aws-sdk-iam 1.43.0 → 1.48.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 69faa8e74aa28bf5b382819939679b2ab36ac96298748d4506329aa9a10f7e41
-  data.tar.gz: 33c967e48c409ec009177a6d8f53a69935c22e80d335f518003a890d23265aec
+  metadata.gz: a0ae21648f829d7f5c3cbd4fa54b034663de5937f0c73ff5886ed3fd75b8156f
+  data.tar.gz: 541167e8ac55ec219d5fe10cd624c03a2799cb595fa67f00cef6c921f88e163c
 SHA512:
-  metadata.gz: b74f3cdac4e0745d26b1aaf5aef089caa86d1ae299ed7c4e56ea4a4bdac974ce12e3d7ca7320dc780ae26c0f86d3d2423a891e5d55cf79915a79678b69798464
-  data.tar.gz: 18d6e7255cbc23ee57fd513a274ab0fe4a2e652d5da55f4a70e7ffd94eef2943cac9dad63ec4e3c9ef706be0bd5bdac3fdbb2e30fa5ad697b509aed871588d69
+  metadata.gz: b8fdcc7a8c3aeb6d4cc6669a971a8d378d46213bf0796fef6451d9ac4d91a2f38748aaaf559c3e2e45b2ae2c871668db402968772fe8fcd53933679f55583b29
+  data.tar.gz: f889cfb216c6c224b49fc302446cf7049f3bf22d21c07598410b07b91c014c491fece6b996efea241c3ffd23b06417d9e220e821fb46ae19d0524780ff6be99b

data/lib/aws-sdk-iam.rb

@@ -7,6 +7,7 @@
 #
 # WARNING ABOUT GENERATED CODE
 
+
 require 'aws-sdk-core'
 require 'aws-sigv4'
 
@@ -66,9 +67,9 @@ require_relative 'aws-sdk-iam/customizations'
 #
 # See {Errors} for more information.
 #
-# @service
+# @!group service
 module Aws::IAM
 
-  GEM_VERSION = '1.43.0'
+  GEM_VERSION = '1.48.0'
 
 end

data/lib/aws-sdk-iam/account_password_policy.rb

@@ -30,27 +30,31 @@ module Aws::IAM
       data[:minimum_password_length]
     end
 
-    # Specifies whether to require symbols for IAM user passwords.
+    # Specifies whether IAM user passwords must contain at least one of the
+    # following symbols:
+    #
+    # ! @ # $ % ^ & * ( ) \_ + - = \[ \] \\\{ \\} \| '
     # @return [Boolean]
     def require_symbols
       data[:require_symbols]
     end
 
-    # Specifies whether to require numbers for IAM user passwords.
+    # Specifies whether IAM user passwords must contain at least one numeric
+    # character (0 to 9).
     # @return [Boolean]
     def require_numbers
       data[:require_numbers]
     end
 
-    # Specifies whether to require uppercase characters for IAM user
-    # passwords.
+    # Specifies whether IAM user passwords must contain at least one
+    # uppercase character (A to Z).
     # @return [Boolean]
     def require_uppercase_characters
       data[:require_uppercase_characters]
     end
 
-    # Specifies whether to require lowercase characters for IAM user
-    # passwords.
+    # Specifies whether IAM user passwords must contain at least one
+    # lowercase character (a to z).
     # @return [Boolean]
     def require_lowercase_characters
       data[:require_lowercase_characters]
@@ -286,7 +290,7 @@ module Aws::IAM
     # @option options [Boolean] :allow_users_to_change_password
     #   Allows all IAM users in your account to use the AWS Management Console
     #   to change their own passwords. For more information, see [Letting IAM
-    #   Users Change Their Own Passwords][1] in the *IAM User Guide*.
+    #   users change their own passwords][1] in the *IAM User Guide*.
     #
     #   If you do not specify a value for this parameter, then the operation
     #   uses the default value of `false`. The result is that IAM users in the

data/lib/aws-sdk-iam/client.rb

@@ -85,13 +85,28 @@ module Aws::IAM
     #     * `Aws::Credentials` - Used for configuring static, non-refreshing
     #       credentials.
     #
+    #     * `Aws::SharedCredentials` - Used for loading static credentials from a
+    #       shared file, such as `~/.aws/config`.
+    #
+    #     * `Aws::AssumeRoleCredentials` - Used when you need to assume a role.
+    #
+    #     * `Aws::AssumeRoleWebIdentityCredentials` - Used when you need to
+    #       assume a role after providing credentials via the web.
+    #
+    #     * `Aws::SSOCredentials` - Used for loading credentials from AWS SSO using an
+    #       access token generated from `aws login`.
+    #
+    #     * `Aws::ProcessCredentials` - Used for loading credentials from a
+    #       process that outputs to stdout.
+    #
     #     * `Aws::InstanceProfileCredentials` - Used for loading credentials
     #       from an EC2 IMDS on an EC2 instance.
     #
-    #     * `Aws::SharedCredentials` - Used for loading credentials from a
-    #       shared file, such as `~/.aws/config`.
+    #     * `Aws::ECSCredentials` - Used for loading credentials from
+    #       instances running in ECS.
     #
-    #     * `Aws::AssumeRoleCredentials` - Used when you need to assume a role.
+    #     * `Aws::CognitoIdentityCredentials` - Used for loading credentials
+    #       from the Cognito Identity service.
     #
     #     When `:credentials` are not configured directly, the following
     #     locations will be searched for credentials:
@@ -101,10 +116,10 @@ module Aws::IAM
     #     * ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY']
     #     * `~/.aws/credentials`
     #     * `~/.aws/config`
-    #     * EC2 IMDS instance profile - When used by default, the timeouts are
-    #       very aggressive. Construct and pass an instance of
-    #       `Aws::InstanceProfileCredentails` to enable retries and extended
-    #       timeouts.
+    #     * EC2/ECS IMDS instance profile - When used by default, the timeouts
+    #       are very aggressive. Construct and pass an instance of
+    #       `Aws::InstanceProfileCredentails` or `Aws::ECSCredentials` to
+    #       enable retries and extended timeouts.
     #
     #   @option options [required, String] :region
     #     The AWS region to connect to.  The configured `:region` is
@@ -358,33 +373,30 @@ module Aws::IAM
     end
 
     # Adds the specified IAM role to the specified instance profile. An
-    # instance profile can contain only one role. (The number and size of
-    # IAM resources in an AWS account are limited. For more information, see
-    # [IAM and STS Quotas][1] in the *IAM User Guide*.) You can remove the
-    # existing role and then add a different role to an instance profile.
-    # You must then wait for the change to appear across all of AWS because
-    # of [eventual consistency][2]. To force the change, you must
-    # [disassociate the instance profile][3] and then [associate the
-    # instance profile][4], or you can stop your instance and then restart
-    # it.
-    #
-    # <note markdown="1"> The caller of this API must be granted the `PassRole` permission on
-    # the IAM role by a permissions policy.
+    # instance profile can contain only one role, and this quota cannot be
+    # increased. You can remove the existing role and then add a different
+    # role to an instance profile. You must then wait for the change to
+    # appear across all of AWS because of [eventual consistency][1]. To
+    # force the change, you must [disassociate the instance profile][2] and
+    # then [associate the instance profile][3], or you can stop your
+    # instance and then restart it.
+    #
+    # <note markdown="1"> The caller of this operation must be granted the `PassRole` permission
+    # on the IAM role by a permissions policy.
     #
     #  </note>
     #
-    # For more information about roles, go to [Working with Roles][5]. For
-    # more information about instance profiles, go to [About Instance
-    # Profiles][6].
+    # For more information about roles, see [Working with roles][4]. For
+    # more information about instance profiles, see [About instance
+    # profiles][5].
     #
     #
     #
-    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html
-    # [2]: https://en.wikipedia.org/wiki/Eventual_consistency
-    # [3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateIamInstanceProfile.html
-    # [4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AssociateIamInstanceProfile.html
-    # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/WorkingWithRoles.html
-    # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/AboutInstanceProfiles.html
+    # [1]: https://en.wikipedia.org/wiki/Eventual_consistency
+    # [2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateIamInstanceProfile.html
+    # [3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AssociateIamInstanceProfile.html
+    # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/WorkingWithRoles.html
+    # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/AboutInstanceProfiles.html
     #
     # @option params [required, String] :instance_profile_name
     #   The name of the instance profile to update.
@@ -494,11 +506,11 @@ module Aws::IAM
 
     # Attaches the specified managed policy to the specified IAM group.
     #
-    # You use this API to attach a managed policy to a group. To embed an
-    # inline policy in a group, use PutGroupPolicy.
+    # You use this operation to attach a managed policy to a group. To embed
+    # an inline policy in a group, use PutGroupPolicy.
     #
-    # For more information about policies, see [Managed Policies and Inline
-    # Policies][1] in the *IAM User Guide*.
+    # For more information about policies, see [Managed policies and inline
+    # policies][1] in the *IAM User Guide*.
     #
     #
     #
@@ -520,8 +532,8 @@ module Aws::IAM
     # @option params [required, String] :policy_arn
     #   The Amazon Resource Name (ARN) of the IAM policy you want to attach.
     #
-    #   For more information about ARNs, see [Amazon Resource Names (ARNs) and
-    #   AWS Service Namespaces][1] in the *AWS General Reference*.
+    #   For more information about ARNs, see [Amazon Resource Names (ARNs)][1]
+    #   in the *AWS General Reference*.
     #
     #
     #
@@ -566,9 +578,9 @@ module Aws::IAM
     #
     #  </note>
     #
-    # Use this API to attach a *managed* policy to a role. To embed an
+    # Use this operation to attach a *managed* policy to a role. To embed an
     # inline policy in a role, use PutRolePolicy. For more information about
-    # policies, see [Managed Policies and Inline Policies][1] in the *IAM
+    # policies, see [Managed policies and inline policies][1] in the *IAM
     # User Guide*.
     #
     #
@@ -590,8 +602,8 @@ module Aws::IAM
     # @option params [required, String] :policy_arn
     #   The Amazon Resource Name (ARN) of the IAM policy you want to attach.
     #
-    #   For more information about ARNs, see [Amazon Resource Names (ARNs) and
-    #   AWS Service Namespaces][1] in the *AWS General Reference*.
+    #   For more information about ARNs, see [Amazon Resource Names (ARNs)][1]
+    #   in the *AWS General Reference*.
     #
     #
     #
@@ -627,11 +639,11 @@ module Aws::IAM
 
     # Attaches the specified managed policy to the specified user.
     #
-    # You use this API to attach a *managed* policy to a user. To embed an
-    # inline policy in a user, use PutUserPolicy.
+    # You use this operation to attach a *managed* policy to a user. To
+    # embed an inline policy in a user, use PutUserPolicy.
     #
-    # For more information about policies, see [Managed Policies and Inline
-    # Policies][1] in the *IAM User Guide*.
+    # For more information about policies, see [Managed policies and inline
+    # policies][1] in the *IAM User Guide*.
     #
     #
     #
@@ -653,8 +665,8 @@ module Aws::IAM
     # @option params [required, String] :policy_arn
     #   The Amazon Resource Name (ARN) of the IAM policy you want to attach.
     #
-    #   For more information about ARNs, see [Amazon Resource Names (ARNs) and
-    #   AWS Service Namespaces][1] in the *AWS General Reference*.
+    #   For more information about ARNs, see [Amazon Resource Names (ARNs)][1]
+    #   in the *AWS General Reference*.
     #
     #
     #
@@ -689,11 +701,14 @@ module Aws::IAM
     end
 
     # Changes the password of the IAM user who is calling this operation.
-    # The AWS account root user password is not affected by this operation.
+    # This operation can be performed using the AWS CLI, the AWS API, or the
+    # **My Security Credentials** page in the AWS Management Console. The
+    # AWS account root user password is not affected by this operation.
     #
-    # To change the password for a different user, see UpdateLoginProfile.
-    # For more information about modifying passwords, see [Managing
-    # Passwords][1] in the *IAM User Guide*.
+    # Use UpdateLoginProfile to use the AWS CLI, the AWS API, or the
+    # **Users** page in the IAM console to change the password for any IAM
+    # user. For more information about modifying passwords, see [Managing
+    # passwords][1] in the *IAM User Guide*.
     #
     #
     #
@@ -758,9 +773,8 @@ module Aws::IAM
     # credentials. This is true even if the AWS account has no associated
     # users.
     #
-    # The number and size of IAM resources in an AWS account are limited.
-    # For more information, see [IAM and STS Quotas][1] in the *IAM User
-    # Guide*.
+    # For information about quotas on the number of keys you can create, see
+    # [IAM and STS quotas][1] in the *IAM User Guide*.
     #
     # To ensure the security of your AWS account, the secret access key is
     # accessible only during key and user creation. You must save the key
@@ -832,7 +846,7 @@ module Aws::IAM
     end
 
     # Creates an alias for your AWS account. For information about using an
-    # AWS account alias, see [Using an Alias for Your AWS Account ID][1] in
+    # AWS account alias, see [Using an alias for your AWS account ID][1] in
     # the *IAM User Guide*.
     #
     #
@@ -879,9 +893,8 @@ module Aws::IAM
 
     # Creates a new group.
     #
-    # The number and size of IAM resources in an AWS account are limited.
-    # For more information, see [IAM and STS Quotas][1] in the *IAM User
-    # Guide*.
+    # For information about the number of groups you can create, see [IAM
+    # and STS quotas][1] in the *IAM User Guide*.
     #
     #
     #
@@ -889,7 +902,7 @@ module Aws::IAM
     #
     # @option params [String] :path
     #   The path to the group. For more information about paths, see [IAM
-    #   Identifiers][1] in the *IAM User Guide*.
+    #   identifiers][1] in the *IAM User Guide*.
     #
     #   This parameter is optional. If it is not included, it defaults to a
     #   slash (/).
@@ -963,15 +976,14 @@ module Aws::IAM
     end
 
     # Creates a new instance profile. For information about instance
-    # profiles, go to [About Instance Profiles][1].
+    # profiles, see [About instance profiles][1].
     #
-    # The number and size of IAM resources in an AWS account are limited.
-    # For more information, see [IAM and STS Quotas][2] in the *IAM User
-    # Guide*.
+    # For information about the number of instance profiles you can create,
+    # see [IAM object quotas][2] in the *IAM User Guide*.
     #
     #
     #
-    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/AboutInstanceProfiles.html
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-quotas-entities
     # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html
     #
     # @option params [required, String] :instance_profile_name
@@ -1005,6 +1017,22 @@ module Aws::IAM
     #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html
     #   [2]: http://wikipedia.org/wiki/regex
     #
+    # @option params [Array<Types::Tag>] :tags
+    #   A list of tags that you want to attach to the newly created IAM
+    #   instance profile. Each tag consists of a key name and an associated
+    #   value. For more information about tagging, see [Tagging IAM
+    #   resources][1] in the *IAM User Guide*.
+    #
+    #   <note markdown="1"> If any one of the tags is invalid or if you exceed the allowed maximum
+    #   number of tags, then the entire request fails and the resource is not
+    #   created.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html
+    #
     # @return [Types::CreateInstanceProfileResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::CreateInstanceProfileResponse#instance_profile #instance_profile} => Types::InstanceProfile
@@ -1037,6 +1065,12 @@ module Aws::IAM
     #   resp = client.create_instance_profile({
     #     instance_profile_name: "instanceProfileNameType", # required
     #     path: "pathType",
+    #     tags: [
+    #       {
+    #         key: "tagKeyType", # required
+    #         value: "tagValueType", # required
+    #       },
+    #     ],
     #   })
     #
     # @example Response structure
@@ -1062,6 +1096,9 @@ module Aws::IAM
     #   resp.instance_profile.roles[0].tags[0].value #=> String
     #   resp.instance_profile.roles[0].role_last_used.last_used_date #=> Time
     #   resp.instance_profile.roles[0].role_last_used.region #=> String
+    #   resp.instance_profile.tags #=> Array
+    #   resp.instance_profile.tags[0].key #=> String
+    #   resp.instance_profile.tags[0].value #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/CreateInstanceProfile AWS API Documentation
     #
@@ -1072,10 +1109,16 @@ module Aws::IAM
       req.send_request(options)
     end
 
-    # Creates a password for the specified user, giving the user the ability
-    # to access AWS services through the AWS Management Console. For more
-    # information about managing passwords, see [Managing Passwords][1] in
-    # the *IAM User Guide*.
+    # Creates a password for the specified IAM user. A password allows an
+    # IAM user to access AWS services through the AWS Management Console.
+    #
+    # You can use the AWS CLI, the AWS API, or the **Users** page in the IAM
+    # console to create a password for any IAM user. Use ChangePassword to
+    # update your own existing password in the **My Security Credentials**
+    # page in the AWS Management Console.
+    #
+    # For more information about managing passwords, see [Managing
+    # passwords][1] in the *IAM User Guide*.
     #
     #
     #
@@ -1238,16 +1281,33 @@ module Aws::IAM
     #   certificate used by https://keys.server.example.com.
     #
     #   For more information about obtaining the OIDC provider's thumbprint,
-    #   see [Obtaining the Thumbprint for an OpenID Connect Provider][1] in
+    #   see [Obtaining the thumbprint for an OpenID Connect provider][1] in
     #   the *IAM User Guide*.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/identity-providers-oidc-obtain-thumbprint.html
     #
+    # @option params [Array<Types::Tag>] :tags
+    #   A list of tags that you want to attach to the new IAM OpenID Connect
+    #   (OIDC) provider. Each tag consists of a key name and an associated
+    #   value. For more information about tagging, see [Tagging IAM
+    #   resources][1] in the *IAM User Guide*.
+    #
+    #   <note markdown="1"> If any one of the tags is invalid or if you exceed the allowed maximum
+    #   number of tags, then the entire request fails and the resource is not
+    #   created.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html
+    #
     # @return [Types::CreateOpenIDConnectProviderResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::CreateOpenIDConnectProviderResponse#open_id_connect_provider_arn #open_id_connect_provider_arn} => String
+    #   * {Types::CreateOpenIDConnectProviderResponse#tags #tags} => Array&lt;Types::Tag&gt;
     #
     #
     # @example Example: To create an instance profile
@@ -1276,11 +1336,20 @@ module Aws::IAM
     #     url: "OpenIDConnectProviderUrlType", # required
     #     client_id_list: ["clientIDType"],
     #     thumbprint_list: ["thumbprintType"], # required
+    #     tags: [
+    #       {
+    #         key: "tagKeyType", # required
+    #         value: "tagValueType", # required
+    #       },
+    #     ],
     #   })
     #
     # @example Response structure
     #
     #   resp.open_id_connect_provider_arn #=> String
+    #   resp.tags #=> Array
+    #   resp.tags[0].key #=> String
+    #   resp.tags[0].value #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/CreateOpenIDConnectProvider AWS API Documentation
     #
@@ -1295,11 +1364,11 @@ module Aws::IAM
     #
     # This operation creates a policy version with a version identifier of
     # `v1` and sets v1 as the policy's default version. For more
-    # information about policy versions, see [Versioning for Managed
-    # Policies][1] in the *IAM User Guide*.
+    # information about policy versions, see [Versioning for managed
+    # policies][1] in the *IAM User Guide*.
     #
     # For more information about managed policies in general, see [Managed
-    # Policies and Inline Policies][2] in the *IAM User Guide*.
+    # policies and inline policies][2] in the *IAM User Guide*.
     #
     #
     #
@@ -1316,7 +1385,7 @@ module Aws::IAM
     # @option params [String] :path
     #   The path for the policy.
     #
-    #   For more information about paths, see [IAM Identifiers][1] in the *IAM
+    #   For more information about paths, see [IAM identifiers][1] in the *IAM
     #   User Guide*.
     #
     #   This parameter is optional. If it is not included, it defaults to a
@@ -1369,6 +1438,22 @@ module Aws::IAM
     #   The policy description is immutable. After a value is assigned, it
     #   cannot be changed.
     #
+    # @option params [Array<Types::Tag>] :tags
+    #   A list of tags that you want to attach to the new IAM customer managed
+    #   policy. Each tag consists of a key name and an associated value. For
+    #   more information about tagging, see [Tagging IAM resources][1] in the
+    #   *IAM User Guide*.
+    #
+    #   <note markdown="1"> If any one of the tags is invalid or if you exceed the allowed maximum
+    #   number of tags, then the entire request fails and the resource is not
+    #   created.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html
+    #
     # @return [Types::CreatePolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::CreatePolicyResponse#policy #policy} => Types::Policy
@@ -1380,6 +1465,12 @@ module Aws::IAM
     #     path: "policyPathType",
     #     policy_document: "policyDocumentType", # required
     #     description: "policyDescriptionType",
+    #     tags: [
+    #       {
+    #         key: "tagKeyType", # required
+    #         value: "tagValueType", # required
+    #       },
+    #     ],
     #   })
     #
     # @example Response structure
@@ -1395,6 +1486,9 @@ module Aws::IAM
     #   resp.policy.description #=> String
     #   resp.policy.create_date #=> Time
     #   resp.policy.update_date #=> Time
+    #   resp.policy.tags #=> Array
+    #   resp.policy.tags[0].key #=> String
+    #   resp.policy.tags[0].value #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/CreatePolicy AWS API Documentation
     #
@@ -1416,7 +1510,7 @@ module Aws::IAM
     # IAM users, groups, and roles to which the policy is attached.
     #
     # For more information about managed policy versions, see [Versioning
-    # for Managed Policies][1] in the *IAM User Guide*.
+    # for managed policies][1] in the *IAM User Guide*.
     #
     #
     #
@@ -1426,8 +1520,8 @@ module Aws::IAM
     #   The Amazon Resource Name (ARN) of the IAM policy to which you want to
     #   add a new version.
     #
-    #   For more information about ARNs, see [Amazon Resource Names (ARNs) and
-    #   AWS Service Namespaces][1] in the *AWS General Reference*.
+    #   For more information about ARNs, see [Amazon Resource Names (ARNs)][1]
+    #   in the *AWS General Reference*.
     #
     #
     #
@@ -1467,7 +1561,7 @@ module Aws::IAM
     #   for the IAM users, groups, and roles that the policy is attached to.
     #
     #   For more information about managed policy versions, see [Versioning
-    #   for Managed Policies][1] in the *IAM User Guide*.
+    #   for managed policies][1] in the *IAM User Guide*.
     #
     #
     #
@@ -1502,9 +1596,9 @@ module Aws::IAM
     end
 
