aws-sdk-core 3.54.2 → 3.126.0

data/lib/aws-sdk-sts/types.rb

@@ -1,7 +1,9 @@
+# frozen_string_literal: true
+
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
-# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
+# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
 #
 # WARNING ABOUT GENERATED CODE
 
@@ -21,9 +23,17 @@ module Aws::STS
     #         ],
     #         policy: "sessionPolicyDocumentType",
     #         duration_seconds: 1,
+    #         tags: [
+    #           {
+    #             key: "tagKeyType", # required
+    #             value: "tagValueType", # required
+    #           },
+    #         ],
+    #         transitive_tag_keys: ["tagKeyType"],
     #         external_id: "externalIdType",
     #         serial_number: "serialNumberType",
     #         token_code: "tokenCodeType",
+    #         source_identity: "sourceIdentityType",
     #       }
     #
     # @!attribute [rw] role_arn
@@ -40,7 +50,7 @@ module Aws::STS
     #   role session name is also used in the ARN of the assumed role
     #   principal. This means that subsequent cross-account API requests
     #   that use the temporary security credentials will expose the role
-    #   session name to the external account in their AWS CloudTrail logs.
+    #   session name to the external account in their CloudTrail logs.
     #
     #   The regex used to validate this parameter is a string of characters
     #   consisting of upper- and lower-case alphanumeric characters with no
@@ -54,18 +64,18 @@ module Aws::STS
     #   in the same account as the role.
     #
     #   This parameter is optional. You can provide up to 10 managed policy
-    #   ARNs. However, the plain text that you use for both inline and
-    #   managed session policies shouldn't exceed 2048 characters. For more
-    #   information about ARNs, see [Amazon Resource Names (ARNs) and AWS
-    #   Service Namespaces](general/latest/gr/aws-arns-and-namespaces.html)
-    #   in the AWS General Reference.
-    #
-    #   <note markdown="1"> The characters in this parameter count towards the 2048 character
-    #   session policy guideline. However, an AWS conversion compresses the
-    #   session policies into a packed binary format that has a separate
-    #   limit. This is the enforced limit. The `PackedPolicySize` response
-    #   element indicates by percentage how close the policy is to the upper
-    #   size limit.
+    #   ARNs. However, the plaintext that you use for both inline and
+    #   managed session policies can't exceed 2,048 characters. For more
+    #   information about ARNs, see [Amazon Resource Names (ARNs) and Amazon
+    #   Web Services Service Namespaces][1] in the Amazon Web Services
+    #   General Reference.
+    #
+    #   <note markdown="1"> An Amazon Web Services conversion compresses the passed session
+    #   policies and session tags into a packed binary format that has a
+    #   separate limit. Your request can fail for this limit even if your
+    #   plaintext meets the other requirements. The `PackedPolicySize`
+    #   response element indicates by percentage how close the policies and
+    #   tags for your request are to the upper size limit.
     #
     #    </note>
     #
@@ -73,15 +83,16 @@ module Aws::STS
     #   credentials. The resulting session's permissions are the
     #   intersection of the role's identity-based policy and the session
     #   policies. You can use the role's temporary credentials in
-    #   subsequent AWS API calls to access resources in the account that
-    #   owns the role. You cannot use session policies to grant more
-    #   permissions than those allowed by the identity-based policy of the
-    #   role that is being assumed. For more information, see [Session
-    #   Policies][1] in the *IAM User Guide*.
+    #   subsequent Amazon Web Services API calls to access resources in the
+    #   account that owns the role. You cannot use session policies to grant
+    #   more permissions than those allowed by the identity-based policy of
+    #   the role that is being assumed. For more information, see [Session
+    #   Policies][2] in the *IAM User Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+    #   [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
     #   @return [Array<Types::PolicyDescriptorType>]
     #
     # @!attribute [rw] policy
@@ -92,25 +103,25 @@ module Aws::STS
     #   returns new temporary credentials. The resulting session's
     #   permissions are the intersection of the role's identity-based
     #   policy and the session policies. You can use the role's temporary
-    #   credentials in subsequent AWS API calls to access resources in the
-    #   account that owns the role. You cannot use session policies to grant
-    #   more permissions than those allowed by the identity-based policy of
-    #   the role that is being assumed. For more information, see [Session
-    #   Policies][1] in the *IAM User Guide*.
-    #
-    #   The plain text that you use for both inline and managed session
-    #   policies shouldn't exceed 2048 characters. The JSON policy
-    #   characters can be any ASCII character from the space character to
-    #   the end of the valid character list (\\u0020 through \\u00FF). It
-    #   can also include the tab (\\u0009), linefeed (\\u000A), and carriage
-    #   return (\\u000D) characters.
-    #
-    #   <note markdown="1"> The characters in this parameter count towards the 2048 character
-    #   session policy guideline. However, an AWS conversion compresses the
-    #   session policies into a packed binary format that has a separate
-    #   limit. This is the enforced limit. The `PackedPolicySize` response
-    #   element indicates by percentage how close the policy is to the upper
-    #   size limit.
+    #   credentials in subsequent Amazon Web Services API calls to access
+    #   resources in the account that owns the role. You cannot use session
+    #   policies to grant more permissions than those allowed by the
+    #   identity-based policy of the role that is being assumed. For more
+    #   information, see [Session Policies][1] in the *IAM User Guide*.
+    #
+    #   The plaintext that you use for both inline and managed session
+    #   policies can't exceed 2,048 characters. The JSON policy characters
+    #   can be any ASCII character from the space character to the end of
+    #   the valid character list (\\u0020 through \\u00FF). It can also
+    #   include the tab (\\u0009), linefeed (\\u000A), and carriage return
+    #   (\\u000D) characters.
+    #
+    #   <note markdown="1"> An Amazon Web Services conversion compresses the passed session
+    #   policies and session tags into a packed binary format that has a
+    #   separate limit. Your request can fail for this limit even if your
+    #   plaintext meets the other requirements. The `PackedPolicySize`
+    #   response element indicates by percentage how close the policies and
+    #   tags for your request are to the upper size limit.
     #
     #    </note>
     #
@@ -120,15 +131,26 @@ module Aws::STS
     #   @return [String]
     #
     # @!attribute [rw] duration_seconds
-    #   The duration, in seconds, of the role session. The value can range
-    #   from 900 seconds (15 minutes) up to the maximum session duration
-    #   setting for the role. This setting can have a value from 1 hour to
-    #   12 hours. If you specify a value higher than this setting, the
-    #   operation fails. For example, if you specify a session duration of
-    #   12 hours, but your administrator set the maximum session duration to
-    #   6 hours, your operation fails. To learn how to view the maximum
-    #   value for your role, see [View the Maximum Session Duration Setting
-    #   for a Role][1] in the *IAM User Guide*.
