aws-sdk-core 3.49.0 → 3.50.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 73058ee6fd337df118ec80e4c3ff72a2d3a1e6da
-  data.tar.gz: a26425fbf3fa6767729b347464974ababc61fd87
+  metadata.gz: d00808ae9ba43d63284f7ffd2573f1fd49a89d30
+  data.tar.gz: 37e62e1a50ac55085d58cd7dd9346c15e8861faf
 SHA512:
-  metadata.gz: 72dc91962aa3b30357d1e5f2c253f9e102831795fa7a5d1c631370eeb419d1f2347d4deabb53c5ccffd05ff185d3bbfcdc66a796b90a9029f698037eafcc967e
-  data.tar.gz: 37d0870e84c91b163ae19abff119955f7aa3fe327d570109cc491043760210ad05b5b39122c376875b7ab432898e437da7faa229919c12711ebfbe3d3eda11cc
+  metadata.gz: 4dc0a4e73a7454ac9e7c871aa7212157c40224a3a1ddf4a8e0b01f719dd6451833c2df2ad1222de6a18f05a80991079d996c4cc77b0e1df1a45cbc0446f086e6
+  data.tar.gz: 415989fbe8d6e4df04863a6a352f4f9d30efdf1b6d7e2a67dbadc3bb8ea872a0b768fa1b9296796ca3524f6e95c9d7cd1435e11c1e77e43dc52fd60af052a510

data/VERSION

@@ -1 +1 @@
-3.49.0
+3.50.0

data/lib/aws-sdk-sts.rb

@@ -40,6 +40,6 @@ require_relative 'aws-sdk-sts/customizations'
 # @service
 module Aws::STS
 
-  GEM_VERSION = '3.49.0'
+  GEM_VERSION = '3.50.0'
 
 end

data/lib/aws-sdk-sts/client.rb

@@ -248,18 +248,18 @@ module Aws::STS
 
     # @!group API Operations
 
-    # Returns a set of temporary security credentials (consisting of an
-    # access key ID, a secret access key, and a security token) that you can
-    # use to access AWS resources that you might not normally have access
-    # to. Typically, you use `AssumeRole` for cross-account access or
-    # federation. For a comparison of `AssumeRole` with the other APIs that
-    # produce temporary credentials, see [Requesting Temporary Security
-    # Credentials][1] and [Comparing the AWS STS APIs][2] in the *IAM User
-    # Guide*.
-    #
-    # **Important:** You cannot call `AssumeRole` by using AWS root account
-    # credentials; access is denied. You must use credentials for an IAM
-    # user or an IAM role to call `AssumeRole`.
+    # Returns a set of temporary security credentials that you can use to
+    # access AWS resources that you might not normally have access to. These
+    # temporary credentials consist of an access key ID, a secret access
+    # key, and a security token. Typically, you use `AssumeRole` for
+    # cross-account access or federation. For a comparison of `AssumeRole`
+    # with other API operations that produce temporary credentials, see
+    # [Requesting Temporary Security Credentials][1] and [Comparing the AWS
+    # STS API operations][2] in the *IAM User Guide*.
+    #
+    # You cannot use AWS account root user credentials to call `AssumeRole`.
+    # You must use credentials for an IAM user or an IAM role to call
+    # `AssumeRole`.
     #
     # For cross-account access, imagine that you own multiple accounts and
     # need to access resources in each account. You could create long-term
@@ -273,15 +273,14 @@ module Aws::STS
     #
     # For federation, you can, for example, grant single sign-on access to
     # the AWS Management Console. If you already have an identity and
-    # authentication system in your corporate network, you don't have to
-    # recreate user identities in AWS in order to grant those user
-    # identities access to AWS. Instead, after a user has been
-    # authenticated, you call `AssumeRole` (and specify the role with the
-    # appropriate permissions) to get temporary security credentials for
-    # that user. With those temporary security credentials, you construct a
-    # sign-in URL that users can use to access the console. For more
-    # information, see [Common Scenarios for Temporary Credentials][4] in
-    # the *IAM User Guide*.
+    # authentication system in your network, you don't have to recreate
+    # identities in AWS in order to grant them access to AWS. Instead, after
+    # a user has been authenticated, you call `AssumeRole` (and specify the
+    # role with the appropriate permissions) to get temporary security
+    # credentials for that user. With those temporary security credentials,
+    # you construct a sign-in URL from which users can access the console.
+    # For more information, see [Common Scenarios for Temporary
+    # Credentials][4] in the *IAM User Guide*.
     #
     # By default, the temporary security credentials created by `AssumeRole`
     # last for one hour. However, you can use the optional `DurationSeconds`
@@ -291,30 +290,26 @@ module Aws::STS
     # hours. To learn how to view the maximum value for your role, see [View
     # the Maximum Session Duration Setting for a Role][5] in the *IAM User
     # Guide*. The maximum session duration limit applies when you use the
-    # `AssumeRole*` API operations or the `assume-role*` CLI operations but
-    # does not apply when you use those operations to create a console URL.
-    # For more information, see [Using IAM Roles][6] in the *IAM User
-    # Guide*.
+    # `AssumeRole*` API operations or the `assume-role*` CLI commands.
+    # However the limit does not apply when you use those operations to
+    # create a console URL. For more information, see [Using IAM Roles][6]
+    # in the *IAM User Guide*.
     #
     # The temporary security credentials created by `AssumeRole` can be used
-    # to make API calls to any AWS service with the following exception: you
-    # cannot call the STS service's `GetFederationToken` or
-    # `GetSessionToken` APIs.
-    #
-    # Optionally, you can pass an IAM access policy to this operation. If
-    # you choose not to pass a policy, the temporary security credentials
-    # that are returned by the operation have the permissions that are
-    # defined in the access policy of the role that is being assumed. If you
-    # pass a policy to this operation, the temporary security credentials
-    # that are returned by the operation have the permissions that are
-    # allowed by both the access policy of the role that is being assumed,
-    # <i> <b>and</b> </i> the policy that you pass. This gives you a way to
-    # further restrict the permissions for the resulting temporary security
-    # credentials. You cannot use the passed policy to grant permissions
-    # that are in excess of those allowed by the access policy of the role
-    # that is being assumed. For more information, see [Permissions for
-    # AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity][7] in
-    # the *IAM User Guide*.
