update dependencies (#6267)

Signed-off-by: hongming <coder.scala@gmail.com>

vendor/github.com/aws/aws-sdk-go/service/s3/errors.go

@@ -25,6 +25,15 @@ const (
 	// "InvalidObjectState".
 	//
 	// Object is archived and inaccessible until restored.
+	//
+	// If the object you are retrieving is stored in the S3 Glacier Flexible Retrieval
+	// storage class, the S3 Glacier Deep Archive storage class, the S3 Intelligent-Tiering
+	// Archive Access tier, or the S3 Intelligent-Tiering Deep Archive Access tier,
+	// before you can retrieve the object you must first restore a copy using RestoreObject
+	// (https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html).
+	// Otherwise, this operation returns an InvalidObjectState error. For information
+	// about restoring archived objects, see Restoring Archived Objects (https://docs.aws.amazon.com/AmazonS3/latest/dev/restoring-objects.html)
+	// in the Amazon S3 User Guide.
 	ErrCodeInvalidObjectState = "InvalidObjectState"
 
 	// ErrCodeNoSuchBucket for service response error code

vendor/github.com/aws/aws-sdk-go/service/s3/platform_handlers_go1.6.go

@@ -25,5 +25,5 @@ func add100Continue(r *request.Request) {
 		return
 	}
 
-	r.HTTPRequest.Header.Set("Expect", "100-Continue")
+	r.HTTPRequest.Header.Set("Expect", "100-continue")
 }

vendor/github.com/aws/aws-sdk-go/service/s3/s3iface/interface.go

@@ -80,6 +80,10 @@ type S3API interface {
 	CreateMultipartUploadWithContext(aws.Context, *s3.CreateMultipartUploadInput, ...request.Option) (*s3.CreateMultipartUploadOutput, error)
 	CreateMultipartUploadRequest(*s3.CreateMultipartUploadInput) (*request.Request, *s3.CreateMultipartUploadOutput)
 
+	CreateSession(*s3.CreateSessionInput) (*s3.CreateSessionOutput, error)
+	CreateSessionWithContext(aws.Context, *s3.CreateSessionInput, ...request.Option) (*s3.CreateSessionOutput, error)
+	CreateSessionRequest(*s3.CreateSessionInput) (*request.Request, *s3.CreateSessionOutput)
+
 	DeleteBucket(*s3.DeleteBucketInput) (*s3.DeleteBucketOutput, error)
 	DeleteBucketWithContext(aws.Context, *s3.DeleteBucketInput, ...request.Option) (*s3.DeleteBucketOutput, error)
 	DeleteBucketRequest(*s3.DeleteBucketInput) (*request.Request, *s3.DeleteBucketOutput)
@@ -300,6 +304,13 @@ type S3API interface {
 	ListBucketsWithContext(aws.Context, *s3.ListBucketsInput, ...request.Option) (*s3.ListBucketsOutput, error)
 	ListBucketsRequest(*s3.ListBucketsInput) (*request.Request, *s3.ListBucketsOutput)
 
+	ListDirectoryBuckets(*s3.ListDirectoryBucketsInput) (*s3.ListDirectoryBucketsOutput, error)
+	ListDirectoryBucketsWithContext(aws.Context, *s3.ListDirectoryBucketsInput, ...request.Option) (*s3.ListDirectoryBucketsOutput, error)
+	ListDirectoryBucketsRequest(*s3.ListDirectoryBucketsInput) (*request.Request, *s3.ListDirectoryBucketsOutput)
+
+	ListDirectoryBucketsPages(*s3.ListDirectoryBucketsInput, func(*s3.ListDirectoryBucketsOutput, bool) bool) error
+	ListDirectoryBucketsPagesWithContext(aws.Context, *s3.ListDirectoryBucketsInput, func(*s3.ListDirectoryBucketsOutput, bool) bool, ...request.Option) error
+
 	ListMultipartUploads(*s3.ListMultipartUploadsInput) (*s3.ListMultipartUploadsOutput, error)
 	ListMultipartUploadsWithContext(aws.Context, *s3.ListMultipartUploadsInput, ...request.Option) (*s3.ListMultipartUploadsOutput, error)
 	ListMultipartUploadsRequest(*s3.ListMultipartUploadsInput) (*request.Request, *s3.ListMultipartUploadsOutput)

vendor/github.com/aws/aws-sdk-go/service/s3/s3manager/upload_input.go

@@ -23,9 +23,32 @@ type UploadInput struct {
 	_ struct{} `locationName:"PutObjectRequest" type:"structure" payload:"Body"`
 
 	// The canned ACL to apply to the object. For more information, see Canned ACL
-	// (https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#CannedACL).
+	// (https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#CannedACL)
+	// in the Amazon S3 User Guide.
 	//
-	// This action is not supported by Amazon S3 on Outposts.
+	// When adding a new object, you can use headers to grant ACL-based permissions
+	// to individual Amazon Web Services accounts or to predefined groups defined
+	// by Amazon S3. These permissions are then added to the ACL on the object.
+	// By default, all objects are private. Only the owner has full access control.
+	// For more information, see Access Control List (ACL) Overview (https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html)
+	// and Managing ACLs Using the REST API (https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-using-rest-api.html)
+	// in the Amazon S3 User Guide.
+	//
+	// If the bucket that you're uploading objects to uses the bucket owner enforced
+	// setting for S3 Object Ownership, ACLs are disabled and no longer affect permissions.
+	// Buckets that use this setting only accept PUT requests that don't specify
+	// an ACL or PUT requests that specify bucket owner full control ACLs, such
+	// as the bucket-owner-full-control canned ACL or an equivalent form of this
+	// ACL expressed in the XML format. PUT requests that contain other ACLs (for
+	// example, custom grants to certain Amazon Web Services accounts) fail and
+	// return a 400 error with the error code AccessControlListNotSupported. For
+	// more information, see Controlling ownership of objects and disabling ACLs
+	// (https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html)
+	// in the Amazon S3 User Guide.
+	//
+	//    * This functionality is not supported for directory buckets.
+	//
+	//    * This functionality is not supported for Amazon S3 on Outposts.
 	ACL *string `location:"header" locationName:"x-amz-acl" type:"string" enum:"ObjectCannedACL"`
 
 	// The readable body payload to send to S3.
@@ -33,31 +56,47 @@ type UploadInput struct {
 