     # Creates a new role for your AWS account. For more information about
-    # roles, go to [IAM Roles][1]. The number and size of IAM resources in
-    # an AWS account are limited. For more information, see [IAM and STS
-    # Quotas][2] in the *IAM User Guide*.
+    # roles, see [IAM roles][1]. For information about quotas for role names
+    # and the number of roles you can create, see [IAM and STS quotas][2] in
+    # the *IAM User Guide*.
     #
     #
     #
@@ -1584,7 +1678,7 @@ module Aws::IAM
     #   for one hour by default. This applies when you use the `AssumeRole*`
     #   API operations or the `assume-role*` CLI operations but does not apply
     #   when you use those operations to create a console URL. For more
-    #   information, see [Using IAM Roles][1] in the *IAM User Guide*.
+    #   information, see [Using IAM roles][1] in the *IAM User Guide*.
     #
     #
     #
@@ -1595,13 +1689,12 @@ module Aws::IAM
     #   the role.
     #
     # @option params [Array<Types::Tag>] :tags
-    #   A list of tags that you want to attach to the newly created role. Each
-    #   tag consists of a key name and an associated value. For more
-    #   information about tagging, see [Tagging IAM Identities][1] in the *IAM
-    #   User Guide*.
+    #   A list of tags that you want to attach to the new role. Each tag
+    #   consists of a key name and an associated value. For more information
+    #   about tagging, see [Tagging IAM resources][1] in the *IAM User Guide*.
     #
-    #   <note markdown="1"> If any one of the tags is invalid or if you exceed the allowed number
-    #   of tags per role, then the entire request fails and the role is not
+    #   <note markdown="1"> If any one of the tags is invalid or if you exceed the allowed maximum
+    #   number of tags, then the entire request fails and the resource is not
     #   created.
     #
     #    </note>
@@ -1703,9 +1796,9 @@ module Aws::IAM
     #
     #  </note>
     #
-    # For more information, see [Enabling SAML 2.0 Federated Users to Access
+    # For more information, see [Enabling SAML 2.0 federated users to access
     # the AWS Management Console][2] and [About SAML 2.0-based
-    # Federation][3] in the *IAM User Guide*.
+    # federation][3] in the *IAM User Guide*.
     #
     #
     #
@@ -1721,7 +1814,7 @@ module Aws::IAM
     #   You must generate the metadata document using the identity management
     #   software that is used as your organization's IdP.
     #
-    #   For more information, see [About SAML 2.0-based Federation][1] in the
+    #   For more information, see [About SAML 2.0-based federation][1] in the
     #   *IAM User Guide*
     #
     #
@@ -1740,20 +1833,46 @@ module Aws::IAM
     #
     #   [1]: http://wikipedia.org/wiki/regex
     #
+    # @option params [Array<Types::Tag>] :tags
+    #   A list of tags that you want to attach to the new IAM SAML provider.
+    #   Each tag consists of a key name and an associated value. For more
+    #   information about tagging, see [Tagging IAM resources][1] in the *IAM
+    #   User Guide*.
+    #
+    #   <note markdown="1"> If any one of the tags is invalid or if you exceed the allowed maximum
+    #   number of tags, then the entire request fails and the resource is not
+    #   created.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html
+    #
     # @return [Types::CreateSAMLProviderResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::CreateSAMLProviderResponse#saml_provider_arn #saml_provider_arn} => String
+    #   * {Types::CreateSAMLProviderResponse#tags #tags} => Array&lt;Types::Tag&gt;
     #
     # @example Request syntax with placeholder values
     #
     #   resp = client.create_saml_provider({
     #     saml_metadata_document: "SAMLMetadataDocumentType", # required
     #     name: "SAMLProviderNameType", # required
+    #     tags: [
+    #       {
+    #         key: "tagKeyType", # required
+    #         value: "tagValueType", # required
+    #       },
+    #     ],
     #   })
     #
     # @example Response structure
     #
     #   resp.saml_provider_arn #=> String
+    #   resp.tags #=> Array
+    #   resp.tags[0].key #=> String
+    #   resp.tags[0].value #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/CreateSAMLProvider AWS API Documentation
     #
@@ -1771,7 +1890,7 @@ module Aws::IAM
     # resources into an unknown state. Allowing the service to control the
     # role helps improve service stability and proper cleanup when a service
     # and its role are no longer needed. For more information, see [Using
-    # Service-Linked Roles][1] in the *IAM User Guide*.
+    # service-linked roles][1] in the *IAM User Guide*.
     #
     # To attach a policy to this service-linked role, you must make the
     # request using the AWS service that depends on this role.
@@ -1786,8 +1905,8 @@ module Aws::IAM
     #   front. For example: `elasticbeanstalk.amazonaws.com`.
     #
     #   Service principals are unique and case-sensitive. To find the exact
-    #   service principal for your service-linked role, see [AWS Services That
-    #   Work with IAM][1] in the *IAM User Guide*. Look for the services that
+    #   service principal for your service-linked role, see [AWS services that
+    #   work with IAM][1] in the *IAM User Guide*. Look for the services that
     #   have <b>Yes </b>in the **Service-Linked Role** column. Choose the
     #   **Yes** link to view the service-linked role documentation for that
     #   service.
@@ -1857,14 +1976,15 @@ module Aws::IAM
     # You can have a maximum of two sets of service-specific credentials for
     # each supported service per user.
     #
-    # The only supported service at this time is AWS CodeCommit.
+    # You can create service-specific credentials for AWS CodeCommit and
+    # Amazon Keyspaces (for Apache Cassandra).
     #
     # You can reset the password to a new service-generated value by calling
     # ResetServiceSpecificCredential.
     #
     # For more information about service-specific credentials, see [Using
-    # IAM with AWS CodeCommit: Git Credentials, SSH Keys, and AWS Access
-    # Keys][1] in the *IAM User Guide*.
+    # IAM with AWS CodeCommit: Git credentials, SSH keys, and AWS access
+    # keys][1] in the *IAM User Guide*.
     #
     #
     #
@@ -1922,9 +2042,8 @@ module Aws::IAM
 
     # Creates a new IAM user for your AWS account.
     #
-    # The number and size of IAM resources in an AWS account are limited.
-    # For more information, see [IAM and STS Quotas][1] in the *IAM User
-    # Guide*.
+    # For information about quotas for the number of IAM users you can
+    # create, see [IAM and STS quotas][1] in the *IAM User Guide*.
     #
     #
     #
@@ -1932,7 +2051,7 @@ module Aws::IAM
     #
     # @option params [String] :path
     #   The path for the user name. For more information about paths, see [IAM
-    #   Identifiers][1] in the *IAM User Guide*.
+    #   identifiers][1] in the *IAM User Guide*.
     #
     #   This parameter is optional. If it is not included, it defaults to a
     #   slash (/).
@@ -1961,13 +2080,12 @@ module Aws::IAM
     #   the user.
     #
     # @option params [Array<Types::Tag>] :tags
-    #   A list of tags that you want to attach to the newly created user. Each
-    #   tag consists of a key name and an associated value. For more
-    #   information about tagging, see [Tagging IAM Identities][1] in the *IAM
-    #   User Guide*.
+    #   A list of tags that you want to attach to the new user. Each tag
+    #   consists of a key name and an associated value. For more information
+    #   about tagging, see [Tagging IAM resources][1] in the *IAM User Guide*.
     #
-    #   <note markdown="1"> If any one of the tags is invalid or if you exceed the allowed number
-    #   of tags per user, then the entire request fails and the user is not
+    #   <note markdown="1"> If any one of the tags is invalid or if you exceed the allowed maximum
+    #   number of tags, then the entire request fails and the resource is not
     #   created.
     #
     #    </note>
@@ -2040,12 +2158,11 @@ module Aws::IAM
     # Creates a new virtual MFA device for the AWS account. After creating
     # the virtual MFA, use EnableMFADevice to attach the MFA device to an
     # IAM user. For more information about creating and working with virtual
-    # MFA devices, go to [Using a Virtual MFA Device][1] in the *IAM User
+    # MFA devices, see [Using a virtual MFA device][1] in the *IAM User
     # Guide*.
     #
-    # The number and size of IAM resources in an AWS account are limited.
-    # For more information, see [IAM and STS Quotas][2] in the *IAM User
-    # Guide*.
+    # For information about the maximum number of MFA devices you can
+    # create, see [IAM and STS quotas][2] in the *IAM User Guide*.
     #
     # The seed information contained in the QR code and the Base32 string
     # should be treated like any other secret access information. In other
@@ -2060,7 +2177,7 @@ module Aws::IAM
     #
     # @option params [String] :path
     #   The path for the virtual MFA device. For more information about paths,
-    #   see [IAM Identifiers][1] in the *IAM User Guide*.
+    #   see [IAM identifiers][1] in the *IAM User Guide*.
     #
     #   This parameter is optional. If it is not included, it defaults to a
     #   slash (/).
@@ -2090,6 +2207,22 @@ module Aws::IAM
     #
     #   [1]: http://wikipedia.org/wiki/regex
     #
+    # @option params [Array<Types::Tag>] :tags
+    #   A list of tags that you want to attach to the new IAM virtual MFA
+    #   device. Each tag consists of a key name and an associated value. For
+    #   more information about tagging, see [Tagging IAM resources][1] in the
+    #   *IAM User Guide*.
+    #
+    #   <note markdown="1"> If any one of the tags is invalid or if you exceed the allowed maximum
+    #   number of tags, then the entire request fails and the resource is not
+    #   created.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html
+    #
     # @return [Types::CreateVirtualMFADeviceResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::CreateVirtualMFADeviceResponse#virtual_mfa_device #virtual_mfa_device} => Types::VirtualMFADevice
@@ -2099,6 +2232,12 @@ module Aws::IAM
     #   resp = client.create_virtual_mfa_device({
     #     path: "pathType",
     #     virtual_mfa_device_name: "virtualMFADeviceName", # required
+    #     tags: [
+    #       {
+    #         key: "tagKeyType", # required
+    #         value: "tagValueType", # required
+    #       },
+    #     ],
     #   })
     #
     # @example Response structure
@@ -2118,6 +2257,9 @@ module Aws::IAM
     #   resp.virtual_mfa_device.user.tags[0].key #=> String
     #   resp.virtual_mfa_device.user.tags[0].value #=> String
     #   resp.virtual_mfa_device.enable_date #=> Time
+    #   resp.virtual_mfa_device.tags #=> Array
+    #   resp.virtual_mfa_device.tags[0].key #=> String
+    #   resp.virtual_mfa_device.tags[0].value #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/CreateVirtualMFADevice AWS API Documentation
     #
@@ -2132,8 +2274,8 @@ module Aws::IAM
     # with the user name for which it was originally enabled.
     #
     # For more information about creating and working with virtual MFA
-    # devices, go to [Enabling a Virtual Multi-factor Authentication (MFA)
-    # Device][1] in the *IAM User Guide*.
+    # devices, see [Enabling a virtual multi-factor authentication (MFA)
+    # device][1] in the *IAM User Guide*.
     #
     #
     #
@@ -2243,7 +2385,7 @@ module Aws::IAM
     end
 
     # Deletes the specified AWS account alias. For information about using
-    # an AWS account alias, see [Using an Alias for Your AWS Account ID][1]
+    # an AWS account alias, see [Using an alias for your AWS account ID][1]
     # in the *IAM User Guide*.
     #
     #
@@ -2347,8 +2489,8 @@ module Aws::IAM
     #
     # A group can also have managed policies attached to it. To detach a
     # managed policy from a group, use DetachGroupPolicy. For more
-    # information about policies, refer to [Managed Policies and Inline
-    # Policies][1] in the *IAM User Guide*.
+    # information about policies, refer to [Managed policies and inline
+    # policies][1] in the *IAM User Guide*.
     #
     #
     #
@@ -2415,8 +2557,8 @@ module Aws::IAM
     # instance profile that is associated with a running instance will break
     # any applications running on the instance.
     #
-    # For more information about instance profiles, go to [About Instance
-    # Profiles][1].
+    # For more information about instance profiles, see [About instance
+    # profiles][1].
     #
     #
     #
@@ -2464,6 +2606,11 @@ module Aws::IAM
     # user's ability to access AWS services through the AWS Management
     # Console.
     #
+    # You can use the AWS CLI, the AWS API, or the **Users** page in the IAM
+    # console to delete a password for any IAM user. You can use
+    # ChangePassword to update, but not delete, your own password in the
+    # **My Security Credentials** page in the AWS Management Console.
+    #
     # Deleting a user's password does not prevent a user from accessing AWS
     # through the command line interface or the API. To prevent all user
     # access, you must also either make any access keys inactive or delete
@@ -2549,9 +2696,9 @@ module Aws::IAM
     # steps describe the process for deleting a managed policy:
     #
     # * Detach the policy from all users, groups, and roles that the policy
-    #   is attached to, using the DetachUserPolicy, DetachGroupPolicy, or
-    #   DetachRolePolicy API operations. To list all the users, groups, and
-    #   roles that a policy is attached to, use ListEntitiesForPolicy.
+    #   is attached to, using DetachUserPolicy, DetachGroupPolicy, or
+    #   DetachRolePolicy. To list all the users, groups, and roles that a
+    #   policy is attached to, use ListEntitiesForPolicy.
     #
     # * Delete all versions of the policy using DeletePolicyVersion. To list
     #   the policy's versions, use ListPolicyVersions. You cannot use
@@ -2560,10 +2707,10 @@ module Aws::IAM
     #   next step of the process.
     #
     # * Delete the policy (this automatically deletes the policy's default
-    #   version) using this API.
+    #   version) using this operation.
     #
-    # For information about managed policies, see [Managed Policies and
-    # Inline Policies][1] in the *IAM User Guide*.
+    # For information about managed policies, see [Managed policies and
+    # inline policies][1] in the *IAM User Guide*.
     #
     #
     #
@@ -2572,8 +2719,8 @@ module Aws::IAM
     # @option params [required, String] :policy_arn
     #   The Amazon Resource Name (ARN) of the IAM policy you want to delete.
     #
-    #   For more information about ARNs, see [Amazon Resource Names (ARNs) and
-    #   AWS Service Namespaces][1] in the *AWS General Reference*.
+    #   For more information about ARNs, see [Amazon Resource Names (ARNs)][1]
+    #   in the *AWS General Reference*.
     #
     #
     #
@@ -2598,13 +2745,13 @@ module Aws::IAM
 
     # Deletes the specified version from the specified managed policy.
     #
-    # You cannot delete the default version from a policy using this API. To
-    # delete the default version from a policy, use DeletePolicy. To find
-    # out which version of a policy is marked as the default version, use
-    # ListPolicyVersions.
+    # You cannot delete the default version from a policy using this
+    # operation. To delete the default version from a policy, use
+    # DeletePolicy. To find out which version of a policy is marked as the
+    # default version, use ListPolicyVersions.
     #
     # For information about versions for managed policies, see [Versioning
-    # for Managed Policies][1] in the *IAM User Guide*.
+    # for managed policies][1] in the *IAM User Guide*.
     #
     #
     #
@@ -2614,8 +2761,8 @@ module Aws::IAM
     #   The Amazon Resource Name (ARN) of the IAM policy from which you want
     #   to delete a version.
     #
-    #   For more information about ARNs, see [Amazon Resource Names (ARNs) and
-    #   AWS Service Namespaces][1] in the *AWS General Reference*.
+    #   For more information about ARNs, see [Amazon Resource Names (ARNs)][1]
+    #   in the *AWS General Reference*.
     #
     #
     #
@@ -2630,7 +2777,7 @@ module Aws::IAM
     #   of letters and digits.
     #
     #   For more information about managed policy versions, see [Versioning
-    #   for Managed Policies][2] in the *IAM User Guide*.
+    #   for managed policies][2] in the *IAM User Guide*.
     #
     #
     #
@@ -2656,8 +2803,8 @@ module Aws::IAM
     end
 
     # Deletes the specified role. The role must not have any policies
-    # attached. For more information about roles, go to [Working with
-    # Roles][1].
+    # attached. For more information about roles, see [Working with
+    # roles][1].
     #
     # Make sure that you do not have any Amazon EC2 instances running with
     # the role you are about to delete. Deleting a role or instance profile
@@ -2738,7 +2885,7 @@ module Aws::IAM
     #
     # A role can also have managed policies attached to it. To detach a
     # managed policy from a role, use DetachRolePolicy. For more information
-    # about policies, refer to [Managed Policies and Inline Policies][1] in
+    # about policies, refer to [Managed policies and inline policies][1] in
     # the *IAM User Guide*.
     #
     #
@@ -2839,7 +2986,7 @@ module Aws::IAM
     # authenticating the associated IAM user to an AWS CodeCommit
     # repository. For more information about using SSH keys to authenticate
     # to an AWS CodeCommit repository, see [Set up AWS CodeCommit for SSH
-    # Connections][1] in the *AWS CodeCommit User Guide*.
+    # connections][1] in the *AWS CodeCommit User Guide*.
     #
     #
     #
@@ -2889,7 +3036,7 @@ module Aws::IAM
     # Deletes the specified server certificate.
     #
     # For more information about working with server certificates, see
-    # [Working with Server Certificates][1] in the *IAM User Guide*. This
+    # [Working with server certificates][1] in the *IAM User Guide*. This
     # topic also includes a list of AWS services that can use the server
     # certificates that you manage with IAM.
     #
@@ -2900,8 +3047,8 @@ module Aws::IAM
     # cause Elastic Load Balancing to stop accepting traffic. We recommend
     # that you remove the reference to the certificate from Elastic Load
     # Balancing before using this command to delete the certificate. For
-    # more information, go to [DeleteLoadBalancerListeners][2] in the
-    # *Elastic Load Balancing API Reference*.
+    # more information, see [DeleteLoadBalancerListeners][2] in the *Elastic
+    # Load Balancing API Reference*.
     #
     #
     #
@@ -2947,17 +3094,16 @@ module Aws::IAM
     #
     # If you submit a deletion request for a service-linked role whose
     # linked service is still accessing a resource, then the deletion task
-    # fails. If it fails, the GetServiceLinkedRoleDeletionStatus API
-    # operation returns the reason for the failure, usually including the
-    # resources that must be deleted. To delete the service-linked role, you
-    # must first remove those resources from the linked service and then
-    # submit the deletion request again. Resources are specific to the
-    # service that is linked to the role. For more information about
-    # removing resources from a service, see the [AWS documentation][1] for
-    # your service.
+    # fails. If it fails, the GetServiceLinkedRoleDeletionStatus operation
+    # returns the reason for the failure, usually including the resources
+    # that must be deleted. To delete the service-linked role, you must
+    # first remove those resources from the linked service and then submit
+    # the deletion request again. Resources are specific to the service that
+    # is linked to the role. For more information about removing resources
+    # from a service, see the [AWS documentation][1] for your service.
     #
-    # For more information about service-linked roles, see [Roles Terms and
-    # Concepts: AWS Service-Linked Role][2] in the *IAM User Guide*.
+    # For more information about service-linked roles, see [Roles terms and
+    # concepts: AWS service-linked role][2] in the *IAM User Guide*.
     #
     #
     #
@@ -3098,7 +3244,7 @@ module Aws::IAM
     # Deletes the specified IAM user. Unlike the AWS Management Console,
     # when you delete a user programmatically, you must delete the items
     # attached to the user manually, or the deletion fails. For more
-    # information, see [Deleting an IAM User][1]. Before attempting to
+    # information, see [Deleting an IAM user][1]. Before attempting to
     # delete a user, remove the following items:
     #
     # * Password (DeleteLoginProfile)
@@ -3194,7 +3340,7 @@ module Aws::IAM
     #
     # A user can also have managed policies attached to it. To detach a
     # managed policy from a user, use DetachUserPolicy. For more information
-    # about policies, refer to [Managed Policies and Inline Policies][1] in
+    # about policies, refer to [Managed policies and inline policies][1] in
     # the *IAM User Guide*.
     #
     #
@@ -3304,9 +3450,8 @@ module Aws::IAM
     # Removes the specified managed policy from the specified IAM group.
     #
     # A group can also have inline policies embedded with it. To delete an
-    # inline policy, use the DeleteGroupPolicy API. For information about
-    # policies, see [Managed Policies and Inline Policies][1] in the *IAM
-    # User Guide*.
+    # inline policy, use DeleteGroupPolicy. For information about policies,
+    # see [Managed policies and inline policies][1] in the *IAM User Guide*.
     #
     #
     #
@@ -3328,8 +3473,8 @@ module Aws::IAM
     # @option params [required, String] :policy_arn
     #   The Amazon Resource Name (ARN) of the IAM policy you want to detach.
     #
-    #   For more information about ARNs, see [Amazon Resource Names (ARNs) and
-    #   AWS Service Namespaces][1] in the *AWS General Reference*.
+    #   For more information about ARNs, see [Amazon Resource Names (ARNs)][1]
+    #   in the *AWS General Reference*.
     #
     #
     #
@@ -3356,9 +3501,8 @@ module Aws::IAM
     # Removes the specified managed policy from the specified role.
     #
     # A role can also have inline policies embedded with it. To delete an
-    # inline policy, use the DeleteRolePolicy API. For information about
-    # policies, see [Managed Policies and Inline Policies][1] in the *IAM
-    # User Guide*.
+    # inline policy, use DeleteRolePolicy. For information about policies,
+    # see [Managed policies and inline policies][1] in the *IAM User Guide*.
     #
     #
     #
@@ -3380,8 +3524,8 @@ module Aws::IAM
     # @option params [required, String] :policy_arn
     #   The Amazon Resource Name (ARN) of the IAM policy you want to detach.
     #
-    #   For more information about ARNs, see [Amazon Resource Names (ARNs) and
-    #   AWS Service Namespaces][1] in the *AWS General Reference*.
+    #   For more information about ARNs, see [Amazon Resource Names (ARNs)][1]
+    #   in the *AWS General Reference*.
     #
     #
     #
@@ -3408,9 +3552,8 @@ module Aws::IAM
     # Removes the specified managed policy from the specified user.
     #
     # A user can also have inline policies embedded with it. To delete an
-    # inline policy, use the DeleteUserPolicy API. For information about
-    # policies, see [Managed Policies and Inline Policies][1] in the *IAM
-    # User Guide*.
+    # inline policy, use DeleteUserPolicy. For information about policies,
+    # see [Managed policies and inline policies][1] in the *IAM User Guide*.
     #
     #
     #
@@ -3432,8 +3575,8 @@ module Aws::IAM
     # @option params [required, String] :policy_arn
     #   The Amazon Resource Name (ARN) of the IAM policy you want to detach.
     #
-    #   For more information about ARNs, see [Amazon Resource Names (ARNs) and
-    #   AWS Service Namespaces][1] in the *AWS General Reference*.
+    #   For more information about ARNs, see [Amazon Resource Names (ARNs)][1]
+    #   in the *AWS General Reference*.
     #
     #
     #
@@ -3539,8 +3682,8 @@ module Aws::IAM
     end
 