+    # to make API calls to any AWS service with the following exception: You
+    # cannot call the AWS STS service's `GetFederationToken` or
+    # `GetSessionToken` API operations.
+    #
+    # (Optional) You can pass an IAM permissions policy to this operation.
+    # If you pass a policy to this operation, the resulting temporary
+    # credentials have the permissions of the assumed role *and* the policy
+    # that you pass. This gives you a way to further restrict the
+    # permissions for the resulting temporary security credentials. You
+    # cannot use the passed policy to grant permissions that are in excess
+    # of those allowed by the permissions policy of the role that is being
+    # assumed. For more information, see [ Permissions for AssumeRole,
+    # AssumeRoleWithSAML, and AssumeRoleWithWebIdentity ][7] in the *IAM
+    # User Guide*.
     #
     # To assume a role, your AWS account must be trusted by the role. The
     # trust relationship is defined in the role's trust policy when the
@@ -322,27 +317,31 @@ module Aws::STS
     # to delegate access to this account's role.
     #
     # The user who wants to access the role must also have permissions
-    # delegated from the role's administrator. If the user is in a
-    # different account than the role, then the user's administrator must
-    # attach a policy that allows the user to call AssumeRole on the ARN of
-    # the role in the other account. If the user is in the same account as
-    # the role, then you can either attach a policy to the user (identical
-    # to the previous different account user), or you can add the user as a
-    # principal directly in the role's trust policy. In this case, the
-    # trust policy acts as the only resource-based policy in IAM, and users
-    # in the same account as the role do not need explicit permission to
-    # assume the role. For more information about trust policies and
-    # resource-based policies, see [IAM Policies][8] in the *IAM User
-    # Guide*.
+    # delegated from the role's administrator. If the user and the role are
+    # in a different account, then the user's administrator must attach a
+    # policy. That attached policy must allow the user to call `AssumeRole`
+    # for the ARN of the role in the other account. If the user is in the
+    # same account as the role, then you can do either of the following:
+    #
+    # * Attach a policy to the user (identical to the previous user in a
+    #   different account)
+    #
+    # * Add the user as a principal directly in the role's trust policy.
+    #
+    # In this case, the trust policy acts as the only resource-based policy
+    # in IAM. Users in the same account as the role do not need explicit
+    # permission to assume the role. For more information about trust
+    # policies and resource-based policies, see [IAM Policies][8] in the
+    # *IAM User Guide*.
     #
     # **Using MFA with AssumeRole**
     #
-    # You can optionally include multi-factor authentication (MFA)
+    # (Optional) You can include multi-factor authentication (MFA)
     # information when you call `AssumeRole`. This is useful for
     # cross-account scenarios in which you want to make sure that the user
     # who is assuming the role has been authenticated using an AWS MFA
     # device. In that scenario, the trust policy of the role being assumed
-    # includes a condition that tests for MFA authentication; if the caller
+    # includes a condition that tests for MFA authentication. If the caller
     # does not include valid MFA information, the request to assume the role
     # is denied. The condition in a trust policy that tests for MFA
     # authentication might look like the following example.
@@ -355,19 +354,19 @@ module Aws::STS
     # To use MFA with `AssumeRole`, you pass values for the `SerialNumber`
     # and `TokenCode` parameters. The `SerialNumber` value identifies the
     # user's hardware or virtual MFA device. The `TokenCode` is the
-    # time-based one-time password (TOTP) that the MFA devices produces.
+    # time-based one-time password (TOTP) that the MFA device produces.
     #
     #
     #
-    # [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
-    # [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
-    # [3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/roles-toplevel.html
-    # [4]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html#sts-introduction
-    # [5]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
-    # [6]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
-    # [7]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
-    # [8]: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
-    # [9]: http://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
+    # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
+    # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/roles-toplevel.html
+    # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html#sts-introduction
+    # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
+    # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
+    # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
+    # [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
+    # [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html
     #
     # @option params [required, String] :role_arn
     #   The Amazon Resource Name (ARN) of the role to assume.
@@ -380,9 +379,9 @@ module Aws::STS
     #   cross-account scenarios, the role session name is visible to, and can
     #   be logged by the account that owns the role. The role session name is
     #   also used in the ARN of the assumed role principal. This means that
-    #   subsequent cross-account API requests using the temporary security
+    #   subsequent cross-account API requests that use the temporary security
     #   credentials will expose the role session name to the external account
-    #   in their CloudTrail logs.
+    #   in their AWS CloudTrail logs.
     #
     #   The regex used to validate this parameter is a string of characters
     #   consisting of upper- and lower-case alphanumeric characters with no
@@ -392,16 +391,15 @@ module Aws::STS
     # @option params [String] :policy
     #   An IAM policy in JSON format.
     #
-    #   This parameter is optional. If you pass a policy, the temporary
-    #   security credentials that are returned by the operation have the
-    #   permissions that are allowed by both (the intersection of) the access
-    #   policy of the role that is being assumed, *and* the policy that you
-    #   pass. This gives you a way to further restrict the permissions for the
-    #   resulting temporary security credentials. You cannot use the passed
-    #   policy to grant permissions that are in excess of those allowed by the
-    #   access policy of the role that is being assumed. For more information,
-    #   see [Permissions for AssumeRole, AssumeRoleWithSAML, and
-    #   AssumeRoleWithWebIdentity][1] in the *IAM User Guide*.
+    #   This parameter is optional. If you pass a policy to this operation,
+    #   the resulting temporary credentials have the permissions of the
+    #   assumed role *and* the policy that you pass. This gives you a way to
+    #   further restrict the permissions for the resulting temporary security
+    #   credentials. You cannot use the passed policy to grant permissions
+    #   that are in excess of those allowed by the permissions policy of the
+    #   role that is being assumed. For more information, see [ Permissions
+    #   for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity ][1]
+    #   in the *IAM User Guide*.
     #
     #   The format for this parameter, as described by its regex pattern, is a
     #   string of characters up to 2048 characters in length. The characters
@@ -410,17 +408,17 @@ module Aws::STS
     #   (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
     #   characters.
     #
-    #   <note markdown="1"> The policy plain text must be 2048 bytes or shorter. However, an
+    #   <note markdown="1"> The policy plaintext must be 2048 bytes or shorter. However, an
     #   internal conversion compresses it into a packed binary format with a
-    #   separate limit. The PackedPolicySize response element indicates by
-    #   percentage how close to the upper size limit the policy is, with 100%
-    #   equaling the maximum allowed size.