+    #   The duration, in seconds, of the role session. The value specified
+    #   can range from 900 seconds (15 minutes) up to the maximum session
+    #   duration set for the role. The maximum session duration setting can
+    #   have a value from 1 hour to 12 hours. If you specify a value higher
+    #   than this setting or the administrator setting (whichever is lower),
+    #   the operation fails. For example, if you specify a session duration
+    #   of 12 hours, but your administrator set the maximum session duration
+    #   to 6 hours, your operation fails.
+    #
+    #   Role chaining limits your Amazon Web Services CLI or Amazon Web
+    #   Services API role session to a maximum of one hour. When you use the
+    #   `AssumeRole` API operation to assume a role, you can specify the
+    #   duration of your role session with the `DurationSeconds` parameter.
+    #   You can specify a parameter value of up to 43200 seconds (12 hours),
+    #   depending on the maximum session duration setting for your role.
+    #   However, if you assume a role using role chaining and provide a
+    #   `DurationSeconds` parameter value greater than one hour, the
+    #   operation fails. To learn how to view the maximum value for your
+    #   role, see [View the Maximum Session Duration Setting for a Role][1]
+    #   in the *IAM User Guide*.
     #
     #   By default, the value is set to `3600` seconds.
     #
@@ -137,8 +159,8 @@ module Aws::STS
     #   credentials. The request to the federation endpoint for a console
     #   sign-in token takes a `SessionDuration` parameter that specifies the
     #   maximum length of the console session. For more information, see
-    #   [Creating a URL that Enables Federated Users to Access the AWS
-    #   Management Console][2] in the *IAM User Guide*.
+    #   [Creating a URL that Enables Federated Users to Access the Amazon
+    #   Web Services Management Console][2] in the *IAM User Guide*.
     #
     #    </note>
     #
@@ -148,6 +170,70 @@ module Aws::STS
     #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
     #   @return [Integer]
     #
+    # @!attribute [rw] tags
+    #   A list of session tags that you want to pass. Each session tag
+    #   consists of a key name and an associated value. For more information
+    #   about session tags, see [Tagging Amazon Web Services STS
+    #   Sessions][1] in the *IAM User Guide*.
+    #
+    #   This parameter is optional. You can pass up to 50 session tags. The
+    #   plaintext session tag keys can’t exceed 128 characters, and the
+    #   values can’t exceed 256 characters. For these and additional limits,
+    #   see [IAM and STS Character Limits][2] in the *IAM User Guide*.
+    #
+    #   <note markdown="1"> An Amazon Web Services conversion compresses the passed session
+    #   policies and session tags into a packed binary format that has a
+    #   separate limit. Your request can fail for this limit even if your
+    #   plaintext meets the other requirements. The `PackedPolicySize`
+    #   response element indicates by percentage how close the policies and
+    #   tags for your request are to the upper size limit.
+    #
+    #    </note>
+    #
+    #   You can pass a session tag with the same key as a tag that is
+    #   already attached to the role. When you do, session tags override a
+    #   role tag with the same key.
+    #
+    #   Tag key–value pairs are not case sensitive, but case is preserved.
+    #   This means that you cannot have separate `Department` and
+    #   `department` tag keys. Assume that the role has the
+    #   `Department`=`Marketing` tag and you pass the
+    #   `department`=`engineering` session tag. `Department` and
+    #   `department` are not saved as separate tags, and the session tag
+    #   passed in the request takes precedence over the role tag.
+    #
+    #   Additionally, if you used temporary credentials to perform this
+    #   operation, the new session inherits any transitive session tags from
+    #   the calling session. If you pass a session tag with the same key as
+    #   an inherited tag, the operation fails. To view the inherited tags
+    #   for a session, see the CloudTrail logs. For more information, see
+    #   [Viewing Session Tags in CloudTrail][3] in the *IAM User Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
+    #   [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/session-tags.html#id_session-tags_ctlogs
+    #   @return [Array<Types::Tag>]
+    #
+    # @!attribute [rw] transitive_tag_keys
+    #   A list of keys for session tags that you want to set as transitive.
+    #   If you set a tag key as transitive, the corresponding key and value
+    #   passes to subsequent sessions in a role chain. For more information,
+    #   see [Chaining Roles with Session Tags][1] in the *IAM User Guide*.
+    #
+    #   This parameter is optional. When you set session tags as transitive,
+    #   the session policy and session tags packed binary limit is not
+    #   affected.
+    #
+    #   If you choose not to specify a transitive tag key, then no tags are
+    #   passed from this session to any subsequent sessions.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
+    #   @return [Array<String>]
+    #
     # @!attribute [rw] external_id
     #   A unique identifier that might be required when you assume a role in
     #   another account. If the administrator of the account to which the
@@ -159,8 +245,8 @@ module Aws::STS
     #   the administrator of the trusted account. That way, only someone
     #   with the ID can assume the role, rather than everyone in the
     #   account. For more information about the external ID, see [How to Use
-    #   an External ID When Granting Access to Your AWS Resources to a Third
-    #   Party][1] in the *IAM User Guide*.
+    #   an External ID When Granting Access to Your Amazon Web Services
+    #   Resources to a Third Party][1] in the *IAM User Guide*.
     #
     #   The regex used to validate this parameter is a string of characters
     #   consisting of upper- and lower-case alphanumeric characters with no
@@ -189,15 +275,41 @@ module Aws::STS
     #
     # @!attribute [rw] token_code
     #   The value provided by the MFA device, if the trust policy of the
-    #   role being assumed requires MFA (that is, if the policy includes a
-    #   condition that tests for MFA). If the role being assumed requires
-    #   MFA and if the `TokenCode` value is missing or expired, the
+    #   role being assumed requires MFA. (In other words, if the policy
+    #   includes a condition that tests for MFA). If the role being assumed
+    #   requires MFA and if the `TokenCode` value is missing or expired, the
     #   `AssumeRole` call returns an "access denied" error.
     #
     #   The format for this parameter, as described by its regex pattern, is
     #   a sequence of six numeric digits.
     #   @return [String]
     #
+    # @!attribute [rw] source_identity
+    #   The source identity specified by the principal that is calling the
+    #   `AssumeRole` operation.
+    #
+    #   You can require users to specify a source identity when they assume
+    #   a role. You do this by using the `sts:SourceIdentity` condition key
+    #   in a role trust policy. You can use source identity information in
+    #   CloudTrail logs to determine who took actions with a role. You can
+    #   use the `aws:SourceIdentity` condition key to further control access
+    #   to Amazon Web Services resources based on the value of source
+    #   identity. For more information about using source identity, see
+    #   [Monitor and control actions taken with assumed roles][1] in the
+    #   *IAM User Guide*.
