4 files changed, 602 insertions, 280 deletions
diff --git a/vendor/github.com/aws/aws-sdk-go/aws/session/credentials.go b/vendor/github.com/aws/aws-sdk-go/aws/session/credentials.go
new file mode 100644
index 0000000..ce41518
--- /dev/null
+++ b/vendor/github.com/aws/aws-sdk-go/aws/session/credentials.go
@@ -0,0 +1,258 @@
+package session
+import (
+        "fmt"
+        "os"
+        "github.com/aws/aws-sdk-go/aws"
+        "github.com/aws/aws-sdk-go/aws/awserr"
+        "github.com/aws/aws-sdk-go/aws/credentials"
+        "github.com/aws/aws-sdk-go/aws/credentials/processcreds"
+        "github.com/aws/aws-sdk-go/aws/credentials/stscreds"
+        "github.com/aws/aws-sdk-go/aws/defaults"
+        "github.com/aws/aws-sdk-go/aws/request"
+        "github.com/aws/aws-sdk-go/internal/shareddefaults"
+)
+func resolveCredentials(cfg *aws.Config,
+        envCfg envConfig, sharedCfg sharedConfig,
+        handlers request.Handlers,
+        sessOpts Options,
+) (*credentials.Credentials, error) {
+        switch {
+        case len(envCfg.Profile) != 0:
+                // User explicitly provided an Profile, so load from shared config
+                // first.
+                return resolveCredsFromProfile(cfg, envCfg, sharedCfg, handlers, sessOpts)
+        case envCfg.Creds.HasKeys():
+                // Environment credentials
+                return credentials.NewStaticCredentialsFromCreds(envCfg.Creds), nil
+        case len(envCfg.WebIdentityTokenFilePath) != 0:
+                // Web identity token from environment, RoleARN required to also be
+                // set.
+                return assumeWebIdentity(cfg, handlers,
+                        envCfg.WebIdentityTokenFilePath,
+                        envCfg.RoleARN,
+                        envCfg.RoleSessionName,
+                )
+        default:
+                // Fallback to the "default" credential resolution chain.
+                return resolveCredsFromProfile(cfg, envCfg, sharedCfg, handlers, sessOpts)
+        }
+}
+// WebIdentityEmptyRoleARNErr will occur if 'AWS_WEB_IDENTITY_TOKEN_FILE' was set but
+// 'AWS_IAM_ROLE_ARN' was not set.
+var WebIdentityEmptyRoleARNErr = awserr.New(stscreds.ErrCodeWebIdentity, "role ARN is not set", nil)
+// WebIdentityEmptyTokenFilePathErr will occur if 'AWS_IAM_ROLE_ARN' was set but
+// 'AWS_WEB_IDENTITY_TOKEN_FILE' was not set.
+var WebIdentityEmptyTokenFilePathErr = awserr.New(stscreds.ErrCodeWebIdentity, "token file path is not set", nil)
+func assumeWebIdentity(cfg *aws.Config, handlers request.Handlers,
+        filepath string,
+        roleARN, sessionName string,
+) (*credentials.Credentials, error) {
+        if len(filepath) == 0 {
+                return nil, WebIdentityEmptyTokenFilePathErr
+        }
+        if len(roleARN) == 0 {
+                return nil, WebIdentityEmptyRoleARNErr
+        }
+        creds := stscreds.NewWebIdentityCredentials(
+                &Session{
+                        Config:   cfg,
+                        Handlers: handlers.Copy(),
+                },
+                roleARN,
+                sessionName,
+                filepath,
+        )
+        return creds, nil
+}
+func resolveCredsFromProfile(cfg *aws.Config,
+        envCfg envConfig, sharedCfg sharedConfig,
+        handlers request.Handlers,
+        sessOpts Options,
+) (creds *credentials.Credentials, err error) {
+        switch {
+        case sharedCfg.SourceProfile != nil:
+                // Assume IAM role with credentials source from a different profile.
+                creds, err = resolveCredsFromProfile(cfg, envCfg,
+                        *sharedCfg.SourceProfile, handlers, sessOpts,
+                )
+        case sharedCfg.Creds.HasKeys():
+                // Static Credentials from Shared Config/Credentials file.
+                creds = credentials.NewStaticCredentialsFromCreds(
+                        sharedCfg.Creds,
+                )
+        case len(sharedCfg.CredentialProcess) != 0:
+                // Get credentials from CredentialProcess
+                creds = processcreds.NewCredentials(sharedCfg.CredentialProcess)
+        case len(sharedCfg.CredentialSource) != 0:
+                creds, err = resolveCredsFromSource(cfg, envCfg,
+                        sharedCfg, handlers, sessOpts,
+                )
+        case len(sharedCfg.WebIdentityTokenFile) != 0:
+                // Credentials from Assume Web Identity token require an IAM Role, and
+                // that roll will be assumed. May be wrapped with another assume role
+                // via SourceProfile.
+                return assumeWebIdentity(cfg, handlers,
+                        sharedCfg.WebIdentityTokenFile,
+                        sharedCfg.RoleARN,
+                        sharedCfg.RoleSessionName,
+                )
+        default:
+                // Fallback to default credentials provider, include mock errors for
+                // the credential chain so user can identify why credentials failed to
+                // be retrieved.
