 'tagKeyListType')
+    tagKeyType = Shapes::StringShape.new(name: 'tagKeyType')
+    tagListType = Shapes::ListShape.new(name: 'tagListType')
+    tagValueType = Shapes::StringShape.new(name: 'tagValueType')
     tokenCodeType = Shapes::StringShape.new(name: 'tokenCodeType')
     tokenType = Shapes::StringShape.new(name: 'tokenType')
     urlType = Shapes::StringShape.new(name: 'urlType')
@@ -76,8 +85,11 @@ module Aws::STS
 
     AssumeRoleRequest.add_member(:role_arn, Shapes::ShapeRef.new(shape: arnType, required: true, location_name: "RoleArn"))
     AssumeRoleRequest.add_member(:role_session_name, Shapes::ShapeRef.new(shape: roleSessionNameType, required: true, location_name: "RoleSessionName"))
+    AssumeRoleRequest.add_member(:policy_arns, Shapes::ShapeRef.new(shape: policyDescriptorListType, location_name: "PolicyArns"))
     AssumeRoleRequest.add_member(:policy, Shapes::ShapeRef.new(shape: sessionPolicyDocumentType, location_name: "Policy"))
     AssumeRoleRequest.add_member(:duration_seconds, Shapes::ShapeRef.new(shape: roleDurationSecondsType, location_name: "DurationSeconds"))
+    AssumeRoleRequest.add_member(:tags, Shapes::ShapeRef.new(shape: tagListType, location_name: "Tags"))
+    AssumeRoleRequest.add_member(:transitive_tag_keys, Shapes::ShapeRef.new(shape: tagKeyListType, location_name: "TransitiveTagKeys"))
     AssumeRoleRequest.add_member(:external_id, Shapes::ShapeRef.new(shape: externalIdType, location_name: "ExternalId"))
     AssumeRoleRequest.add_member(:serial_number, Shapes::ShapeRef.new(shape: serialNumberType, location_name: "SerialNumber"))
     AssumeRoleRequest.add_member(:token_code, Shapes::ShapeRef.new(shape: tokenCodeType, location_name: "TokenCode"))
@@ -91,6 +103,7 @@ module Aws::STS
     AssumeRoleWithSAMLRequest.add_member(:role_arn, Shapes::ShapeRef.new(shape: arnType, required: true, location_name: "RoleArn"))
     AssumeRoleWithSAMLRequest.add_member(:principal_arn, Shapes::ShapeRef.new(shape: arnType, required: true, location_name: "PrincipalArn"))
     AssumeRoleWithSAMLRequest.add_member(:saml_assertion, Shapes::ShapeRef.new(shape: SAMLAssertionType, required: true, location_name: "SAMLAssertion"))
+    AssumeRoleWithSAMLRequest.add_member(:policy_arns, Shapes::ShapeRef.new(shape: policyDescriptorListType, location_name: "PolicyArns"))
     AssumeRoleWithSAMLRequest.add_member(:policy, Shapes::ShapeRef.new(shape: sessionPolicyDocumentType, location_name: "Policy"))
     AssumeRoleWithSAMLRequest.add_member(:duration_seconds, Shapes::ShapeRef.new(shape: roleDurationSecondsType, location_name: "DurationSeconds"))
     AssumeRoleWithSAMLRequest.struct_class = Types::AssumeRoleWithSAMLRequest
@@ -109,6 +122,7 @@ module Aws::STS
     AssumeRoleWithWebIdentityRequest.add_member(:role_session_name, Shapes::ShapeRef.new(shape: roleSessionNameType, required: true, location_name: "RoleSessionName"))
     AssumeRoleWithWebIdentityRequest.add_member(:web_identity_token, Shapes::ShapeRef.new(shape: clientTokenType, required: true, location_name: "WebIdentityToken"))
     AssumeRoleWithWebIdentityRequest.add_member(:provider_id, Shapes::ShapeRef.new(shape: urlType, location_name: "ProviderId"))
+    AssumeRoleWithWebIdentityRequest.add_member(:policy_arns, Shapes::ShapeRef.new(shape: policyDescriptorListType, location_name: "PolicyArns"))
     AssumeRoleWithWebIdentityRequest.add_member(:policy, Shapes::ShapeRef.new(shape: sessionPolicyDocumentType, location_name: "Policy"))
     AssumeRoleWithWebIdentityRequest.add_member(:duration_seconds, Shapes::ShapeRef.new(shape: roleDurationSecondsType, location_name: "DurationSeconds"))
     AssumeRoleWithWebIdentityRequest.struct_class = Types::AssumeRoleWithWebIdentityRequest
@@ -137,10 +151,19 @@ module Aws::STS
     DecodeAuthorizationMessageResponse.add_member(:decoded_message, Shapes::ShapeRef.new(shape: decodedMessageType, location_name: "DecodedMessage"))
     DecodeAuthorizationMessageResponse.struct_class = Types::DecodeAuthorizationMessageResponse
 
+    ExpiredTokenException.add_member(:message, Shapes::ShapeRef.new(shape: expiredIdentityTokenMessage, location_name: "message"))
+    ExpiredTokenException.struct_class = Types::ExpiredTokenException
+
     FederatedUser.add_member(:federated_user_id, Shapes::ShapeRef.new(shape: federatedIdType, required: true, location_name: "FederatedUserId"))
     FederatedUser.add_member(:arn, Shapes::ShapeRef.new(shape: arnType, required: true, location_name: "Arn"))
     FederatedUser.struct_class = Types::FederatedUser
 
+    GetAccessKeyInfoRequest.add_member(:access_key_id, Shapes::ShapeRef.new(shape: accessKeyIdType, required: true, location_name: "AccessKeyId"))
+    GetAccessKeyInfoRequest.struct_class = Types::GetAccessKeyInfoRequest
+
+    GetAccessKeyInfoResponse.add_member(:account, Shapes::ShapeRef.new(shape: accountType, location_name: "Account"))
+    GetAccessKeyInfoResponse.struct_class = Types::GetAccessKeyInfoResponse
+
     GetCallerIdentityRequest.struct_class = Types::GetCallerIdentityRequest
 
     GetCallerIdentityResponse.add_member(:user_id, Shapes::ShapeRef.new(shape: userIdType, location_name: "UserId"))
@@ -150,7 +173,9 @@ module Aws::STS
 
     GetFederationTokenRequest.add_member(:name, Shapes::ShapeRef.new(shape: userNameType, required: true, location_name: "Name"))
     GetFederationTokenRequest.add_member(:policy, Shapes::ShapeRef.new(shape: sessionPolicyDocumentType, location_name: "Policy"))
+    GetFederationTokenRequest.add_member(:policy_arns, Shapes::ShapeRef.new(shape: policyDescriptorListType, location_name: "PolicyArns"))
     GetFederationTokenRequest.add_member(:duration_seconds, Shapes::ShapeRef.new(shape: durationSecondsType, location_name: "DurationSeconds"))
+    GetFederationTokenRequest.add_member(:tags, Shapes::ShapeRef.new(shape: tagListType, location_name: "Tags"))
     GetFederationTokenRequest.struct_class = Types::GetFederationTokenRequest
 
     GetFederationTokenResponse.add_member(:credentials, Shapes::ShapeRef.new(shape: Credentials, location_name: "Credentials"))
@@ -166,6 +191,40 @@ module Aws::STS
     GetSessionTokenResponse.add_member(:credentials, Shapes::ShapeRef.new(shape: Credentials, location_name: "Credentials"))
     GetSessionTokenResponse.struct_class = Types::GetSessionTokenResponse
 