+    #   separate limit. The `PackedPolicySize` response element indicates by
+    #   percentage how close to the upper size limit the policy is, where 100
+    #   percent is the maximum allowed size.
     #
     #    </note>
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
     #
     # @option params [Integer] :duration_seconds
     #   The duration, in seconds, of the role session. The value can range
@@ -433,7 +431,7 @@ module Aws::STS
     #   see [View the Maximum Session Duration Setting for a Role][1] in the
     #   *IAM User Guide*.
     #
-    #   By default, the value is set to 3600 seconds.
+    #   By default, the value is set to `3600` seconds.
     #
     #   <note markdown="1"> The `DurationSeconds` parameter is separate from the duration of a
     #   console session that you might request using the returned credentials.
@@ -447,29 +445,30 @@ module Aws::STS
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
-    #   [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
     #
     # @option params [String] :external_id
-    #   A unique identifier that is used by third parties when assuming roles
-    #   in their customers' accounts. For each role that the third party can
-    #   assume, they should instruct their customers to ensure the role's
-    #   trust policy checks for the external ID that the third party
-    #   generated. Each time the third party assumes the role, they should
-    #   pass the customer's external ID. The external ID is useful in order
-    #   to help third parties bind a role to the customer who created it. For
-    #   more information about the external ID, see [How to Use an External ID
-    #   When Granting Access to Your AWS Resources to a Third Party][1] in the
-    #   *IAM User Guide*.
+    #   A unique identifier that might be required when you assume a role in
+    #   another account. If the administrator of the account to which the role
+    #   belongs provided you with an external ID, then provide that value in
+    #   the `ExternalId` parameter. This value can be any string, such as a
+    #   passphrase or account number. Because a cross-account role is usually
+    #   set up to trust everyone in an account, the administrator of the
+    #   trusting account might send an external ID to the administrator of the
+    #   trusted account. That way, only someone with the ID can assume the
+    #   role, rather than everyone in the account. For more information about
+    #   the external ID, see [How to Use an External ID When Granting Access
+    #   to Your AWS Resources to a Third Party][1] in the *IAM User Guide*.
     #
-    #   The regex used to validated this parameter is a string of characters
+    #   The regex used to validate this parameter is a string of characters
     #   consisting of upper- and lower-case alphanumeric characters with no
     #   spaces. You can also include underscores or any of the following
     #   characters: =,.@:/-
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
     #
     # @option params [String] :serial_number
     #   The identification number of the MFA device that is associated with
@@ -563,9 +562,9 @@ module Aws::STS
     # provides a mechanism for tying an enterprise identity store or
     # directory to role-based AWS access without user-specific credentials
     # or configuration. For a comparison of `AssumeRoleWithSAML` with the
-    # other APIs that produce temporary credentials, see [Requesting
-    # Temporary Security Credentials][1] and [Comparing the AWS STS APIs][2]
-    # in the *IAM User Guide*.
+    # other API operations that produce temporary credentials, see
+    # [Requesting Temporary Security Credentials][1] and [Comparing the AWS
+    # STS API operations][2] in the *IAM User Guide*.
     #
     # The temporary security credentials returned by this operation consist
     # of an access key ID, a secret access key, and a security token.
@@ -584,37 +583,32 @@ module Aws::STS
     # for your role, see [View the Maximum Session Duration Setting for a
     # Role][3] in the *IAM User Guide*. The maximum session duration limit
     # applies when you use the `AssumeRole*` API operations or the
-    # `assume-role*` CLI operations but does not apply when you use those
-    # operations to create a console URL. For more information, see [Using
-    # IAM Roles][4] in the *IAM User Guide*.
+    # `assume-role*` CLI commands. However the limit does not apply when you
+    # use those operations to create a console URL. For more information,
+    # see [Using IAM Roles][4] in the *IAM User Guide*.
     #
     # The temporary security credentials created by `AssumeRoleWithSAML` can
     # be used to make API calls to any AWS service with the following
     # exception: you cannot call the STS service's `GetFederationToken` or
-    # `GetSessionToken` APIs.
-    #
-    # Optionally, you can pass an IAM access policy to this operation. If
-    # you choose not to pass a policy, the temporary security credentials
-    # that are returned by the operation have the permissions that are
-    # defined in the access policy of the role that is being assumed. If you
-    # pass a policy to this operation, the temporary security credentials
-    # that are returned by the operation have the permissions that are
-    # allowed by the intersection of both the access policy of the role that
-    # is being assumed, <i> <b>and</b> </i> the policy that you pass. This
-    # means that both policies must grant the permission for the action to
-    # be allowed. This gives you a way to further restrict the permissions
-    # for the resulting temporary security credentials. You cannot use the
-    # passed policy to grant permissions that are in excess of those allowed
-    # by the access policy of the role that is being assumed. For more
-    # information, see [Permissions for AssumeRole, AssumeRoleWithSAML, and
-    # AssumeRoleWithWebIdentity][5] in the *IAM User Guide*.
+    # `GetSessionToken` API operations.
+    #
+    # Optionally, you can pass an IAM permissions policy to this operation.
+    # If you pass a policy to this operation, the resulting temporary
+    # credentials have the permissions of the assumed role *and* the policy
+    # that you pass. This gives you a way to further restrict the
+    # permissions for the resulting temporary security credentials. You
+    # cannot use the passed policy to grant permissions that are in excess
+    # of those allowed by the permissions policy of the role that is being
+    # assumed. For more information, see [ Permissions for AssumeRole,
+    # AssumeRoleWithSAML, and AssumeRoleWithWebIdentity ][5] in the *IAM
+    # User Guide*.
     #
     # Before your application can call `AssumeRoleWithSAML`, you must
     # configure your SAML identity provider (IdP) to issue the claims
     # required by AWS. Additionally, you must use AWS Identity and Access
     # Management (IAM) to create a SAML provider entity in your AWS account
-    # that represents your identity provider, and create an IAM role that
-    # specifies this SAML provider in its trust policy.
+    # that represents your identity provider. You must also create an IAM
+    # role that specifies this SAML provider in its trust policy.