     # Generates a credential report for the AWS account. For more
-    # information about the credential report, see [Getting Credential
-    # Reports][1] in the *IAM User Guide*.
+    # information about the credential report, see [Getting credential
+    # reports][1] in the *IAM User Guide*.
     #
     #
     #
@@ -3571,12 +3714,12 @@ module Aws::IAM
     # your organization.
     #
     # To call this operation, you must be signed in using your AWS
-    # Organizations master account credentials. You can use your long-term
-    # IAM user or root user credentials, or temporary credentials from
-    # assuming an IAM role. SCPs must be enabled for your organization root.
-    # You must have the required IAM and AWS Organizations permissions. For
-    # more information, see [Refining Permissions Using Service Last
-    # Accessed Data][1] in the *IAM User Guide*.
+    # Organizations management account credentials. You can use your
+    # long-term IAM user or root user credentials, or temporary credentials
+    # from assuming an IAM role. SCPs must be enabled for your organization
+    # root. You must have the required IAM and AWS Organizations
+    # permissions. For more information, see [Refining permissions using
+    # service last accessed data][1] in the *IAM User Guide*.
     #
     # You can generate a service last accessed data report for entities by
     # specifying only the entity's path. This data includes a list of
@@ -3592,8 +3735,8 @@ module Aws::IAM
     # recent account activity that the policy allows to account principals
     # in the entity or the entity's children. For important information
     # about the data, reporting period, permissions required,
-    # troubleshooting, and supported Regions see [Reducing Permissions Using
-    # Service Last Accessed Data][1] in the *IAM User Guide*.
+    # troubleshooting, and supported Regions see [Reducing permissions using
+    # service last accessed data][1] in the *IAM User Guide*.
     #
     # The data includes all attempts to access AWS, not just the successful
     # ones. This includes all attempts that were made using the AWS
@@ -3603,7 +3746,7 @@ module Aws::IAM
     # request might have been denied. Refer to your CloudTrail logs as the
     # authoritative source for information about all API calls and whether
     # they were successful or denied access. For more information,
-    # see [Logging IAM Events with CloudTrail][2] in the *IAM User Guide*.
+    # see [Logging IAM events with CloudTrail][2] in the *IAM User Guide*.
     #
     # This operation returns a `JobId`. Use this parameter in the `
     # GetOrganizationsAccessReport ` operation to check the status of the
@@ -3620,20 +3763,20 @@ module Aws::IAM
     # * **Root** – When you specify the organizations root as the entity,
     #   the resulting report lists all of the services allowed by SCPs that
     #   are attached to your root. For each service, the report includes
-    #   data for all accounts in your organization except the master
-    #   account, because the master account is not limited by SCPs.
+    #   data for all accounts in your organization except the management
+    #   account, because the management account is not limited by SCPs.
     #
     # * **OU** – When you specify an organizational unit (OU) as the entity,
     #   the resulting report lists all of the services allowed by SCPs that
     #   are attached to the OU and its parents. For each service, the report
     #   includes data for all accounts in the OU or its children. This data
-    #   excludes the master account, because the master account is not
-    #   limited by SCPs.
+    #   excludes the management account, because the management account is
+    #   not limited by SCPs.
     #
-    # * **Master account** – When you specify the master account, the
-    #   resulting report lists all AWS services, because the master account
-    #   is not limited by SCPs. For each service, the report includes data
-    #   for only the master account.
+    # * **management account** – When you specify the management account,
+    #   the resulting report lists all AWS services, because the management
+    #   account is not limited by SCPs. For each service, the report
+    #   includes data for only the management account.
     #
     # * **Account** – When you specify another account as the entity, the
     #   resulting report lists all of the services allowed by SCPs that are
@@ -3649,26 +3792,26 @@ module Aws::IAM
     #   resulting report lists all of the services that are allowed by the
     #   specified SCP. For each service, the report includes data for all
     #   accounts in your organization to which the SCP applies. This data
-    #   excludes the master account, because the master account is not
-    #   limited by SCPs. If the SCP is not attached to any entities in the
-    #   organization, then the report will return a list of services with no
-    #   data.
+    #   excludes the management account, because the management account is
+    #   not limited by SCPs. If the SCP is not attached to any entities in
+    #   the organization, then the report will return a list of services
+    #   with no data.
     #
     # * **OU** – When you specify an OU entity and a policy ID, the
     #   resulting report lists all of the services that are allowed by the
     #   specified SCP. For each service, the report includes data for all
     #   accounts in the OU or its children to which the SCP applies. This
     #   means that other accounts outside the OU that are affected by the
-    #   SCP might not be included in the data. This data excludes the master
-    #   account, because the master account is not limited by SCPs. If the
-    #   SCP is not attached to the OU or one of its children, the report
-    #   will return a list of services with no data.
+    #   SCP might not be included in the data. This data excludes the
+    #   management account, because the management account is not limited by
+    #   SCPs. If the SCP is not attached to the OU or one of its children,
+    #   the report will return a list of services with no data.
     #
-    # * **Master account** – When you specify the master account, the
-    #   resulting report lists all AWS services, because the master account
-    #   is not limited by SCPs. If you specify a policy ID in the CLI or
-    #   API, the policy is ignored. For each service, the report includes
-    #   data for only the master account.
+    # * **management account** – When you specify the management account,
+    #   the resulting report lists all AWS services, because the management
+    #   account is not limited by SCPs. If you specify a policy ID in the
+    #   CLI or API, the policy is ignored. For each service, the report
+    #   includes data for only the management account.
     #
     # * **Account** – When you specify another account entity and a policy
     #   ID, the resulting report lists all of the services that are allowed
@@ -3683,12 +3826,12 @@ module Aws::IAM
     # policy types include identity-based policies, resource-based policies,
     # access control lists, IAM permissions boundaries, and STS assume role
     # policies. It only applies SCP logic. For more about the evaluation of
-    # policy types, see [Evaluating Policies][3] in the *IAM User Guide*.
+    # policy types, see [Evaluating policies][3] in the *IAM User Guide*.
     #
     #  </note>
     #
     # For more information about service last accessed data, see [Reducing
-    # Policy Scope by Viewing User Activity][1] in the *IAM User Guide*.
+    # policy scope by viewing user activity][1] in the *IAM User Guide*.
     #
     #
     #
@@ -3756,7 +3899,7 @@ module Aws::IAM
     # AWS services. Recent activity usually appears within four hours. IAM
     # reports activity for the last 365 days, or less if your Region began
     # supporting this feature within the last year. For more information,
-    # see [Regions Where Data Is Tracked][1].
+    # see [Regions where data is tracked][1].
     #
     # The service last accessed data includes all attempts to access an AWS
     # API, not just the successful ones. This includes all attempts that
@@ -3766,7 +3909,7 @@ module Aws::IAM
     # compromised, because the request might have been denied. Refer to your
     # CloudTrail logs as the authoritative source for information about all
     # API calls and whether they were successful or denied access. For more
-    # information, see [Logging IAM Events with CloudTrail][2] in the *IAM
+    # information, see [Logging IAM events with CloudTrail][2] in the *IAM
     # User Guide*.
     #
     # The `GenerateServiceLastAccessedDetails` operation returns a `JobId`.
@@ -3802,12 +3945,12 @@ module Aws::IAM
     # AWS Organizations policies, IAM permissions boundaries, and AWS STS
     # assume role policies. It only applies permissions policy logic. For
     # more about the evaluation of policy types, see [Evaluating
-    # Policies][3] in the *IAM User Guide*.
+    # policies][3] in the *IAM User Guide*.
     #
     #  </note>
     #
     # For more information about service and action last accessed data, see
-    # [Reducing Permissions Using Service Last Accessed Data][4] in the *IAM
+    # [Reducing permissions using service last accessed data][4] in the *IAM
     # User Guide*.
     #
     #
@@ -3913,12 +4056,12 @@ module Aws::IAM
 
     # Retrieves information about all IAM users, groups, roles, and policies
     # in your AWS account, including their relationships to one another. Use
-    # this API to obtain a snapshot of the configuration of IAM permissions
-    # (users, groups, roles, and policies) in your account.
+    # this operation to obtain a snapshot of the configuration of IAM
+    # permissions (users, groups, roles, and policies) in your account.
     #
-    # <note markdown="1"> Policies returned by this API are URL-encoded compliant with [RFC
-    # 3986][1]. You can use a URL decoding method to convert the policy back
-    # to plain JSON text. For example, if you use Java, you can use the
+    # <note markdown="1"> Policies returned by this operation are URL-encoded compliant with
+    # [RFC 3986][1]. You can use a URL decoding method to convert the policy
+    # back to plain JSON text. For example, if you use Java, you can use the
     # `decode` method of the `java.net.URLDecoder` utility class in the Java
     # SDK. Other languages and SDKs provide similar functionality.
     #
@@ -4039,6 +4182,9 @@ module Aws::IAM
     #   resp.role_detail_list[0].instance_profile_list[0].roles[0].tags[0].value #=> String
     #   resp.role_detail_list[0].instance_profile_list[0].roles[0].role_last_used.last_used_date #=> Time
     #   resp.role_detail_list[0].instance_profile_list[0].roles[0].role_last_used.region #=> String
+    #   resp.role_detail_list[0].instance_profile_list[0].tags #=> Array
+    #   resp.role_detail_list[0].instance_profile_list[0].tags[0].key #=> String
+    #   resp.role_detail_list[0].instance_profile_list[0].tags[0].value #=> String
     #   resp.role_detail_list[0].role_policy_list #=> Array
     #   resp.role_detail_list[0].role_policy_list[0].policy_name #=> String
     #   resp.role_detail_list[0].role_policy_list[0].policy_document #=> String
@@ -4081,9 +4227,10 @@ module Aws::IAM
       req.send_request(options)
     end
 
-    # Retrieves the password policy for the AWS account. For more
-    # information about using a password policy, go to [Managing an IAM
-    # Password Policy][1].
+    # Retrieves the password policy for the AWS account. This tells you the
+    # complexity requirements and mandatory rotation periods for the IAM
+    # user passwords in your account. For more information about using a
+    # password policy, see [Managing an IAM password policy][1].
     #
     #
     #
@@ -4142,9 +4289,8 @@ module Aws::IAM
     # Retrieves information about IAM entity usage and IAM quotas in the AWS
     # account.
     #
-    # The number and size of IAM resources in an AWS account are limited.
-    # For more information, see [IAM and STS Quotas][1] in the *IAM User
-    # Guide*.
+    # For information about IAM quotas, see [IAM and STS quotas][1] in the
+    # *IAM User Guide*.
     #
     #
     #
@@ -4277,8 +4423,8 @@ module Aws::IAM
     # specified as strings. If you want to include *only* a list of policies
     # by string, use GetContextKeysForCustomPolicy instead.
     #
-    # **Note:** This API discloses information about the permissions granted
-    # to other users. If you do not want users to see other user's
+    # **Note:** This operation discloses information about the permissions
+    # granted to other users. If you do not want users to see other user's
     # permissions, then consider allowing them to use
     # GetContextKeysForCustomPolicy instead.
     #
@@ -4298,8 +4444,8 @@ module Aws::IAM
     #   parameters are shown in unencoded form here for clarity, but must be
     #   URL encoded to be included as a part of a real HTML request.
     #
-    #   For more information about ARNs, see [Amazon Resource Names (ARNs) and
-    #   AWS Service Namespaces][1] in the *AWS General Reference*.
+    #   For more information about ARNs, see [Amazon Resource Names (ARNs)][1]
+    #   in the *AWS General Reference*.
     #
     #
     #
@@ -4351,8 +4497,8 @@ module Aws::IAM
     end
 
     # Retrieves a credential report for the AWS account. For more
-    # information about the credential report, see [Getting Credential
-    # Reports][1] in the *IAM User Guide*.
+    # information about the credential report, see [Getting credential
+    # reports][1] in the *IAM User Guide*.
     #
     #
     #
@@ -4462,9 +4608,9 @@ module Aws::IAM
     # Retrieves the specified inline policy document that is embedded in the
     # specified IAM group.
     #
-    # <note markdown="1"> Policies returned by this API are URL-encoded compliant with [RFC
-    # 3986][1]. You can use a URL decoding method to convert the policy back
-    # to plain JSON text. For example, if you use Java, you can use the
+    # <note markdown="1"> Policies returned by this operation are URL-encoded compliant with
+    # [RFC 3986][1]. You can use a URL decoding method to convert the policy
+    # back to plain JSON text. For example, if you use Java, you can use the
     # `decode` method of the `java.net.URLDecoder` utility class in the Java
     # SDK. Other languages and SDKs provide similar functionality.
     #
@@ -4475,8 +4621,8 @@ module Aws::IAM
     # GetPolicy to determine the policy's default version, then use
     # GetPolicyVersion to retrieve the policy document.
     #
-    # For more information about policies, see [Managed Policies and Inline
-    # Policies][2] in the *IAM User Guide*.
+    # For more information about policies, see [Managed policies and inline
+    # policies][2] in the *IAM User Guide*.
     #
     #
     #
@@ -4537,7 +4683,7 @@ module Aws::IAM
 
     # Retrieves information about the specified instance profile, including
     # the instance profile's path, GUID, ARN, and role. For more
-    # information about instance profiles, see [About Instance Profiles][1]
+    # information about instance profiles, see [About instance profiles][1]
     # in the *IAM User Guide*.
     #
     #
@@ -4619,6 +4765,9 @@ module Aws::IAM
     #   resp.instance_profile.roles[0].tags[0].value #=> String
     #   resp.instance_profile.roles[0].role_last_used.last_used_date #=> Time
     #   resp.instance_profile.roles[0].role_last_used.region #=> String
+    #   resp.instance_profile.tags #=> Array
+    #   resp.instance_profile.tags[0].key #=> String
+    #   resp.instance_profile.tags[0].value #=> String
     #
     #
     # The following waiters are defined for this operation (see {Client#wait_until} for detailed usage):
@@ -4634,7 +4783,7 @@ module Aws::IAM
       req.send_request(options)
     end
 