+    IDPCommunicationErrorException.add_member(:message, Shapes::ShapeRef.new(shape: idpCommunicationErrorMessage, location_name: "message"))
+    IDPCommunicationErrorException.struct_class = Types::IDPCommunicationErrorException
+
+    IDPRejectedClaimException.add_member(:message, Shapes::ShapeRef.new(shape: idpRejectedClaimMessage, location_name: "message"))
+    IDPRejectedClaimException.struct_class = Types::IDPRejectedClaimException
+
+    InvalidAuthorizationMessageException.add_member(:message, Shapes::ShapeRef.new(shape: invalidAuthorizationMessage, location_name: "message"))
+    InvalidAuthorizationMessageException.struct_class = Types::InvalidAuthorizationMessageException
+
+    InvalidIdentityTokenException.add_member(:message, Shapes::ShapeRef.new(shape: invalidIdentityTokenMessage, location_name: "message"))
+    InvalidIdentityTokenException.struct_class = Types::InvalidIdentityTokenException
+
+    MalformedPolicyDocumentException.add_member(:message, Shapes::ShapeRef.new(shape: malformedPolicyDocumentMessage, location_name: "message"))
+    MalformedPolicyDocumentException.struct_class = Types::MalformedPolicyDocumentException
+
+    PackedPolicyTooLargeException.add_member(:message, Shapes::ShapeRef.new(shape: packedPolicyTooLargeMessage, location_name: "message"))
+    PackedPolicyTooLargeException.struct_class = Types::PackedPolicyTooLargeException
+
+    PolicyDescriptorType.add_member(:arn, Shapes::ShapeRef.new(shape: arnType, location_name: "arn"))
+    PolicyDescriptorType.struct_class = Types::PolicyDescriptorType
+
+    RegionDisabledException.add_member(:message, Shapes::ShapeRef.new(shape: regionDisabledMessage, location_name: "message"))
+    RegionDisabledException.struct_class = Types::RegionDisabledException
+
+    Tag.add_member(:key, Shapes::ShapeRef.new(shape: tagKeyType, required: true, location_name: "Key"))
+    Tag.add_member(:value, Shapes::ShapeRef.new(shape: tagValueType, required: true, location_name: "Value"))
+    Tag.struct_class = Types::Tag
+
+    policyDescriptorListType.member = Shapes::ShapeRef.new(shape: PolicyDescriptorType)
+
+    tagKeyListType.member = Shapes::ShapeRef.new(shape: tagKeyType)
+
+    tagListType.member = Shapes::ShapeRef.new(shape: Tag)
+
 
     # @api private
     API = Seahorse::Model::Api.new.tap do |api|
@@ -236,6 +295,14 @@ module Aws::STS
         o.errors << Shapes::ShapeRef.new(shape: InvalidAuthorizationMessageException)
       end)
 
+      api.add_operation(:get_access_key_info, Seahorse::Model::Operation.new.tap do |o|
+        o.name = "GetAccessKeyInfo"
+        o.http_method = "POST"
+        o.http_request_uri = "/"
+        o.input = Shapes::ShapeRef.new(shape: GetAccessKeyInfoRequest)
+        o.output = Shapes::ShapeRef.new(shape: GetAccessKeyInfoResponse)
+      end)
+
       api.add_operation(:get_caller_identity, Seahorse::Model::Operation.new.tap do |o|
         o.name = "GetCallerIdentity"
         o.http_method = "POST"

data/lib/aws-sdk-sts/customizations.rb

@@ -0,0 +1,2 @@
+# utility classes
+require 'aws-sdk-sts/presigner'

data/lib/aws-sdk-sts/errors.rb

@@ -6,9 +6,159 @@
 # WARNING ABOUT GENERATED CODE
 
 module Aws::STS
+
+  # When STS returns an error response, the Ruby SDK constructs and raises an error.
+  # These errors all extend Aws::STS::Errors::ServiceError < {Aws::Errors::ServiceError}
+  #
+  # You can rescue all STS errors using ServiceError:
+  #
+  #     begin
+  #       # do stuff
+  #     rescue Aws::STS::Errors::ServiceError
+  #       # rescues all STS API errors
+  #     end
+  #
+  #
+  # ## Request Context
+  # ServiceError objects have a {Aws::Errors::ServiceError#context #context} method that returns
+  # information about the request that generated the error.
+  # See {Seahorse::Client::RequestContext} for more information.
+  #
+  # ## Error Classes
+  # * {ExpiredTokenException}
+  # * {IDPCommunicationErrorException}
+  # * {IDPRejectedClaimException}
+  # * {InvalidAuthorizationMessageException}
+  # * {InvalidIdentityTokenException}
+  # * {MalformedPolicyDocumentException}
+  # * {PackedPolicyTooLargeException}
+  # * {RegionDisabledException}
+  #
+  # Additionally, error classes are dynamically generated for service errors based on the error code
+  # if they are not defined above.
   module Errors
 
     extend Aws::Errors::DynamicErrors
 
+    class ExpiredTokenException < ServiceError
+
+      # @param [Seahorse::Client::RequestContext] context
+      # @param [String] message
+      # @param [Aws::STS::Types::ExpiredTokenException] data
+      def initialize(context, message, data = Aws::EmptyStructure.new)
+        super(context, message, data)
+      end
+
+      # @return [String]
+      def message
+        @message || @data[:message]
+      end
+    end
+
+    class IDPCommunicationErrorException < ServiceError
+
+      # @param [Seahorse::Client::RequestContext] context
+      # @param [String] message
+      # @param [Aws::STS::Types::IDPCommunicationErrorException] data
+      def initialize(context, message, data = Aws::EmptyStructure.new)
+        super(context, message, data)
+      end
+
+      # @return [String]
+      def message
+        @message || @data[:message]
+      end
+    end
+
+    class IDPRejectedClaimException < ServiceError
+
+      # @param [Seahorse::Client::RequestContext] context
+      # @param [String] message
+      # @param [Aws::STS::Types::IDPRejectedClaimException] data
+      def initialize(context, message, data = Aws::EmptyStructure.new)
+        super(context, message, data)
+      end
+
+      # @return [String]
+      def message
+        @message || @data[:message]
+      end
+    end
+
+    class InvalidAuthorizationMessageException < ServiceError
+
+      # @param [Seahorse::Client::RequestContext] context
+      # @param [String] message
+      # @param [Aws::STS::Types::InvalidAuthorizationMessageException] data
+      def initialize(context, message, data = Aws::EmptyStructure.new)
+        super(context, message, data)
+      end
+
+      # @return [String]
+      def message
+        @message || @data[:message]
+      end
+    end
+
+    class InvalidIdentityTokenException < ServiceError
+
+      # @param [Seahorse::Client::RequestContext] context
+      # @param [String] message
+      # @param [Aws::STS::Types::InvalidIdentityTokenException] data
+      def initialize(context, message, data = Aws::EmptyStructure.new)
+        super(context, message, data)
+      end
+
+      # @return [String]
+      def message
+        @message || @data[:message]
+      end
+    end
+
+    class MalformedPolicyDocumentException < ServiceError
+
+      # @param [Seahorse::Client::RequestContext] context
+      # @param [String] message
+      # @param [Aws::STS::Types::MalformedPolicyDocumentException] data
+      def initialize(context, message, data = Aws::EmptyStructure.new)
+        super(context, message, data)
+      end
+
+      # @return [String]
+      def message
+        @message || @data[:message]
+      end
+    end
+
+    class PackedPolicyTooLargeException < ServiceError
+
+      # @param [Seahorse::Client::RequestContext] context
+      # @param [String] message
+      # @param [Aws::STS::Types::PackedPolicyTooLargeException] data
+      def initialize(context, message, data = Aws::EmptyStructure.new)
+        super(context, message, data)
+      end
+
+      # @return [String]
+      def message
+        @message || @data[:message]
+      end
+    end
+
+    class RegionDisabledException < ServiceError
+
+      # @param [Seahorse::Client::RequestContext] context
+      # @param [String] message
+      # @param [Aws::STS::Types::RegionDisabledException] data
+      def initialize(context, message, data = Aws::EmptyStructure.new)
+        super(context, message, data)
+      end
+
+      # @return [String]
+      def message
+        @message || @data[:message]
+      end
+    end
+
   end
 end

data/lib/aws-sdk-sts/plugins/sts_regional_endpoints.rb

@@ -0,0 +1,32 @@
+module Aws
+  module STS
+    module Plugins
+
+      class STSRegionalEndpoints < Seahorse::Client::Plugin
+
+        option(:sts_regional_endpoints,
+          default: 'regional',
+          doc_type: String,
+          docstring: <<-DOCS) do |cfg|
+Passing in 'regional' to enable regional endpoint for STS for all supported
+regions (except 'aws-global'). Using 'legacy' mode will force all legacy 
+regions to resolve to the STS global endpoint.
+          DOCS
+          resolve_sts_regional_endpoints(cfg)
+        end
+
+        private
+        
+        def self.resolve_sts_regional_endpoints(cfg)
+          env_mode = ENV['AWS_STS_REGIONAL_ENDPOINTS']
+          env_mode = nil if env_mode == ''
+          cfg_mode = Aws.shared_config.sts_regional_endpoints(
+            profile: cfg.profile)
+          env_mode || cfg_mode || 'regional'
+        end
+
+      end
+
+    end
+  end
+end