 	// The bucket name to which the PUT action was initiated.
 	//
-	// When using this action with an access point, you must direct requests to
-	// the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com.
+	// Directory buckets - When you use this operation with a directory bucket,
+	// you must use virtual-hosted-style requests in the format Bucket_name.s3express-az_id.region.amazonaws.com.
+	// Path-style requests are not supported. Directory bucket names must be unique
+	// in the chosen Availability Zone. Bucket names must follow the format bucket_base_name--az-id--x-s3
+	// (for example, DOC-EXAMPLE-BUCKET--usw2-az1--x-s3). For information about
+	// bucket naming restrictions, see Directory bucket naming rules (https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html)
+	// in the Amazon S3 User Guide.
+	//
+	// Access points - When you use this action with an access point, you must provide
+	// the alias of the access point in place of the bucket name or specify the
+	// access point ARN. When using the access point ARN, you must direct requests
+	// to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com.
 	// When using this action with an access point through the Amazon Web Services
 	// SDKs, you provide the access point ARN in place of the bucket name. For more
 	// information about access point ARNs, see Using access points (https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-access-points.html)
 	// in the Amazon S3 User Guide.
 	//
-	// When using this action with Amazon S3 on Outposts, you must direct requests
-	// to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form
-	// AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When
-	// using this action with S3 on Outposts through the Amazon Web Services SDKs,
-	// you provide the Outposts bucket ARN in place of the bucket name. For more
-	// information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts (https://docs.aws.amazon.com/AmazonS3/latest/userguide/S3onOutposts.html)
+	// Access points and Object Lambda access points are not supported by directory
+	// buckets.
+	//
+	// S3 on Outposts - When you use this action with Amazon S3 on Outposts, you
+	// must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname
+	// takes the form AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com.
+	// When you use this action with S3 on Outposts through the Amazon Web Services
+	// SDKs, you provide the Outposts access point ARN in place of the bucket name.
+	// For more information about S3 on Outposts ARNs, see What is S3 on Outposts?
+	// (https://docs.aws.amazon.com/AmazonS3/latest/userguide/S3onOutposts.html)
 	// in the Amazon S3 User Guide.
 	//
 	// Bucket is a required field
 	Bucket *string `location:"uri" locationName:"Bucket" type:"string" required:"true"`
 
 	// Specifies whether Amazon S3 should use an S3 Bucket Key for object encryption
-	// with server-side encryption using AWS KMS (SSE-KMS). Setting this header
-	// to true causes Amazon S3 to use an S3 Bucket Key for object encryption with
-	// SSE-KMS.
+	// with server-side encryption using Key Management Service (KMS) keys (SSE-KMS).
+	// Setting this header to true causes Amazon S3 to use an S3 Bucket Key for
+	// object encryption with SSE-KMS.
 	//
 	// Specifying this header with a PUT action doesn’t affect bucket-level settings
 	// for S3 Bucket Key.
+	//
+	// This functionality is not supported for directory buckets.
 	BucketKeyEnabled *bool `location:"header" locationName:"x-amz-server-side-encryption-bucket-key-enabled" type:"boolean"`
 
 	// Can be used to specify caching behavior along the request/reply chain. For
@@ -65,16 +104,33 @@ type UploadInput struct {
 	// (http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9).
 	CacheControl *string `location:"header" locationName:"Cache-Control" type:"string"`
 
-	// Indicates the algorithm used to create the checksum for the object when using
-	// the SDK. This header will not provide any additional functionality if not
-	// using the SDK. When sending this header, there must be a corresponding x-amz-checksum
-	// or x-amz-trailer header sent. Otherwise, Amazon S3 fails the request with
-	// the HTTP status code 400 Bad Request. For more information, see Checking
-	// object integrity (https://docs.aws.amazon.com/AmazonS3/latest/userguide/checking-object-integrity.html)
+	// Indicates the algorithm used to create the checksum for the object when you
+	// use the SDK. This header will not provide any additional functionality if
+	// you don't use the SDK. When you send this header, there must be a corresponding
+	// x-amz-checksum-algorithm or x-amz-trailer header sent. Otherwise, Amazon
+	// S3 fails the request with the HTTP status code 400 Bad Request.
+	//
+	// For the x-amz-checksum-algorithm header, replace algorithm with the supported
+	// algorithm from the following list:
+	//
+	//    * CRC32
+	//
+	//    * CRC32C
+	//
+	//    * SHA1
+	//
+	//    * SHA256
+	//
+	// For more information, see Checking object integrity (https://docs.aws.amazon.com/AmazonS3/latest/userguide/checking-object-integrity.html)
 	// in the Amazon S3 User Guide.
 	//
-	// If you provide an individual checksum, Amazon S3 ignores any provided ChecksumAlgorithm
-	// parameter.
+	// If the individual checksum value you provide through x-amz-checksum-algorithm
+	// doesn't match the checksum algorithm you set through x-amz-sdk-checksum-algorithm,
+	// Amazon S3 ignores any provided ChecksumAlgorithm parameter and uses the checksum
+	// algorithm that matches the provided value in x-amz-checksum-algorithm .
+	//
+	// For directory buckets, when you use Amazon Web Services SDKs, CRC32 is the
+	// default checksum algorithm that's used for performance.
 	//
 	// The AWS SDK for Go v1 does not support automatic computing request payload
 	// checksum. This feature is available in the AWS SDK for Go v2. If a value
@@ -111,13 +167,13 @@ type UploadInput struct {
 	ChecksumSHA256 *string `location:"header" locationName:"x-amz-checksum-sha256" type:"string"`
 
 	// Specifies presentational information for the object. For more information,
-	// see http://www.w3.org/Protocols/rfc2616/rfc2616-sec19.html#sec19.5.1 (http://www.w3.org/Protocols/rfc2616/rfc2616-sec19.html#sec19.5.1).
+	// see https://www.rfc-editor.org/rfc/rfc6266#section-4 (https://www.rfc-editor.org/rfc/rfc6266#section-4).
 	ContentDisposition *string `location:"header" locationName:"Content-Disposition" type:"string"`
 
 	// Specifies what content encodings have been applied to the object and thus
 	// what decoding mechanisms must be applied to obtain the media-type referenced
-	// by the Content-Type header field. For more information, see http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.11
-	// (http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.11).
+	// by the Content-Type header field. For more information, see https://www.rfc-editor.org/rfc/rfc9110.html#field.content-encoding
+	// (https://www.rfc-editor.org/rfc/rfc9110.html#field.content-encoding).
 	ContentEncoding *string `location:"header" locationName:"Content-Encoding" type:"string"`
 
 	// The language the content is in.
@@ -130,41 +186,56 @@ type UploadInput struct {
 	// integrity check. For more information about REST request authentication,
 	// see REST Authentication (https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html).
 	//
+	// The Content-MD5 header is required for any request to upload an object with
+	// a retention period configured using Amazon S3 Object Lock. For more information
+	// about Amazon S3 Object Lock, see Amazon S3 Object Lock Overview (https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock-overview.html)
+	// in the Amazon S3 User Guide.
+	//
+	// This functionality is not supported for directory buckets.
+	//
 	// If the ContentMD5 is provided for a multipart upload, it will be ignored.
 	// Objects that will be uploaded in a single part, the ContentMD5 will be used.
 	ContentMD5 *string `location:"header" locationName:"Content-MD5" type:"string"`
 
