10 files changed, 1362 insertions, 636 deletions

diff --git a/vendor/github.com/aws/aws-sdk-go/service/s3/api.go b/vendor/github.com/aws/aws-sdk-go/service/s3/api.go
index 83a42d2..139c27d 100644
--- a/vendor/github.com/aws/aws-sdk-go/service/s3/api.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/s3/api.go
@@ -545,6 +545,10 @@ func (c *S3) DeleteBucketAnalyticsConfigurationRequest(input *DeleteBucketAnalyt
 // Deletes an analytics configuration for the bucket (specified by the analytics
 // configuration ID).
 //
+// To use this operation, you must have permissions to perform the s3:PutAnalyticsConfiguration
+// action. The bucket owner has this permission by default. The bucket owner
+// can grant this permission to others.
+//
 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
 // with awserr.Error's Code and Message methods to get detailed information about
 // the error.
@@ -1071,7 +1075,7 @@ func (c *S3) DeleteBucketReplicationRequest(input *DeleteBucketReplicationInput)
 // DeleteBucketReplication API operation for Amazon Simple Storage Service.
 //
 // Deletes the replication configuration from the bucket. For information about
-// replication configuration, see Cross-Region Replication (CRR) ( https://docs.aws.amazon.com/AmazonS3/latest/dev/crr.html)
+// replication configuration, see Cross-Region Replication (CRR) (https://docs.aws.amazon.com/AmazonS3/latest/dev/crr.html)
 // in the Amazon S3 Developer Guide.
 //
 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
@@ -3335,8 +3339,8 @@ func (c *S3) GetObjectLockConfigurationRequest(input *GetObjectLockConfiguration
 
 // GetObjectLockConfiguration API operation for Amazon Simple Storage Service.
 //
-// Gets the Object Lock configuration for a bucket. The rule specified in the
-// Object Lock configuration will be applied by default to every new object
+// Gets the object lock configuration for a bucket. The rule specified in the
+// object lock configuration will be applied by default to every new object
 // placed in the specified bucket.
 //
 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
@@ -4210,7 +4214,7 @@ func (c *S3) ListMultipartUploadsWithContext(ctx aws.Context, input *ListMultipa
 //    // Example iterating over at most 3 pages of a ListMultipartUploads operation.
 //    pageNum := 0
 //    err := client.ListMultipartUploadsPages(params,
-//        func(page *ListMultipartUploadsOutput, lastPage bool) bool {
+//        func(page *s3.ListMultipartUploadsOutput, lastPage bool) bool {
 //            pageNum++
 //            fmt.Println(page)
 //            return pageNum <= 3
@@ -4340,7 +4344,7 @@ func (c *S3) ListObjectVersionsWithContext(ctx aws.Context, input *ListObjectVer
 //    // Example iterating over at most 3 pages of a ListObjectVersions operation.
 //    pageNum := 0
 //    err := client.ListObjectVersionsPages(params,
-//        func(page *ListObjectVersionsOutput, lastPage bool) bool {
+//        func(page *s3.ListObjectVersionsOutput, lastPage bool) bool {
 //            pageNum++
 //            fmt.Println(page)
 //            return pageNum <= 3
@@ -4477,7 +4481,7 @@ func (c *S3) ListObjectsWithContext(ctx aws.Context, input *ListObjectsInput, op
 //    // Example iterating over at most 3 pages of a ListObjects operation.
 //    pageNum := 0
 //    err := client.ListObjectsPages(params,
-//        func(page *ListObjectsOutput, lastPage bool) bool {
+//        func(page *s3.ListObjectsOutput, lastPage bool) bool {
 //            pageNum++
 //            fmt.Println(page)
 //            return pageNum <= 3
@@ -4615,7 +4619,7 @@ func (c *S3) ListObjectsV2WithContext(ctx aws.Context, input *ListObjectsV2Input
 //    // Example iterating over at most 3 pages of a ListObjectsV2 operation.
 //    pageNum := 0
 //    err := client.ListObjectsV2Pages(params,
-//        func(page *ListObjectsV2Output, lastPage bool) bool {
+//        func(page *s3.ListObjectsV2Output, lastPage bool) bool {
 //            pageNum++
 //            fmt.Println(page)
 //            return pageNum <= 3
@@ -4745,7 +4749,7 @@ func (c *S3) ListPartsWithContext(ctx aws.Context, input *ListPartsInput, opts .
 //    // Example iterating over at most 3 pages of a ListParts operation.
 //    pageNum := 0
 //    err := client.ListPartsPages(params,
-//        func(page *ListPartsOutput, lastPage bool) bool {
+//        func(page *s3.ListPartsOutput, lastPage bool) bool {
 //            pageNum++
 //            fmt.Println(page)
 //            return pageNum <= 3
@@ -5754,8 +5758,7 @@ func (c *S3) PutBucketPolicyRequest(input *PutBucketPolicyInput) (req *request.R
 
 // PutBucketPolicy API operation for Amazon Simple Storage Service.
 //
-// Replaces a policy on a bucket. If the bucket already has a policy, the one
-// in this request completely replaces it.
+// Applies an Amazon S3 bucket policy to an Amazon S3 bucket.
 //
 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
 // with awserr.Error's Code and Message methods to get detailed information about
@@ -5831,7 +5834,7 @@ func (c *S3) PutBucketReplicationRequest(input *PutBucketReplicationInput) (req
 // PutBucketReplication API operation for Amazon Simple Storage Service.
 //
 // Creates a replication configuration or replaces an existing one. For more
-// information, see Cross-Region Replication (CRR) ( https://docs.aws.amazon.com/AmazonS3/latest/dev/crr.html)
+// information, see Cross-Region Replication (CRR) (https://docs.aws.amazon.com/AmazonS3/latest/dev/crr.html)
 // in the Amazon S3 Developer Guide.
 //
 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
@@ -6439,8 +6442,8 @@ func (c *S3) PutObjectLockConfigurationRequest(input *PutObjectLockConfiguration
 
 // PutObjectLockConfiguration API operation for Amazon Simple Storage Service.
 //
-// Places an Object Lock configuration on the specified bucket. The rule specified
-// in the Object Lock configuration will be applied by default to every new
+// Places an object lock configuration on the specified bucket. The rule specified
+// in the object lock configuration will be applied by default to every new
 // object placed in the specified bucket.
 //
 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
@@ -7010,13 +7013,16 @@ func (c *S3) UploadPartCopyWithContext(ctx aws.Context, input *UploadPartCopyInp
         return out, req.Send()
 }
 
-// Specifies the days since the initiation of an Incomplete Multipart Upload
-// that Lifecycle will wait before permanently removing all parts of the upload.
+// Specifies the days since the initiation of an incomplete multipart upload
+// that Amazon S3 will wait before permanently removing all parts of the upload.
+// For more information, see Aborting Incomplete Multipart Uploads Using a Bucket
+// Lifecycle Policy (https://docs.aws.amazon.com/AmazonS3/latest/dev/mpuoverview.html#mpu-abort-incomplete-mpu-lifecycle-config)
+// in the Amazon Simple Storage Service Developer Guide.
 type AbortIncompleteMultipartUpload struct {
         _ struct{} `type:"structure"`
 
-        // Indicates the number of days that must pass since initiation for Lifecycle
-        // to abort an Incomplete Multipart Upload.
+        // Specifies the number of days after which Amazon S3 aborts an incomplete multipart
+        // upload.
         DaysAfterInitiation *int64 `type:"integer"`
 }
 
@@ -7039,9 +7045,13 @@ func (s *AbortIncompleteMultipartUpload) SetDaysAfterInitiation(v int64) *AbortI
 type AbortMultipartUploadInput struct {
         _ struct{} `type:"structure"`
 
+        // Name of the bucket to which the multipart upload was initiated.
+        //
         // Bucket is a required field
         Bucket *string `location:"uri" locationName:"Bucket" type:"string" required:"true"`
 
+        // Key of the object for which the multipart upload was initiated.
+        //
         // Key is a required field
         Key *string `location:"uri" locationName:"Key" min:"1" type:"string" required:"true"`
 
@@ -7051,6 +7061,8 @@ type AbortMultipartUploadInput struct {
         // at http://docs.aws.amazon.com/AmazonS3/latest/dev/ObjectsinRequesterPaysBuckets.html
         RequestPayer *string `location:"header" locationName:"x-amz-request-payer" type:"string" enum:"RequestPayer"`
 
+        // Upload ID that identifies the multipart upload.
+        //
         // UploadId is a required field
         UploadId *string `location:"querystring" locationName:"uploadId" type:"string" required:"true"`
 }
@@ -7145,10 +7157,13 @@ func (s *AbortMultipartUploadOutput) SetRequestCharged(v string) *AbortMultipart
         return s
 }
 
+// Configures the transfer acceleration state for an Amazon S3 bucket. For more
+// information, see Amazon S3 Transfer Acceleration (https://docs.aws.amazon.com/AmazonS3/latest/dev/transfer-acceleration.html)
+// in the Amazon Simple Storage Service Developer Guide.
 type AccelerateConfiguration struct {
         _ struct{} `type:"structure"`
 
-        // The accelerate configuration of the bucket.
+        // Specifies the transfer acceleration status of the bucket.
         Status *string `type:"string" enum:"BucketAccelerateStatus"`
 }
 
@@ -7168,12 +7183,14 @@ func (s *AccelerateConfiguration) SetStatus(v string) *AccelerateConfiguration {
         return s
 }
 
+// Contains the elements that set the ACL permissions for an object per grantee.
 type AccessControlPolicy struct {
         _ struct{} `type:"structure"`
 
         // A list of grants.
         Grants []*Grant `locationName:"AccessControlList" locationNameList:"Grant" type:"list"`
 
+        // Container for the bucket owner's display name and ID.
         Owner *Owner `type:"structure"`
 }
 
@@ -7223,7 +7240,9 @@ func (s *AccessControlPolicy) SetOwner(v *Owner) *AccessControlPolicy {
 type AccessControlTranslation struct {
         _ struct{} `type:"structure"`
 
-        // The override value for the owner of the replica object.
+        // Specifies the replica ownership. For default and valid values, see PUT bucket
+        // replication (https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTreplication.html)
+        // in the Amazon Simple Storage Service API Reference.
         //
         // Owner is a required field
         Owner *string `type:"string" required:"true" enum:"OwnerOverride"`
@@ -7258,10 +7277,14 @@ func (s *AccessControlTranslation) SetOwner(v string) *AccessControlTranslation
         return s
 }
 
+// A conjunction (logical AND) of predicates, which is used in evaluating a
+// metrics filter. The operator must have at least two predicates in any combination,
+// and an object must match all of the predicates for the filter to apply.
 type AnalyticsAndOperator struct {
         _ struct{} `type:"structure"`
 
-        // The prefix to use when evaluating an AND predicate.
+        // The prefix to use when evaluating an AND predicate: The prefix that an object
+        // must have to be included in the metrics results.
         Prefix *string `type:"string"`
 
         // The list of tags to use when evaluating an AND predicate.
@@ -7310,6 +7333,11 @@ func (s *AnalyticsAndOperator) SetTags(v []*Tag) *AnalyticsAndOperator {
         return s
 }
 
+// Specifies the configuration and any analyses for the analytics filter of
+// an Amazon S3 bucket.
+//
+// For more information, see GET Bucket analytics (https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETAnalyticsConfig.html)
+// in the Amazon Simple Storage Service API Reference.
 type AnalyticsConfiguration struct {
         _ struct{} `type:"structure"`
 
@@ -7318,13 +7346,13 @@ type AnalyticsConfiguration struct {
         // If no filter is provided, all objects will be considered in any analysis.
         Filter *AnalyticsFilter `type:"structure"`
 
-        // The identifier used to represent an analytics configuration.
+        // The ID that identifies the analytics configuration.
         //
         // Id is a required field
         Id *string `type:"string" required:"true"`
 
-        // If present, it indicates that data related to access patterns will be collected
-        // and made available to analyze the tradeoffs between different storage classes.
+        // Contains data related to access patterns to be collected and made available
+        // to analyze the tradeoffs between different storage classes.
         //
         // StorageClassAnalysis is a required field
         StorageClassAnalysis *StorageClassAnalysis `type:"structure" required:"true"`
@@ -7384,6 +7412,7 @@ func (s *AnalyticsConfiguration) SetStorageClassAnalysis(v *StorageClassAnalysis
         return s
 }
 
+// Where to publish the analytics results.
 type AnalyticsExportDestination struct {
         _ struct{} `type:"structure"`
 
@@ -7492,7 +7521,7 @@ func (s *AnalyticsFilter) SetTag(v *Tag) *AnalyticsFilter {
 type AnalyticsS3BucketDestination struct {
         _ struct{} `type:"structure"`
 
-        // The Amazon resource name (ARN) of the bucket to which data is exported.
+        // The Amazon Resource Name (ARN) of the bucket to which data is exported.
         //
         // Bucket is a required field
         Bucket *string `type:"string" required:"true"`
@@ -7501,13 +7530,12 @@ type AnalyticsS3BucketDestination struct {
         // the owner will not be validated prior to exporting data.
         BucketAccountId *string `type:"string"`
 
-        // The file format used when exporting data to Amazon S3.
+        // Specifies the file format used when exporting data to Amazon S3.
         //
         // Format is a required field
         Format *string `type:"string" required:"true" enum:"AnalyticsS3ExportFileFormat"`
 
-        // The prefix to use when exporting data. The exported data begins with this
-        // prefix.
+        // The prefix to use when exporting data. The prefix is prepended to all results.
         Prefix *string `type:"string"`
 }
 
@@ -7600,9 +7628,14 @@ func (s *Bucket) SetName(v string) *Bucket {
         return s
 }
 
+// Specifies the lifecycle configuration for objects in an Amazon S3 bucket.
+// For more information, see Object Lifecycle Management (https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html)
+// in the Amazon Simple Storage Service Developer Guide.
 type BucketLifecycleConfiguration struct {
         _ struct{} `type:"structure"`
 
+        // A lifecycle rule for individual objects in an Amazon S3 bucket.
+        //
         // Rules is a required field
         Rules []*LifecycleRule `locationName:"Rule" type:"list" flattened:"true" required:"true"`
 }
@@ -7649,9 +7682,10 @@ func (s *BucketLifecycleConfiguration) SetRules(v []*LifecycleRule) *BucketLifec
 type BucketLoggingStatus struct {
         _ struct{} `type:"structure"`
 
-        // Container for logging information. Presence of this element indicates that
-        // logging is enabled. Parameters TargetBucket and TargetPrefix are required
-        // in this case.
+        // Describes where logs are stored and the prefix that Amazon S3 assigns to
+        // all log object keys for a bucket. For more information, see PUT Bucket logging
+        // (https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTlogging.html)
+        // in the Amazon Simple Storage Service API Reference.
         LoggingEnabled *LoggingEnabled `type:"structure"`
 }
 
@@ -7686,9 +7720,15 @@ func (s *BucketLoggingStatus) SetLoggingEnabled(v *LoggingEnabled) *BucketLoggin
         return s
 }
 
+// Describes the cross-origin access configuration for objects in an Amazon
+// S3 bucket. For more information, see Enabling Cross-Origin Resource Sharing
+// (https://docs.aws.amazon.com/AmazonS3/latest/dev/cors.html) in the Amazon
+// Simple Storage Service Developer Guide.
 type CORSConfiguration struct {
         _ struct{} `type:"structure"`
 
+        // A set of allowed origins and methods.
+        //
         // CORSRules is a required field
         CORSRules []*CORSRule `locationName:"CORSRule" type:"list" flattened:"true" required:"true"`
 }
@@ -7732,14 +7772,18 @@ func (s *CORSConfiguration) SetCORSRules(v []*CORSRule) *CORSConfiguration {
         return s
 }
 
+// Specifies a cross-origin access rule for an Amazon S3 bucket.
 type CORSRule struct {
         _ struct{} `type:"structure"`
 
-        // Specifies which headers are allowed in a pre-flight OPTIONS request.
+        // Headers that are specified in the Access-Control-Request-Headers header.
+        // These headers are allowed in a preflight OPTIONS request. In response to
+        // any preflight OPTIONS request, Amazon S3 returns any requested headers that
+        // are allowed.
         AllowedHeaders []*string `locationName:"AllowedHeader" type:"list" flattened:"true"`
 
-        // Identifies HTTP methods that the domain/origin specified in the rule is allowed
-        // to execute.
+        // An HTTP method that you allow the origin to execute. Valid values are GET,
+        // PUT, HEAD, POST, and DELETE.
         //
         // AllowedMethods is a required field
         AllowedMethods []*string `locationName:"AllowedMethod" type:"list" flattened:"true" required:"true"`
@@ -8290,6 +8334,7 @@ func (s *CompletedPart) SetPartNumber(v int64) *CompletedPart {
         return s
 }
 
+// Specifies a condition that must be met for a redirect to apply.
 type Condition struct {
         _ struct{} `type:"structure"`
 
@@ -8409,7 +8454,7 @@ type CopyObjectInput struct {
         // Specifies the customer-provided encryption key for Amazon S3 to use to decrypt
         // the source object. The encryption key provided in this header must be one
         // that was used when the source object was created.
-        CopySourceSSECustomerKey *string `location:"header" locationName:"x-amz-copy-source-server-side-encryption-customer-key" type:"string" sensitive:"true"`
+        CopySourceSSECustomerKey *string `marshal-as:"blob" location:"header" locationName:"x-amz-copy-source-server-side-encryption-customer-key" type:"string" sensitive:"true"`
 
         // Specifies the 128-bit MD5 digest of the encryption key according to RFC 1321.
         // Amazon S3 uses this header for a message integrity check to ensure the encryption
@@ -8444,10 +8489,10 @@ type CopyObjectInput struct {
         // Specifies whether you want to apply a Legal Hold to the copied object.
         ObjectLockLegalHoldStatus *string `location:"header" locationName:"x-amz-object-lock-legal-hold" type:"string" enum:"ObjectLockLegalHoldStatus"`
 
-        // The Object Lock mode that you want to apply to the copied object.
+        // The object lock mode that you want to apply to the copied object.
         ObjectLockMode *string `location:"header" locationName:"x-amz-object-lock-mode" type:"string" enum:"ObjectLockMode"`
 
-        // The date and time when you want the copied object's Object Lock to expire.
+        // The date and time when you want the copied object's object lock to expire.
         ObjectLockRetainUntilDate *time.Time `location:"header" locationName:"x-amz-object-lock-retain-until-date" type:"timestamp" timestampFormat:"iso8601"`
 
         // Confirms that the requester knows that she or he will be charged for the
@@ -8464,13 +8509,18 @@ type CopyObjectInput struct {
         // does not store the encryption key. The key must be appropriate for use with
         // the algorithm specified in the x-amz-server-side​-encryption​-customer-algorithm
         // header.
-        SSECustomerKey *string `location:"header" locationName:"x-amz-server-side-encryption-customer-key" type:"string" sensitive:"true"`
+        SSECustomerKey *string `marshal-as:"blob" location:"header" locationName:"x-amz-server-side-encryption-customer-key" type:"string" sensitive:"true"`
 
         // Specifies the 128-bit MD5 digest of the encryption key according to RFC 1321.
         // Amazon S3 uses this header for a message integrity check to ensure the encryption
         // key was transmitted without error.
         SSECustomerKeyMD5 *string `location:"header" locationName:"x-amz-server-side-encryption-customer-key-MD5" type:"string"`
 
+        // Specifies the AWS KMS Encryption Context to use for object encryption. The
+        // value of this header is a base64-encoded UTF-8 string holding JSON with the
+        // encryption context key-value pairs.
+        SSEKMSEncryptionContext *string `location:"header" locationName:"x-amz-server-side-encryption-context" type:"string" sensitive:"true"`
+
         // Specifies the AWS KMS key ID to use for object encryption. All GET and PUT
         // requests for an object protected by AWS KMS will fail if not made via SSL
         // or using SigV4. Documentation on configuring any of the officially supported
@@ -8735,6 +8785,12 @@ func (s *CopyObjectInput) SetSSECustomerKeyMD5(v string) *CopyObjectInput {
         return s
 }
 
+// SetSSEKMSEncryptionContext sets the SSEKMSEncryptionContext field's value.
+func (s *CopyObjectInput) SetSSEKMSEncryptionContext(v string) *CopyObjectInput {
+        s.SSEKMSEncryptionContext = &v
+        return s
+}
+
 // SetSSEKMSKeyId sets the SSEKMSKeyId field's value.
 func (s *CopyObjectInput) SetSSEKMSKeyId(v string) *CopyObjectInput {
         s.SSEKMSKeyId = &v
@@ -8795,6 +8851,11 @@ type CopyObjectOutput struct {
         // verification of the customer-provided encryption key.
         SSECustomerKeyMD5 *string `location:"header" locationName:"x-amz-server-side-encryption-customer-key-MD5" type:"string"`
 
+        // If present, specifies the AWS KMS Encryption Context to use for object encryption.
+        // The value of this header is a base64-encoded UTF-8 string holding JSON with
+        // the encryption context key-value pairs.
+        SSEKMSEncryptionContext *string `location:"header" locationName:"x-amz-server-side-encryption-context" type:"string" sensitive:"true"`
+
         // If present, specifies the ID of the AWS Key Management Service (KMS) master
         // encryption key that was used for the object.
         SSEKMSKeyId *string `location:"header" locationName:"x-amz-server-side-encryption-aws-kms-key-id" type:"string" sensitive:"true"`
@@ -8853,6 +8914,12 @@ func (s *CopyObjectOutput) SetSSECustomerKeyMD5(v string) *CopyObjectOutput {
         return s
 }
 
+// SetSSEKMSEncryptionContext sets the SSEKMSEncryptionContext field's value.
+func (s *CopyObjectOutput) SetSSEKMSEncryptionContext(v string) *CopyObjectOutput {
+        s.SSEKMSEncryptionContext = &v
+        return s
+}
+
 // SetSSEKMSKeyId sets the SSEKMSKeyId field's value.
 func (s *CopyObjectOutput) SetSSEKMSKeyId(v string) *CopyObjectOutput {
         s.SSEKMSKeyId = &v
@@ -8984,7 +9051,8 @@ type CreateBucketInput struct {
         // Allows grantee to write the ACL for the applicable bucket.
         GrantWriteACP *string `location:"header" locationName:"x-amz-grant-write-acp" type:"string"`
 
