chore(deps): bump github.com/aws/aws-sdk-go from 1.44.24 to 1.44.253 (#2490)

Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.44.24 to 1.44.253.
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Commits](https://github.com/aws/aws-sdk-go/compare/v1.44.24...v1.44.253)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

go.mod

@@ -5,7 +5,7 @@ go 1.17
 require (
 	cloud.google.com/go/storage v1.29.0
 	github.com/Azure/azure-storage-blob-go v0.14.0
-	github.com/aws/aws-sdk-go v1.44.24
+	github.com/aws/aws-sdk-go v1.44.253
 	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20220228164355-396b2034c795
 	github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589
 	github.com/containerd/cgroups v1.1.0 // indirect

go.sum

@@ -766,8 +766,8 @@ github.com/aws/aws-sdk-go v1.27.1/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN
 github.com/aws/aws-sdk-go v1.31.6/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
 github.com/aws/aws-sdk-go v1.37.0/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro=
 github.com/aws/aws-sdk-go v1.43.16/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
-github.com/aws/aws-sdk-go v1.44.24 h1:3nOkwJBJLiGBmJKWp3z0utyXuBkxyGkRRwWjrTItJaY=
-github.com/aws/aws-sdk-go v1.44.24/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
+github.com/aws/aws-sdk-go v1.44.253 h1:iqDd0okcH4ShfFexz2zzf4VmeDFf6NOMm07pHnEb8iY=
+github.com/aws/aws-sdk-go v1.44.253/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
 github.com/aws/aws-sdk-go-v2 v1.7.1/go.mod h1:L5LuPC1ZgDr2xQS7AmIec/Jlc7O/Y1u2KxJyNVab250=
 github.com/aws/aws-sdk-go-v2 v1.14.0/go.mod h1:ZA3Y8V0LrlWj63MQAnRHgKf/5QB//LSZCPNWlWrNGLU=
 github.com/aws/aws-sdk-go-v2 v1.16.3 h1:0W1TSJ7O6OzwuEvIXAtJGvOeQ0SGAhcpxPN2/NK5EhM=

vendor/github.com/aws/aws-sdk-go/aws/config.go

@@ -192,6 +192,23 @@ type Config struct {
 	//
 	EC2MetadataDisableTimeoutOverride *bool
 
+	// Set this to `false` to disable EC2Metadata client from falling back to IMDSv1.
+	// By default, EC2 role credentials will fall back to IMDSv1 as needed for backwards compatibility.
+	// You can disable this behavior by explicitly setting this flag to `false`. When false, the EC2Metadata
+	// client will return any errors encountered from attempting to fetch a token instead of silently
+	// using the insecure data flow of IMDSv1.
+	//
+	// Example:
+	//    sess := session.Must(session.NewSession(aws.NewConfig()
+	//       .WithEC2MetadataEnableFallback(false)))
+	//
+	//    svc := s3.New(sess)
+	//
+	// See [configuring IMDS] for more information.
+	//
+	// [configuring IMDS]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html
+	EC2MetadataEnableFallback *bool
+
 	// Instructs the endpoint to be generated for a service client to
 	// be the dual stack endpoint. The dual stack endpoint will support
 	// both IPv4 and IPv6 addressing.
@@ -432,6 +449,13 @@ func (c *Config) WithEC2MetadataDisableTimeoutOverride(enable bool) *Config {
 	return c
 }
 
+// WithEC2MetadataEnableFallback sets a config EC2MetadataEnableFallback value
+// returning a Config pointer for chaining.
+func (c *Config) WithEC2MetadataEnableFallback(v bool) *Config {
+	c.EC2MetadataEnableFallback = &v
+	return c
+}
+
 // WithSleepDelay overrides the function used to sleep while waiting for the
 // next retry. Defaults to time.Sleep.
 func (c *Config) WithSleepDelay(fn func(time.Duration)) *Config {
@@ -576,6 +600,10 @@ func mergeInConfig(dst *Config, other *Config) {
 		dst.EC2MetadataDisableTimeoutOverride = other.EC2MetadataDisableTimeoutOverride
 	}
 
+	if other.EC2MetadataEnableFallback != nil {
+		dst.EC2MetadataEnableFallback = other.EC2MetadataEnableFallback
+	}
+
 	if other.SleepDelay != nil {
 		dst.SleepDelay = other.SleepDelay
 	}

vendor/github.com/aws/aws-sdk-go/aws/credentials/processcreds/provider.go

@@ -226,11 +226,23 @@ func NewCredentialsCommand(command *exec.Cmd, options ...func(*ProcessProvider))
 	return credentials.NewCredentials(p)
 }
 
-type credentialProcessResponse struct {
+// A CredentialProcessResponse is the AWS credentials format that must be
+// returned when executing an external credential_process.
+type CredentialProcessResponse struct {
+	// As of this writing, the Version key must be set to 1. This might
+	// increment over time as the structure evolves.
 	Version int
+
+	// The access key ID that identifies the temporary security credentials.
 	AccessKeyID string `json:"AccessKeyId"`
+
+	// The secret access key that can be used to sign requests.
 	SecretAccessKey string
+
+	// The token that users must pass to the service API to use the temporary credentials.
 	SessionToken string
+
+	// The date on which the current credentials expire.
 	Expiration *time.Time
 }
 
@@ -242,7 +254,7 @@ func (p *ProcessProvider) Retrieve() (credentials.Value, error) {
 	}
 
 	// Serialize and validate response
-	resp := &credentialProcessResponse{}
+	resp := &CredentialProcessResponse{}
 	if err = json.Unmarshal(out, resp); err != nil {
 		return credentials.Value{ProviderName: ProviderName}, awserr.New(
 			ErrCodeProcessProviderParse,

vendor/github.com/aws/aws-sdk-go/aws/ec2metadata/service.go

@@ -57,8 +57,8 @@ type EC2Metadata struct {
 // New creates a new instance of the EC2Metadata client with a session.
 // This client is safe to use across multiple goroutines.
 //
-//
 // Example:
+//
 //	// Create a EC2Metadata client from just a session.
 //	svc := ec2metadata.New(mySession)
 //

vendor/github.com/aws/aws-sdk-go/aws/ec2metadata/token_provider.go

@@ -1,6 +1,7 @@
 package ec2metadata
 
 import (
+	"fmt"
 	"net/http"
 	"sync/atomic"
 	"time"
@@ -33,11 +34,15 @@ func newTokenProvider(c *EC2Metadata, duration time.Duration) *tokenProvider {
 	return &tokenProvider{client: c, configuredTTL: duration}
 }
 
+// check if fallback is enabled
+func (t *tokenProvider) fallbackEnabled() bool {
+	return t.client.Config.EC2MetadataEnableFallback == nil || *t.client.Config.EC2MetadataEnableFallback
+}
+
 // fetchTokenHandler fetches token for EC2Metadata service client by default.
 func (t *tokenProvider) fetchTokenHandler(r *request.Request) {
-
 	// short-circuits to insecure data flow if tokenProvider is disabled.
-	if v := atomic.LoadUint32(&t.disabled); v == 1 {
+	if v := atomic.LoadUint32(&t.disabled); v == 1 && t.fallbackEnabled() {
 		return
 	}
 
@@ -49,23 +54,21 @@ func (t *tokenProvider) fetchTokenHandler(r *request.Request) {
 	output, err := t.client.getToken(r.Context(), t.configuredTTL)
 
 	if err != nil {
+		// only attempt fallback to insecure data flow if IMDSv1 is enabled
+		if !t.fallbackEnabled() {
+			r.Error = awserr.New("EC2MetadataError", "failed to get IMDSv2 token and fallback to IMDSv1 is disabled", err)
+			return
+		}
 
-		// change the disabled flag on token provider to true,
-		// when error is request timeout error.
+		// change the disabled flag on token provider to true and fallback
 		if requestFailureError, ok := err.(awserr.RequestFailure); ok {
 			switch requestFailureError.StatusCode() {
 			case http.StatusForbidden, http.StatusNotFound, http.StatusMethodNotAllowed:
 				atomic.StoreUint32(&t.disabled, 1)
+				t.client.Config.Logger.Log(fmt.Sprintf("WARN: failed to get session token, falling back to IMDSv1: %v", requestFailureError))
 			case http.StatusBadRequest:
 				r.Error = requestFailureError
 			}
-
-			// Check if request timed out while waiting for response
-			if e, ok := requestFailureError.OrigErr().(awserr.Error); ok {
-				if e.Code() == request.ErrCodeRequestError {
-					atomic.StoreUint32(&t.disabled, 1)
-				}
-			}
 		}
 		return
 	}

vendor/github.com/aws/aws-sdk-go/aws/endpoints/doc.go

@@ -9,7 +9,7 @@
 // AWS GovCloud (US) (aws-us-gov).
 // .
 //
-// Enumerating Regions and Endpoint Metadata
+// # Enumerating Regions and Endpoint Metadata
 //
 // Casting the Resolver returned by DefaultResolver to a EnumPartitions interface
 // will allow you to get access to the list of underlying Partitions with the
@@ -32,7 +32,7 @@
 //	    }
 //	}
 //
-// Using Custom Endpoints
+// # Using Custom Endpoints
 //
 // The endpoints package also gives you the ability to use your own logic how
 // endpoints are resolved. This is a great way to define a custom endpoint
@@ -47,7 +47,6 @@
 // of Resolver.EndpointFor, converting it to a type that satisfies the
 // Resolver interface.
 //
-//
 //	myCustomResolver := func(service, region string, optFns ...func(*endpoints.Options)) (endpoints.ResolvedEndpoint, error) {
 //	    if service == endpoints.S3ServiceID {
 //	        return endpoints.ResolvedEndpoint{

vendor/github.com/aws/aws-sdk-go/aws/endpoints/endpoints.go

@@ -353,9 +353,11 @@ type EnumPartitions interface {
 // as the second parameter.
 //
 // This example shows how  to get the regions for DynamoDB in the AWS partition.
+//
 //	rs, exists := endpoints.RegionsForService(endpoints.DefaultPartitions(), endpoints.AwsPartitionID, endpoints.DynamodbServiceID)
 //
 // This is equivalent to using the partition directly.
+//
 //	rs := endpoints.AwsPartition().Services()[endpoints.DynamodbServiceID].Regions()
 func RegionsForService(ps []Partition, partitionID, serviceID string) (map[string]Region, bool) {
 	for _, p := range ps {
@@ -423,8 +425,8 @@ func (p Partition) ID() string { return p.id }
 // of new regions and services expansions.
 //
 // Errors that can be returned.
-//   * UnknownServiceError
-//   * UnknownEndpointError
+//   - UnknownServiceError
+//   - UnknownEndpointError
 func (p Partition) EndpointFor(service, region string, opts ...func(*Options)) (ResolvedEndpoint, error) {
 	return p.p.EndpointFor(service, region, opts...)
 }

vendor/github.com/aws/aws-sdk-go/aws/session/session.go

@@ -174,7 +174,6 @@ const (
 
 // Options provides the means to control how a Session is created and what
 // configuration values will be loaded.
-//
 type Options struct {
 	// Provides config values for the SDK to use when creating service clients
 	// and making API requests to services. Any value set in with this field
@@ -224,7 +223,7 @@ type Options struct {
 	// from stdin for the MFA token code.
 	//
 	// This field is only used if the shared configuration is enabled, and
-	// the config enables assume role wit MFA via the mfa_serial field.
+	// the config enables assume role with MFA via the mfa_serial field.
 	AssumeRoleTokenProvider func() (string, error)
 