 	// A standard MIME type describing the format of the contents. For more information,
-	// see http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.17 (http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.17).
+	// see https://www.rfc-editor.org/rfc/rfc9110.html#name-content-type (https://www.rfc-editor.org/rfc/rfc9110.html#name-content-type).
 	ContentType *string `location:"header" locationName:"Content-Type" type:"string"`
 
-	// The account ID of the expected bucket owner. If the bucket is owned by a
-	// different account, the request fails with the HTTP status code 403 Forbidden
-	// (access denied).
+	// The account ID of the expected bucket owner. If the account ID that you provide
+	// does not match the actual owner of the bucket, the request fails with the
+	// HTTP status code 403 Forbidden (access denied).
 	ExpectedBucketOwner *string `location:"header" locationName:"x-amz-expected-bucket-owner" type:"string"`
 
 	// The date and time at which the object is no longer cacheable. For more information,
-	// see http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.21 (http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.21).
+	// see https://www.rfc-editor.org/rfc/rfc7234#section-5.3 (https://www.rfc-editor.org/rfc/rfc7234#section-5.3).
 	Expires *time.Time `location:"header" locationName:"Expires" type:"timestamp"`
 
 	// Gives the grantee READ, READ_ACP, and WRITE_ACP permissions on the object.
 	//
-	// This action is not supported by Amazon S3 on Outposts.
+	//    * This functionality is not supported for directory buckets.
+	//
+	//    * This functionality is not supported for Amazon S3 on Outposts.
 	GrantFullControl *string `location:"header" locationName:"x-amz-grant-full-control" type:"string"`
 
 	// Allows grantee to read the object data and its metadata.
 	//
-	// This action is not supported by Amazon S3 on Outposts.
+	//    * This functionality is not supported for directory buckets.
+	//
+	//    * This functionality is not supported for Amazon S3 on Outposts.
 	GrantRead *string `location:"header" locationName:"x-amz-grant-read" type:"string"`
 
 	// Allows grantee to read the object ACL.
 	//
-	// This action is not supported by Amazon S3 on Outposts.
+	//    * This functionality is not supported for directory buckets.
+	//
+	//    * This functionality is not supported for Amazon S3 on Outposts.
 	GrantReadACP *string `location:"header" locationName:"x-amz-grant-read-acp" type:"string"`
 
 	// Allows grantee to write the ACL for the applicable object.
 	//
-	// This action is not supported by Amazon S3 on Outposts.
+	//    * This functionality is not supported for directory buckets.
+	//
+	//    * This functionality is not supported for Amazon S3 on Outposts.
 	GrantWriteACP *string `location:"header" locationName:"x-amz-grant-write-acp" type:"string"`
 
 	// Object key for which the PUT action was initiated.
@@ -176,25 +247,37 @@ type UploadInput struct {
 	Metadata map[string]*string `location:"headers" locationName:"x-amz-meta-" type:"map"`
 
 	// Specifies whether a legal hold will be applied to this object. For more information
-	// about S3 Object Lock, see Object Lock (https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock.html).
+	// about S3 Object Lock, see Object Lock (https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock.html)
+	// in the Amazon S3 User Guide.
+	//
+	// This functionality is not supported for directory buckets.
 	ObjectLockLegalHoldStatus *string `location:"header" locationName:"x-amz-object-lock-legal-hold" type:"string" enum:"ObjectLockLegalHoldStatus"`
 
 	// The Object Lock mode that you want to apply to this object.
+	//
+	// This functionality is not supported for directory buckets.
 	ObjectLockMode *string `location:"header" locationName:"x-amz-object-lock-mode" type:"string" enum:"ObjectLockMode"`
 
 	// The date and time when you want this object's Object Lock to expire. Must
 	// be formatted as a timestamp parameter.
+	//
+	// This functionality is not supported for directory buckets.
 	ObjectLockRetainUntilDate *time.Time `location:"header" locationName:"x-amz-object-lock-retain-until-date" type:"timestamp" timestampFormat:"iso8601"`
 
 	// Confirms that the requester knows that they will be charged for the request.
-	// Bucket owners need not specify this parameter in their requests. For information
-	// about downloading objects from Requester Pays buckets, see Downloading Objects
+	// Bucket owners need not specify this parameter in their requests. If either
+	// the source or destination S3 bucket has Requester Pays enabled, the requester
+	// will pay for corresponding charges to copy the object. For information about
+	// downloading objects from Requester Pays buckets, see Downloading Objects
 	// in Requester Pays Buckets (https://docs.aws.amazon.com/AmazonS3/latest/dev/ObjectsinRequesterPaysBuckets.html)
 	// in the Amazon S3 User Guide.
+	//
+	// This functionality is not supported for directory buckets.
 	RequestPayer *string `location:"header" locationName:"x-amz-request-payer" type:"string" enum:"RequestPayer"`
 
-	// Specifies the algorithm to use to when encrypting the object (for example,
-	// AES256).
+	// Specifies the algorithm to use when encrypting the object (for example, AES256).
+	//
+	// This functionality is not supported for directory buckets.
 	SSECustomerAlgorithm *string `location:"header" locationName:"x-amz-server-side-encryption-customer-algorithm" type:"string"`
 
 	// Specifies the customer-provided encryption key for Amazon S3 to use in encrypting
@@ -202,48 +285,80 @@ type UploadInput struct {
 	// S3 does not store the encryption key. The key must be appropriate for use
 	// with the algorithm specified in the x-amz-server-side-encryption-customer-algorithm
 	// header.
+	//
+	// This functionality is not supported for directory buckets.
 	SSECustomerKey *string `marshal-as:"blob" location:"header" locationName:"x-amz-server-side-encryption-customer-key" type:"string" sensitive:"true"`
 
 	// Specifies the 128-bit MD5 digest of the encryption key according to RFC 1321.
 	// Amazon S3 uses this header for a message integrity check to ensure that the
 	// encryption key was transmitted without error.
+	//
+	// This functionality is not supported for directory buckets.
 	SSECustomerKeyMD5 *string `location:"header" locationName:"x-amz-server-side-encryption-customer-key-MD5" type:"string"`
 
 	// Specifies the Amazon Web Services KMS Encryption Context to use for object
 	// encryption. The value of this header is a base64-encoded UTF-8 string holding
-	// JSON with the encryption context key-value pairs.
+	// JSON with the encryption context key-value pairs. This value is stored as
+	// object metadata and automatically gets passed on to Amazon Web Services KMS
+	// for future GetObject or CopyObject operations on this object. This value
+	// must be explicitly added during CopyObject operations.
+	//
+	// This functionality is not supported for directory buckets.
 	SSEKMSEncryptionContext *string `location:"header" locationName:"x-amz-server-side-encryption-context" type:"string" sensitive:"true"`
 