data/lib/aws-sdk-sts/presigner.rb

@@ -0,0 +1,67 @@
+require 'aws-sigv4'
+
+module Aws
+  module STS
+    # Allows you to create presigned URLs for STS operations.
+    #
+    # @example
+    #
+    #   signer = Aws::STS::Presigner.new
+    #   url = signer.get_caller_identity_presigned_url(
+    #     headers: {"X-K8s-Aws-Id" => 'my-eks-cluster'}
+    #   )
+    class Presigner
+      # @option options [Client] :client Optionally provide an existing
+      #   STS client
+      def initialize(options = {})
+        @client = options[:client] || Aws::STS::Client.new
+      end
+
+      # Returns a presigned url for get_caller_identity.
+      #
+      # @option options [Hash] :headers
+      #   Headers that should be signed and sent along with the request. All
+      #   x-amz-* headers must be present during signing. Other headers are
+      #   optional.
+      #
+      # @return [String] A presigned url string.
+      #
+      # @example
+      #
+      #   url = signer.get_caller_identity_presigned_url(
+      #     headers: {"X-K8s-Aws-Id" => 'my-eks-cluster'},
+      #   )
+      #
+      # This can be easily converted to a token used by the EKS service:
+      # {https://ruby-doc.org/stdlib-2.3.1/libdoc/base64/rdoc/Base64.html#method-i-encode64}
+      # "k8s-aws-v1." + Base64.urlsafe_encode64(url).chomp("==")
+      def get_caller_identity_presigned_url(options = {})
+        req = @client.build_request(:get_session_token, {})
+
+        param_list = Aws::Query::ParamList.new
+        param_list.set('Action', 'GetCallerIdentity')
+        param_list.set('Version', req.context.config.api.version)
+        Aws::Query::EC2ParamBuilder.new(param_list)
+          .apply(req.context.operation.input, {})
+
+        signer = Aws::Sigv4::Signer.new(
+          service: 'sts',
+          region: req.context.config.region,
+          credentials_provider: req.context.config.credentials
+        )
+
+        url = Aws::Partitions::EndpointProvider.resolve(
+          req.context.config.region, 'sts', 'regional'
+        )
+        url += "/?#{param_list}"
+
+        signer.presign_url(
+          http_method: 'GET',
+          url: url,
+          body: '',
+          headers: options[:headers]
+        ).to_s
+      end
+    end
+  end
+end