 	// When the SDK's shared config is configured to assume a role this option
@@ -780,16 +779,6 @@ func mergeConfigSrcs(cfg, userCfg *aws.Config,
 		cfg.EndpointResolver = wrapEC2IMDSEndpoint(cfg.EndpointResolver, ec2IMDSEndpoint, endpointMode)
 	}
 
-	// Configure credentials if not already set by the user when creating the
-	// Session.
-	if cfg.Credentials == credentials.AnonymousCredentials && userCfg.Credentials == nil {
-		creds, err := resolveCredentials(cfg, envCfg, sharedCfg, handlers, sessOpts)
-		if err != nil {
-			return err
-		}
-		cfg.Credentials = creds
-	}
-
 	cfg.S3UseARNRegion = userCfg.S3UseARNRegion
 	if cfg.S3UseARNRegion == nil {
 		cfg.S3UseARNRegion = &envCfg.S3UseARNRegion
@@ -812,6 +801,17 @@ func mergeConfigSrcs(cfg, userCfg *aws.Config,
 		}
 	}
 
+	// Configure credentials if not already set by the user when creating the Session.
+	// Credentials are resolved last such that all _resolved_ config values are propagated to credential providers.
+	// ticket: P83606045
+	if cfg.Credentials == credentials.AnonymousCredentials && userCfg.Credentials == nil {
+		creds, err := resolveCredentials(cfg, envCfg, sharedCfg, handlers, sessOpts)
+		if err != nil {
+			return err
+		}
+		cfg.Credentials = creds
+	}
+
 	return nil
 }
 

vendor/github.com/aws/aws-sdk-go/aws/version.go

@@ -5,4 +5,4 @@ package aws
 const SDKName = "aws-sdk-go"
 
 // SDKVersion is the version of this SDK
-const SDKVersion = "1.44.24"
+const SDKVersion = "1.44.253"

vendor/github.com/aws/aws-sdk-go/internal/shareddefaults/shared_config.go

@@ -1,9 +1,8 @@
 package shareddefaults
 
 import (
-	"os"
+	"os/user"
 	"path/filepath"
-	"runtime"
 )
 
 // SharedCredentialsFilename returns the SDK's default file path
@@ -31,10 +30,17 @@ func SharedConfigFilename() string {
 // UserHomeDir returns the home directory for the user the process is
 // running under.
 func UserHomeDir() string {
-	if runtime.GOOS == "windows" { // Windows
-		return os.Getenv("USERPROFILE")
+	var home string
+
+	home = userHomeDir()
+	if len(home) > 0 {
+		return home
 	}
 
-	// *nix
-	return os.Getenv("HOME")
+	currUser, _ := user.Current()
+	if currUser != nil {
+		home = currUser.HomeDir
+	}
+
+	return home
 }

vendor/github.com/aws/aws-sdk-go/internal/shareddefaults/shared_config_resolve_home.go

@@ -0,0 +1,18 @@
+//go:build !go1.12
+// +build !go1.12
+
+package shareddefaults
+
+import (
+	"os"
+	"runtime"
+)
+
+func userHomeDir() string {
+	if runtime.GOOS == "windows" { // Windows
+		return os.Getenv("USERPROFILE")
+	}
+
+	// *nix
+	return os.Getenv("HOME")
+}

vendor/github.com/aws/aws-sdk-go/internal/shareddefaults/shared_config_resolve_home_go1.12.go

@@ -0,0 +1,13 @@
+//go:build go1.12
+// +build go1.12
+
+package shareddefaults
+
+import (
+	"os"
+)
+
+func userHomeDir() string {
+	home, _ := os.UserHomeDir()
+	return home
+}

vendor/github.com/aws/aws-sdk-go/private/protocol/json/jsonutil/build.go

@@ -4,7 +4,6 @@ package jsonutil
 import (
 	"bytes"
 	"encoding/base64"
-	"encoding/json"
 	"fmt"
 	"math"
 	"reflect"
@@ -16,6 +15,12 @@ import (
 	"github.com/aws/aws-sdk-go/private/protocol"
 )
 
+const (
+	floatNaN    = "NaN"
+	floatInf    = "Infinity"
+	floatNegInf = "-Infinity"
+)
+
 var timeType = reflect.ValueOf(time.Time{}).Type()
 var byteSliceType = reflect.ValueOf([]byte{}).Type()
 
@@ -211,10 +216,16 @@ func buildScalar(v reflect.Value, buf *bytes.Buffer, tag reflect.StructTag) erro
 		buf.Write(strconv.AppendInt(scratch[:0], value.Int(), 10))
 	case reflect.Float64:
 		f := value.Float()
-		if math.IsInf(f, 0) || math.IsNaN(f) {
-			return &json.UnsupportedValueError{Value: v, Str: strconv.FormatFloat(f, 'f', -1, 64)}
-		}
+		switch {
+		case math.IsNaN(f):
+			writeString(floatNaN, buf)
+		case math.IsInf(f, 1):
+			writeString(floatInf, buf)
+		case math.IsInf(f, -1):
+			writeString(floatNegInf, buf)
+		default:
 			buf.Write(strconv.AppendFloat(scratch[:0], f, 'f', -1, 64))
+		}
 	default:
 		switch converted := value.Interface().(type) {
 		case time.Time:

vendor/github.com/aws/aws-sdk-go/private/protocol/json/jsonutil/unmarshal.go

@@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"math"
 	"math/big"
 	"reflect"
 	"strings"
@@ -258,6 +259,18 @@ func (u unmarshaler) unmarshalScalar(value reflect.Value, data interface{}, tag
 				return err
 			}
 			value.Set(reflect.ValueOf(v))
+		case *float64:
+			// These are regular strings when parsed by encoding/json's unmarshaler.
+			switch {
+			case strings.EqualFold(d, floatNaN):
+				value.Set(reflect.ValueOf(aws.Float64(math.NaN())))
+			case strings.EqualFold(d, floatInf):
+				value.Set(reflect.ValueOf(aws.Float64(math.Inf(1))))
+			case strings.EqualFold(d, floatNegInf):
+				value.Set(reflect.ValueOf(aws.Float64(math.Inf(-1))))
+			default:
+				return fmt.Errorf("unknown JSON number value: %s", d)
+			}
 		default:
 			return fmt.Errorf("unsupported value: %v (%s)", value.Interface(), value.Type())
 		}

vendor/github.com/aws/aws-sdk-go/private/protocol/jsonrpc/unmarshal_error.go

@@ -13,10 +13,17 @@ import (
 	"github.com/aws/aws-sdk-go/private/protocol/json/jsonutil"
 )
 
+const (
+	awsQueryError = "x-amzn-query-error"
+	// A valid header example - "x-amzn-query-error": "<QueryErrorCode>;<ErrorType>"
+	awsQueryErrorPartsCount = 2
+)
+
 // UnmarshalTypedError provides unmarshaling errors API response errors
 // for both typed and untyped errors.
 type UnmarshalTypedError struct {
 	exceptions      map[string]func(protocol.ResponseMetadata) error
+	queryExceptions map[string]func(protocol.ResponseMetadata, string) error
 }
 
 // NewUnmarshalTypedError returns an UnmarshalTypedError initialized for the
@@ -24,6 +31,28 @@ type UnmarshalTypedError struct {
 func NewUnmarshalTypedError(exceptions map[string]func(protocol.ResponseMetadata) error) *UnmarshalTypedError {
 	return &UnmarshalTypedError{
 		exceptions:      exceptions,
+		queryExceptions: map[string]func(protocol.ResponseMetadata, string) error{},
+	}
+}
+
+// NewUnmarshalTypedErrorWithOptions works similar to NewUnmarshalTypedError applying options to the UnmarshalTypedError
+// before returning it
+func NewUnmarshalTypedErrorWithOptions(exceptions map[string]func(protocol.ResponseMetadata) error, optFns ...func(*UnmarshalTypedError)) *UnmarshalTypedError {
+	unmarshaledError := NewUnmarshalTypedError(exceptions)
+	for _, fn := range optFns {
+		fn(unmarshaledError)
+	}
+	return unmarshaledError
+}
+
+// WithQueryCompatibility is a helper function to construct a functional option for use with NewUnmarshalTypedErrorWithOptions.
+// The queryExceptions given act as an override for unmarshalling errors when query compatible error codes are found.
+// See also [awsQueryCompatible trait]
+//
+// [awsQueryCompatible trait]: https://smithy.io/2.0/aws/protocols/aws-query-protocol.html#aws-protocols-awsquerycompatible-trait
+func WithQueryCompatibility(queryExceptions map[string]func(protocol.ResponseMetadata, string) error) func(*UnmarshalTypedError) {
+	return func(typedError *UnmarshalTypedError) {
+		typedError.queryExceptions = queryExceptions
 	}
 }
 
@@ -50,18 +79,32 @@ func (u *UnmarshalTypedError) UnmarshalError(
 	code := codeParts[len(codeParts)-1]
 	msg := jsonErr.Message
 
+	queryCodeParts := queryCodeParts(resp, u)
+
 	if fn, ok := u.exceptions[code]; ok {
-		// If exception code is know, use associated constructor to get a value
+		// If query-compatible exceptions are found and query-error-header is found,
+		// then use associated constructor to get exception with query error code.
+		//
+		// If exception code is known, use associated constructor to get a value
 		// for the exception that the JSON body can be unmarshaled into.
-		v := fn(respMeta)
+		var v error
+		queryErrFn, queryExceptionsFound := u.queryExceptions[code]
+		if len(queryCodeParts) == awsQueryErrorPartsCount && queryExceptionsFound {
+			v = queryErrFn(respMeta, queryCodeParts[0])
+		} else {
+			v = fn(respMeta)
+		}
 		err := jsonutil.UnmarshalJSONCaseInsensitive(v, body)
 		if err != nil {
 			return nil, err
 		}
-
 		return v, nil
 	}
 
+	if len(queryCodeParts) == awsQueryErrorPartsCount && len(u.queryExceptions) > 0 {
+		code = queryCodeParts[0]
+	}
+
 	// fallback to unmodeled generic exceptions
 	return awserr.NewRequestFailure(
 		awserr.New(code, msg, nil),
@@ -70,6 +113,16 @@ func (u *UnmarshalTypedError) UnmarshalError(
 	), nil
 }
 
+// A valid header example - "x-amzn-query-error": "<QueryErrorCode>;<ErrorType>"
+func queryCodeParts(resp *http.Response, u *UnmarshalTypedError) []string {
+	queryCodeHeader := resp.Header.Get(awsQueryError)
+	var queryCodeParts []string
+	if queryCodeHeader != "" && len(u.queryExceptions) > 0 {
+		queryCodeParts = strings.Split(queryCodeHeader, ";")
+	}
+	return queryCodeParts
+}
+
 // UnmarshalErrorHandler is a named request handler for unmarshaling jsonrpc
 // protocol request errors
 var UnmarshalErrorHandler = request.NamedHandler{

vendor/github.com/aws/aws-sdk-go/private/protocol/query/queryutil/queryutil.go

@@ -3,6 +3,7 @@ package queryutil
 import (
 	"encoding/base64"
 	"fmt"
+	"math"
 	"net/url"
 	"reflect"
 	"sort"
@@ -13,6 +14,12 @@ import (
 	"github.com/aws/aws-sdk-go/private/protocol"
 )
 