-        // Specifies whether you want S3 Object Lock to be enabled for the new bucket.
+        // Specifies whether you want Amazon S3 object lock to be enabled for the new
+        // bucket.
         ObjectLockEnabledForBucket *bool `location:"header" locationName:"x-amz-bucket-object-lock-enabled" type:"boolean"`
 }
 
@@ -9147,10 +9215,10 @@ type CreateMultipartUploadInput struct {
         // Specifies whether you want to apply a Legal Hold to the uploaded object.
         ObjectLockLegalHoldStatus *string `location:"header" locationName:"x-amz-object-lock-legal-hold" type:"string" enum:"ObjectLockLegalHoldStatus"`
 
-        // Specifies the Object Lock mode that you want to apply to the uploaded object.
+        // Specifies the object lock mode that you want to apply to the uploaded object.
         ObjectLockMode *string `location:"header" locationName:"x-amz-object-lock-mode" type:"string" enum:"ObjectLockMode"`
 
-        // Specifies the date and time when you want the Object Lock to expire.
+        // Specifies the date and time when you want the object lock to expire.
         ObjectLockRetainUntilDate *time.Time `location:"header" locationName:"x-amz-object-lock-retain-until-date" type:"timestamp" timestampFormat:"iso8601"`
 
         // Confirms that the requester knows that she or he will be charged for the
@@ -9167,13 +9235,18 @@ type CreateMultipartUploadInput struct {
         // does not store the encryption key. The key must be appropriate for use with
         // the algorithm specified in the x-amz-server-side​-encryption​-customer-algorithm
         // header.
-        SSECustomerKey *string `location:"header" locationName:"x-amz-server-side-encryption-customer-key" type:"string" sensitive:"true"`
+        SSECustomerKey *string `marshal-as:"blob" location:"header" locationName:"x-amz-server-side-encryption-customer-key" type:"string" sensitive:"true"`
 
         // Specifies the 128-bit MD5 digest of the encryption key according to RFC 1321.
         // Amazon S3 uses this header for a message integrity check to ensure the encryption
         // key was transmitted without error.
         SSECustomerKeyMD5 *string `location:"header" locationName:"x-amz-server-side-encryption-customer-key-MD5" type:"string"`
 
+        // Specifies the AWS KMS Encryption Context to use for object encryption. The
+        // value of this header is a base64-encoded UTF-8 string holding JSON with the
+        // encryption context key-value pairs.
+        SSEKMSEncryptionContext *string `location:"header" locationName:"x-amz-server-side-encryption-context" type:"string" sensitive:"true"`
+
         // Specifies the AWS KMS key ID to use for object encryption. All GET and PUT
         // requests for an object protected by AWS KMS will fail if not made via SSL
         // or using SigV4. Documentation on configuring any of the officially supported
@@ -9368,6 +9441,12 @@ func (s *CreateMultipartUploadInput) SetSSECustomerKeyMD5(v string) *CreateMulti
         return s
 }
 
+// SetSSEKMSEncryptionContext sets the SSEKMSEncryptionContext field's value.
+func (s *CreateMultipartUploadInput) SetSSEKMSEncryptionContext(v string) *CreateMultipartUploadInput {
+        s.SSEKMSEncryptionContext = &v
+        return s
+}
+
 // SetSSEKMSKeyId sets the SSEKMSKeyId field's value.
 func (s *CreateMultipartUploadInput) SetSSEKMSKeyId(v string) *CreateMultipartUploadInput {
         s.SSEKMSKeyId = &v
@@ -9428,6 +9507,11 @@ type CreateMultipartUploadOutput struct {
         // verification of the customer-provided encryption key.
         SSECustomerKeyMD5 *string `location:"header" locationName:"x-amz-server-side-encryption-customer-key-MD5" type:"string"`
 
+        // If present, specifies the AWS KMS Encryption Context to use for object encryption.
+        // The value of this header is a base64-encoded UTF-8 string holding JSON with
+        // the encryption context key-value pairs.
+        SSEKMSEncryptionContext *string `location:"header" locationName:"x-amz-server-side-encryption-context" type:"string" sensitive:"true"`
+
         // If present, specifies the ID of the AWS Key Management Service (KMS) master
         // encryption key that was used for the object.
         SSEKMSKeyId *string `location:"header" locationName:"x-amz-server-side-encryption-aws-kms-key-id" type:"string" sensitive:"true"`
@@ -9499,6 +9583,12 @@ func (s *CreateMultipartUploadOutput) SetSSECustomerKeyMD5(v string) *CreateMult
         return s
 }
 
+// SetSSEKMSEncryptionContext sets the SSEKMSEncryptionContext field's value.
+func (s *CreateMultipartUploadOutput) SetSSEKMSEncryptionContext(v string) *CreateMultipartUploadOutput {
+        s.SSEKMSEncryptionContext = &v
+        return s
+}
+
 // SetSSEKMSKeyId sets the SSEKMSKeyId field's value.
 func (s *CreateMultipartUploadOutput) SetSSEKMSKeyId(v string) *CreateMultipartUploadOutput {
         s.SSEKMSKeyId = &v
@@ -9517,7 +9607,7 @@ func (s *CreateMultipartUploadOutput) SetUploadId(v string) *CreateMultipartUplo
         return s
 }
 
-// The container element for specifying the default Object Lock retention settings
+// The container element for specifying the default object lock retention settings
 // for new objects placed in the specified bucket.
 type DefaultRetention struct {
         _ struct{} `type:"structure"`
@@ -9525,7 +9615,7 @@ type DefaultRetention struct {
         // The number of days that you want to specify for the default retention period.
         Days *int64 `type:"integer"`
 
-        // The default Object Lock retention mode you want to apply to new objects placed
+        // The default object lock retention mode you want to apply to new objects placed
         // in the specified bucket.
         Mode *string `type:"string" enum:"ObjectLockRetentionMode"`
 
@@ -9625,7 +9715,7 @@ type DeleteBucketAnalyticsConfigurationInput struct {
         // Bucket is a required field
         Bucket *string `location:"uri" locationName:"Bucket" type:"string" required:"true"`
 
-        // The identifier used to represent an analytics configuration.
+        // The ID that identifies the analytics configuration.
         //
         // Id is a required field
         Id *string `location:"querystring" locationName:"id" type:"string" required:"true"`
@@ -10425,7 +10515,7 @@ type DeleteObjectInput struct {
         // Bucket is a required field
         Bucket *string `location:"uri" locationName:"Bucket" type:"string" required:"true"`
 
-        // Indicates whether S3 Object Lock should bypass Governance-mode restrictions
+        // Indicates whether Amazon S3 object lock should bypass governance-mode restrictions
         // to process this operation.
         BypassGovernanceRetention *bool `location:"header" locationName:"x-amz-bypass-governance-retention" type:"boolean"`
 
@@ -10665,7 +10755,7 @@ type DeleteObjectsInput struct {
         Bucket *string `location:"uri" locationName:"Bucket" type:"string" required:"true"`
 
         // Specifies whether you want to delete this object even if it has a Governance-type
-        // Object Lock in place. You must have sufficient permissions to perform this
+        // object lock in place. You must have sufficient permissions to perform this
         // operation.
         BypassGovernanceRetention *bool `location:"header" locationName:"x-amz-bypass-governance-retention" type:"boolean"`
 
@@ -10902,33 +10992,33 @@ func (s *DeletedObject) SetVersionId(v string) *DeletedObject {
         return s
 }
 
-// A container for information about the replication destination.
+// Specifies information about where to publish analysis or configuration results
+// for an Amazon S3 bucket.
 type Destination struct {
         _ struct{} `type:"structure"`
 
-        // A container for information about access control for replicas.
-        //
-        // Use this element only in a cross-account scenario where source and destination
-        // bucket owners are not the same to change replica ownership to the AWS account
-        // that owns the destination bucket. If you don't add this element to the replication
-        // configuration, the replicas are owned by same AWS account that owns the source
-        // object.
+        // Specify this only in a cross-account scenario (where source and destination
+        // bucket owners are not the same), and you want to change replica ownership
+        // to the AWS account that owns the destination bucket. If this is not specified
+        // in the replication configuration, the replicas are owned by same AWS account
+        // that owns the source object.
         AccessControlTranslation *AccessControlTranslation `type:"structure"`
 
-        // The account ID of the destination bucket. Currently, Amazon S3 verifies this
-        // value only if Access Control Translation is enabled.
-        //
-        // In a cross-account scenario, if you change replica ownership to the AWS account
-        // that owns the destination bucket by adding the AccessControlTranslation element,
-        // this is the account ID of the owner of the destination bucket.
+        // Destination bucket owner account ID. In a cross-account scenario, if you
+        // direct Amazon S3 to change replica ownership to the AWS account that owns
+        // the destination bucket by specifying the AccessControlTranslation property,
+        // this is the account ID of the destination bucket owner. For more information,
+        // see Cross-Region Replication Additional Configuration: Change Replica Owner
+        // (https://docs.aws.amazon.com/AmazonS3/latest/dev/crr-change-owner.html) in
+        // the Amazon Simple Storage Service Developer Guide.
         Account *string `type:"string"`
 
         // The Amazon Resource Name (ARN) of the bucket where you want Amazon S3 to
         // store replicas of the object identified by the rule.
         //
-        // If there are multiple rules in your replication configuration, all rules
-        // must specify the same bucket as the destination. A replication configuration
-        // can replicate objects to only one destination bucket.
+        // A replication configuration can replicate objects to only one destination
+        // bucket. If there are multiple rules in your replication configuration, all
+        // rules must specify the same destination bucket.
         //
         // Bucket is a required field
         Bucket *string `type:"string" required:"true"`
@@ -10937,8 +11027,13 @@ type Destination struct {
         // is specified, you must specify this element.
         EncryptionConfiguration *EncryptionConfiguration `type:"structure"`
 
-        // The class of storage used to store the object. By default Amazon S3 uses
-        // storage class of the source object when creating a replica.
+        // The storage class to use when replicating objects, such as standard or reduced
+        // redundancy. By default, Amazon S3 uses the storage class of the source object
+        // to create the object replica.
+        //
+        // For valid values, see the StorageClass element of the PUT Bucket replication
+        // (https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTreplication.html)
+        // action in the Amazon Simple Storage Service API Reference.
         StorageClass *string `type:"string" enum:"StorageClass"`
 }
 
@@ -11068,13 +11163,13 @@ func (s *Encryption) SetKMSKeyId(v string) *Encryption {
         return s
 }
 
-// A container for information about the encryption-based configuration for
-// replicas.
+// Specifies encryption-related information for an Amazon S3 bucket that is
+// a destination for replicated objects.
 type EncryptionConfiguration struct {
         _ struct{} `type:"structure"`
 
-        // The ID of the AWS KMS key for the AWS Region where the destination bucket
-        // resides. Amazon S3 uses this key to encrypt the replica object.
+        // Specifies the AWS KMS Key ID (Key ARN or Alias ARN) for the destination bucket.
+        // Amazon S3 uses this key to encrypt replica objects.
         ReplicaKmsKeyID *string `type:"string"`
 }
 
@@ -11207,18 +11302,19 @@ func (s *ErrorDocument) SetKey(v string) *ErrorDocument {
         return s
 }
 
-// A container for a key value pair that defines the criteria for the filter
-// rule.
+// Specifies the Amazon S3 object key name to filter on and whether to filter
+// on the suffix or prefix of the key name.
 type FilterRule struct {
         _ struct{} `type:"structure"`
 
         // The object key name prefix or suffix identifying one or more objects to which
-        // the filtering rule applies. The maximum prefix length is 1,024 characters.
-        // Overlapping prefixes and suffixes are not supported. For more information,
-        // see Configuring Event Notifications (https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html)
+        // the filtering rule applies. The maximum length is 1,024 characters. Overlapping
+        // prefixes and suffixes are not supported. For more information, see Configuring
+        // Event Notifications (https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html)
         // in the Amazon Simple Storage Service Developer Guide.
         Name *string `type:"string" enum:"FilterRuleName"`
 
+        // The value that the filter searches for in object key names.
         Value *string `type:"string"`
 }
 
@@ -11400,7 +11496,7 @@ type GetBucketAnalyticsConfigurationInput struct {
         // Bucket is a required field
         Bucket *string `location:"uri" locationName:"Bucket" type:"string" required:"true"`
 
-        // The identifier used to represent an analytics configuration.
+        // The ID that identifies the analytics configuration.
         //
         // Id is a required field
         Id *string `location:"querystring" locationName:"id" type:"string" required:"true"`
@@ -11597,8 +11693,7 @@ func (s *GetBucketEncryptionInput) getBucket() (v string) {
 type GetBucketEncryptionOutput struct {
         _ struct{} `type:"structure" payload:"ServerSideEncryptionConfiguration"`
 
-        // Container for server-side encryption configuration rules. Currently S3 supports
-        // one rule only.
+        // Specifies the default server-side-encryption configuration.
         ServerSideEncryptionConfiguration *ServerSideEncryptionConfiguration `type:"structure"`
 }
 
@@ -11956,9 +12051,10 @@ func (s *GetBucketLoggingInput) getBucket() (v string) {
 type GetBucketLoggingOutput struct {
         _ struct{} `type:"structure"`
 
-        // Container for logging information. Presence of this element indicates that
-        // logging is enabled. Parameters TargetBucket and TargetPrefix are required
-        // in this case.
+        // Describes where logs are stored and the prefix that Amazon S3 assigns to
+        // all log object keys for a bucket. For more information, see PUT Bucket logging
+        // (https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTlogging.html)
+        // in the Amazon Simple Storage Service API Reference.
         LoggingEnabled *LoggingEnabled `type:"structure"`
 }
 
@@ -12592,6 +12688,8 @@ type GetBucketWebsiteOutput struct {
 
         IndexDocument *IndexDocument `type:"structure"`
 
+        // Specifies the redirect behavior of all requests to a website endpoint of
+        // an Amazon S3 bucket.
         RedirectAllRequestsTo *RedirectAllRequestsTo `type:"structure"`
 
         RoutingRules []*RoutingRule `locationNameList:"RoutingRule" type:"list"`
@@ -12820,7 +12918,7 @@ type GetObjectInput struct {
         // does not store the encryption key. The key must be appropriate for use with
         // the algorithm specified in the x-amz-server-side​-encryption​-customer-algorithm
         // header.
-        SSECustomerKey *string `location:"header" locationName:"x-amz-server-side-encryption-customer-key" type:"string" sensitive:"true"`
+        SSECustomerKey *string `marshal-as:"blob" location:"header" locationName:"x-amz-server-side-encryption-customer-key" type:"string" sensitive:"true"`
 
         // Specifies the 128-bit MD5 digest of the encryption key according to RFC 1321.
         // Amazon S3 uses this header for a message integrity check to ensure the encryption
@@ -13103,7 +13201,7 @@ func (s *GetObjectLegalHoldOutput) SetLegalHold(v *ObjectLockLegalHold) *GetObje
 type GetObjectLockConfigurationInput struct {
         _ struct{} `type:"structure"`
 
-        // The bucket whose Object Lock configuration you want to retrieve.
+        // The bucket whose object lock configuration you want to retrieve.
         //
         // Bucket is a required field
         Bucket *string `location:"uri" locationName:"Bucket" type:"string" required:"true"`
@@ -13151,7 +13249,7 @@ func (s *GetObjectLockConfigurationInput) getBucket() (v string) {
 type GetObjectLockConfigurationOutput struct {
         _ struct{} `type:"structure" payload:"ObjectLockConfiguration"`
 
-        // The specified bucket's Object Lock configuration.
+        // The specified bucket's object lock configuration.
         ObjectLockConfiguration *ObjectLockConfiguration `type:"structure"`
 }
 
@@ -13235,10 +13333,10 @@ type GetObjectOutput struct {
         // returned if you have permission to view an object's legal hold status.
         ObjectLockLegalHoldStatus *string `location:"header" locationName:"x-amz-object-lock-legal-hold" type:"string" enum:"ObjectLockLegalHoldStatus"`
 
-        // The Object Lock mode currently in place for this object.
+        // The object lock mode currently in place for this object.
         ObjectLockMode *string `location:"header" locationName:"x-amz-object-lock-mode" type:"string" enum:"ObjectLockMode"`
 
-        // The date and time when this object's Object Lock will expire.
+        // The date and time when this object's object lock will expire.
         ObjectLockRetainUntilDate *time.Time `location:"header" locationName:"x-amz-object-lock-retain-until-date" type:"timestamp" timestampFormat:"iso8601"`
 
         // The count of parts this object has.
@@ -14136,7 +14234,7 @@ type HeadObjectInput struct {
         // does not store the encryption key. The key must be appropriate for use with
         // the algorithm specified in the x-amz-server-side​-encryption​-customer-algorithm
         // header.
-        SSECustomerKey *string `location:"header" locationName:"x-amz-server-side-encryption-customer-key" type:"string" sensitive:"true"`
+        SSECustomerKey *string `marshal-as:"blob" location:"header" locationName:"x-amz-server-side-encryption-customer-key" type:"string" sensitive:"true"`
 
         // Specifies the 128-bit MD5 digest of the encryption key according to RFC 1321.
         // Amazon S3 uses this header for a message integrity check to ensure the encryption
@@ -14328,10 +14426,10 @@ type HeadObjectOutput struct {
         // The Legal Hold status for the specified object.
         ObjectLockLegalHoldStatus *string `location:"header" locationName:"x-amz-object-lock-legal-hold" type:"string" enum:"ObjectLockLegalHoldStatus"`
 
-        // The Object Lock mode currently in place for this object.
+        // The object lock mode currently in place for this object.
         ObjectLockMode *string `location:"header" locationName:"x-amz-object-lock-mode" type:"string" enum:"ObjectLockMode"`
 
-        // The date and time when this object's Object Lock will expire.
+        // The date and time when this object's object lock expires.
         ObjectLockRetainUntilDate *time.Time `location:"header" locationName:"x-amz-object-lock-retain-until-date" type:"timestamp" timestampFormat:"iso8601"`
 
         // The count of parts this object has.
@@ -14680,6 +14778,9 @@ func (s *InputSerialization) SetParquet(v *ParquetInput) *InputSerialization {
         return s
 }
 
+// Specifies the inventory configuration for an Amazon S3 bucket. For more information,
+// see GET Bucket inventory (https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETInventoryConfig.html)
+// in the Amazon Simple Storage Service API Reference.
 type InventoryConfiguration struct {
         _ struct{} `type:"structure"`
 
@@ -14697,12 +14798,16 @@ type InventoryConfiguration struct {
         // Id is a required field
         Id *string `type:"string" required:"true"`
 
-        // Specifies which object version(s) to included in the inventory results.
+        // Object versions to include in the inventory list. If set to All, the list
+        // includes all the object versions, which adds the version-related fields VersionId,
+        // IsLatest, and DeleteMarker to the list. If set to Current, the list does
+        // not contain these version-related fields.
         //
         // IncludedObjectVersions is a required field
         IncludedObjectVersions *string `type:"string" required:"true" enum:"InventoryIncludedObjectVersions"`
 
-        // Specifies whether the inventory is enabled or disabled.
+        // Specifies whether the inventory is enabled or disabled. If set to True, an
+        // inventory list is generated. If set to False, no inventory list is generated.
         //
         // IsEnabled is a required field
         IsEnabled *bool `type:"boolean" required:"true"`
@@ -15145,11 +15250,15 @@ func (s *KeyFilter) SetFilterRules(v []*FilterRule) *KeyFilter {
 type LambdaFunctionConfiguration struct {
         _ struct{} `type:"structure"`
 
+        // The Amazon S3 bucket event for which to invoke the AWS Lambda function. For
+        // more information, see Supported Event Types (https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html)
+        // in the Amazon Simple Storage Service Developer Guide.
+        //
         // Events is a required field
         Events []*string `locationName:"Event" type:"list" flattened:"true" required:"true"`
 
-        // A container for object key name filtering rules. For information about key
-        // name filtering, see Configuring Event Notifications (https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html)
+        // Specifies object key name filtering rules. For information about key name
+        // filtering, see Configuring Event Notifications (https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html)
         // in the Amazon Simple Storage Service Developer Guide.
         Filter *NotificationConfigurationFilter `type:"structure"`
 
@@ -15157,8 +15266,8 @@ type LambdaFunctionConfiguration struct {
         // If you don't provide one, Amazon S3 will assign an ID.
         Id *string `type:"string"`
 
-        // The Amazon Resource Name (ARN) of the Lambda cloud function that Amazon S3
-        // can invoke when it detects events of the specified type.
+        // The Amazon Resource Name (ARN) of the AWS Lambda function that Amazon S3
+        // invokes when the specified event type occurs.
         //
         // LambdaFunctionArn is a required field
         LambdaFunctionArn *string `locationName:"CloudFunction" type:"string" required:"true"`
@@ -15309,8 +15418,11 @@ func (s *LifecycleExpiration) SetExpiredObjectDeleteMarker(v bool) *LifecycleExp
 type LifecycleRule struct {
         _ struct{} `type:"structure"`
 
-        // Specifies the days since the initiation of an Incomplete Multipart Upload
-        // that Lifecycle will wait before permanently removing all parts of the upload.
+        // Specifies the days since the initiation of an incomplete multipart upload
+        // that Amazon S3 will wait before permanently removing all parts of the upload.
+        // For more information, see Aborting Incomplete Multipart Uploads Using a Bucket
+        // Lifecycle Policy (https://docs.aws.amazon.com/AmazonS3/latest/dev/mpuoverview.html#mpu-abort-incomplete-mpu-lifecycle-config)
+        // in the Amazon Simple Storage Service Developer Guide.
         AbortIncompleteMultipartUpload *AbortIncompleteMultipartUpload `type:"structure"`
 
         Expiration *LifecycleExpiration `type:"structure"`
@@ -17267,9 +17379,10 @@ func (s *Location) SetUserMetadata(v []*MetadataEntry) *Location {
         return s
 }
 
-// Container for logging information. Presence of this element indicates that
-// logging is enabled. Parameters TargetBucket and TargetPrefix are required
-// in this case.
+// Describes where logs are stored and the prefix that Amazon S3 assigns to
+// all log object keys for a bucket. For more information, see PUT Bucket logging
+// (https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTlogging.html)
+// in the Amazon Simple Storage Service API Reference.
 type LoggingEnabled struct {
         _ struct{} `type:"structure"`
 