-	// If x-amz-server-side-encryption is present and has the value of aws:kms,
-	// this header specifies the ID of the Amazon Web Services Key Management Service
-	// (Amazon Web Services KMS) symmetrical customer managed key that was used
-	// for the object. If you specify x-amz-server-side-encryption:aws:kms, but
-	// do not providex-amz-server-side-encryption-aws-kms-key-id, Amazon S3 uses
-	// the Amazon Web Services managed key to protect the data. If the KMS key does
-	// not exist in the same account issuing the command, you must use the full
-	// ARN and not just the ID.
+	// If x-amz-server-side-encryption has a valid value of aws:kms or aws:kms:dsse,
+	// this header specifies the ID (Key ID, Key ARN, or Key Alias) of the Key Management
+	// Service (KMS) symmetric encryption customer managed key that was used for
+	// the object. If you specify x-amz-server-side-encryption:aws:kms or x-amz-server-side-encryption:aws:kms:dsse,
+	// but do not providex-amz-server-side-encryption-aws-kms-key-id, Amazon S3
+	// uses the Amazon Web Services managed key (aws/s3) to protect the data. If
+	// the KMS key does not exist in the same account that's issuing the command,
+	// you must use the full ARN and not just the ID.
+	//
+	// This functionality is not supported for directory buckets.
 	SSEKMSKeyId *string `location:"header" locationName:"x-amz-server-side-encryption-aws-kms-key-id" type:"string" sensitive:"true"`
 
-	// The server-side encryption algorithm used when storing this object in Amazon
-	// S3 (for example, AES256, aws:kms).
+	// The server-side encryption algorithm that was used when you store this object
+	// in Amazon S3 (for example, AES256, aws:kms, aws:kms:dsse).
+	//
+	// General purpose buckets - You have four mutually exclusive options to protect
+	// data using server-side encryption in Amazon S3, depending on how you choose
+	// to manage the encryption keys. Specifically, the encryption key options are
+	// Amazon S3 managed keys (SSE-S3), Amazon Web Services KMS keys (SSE-KMS or
+	// DSSE-KMS), and customer-provided keys (SSE-C). Amazon S3 encrypts data with
+	// server-side encryption by using Amazon S3 managed keys (SSE-S3) by default.
+	// You can optionally tell Amazon S3 to encrypt data at rest by using server-side
+	// encryption with other key options. For more information, see Using Server-Side
+	// Encryption (https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html)
+	// in the Amazon S3 User Guide.
+	//
+	// Directory buckets - For directory buckets, only the server-side encryption
+	// with Amazon S3 managed keys (SSE-S3) (AES256) value is supported.
 	ServerSideEncryption *string `location:"header" locationName:"x-amz-server-side-encryption" type:"string" enum:"ServerSideEncryption"`
 
 	// By default, Amazon S3 uses the STANDARD Storage Class to store newly created
 	// objects. The STANDARD storage class provides high durability and high availability.
 	// Depending on performance needs, you can specify a different Storage Class.
-	// Amazon S3 on Outposts only uses the OUTPOSTS Storage Class. For more information,
-	// see Storage Classes (https://docs.aws.amazon.com/AmazonS3/latest/dev/storage-class-intro.html)
+	// For more information, see Storage Classes (https://docs.aws.amazon.com/AmazonS3/latest/dev/storage-class-intro.html)
 	// in the Amazon S3 User Guide.
+	//
+	//    * For directory buckets, only the S3 Express One Zone storage class is
+	//    supported to store newly created objects.
+	//
+	//    * Amazon S3 on Outposts only uses the OUTPOSTS Storage Class.
 	StorageClass *string `location:"header" locationName:"x-amz-storage-class" type:"string" enum:"StorageClass"`
 
 	// The tag-set for the object. The tag-set must be encoded as URL Query parameters.
 	// (For example, "Key1=Value1")
+	//
+	// This functionality is not supported for directory buckets.
 	Tagging *string `location:"header" locationName:"x-amz-tagging" type:"string"`
 
 	// If the bucket is configured as a website, redirects requests for this object
 	// to another object in the same bucket or to an external URL. Amazon S3 stores
 	// the value of this header in the object metadata. For information about object
-	// metadata, see Object Key and Metadata (https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html).
+	// metadata, see Object Key and Metadata (https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html)
+	// in the Amazon S3 User Guide.
 	//
 	// In the following example, the request header sets the redirect to an object
 	// (anotherPage.html) in the same bucket:
@@ -257,6 +372,9 @@ type UploadInput struct {
 	//
 	// For more information about website hosting in Amazon S3, see Hosting Websites
 	// on Amazon S3 (https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteHosting.html)
-	// and How to Configure Website Page Redirects (https://docs.aws.amazon.com/AmazonS3/latest/dev/how-to-page-redirect.html).
+	// and How to Configure Website Page Redirects (https://docs.aws.amazon.com/AmazonS3/latest/dev/how-to-page-redirect.html)
+	// in the Amazon S3 User Guide.
+	//
+	// This functionality is not supported for directory buckets.
 	WebsiteRedirectLocation *string `location:"header" locationName:"x-amz-website-redirect-location" type:"string"`
 }

vendor/github.com/aws/aws-sdk-go/service/ssooidc/doc.go

@@ -0,0 +1,67 @@
+// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT.
+
+// Package ssooidc provides the client and types for making API
+// requests to AWS SSO OIDC.
+//
+// IAM Identity Center OpenID Connect (OIDC) is a web service that enables a
+// client (such as CLI or a native application) to register with IAM Identity
+// Center. The service also enables the client to fetch the user’s access
+// token upon successful authentication and authorization with IAM Identity
+// Center.
+//
+// IAM Identity Center uses the sso and identitystore API namespaces.
+//
+// # Considerations for Using This Guide
+//
+// Before you begin using this guide, we recommend that you first review the
+// following important information about how the IAM Identity Center OIDC service
+// works.
+//
+//   - The IAM Identity Center OIDC service currently implements only the portions
+//     of the OAuth 2.0 Device Authorization Grant standard (https://tools.ietf.org/html/rfc8628
+//     (https://tools.ietf.org/html/rfc8628)) that are necessary to enable single
+//     sign-on authentication with the CLI.
+//
+//   - With older versions of the CLI, the service only emits OIDC access tokens,
+//     so to obtain a new token, users must explicitly re-authenticate. To access
+//     the OIDC flow that supports token refresh and doesn’t require re-authentication,
+//     update to the latest CLI version (1.27.10 for CLI V1 and 2.9.0 for CLI
+//     V2) with support for OIDC token refresh and configurable IAM Identity
+//     Center session durations. For more information, see Configure Amazon Web
+//     Services access portal session duration (https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-user-session.html).
+//
+//   - The access tokens provided by this service grant access to all Amazon
+//     Web Services account entitlements assigned to an IAM Identity Center user,
+//     not just a particular application.
+//
+//   - The documentation in this guide does not describe the mechanism to convert
+//     the access token into Amazon Web Services Auth (“sigv4”) credentials
+//     for use with IAM-protected Amazon Web Services service endpoints. For
+//     more information, see GetRoleCredentials (https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/API_GetRoleCredentials.html)
+//     in the IAM Identity Center Portal API Reference Guide.
+//
+// For general information about IAM Identity Center, see What is IAM Identity
+// Center? (https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html)
+// in the IAM Identity Center User Guide.
+//
+// See https://docs.aws.amazon.com/goto/WebAPI/sso-oidc-2019-06-10 for more information on this service.
+//
+// See ssooidc package documentation for more information.
+// https://docs.aws.amazon.com/sdk-for-go/api/service/ssooidc/
+//
+// # Using the Client
+//
+// To contact AWS SSO OIDC with the SDK use the New function to create
+// a new service client. With that client you can make API requests to the service.
+// These clients are safe to use concurrently.
+//
+// See the SDK's documentation for more information on how to use the SDK.
+// https://docs.aws.amazon.com/sdk-for-go/api/
+//
+// See aws.Config documentation for more information on configuring SDK clients.
+// https://docs.aws.amazon.com/sdk-for-go/api/aws/#Config
+//
+// See the AWS SSO OIDC client SSOOIDC for more
+// information on creating client for this service.
+// https://docs.aws.amazon.com/sdk-for-go/api/service/ssooidc/#New
+package ssooidc