     #
     # Calling `AssumeRoleWithSAML` does not require the use of AWS security
     # credentials. The identity of the caller is validated by using keys in
@@ -641,15 +635,15 @@ module Aws::STS
     #
     #
     #
-    # [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
-    # [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
-    # [3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
-    # [4]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
-    # [5]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
-    # [6]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
-    # [7]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html
-    # [8]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html
-    # [9]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
+    # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
+    # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
+    # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
+    # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
+    # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
+    # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html
+    # [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html
+    # [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html
     #
     # @option params [required, String] :role_arn
     #   The Amazon Resource Name (ARN) of the role that the caller is
@@ -663,25 +657,24 @@ module Aws::STS
     #   The base-64 encoded SAML authentication response provided by the IdP.
     #
     #   For more information, see [Configuring a Relying Party and Adding
-    #   Claims][1] in the *Using IAM* guide.
+    #   Claims][1] in the *IAM User Guide*.
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html
     #
     # @option params [String] :policy
     #   An IAM policy in JSON format.
     #
-    #   The policy parameter is optional. If you pass a policy, the temporary
-    #   security credentials that are returned by the operation have the
-    #   permissions that are allowed by both the access policy of the role
-    #   that is being assumed, <i> <b>and</b> </i> the policy that you pass.
-    #   This gives you a way to further restrict the permissions for the
-    #   resulting temporary security credentials. You cannot use the passed
-    #   policy to grant permissions that are in excess of those allowed by the
-    #   access policy of the role that is being assumed. For more information,
-    #   [Permissions for AssumeRole, AssumeRoleWithSAML, and
-    #   AssumeRoleWithWebIdentity][1] in the *IAM User Guide*.
+    #   The policy parameter is optional. If you pass a policy to this
+    #   operation, the resulting temporary credentials have the permissions of
+    #   the assumed role *and* the policy that you pass. This gives you a way
+    #   to further restrict the permissions for the resulting temporary
+    #   security credentials. You cannot use the passed policy to grant
+    #   permissions that are in excess of those allowed by the permissions
+    #   policy of the role that is being assumed. For more information, see [
+    #   Permissions for AssumeRole, AssumeRoleWithSAML, and
+    #   AssumeRoleWithWebIdentity ][1] in the *IAM User Guide*.
     #
     #   The format for this parameter, as described by its regex pattern, is a
     #   string of characters up to 2048 characters in length. The characters
@@ -690,17 +683,17 @@ module Aws::STS
     #   (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
     #   characters.
     #
-    #   <note markdown="1"> The policy plain text must be 2048 bytes or shorter. However, an
+    #   <note markdown="1"> The policy plaintext must be 2048 bytes or shorter. However, an
     #   internal conversion compresses it into a packed binary format with a
-    #   separate limit. The PackedPolicySize response element indicates by
-    #   percentage how close to the upper size limit the policy is, with 100%
-    #   equaling the maximum allowed size.
+    #   separate limit. The `PackedPolicySize` response element indicates by
+    #   percentage how close to the upper size limit the policy is, where 100
+    #   percent is the maximum allowed size.
     #
     #    </note>
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
     #
     # @option params [Integer] :duration_seconds
     #   The duration, in seconds, of the role session. Your role session lasts
@@ -716,7 +709,7 @@ module Aws::STS
     #   maximum value for your role, see [View the Maximum Session Duration
     #   Setting for a Role][1] in the *IAM User Guide*.
     #
-    #   By default, the value is set to 3600 seconds.
+    #   By default, the value is set to `3600` seconds.
     #
     #   <note markdown="1"> The `DurationSeconds` parameter is separate from the duration of a
     #   console session that you might request using the returned credentials.
@@ -730,8 +723,8 @@ module Aws::STS
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
-    #   [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
     #
     # @return [Types::AssumeRoleWithSAMLResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -780,13 +773,14 @@ module Aws::STS
 
     # Returns a set of temporary security credentials for users who have
     # been authenticated in a mobile or web application with a web identity
-    # provider, such as Amazon Cognito, Login with Amazon, Facebook, Google,
-    # or any OpenID Connect-compatible identity provider.
+    # provider. Example providers include Amazon Cognito, Login with Amazon,
+    # Facebook, Google, or any OpenID Connect-compatible identity provider.
     #
     # <note markdown="1"> For mobile applications, we recommend that you use Amazon Cognito. You
-    # can use Amazon Cognito with the [AWS SDK for iOS][1] and the [AWS SDK
-    # for Android][2] to uniquely identify a user and supply the user with a
-    # consistent identity throughout the lifetime of an application.
+    # can use Amazon Cognito with the [AWS SDK for iOS Developer Guide][1]
+    # and the [AWS SDK for Android Developer Guide][2] to uniquely identify
+    # a user. You can also supply the user with a consistent identity
+    # throughout the lifetime of an application.
     #
     #  To learn more about Amazon Cognito, see [Amazon Cognito Overview][3]
     # in the *AWS SDK for Android Developer Guide* guide and [Amazon Cognito
@@ -798,18 +792,18 @@ module Aws::STS
     # security credentials. Therefore, you can distribute an application
     # (for example, on mobile devices) that requests temporary security
     # credentials without including long-term AWS credentials in the
-    # application, and without deploying server-based proxy services that
-    # use long-term AWS credentials. Instead, the identity of the caller is
-    # validated by using a token from the web identity provider. For a
-    # comparison of `AssumeRoleWithWebIdentity` with the other APIs that
-    # produce temporary credentials, see [Requesting Temporary Security
-    # Credentials][5] and [Comparing the AWS STS APIs][6] in the *IAM User
-    # Guide*.
+    # application. You also don't need to deploy server-based proxy
+    # services that use long-term AWS credentials. Instead, the identity of
+    # the caller is validated by using a token from the web identity
+    # provider. For a comparison of `AssumeRoleWithWebIdentity` with the
+    # other API operations that produce temporary credentials, see
+    # [Requesting Temporary Security Credentials][5] and [Comparing the AWS
+    # STS API operations][6] in the *IAM User Guide*.
     #
     # The temporary security credentials returned by this API consist of an
     # access key ID, a secret access key, and a security token. Applications
     # can use these temporary security credentials to sign calls to AWS
-    # service APIs.
+    # service API operations.
     #
     # By default, the temporary security credentials created by
     # `AssumeRoleWithWebIdentity` last for one hour. However, you can use
@@ -820,29 +814,25 @@ module Aws::STS
     # value for your role, see [View the Maximum Session Duration Setting
     # for a Role][7] in the *IAM User Guide*. The maximum session duration
     # limit applies when you use the `AssumeRole*` API operations or the
-    # `assume-role*` CLI operations but does not apply when you use those
-    # operations to create a console URL. For more information, see [Using
-    # IAM Roles][8] in the *IAM User Guide*.