-    # Retrieves the user name and password-creation date for the specified
+    # Retrieves the user name and password creation date for the specified
     # IAM user. If the user has not been assigned a password, the operation
     # returns a 404 (`NoSuchEntity`) error.
     #
@@ -4700,8 +4849,8 @@ module Aws::IAM
     #   IAM to get information for. You can get a list of OIDC provider
     #   resource ARNs by using the ListOpenIDConnectProviders operation.
     #
-    #   For more information about ARNs, see [Amazon Resource Names (ARNs) and
-    #   AWS Service Namespaces][1] in the *AWS General Reference*.
+    #   For more information about ARNs, see [Amazon Resource Names (ARNs)][1]
+    #   in the *AWS General Reference*.
     #
     #
     #
@@ -4713,6 +4862,7 @@ module Aws::IAM
     #   * {Types::GetOpenIDConnectProviderResponse#client_id_list #client_id_list} => Array&lt;String&gt;
     #   * {Types::GetOpenIDConnectProviderResponse#thumbprint_list #thumbprint_list} => Array&lt;String&gt;
     #   * {Types::GetOpenIDConnectProviderResponse#create_date #create_date} => Time
+    #   * {Types::GetOpenIDConnectProviderResponse#tags #tags} => Array&lt;Types::Tag&gt;
     #
     # @example Request syntax with placeholder values
     #
@@ -4728,6 +4878,9 @@ module Aws::IAM
     #   resp.thumbprint_list #=> Array
     #   resp.thumbprint_list[0] #=> String
     #   resp.create_date #=> Time
+    #   resp.tags #=> Array
+    #   resp.tags[0].key #=> String
+    #   resp.tags[0].value #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/GetOpenIDConnectProvider AWS API Documentation
     #
@@ -4747,11 +4900,11 @@ module Aws::IAM
     # report, the data returned could include different information. For
     # details, see GenerateOrganizationsAccessReport.
     #
-    # To call this operation, you must be signed in to the master account in
-    # your organization. SCPs must be enabled for your organization root.
-    # You must have permissions to perform this operation. For more
-    # information, see [Refining Permissions Using Service Last Accessed
-    # Data][1] in the *IAM User Guide*.
+    # To call this operation, you must be signed in to the management
+    # account in your organization. SCPs must be enabled for your
+    # organization root. You must have permissions to perform this
+    # operation. For more information, see [Refining permissions using
+    # service last accessed data][1] in the *IAM User Guide*.
     #
     # For each service that principals in an account (root users, IAM users,
     # or IAM roles) could access using SCPs, the operation returns details
@@ -4887,17 +5040,17 @@ module Aws::IAM
     # the policy's default version and the total number of IAM users,
     # groups, and roles to which the policy is attached. To retrieve the
     # list of the specific users, groups, and roles that the policy is
-    # attached to, use the ListEntitiesForPolicy API. This API returns
+    # attached to, use ListEntitiesForPolicy. This operation returns
     # metadata about the policy. To retrieve the actual policy document for
     # a specific version of the policy, use GetPolicyVersion.
     #
-    # This API retrieves information about managed policies. To retrieve
-    # information about an inline policy that is embedded with an IAM user,
-    # group, or role, use the GetUserPolicy, GetGroupPolicy, or
-    # GetRolePolicy API.
+    # This operation retrieves information about managed policies. To
+    # retrieve information about an inline policy that is embedded with an
+    # IAM user, group, or role, use GetUserPolicy, GetGroupPolicy, or
+    # GetRolePolicy.
     #
-    # For more information about policies, see [Managed Policies and Inline
-    # Policies][1] in the *IAM User Guide*.
+    # For more information about policies, see [Managed policies and inline
+    # policies][1] in the *IAM User Guide*.
     #
     #
     #
@@ -4907,8 +5060,8 @@ module Aws::IAM
     #   The Amazon Resource Name (ARN) of the managed policy that you want
     #   information about.
     #
-    #   For more information about ARNs, see [Amazon Resource Names (ARNs) and
-    #   AWS Service Namespaces][1] in the *AWS General Reference*.
+    #   For more information about ARNs, see [Amazon Resource Names (ARNs)][1]
+    #   in the *AWS General Reference*.
     #
     #
     #
@@ -4937,6 +5090,9 @@ module Aws::IAM
     #   resp.policy.description #=> String
     #   resp.policy.create_date #=> Time
     #   resp.policy.update_date #=> Time
+    #   resp.policy.tags #=> Array
+    #   resp.policy.tags[0].key #=> String
+    #   resp.policy.tags[0].value #=> String
     #
     #
     # The following waiters are defined for this operation (see {Client#wait_until} for detailed usage):
@@ -4955,9 +5111,9 @@ module Aws::IAM
     # Retrieves information about the specified version of the specified
     # managed policy, including the policy document.
     #
-    # <note markdown="1"> Policies returned by this API are URL-encoded compliant with [RFC
-    # 3986][1]. You can use a URL decoding method to convert the policy back
-    # to plain JSON text. For example, if you use Java, you can use the
+    # <note markdown="1"> Policies returned by this operation are URL-encoded compliant with
+    # [RFC 3986][1]. You can use a URL decoding method to convert the policy
+    # back to plain JSON text. For example, if you use Java, you can use the
     # `decode` method of the `java.net.URLDecoder` utility class in the Java
     # SDK. Other languages and SDKs provide similar functionality.
     #
@@ -4965,15 +5121,16 @@ module Aws::IAM
     #
     # To list the available versions for a policy, use ListPolicyVersions.
     #
-    # This API retrieves information about managed policies. To retrieve
-    # information about an inline policy that is embedded in a user, group,
-    # or role, use the GetUserPolicy, GetGroupPolicy, or GetRolePolicy API.
+    # This operation retrieves information about managed policies. To
+    # retrieve information about an inline policy that is embedded in a
+    # user, group, or role, use GetUserPolicy, GetGroupPolicy, or
+    # GetRolePolicy.
     #
     # For more information about the types of policies, see [Managed
-    # Policies and Inline Policies][2] in the *IAM User Guide*.
+    # policies and inline policies][2] in the *IAM User Guide*.
     #
     # For more information about managed policy versions, see [Versioning
-    # for Managed Policies][3] in the *IAM User Guide*.
+    # for managed policies][3] in the *IAM User Guide*.
     #
     #
     #
@@ -4985,8 +5142,8 @@ module Aws::IAM
     #   The Amazon Resource Name (ARN) of the managed policy that you want
     #   information about.
     #
-    #   For more information about ARNs, see [Amazon Resource Names (ARNs) and
-    #   AWS Service Namespaces][1] in the *AWS General Reference*.
+    #   For more information about ARNs, see [Amazon Resource Names (ARNs)][1]
+    #   in the *AWS General Reference*.
     #
     #
     #
@@ -5034,11 +5191,11 @@ module Aws::IAM
     # Retrieves information about the specified role, including the role's
     # path, GUID, ARN, and the role's trust policy that grants permission
     # to assume the role. For more information about roles, see [Working
-    # with Roles][1].
+    # with roles][1].
     #
-    # <note markdown="1"> Policies returned by this API are URL-encoded compliant with [RFC
-    # 3986][2]. You can use a URL decoding method to convert the policy back
-    # to plain JSON text. For example, if you use Java, you can use the
+    # <note markdown="1"> Policies returned by this operation are URL-encoded compliant with
+    # [RFC 3986][2]. You can use a URL decoding method to convert the policy
+    # back to plain JSON text. For example, if you use Java, you can use the
     # `decode` method of the `java.net.URLDecoder` utility class in the Java
     # SDK. Other languages and SDKs provide similar functionality.
     #
@@ -5132,9 +5289,9 @@ module Aws::IAM
     # Retrieves the specified inline policy document that is embedded with
     # the specified IAM role.
     #
-    # <note markdown="1"> Policies returned by this API are URL-encoded compliant with [RFC
-    # 3986][1]. You can use a URL decoding method to convert the policy back
-    # to plain JSON text. For example, if you use Java, you can use the
+    # <note markdown="1"> Policies returned by this operation are URL-encoded compliant with
+    # [RFC 3986][1]. You can use a URL decoding method to convert the policy
+    # back to plain JSON text. For example, if you use Java, you can use the
     # `decode` method of the `java.net.URLDecoder` utility class in the Java
     # SDK. Other languages and SDKs provide similar functionality.
     #
@@ -5145,11 +5302,11 @@ module Aws::IAM
     # determine the policy's default version, then use GetPolicyVersion to
     # retrieve the policy document.
     #
-    # For more information about policies, see [Managed Policies and Inline
-    # Policies][2] in the *IAM User Guide*.
+    # For more information about policies, see [Managed policies and inline
+    # policies][2] in the *IAM User Guide*.
     #
-    # For more information about roles, see [Using Roles to Delegate
-    # Permissions and Federate Identities][3].
+    # For more information about roles, see [Using roles to delegate
+    # permissions and federate identities][3].
     #
     #
     #
@@ -5224,8 +5381,8 @@ module Aws::IAM
     #   The Amazon Resource Name (ARN) of the SAML provider resource object in
     #   IAM to get information about.
     #
-    #   For more information about ARNs, see [Amazon Resource Names (ARNs) and
-    #   AWS Service Namespaces][1] in the *AWS General Reference*.
+    #   For more information about ARNs, see [Amazon Resource Names (ARNs)][1]
+    #   in the *AWS General Reference*.
     #
     #
     #
@@ -5236,6 +5393,7 @@ module Aws::IAM
     #   * {Types::GetSAMLProviderResponse#saml_metadata_document #saml_metadata_document} => String
     #   * {Types::GetSAMLProviderResponse#create_date #create_date} => Time
     #   * {Types::GetSAMLProviderResponse#valid_until #valid_until} => Time
+    #   * {Types::GetSAMLProviderResponse#tags #tags} => Array&lt;Types::Tag&gt;
     #
     # @example Request syntax with placeholder values
     #
@@ -5248,6 +5406,9 @@ module Aws::IAM
     #   resp.saml_metadata_document #=> String
     #   resp.create_date #=> Time
     #   resp.valid_until #=> Time
+    #   resp.tags #=> Array
+    #   resp.tags[0].key #=> String
+    #   resp.tags[0].value #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/GetSAMLProvider AWS API Documentation
     #
@@ -5265,7 +5426,7 @@ module Aws::IAM
     # authenticating the associated IAM user to an AWS CodeCommit
     # repository. For more information about using SSH keys to authenticate
     # to an AWS CodeCommit repository, see [Set up AWS CodeCommit for SSH
-    # Connections][1] in the *AWS CodeCommit User Guide*.
+    # connections][1] in the *AWS CodeCommit User Guide*.
     #
     #
     #
@@ -5333,7 +5494,7 @@ module Aws::IAM
     # IAM.
     #
     # For more information about working with server certificates, see
-    # [Working with Server Certificates][1] in the *IAM User Guide*. This
+    # [Working with server certificates][1] in the *IAM User Guide*. This
     # topic includes a list of AWS services that can use the server
     # certificates that you manage with IAM.
     #
@@ -5374,6 +5535,9 @@ module Aws::IAM
     #   resp.server_certificate.server_certificate_metadata.expiration #=> Time
     #   resp.server_certificate.certificate_body #=> String
     #   resp.server_certificate.certificate_chain #=> String
+    #   resp.server_certificate.tags #=> Array
+    #   resp.server_certificate.tags[0].key #=> String
+    #   resp.server_certificate.tags[0].value #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/GetServerCertificate AWS API Documentation
     #
@@ -5398,7 +5562,7 @@ module Aws::IAM
     # AWS Organizations policies, IAM permissions boundaries, and AWS STS
     # assume role policies. It only applies permissions policy logic. For
     # more about the evaluation of policy types, see [Evaluating
-    # Policies][1] in the *IAM User Guide*.
+    # policies][1] in the *IAM User Guide*.
     #
     #  </note>
     #
@@ -5433,7 +5597,7 @@ module Aws::IAM
     # within a service. Otherwise, this operation returns only service data.
     #
     # For more information about service and action last accessed data, see
-    # [Reducing Permissions Using Service Last Accessed Data][2] in the *IAM
+    # [Reducing permissions using service last accessed data][2] in the *IAM
     # User Guide*.
     #
     #
@@ -5581,17 +5745,16 @@ module Aws::IAM
     #   namespace to learn when the IAM entity last attempted to access the
     #   specified service.
     #
-    #   To learn the service namespace for a service, go to [Actions,
-    #   Resources, and Condition Keys for AWS Services][1] in the *IAM User
-    #   Guide*. Choose the name of the service to view details for that
-    #   service. In the first paragraph, find the service prefix. For example,
-    #   `(service prefix: a4b)`. For more information about service
-    #   namespaces, see [AWS Service Namespaces][2] in the *AWS General
-    #   Reference*.
+    #   To learn the service namespace for a service, see [Actions, resources,
+    #   and condition keys for AWS services][1] in the *IAM User Guide*.
+    #   Choose the name of the service to view details for that service. In
+    #   the first paragraph, find the service prefix. For example, `(service
+    #   prefix: a4b)`. For more information about service namespaces, see [AWS
+    #   service namespaces][2] in the *AWS General Reference*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_actions-resources-contextkeys.html
+    #   [1]: https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html
     #   [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#genref-aws-service-namespaces
     #
     # @option params [Integer] :max_items
@@ -5696,11 +5859,11 @@ module Aws::IAM
     end
 
     # Retrieves the status of your service-linked role deletion. After you
-    # use the DeleteServiceLinkedRole API operation to submit a
-    # service-linked role for deletion, you can use the `DeletionTaskId`
-    # parameter in `GetServiceLinkedRoleDeletionStatus` to check the status
-    # of the deletion. If the deletion fails, this operation returns the
-    # reason that it failed, if that information is returned by the service.
+    # use DeleteServiceLinkedRole to submit a service-linked role for
+    # deletion, you can use the `DeletionTaskId` parameter in
+    # `GetServiceLinkedRoleDeletionStatus` to check the status of the
+    # deletion. If the deletion fails, this operation returns the reason
+    # that it failed, if that information is returned by the service.
     #
     # @option params [required, String] :deletion_task_id
     #   The deletion task identifier. This identifier is returned by the
@@ -5741,7 +5904,7 @@ module Aws::IAM
     #
     # If you do not specify a user name, IAM determines the user name
     # implicitly based on the AWS access key ID used to sign the request to
-    # this API.
+    # this operation.
     #
     # @option params [String] :user_name
     #   The name of the user to get information about.
@@ -5817,9 +5980,9 @@ module Aws::IAM
     # Retrieves the specified inline policy document that is embedded in the
     # specified IAM user.
     #
-    # <note markdown="1"> Policies returned by this API are URL-encoded compliant with [RFC
-    # 3986][1]. You can use a URL decoding method to convert the policy back
-    # to plain JSON text. For example, if you use Java, you can use the
+    # <note markdown="1"> Policies returned by this operation are URL-encoded compliant with
+    # [RFC 3986][1]. You can use a URL decoding method to convert the policy
+    # back to plain JSON text. For example, if you use Java, you can use the
     # `decode` method of the `java.net.URLDecoder` utility class in the Java
     # SDK. Other languages and SDKs provide similar functionality.
     #
@@ -5830,8 +5993,8 @@ module Aws::IAM
     # determine the policy's default version. Then use GetPolicyVersion to
     # retrieve the policy document.
     #
-    # For more information about policies, see [Managed Policies and Inline
-    # Policies][2] in the *IAM User Guide*.
+    # For more information about policies, see [Managed policies and inline
+    # policies][2] in the *IAM User Guide*.
     #
     #
     #
@@ -6001,7 +6164,7 @@ module Aws::IAM
 
     # Lists the account alias associated with the AWS account (Note: you can
     # have only one). For information about using an AWS account alias, see
-    # [Using an Alias for Your AWS Account ID][1] in the *IAM User Guide*.
+    # [Using an alias for your AWS account ID][1] in the *IAM User Guide*.
     #
     #
     #
@@ -6074,9 +6237,9 @@ module Aws::IAM
     # group.
     #
     # An IAM group can also have inline policies embedded with it. To list
-    # the inline policies for a group, use the ListGroupPolicies API. For
-    # information about policies, see [Managed Policies and Inline
-    # Policies][1] in the *IAM User Guide*.
+    # the inline policies for a group, use ListGroupPolicies. For
+    # information about policies, see [Managed policies and inline
+    # policies][1] in the *IAM User Guide*.
     #
     # You can paginate the results using the `MaxItems` and `Marker`
     # parameters. You can use the `PathPrefix` parameter to limit the list
@@ -6172,9 +6335,9 @@ module Aws::IAM
     # role.
     #
     # An IAM role can also have inline policies embedded with it. To list
-    # the inline policies for a role, use the ListRolePolicies API. For
-    # information about policies, see [Managed Policies and Inline
-    # Policies][1] in the *IAM User Guide*.
+    # the inline policies for a role, use ListRolePolicies. For information
+    # about policies, see [Managed policies and inline policies][1] in the
+    # *IAM User Guide*.
     #
     # You can paginate the results using the `MaxItems` and `Marker`
     # parameters. You can use the `PathPrefix` parameter to limit the list
@@ -6270,9 +6433,9 @@ module Aws::IAM
     # user.
     #
     # An IAM user can also have inline policies embedded with it. To list
-    # the inline policies for a user, use the ListUserPolicies API. For
-    # information about policies, see [Managed Policies and Inline
-    # Policies][1] in the *IAM User Guide*.
+    # the inline policies for a user, use ListUserPolicies. For information
+    # about policies, see [Managed policies and inline policies][1] in the
+    # *IAM User Guide*.
     #
     # You can paginate the results using the `MaxItems` and `Marker`
     # parameters. You can use the `PathPrefix` parameter to limit the list
@@ -6379,8 +6542,8 @@ module Aws::IAM
     #   The Amazon Resource Name (ARN) of the IAM policy for which you want
     #   the versions.
     #
-    #   For more information about ARNs, see [Amazon Resource Names (ARNs) and
-    #   AWS Service Namespaces][1] in the *AWS General Reference*.
+    #   For more information about ARNs, see [Amazon Resource Names (ARNs)][1]
+    #   in the *AWS General Reference*.
     #
     #
     #
@@ -6489,7 +6652,7 @@ module Aws::IAM
     # An IAM group can also have managed policies attached to it. To list
     # the managed policies that are attached to a group, use
     # ListAttachedGroupPolicies. For more information about policies, see
-    # [Managed Policies and Inline Policies][1] in the *IAM User Guide*.
+    # [Managed policies and inline policies][1] in the *IAM User Guide*.
     #
     # You can paginate the results using the `MaxItems` and `Marker`
     # parameters. If there are no inline policies embedded with the
@@ -6786,10 +6949,87 @@ module Aws::IAM
       req.send_request(options)
     end
 
+    # Lists the tags that are attached to the specified IAM instance
+    # profile. The returned list of tags is sorted by tag key. For more
+    # information about tagging, see [Tagging IAM resources][1] in the *IAM
+    # User Guide*.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html
+    #
+    # @option params [required, String] :instance_profile_name
+    #   The name of the IAM instance profile whose tags you want to see.
+    #
+    #   This parameter accepts (through its [regex pattern][1]) a string of
+    #   characters that consist of upper and lowercase alphanumeric characters
+    #   with no spaces. You can also include any of the following characters:
+    #   =,.@-
+    #
+    #
+    #
+    #   [1]: http://wikipedia.org/wiki/regex
+    #
+    # @option params [String] :marker
+    #   Use this parameter only when paginating results and only after you
+    #   receive a response indicating that the results are truncated. Set it
+    #   to the value of the `Marker` element in the response that you received
+    #   to indicate where the next call should start.
+    #
+    # @option params [Integer] :max_items
+    #   (Optional) Use this only when paginating results to indicate the
+    #   maximum number of items that you want in the response. If additional
+    #   items exist beyond the maximum that you specify, the `IsTruncated`
+    #   response element is `true`.
+    #
+    #   If you do not include this parameter, it defaults to 100. Note that
+    #   IAM might return fewer results, even when more results are available.
+    #   In that case, the `IsTruncated` response element returns `true`, and
+    #   `Marker` contains a value to include in the subsequent call that tells
+    #   the service where to continue from.
+    #
+    # @return [Types::ListInstanceProfileTagsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::ListInstanceProfileTagsResponse#tags #tags} => Array&lt;Types::Tag&gt;
+    #   * {Types::ListInstanceProfileTagsResponse#is_truncated #is_truncated} => Boolean
+    #   * {Types::ListInstanceProfileTagsResponse#marker #marker} => String
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.list_instance_profile_tags({
+    #     instance_profile_name: "instanceProfileNameType", # required
+    #     marker: "markerType",
+    #     max_items: 1,
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.tags #=> Array
+    #   resp.tags[0].key #=> String
+    #   resp.tags[0].value #=> String
+    #   resp.is_truncated #=> Boolean
+    #   resp.marker #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/ListInstanceProfileTags AWS API Documentation
+    #
+    # @overload list_instance_profile_tags(params = {})
+    # @param [Hash] params ({})
+    def list_instance_profile_tags(params = {}, options = {})
+      req = build_request(:list_instance_profile_tags, params)
+      req.send_request(options)
+    end
+
     # Lists the instance profiles that have the specified path prefix. If
     # there are none, the operation returns an empty list. For more
-    # information about instance profiles, go to [About Instance
-    # Profiles][1].
+    # information about instance profiles, see [About instance profiles][1].
+    #
+    # <note markdown="1"> IAM resource-listing operations return a subset of the available
+    # attributes for the resource. For example, this operation does not
+    # return tags, even though they are an attribute of the returned object.
+    # To view all of the information for an instance profile, see
+    # GetInstanceProfile.
+    #
+    #  </note>
     #
     # You can paginate the results using the `MaxItems` and `Marker`
     # parameters.
@@ -6873,6 +7113,9 @@ module Aws::IAM
     #   resp.instance_profiles[0].roles[0].tags[0].value #=> String
     #   resp.instance_profiles[0].roles[0].role_last_used.last_used_date #=> Time
     #   resp.instance_profiles[0].roles[0].role_last_used.region #=> String
+    #   resp.instance_profiles[0].tags #=> Array
+    #   resp.instance_profiles[0].tags[0].key #=> String
+    #   resp.instance_profiles[0].tags[0].value #=> String
     #   resp.is_truncated #=> Boolean
     #   resp.marker #=> String
     #
@@ -6887,8 +7130,8 @@ module Aws::IAM
 
     # Lists the instance profiles that have the specified associated IAM
     # role. If there are none, the operation returns an empty list. For more
-    # information about instance profiles, go to [About Instance
-    # Profiles][1].
+    # information about instance profiles, go to [About instance
+    # profiles][1].
     #
     # You can paginate the results using the `MaxItems` and `Marker`
     # parameters.
@@ -6966,6 +7209,9 @@ module Aws::IAM
     #   resp.instance_profiles[0].roles[0].tags[0].value #=> String
     #   resp.instance_profiles[0].roles[0].role_last_used.last_used_date #=> Time
     #   resp.instance_profiles[0].roles[0].role_last_used.region #=> String
+    #   resp.instance_profiles[0].tags #=> Array
+    #   resp.instance_profiles[0].tags[0].key #=> String
+    #   resp.instance_profiles[0].tags[0].value #=> String
     #   resp.is_truncated #=> Boolean
     #   resp.marker #=> String
     #
@@ -6978,11 +7224,83 @@ module Aws::IAM
       req.send_request(options)
     end
 
+    # Lists the tags that are attached to the specified IAM virtual
+    # multi-factor authentication (MFA) device. The returned list of tags is
+    # sorted by tag key. For more information about tagging, see [Tagging
+    # IAM resources][1] in the *IAM User Guide*.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html
+    #
+    # @option params [required, String] :serial_number
+    #   The unique identifier for the IAM virtual MFA device whose tags you
+    #   want to see. For virtual MFA devices, the serial number is the same as
+    #   the ARN.
+    #
+    #   This parameter accepts (through its [regex pattern][1]) a string of
+    #   characters that consist of upper and lowercase alphanumeric characters
+    #   with no spaces. You can also include any of the following characters:
+    #   =,.@-
+    #
+    #
+    #
+    #   [1]: http://wikipedia.org/wiki/regex
+    #
+    # @option params [String] :marker
+    #   Use this parameter only when paginating results and only after you
+    #   receive a response indicating that the results are truncated. Set it
+    #   to the value of the `Marker` element in the response that you received
+    #   to indicate where the next call should start.
+    #
+    # @option params [Integer] :max_items
+    #   (Optional) Use this only when paginating results to indicate the
+    #   maximum number of items that you want in the response. If additional
+    #   items exist beyond the maximum that you specify, the `IsTruncated`
+    #   response element is `true`.
+    #
+    #   If you do not include this parameter, it defaults to 100. Note that
+    #   IAM might return fewer results, even when more results are available.
+    #   In that case, the `IsTruncated` response element returns `true`, and
+    #   `Marker` contains a value to include in the subsequent call that tells
+    #   the service where to continue from.
+    #
+    # @return [Types::ListMFADeviceTagsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::ListMFADeviceTagsResponse#tags #tags} => Array&lt;Types::Tag&gt;
+    #   * {Types::ListMFADeviceTagsResponse#is_truncated #is_truncated} => Boolean
+    #   * {Types::ListMFADeviceTagsResponse#marker #marker} => String
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.list_mfa_device_tags({
+    #     serial_number: "serialNumberType", # required
+    #     marker: "markerType",
+    #     max_items: 1,
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.tags #=> Array
+    #   resp.tags[0].key #=> String
+    #   resp.tags[0].value #=> String
+    #   resp.is_truncated #=> Boolean
+    #   resp.marker #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/ListMFADeviceTags AWS API Documentation
+    #
+    # @overload list_mfa_device_tags(params = {})
+    # @param [Hash] params ({})
+    def list_mfa_device_tags(params = {}, options = {})
+      req = build_request(:list_mfa_device_tags, params)
+      req.send_request(options)
+    end
+
     # Lists the MFA devices for an IAM user. If the request includes a IAM
     # user name, then this operation lists all the MFA devices associated
     # with the specified user. If you do not specify a user name, IAM
     # determines the user name implicitly based on the AWS access key ID
-    # signing the request for this API.
+    # signing the request for this operation.
     #
     # You can paginate the results using the `MaxItems` and `Marker`
     # parameters.
@@ -7050,21 +7368,104 @@ module Aws::IAM
       req.send_request(options)
     end
 