data/lib/aws-sdk-sts/resource.rb

@@ -6,6 +6,7 @@
 # WARNING ABOUT GENERATED CODE
 
 module Aws::STS
+
   class Resource
 
     # @param options ({})

data/lib/aws-sdk-sts/types.rb

@@ -14,8 +14,20 @@ module Aws::STS
     #       {
     #         role_arn: "arnType", # required
     #         role_session_name: "roleSessionNameType", # required
+    #         policy_arns: [
+    #           {
+    #             arn: "arnType",
+    #           },
+    #         ],
     #         policy: "sessionPolicyDocumentType",
     #         duration_seconds: 1,
+    #         tags: [
+    #           {
+    #             key: "tagKeyType", # required
+    #             value: "tagValueType", # required
+    #           },
+    #         ],
+    #         transitive_tag_keys: ["tagKeyType"],
     #         external_id: "externalIdType",
     #         serial_number: "serialNumberType",
     #         token_code: "tokenCodeType",
@@ -34,8 +46,8 @@ module Aws::STS
     #   visible to, and can be logged by the account that owns the role. The
     #   role session name is also used in the ARN of the assumed role
     #   principal. This means that subsequent cross-account API requests
-    #   using the temporary security credentials will expose the role
-    #   session name to the external account in their CloudTrail logs.
+    #   that use the temporary security credentials will expose the role
+    #   session name to the external account in their AWS CloudTrail logs.
     #
     #   The regex used to validate this parameter is a string of characters
     #   consisting of upper- and lower-case alphanumeric characters with no
@@ -43,39 +55,75 @@ module Aws::STS
     #   characters: =,.@-
     #   @return [String]
     #
-    # @!attribute [rw] policy
-    #   An IAM policy in JSON format.
-    #
-    #   This parameter is optional. If you pass a policy, the temporary
-    #   security credentials that are returned by the operation have the
-    #   permissions that are allowed by both (the intersection of) the
-    #   access policy of the role that is being assumed, *and* the policy
-    #   that you pass. This gives you a way to further restrict the
-    #   permissions for the resulting temporary security credentials. You
-    #   cannot use the passed policy to grant permissions that are in excess
-    #   of those allowed by the access policy of the role that is being
-    #   assumed. For more information, see [Permissions for AssumeRole,
-    #   AssumeRoleWithSAML, and AssumeRoleWithWebIdentity][1] in the *IAM
-    #   User Guide*.
+    # @!attribute [rw] policy_arns
+    #   The Amazon Resource Names (ARNs) of the IAM managed policies that
+    #   you want to use as managed session policies. The policies must exist
+    #   in the same account as the role.
     #
-    #   The format for this parameter, as described by its regex pattern, is
-    #   a string of characters up to 2048 characters in length. The
-    #   characters can be any ASCII character from the space character to
-    #   the end of the valid character list (\\u0020-\\u00FF). It can also
+    #   This parameter is optional. You can provide up to 10 managed policy
+    #   ARNs. However, the plain text that you use for both inline and
+    #   managed session policies can't exceed 2,048 characters. For more
+    #   information about ARNs, see [Amazon Resource Names (ARNs) and AWS
+    #   Service Namespaces][1] in the AWS General Reference.
+    #
+    #   <note markdown="1"> An AWS conversion compresses the passed session policies and session
+    #   tags into a packed binary format that has a separate limit. Your
+    #   request can fail for this limit even if your plain text meets the
+    #   other requirements. The `PackedPolicySize` response element
+    #   indicates by percentage how close the policies and tags for your
+    #   request are to the upper size limit.
+    #
+    #    </note>
+    #
+    #   Passing policies to this operation returns new temporary
+    #   credentials. The resulting session's permissions are the
+    #   intersection of the role's identity-based policy and the session
+    #   policies. You can use the role's temporary credentials in
+    #   subsequent AWS API calls to access resources in the account that
+    #   owns the role. You cannot use session policies to grant more
+    #   permissions than those allowed by the identity-based policy of the
+    #   role that is being assumed. For more information, see [Session
+    #   Policies][2] in the *IAM User Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+    #   @return [Array<Types::PolicyDescriptorType>]
+    #
+    # @!attribute [rw] policy
+    #   An IAM policy in JSON format that you want to use as an inline
+    #   session policy.
+    #
+    #   This parameter is optional. Passing policies to this operation
+    #   returns new temporary credentials. The resulting session's
+    #   permissions are the intersection of the role's identity-based
+    #   policy and the session policies. You can use the role's temporary
+    #   credentials in subsequent AWS API calls to access resources in the
+    #   account that owns the role. You cannot use session policies to grant
+    #   more permissions than those allowed by the identity-based policy of
+    #   the role that is being assumed. For more information, see [Session
+    #   Policies][1] in the *IAM User Guide*.
+    #
+    #   The plain text that you use for both inline and managed session
+    #   policies can't exceed 2,048 characters. The JSON policy characters
+    #   can be any ASCII character from the space character to the end of
+    #   the valid character list (\\u0020 through \\u00FF). It can also
     #   include the tab (\\u0009), linefeed (\\u000A), and carriage return
     #   (\\u000D) characters.
     #
-    #   <note markdown="1"> The policy plain text must be 2048 bytes or shorter. However, an
-    #   internal conversion compresses it into a packed binary format with a
-    #   separate limit. The PackedPolicySize response element indicates by
-    #   percentage how close to the upper size limit the policy is, with
-    #   100% equaling the maximum allowed size.
+    #   <note markdown="1"> An AWS conversion compresses the passed session policies and session
+    #   tags into a packed binary format that has a separate limit. Your
+    #   request can fail for this limit even if your plain text meets the
+    #   other requirements. The `PackedPolicySize` response element
+    #   indicates by percentage how close the policies and tags for your
+    #   request are to the upper size limit.
     #
     #    </note>
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
     #   @return [String]
     #
     # @!attribute [rw] duration_seconds
@@ -89,7 +137,7 @@ module Aws::STS
     #   value for your role, see [View the Maximum Session Duration Setting
     #   for a Role][1] in the *IAM User Guide*.
     #
-    #   By default, the value is set to 3600 seconds.
+    #   By default, the value is set to `3600` seconds.
     #
     #   <note markdown="1"> The `DurationSeconds` parameter is separate from the duration of a
     #   console session that you might request using the returned
@@ -103,30 +151,96 @@ module Aws::STS
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
-    #   [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
     #   @return [Integer]
     #
+    # @!attribute [rw] tags
+    #   A list of session tags that you want to pass. Each session tag
+    #   consists of a key name and an associated value. For more information
+    #   about session tags, see [Tagging AWS STS Sessions][1] in the *IAM
+    #   User Guide*.
+    #
+    #   This parameter is optional. You can pass up to 50 session tags. The
+    #   plain text session tag keys can’t exceed 128 characters, and the
+    #   values can’t exceed 256 characters. For these and additional limits,
+    #   see [IAM and STS Character Limits][2] in the *IAM User Guide*.
+    #
+    #   <note markdown="1"> An AWS conversion compresses the passed session policies and session
+    #   tags into a packed binary format that has a separate limit. Your
+    #   request can fail for this limit even if your plain text meets the
+    #   other requirements. The `PackedPolicySize` response element
+    #   indicates by percentage how close the policies and tags for your
+    #   request are to the upper size limit.
+    #
+    #    </note>
+    #
+    #   You can pass a session tag with the same key as a tag that is
+    #   already attached to the role. When you do, session tags override a
+    #   role tag with the same key.
+    #
+    #   Tag key–value pairs are not case sensitive, but case is preserved.
+    #   This means that you cannot have separate `Department` and
+    #   `department` tag keys. Assume that the role has the
+    #   `Department`=`Marketing` tag and you pass the
+    #   `department`=`engineering` session tag. `Department` and
+    #   `department` are not saved as separate tags, and the session tag
+    #   passed in the request takes precedence over the role tag.
+    #
+    #   Additionally, if you used temporary credentials to perform this
+    #   operation, the new session inherits any transitive session tags from
+    #   the calling session. If you pass a session tag with the same key as
+    #   an inherited tag, the operation fails. To view the inherited tags
+    #   for a session, see the AWS CloudTrail logs. For more information,
+    #   see [Viewing Session Tags in CloudTrail][3] in the *IAM User Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
+    #   [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/session-tags.html#id_session-tags_ctlogs
+    #   @return [Array<Types::Tag>]
+    #
+    # @!attribute [rw] transitive_tag_keys
+    #   A list of keys for session tags that you want to set as transitive.
+    #   If you set a tag key as transitive, the corresponding key and value
+    #   passes to subsequent sessions in a role chain. For more information,
+    #   see [Chaining Roles with Session Tags][1] in the *IAM User Guide*.
+    #
+    #   This parameter is optional. When you set session tags as transitive,
+    #   the session policy and session tags packed binary limit is not
+    #   affected.
+    #
+    #   If you choose not to specify a transitive tag key, then no tags are
+    #   passed from this session to any subsequent sessions.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
+    #   @return [Array<String>]
+    #
     # @!attribute [rw] external_id
-    #   A unique identifier that is used by third parties when assuming
-    #   roles in their customers' accounts. For each role that the third
-    #   party can assume, they should instruct their customers to ensure the
-    #   role's trust policy checks for the external ID that the third party
-    #   generated. Each time the third party assumes the role, they should
-    #   pass the customer's external ID. The external ID is useful in order
-    #   to help third parties bind a role to the customer who created it.
-    #   For more information about the external ID, see [How to Use an
-    #   External ID When Granting Access to Your AWS Resources to a Third
+    #   A unique identifier that might be required when you assume a role in
+    #   another account. If the administrator of the account to which the
+    #   role belongs provided you with an external ID, then provide that
+    #   value in the `ExternalId` parameter. This value can be any string,
+    #   such as a passphrase or account number. A cross-account role is
+    #   usually set up to trust everyone in an account. Therefore, the
+    #   administrator of the trusting account might send an external ID to
+    #   the administrator of the trusted account. That way, only someone
+    #   with the ID can assume the role, rather than everyone in the
+    #   account. For more information about the external ID, see [How to Use
+    #   an External ID When Granting Access to Your AWS Resources to a Third
     #   Party][1] in the *IAM User Guide*.
     #
-    #   The regex used to validated this parameter is a string of characters
+    #   The regex used to validate this parameter is a string of characters
     #   consisting of upper- and lower-case alphanumeric characters with no
     #   spaces. You can also include underscores or any of the following
     #   characters: =,.@:/-
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
     #   @return [String]
     #
     # @!attribute [rw] serial_number
@@ -160,8 +274,11 @@ module Aws::STS
     class AssumeRoleRequest < Struct.new(
       :role_arn,
       :role_session_name,
+      :policy_arns,
       :policy,
       :duration_seconds,
+      :tags,
+      :transitive_tag_keys,
       :external_id,
       :serial_number,
       :token_code)
@@ -175,11 +292,11 @@ module Aws::STS
     #   The temporary security credentials, which include an access key ID,
     #   a secret access key, and a security (or session) token.
     #
-    #   **Note:** The size of the security token that STS APIs return is not
+    #   <note markdown="1"> The size of the security token that STS API operations return is not
     #   fixed. We strongly recommend that you make no assumptions about the
-    #   maximum size. As of this writing, the typical size is less than 4096
-    #   bytes, but that can vary. Also, future updates to AWS might require
-    #   larger sizes.
+    #   maximum size.
+    #
+    #    </note>
     #   @return [Types::Credentials]
     #
     # @!attribute [rw] assumed_role_user
@@ -192,9 +309,10 @@ module Aws::STS
     #   @return [Types::AssumedRoleUser]
     #
     # @!attribute [rw] packed_policy_size
-    #   A percentage value that indicates the size of the policy in packed
-    #   form. The service rejects any policy with a packed size greater than
-    #   100 percent, which means the policy exceeded the allowed space.
+    #   A percentage value that indicates the packed size of the session
+    #   policies and session tags combined passed in the request. The
+    #   request fails if the packed size is greater than 100 percent, which
+    #   means the policies and tags exceeded the allowed space.
     #   @return [Integer]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleResponse AWS API Documentation
@@ -213,6 +331,11 @@ module Aws::STS
     #         role_arn: "arnType", # required
     #         principal_arn: "arnType", # required
     #         saml_assertion: "SAMLAssertionType", # required
+    #         policy_arns: [
+    #           {
+    #             arn: "arnType",
+    #           },
+    #         ],
     #         policy: "sessionPolicyDocumentType",
     #         duration_seconds: 1,
     #       }
@@ -232,45 +355,82 @@ module Aws::STS
     #   IdP.
     #
     #   For more information, see [Configuring a Relying Party and Adding
-    #   Claims][1] in the *Using IAM* guide.
+    #   Claims][1] in the *IAM User Guide*.
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html
     #   @return [String]
     #
-    # @!attribute [rw] policy
-    #   An IAM policy in JSON format.
+    # @!attribute [rw] policy_arns
+    #   The Amazon Resource Names (ARNs) of the IAM managed policies that
+    #   you want to use as managed session policies. The policies must exist
+    #   in the same account as the role.
     #
-    #   The policy parameter is optional. If you pass a policy, the
-    #   temporary security credentials that are returned by the operation
-    #   have the permissions that are allowed by both the access policy of
-    #   the role that is being assumed, <i> <b>and</b> </i> the policy that