+    #
+    #   The regex used to validate this parameter is a string of characters
+    #   consisting of upper- and lower-case alphanumeric characters with no
+    #   spaces. You can also include underscores or any of the following
+    #   characters: =,.@-. You cannot use a value that begins with the text
+    #   `aws:`. This prefix is reserved for Amazon Web Services internal
+    #   use.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleRequest AWS API Documentation
     #
     class AssumeRoleRequest < Struct.new(
@@ -206,14 +318,19 @@ module Aws::STS
       :policy_arns,
       :policy,
       :duration_seconds,
+      :tags,
+      :transitive_tag_keys,
       :external_id,
       :serial_number,
-      :token_code)
+      :token_code,
+      :source_identity)
+      SENSITIVE = []
       include Aws::Structure
     end
 
     # Contains the response to a successful AssumeRole request, including
-    # temporary AWS credentials that can be used to make AWS requests.
+    # temporary Amazon Web Services credentials that can be used to make
+    # Amazon Web Services requests.
     #
     # @!attribute [rw] credentials
     #   The temporary security credentials, which include an access key ID,
@@ -236,17 +353,44 @@ module Aws::STS
     #   @return [Types::AssumedRoleUser]
     #
     # @!attribute [rw] packed_policy_size
-    #   A percentage value that indicates the size of the policy in packed
-    #   form. The service rejects any policy with a packed size greater than
-    #   100 percent, which means the policy exceeded the allowed space.
+    #   A percentage value that indicates the packed size of the session
+    #   policies and session tags combined passed in the request. The
+    #   request fails if the packed size is greater than 100 percent, which
+    #   means the policies and tags exceeded the allowed space.
     #   @return [Integer]
     #
+    # @!attribute [rw] source_identity
+    #   The source identity specified by the principal that is calling the
+    #   `AssumeRole` operation.
+    #
+    #   You can require users to specify a source identity when they assume
+    #   a role. You do this by using the `sts:SourceIdentity` condition key
+    #   in a role trust policy. You can use source identity information in
+    #   CloudTrail logs to determine who took actions with a role. You can
+    #   use the `aws:SourceIdentity` condition key to further control access
+    #   to Amazon Web Services resources based on the value of source
+    #   identity. For more information about using source identity, see
+    #   [Monitor and control actions taken with assumed roles][1] in the
+    #   *IAM User Guide*.
+    #
+    #   The regex used to validate this parameter is a string of characters
+    #   consisting of upper- and lower-case alphanumeric characters with no
+    #   spaces. You can also include underscores or any of the following
+    #   characters: =,.@-
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleResponse AWS API Documentation
     #
     class AssumeRoleResponse < Struct.new(
       :credentials,
       :assumed_role_user,
-      :packed_policy_size)
+      :packed_policy_size,
+      :source_identity)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -277,8 +421,7 @@ module Aws::STS
     #   @return [String]
     #
     # @!attribute [rw] saml_assertion
-    #   The base-64 encoded SAML authentication response provided by the
-    #   IdP.
+    #   The base64 encoded SAML authentication response provided by the IdP.
     #
     #   For more information, see [Configuring a Relying Party and Adding
     #   Claims][1] in the *IAM User Guide*.
@@ -294,18 +437,18 @@ module Aws::STS
     #   in the same account as the role.
     #
     #   This parameter is optional. You can provide up to 10 managed policy
-    #   ARNs. However, the plain text that you use for both inline and
-    #   managed session policies shouldn't exceed 2048 characters. For more
-    #   information about ARNs, see [Amazon Resource Names (ARNs) and AWS
-    #   Service Namespaces](general/latest/gr/aws-arns-and-namespaces.html)
-    #   in the AWS General Reference.
-    #
-    #   <note markdown="1"> The characters in this parameter count towards the 2048 character
-    #   session policy guideline. However, an AWS conversion compresses the
-    #   session policies into a packed binary format that has a separate
-    #   limit. This is the enforced limit. The `PackedPolicySize` response
-    #   element indicates by percentage how close the policy is to the upper
-    #   size limit.
+    #   ARNs. However, the plaintext that you use for both inline and
+    #   managed session policies can't exceed 2,048 characters. For more
+    #   information about ARNs, see [Amazon Resource Names (ARNs) and Amazon
+    #   Web Services Service Namespaces][1] in the Amazon Web Services
+    #   General Reference.
+    #
+    #   <note markdown="1"> An Amazon Web Services conversion compresses the passed session
+    #   policies and session tags into a packed binary format that has a
+    #   separate limit. Your request can fail for this limit even if your
+    #   plaintext meets the other requirements. The `PackedPolicySize`
+    #   response element indicates by percentage how close the policies and
+    #   tags for your request are to the upper size limit.
     #
     #    </note>
     #
@@ -313,15 +456,16 @@ module Aws::STS
     #   credentials. The resulting session's permissions are the
     #   intersection of the role's identity-based policy and the session
     #   policies. You can use the role's temporary credentials in
-    #   subsequent AWS API calls to access resources in the account that
-    #   owns the role. You cannot use session policies to grant more
-    #   permissions than those allowed by the identity-based policy of the
-    #   role that is being assumed. For more information, see [Session
-    #   Policies][1] in the *IAM User Guide*.
+    #   subsequent Amazon Web Services API calls to access resources in the
+    #   account that owns the role. You cannot use session policies to grant
+    #   more permissions than those allowed by the identity-based policy of
+    #   the role that is being assumed. For more information, see [Session
+    #   Policies][2] in the *IAM User Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+    #   [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
     #   @return [Array<Types::PolicyDescriptorType>]
     #
     # @!attribute [rw] policy
@@ -332,25 +476,25 @@ module Aws::STS
     #   returns new temporary credentials. The resulting session's
     #   permissions are the intersection of the role's identity-based
     #   policy and the session policies. You can use the role's temporary
-    #   credentials in subsequent AWS API calls to access resources in the
-    #   account that owns the role. You cannot use session policies to grant
-    #   more permissions than those allowed by the identity-based policy of
-    #   the role that is being assumed. For more information, see [Session
-    #   Policies][1] in the *IAM User Guide*.
-    #
-    #   The plain text that you use for both inline and managed session
-    #   policies shouldn't exceed 2048 characters. The JSON policy
-    #   characters can be any ASCII character from the space character to
-    #   the end of the valid character list (\\u0020 through \\u00FF). It
-    #   can also include the tab (\\u0009), linefeed (\\u000A), and carriage
-    #   return (\\u000D) characters.
-    #
-    #   <note markdown="1"> The characters in this parameter count towards the 2048 character
-    #   session policy guideline. However, an AWS conversion compresses the
-    #   session policies into a packed binary format that has a separate
-    #   limit. This is the enforced limit. The `PackedPolicySize` response
-    #   element indicates by percentage how close the policy is to the upper
-    #   size limit.