vendor/github.com/aws/aws-sdk-go/service/ssooidc/errors.go

@@ -0,0 +1,123 @@
+// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT.
+
+package ssooidc
+
+import (
+	"github.com/aws/aws-sdk-go/private/protocol"
+)
+
+const (
+
+	// ErrCodeAccessDeniedException for service response error code
+	// "AccessDeniedException".
+	//
+	// You do not have sufficient access to perform this action.
+	ErrCodeAccessDeniedException = "AccessDeniedException"
+
+	// ErrCodeAuthorizationPendingException for service response error code
+	// "AuthorizationPendingException".
+	//
+	// Indicates that a request to authorize a client with an access user session
+	// token is pending.
+	ErrCodeAuthorizationPendingException = "AuthorizationPendingException"
+
+	// ErrCodeExpiredTokenException for service response error code
+	// "ExpiredTokenException".
+	//
+	// Indicates that the token issued by the service is expired and is no longer
+	// valid.
+	ErrCodeExpiredTokenException = "ExpiredTokenException"
+
+	// ErrCodeInternalServerException for service response error code
+	// "InternalServerException".
+	//
+	// Indicates that an error from the service occurred while trying to process
+	// a request.
+	ErrCodeInternalServerException = "InternalServerException"
+
+	// ErrCodeInvalidClientException for service response error code
+	// "InvalidClientException".
+	//
+	// Indicates that the clientId or clientSecret in the request is invalid. For
+	// example, this can occur when a client sends an incorrect clientId or an expired
+	// clientSecret.
+	ErrCodeInvalidClientException = "InvalidClientException"
+
+	// ErrCodeInvalidClientMetadataException for service response error code
+	// "InvalidClientMetadataException".
+	//
+	// Indicates that the client information sent in the request during registration
+	// is invalid.
+	ErrCodeInvalidClientMetadataException = "InvalidClientMetadataException"
+
+	// ErrCodeInvalidGrantException for service response error code
+	// "InvalidGrantException".
+	//
+	// Indicates that a request contains an invalid grant. This can occur if a client
+	// makes a CreateToken request with an invalid grant type.
+	ErrCodeInvalidGrantException = "InvalidGrantException"
+
+	// ErrCodeInvalidRedirectUriException for service response error code
+	// "InvalidRedirectUriException".
+	//
+	// Indicates that one or more redirect URI in the request is not supported for
+	// this operation.
+	ErrCodeInvalidRedirectUriException = "InvalidRedirectUriException"
+
+	// ErrCodeInvalidRequestException for service response error code
+	// "InvalidRequestException".
+	//
+	// Indicates that something is wrong with the input to the request. For example,
+	// a required parameter might be missing or out of range.
+	ErrCodeInvalidRequestException = "InvalidRequestException"
+
+	// ErrCodeInvalidRequestRegionException for service response error code
+	// "InvalidRequestRegionException".
+	//
+	// Indicates that a token provided as input to the request was issued by and
+	// is only usable by calling IAM Identity Center endpoints in another region.
+	ErrCodeInvalidRequestRegionException = "InvalidRequestRegionException"
+
+	// ErrCodeInvalidScopeException for service response error code
+	// "InvalidScopeException".
+	//
+	// Indicates that the scope provided in the request is invalid.
+	ErrCodeInvalidScopeException = "InvalidScopeException"
+
+	// ErrCodeSlowDownException for service response error code
+	// "SlowDownException".
+	//
+	// Indicates that the client is making the request too frequently and is more
+	// than the service can handle.
+	ErrCodeSlowDownException = "SlowDownException"
+
+	// ErrCodeUnauthorizedClientException for service response error code
+	// "UnauthorizedClientException".
+	//
+	// Indicates that the client is not currently authorized to make the request.
+	// This can happen when a clientId is not issued for a public client.
+	ErrCodeUnauthorizedClientException = "UnauthorizedClientException"
+
+	// ErrCodeUnsupportedGrantTypeException for service response error code
+	// "UnsupportedGrantTypeException".
+	//
+	// Indicates that the grant type in the request is not supported by the service.
+	ErrCodeUnsupportedGrantTypeException = "UnsupportedGrantTypeException"
+)
+
+var exceptionFromCode = map[string]func(protocol.ResponseMetadata) error{
+	"AccessDeniedException":          newErrorAccessDeniedException,
+	"AuthorizationPendingException":  newErrorAuthorizationPendingException,
+	"ExpiredTokenException":          newErrorExpiredTokenException,
+	"InternalServerException":        newErrorInternalServerException,
+	"InvalidClientException":         newErrorInvalidClientException,
+	"InvalidClientMetadataException": newErrorInvalidClientMetadataException,
+	"InvalidGrantException":          newErrorInvalidGrantException,
+	"InvalidRedirectUriException":    newErrorInvalidRedirectUriException,
+	"InvalidRequestException":        newErrorInvalidRequestException,
+	"InvalidRequestRegionException":  newErrorInvalidRequestRegionException,
+	"InvalidScopeException":          newErrorInvalidScopeException,
+	"SlowDownException":              newErrorSlowDownException,
+	"UnauthorizedClientException":    newErrorUnauthorizedClientException,
+	"UnsupportedGrantTypeException":  newErrorUnsupportedGrantTypeException,
+}