-    #   you pass. This gives you a way to further restrict the permissions
-    #   for the resulting temporary security credentials. You cannot use the
-    #   passed policy to grant permissions that are in excess of those
-    #   allowed by the access policy of the role that is being assumed. For
-    #   more information, [Permissions for AssumeRole, AssumeRoleWithSAML,
-    #   and AssumeRoleWithWebIdentity][1] in the *IAM User Guide*.
+    #   This parameter is optional. You can provide up to 10 managed policy
+    #   ARNs. However, the plain text that you use for both inline and
+    #   managed session policies can't exceed 2,048 characters. For more
+    #   information about ARNs, see [Amazon Resource Names (ARNs) and AWS
+    #   Service Namespaces][1] in the AWS General Reference.
     #
-    #   The format for this parameter, as described by its regex pattern, is
-    #   a string of characters up to 2048 characters in length. The
-    #   characters can be any ASCII character from the space character to
-    #   the end of the valid character list (\\u0020-\\u00FF). It can also
+    #   <note markdown="1"> An AWS conversion compresses the passed session policies and session
+    #   tags into a packed binary format that has a separate limit. Your
+    #   request can fail for this limit even if your plain text meets the
+    #   other requirements. The `PackedPolicySize` response element
+    #   indicates by percentage how close the policies and tags for your
+    #   request are to the upper size limit.
+    #
+    #    </note>
+    #
+    #   Passing policies to this operation returns new temporary
+    #   credentials. The resulting session's permissions are the
+    #   intersection of the role's identity-based policy and the session
+    #   policies. You can use the role's temporary credentials in
+    #   subsequent AWS API calls to access resources in the account that
+    #   owns the role. You cannot use session policies to grant more
+    #   permissions than those allowed by the identity-based policy of the
+    #   role that is being assumed. For more information, see [Session
+    #   Policies][2] in the *IAM User Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+    #   @return [Array<Types::PolicyDescriptorType>]
+    #
+    # @!attribute [rw] policy
+    #   An IAM policy in JSON format that you want to use as an inline
+    #   session policy.
+    #
+    #   This parameter is optional. Passing policies to this operation
+    #   returns new temporary credentials. The resulting session's
+    #   permissions are the intersection of the role's identity-based
+    #   policy and the session policies. You can use the role's temporary
+    #   credentials in subsequent AWS API calls to access resources in the
+    #   account that owns the role. You cannot use session policies to grant
+    #   more permissions than those allowed by the identity-based policy of
+    #   the role that is being assumed. For more information, see [Session
+    #   Policies][1] in the *IAM User Guide*.
+    #
+    #   The plain text that you use for both inline and managed session
+    #   policies can't exceed 2,048 characters. The JSON policy characters
+    #   can be any ASCII character from the space character to the end of
+    #   the valid character list (\\u0020 through \\u00FF). It can also
     #   include the tab (\\u0009), linefeed (\\u000A), and carriage return
     #   (\\u000D) characters.
     #
-    #   <note markdown="1"> The policy plain text must be 2048 bytes or shorter. However, an
-    #   internal conversion compresses it into a packed binary format with a
-    #   separate limit. The PackedPolicySize response element indicates by
-    #   percentage how close to the upper size limit the policy is, with
-    #   100% equaling the maximum allowed size.
+    #   <note markdown="1"> An AWS conversion compresses the passed session policies and session
+    #   tags into a packed binary format that has a separate limit. Your
+    #   request can fail for this limit even if your plain text meets the
+    #   other requirements. The `PackedPolicySize` response element
+    #   indicates by percentage how close the policies and tags for your
+    #   request are to the upper size limit.
     #
     #    </note>
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
     #   @return [String]
     #
     # @!attribute [rw] duration_seconds
@@ -288,7 +448,7 @@ module Aws::STS
     #   Maximum Session Duration Setting for a Role][1] in the *IAM User
     #   Guide*.
     #
-    #   By default, the value is set to 3600 seconds.
+    #   By default, the value is set to `3600` seconds.
     #
     #   <note markdown="1"> The `DurationSeconds` parameter is separate from the duration of a
     #   console session that you might request using the returned
@@ -302,8 +462,8 @@ module Aws::STS
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
-    #   [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
     #   @return [Integer]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAMLRequest AWS API Documentation
@@ -312,6 +472,7 @@ module Aws::STS
       :role_arn,
       :principal_arn,
       :saml_assertion,
+      :policy_arns,
       :policy,
       :duration_seconds)
       include Aws::Structure
@@ -325,11 +486,11 @@ module Aws::STS
     #   The temporary security credentials, which include an access key ID,
     #   a secret access key, and a security (or session) token.
     #
-    #   **Note:** The size of the security token that STS APIs return is not
+    #   <note markdown="1"> The size of the security token that STS API operations return is not
     #   fixed. We strongly recommend that you make no assumptions about the
-    #   maximum size. As of this writing, the typical size is less than 4096
-    #   bytes, but that can vary. Also, future updates to AWS might require
-    #   larger sizes.
+    #   maximum size.
+    #
+    #    </note>
     #   @return [Types::Credentials]
     #
     # @!attribute [rw] assumed_role_user
@@ -338,9 +499,10 @@ module Aws::STS
     #   @return [Types::AssumedRoleUser]
     #
     # @!attribute [rw] packed_policy_size
-    #   A percentage value that indicates the size of the policy in packed
-    #   form. The service rejects any policy with a packed size greater than
-    #   100 percent, which means the policy exceeded the allowed space.
+    #   A percentage value that indicates the packed size of the session
+    #   policies and session tags combined passed in the request. The
+    #   request fails if the packed size is greater than 100 percent, which
+    #   means the policies and tags exceeded the allowed space.
     #   @return [Integer]
     #
     # @!attribute [rw] subject
@@ -404,6 +566,11 @@ module Aws::STS
     #         role_session_name: "roleSessionNameType", # required
     #         web_identity_token: "clientTokenType", # required
     #         provider_id: "urlType",
+    #         policy_arns: [
+    #           {
+    #             arn: "arnType",
+    #           },
+    #         ],
     #         policy: "sessionPolicyDocumentType",
     #         duration_seconds: 1,
     #       }
@@ -447,38 +614,75 @@ module Aws::STS
     #   Do not specify this value for OpenID Connect ID tokens.
     #   @return [String]
     #
-    # @!attribute [rw] policy
-    #   An IAM policy in JSON format.
+    # @!attribute [rw] policy_arns
+    #   The Amazon Resource Names (ARNs) of the IAM managed policies that
+    #   you want to use as managed session policies. The policies must exist
+    #   in the same account as the role.
     #
-    #   The policy parameter is optional. If you pass a policy, the
-    #   temporary security credentials that are returned by the operation
-    #   have the permissions that are allowed by both the access policy of
-    #   the role that is being assumed, <i> <b>and</b> </i> the policy that
-    #   you pass. This gives you a way to further restrict the permissions
-    #   for the resulting temporary security credentials. You cannot use the
-    #   passed policy to grant permissions that are in excess of those
-    #   allowed by the access policy of the role that is being assumed. For
-    #   more information, see [Permissions for AssumeRoleWithWebIdentity][1]
-    #   in the *IAM User Guide*.
+    #   This parameter is optional. You can provide up to 10 managed policy
+    #   ARNs. However, the plain text that you use for both inline and
+    #   managed session policies can't exceed 2,048 characters. For more
+    #   information about ARNs, see [Amazon Resource Names (ARNs) and AWS
+    #   Service Namespaces][1] in the AWS General Reference.
     #
-    #   The format for this parameter, as described by its regex pattern, is
-    #   a string of characters up to 2048 characters in length. The
-    #   characters can be any ASCII character from the space character to
-    #   the end of the valid character list (\\u0020-\\u00FF). It can also
+    #   <note markdown="1"> An AWS conversion compresses the passed session policies and session
+    #   tags into a packed binary format that has a separate limit. Your
+    #   request can fail for this limit even if your plain text meets the
+    #   other requirements. The `PackedPolicySize` response element
+    #   indicates by percentage how close the policies and tags for your
+    #   request are to the upper size limit.
+    #
+    #    </note>
+    #
+    #   Passing policies to this operation returns new temporary
+    #   credentials. The resulting session's permissions are the
+    #   intersection of the role's identity-based policy and the session
+    #   policies. You can use the role's temporary credentials in
+    #   subsequent AWS API calls to access resources in the account that
+    #   owns the role. You cannot use session policies to grant more
+    #   permissions than those allowed by the identity-based policy of the
+    #   role that is being assumed. For more information, see [Session
+    #   Policies][2] in the *IAM User Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+    #   @return [Array<Types::PolicyDescriptorType>]
+    #
+    # @!attribute [rw] policy
+    #   An IAM policy in JSON format that you want to use as an inline
+    #   session policy.
+    #
+    #   This parameter is optional. Passing policies to this operation
+    #   returns new temporary credentials. The resulting session's
+    #   permissions are the intersection of the role's identity-based
+    #   policy and the session policies. You can use the role's temporary
+    #   credentials in subsequent AWS API calls to access resources in the
+    #   account that owns the role. You cannot use session policies to grant
+    #   more permissions than those allowed by the identity-based policy of
+    #   the role that is being assumed. For more information, see [Session
+    #   Policies][1] in the *IAM User Guide*.
+    #
+    #   The plain text that you use for both inline and managed session
+    #   policies can't exceed 2,048 characters. The JSON policy characters
+    #   can be any ASCII character from the space character to the end of
+    #   the valid character list (\\u0020 through \\u00FF). It can also
     #   include the tab (\\u0009), linefeed (\\u000A), and carriage return
     #   (\\u000D) characters.
     #
-    #   <note markdown="1"> The policy plain text must be 2048 bytes or shorter. However, an
-    #   internal conversion compresses it into a packed binary format with a
-    #   separate limit. The PackedPolicySize response element indicates by
-    #   percentage how close to the upper size limit the policy is, with
-    #   100% equaling the maximum allowed size.
+    #   <note markdown="1"> An AWS conversion compresses the passed session policies and session
+    #   tags into a packed binary format that has a separate limit. Your
+    #   request can fail for this limit even if your plain text meets the
+    #   other requirements. The `PackedPolicySize` response element
+    #   indicates by percentage how close the policies and tags for your
+    #   request are to the upper size limit.
     #
     #    </note>
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
     #   @return [String]
     #
     # @!attribute [rw] duration_seconds
@@ -492,7 +696,7 @@ module Aws::STS
     #   value for your role, see [View the Maximum Session Duration Setting
     #   for a Role][1] in the *IAM User Guide*.
     #
-    #   By default, the value is set to 3600 seconds.
+    #   By default, the value is set to `3600` seconds.
     #
     #   <note markdown="1"> The `DurationSeconds` parameter is separate from the duration of a
     #   console session that you might request using the returned
@@ -506,8 +710,8 @@ module Aws::STS
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
-    #   [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
     #   @return [Integer]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentityRequest AWS API Documentation
@@ -517,6 +721,7 @@ module Aws::STS
       :role_session_name,
       :web_identity_token,
       :provider_id,
+      :policy_arns,
       :policy,
       :duration_seconds)
       include Aws::Structure
@@ -530,11 +735,11 @@ module Aws::STS
     #   The temporary security credentials, which include an access key ID,
     #   a secret access key, and a security token.
     #
-    #   **Note:** The size of the security token that STS APIs return is not
+    #   <note markdown="1"> The size of the security token that STS API operations return is not
     #   fixed. We strongly recommend that you make no assumptions about the
-    #   maximum size. As of this writing, the typical size is less than 4096
-    #   bytes, but that can vary. Also, future updates to AWS might require
-    #   larger sizes.
+    #   maximum size.
+    #
+    #    </note>
     #   @return [Types::Credentials]
     #
     # @!attribute [rw] subject_from_web_identity_token
@@ -557,15 +762,16 @@ module Aws::STS
     #   @return [Types::AssumedRoleUser]
     #
     # @!attribute [rw] packed_policy_size
-    #   A percentage value that indicates the size of the policy in packed
-    #   form. The service rejects any policy with a packed size greater than
-    #   100 percent, which means the policy exceeded the allowed space.
+    #   A percentage value that indicates the packed size of the session
+    #   policies and session tags combined passed in the request. The
+    #   request fails if the packed size is greater than 100 percent, which
+    #   means the policies and tags exceeded the allowed space.
     #   @return [Integer]
     #
     # @!attribute [rw] provider
     #   The issuing authority of the web identity token presented. For
-    #   OpenID Connect ID Tokens this contains the value of the `iss` field.
-    #   For OAuth 2.0 access tokens, this contains the value of the
+    #   OpenID Connect ID tokens, this contains the value of the `iss`
+    #   field. For OAuth 2.0 access tokens, this contains the value of the
     #   `ProviderId` parameter that was passed in the
     #   `AssumeRoleWithWebIdentity` request.
     #   @return [String]
@@ -600,11 +806,12 @@ module Aws::STS
     # @!attribute [rw] arn
     #   The ARN of the temporary security credentials that are returned from
     #   the AssumeRole action. For more information about ARNs and how to
-    #   use them in policies, see [IAM Identifiers][1] in *Using IAM*.
+    #   use them in policies, see [IAM Identifiers][1] in the *IAM User
+    #   Guide*.
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumedRoleUser AWS API Documentation
@@ -678,6 +885,20 @@ module Aws::STS
       include Aws::Structure
     end
 