-    # Lists information about the IAM OpenID Connect (OIDC) provider
-    # resource objects defined in the AWS account.
+    # Lists the tags that are attached to the specified OpenID Connect
+    # (OIDC)-compatible identity provider. The returned list of tags is
+    # sorted by tag key. For more information, see [About web identity
+    # federation][1].
     #
-    # @return [Types::ListOpenIDConnectProvidersResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    # For more information about tagging, see [Tagging IAM resources][2] in
+    # the *IAM User Guide*.
     #
-    #   * {Types::ListOpenIDConnectProvidersResponse#open_id_connect_provider_list #open_id_connect_provider_list} => Array&lt;Types::OpenIDConnectProviderListEntry&gt;
     #
-    # @example Response structure
     #
-    #   resp.open_id_connect_provider_list #=> Array
-    #   resp.open_id_connect_provider_list[0].arn #=> String
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html
+    # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/ListOpenIDConnectProviders AWS API Documentation
+    # @option params [required, String] :open_id_connect_provider_arn
+    #   The ARN of the OpenID Connect (OIDC) identity provider whose tags you
+    #   want to see.
     #
-    # @overload list_open_id_connect_providers(params = {})
+    #   This parameter accepts (through its [regex pattern][1]) a string of
+    #   characters that consist of upper and lowercase alphanumeric characters
+    #   with no spaces. You can also include any of the following characters:
+    #   =,.@-
+    #
+    #
+    #
+    #   [1]: http://wikipedia.org/wiki/regex
+    #
+    # @option params [String] :marker
+    #   Use this parameter only when paginating results and only after you
+    #   receive a response indicating that the results are truncated. Set it
+    #   to the value of the `Marker` element in the response that you received
+    #   to indicate where the next call should start.
+    #
+    # @option params [Integer] :max_items
+    #   (Optional) Use this only when paginating results to indicate the
+    #   maximum number of items that you want in the response. If additional
+    #   items exist beyond the maximum that you specify, the `IsTruncated`
+    #   response element is `true`.
+    #
+    #   If you do not include this parameter, it defaults to 100. Note that
+    #   IAM might return fewer results, even when more results are available.
+    #   In that case, the `IsTruncated` response element returns `true`, and
+    #   `Marker` contains a value to include in the subsequent call that tells
+    #   the service where to continue from.
+    #
+    # @return [Types::ListOpenIDConnectProviderTagsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::ListOpenIDConnectProviderTagsResponse#tags #tags} => Array&lt;Types::Tag&gt;
+    #   * {Types::ListOpenIDConnectProviderTagsResponse#is_truncated #is_truncated} => Boolean
+    #   * {Types::ListOpenIDConnectProviderTagsResponse#marker #marker} => String
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.list_open_id_connect_provider_tags({
+    #     open_id_connect_provider_arn: "arnType", # required
+    #     marker: "markerType",
+    #     max_items: 1,
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.tags #=> Array
+    #   resp.tags[0].key #=> String
+    #   resp.tags[0].value #=> String
+    #   resp.is_truncated #=> Boolean
+    #   resp.marker #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/ListOpenIDConnectProviderTags AWS API Documentation
+    #
+    # @overload list_open_id_connect_provider_tags(params = {})
+    # @param [Hash] params ({})
+    def list_open_id_connect_provider_tags(params = {}, options = {})
+      req = build_request(:list_open_id_connect_provider_tags, params)
+      req.send_request(options)
+    end
+
+    # Lists information about the IAM OpenID Connect (OIDC) provider
+    # resource objects defined in the AWS account.
+    #
+    # <note markdown="1"> IAM resource-listing operations return a subset of the available
+    # attributes for the resource. For example, this operation does not
+    # return tags, even though they are an attribute of the returned object.
+    # To view all of the information for an OIDC provider, see
+    # GetOpenIDConnectProvider.
+    #
+    #  </note>
+    #
+    # @return [Types::ListOpenIDConnectProvidersResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::ListOpenIDConnectProvidersResponse#open_id_connect_provider_list #open_id_connect_provider_list} => Array&lt;Types::OpenIDConnectProviderListEntry&gt;
+    #
+    # @example Response structure
+    #
+    #   resp.open_id_connect_provider_list #=> Array
+    #   resp.open_id_connect_provider_list[0].arn #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/ListOpenIDConnectProviders AWS API Documentation
+    #
+    # @overload list_open_id_connect_providers(params = {})
     # @param [Hash] params ({})
     def list_open_id_connect_providers(params = {}, options = {})
       req = build_request(:list_open_id_connect_providers, params)
@@ -7084,8 +7485,16 @@ module Aws::IAM
     # You can paginate the results using the `MaxItems` and `Marker`
     # parameters.
     #
-    # For more information about managed policies, see [Managed Policies and
-    # Inline Policies][1] in the *IAM User Guide*.
+    # For more information about managed policies, see [Managed policies and
+    # inline policies][1] in the *IAM User Guide*.
+    #
+    # <note markdown="1"> IAM resource-listing operations return a subset of the available
+    # attributes for the resource. For example, this operation does not
+    # return tags, even though they are an attribute of the returned object.
+    # To view all of the information for a customer manged policy, see
+    # GetPolicy.
+    #
+    #  </note>
     #
     #
     #
@@ -7184,6 +7593,9 @@ module Aws::IAM
     #   resp.policies[0].description #=> String
     #   resp.policies[0].create_date #=> Time
     #   resp.policies[0].update_date #=> Time
+    #   resp.policies[0].tags #=> Array
+    #   resp.policies[0].tags[0].key #=> String
+    #   resp.policies[0].tags[0].value #=> String
     #   resp.is_truncated #=> Boolean
     #   resp.marker #=> String
     #
@@ -7204,7 +7616,7 @@ module Aws::IAM
     # include resource-based policies, access control lists, AWS
     # Organizations policies, IAM permissions boundaries, and AWS STS assume
     # role policies. It only applies permissions policy logic. For more
-    # about the evaluation of policy types, see [Evaluating Policies][1] in
+    # about the evaluation of policy types, see [Evaluating policies][1] in
     # the *IAM User Guide*.
     #
     #  </note>
@@ -7227,8 +7639,8 @@ module Aws::IAM
     # For each managed policy, this operation returns the ARN and policy
     # name. For each inline policy, it returns the policy name and the
     # entity to which it is attached. Inline policies do not have an ARN.
-    # For more information about these policy types, see [Managed Policies
-    # and Inline Policies][2] in the *IAM User Guide*.
+    # For more information about these policy types, see [Managed policies
+    # and inline policies][2] in the *IAM User Guide*.
     #
     # Policies that are attached to users and roles as permissions
     # boundaries are not returned. To view which managed policy is currently
@@ -7254,17 +7666,16 @@ module Aws::IAM
     #   The service namespace for the AWS services whose policies you want to
     #   list.
     #
-    #   To learn the service namespace for a service, go to [Actions,
-    #   Resources, and Condition Keys for AWS Services][1] in the *IAM User
-    #   Guide*. Choose the name of the service to view details for that
-    #   service. In the first paragraph, find the service prefix. For example,
-    #   `(service prefix: a4b)`. For more information about service
-    #   namespaces, see [AWS Service Namespaces][2] in the *AWS General
-    #   Reference*.
+    #   To learn the service namespace for a service, see [Actions, resources,
+    #   and condition keys for AWS services][1] in the *IAM User Guide*.
+    #   Choose the name of the service to view details for that service. In
+    #   the first paragraph, find the service prefix. For example, `(service
+    #   prefix: a4b)`. For more information about service namespaces, see [AWS
+    #   service namespaces][2] in the *AWS General Reference*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_actions-resources-contextkeys.html
+    #   [1]: https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html
     #   [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#genref-aws-service-namespaces
     #
     # @return [Types::ListPoliciesGrantingServiceAccessResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
@@ -7349,12 +7760,82 @@ module Aws::IAM
       req.send_request(options)
     end
 
+    # Lists the tags that are attached to the specified IAM customer managed
+    # policy. The returned list of tags is sorted by tag key. For more
+    # information about tagging, see [Tagging IAM resources][1] in the *IAM
+    # User Guide*.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html
+    #
+    # @option params [required, String] :policy_arn
+    #   The ARN of the IAM customer managed policy whose tags you want to see.
+    #
+    #   This parameter accepts (through its [regex pattern][1]) a string of
+    #   characters that consist of upper and lowercase alphanumeric characters
+    #   with no spaces. You can also include any of the following characters:
+    #   =,.@-
+    #
+    #
+    #
+    #   [1]: http://wikipedia.org/wiki/regex
+    #
+    # @option params [String] :marker
+    #   Use this parameter only when paginating results and only after you
+    #   receive a response indicating that the results are truncated. Set it
+    #   to the value of the `Marker` element in the response that you received
+    #   to indicate where the next call should start.
+    #
+    # @option params [Integer] :max_items
+    #   (Optional) Use this only when paginating results to indicate the
+    #   maximum number of items that you want in the response. If additional
+    #   items exist beyond the maximum that you specify, the `IsTruncated`
+    #   response element is `true`.
+    #
+    #   If you do not include this parameter, it defaults to 100. Note that
+    #   IAM might return fewer results, even when more results are available.
+    #   In that case, the `IsTruncated` response element returns `true`, and
+    #   `Marker` contains a value to include in the subsequent call that tells
+    #   the service where to continue from.
+    #
+    # @return [Types::ListPolicyTagsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::ListPolicyTagsResponse#tags #tags} => Array&lt;Types::Tag&gt;
+    #   * {Types::ListPolicyTagsResponse#is_truncated #is_truncated} => Boolean
+    #   * {Types::ListPolicyTagsResponse#marker #marker} => String
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.list_policy_tags({
+    #     policy_arn: "arnType", # required
+    #     marker: "markerType",
+    #     max_items: 1,
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.tags #=> Array
+    #   resp.tags[0].key #=> String
+    #   resp.tags[0].value #=> String
+    #   resp.is_truncated #=> Boolean
+    #   resp.marker #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/ListPolicyTags AWS API Documentation
+    #
+    # @overload list_policy_tags(params = {})
+    # @param [Hash] params ({})
+    def list_policy_tags(params = {}, options = {})
+      req = build_request(:list_policy_tags, params)
+      req.send_request(options)
+    end
+
     # Lists information about the versions of the specified managed policy,
     # including the version that is currently set as the policy's default
     # version.
     #
-    # For more information about managed policies, see [Managed Policies and
-    # Inline Policies][1] in the *IAM User Guide*.
+    # For more information about managed policies, see [Managed policies and
+    # inline policies][1] in the *IAM User Guide*.
     #
     #
     #
@@ -7364,8 +7845,8 @@ module Aws::IAM
     #   The Amazon Resource Name (ARN) of the IAM policy for which you want
     #   the versions.
     #
-    #   For more information about ARNs, see [Amazon Resource Names (ARNs) and
-    #   AWS Service Namespaces][1] in the *AWS General Reference*.
+    #   For more information about ARNs, see [Amazon Resource Names (ARNs)][1]
+    #   in the *AWS General Reference*.
     #
     #
     #
@@ -7429,7 +7910,7 @@ module Aws::IAM
     # An IAM role can also have managed policies attached to it. To list the
     # managed policies that are attached to a role, use
     # ListAttachedRolePolicies. For more information about policies, see
-    # [Managed Policies and Inline Policies][1] in the *IAM User Guide*.
+    # [Managed policies and inline policies][1] in the *IAM User Guide*.
     #
     # You can paginate the results using the `MaxItems` and `Marker`
     # parameters. If there are no inline policies embedded with the
@@ -7502,7 +7983,7 @@ module Aws::IAM
 
     # Lists the tags that are attached to the specified role. The returned
     # list of tags is sorted by tag key. For more information about tagging,
-    # see [Tagging IAM Identities][1] in the *IAM User Guide*.
+    # see [Tagging IAM resources][1] in the *IAM User Guide*.
     #
     #
     #
@@ -7595,7 +8076,14 @@ module Aws::IAM
 
     # Lists the IAM roles that have the specified path prefix. If there are
     # none, the operation returns an empty list. For more information about
-    # roles, go to [Working with Roles][1].
+    # roles, see [Working with roles][1].
+    #
+    # <note markdown="1"> IAM resource-listing operations return a subset of the available
+    # attributes for the resource. For example, this operation does not
+    # return tags, even though they are an attribute of the returned object.
+    # To view all of the information for a role, see GetRole.
+    #
+    #  </note>
     #
     # You can paginate the results using the `MaxItems` and `Marker`
     # parameters.
@@ -7684,12 +8172,89 @@ module Aws::IAM
       req.send_request(options)
     end
 
-    # Lists the SAML provider resource objects defined in IAM in the
-    # account.
+    # Lists the tags that are attached to the specified Security Assertion
+    # Markup Language (SAML) identity provider. The returned list of tags is
+    # sorted by tag key. For more information, see [About SAML 2.0-based
+    # federation][1].
     #
-    # <note markdown="1"> This operation requires [Signature Version 4][1].
+    # For more information about tagging, see [Tagging IAM resources][2] in
+    # the *IAM User Guide*.
     #
-    #  </note>
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
+    # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html
+    #
+    # @option params [required, String] :saml_provider_arn
+    #   The ARN of the Security Assertion Markup Language (SAML) identity
+    #   provider whose tags you want to see.
+    #
+    #   This parameter accepts (through its [regex pattern][1]) a string of
+    #   characters that consist of upper and lowercase alphanumeric characters
+    #   with no spaces. You can also include any of the following characters:
+    #   =,.@-
+    #
+    #
+    #
+    #   [1]: http://wikipedia.org/wiki/regex
+    #
+    # @option params [String] :marker
+    #   Use this parameter only when paginating results and only after you
+    #   receive a response indicating that the results are truncated. Set it
+    #   to the value of the `Marker` element in the response that you received
+    #   to indicate where the next call should start.
+    #
+    # @option params [Integer] :max_items
+    #   (Optional) Use this only when paginating results to indicate the
+    #   maximum number of items that you want in the response. If additional
+    #   items exist beyond the maximum that you specify, the `IsTruncated`
+    #   response element is `true`.
+    #
+    #   If you do not include this parameter, it defaults to 100. Note that
+    #   IAM might return fewer results, even when more results are available.
+    #   In that case, the `IsTruncated` response element returns `true`, and
+    #   `Marker` contains a value to include in the subsequent call that tells
+    #   the service where to continue from.
+    #
+    # @return [Types::ListSAMLProviderTagsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::ListSAMLProviderTagsResponse#tags #tags} => Array&lt;Types::Tag&gt;
+    #   * {Types::ListSAMLProviderTagsResponse#is_truncated #is_truncated} => Boolean
+    #   * {Types::ListSAMLProviderTagsResponse#marker #marker} => String
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.list_saml_provider_tags({
+    #     saml_provider_arn: "arnType", # required
+    #     marker: "markerType",
+    #     max_items: 1,
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.tags #=> Array
+    #   resp.tags[0].key #=> String
+    #   resp.tags[0].value #=> String
+    #   resp.is_truncated #=> Boolean
+    #   resp.marker #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/ListSAMLProviderTags AWS API Documentation
+    #
+    # @overload list_saml_provider_tags(params = {})
+    # @param [Hash] params ({})
+    def list_saml_provider_tags(params = {}, options = {})
+      req = build_request(:list_saml_provider_tags, params)
+      req.send_request(options)
+    end
+
+    # Lists the SAML provider resource objects defined in IAM in the
+    # account. IAM resource-listing operations return a subset of the
+    # available attributes for the resource. For example, this operation
+    # does not return tags, even though they are an attribute of the
+    # returned object. To view all of the information for a SAML provider,
+    # see GetSAMLProvider.
+    #
+    # This operation requires [Signature Version 4][1].
     #
     #
     #
@@ -7722,7 +8287,7 @@ module Aws::IAM
     # The SSH public keys returned by this operation are used only for
     # authenticating the IAM user to an AWS CodeCommit repository. For more
     # information about using SSH keys to authenticate to an AWS CodeCommit
-    # repository, see [Set up AWS CodeCommit for SSH Connections][1] in the
+    # repository, see [Set up AWS CodeCommit for SSH connections][1] in the
     # *AWS CodeCommit User Guide*.
     #
     # Although each user is limited to a small number of keys, you can still
@@ -7798,6 +8363,85 @@ module Aws::IAM
       req.send_request(options)
     end
 
+    # Lists the tags that are attached to the specified IAM server
+    # certificate. The returned list of tags is sorted by tag key. For more
+    # information about tagging, see [Tagging IAM resources][1] in the *IAM
+    # User Guide*.
+    #
+    # <note markdown="1"> For certificates in a Region supported by AWS Certificate Manager
+    # (ACM), we recommend that you don't use IAM server certificates.
+    # Instead, use ACM to provision, manage, and deploy your server
+    # certificates. For more information about IAM server certificates,
+    # [Working with server certificates][2] in the *IAM User Guide*.
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html
+    # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html
+    #
+    # @option params [required, String] :server_certificate_name
+    #   The name of the IAM server certificate whose tags you want to see.
+    #
+    #   This parameter accepts (through its [regex pattern][1]) a string of
+    #   characters that consist of upper and lowercase alphanumeric characters
+    #   with no spaces. You can also include any of the following characters:
+    #   =,.@-
+    #
+    #
+    #
+    #   [1]: http://wikipedia.org/wiki/regex
+    #
+    # @option params [String] :marker
+    #   Use this parameter only when paginating results and only after you
+    #   receive a response indicating that the results are truncated. Set it
+    #   to the value of the `Marker` element in the response that you received
+    #   to indicate where the next call should start.
+    #
+    # @option params [Integer] :max_items
+    #   (Optional) Use this only when paginating results to indicate the
+    #   maximum number of items that you want in the response. If additional
+    #   items exist beyond the maximum that you specify, the `IsTruncated`
+    #   response element is `true`.
+    #
+    #   If you do not include this parameter, it defaults to 100. Note that
+    #   IAM might return fewer results, even when more results are available.
+    #   In that case, the `IsTruncated` response element returns `true`, and
+    #   `Marker` contains a value to include in the subsequent call that tells
+    #   the service where to continue from.
+    #
+    # @return [Types::ListServerCertificateTagsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::ListServerCertificateTagsResponse#tags #tags} => Array&lt;Types::Tag&gt;
+    #   * {Types::ListServerCertificateTagsResponse#is_truncated #is_truncated} => Boolean
+    #   * {Types::ListServerCertificateTagsResponse#marker #marker} => String
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.list_server_certificate_tags({
+    #     server_certificate_name: "serverCertificateNameType", # required
+    #     marker: "markerType",
+    #     max_items: 1,
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.tags #=> Array
+    #   resp.tags[0].key #=> String
+    #   resp.tags[0].value #=> String
+    #   resp.is_truncated #=> Boolean
+    #   resp.marker #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/ListServerCertificateTags AWS API Documentation
+    #
+    # @overload list_server_certificate_tags(params = {})
+    # @param [Hash] params ({})
+    def list_server_certificate_tags(params = {}, options = {})
+      req = build_request(:list_server_certificate_tags, params)
+      req.send_request(options)
+    end
+
     # Lists the server certificates stored in IAM that have the specified
     # path prefix. If none exist, the operation returns an empty list.
     #
@@ -7805,10 +8449,18 @@ module Aws::IAM
     # parameters.
     #
     # For more information about working with server certificates, see
-    # [Working with Server Certificates][1] in the *IAM User Guide*. This
+    # [Working with server certificates][1] in the *IAM User Guide*. This
     # topic also includes a list of AWS services that can use the server
     # certificates that you manage with IAM.
     #
+    # <note markdown="1"> IAM resource-listing operations return a subset of the available
+    # attributes for the resource. For example, this operation does not
+    # return tags, even though they are an attribute of the returned object.
+    # To view all of the information for a servercertificate, see
+    # GetServerCertificate.
+    #
+    #  </note>
+    #
     #
     #
     # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html
@@ -7890,7 +8542,7 @@ module Aws::IAM
     # empty list. The service-specific credentials returned by this
     # operation are used only for authenticating the IAM user to a specific
     # service. For more information about using service-specific credentials
-    # to authenticate to an AWS service, see [Set Up service-specific
+    # to authenticate to an AWS service, see [Set up service-specific
     # credentials][1] in the AWS CodeCommit User Guide.
     #
     #
@@ -7956,9 +8608,10 @@ module Aws::IAM
     #
     # If the `UserName` field is not specified, the user name is determined
     # implicitly based on the AWS access key ID used to sign the request for
-    # this API. This operation works for access keys under the AWS account.
-    # Consequently, you can use this operation to manage AWS account root
-    # user credentials even if the AWS account has no associated users.
+    # this operation. This operation works for access keys under the AWS
+    # account. Consequently, you can use this operation to manage AWS
+    # account root user credentials even if the AWS account has no
+    # associated users.
     #
     # @option params [String] :user_name
     #   The name of the IAM user whose signing certificates you want to
@@ -8054,7 +8707,7 @@ module Aws::IAM
     # An IAM user can also have managed policies attached to it. To list the
     # managed policies that are attached to a user, use
     # ListAttachedUserPolicies. For more information about policies, see
-    # [Managed Policies and Inline Policies][1] in the *IAM User Guide*.
+    # [Managed policies and inline policies][1] in the *IAM User Guide*.
     #
     # You can paginate the results using the `MaxItems` and `Marker`
     # parameters. If there are no inline policies embedded with the
@@ -8125,9 +8778,9 @@ module Aws::IAM
       req.send_request(options)
     end
 