+    #   credentials in subsequent Amazon Web Services API calls to access
+    #   resources in the account that owns the role. You cannot use session
+    #   policies to grant more permissions than those allowed by the
+    #   identity-based policy of the role that is being assumed. For more
+    #   information, see [Session Policies][1] in the *IAM User Guide*.
+    #
+    #   The plaintext that you use for both inline and managed session
+    #   policies can't exceed 2,048 characters. The JSON policy characters
+    #   can be any ASCII character from the space character to the end of
+    #   the valid character list (\\u0020 through \\u00FF). It can also
+    #   include the tab (\\u0009), linefeed (\\u000A), and carriage return
+    #   (\\u000D) characters.
+    #
+    #   <note markdown="1"> An Amazon Web Services conversion compresses the passed session
+    #   policies and session tags into a packed binary format that has a
+    #   separate limit. Your request can fail for this limit even if your
+    #   plaintext meets the other requirements. The `PackedPolicySize`
+    #   response element indicates by percentage how close the policies and
+    #   tags for your request are to the upper size limit.
     #
     #    </note>
     #
@@ -381,8 +525,8 @@ module Aws::STS
     #   credentials. The request to the federation endpoint for a console
     #   sign-in token takes a `SessionDuration` parameter that specifies the
     #   maximum length of the console session. For more information, see
-    #   [Creating a URL that Enables Federated Users to Access the AWS
-    #   Management Console][2] in the *IAM User Guide*.
+    #   [Creating a URL that Enables Federated Users to Access the Amazon
+    #   Web Services Management Console][2] in the *IAM User Guide*.
     #
     #    </note>
     #
@@ -401,12 +545,13 @@ module Aws::STS
       :policy_arns,
       :policy,
       :duration_seconds)
+      SENSITIVE = []
       include Aws::Structure
     end
 
     # Contains the response to a successful AssumeRoleWithSAML request,
-    # including temporary AWS credentials that can be used to make AWS
-    # requests.
+    # including temporary Amazon Web Services credentials that can be used
+    # to make Amazon Web Services requests.
     #
     # @!attribute [rw] credentials
     #   The temporary security credentials, which include an access key ID,
@@ -425,9 +570,10 @@ module Aws::STS
     #   @return [Types::AssumedRoleUser]
     #
     # @!attribute [rw] packed_policy_size
-    #   A percentage value that indicates the size of the policy in packed
-    #   form. The service rejects any policy with a packed size greater than
-    #   100 percent, which means the policy exceeded the allowed space.
+    #   A percentage value that indicates the packed size of the session
+    #   policies and session tags combined passed in the request. The
+    #   request fails if the packed size is greater than 100 percent, which
+    #   means the policies and tags exceeded the allowed space.
     #   @return [Integer]
     #
     # @!attribute [rw] subject
@@ -457,11 +603,17 @@ module Aws::STS
     #   @return [String]
     #
     # @!attribute [rw] name_qualifier
-    #   A hash value based on the concatenation of the `Issuer` response
-    #   value, the AWS account ID, and the friendly name (the last part of
-    #   the ARN) of the SAML provider in IAM. The combination of
-    #   `NameQualifier` and `Subject` can be used to uniquely identify a
-    #   federated user.
+    #   A hash value based on the concatenation of the following:
+    #
+    #   * The `Issuer` response value.
+    #
+    #   * The Amazon Web Services account ID.
+    #
+    #   * The friendly name (the last part of the ARN) of the SAML provider
+    #     in IAM.
+    #
+    #   The combination of `NameQualifier` and `Subject` can be used to
+    #   uniquely identify a federated user.
     #
     #   The following pseudocode shows how the hash value is calculated:
     #
@@ -469,6 +621,34 @@ module Aws::STS
     #   "/MySAMLIdP" ) )`
     #   @return [String]
     #
+    # @!attribute [rw] source_identity
+    #   The value in the `SourceIdentity` attribute in the SAML assertion.
+    #
+    #   You can require users to set a source identity value when they
+    #   assume a role. You do this by using the `sts:SourceIdentity`
+    #   condition key in a role trust policy. That way, actions that are
+    #   taken with the role are associated with that user. After the source
+    #   identity is set, the value cannot be changed. It is present in the
+    #   request for all actions that are taken by the role and persists
+    #   across [chained role][1] sessions. You can configure your SAML
+    #   identity provider to use an attribute associated with your users,
+    #   like user name or email, as the source identity when calling
+    #   `AssumeRoleWithSAML`. You do this by adding an attribute to the SAML
+    #   assertion. For more information about using source identity, see
+    #   [Monitor and control actions taken with assumed roles][2] in the
+    #   *IAM User Guide*.
+    #
+    #   The regex used to validate this parameter is a string of characters
+    #   consisting of upper- and lower-case alphanumeric characters with no
+    #   spaces. You can also include underscores or any of the following
+    #   characters: =,.@-
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAMLResponse AWS API Documentation
     #
     class AssumeRoleWithSAMLResponse < Struct.new(
@@ -479,7 +659,9 @@ module Aws::STS
       :subject_type,
       :issuer,
       :audience,
-      :name_qualifier)
+      :name_qualifier,
+      :source_identity)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -545,18 +727,18 @@ module Aws::STS
     #   in the same account as the role.
     #
     #   This parameter is optional. You can provide up to 10 managed policy
-    #   ARNs. However, the plain text that you use for both inline and
-    #   managed session policies shouldn't exceed 2048 characters. For more
-    #   information about ARNs, see [Amazon Resource Names (ARNs) and AWS
-    #   Service Namespaces](general/latest/gr/aws-arns-and-namespaces.html)
-    #   in the AWS General Reference.
-    #
-    #   <note markdown="1"> The characters in this parameter count towards the 2048 character
-    #   session policy guideline. However, an AWS conversion compresses the
-    #   session policies into a packed binary format that has a separate
-    #   limit. This is the enforced limit. The `PackedPolicySize` response
-    #   element indicates by percentage how close the policy is to the upper
-    #   size limit.
+    #   ARNs. However, the plaintext that you use for both inline and
+    #   managed session policies can't exceed 2,048 characters. For more
+    #   information about ARNs, see [Amazon Resource Names (ARNs) and Amazon
+    #   Web Services Service Namespaces][1] in the Amazon Web Services
+    #   General Reference.
+    #
+    #   <note markdown="1"> An Amazon Web Services conversion compresses the passed session
+    #   policies and session tags into a packed binary format that has a
+    #   separate limit. Your request can fail for this limit even if your
+    #   plaintext meets the other requirements. The `PackedPolicySize`
+    #   response element indicates by percentage how close the policies and
+    #   tags for your request are to the upper size limit.