+                creds = credentials.NewCredentials(&credentials.ChainProvider{
+                        VerboseErrors: aws.BoolValue(cfg.CredentialsChainVerboseErrors),
+                        Providers: []credentials.Provider{
+                                &credProviderError{
+                                        Err: awserr.New("EnvAccessKeyNotFound",
+                                                "failed to find credentials in the environment.", nil),
+                                },
+                                &credProviderError{
+                                        Err: awserr.New("SharedCredsLoad",
+                                                fmt.Sprintf("failed to load profile, %s.", envCfg.Profile), nil),
+                                },
+                                defaults.RemoteCredProvider(*cfg, handlers),
+                        },
+                })
+        }
+        if err != nil {
+                return nil, err
+        }
+        if len(sharedCfg.RoleARN) > 0 {
+                cfgCp := *cfg
+                cfgCp.Credentials = creds
+                return credsFromAssumeRole(cfgCp, handlers, sharedCfg, sessOpts)
+        }
+        return creds, nil
+}
+// valid credential source values
+const (
+        credSourceEc2Metadata  = "Ec2InstanceMetadata"
+        credSourceEnvironment  = "Environment"
+        credSourceECSContainer = "EcsContainer"
+)
+func resolveCredsFromSource(cfg *aws.Config,
+        envCfg envConfig, sharedCfg sharedConfig,
+        handlers request.Handlers,
+        sessOpts Options,
+) (creds *credentials.Credentials, err error) {
+        switch sharedCfg.CredentialSource {
+        case credSourceEc2Metadata:
+                p := defaults.RemoteCredProvider(*cfg, handlers)
+                creds = credentials.NewCredentials(p)
+        case credSourceEnvironment:
+                creds = credentials.NewStaticCredentialsFromCreds(envCfg.Creds)
+        case credSourceECSContainer:
+                if len(os.Getenv(shareddefaults.ECSCredsProviderEnvVar)) == 0 {
+                        return nil, ErrSharedConfigECSContainerEnvVarEmpty
+                }
+                p := defaults.RemoteCredProvider(*cfg, handlers)
+                creds = credentials.NewCredentials(p)
+        default:
+                return nil, ErrSharedConfigInvalidCredSource
+        }
+        return creds, nil
+}
+func credsFromAssumeRole(cfg aws.Config,
+        handlers request.Handlers,
+        sharedCfg sharedConfig,
+        sessOpts Options,
+) (*credentials.Credentials, error) {
+        if len(sharedCfg.MFASerial) != 0 && sessOpts.AssumeRoleTokenProvider == nil {
+                // AssumeRole Token provider is required if doing Assume Role
+                // with MFA.
+                return nil, AssumeRoleTokenProviderNotSetError{}
+        }
+        return stscreds.NewCredentials(
+                &Session{
+                        Config:   &cfg,
+                        Handlers: handlers.Copy(),
+                },
+                sharedCfg.RoleARN,
+                func(opt *stscreds.AssumeRoleProvider) {
+                        opt.RoleSessionName = sharedCfg.RoleSessionName
+                        opt.Duration = sessOpts.AssumeRoleDuration
+                        // Assume role with external ID
+                        if len(sharedCfg.ExternalID) > 0 {
+                                opt.ExternalID = aws.String(sharedCfg.ExternalID)
+                        }
+                        // Assume role with MFA
+                        if len(sharedCfg.MFASerial) > 0 {
+                                opt.SerialNumber = aws.String(sharedCfg.MFASerial)
+                                opt.TokenProvider = sessOpts.AssumeRoleTokenProvider
+                        }
+                },
+        ), nil
+}
+// AssumeRoleTokenProviderNotSetError is an error returned when creating a
+// session when the MFAToken option is not set when shared config is configured
+// load assume a role with an MFA token.
+type AssumeRoleTokenProviderNotSetError struct{}
+// Code is the short id of the error.
+func (e AssumeRoleTokenProviderNotSetError) Code() string {
+        return "AssumeRoleTokenProviderNotSetError"
+}
+// Message is the description of the error
+func (e AssumeRoleTokenProviderNotSetError) Message() string {
+        return fmt.Sprintf("assume role with MFA enabled, but AssumeRoleTokenProvider session option not set.")
+}
+// OrigErr is the underlying error that caused the failure.
+func (e AssumeRoleTokenProviderNotSetError) OrigErr() error {
+        return nil
+}
+// Error satisfies the error interface.
+func (e AssumeRoleTokenProviderNotSetError) Error() string {
+        return awserr.SprintError(e.Code(), e.Message(), "", nil)
+}
+type credProviderError struct {
+        Err error
+}
+func (c credProviderError) Retrieve() (credentials.Value, error) {
+        return credentials.Value{}, c.Err
+}
+func (c credProviderError) IsExpired() bool {
+        return true
+}
diff --git a/vendor/github.com/aws/aws-sdk-go/aws/session/env_config.go b/vendor/github.com/aws/aws-sdk-go/aws/session/env_config.go
index e3959b9..3a998d5 100644
--- a/vendor/github.com/aws/aws-sdk-go/aws/session/env_config.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/session/env_config.go
@@ -102,18 +102,38 @@ type envConfig struct {
        CSMEnabled  bool
        CSMPort     string
        CSMClientID string
+        CSMHost     string
-        enableEndpointDiscovery string
        // Enables endpoint discovery via environment variables.
        //
        //      AWS_ENABLE_ENDPOINT_DISCOVERY=true
        EnableEndpointDiscovery *bool
+        enableEndpointDiscovery string
+        // Specifies the WebIdentity token the SDK should use to assume a role
+        // with.
+        //
+        //  AWS_WEB_IDENTITY_TOKEN_FILE=file_path
+        WebIdentityTokenFilePath string
+        // Specifies the IAM role arn to use when assuming an role.
+        //
+        //  AWS_ROLE_ARN=role_arn
+        RoleARN string
+        // Specifies the IAM role session name to use when assuming a role.