-    # Lists the tags that are attached to the specified user. The returned
-    # list of tags is sorted by tag key. For more information about tagging,
-    # see [Tagging IAM Identities][1] in the *IAM User Guide*.
+    # Lists the tags that are attached to the specified IAM user. The
+    # returned list of tags is sorted by tag key. For more information about
+    # tagging, see [Tagging IAM resources][1] in the *IAM User Guide*.
     #
     #
     #
@@ -8222,6 +8875,13 @@ module Aws::IAM
     # prefix is specified, the operation returns all users in the AWS
     # account. If there are none, the operation returns an empty list.
     #
+    # <note markdown="1"> IAM resource-listing operations return a subset of the available
+    # attributes for the resource. For example, this operation does not
+    # return tags, even though they are an attribute of the returned object.
+    # To view all of the information for a user, see GetUser.
+    #
+    #  </note>
+    #
     # You can paginate the results using the `MaxItems` and `Marker`
     # parameters.
     #
@@ -8336,6 +8996,14 @@ module Aws::IAM
     # returns a list of all virtual MFA devices. Assignment status can be
     # `Assigned`, `Unassigned`, or `Any`.
     #
+    # <note markdown="1"> IAM resource-listing operations return a subset of the available
+    # attributes for the resource. For example, this operation does not
+    # return tags, even though they are an attribute of the returned object.
+    # To view all of the information for a virtual MFA device, see
+    # ListVirtualMFADevices.
+    #
+    #  </note>
+    #
     # You can paginate the results using the `MaxItems` and `Marker`
     # parameters.
     #
@@ -8415,6 +9083,9 @@ module Aws::IAM
     #   resp.virtual_mfa_devices[0].user.tags[0].key #=> String
     #   resp.virtual_mfa_devices[0].user.tags[0].value #=> String
     #   resp.virtual_mfa_devices[0].enable_date #=> Time
+    #   resp.virtual_mfa_devices[0].tags #=> Array
+    #   resp.virtual_mfa_devices[0].tags[0].key #=> String
+    #   resp.virtual_mfa_devices[0].tags[0].value #=> String
     #   resp.is_truncated #=> Boolean
     #   resp.marker #=> String
     #
@@ -8433,15 +9104,15 @@ module Aws::IAM
     # A user can also have managed policies attached to it. To attach a
     # managed policy to a group, use AttachGroupPolicy. To create a new
     # managed policy, use CreatePolicy. For information about policies, see
-    # [Managed Policies and Inline Policies][1] in the *IAM User Guide*.
+    # [Managed policies and inline policies][1] in the *IAM User Guide*.
     #
-    # For information about limits on the number of inline policies that you
-    # can embed in a group, see [Limitations on IAM Entities][2] in the *IAM
-    # User Guide*.
+    # For information about the maximum number of inline policies that you
+    # can embed in a group, see [IAM and STS quotas][2] in the *IAM User
+    # Guide*.
     #
     # <note markdown="1"> Because policy documents can be large, you should use POST rather than
     # GET when calling `PutGroupPolicy`. For general information about using
-    # the Query API with IAM, go to [Making Query Requests][3] in the *IAM
+    # the Query API with IAM, see [Making query requests][3] in the *IAM
     # User Guide*.
     #
     #  </note>
@@ -8449,7 +9120,7 @@ module Aws::IAM
     #
     #
     # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html
-    # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html
+    # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html
     # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_UsingQueryAPI.html
     #
     # @option params [required, String] :group_name
@@ -8542,7 +9213,7 @@ module Aws::IAM
     # Policies used as permissions boundaries do not provide permissions.
     # You must also attach a permissions policy to the role. To learn how
     # the effective permissions for a role are evaluated, see [IAM JSON
-    # Policy Evaluation Logic][1] in the IAM User Guide.
+    # policy evaluation logic][1] in the IAM User Guide.
     #
     #
     #
@@ -8581,21 +9252,21 @@ module Aws::IAM
     # as part of the role's access (permissions) policy. The role's trust
     # policy is created at the same time as the role, using CreateRole. You
     # can update a role's trust policy using UpdateAssumeRolePolicy. For
-    # more information about IAM roles, go to [Using Roles to Delegate
-    # Permissions and Federate Identities][1].
+    # more information about IAM roles, see [Using roles to delegate
+    # permissions and federate identities][1].
     #
     # A role can also have a managed policy attached to it. To attach a
     # managed policy to a role, use AttachRolePolicy. To create a new
     # managed policy, use CreatePolicy. For information about policies, see
-    # [Managed Policies and Inline Policies][2] in the *IAM User Guide*.
+    # [Managed policies and inline policies][2] in the *IAM User Guide*.
     #
-    # For information about limits on the number of inline policies that you
-    # can embed with a role, see [Limitations on IAM Entities][3] in the
-    # *IAM User Guide*.
+    # For information about the maximum number of inline policies that you
+    # can embed with a role, see [IAM and STS quotas][3] in the *IAM User
+    # Guide*.
     #
     # <note markdown="1"> Because policy documents can be large, you should use POST rather than
     # GET when calling `PutRolePolicy`. For general information about using
-    # the Query API with IAM, go to [Making Query Requests][4] in the *IAM
+    # the Query API with IAM, see [Making query requests][4] in the *IAM
     # User Guide*.
     #
     #  </note>
@@ -8604,7 +9275,7 @@ module Aws::IAM
     #
     # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/roles-toplevel.html
     # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html
-    # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html
+    # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html
     # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_UsingQueryAPI.html
     #
     # @option params [required, String] :role_name
@@ -8695,7 +9366,7 @@ module Aws::IAM
     # Policies that are used as permissions boundaries do not provide
     # permissions. You must also attach a permissions policy to the user. To
     # learn how the effective permissions for a user are evaluated, see [IAM
-    # JSON Policy Evaluation Logic][1] in the IAM User Guide.
+    # JSON policy evaluation logic][1] in the IAM User Guide.
     #
     #
     #
@@ -8733,15 +9404,15 @@ module Aws::IAM
     # An IAM user can also have a managed policy attached to it. To attach a
     # managed policy to a user, use AttachUserPolicy. To create a new
     # managed policy, use CreatePolicy. For information about policies, see
-    # [Managed Policies and Inline Policies][1] in the *IAM User Guide*.
+    # [Managed policies and inline policies][1] in the *IAM User Guide*.
     #
-    # For information about limits on the number of inline policies that you
-    # can embed in a user, see [Limitations on IAM Entities][2] in the *IAM
-    # User Guide*.
+    # For information about the maximum number of inline policies that you
+    # can embed in a user, see [IAM and STS quotas][2] in the *IAM User
+    # Guide*.
     #
     # <note markdown="1"> Because policy documents can be large, you should use POST rather than
     # GET when calling `PutUserPolicy`. For general information about using
-    # the Query API with IAM, go to [Making Query Requests][3] in the *IAM
+    # the Query API with IAM, see [Making query requests][3] in the *IAM
     # User Guide*.
     #
     #  </note>
@@ -8749,7 +9420,7 @@ module Aws::IAM
     #
     #
     # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html
-    # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html
+    # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html
     # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_UsingQueryAPI.html
     #
     # @option params [required, String] :user_name
@@ -8842,8 +9513,8 @@ module Aws::IAM
     #   remove the client ID from. You can get a list of OIDC provider ARNs by
     #   using the ListOpenIDConnectProviders operation.
     #
-    #   For more information about ARNs, see [Amazon Resource Names (ARNs) and
-    #   AWS Service Namespaces][1] in the *AWS General Reference*.
+    #   For more information about ARNs, see [Amazon Resource Names (ARNs)][1]
+    #   in the *AWS General Reference*.
     #
     #
     #
@@ -8880,9 +9551,9 @@ module Aws::IAM
     # role from an instance profile that is associated with a running
     # instance might break any applications running on the instance.
     #
-    # For more information about IAM roles, go to [Working with Roles][1].
-    # For more information about instance profiles, go to [About Instance
-    # Profiles][2].
+    # For more information about IAM roles, see [Working with roles][1]. For
+    # more information about instance profiles, see [About instance
+    # profiles][2].
     #
     #
     #
@@ -9059,8 +9730,7 @@ module Aws::IAM
     # the AWS servers.
     #
     # For more information about creating and working with virtual MFA
-    # devices, go to [Using a Virtual MFA Device][1] in the *IAM User
-    # Guide*.
+    # devices, see [Using a virtual MFA device][1] in the *IAM User Guide*.
     #
     #
     #
@@ -9125,10 +9795,10 @@ module Aws::IAM
     #
     # This operation affects all users, groups, and roles that the policy is
     # attached to. To list the users, groups, and roles that the policy is
-    # attached to, use the ListEntitiesForPolicy API.
+    # attached to, use ListEntitiesForPolicy.
     #
-    # For information about managed policies, see [Managed Policies and
-    # Inline Policies][1] in the *IAM User Guide*.
+    # For information about managed policies, see [Managed policies and
+    # inline policies][1] in the *IAM User Guide*.
     #
     #
     #
@@ -9138,8 +9808,8 @@ module Aws::IAM
     #   The Amazon Resource Name (ARN) of the IAM policy whose default version
     #   you want to set.
     #
-    #   For more information about ARNs, see [Amazon Resource Names (ARNs) and
-    #   AWS Service Namespaces][1] in the *AWS General Reference*.
+    #   For more information about ARNs, see [Amazon Resource Names (ARNs)][1]
+    #   in the *AWS General Reference*.
     #
     #
     #
@@ -9149,7 +9819,7 @@ module Aws::IAM
     #   The version of the policy to set as the default (operative) version.
     #
     #   For more information about managed policy versions, see [Versioning
-    #   for Managed Policies][1] in the *IAM User Guide*.
+    #   for managed policies][1] in the *IAM User Guide*.
     #
     #
     #
@@ -9181,7 +9851,8 @@ module Aws::IAM
     # `https://sts.amazonaws.com`. AWS recommends using Regional STS
     # endpoints to reduce latency, build in redundancy, and increase session
     # token availability. For information about Regional endpoints for STS,
-    # see [AWS Regions and Endpoints][1] in the *AWS General Reference*.
+    # see [AWS AWS Security Token Service endpoints and quotas][1] in the
+    # *AWS General Reference*.
     #
     # If you make an STS call to the global endpoint, the resulting session
     # tokens might be valid in some Regions but not others. It depends on
@@ -9190,8 +9861,8 @@ module Aws::IAM
     # work in manually enabled Regions, such as Asia Pacific (Hong Kong).
     # Version 2 tokens are valid in all Regions. However, version 2 tokens
     # are longer and might affect systems where you temporarily store
-    # tokens. For information, see [Activating and Deactivating STS in an
-    # AWS Region][2] in the *IAM User Guide*.
+    # tokens. For information, see [Activating and deactivating STS in an
+    # AWS region][2] in the *IAM User Guide*.
     #
     # To view the current session token version, see the
     # `GlobalEndpointTokenVersion` entry in the response of the
@@ -9199,7 +9870,7 @@ module Aws::IAM
     #
     #
     #
-    # [1]: https://docs.aws.amazon.com/general/latest/gr/rande.html#sts_region
+    # [1]: https://docs.aws.amazon.com/general/latest/gr/sts.html
     # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html
     #
     # @option params [required, String] :global_endpoint_token_version
@@ -9210,8 +9881,8 @@ module Aws::IAM
     #   are longer and might affect systems where you temporarily store
     #   tokens.
     #
-    #   For information, see [Activating and Deactivating STS in an AWS
-    #   Region][1] in the *IAM User Guide*.
+    #   For information, see [Activating and deactivating STS in an AWS
+    #   region][1] in the *IAM User Guide*.
     #
     #
     #
@@ -9250,7 +9921,8 @@ module Aws::IAM
     #
     # The simulation does not perform the API operations; it only checks the
     # authorization to determine if the simulated policies allow or deny the
-    # operations.
+    # operations. You can simulate resources that don't exist in your
+    # account.
     #
     # If you want to simulate existing policies that are attached to an IAM
     # user, group, or role, use SimulatePrincipalPolicy instead.
@@ -9264,6 +9936,14 @@ module Aws::IAM
     # If the output is long, you can use `MaxItems` and `Marker` parameters
     # to paginate the results.
     #
+    # For more information about using the policy simulator, see [Testing
+    # IAM policies with the IAM policy simulator ][1]in the *IAM User
+    # Guide*.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html
+    #
     # @option params [required, Array<String>] :policy_input_list
     #   A list of policy documents to include in the simulation. Each document
     #   is specified as a string containing the complete, valid JSON text of
@@ -9298,7 +9978,7 @@ module Aws::IAM
     #   boundary sets the maximum permissions that an IAM entity can have. You
     #   can input only one permissions boundary when you pass a policy to this
     #   operation. For more information about permissions boundaries, see
-    #   [Permissions Boundaries for IAM Entities][1] in the *IAM User Guide*.
+    #   [Permissions boundaries for IAM entities][1] in the *IAM User Guide*.
     #   The policy input is specified as a string that contains the complete,
     #   valid JSON text of a permissions boundary policy.
     #
@@ -9331,7 +10011,8 @@ module Aws::IAM
     #   resources). Each API in the `ActionNames` parameter is evaluated for
     #   each resource in this list. The simulation determines the access
     #   result (allowed or denied) of each combination and reports it in the
-    #   response.
+    #   response. You can simulate resources that don't exist in your
+    #   account.
     #
     #   The simulation does not automatically retrieve policies for the
     #   specified resources. If you want to include a resource policy in the
@@ -9342,8 +10023,8 @@ module Aws::IAM
     #   of the resources included in the simulation or you receive an invalid
     #   input error.
     #
-    #   For more information about ARNs, see [Amazon Resource Names (ARNs) and
-    #   AWS Service Namespaces][1] in the *AWS General Reference*.
+    #   For more information about ARNs, see [Amazon Resource Names (ARNs)][1]
+    #   in the *AWS General Reference*.
     #
     #
     #
@@ -9419,7 +10100,7 @@ module Aws::IAM
     #   includes VPC, then you must supply the network-interface resource. If
     #   it includes an IP subnet, then you must specify the subnet resource.
     #   For more information on the EC2 scenario options, see [Supported
-    #   Platforms][1] in the *Amazon EC2 User Guide*.
+    #   platforms][1] in the *Amazon EC2 User Guide*.
     #
     #   * **EC2-Classic-InstanceStore**
     #
@@ -9547,7 +10228,8 @@ module Aws::IAM
     # policies' effective permissions. The entity can be an IAM user,
     # group, or role. If you specify a user, then the simulation also
     # includes all of the policies that are attached to groups that the user
-    # belongs to.
+    # belongs to. You can simulate resources that don't exist in your
+    # account.
     #
     # You can optionally include a list of one or more additional policies
     # specified as strings to include in the simulation. If you want to
@@ -9561,8 +10243,8 @@ module Aws::IAM
     # authorization to determine if the simulated policies allow or deny the
     # operations.
     #
-    # **Note:** This API discloses information about the permissions granted
-    # to other users. If you do not want users to see other user's
+    # **Note:** This operation discloses information about the permissions
+    # granted to other users. If you do not want users to see other user's
     # permissions, then consider allowing them to use SimulateCustomPolicy
     # instead.
     #
@@ -9575,6 +10257,14 @@ module Aws::IAM
     # If the output is long, you can use the `MaxItems` and `Marker`
     # parameters to paginate the results.
     #
+    # For more information about using the policy simulator, see [Testing
+    # IAM policies with the IAM policy simulator ][1]in the *IAM User
+    # Guide*.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html
+    #
     # @option params [required, String] :policy_source_arn
     #   The Amazon Resource Name (ARN) of a user, group, or role whose
     #   policies you want to include in the simulation. If you specify a user,
@@ -9583,8 +10273,8 @@ module Aws::IAM
     #   also includes all policies that are attached to any groups the user
     #   belongs to.
     #
-    #   For more information about ARNs, see [Amazon Resource Names (ARNs) and
-    #   AWS Service Namespaces][1] in the *AWS General Reference*.
+    #   For more information about ARNs, see [Amazon Resource Names (ARNs)][1]
+    #   in the *AWS General Reference*.
     #
     #
     #
@@ -9620,7 +10310,7 @@ module Aws::IAM
     #   to an entity and you pass in a different permissions boundary policy
     #   using this parameter, then the new permissions boundary policy is used
     #   for the simulation. For more information about permissions boundaries,
-    #   see [Permissions Boundaries for IAM Entities][1] in the *IAM User
+    #   see [Permissions boundaries for IAM entities][1] in the *IAM User
     #   Guide*. The policy input is specified as a string containing the
     #   complete, valid JSON text of a permissions boundary policy.
     #
@@ -9652,15 +10342,16 @@ module Aws::IAM
     #   resources). Each API in the `ActionNames` parameter is evaluated for
     #   each resource in this list. The simulation determines the access
     #   result (allowed or denied) of each combination and reports it in the
-    #   response.
+    #   response. You can simulate resources that don't exist in your
+    #   account.
     #
     #   The simulation does not automatically retrieve policies for the
     #   specified resources. If you want to include a resource policy in the
     #   simulation, then you must include the policy as a string in the
     #   `ResourcePolicy` parameter.
     #
-    #   For more information about ARNs, see [Amazon Resource Names (ARNs) and
-    #   AWS Service Namespaces][1] in the *AWS General Reference*.
+    #   For more information about ARNs, see [Amazon Resource Names (ARNs)][1]
+    #   in the *AWS General Reference*.
     #
     #
     #
@@ -9718,8 +10409,8 @@ module Aws::IAM
     #   that the resource-based policy's `Principal` element has a value to
     #   use in evaluating the policy.
     #
-    #   For more information about ARNs, see [Amazon Resource Names (ARNs) and
-    #   AWS Service Namespaces][1] in the *AWS General Reference*.
+    #   For more information about ARNs, see [Amazon Resource Names (ARNs)][1]
+    #   in the *AWS General Reference*.
     #
     #
     #
@@ -9746,7 +10437,7 @@ module Aws::IAM
     #   includes VPC, then you must supply the network interface resource. If
     #   it includes an IP subnet, then you must specify the subnet resource.
     #   For more information on the EC2 scenario options, see [Supported
-    #   Platforms][1] in the *Amazon EC2 User Guide*.
+    #   platforms][1] in the *Amazon EC2 User Guide*.
     #
     #   * **EC2-Classic-InstanceStore**
     #
@@ -9870,6 +10561,309 @@ module Aws::IAM
       req.send_request(options)
     end
 