+    # `assume-role*` CLI commands. However the limit does not apply when you
+    # use those operations to create a console URL. For more information,
+    # see [Using IAM Roles][8] in the *IAM User Guide*.
     #
     # The temporary security credentials created by
     # `AssumeRoleWithWebIdentity` can be used to make API calls to any AWS
     # service with the following exception: you cannot call the STS
-    # service's `GetFederationToken` or `GetSessionToken` APIs.
-    #
-    # Optionally, you can pass an IAM access policy to this operation. If
-    # you choose not to pass a policy, the temporary security credentials
-    # that are returned by the operation have the permissions that are
-    # defined in the access policy of the role that is being assumed. If you
-    # pass a policy to this operation, the temporary security credentials
-    # that are returned by the operation have the permissions that are
-    # allowed by both the access policy of the role that is being assumed,
-    # <i> <b>and</b> </i> the policy that you pass. This gives you a way to
-    # further restrict the permissions for the resulting temporary security
-    # credentials. You cannot use the passed policy to grant permissions
-    # that are in excess of those allowed by the access policy of the role
-    # that is being assumed. For more information, see [Permissions for
-    # AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity][9] in
-    # the *IAM User Guide*.
+    # service's `GetFederationToken` or `GetSessionToken` API operations.
+    #
+    # (Optional) You can pass an IAM permissions policy to this operation.
+    # If you pass a policy to this operation, the resulting temporary
+    # credentials have the permissions of the assumed role *and* the policy
+    # that you pass. This gives you a way to further restrict the
+    # permissions for the resulting temporary security credentials. You
+    # cannot use the passed policy to grant permissions that are in excess
+    # of those allowed by the permissions policy of the role that is being
+    # assumed. For more information, see [ Permissions for AssumeRole,
+    # AssumeRoleWithSAML, and AssumeRoleWithWebIdentity ][9] in the *IAM
+    # User Guide*.
     #
     # Before your application can call `AssumeRoleWithWebIdentity`, you must
     # have an identity token from a supported identity provider and create a
@@ -861,18 +851,19 @@ module Aws::STS
     # For more information about how to use web identity federation and the
     # `AssumeRoleWithWebIdentity` API, see the following resources:
     #
-    # * [Using Web Identity Federation APIs for Mobile Apps][12] and
-    #   [Federation Through a Web-based Identity Provider][13].
+    # * [Using Web Identity Federation API Operations for Mobile Apps][12]
+    #   and [Federation Through a Web-based Identity Provider][13].
     #
-    # * [ Web Identity Federation Playground][14]. This interactive website
-    #   lets you walk through the process of authenticating via Login with
-    #   Amazon, Facebook, or Google, getting temporary security credentials,
-    #   and then using those credentials to make a request to AWS.
+    # * [ Web Identity Federation Playground][14]. Walk through the process
+    #   of authenticating through Login with Amazon, Facebook, or Google,
+    #   getting temporary security credentials, and then using those
+    #   credentials to make a request to AWS.
     #
-    # * [AWS SDK for iOS][1] and [AWS SDK for Android][2]. These toolkits
-    #   contain sample apps that show how to invoke the identity providers,
-    #   and then how to use the information from these providers to get and
-    #   use temporary security credentials.
+    # * [AWS SDK for iOS Developer Guide][1] and [AWS SDK for Android
+    #   Developer Guide][2]. These toolkits contain sample apps that show
+    #   how to invoke the identity providers, and then how to use the
+    #   information from these providers to get and use temporary security
+    #   credentials.
     #
     # * [Web Identity Federation with Mobile Applications][15]. This article
     #   discusses web identity federation and shows an example of how to use
@@ -882,17 +873,17 @@ module Aws::STS
     #
     # [1]: http://aws.amazon.com/sdkforios/
     # [2]: http://aws.amazon.com/sdkforandroid/
-    # [3]: http://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840
-    # [4]: http://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664
-    # [5]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
-    # [6]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
-    # [7]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
-    # [8]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
-    # [9]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
+    # [3]: https://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840
+    # [4]: https://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664
+    # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
+    # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
+    # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
+    # [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
+    # [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
     # [10]: http://openid.net/specs/openid-connect-core-1_0.html#Claims
     # [11]: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
-    # [12]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html
-    # [13]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
+    # [12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html
+    # [13]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
     # [14]: https://web-identity-federation-playground.s3.amazonaws.com/index.html
     # [15]: http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications
     #
@@ -934,16 +925,15 @@ module Aws::STS
     # @option params [String] :policy
     #   An IAM policy in JSON format.
     #
-    #   The policy parameter is optional. If you pass a policy, the temporary
-    #   security credentials that are returned by the operation have the
-    #   permissions that are allowed by both the access policy of the role
-    #   that is being assumed, <i> <b>and</b> </i> the policy that you pass.
-    #   This gives you a way to further restrict the permissions for the
-    #   resulting temporary security credentials. You cannot use the passed
-    #   policy to grant permissions that are in excess of those allowed by the
-    #   access policy of the role that is being assumed. For more information,
-    #   see [Permissions for AssumeRoleWithWebIdentity][1] in the *IAM User
-    #   Guide*.
+    #   The policy parameter is optional. If you pass a policy to this
+    #   operation, the resulting temporary credentials have the permissions of
+    #   the assumed role *and* the policy that you pass. This gives you a way
+    #   to further restrict the permissions for the resulting temporary
+    #   security credentials. You cannot use the passed policy to grant
+    #   permissions that are in excess of those allowed by the permissions
+    #   policy of the role that is being assumed. For more information, see [
+    #   Permissions for AssumeRole, AssumeRoleWithSAML, and
+    #   AssumeRoleWithWebIdentity ][1] in the *IAM User Guide*.
     #
     #   The format for this parameter, as described by its regex pattern, is a
     #   string of characters up to 2048 characters in length. The characters
@@ -952,17 +942,17 @@ module Aws::STS
     #   (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
     #   characters.
     #
-    #   <note markdown="1"> The policy plain text must be 2048 bytes or shorter. However, an
+    #   <note markdown="1"> The policy plaintext must be 2048 bytes or shorter. However, an
     #   internal conversion compresses it into a packed binary format with a
-    #   separate limit. The PackedPolicySize response element indicates by
-    #   percentage how close to the upper size limit the policy is, with 100%
-    #   equaling the maximum allowed size.