@@ -17285,8 +17398,9 @@ type LoggingEnabled struct {
 
         TargetGrants []*TargetGrant `locationNameList:"Grant" type:"list"`
 
-        // This element lets you specify a prefix for the keys that the log files will
-        // be stored under.
+        // A prefix for all log object keys. If you store log files from multiple Amazon
+        // S3 buckets in a single bucket, you can use a prefix to distinguish which
+        // log files came from which bucket.
         //
         // TargetPrefix is a required field
         TargetPrefix *string `type:"string" required:"true"`
@@ -17429,6 +17543,13 @@ func (s *MetricsAndOperator) SetTags(v []*Tag) *MetricsAndOperator {
         return s
 }
 
+// Specifies a metrics configuration for the CloudWatch request metrics (specified
+// by the metrics configuration ID) from an Amazon S3 bucket. If you're updating
+// an existing metrics configuration, note that this is a full replacement of
+// the existing metrics configuration. If you don't include the elements you
+// want to keep, they are erased. For more information, see PUT Bucket metrics
+// (https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTMetricConfiguration.html)
+// in the Amazon Simple Storage Service API Reference.
 type MetricsConfiguration struct {
         _ struct{} `type:"structure"`
 
@@ -17624,7 +17745,7 @@ type NoncurrentVersionExpiration struct {
         // Specifies the number of days an object is noncurrent before Amazon S3 can
         // perform the associated action. For information about the noncurrent days
         // calculations, see How Amazon S3 Calculates When an Object Became Noncurrent
-        // (https://docs.aws.amazon.com/AmazonS3/latest/dev/s3-access-control.html)
+        // (https://docs.aws.amazon.com/AmazonS3/latest/dev/intro-lifecycle-rules.html#non-current-days-calculations)
         // in the Amazon Simple Storage Service Developer Guide.
         NoncurrentDays *int64 `type:"integer"`
 }
@@ -17646,11 +17767,11 @@ func (s *NoncurrentVersionExpiration) SetNoncurrentDays(v int64) *NoncurrentVers
 }
 
 // Container for the transition rule that describes when noncurrent objects
-// transition to the STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, GLACIER or
-// DEEP_ARCHIVE storage class. If your bucket is versioning-enabled (or versioning
+// transition to the STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, GLACIER,
+// or DEEP_ARCHIVE storage class. If your bucket is versioning-enabled (or versioning
 // is suspended), you can set this action to request that Amazon S3 transition
 // noncurrent object versions to the STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING,
-// GLACIER or DEEP_ARCHIVE storage class at a specific period in the object's
+// GLACIER, or DEEP_ARCHIVE storage class at a specific period in the object's
 // lifetime.
 type NoncurrentVersionTransition struct {
         _ struct{} `type:"structure"`
@@ -17693,10 +17814,16 @@ func (s *NoncurrentVersionTransition) SetStorageClass(v string) *NoncurrentVersi
 type NotificationConfiguration struct {
         _ struct{} `type:"structure"`
 
+        // Describes the AWS Lambda functions to invoke and the events for which to
+        // invoke them.
         LambdaFunctionConfigurations []*LambdaFunctionConfiguration `locationName:"CloudFunctionConfiguration" type:"list" flattened:"true"`
 
+        // The Amazon Simple Queue Service queues to publish messages to and the events
+        // for which to publish messages.
         QueueConfigurations []*QueueConfiguration `locationName:"QueueConfiguration" type:"list" flattened:"true"`
 
+        // The topic to which notifications are sent and the events for which notifications
+        // are generated.
         TopicConfigurations []*TopicConfiguration `locationName:"TopicConfiguration" type:"list" flattened:"true"`
 }
 
@@ -17806,8 +17933,8 @@ func (s *NotificationConfigurationDeprecated) SetTopicConfiguration(v *TopicConf
         return s
 }
 
-// A container for object key name filtering rules. For information about key
-// name filtering, see Configuring Event Notifications (https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html)
+// Specifies object key name filtering rules. For information about key name
+// filtering, see Configuring Event Notifications (https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html)
 // in the Amazon Simple Storage Service Developer Guide.
 type NotificationConfigurationFilter struct {
         _ struct{} `type:"structure"`
@@ -17945,14 +18072,14 @@ func (s *ObjectIdentifier) SetVersionId(v string) *ObjectIdentifier {
         return s
 }
 
-// The container element for Object Lock configuration parameters.
+// The container element for object lock configuration parameters.
 type ObjectLockConfiguration struct {
         _ struct{} `type:"structure"`
 
-        // Indicates whether this bucket has an Object Lock configuration enabled.
+        // Indicates whether this bucket has an object lock configuration enabled.
         ObjectLockEnabled *string `type:"string" enum:"ObjectLockEnabled"`
 
-        // The Object Lock rule in place for the specified object.
+        // The object lock rule in place for the specified object.
         Rule *ObjectLockRule `type:"structure"`
 }
 
@@ -18009,7 +18136,7 @@ type ObjectLockRetention struct {
         // Indicates the Retention mode for the specified object.
         Mode *string `type:"string" enum:"ObjectLockRetentionMode"`
 
-        // The date on which this Object Lock Retention will expire.
+        // The date on which this object lock retention expires.
         RetainUntilDate *time.Time `type:"timestamp" timestampFormat:"iso8601"`
 }
 
@@ -18035,7 +18162,7 @@ func (s *ObjectLockRetention) SetRetainUntilDate(v time.Time) *ObjectLockRetenti
         return s
 }
 
-// The container element for an Object Lock rule.
+// The container element for an object lock rule.
 type ObjectLockRule struct {
         _ struct{} `type:"structure"`
 
@@ -18418,6 +18545,7 @@ func (s *ProgressEvent) UnmarshalEvent(
         return nil
 }
 
+// Specifies the Block Public Access configuration for an Amazon S3 bucket.
 type PublicAccessBlockConfiguration struct {
         _ struct{} `type:"structure"`
 
@@ -18575,6 +18703,7 @@ type PutBucketAclInput struct {
         // The canned ACL to apply to the bucket.
         ACL *string `location:"header" locationName:"x-amz-acl" type:"string" enum:"BucketCannedACL"`
 
+        // Contains the elements that set the ACL permissions for an object per grantee.
         AccessControlPolicy *AccessControlPolicy `locationName:"AccessControlPolicy" type:"structure" xmlURI:"http://s3.amazonaws.com/doc/2006-03-01/"`
 
         // Bucket is a required field
@@ -18710,7 +18839,7 @@ type PutBucketAnalyticsConfigurationInput struct {
         // Bucket is a required field
         Bucket *string `location:"uri" locationName:"Bucket" type:"string" required:"true"`
 
-        // The identifier used to represent an analytics configuration.
+        // The ID that identifies the analytics configuration.
         //
         // Id is a required field
         Id *string `location:"querystring" locationName:"id" type:"string" required:"true"`
@@ -18798,6 +18927,11 @@ type PutBucketCorsInput struct {
         // Bucket is a required field
         Bucket *string `location:"uri" locationName:"Bucket" type:"string" required:"true"`
 
+        // Describes the cross-origin access configuration for objects in an Amazon
+        // S3 bucket. For more information, see Enabling Cross-Origin Resource Sharing
+        // (https://docs.aws.amazon.com/AmazonS3/latest/dev/cors.html) in the Amazon
+        // Simple Storage Service Developer Guide.
+        //
         // CORSConfiguration is a required field
         CORSConfiguration *CORSConfiguration `locationName:"CORSConfiguration" type:"structure" required:"true" xmlURI:"http://s3.amazonaws.com/doc/2006-03-01/"`
 }
@@ -18872,14 +19006,16 @@ func (s PutBucketCorsOutput) GoString() string {
 type PutBucketEncryptionInput struct {
         _ struct{} `type:"structure" payload:"ServerSideEncryptionConfiguration"`
 
-        // The name of the bucket for which the server-side encryption configuration
-        // is set.
+        // Specifies default encryption for a bucket using server-side encryption with
+        // Amazon S3-managed keys (SSE-S3) or AWS KMS-managed keys (SSE-KMS). For information
+        // about the Amazon S3 default encryption feature, see Amazon S3 Default Bucket
+        // Encryption (https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html)
+        // in the Amazon Simple Storage Service Developer Guide.
         //
         // Bucket is a required field
         Bucket *string `location:"uri" locationName:"Bucket" type:"string" required:"true"`
 
-        // Container for server-side encryption configuration rules. Currently S3 supports
-        // one rule only.
+        // Specifies the default server-side-encryption configuration.
         //
         // ServerSideEncryptionConfiguration is a required field
         ServerSideEncryptionConfiguration *ServerSideEncryptionConfiguration `locationName:"ServerSideEncryptionConfiguration" type:"structure" required:"true" xmlURI:"http://s3.amazonaws.com/doc/2006-03-01/"`
@@ -19053,6 +19189,9 @@ type PutBucketLifecycleConfigurationInput struct {
         // Bucket is a required field
         Bucket *string `location:"uri" locationName:"Bucket" type:"string" required:"true"`
 
+        // Specifies the lifecycle configuration for objects in an Amazon S3 bucket.
+        // For more information, see Object Lifecycle Management (https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html)
+        // in the Amazon Simple Storage Service Developer Guide.
         LifecycleConfiguration *BucketLifecycleConfiguration `locationName:"LifecycleConfiguration" type:"structure" xmlURI:"http://s3.amazonaws.com/doc/2006-03-01/"`
 }
 
@@ -19612,6 +19751,9 @@ type PutBucketReplicationInput struct {
         //
         // ReplicationConfiguration is a required field
         ReplicationConfiguration *ReplicationConfiguration `locationName:"ReplicationConfiguration" type:"structure" required:"true" xmlURI:"http://s3.amazonaws.com/doc/2006-03-01/"`
+
+        // A token that allows Amazon S3 object lock to be enabled for an existing bucket.
+        Token *string `location:"header" locationName:"x-amz-bucket-object-lock-token" type:"string"`
 }
 
 // String returns the string representation
@@ -19667,6 +19809,12 @@ func (s *PutBucketReplicationInput) SetReplicationConfiguration(v *ReplicationCo
         return s
 }
 
+// SetToken sets the Token field's value.
+func (s *PutBucketReplicationInput) SetToken(v string) *PutBucketReplicationInput {
+        s.Token = &v
+        return s
+}
+
 type PutBucketReplicationOutput struct {
         _ struct{} `type:"structure"`
 }
@@ -19845,6 +19993,10 @@ type PutBucketVersioningInput struct {
         // and the value that is displayed on your authentication device.
         MFA *string `location:"header" locationName:"x-amz-mfa" type:"string"`
 
+        // Describes the versioning state of an Amazon S3 bucket. For more information,
+        // see PUT Bucket versioning (https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTVersioningStatus.html)
+        // in the Amazon Simple Storage Service API Reference.
+        //
         // VersioningConfiguration is a required field
         VersioningConfiguration *VersioningConfiguration `locationName:"VersioningConfiguration" type:"structure" required:"true" xmlURI:"http://s3.amazonaws.com/doc/2006-03-01/"`
 }
@@ -19923,6 +20075,8 @@ type PutBucketWebsiteInput struct {
         // Bucket is a required field
         Bucket *string `location:"uri" locationName:"Bucket" type:"string" required:"true"`
 
+        // Specifies website configuration parameters for an Amazon S3 bucket.
+        //
         // WebsiteConfiguration is a required field
         WebsiteConfiguration *WebsiteConfiguration `locationName:"WebsiteConfiguration" type:"structure" required:"true" xmlURI:"http://s3.amazonaws.com/doc/2006-03-01/"`
 }
@@ -20000,6 +20154,7 @@ type PutObjectAclInput struct {
         // The canned ACL to apply to the object.
         ACL *string `location:"header" locationName:"x-amz-acl" type:"string" enum:"ObjectCannedACL"`
 
+        // Contains the elements that set the ACL permissions for an object per grantee.
         AccessControlPolicy *AccessControlPolicy `locationName:"AccessControlPolicy" type:"structure" xmlURI:"http://s3.amazonaws.com/doc/2006-03-01/"`
 
         // Bucket is a required field
@@ -20201,7 +20356,8 @@ type PutObjectInput struct {
         ContentLength *int64 `location:"header" locationName:"Content-Length" type:"long"`
 
         // The base64-encoded 128-bit MD5 digest of the part data. This parameter is
-        // auto-populated when using the command from the CLI
+        // auto-populated when using the command from the CLI. This parameted is required
+        // if object lock parameters are specified.
         ContentMD5 *string `location:"header" locationName:"Content-MD5" type:"string"`
 
         // A standard MIME type describing the format of the object data.
@@ -20233,10 +20389,10 @@ type PutObjectInput struct {
         // The Legal Hold status that you want to apply to the specified object.
         ObjectLockLegalHoldStatus *string `location:"header" locationName:"x-amz-object-lock-legal-hold" type:"string" enum:"ObjectLockLegalHoldStatus"`
 
-        // The Object Lock mode that you want to apply to this object.
+        // The object lock mode that you want to apply to this object.
         ObjectLockMode *string `location:"header" locationName:"x-amz-object-lock-mode" type:"string" enum:"ObjectLockMode"`
 
-        // The date and time when you want this object's Object Lock to expire.
+        // The date and time when you want this object's object lock to expire.
         ObjectLockRetainUntilDate *time.Time `location:"header" locationName:"x-amz-object-lock-retain-until-date" type:"timestamp" timestampFormat:"iso8601"`
 
         // Confirms that the requester knows that she or he will be charged for the
@@ -20253,13 +20409,18 @@ type PutObjectInput struct {
         // does not store the encryption key. The key must be appropriate for use with
         // the algorithm specified in the x-amz-server-side​-encryption​-customer-algorithm
         // header.
-        SSECustomerKey *string `location:"header" locationName:"x-amz-server-side-encryption-customer-key" type:"string" sensitive:"true"`
+        SSECustomerKey *string `marshal-as:"blob" location:"header" locationName:"x-amz-server-side-encryption-customer-key" type:"string" sensitive:"true"`
 
         // Specifies the 128-bit MD5 digest of the encryption key according to RFC 1321.
         // Amazon S3 uses this header for a message integrity check to ensure the encryption
         // key was transmitted without error.
         SSECustomerKeyMD5 *string `location:"header" locationName:"x-amz-server-side-encryption-customer-key-MD5" type:"string"`
 
+        // Specifies the AWS KMS Encryption Context to use for object encryption. The
+        // value of this header is a base64-encoded UTF-8 string holding JSON with the
+        // encryption context key-value pairs.
+        SSEKMSEncryptionContext *string `location:"header" locationName:"x-amz-server-side-encryption-context" type:"string" sensitive:"true"`
+
         // Specifies the AWS KMS key ID to use for object encryption. All GET and PUT
         // requests for an object protected by AWS KMS will fail if not made via SSL
         // or using SigV4. Documentation on configuring any of the officially supported
@@ -20473,6 +20634,12 @@ func (s *PutObjectInput) SetSSECustomerKeyMD5(v string) *PutObjectInput {
         return s
 }
 
+// SetSSEKMSEncryptionContext sets the SSEKMSEncryptionContext field's value.
+func (s *PutObjectInput) SetSSEKMSEncryptionContext(v string) *PutObjectInput {
+        s.SSEKMSEncryptionContext = &v
+        return s
+}
+
 // SetSSEKMSKeyId sets the SSEKMSKeyId field's value.
 func (s *PutObjectInput) SetSSEKMSKeyId(v string) *PutObjectInput {
         s.SSEKMSKeyId = &v
@@ -20626,12 +20793,12 @@ func (s *PutObjectLegalHoldOutput) SetRequestCharged(v string) *PutObjectLegalHo
 type PutObjectLockConfigurationInput struct {
         _ struct{} `type:"structure" payload:"ObjectLockConfiguration"`
 
-        // The bucket whose Object Lock configuration you want to create or replace.
+        // The bucket whose object lock configuration you want to create or replace.
         //
         // Bucket is a required field
         Bucket *string `location:"uri" locationName:"Bucket" type:"string" required:"true"`
 
-        // The Object Lock configuration that you want to apply to the specified bucket.
+        // The object lock configuration that you want to apply to the specified bucket.
         ObjectLockConfiguration *ObjectLockConfiguration `locationName:"ObjectLockConfiguration" type:"structure" xmlURI:"http://s3.amazonaws.com/doc/2006-03-01/"`
 
         // Confirms that the requester knows that she or he will be charged for the
@@ -20640,7 +20807,7 @@ type PutObjectLockConfigurationInput struct {
         // at http://docs.aws.amazon.com/AmazonS3/latest/dev/ObjectsinRequesterPaysBuckets.html
         RequestPayer *string `location:"header" locationName:"x-amz-request-payer" type:"string" enum:"RequestPayer"`
 
-        // A token to allow Object Lock to be enabled for an existing bucket.
+        // A token to allow Amazon S3 object lock to be enabled for an existing bucket.
         Token *string `location:"header" locationName:"x-amz-bucket-object-lock-token" type:"string"`
 }
 
@@ -20749,6 +20916,11 @@ type PutObjectOutput struct {
         // verification of the customer-provided encryption key.
         SSECustomerKeyMD5 *string `location:"header" locationName:"x-amz-server-side-encryption-customer-key-MD5" type:"string"`
 
+        // If present, specifies the AWS KMS Encryption Context to use for object encryption.
+        // The value of this header is a base64-encoded UTF-8 string holding JSON with
+        // the encryption context key-value pairs.
+        SSEKMSEncryptionContext *string `location:"header" locationName:"x-amz-server-side-encryption-context" type:"string" sensitive:"true"`
+
         // If present, specifies the ID of the AWS Key Management Service (KMS) master
         // encryption key that was used for the object.
         SSEKMSKeyId *string `location:"header" locationName:"x-amz-server-side-encryption-aws-kms-key-id" type:"string" sensitive:"true"`
@@ -20801,6 +20973,12 @@ func (s *PutObjectOutput) SetSSECustomerKeyMD5(v string) *PutObjectOutput {
         return s
 }
 
+// SetSSEKMSEncryptionContext sets the SSEKMSEncryptionContext field's value.
+func (s *PutObjectOutput) SetSSEKMSEncryptionContext(v string) *PutObjectOutput {
+        s.SSEKMSEncryptionContext = &v
+        return s
+}
+
 // SetSSEKMSKeyId sets the SSEKMSKeyId field's value.
 func (s *PutObjectOutput) SetSSEKMSKeyId(v string) *PutObjectOutput {
         s.SSEKMSKeyId = &v
@@ -21139,17 +21317,16 @@ func (s PutPublicAccessBlockOutput) GoString() string {
         return s.String()
 }
 
-// A container for specifying the configuration for publication of messages
-// to an Amazon Simple Queue Service (Amazon SQS) queue.when Amazon S3 detects
-// specified events.
+// Specifies the configuration for publishing messages to an Amazon Simple Queue
+// Service (Amazon SQS) queue when Amazon S3 detects specified events.
 type QueueConfiguration struct {
         _ struct{} `type:"structure"`
 
         // Events is a required field
         Events []*string `locationName:"Event" type:"list" flattened:"true" required:"true"`
 
-        // A container for object key name filtering rules. For information about key
-        // name filtering, see Configuring Event Notifications (https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html)
+        // Specifies object key name filtering rules. For information about key name
+        // filtering, see Configuring Event Notifications (https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html)
         // in the Amazon Simple Storage Service Developer Guide.
         Filter *NotificationConfigurationFilter `type:"structure"`
 
@@ -21158,7 +21335,7 @@ type QueueConfiguration struct {
         Id *string `type:"string"`
 
         // The Amazon Resource Name (ARN) of the Amazon SQS queue to which Amazon S3
-        // will publish a message when it detects events of the specified type.
+        // publishes a message when it detects events of the specified type.
         //
         // QueueArn is a required field
         QueueArn *string `locationName:"Queue" type:"string" required:"true"`
@@ -21304,6 +21481,8 @@ func (s *RecordsEvent) UnmarshalEvent(
         return nil
 }
 
+// Specifies how requests are redirected. In the event of an error, you can
+// specify a different error code to return.
 type Redirect struct {
         _ struct{} `type:"structure"`
 
@@ -21314,8 +21493,8 @@ type Redirect struct {
         // siblings is present.
         HttpRedirectCode *string `type:"string"`
 
-        // Protocol to use (http, https) when redirecting requests. The default is the
-        // protocol that is used in the original request.
+        // Protocol to use when redirecting requests. The default is the protocol that
+        // is used in the original request.
         Protocol *string `type:"string" enum:"Protocol"`
 
         // The object key prefix to use in the redirect request. For example, to redirect
@@ -21327,7 +21506,7 @@ type Redirect struct {
         ReplaceKeyPrefixWith *string `type:"string"`
 
         // The specific object key to use in the redirect request. For example, redirect
-        // request to error.html. Not required if one of the sibling is present. Can
+        // request to error.html. Not required if one of the siblings is present. Can
         // be present only if ReplaceKeyPrefixWith is not provided.
         ReplaceKeyWith *string `type:"string"`
 }
@@ -21372,16 +21551,18 @@ func (s *Redirect) SetReplaceKeyWith(v string) *Redirect {
         return s
 }
 
+// Specifies the redirect behavior of all requests to a website endpoint of
+// an Amazon S3 bucket.
 type RedirectAllRequestsTo struct {
         _ struct{} `type:"structure"`
 
-        // Name of the host where requests will be redirected.
+        // Name of the host where requests are redirected.
         //
         // HostName is a required field
         HostName *string `type:"string" required:"true"`
 
-        // Protocol to use (http, https) when redirecting requests. The default is the
-        // protocol that is used in the original request.
+        // Protocol to use when redirecting requests. The default is the protocol that
+        // is used in the original request.
         Protocol *string `type:"string" enum:"Protocol"`
 }
 
@@ -21426,7 +21607,9 @@ type ReplicationConfiguration struct {
         _ struct{} `type:"structure"`
 
         // The Amazon Resource Name (ARN) of the AWS Identity and Access Management
-        // (IAM) role that Amazon S3 can assume when replicating the objects.
+        // (IAM) role that Amazon S3 assumes when replicating objects. For more information,
+        // see How to Set Up Cross-Region Replication (https://docs.aws.amazon.com/AmazonS3/latest/dev/crr-how-setup.html)
+        // in the Amazon Simple Storage Service Developer Guide.
         //
         // Role is a required field
         Role *string `type:"string" required:"true"`
@@ -21486,7 +21669,7 @@ func (s *ReplicationConfiguration) SetRules(v []*ReplicationRule) *ReplicationCo
         return s
 }
 