     #
     #    </note>
     #
@@ -564,15 +746,16 @@ module Aws::STS
     #   credentials. The resulting session's permissions are the
     #   intersection of the role's identity-based policy and the session
     #   policies. You can use the role's temporary credentials in
-    #   subsequent AWS API calls to access resources in the account that
-    #   owns the role. You cannot use session policies to grant more
-    #   permissions than those allowed by the identity-based policy of the
-    #   role that is being assumed. For more information, see [Session
-    #   Policies][1] in the *IAM User Guide*.
+    #   subsequent Amazon Web Services API calls to access resources in the
+    #   account that owns the role. You cannot use session policies to grant
+    #   more permissions than those allowed by the identity-based policy of
+    #   the role that is being assumed. For more information, see [Session
+    #   Policies][2] in the *IAM User Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+    #   [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
     #   @return [Array<Types::PolicyDescriptorType>]
     #
     # @!attribute [rw] policy
@@ -583,25 +766,25 @@ module Aws::STS
     #   returns new temporary credentials. The resulting session's
     #   permissions are the intersection of the role's identity-based
     #   policy and the session policies. You can use the role's temporary
-    #   credentials in subsequent AWS API calls to access resources in the
-    #   account that owns the role. You cannot use session policies to grant
-    #   more permissions than those allowed by the identity-based policy of
-    #   the role that is being assumed. For more information, see [Session
-    #   Policies][1] in the *IAM User Guide*.
-    #
-    #   The plain text that you use for both inline and managed session
-    #   policies shouldn't exceed 2048 characters. The JSON policy
-    #   characters can be any ASCII character from the space character to
-    #   the end of the valid character list (\\u0020 through \\u00FF). It
-    #   can also include the tab (\\u0009), linefeed (\\u000A), and carriage
-    #   return (\\u000D) characters.
-    #
-    #   <note markdown="1"> The characters in this parameter count towards the 2048 character
-    #   session policy guideline. However, an AWS conversion compresses the
-    #   session policies into a packed binary format that has a separate
-    #   limit. This is the enforced limit. The `PackedPolicySize` response
-    #   element indicates by percentage how close the policy is to the upper
-    #   size limit.
+    #   credentials in subsequent Amazon Web Services API calls to access
+    #   resources in the account that owns the role. You cannot use session
+    #   policies to grant more permissions than those allowed by the
+    #   identity-based policy of the role that is being assumed. For more
+    #   information, see [Session Policies][1] in the *IAM User Guide*.
+    #
+    #   The plaintext that you use for both inline and managed session
+    #   policies can't exceed 2,048 characters. The JSON policy characters
+    #   can be any ASCII character from the space character to the end of
+    #   the valid character list (\\u0020 through \\u00FF). It can also
+    #   include the tab (\\u0009), linefeed (\\u000A), and carriage return
+    #   (\\u000D) characters.
+    #
+    #   <note markdown="1"> An Amazon Web Services conversion compresses the passed session
+    #   policies and session tags into a packed binary format that has a
+    #   separate limit. Your request can fail for this limit even if your
+    #   plaintext meets the other requirements. The `PackedPolicySize`
+    #   response element indicates by percentage how close the policies and
+    #   tags for your request are to the upper size limit.
     #
     #    </note>
     #
@@ -628,8 +811,8 @@ module Aws::STS
     #   credentials. The request to the federation endpoint for a console
     #   sign-in token takes a `SessionDuration` parameter that specifies the
     #   maximum length of the console session. For more information, see
-    #   [Creating a URL that Enables Federated Users to Access the AWS
-    #   Management Console][2] in the *IAM User Guide*.
+    #   [Creating a URL that Enables Federated Users to Access the Amazon
+    #   Web Services Management Console][2] in the *IAM User Guide*.
     #
     #    </note>
     #
@@ -649,12 +832,13 @@ module Aws::STS
       :policy_arns,
       :policy,
       :duration_seconds)
+      SENSITIVE = []
       include Aws::Structure
     end
 
     # Contains the response to a successful AssumeRoleWithWebIdentity
-    # request, including temporary AWS credentials that can be used to make
-    # AWS requests.
+    # request, including temporary Amazon Web Services credentials that can
+    # be used to make Amazon Web Services requests.
     #
     # @!attribute [rw] credentials
     #   The temporary security credentials, which include an access key ID,
@@ -687,9 +871,10 @@ module Aws::STS
     #   @return [Types::AssumedRoleUser]
     #
     # @!attribute [rw] packed_policy_size
-    #   A percentage value that indicates the size of the policy in packed
-    #   form. The service rejects any policy with a packed size greater than
-    #   100 percent, which means the policy exceeded the allowed space.
+    #   A percentage value that indicates the packed size of the session
+    #   policies and session tags combined passed in the request. The
+    #   request fails if the packed size is greater than 100 percent, which
+    #   means the policies and tags exceeded the allowed space.
     #   @return [Integer]
     #
     # @!attribute [rw] provider
@@ -706,6 +891,38 @@ module Aws::STS
     #   application that requested the web identity token.
     #   @return [String]
     #
+    # @!attribute [rw] source_identity
+    #   The value of the source identity that is returned in the JSON web
+    #   token (JWT) from the identity provider.
+    #
+    #   You can require users to set a source identity value when they
+    #   assume a role. You do this by using the `sts:SourceIdentity`
+    #   condition key in a role trust policy. That way, actions that are
+    #   taken with the role are associated with that user. After the source
+    #   identity is set, the value cannot be changed. It is present in the
+    #   request for all actions that are taken by the role and persists
+    #   across [chained role][1] sessions. You can configure your identity
+    #   provider to use an attribute associated with your users, like user
+    #   name or email, as the source identity when calling
+    #   `AssumeRoleWithWebIdentity`. You do this by adding a claim to the
+    #   JSON web token. To learn more about OIDC tokens and claims, see
+    #   [Using Tokens with User Pools][2] in the *Amazon Cognito Developer
+    #   Guide*. For more information about using source identity, see
+    #   [Monitor and control actions taken with assumed roles][3] in the
+    #   *IAM User Guide*.
+    #
+    #   The regex used to validate this parameter is a string of characters
+    #   consisting of upper- and lower-case alphanumeric characters with no
+    #   spaces. You can also include underscores or any of the following
+    #   characters: =,.@-
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining
+    #   [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html
+    #   [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentityResponse AWS API Documentation
     #
     class AssumeRoleWithWebIdentityResponse < Struct.new(
@@ -714,7 +931,9 @@ module Aws::STS
       :assumed_role_user,
       :packed_policy_size,
       :provider,
-      :audience)
+      :audience,
+      :source_identity)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -724,13 +943,14 @@ module Aws::STS
     # @!attribute [rw] assumed_role_id
     #   A unique identifier that contains the role ID and the role session
     #   name of the role that is being assumed. The role ID is generated by
-    #   AWS when the role is created.