+const (
+	floatNaN    = "NaN"
+	floatInf    = "Infinity"
+	floatNegInf = "-Infinity"
+)
+
 // Parse parses an object i and fills a url.Values object. The isEC2 flag
 // indicates if this is the EC2 Query sub-protocol.
 func Parse(body url.Values, i interface{}, isEC2 bool) error {
@@ -228,9 +235,32 @@ func (q *queryParser) parseScalar(v url.Values, r reflect.Value, name string, ta
 	case int:
 		v.Set(name, strconv.Itoa(value))
 	case float64:
-		v.Set(name, strconv.FormatFloat(value, 'f', -1, 64))
+		var str string
+		switch {
+		case math.IsNaN(value):
+			str = floatNaN
+		case math.IsInf(value, 1):
+			str = floatInf
+		case math.IsInf(value, -1):
+			str = floatNegInf
+		default:
+			str = strconv.FormatFloat(value, 'f', -1, 64)
+		}
+		v.Set(name, str)
 	case float32:
-		v.Set(name, strconv.FormatFloat(float64(value), 'f', -1, 32))
+		asFloat64 := float64(value)
+		var str string
+		switch {
+		case math.IsNaN(asFloat64):
+			str = floatNaN
+		case math.IsInf(asFloat64, 1):
+			str = floatInf
+		case math.IsInf(asFloat64, -1):
+			str = floatNegInf
+		default:
+			str = strconv.FormatFloat(asFloat64, 'f', -1, 32)
+		}
+		v.Set(name, str)
 	case time.Time:
 		const ISO8601UTC = "2006-01-02T15:04:05Z"
 		format := tag.Get("timestampFormat")

vendor/github.com/aws/aws-sdk-go/private/protocol/query/unmarshal_error.go

@@ -3,6 +3,7 @@ package query
 import (
 	"encoding/xml"
 	"fmt"
+	"strings"
 
 	"github.com/aws/aws-sdk-go/aws/awserr"
 	"github.com/aws/aws-sdk-go/aws/request"
@@ -62,7 +63,7 @@ func UnmarshalError(r *request.Request) {
 	}
 
 	r.Error = awserr.NewRequestFailure(
-		awserr.New(respErr.Code, respErr.Message, nil),
+		awserr.New(strings.TrimSpace(respErr.Code), strings.TrimSpace(respErr.Message), nil),
 		r.HTTPResponse.StatusCode,
 		reqID,
 	)

vendor/github.com/aws/aws-sdk-go/private/protocol/rest/build.go

@@ -6,6 +6,7 @@ import (
 	"encoding/base64"
 	"fmt"
 	"io"
+	"math"
 	"net/http"
 	"net/url"
 	"path"
@@ -20,6 +21,12 @@ import (
 	"github.com/aws/aws-sdk-go/private/protocol"
 )
 
+const (
+	floatNaN    = "NaN"
+	floatInf    = "Infinity"
+	floatNegInf = "-Infinity"
+)
+
 // Whether the byte value can be sent without escaping in AWS URLs
 var noEscape [256]bool
 
@@ -302,7 +309,16 @@ func convertType(v reflect.Value, tag reflect.StructTag) (str string, err error)
 	case int64:
 		str = strconv.FormatInt(value, 10)
 	case float64:
+		switch {
+		case math.IsNaN(value):
+			str = floatNaN
+		case math.IsInf(value, 1):
+			str = floatInf
+		case math.IsInf(value, -1):
+			str = floatNegInf
+		default:
 			str = strconv.FormatFloat(value, 'f', -1, 64)
+		}
 	case time.Time:
 		format := tag.Get("timestampFormat")
 		if len(format) == 0 {

vendor/github.com/aws/aws-sdk-go/private/protocol/rest/unmarshal.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"io"
 	"io/ioutil"
+	"math"
 	"net/http"
 	"reflect"
 	"strconv"
@@ -231,10 +232,21 @@ func unmarshalHeader(v reflect.Value, header string, tag reflect.StructTag) erro
 		}
 		v.Set(reflect.ValueOf(&i))
 	case *float64:
-		f, err := strconv.ParseFloat(header, 64)
+		var f float64
+		switch {
+		case strings.EqualFold(header, floatNaN):
+			f = math.NaN()
+		case strings.EqualFold(header, floatInf):
+			f = math.Inf(1)
+		case strings.EqualFold(header, floatNegInf):
+			f = math.Inf(-1)
+		default:
+			var err error
+			f, err = strconv.ParseFloat(header, 64)
 			if err != nil {
 				return err
 			}
+		}
 		v.Set(reflect.ValueOf(&f))
 	case *time.Time:
 		format := tag.Get("timestampFormat")

vendor/github.com/aws/aws-sdk-go/private/protocol/restjson/unmarshal_error.go

@@ -45,7 +45,7 @@ func (u *UnmarshalTypedError) UnmarshalError(
 	msg := resp.Header.Get(errorMessageHeader)
 
 	body := resp.Body
-	if len(code) == 0 {
+	if len(code) == 0 || len(msg) == 0 {
 		// If unable to get code from HTTP headers have to parse JSON message
 		// to determine what kind of exception this will be.
 		var buf bytes.Buffer
@@ -57,7 +57,9 @@ func (u *UnmarshalTypedError) UnmarshalError(
 		}
 
 		body = ioutil.NopCloser(&buf)
+		if len(code) == 0 {
 			code = jsonErr.Code
+		}
 		msg = jsonErr.Message
 	}
 

vendor/github.com/aws/aws-sdk-go/private/protocol/xml/xmlutil/build.go

@@ -5,6 +5,7 @@ import (
 	"encoding/base64"
 	"encoding/xml"
 	"fmt"
+	"math"
 	"reflect"
 	"sort"
 	"strconv"
@@ -14,6 +15,12 @@ import (
 	"github.com/aws/aws-sdk-go/private/protocol"
 )
 
+const (
+	floatNaN    = "NaN"
+	floatInf    = "Infinity"
+	floatNegInf = "-Infinity"
+)
+
 // BuildXML will serialize params into an xml.Encoder. Error will be returned
 // if the serialization of any of the params or nested values fails.
 func BuildXML(params interface{}, e *xml.Encoder) error {
@@ -275,6 +282,7 @@ func (b *xmlBuilder) buildMap(value reflect.Value, current *XMLNode, tag reflect
 // Error will be returned if the value type is unsupported.
 func (b *xmlBuilder) buildScalar(value reflect.Value, current *XMLNode, tag reflect.StructTag) error {
 	var str string
+
 	switch converted := value.Interface().(type) {
 	case string:
 		str = converted
@@ -289,9 +297,29 @@ func (b *xmlBuilder) buildScalar(value reflect.Value, current *XMLNode, tag refl
 	case int:
 		str = strconv.Itoa(converted)
 	case float64:
+		switch {
+		case math.IsNaN(converted):
+			str = floatNaN
+		case math.IsInf(converted, 1):
+			str = floatInf
+		case math.IsInf(converted, -1):
+			str = floatNegInf
+		default:
 			str = strconv.FormatFloat(converted, 'f', -1, 64)
+		}
 	case float32:
-		str = strconv.FormatFloat(float64(converted), 'f', -1, 32)
+		// The SDK doesn't render float32 values in types, only float64. This case would never be hit currently.
+		asFloat64 := float64(converted)
+		switch {
+		case math.IsNaN(asFloat64):
+			str = floatNaN
+		case math.IsInf(asFloat64, 1):
+			str = floatInf
+		case math.IsInf(asFloat64, -1):
+			str = floatNegInf
+		default:
+			str = strconv.FormatFloat(asFloat64, 'f', -1, 32)
+		}
 	case time.Time:
 		format := tag.Get("timestampFormat")
 		if len(format) == 0 {

vendor/github.com/aws/aws-sdk-go/private/protocol/xml/xmlutil/unmarshal.go

@@ -6,6 +6,7 @@ import (
 	"encoding/xml"
 	"fmt"
 	"io"
+	"math"
 	"reflect"
 	"strconv"
 	"strings"
@@ -276,10 +277,21 @@ func parseScalar(r reflect.Value, node *XMLNode, tag reflect.StructTag) error {
 		}
 		r.Set(reflect.ValueOf(&v))
 	case *float64:
-		v, err := strconv.ParseFloat(node.Text, 64)
+		var v float64
+		switch {
+		case strings.EqualFold(node.Text, floatNaN):
+			v = math.NaN()
+		case strings.EqualFold(node.Text, floatInf):
+			v = math.Inf(1)
+		case strings.EqualFold(node.Text, floatNegInf):
+			v = math.Inf(-1)
+		default:
+			var err error
+			v, err = strconv.ParseFloat(node.Text, 64)
 			if err != nil {
 				return err
 			}
+		}
 		r.Set(reflect.ValueOf(&v))
 	case *time.Time:
 		format := tag.Get("timestampFormat")

vendor/github.com/aws/aws-sdk-go/service/s3/doc.go

@@ -8,7 +8,7 @@
 // See s3 package documentation for more information.
 // https://docs.aws.amazon.com/sdk-for-go/api/service/s3/
 //
-// Using the Client
+// # Using the Client
 //
 // To contact Amazon Simple Storage Service with the SDK use the New function to create
 // a new service client. With that client you can make API requests to the service.

vendor/github.com/aws/aws-sdk-go/service/s3/doc_custom.go

@@ -31,7 +31,7 @@
 // See the s3manager package's Uploader type documentation for more information.
 // https://docs.aws.amazon.com/sdk-for-go/api/service/s3/s3manager/#Uploader
 //
-// Download Manager
+// # Download Manager
 //
 // The s3manager package's Downloader provides concurrently downloading of Objects
 // from S3. The Downloader will write S3 Object content with an io.WriterAt.
@@ -63,7 +63,7 @@
 // See the s3manager package's Downloader type documentation for more information.
 // https://docs.aws.amazon.com/sdk-for-go/api/service/s3/s3manager/#Downloader
 //
-// Automatic URI cleaning
+// # Automatic URI cleaning
 //
 // Interacting with objects whose keys contain adjacent slashes (e.g. bucketname/foo//bar/objectname)
 // requires setting DisableRestProtocolURICleaning to true in the aws.Config struct
@@ -77,7 +77,7 @@
 //	    	Key: aws.String("//foo//bar//moo"),
 //	})
 //
-// Get Bucket Region
+// # Get Bucket Region
 //
 // GetBucketRegion will attempt to get the region for a bucket using a region
 // hint to determine which AWS partition to perform the query on. Use this utility
@@ -98,7 +98,7 @@
 // See the s3manager package's GetBucketRegion function documentation for more information
 // https://docs.aws.amazon.com/sdk-for-go/api/service/s3/s3manager/#GetBucketRegion
 //
-// S3 Crypto Client
+// # S3 Crypto Client
 //
 // The s3crypto package provides the tools to upload and download encrypted
 // content from S3. The Encryption and Decryption clients can be used concurrently
@@ -106,5 +106,4 @@
 //
 // See the s3crypto package documentation for more information.
 // https://docs.aws.amazon.com/sdk-for-go/api/service/s3/s3crypto/
-//
 package s3

vendor/github.com/aws/aws-sdk-go/service/s3/endpoint.go

@@ -54,7 +54,6 @@ func accessPointResourceParser(a awsarn.ARN) (arn.Resource, error) {
 // Supported Outpost AccessPoint ARN format:
 //   - ARN format: arn:{partition}:s3-outposts:{region}:{accountId}:outpost/{outpostId}/accesspoint/{accesspointName}
 //   - example: arn:aws:s3-outposts:us-west-2:012345678901:outpost/op-1234567890123456/accesspoint/myaccesspoint
-//
 func parseOutpostAccessPointResource(a awsarn.ARN, resParts []string) (arn.OutpostAccessPointARN, error) {
 	// outpost accesspoint arn is only valid if service is s3-outposts
 	if a.Service != "s3-outposts" {

vendor/github.com/aws/aws-sdk-go/service/s3/endpoint_builder.go

@@ -37,7 +37,6 @@ type accessPointEndpointBuilder arn.AccessPointARN
 // - example : myaccesspoint-012345678901.s3-accesspoint.us-west-2.amazonaws.com
 //
 // Access Point Endpoint requests are signed using "s3" as signing name.
-//
 func (a accessPointEndpointBuilder) build(req *request.Request) error {
 	resolveService := arn.AccessPointARN(a).Service
 	resolveRegion := arn.AccessPointARN(a).Region
@@ -92,7 +91,6 @@ type s3ObjectLambdaAccessPointEndpointBuilder arn.S3ObjectLambdaAccessPointARN
 // - example : myaccesspoint-012345678901.s3-object-lambda.us-west-2.amazonaws.com
 //
 // Access Point Endpoint requests are signed using "s3-object-lambda" as signing name.
-//
 func (a s3ObjectLambdaAccessPointEndpointBuilder) build(req *request.Request) error {
 	resolveRegion := arn.S3ObjectLambdaAccessPointARN(a).Region
 