-// A container for information about a specific replication rule.
+// Specifies which Amazon S3 objects to replicate and where to store the replicas.
 type ReplicationRule struct {
         _ struct{} `type:"structure"`
 
@@ -21506,7 +21689,8 @@ type ReplicationRule struct {
         ID *string `type:"string"`
 
         // An object keyname prefix that identifies the object or objects to which the
-        // rule applies. The maximum prefix length is 1,024 characters.
+        // rule applies. The maximum prefix length is 1,024 characters. To include all
+        // objects in a bucket, specify an empty string.
         //
         // Deprecated: Prefix has been deprecated
         Prefix *string `deprecated:"true" type:"string"`
@@ -21522,7 +21706,7 @@ type ReplicationRule struct {
         //    * Same object qualify tag based filter criteria specified in multiple
         //    rules
         //
-        // For more information, see Cross-Region Replication (CRR) ( https://docs.aws.amazon.com/AmazonS3/latest/dev/crr.html)
+        // For more information, see Cross-Region Replication (CRR) (https://docs.aws.amazon.com/AmazonS3/latest/dev/crr.html)
         // in the Amazon S3 Developer Guide.
         Priority *int64 `type:"integer"`
 
@@ -21531,12 +21715,9 @@ type ReplicationRule struct {
         // replication of these objects. Currently, Amazon S3 supports only the filter
         // that you can specify for objects created with server-side encryption using
         // an AWS KMS-Managed Key (SSE-KMS).
-        //
-        // If you want Amazon S3 to replicate objects created with server-side encryption
-        // using AWS KMS-Managed Keys.
         SourceSelectionCriteria *SourceSelectionCriteria `type:"structure"`
 
-        // If status isn't enabled, the rule is ignored.
+        // Specifies whether the rule is enabled.
         //
         // Status is a required field
         Status *string `type:"string" required:"true" enum:"ReplicationRuleStatus"`
@@ -22051,6 +22232,7 @@ func (s *RestoreRequest) SetType(v string) *RestoreRequest {
         return s
 }
 
+// Specifies the redirect behavior and when a redirect is applied.
 type RoutingRule struct {
         _ struct{} `type:"structure"`
 
@@ -22103,16 +22285,22 @@ func (s *RoutingRule) SetRedirect(v *Redirect) *RoutingRule {
         return s
 }
 
+// Specifies lifecycle rules for an Amazon S3 bucket. For more information,
+// see PUT Bucket lifecycle (https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTlifecycle.html)
+// in the Amazon Simple Storage Service API Reference.
 type Rule struct {
         _ struct{} `type:"structure"`
 
-        // Specifies the days since the initiation of an Incomplete Multipart Upload
-        // that Lifecycle will wait before permanently removing all parts of the upload.
+        // Specifies the days since the initiation of an incomplete multipart upload
+        // that Amazon S3 will wait before permanently removing all parts of the upload.
+        // For more information, see Aborting Incomplete Multipart Uploads Using a Bucket
+        // Lifecycle Policy (https://docs.aws.amazon.com/AmazonS3/latest/dev/mpuoverview.html#mpu-abort-incomplete-mpu-lifecycle-config)
+        // in the Amazon Simple Storage Service Developer Guide.
         AbortIncompleteMultipartUpload *AbortIncompleteMultipartUpload `type:"structure"`
 
         Expiration *LifecycleExpiration `type:"structure"`
 
-        // Unique identifier for the rule. The value cannot be longer than 255 characters.
+        // Unique identifier for the rule. The value can't be longer than 255 characters.
         ID *string `type:"string"`
 
         // Specifies when noncurrent object versions expire. Upon expiration, Amazon
@@ -22123,25 +22311,27 @@ type Rule struct {
         NoncurrentVersionExpiration *NoncurrentVersionExpiration `type:"structure"`
 
         // Container for the transition rule that describes when noncurrent objects
-        // transition to the STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, GLACIER or
-        // DEEP_ARCHIVE storage class. If your bucket is versioning-enabled (or versioning
+        // transition to the STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, GLACIER,
+        // or DEEP_ARCHIVE storage class. If your bucket is versioning-enabled (or versioning
         // is suspended), you can set this action to request that Amazon S3 transition
         // noncurrent object versions to the STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING,
-        // GLACIER or DEEP_ARCHIVE storage class at a specific period in the object's
+        // GLACIER, or DEEP_ARCHIVE storage class at a specific period in the object's
         // lifetime.
         NoncurrentVersionTransition *NoncurrentVersionTransition `type:"structure"`
 
-        // Prefix identifying one or more objects to which the rule applies.
+        // Object key prefix that identifies one or more objects to which this rule
+        // applies.
         //
         // Prefix is a required field
         Prefix *string `type:"string" required:"true"`
 
-        // If 'Enabled', the rule is currently being applied. If 'Disabled', the rule
-        // is not currently being applied.
+        // If Enabled, the rule is currently being applied. If Disabled, the rule is
+        // not currently being applied.
         //
         // Status is a required field
         Status *string `type:"string" required:"true" enum:"ExpirationStatus"`
 
+        // Specifies when an object transitions to a specified storage class.
         Transition *Transition `type:"structure"`
 }
 
@@ -22537,15 +22727,15 @@ type SelectObjectContentInput struct {
         // Specifies if periodic request progress information should be enabled.
         RequestProgress *RequestProgress `type:"structure"`
 
-        // The SSE Algorithm used to encrypt the object. For more information, see
-        // Server-Side Encryption (Using Customer-Provided Encryption Keys (https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html).
+        // The SSE Algorithm used to encrypt the object. For more information, see Server-Side
+        // Encryption (Using Customer-Provided Encryption Keys (https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html).
         SSECustomerAlgorithm *string `location:"header" locationName:"x-amz-server-side-encryption-customer-algorithm" type:"string"`
 
-        // The SSE Customer Key. For more information, see  Server-Side Encryption (Using
+        // The SSE Customer Key. For more information, see Server-Side Encryption (Using
         // Customer-Provided Encryption Keys (https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html).
-        SSECustomerKey *string `location:"header" locationName:"x-amz-server-side-encryption-customer-key" type:"string" sensitive:"true"`
+        SSECustomerKey *string `marshal-as:"blob" location:"header" locationName:"x-amz-server-side-encryption-customer-key" type:"string" sensitive:"true"`
 
-        // The SSE Customer Key MD5. For more information, see  Server-Side Encryption
+        // The SSE Customer Key MD5. For more information, see Server-Side Encryption
         // (Using Customer-Provided Encryption Keys (https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html).
         SSECustomerKeyMD5 *string `location:"header" locationName:"x-amz-server-side-encryption-customer-key-MD5" type:"string"`
 }
@@ -22792,13 +22982,15 @@ func (s *SelectParameters) SetOutputSerialization(v *OutputSerialization) *Selec
 }
 
 // Describes the default server-side encryption to apply to new objects in the
-// bucket. If Put Object request does not specify any server-side encryption,
-// this default encryption will be applied.
+// bucket. If a PUT Object request doesn't specify any server-side encryption,
+// this default encryption will be applied. For more information, see PUT Bucket
+// encryption (https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTencryption.html)
+// in the Amazon Simple Storage Service API Reference.
 type ServerSideEncryptionByDefault struct {
         _ struct{} `type:"structure"`
 
         // KMS master key ID to use for the default encryption. This parameter is allowed
-        // if SSEAlgorithm is aws:kms.
+        // if and only if SSEAlgorithm is set to aws:kms.
         KMSMasterKeyID *string `type:"string" sensitive:"true"`
 
         // Server-side encryption algorithm to use for the default encryption.
@@ -22842,8 +23034,7 @@ func (s *ServerSideEncryptionByDefault) SetSSEAlgorithm(v string) *ServerSideEnc
         return s
 }
 
-// Container for server-side encryption configuration rules. Currently S3 supports
-// one rule only.
+// Specifies the default server-side-encryption configuration.
 type ServerSideEncryptionConfiguration struct {
         _ struct{} `type:"structure"`
 
@@ -22893,13 +23084,12 @@ func (s *ServerSideEncryptionConfiguration) SetRules(v []*ServerSideEncryptionRu
         return s
 }
 
-// Container for information about a particular server-side encryption configuration
-// rule.
+// Specifies the default server-side encryption configuration.
 type ServerSideEncryptionRule struct {
         _ struct{} `type:"structure"`
 
-        // Describes the default server-side encryption to apply to new objects in the
-        // bucket. If Put Object request does not specify any server-side encryption,
+        // Specifies the default server-side encryption to apply to new objects in the
+        // bucket. If a PUT Object request doesn't specify any server-side encryption,
         // this default encryption will be applied.
         ApplyServerSideEncryptionByDefault *ServerSideEncryptionByDefault `type:"structure"`
 }
@@ -22935,13 +23125,17 @@ func (s *ServerSideEncryptionRule) SetApplyServerSideEncryptionByDefault(v *Serv
         return s
 }
 
-// A container for filters that define which source objects should be replicated.
+// A container that describes additional filters for identifying the source
+// objects that you want to replicate. You can choose to enable or disable the
+// replication of these objects. Currently, Amazon S3 supports only the filter
+// that you can specify for objects created with server-side encryption using
+// an AWS KMS-Managed Key (SSE-KMS).
 type SourceSelectionCriteria struct {
         _ struct{} `type:"structure"`
 
-        // A container for filter information for the selection of S3 objects encrypted
-        // with AWS KMS. If you include SourceSelectionCriteria in the replication configuration,
-        // this element is required.
+        // A container for filter information for the selection of Amazon S3 objects
+        // encrypted with AWS KMS. If you include SourceSelectionCriteria in the replication
+        // configuration, this element is required.
         SseKmsEncryptedObjects *SseKmsEncryptedObjects `type:"structure"`
 }
 
@@ -22981,8 +23175,8 @@ func (s *SourceSelectionCriteria) SetSseKmsEncryptedObjects(v *SseKmsEncryptedOb
 type SseKmsEncryptedObjects struct {
         _ struct{} `type:"structure"`
 
-        // If the status is not Enabled, replication for S3 objects encrypted with AWS
-        // KMS is disabled.
+        // Specifies whether Amazon S3 replicates objects created with server-side encryption
+        // using an AWS KMS-managed key.
         //
         // Status is a required field
         Status *string `type:"string" required:"true" enum:"SseKmsEncryptedObjectsStatus"`
@@ -23098,11 +23292,14 @@ func (s *StatsEvent) UnmarshalEvent(
         return nil
 }
 
+// Specifies data related to access patterns to be collected and made available
+// to analyze the tradeoffs between different storage classes for an Amazon
+// S3 bucket.
 type StorageClassAnalysis struct {
         _ struct{} `type:"structure"`
 
-        // A container used to describe how data related to the storage class analysis
-        // should be exported.
+        // Specifies how data related to the storage class analysis for an Amazon S3
+        // bucket should be exported.
         DataExport *StorageClassAnalysisDataExport `type:"structure"`
 }
 
@@ -23342,16 +23539,20 @@ func (s *TargetGrant) SetPermission(v string) *TargetGrant {
 }
 
 // A container for specifying the configuration for publication of messages
-// to an Amazon Simple Notification Service (Amazon SNS) topic.when Amazon S3
+// to an Amazon Simple Notification Service (Amazon SNS) topic when Amazon S3
 // detects specified events.
 type TopicConfiguration struct {
         _ struct{} `type:"structure"`
 
+        // The Amazon S3 bucket event about which to send notifications. For more information,
+        // see Supported Event Types (https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html)
+        // in the Amazon Simple Storage Service Developer Guide.
+        //
         // Events is a required field
         Events []*string `locationName:"Event" type:"list" flattened:"true" required:"true"`
 
-        // A container for object key name filtering rules. For information about key
-        // name filtering, see Configuring Event Notifications (https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html)
+        // Specifies object key name filtering rules. For information about key name
+        // filtering, see Configuring Event Notifications (https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html)
         // in the Amazon Simple Storage Service Developer Guide.
         Filter *NotificationConfigurationFilter `type:"structure"`
 
@@ -23360,7 +23561,7 @@ type TopicConfiguration struct {
         Id *string `type:"string"`
 
         // The Amazon Resource Name (ARN) of the Amazon SNS topic to which Amazon S3
-        // will publish a message when it detects events of the specified type.
+        // publishes a message when it detects events of the specified type.
         //
         // TopicArn is a required field
         TopicArn *string `locationName:"Topic" type:"string" required:"true"`
@@ -23469,18 +23670,19 @@ func (s *TopicConfigurationDeprecated) SetTopic(v string) *TopicConfigurationDep
         return s
 }
 
+// Specifies when an object transitions to a specified storage class.
 type Transition struct {
         _ struct{} `type:"structure"`
 
-        // Indicates at what date the object is to be moved or deleted. Should be in
-        // GMT ISO 8601 Format.
+        // Indicates when objects are transitioned to the specified storage class. The
+        // date value must be in ISO 8601 format. The time is always midnight UTC.
         Date *time.Time `type:"timestamp" timestampFormat:"iso8601"`
 
-        // Indicates the lifetime, in days, of the objects that are subject to the rule.
-        // The value must be a non-zero positive integer.
+        // Indicates the number of days after creation when objects are transitioned
+        // to the specified storage class. The value must be a positive integer.
         Days *int64 `type:"integer"`
 
-        // The class of storage used to store the object.
+        // The storage class to which you want the object to transition.
         StorageClass *string `type:"string" enum:"TransitionStorageClass"`
 }
 
@@ -23550,7 +23752,7 @@ type UploadPartCopyInput struct {
         // Specifies the customer-provided encryption key for Amazon S3 to use to decrypt
         // the source object. The encryption key provided in this header must be one
         // that was used when the source object was created.
-        CopySourceSSECustomerKey *string `location:"header" locationName:"x-amz-copy-source-server-side-encryption-customer-key" type:"string" sensitive:"true"`
+        CopySourceSSECustomerKey *string `marshal-as:"blob" location:"header" locationName:"x-amz-copy-source-server-side-encryption-customer-key" type:"string" sensitive:"true"`
 
         // Specifies the 128-bit MD5 digest of the encryption key according to RFC 1321.
         // Amazon S3 uses this header for a message integrity check to ensure the encryption
@@ -23581,7 +23783,7 @@ type UploadPartCopyInput struct {
         // the algorithm specified in the x-amz-server-side​-encryption​-customer-algorithm
         // header. This must be the same encryption key specified in the initiate multipart
         // upload request.
-        SSECustomerKey *string `location:"header" locationName:"x-amz-server-side-encryption-customer-key" type:"string" sensitive:"true"`
+        SSECustomerKey *string `marshal-as:"blob" location:"header" locationName:"x-amz-server-side-encryption-customer-key" type:"string" sensitive:"true"`
 
         // Specifies the 128-bit MD5 digest of the encryption key according to RFC 1321.
         // Amazon S3 uses this header for a message integrity check to ensure the encryption
@@ -23857,7 +24059,9 @@ type UploadPartInput struct {
         // body cannot be determined automatically.
         ContentLength *int64 `location:"header" locationName:"Content-Length" type:"long"`
 
-        // The base64-encoded 128-bit MD5 digest of the part data.
+        // The base64-encoded 128-bit MD5 digest of the part data. This parameter is
+        // auto-populated when using the command from the CLI. This parameted is required
+        // if object lock parameters are specified.
         ContentMD5 *string `location:"header" locationName:"Content-MD5" type:"string"`
 
         // Object key for which the multipart upload was initiated.
@@ -23886,7 +24090,7 @@ type UploadPartInput struct {
         // the algorithm specified in the x-amz-server-side​-encryption​-customer-algorithm
         // header. This must be the same encryption key specified in the initiate multipart
         // upload request.
-        SSECustomerKey *string `location:"header" locationName:"x-amz-server-side-encryption-customer-key" type:"string" sensitive:"true"`
+        SSECustomerKey *string `marshal-as:"blob" location:"header" locationName:"x-amz-server-side-encryption-customer-key" type:"string" sensitive:"true"`
 
         // Specifies the 128-bit MD5 digest of the encryption key according to RFC 1321.
         // Amazon S3 uses this header for a message integrity check to ensure the encryption
@@ -24092,6 +24296,9 @@ func (s *UploadPartOutput) SetServerSideEncryption(v string) *UploadPartOutput {
         return s
 }
 
+// Describes the versioning state of an Amazon S3 bucket. For more information,
+// see PUT Bucket versioning (https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTVersioningStatus.html)
+// in the Amazon Simple Storage Service API Reference.
 type VersioningConfiguration struct {
         _ struct{} `type:"structure"`
 
@@ -24126,15 +24333,22 @@ func (s *VersioningConfiguration) SetStatus(v string) *VersioningConfiguration {
         return s
 }
 
+// Specifies website configuration parameters for an Amazon S3 bucket.
 type WebsiteConfiguration struct {
         _ struct{} `type:"structure"`
 
+        // The name of the error document for the website.
         ErrorDocument *ErrorDocument `type:"structure"`
 
+        // The name of the index document for the website.
         IndexDocument *IndexDocument `type:"structure"`
 
+        // The redirect behavior for every request to this bucket's website endpoint.
+        //
+        // If you specify this property, you can't specify any other property.
         RedirectAllRequestsTo *RedirectAllRequestsTo `type:"structure"`
 
+        // Rules that define when a redirect is applied and the redirect behavior.
         RoutingRules []*RoutingRule `locationNameList:"RoutingRule" type:"list"`
 }
 
diff --git a/vendor/github.com/aws/aws-sdk-go/service/s3/bucket_location.go b/vendor/github.com/aws/aws-sdk-go/service/s3/bucket_location.go
index bc68a46..9ba8a78 100644
--- a/vendor/github.com/aws/aws-sdk-go/service/s3/bucket_location.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/s3/bucket_location.go
@@ -80,7 +80,8 @@ func buildGetBucketLocation(r *request.Request) {
                 out := r.Data.(*GetBucketLocationOutput)
                 b, err := ioutil.ReadAll(r.HTTPResponse.Body)
                 if err != nil {
-                        r.Error = awserr.New("SerializationError", "failed reading response body", err)
+                        r.Error = awserr.New(request.ErrCodeSerialization,
+                                "failed reading response body", err)
                         return
                 }
 
diff --git a/vendor/github.com/aws/aws-sdk-go/service/s3/customizations.go b/vendor/github.com/aws/aws-sdk-go/service/s3/customizations.go
index 95f2456..23d386b 100644
--- a/vendor/github.com/aws/aws-sdk-go/service/s3/customizations.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/s3/customizations.go
@@ -17,7 +17,8 @@ func defaultInitClientFn(c *client.Client) {
 
         // Require SSL when using SSE keys
         c.Handlers.Validate.PushBack(validateSSERequiresSSL)
-        c.Handlers.Build.PushBack(computeSSEKeys)
+        c.Handlers.Build.PushBack(computeSSEKeyMD5)
+        c.Handlers.Build.PushBack(computeCopySourceSSEKeyMD5)
 
         // S3 uses custom error unmarshaling logic
         c.Handlers.UnmarshalError.Clear()
diff --git a/vendor/github.com/aws/aws-sdk-go/service/s3/sse.go b/vendor/github.com/aws/aws-sdk-go/service/s3/sse.go
index 8010c4f..b71c835 100644
--- a/vendor/github.com/aws/aws-sdk-go/service/s3/sse.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/s3/sse.go
@@ -3,6 +3,7 @@ package s3
 import (
         "crypto/md5"
         "encoding/base64"
+        "net/http"
 
         "github.com/aws/aws-sdk-go/aws/awserr"
         "github.com/aws/aws-sdk-go/aws/request"
@@ -30,25 +31,54 @@ func validateSSERequiresSSL(r *request.Request) {
         }
 }
 
-func computeSSEKeys(r *request.Request) {
-        headers := []string{
-                "x-amz-server-side-encryption-customer-key",
-                "x-amz-copy-source-server-side-encryption-customer-key",
+const (
+        sseKeyHeader    = "x-amz-server-side-encryption-customer-key"
+        sseKeyMD5Header = sseKeyHeader + "-md5"
+)
+
+func computeSSEKeyMD5(r *request.Request) {
+        var key string
+        if g, ok := r.Params.(sseCustomerKeyGetter); ok {
+                key = g.getSSECustomerKey()
+        }
+
+        computeKeyMD5(sseKeyHeader, sseKeyMD5Header, key, r.HTTPRequest)
+}
+
+const (
+        copySrcSSEKeyHeader    = "x-amz-copy-source-server-side-encryption-customer-key"
+        copySrcSSEKeyMD5Header = copySrcSSEKeyHeader + "-md5"
+)
+
+func computeCopySourceSSEKeyMD5(r *request.Request) {
+        var key string
+        if g, ok := r.Params.(copySourceSSECustomerKeyGetter); ok {
+                key = g.getCopySourceSSECustomerKey()
         }
 