+    #   Amazon Web Services when the role is created.
     #   @return [String]
     #
     # @!attribute [rw] arn
     #   The ARN of the temporary security credentials that are returned from
     #   the AssumeRole action. For more information about ARNs and how to
-    #   use them in policies, see [IAM Identifiers][1] in *Using IAM*.
+    #   use them in policies, see [IAM Identifiers][1] in the *IAM User
+    #   Guide*.
     #
     #
     #
@@ -742,10 +962,11 @@ module Aws::STS
     class AssumedRoleUser < Struct.new(
       :assumed_role_id,
       :arn)
+      SENSITIVE = []
       include Aws::Structure
     end
 
-    # AWS credentials for API authentication.
+    # Amazon Web Services credentials for API authentication.
     #
     # @!attribute [rw] access_key_id
     #   The access key ID that identifies the temporary security
@@ -772,6 +993,7 @@ module Aws::STS
       :secret_access_key,
       :session_token,
       :expiration)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -790,21 +1012,23 @@ module Aws::STS
     #
     class DecodeAuthorizationMessageRequest < Struct.new(
       :encoded_message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
     # A document that contains additional information about the
     # authorization status of a request from an encoded message that is
-    # returned in response to an AWS request.
+    # returned in response to an Amazon Web Services request.
     #
     # @!attribute [rw] decoded_message
-    #   An XML document that contains the decoded message.
+    #   The API returns a response with the decoded message.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/DecodeAuthorizationMessageResponse AWS API Documentation
     #
     class DecodeAuthorizationMessageResponse < Struct.new(
       :decoded_message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -819,6 +1043,7 @@ module Aws::STS
     #
     class ExpiredTokenException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -833,7 +1058,7 @@ module Aws::STS
     # @!attribute [rw] arn
     #   The ARN that specifies the federated user that is associated with
     #   the credentials. For more information about ARNs and how to use them
-    #   in policies, see [IAM Identifiers][1] in *Using IAM*.
+    #   in policies, see [IAM Identifiers][1] in the *IAM User Guide*.
     #
     #
     #
@@ -845,6 +1070,42 @@ module Aws::STS
     class FederatedUser < Struct.new(
       :federated_user_id,
       :arn)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @note When making an API call, you may pass GetAccessKeyInfoRequest
+    #   data as a hash:
+    #
+    #       {
+    #         access_key_id: "accessKeyIdType", # required
+    #       }
+    #
+    # @!attribute [rw] access_key_id
+    #   The identifier of an access key.
+    #
+    #   This parameter allows (through its regex pattern) a string of
+    #   characters that can consist of any upper- or lowercase letter or
+    #   digit.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetAccessKeyInfoRequest AWS API Documentation
+    #
+    class GetAccessKeyInfoRequest < Struct.new(
+      :access_key_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] account
+    #   The number used to identify the Amazon Web Services account.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetAccessKeyInfoResponse AWS API Documentation
+    #
+    class GetAccessKeyInfoResponse < Struct.new(
+      :account)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -870,12 +1131,12 @@ module Aws::STS
     #   @return [String]
     #
     # @!attribute [rw] account
-    #   The AWS account ID number of the account that owns or contains the
-    #   calling entity.
+    #   The Amazon Web Services account ID number of the account that owns
+    #   or contains the calling entity.
     #   @return [String]
     #
     # @!attribute [rw] arn
-    #   The AWS ARN associated with the calling entity.
+    #   The Amazon Web Services ARN associated with the calling entity.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetCallerIdentityResponse AWS API Documentation
@@ -884,6 +1145,7 @@ module Aws::STS
       :user_id,
       :account,
       :arn)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -899,6 +1161,12 @@ module Aws::STS
     #           },
     #         ],
     #         duration_seconds: 1,
+    #         tags: [
+    #           {
+    #             key: "tagKeyType", # required
+    #             value: "tagValueType", # required
+    #           },
+    #         ],
     #       }
     #
     # @!attribute [rw] name
@@ -924,10 +1192,7 @@ module Aws::STS
     #
     #   This parameter is optional. However, if you do not pass any session
     #   policies, then the resulting federated user session has no
-    #   permissions. The only exception is when the credentials are used to
-    #   access a resource that has a resource-based policy that specifically
-    #   references the federated user session in the `Principal` element of
-    #   the policy.
+    #   permissions.
     #
     #   When you pass session policies, the session permissions are the
     #   intersection of the IAM user policies and the session policies that
@@ -937,19 +1202,26 @@ module Aws::STS
     #   the IAM user. For more information, see [Session Policies][1] in the
     #   *IAM User Guide*.
     #
-    #   The plain text that you use for both inline and managed session
-    #   policies shouldn't exceed 2048 characters. The JSON policy
-    #   characters can be any ASCII character from the space character to
-    #   the end of the valid character list (\\u0020 through \\u00FF). It
-    #   can also include the tab (\\u0009), linefeed (\\u000A), and carriage
-    #   return (\\u000D) characters.
-    #
-    #   <note markdown="1"> The characters in this parameter count towards the 2048 character
-    #   session policy guideline. However, an AWS conversion compresses the
-    #   session policies into a packed binary format that has a separate
-    #   limit. This is the enforced limit. The `PackedPolicySize` response
-    #   element indicates by percentage how close the policy is to the upper
-    #   size limit.
+    #   The resulting credentials can be used to access a resource that has
+    #   a resource-based policy. If that policy specifically references the
+    #   federated user session in the `Principal` element of the policy, the
+    #   session has the permissions allowed by the policy. These permissions
+    #   are granted in addition to the permissions that are granted by the
+    #   session policies.
+    #
+    #   The plaintext that you use for both inline and managed session
+    #   policies can't exceed 2,048 characters. The JSON policy characters
+    #   can be any ASCII character from the space character to the end of
+    #   the valid character list (\\u0020 through \\u00FF). It can also
+    #   include the tab (\\u0009), linefeed (\\u000A), and carriage return
+    #   (\\u000D) characters.
+    #
+    #   <note markdown="1"> An Amazon Web Services conversion compresses the passed session
+    #   policies and session tags into a packed binary format that has a
+    #   separate limit. Your request can fail for this limit even if your
+    #   plaintext meets the other requirements. The `PackedPolicySize`
+    #   response element indicates by percentage how close the policies and
+    #   tags for your request are to the upper size limit.