@@ -147,7 +145,6 @@ type outpostAccessPointEndpointBuilder arn.OutpostAccessPointARN
 // - example : myaccesspoint-012345678901.op-01234567890123456.s3-outposts.us-west-2.amazonaws.com
 //
 // Outpost AccessPoint Endpoint request are signed using "s3-outposts" as signing name.
-//
 func (o outpostAccessPointEndpointBuilder) build(req *request.Request) error {
 	resolveRegion := o.Region
 	resolveService := o.Service

vendor/github.com/aws/aws-sdk-go/service/s3/platform_handlers_go1.6.go

@@ -25,5 +25,5 @@ func add100Continue(r *request.Request) {
 		return
 	}
 
-	r.HTTPRequest.Header.Set("Expect", "100-Continue")
+	r.HTTPRequest.Header.Set("Expect", "100-continue")
 }

vendor/github.com/aws/aws-sdk-go/service/s3/s3manager/batch.go

@@ -112,6 +112,7 @@ type BatchDeleteIterator interface {
 // iterate through a list of objects and delete the objects.
 //
 // Example:
+//
 //	iter := &s3manager.DeleteListIterator{
 //		Client: svc,
 //		Input: &s3.ListObjectsInput{
@@ -203,6 +204,7 @@ type BatchDelete struct {
 // objects.
 //
 // Example:
+//
 //	batcher := s3manager.NewBatchDeleteWithClient(client, size)
 //
 //	objects := []BatchDeleteObject{
@@ -236,6 +238,7 @@ func NewBatchDeleteWithClient(client s3iface.S3API, options ...func(*BatchDelete
 // objects.
 //
 // Example:
+//
 //	batcher := s3manager.NewBatchDelete(sess, size)
 //
 //	objects := []BatchDeleteObject{

vendor/github.com/aws/aws-sdk-go/service/s3/s3manager/download.go

@@ -86,6 +86,7 @@ func WithDownloaderRequestOptions(opts ...request.Option) func(*Downloader) {
 // interface.
 //
 // Example:
+//
 //	// The session the S3 Downloader will use
 //	sess := session.Must(session.NewSession())
 //
@@ -120,6 +121,7 @@ func newDownloader(client s3iface.S3API, options ...func(*Downloader)) *Download
 // to make S3 API calls.
 //
 // Example:
+//
 //	// The session the S3 Downloader will use
 //	sess := session.Must(session.NewSession())
 //
@@ -223,6 +225,7 @@ func (d Downloader) DownloadWithContext(ctx aws.Context, w io.WriterAt, input *s
 // to the io.WriterAt specificed in the iterator.
 //
 // Example:
+//
 //	svc := s3manager.NewDownloader(session)
 //
 //	fooFile, err := os.Open("/tmp/foo.file")
@@ -464,7 +467,11 @@ func (d *downloader) tryDownloadChunk(in *s3.GetObjectInput, w io.Writer) (int64
 	}
 	d.setTotalBytes(resp) // Set total if not yet set.
 
-	n, err := io.Copy(w, resp.Body)
+	var src io.Reader = resp.Body
+	if d.cfg.BufferProvider != nil {
+		src = &suppressWriterAt{suppressed: src}
+	}
+	n, err := io.Copy(w, src)
 	resp.Body.Close()
 	if err != nil {
 		return n, &errReadingBody{err: err}

vendor/github.com/aws/aws-sdk-go/service/s3/s3manager/upload.go

@@ -51,7 +51,6 @@ const DefaultUploadConcurrency = 5
 //	        fmt.Println("Error:", err.Error())
 //	    }
 //	}
-//
 type MultiUploadFailure interface {
 	awserr.Error
 
@@ -77,7 +76,7 @@ type multiUploadError struct {
 
 // Error returns the string representation of the error.
 //
-// See apierr.BaseError ErrorWithExtra for output format
+// # See apierr.BaseError ErrorWithExtra for output format
 //
 // Satisfies the error interface.
 func (m multiUploadError) Error() string {
@@ -187,6 +186,7 @@ type Uploader struct {
 // satisfies the client.ConfigProvider interface.
 //
 // Example:
+//
 //	// The session the S3 Uploader will use
 //	sess := session.Must(session.NewSession())
 //
@@ -225,6 +225,7 @@ func newUploader(client s3iface.S3API, options ...func(*Uploader)) *Uploader {
 // a S3 service client to make S3 API calls.
 //
 // Example:
+//
 //	// The session the S3 Uploader will use
 //	sess := session.Must(session.NewSession())
 //
@@ -256,6 +257,7 @@ func NewUploaderWithClient(svc s3iface.S3API, options ...func(*Uploader)) *Uploa
 // It is safe to call this method concurrently across goroutines.
 //
 // Example:
+//
 //	// Upload input parameters
 //	upParams := &s3manager.UploadInput{
 //	    Bucket: &bucketName,
@@ -310,6 +312,7 @@ func (u Uploader) UploadWithContext(ctx aws.Context, input *UploadInput, opts ..
 // allows for custom defined functionality.
 //
 // Example:
+//
 //	svc:= s3manager.NewUploader(sess)
 //
 //	objects := []BatchUploadObject{

vendor/github.com/aws/aws-sdk-go/service/s3/s3manager/writer_read_from.go

@@ -73,3 +73,11 @@ func (p *PooledBufferedReadFromProvider) GetReadFrom(writer io.Writer) (r Writer
 	}
 	return r, cleanup
 }
+
+type suppressWriterAt struct {
+	suppressed io.Reader
+}
+
+func (s *suppressWriterAt) Read(p []byte) (n int, err error) {
+	return s.suppressed.Read(p)
+}

vendor/github.com/aws/aws-sdk-go/service/s3/service.go

@@ -39,6 +39,7 @@ const (
 // aws.Config parameter to add your extra config.
 //
 // Example:
+//
 //	mySession := session.Must(session.NewSession())
 //
 //	// Create a S3 client from just a session.

vendor/github.com/aws/aws-sdk-go/service/sso/api.go

@@ -29,7 +29,6 @@ const opGetRoleCredentials = "GetRoleCredentials"
 // This method is useful when you want to inject custom logic or configuration
 // into the SDK's request lifecycle. Such as custom headers, or retry logic.
 //
-//
 //	// Example sending a request using the GetRoleCredentialsRequest method.
 //	req, resp := client.GetRoleCredentialsRequest(params)
 //
@@ -69,19 +68,20 @@ func (c *SSO) GetRoleCredentialsRequest(input *GetRoleCredentialsInput) (req *re
 // API operation GetRoleCredentials for usage and error information.
 //
 // Returned Error Types:
-//   * InvalidRequestException
+//
+//   - InvalidRequestException
 //     Indicates that a problem occurred with the input to the request. For example,
 //     a required parameter might be missing or out of range.
 //
-//   * UnauthorizedException
+//   - UnauthorizedException
 //     Indicates that the request is not authorized. This can happen due to an invalid
 //     access token in the request.
 //
-//   * TooManyRequestsException
+//   - TooManyRequestsException
 //     Indicates that the request is being made too frequently and is more than
 //     what the server can handle.
 //
-//   * ResourceNotFoundException
+//   - ResourceNotFoundException
 //     The specified resource doesn't exist.
 //
 // See also, https://docs.aws.amazon.com/goto/WebAPI/sso-2019-06-10/GetRoleCredentials
@@ -122,7 +122,6 @@ const opListAccountRoles = "ListAccountRoles"
 // This method is useful when you want to inject custom logic or configuration
 // into the SDK's request lifecycle. Such as custom headers, or retry logic.
 //
-//
 //	// Example sending a request using the ListAccountRolesRequest method.
 //	req, resp := client.ListAccountRolesRequest(params)
 //
@@ -167,19 +166,20 @@ func (c *SSO) ListAccountRolesRequest(input *ListAccountRolesInput) (req *reques
 // API operation ListAccountRoles for usage and error information.
 //
 // Returned Error Types:
-//   * InvalidRequestException
+//
+//   - InvalidRequestException
 //     Indicates that a problem occurred with the input to the request. For example,
 //     a required parameter might be missing or out of range.
 //
-//   * UnauthorizedException
+//   - UnauthorizedException
 //     Indicates that the request is not authorized. This can happen due to an invalid
 //     access token in the request.
 //
-//   * TooManyRequestsException
+//   - TooManyRequestsException
 //     Indicates that the request is being made too frequently and is more than
 //     what the server can handle.
 //
-//   * ResourceNotFoundException
+//   - ResourceNotFoundException
 //     The specified resource doesn't exist.
 //
 // See also, https://docs.aws.amazon.com/goto/WebAPI/sso-2019-06-10/ListAccountRoles
@@ -220,7 +220,6 @@ func (c *SSO) ListAccountRolesWithContext(ctx aws.Context, input *ListAccountRol
 //	        fmt.Println(page)
 //	        return pageNum <= 3
 //	    })
-//
 func (c *SSO) ListAccountRolesPages(input *ListAccountRolesInput, fn func(*ListAccountRolesOutput, bool) bool) error {
 	return c.ListAccountRolesPagesWithContext(aws.BackgroundContext(), input, fn)
 }
@@ -272,7 +271,6 @@ const opListAccounts = "ListAccounts"
 // This method is useful when you want to inject custom logic or configuration
 // into the SDK's request lifecycle. Such as custom headers, or retry logic.
 //
-//
 //	// Example sending a request using the ListAccountsRequest method.
 //	req, resp := client.ListAccountsRequest(params)
 //
@@ -310,7 +308,8 @@ func (c *SSO) ListAccountsRequest(input *ListAccountsInput) (req *request.Reques
 // Lists all AWS accounts assigned to the user. These AWS accounts are assigned
 // by the administrator of the account. For more information, see Assign User
 // Access (https://docs.aws.amazon.com/singlesignon/latest/userguide/useraccess.html#assignusers)
-// in the AWS SSO User Guide. This operation returns a paginated response.
+// in the IAM Identity Center User Guide. This operation returns a paginated
+// response.
 //
 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
 // with awserr.Error's Code and Message methods to get detailed information about
@@ -320,19 +319,20 @@ func (c *SSO) ListAccountsRequest(input *ListAccountsInput) (req *request.Reques
 // API operation ListAccounts for usage and error information.
 //
 // Returned Error Types:
-//   * InvalidRequestException
+//
+//   - InvalidRequestException
 //     Indicates that a problem occurred with the input to the request. For example,
 //     a required parameter might be missing or out of range.
 //
-//   * UnauthorizedException
+//   - UnauthorizedException
 //     Indicates that the request is not authorized. This can happen due to an invalid
 //     access token in the request.
 //
-//   * TooManyRequestsException
+//   - TooManyRequestsException
 //     Indicates that the request is being made too frequently and is more than
 //     what the server can handle.
 //
-//   * ResourceNotFoundException
+//   - ResourceNotFoundException
 //     The specified resource doesn't exist.
 //
 // See also, https://docs.aws.amazon.com/goto/WebAPI/sso-2019-06-10/ListAccounts
@@ -373,7 +373,6 @@ func (c *SSO) ListAccountsWithContext(ctx aws.Context, input *ListAccountsInput,
 //	        fmt.Println(page)
 //	        return pageNum <= 3
 //	    })
-//
 func (c *SSO) ListAccountsPages(input *ListAccountsInput, fn func(*ListAccountsOutput, bool) bool) error {
 	return c.ListAccountsPagesWithContext(aws.BackgroundContext(), input, fn)
 }
@@ -425,7 +424,6 @@ const opLogout = "Logout"
 // This method is useful when you want to inject custom logic or configuration
 // into the SDK's request lifecycle. Such as custom headers, or retry logic.
 //
-//
 //	// Example sending a request using the LogoutRequest method.
 //	req, resp := client.LogoutRequest(params)
 //
@@ -455,7 +453,21 @@ func (c *SSO) LogoutRequest(input *LogoutInput) (req *request.Request, output *L
 