+    #   separate limit. The `PackedPolicySize` response element indicates by
+    #   percentage how close to the upper size limit the policy is, where 100
+    #   percent is the maximum allowed size.
     #
     #    </note>
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
     #
     # @option params [Integer] :duration_seconds
     #   The duration, in seconds, of the role session. The value can range
@@ -975,7 +965,7 @@ module Aws::STS
     #   see [View the Maximum Session Duration Setting for a Role][1] in the
     #   *IAM User Guide*.
     #
-    #   By default, the value is set to 3600 seconds.
+    #   By default, the value is set to `3600` seconds.
     #
     #   <note markdown="1"> The `DurationSeconds` parameter is separate from the duration of a
     #   console session that you might request using the returned credentials.
@@ -989,8 +979,8 @@ module Aws::STS
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
-    #   [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
     #
     # @return [Types::AssumeRoleWithWebIdentityResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -1067,21 +1057,22 @@ module Aws::STS
     # request from an encoded message returned in response to an AWS
     # request.
     #
-    # For example, if a user is not authorized to perform an action that he
-    # or she has requested, the request returns a
+    # For example, if a user is not authorized to perform an operation that
+    # he or she has requested, the request returns a
     # `Client.UnauthorizedOperation` response (an HTTP 403 response). Some
-    # AWS actions additionally return an encoded message that can provide
+    # AWS operations additionally return an encoded message that can provide
     # details about this authorization failure.
     #
-    # <note markdown="1"> Only certain AWS actions return an encoded authorization message. The
-    # documentation for an individual action indicates whether that action
-    # returns an encoded message in addition to returning an HTTP code.
+    # <note markdown="1"> Only certain AWS operations return an encoded authorization message.
+    # The documentation for an individual operation indicates whether that
+    # operation returns an encoded message in addition to returning an HTTP
+    # code.
     #
     #  </note>
     #
     # The message is encoded because the details of the authorization status
     # can constitute privileged information that the user who requested the
-    # action should not see. To decode an authorization status message, a
+    # operation should not see. To decode an authorization status message, a
     # user must be granted permissions via an IAM policy to request the
     # `DecodeAuthorizationMessage` (`sts:DecodeAuthorizationMessage`)
     # action.
@@ -1102,7 +1093,7 @@ module Aws::STS
     #
     #
     #
-    # [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow
     #
     # @option params [required, String] :encoded_message
     #   The encoded message that was returned with the response.
@@ -1216,97 +1207,70 @@ module Aws::STS
     # access key ID, a secret access key, and a security token) for a
     # federated user. A typical use is in a proxy application that gets
     # temporary security credentials on behalf of distributed applications
-    # inside a corporate network. Because you must call the
-    # `GetFederationToken` action using the long-term security credentials
-    # of an IAM user, this call is appropriate in contexts where those
-    # credentials can be safely stored, usually in a server-based
-    # application. For a comparison of `GetFederationToken` with the other
-    # APIs that produce temporary credentials, see [Requesting Temporary
-    # Security Credentials][1] and [Comparing the AWS STS APIs][2] in the
+    # inside a corporate network. You must call the `GetFederationToken`
+    # operation using the long-term security credentials of an IAM user. As
+    # a result, this call is appropriate in contexts where those credentials
+    # can be safely stored, usually in a server-based application. For a
+    # comparison of `GetFederationToken` with the other API operations that
+    # produce temporary credentials, see [Requesting Temporary Security
+    # Credentials][1] and [Comparing the AWS STS API operations][2] in the
     # *IAM User Guide*.
     #
-    # <note markdown="1"> If you are creating a mobile-based or browser-based app that can
+    # <note markdown="1"> You can create a mobile-based or browser-based app that can
     # authenticate users using a web identity provider like Login with
     # Amazon, Facebook, Google, or an OpenID Connect-compatible identity
-    # provider, we recommend that you use [Amazon Cognito][3] or
-    # `AssumeRoleWithWebIdentity`. For more information, see [Federation
+    # provider. In this case, we recommend that you use [Amazon Cognito][3]
+    # or `AssumeRoleWithWebIdentity`. For more information, see [Federation
     # Through a Web-based Identity Provider][4].
     #
     #  </note>
     #
-    # The `GetFederationToken` action must be called by using the long-term
-    # AWS security credentials of an IAM user. You can also call
-    # `GetFederationToken` using the security credentials of an AWS root
-    # account, but we do not recommended it. Instead, we recommend that you
-    # create an IAM user for the purpose of the proxy application and then
-    # attach a policy to the IAM user that limits federated users to only
-    # the actions and resources that they need access to. For more
-    # information, see [IAM Best Practices][5] in the *IAM User Guide*.
-    #
-    # The temporary security credentials that are obtained by using the
-    # long-term credentials of an IAM user are valid for the specified
-    # duration, from 900 seconds (15 minutes) up to a maximium of 129600
-    # seconds (36 hours). The default is 43200 seconds (12 hours). Temporary
-    # credentials that are obtained by using AWS root account credentials
-    # have a maximum duration of 3600 seconds (1 hour).
+    # You can also call `GetFederationToken` using the security credentials
+    # of an AWS account root user, but we do not recommend it. Instead, we
+    # recommend that you create an IAM user for the purpose of the proxy
+    # application. Then attach a policy to the IAM user that limits
+    # federated users to only the actions and resources that they need to
+    # access. For more information, see [IAM Best Practices][5] in the *IAM
+    # User Guide*.
+    #
+    # The temporary credentials are valid for the specified duration, from
+    # 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36
+    # hours). The default is 43,200 seconds (12 hours). Temporary
+    # credentials that are obtained by using AWS account root user
+    # credentials have a maximum duration of 3,600 seconds (1 hour).
     #
     # The temporary security credentials created by `GetFederationToken` can
     # be used to make API calls to any AWS service with the following
     # exceptions:
     #
-    # * You cannot use these credentials to call any IAM APIs.
+    # * You cannot use these credentials to call any IAM API operations.
     #
-    # * You cannot call any STS APIs except `GetCallerIdentity`.
+    # * You cannot call any STS API operations except `GetCallerIdentity`.