vendor/github.com/aws/aws-sdk-go/service/ssooidc/service.go

@@ -0,0 +1,106 @@
+// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT.
+
+package ssooidc
+
+import (
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/client"
+	"github.com/aws/aws-sdk-go/aws/client/metadata"
+	"github.com/aws/aws-sdk-go/aws/request"
+	"github.com/aws/aws-sdk-go/aws/signer/v4"
+	"github.com/aws/aws-sdk-go/private/protocol"
+	"github.com/aws/aws-sdk-go/private/protocol/restjson"
+)
+
+// SSOOIDC provides the API operation methods for making requests to
+// AWS SSO OIDC. See this package's package overview docs
+// for details on the service.
+//
+// SSOOIDC methods are safe to use concurrently. It is not safe to
+// modify mutate any of the struct's properties though.
+type SSOOIDC struct {
+	*client.Client
+}
+
+// Used for custom client initialization logic
+var initClient func(*client.Client)
+
+// Used for custom request initialization logic
+var initRequest func(*request.Request)
+
+// Service information constants
+const (
+	ServiceName = "SSO OIDC" // Name of service.
+	EndpointsID = "oidc"     // ID to lookup a service endpoint with.
+	ServiceID   = "SSO OIDC" // ServiceID is a unique identifier of a specific service.
+)
+
+// New creates a new instance of the SSOOIDC client with a session.
+// If additional configuration is needed for the client instance use the optional
+// aws.Config parameter to add your extra config.
+//
+// Example:
+//
+//	mySession := session.Must(session.NewSession())
+//
+//	// Create a SSOOIDC client from just a session.
+//	svc := ssooidc.New(mySession)
+//
+//	// Create a SSOOIDC client with additional configuration
+//	svc := ssooidc.New(mySession, aws.NewConfig().WithRegion("us-west-2"))
+func New(p client.ConfigProvider, cfgs ...*aws.Config) *SSOOIDC {
+	c := p.ClientConfig(EndpointsID, cfgs...)
+	if c.SigningNameDerived || len(c.SigningName) == 0 {
+		c.SigningName = "sso-oauth"
+	}
+	return newClient(*c.Config, c.Handlers, c.PartitionID, c.Endpoint, c.SigningRegion, c.SigningName, c.ResolvedRegion)
+}
+
+// newClient creates, initializes and returns a new service client instance.
+func newClient(cfg aws.Config, handlers request.Handlers, partitionID, endpoint, signingRegion, signingName, resolvedRegion string) *SSOOIDC {
+	svc := &SSOOIDC{
+		Client: client.New(
+			cfg,
+			metadata.ClientInfo{
+				ServiceName:    ServiceName,
+				ServiceID:      ServiceID,
+				SigningName:    signingName,
+				SigningRegion:  signingRegion,
+				PartitionID:    partitionID,
+				Endpoint:       endpoint,
+				APIVersion:     "2019-06-10",
+				ResolvedRegion: resolvedRegion,
+			},
+			handlers,
+		),
+	}
+
+	// Handlers
+	svc.Handlers.Sign.PushBackNamed(v4.SignRequestHandler)
+	svc.Handlers.Build.PushBackNamed(restjson.BuildHandler)
+	svc.Handlers.Unmarshal.PushBackNamed(restjson.UnmarshalHandler)
+	svc.Handlers.UnmarshalMeta.PushBackNamed(restjson.UnmarshalMetaHandler)
+	svc.Handlers.UnmarshalError.PushBackNamed(
+		protocol.NewUnmarshalErrorHandler(restjson.NewUnmarshalTypedError(exceptionFromCode)).NamedHandler(),
+	)
+
+	// Run custom client initialization if present
+	if initClient != nil {
+		initClient(svc.Client)
+	}
+
+	return svc
+}
+
+// newRequest creates a new request for a SSOOIDC operation and runs any
+// custom request initialization.
+func (c *SSOOIDC) newRequest(op *request.Operation, params, data interface{}) *request.Request {
+	req := c.NewRequest(op, params, data)
+
+	// Run custom request initialization if present
+	if initRequest != nil {
+		initRequest(req)
+	}
+
+	return req
+}