 // Logout API operation for AWS Single Sign-On.
 //
-// Removes the client- and server-side session that is associated with the user.
+// Removes the locally stored SSO tokens from the client-side cache and sends
+// an API call to the IAM Identity Center service to invalidate the corresponding
+// server-side IAM Identity Center sign in session.
+//
+// If a user uses IAM Identity Center to access the AWS CLI, the user’s IAM
+// Identity Center sign in session is used to obtain an IAM session, as specified
+// in the corresponding IAM Identity Center permission set. More specifically,
+// IAM Identity Center assumes an IAM role in the target account on behalf of
+// the user, and the corresponding temporary AWS credentials are returned to
+// the client.
+//
+// After user logout, any existing IAM role sessions that were created by using
+// IAM Identity Center permission sets continue based on the duration configured
+// in the permission set. For more information, see User authentications (https://docs.aws.amazon.com/singlesignon/latest/userguide/authconcept.html)
+// in the IAM Identity Center User Guide.
 //
 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
 // with awserr.Error's Code and Message methods to get detailed information about
@@ -465,15 +477,16 @@ func (c *SSO) LogoutRequest(input *LogoutInput) (req *request.Request, output *L
 // API operation Logout for usage and error information.
 //
 // Returned Error Types:
-//   * InvalidRequestException
+//
+//   - InvalidRequestException
 //     Indicates that a problem occurred with the input to the request. For example,
 //     a required parameter might be missing or out of range.
 //
-//   * UnauthorizedException
+//   - UnauthorizedException
 //     Indicates that the request is not authorized. This can happen due to an invalid
 //     access token in the request.
 //
-//   * TooManyRequestsException
+//   - TooManyRequestsException
 //     Indicates that the request is being made too frequently and is more than
 //     what the server can handle.
 //
@@ -554,7 +567,7 @@ type GetRoleCredentialsInput struct {
 
 	// The token issued by the CreateToken API call. For more information, see CreateToken
 	// (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/API_CreateToken.html)
-	// in the AWS SSO OIDC API Reference Guide.
+	// in the IAM Identity Center OIDC API Reference Guide.
 	//
 	// AccessToken is a sensitive parameter and its value will be
 	// replaced with "sensitive" in string returned by GetRoleCredentialsInput's
@@ -730,7 +743,7 @@ type ListAccountRolesInput struct {
 
 	// The token issued by the CreateToken API call. For more information, see CreateToken
 	// (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/API_CreateToken.html)
-	// in the AWS SSO OIDC API Reference Guide.
+	// in the IAM Identity Center OIDC API Reference Guide.
 	//
 	// AccessToken is a sensitive parameter and its value will be
 	// replaced with "sensitive" in string returned by ListAccountRolesInput's
@@ -859,7 +872,7 @@ type ListAccountsInput struct {
 
 	// The token issued by the CreateToken API call. For more information, see CreateToken
 	// (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/API_CreateToken.html)
-	// in the AWS SSO OIDC API Reference Guide.
+	// in the IAM Identity Center OIDC API Reference Guide.
 	//
 	// AccessToken is a sensitive parameter and its value will be
 	// replaced with "sensitive" in string returned by ListAccountsInput's
@@ -974,7 +987,7 @@ type LogoutInput struct {
 
 	// The token issued by the CreateToken API call. For more information, see CreateToken
 	// (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/API_CreateToken.html)
-	// in the AWS SSO OIDC API Reference Guide.
+	// in the IAM Identity Center OIDC API Reference Guide.
 	//
 	// AccessToken is a sensitive parameter and its value will be
 	// replaced with "sensitive" in string returned by LogoutInput's

vendor/github.com/aws/aws-sdk-go/service/sso/doc.go

@@ -3,30 +3,31 @@
 // Package sso provides the client and types for making API
 // requests to AWS Single Sign-On.
 //
-// AWS Single Sign-On Portal is a web service that makes it easy for you to
-// assign user access to AWS SSO resources such as the user portal. Users can
-// get AWS account applications and roles assigned to them and get federated
-// into the application.
+// AWS IAM Identity Center (successor to AWS Single Sign-On) Portal is a web
+// service that makes it easy for you to assign user access to IAM Identity
+// Center resources such as the AWS access portal. Users can get AWS account
+// applications and roles assigned to them and get federated into the application.
 //
-// For general information about AWS SSO, see What is AWS Single Sign-On? (https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html)
-// in the AWS SSO User Guide.
+// Although AWS Single Sign-On was renamed, the sso and identitystore API namespaces
+// will continue to retain their original name for backward compatibility purposes.
+// For more information, see IAM Identity Center rename (https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html#renamed).
 //
-// This API reference guide describes the AWS SSO Portal operations that you
-// can call programatically and includes detailed information on data types
-// and errors.
+// This reference guide describes the IAM Identity Center Portal operations
+// that you can call programatically and includes detailed information on data
+// types and errors.
 //
 // AWS provides SDKs that consist of libraries and sample code for various programming
 // languages and platforms, such as Java, Ruby, .Net, iOS, or Android. The SDKs
-// provide a convenient way to create programmatic access to AWS SSO and other
-// AWS services. For more information about the AWS SDKs, including how to download
-// and install them, see Tools for Amazon Web Services (http://aws.amazon.com/tools/).
+// provide a convenient way to create programmatic access to IAM Identity Center
+// and other AWS services. For more information about the AWS SDKs, including
+// how to download and install them, see Tools for Amazon Web Services (http://aws.amazon.com/tools/).
 //
 // See https://docs.aws.amazon.com/goto/WebAPI/sso-2019-06-10 for more information on this service.
 //
 // See sso package documentation for more information.
 // https://docs.aws.amazon.com/sdk-for-go/api/service/sso/
 //
-// Using the Client
+// # Using the Client
 //
 // To contact AWS Single Sign-On with the SDK use the New function to create
 // a new service client. With that client you can make API requests to the service.

vendor/github.com/aws/aws-sdk-go/service/sso/service.go

@@ -40,6 +40,7 @@ const (
 // aws.Config parameter to add your extra config.
 //
 // Example:
+//
 //	mySession := session.Must(session.NewSession())
 //
 //	// Create a SSO client from just a session.