     #
     #    </note>
     #
@@ -967,20 +1239,16 @@ module Aws::STS
     #   You must pass an inline or managed [session policy][1] to this
     #   operation. You can pass a single JSON policy document to use as an
     #   inline session policy. You can also specify up to 10 managed
-    #   policies to use as managed session policies. The plain text that you
-    #   use for both inline and managed session policies shouldn't exceed
-    #   2048 characters. You can provide up to 10 managed policy ARNs. For
-    #   more information about ARNs, see [Amazon Resource Names (ARNs) and
-    #   AWS Service
-    #   Namespaces](general/latest/gr/aws-arns-and-namespaces.html) in the
-    #   AWS General Reference.
+    #   policies to use as managed session policies. The plaintext that you
+    #   use for both inline and managed session policies can't exceed 2,048
+    #   characters. You can provide up to 10 managed policy ARNs. For more
+    #   information about ARNs, see [Amazon Resource Names (ARNs) and Amazon
+    #   Web Services Service Namespaces][2] in the Amazon Web Services
+    #   General Reference.
     #
     #   This parameter is optional. However, if you do not pass any session
     #   policies, then the resulting federated user session has no
-    #   permissions. The only exception is when the credentials are used to
-    #   access a resource that has a resource-based policy that specifically
-    #   references the federated user session in the `Principal` element of
-    #   the policy.
+    #   permissions.
     #
     #   When you pass session policies, the session permissions are the
     #   intersection of the IAM user policies and the session policies that
@@ -990,43 +1258,91 @@ module Aws::STS
     #   the IAM user. For more information, see [Session Policies][1] in the
     #   *IAM User Guide*.
     #
-    #   <note markdown="1"> The characters in this parameter count towards the 2048 character
-    #   session policy guideline. However, an AWS conversion compresses the
-    #   session policies into a packed binary format that has a separate
-    #   limit. This is the enforced limit. The `PackedPolicySize` response
-    #   element indicates by percentage how close the policy is to the upper
-    #   size limit.
+    #   The resulting credentials can be used to access a resource that has
+    #   a resource-based policy. If that policy specifically references the
+    #   federated user session in the `Principal` element of the policy, the
+    #   session has the permissions allowed by the policy. These permissions
+    #   are granted in addition to the permissions that are granted by the
+    #   session policies.
+    #
+    #   <note markdown="1"> An Amazon Web Services conversion compresses the passed session
+    #   policies and session tags into a packed binary format that has a
+    #   separate limit. Your request can fail for this limit even if your
+    #   plaintext meets the other requirements. The `PackedPolicySize`
+    #   response element indicates by percentage how close the policies and
+    #   tags for your request are to the upper size limit.
     #
     #    </note>
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+    #   [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
     #   @return [Array<Types::PolicyDescriptorType>]
     #
     # @!attribute [rw] duration_seconds
     #   The duration, in seconds, that the session should last. Acceptable
     #   durations for federation sessions range from 900 seconds (15
     #   minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12
-    #   hours) as the default. Sessions obtained using AWS account root user
-    #   credentials are restricted to a maximum of 3,600 seconds (one hour).
-    #   If the specified duration is longer than one hour, the session
-    #   obtained by using root user credentials defaults to one hour.
+    #   hours) as the default. Sessions obtained using Amazon Web Services
+    #   account root user credentials are restricted to a maximum of 3,600
+    #   seconds (one hour). If the specified duration is longer than one
+    #   hour, the session obtained by using root user credentials defaults
+    #   to one hour.
     #   @return [Integer]
     #
+    # @!attribute [rw] tags
+    #   A list of session tags. Each session tag consists of a key name and
+    #   an associated value. For more information about session tags, see
+    #   [Passing Session Tags in STS][1] in the *IAM User Guide*.
+    #
+    #   This parameter is optional. You can pass up to 50 session tags. The
+    #   plaintext session tag keys can’t exceed 128 characters and the
+    #   values can’t exceed 256 characters. For these and additional limits,
+    #   see [IAM and STS Character Limits][2] in the *IAM User Guide*.
+    #
+    #   <note markdown="1"> An Amazon Web Services conversion compresses the passed session
+    #   policies and session tags into a packed binary format that has a
+    #   separate limit. Your request can fail for this limit even if your
+    #   plaintext meets the other requirements. The `PackedPolicySize`
+    #   response element indicates by percentage how close the policies and
+    #   tags for your request are to the upper size limit.
+    #
+    #    </note>
+    #
+    #   You can pass a session tag with the same key as a tag that is
+    #   already attached to the user you are federating. When you do,
+    #   session tags override a user tag with the same key.
+    #
+    #   Tag key–value pairs are not case sensitive, but case is preserved.
+    #   This means that you cannot have separate `Department` and
+    #   `department` tag keys. Assume that the role has the
+    #   `Department`=`Marketing` tag and you pass the
+    #   `department`=`engineering` session tag. `Department` and
+    #   `department` are not saved as separate tags, and the session tag
+    #   passed in the request takes precedence over the role tag.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
+    #   @return [Array<Types::Tag>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetFederationTokenRequest AWS API Documentation
     #
     class GetFederationTokenRequest < Struct.new(
       :name,
       :policy,
       :policy_arns,
-      :duration_seconds)
+      :duration_seconds,
+      :tags)
+      SENSITIVE = []
       include Aws::Structure
     end
 
     # Contains the response to a successful GetFederationToken request,
-    # including temporary AWS credentials that can be used to make AWS
-    # requests.
+    # including temporary Amazon Web Services credentials that can be used
+    # to make Amazon Web Services requests.
     #
     # @!attribute [rw] credentials
     #   The temporary security credentials, which include an access key ID,
@@ -1047,9 +1363,10 @@ module Aws::STS
     #   @return [Types::FederatedUser]
     #
     # @!attribute [rw] packed_policy_size
-    #   A percentage value indicating the size of the policy in packed form.
-    #   The service rejects policies for which the packed size is greater
-    #   than 100 percent of the allowed value.
+    #   A percentage value that indicates the packed size of the session
+    #   policies and session tags combined passed in the request. The
+    #   request fails if the packed size is greater than 100 percent, which
+    #   means the policies and tags exceeded the allowed space.
     #   @return [Integer]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetFederationTokenResponse AWS API Documentation
@@ -1058,6 +1375,7 @@ module Aws::STS
       :credentials,
       :federated_user,
       :packed_policy_size)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1074,10 +1392,10 @@ module Aws::STS
     #   The duration, in seconds, that the credentials should remain valid.
     #   Acceptable durations for IAM user sessions range from 900 seconds
     #   (15 minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12
-    #   hours) as the default. Sessions for AWS account owners are
-    #   restricted to a maximum of 3,600 seconds (one hour). If the duration
-    #   is longer than one hour, the session for AWS account owners defaults
-    #   to one hour.