-        for _, h := range headers {
-                md5h := h + "-md5"
-                if key := r.HTTPRequest.Header.Get(h); key != "" {
-                        // Base64-encode the value
-                        b64v := base64.StdEncoding.EncodeToString([]byte(key))
-                        r.HTTPRequest.Header.Set(h, b64v)
-
-                        // Add MD5 if it wasn't computed
-                        if r.HTTPRequest.Header.Get(md5h) == "" {
-                                sum := md5.Sum([]byte(key))
-                                b64sum := base64.StdEncoding.EncodeToString(sum[:])
-                                r.HTTPRequest.Header.Set(md5h, b64sum)
-                        }
+        computeKeyMD5(copySrcSSEKeyHeader, copySrcSSEKeyMD5Header, key, r.HTTPRequest)
+}
+
+func computeKeyMD5(keyHeader, keyMD5Header, key string, r *http.Request) {
+        if len(key) == 0 {
+                // Backwards compatiablity where user just set the header value instead
+                // of using the API parameter, or setting the header value for an
+                // operation without the parameters modeled.
+                key = r.Header.Get(keyHeader)
+                if len(key) == 0 {
+                        return
                 }
+
+                // In backwards compatiable, the header's value is not base64 encoded,
+                // and needs to be encoded and updated by the SDK's customizations.
+                b64Key := base64.StdEncoding.EncodeToString([]byte(key))
+                r.Header.Set(keyHeader, b64Key)
+        }
+
+        // Only update Key's MD5 if not already set.
+        if len(r.Header.Get(keyMD5Header)) == 0 {
+                sum := md5.Sum([]byte(key))
+                keyMD5 := base64.StdEncoding.EncodeToString(sum[:])
+                r.Header.Set(keyMD5Header, keyMD5)
         }
 }
diff --git a/vendor/github.com/aws/aws-sdk-go/service/s3/statusok_error.go b/vendor/github.com/aws/aws-sdk-go/service/s3/statusok_error.go
index fde3050..f6a69ae 100644
--- a/vendor/github.com/aws/aws-sdk-go/service/s3/statusok_error.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/s3/statusok_error.go
@@ -14,7 +14,7 @@ func copyMultipartStatusOKUnmarhsalError(r *request.Request) {
         b, err := ioutil.ReadAll(r.HTTPResponse.Body)
         if err != nil {
                 r.Error = awserr.NewRequestFailure(
-                        awserr.New("SerializationError", "unable to read response body", err),
+                        awserr.New(request.ErrCodeSerialization, "unable to read response body", err),
                         r.HTTPResponse.StatusCode,
                         r.RequestID,
                 )
@@ -31,7 +31,7 @@ func copyMultipartStatusOKUnmarhsalError(r *request.Request) {
 
         unmarshalError(r)
         if err, ok := r.Error.(awserr.Error); ok && err != nil {
-                if err.Code() == "SerializationError" {
+                if err.Code() == request.ErrCodeSerialization {
                         r.Error = nil
                         return
                 }
diff --git a/vendor/github.com/aws/aws-sdk-go/service/s3/unmarshal_error.go b/vendor/github.com/aws/aws-sdk-go/service/s3/unmarshal_error.go
index 1db7e13..5b63fac 100644
--- a/vendor/github.com/aws/aws-sdk-go/service/s3/unmarshal_error.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/s3/unmarshal_error.go
@@ -11,6 +11,7 @@ import (
         "github.com/aws/aws-sdk-go/aws"
         "github.com/aws/aws-sdk-go/aws/awserr"
         "github.com/aws/aws-sdk-go/aws/request"
+        "github.com/aws/aws-sdk-go/private/protocol/xml/xmlutil"
 )
 
 type xmlErrorResponse struct {
@@ -42,29 +43,34 @@ func unmarshalError(r *request.Request) {
                 return
         }
 
-        var errCode, errMsg string
-
         // Attempt to parse error from body if it is known
-        resp := &xmlErrorResponse{}
-        err := xml.NewDecoder(r.HTTPResponse.Body).Decode(resp)
-        if err != nil && err != io.EOF {
-                errCode = "SerializationError"
-                errMsg = "failed to decode S3 XML error response"
-        } else {
-                errCode = resp.Code
-                errMsg = resp.Message
+        var errResp xmlErrorResponse
+        err := xmlutil.UnmarshalXMLError(&errResp, r.HTTPResponse.Body)
+        if err == io.EOF {
+                // Only capture the error if an unmarshal error occurs that is not EOF,
+                // because S3 might send an error without a error message which causes
+                // the XML unmarshal to fail with EOF.
                 err = nil
         }
+        if err != nil {
+                r.Error = awserr.NewRequestFailure(
+                        awserr.New(request.ErrCodeSerialization,
+                                "failed to unmarshal error message", err),
+                        r.HTTPResponse.StatusCode,
+                        r.RequestID,
+                )
+                return
+        }
 
         // Fallback to status code converted to message if still no error code
-        if len(errCode) == 0 {
+        if len(errResp.Code) == 0 {
                 statusText := http.StatusText(r.HTTPResponse.StatusCode)
-                errCode = strings.Replace(statusText, " ", "", -1)
-                errMsg = statusText
+                errResp.Code = strings.Replace(statusText, " ", "", -1)
+                errResp.Message = statusText
         }
 
         r.Error = awserr.NewRequestFailure(
-                awserr.New(errCode, errMsg, err),
+                awserr.New(errResp.Code, errResp.Message, err),
                 r.HTTPResponse.StatusCode,
                 r.RequestID,
         )
diff --git a/vendor/github.com/aws/aws-sdk-go/service/sts/api.go b/vendor/github.com/aws/aws-sdk-go/service/sts/api.go
index 8113089..d22c38b 100644
--- a/vendor/github.com/aws/aws-sdk-go/service/sts/api.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/sts/api.go
@@ -3,6 +3,7 @@
 package sts
 
 import (
+        "fmt"
         "time"
 
         "github.com/aws/aws-sdk-go/aws"
@@ -55,38 +56,26 @@ func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, o
 
 // AssumeRole API operation for AWS Security Token Service.
 //
-// Returns a set of temporary security credentials (consisting of an access
-// key ID, a secret access key, and a security token) that you can use to access
-// AWS resources that you might not normally have access to. Typically, you
-// use AssumeRole for cross-account access or federation. For a comparison of
-// AssumeRole with the other APIs that produce temporary credentials, see Requesting
-// Temporary Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
-// and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
+// Returns a set of temporary security credentials that you can use to access
+// AWS resources that you might not normally have access to. These temporary
+// credentials consist of an access key ID, a secret access key, and a security
+// token. Typically, you use AssumeRole within your account or for cross-account
+// access. For a comparison of AssumeRole with other API operations that produce
+// temporary credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
+// and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
 // in the IAM User Guide.
 //
-// Important: You cannot call AssumeRole by using AWS root account credentials;
-// access is denied. You must use credentials for an IAM user or an IAM role
-// to call AssumeRole.
+// You cannot use AWS account root user credentials to call AssumeRole. You
+// must use credentials for an IAM user or an IAM role to call AssumeRole.
 //
 // For cross-account access, imagine that you own multiple accounts and need
 // to access resources in each account. You could create long-term credentials
 // in each account to access those resources. However, managing all those credentials
 // and remembering which one can access which account can be time consuming.
-// Instead, you can create one set of long-term credentials in one account and
-// then use temporary security credentials to access all the other accounts
+// Instead, you can create one set of long-term credentials in one account.
+// Then use temporary security credentials to access all the other accounts
 // by assuming roles in those accounts. For more information about roles, see
-// IAM Roles (Delegation and Federation) (http://docs.aws.amazon.com/IAM/latest/UserGuide/roles-toplevel.html)
-// in the IAM User Guide.
-//
-// For federation, you can, for example, grant single sign-on access to the
-// AWS Management Console. If you already have an identity and authentication
-// system in your corporate network, you don't have to recreate user identities
-// in AWS in order to grant those user identities access to AWS. Instead, after
-// a user has been authenticated, you call AssumeRole (and specify the role
-// with the appropriate permissions) to get temporary security credentials for
-// that user. With those temporary security credentials, you construct a sign-in
-// URL that users can use to access the console. For more information, see Common
-// Scenarios for Temporary Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html#sts-introduction)
+// IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html)
 // in the IAM User Guide.
 //
 // By default, the temporary security credentials created by AssumeRole last
@@ -95,69 +84,73 @@ func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, o
 // seconds (15 minutes) up to the maximum session duration setting for the role.
 // This setting can have a value from 1 hour to 12 hours. To learn how to view
 // the maximum value for your role, see View the Maximum Session Duration Setting
-// for a Role (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
+// for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
 // in the IAM User Guide. The maximum session duration limit applies when you
-// use the AssumeRole* API operations or the assume-role* CLI operations but
-// does not apply when you use those operations to create a console URL. For
-// more information, see Using IAM Roles (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html)
+// use the AssumeRole* API operations or the assume-role* CLI commands. However
+// the limit does not apply when you use those operations to create a console
+// URL. For more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html)
 // in the IAM User Guide.
 //
 // The temporary security credentials created by AssumeRole can be used to make
-// API calls to any AWS service with the following exception: you cannot call
-// the STS service's GetFederationToken or GetSessionToken APIs.
-//
-// Optionally, you can pass an IAM access policy to this operation. If you choose
-// not to pass a policy, the temporary security credentials that are returned
-// by the operation have the permissions that are defined in the access policy
-// of the role that is being assumed. If you pass a policy to this operation,
-// the temporary security credentials that are returned by the operation have
-// the permissions that are allowed by both the access policy of the role that
-// is being assumed, and the policy that you pass. This gives you a way to further
-// restrict the permissions for the resulting temporary security credentials.
-// You cannot use the passed policy to grant permissions that are in excess
-// of those allowed by the access policy of the role that is being assumed.
-// For more information, see Permissions for AssumeRole, AssumeRoleWithSAML,
-// and AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html)
+// API calls to any AWS service with the following exception: You cannot call
+// the AWS STS GetFederationToken or GetSessionToken API operations.
+//
+// (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
+// to this operation. You can pass a single JSON policy document to use as an
+// inline session policy. You can also specify up to 10 managed policies to
+// use as managed session policies. The plain text that you use for both inline
+// and managed session policies shouldn't exceed 2048 characters. Passing policies
+// to this operation returns new temporary credentials. The resulting session's
+// permissions are the intersection of the role's identity-based policy and
+// the session policies. You can use the role's temporary credentials in subsequent
+// AWS API calls to access resources in the account that owns the role. You
+// cannot use session policies to grant more permissions than those allowed
+// by the identity-based policy of the role that is being assumed. For more
+// information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
 // in the IAM User Guide.
 //
-// To assume a role, your AWS account must be trusted by the role. The trust
-// relationship is defined in the role's trust policy when the role is created.
-// That trust policy states which accounts are allowed to delegate access to
-// this account's role.
-//
-// The user who wants to access the role must also have permissions delegated
-// from the role's administrator. If the user is in a different account than
-// the role, then the user's administrator must attach a policy that allows
-// the user to call AssumeRole on the ARN of the role in the other account.
-// If the user is in the same account as the role, then you can either attach
-// a policy to the user (identical to the previous different account user),
-// or you can add the user as a principal directly in the role's trust policy.
-// In this case, the trust policy acts as the only resource-based policy in
-// IAM, and users in the same account as the role do not need explicit permission
-// to assume the role. For more information about trust policies and resource-based
-// policies, see IAM Policies (http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)
+// To assume a role from a different account, your AWS account must be trusted
+// by the role. The trust relationship is defined in the role's trust policy
+// when the role is created. That trust policy states which accounts are allowed
+// to delegate that access to users in the account.
+//
+// A user who wants to access a role in a different account must also have permissions
+// that are delegated from the user account administrator. The administrator
+// must attach a policy that allows the user to call AssumeRole for the ARN
+// of the role in the other account. If the user is in the same account as the
+// role, then you can do either of the following:
+//
+//    * Attach a policy to the user (identical to the previous user in a different
+//    account).
+//
+//    * Add the user as a principal directly in the role's trust policy.
+//
+// In this case, the trust policy acts as an IAM resource-based policy. Users
+// in the same account as the role do not need explicit permission to assume
+// the role. For more information about trust policies and resource-based policies,
+// see IAM Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)
 // in the IAM User Guide.
 //
 // Using MFA with AssumeRole
 //
-// You can optionally include multi-factor authentication (MFA) information
-// when you call AssumeRole. This is useful for cross-account scenarios in which
-// you want to make sure that the user who is assuming the role has been authenticated
-// using an AWS MFA device. In that scenario, the trust policy of the role being
-// assumed includes a condition that tests for MFA authentication; if the caller
-// does not include valid MFA information, the request to assume the role is
-// denied. The condition in a trust policy that tests for MFA authentication
-// might look like the following example.
+// (Optional) You can include multi-factor authentication (MFA) information
+// when you call AssumeRole. This is useful for cross-account scenarios to ensure
+// that the user that assumes the role has been authenticated with an AWS MFA
+// device. In that scenario, the trust policy of the role being assumed includes
+// a condition that tests for MFA authentication. If the caller does not include
+// valid MFA information, the request to assume the role is denied. The condition
+// in a trust policy that tests for MFA authentication might look like the following
+// example.
 //
 // "Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}}
 //
-// For more information, see Configuring MFA-Protected API Access (http://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html)
+// For more information, see Configuring MFA-Protected API Access (https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html)
 // in the IAM User Guide guide.
 //
 // To use MFA with AssumeRole, you pass values for the SerialNumber and TokenCode
 // parameters. The SerialNumber value identifies the user's hardware or virtual
 // MFA device. The TokenCode is the time-based one-time password (TOTP) that
-// the MFA devices produces.
+// the MFA device produces.
 //
 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
 // with awserr.Error's Code and Message methods to get detailed information about
@@ -180,7 +173,7 @@ func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, o
 //   STS is not activated in the requested region for the account that is being
 //   asked to generate credentials. The account administrator must use the IAM
 //   console to activate STS in that region. For more information, see Activating
-//   and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
+//   and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
 //   in the IAM User Guide.
 //
 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRole
@@ -254,9 +247,9 @@ func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *re
 // via a SAML authentication response. This operation provides a mechanism for
 // tying an enterprise identity store or directory to role-based AWS access
 // without user-specific credentials or configuration. For a comparison of AssumeRoleWithSAML
-// with the other APIs that produce temporary credentials, see Requesting Temporary
-// Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
-// and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
+// with the other API operations that produce temporary credentials, see Requesting
+// Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
+// and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
 // in the IAM User Guide.
 //
 // The temporary security credentials returned by this operation consist of
@@ -271,37 +264,36 @@ func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *re
 // a DurationSeconds value from 900 seconds (15 minutes) up to the maximum session
 // duration setting for the role. This setting can have a value from 1 hour
 // to 12 hours. To learn how to view the maximum value for your role, see View
-// the Maximum Session Duration Setting for a Role (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
+// the Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
 // in the IAM User Guide. The maximum session duration limit applies when you
-// use the AssumeRole* API operations or the assume-role* CLI operations but
-// does not apply when you use those operations to create a console URL. For
-// more information, see Using IAM Roles (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html)
+// use the AssumeRole* API operations or the assume-role* CLI commands. However
+// the limit does not apply when you use those operations to create a console
+// URL. For more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html)
 // in the IAM User Guide.
 //
 // The temporary security credentials created by AssumeRoleWithSAML can be used
 // to make API calls to any AWS service with the following exception: you cannot
-// call the STS service's GetFederationToken or GetSessionToken APIs.
-//
-// Optionally, you can pass an IAM access policy to this operation. If you choose
-// not to pass a policy, the temporary security credentials that are returned
-// by the operation have the permissions that are defined in the access policy
-// of the role that is being assumed. If you pass a policy to this operation,
-// the temporary security credentials that are returned by the operation have
-// the permissions that are allowed by the intersection of both the access policy
-// of the role that is being assumed, and the policy that you pass. This means
-// that both policies must grant the permission for the action to be allowed.
-// This gives you a way to further restrict the permissions for the resulting
-// temporary security credentials. You cannot use the passed policy to grant
-// permissions that are in excess of those allowed by the access policy of the
-// role that is being assumed. For more information, see Permissions for AssumeRole,
-// AssumeRoleWithSAML, and AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html)
+// call the STS GetFederationToken or GetSessionToken API operations.
+//
+// (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
+// to this operation. You can pass a single JSON policy document to use as an
+// inline session policy. You can also specify up to 10 managed policies to
+// use as managed session policies. The plain text that you use for both inline
+// and managed session policies shouldn't exceed 2048 characters. Passing policies
+// to this operation returns new temporary credentials. The resulting session's
+// permissions are the intersection of the role's identity-based policy and
+// the session policies. You can use the role's temporary credentials in subsequent
+// AWS API calls to access resources in the account that owns the role. You
+// cannot use session policies to grant more permissions than those allowed
+// by the identity-based policy of the role that is being assumed. For more
+// information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
 // in the IAM User Guide.
 //
 // Before your application can call AssumeRoleWithSAML, you must configure your
 // SAML identity provider (IdP) to issue the claims required by AWS. Additionally,
 // you must use AWS Identity and Access Management (IAM) to create a SAML provider
-// entity in your AWS account that represents your identity provider, and create
-// an IAM role that specifies this SAML provider in its trust policy.
+// entity in your AWS account that represents your identity provider. You must
+// also create an IAM role that specifies this SAML provider in its trust policy.
 //
 // Calling AssumeRoleWithSAML does not require the use of AWS security credentials.
 // The identity of the caller is validated by using keys in the metadata document
@@ -315,16 +307,16 @@ func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *re
 //
 // For more information, see the following resources:
 //
-//    * About SAML 2.0-based Federation (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html)
+//    * About SAML 2.0-based Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html)
 //    in the IAM User Guide.
 //
-//    * Creating SAML Identity Providers (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)
+//    * Creating SAML Identity Providers (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)
 //    in the IAM User Guide.
 //
-//    * Configuring a Relying Party and Claims (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html)
+//    * Configuring a Relying Party and Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html)
 //    in the IAM User Guide.
 //
-//    * Creating a Role for SAML 2.0 Federation (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html)
+//    * Creating a Role for SAML 2.0 Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html)
 //    in the IAM User Guide.
 //
 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
@@ -363,7 +355,7 @@ func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *re
 //   STS is not activated in the requested region for the account that is being
 //   asked to generate credentials. The account administrator must use the IAM
 //   console to activate STS in that region. For more information, see Activating
-//   and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
+//   and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
 //   in the IAM User Guide.
 //
 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAML
@@ -434,35 +426,35 @@ func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityI
 // AssumeRoleWithWebIdentity API operation for AWS Security Token Service.
 //
 // Returns a set of temporary security credentials for users who have been authenticated
-// in a mobile or web application with a web identity provider, such as Amazon
-// Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible
-// identity provider.
+// in a mobile or web application with a web identity provider. Example providers
+// include Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID
+// Connect-compatible identity provider.
 //
 // For mobile applications, we recommend that you use Amazon Cognito. You can
-// use Amazon Cognito with the AWS SDK for iOS (http://aws.amazon.com/sdkforios/)
-// and the AWS SDK for Android (http://aws.amazon.com/sdkforandroid/) to uniquely
-// identify a user and supply the user with a consistent identity throughout
-// the lifetime of an application.
-//
-// To learn more about Amazon Cognito, see Amazon Cognito Overview (http://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840)
-// in the AWS SDK for Android Developer Guide guide and Amazon Cognito Overview
-// (http://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664)
+// use Amazon Cognito with the AWS SDK for iOS Developer Guide (http://aws.amazon.com/sdkforios/)
+// and the AWS SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/)
+// to uniquely identify a user. You can also supply the user with a consistent
+// identity throughout the lifetime of an application.
+//
+// To learn more about Amazon Cognito, see Amazon Cognito Overview (https://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840)
+// in AWS SDK for Android Developer Guide and Amazon Cognito Overview (https://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664)
 // in the AWS SDK for iOS Developer Guide.
 //
 // Calling AssumeRoleWithWebIdentity does not require the use of AWS security
 // credentials. Therefore, you can distribute an application (for example, on
 // mobile devices) that requests temporary security credentials without including
-// long-term AWS credentials in the application, and without deploying server-based
-// proxy services that use long-term AWS credentials. Instead, the identity
-// of the caller is validated by using a token from the web identity provider.
-// For a comparison of AssumeRoleWithWebIdentity with the other APIs that produce
-// temporary credentials, see Requesting Temporary Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
-// and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
+// long-term AWS credentials in the application. You also don't need to deploy
+// server-based proxy services that use long-term AWS credentials. Instead,
+// the identity of the caller is validated by using a token from the web identity
+// provider. For a comparison of AssumeRoleWithWebIdentity with the other API
+// operations that produce temporary credentials, see Requesting Temporary Security
+// Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
+// and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
 // in the IAM User Guide.
 //
 // The temporary security credentials returned by this API consist of an access
 // key ID, a secret access key, and a security token. Applications can use these
-// temporary security credentials to sign calls to AWS service APIs.
+// temporary security credentials to sign calls to AWS service API operations.
 //
 // By default, the temporary security credentials created by AssumeRoleWithWebIdentity
 // last for one hour. However, you can use the optional DurationSeconds parameter
@@ -470,29 +462,29 @@ func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityI
 // seconds (15 minutes) up to the maximum session duration setting for the role.
 // This setting can have a value from 1 hour to 12 hours. To learn how to view
 // the maximum value for your role, see View the Maximum Session Duration Setting
-// for a Role (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
+// for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
 // in the IAM User Guide. The maximum session duration limit applies when you
-// use the AssumeRole* API operations or the assume-role* CLI operations but
-// does not apply when you use those operations to create a console URL. For
-// more information, see Using IAM Roles (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html)
+// use the AssumeRole* API operations or the assume-role* CLI commands. However
+// the limit does not apply when you use those operations to create a console
+// URL. For more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html)
 // in the IAM User Guide.
 //
 // The temporary security credentials created by AssumeRoleWithWebIdentity can
 // be used to make API calls to any AWS service with the following exception:
-// you cannot call the STS service's GetFederationToken or GetSessionToken APIs.
-//
-// Optionally, you can pass an IAM access policy to this operation. If you choose
-// not to pass a policy, the temporary security credentials that are returned
-// by the operation have the permissions that are defined in the access policy
-// of the role that is being assumed. If you pass a policy to this operation,
-// the temporary security credentials that are returned by the operation have
-// the permissions that are allowed by both the access policy of the role that
-// is being assumed, and the policy that you pass. This gives you a way to further
-// restrict the permissions for the resulting temporary security credentials.
-// You cannot use the passed policy to grant permissions that are in excess
-// of those allowed by the access policy of the role that is being assumed.
-// For more information, see Permissions for AssumeRole, AssumeRoleWithSAML,
-// and AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html)
+// you cannot call the STS GetFederationToken or GetSessionToken API operations.
+//
+// (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
+// to this operation. You can pass a single JSON policy document to use as an
+// inline session policy. You can also specify up to 10 managed policies to
+// use as managed session policies. The plain text that you use for both inline
+// and managed session policies shouldn't exceed 2048 characters. Passing policies
+// to this operation returns new temporary credentials. The resulting session's
+// permissions are the intersection of the role's identity-based policy and
+// the session policies. You can use the role's temporary credentials in subsequent
+// AWS API calls to access resources in the account that owns the role. You
+// cannot use session policies to grant more permissions than those allowed
+// by the identity-based policy of the role that is being assumed. For more
+// information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
 // in the IAM User Guide.
 //
 // Before your application can call AssumeRoleWithWebIdentity, you must have
@@ -511,21 +503,19 @@ func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityI
 // For more information about how to use web identity federation and the AssumeRoleWithWebIdentity
 // API, see the following resources:
 //
-//    * Using Web Identity Federation APIs for Mobile Apps (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html)
-//    and Federation Through a Web-based Identity Provider (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity).
+//    * Using Web Identity Federation API Operations for Mobile Apps (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html)
+//    and Federation Through a Web-based Identity Provider (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity).
 //
+//    * Web Identity Federation Playground (https://web-identity-federation-playground.s3.amazonaws.com/index.html).
+//    Walk through the process of authenticating through Login with Amazon,
+//    Facebook, or Google, getting temporary security credentials, and then
+//    using those credentials to make a request to AWS.
 //
-//    *  Web Identity Federation Playground (https://web-identity-federation-playground.s3.amazonaws.com/index.html).
-//    This interactive website lets you walk through the process of authenticating
-//    via Login with Amazon, Facebook, or Google, getting temporary security
-//    credentials, and then using those credentials to make a request to AWS.
-//
-//
-//    * AWS SDK for iOS (http://aws.amazon.com/sdkforios/) and AWS SDK for Android
-//    (http://aws.amazon.com/sdkforandroid/). These toolkits contain sample
-//    apps that show how to invoke the identity providers, and then how to use
-//    the information from these providers to get and use temporary security
-//    credentials.
+//    * AWS SDK for iOS Developer Guide (http://aws.amazon.com/sdkforios/) and
+//    AWS SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/).
+//    These toolkits contain sample apps that show how to invoke the identity
+//    providers, and then how to use the information from these providers to
+//    get and use temporary security credentials.
 //
 //    * Web Identity Federation with Mobile Applications (http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications).
 //    This article discusses web identity federation and shows an example of
@@ -575,7 +565,7 @@ func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityI
 //   STS is not activated in the requested region for the account that is being
 //   asked to generate credentials. The account administrator must use the IAM
 //   console to activate STS in that region. For more information, see Activating
-//   and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
+//   and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
 //   in the IAM User Guide.
 //
 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentity
@@ -647,17 +637,17 @@ func (c *STS) DecodeAuthorizationMessageRequest(input *DecodeAuthorizationMessag
 // Decodes additional information about the authorization status of a request
 // from an encoded message returned in response to an AWS request.
 //
-// For example, if a user is not authorized to perform an action that he or
-// she has requested, the request returns a Client.UnauthorizedOperation response
-// (an HTTP 403 response). Some AWS actions additionally return an encoded message
-// that can provide details about this authorization failure.
+// For example, if a user is not authorized to perform an operation that he
+// or she has requested, the request returns a Client.UnauthorizedOperation
+// response (an HTTP 403 response). Some AWS operations additionally return
+// an encoded message that can provide details about this authorization failure.
 //
-// Only certain AWS actions return an encoded authorization message. The documentation
-// for an individual action indicates whether that action returns an encoded
-// message in addition to returning an HTTP code.
+// Only certain AWS operations return an encoded authorization message. The
+// documentation for an individual operation indicates whether that operation
+// returns an encoded message in addition to returning an HTTP code.
 //
 // The message is encoded because the details of the authorization status can
-// constitute privileged information that the user who requested the action
+// constitute privileged information that the user who requested the operation
 // should not see. To decode an authorization status message, a user must be
 // granted permissions via an IAM policy to request the DecodeAuthorizationMessage
 // (sts:DecodeAuthorizationMessage) action.
@@ -666,7 +656,7 @@ func (c *STS) DecodeAuthorizationMessageRequest(input *DecodeAuthorizationMessag
 //
 //    * Whether the request was denied due to an explicit deny or due to the
 //    absence of an explicit allow. For more information, see Determining Whether
-//    a Request is Allowed or Denied (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow)
+//    a Request is Allowed or Denied (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow)
 //    in the IAM User Guide.
 //
 //    * The principal who made the request.
@@ -712,6 +702,102 @@ func (c *STS) DecodeAuthorizationMessageWithContext(ctx aws.Context, input *Deco
         return out, req.Send()
 }
 