vendor/github.com/aws/aws-sdk-go/service/sts/api.go

@@ -28,7 +28,6 @@ const opAssumeRole = "AssumeRole"
 // This method is useful when you want to inject custom logic or configuration
 // into the SDK's request lifecycle. Such as custom headers, or retry logic.
 //
-//
 //	// Example sending a request using the AssumeRoleRequest method.
 //	req, resp := client.AssumeRoleRequest(params)
 //
@@ -57,16 +56,15 @@ func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, o
 // AssumeRole API operation for AWS Security Token Service.
 //
 // Returns a set of temporary security credentials that you can use to access
-// Amazon Web Services resources that you might not normally have access to.
-// These temporary credentials consist of an access key ID, a secret access
-// key, and a security token. Typically, you use AssumeRole within your account
-// or for cross-account access. For a comparison of AssumeRole with other API
-// operations that produce temporary credentials, see Requesting Temporary Security
-// Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
+// Amazon Web Services resources. These temporary credentials consist of an
+// access key ID, a secret access key, and a security token. Typically, you
+// use AssumeRole within your account or for cross-account access. For a comparison
+// of AssumeRole with other API operations that produce temporary credentials,
+// see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
 // and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
 // in the IAM User Guide.
 //
-// Permissions
+// # Permissions
 //
 // The temporary security credentials created by AssumeRole can be used to make
 // API calls to any Amazon Web Services service with the following exception:
@@ -75,16 +73,16 @@ func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, o
 //
 // (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
 // to this operation. You can pass a single JSON policy document to use as an
-// inline session policy. You can also specify up to 10 managed policies to
-// use as managed session policies. The plaintext that you use for both inline
-// and managed session policies can't exceed 2,048 characters. Passing policies
-// to this operation returns new temporary credentials. The resulting session's
-// permissions are the intersection of the role's identity-based policy and
-// the session policies. You can use the role's temporary credentials in subsequent
-// Amazon Web Services API calls to access resources in the account that owns
-// the role. You cannot use session policies to grant more permissions than
-// those allowed by the identity-based policy of the role that is being assumed.
-// For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
+// inline session policy. You can also specify up to 10 managed policy Amazon
+// Resource Names (ARNs) to use as managed session policies. The plaintext that
+// you use for both inline and managed session policies can't exceed 2,048 characters.
+// Passing policies to this operation returns new temporary credentials. The
+// resulting session's permissions are the intersection of the role's identity-based
+// policy and the session policies. You can use the role's temporary credentials
+// in subsequent Amazon Web Services API calls to access resources in the account
+// that owns the role. You cannot use session policies to grant more permissions
+// than those allowed by the identity-based policy of the role that is being
+// assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
 // in the IAM User Guide.
 //
 // When you create a role, you create two policies: A role trust policy that
@@ -105,10 +103,10 @@ func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, o
 // To allow a user to assume a role in the same account, you can do either of
 // the following:
 //
-//    * Attach a policy to the user that allows the user to call AssumeRole
+//   - Attach a policy to the user that allows the user to call AssumeRole
 //     (as long as the role's trust policy trusts the account).
 //
-//    * Add the user as a principal directly in the role's trust policy.
+//   - Add the user as a principal directly in the role's trust policy.
 //
 // You can do either because the role’s trust policy acts as an IAM resource-based
 // policy. When a resource-based policy grants access to a principal in the
@@ -116,7 +114,7 @@ func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, o
 // about trust policies and resource-based policies, see IAM Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)
 // in the IAM User Guide.
 //
-// Tags
+// # Tags
 //
 // (Optional) You can pass tag key-value pairs to your session. These tags are
 // called session tags. For more information about session tags, see Passing
@@ -134,7 +132,7 @@ func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, o
 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
 // in the IAM User Guide.
 //
-// Using MFA with AssumeRole
+// # Using MFA with AssumeRole
 //
 // (Optional) You can include multi-factor authentication (MFA) information
 // when you call AssumeRole. This is useful for cross-account scenarios to ensure
@@ -163,11 +161,12 @@ func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, o
 // API operation AssumeRole for usage and error information.
 //
 // Returned Error Codes:
-//   * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument"
+//
+//   - ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument"
 //     The request was rejected because the policy document was malformed. The error
 //     message describes the specific error.
 //
-//   * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge"
+//   - ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge"
 //     The request was rejected because the total packed size of the session policies
 //     and session tags combined was too large. An Amazon Web Services conversion
 //     compresses the session policy document, session policy ARNs, and session
@@ -181,7 +180,7 @@ func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, o
 //     Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length)
 //     in the IAM User Guide.
 //
-//   * ErrCodeRegionDisabledException "RegionDisabledException"
+//   - ErrCodeRegionDisabledException "RegionDisabledException"
 //     STS is not activated in the requested region for the account that is being
 //     asked to generate credentials. The account administrator must use the IAM
 //     console to activate STS in that region. For more information, see Activating
@@ -189,7 +188,7 @@ func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, o
 //     (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
 //     in the IAM User Guide.
 //
-//   * ErrCodeExpiredTokenException "ExpiredTokenException"
+//   - ErrCodeExpiredTokenException "ExpiredTokenException"
 //     The web identity token that was passed is expired or is not valid. Get a
 //     new identity token from the identity provider and then retry the request.
 //
@@ -231,7 +230,6 @@ const opAssumeRoleWithSAML = "AssumeRoleWithSAML"
 // This method is useful when you want to inject custom logic or configuration
 // into the SDK's request lifecycle. Such as custom headers, or retry logic.
 //
-//
 //	// Example sending a request using the AssumeRoleWithSAMLRequest method.
 //	req, resp := client.AssumeRoleWithSAMLRequest(params)
 //
@@ -274,7 +272,7 @@ func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *re
 // can use these temporary security credentials to sign calls to Amazon Web
 // Services services.
 //
-// Session Duration
+// # Session Duration
 //
 // By default, the temporary security credentials created by AssumeRoleWithSAML
 // last for one hour. However, you can use the optional DurationSeconds parameter
@@ -300,7 +298,7 @@ func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *re
 // a role using role chaining and provide a DurationSeconds parameter value
 // greater than one hour, the operation fails.
 //
-// Permissions
+// # Permissions
 //
 // The temporary security credentials created by AssumeRoleWithSAML can be used
 // to make API calls to any Amazon Web Services service with the following exception:
@@ -308,16 +306,16 @@ func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *re
 //
 // (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
 // to this operation. You can pass a single JSON policy document to use as an
-// inline session policy. You can also specify up to 10 managed policies to
-// use as managed session policies. The plaintext that you use for both inline
-// and managed session policies can't exceed 2,048 characters. Passing policies
-// to this operation returns new temporary credentials. The resulting session's
-// permissions are the intersection of the role's identity-based policy and
-// the session policies. You can use the role's temporary credentials in subsequent
-// Amazon Web Services API calls to access resources in the account that owns
-// the role. You cannot use session policies to grant more permissions than
-// those allowed by the identity-based policy of the role that is being assumed.
-// For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
+// inline session policy. You can also specify up to 10 managed policy Amazon
+// Resource Names (ARNs) to use as managed session policies. The plaintext that
+// you use for both inline and managed session policies can't exceed 2,048 characters.
+// Passing policies to this operation returns new temporary credentials. The
+// resulting session's permissions are the intersection of the role's identity-based
+// policy and the session policies. You can use the role's temporary credentials
+// in subsequent Amazon Web Services API calls to access resources in the account
+// that owns the role. You cannot use session policies to grant more permissions
+// than those allowed by the identity-based policy of the role that is being
+// assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
 // in the IAM User Guide.
 //
 // Calling AssumeRoleWithSAML does not require the use of Amazon Web Services
@@ -331,7 +329,7 @@ func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *re
 // identifiable information (PII). For example, you could instead use the persistent
 // identifier (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent).
 //
-// Tags
+// # Tags
 //
 // (Optional) You can configure your IdP to pass attributes into your SAML assertion
 // as session tags. Each session tag consists of a key name and an associated
@@ -344,11 +342,12 @@ func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *re
 // and additional limits, see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
 // in the IAM User Guide.
 //
-// An Amazon Web Services conversion compresses the passed session policies
-// and session tags into a packed binary format that has a separate limit. Your
-// request can fail for this limit even if your plaintext meets the other requirements.
-// The PackedPolicySize response element indicates by percentage how close the
-// policies and tags for your request are to the upper size limit.
+// An Amazon Web Services conversion compresses the passed inline session policy,
+// managed policy ARNs, and session tags into a packed binary format that has
+// a separate limit. Your request can fail for this limit even if your plaintext
+// meets the other requirements. The PackedPolicySize response element indicates
+// by percentage how close the policies and tags for your request are to the
+// upper size limit.
 //
 // You can pass a session tag with the same key as a tag that is attached to
 // the role. When you do, session tags override the role's tags with the same
@@ -365,7 +364,7 @@ func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *re
 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
 // in the IAM User Guide.
 //
-// SAML Configuration
+// # SAML Configuration
 //
 // Before your application can call AssumeRoleWithSAML, you must configure your
 // SAML identity provider (IdP) to issue the claims required by Amazon Web Services.
@@ -376,16 +375,16 @@ func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *re
 //
 // For more information, see the following resources:
 //
-//    * About SAML 2.0-based Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html)
+//   - About SAML 2.0-based Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html)
 //     in the IAM User Guide.
 //
-//    * Creating SAML Identity Providers (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)
+//   - Creating SAML Identity Providers (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)
 //     in the IAM User Guide.
 //
-//    * Configuring a Relying Party and Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html)
+//   - Configuring a Relying Party and Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html)
 //     in the IAM User Guide.
 //
-//    * Creating a Role for SAML 2.0 Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html)
+//   - Creating a Role for SAML 2.0 Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html)
 //     in the IAM User Guide.
 //
 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
@@ -396,11 +395,12 @@ func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *re
 // API operation AssumeRoleWithSAML for usage and error information.
 //
 // Returned Error Codes:
-//   * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument"
+//
+//   - ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument"
 //     The request was rejected because the policy document was malformed. The error
 //     message describes the specific error.
 //
-//   * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge"
+//   - ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge"
 //     The request was rejected because the total packed size of the session policies
 //     and session tags combined was too large. An Amazon Web Services conversion
 //     compresses the session policy document, session policy ARNs, and session
@@ -414,23 +414,23 @@ func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *re
 //     Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length)
 //     in the IAM User Guide.
 //
-//   * ErrCodeIDPRejectedClaimException "IDPRejectedClaim"
+//   - ErrCodeIDPRejectedClaimException "IDPRejectedClaim"
 //     The identity provider (IdP) reported that authentication failed. This might
 //     be because the claim is invalid.
 //
 //     If this error is returned for the AssumeRoleWithWebIdentity operation, it
 //     can also mean that the claim has expired or has been explicitly revoked.
 //
-//   * ErrCodeInvalidIdentityTokenException "InvalidIdentityToken"
+//   - ErrCodeInvalidIdentityTokenException "InvalidIdentityToken"
 //     The web identity token that was passed could not be validated by Amazon Web
 //     Services. Get a new identity token from the identity provider and then retry
 //     the request.
 //
-//   * ErrCodeExpiredTokenException "ExpiredTokenException"
+//   - ErrCodeExpiredTokenException "ExpiredTokenException"
 //     The web identity token that was passed is expired or is not valid. Get a
 //     new identity token from the identity provider and then retry the request.
 //
-//   * ErrCodeRegionDisabledException "RegionDisabledException"
+//   - ErrCodeRegionDisabledException "RegionDisabledException"
 //     STS is not activated in the requested region for the account that is being
 //     asked to generate credentials. The account administrator must use the IAM
 //     console to activate STS in that region. For more information, see Activating
@@ -476,7 +476,6 @@ const opAssumeRoleWithWebIdentity = "AssumeRoleWithWebIdentity"
 // This method is useful when you want to inject custom logic or configuration
 // into the SDK's request lifecycle. Such as custom headers, or retry logic.
 //
-//
 //	// Example sending a request using the AssumeRoleWithWebIdentityRequest method.
 //	req, resp := client.AssumeRoleWithWebIdentityRequest(params)
 //
@@ -540,7 +539,7 @@ func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityI
 // temporary security credentials to sign calls to Amazon Web Services service
 // API operations.
 //
-// Session Duration
+// # Session Duration
 //
 // By default, the temporary security credentials created by AssumeRoleWithWebIdentity
 // last for one hour. However, you can use the optional DurationSeconds parameter
@@ -555,7 +554,7 @@ func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityI
 // URL. For more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html)
 // in the IAM User Guide.
 //
-// Permissions
+// # Permissions
 //
 // The temporary security credentials created by AssumeRoleWithWebIdentity can
 // be used to make API calls to any Amazon Web Services service with the following
@@ -564,19 +563,19 @@ func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityI
 //
 // (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
 // to this operation. You can pass a single JSON policy document to use as an
-// inline session policy. You can also specify up to 10 managed policies to
-// use as managed session policies. The plaintext that you use for both inline
-// and managed session policies can't exceed 2,048 characters. Passing policies
-// to this operation returns new temporary credentials. The resulting session's
-// permissions are the intersection of the role's identity-based policy and
-// the session policies. You can use the role's temporary credentials in subsequent
-// Amazon Web Services API calls to access resources in the account that owns
-// the role. You cannot use session policies to grant more permissions than
-// those allowed by the identity-based policy of the role that is being assumed.
-// For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
+// inline session policy. You can also specify up to 10 managed policy Amazon
+// Resource Names (ARNs) to use as managed session policies. The plaintext that
+// you use for both inline and managed session policies can't exceed 2,048 characters.
+// Passing policies to this operation returns new temporary credentials. The
+// resulting session's permissions are the intersection of the role's identity-based
+// policy and the session policies. You can use the role's temporary credentials
+// in subsequent Amazon Web Services API calls to access resources in the account
+// that owns the role. You cannot use session policies to grant more permissions
+// than those allowed by the identity-based policy of the role that is being
+// assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
 // in the IAM User Guide.
 //
-// Tags
+// # Tags
 //
 // (Optional) You can configure your IdP to pass attributes into your web identity
 // token as session tags. Each session tag consists of a key name and an associated
@@ -589,11 +588,12 @@ func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityI
 // and additional limits, see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
 // in the IAM User Guide.
 //
-// An Amazon Web Services conversion compresses the passed session policies
-// and session tags into a packed binary format that has a separate limit. Your
-// request can fail for this limit even if your plaintext meets the other requirements.
-// The PackedPolicySize response element indicates by percentage how close the
-// policies and tags for your request are to the upper size limit.
+// An Amazon Web Services conversion compresses the passed inline session policy,
+// managed policy ARNs, and session tags into a packed binary format that has
+// a separate limit. Your request can fail for this limit even if your plaintext
+// meets the other requirements. The PackedPolicySize response element indicates
+// by percentage how close the policies and tags for your request are to the
+// upper size limit.
 //
 // You can pass a session tag with the same key as a tag that is attached to
 // the role. When you do, the session tag overrides the role tag with the same
@@ -610,7 +610,7 @@ func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityI
 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
 // in the IAM User Guide.
 //
-// Identities
+// # Identities
 //
 // Before your application can call AssumeRoleWithWebIdentity, you must have
 // an identity token from a supported identity provider and create a role that
@@ -628,21 +628,21 @@ func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityI
 // For more information about how to use web identity federation and the AssumeRoleWithWebIdentity
 // API, see the following resources:
 //
-//    * Using Web Identity Federation API Operations for Mobile Apps (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html)
+//   - Using Web Identity Federation API Operations for Mobile Apps (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html)
 //     and Federation Through a Web-based Identity Provider (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity).
 //
-//    * Web Identity Federation Playground (https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/).
+//   - Web Identity Federation Playground (https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/).
 //     Walk through the process of authenticating through Login with Amazon,
 //     Facebook, or Google, getting temporary security credentials, and then
 //     using those credentials to make a request to Amazon Web Services.
 //
-//    * Amazon Web Services SDK for iOS Developer Guide (http://aws.amazon.com/sdkforios/)
+//   - Amazon Web Services SDK for iOS Developer Guide (http://aws.amazon.com/sdkforios/)
 //     and Amazon Web Services SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/).
 //     These toolkits contain sample apps that show how to invoke the identity
 //     providers. The toolkits then show how to use the information from these
 //     providers to get and use temporary security credentials.
 //
-//    * Web Identity Federation with Mobile Applications (http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications).
+//   - Web Identity Federation with Mobile Applications (http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications).
 //     This article discusses web identity federation and shows an example of
 //     how to use web identity federation to get access to content in Amazon
 //     S3.
@@ -655,11 +655,12 @@ func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityI
 // API operation AssumeRoleWithWebIdentity for usage and error information.
 //
 // Returned Error Codes:
-//   * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument"
+//
+//   - ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument"
 //     The request was rejected because the policy document was malformed. The error
 //     message describes the specific error.
 //
-//   * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge"
+//   - ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge"
 //     The request was rejected because the total packed size of the session policies
 //     and session tags combined was too large. An Amazon Web Services conversion
 //     compresses the session policy document, session policy ARNs, and session
@@ -673,30 +674,30 @@ func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityI
 //     Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length)
 //     in the IAM User Guide.
 //
-//   * ErrCodeIDPRejectedClaimException "IDPRejectedClaim"
+//   - ErrCodeIDPRejectedClaimException "IDPRejectedClaim"
 //     The identity provider (IdP) reported that authentication failed. This might
 //     be because the claim is invalid.
 //
 //     If this error is returned for the AssumeRoleWithWebIdentity operation, it
 //     can also mean that the claim has expired or has been explicitly revoked.
 //
-//   * ErrCodeIDPCommunicationErrorException "IDPCommunicationError"
+//   - ErrCodeIDPCommunicationErrorException "IDPCommunicationError"
 //     The request could not be fulfilled because the identity provider (IDP) that
 //     was asked to verify the incoming identity token could not be reached. This
 //     is often a transient error caused by network conditions. Retry the request
 //     a limited number of times so that you don't exceed the request rate. If the
 //     error persists, the identity provider might be down or not responding.
 //
-//   * ErrCodeInvalidIdentityTokenException "InvalidIdentityToken"
+//   - ErrCodeInvalidIdentityTokenException "InvalidIdentityToken"
 //     The web identity token that was passed could not be validated by Amazon Web
 //     Services. Get a new identity token from the identity provider and then retry
 //     the request.
 //
-//   * ErrCodeExpiredTokenException "ExpiredTokenException"
+//   - ErrCodeExpiredTokenException "ExpiredTokenException"
 //     The web identity token that was passed is expired or is not valid. Get a
 //     new identity token from the identity provider and then retry the request.
 //
-//   * ErrCodeRegionDisabledException "RegionDisabledException"
+//   - ErrCodeRegionDisabledException "RegionDisabledException"
 //     STS is not activated in the requested region for the account that is being
 //     asked to generate credentials. The account administrator must use the IAM
 //     console to activate STS in that region. For more information, see Activating
@@ -742,7 +743,6 @@ const opDecodeAuthorizationMessage = "DecodeAuthorizationMessage"
 // This method is useful when you want to inject custom logic or configuration
 // into the SDK's request lifecycle. Such as custom headers, or retry logic.
 //
-//
 //	// Example sending a request using the DecodeAuthorizationMessageRequest method.
 //	req, resp := client.DecodeAuthorizationMessageRequest(params)
 //
@@ -793,18 +793,18 @@ func (c *STS) DecodeAuthorizationMessageRequest(input *DecodeAuthorizationMessag
 //
 // The decoded message includes the following type of information:
 //
-//    * Whether the request was denied due to an explicit deny or due to the
+//   - Whether the request was denied due to an explicit deny or due to the
 //     absence of an explicit allow. For more information, see Determining Whether
 //     a Request is Allowed or Denied (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow)
 //     in the IAM User Guide.
 //
-//    * The principal who made the request.
+//   - The principal who made the request.
 //
-//    * The requested action.
+//   - The requested action.
 //
-//    * The requested resource.
+//   - The requested resource.
 //
-//    * The values of condition keys in the context of the user's request.
+//   - The values of condition keys in the context of the user's request.
 //
 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
 // with awserr.Error's Code and Message methods to get detailed information about
@@ -814,7 +814,7 @@ func (c *STS) DecodeAuthorizationMessageRequest(input *DecodeAuthorizationMessag
 // API operation DecodeAuthorizationMessage for usage and error information.
 //
 // Returned Error Codes:
-//   * ErrCodeInvalidAuthorizationMessageException "InvalidAuthorizationMessageException"
+//   - ErrCodeInvalidAuthorizationMessageException "InvalidAuthorizationMessageException"
 //     The error returned if the message passed to DecodeAuthorizationMessage was
 //     invalid. This can happen if the token contains invalid characters, such as
 //     linebreaks.
@@ -857,7 +857,6 @@ const opGetAccessKeyInfo = "GetAccessKeyInfo"
 // This method is useful when you want to inject custom logic or configuration
 // into the SDK's request lifecycle. Such as custom headers, or retry logic.
 //
-//
 //	// Example sending a request using the GetAccessKeyInfoRequest method.
 //	req, resp := client.GetAccessKeyInfoRequest(params)
 //
@@ -954,7 +953,6 @@ const opGetCallerIdentity = "GetCallerIdentity"
 // This method is useful when you want to inject custom logic or configuration
 // into the SDK's request lifecycle. Such as custom headers, or retry logic.
 //
-//
 //	// Example sending a request using the GetCallerIdentityRequest method.
 //	req, resp := client.GetCallerIdentityRequest(params)
 //
@@ -1037,7 +1035,6 @@ const opGetFederationToken = "GetFederationToken"
 // This method is useful when you want to inject custom logic or configuration
 // into the SDK's request lifecycle. Such as custom headers, or retry logic.
 //
-//
 //	// Example sending a request using the GetFederationTokenRequest method.
 //	req, resp := client.GetFederationTokenRequest(params)
 //
@@ -1094,7 +1091,7 @@ func (c *STS) GetFederationTokenRequest(input *GetFederationTokenInput) (req *re
 // see IAM Best Practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)
 // in the IAM User Guide.
 //
-// Session duration
+// # Session duration
 //
 // The temporary credentials are valid for the specified duration, from 900
 // seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default
@@ -1102,21 +1099,23 @@ func (c *STS) GetFederationTokenRequest(input *GetFederationTokenInput) (req *re
 // by using the Amazon Web Services account root user credentials have a maximum
 // duration of 3,600 seconds (1 hour).
 //
-// Permissions
+// # Permissions
 //
 // You can use the temporary credentials created by GetFederationToken in any
-// Amazon Web Services service except the following:
+// Amazon Web Services service with the following exceptions:
 //
-//    * You cannot call any IAM operations using the CLI or the Amazon Web Services
-//    API.
+//   - You cannot call any IAM operations using the CLI or the Amazon Web Services
+//     API. This limitation does not apply to console sessions.
 //
-//    * You cannot call any STS operations except GetCallerIdentity.
+//   - You cannot call any STS operations except GetCallerIdentity.
+//
+// You can use temporary credentials for single sign-on (SSO) to the console.
 //
 // You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
 // to this operation. You can pass a single JSON policy document to use as an
-// inline session policy. You can also specify up to 10 managed policies to
-// use as managed session policies. The plaintext that you use for both inline
-// and managed session policies can't exceed 2,048 characters.
+// inline session policy. You can also specify up to 10 managed policy Amazon
+// Resource Names (ARNs) to use as managed session policies. The plaintext that
+// you use for both inline and managed session policies can't exceed 2,048 characters.
 //
 // Though the session policy parameters are optional, if you do not pass a policy,
 // then the resulting federated user session has no permissions. When you pass
@@ -1136,7 +1135,7 @@ func (c *STS) GetFederationTokenRequest(input *GetFederationTokenInput) (req *re
 // by the policy. These permissions are granted in addition to the permissions
 // granted by the session policies.
 //
-// Tags
+// # Tags
 //
 // (Optional) You can pass tag key-value pairs to your session. These are called
 // session tags. For more information about session tags, see Passing Session
@@ -1172,11 +1171,12 @@ func (c *STS) GetFederationTokenRequest(input *GetFederationTokenInput) (req *re
 // API operation GetFederationToken for usage and error information.
 //
 // Returned Error Codes:
-//   * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument"
+//
+//   - ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument"
 //     The request was rejected because the policy document was malformed. The error
 //     message describes the specific error.
 //
-//   * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge"
+//   - ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge"
 //     The request was rejected because the total packed size of the session policies
 //     and session tags combined was too large. An Amazon Web Services conversion
 //     compresses the session policy document, session policy ARNs, and session
@@ -1190,7 +1190,7 @@ func (c *STS) GetFederationTokenRequest(input *GetFederationTokenInput) (req *re
 //     Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length)
 //     in the IAM User Guide.
 //
-//   * ErrCodeRegionDisabledException "RegionDisabledException"
+//   - ErrCodeRegionDisabledException "RegionDisabledException"
 //     STS is not activated in the requested region for the account that is being
 //     asked to generate credentials. The account administrator must use the IAM
 //     console to activate STS in that region. For more information, see Activating
@@ -1236,7 +1236,6 @@ const opGetSessionToken = "GetSessionToken"
 // This method is useful when you want to inject custom logic or configuration
 // into the SDK's request lifecycle. Such as custom headers, or retry logic.
 //
-//
 //	// Example sending a request using the GetSessionTokenRequest method.
 //	req, resp := client.GetSessionTokenRequest(params)
 //
@@ -1285,7 +1284,7 @@ func (c *STS) GetSessionTokenRequest(input *GetSessionTokenInput) (req *request.
 // see Permissions for GetSessionToken (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getsessiontoken.html)
 // in the IAM User Guide.
 //
-// Session Duration
+// # Session Duration
 //
 // The GetSessionToken operation must be called by using the long-term Amazon
 // Web Services security credentials of the Amazon Web Services account root
@@ -1296,15 +1295,15 @@ func (c *STS) GetSessionTokenRequest(input *GetSessionTokenInput) (req *request.
 // range from 900 seconds (15 minutes) up to 3,600 seconds (1 hour), with a
 // default of 1 hour.
 //
-// Permissions
+// # Permissions
 //
 // The temporary security credentials created by GetSessionToken can be used
 // to make API calls to any Amazon Web Services service with the following exceptions:
 //
-//    * You cannot call any IAM API operations unless MFA authentication information
+//   - You cannot call any IAM API operations unless MFA authentication information
 //     is included in the request.
 //
-//    * You cannot call any STS API except AssumeRole or GetCallerIdentity.
+//   - You cannot call any STS API except AssumeRole or GetCallerIdentity.
 //
 // We recommend that you do not call GetSessionToken with Amazon Web Services
 // account root user credentials. Instead, follow our best practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users)
@@ -1330,7 +1329,7 @@ func (c *STS) GetSessionTokenRequest(input *GetSessionTokenInput) (req *request.
 // API operation GetSessionToken for usage and error information.
 //
 // Returned Error Codes:
-//   * ErrCodeRegionDisabledException "RegionDisabledException"
+//   - ErrCodeRegionDisabledException "RegionDisabledException"
 //     STS is not activated in the requested region for the account that is being
 //     asked to generate credentials. The account administrator must use the IAM
 //     console to activate STS in that region. For more information, see Activating
@@ -1428,11 +1427,12 @@ type AssumeRoleInput struct {
 	// \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage
 	// return (\u000D) characters.
 	//
-	// An Amazon Web Services conversion compresses the passed session policies
-	// and session tags into a packed binary format that has a separate limit. Your
-	// request can fail for this limit even if your plaintext meets the other requirements.
-	// The PackedPolicySize response element indicates by percentage how close the
-	// policies and tags for your request are to the upper size limit.
+	// An Amazon Web Services conversion compresses the passed inline session policy,
+	// managed policy ARNs, and session tags into a packed binary format that has
+	// a separate limit. Your request can fail for this limit even if your plaintext
+	// meets the other requirements. The PackedPolicySize response element indicates
+	// by percentage how close the policies and tags for your request are to the
+	// upper size limit.
 	Policy *string `min:"1" type:"string"`
 