+    # Adds one or more tags to an IAM instance profile. If a tag with the
+    # same key name already exists, then that tag is overwritten with the
+    # new value.
+    #
+    # Each tag consists of a key name and an associated value. By assigning
+    # tags to your resources, you can do the following:
+    #
+    # * **Administrative grouping and discovery** - Attach tags to resources
+    #   to aid in organization and search. For example, you could search for
+    #   all resources with the key name *Project* and the value
+    #   *MyImportantProject*. Or search for all resources with the key name
+    #   *Cost Center* and the value *41200*.
+    #
+    # * **Access control** - Include tags in IAM user-based and
+    #   resource-based policies. You can use tags to restrict access to only
+    #   an IAM instance profile that has a specified tag attached. For
+    #   examples of policies that show how to use tags to control access,
+    #   see [Control access using IAM tags][1] in the *IAM User Guide*.
+    #
+    # <note markdown="1"> * If any one of the tags is invalid or if you exceed the allowed
+    #   maximum number of tags, then the entire request fails and the
+    #   resource is not created. For more information about tagging, see
+    #   [Tagging IAM resources][2] in the *IAM User Guide*.
+    #
+    # * AWS always interprets the tag `Value` as a single string. If you
+    #   need to store an array, you can store comma-separated values in the
+    #   string. However, you must interpret the value in your code.
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html
+    # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html
+    #
+    # @option params [required, String] :instance_profile_name
+    #   The name of the IAM instance profile to which you want to add tags.
+    #
+    #   This parameter accepts (through its [regex pattern][1]) a string of
+    #   characters that consist of upper and lowercase alphanumeric characters
+    #   with no spaces. You can also include any of the following characters:
+    #   =,.@-
+    #
+    #
+    #
+    #   [1]: http://wikipedia.org/wiki/regex
+    #
+    # @option params [required, Array<Types::Tag>] :tags
+    #   The list of tags that you want to attach to the IAM instance profile.
+    #   Each tag consists of a key name and an associated value.
+    #
+    # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.tag_instance_profile({
+    #     instance_profile_name: "instanceProfileNameType", # required
+    #     tags: [ # required
+    #       {
+    #         key: "tagKeyType", # required
+    #         value: "tagValueType", # required
+    #       },
+    #     ],
+    #   })
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/TagInstanceProfile AWS API Documentation
+    #
+    # @overload tag_instance_profile(params = {})
+    # @param [Hash] params ({})
+    def tag_instance_profile(params = {}, options = {})
+      req = build_request(:tag_instance_profile, params)
+      req.send_request(options)
+    end
+
+    # Adds one or more tags to an IAM virtual multi-factor authentication
+    # (MFA) device. If a tag with the same key name already exists, then
+    # that tag is overwritten with the new value.
+    #
+    # A tag consists of a key name and an associated value. By assigning
+    # tags to your resources, you can do the following:
+    #
+    # * **Administrative grouping and discovery** - Attach tags to resources
+    #   to aid in organization and search. For example, you could search for
+    #   all resources with the key name *Project* and the value
+    #   *MyImportantProject*. Or search for all resources with the key name
+    #   *Cost Center* and the value *41200*.
+    #
+    # * **Access control** - Include tags in IAM user-based and
+    #   resource-based policies. You can use tags to restrict access to only
+    #   an IAM virtual MFA device that has a specified tag attached. For
+    #   examples of policies that show how to use tags to control access,
+    #   see [Control access using IAM tags][1] in the *IAM User Guide*.
+    #
+    # <note markdown="1"> * If any one of the tags is invalid or if you exceed the allowed
+    #   maximum number of tags, then the entire request fails and the
+    #   resource is not created. For more information about tagging, see
+    #   [Tagging IAM resources][2] in the *IAM User Guide*.
+    #
+    # * AWS always interprets the tag `Value` as a single string. If you
+    #   need to store an array, you can store comma-separated values in the
+    #   string. However, you must interpret the value in your code.
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html
+    # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html
+    #
+    # @option params [required, String] :serial_number
+    #   The unique identifier for the IAM virtual MFA device to which you want
+    #   to add tags. For virtual MFA devices, the serial number is the same as
+    #   the ARN.
+    #
+    #   This parameter accepts (through its [regex pattern][1]) a string of
+    #   characters that consist of upper and lowercase alphanumeric characters
+    #   with no spaces. You can also include any of the following characters:
+    #   =,.@-
+    #
+    #
+    #
+    #   [1]: http://wikipedia.org/wiki/regex
+    #
+    # @option params [required, Array<Types::Tag>] :tags
+    #   The list of tags that you want to attach to the IAM virtual MFA
+    #   device. Each tag consists of a key name and an associated value.
+    #
+    # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.tag_mfa_device({
+    #     serial_number: "serialNumberType", # required
+    #     tags: [ # required
+    #       {
+    #         key: "tagKeyType", # required
+    #         value: "tagValueType", # required
+    #       },
+    #     ],
+    #   })
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/TagMFADevice AWS API Documentation
+    #
+    # @overload tag_mfa_device(params = {})
+    # @param [Hash] params ({})
+    def tag_mfa_device(params = {}, options = {})
+      req = build_request(:tag_mfa_device, params)
+      req.send_request(options)
+    end
+
+    # Adds one or more tags to an OpenID Connect (OIDC)-compatible identity
+    # provider. For more information about these providers, see [About web
+    # identity federation][1]. If a tag with the same key name already
+    # exists, then that tag is overwritten with the new value.
+    #
+    # A tag consists of a key name and an associated value. By assigning
+    # tags to your resources, you can do the following:
+    #
+    # * **Administrative grouping and discovery** - Attach tags to resources
+    #   to aid in organization and search. For example, you could search for
+    #   all resources with the key name *Project* and the value
+    #   *MyImportantProject*. Or search for all resources with the key name
+    #   *Cost Center* and the value *41200*.
+    #
+    # * **Access control** - Include tags in IAM user-based and
+    #   resource-based policies. You can use tags to restrict access to only
+    #   an OIDC provider that has a specified tag attached. For examples of
+    #   policies that show how to use tags to control access, see [Control
+    #   access using IAM tags][2] in the *IAM User Guide*.
+    #
+    # <note markdown="1"> * If any one of the tags is invalid or if you exceed the allowed
+    #   maximum number of tags, then the entire request fails and the
+    #   resource is not created. For more information about tagging, see
+    #   [Tagging IAM resources][3] in the *IAM User Guide*.
+    #
+    # * AWS always interprets the tag `Value` as a single string. If you
+    #   need to store an array, you can store comma-separated values in the
+    #   string. However, you must interpret the value in your code.
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html
+    # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html
+    # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html
+    #
+    # @option params [required, String] :open_id_connect_provider_arn
+    #   The ARN of the OIDC identity provider in IAM to which you want to add
+    #   tags.
+    #
+    #   This parameter accepts (through its [regex pattern][1]) a string of
+    #   characters that consist of upper and lowercase alphanumeric characters
+    #   with no spaces. You can also include any of the following characters:
+    #   =,.@-
+    #
+    #
+    #
+    #   [1]: http://wikipedia.org/wiki/regex
+    #
+    # @option params [required, Array<Types::Tag>] :tags
+    #   The list of tags that you want to attach to the OIDC identity provider
+    #   in IAM. Each tag consists of a key name and an associated value.
+    #
+    # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.tag_open_id_connect_provider({
+    #     open_id_connect_provider_arn: "arnType", # required
+    #     tags: [ # required
+    #       {
+    #         key: "tagKeyType", # required
+    #         value: "tagValueType", # required
+    #       },
+    #     ],
+    #   })
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/TagOpenIDConnectProvider AWS API Documentation
+    #
+    # @overload tag_open_id_connect_provider(params = {})
+    # @param [Hash] params ({})
+    def tag_open_id_connect_provider(params = {}, options = {})
+      req = build_request(:tag_open_id_connect_provider, params)
+      req.send_request(options)
+    end
+
+    # Adds one or more tags to an IAM customer managed policy. If a tag with
+    # the same key name already exists, then that tag is overwritten with
+    # the new value.
+    #
+    # A tag consists of a key name and an associated value. By assigning
+    # tags to your resources, you can do the following:
+    #
+    # * **Administrative grouping and discovery** - Attach tags to resources
+    #   to aid in organization and search. For example, you could search for
+    #   all resources with the key name *Project* and the value
+    #   *MyImportantProject*. Or search for all resources with the key name
+    #   *Cost Center* and the value *41200*.
+    #
+    # * **Access control** - Include tags in IAM user-based and
+    #   resource-based policies. You can use tags to restrict access to only
+    #   an IAM customer managed policy that has a specified tag attached.
+    #   For examples of policies that show how to use tags to control
+    #   access, see [Control access using IAM tags][1] in the *IAM User
+    #   Guide*.
+    #
+    # <note markdown="1"> * If any one of the tags is invalid or if you exceed the allowed
+    #   maximum number of tags, then the entire request fails and the
+    #   resource is not created. For more information about tagging, see
+    #   [Tagging IAM resources][2] in the *IAM User Guide*.
+    #
+    # * AWS always interprets the tag `Value` as a single string. If you
+    #   need to store an array, you can store comma-separated values in the
+    #   string. However, you must interpret the value in your code.
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html
+    # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html
+    #
+    # @option params [required, String] :policy_arn
+    #   The ARN of the IAM customer managed policy to which you want to add
+    #   tags.
+    #
+    #   This parameter accepts (through its [regex pattern][1]) a string of
+    #   characters that consist of upper and lowercase alphanumeric characters
+    #   with no spaces. You can also include any of the following characters:
+    #   =,.@-
+    #
+    #
+    #
+    #   [1]: http://wikipedia.org/wiki/regex
+    #
+    # @option params [required, Array<Types::Tag>] :tags
+    #   The list of tags that you want to attach to the IAM customer managed
+    #   policy. Each tag consists of a key name and an associated value.
+    #
+    # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.tag_policy({
+    #     policy_arn: "arnType", # required
+    #     tags: [ # required
+    #       {
+    #         key: "tagKeyType", # required
+    #         value: "tagValueType", # required
+    #       },
+    #     ],
+    #   })
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/TagPolicy AWS API Documentation
+    #
+    # @overload tag_policy(params = {})
+    # @param [Hash] params ({})
+    def tag_policy(params = {}, options = {})
+      req = build_request(:tag_policy, params)
+      req.send_request(options)
+    end
+
     # Adds one or more tags to an IAM role. The role can be a regular role
     # or a service-linked role. If a tag with the same key name already
     # exists, then that tag is overwritten with the new value.
@@ -9883,20 +10877,20 @@ module Aws::IAM
     #   *MyImportantProject*. Or search for all resources with the key name
     #   *Cost Center* and the value *41200*.
     #
-    # * **Access control** - Reference tags in IAM user-based and
+    # * **Access control** - Include tags in IAM user-based and
     #   resource-based policies. You can use tags to restrict access to only
-    #   an IAM user or role that has a specified tag attached. You can also
-    #   restrict access to only those resources that have a certain tag
-    #   attached. For examples of policies that show how to use tags to
-    #   control access, see [Control Access Using IAM Tags][1] in the *IAM
-    #   User Guide*.
+    #   an IAM role that has a specified tag attached. You can also restrict
+    #   access to only those resources that have a certain tag attached. For
+    #   examples of policies that show how to use tags to control access,
+    #   see [Control access using IAM tags][1] in the *IAM User Guide*.
     #
     # * **Cost allocation** - Use tags to help track which individuals and
     #   teams are using which AWS resources.
     #
-    # <note markdown="1"> * Make sure that you have no invalid tags and that you do not exceed
-    #   the allowed number of tags per role. In either case, the entire
-    #   request fails and *no* tags are added to the role.
+    # <note markdown="1"> * If any one of the tags is invalid or if you exceed the allowed
+    #   maximum number of tags, then the entire request fails and the
+    #   resource is not created. For more information about tagging, see
+    #   [Tagging IAM resources][2] in the *IAM User Guide*.
     #
     # * AWS always interprets the tag `Value` as a single string. If you
     #   need to store an array, you can store comma-separated values in the
@@ -9904,7 +10898,7 @@ module Aws::IAM
     #
     #  </note>
     #
-    # For more information about tagging, see [Tagging IAM Identities][2] in
+    # For more information about tagging, see [Tagging IAM identities][2] in
     # the *IAM User Guide*.
     #
     #
@@ -9913,47 +10907,209 @@ module Aws::IAM
     # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html
     #
     # @option params [required, String] :role_name
-    #   The name of the role that you want to add tags to.
+    #   The name of the IAM role to which you want to add tags.
+    #
+    #   This parameter accepts (through its [regex pattern][1]) a string of
+    #   characters that consist of upper and lowercase alphanumeric characters
+    #   with no spaces. You can also include any of the following characters:
+    #   \_+=,.@-
+    #
+    #
+    #
+    #   [1]: http://wikipedia.org/wiki/regex
+    #
+    # @option params [required, Array<Types::Tag>] :tags
+    #   The list of tags that you want to attach to the IAM role. Each tag
+    #   consists of a key name and an associated value.
+    #
+    # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
+    #
+    #
+    # @example Example: To add a tag key and value to an IAM role
+    #
+    #   # The following example shows how to add tags to an existing role.
+    #
+    #   resp = client.tag_role({
+    #     role_name: "taggedrole", 
+    #     tags: [
+    #       {
+    #         key: "Dept", 
+    #         value: "Accounting", 
+    #       }, 
+    #       {
+    #         key: "CostCenter", 
+    #         value: "12345", 
+    #       }, 
+    #     ], 
+    #   })
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.tag_role({
+    #     role_name: "roleNameType", # required
+    #     tags: [ # required
+    #       {
+    #         key: "tagKeyType", # required
+    #         value: "tagValueType", # required
+    #       },
+    #     ],
+    #   })
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/TagRole AWS API Documentation
+    #
+    # @overload tag_role(params = {})
+    # @param [Hash] params ({})
+    def tag_role(params = {}, options = {})
+      req = build_request(:tag_role, params)
+      req.send_request(options)
+    end
+
+    # Adds one or more tags to a Security Assertion Markup Language (SAML)
+    # identity provider. For more information about these providers, see
+    # [About SAML 2.0-based federation ][1]. If a tag with the same key name
+    # already exists, then that tag is overwritten with the new value.
+    #
+    # A tag consists of a key name and an associated value. By assigning
+    # tags to your resources, you can do the following:
+    #
+    # * **Administrative grouping and discovery** - Attach tags to resources
+    #   to aid in organization and search. For example, you could search for
+    #   all resources with the key name *Project* and the value
+    #   *MyImportantProject*. Or search for all resources with the key name
+    #   *Cost Center* and the value *41200*.
+    #
+    # * **Access control** - Include tags in IAM user-based and
+    #   resource-based policies. You can use tags to restrict access to only
+    #   a SAML identity provider that has a specified tag attached. For
+    #   examples of policies that show how to use tags to control access,
+    #   see [Control access using IAM tags][2] in the *IAM User Guide*.
+    #
+    # <note markdown="1"> * If any one of the tags is invalid or if you exceed the allowed
+    #   maximum number of tags, then the entire request fails and the
+    #   resource is not created. For more information about tagging, see
+    #   [Tagging IAM resources][3] in the *IAM User Guide*.
+    #
+    # * AWS always interprets the tag `Value` as a single string. If you
+    #   need to store an array, you can store comma-separated values in the
+    #   string. However, you must interpret the value in your code.
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
+    # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html
+    # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html
+    #
+    # @option params [required, String] :saml_provider_arn
+    #   The ARN of the SAML identity provider in IAM to which you want to add
+    #   tags.
+    #
+    #   This parameter accepts (through its [regex pattern][1]) a string of
+    #   characters that consist of upper and lowercase alphanumeric characters
+    #   with no spaces. You can also include any of the following characters:
+    #   =,.@-
+    #
+    #
+    #
+    #   [1]: http://wikipedia.org/wiki/regex
+    #
+    # @option params [required, Array<Types::Tag>] :tags
+    #   The list of tags that you want to attach to the SAML identity provider
+    #   in IAM. Each tag consists of a key name and an associated value.
+    #
+    # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.tag_saml_provider({
+    #     saml_provider_arn: "arnType", # required
+    #     tags: [ # required
+    #       {
+    #         key: "tagKeyType", # required
+    #         value: "tagValueType", # required
+    #       },
+    #     ],
+    #   })
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/TagSAMLProvider AWS API Documentation
+    #
+    # @overload tag_saml_provider(params = {})
+    # @param [Hash] params ({})
+    def tag_saml_provider(params = {}, options = {})
+      req = build_request(:tag_saml_provider, params)
+      req.send_request(options)
+    end
+
+    # Adds one or more tags to an IAM server certificate. If a tag with the
+    # same key name already exists, then that tag is overwritten with the
+    # new value.
+    #
+    # <note markdown="1"> For certificates in a Region supported by AWS Certificate Manager
+    # (ACM), we recommend that you don't use IAM server certificates.
+    # Instead, use ACM to provision, manage, and deploy your server
+    # certificates. For more information about IAM server certificates,
+    # [Working with server certificates][1] in the *IAM User Guide*.
+    #
+    #  </note>
+    #
+    # A tag consists of a key name and an associated value. By assigning
+    # tags to your resources, you can do the following:
+    #
+    # * **Administrative grouping and discovery** - Attach tags to resources
+    #   to aid in organization and search. For example, you could search for
+    #   all resources with the key name *Project* and the value
+    #   *MyImportantProject*. Or search for all resources with the key name
+    #   *Cost Center* and the value *41200*.
+    #
+    # * **Access control** - Include tags in IAM user-based and
+    #   resource-based policies. You can use tags to restrict access to only
+    #   a server certificate that has a specified tag attached. For examples
+    #   of policies that show how to use tags to control access, see
+    #   [Control access using IAM tags][2] in the *IAM User Guide*.
+    #
+    # * **Cost allocation** - Use tags to help track which individuals and
+    #   teams are using which AWS resources.
+    #
+    # <note markdown="1"> * If any one of the tags is invalid or if you exceed the allowed
+    #   maximum number of tags, then the entire request fails and the
+    #   resource is not created. For more information about tagging, see
+    #   [Tagging IAM resources][3] in the *IAM User Guide*.
+    #
+    # * AWS always interprets the tag `Value` as a single string. If you
+    #   need to store an array, you can store comma-separated values in the
+    #   string. However, you must interpret the value in your code.
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html
+    # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html
+    # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html
+    #
+    # @option params [required, String] :server_certificate_name
+    #   The name of the IAM server certificate to which you want to add tags.
     #
     #   This parameter accepts (through its [regex pattern][1]) a string of
     #   characters that consist of upper and lowercase alphanumeric characters
     #   with no spaces. You can also include any of the following characters:
-    #   \_+=,.@-
+    #   =,.@-
     #
     #
     #
     #   [1]: http://wikipedia.org/wiki/regex
     #
     # @option params [required, Array<Types::Tag>] :tags
-    #   The list of tags that you want to attach to the role. Each tag
-    #   consists of a key name and an associated value. You can specify this
-    #   with a JSON string.
+    #   The list of tags that you want to attach to the IAM server
+    #   certificate. Each tag consists of a key name and an associated value.
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
-    #
-    # @example Example: To add a tag key and value to an IAM role
-    #
-    #   # The following example shows how to add tags to an existing role.
-    #
-    #   resp = client.tag_role({
-    #     role_name: "taggedrole", 
-    #     tags: [
-    #       {
-    #         key: "Dept", 
-    #         value: "Accounting", 
-    #       }, 
-    #       {
-    #         key: "CostCenter", 
-    #         value: "12345", 
-    #       }, 
-    #     ], 
-    #   })
-    #
     # @example Request syntax with placeholder values
     #
-    #   resp = client.tag_role({
-    #     role_name: "roleNameType", # required
+    #   resp = client.tag_server_certificate({
+    #     server_certificate_name: "serverCertificateNameType", # required
     #     tags: [ # required
     #       {
     #         key: "tagKeyType", # required
@@ -9962,12 +11118,12 @@ module Aws::IAM
     #     ],
     #   })
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/TagRole AWS API Documentation
+    # @see http://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/TagServerCertificate AWS API Documentation
     #
-    # @overload tag_role(params = {})
+    # @overload tag_server_certificate(params = {})
     # @param [Hash] params ({})
-    def tag_role(params = {}, options = {})
-      req = build_request(:tag_role, params)
+    def tag_server_certificate(params = {}, options = {})
+      req = build_request(:tag_server_certificate, params)
       req.send_request(options)
     end
 
@@ -9983,20 +11139,21 @@ module Aws::IAM
     #   *MyImportantProject*. Or search for all resources with the key name
     #   *Cost Center* and the value *41200*.
     #
-    # * **Access control** - Reference tags in IAM user-based and
+    # * **Access control** - Include tags in IAM user-based and
     #   resource-based policies. You can use tags to restrict access to only
-    #   an IAM requesting user or to a role that has a specified tag
-    #   attached. You can also restrict access to only those resources that
-    #   have a certain tag attached. For examples of policies that show how
-    #   to use tags to control access, see [Control Access Using IAM
-    #   Tags][1] in the *IAM User Guide*.
+    #   an IAM requesting user that has a specified tag attached. You can
+    #   also restrict access to only those resources that have a certain tag
+    #   attached. For examples of policies that show how to use tags to
+    #   control access, see [Control access using IAM tags][1] in the *IAM
+    #   User Guide*.
     #
     # * **Cost allocation** - Use tags to help track which individuals and
     #   teams are using which AWS resources.
     #
-    # <note markdown="1"> * Make sure that you have no invalid tags and that you do not exceed
-    #   the allowed number of tags per role. In either case, the entire
-    #   request fails and *no* tags are added to the role.
+    # <note markdown="1"> * If any one of the tags is invalid or if you exceed the allowed
+    #   maximum number of tags, then the entire request fails and the
+    #   resource is not created. For more information about tagging, see
+    #   [Tagging IAM resources][2] in the *IAM User Guide*.
     #
     # * AWS always interprets the tag `Value` as a single string. If you
     #   need to store an array, you can store comma-separated values in the
@@ -10004,7 +11161,7 @@ module Aws::IAM
     #
     #  </note>
     #
-    # For more information about tagging, see [Tagging IAM Identities][2] in
+    # For more information about tagging, see [Tagging IAM identities][2] in
     # the *IAM User Guide*.
     #
     #
@@ -10013,7 +11170,7 @@ module Aws::IAM
     # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html
     #
     # @option params [required, String] :user_name
-    #   The name of the user that you want to add tags to.
+    #   The name of the IAM user to which you want to add tags.
     #
     #   This parameter accepts (through its [regex pattern][1]) a string of
     #   characters that consist of upper and lowercase alphanumeric characters
@@ -10025,7 +11182,7 @@ module Aws::IAM
     #   [1]: http://wikipedia.org/wiki/regex
     #
     # @option params [required, Array<Types::Tag>] :tags
-    #   The list of tags that you want to attach to the user. Each tag
+    #   The list of tags that you want to attach to the IAM user. Each tag
     #   consists of a key name and an associated value.
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
@@ -10070,8 +11227,184 @@ module Aws::IAM
       req.send_request(options)
     end
 