+        //
+        //  AWS_ROLE_SESSION_NAME=session_name
+        RoleSessionName string
 }
 var (
        csmEnabledEnvKey = []string{
                "AWS_CSM_ENABLED",
        }
+        csmHostEnvKey = []string{
+                "AWS_CSM_HOST",
+        }
        csmPortEnvKey = []string{
                "AWS_CSM_PORT",
        }
@@ -150,6 +170,15 @@ var (
        sharedConfigFileEnvKey = []string{
                "AWS_CONFIG_FILE",
        }
+        webIdentityTokenFilePathEnvKey = []string{
+                "AWS_WEB_IDENTITY_TOKEN_FILE",
+        }
+        roleARNEnvKey = []string{
+                "AWS_ROLE_ARN",
+        }
+        roleSessionNameEnvKey = []string{
+                "AWS_ROLE_SESSION_NAME",
+        }
 )
 // loadEnvConfig retrieves the SDK's environment configuration.
@@ -178,23 +207,31 @@ func envConfigLoad(enableSharedConfig bool) envConfig {
        cfg.EnableSharedConfig = enableSharedConfig
-        setFromEnvVal(&cfg.Creds.AccessKeyID, credAccessEnvKey)
+        // Static environment credentials
-        setFromEnvVal(&cfg.Creds.SecretAccessKey, credSecretEnvKey)
+        var creds credentials.Value
-        setFromEnvVal(&cfg.Creds.SessionToken, credSessionEnvKey)
+        setFromEnvVal(&creds.AccessKeyID, credAccessEnvKey)
+        setFromEnvVal(&creds.SecretAccessKey, credSecretEnvKey)
+        setFromEnvVal(&creds.SessionToken, credSessionEnvKey)
+        if creds.HasKeys() {
+                // Require logical grouping of credentials
+                creds.ProviderName = EnvProviderName
+                cfg.Creds = creds
+        }
+        // Role Metadata
+        setFromEnvVal(&cfg.RoleARN, roleARNEnvKey)
+        setFromEnvVal(&cfg.RoleSessionName, roleSessionNameEnvKey)
+        // Web identity environment variables
+        setFromEnvVal(&cfg.WebIdentityTokenFilePath, webIdentityTokenFilePathEnvKey)
        // CSM environment variables
        setFromEnvVal(&cfg.csmEnabled, csmEnabledEnvKey)
+        setFromEnvVal(&cfg.CSMHost, csmHostEnvKey)
        setFromEnvVal(&cfg.CSMPort, csmPortEnvKey)
        setFromEnvVal(&cfg.CSMClientID, csmClientIDEnvKey)
        cfg.CSMEnabled = len(cfg.csmEnabled) > 0
-        // Require logical grouping of credentials
-        if len(cfg.Creds.AccessKeyID) == 0 || len(cfg.Creds.SecretAccessKey) == 0 {
-                cfg.Creds = credentials.Value{}
-        } else {
-                cfg.Creds.ProviderName = EnvProviderName
-        }
        regionKeys := regionEnvKeys
        profileKeys := profileEnvKeys
        if !cfg.EnableSharedConfig {
diff --git a/vendor/github.com/aws/aws-sdk-go/aws/session/session.go b/vendor/github.com/aws/aws-sdk-go/aws/session/session.go
index be4b5f0..3a28da5 100644
--- a/vendor/github.com/aws/aws-sdk-go/aws/session/session.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/session/session.go
@@ -8,19 +8,17 @@ import (
        "io/ioutil"
        "net/http"
        "os"
+        "time"
        "github.com/aws/aws-sdk-go/aws"
        "github.com/aws/aws-sdk-go/aws/awserr"
        "github.com/aws/aws-sdk-go/aws/client"
        "github.com/aws/aws-sdk-go/aws/corehandlers"
        "github.com/aws/aws-sdk-go/aws/credentials"
-        "github.com/aws/aws-sdk-go/aws/credentials/processcreds"
-        "github.com/aws/aws-sdk-go/aws/credentials/stscreds"
        "github.com/aws/aws-sdk-go/aws/csm"
        "github.com/aws/aws-sdk-go/aws/defaults"
        "github.com/aws/aws-sdk-go/aws/endpoints"
        "github.com/aws/aws-sdk-go/aws/request"
-        "github.com/aws/aws-sdk-go/internal/shareddefaults"
 )
 const (
@@ -107,7 +105,15 @@ func New(cfgs ...*aws.Config) *Session {
        s := deprecatedNewSession(cfgs...)
        if envCfg.CSMEnabled {
-                enableCSM(&s.Handlers, envCfg.CSMClientID, envCfg.CSMPort, s.Config.Logger)
+                err := enableCSM(&s.Handlers, envCfg.CSMClientID,
+                        envCfg.CSMHost, envCfg.CSMPort, s.Config.Logger)
+                if err != nil {
+                        err = fmt.Errorf("failed to enable CSM, %v", err)
+                        s.Config.Logger.Log("ERROR:", err.Error())
+                        s.Handlers.Validate.PushBack(func(r *request.Request) {
+                                r.Error = err
+                        })
+                }
        }
        return s
@@ -210,6 +216,12 @@ type Options struct {
        // the config enables assume role wit MFA via the mfa_serial field.
        AssumeRoleTokenProvider func() (string, error)
+        // When the SDK's shared config is configured to assume a role this option
+        // may be provided to set the expiry duration of the STS credentials.
+        // Defaults to 15 minutes if not set as documented in the
+        // stscreds.AssumeRoleProvider.
+        AssumeRoleDuration time.Duration
        // Reader for a custom Credentials Authority (CA) bundle in PEM format that
        // the SDK will use instead of the default system's root CA bundle. Use this
        // only if you want to replace the CA bundle the SDK uses for TLS requests.