+    # The web identity token that was passed is expired or is not valid. Get
+    # a new identity token from the identity provider and then retry the
+    # request.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/ExpiredTokenException AWS API Documentation
+    #
+    class ExpiredTokenException < Struct.new(
+      :message)
+      include Aws::Structure
+    end
+
     # Identifiers for the federated user that is associated with the
     # credentials.
     #
@@ -689,11 +910,11 @@ module Aws::STS
     # @!attribute [rw] arn
     #   The ARN that specifies the federated user that is associated with
     #   the credentials. For more information about ARNs and how to use them
-    #   in policies, see [IAM Identifiers][1] in *Using IAM*.
+    #   in policies, see [IAM Identifiers][1] in the *IAM User Guide*.
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/FederatedUser AWS API Documentation
@@ -704,6 +925,39 @@ module Aws::STS
       include Aws::Structure
     end
 
+    # @note When making an API call, you may pass GetAccessKeyInfoRequest
+    #   data as a hash:
+    #
+    #       {
+    #         access_key_id: "accessKeyIdType", # required
+    #       }
+    #
+    # @!attribute [rw] access_key_id
+    #   The identifier of an access key.
+    #
+    #   This parameter allows (through its regex pattern) a string of
+    #   characters that can consist of any upper- or lowercase letter or
+    #   digit.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetAccessKeyInfoRequest AWS API Documentation
+    #
+    class GetAccessKeyInfoRequest < Struct.new(
+      :access_key_id)
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] account
+    #   The number used to identify the AWS account.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetAccessKeyInfoResponse AWS API Documentation
+    #
+    class GetAccessKeyInfoResponse < Struct.new(
+      :account)
+      include Aws::Structure
+    end
+
     # @api private
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetCallerIdentityRequest AWS API Documentation
@@ -715,14 +969,14 @@ module Aws::STS
     #
     # @!attribute [rw] user_id
     #   The unique identifier of the calling entity. The exact value depends
-    #   on the type of entity making the call. The values returned are those
-    #   listed in the **aws:userid** column in the [Principal table][1]
-    #   found on the **Policy Variables** reference page in the *IAM User
-    #   Guide*.
+    #   on the type of entity that is making the call. The values returned
+    #   are those listed in the **aws:userid** column in the [Principal
+    #   table][1] found on the **Policy Variables** reference page in the
+    #   *IAM User Guide*.
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable
     #   @return [String]
     #
     # @!attribute [rw] account
@@ -749,7 +1003,18 @@ module Aws::STS
     #       {
     #         name: "userNameType", # required
     #         policy: "sessionPolicyDocumentType",
+    #         policy_arns: [
+    #           {
+    #             arn: "arnType",
+    #           },
+    #         ],
     #         duration_seconds: 1,
+    #         tags: [
+    #           {
+    #             key: "tagKeyType", # required
+    #             value: "tagValueType", # required
+    #           },
+    #         ],
     #       }
     #
     # @!attribute [rw] name
@@ -765,63 +1030,158 @@ module Aws::STS
     #   @return [String]
     #
     # @!attribute [rw] policy
-    #   An IAM policy in JSON format that is passed with the
-    #   `GetFederationToken` call and evaluated along with the policy or
-    #   policies that are attached to the IAM user whose credentials are
-    #   used to call `GetFederationToken`. The passed policy is used to
-    #   scope down the permissions that are available to the IAM user, by
-    #   allowing only a subset of the permissions that are granted to the
-    #   IAM user. The passed policy cannot grant more permissions than those
-    #   granted to the IAM user. The final permissions for the federated
-    #   user are the most restrictive set based on the intersection of the
-    #   passed policy and the IAM user policy.
-    #
-    #   If you do not pass a policy, the resulting temporary security
-    #   credentials have no effective permissions. The only exception is
-    #   when the temporary security credentials are used to access a
-    #   resource that has a resource-based policy that specifically allows
-    #   the federated user to access the resource.
+    #   An IAM policy in JSON format that you want to use as an inline
+    #   session policy.
     #
-    #   The format for this parameter, as described by its regex pattern, is
-    #   a string of characters up to 2048 characters in length. The
-    #   characters can be any ASCII character from the space character to
-    #   the end of the valid character list (\\u0020-\\u00FF). It can also
+    #   You must pass an inline or managed [session policy][1] to this
+    #   operation. You can pass a single JSON policy document to use as an
+    #   inline session policy. You can also specify up to 10 managed
+    #   policies to use as managed session policies.
+    #
+    #   This parameter is optional. However, if you do not pass any session
+    #   policies, then the resulting federated user session has no
+    #   permissions.
+    #
+    #   When you pass session policies, the session permissions are the
+    #   intersection of the IAM user policies and the session policies that
+    #   you pass. This gives you a way to further restrict the permissions
+    #   for a federated user. You cannot use session policies to grant more
+    #   permissions than those that are defined in the permissions policy of
+    #   the IAM user. For more information, see [Session Policies][1] in the
+    #   *IAM User Guide*.
+    #
+    #   The resulting credentials can be used to access a resource that has
+    #   a resource-based policy. If that policy specifically references the
+    #   federated user session in the `Principal` element of the policy, the
+    #   session has the permissions allowed by the policy. These permissions
+    #   are granted in addition to the permissions that are granted by the
+    #   session policies.
+    #
+    #   The plain text that you use for both inline and managed session
+    #   policies can't exceed 2,048 characters. The JSON policy characters
+    #   can be any ASCII character from the space character to the end of
+    #   the valid character list (\\u0020 through \\u00FF). It can also
     #   include the tab (\\u0009), linefeed (\\u000A), and carriage return
     #   (\\u000D) characters.
     #
-    #   <note markdown="1"> The policy plain text must be 2048 bytes or shorter. However, an
-    #   internal conversion compresses it into a packed binary format with a
-    #   separate limit. The PackedPolicySize response element indicates by
-    #   percentage how close to the upper size limit the policy is, with
-    #   100% equaling the maximum allowed size.
+    #   <note markdown="1"> An AWS conversion compresses the passed session policies and session
+    #   tags into a packed binary format that has a separate limit. Your
+    #   request can fail for this limit even if your plain text meets the
+    #   other requirements. The `PackedPolicySize` response element
+    #   indicates by percentage how close the policies and tags for your
+    #   request are to the upper size limit.
     #
     #    </note>
     #
-    #   For more information about how permissions work, see [Permissions
-    #   for GetFederationToken][1].
     #
     #
-    #
-    #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
     #   @return [String]
     #
+    # @!attribute [rw] policy_arns
+    #   The Amazon Resource Names (ARNs) of the IAM managed policies that
+    #   you want to use as a managed session policy. The policies must exist
+    #   in the same account as the IAM user that is requesting federated
+    #   access.
+    #
+    #   You must pass an inline or managed [session policy][1] to this
+    #   operation. You can pass a single JSON policy document to use as an
+    #   inline session policy. You can also specify up to 10 managed
+    #   policies to use as managed session policies. The plain text that you
+    #   use for both inline and managed session policies can't exceed 2,048
+    #   characters. You can provide up to 10 managed policy ARNs. For more
+    #   information about ARNs, see [Amazon Resource Names (ARNs) and AWS
+    #   Service Namespaces][2] in the AWS General Reference.
+    #
+    #   This parameter is optional. However, if you do not pass any session
+    #   policies, then the resulting federated user session has no
+    #   permissions.
+    #
+    #   When you pass session policies, the session permissions are the
+    #   intersection of the IAM user policies and the session policies that
+    #   you pass. This gives you a way to further restrict the permissions
+    #   for a federated user. You cannot use session policies to grant more
+    #   permissions than those that are defined in the permissions policy of
+    #   the IAM user. For more information, see [Session Policies][1] in the
+    #   *IAM User Guide*.
+    #
+    #   The resulting credentials can be used to access a resource that has
+    #   a resource-based policy. If that policy specifically references the
+    #   federated user session in the `Principal` element of the policy, the
+    #   session has the permissions allowed by the policy. These permissions
+    #   are granted in addition to the permissions that are granted by the
+    #   session policies.
+    #
+    #   <note markdown="1"> An AWS conversion compresses the passed session policies and session
+    #   tags into a packed binary format that has a separate limit. Your
+    #   request can fail for this limit even if your plain text meets the
+    #   other requirements. The `PackedPolicySize` response element
+    #   indicates by percentage how close the policies and tags for your
+    #   request are to the upper size limit.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+    #   [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
+    #   @return [Array<Types::PolicyDescriptorType>]
+    #
     # @!attribute [rw] duration_seconds
     #   The duration, in seconds, that the session should last. Acceptable
     #   durations for federation sessions range from 900 seconds (15
-    #   minutes) to 129600 seconds (36 hours), with 43200 seconds (12 hours)
-    #   as the default. Sessions obtained using AWS account (root)
-    #   credentials are restricted to a maximum of 3600 seconds (one hour).
+    #   minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12
+    #   hours) as the default. Sessions obtained using AWS account root user
+    #   credentials are restricted to a maximum of 3,600 seconds (one hour).
     #   If the specified duration is longer than one hour, the session
-    #   obtained by using AWS account (root) credentials defaults to one
-    #   hour.
+    #   obtained by using root user credentials defaults to one hour.
     #   @return [Integer]
     #
+    # @!attribute [rw] tags
+    #   A list of session tags. Each session tag consists of a key name and
+    #   an associated value. For more information about session tags, see
+    #   [Passing Session Tags in STS][1] in the *IAM User Guide*.
+    #
+    #   This parameter is optional. You can pass up to 50 session tags. The
+    #   plain text session tag keys can’t exceed 128 characters and the
+    #   values can’t exceed 256 characters. For these and additional limits,
+    #   see [IAM and STS Character Limits][2] in the *IAM User Guide*.
+    #
+    #   <note markdown="1"> An AWS conversion compresses the passed session policies and session
+    #   tags into a packed binary format that has a separate limit. Your
+    #   request can fail for this limit even if your plain text meets the
+    #   other requirements. The `PackedPolicySize` response element
+    #   indicates by percentage how close the policies and tags for your
+    #   request are to the upper size limit.
+    #
+    #    </note>
+    #
+    #   You can pass a session tag with the same key as a tag that is
+    #   already attached to the user you are federating. When you do,
+    #   session tags override a user tag with the same key.
+    #
+    #   Tag key–value pairs are not case sensitive, but case is preserved.
+    #   This means that you cannot have separate `Department` and
+    #   `department` tag keys. Assume that the role has the
+    #   `Department`=`Marketing` tag and you pass the
+    #   `department`=`engineering` session tag. `Department` and
+    #   `department` are not saved as separate tags, and the session tag
+    #   passed in the request takes precedence over the role tag.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
+    #   @return [Array<Types::Tag>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetFederationTokenRequest AWS API Documentation
     #
     class GetFederationTokenRequest < Struct.new(
       :name,
       :policy,
-      :duration_seconds)
+      :policy_arns,
+      :duration_seconds,
+      :tags)
       include Aws::Structure
     end
 