+    # Removes the specified tags from the IAM instance profile. For more
+    # information about tagging, see [Tagging IAM resources][1] in the *IAM
+    # User Guide*.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html
+    #
+    # @option params [required, String] :instance_profile_name
+    #   The name of the IAM instance profile from which you want to remove
+    #   tags.
+    #
+    #   This parameter accepts (through its [regex pattern][1]) a string of
+    #   characters that consist of upper and lowercase alphanumeric characters
+    #   with no spaces. You can also include any of the following characters:
+    #   =,.@-
+    #
+    #
+    #
+    #   [1]: http://wikipedia.org/wiki/regex
+    #
+    # @option params [required, Array<String>] :tag_keys
+    #   A list of key names as a simple array of strings. The tags with
+    #   matching keys are removed from the specified instance profile.
+    #
+    # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.untag_instance_profile({
+    #     instance_profile_name: "instanceProfileNameType", # required
+    #     tag_keys: ["tagKeyType"], # required
+    #   })
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/UntagInstanceProfile AWS API Documentation
+    #
+    # @overload untag_instance_profile(params = {})
+    # @param [Hash] params ({})
+    def untag_instance_profile(params = {}, options = {})
+      req = build_request(:untag_instance_profile, params)
+      req.send_request(options)
+    end
+
+    # Removes the specified tags from the IAM virtual multi-factor
+    # authentication (MFA) device. For more information about tagging, see
+    # [Tagging IAM resources][1] in the *IAM User Guide*.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html
+    #
+    # @option params [required, String] :serial_number
+    #   The unique identifier for the IAM virtual MFA device from which you
+    #   want to remove tags. For virtual MFA devices, the serial number is the
+    #   same as the ARN.
+    #
+    #   This parameter accepts (through its [regex pattern][1]) a string of
+    #   characters that consist of upper and lowercase alphanumeric characters
+    #   with no spaces. You can also include any of the following characters:
+    #   =,.@-
+    #
+    #
+    #
+    #   [1]: http://wikipedia.org/wiki/regex
+    #
+    # @option params [required, Array<String>] :tag_keys
+    #   A list of key names as a simple array of strings. The tags with
+    #   matching keys are removed from the specified instance profile.
+    #
+    # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.untag_mfa_device({
+    #     serial_number: "serialNumberType", # required
+    #     tag_keys: ["tagKeyType"], # required
+    #   })
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/UntagMFADevice AWS API Documentation
+    #
+    # @overload untag_mfa_device(params = {})
+    # @param [Hash] params ({})
+    def untag_mfa_device(params = {}, options = {})
+      req = build_request(:untag_mfa_device, params)
+      req.send_request(options)
+    end
+
+    # Removes the specified tags from the specified OpenID Connect
+    # (OIDC)-compatible identity provider in IAM. For more information about
+    # OIDC providers, see [About web identity federation][1]. For more
+    # information about tagging, see [Tagging IAM resources][2] in the *IAM
+    # User Guide*.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html
+    # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html
+    #
+    # @option params [required, String] :open_id_connect_provider_arn
+    #   The ARN of the OIDC provider in IAM from which you want to remove
+    #   tags.
+    #
+    #   This parameter accepts (through its [regex pattern][1]) a string of
+    #   characters that consist of upper and lowercase alphanumeric characters
+    #   with no spaces. You can also include any of the following characters:
+    #   =,.@-
+    #
+    #
+    #
+    #   [1]: http://wikipedia.org/wiki/regex
+    #
+    # @option params [required, Array<String>] :tag_keys
+    #   A list of key names as a simple array of strings. The tags with
+    #   matching keys are removed from the specified OIDC provider.
+    #
+    # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.untag_open_id_connect_provider({
+    #     open_id_connect_provider_arn: "arnType", # required
+    #     tag_keys: ["tagKeyType"], # required
+    #   })
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/UntagOpenIDConnectProvider AWS API Documentation
+    #
+    # @overload untag_open_id_connect_provider(params = {})
+    # @param [Hash] params ({})
+    def untag_open_id_connect_provider(params = {}, options = {})
+      req = build_request(:untag_open_id_connect_provider, params)
+      req.send_request(options)
+    end
+
+    # Removes the specified tags from the customer managed policy. For more
+    # information about tagging, see [Tagging IAM resources][1] in the *IAM
+    # User Guide*.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html
+    #
+    # @option params [required, String] :policy_arn
+    #   The ARN of the IAM customer managed policy from which you want to
+    #   remove tags.
+    #
+    #   This parameter accepts (through its [regex pattern][1]) a string of
+    #   characters that consist of upper and lowercase alphanumeric characters
+    #   with no spaces. You can also include any of the following characters:
+    #   =,.@-
+    #
+    #
+    #
+    #   [1]: http://wikipedia.org/wiki/regex
+    #
+    # @option params [required, Array<String>] :tag_keys
+    #   A list of key names as a simple array of strings. The tags with
+    #   matching keys are removed from the specified policy.
+    #
+    # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.untag_policy({
+    #     policy_arn: "arnType", # required
+    #     tag_keys: ["tagKeyType"], # required
+    #   })
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/UntagPolicy AWS API Documentation
+    #
+    # @overload untag_policy(params = {})
+    # @param [Hash] params ({})
+    def untag_policy(params = {}, options = {})
+      req = build_request(:untag_policy, params)
+      req.send_request(options)
+    end
+
     # Removes the specified tags from the role. For more information about
-    # tagging, see [Tagging IAM Identities][1] in the *IAM User Guide*.
+    # tagging, see [Tagging IAM resources][1] in the *IAM User Guide*.
     #
     #
     #
@@ -10123,8 +11456,106 @@ module Aws::IAM
       req.send_request(options)
     end
 
+    # Removes the specified tags from the specified Security Assertion
+    # Markup Language (SAML) identity provider in IAM. For more information
+    # about these providers, see [About web identity federation][1]. For
+    # more information about tagging, see [Tagging IAM resources][2] in the
+    # *IAM User Guide*.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html
+    # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html
+    #
+    # @option params [required, String] :saml_provider_arn
+    #   The ARN of the SAML identity provider in IAM from which you want to
+    #   remove tags.
+    #
+    #   This parameter accepts (through its [regex pattern][1]) a string of
+    #   characters that consist of upper and lowercase alphanumeric characters
+    #   with no spaces. You can also include any of the following characters:
+    #   =,.@-
+    #
+    #
+    #
+    #   [1]: http://wikipedia.org/wiki/regex
+    #
+    # @option params [required, Array<String>] :tag_keys
+    #   A list of key names as a simple array of strings. The tags with
+    #   matching keys are removed from the specified SAML identity provider.
+    #
+    # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.untag_saml_provider({
+    #     saml_provider_arn: "arnType", # required
+    #     tag_keys: ["tagKeyType"], # required
+    #   })
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/UntagSAMLProvider AWS API Documentation
+    #
+    # @overload untag_saml_provider(params = {})
+    # @param [Hash] params ({})
+    def untag_saml_provider(params = {}, options = {})
+      req = build_request(:untag_saml_provider, params)
+      req.send_request(options)
+    end
+
+    # Removes the specified tags from the IAM server certificate. For more
+    # information about tagging, see [Tagging IAM resources][1] in the *IAM
+    # User Guide*.
+    #
+    # <note markdown="1"> For certificates in a Region supported by AWS Certificate Manager
+    # (ACM), we recommend that you don't use IAM server certificates.
+    # Instead, use ACM to provision, manage, and deploy your server
+    # certificates. For more information about IAM server certificates,
+    # [Working with server certificates][2] in the *IAM User Guide*.
+    #
+    #  </note>
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html
+    # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html
+    #
+    # @option params [required, String] :server_certificate_name
+    #   The name of the IAM server certificate from which you want to remove
+    #   tags.
+    #
+    #   This parameter accepts (through its [regex pattern][1]) a string of
+    #   characters that consist of upper and lowercase alphanumeric characters
+    #   with no spaces. You can also include any of the following characters:
+    #   =,.@-
+    #
+    #
+    #
+    #   [1]: http://wikipedia.org/wiki/regex
+    #
+    # @option params [required, Array<String>] :tag_keys
+    #   A list of key names as a simple array of strings. The tags with
+    #   matching keys are removed from the specified IAM server certificate.
+    #
+    # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.untag_server_certificate({
+    #     server_certificate_name: "serverCertificateNameType", # required
+    #     tag_keys: ["tagKeyType"], # required
+    #   })
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/UntagServerCertificate AWS API Documentation
+    #
+    # @overload untag_server_certificate(params = {})
+    # @param [Hash] params ({})
+    def untag_server_certificate(params = {}, options = {})
+      req = build_request(:untag_server_certificate, params)
+      req.send_request(options)
+    end
+
     # Removes the specified tags from the user. For more information about
-    # tagging, see [Tagging IAM Identities][1] in the *IAM User Guide*.
+    # tagging, see [Tagging IAM resources][1] in the *IAM User Guide*.
     #
     #
     #
@@ -10186,8 +11617,8 @@ module Aws::IAM
     # Consequently, you can use this operation to manage AWS account root
     # user credentials even if the AWS account has no associated users.
     #
-    # For information about rotating keys, see [Managing Keys and
-    # Certificates][1] in the *IAM User Guide*.
+    # For information about rotating keys, see [Managing keys and
+    # certificates][1] in the *IAM User Guide*.
     #
     #
     #
@@ -10218,8 +11649,8 @@ module Aws::IAM
     #
     # @option params [required, String] :status
     #   The status you want to assign to the secret access key. `Active` means
-    #   that the key can be used for API calls to AWS, while `Inactive` means
-    #   that the key cannot be used.
+    #   that the key can be used for programmatic calls to AWS, while
+    #   `Inactive` means that the key cannot be used.
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -10267,7 +11698,7 @@ module Aws::IAM
     #  </note>
     #
     # For more information about using a password policy, see [Managing an
-    # IAM Password Policy][1] in the *IAM User Guide*.
+    # IAM password policy][1] in the *IAM User Guide*.
     #
     #
     #
@@ -10316,7 +11747,7 @@ module Aws::IAM
     # @option params [Boolean] :allow_users_to_change_password
     #   Allows all IAM users in your account to use the AWS Management Console
     #   to change their own passwords. For more information, see [Letting IAM
-    #   Users Change Their Own Passwords][1] in the *IAM User Guide*.
+    #   users change their own passwords][1] in the *IAM User Guide*.
     #
     #   If you do not specify a value for this parameter, then the operation
     #   uses the default value of `false`. The result is that IAM users in the
@@ -10390,8 +11821,8 @@ module Aws::IAM
 
     # Updates the policy that grants an IAM entity permission to assume a
     # role. This is typically referred to as the "role trust policy". For
-    # more information about roles, go to [Using Roles to Delegate
-    # Permissions and Federate Identities][1].
+    # more information about roles, see [Using roles to delegate permissions
+    # and federate identities][1].
     #
     #
     #
@@ -10464,7 +11895,7 @@ module Aws::IAM
     # Updates the name and/or the path of the specified IAM group.
     #
     # You should understand the implications of changing a group's path or
-    # name. For more information, see [Renaming Users and Groups][1] in the
+    # name. For more information, see [Renaming users and groups][1] in the
     # *IAM User Guide*.
     #
     # <note markdown="1"> The person making the request (the principal), must have permission to
@@ -10473,7 +11904,7 @@ module Aws::IAM
     # have a policy that allows them to update both groups. If the principal
     # has permission to update the `Managers` group, but not the `MGRs`
     # group, then the update fails. For more information about permissions,
-    # see [Access Management][2].
+    # see [Access management][2].
     #
     #  </note>
     #
@@ -10547,11 +11978,14 @@ module Aws::IAM
       req.send_request(options)
     end
 
-    # Changes the password for the specified IAM user.
+    # Changes the password for the specified IAM user. You can use the AWS
+    # CLI, the AWS API, or the **Users** page in the IAM console to change
+    # the password for any IAM user. Use ChangePassword to change your own
+    # password in the **My Security Credentials** page in the AWS Management
+    # Console.
     #
-    # IAM users can change their own passwords by calling ChangePassword.
     # For more information about modifying passwords, see [Managing
-    # Passwords][1] in the *IAM User Guide*.
+    # passwords][1] in the *IAM User Guide*.
     #
     #
     #
@@ -10651,8 +12085,8 @@ module Aws::IAM
     #   of OIDC provider ARNs by using the ListOpenIDConnectProviders
     #   operation.
     #
-    #   For more information about ARNs, see [Amazon Resource Names (ARNs) and
-    #   AWS Service Namespaces][1] in the *AWS General Reference*.
+    #   For more information about ARNs, see [Amazon Resource Names (ARNs)][1]
+    #   in the *AWS General Reference*.
     #
     #
     #
@@ -10704,7 +12138,7 @@ module Aws::IAM
     #   for one hour by default. This applies when you use the `AssumeRole*`
     #   API operations or the `assume-role*` CLI operations but does not apply
     #   when you use those operations to create a console URL. For more
-    #   information, see [Using IAM Roles][1] in the *IAM User Guide*.
+    #   information, see [Using IAM roles][1] in the *IAM User Guide*.
     #
     #
     #
@@ -10801,8 +12235,8 @@ module Aws::IAM
     # @option params [required, String] :saml_provider_arn
     #   The Amazon Resource Name (ARN) of the SAML provider to update.
     #
-    #   For more information about ARNs, see [Amazon Resource Names (ARNs) and
-    #   AWS Service Namespaces][1] in the *AWS General Reference*.
+    #   For more information about ARNs, see [Amazon Resource Names (ARNs)][1]
+    #   in the *AWS General Reference*.
     #
     #
     #
@@ -10841,7 +12275,7 @@ module Aws::IAM
     # authenticating the associated IAM user to an AWS CodeCommit
     # repository. For more information about using SSH keys to authenticate
     # to an AWS CodeCommit repository, see [Set up AWS CodeCommit for SSH
-    # Connections][1] in the *AWS CodeCommit User Guide*.
+    # connections][1] in the *AWS CodeCommit User Guide*.
     #
     #
     #
@@ -10898,13 +12332,13 @@ module Aws::IAM
     # stored in IAM.
     #
     # For more information about working with server certificates, see
-    # [Working with Server Certificates][1] in the *IAM User Guide*. This
+    # [Working with server certificates][1] in the *IAM User Guide*. This
     # topic also includes a list of AWS services that can use the server
     # certificates that you manage with IAM.
     #
     # You should understand the implications of changing a server
     # certificate's path or name. For more information, see [Renaming a
-    # Server Certificate][2] in the *IAM User Guide*.
+    # server certificate][2] in the *IAM User Guide*.
     #
     # <note markdown="1"> The person making the request (the principal), must have permission to
     # change the server certificate with the old name and the new name. For
@@ -10913,7 +12347,7 @@ module Aws::IAM
     # update both certificates. If the principal has permission to update
     # the `ProductionCert` group, but not the `ProdCert` certificate, then
     # the update fails. For more information about permissions, see [Access
-    # Management][3] in the *IAM User Guide*.
+    # management][3] in the *IAM User Guide*.
     #
     #  </note>
     #
@@ -11072,8 +12506,8 @@ module Aws::IAM
     #
     # @option params [required, String] :status
     #   The status you want to assign to the certificate. `Active` means that
-    #   the certificate can be used for API calls to AWS `Inactive` means that
-    #   the certificate cannot be used.
+    #   the certificate can be used for programmatic calls to AWS `Inactive`
+    #   means that the certificate cannot be used.
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -11108,14 +12542,14 @@ module Aws::IAM
     # Updates the name and/or the path of the specified IAM user.
     #
     # You should understand the implications of changing an IAM user's path
-    # or name. For more information, see [Renaming an IAM User][1] and
-    # [Renaming an IAM Group][2] in the *IAM User Guide*.
+    # or name. For more information, see [Renaming an IAM user][1] and
+    # [Renaming an IAM group][2] in the *IAM User Guide*.
     #
     # <note markdown="1"> To change a user name, the requester must have appropriate permissions
     # on both the source object and the target object. For example, to
     # change Bob to Robert, the entity making the request must have
     # permission on Bob and Robert, or must have permission on all (*). For
-    # more information about permissions, see [Permissions and Policies][3].
+    # more information about permissions, see [Permissions and policies][3].
     #
     #  </note>
     #
@@ -11197,7 +12631,7 @@ module Aws::IAM
     # authenticating the associated IAM user to an AWS CodeCommit
     # repository. For more information about using SSH keys to authenticate
     # to an AWS CodeCommit repository, see [Set up AWS CodeCommit for SSH
-    # Connections][1] in the *AWS CodeCommit User Guide*.
+    # connections][1] in the *AWS CodeCommit User Guide*.
     #
     #
     #
@@ -11278,21 +12712,20 @@ module Aws::IAM
     # User Guide][2].
     #
     # For more information about working with server certificates, see
-    # [Working with Server Certificates][3] in the *IAM User Guide*. This
+    # [Working with server certificates][3] in the *IAM User Guide*. This
     # topic includes a list of AWS services that can use the server
     # certificates that you manage with IAM.
     #
     # For information about the number of server certificates you can
-    # upload, see [Limitations on IAM Entities and Objects][4] in the *IAM
-    # User Guide*.
+    # upload, see [IAM and STS quotas][4] in the *IAM User Guide*.
     #
     # <note markdown="1"> Because the body of the public key certificate, private key, and the
     # certificate chain can be large, you should use POST rather than GET
     # when calling `UploadServerCertificate`. For information about setting
-    # up signatures and authorization through the API, go to [Signing AWS
-    # API Requests][5] in the *AWS General Reference*. For general
-    # information about using the Query API with IAM, go to [Calling the API
-    # by Making HTTP Query Requests][6] in the *IAM User Guide*.
+    # up signatures and authorization through the API, see [Signing AWS API
+    # requests][5] in the *AWS General Reference*. For general information
+    # about using the Query API with IAM, see [Calling the API by making
+    # HTTP query requests][6] in the *IAM User Guide*.
     #
     #  </note>
     #
@@ -11301,13 +12734,13 @@ module Aws::IAM
     # [1]: https://docs.aws.amazon.com/acm/
     # [2]: https://docs.aws.amazon.com/acm/latest/userguide/
     # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html
-    # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html
+    # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html
     # [5]: https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html
     # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/programming.html
     #
     # @option params [String] :path
     #   The path for the server certificate. For more information about paths,
-    #   see [IAM Identifiers][1] in the *IAM User Guide*.
+    #   see [IAM identifiers][1] in the *IAM User Guide*.
     #
     #   This parameter is optional. If it is not included, it defaults to a
     #   slash (/). This parameter allows (through its [regex pattern][2]) a
@@ -11400,9 +12833,26 @@ module Aws::IAM
     #
     #   [1]: http://wikipedia.org/wiki/regex
     #
+    # @option params [Array<Types::Tag>] :tags
+    #   A list of tags that you want to attach to the new IAM server
+    #   certificate resource. Each tag consists of a key name and an
+    #   associated value. For more information about tagging, see [Tagging IAM
+    #   resources][1] in the *IAM User Guide*.
+    #
+    #   <note markdown="1"> If any one of the tags is invalid or if you exceed the allowed maximum
+    #   number of tags, then the entire request fails and the resource is not
+    #   created.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html
+    #
     # @return [Types::UploadServerCertificateResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::UploadServerCertificateResponse#server_certificate_metadata #server_certificate_metadata} => Types::ServerCertificateMetadata
+    #   * {Types::UploadServerCertificateResponse#tags #tags} => Array&lt;Types::Tag&gt;
     #
     #
     # @example Example: To upload a server certificate to your AWS account
@@ -11436,6 +12886,12 @@ module Aws::IAM
     #     certificate_body: "certificateBodyType", # required
     #     private_key: "privateKeyType", # required
     #     certificate_chain: "certificateChainType",
+    #     tags: [
+    #       {
+    #         key: "tagKeyType", # required
+    #         value: "tagValueType", # required
+    #       },
+    #     ],
     #   })
     #
     # @example Response structure
@@ -11446,6 +12902,9 @@ module Aws::IAM
     #   resp.server_certificate_metadata.arn #=> String
     #   resp.server_certificate_metadata.upload_date #=> Time
     #   resp.server_certificate_metadata.expiration #=> Time
+    #   resp.tags #=> Array
+    #   resp.tags[0].key #=> String
+    #   resp.tags[0].value #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/UploadServerCertificate AWS API Documentation
     #
@@ -11457,10 +12916,13 @@ module Aws::IAM
     end
 
     # Uploads an X.509 signing certificate and associates it with the
-    # specified IAM user. Some AWS services use X.509 signing certificates
+    # specified IAM user. Some AWS services require you to use certificates
     # to validate requests that are signed with a corresponding private key.
     # When you upload the certificate, its default status is `Active`.
     #
+    # For information about when you would use an X.509 signing certificate,
+    # see [Managing server certificates in IAM][1] in the *IAM User Guide*.
+    #
     # If the `UserName` is not specified, the IAM user name is determined
     # implicitly based on the AWS access key ID used to sign the request.
     # This operation works for access keys under the AWS account.
@@ -11470,16 +12932,17 @@ module Aws::IAM
     # <note markdown="1"> Because the body of an X.509 certificate can be large, you should use
     # POST rather than GET when calling `UploadSigningCertificate`. For
     # information about setting up signatures and authorization through the
-    # API, go to [Signing AWS API Requests][1] in the *AWS General
-    # Reference*. For general information about using the Query API with
-    # IAM, go to [Making Query Requests][2] in the *IAM User Guide*.
+    # API, see [Signing AWS API requests][2] in the *AWS General Reference*.
+    # For general information about using the Query API with IAM, see
+    # [Making query requests][3] in the *IAM User Guide*.
     #
     #  </note>
     #
     #
     #
-    # [1]: https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html
-    # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_UsingQueryAPI.html
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html
+    # [2]: https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html
+    # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_UsingQueryAPI.html
     #
     # @option params [String] :user_name
     #   The name of the user the signing certificate is for.
@@ -11574,7 +13037,7 @@ module Aws::IAM
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-iam'
-      context[:gem_version] = '1.43.0'
+      context[:gem_version] = '1.48.0'
       Seahorse::Client::Request.new(handlers, context)
     end