@@ -224,6 +236,12 @@ type Options struct {
        // to also enable this feature. CustomCABundle session option field has priority
        // over the AWS_CA_BUNDLE environment variable, and will be used if both are set.
        CustomCABundle io.Reader
+        // The handlers that the session and all API clients will be created with.
+        // This must be a complete set of handlers. Use the defaults.Handlers()
+        // function to initialize this value before changing the handlers to be
+        // used by the SDK.
+        Handlers request.Handlers
 }
 // NewSessionWithOptions returns a new Session created from SDK defaults, config files,
@@ -329,27 +347,36 @@ func deprecatedNewSession(cfgs ...*aws.Config) *Session {
        return s
 }
-func enableCSM(handlers *request.Handlers, clientID string, port string, logger aws.Logger) {
+func enableCSM(handlers *request.Handlers,
-        logger.Log("Enabling CSM")
+        clientID, host, port string,
-        if len(port) == 0 {
+        logger aws.Logger,
-                port = csm.DefaultPort
+) error {
+        if logger != nil {
+                logger.Log("Enabling CSM")
        }
-        r, err := csm.Start(clientID, "127.0.0.1:"+port)
+        r, err := csm.Start(clientID, csm.AddressWithDefaults(host, port))
        if err != nil {
-                return
+                return err
        }
        r.InjectHandlers(handlers)
+        return nil
 }
 func newSession(opts Options, envCfg envConfig, cfgs ...*aws.Config) (*Session, error) {
        cfg := defaults.Config()
-        handlers := defaults.Handlers()
+        handlers := opts.Handlers
+        if handlers.IsEmpty() {
+                handlers = defaults.Handlers()
+        }
        // Get a merged version of the user provided config to determine if
        // credentials were.
        userCfg := &aws.Config{}
        userCfg.MergeIn(cfgs...)
+        cfg.MergeIn(userCfg)
        // Ordered config files will be loaded in with later files overwriting
        // previous config file values.
@@ -366,9 +393,11 @@ func newSession(opts Options, envCfg envConfig, cfgs ...*aws.Config) (*Session,
        }
        // Load additional config from file(s)
-        sharedCfg, err := loadSharedConfig(envCfg.Profile, cfgFiles)
+        sharedCfg, err := loadSharedConfig(envCfg.Profile, cfgFiles, envCfg.EnableSharedConfig)
        if err != nil {
-                return nil, err
+                if _, ok := err.(SharedConfigProfileNotExistsError); !ok {
+                        return nil, err
+                }
        }
        if err := mergeConfigSrcs(cfg, userCfg, envCfg, sharedCfg, handlers, opts); err != nil {
@@ -382,7 +411,11 @@ func newSession(opts Options, envCfg envConfig, cfgs ...*aws.Config) (*Session,
        initHandlers(s)
        if envCfg.CSMEnabled {
-                enableCSM(&s.Handlers, envCfg.CSMClientID, envCfg.CSMPort, s.Config.Logger)
+                err := enableCSM(&s.Handlers, envCfg.CSMClientID,
+                        envCfg.CSMHost, envCfg.CSMPort, s.Config.Logger)
+                if err != nil {
+                        return nil, err
+                }
        }
        // Setup HTTP client with custom cert bundle if enabled
@@ -443,9 +476,11 @@ func loadCertPool(r io.Reader) (*x509.CertPool, error) {
        return p, nil
 }
-func mergeConfigSrcs(cfg, userCfg *aws.Config, envCfg envConfig, sharedCfg sharedConfig, handlers request.Handlers, sessOpts Options) error {
+func mergeConfigSrcs(cfg, userCfg *aws.Config,
-        // Merge in user provided configuration
+        envCfg envConfig, sharedCfg sharedConfig,
-        cfg.MergeIn(userCfg)
+        handlers request.Handlers,
+        sessOpts Options,
+) error {
        // Region if not already set by user
        if len(aws.StringValue(cfg.Region)) == 0 {
@@ -464,164 +499,19 @@ func mergeConfigSrcs(cfg, userCfg *aws.Config, envCfg envConfig, sharedCfg share
                }
        }
-        // Configure credentials if not already set
+        // Configure credentials if not already set by the user when creating the
+        // Session.
        if cfg.Credentials == credentials.AnonymousCredentials && userCfg.Credentials == nil {
+                creds, err := resolveCredentials(cfg, envCfg, sharedCfg, handlers, sessOpts)
-                // inspect the profile to see if a credential source has been specified.
+                if err != nil {
-                if envCfg.EnableSharedConfig && len(sharedCfg.AssumeRole.CredentialSource) > 0 {
+                        return err
-                        // if both credential_source and source_profile have been set, return an error
-                        // as this is undefined behavior.
-                        if len(sharedCfg.AssumeRole.SourceProfile) > 0 {
-                                return ErrSharedConfigSourceCollision
-                        }
-                        // valid credential source values
-                        const (
-                                credSourceEc2Metadata  = "Ec2InstanceMetadata"
-                                credSourceEnvironment  = "Environment"
-                                credSourceECSContainer = "EcsContainer"
-                        )
-                        switch sharedCfg.AssumeRole.CredentialSource {
-                        case credSourceEc2Metadata:
-                                cfgCp := *cfg
-                                p := defaults.RemoteCredProvider(cfgCp, handlers)
-                                cfgCp.Credentials = credentials.NewCredentials(p)
-                                if len(sharedCfg.AssumeRole.MFASerial) > 0 && sessOpts.AssumeRoleTokenProvider == nil {
-                                        // AssumeRole Token provider is required if doing Assume Role
-                                        // with MFA.