+const opGetAccessKeyInfo = "GetAccessKeyInfo"
+
+// GetAccessKeyInfoRequest generates a "aws/request.Request" representing the
+// client's request for the GetAccessKeyInfo operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See GetAccessKeyInfo for more information on using the GetAccessKeyInfo
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//
+//    // Example sending a request using the GetAccessKeyInfoRequest method.
+//    req, resp := client.GetAccessKeyInfoRequest(params)
+//
+//    err := req.Send()
+//    if err == nil { // resp is now filled
+//        fmt.Println(resp)
+//    }
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetAccessKeyInfo
+func (c *STS) GetAccessKeyInfoRequest(input *GetAccessKeyInfoInput) (req *request.Request, output *GetAccessKeyInfoOutput) {
+        op := &request.Operation{
+                Name:       opGetAccessKeyInfo,
+                HTTPMethod: "POST",
+                HTTPPath:   "/",
+        }
+
+        if input == nil {
+                input = &GetAccessKeyInfoInput{}
+        }
+
+        output = &GetAccessKeyInfoOutput{}
+        req = c.newRequest(op, input, output)
+        return
+}
+
+// GetAccessKeyInfo API operation for AWS Security Token Service.
+//
+// Returns the account identifier for the specified access key ID.
+//
+// Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE)
+// and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY).
+// For more information about access keys, see Managing Access Keys for IAM
+// Users (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html)
+// in the IAM User Guide.
+//
+// When you pass an access key ID to this operation, it returns the ID of the
+// AWS account to which the keys belong. Access key IDs beginning with AKIA
+// are long-term credentials for an IAM user or the AWS account root user. Access
+// key IDs beginning with ASIA are temporary credentials that are created using
+// STS operations. If the account in the response belongs to you, you can sign
+// in as the root user and review your root user access keys. Then, you can
+// pull a credentials report (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report)
+// to learn which IAM user owns the keys. To learn who requested the temporary
+// credentials for an ASIA access key, view the STS events in your CloudTrail
+// logs (https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration).
+//
+// This operation does not indicate the state of the access key. The key might
+// be active, inactive, or deleted. Active keys might not have permissions to
+// perform an operation. Providing a deleted keys might return an error that
+// the key doesn't exist.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Security Token Service's
+// API operation GetAccessKeyInfo for usage and error information.
+// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetAccessKeyInfo
+func (c *STS) GetAccessKeyInfo(input *GetAccessKeyInfoInput) (*GetAccessKeyInfoOutput, error) {
+        req, out := c.GetAccessKeyInfoRequest(input)
+        return out, req.Send()
+}
+
+// GetAccessKeyInfoWithContext is the same as GetAccessKeyInfo with the addition of
+// the ability to pass a context and additional request options.
+//
+// See GetAccessKeyInfo for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *STS) GetAccessKeyInfoWithContext(ctx aws.Context, input *GetAccessKeyInfoInput, opts ...request.Option) (*GetAccessKeyInfoOutput, error) {
+        req, out := c.GetAccessKeyInfoRequest(input)
+        req.SetContext(ctx)
+        req.ApplyOptions(opts...)
+        return out, req.Send()
+}
+
 const opGetCallerIdentity = "GetCallerIdentity"
 
 // GetCallerIdentityRequest generates a "aws/request.Request" representing the
@@ -834,81 +920,65 @@ func (c *STS) GetFederationTokenRequest(input *GetFederationTokenInput) (req *re
 // Returns a set of temporary security credentials (consisting of an access
 // key ID, a secret access key, and a security token) for a federated user.
 // A typical use is in a proxy application that gets temporary security credentials
-// on behalf of distributed applications inside a corporate network. Because
-// you must call the GetFederationToken action using the long-term security
-// credentials of an IAM user, this call is appropriate in contexts where those
+// on behalf of distributed applications inside a corporate network. You must
+// call the GetFederationToken operation using the long-term security credentials
+// of an IAM user. As a result, this call is appropriate in contexts where those
 // credentials can be safely stored, usually in a server-based application.
-// For a comparison of GetFederationToken with the other APIs that produce temporary
-// credentials, see Requesting Temporary Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
-// and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
+// For a comparison of GetFederationToken with the other API operations that
+// produce temporary credentials, see Requesting Temporary Security Credentials
+// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
+// and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
 // in the IAM User Guide.
 //
-// If you are creating a mobile-based or browser-based app that can authenticate
+// You can create a mobile-based or browser-based app that can authenticate
 // users using a web identity provider like Login with Amazon, Facebook, Google,
-// or an OpenID Connect-compatible identity provider, we recommend that you
-// use Amazon Cognito (http://aws.amazon.com/cognito/) or AssumeRoleWithWebIdentity.
+// or an OpenID Connect-compatible identity provider. In this case, we recommend
+// that you use Amazon Cognito (http://aws.amazon.com/cognito/) or AssumeRoleWithWebIdentity.
 // For more information, see Federation Through a Web-based Identity Provider
-// (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity).
-//
-// The GetFederationToken action must be called by using the long-term AWS security
-// credentials of an IAM user. You can also call GetFederationToken using the
-// security credentials of an AWS root account, but we do not recommended it.
-// Instead, we recommend that you create an IAM user for the purpose of the
-// proxy application and then attach a policy to the IAM user that limits federated
-// users to only the actions and resources that they need access to. For more
-// information, see IAM Best Practices (http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)
+// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity).
+//
+// You can also call GetFederationToken using the security credentials of an
+// AWS account root user, but we do not recommend it. Instead, we recommend
+// that you create an IAM user for the purpose of the proxy application. Then
+// attach a policy to the IAM user that limits federated users to only the actions
+// and resources that they need to access. For more information, see IAM Best
+// Practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)
 // in the IAM User Guide.
 //
-// The temporary security credentials that are obtained by using the long-term
-// credentials of an IAM user are valid for the specified duration, from 900
-// seconds (15 minutes) up to a maximium of 129600 seconds (36 hours). The default
-// is 43200 seconds (12 hours). Temporary credentials that are obtained by using
-// AWS root account credentials have a maximum duration of 3600 seconds (1 hour).
+// The temporary credentials are valid for the specified duration, from 900
+// seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default
+// is 43,200 seconds (12 hours). Temporary credentials that are obtained by
+// using AWS account root user credentials have a maximum duration of 3,600
+// seconds (1 hour).
 //
 // The temporary security credentials created by GetFederationToken can be used
 // to make API calls to any AWS service with the following exceptions:
 //
-//    * You cannot use these credentials to call any IAM APIs.
+//    * You cannot use these credentials to call any IAM API operations.
 //
-//    * You cannot call any STS APIs except GetCallerIdentity.
+//    * You cannot call any STS API operations except GetCallerIdentity.
 //
 // Permissions
 //
-// The permissions for the temporary security credentials returned by GetFederationToken
-// are determined by a combination of the following:
-//
-//    * The policy or policies that are attached to the IAM user whose credentials
-//    are used to call GetFederationToken.
-//
-//    * The policy that is passed as a parameter in the call.
-//
-// The passed policy is attached to the temporary security credentials that
-// result from the GetFederationToken API call--that is, to the federated user.
-// When the federated user makes an AWS request, AWS evaluates the policy attached
-// to the federated user in combination with the policy or policies attached
-// to the IAM user whose credentials were used to call GetFederationToken. AWS
-// allows the federated user's request only when both the federated user and
-// the IAM user are explicitly allowed to perform the requested action. The
-// passed policy cannot grant more permissions than those that are defined in
-// the IAM user policy.
-//
-// A typical use case is that the permissions of the IAM user whose credentials
-// are used to call GetFederationToken are designed to allow access to all the
-// actions and resources that any federated user will need. Then, for individual
-// users, you pass a policy to the operation that scopes down the permissions
-// to a level that's appropriate to that individual user, using a policy that
-// allows only a subset of permissions that are granted to the IAM user.
-//
-// If you do not pass a policy, the resulting temporary security credentials
-// have no effective permissions. The only exception is when the temporary security
-// credentials are used to access a resource that has a resource-based policy
-// that specifically allows the federated user to access the resource.
-//
-// For more information about how permissions work, see Permissions for GetFederationToken
-// (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html).
-// For information about using GetFederationToken to create temporary security
-// credentials, see GetFederationToken—Federation Through a Custom Identity
-// Broker (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken).
+// You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
+// to this operation. You can pass a single JSON policy document to use as an
+// inline session policy. You can also specify up to 10 managed policies to
+// use as managed session policies. The plain text that you use for both inline
+// and managed session policies shouldn't exceed 2048 characters.
+//
+// Though the session policy parameters are optional, if you do not pass a policy,
+// then the resulting federated user session has no permissions. The only exception
+// is when the credentials are used to access a resource that has a resource-based
+// policy that specifically references the federated user session in the Principal
+// element of the policy. When you pass session policies, the session permissions
+// are the intersection of the IAM user policies and the session policies that
+// you pass. This gives you a way to further restrict the permissions for a
+// federated user. You cannot use session policies to grant more permissions
+// than those that are defined in the permissions policy of the IAM user. For
+// more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
+// in the IAM User Guide. For information about using GetFederationToken to
+// create temporary security credentials, see GetFederationToken—Federation
+// Through a Custom Identity Broker (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken).
 //
 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
 // with awserr.Error's Code and Message methods to get detailed information about
@@ -931,7 +1001,7 @@ func (c *STS) GetFederationTokenRequest(input *GetFederationTokenInput) (req *re
 //   STS is not activated in the requested region for the account that is being
 //   asked to generate credentials. The account administrator must use the IAM
 //   console to activate STS in that region. For more information, see Activating
-//   and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
+//   and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
 //   in the IAM User Guide.
 //
 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetFederationToken
@@ -1003,48 +1073,47 @@ func (c *STS) GetSessionTokenRequest(input *GetSessionTokenInput) (req *request.
 // Returns a set of temporary credentials for an AWS account or IAM user. The
 // credentials consist of an access key ID, a secret access key, and a security
 // token. Typically, you use GetSessionToken if you want to use MFA to protect
-// programmatic calls to specific AWS APIs like Amazon EC2 StopInstances. MFA-enabled
-// IAM users would need to call GetSessionToken and submit an MFA code that
-// is associated with their MFA device. Using the temporary security credentials
-// that are returned from the call, IAM users can then make programmatic calls
-// to APIs that require MFA authentication. If you do not supply a correct MFA
-// code, then the API returns an access denied error. For a comparison of GetSessionToken
-// with the other APIs that produce temporary credentials, see Requesting Temporary
-// Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
-// and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
+// programmatic calls to specific AWS API operations like Amazon EC2 StopInstances.
+// MFA-enabled IAM users would need to call GetSessionToken and submit an MFA
+// code that is associated with their MFA device. Using the temporary security
+// credentials that are returned from the call, IAM users can then make programmatic
+// calls to API operations that require MFA authentication. If you do not supply
+// a correct MFA code, then the API returns an access denied error. For a comparison
+// of GetSessionToken with the other API operations that produce temporary credentials,
+// see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
+// and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
 // in the IAM User Guide.
 //
-// The GetSessionToken action must be called by using the long-term AWS security
-// credentials of the AWS account or an IAM user. Credentials that are created
-// by IAM users are valid for the duration that you specify, from 900 seconds
-// (15 minutes) up to a maximum of 129600 seconds (36 hours), with a default
-// of 43200 seconds (12 hours); credentials that are created by using account
-// credentials can range from 900 seconds (15 minutes) up to a maximum of 3600
-// seconds (1 hour), with a default of 1 hour.
+// The GetSessionToken operation must be called by using the long-term AWS security
+// credentials of the AWS account root user or an IAM user. Credentials that
+// are created by IAM users are valid for the duration that you specify. This
+// duration can range from 900 seconds (15 minutes) up to a maximum of 129,600
+// seconds (36 hours), with a default of 43,200 seconds (12 hours). Credentials
+// based on account credentials can range from 900 seconds (15 minutes) up to
+// 3,600 seconds (1 hour), with a default of 1 hour.
 //
 // The temporary security credentials created by GetSessionToken can be used
 // to make API calls to any AWS service with the following exceptions:
 //
-//    * You cannot call any IAM APIs unless MFA authentication information is
-//    included in the request.
+//    * You cannot call any IAM API operations unless MFA authentication information
+//    is included in the request.
 //
-//    * You cannot call any STS API exceptAssumeRole or GetCallerIdentity.
+//    * You cannot call any STS API except AssumeRole or GetCallerIdentity.
 //
-// We recommend that you do not call GetSessionToken with root account credentials.
-// Instead, follow our best practices (http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users)
+// We recommend that you do not call GetSessionToken with AWS account root user
+// credentials. Instead, follow our best practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users)
 // by creating one or more IAM users, giving them the necessary permissions,
 // and using IAM users for everyday interaction with AWS.
 //
-// The permissions associated with the temporary security credentials returned
-// by GetSessionToken are based on the permissions associated with account or
-// IAM user whose credentials are used to call the action. If GetSessionToken
-// is called using root account credentials, the temporary credentials have
-// root account permissions. Similarly, if GetSessionToken is called using the
-// credentials of an IAM user, the temporary credentials have the same permissions
-// as the IAM user.
+// The credentials that are returned by GetSessionToken are based on permissions
+// associated with the user whose credentials were used to call the operation.
+// If GetSessionToken is called using AWS account root user credentials, the
+// temporary credentials have root user permissions. Similarly, if GetSessionToken
+// is called using the credentials of an IAM user, the temporary credentials
+// have the same permissions as the IAM user.
 //
 // For more information about using GetSessionToken to create temporary credentials,
-// go to Temporary Credentials for Users in Untrusted Environments (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken)
+// go to Temporary Credentials for Users in Untrusted Environments (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken)
 // in the IAM User Guide.
 //
 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
@@ -1059,7 +1128,7 @@ func (c *STS) GetSessionTokenRequest(input *GetSessionTokenInput) (req *request.
 //   STS is not activated in the requested region for the account that is being
 //   asked to generate credentials. The account administrator must use the IAM
 //   console to activate STS in that region. For more information, see Activating
-//   and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
+//   and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
 //   in the IAM User Guide.
 //
 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetSessionToken
@@ -1094,7 +1163,7 @@ type AssumeRoleInput struct {
         // a session duration of 12 hours, but your administrator set the maximum session
         // duration to 6 hours, your operation fails. To learn how to view the maximum
         // value for your role, see View the Maximum Session Duration Setting for a
-        // Role (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
+        // Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
         // in the IAM User Guide.
         //
         // By default, the value is set to 3600 seconds.
@@ -1104,51 +1173,77 @@ type AssumeRoleInput struct {
         // to the federation endpoint for a console sign-in token takes a SessionDuration
         // parameter that specifies the maximum length of the console session. For more
         // information, see Creating a URL that Enables Federated Users to Access the
-        // AWS Management Console (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
+        // AWS Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
         // in the IAM User Guide.
         DurationSeconds *int64 `min:"900" type:"integer"`
 
-        // A unique identifier that is used by third parties when assuming roles in
-        // their customers' accounts. For each role that the third party can assume,
-        // they should instruct their customers to ensure the role's trust policy checks
-        // for the external ID that the third party generated. Each time the third party
-        // assumes the role, they should pass the customer's external ID. The external
-        // ID is useful in order to help third parties bind a role to the customer who
-        // created it. For more information about the external ID, see How to Use an
-        // External ID When Granting Access to Your AWS Resources to a Third Party (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html)
+        // A unique identifier that might be required when you assume a role in another
+        // account. If the administrator of the account to which the role belongs provided
+        // you with an external ID, then provide that value in the ExternalId parameter.
+        // This value can be any string, such as a passphrase or account number. A cross-account
+        // role is usually set up to trust everyone in an account. Therefore, the administrator
+        // of the trusting account might send an external ID to the administrator of
+        // the trusted account. That way, only someone with the ID can assume the role,
+        // rather than everyone in the account. For more information about the external
+        // ID, see How to Use an External ID When Granting Access to Your AWS Resources
+        // to a Third Party (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html)
         // in the IAM User Guide.
         //
-        // The regex used to validated this parameter is a string of characters consisting
+        // The regex used to validate this parameter is a string of characters consisting
         // of upper- and lower-case alphanumeric characters with no spaces. You can
         // also include underscores or any of the following characters: =,.@:/-
         ExternalId *string `min:"2" type:"string"`
 
-        // An IAM policy in JSON format.
-        //
-        // This parameter is optional. If you pass a policy, the temporary security
-        // credentials that are returned by the operation have the permissions that
-        // are allowed by both (the intersection of) the access policy of the role that
-        // is being assumed, and the policy that you pass. This gives you a way to further
-        // restrict the permissions for the resulting temporary security credentials.
-        // You cannot use the passed policy to grant permissions that are in excess
-        // of those allowed by the access policy of the role that is being assumed.
-        // For more information, see Permissions for AssumeRole, AssumeRoleWithSAML,
-        // and AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html)
+        // An IAM policy in JSON format that you want to use as an inline session policy.
+        //
+        // This parameter is optional. Passing policies to this operation returns new
+        // temporary credentials. The resulting session's permissions are the intersection
+        // of the role's identity-based policy and the session policies. You can use
+        // the role's temporary credentials in subsequent AWS API calls to access resources
+        // in the account that owns the role. You cannot use session policies to grant
+        // more permissions than those allowed by the identity-based policy of the role
+        // that is being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
         // in the IAM User Guide.
         //
-        // The format for this parameter, as described by its regex pattern, is a string
-        // of characters up to 2048 characters in length. The characters can be any
-        // ASCII character from the space character to the end of the valid character
-        // list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A),
+        // The plain text that you use for both inline and managed session policies
+        // shouldn't exceed 2048 characters. The JSON policy characters can be any ASCII
+        // character from the space character to the end of the valid character list
+        // (\u0020 through \u00FF). It can also include the tab (\u0009), linefeed (\u000A),
         // and carriage return (\u000D) characters.
         //
-        // The policy plain text must be 2048 bytes or shorter. However, an internal
-        // conversion compresses it into a packed binary format with a separate limit.
-        // The PackedPolicySize response element indicates by percentage how close to
-        // the upper size limit the policy is, with 100% equaling the maximum allowed
-        // size.
+        // The characters in this parameter count towards the 2048 character session
+        // policy guideline. However, an AWS conversion compresses the session policies
+        // into a packed binary format that has a separate limit. This is the enforced
+        // limit. The PackedPolicySize response element indicates by percentage how
+        // close the policy is to the upper size limit.
         Policy *string `min:"1" type:"string"`
 