 	// The Amazon Resource Names (ARNs) of the IAM managed policies that you want
@@ -1445,11 +1445,12 @@ type AssumeRoleInput struct {
 	// Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
 	// in the Amazon Web Services General Reference.
 	//
-	// An Amazon Web Services conversion compresses the passed session policies
-	// and session tags into a packed binary format that has a separate limit. Your
-	// request can fail for this limit even if your plaintext meets the other requirements.
-	// The PackedPolicySize response element indicates by percentage how close the
-	// policies and tags for your request are to the upper size limit.
+	// An Amazon Web Services conversion compresses the passed inline session policy,
+	// managed policy ARNs, and session tags into a packed binary format that has
+	// a separate limit. Your request can fail for this limit even if your plaintext
+	// meets the other requirements. The PackedPolicySize response element indicates
+	// by percentage how close the policies and tags for your request are to the
+	// upper size limit.
 	//
 	// Passing policies to this operation returns new temporary credentials. The
 	// resulting session's permissions are the intersection of the role's identity-based
@@ -1524,11 +1525,12 @@ type AssumeRoleInput struct {
 	// Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
 	// in the IAM User Guide.
 	//
-	// An Amazon Web Services conversion compresses the passed session policies
-	// and session tags into a packed binary format that has a separate limit. Your
-	// request can fail for this limit even if your plaintext meets the other requirements.
-	// The PackedPolicySize response element indicates by percentage how close the
-	// policies and tags for your request are to the upper size limit.
+	// An Amazon Web Services conversion compresses the passed inline session policy,
+	// managed policy ARNs, and session tags into a packed binary format that has
+	// a separate limit. Your request can fail for this limit even if your plaintext
+	// meets the other requirements. The PackedPolicySize response element indicates
+	// by percentage how close the policies and tags for your request are to the
+	// upper size limit.
 	//
 	// You can pass a session tag with the same key as a tag that is already attached
 	// to the role. When you do, session tags override a role tag with the same
@@ -1847,11 +1849,12 @@ type AssumeRoleWithSAMLInput struct {
 	// \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage
 	// return (\u000D) characters.
 	//
-	// An Amazon Web Services conversion compresses the passed session policies
-	// and session tags into a packed binary format that has a separate limit. Your
-	// request can fail for this limit even if your plaintext meets the other requirements.
-	// The PackedPolicySize response element indicates by percentage how close the
-	// policies and tags for your request are to the upper size limit.
+	// An Amazon Web Services conversion compresses the passed inline session policy,
+	// managed policy ARNs, and session tags into a packed binary format that has
+	// a separate limit. Your request can fail for this limit even if your plaintext
+	// meets the other requirements. The PackedPolicySize response element indicates
+	// by percentage how close the policies and tags for your request are to the
+	// upper size limit.
 	Policy *string `min:"1" type:"string"`
 