@@ -833,11 +1193,11 @@ module Aws::STS
     #   The temporary security credentials, which include an access key ID,
     #   a secret access key, and a security (or session) token.
     #
-    #   **Note:** The size of the security token that STS APIs return is not
+    #   <note markdown="1"> The size of the security token that STS API operations return is not
     #   fixed. We strongly recommend that you make no assumptions about the
-    #   maximum size. As of this writing, the typical size is less than 4096
-    #   bytes, but that can vary. Also, future updates to AWS might require
-    #   larger sizes.
+    #   maximum size.
+    #
+    #    </note>
     #   @return [Types::Credentials]
     #
     # @!attribute [rw] federated_user
@@ -848,9 +1208,10 @@ module Aws::STS
     #   @return [Types::FederatedUser]
     #
     # @!attribute [rw] packed_policy_size
-    #   A percentage value indicating the size of the policy in packed form.
-    #   The service rejects policies for which the packed size is greater
-    #   than 100 percent of the allowed value.
+    #   A percentage value that indicates the packed size of the session
+    #   policies and session tags combined passed in the request. The
+    #   request fails if the packed size is greater than 100 percent, which
+    #   means the policies and tags exceeded the allowed space.
     #   @return [Integer]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetFederationTokenResponse AWS API Documentation
@@ -874,9 +1235,9 @@ module Aws::STS
     # @!attribute [rw] duration_seconds
     #   The duration, in seconds, that the credentials should remain valid.
     #   Acceptable durations for IAM user sessions range from 900 seconds
-    #   (15 minutes) to 129600 seconds (36 hours), with 43200 seconds (12
+    #   (15 minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12
     #   hours) as the default. Sessions for AWS account owners are
-    #   restricted to a maximum of 3600 seconds (one hour). If the duration
+    #   restricted to a maximum of 3,600 seconds (one hour). If the duration
     #   is longer than one hour, the session for AWS account owners defaults
     #   to one hour.
     #   @return [Integer]
@@ -891,7 +1252,7 @@ module Aws::STS
     #   the device for an IAM user by going to the AWS Management Console
     #   and viewing the user's security credentials.
     #
-    #   The regex used to validated this parameter is a string of characters
+    #   The regex used to validate this parameter is a string of characters
     #   consisting of upper- and lower-case alphanumeric characters with no
     #   spaces. You can also include underscores or any of the following
     #   characters: =,.@:/-
@@ -900,9 +1261,9 @@ module Aws::STS
     # @!attribute [rw] token_code
     #   The value provided by the MFA device, if MFA is required. If any
     #   policy requires the IAM user to submit an MFA code, specify this
-    #   value. If MFA authentication is required, and the user does not
-    #   provide a code when requesting a set of temporary security
-    #   credentials, the user will receive an "access denied" response
+    #   value. If MFA authentication is required, the user must provide a
+    #   code when requesting a set of temporary security credentials. A user
+    #   who fails to provide the code receives an "access denied" response
     #   when requesting resources that require MFA authentication.
     #
     #   The format for this parameter, as described by its regex pattern, is
@@ -926,11 +1287,11 @@ module Aws::STS
     #   The temporary security credentials, which include an access key ID,
     #   a secret access key, and a security (or session) token.
     #
-    #   **Note:** The size of the security token that STS APIs return is not
+    #   <note markdown="1"> The size of the security token that STS API operations return is not
     #   fixed. We strongly recommend that you make no assumptions about the
-    #   maximum size. As of this writing, the typical size is less than 4096
-    #   bytes, but that can vary. Also, future updates to AWS might require
-    #   larger sizes.
+    #   maximum size.
+    #
+    #    </note>
     #   @return [Types::Credentials]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetSessionTokenResponse AWS API Documentation
@@ -940,5 +1301,204 @@ module Aws::STS
       include Aws::Structure
     end
 