     #
     # **Permissions**
     #
-    # The permissions for the temporary security credentials returned by
-    # `GetFederationToken` are determined by a combination of the following:
-    #
-    # * The policy or policies that are attached to the IAM user whose
-    #   credentials are used to call `GetFederationToken`.
-    #
-    # * The policy that is passed as a parameter in the call.
-    #
-    # The passed policy is attached to the temporary security credentials
-    # that result from the `GetFederationToken` API call--that is, to the
-    # *federated user*. When the federated user makes an AWS request, AWS
-    # evaluates the policy attached to the federated user in combination
-    # with the policy or policies attached to the IAM user whose credentials
-    # were used to call `GetFederationToken`. AWS allows the federated
-    # user's request only when both the federated user <i> <b>and</b> </i>
-    # the IAM user are explicitly allowed to perform the requested action.
-    # The passed policy cannot grant more permissions than those that are
-    # defined in the IAM user policy.
-    #
-    # A typical use case is that the permissions of the IAM user whose
-    # credentials are used to call `GetFederationToken` are designed to
-    # allow access to all the actions and resources that any federated user
-    # will need. Then, for individual users, you pass a policy to the
-    # operation that scopes down the permissions to a level that's
-    # appropriate to that individual user, using a policy that allows only a
-    # subset of permissions that are granted to the IAM user.
-    #
-    # If you do not pass a policy, the resulting temporary security
-    # credentials have no effective permissions. The only exception is when
-    # the temporary security credentials are used to access a resource that
-    # has a resource-based policy that specifically allows the federated
-    # user to access the resource.
-    #
-    # For more information about how permissions work, see [Permissions for
-    # GetFederationToken][6]. For information about using
+    # You must pass an IAM permissions policy to `GetFederationToken`. When
+    # you pass a policy to this operation, the resulting temporary
+    # credentials are defined by the intersection of your IAM user policies
+    # and the passed policy . The passed policy defines the permissions of
+    # the *federated user*. AWS allows the federated user's request only
+    # when both the attached policy and the IAM user policy explicitly allow
+    # the federated user to perform the requested action. The passed policy
+    # cannot grant more permissions than those that are defined in the IAM
+    # user policy. For more information about how permissions work, see
+    # [Permissions for GetFederationToken][6]. For information about using
     # `GetFederationToken` to create temporary security credentials, see
     # [GetFederationToken—Federation Through a Custom Identity Broker][7].
     #
     #
     #
-    # [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
-    # [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
+    # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
     # [3]: http://aws.amazon.com/cognito/
-    # [4]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
-    # [5]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
-    # [6]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html
-    # [7]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken
+    # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
+    # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
+    # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html
+    # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken
     #
     # @option params [required, String] :name
     #   The name of the federated user. The name is used as an identifier for
@@ -1320,22 +1284,15 @@ module Aws::STS
     #   characters: =,.@-
     #
     # @option params [String] :policy
-    #   An IAM policy in JSON format that is passed with the
-    #   `GetFederationToken` call and evaluated along with the policy or
-    #   policies that are attached to the IAM user whose credentials are used
-    #   to call `GetFederationToken`. The passed policy is used to scope down
-    #   the permissions that are available to the IAM user, by allowing only a
-    #   subset of the permissions that are granted to the IAM user. The passed
-    #   policy cannot grant more permissions than those granted to the IAM
-    #   user. The final permissions for the federated user are the most
-    #   restrictive set based on the intersection of the passed policy and the
-    #   IAM user policy.
-    #
-    #   If you do not pass a policy, the resulting temporary security
-    #   credentials have no effective permissions. The only exception is when
-    #   the temporary security credentials are used to access a resource that
-    #   has a resource-based policy that specifically allows the federated
-    #   user to access the resource.
+    #   An IAM policy in JSON format. You must pass an IAM permissions policy
+    #   to `GetFederationToken`. When you pass a policy to this operation, the
+    #   resulting temporary credentials are defined by the intersection of
+    #   your IAM user policies and the policy that you pass. The passed policy
+    #   defines the permissions of the *federated user*. AWS allows the
+    #   federated user's request only when both the attached policy and the
+    #   IAM user policy explicitly allow the federated user to perform the
+    #   requested action. The passed policy cannot grant more permissions than
+    #   those that are defined in the IAM user policy.
     #
     #   The format for this parameter, as described by its regex pattern, is a
     #   string of characters up to 2048 characters in length. The characters
@@ -1344,11 +1301,11 @@ module Aws::STS
     #   (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
     #   characters.
     #
-    #   <note markdown="1"> The policy plain text must be 2048 bytes or shorter. However, an
+    #   <note markdown="1"> The policy plaintext must be 2048 bytes or shorter. However, an
     #   internal conversion compresses it into a packed binary format with a
-    #   separate limit. The PackedPolicySize response element indicates by
-    #   percentage how close to the upper size limit the policy is, with 100%
-    #   equaling the maximum allowed size.
+    #   separate limit. The `PackedPolicySize` response element indicates by
+    #   percentage how close to the upper size limit the policy is, where 100
+    #   percent is the maximum allowed size.
     #
     #    </note>
     #
@@ -1357,16 +1314,16 @@ module Aws::STS
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html
     #
     # @option params [Integer] :duration_seconds
     #   The duration, in seconds, that the session should last. Acceptable
     #   durations for federation sessions range from 900 seconds (15 minutes)
-    #   to 129600 seconds (36 hours), with 43200 seconds (12 hours) as the
-    #   default. Sessions obtained using AWS account (root) credentials are
-    #   restricted to a maximum of 3600 seconds (one hour). If the specified
-    #   duration is longer than one hour, the session obtained by using AWS
-    #   account (root) credentials defaults to one hour.
+    #   to 129,600 seconds (36 hours), with 43,200 seconds (12 hours) as the
+    #   default. Sessions obtained using AWS account root user credentials are
+    #   restricted to a maximum of 3,600 seconds (one hour). If the specified
+    #   duration is longer than one hour, the session obtained by using root
+    #   user credentials defaults to one hour.