-                                        return AssumeRoleTokenProviderNotSetError{}
-                                }
-                                cfg.Credentials = assumeRoleCredentials(cfgCp, handlers, sharedCfg, sessOpts)
-                        case credSourceEnvironment:
-                                cfg.Credentials = credentials.NewStaticCredentialsFromCreds(
-                                        envCfg.Creds,
-                                )
-                        case credSourceECSContainer:
-                                if len(os.Getenv(shareddefaults.ECSCredsProviderEnvVar)) == 0 {
-                                        return ErrSharedConfigECSContainerEnvVarEmpty
-                                }
-                                cfgCp := *cfg
-                                p := defaults.RemoteCredProvider(cfgCp, handlers)
-                                creds := credentials.NewCredentials(p)
-                                cfg.Credentials = creds
-                        default:
-                                return ErrSharedConfigInvalidCredSource
-                        }
-                        return nil
-                }
-                if len(envCfg.Creds.AccessKeyID) > 0 {
-                        cfg.Credentials = credentials.NewStaticCredentialsFromCreds(
-                                envCfg.Creds,
-                        )
-                } else if envCfg.EnableSharedConfig && len(sharedCfg.AssumeRole.RoleARN) > 0 && sharedCfg.AssumeRoleSource != nil {
-                        cfgCp := *cfg
-                        cfgCp.Credentials = credentials.NewStaticCredentialsFromCreds(
-                                sharedCfg.AssumeRoleSource.Creds,
-                        )
-                        if len(sharedCfg.AssumeRole.MFASerial) > 0 && sessOpts.AssumeRoleTokenProvider == nil {
-                                // AssumeRole Token provider is required if doing Assume Role
-                                // with MFA.
-                                return AssumeRoleTokenProviderNotSetError{}
-                        }
-                        cfg.Credentials = assumeRoleCredentials(cfgCp, handlers, sharedCfg, sessOpts)
-                } else if len(sharedCfg.Creds.AccessKeyID) > 0 {
-                        cfg.Credentials = credentials.NewStaticCredentialsFromCreds(
-                                sharedCfg.Creds,
-                        )
-                } else if len(sharedCfg.CredentialProcess) > 0 {
-                        cfg.Credentials = processcreds.NewCredentials(
-                                sharedCfg.CredentialProcess,
-                        )
-                } else {
-                        // Fallback to default credentials provider, include mock errors
-                        // for the credential chain so user can identify why credentials
-                        // failed to be retrieved.
-                        cfg.Credentials = credentials.NewCredentials(&credentials.ChainProvider{
-                                VerboseErrors: aws.BoolValue(cfg.CredentialsChainVerboseErrors),
-                                Providers: []credentials.Provider{
-                                        &credProviderError{Err: awserr.New("EnvAccessKeyNotFound", "failed to find credentials in the environment.", nil)},
-                                        &credProviderError{Err: awserr.New("SharedCredsLoad", fmt.Sprintf("failed to load profile, %s.", envCfg.Profile), nil)},
-                                        defaults.RemoteCredProvider(*cfg, handlers),
-                                },
-                        })
                }
+                cfg.Credentials = creds
        }
        return nil
 }
-func assumeRoleCredentials(cfg aws.Config, handlers request.Handlers, sharedCfg sharedConfig, sessOpts Options) *credentials.Credentials {
-        return stscreds.NewCredentials(
-                &Session{
-                        Config:   &cfg,
-                        Handlers: handlers.Copy(),
-                },
-                sharedCfg.AssumeRole.RoleARN,
-                func(opt *stscreds.AssumeRoleProvider) {
-                        opt.RoleSessionName = sharedCfg.AssumeRole.RoleSessionName
-                        // Assume role with external ID
-                        if len(sharedCfg.AssumeRole.ExternalID) > 0 {
-                                opt.ExternalID = aws.String(sharedCfg.AssumeRole.ExternalID)
-                        }
-                        // Assume role with MFA
-                        if len(sharedCfg.AssumeRole.MFASerial) > 0 {
-                                opt.SerialNumber = aws.String(sharedCfg.AssumeRole.MFASerial)
-                                opt.TokenProvider = sessOpts.AssumeRoleTokenProvider
-                        }
-                },
-        )
-}
-// AssumeRoleTokenProviderNotSetError is an error returned when creating a session when the
-// MFAToken option is not set when shared config is configured load assume a
-// role with an MFA token.
-type AssumeRoleTokenProviderNotSetError struct{}
-// Code is the short id of the error.
-func (e AssumeRoleTokenProviderNotSetError) Code() string {
-        return "AssumeRoleTokenProviderNotSetError"
-}
-// Message is the description of the error
-func (e AssumeRoleTokenProviderNotSetError) Message() string {
-        return fmt.Sprintf("assume role with MFA enabled, but AssumeRoleTokenProvider session option not set.")
-}
-// OrigErr is the underlying error that caused the failure.
-func (e AssumeRoleTokenProviderNotSetError) OrigErr() error {
-        return nil
-}
-// Error satisfies the error interface.