+    # The request could not be fulfilled because the identity provider (IDP)
+    # that was asked to verify the incoming identity token could not be
+    # reached. This is often a transient error caused by network conditions.
+    # Retry the request a limited number of times so that you don't exceed
+    # the request rate. If the error persists, the identity provider might
+    # be down or not responding.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/IDPCommunicationErrorException AWS API Documentation
+    #
+    class IDPCommunicationErrorException < Struct.new(
+      :message)
+      include Aws::Structure
+    end
+
+    # The identity provider (IdP) reported that authentication failed. This
+    # might be because the claim is invalid.
+    #
+    # If this error is returned for the `AssumeRoleWithWebIdentity`
+    # operation, it can also mean that the claim has expired or has been
+    # explicitly revoked.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/IDPRejectedClaimException AWS API Documentation
+    #
+    class IDPRejectedClaimException < Struct.new(
+      :message)
+      include Aws::Structure
+    end
+
+    # The error returned if the message passed to
+    # `DecodeAuthorizationMessage` was invalid. This can happen if the token
+    # contains invalid characters, such as linebreaks.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/InvalidAuthorizationMessageException AWS API Documentation
+    #
+    class InvalidAuthorizationMessageException < Struct.new(
+      :message)
+      include Aws::Structure
+    end
+
+    # The web identity token that was passed could not be validated by AWS.
+    # Get a new identity token from the identity provider and then retry the
+    # request.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/InvalidIdentityTokenException AWS API Documentation
+    #
+    class InvalidIdentityTokenException < Struct.new(
+      :message)
+      include Aws::Structure
+    end
+
+    # The request was rejected because the policy document was malformed.
+    # The error message describes the specific error.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/MalformedPolicyDocumentException AWS API Documentation
+    #
+    class MalformedPolicyDocumentException < Struct.new(
+      :message)
+      include Aws::Structure
+    end
+
+    # The request was rejected because the total packed size of the session
+    # policies and session tags combined was too large. An AWS conversion
+    # compresses the session policy document, session policy ARNs, and
+    # session tags into a packed binary format that has a separate limit.
+    # The error message indicates by percentage how close the policies and
+    # tags are to the upper size limit. For more information, see [Passing
+    # Session Tags in STS][1] in the *IAM User Guide*.
+    #
+    # You could receive this error even though you meet other defined
+    # session policy and session tag limits. For more information, see [IAM
+    # and STS Entity Character Limits][2] in the *IAM User Guide*.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
+    # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/PackedPolicyTooLargeException AWS API Documentation
+    #
+    class PackedPolicyTooLargeException < Struct.new(
+      :message)
+      include Aws::Structure
+    end
+
+    # A reference to the IAM managed policy that is passed as a session
+    # policy for a role session or a federated user session.
+    #
+    # @note When making an API call, you may pass PolicyDescriptorType
+    #   data as a hash:
+    #
+    #       {
+    #         arn: "arnType",
+    #       }
+    #
+    # @!attribute [rw] arn
+    #   The Amazon Resource Name (ARN) of the IAM managed policy to use as a
+    #   session policy for the role. For more information about ARNs, see
+    #   [Amazon Resource Names (ARNs) and AWS Service Namespaces][1] in the
+    #   *AWS General Reference*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/PolicyDescriptorType AWS API Documentation
+    #
+    class PolicyDescriptorType < Struct.new(
+      :arn)
+      include Aws::Structure
+    end
+
+    # STS is not activated in the requested region for the account that is
+    # being asked to generate credentials. The account administrator must
+    # use the IAM console to activate STS in that region. For more
+    # information, see [Activating and Deactivating AWS STS in an AWS
+    # Region][1] in the *IAM User Guide*.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/RegionDisabledException AWS API Documentation
+    #
+    class RegionDisabledException < Struct.new(
+      :message)
+      include Aws::Structure
+    end
+
+    # You can pass custom key-value pair attributes when you assume a role
+    # or federate a user. These are called session tags. You can then use
+    # the session tags to control access to resources. For more information,
+    # see [Tagging AWS STS Sessions][1] in the *IAM User Guide*.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
+    #
+    # @note When making an API call, you may pass Tag
+    #   data as a hash:
+    #
+    #       {
+    #         key: "tagKeyType", # required
+    #         value: "tagValueType", # required
+    #       }
+    #
+    # @!attribute [rw] key
+    #   The key for a session tag.
+    #
+    #   You can pass up to 50 session tags. The plain text session tag keys
+    #   can’t exceed 128 characters. For these and additional limits, see
+    #   [IAM and STS Character Limits][1] in the *IAM User Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
+    #   @return [String]
+    #
+    # @!attribute [rw] value
+    #   The value for a session tag.
+    #
+    #   You can pass up to 50 session tags. The plain text session tag
+    #   values can’t exceed 256 characters. For these and additional limits,
+    #   see [IAM and STS Character Limits][1] in the *IAM User Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/Tag AWS API Documentation
+    #
+    class Tag < Struct.new(
+      :key,
+      :value)
+      include Aws::Structure
+    end
+
   end
 end