vendor/github.com/aws/aws-sdk-go/service/sts/api.go

@@ -85,9 +85,9 @@ func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, o
 // assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
 // in the IAM User Guide.
 //
-// When you create a role, you create two policies: A role trust policy that
-// specifies who can assume the role and a permissions policy that specifies
-// what can be done with the role. You specify the trusted principal who is
+// When you create a role, you create two policies: a role trust policy that
+// specifies who can assume the role, and a permissions policy that specifies
+// what can be done with the role. You specify the trusted principal that is
 // allowed to assume the role in the role trust policy.
 //
 // To assume a role from a different account, your Amazon Web Services account
@@ -96,9 +96,9 @@ func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, o
 // are allowed to delegate that access to users in the account.
 //
 // A user who wants to access a role in a different account must also have permissions
-// that are delegated from the user account administrator. The administrator
-// must attach a policy that allows the user to call AssumeRole for the ARN
-// of the role in the other account.
+// that are delegated from the account administrator. The administrator must
+// attach a policy that allows the user to call AssumeRole for the ARN of the
+// role in the other account.
 //
 // To allow a user to assume a role in the same account, you can do either of
 // the following:
@@ -517,10 +517,8 @@ func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityI
 // a user. You can also supply the user with a consistent identity throughout
 // the lifetime of an application.
 //
-// To learn more about Amazon Cognito, see Amazon Cognito Overview (https://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840)
-// in Amazon Web Services SDK for Android Developer Guide and Amazon Cognito
-// Overview (https://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664)
-// in the Amazon Web Services SDK for iOS Developer Guide.
+// To learn more about Amazon Cognito, see Amazon Cognito identity pools (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html)
+// in Amazon Cognito Developer Guide.
 //
 // Calling AssumeRoleWithWebIdentity does not require the use of Amazon Web
 // Services security credentials. Therefore, you can distribute an application
@@ -984,11 +982,11 @@ func (c *STS) GetCallerIdentityRequest(input *GetCallerIdentityInput) (req *requ
 // call the operation.
 //
 // No permissions are required to perform this operation. If an administrator
-// adds a policy to your IAM user or role that explicitly denies access to the
-// sts:GetCallerIdentity action, you can still perform this operation. Permissions
-// are not required because the same information is returned when an IAM user
-// or role is denied access. To view an example response, see I Am Not Authorized
-// to Perform: iam:DeleteVirtualMFADevice (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa)
+// attaches a policy to your identity that explicitly denies access to the sts:GetCallerIdentity
+// action, you can still perform this operation. Permissions are not required
+// because the same information is returned when access is denied. To view an
+// example response, see I Am Not Authorized to Perform: iam:DeleteVirtualMFADevice
+// (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa)
 // in the IAM User Guide.
 //
 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
@@ -1063,18 +1061,26 @@ func (c *STS) GetFederationTokenRequest(input *GetFederationTokenInput) (req *re
 // GetFederationToken API operation for AWS Security Token Service.
 //
 // Returns a set of temporary security credentials (consisting of an access
-// key ID, a secret access key, and a security token) for a federated user.
-// A typical use is in a proxy application that gets temporary security credentials
-// on behalf of distributed applications inside a corporate network. You must
-// call the GetFederationToken operation using the long-term security credentials
-// of an IAM user. As a result, this call is appropriate in contexts where those
-// credentials can be safely stored, usually in a server-based application.
+// key ID, a secret access key, and a security token) for a user. A typical
+// use is in a proxy application that gets temporary security credentials on
+// behalf of distributed applications inside a corporate network.
+//
+// You must call the GetFederationToken operation using the long-term security
+// credentials of an IAM user. As a result, this call is appropriate in contexts
+// where those credentials can be safeguarded, usually in a server-based application.
 // For a comparison of GetFederationToken with the other API operations that
 // produce temporary credentials, see Requesting Temporary Security Credentials
 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
 // and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
 // in the IAM User Guide.
 //
+// Although it is possible to call GetFederationToken using the security credentials
+// of an Amazon Web Services account root user rather than an IAM user that
+// you create for the purpose of a proxy application, we do not recommend it.
+// For more information, see Safeguard your root user credentials and don't
+// use them for everyday tasks (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)
+// in the IAM User Guide.
+//
 // You can create a mobile-based or browser-based app that can authenticate
 // users using a web identity provider like Login with Amazon, Facebook, Google,
 // or an OpenID Connect-compatible identity provider. In this case, we recommend
@@ -1083,21 +1089,13 @@ func (c *STS) GetFederationTokenRequest(input *GetFederationTokenInput) (req *re
 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity)
 // in the IAM User Guide.
 //
-// You can also call GetFederationToken using the security credentials of an
-// Amazon Web Services account root user, but we do not recommend it. Instead,
-// we recommend that you create an IAM user for the purpose of the proxy application.
-// Then attach a policy to the IAM user that limits federated users to only
-// the actions and resources that they need to access. For more information,
-// see IAM Best Practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)
-// in the IAM User Guide.
-//
 // # Session duration
 //
 // The temporary credentials are valid for the specified duration, from 900
 // seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default
 // session duration is 43,200 seconds (12 hours). Temporary credentials obtained
-// by using the Amazon Web Services account root user credentials have a maximum
-// duration of 3,600 seconds (1 hour).
+// by using the root user credentials have a maximum duration of 3,600 seconds
+// (1 hour).
 //
 // # Permissions
 //
@@ -1267,12 +1265,13 @@ func (c *STS) GetSessionTokenRequest(input *GetSessionTokenInput) (req *request.
 // or IAM user. The credentials consist of an access key ID, a secret access
 // key, and a security token. Typically, you use GetSessionToken if you want
 // to use MFA to protect programmatic calls to specific Amazon Web Services
-// API operations like Amazon EC2 StopInstances. MFA-enabled IAM users would
-// need to call GetSessionToken and submit an MFA code that is associated with
-// their MFA device. Using the temporary security credentials that are returned
-// from the call, IAM users can then make programmatic calls to API operations
-// that require MFA authentication. If you do not supply a correct MFA code,
-// then the API returns an access denied error. For a comparison of GetSessionToken
+// API operations like Amazon EC2 StopInstances.
+//
+// MFA-enabled IAM users must call GetSessionToken and submit an MFA code that
+// is associated with their MFA device. Using the temporary security credentials
+// that the call returns, IAM users can then make programmatic calls to API
+// operations that require MFA authentication. An incorrect MFA code causes
+// the API to return an access denied error. For a comparison of GetSessionToken
 // with the other API operations that produce temporary credentials, see Requesting
 // Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
 // and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
@@ -1287,13 +1286,12 @@ func (c *STS) GetSessionTokenRequest(input *GetSessionTokenInput) (req *request.
 // # Session Duration
 //
 // The GetSessionToken operation must be called by using the long-term Amazon
-// Web Services security credentials of the Amazon Web Services account root
-// user or an IAM user. Credentials that are created by IAM users are valid
-// for the duration that you specify. This duration can range from 900 seconds
-// (15 minutes) up to a maximum of 129,600 seconds (36 hours), with a default
-// of 43,200 seconds (12 hours). Credentials based on account credentials can
-// range from 900 seconds (15 minutes) up to 3,600 seconds (1 hour), with a
-// default of 1 hour.
+// Web Services security credentials of an IAM user. Credentials that are created
+// by IAM users are valid for the duration that you specify. This duration can
+// range from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36
+// hours), with a default of 43,200 seconds (12 hours). Credentials based on
+// account credentials can range from 900 seconds (15 minutes) up to 3,600 seconds
+// (1 hour), with a default of 1 hour.
 //
 // # Permissions
 //
@@ -1305,20 +1303,20 @@ func (c *STS) GetSessionTokenRequest(input *GetSessionTokenInput) (req *request.
 //
 //   - You cannot call any STS API except AssumeRole or GetCallerIdentity.
 //
-// We recommend that you do not call GetSessionToken with Amazon Web Services
-// account root user credentials. Instead, follow our best practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users)
-// by creating one or more IAM users, giving them the necessary permissions,
-// and using IAM users for everyday interaction with Amazon Web Services.
+// The credentials that GetSessionToken returns are based on permissions associated
+// with the IAM user whose credentials were used to call the operation. The
+// temporary credentials have the same permissions as the IAM user.
 //
-// The credentials that are returned by GetSessionToken are based on permissions
-// associated with the user whose credentials were used to call the operation.
-// If GetSessionToken is called using Amazon Web Services account root user
-// credentials, the temporary credentials have root user permissions. Similarly,
-// if GetSessionToken is called using the credentials of an IAM user, the temporary
-// credentials have the same permissions as the IAM user.
+// Although it is possible to call GetSessionToken using the security credentials
+// of an Amazon Web Services account root user rather than an IAM user, we do
+// not recommend it. If GetSessionToken is called using root user credentials,
+// the temporary credentials have root user permissions. For more information,
+// see Safeguard your root user credentials and don't use them for everyday
+// tasks (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)
+// in the IAM User Guide
 //
 // For more information about using GetSessionToken to create temporary credentials,
-// go to Temporary Credentials for Users in Untrusted Environments (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken)
+// see Temporary Credentials for Users in Untrusted Environments (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken)
 // in the IAM User Guide.
 //
 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
@@ -1462,6 +1460,17 @@ type AssumeRoleInput struct {
 	// in the IAM User Guide.
 	PolicyArns []*PolicyDescriptorType `type:"list"`
 