-func (e AssumeRoleTokenProviderNotSetError) Error() string {
-        return awserr.SprintError(e.Code(), e.Message(), "", nil)
-}
-type credProviderError struct {
-        Err error
-}
-var emptyCreds = credentials.Value{}
-func (c credProviderError) Retrieve() (credentials.Value, error) {
-        return credentials.Value{}, c.Err
-}
-func (c credProviderError) IsExpired() bool {
-        return true
-}
 func initHandlers(s *Session) {
        // Add the Validate parameter handler if it is not disabled.
        s.Handlers.Validate.Remove(corehandlers.ValidateParametersHandler)
diff --git a/vendor/github.com/aws/aws-sdk-go/aws/session/shared_config.go b/vendor/github.com/aws/aws-sdk-go/aws/session/shared_config.go
index 7cb4402..5170b49 100644
--- a/vendor/github.com/aws/aws-sdk-go/aws/session/shared_config.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/session/shared_config.go
@@ -5,7 +5,6 @@ import (
        "github.com/aws/aws-sdk-go/aws/awserr"
        "github.com/aws/aws-sdk-go/aws/credentials"
        "github.com/aws/aws-sdk-go/internal/ini"
 )
@@ -28,8 +27,12 @@ const (
        // endpoint discovery group
        enableEndpointDiscoveryKey = `endpoint_discovery_enabled` // optional
        // External Credential Process
-        credentialProcessKey = `credential_process`
+        credentialProcessKey = `credential_process` // optional
+        // Web Identity Token File
+        webIdentityTokenFileKey = `web_identity_token_file` // optional
        // DefaultSharedConfigProfile is the default profile to be used when
        // loading configuration from the config files if another profile name
@@ -37,36 +40,33 @@ const (
        DefaultSharedConfigProfile = `default`
 )
-type assumeRoleConfig struct {
-        RoleARN          string
-        SourceProfile    string
-        CredentialSource string
-        ExternalID       string
-        MFASerial        string
-        RoleSessionName  string
-}
 // sharedConfig represents the configuration fields of the SDK config files.
 type sharedConfig struct {
-        // Credentials values from the config file. Both aws_access_key_id
+        // Credentials values from the config file. Both aws_access_key_id and
-        // and aws_secret_access_key must be provided together in the same file
+        // aws_secret_access_key must be provided together in the same file to be
-        // to be considered valid. The values will be ignored if not a complete group.
+        // considered valid. The values will be ignored if not a complete group.
-        // aws_session_token is an optional field that can be provided if both of the
+        // aws_session_token is an optional field that can be provided if both of
-        // other two fields are also provided.
+        // the other two fields are also provided.
        //
        //      aws_access_key_id
        //      aws_secret_access_key
        //      aws_session_token
        Creds credentials.Value
-        AssumeRole       assumeRoleConfig
+        CredentialSource     string
-        AssumeRoleSource *sharedConfig
+        CredentialProcess    string
+        WebIdentityTokenFile string
+        RoleARN         string
+        RoleSessionName string
+        ExternalID      string
+        MFASerial       string
-        // An external process to request credentials
+        SourceProfileName string
-        CredentialProcess string
+        SourceProfile     *sharedConfig
-        // Region is the region the SDK should use for looking up AWS service endpoints
+        // Region is the region the SDK should use for looking up AWS service
-        // and signing requests.
+        // endpoints and signing requests.
        //
        //      region
        Region string
@@ -83,17 +83,18 @@ type sharedConfigFile struct {
        IniData  ini.Sections
 }
-// loadSharedConfig retrieves the configuration from the list of files
+// loadSharedConfig retrieves the configuration from the list of files using
-// using the profile provided. The order the files are listed will determine
+// the profile provided. The order the files are listed will determine
 // precedence. Values in subsequent files will overwrite values defined in
 // earlier files.
 //
 // For example, given two files A and B. Both define credentials. If the order
-// of the files are A then B, B's credential values will be used instead of A's.
+// of the files are A then B, B's credential values will be used instead of
+// A's.
 //
 // See sharedConfig.setFromFile for information how the config files
 // will be loaded.
-func loadSharedConfig(profile string, filenames []string) (sharedConfig, error) {
+func loadSharedConfig(profile string, filenames []string, exOpts bool) (sharedConfig, error) {
        if len(profile) == 0 {
                profile = DefaultSharedConfigProfile
        }
@@ -104,16 +105,11 @@ func loadSharedConfig(profile string, filenames []string) (sharedConfig, error)
        }
        cfg := sharedConfig{}
-        if err = cfg.setFromIniFiles(profile, files); err != nil {
+        profiles := map[string]struct{}{}
+        if err = cfg.setFromIniFiles(profiles, profile, files, exOpts); err != nil {
                return sharedConfig{}, err
        }
-        if len(cfg.AssumeRole.SourceProfile) > 0 {
-                if err := cfg.setAssumeRoleSource(profile, files); err != nil {
-                        return sharedConfig{}, err
-                }
-        }
        return cfg, nil
 }
@@ -137,60 +133,88 @@ func loadSharedConfigIniFiles(filenames []string) ([]sharedConfigFile, error) {
        return files, nil
 }
-func (cfg *sharedConfig) setAssumeRoleSource(origProfile string, files []sharedConfigFile) error {
+func (cfg *sharedConfig) setFromIniFiles(profiles map[string]struct{}, profile string, files []sharedConfigFile, exOpts bool) error {
-        var assumeRoleSrc sharedConfig
+        // Trim files from the list that don't exist.
+        var skippedFiles int
-        if len(cfg.AssumeRole.CredentialSource) > 0 {
+        var profileNotFoundErr error
-                // setAssumeRoleSource is only called when source_profile is found.
+        for _, f := range files {
-                // If both source_profile and credential_source are set, then
+                if err := cfg.setFromIniFile(profile, f, exOpts); err != nil {
-                // ErrSharedConfigSourceCollision will be returned
+                        if _, ok := err.(SharedConfigProfileNotExistsError); ok {
-                return ErrSharedConfigSourceCollision
+                                // Ignore profiles not defined in individual files.
+                                profileNotFoundErr = err
+                                skippedFiles++
+                                continue
+                        }
+                        return err
+                }
+        }
+        if skippedFiles == len(files) {
+                // If all files were skipped because the profile is not found, return
+                // the original profile not found error.