+        // The Amazon Resource Names (ARNs) of the IAM managed policies that you want
+        // to use as managed session policies. The policies must exist in the same account
+        // as the role.
+        //
+        // This parameter is optional. You can provide up to 10 managed policy ARNs.
+        // However, the plain text that you use for both inline and managed session
+        // policies shouldn't exceed 2048 characters. For more information about ARNs,
+        // see Amazon Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
+        // in the AWS General Reference.
+        //
+        // The characters in this parameter count towards the 2048 character session
+        // policy guideline. However, an AWS conversion compresses the session policies
+        // into a packed binary format that has a separate limit. This is the enforced
+        // limit. The PackedPolicySize response element indicates by percentage how
+        // close the policy is to the upper size limit.
+        //
+        // Passing policies to this operation returns new temporary credentials. The
+        // resulting session's permissions are the intersection of the role's identity-based
+        // policy and the session policies. You can use the role's temporary credentials
+        // in subsequent AWS API calls to access resources in the account that owns
+        // the role. You cannot use session policies to grant more permissions than
+        // those allowed by the identity-based policy of the role that is being assumed.
+        // For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
+        // in the IAM User Guide.
+        PolicyArns []*PolicyDescriptorType `type:"list"`
+
         // The Amazon Resource Name (ARN) of the role to assume.
         //
         // RoleArn is a required field
@@ -1161,8 +1256,8 @@ type AssumeRoleInput struct {
         // scenarios, the role session name is visible to, and can be logged by the
         // account that owns the role. The role session name is also used in the ARN
         // of the assumed role principal. This means that subsequent cross-account API
-        // requests using the temporary security credentials will expose the role session
-        // name to the external account in their CloudTrail logs.
+        // requests that use the temporary security credentials will expose the role
+        // session name to the external account in their AWS CloudTrail logs.
         //
         // The regex used to validate this parameter is a string of characters consisting
         // of upper- and lower-case alphanumeric characters with no spaces. You can
@@ -1232,6 +1327,16 @@ func (s *AssumeRoleInput) Validate() error {
         if s.TokenCode != nil && len(*s.TokenCode) < 6 {
                 invalidParams.Add(request.NewErrParamMinLen("TokenCode", 6))
         }
+        if s.PolicyArns != nil {
+                for i, v := range s.PolicyArns {
+                        if v == nil {
+                                continue
+                        }
+                        if err := v.Validate(); err != nil {
+                                invalidParams.AddNested(fmt.Sprintf("%s[%v]", "PolicyArns", i), err.(request.ErrInvalidParams))
+                        }
+                }
+        }
 
         if invalidParams.Len() > 0 {
                 return invalidParams
@@ -1257,6 +1362,12 @@ func (s *AssumeRoleInput) SetPolicy(v string) *AssumeRoleInput {
         return s
 }
 
+// SetPolicyArns sets the PolicyArns field's value.
+func (s *AssumeRoleInput) SetPolicyArns(v []*PolicyDescriptorType) *AssumeRoleInput {
+        s.PolicyArns = v
+        return s
+}
+
 // SetRoleArn sets the RoleArn field's value.
 func (s *AssumeRoleInput) SetRoleArn(v string) *AssumeRoleInput {
         s.RoleArn = &v
@@ -1296,10 +1407,8 @@ type AssumeRoleOutput struct {
         // The temporary security credentials, which include an access key ID, a secret
         // access key, and a security (or session) token.
         //
-        // Note: The size of the security token that STS APIs return is not fixed. We
-        // strongly recommend that you make no assumptions about the maximum size. As
-        // of this writing, the typical size is less than 4096 bytes, but that can vary.
-        // Also, future updates to AWS might require larger sizes.
+        // The size of the security token that STS API operations return is not fixed.
+        // We strongly recommend that you make no assumptions about the maximum size.
         Credentials *Credentials `type:"structure"`
 
         // A percentage value that indicates the size of the policy in packed form.
@@ -1349,7 +1458,7 @@ type AssumeRoleWithSAMLInput struct {
         // specify a session duration of 12 hours, but your administrator set the maximum
         // session duration to 6 hours, your operation fails. To learn how to view the
         // maximum value for your role, see View the Maximum Session Duration Setting
-        // for a Role (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
+        // for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
         // in the IAM User Guide.
         //
         // By default, the value is set to 3600 seconds.
@@ -1359,36 +1468,60 @@ type AssumeRoleWithSAMLInput struct {
         // to the federation endpoint for a console sign-in token takes a SessionDuration
         // parameter that specifies the maximum length of the console session. For more
         // information, see Creating a URL that Enables Federated Users to Access the
-        // AWS Management Console (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
+        // AWS Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
         // in the IAM User Guide.
         DurationSeconds *int64 `min:"900" type:"integer"`
 
-        // An IAM policy in JSON format.
-        //
-        // The policy parameter is optional. If you pass a policy, the temporary security
-        // credentials that are returned by the operation have the permissions that
-        // are allowed by both the access policy of the role that is being assumed,
-        // and the policy that you pass. This gives you a way to further restrict the
-        // permissions for the resulting temporary security credentials. You cannot
-        // use the passed policy to grant permissions that are in excess of those allowed
-        // by the access policy of the role that is being assumed. For more information,
-        // Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity
-        // (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html)
+        // An IAM policy in JSON format that you want to use as an inline session policy.
+        //
+        // This parameter is optional. Passing policies to this operation returns new
+        // temporary credentials. The resulting session's permissions are the intersection
+        // of the role's identity-based policy and the session policies. You can use
+        // the role's temporary credentials in subsequent AWS API calls to access resources
+        // in the account that owns the role. You cannot use session policies to grant
+        // more permissions than those allowed by the identity-based policy of the role
+        // that is being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
         // in the IAM User Guide.
         //
-        // The format for this parameter, as described by its regex pattern, is a string
-        // of characters up to 2048 characters in length. The characters can be any
-        // ASCII character from the space character to the end of the valid character
-        // list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A),
+        // The plain text that you use for both inline and managed session policies
+        // shouldn't exceed 2048 characters. The JSON policy characters can be any ASCII
+        // character from the space character to the end of the valid character list
+        // (\u0020 through \u00FF). It can also include the tab (\u0009), linefeed (\u000A),
         // and carriage return (\u000D) characters.
         //
-        // The policy plain text must be 2048 bytes or shorter. However, an internal
-        // conversion compresses it into a packed binary format with a separate limit.
-        // The PackedPolicySize response element indicates by percentage how close to
-        // the upper size limit the policy is, with 100% equaling the maximum allowed
-        // size.
+        // The characters in this parameter count towards the 2048 character session
+        // policy guideline. However, an AWS conversion compresses the session policies
+        // into a packed binary format that has a separate limit. This is the enforced
+        // limit. The PackedPolicySize response element indicates by percentage how
+        // close the policy is to the upper size limit.
         Policy *string `min:"1" type:"string"`
 
+        // The Amazon Resource Names (ARNs) of the IAM managed policies that you want
+        // to use as managed session policies. The policies must exist in the same account
+        // as the role.
+        //
+        // This parameter is optional. You can provide up to 10 managed policy ARNs.
+        // However, the plain text that you use for both inline and managed session
+        // policies shouldn't exceed 2048 characters. For more information about ARNs,
+        // see Amazon Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
+        // in the AWS General Reference.
+        //
+        // The characters in this parameter count towards the 2048 character session
+        // policy guideline. However, an AWS conversion compresses the session policies
+        // into a packed binary format that has a separate limit. This is the enforced
+        // limit. The PackedPolicySize response element indicates by percentage how
+        // close the policy is to the upper size limit.
+        //
+        // Passing policies to this operation returns new temporary credentials. The
+        // resulting session's permissions are the intersection of the role's identity-based
+        // policy and the session policies. You can use the role's temporary credentials
+        // in subsequent AWS API calls to access resources in the account that owns
+        // the role. You cannot use session policies to grant more permissions than
+        // those allowed by the identity-based policy of the role that is being assumed.
+        // For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
+        // in the IAM User Guide.
+        PolicyArns []*PolicyDescriptorType `type:"list"`
+
         // The Amazon Resource Name (ARN) of the SAML provider in IAM that describes
         // the IdP.
         //
@@ -1402,8 +1535,8 @@ type AssumeRoleWithSAMLInput struct {
 
         // The base-64 encoded SAML authentication response provided by the IdP.
         //
-        // For more information, see Configuring a Relying Party and Adding Claims (http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html)
-        // in the Using IAM guide.
+        // For more information, see Configuring a Relying Party and Adding Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html)
+        // in the IAM User Guide.
         //
         // SAMLAssertion is a required field
         SAMLAssertion *string `min:"4" type:"string" required:"true"`
@@ -1446,6 +1579,16 @@ func (s *AssumeRoleWithSAMLInput) Validate() error {
         if s.SAMLAssertion != nil && len(*s.SAMLAssertion) < 4 {
                 invalidParams.Add(request.NewErrParamMinLen("SAMLAssertion", 4))
         }
+        if s.PolicyArns != nil {
+                for i, v := range s.PolicyArns {
+                        if v == nil {
+                                continue
+                        }
+                        if err := v.Validate(); err != nil {
+                                invalidParams.AddNested(fmt.Sprintf("%s[%v]", "PolicyArns", i), err.(request.ErrInvalidParams))
+                        }
+                }
+        }
 
         if invalidParams.Len() > 0 {
                 return invalidParams
@@ -1465,6 +1608,12 @@ func (s *AssumeRoleWithSAMLInput) SetPolicy(v string) *AssumeRoleWithSAMLInput {
         return s
 }
 
+// SetPolicyArns sets the PolicyArns field's value.
+func (s *AssumeRoleWithSAMLInput) SetPolicyArns(v []*PolicyDescriptorType) *AssumeRoleWithSAMLInput {
+        s.PolicyArns = v
+        return s
+}
+
 // SetPrincipalArn sets the PrincipalArn field's value.
 func (s *AssumeRoleWithSAMLInput) SetPrincipalArn(v string) *AssumeRoleWithSAMLInput {
         s.PrincipalArn = &v
@@ -1499,10 +1648,8 @@ type AssumeRoleWithSAMLOutput struct {
         // The temporary security credentials, which include an access key ID, a secret
         // access key, and a security (or session) token.
         //
-        // Note: The size of the security token that STS APIs return is not fixed. We
-        // strongly recommend that you make no assumptions about the maximum size. As
-        // of this writing, the typical size is less than 4096 bytes, but that can vary.
-        // Also, future updates to AWS might require larger sizes.
+        // The size of the security token that STS API operations return is not fixed.
+        // We strongly recommend that you make no assumptions about the maximum size.
         Credentials *Credentials `type:"structure"`
 
         // The value of the Issuer element of the SAML assertion.
@@ -1606,7 +1753,7 @@ type AssumeRoleWithWebIdentityInput struct {
         // a session duration of 12 hours, but your administrator set the maximum session
         // duration to 6 hours, your operation fails. To learn how to view the maximum
         // value for your role, see View the Maximum Session Duration Setting for a
-        // Role (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
+        // Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
         // in the IAM User Guide.
         //
         // By default, the value is set to 3600 seconds.
@@ -1616,35 +1763,60 @@ type AssumeRoleWithWebIdentityInput struct {
         // to the federation endpoint for a console sign-in token takes a SessionDuration
         // parameter that specifies the maximum length of the console session. For more
         // information, see Creating a URL that Enables Federated Users to Access the
-        // AWS Management Console (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
+        // AWS Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
         // in the IAM User Guide.
         DurationSeconds *int64 `min:"900" type:"integer"`
 
-        // An IAM policy in JSON format.
+        // An IAM policy in JSON format that you want to use as an inline session policy.
         //
-        // The policy parameter is optional. If you pass a policy, the temporary security
-        // credentials that are returned by the operation have the permissions that
-        // are allowed by both the access policy of the role that is being assumed,
-        // and the policy that you pass. This gives you a way to further restrict the
-        // permissions for the resulting temporary security credentials. You cannot
-        // use the passed policy to grant permissions that are in excess of those allowed
-        // by the access policy of the role that is being assumed. For more information,
-        // see Permissions for AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html)
+        // This parameter is optional. Passing policies to this operation returns new
+        // temporary credentials. The resulting session's permissions are the intersection
+        // of the role's identity-based policy and the session policies. You can use
+        // the role's temporary credentials in subsequent AWS API calls to access resources
+        // in the account that owns the role. You cannot use session policies to grant
+        // more permissions than those allowed by the identity-based policy of the role
+        // that is being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
         // in the IAM User Guide.
         //
-        // The format for this parameter, as described by its regex pattern, is a string
-        // of characters up to 2048 characters in length. The characters can be any
-        // ASCII character from the space character to the end of the valid character
-        // list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A),
+        // The plain text that you use for both inline and managed session policies
+        // shouldn't exceed 2048 characters. The JSON policy characters can be any ASCII
+        // character from the space character to the end of the valid character list
+        // (\u0020 through \u00FF). It can also include the tab (\u0009), linefeed (\u000A),
         // and carriage return (\u000D) characters.
         //
-        // The policy plain text must be 2048 bytes or shorter. However, an internal
-        // conversion compresses it into a packed binary format with a separate limit.
-        // The PackedPolicySize response element indicates by percentage how close to
-        // the upper size limit the policy is, with 100% equaling the maximum allowed
-        // size.
+        // The characters in this parameter count towards the 2048 character session
+        // policy guideline. However, an AWS conversion compresses the session policies
+        // into a packed binary format that has a separate limit. This is the enforced
+        // limit. The PackedPolicySize response element indicates by percentage how
+        // close the policy is to the upper size limit.
         Policy *string `min:"1" type:"string"`
 
+        // The Amazon Resource Names (ARNs) of the IAM managed policies that you want
+        // to use as managed session policies. The policies must exist in the same account
+        // as the role.
+        //
+        // This parameter is optional. You can provide up to 10 managed policy ARNs.
+        // However, the plain text that you use for both inline and managed session
+        // policies shouldn't exceed 2048 characters. For more information about ARNs,
+        // see Amazon Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
+        // in the AWS General Reference.
+        //
+        // The characters in this parameter count towards the 2048 character session
+        // policy guideline. However, an AWS conversion compresses the session policies
+        // into a packed binary format that has a separate limit. This is the enforced
+        // limit. The PackedPolicySize response element indicates by percentage how
+        // close the policy is to the upper size limit.
+        //
+        // Passing policies to this operation returns new temporary credentials. The
+        // resulting session's permissions are the intersection of the role's identity-based
+        // policy and the session policies. You can use the role's temporary credentials
+        // in subsequent AWS API calls to access resources in the account that owns
+        // the role. You cannot use session policies to grant more permissions than
+        // those allowed by the identity-based policy of the role that is being assumed.
+        // For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
+        // in the IAM User Guide.
+        PolicyArns []*PolicyDescriptorType `type:"list"`
+
         // The fully qualified host component of the domain name of the identity provider.
         //
         // Specify this value only for OAuth 2.0 access tokens. Currently www.amazon.com
@@ -1721,6 +1893,16 @@ func (s *AssumeRoleWithWebIdentityInput) Validate() error {
         if s.WebIdentityToken != nil && len(*s.WebIdentityToken) < 4 {
                 invalidParams.Add(request.NewErrParamMinLen("WebIdentityToken", 4))
         }
+        if s.PolicyArns != nil {
+                for i, v := range s.PolicyArns {
+                        if v == nil {
+                                continue
+                        }
+                        if err := v.Validate(); err != nil {
+                                invalidParams.AddNested(fmt.Sprintf("%s[%v]", "PolicyArns", i), err.(request.ErrInvalidParams))
+                        }
+                }
+        }
 
         if invalidParams.Len() > 0 {
                 return invalidParams
@@ -1740,6 +1922,12 @@ func (s *AssumeRoleWithWebIdentityInput) SetPolicy(v string) *AssumeRoleWithWebI
         return s
 }
 
+// SetPolicyArns sets the PolicyArns field's value.
+func (s *AssumeRoleWithWebIdentityInput) SetPolicyArns(v []*PolicyDescriptorType) *AssumeRoleWithWebIdentityInput {
+        s.PolicyArns = v
+        return s
+}
+
 // SetProviderId sets the ProviderId field's value.
 func (s *AssumeRoleWithWebIdentityInput) SetProviderId(v string) *AssumeRoleWithWebIdentityInput {
         s.ProviderId = &v
@@ -1784,10 +1972,8 @@ type AssumeRoleWithWebIdentityOutput struct {
         // The temporary security credentials, which include an access key ID, a secret
         // access key, and a security token.
         //
-        // Note: The size of the security token that STS APIs return is not fixed. We
-        // strongly recommend that you make no assumptions about the maximum size. As
-        // of this writing, the typical size is less than 4096 bytes, but that can vary.
-        // Also, future updates to AWS might require larger sizes.
+        // The size of the security token that STS API operations return is not fixed.
+        // We strongly recommend that you make no assumptions about the maximum size.
         Credentials *Credentials `type:"structure"`
 
         // A percentage value that indicates the size of the policy in packed form.
@@ -1796,7 +1982,7 @@ type AssumeRoleWithWebIdentityOutput struct {
         PackedPolicySize *int64 `type:"integer"`
 
         // The issuing authority of the web identity token presented. For OpenID Connect
-        // ID Tokens this contains the value of the iss field. For OAuth 2.0 access
+        // ID tokens, this contains the value of the iss field. For OAuth 2.0 access
         // tokens, this contains the value of the ProviderId parameter that was passed
         // in the AssumeRoleWithWebIdentity request.
         Provider *string `type:"string"`
@@ -1863,7 +2049,7 @@ type AssumedRoleUser struct {
 
         // The ARN of the temporary security credentials that are returned from the
         // AssumeRole action. For more information about ARNs and how to use them in
-        // policies, see IAM Identifiers (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html)
+        // policies, see IAM Identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html)
         // in Using IAM.
         //
         // Arn is a required field
@@ -2031,7 +2217,7 @@ type FederatedUser struct {
 
         // The ARN that specifies the federated user that is associated with the credentials.
         // For more information about ARNs and how to use them in policies, see IAM
-        // Identifiers (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html)
+        // Identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html)
         // in Using IAM.
         //
         // Arn is a required field
@@ -2066,6 +2252,73 @@ func (s *FederatedUser) SetFederatedUserId(v string) *FederatedUser {
         return s
 }
 
+type GetAccessKeyInfoInput struct {
+        _ struct{} `type:"structure"`
+
+        // The identifier of an access key.
+        //
+        // This parameter allows (through its regex pattern) a string of characters
+        // that can consist of any upper- or lowercased letter or digit.
+        //
+        // AccessKeyId is a required field
+        AccessKeyId *string `min:"16" type:"string" required:"true"`
+}
+
+// String returns the string representation
+func (s GetAccessKeyInfoInput) String() string {
+        return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s GetAccessKeyInfoInput) GoString() string {
+        return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *GetAccessKeyInfoInput) Validate() error {
+        invalidParams := request.ErrInvalidParams{Context: "GetAccessKeyInfoInput"}
+        if s.AccessKeyId == nil {
+                invalidParams.Add(request.NewErrParamRequired("AccessKeyId"))
+        }
+        if s.AccessKeyId != nil && len(*s.AccessKeyId) < 16 {
+                invalidParams.Add(request.NewErrParamMinLen("AccessKeyId", 16))
+        }
+
+        if invalidParams.Len() > 0 {
+                return invalidParams
+        }
+        return nil
+}
+
+// SetAccessKeyId sets the AccessKeyId field's value.
+func (s *GetAccessKeyInfoInput) SetAccessKeyId(v string) *GetAccessKeyInfoInput {
+        s.AccessKeyId = &v
+        return s
+}
+
+type GetAccessKeyInfoOutput struct {
+        _ struct{} `type:"structure"`
+
+        // The number used to identify the AWS account.
+        Account *string `type:"string"`
+}
+
+// String returns the string representation
+func (s GetAccessKeyInfoOutput) String() string {
+        return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s GetAccessKeyInfoOutput) GoString() string {
+        return s.String()
+}
+
+// SetAccount sets the Account field's value.
+func (s *GetAccessKeyInfoOutput) SetAccount(v string) *GetAccessKeyInfoOutput {
+        s.Account = &v
+        return s
+}
+
 type GetCallerIdentityInput struct {
         _ struct{} `type:"structure"`
 }
@@ -2093,8 +2346,8 @@ type GetCallerIdentityOutput struct {
         Arn *string `min:"20" type:"string"`
 
         // The unique identifier of the calling entity. The exact value depends on the
-        // type of entity making the call. The values returned are those listed in the
-        // aws:userid column in the Principal table (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable)
+        // type of entity that is making the call. The values returned are those listed
+        // in the aws:userid column in the Principal table (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable)
         // found on the Policy Variables reference page in the IAM User Guide.
         UserId *string `type:"string"`
 }
@@ -2131,12 +2384,11 @@ type GetFederationTokenInput struct {
         _ struct{} `type:"structure"`
 
         // The duration, in seconds, that the session should last. Acceptable durations
-        // for federation sessions range from 900 seconds (15 minutes) to 129600 seconds
-        // (36 hours), with 43200 seconds (12 hours) as the default. Sessions obtained
-        // using AWS account (root) credentials are restricted to a maximum of 3600
+        // for federation sessions range from 900 seconds (15 minutes) to 129,600 seconds
+        // (36 hours), with 43,200 seconds (12 hours) as the default. Sessions obtained
+        // using AWS account root user credentials are restricted to a maximum of 3,600
         // seconds (one hour). If the specified duration is longer than one hour, the
-        // session obtained by using AWS account (root) credentials defaults to one
-        // hour.
+        // session obtained by using root user credentials defaults to one hour.
         DurationSeconds *int64 `min:"900" type:"integer"`
 
         // The name of the federated user. The name is used as an identifier for the
@@ -2151,36 +2403,73 @@ type GetFederationTokenInput struct {
         // Name is a required field
         Name *string `min:"2" type:"string" required:"true"`
 