+	// A list of previously acquired trusted context assertions in the format of
+	// a JSON array. The trusted context assertion is signed and encrypted by Amazon
+	// Web Services STS.
+	//
+	// The following is an example of a ProvidedContext value that includes a single
+	// trusted context assertion and the ARN of the context provider from which
+	// the trusted context assertion was generated.
+	//
+	// [{"ProviderArn":"arn:aws:iam::aws:contextProvider/IdentityCenter","ContextAssertion":"trusted-context-assertion"}]
+	ProvidedContexts []*ProvidedContext `type:"list"`
+
 	// The Amazon Resource Name (ARN) of the role to assume.
 	//
 	// RoleArn is a required field
@@ -1635,6 +1644,16 @@ func (s *AssumeRoleInput) Validate() error {
 			}
 		}
 	}
+	if s.ProvidedContexts != nil {
+		for i, v := range s.ProvidedContexts {
+			if v == nil {
+				continue
+			}
+			if err := v.Validate(); err != nil {
+				invalidParams.AddNested(fmt.Sprintf("%s[%v]", "ProvidedContexts", i), err.(request.ErrInvalidParams))
+			}
+		}
+	}
 	if s.Tags != nil {
 		for i, v := range s.Tags {
 			if v == nil {
@@ -1676,6 +1695,12 @@ func (s *AssumeRoleInput) SetPolicyArns(v []*PolicyDescriptorType) *AssumeRoleIn
 	return s
 }
 
+// SetProvidedContexts sets the ProvidedContexts field's value.
+func (s *AssumeRoleInput) SetProvidedContexts(v []*ProvidedContext) *AssumeRoleInput {
+	s.ProvidedContexts = v
+	return s
+}
+
 // SetRoleArn sets the RoleArn field's value.
 func (s *AssumeRoleInput) SetRoleArn(v string) *AssumeRoleInput {
 	s.RoleArn = &v
@@ -1900,8 +1925,12 @@ type AssumeRoleWithSAMLInput struct {
 	// For more information, see Configuring a Relying Party and Adding Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html)
 	// in the IAM User Guide.
 	//
+	// SAMLAssertion is a sensitive parameter and its value will be
+	// replaced with "sensitive" in string returned by AssumeRoleWithSAMLInput's
+	// String and GoString methods.
+	//
 	// SAMLAssertion is a required field
-	SAMLAssertion *string `min:"4" type:"string" required:"true"`
+	SAMLAssertion *string `min:"4" type:"string" required:"true" sensitive:"true"`
 }
 
 // String returns the string representation.
@@ -2036,7 +2065,7 @@ type AssumeRoleWithSAMLOutput struct {
 	//    IAM.
 	//
 	// The combination of NameQualifier and Subject can be used to uniquely identify
-	// a federated user.
+	// a user.
 	//
 	// The following pseudocode shows how the hash value is calculated:
 	//
@@ -2264,10 +2293,15 @@ type AssumeRoleWithWebIdentityInput struct {
 	// The OAuth 2.0 access token or OpenID Connect ID token that is provided by
 	// the identity provider. Your application must get this token by authenticating
 	// the user who is using your application with a web identity provider before
-	// the application makes an AssumeRoleWithWebIdentity call.
+	// the application makes an AssumeRoleWithWebIdentity call. Only tokens with
+	// RSA algorithms (RS256) are supported.
+	//
+	// WebIdentityToken is a sensitive parameter and its value will be
+	// replaced with "sensitive" in string returned by AssumeRoleWithWebIdentityInput's
+	// String and GoString methods.
 	//
 	// WebIdentityToken is a required field
-	WebIdentityToken *string `min:"4" type:"string" required:"true"`
+	WebIdentityToken *string `min:"4" type:"string" required:"true" sensitive:"true"`
 }
 
 // String returns the string representation.
@@ -2573,8 +2607,12 @@ type Credentials struct {
 
 	// The secret access key that can be used to sign requests.
 	//
+	// SecretAccessKey is a sensitive parameter and its value will be
+	// replaced with "sensitive" in string returned by Credentials's
+	// String and GoString methods.
+	//
 	// SecretAccessKey is a required field
-	SecretAccessKey *string `type:"string" required:"true"`
+	SecretAccessKey *string `type:"string" required:"true" sensitive:"true"`
 
 	// The token that users must pass to the service API to use the temporary credentials.
 	//
@@ -2922,10 +2960,9 @@ type GetFederationTokenInput struct {
 	// The duration, in seconds, that the session should last. Acceptable durations
 	// for federation sessions range from 900 seconds (15 minutes) to 129,600 seconds
 	// (36 hours), with 43,200 seconds (12 hours) as the default. Sessions obtained
-	// using Amazon Web Services account root user credentials are restricted to
-	// a maximum of 3,600 seconds (one hour). If the specified duration is longer
-	// than one hour, the session obtained by using root user credentials defaults
-	// to one hour.
+	// using root user credentials are restricted to a maximum of 3,600 seconds
+	// (one hour). If the specified duration is longer than one hour, the session
+	// obtained by using root user credentials defaults to one hour.
 	DurationSeconds *int64 `min:"900" type:"integer"`
 
 	// The name of the federated user. The name is used as an identifier for the
@@ -3376,6 +3413,67 @@ func (s *PolicyDescriptorType) SetArn(v string) *PolicyDescriptorType {
 	return s
 }
 
+// Contains information about the provided context. This includes the signed
+// and encrypted trusted context assertion and the context provider ARN from
+// which the trusted context assertion was generated.
+type ProvidedContext struct {
+	_ struct{} `type:"structure"`
+
+	// The signed and encrypted trusted context assertion generated by the context
+	// provider. The trusted context assertion is signed and encrypted by Amazon
+	// Web Services STS.
+	ContextAssertion *string `min:"4" type:"string"`
+
+	// The context provider ARN from which the trusted context assertion was generated.
+	ProviderArn *string `min:"20" type:"string"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s ProvidedContext) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s ProvidedContext) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *ProvidedContext) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "ProvidedContext"}
+	if s.ContextAssertion != nil && len(*s.ContextAssertion) < 4 {
+		invalidParams.Add(request.NewErrParamMinLen("ContextAssertion", 4))
+	}
+	if s.ProviderArn != nil && len(*s.ProviderArn) < 20 {
+		invalidParams.Add(request.NewErrParamMinLen("ProviderArn", 20))
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetContextAssertion sets the ContextAssertion field's value.
+func (s *ProvidedContext) SetContextAssertion(v string) *ProvidedContext {
+	s.ContextAssertion = &v
+	return s
+}
+
+// SetProviderArn sets the ProviderArn field's value.
+func (s *ProvidedContext) SetProviderArn(v string) *ProvidedContext {
+	s.ProviderArn = &v
+	return s
+}
+
 // You can pass custom key-value pair attributes when you assume a role or federate
 // a user. These are called session tags. You can then use the session tags
 // to control access to resources. For more information, see Tagging Amazon

vendor/github.com/aws/aws-sdk-go/service/sts/doc.go

@@ -4,10 +4,9 @@
 // requests to AWS Security Token Service.
 //
 // Security Token Service (STS) enables you to request temporary, limited-privilege
-// credentials for Identity and Access Management (IAM) users or for users that
-// you authenticate (federated users). This guide provides descriptions of the
-// STS API. For more information about using this service, see Temporary Security
-// Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html).
+// credentials for users. This guide provides descriptions of the STS API. For
+// more information about using this service, see Temporary Security Credentials
+// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html).
 //
 // See https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15 for more information on this service.
 //