 	// The Amazon Resource Names (ARNs) of the IAM managed policies that you want
@@ -1864,11 +1867,12 @@ type AssumeRoleWithSAMLInput struct {
 	// Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
 	// in the Amazon Web Services General Reference.
 	//
-	// An Amazon Web Services conversion compresses the passed session policies
-	// and session tags into a packed binary format that has a separate limit. Your
-	// request can fail for this limit even if your plaintext meets the other requirements.
-	// The PackedPolicySize response element indicates by percentage how close the
-	// policies and tags for your request are to the upper size limit.
+	// An Amazon Web Services conversion compresses the passed inline session policy,
+	// managed policy ARNs, and session tags into a packed binary format that has
+	// a separate limit. Your request can fail for this limit even if your plaintext
+	// meets the other requirements. The PackedPolicySize response element indicates
+	// by percentage how close the policies and tags for your request are to the
+	// upper size limit.
 	//
 	// Passing policies to this operation returns new temporary credentials. The
 	// resulting session's permissions are the intersection of the role's identity-based
@@ -2194,11 +2198,12 @@ type AssumeRoleWithWebIdentityInput struct {
 	// \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage
 	// return (\u000D) characters.
 	//
-	// An Amazon Web Services conversion compresses the passed session policies
-	// and session tags into a packed binary format that has a separate limit. Your
-	// request can fail for this limit even if your plaintext meets the other requirements.
-	// The PackedPolicySize response element indicates by percentage how close the
-	// policies and tags for your request are to the upper size limit.
+	// An Amazon Web Services conversion compresses the passed inline session policy,
+	// managed policy ARNs, and session tags into a packed binary format that has
+	// a separate limit. Your request can fail for this limit even if your plaintext
+	// meets the other requirements. The PackedPolicySize response element indicates
+	// by percentage how close the policies and tags for your request are to the
+	// upper size limit.
 	Policy *string `min:"1" type:"string"`
 
 	// The Amazon Resource Names (ARNs) of the IAM managed policies that you want
@@ -2211,11 +2216,12 @@ type AssumeRoleWithWebIdentityInput struct {
 	// Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
 	// in the Amazon Web Services General Reference.
 	//
-	// An Amazon Web Services conversion compresses the passed session policies
-	// and session tags into a packed binary format that has a separate limit. Your
-	// request can fail for this limit even if your plaintext meets the other requirements.
-	// The PackedPolicySize response element indicates by percentage how close the
-	// policies and tags for your request are to the upper size limit.
+	// An Amazon Web Services conversion compresses the passed inline session policy,
+	// managed policy ARNs, and session tags into a packed binary format that has
+	// a separate limit. Your request can fail for this limit even if your plaintext
+	// meets the other requirements. The PackedPolicySize response element indicates
+	// by percentage how close the policies and tags for your request are to the
+	// upper size limit.
 	//
 	// Passing policies to this operation returns new temporary credentials. The
 	// resulting session's permissions are the intersection of the role's identity-based
@@ -2938,8 +2944,8 @@ type GetFederationTokenInput struct {
 	//
 	// You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
 	// to this operation. You can pass a single JSON policy document to use as an
-	// inline session policy. You can also specify up to 10 managed policies to
-	// use as managed session policies.
+	// inline session policy. You can also specify up to 10 managed policy Amazon
+	// Resource Names (ARNs) to use as managed session policies.
 	//
 	// This parameter is optional. However, if you do not pass any session policies,
 	// then the resulting federated user session has no permissions.
@@ -2964,11 +2970,12 @@ type GetFederationTokenInput struct {
 	// \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage
 	// return (\u000D) characters.
 	//
-	// An Amazon Web Services conversion compresses the passed session policies
-	// and session tags into a packed binary format that has a separate limit. Your
-	// request can fail for this limit even if your plaintext meets the other requirements.
-	// The PackedPolicySize response element indicates by percentage how close the
-	// policies and tags for your request are to the upper size limit.
+	// An Amazon Web Services conversion compresses the passed inline session policy,
+	// managed policy ARNs, and session tags into a packed binary format that has
+	// a separate limit. Your request can fail for this limit even if your plaintext
+	// meets the other requirements. The PackedPolicySize response element indicates
+	// by percentage how close the policies and tags for your request are to the
+	// upper size limit.
 	Policy *string `min:"1" type:"string"`
 
 	// The Amazon Resource Names (ARNs) of the IAM managed policies that you want
@@ -2977,11 +2984,12 @@ type GetFederationTokenInput struct {
 	//
 	// You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
 	// to this operation. You can pass a single JSON policy document to use as an
-	// inline session policy. You can also specify up to 10 managed policies to
-	// use as managed session policies. The plaintext that you use for both inline
-	// and managed session policies can't exceed 2,048 characters. You can provide
-	// up to 10 managed policy ARNs. For more information about ARNs, see Amazon
-	// Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
+	// inline session policy. You can also specify up to 10 managed policy Amazon
+	// Resource Names (ARNs) to use as managed session policies. The plaintext that
+	// you use for both inline and managed session policies can't exceed 2,048 characters.
+	// You can provide up to 10 managed policy ARNs. For more information about
+	// ARNs, see Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces
+	// (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
 	// in the Amazon Web Services General Reference.
 	//
 	// This parameter is optional. However, if you do not pass any session policies,
@@ -3001,11 +3009,12 @@ type GetFederationTokenInput struct {
 	// by the policy. These permissions are granted in addition to the permissions
 	// that are granted by the session policies.
 	//
-	// An Amazon Web Services conversion compresses the passed session policies
-	// and session tags into a packed binary format that has a separate limit. Your
-	// request can fail for this limit even if your plaintext meets the other requirements.
-	// The PackedPolicySize response element indicates by percentage how close the
-	// policies and tags for your request are to the upper size limit.
+	// An Amazon Web Services conversion compresses the passed inline session policy,
+	// managed policy ARNs, and session tags into a packed binary format that has
+	// a separate limit. Your request can fail for this limit even if your plaintext
+	// meets the other requirements. The PackedPolicySize response element indicates
+	// by percentage how close the policies and tags for your request are to the
+	// upper size limit.
 	PolicyArns []*PolicyDescriptorType `type:"list"`
 
 	// A list of session tags. Each session tag consists of a key name and an associated
@@ -3019,11 +3028,12 @@ type GetFederationTokenInput struct {
 	// Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
 	// in the IAM User Guide.
 	//
-	// An Amazon Web Services conversion compresses the passed session policies
-	// and session tags into a packed binary format that has a separate limit. Your
-	// request can fail for this limit even if your plaintext meets the other requirements.
-	// The PackedPolicySize response element indicates by percentage how close the
-	// policies and tags for your request are to the upper size limit.
+	// An Amazon Web Services conversion compresses the passed inline session policy,
+	// managed policy ARNs, and session tags into a packed binary format that has
+	// a separate limit. Your request can fail for this limit even if your plaintext
+	// meets the other requirements. The PackedPolicySize response element indicates
+	// by percentage how close the policies and tags for your request are to the
+	// upper size limit.
 	//
 	// You can pass a session tag with the same key as a tag that is already attached
 	// to the user you are federating. When you do, session tags override a user

vendor/github.com/aws/aws-sdk-go/service/sts/doc.go

@@ -14,7 +14,7 @@
 // See sts package documentation for more information.
 // https://docs.aws.amazon.com/sdk-for-go/api/service/sts/
 //
-// Using the Client
+// # Using the Client
 //
 // To contact AWS Security Token Service with the SDK use the New function to create
 // a new service client. With that client you can make API requests to the service.

vendor/github.com/aws/aws-sdk-go/service/sts/service.go

@@ -39,6 +39,7 @@ const (
 // aws.Config parameter to add your extra config.
 //
 // Example:
+//
 //	mySession := session.Must(session.NewSession())
 //
 //	// Create a STS client from just a session.

vendor/modules.txt

@@ -88,7 +88,7 @@ github.com/acomagu/bufpipe
 # github.com/agext/levenshtein v1.2.3
 ## explicit
 github.com/agext/levenshtein
-# github.com/aws/aws-sdk-go v1.44.24
+# github.com/aws/aws-sdk-go v1.44.253
 ## explicit; go 1.11
 github.com/aws/aws-sdk-go/aws
 github.com/aws/aws-sdk-go/aws/arn