+                return profileNotFoundErr
        }
-        // Multiple level assume role chains are not support
+        if _, ok := profiles[profile]; ok {
-        if cfg.AssumeRole.SourceProfile == origProfile {
+                // if this is the second instance of the profile the Assume Role
-                assumeRoleSrc = *cfg
+                // options must be cleared because they are only valid for the
-                assumeRoleSrc.AssumeRole = assumeRoleConfig{}
+                // first reference of a profile. The self linked instance of the
+                // profile only have credential provider options.
+                cfg.clearAssumeRoleOptions()
        } else {
-                err := assumeRoleSrc.setFromIniFiles(cfg.AssumeRole.SourceProfile, files)
+                // First time a profile has been seen, It must either be a assume role
-                if err != nil {
+                // or credentials. Assert if the credential type requires a role ARN,
+                // the ARN is also set.
+                if err := cfg.validateCredentialsRequireARN(profile); err != nil {
                        return err
                }
        }
+        profiles[profile] = struct{}{}
-        if len(assumeRoleSrc.Creds.AccessKeyID) == 0 {
+        if err := cfg.validateCredentialType(); err != nil {
-                return SharedConfigAssumeRoleError{RoleARN: cfg.AssumeRole.RoleARN}
+                return err
        }
-        cfg.AssumeRoleSource = &assumeRoleSrc
+        // Link source profiles for assume roles
+        if len(cfg.SourceProfileName) != 0 {
-        return nil
+                // Linked profile via source_profile ignore credential provider
-}
+                // options, the source profile must provide the credentials.
+                cfg.clearCredentialOptions()
-func (cfg *sharedConfig) setFromIniFiles(profile string, files []sharedConfigFile) error {
+                srcCfg := &sharedConfig{}
-        // Trim files from the list that don't exist.
+                err := srcCfg.setFromIniFiles(profiles, cfg.SourceProfileName, files, exOpts)
-        for _, f := range files {
+                if err != nil {
-                if err := cfg.setFromIniFile(profile, f); err != nil {
+                        // SourceProfile that doesn't exist is an error in configuration.
                        if _, ok := err.(SharedConfigProfileNotExistsError); ok {
-                                // Ignore proviles missings
+                                err = SharedConfigAssumeRoleError{
-                                continue
+                                        RoleARN:       cfg.RoleARN,
+                                        SourceProfile: cfg.SourceProfileName,
+                                }
                        }
                        return err
                }
+                if !srcCfg.hasCredentials() {
+                        return SharedConfigAssumeRoleError{
+                                RoleARN:       cfg.RoleARN,
+                                SourceProfile: cfg.SourceProfileName,
+                        }
+                }
+                cfg.SourceProfile = srcCfg
        }
        return nil
 }
-// setFromFile loads the configuration from the file using
+// setFromFile loads the configuration from the file using the profile
-// the profile provided. A sharedConfig pointer type value is used so that
+// provided. A sharedConfig pointer type value is used so that multiple config
-// multiple config file loadings can be chained.
+// file loadings can be chained.
 //
 // Only loads complete logically grouped values, and will not set fields in cfg
-// for incomplete grouped values in the config. Such as credentials. For example
+// for incomplete grouped values in the config. Such as credentials. For
-// if a config file only includes aws_access_key_id but no aws_secret_access_key
+// example if a config file only includes aws_access_key_id but no
-// the aws_access_key_id will be ignored.
+// aws_secret_access_key the aws_access_key_id will be ignored.
-func (cfg *sharedConfig) setFromIniFile(profile string, file sharedConfigFile) error {
+func (cfg *sharedConfig) setFromIniFile(profile string, file sharedConfigFile, exOpts bool) error {
        section, ok := file.IniData.GetSection(profile)
        if !ok {
                // Fallback to to alternate profile name: profile <name>
@@ -200,42 +224,30 @@ func (cfg *sharedConfig) setFromIniFile(profile string, file sharedConfigFile) e
                }
        }
-        // Shared Credentials
+        if exOpts {
-        akid := section.String(accessKeyIDKey)
+                // Assume Role Parameters
-        secret := section.String(secretAccessKey)
+                updateString(&cfg.RoleARN, section, roleArnKey)
-        if len(akid) > 0 && len(secret) > 0 {
+                updateString(&cfg.ExternalID, section, externalIDKey)
-                cfg.Creds = credentials.Value{
+                updateString(&cfg.MFASerial, section, mfaSerialKey)
-                        AccessKeyID:     akid,
+                updateString(&cfg.RoleSessionName, section, roleSessionNameKey)
-                        SecretAccessKey: secret,
+                updateString(&cfg.SourceProfileName, section, sourceProfileKey)
-                        SessionToken:    section.String(sessionTokenKey),
+                updateString(&cfg.CredentialSource, section, credentialSourceKey)
-                        ProviderName:    fmt.Sprintf("SharedConfigCredentials: %s", file.Filename),
-                }
-        }
-        // Assume Role
+                updateString(&cfg.Region, section, regionKey)
-        roleArn := section.String(roleArnKey)
-        srcProfile := section.String(sourceProfileKey)
-        credentialSource := section.String(credentialSourceKey)
-        hasSource := len(srcProfile) > 0 || len(credentialSource) > 0
-        if len(roleArn) > 0 && hasSource {
-                cfg.AssumeRole = assumeRoleConfig{
-                        RoleARN:          roleArn,
-                        SourceProfile:    srcProfile,