     #
     # @return [Types::GetFederationTokenResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -1428,50 +1385,52 @@ module Aws::STS
     # Returns a set of temporary credentials for an AWS account or IAM user.
     # The credentials consist of an access key ID, a secret access key, and
     # a security token. Typically, you use `GetSessionToken` if you want to
-    # use MFA to protect programmatic calls to specific AWS APIs like Amazon
-    # EC2 `StopInstances`. MFA-enabled IAM users would need to call
-    # `GetSessionToken` and submit an MFA code that is associated with their
-    # MFA device. Using the temporary security credentials that are returned
-    # from the call, IAM users can then make programmatic calls to APIs that
-    # require MFA authentication. If you do not supply a correct MFA code,
-    # then the API returns an access denied error. For a comparison of
-    # `GetSessionToken` with the other APIs that produce temporary
-    # credentials, see [Requesting Temporary Security Credentials][1] and
-    # [Comparing the AWS STS APIs][2] in the *IAM User Guide*.
-    #
-    # The `GetSessionToken` action must be called by using the long-term AWS
-    # security credentials of the AWS account or an IAM user. Credentials
-    # that are created by IAM users are valid for the duration that you
-    # specify, from 900 seconds (15 minutes) up to a maximum of 129600
-    # seconds (36 hours), with a default of 43200 seconds (12 hours);
-    # credentials that are created by using account credentials can range
-    # from 900 seconds (15 minutes) up to a maximum of 3600 seconds (1
-    # hour), with a default of 1 hour.
+    # use MFA to protect programmatic calls to specific AWS API operations
+    # like Amazon EC2 `StopInstances`. MFA-enabled IAM users would need to
+    # call `GetSessionToken` and submit an MFA code that is associated with
+    # their MFA device. Using the temporary security credentials that are
+    # returned from the call, IAM users can then make programmatic calls to
+    # API operations that require MFA authentication. If you do not supply a
+    # correct MFA code, then the API returns an access denied error. For a
+    # comparison of `GetSessionToken` with the other API operations that
+    # produce temporary credentials, see [Requesting Temporary Security
+    # Credentials][1] and [Comparing the AWS STS API operations][2] in the
+    # *IAM User Guide*.
+    #
+    # The `GetSessionToken` operation must be called by using the long-term
+    # AWS security credentials of the AWS account or an IAM user.
+    # Credentials that are created by IAM users are valid for the duration
+    # that you specify. This duration can range from 900 seconds (15
+    # minutes) up to a maximum of 129,600 seconds (36 hours), with a default
+    # of 43,200 seconds (12 hours). Credentials that are created by using
+    # account credentials can range from 900 seconds (15 minutes) up to a
+    # maximum of 3,600 seconds (1 hour), with a default of 1 hour.
     #
     # The temporary security credentials created by `GetSessionToken` can be
     # used to make API calls to any AWS service with the following
     # exceptions:
     #
-    # * You cannot call any IAM APIs unless MFA authentication information
-    #   is included in the request.
+    # * You cannot call any IAM API operations unless MFA authentication
+    #   information is included in the request.
     #
     # * You cannot call any STS API *except* `AssumeRole` or
     #   `GetCallerIdentity`.
     #
-    # <note markdown="1"> We recommend that you do not call `GetSessionToken` with root account
-    # credentials. Instead, follow our [best practices][3] by creating one
-    # or more IAM users, giving them the necessary permissions, and using
-    # IAM users for everyday interaction with AWS.
+    # <note markdown="1"> We recommend that you do not call `GetSessionToken` with AWS account
+    # root user credentials. Instead, follow our [best practices][3] by
+    # creating one or more IAM users, giving them the necessary permissions,
+    # and using IAM users for everyday interaction with AWS.
     #
     #  </note>
     #
     # The permissions associated with the temporary security credentials
     # returned by `GetSessionToken` are based on the permissions associated
     # with account or IAM user whose credentials are used to call the
-    # action. If `GetSessionToken` is called using root account credentials,
-    # the temporary credentials have root account permissions. Similarly, if
-    # `GetSessionToken` is called using the credentials of an IAM user, the
-    # temporary credentials have the same permissions as the IAM user.
+    # operation. If `GetSessionToken` is called using AWS account root user
+    # credentials, the temporary credentials have root user permissions.
+    # Similarly, if `GetSessionToken` is called using the credentials of an
+    # IAM user, the temporary credentials have the same permissions as the
+    # IAM user.
     #
     # For more information about using `GetSessionToken` to create temporary
     # credentials, go to [Temporary Credentials for Users in Untrusted
@@ -1479,18 +1438,18 @@ module Aws::STS
     #
     #
     #
-    # [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
-    # [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
-    # [3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users
-    # [4]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
+    # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
+    # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users
+    # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken
     #
     # @option params [Integer] :duration_seconds
     #   The duration, in seconds, that the credentials should remain valid.
     #   Acceptable durations for IAM user sessions range from 900 seconds (15
-    #   minutes) to 129600 seconds (36 hours), with 43200 seconds (12 hours)
+    #   minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12 hours)
     #   as the default. Sessions for AWS account owners are restricted to a
-    #   maximum of 3600 seconds (one hour). If the duration is longer than one
-    #   hour, the session for AWS account owners defaults to one hour.
+    #   maximum of 3,600 seconds (one hour). If the duration is longer than
+    #   one hour, the session for AWS account owners defaults to one hour.
     #
     # @option params [String] :serial_number
     #   The identification number of the MFA device that is associated with
@@ -1502,7 +1461,7 @@ module Aws::STS
     #   device for an IAM user by going to the AWS Management Console and
     #   viewing the user's security credentials.
     #
-    #   The regex used to validated this parameter is a string of characters
+    #   The regex used to validate this parameter is a string of characters
     #   consisting of upper- and lower-case alphanumeric characters with no
     #   spaces. You can also include underscores or any of the following
     #   characters: =,.@:/-
@@ -1510,9 +1469,9 @@ module Aws::STS
     # @option params [String] :token_code
     #   The value provided by the MFA device, if MFA is required. If any
     #   policy requires the IAM user to submit an MFA code, specify this
-    #   value. If MFA authentication is required, and the user does not
-    #   provide a code when requesting a set of temporary security
-    #   credentials, the user will receive an "access denied" response when
+    #   value. If MFA authentication is required, the user must provide a code
+    #   when requesting a set of temporary security credentials. A user who
+    #   fails to provide the code receives an "access denied" response when
     #   requesting resources that require MFA authentication.
     #
     #   The format for this parameter, as described by its regex pattern, is a
@@ -1578,7 +1537,7 @@ module Aws::STS
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-core'
-      context[:gem_version] = '3.49.0'
+      context[:gem_version] = '3.50.0'
       Seahorse::Client::Request.new(handlers, context)
     end