-        // An IAM policy in JSON format that is passed with the GetFederationToken call
-        // and evaluated along with the policy or policies that are attached to the
-        // IAM user whose credentials are used to call GetFederationToken. The passed
-        // policy is used to scope down the permissions that are available to the IAM
-        // user, by allowing only a subset of the permissions that are granted to the
-        // IAM user. The passed policy cannot grant more permissions than those granted
-        // to the IAM user. The final permissions for the federated user are the most
-        // restrictive set based on the intersection of the passed policy and the IAM
-        // user policy.
-        //
-        // If you do not pass a policy, the resulting temporary security credentials
-        // have no effective permissions. The only exception is when the temporary security
-        // credentials are used to access a resource that has a resource-based policy
-        // that specifically allows the federated user to access the resource.
-        //
-        // The format for this parameter, as described by its regex pattern, is a string
-        // of characters up to 2048 characters in length. The characters can be any
-        // ASCII character from the space character to the end of the valid character
-        // list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A),
-        // and carriage return (\u000D) characters.
+        // An IAM policy in JSON format that you want to use as an inline session policy.
+        //
+        // You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
+        // to this operation. You can pass a single JSON policy document to use as an
+        // inline session policy. You can also specify up to 10 managed policies to
+        // use as managed session policies.
         //
-        // The policy plain text must be 2048 bytes or shorter. However, an internal
-        // conversion compresses it into a packed binary format with a separate limit.
-        // The PackedPolicySize response element indicates by percentage how close to
-        // the upper size limit the policy is, with 100% equaling the maximum allowed
-        // size.
+        // This parameter is optional. However, if you do not pass any session policies,
+        // then the resulting federated user session has no permissions. The only exception
+        // is when the credentials are used to access a resource that has a resource-based
+        // policy that specifically references the federated user session in the Principal
+        // element of the policy.
         //
-        // For more information about how permissions work, see Permissions for GetFederationToken
-        // (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html).
+        // When you pass session policies, the session permissions are the intersection
+        // of the IAM user policies and the session policies that you pass. This gives
+        // you a way to further restrict the permissions for a federated user. You cannot
+        // use session policies to grant more permissions than those that are defined
+        // in the permissions policy of the IAM user. For more information, see Session
+        // Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
+        // in the IAM User Guide.
+        //
+        // The plain text that you use for both inline and managed session policies
+        // shouldn't exceed 2048 characters. The JSON policy characters can be any ASCII
+        // character from the space character to the end of the valid character list
+        // (\u0020 through \u00FF). It can also include the tab (\u0009), linefeed (\u000A),
+        // and carriage return (\u000D) characters.
+        //
+        // The characters in this parameter count towards the 2048 character session
+        // policy guideline. However, an AWS conversion compresses the session policies
+        // into a packed binary format that has a separate limit. This is the enforced
+        // limit. The PackedPolicySize response element indicates by percentage how
+        // close the policy is to the upper size limit.
         Policy *string `min:"1" type:"string"`
+
+        // The Amazon Resource Names (ARNs) of the IAM managed policies that you want
+        // to use as a managed session policy. The policies must exist in the same account
+        // as the IAM user that is requesting federated access.
+        //
+        // You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
+        // to this operation. You can pass a single JSON policy document to use as an
+        // inline session policy. You can also specify up to 10 managed policies to
+        // use as managed session policies. The plain text that you use for both inline
+        // and managed session policies shouldn't exceed 2048 characters. You can provide
+        // up to 10 managed policy ARNs. For more information about ARNs, see Amazon
+        // Resource Names (ARNs) and AWS Service Namespaces (general/latest/gr/aws-arns-and-namespaces.html)
+        // in the AWS General Reference.
+        //
+        // This parameter is optional. However, if you do not pass any session policies,
+        // then the resulting federated user session has no permissions. The only exception
+        // is when the credentials are used to access a resource that has a resource-based
+        // policy that specifically references the federated user session in the Principal
+        // element of the policy.
+        //
+        // When you pass session policies, the session permissions are the intersection
+        // of the IAM user policies and the session policies that you pass. This gives
+        // you a way to further restrict the permissions for a federated user. You cannot
+        // use session policies to grant more permissions than those that are defined
+        // in the permissions policy of the IAM user. For more information, see Session
+        // Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
+        // in the IAM User Guide.
+        //
+        // The characters in this parameter count towards the 2048 character session
+        // policy guideline. However, an AWS conversion compresses the session policies
+        // into a packed binary format that has a separate limit. This is the enforced
+        // limit. The PackedPolicySize response element indicates by percentage how
+        // close the policy is to the upper size limit.
+        PolicyArns []*PolicyDescriptorType `type:"list"`
 }
 
 // String returns the string representation
@@ -2208,6 +2497,16 @@ func (s *GetFederationTokenInput) Validate() error {
         if s.Policy != nil && len(*s.Policy) < 1 {
                 invalidParams.Add(request.NewErrParamMinLen("Policy", 1))
         }
+        if s.PolicyArns != nil {
+                for i, v := range s.PolicyArns {
+                        if v == nil {
+                                continue
+                        }
+                        if err := v.Validate(); err != nil {
+                                invalidParams.AddNested(fmt.Sprintf("%s[%v]", "PolicyArns", i), err.(request.ErrInvalidParams))
+                        }
+                }
+        }
 
         if invalidParams.Len() > 0 {
                 return invalidParams
@@ -2233,6 +2532,12 @@ func (s *GetFederationTokenInput) SetPolicy(v string) *GetFederationTokenInput {
         return s
 }
 
+// SetPolicyArns sets the PolicyArns field's value.
+func (s *GetFederationTokenInput) SetPolicyArns(v []*PolicyDescriptorType) *GetFederationTokenInput {
+        s.PolicyArns = v
+        return s
+}
+
 // Contains the response to a successful GetFederationToken request, including
 // temporary AWS credentials that can be used to make AWS requests.
 type GetFederationTokenOutput struct {
@@ -2241,10 +2546,8 @@ type GetFederationTokenOutput struct {
         // The temporary security credentials, which include an access key ID, a secret
         // access key, and a security (or session) token.
         //
-        // Note: The size of the security token that STS APIs return is not fixed. We
-        // strongly recommend that you make no assumptions about the maximum size. As
-        // of this writing, the typical size is less than 4096 bytes, but that can vary.
-        // Also, future updates to AWS might require larger sizes.
+        // The size of the security token that STS API operations return is not fixed.
+        // We strongly recommend that you make no assumptions about the maximum size.
         Credentials *Credentials `type:"structure"`
 
         // Identifiers for the federated user associated with the credentials (such
@@ -2291,11 +2594,11 @@ type GetSessionTokenInput struct {
         _ struct{} `type:"structure"`
 
         // The duration, in seconds, that the credentials should remain valid. Acceptable
-        // durations for IAM user sessions range from 900 seconds (15 minutes) to 129600
-        // seconds (36 hours), with 43200 seconds (12 hours) as the default. Sessions
-        // for AWS account owners are restricted to a maximum of 3600 seconds (one hour).
-        // If the duration is longer than one hour, the session for AWS account owners
-        // defaults to one hour.
+        // durations for IAM user sessions range from 900 seconds (15 minutes) to 129,600
+        // seconds (36 hours), with 43,200 seconds (12 hours) as the default. Sessions
+        // for AWS account owners are restricted to a maximum of 3,600 seconds (one
+        // hour). If the duration is longer than one hour, the session for AWS account
+        // owners defaults to one hour.
         DurationSeconds *int64 `min:"900" type:"integer"`
 
         // The identification number of the MFA device that is associated with the IAM
@@ -2306,16 +2609,16 @@ type GetSessionTokenInput struct {
         // You can find the device for an IAM user by going to the AWS Management Console
         // and viewing the user's security credentials.
         //
-        // The regex used to validated this parameter is a string of characters consisting
+        // The regex used to validate this parameter is a string of characters consisting
         // of upper- and lower-case alphanumeric characters with no spaces. You can
         // also include underscores or any of the following characters: =,.@:/-
         SerialNumber *string `min:"9" type:"string"`
 
         // The value provided by the MFA device, if MFA is required. If any policy requires
         // the IAM user to submit an MFA code, specify this value. If MFA authentication
-        // is required, and the user does not provide a code when requesting a set of
-        // temporary security credentials, the user will receive an "access denied"
-        // response when requesting resources that require MFA authentication.
+        // is required, the user must provide a code when requesting a set of temporary
+        // security credentials. A user who fails to provide the code receives an "access
+        // denied" response when requesting resources that require MFA authentication.
         //
         // The format for this parameter, as described by its regex pattern, is a sequence
         // of six numeric digits.
@@ -2377,10 +2680,8 @@ type GetSessionTokenOutput struct {
         // The temporary security credentials, which include an access key ID, a secret
         // access key, and a security (or session) token.
         //
-        // Note: The size of the security token that STS APIs return is not fixed. We
-        // strongly recommend that you make no assumptions about the maximum size. As
-        // of this writing, the typical size is less than 4096 bytes, but that can vary.
-        // Also, future updates to AWS might require larger sizes.
+        // The size of the security token that STS API operations return is not fixed.
+        // We strongly recommend that you make no assumptions about the maximum size.
         Credentials *Credentials `type:"structure"`
 }
 
@@ -2399,3 +2700,44 @@ func (s *GetSessionTokenOutput) SetCredentials(v *Credentials) *GetSessionTokenO
         s.Credentials = v
         return s
 }
+
+// A reference to the IAM managed policy that is passed as a session policy
+// for a role session or a federated user session.
+type PolicyDescriptorType struct {
+        _ struct{} `type:"structure"`
+
+        // The Amazon Resource Name (ARN) of the IAM managed policy to use as a session
+        // policy for the role. For more information about ARNs, see Amazon Resource
+        // Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
+        // in the AWS General Reference.
+        Arn *string `locationName:"arn" min:"20" type:"string"`
+}
+
+// String returns the string representation
+func (s PolicyDescriptorType) String() string {
+        return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation
+func (s PolicyDescriptorType) GoString() string {
+        return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *PolicyDescriptorType) Validate() error {
+        invalidParams := request.ErrInvalidParams{Context: "PolicyDescriptorType"}
+        if s.Arn != nil && len(*s.Arn) < 20 {
+                invalidParams.Add(request.NewErrParamMinLen("Arn", 20))
+        }
+
+        if invalidParams.Len() > 0 {
+                return invalidParams
+        }
+        return nil
+}
+
+// SetArn sets the Arn field's value.
+func (s *PolicyDescriptorType) SetArn(v string) *PolicyDescriptorType {
+        s.Arn = &v
+        return s
+}
diff --git a/vendor/github.com/aws/aws-sdk-go/service/sts/doc.go b/vendor/github.com/aws/aws-sdk-go/service/sts/doc.go
index ef681ab..fcb720d 100644
--- a/vendor/github.com/aws/aws-sdk-go/service/sts/doc.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/sts/doc.go
@@ -7,22 +7,14 @@
 // request temporary, limited-privilege credentials for AWS Identity and Access
 // Management (IAM) users or for users that you authenticate (federated users).
 // This guide provides descriptions of the STS API. For more detailed information
-// about using this service, go to Temporary Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html).
-//
-// As an alternative to using the API, you can use one of the AWS SDKs, which
-// consist of libraries and sample code for various programming languages and
-// platforms (Java, Ruby, .NET, iOS, Android, etc.). The SDKs provide a convenient
-// way to create programmatic access to STS. For example, the SDKs take care
-// of cryptographically signing requests, managing errors, and retrying requests
-// automatically. For information about the AWS SDKs, including how to download
-// and install them, see the Tools for Amazon Web Services page (http://aws.amazon.com/tools/).
+// about using this service, go to Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html).
 //
 // For information about setting up signatures and authorization through the
-// API, go to Signing AWS API Requests (http://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html)
+// API, go to Signing AWS API Requests (https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html)
 // in the AWS General Reference. For general information about the Query API,
-// go to Making Query Requests (http://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_UsingQueryAPI.html)
+// go to Making Query Requests (https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_UsingQueryAPI.html)
 // in Using IAM. For information about using security tokens with other AWS
-// products, go to AWS Services That Work with IAM (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html)
+// products, go to AWS Services That Work with IAM (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html)
 // in the IAM User Guide.
 //
 // If you're new to AWS and need additional technical information about a specific
@@ -31,14 +23,38 @@
 //
 // Endpoints
 //
-// The AWS Security Token Service (STS) has a default endpoint of https://sts.amazonaws.com
-// that maps to the US East (N. Virginia) region. Additional regions are available
-// and are activated by default. For more information, see Activating and Deactivating
-// AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
+// By default, AWS Security Token Service (STS) is available as a global service,
+// and all AWS STS requests go to a single endpoint at https://sts.amazonaws.com.
+// Global requests map to the US East (N. Virginia) region. AWS recommends using
+// Regional AWS STS endpoints instead of the global endpoint to reduce latency,
+// build in redundancy, and increase session token validity. For more information,
+// see Managing AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
+// in the IAM User Guide.
+//
+// Most AWS Regions are enabled for operations in all AWS services by default.
+// Those Regions are automatically activated for use with AWS STS. Some Regions,
+// such as Asia Pacific (Hong Kong), must be manually enabled. To learn more
+// about enabling and disabling AWS Regions, see Managing AWS Regions (https://docs.aws.amazon.com/general/latest/gr/rande-manage.html)
+// in the AWS General Reference. When you enable these AWS Regions, they are
+// automatically activated for use with AWS STS. You cannot activate the STS
+// endpoint for a Region that is disabled. Tokens that are valid in all AWS
+// Regions are longer than tokens that are valid in Regions that are enabled
+// by default. Changing this setting might affect existing systems where you
+// temporarily store tokens. For more information, see Managing Global Endpoint
+// Session Tokens (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#sts-regions-manage-tokens)
 // in the IAM User Guide.
 //
-// For information about STS endpoints, see Regions and Endpoints (http://docs.aws.amazon.com/general/latest/gr/rande.html#sts_region)
-// in the AWS General Reference.
+// After you activate a Region for use with AWS STS, you can direct AWS STS
+// API calls to that Region. AWS STS recommends that you provide both the Region
+// and endpoint when you make calls to a Regional endpoint. You can provide
+// the Region alone for manually enabled Regions, such as Asia Pacific (Hong
+// Kong). In this case, the calls are directed to the STS Regional endpoint.
+// However, if you provide the Region alone for Regions enabled by default,
+// the calls are directed to the global endpoint of https://sts.amazonaws.com.
+//
+// To view the list of AWS STS endpoints and whether they are active by default,
+// see Writing Code to Use AWS STS Regions (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#id_credentials_temp_enable-regions_writing_code)
+// in the IAM User Guide.
 //
 // Recording API requests
 //
@@ -46,8 +62,28 @@
 // your AWS account and delivers log files to an Amazon S3 bucket. By using
 // information collected by CloudTrail, you can determine what requests were
 // successfully made to STS, who made the request, when it was made, and so
-// on. To learn more about CloudTrail, including how to turn it on and find
-// your log files, see the AWS CloudTrail User Guide (http://docs.aws.amazon.com/awscloudtrail/latest/userguide/what_is_cloud_trail_top_level.html).
+// on.
+//
+// If you activate AWS STS endpoints in Regions other than the default global
+// endpoint, then you must also turn on CloudTrail logging in those Regions.
+// This is necessary to record any AWS STS API calls that are made in those
+// Regions. For more information, see Turning On CloudTrail in Additional Regions
+// (https://docs.aws.amazon.com/awscloudtrail/latest/userguide/aggregating_logs_regions_turn_on_ct.html)
+// in the AWS CloudTrail User Guide.
+//
+// AWS Security Token Service (STS) is a global service with a single endpoint
+// at https://sts.amazonaws.com. Calls to this endpoint are logged as calls
+// to a global service. However, because this endpoint is physically located
+// in the US East (N. Virginia) Region, your logs list us-east-1 as the event
+// Region. CloudTrail does not write these logs to the US East (Ohio) Region
+// unless you choose to include global service logs in that Region. CloudTrail
+// writes calls to all Regional endpoints to their respective Regions. For example,
+// calls to sts.us-east-2.amazonaws.com are published to the US East (Ohio)
+// Region and calls to sts.eu-central-1.amazonaws.com are published to the EU
+// (Frankfurt) Region.
+//
+// To learn more about CloudTrail, including how to turn it on and find your
+// log files, see the AWS CloudTrail User Guide (https://docs.aws.amazon.com/awscloudtrail/latest/userguide/what_is_cloud_trail_top_level.html).
 //
 // See https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15 for more information on this service.
 //
diff --git a/vendor/github.com/aws/aws-sdk-go/service/sts/errors.go b/vendor/github.com/aws/aws-sdk-go/service/sts/errors.go
index e24884e..41ea09c 100644
--- a/vendor/github.com/aws/aws-sdk-go/service/sts/errors.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/sts/errors.go
@@ -67,7 +67,7 @@ const (
         // STS is not activated in the requested region for the account that is being
         // asked to generate credentials. The account administrator must use the IAM
         // console to activate STS in that region. For more information, see Activating
-        // and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
+        // and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
         // in the IAM User Guide.
         ErrCodeRegionDisabledException = "RegionDisabledException"
 )
diff --git a/vendor/github.com/aws/aws-sdk-go/service/sts/stsiface/interface.go b/vendor/github.com/aws/aws-sdk-go/service/sts/stsiface/interface.go
new file mode 100644
index 0000000..e2e1d6e
--- /dev/null
+++ b/vendor/github.com/aws/aws-sdk-go/service/sts/stsiface/interface.go
@@ -0,0 +1,96 @@
+// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT.
+
+// Package stsiface provides an interface to enable mocking the AWS Security Token Service service client
+// for testing your code.
+//
+// It is important to note that this interface will have breaking changes
+// when the service model is updated and adds new API operations, paginators,
+// and waiters.
+package stsiface
+
+import (
+        "github.com/aws/aws-sdk-go/aws"
+        "github.com/aws/aws-sdk-go/aws/request"
+        "github.com/aws/aws-sdk-go/service/sts"
+)
+
+// STSAPI provides an interface to enable mocking the
+// sts.STS service client's API operation,
+// paginators, and waiters. This make unit testing your code that calls out
+// to the SDK's service client's calls easier.
+//
+// The best way to use this interface is so the SDK's service client's calls
+// can be stubbed out for unit testing your code with the SDK without needing
+// to inject custom request handlers into the SDK's request pipeline.
+//
+//    // myFunc uses an SDK service client to make a request to
+//    // AWS Security Token Service.
+//    func myFunc(svc stsiface.STSAPI) bool {
+//        // Make svc.AssumeRole request
+//    }
+//
+//    func main() {
+//        sess := session.New()
+//        svc := sts.New(sess)
+//
+//        myFunc(svc)
+//    }
+//
+// In your _test.go file:
+//
+//    // Define a mock struct to be used in your unit tests of myFunc.
+//    type mockSTSClient struct {
+//        stsiface.STSAPI
+//    }
+//    func (m *mockSTSClient) AssumeRole(input *sts.AssumeRoleInput) (*sts.AssumeRoleOutput, error) {
+//        // mock response/functionality
+//    }
+//
+//    func TestMyFunc(t *testing.T) {
+//        // Setup Test
+//        mockSvc := &mockSTSClient{}
+//
+//        myfunc(mockSvc)
+//
+//        // Verify myFunc's functionality
+//    }
+//
+// It is important to note that this interface will have breaking changes
+// when the service model is updated and adds new API operations, paginators,
+// and waiters. Its suggested to use the pattern above for testing, or using
+// tooling to generate mocks to satisfy the interfaces.
+type STSAPI interface {
+        AssumeRole(*sts.AssumeRoleInput) (*sts.AssumeRoleOutput, error)
+        AssumeRoleWithContext(aws.Context, *sts.AssumeRoleInput, ...request.Option) (*sts.AssumeRoleOutput, error)
+        AssumeRoleRequest(*sts.AssumeRoleInput) (*request.Request, *sts.AssumeRoleOutput)
+
+        AssumeRoleWithSAML(*sts.AssumeRoleWithSAMLInput) (*sts.AssumeRoleWithSAMLOutput, error)
+        AssumeRoleWithSAMLWithContext(aws.Context, *sts.AssumeRoleWithSAMLInput, ...request.Option) (*sts.AssumeRoleWithSAMLOutput, error)
+        AssumeRoleWithSAMLRequest(*sts.AssumeRoleWithSAMLInput) (*request.Request, *sts.AssumeRoleWithSAMLOutput)
+
+        AssumeRoleWithWebIdentity(*sts.AssumeRoleWithWebIdentityInput) (*sts.AssumeRoleWithWebIdentityOutput, error)
+        AssumeRoleWithWebIdentityWithContext(aws.Context, *sts.AssumeRoleWithWebIdentityInput, ...request.Option) (*sts.AssumeRoleWithWebIdentityOutput, error)
+        AssumeRoleWithWebIdentityRequest(*sts.AssumeRoleWithWebIdentityInput) (*request.Request, *sts.AssumeRoleWithWebIdentityOutput)
+
+        DecodeAuthorizationMessage(*sts.DecodeAuthorizationMessageInput) (*sts.DecodeAuthorizationMessageOutput, error)
+        DecodeAuthorizationMessageWithContext(aws.Context, *sts.DecodeAuthorizationMessageInput, ...request.Option) (*sts.DecodeAuthorizationMessageOutput, error)
+        DecodeAuthorizationMessageRequest(*sts.DecodeAuthorizationMessageInput) (*request.Request, *sts.DecodeAuthorizationMessageOutput)
+
+        GetAccessKeyInfo(*sts.GetAccessKeyInfoInput) (*sts.GetAccessKeyInfoOutput, error)
+        GetAccessKeyInfoWithContext(aws.Context, *sts.GetAccessKeyInfoInput, ...request.Option) (*sts.GetAccessKeyInfoOutput, error)
+        GetAccessKeyInfoRequest(*sts.GetAccessKeyInfoInput) (*request.Request, *sts.GetAccessKeyInfoOutput)
+
+        GetCallerIdentity(*sts.GetCallerIdentityInput) (*sts.GetCallerIdentityOutput, error)
+        GetCallerIdentityWithContext(aws.Context, *sts.GetCallerIdentityInput, ...request.Option) (*sts.GetCallerIdentityOutput, error)
+        GetCallerIdentityRequest(*sts.GetCallerIdentityInput) (*request.Request, *sts.GetCallerIdentityOutput)
+
+        GetFederationToken(*sts.GetFederationTokenInput) (*sts.GetFederationTokenOutput, error)
+        GetFederationTokenWithContext(aws.Context, *sts.GetFederationTokenInput, ...request.Option) (*sts.GetFederationTokenOutput, error)
+        GetFederationTokenRequest(*sts.GetFederationTokenInput) (*request.Request, *sts.GetFederationTokenOutput)
+
+        GetSessionToken(*sts.GetSessionTokenInput) (*sts.GetSessionTokenOutput, error)
+        GetSessionTokenWithContext(aws.Context, *sts.GetSessionTokenInput, ...request.Option) (*sts.GetSessionTokenOutput, error)
+        GetSessionTokenRequest(*sts.GetSessionTokenInput) (*request.Request, *sts.GetSessionTokenOutput)
+}
+
+var _ STSAPI = (*sts.STS)(nil)