+    #   hours) as the default. Sessions for Amazon Web Services account
+    #   owners are restricted to a maximum of 3,600 seconds (one hour). If
+    #   the duration is longer than one hour, the session for Amazon Web
+    #   Services account owners defaults to one hour.
     #   @return [Integer]
     #
     # @!attribute [rw] serial_number
@@ -1087,8 +1405,8 @@ module Aws::STS
     #   The value is either the serial number for a hardware device (such as
     #   `GAHT12345678`) or an Amazon Resource Name (ARN) for a virtual
     #   device (such as `arn:aws:iam::123456789012:mfa/user`). You can find
-    #   the device for an IAM user by going to the AWS Management Console
-    #   and viewing the user's security credentials.
+    #   the device for an IAM user by going to the Amazon Web Services
+    #   Management Console and viewing the user's security credentials.
     #
     #   The regex used to validate this parameter is a string of characters
     #   consisting of upper- and lower-case alphanumeric characters with no
@@ -1114,12 +1432,13 @@ module Aws::STS
       :duration_seconds,
       :serial_number,
       :token_code)
+      SENSITIVE = []
       include Aws::Structure
     end
 
     # Contains the response to a successful GetSessionToken request,
-    # including temporary AWS credentials that can be used to make AWS
-    # requests.
+    # including temporary Amazon Web Services credentials that can be used
+    # to make Amazon Web Services requests.
     #
     # @!attribute [rw] credentials
     #   The temporary security credentials, which include an access key ID,
@@ -1136,15 +1455,16 @@ module Aws::STS
     #
     class GetSessionTokenResponse < Struct.new(
       :credentials)
+      SENSITIVE = []
       include Aws::Structure
     end
 
-    # The request could not be fulfilled because the non-AWS identity
-    # provider (IDP) that was asked to verify the incoming identity token
-    # could not be reached. This is often a transient error caused by
-    # network conditions. Retry the request a limited number of times so
-    # that you don't exceed the request rate. If the error persists, the
-    # non-AWS identity provider might be down or not responding.
+    # The request could not be fulfilled because the identity provider (IDP)
+    # that was asked to verify the incoming identity token could not be
+    # reached. This is often a transient error caused by network conditions.
+    # Retry the request a limited number of times so that you don't exceed
+    # the request rate. If the error persists, the identity provider might
+    # be down or not responding.
     #
     # @!attribute [rw] message
     #   @return [String]
@@ -1153,6 +1473,7 @@ module Aws::STS
     #
     class IDPCommunicationErrorException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1170,6 +1491,7 @@ module Aws::STS
     #
     class IDPRejectedClaimException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1184,12 +1506,13 @@ module Aws::STS
     #
     class InvalidAuthorizationMessageException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
-    # The web identity token that was passed could not be validated by AWS.
-    # Get a new identity token from the identity provider and then retry the
-    # request.
+    # The web identity token that was passed could not be validated by
+    # Amazon Web Services. Get a new identity token from the identity
+    # provider and then retry the request.
     #
     # @!attribute [rw] message
     #   @return [String]
@@ -1198,6 +1521,7 @@ module Aws::STS
     #
     class InvalidIdentityTokenException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1211,12 +1535,27 @@ module Aws::STS
     #
     class MalformedPolicyDocumentException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
-    # The request was rejected because the policy document was too large.
-    # The error message describes how big the policy document is, in packed
-    # form, as a percentage of what the API allows.
+    # The request was rejected because the total packed size of the session
+    # policies and session tags combined was too large. An Amazon Web
+    # Services conversion compresses the session policy document, session
+    # policy ARNs, and session tags into a packed binary format that has a
+    # separate limit. The error message indicates by percentage how close
+    # the policies and tags are to the upper size limit. For more
+    # information, see [Passing Session Tags in STS][1] in the *IAM User
+    # Guide*.
+    #
+    # You could receive this error even though you meet other defined
+    # session policy and session tag limits. For more information, see [IAM
+    # and STS Entity Character Limits][2] in the *IAM User Guide*.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
+    # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length
     #
     # @!attribute [rw] message
     #   @return [String]
@@ -1225,6 +1564,7 @@ module Aws::STS
     #
     class PackedPolicyTooLargeException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1241,23 +1581,27 @@ module Aws::STS
     # @!attribute [rw] arn
     #   The Amazon Resource Name (ARN) of the IAM managed policy to use as a
     #   session policy for the role. For more information about ARNs, see
-    #   [Amazon Resource Names (ARNs) and AWS Service
-    #   Namespaces](general/latest/gr/aws-arns-and-namespaces.html) in the
-    #   *AWS General Reference*.
+    #   [Amazon Resource Names (ARNs) and Amazon Web Services Service
+    #   Namespaces][1] in the *Amazon Web Services General Reference*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/PolicyDescriptorType AWS API Documentation
     #
     class PolicyDescriptorType < Struct.new(
       :arn)
+      SENSITIVE = []
       include Aws::Structure
     end
 
     # STS is not activated in the requested region for the account that is
     # being asked to generate credentials. The account administrator must
     # use the IAM console to activate STS in that region. For more
-    # information, see [Activating and Deactivating AWS STS in an AWS
-    # Region][1] in the *IAM User Guide*.
+    # information, see [Activating and Deactivating Amazon Web Services STS
+    # in an Amazon Web Services Region][1] in the *IAM User Guide*.
     #
     #
     #
@@ -1270,6 +1614,58 @@ module Aws::STS
     #
     class RegionDisabledException < Struct.new(
       :message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # You can pass custom key-value pair attributes when you assume a role
+    # or federate a user. These are called session tags. You can then use
+    # the session tags to control access to resources. For more information,
+    # see [Tagging Amazon Web Services STS Sessions][1] in the *IAM User
+    # Guide*.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
+    #
+    # @note When making an API call, you may pass Tag
+    #   data as a hash:
+    #
+    #       {
+    #         key: "tagKeyType", # required
+    #         value: "tagValueType", # required
+    #       }
+    #
+    # @!attribute [rw] key
+    #   The key for a session tag.
+    #
+    #   You can pass up to 50 session tags. The plain text session tag keys
+    #   can’t exceed 128 characters. For these and additional limits, see
+    #   [IAM and STS Character Limits][1] in the *IAM User Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
+    #   @return [String]
+    #
+    # @!attribute [rw] value
+    #   The value for a session tag.
+    #
+    #   You can pass up to 50 session tags. The plain text session tag
+    #   values can’t exceed 256 characters. For these and additional limits,
+    #   see [IAM and STS Character Limits][1] in the *IAM User Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/Tag AWS API Documentation
+    #
+    class Tag < Struct.new(
+      :key,
+      :value)
+      SENSITIVE = []
       include Aws::Structure
     end