-                        CredentialSource: credentialSource,
-                        ExternalID:       section.String(externalIDKey),
-                        MFASerial:        section.String(mfaSerialKey),
-                        RoleSessionName:  section.String(roleSessionNameKey),
-                }
        }
-        // `credential_process`
+        updateString(&cfg.CredentialProcess, section, credentialProcessKey)
-        if credProc := section.String(credentialProcessKey); len(credProc) > 0 {
+        updateString(&cfg.WebIdentityTokenFile, section, webIdentityTokenFileKey)
-                cfg.CredentialProcess = credProc
-        }
-        // Region
+        // Shared Credentials
-        if v := section.String(regionKey); len(v) > 0 {
+        creds := credentials.Value{
-                cfg.Region = v
+                AccessKeyID:     section.String(accessKeyIDKey),
+                SecretAccessKey: section.String(secretAccessKey),
+                SessionToken:    section.String(sessionTokenKey),
+                ProviderName:    fmt.Sprintf("SharedConfigCredentials: %s", file.Filename),
+        }
+        if creds.HasKeys() {
+                cfg.Creds = creds
        }
        // Endpoint discovery
@@ -247,6 +259,95 @@ func (cfg *sharedConfig) setFromIniFile(profile string, file sharedConfigFile) e
        return nil
 }
+func (cfg *sharedConfig) validateCredentialsRequireARN(profile string) error {
+        var credSource string
+        switch {
+        case len(cfg.SourceProfileName) != 0:
+                credSource = sourceProfileKey
+        case len(cfg.CredentialSource) != 0:
+                credSource = credentialSourceKey
+        case len(cfg.WebIdentityTokenFile) != 0:
+                credSource = webIdentityTokenFileKey
+        }
+        if len(credSource) != 0 && len(cfg.RoleARN) == 0 {
+                return CredentialRequiresARNError{
+                        Type:    credSource,
+                        Profile: profile,
+                }
+        }
+        return nil
+}
+func (cfg *sharedConfig) validateCredentialType() error {
+        // Only one or no credential type can be defined.
+        if !oneOrNone(
+                len(cfg.SourceProfileName) != 0,
+                len(cfg.CredentialSource) != 0,
+                len(cfg.CredentialProcess) != 0,
+                len(cfg.WebIdentityTokenFile) != 0,
+        ) {
+                return ErrSharedConfigSourceCollision
+        }
+        return nil
+}
+func (cfg *sharedConfig) hasCredentials() bool {
+        switch {
+        case len(cfg.SourceProfileName) != 0:
+        case len(cfg.CredentialSource) != 0:
+        case len(cfg.CredentialProcess) != 0:
+        case len(cfg.WebIdentityTokenFile) != 0:
+        case cfg.Creds.HasKeys():
+        default:
+                return false
+        }
+        return true
+}
+func (cfg *sharedConfig) clearCredentialOptions() {
+        cfg.CredentialSource = ""
+        cfg.CredentialProcess = ""
+        cfg.WebIdentityTokenFile = ""
+        cfg.Creds = credentials.Value{}
+}
+func (cfg *sharedConfig) clearAssumeRoleOptions() {
+        cfg.RoleARN = ""
+        cfg.ExternalID = ""
+        cfg.MFASerial = ""
+        cfg.RoleSessionName = ""
+        cfg.SourceProfileName = ""
+}
+func oneOrNone(bs ...bool) bool {
+        var count int
+        for _, b := range bs {
+                if b {
+                        count++
+                        if count > 1 {
+                                return false
+                        }
+                }
+        }
+        return true
+}
+// updateString will only update the dst with the value in the section key, key
+// is present in the section.
+func updateString(dst *string, section ini.Section, key string) {
+        if !section.Has(key) {
+                return
+        }
+        *dst = section.String(key)
+}
 // SharedConfigLoadError is an error for the shared config file failed to load.
 type SharedConfigLoadError struct {
        Filename string
@@ -304,7 +405,8 @@ func (e SharedConfigProfileNotExistsError) Error() string {
 // profile contains assume role information, but that information is invalid
 // or not complete.
 type SharedConfigAssumeRoleError struct {
-        RoleARN string
+        RoleARN       string
+        SourceProfile string
 }
 // Code is the short id of the error.
@@ -314,8 +416,10 @@ func (e SharedConfigAssumeRoleError) Code() string {
 // Message is the description of the error
 func (e SharedConfigAssumeRoleError) Message() string {
-        return fmt.Sprintf("failed to load assume role for %s, source profile has no shared credentials",
+        return fmt.Sprintf(
-                e.RoleARN)
+                "failed to load assume role for %s, source profile %s has no shared credentials",
+                e.RoleARN, e.SourceProfile,
+        )
 }
 // OrigErr is the underlying error that caused the failure.
@@ -327,3 +431,36 @@ func (e SharedConfigAssumeRoleError) OrigErr() error {
 func (e SharedConfigAssumeRoleError) Error() string {
        return awserr.SprintError(e.Code(), e.Message(), "", nil)
 }
+// CredentialRequiresARNError provides the error for shared config credentials
+// that are incorrectly configured in the shared config or credentials file.
+type CredentialRequiresARNError struct {
+        // type of credentials that were configured.
+        Type string
+        // Profile name the credentials were in.
+        Profile string
+}
+// Code is the short id of the error.
+func (e CredentialRequiresARNError) Code() string {
+        return "CredentialRequiresARNError"
+}
+// Message is the description of the error
+func (e CredentialRequiresARNError) Message() string {
+        return fmt.Sprintf(
+                "credential type %s requires role_arn, profile %s",
+                e.Type, e.Profile,
+        )
+}
+// OrigErr is the underlying error that caused the failure.
+func (e CredentialRequiresARNError) OrigErr() error {
+        return nil
+}
+// Error satisfies the error interface.
+func (e CredentialRequiresARNError) Error() string {
+        return awserr.SprintError(e.Code(), e.Message(), "", nil)
+}