rebase: bump github.com/aws/aws-sdk-go-v2/service/sts

Bumps [github.com/aws/aws-sdk-go-v2/service/sts](https://github.com/aws/aws-sdk-go-v2) from 1.18.10 to 1.19.0.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.18.10...service/s3/v1.19.0)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/sts
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

go.mod

@@ -5,7 +5,7 @@ go 1.19
 require (
 	github.com/IBM/keyprotect-go-client v0.10.0
 	github.com/aws/aws-sdk-go v1.44.259
-	github.com/aws/aws-sdk-go-v2/service/sts v1.18.10
+	github.com/aws/aws-sdk-go-v2/service/sts v1.19.0
 	github.com/ceph/ceph-csi/api v0.0.0-00010101000000-000000000000
 	// TODO: API for managing subvolume metadata and snapshot metadata requires `ceph_ci_untested` build-tag
 	github.com/ceph/go-ceph v0.21.0

go.sum

@@ -165,8 +165,8 @@ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.27 h1:vFQlirhuM8lLlpI7im
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.27/go.mod h1:UrHnn3QV/d0pBZ6QBAEQcqFLf8FAzLmoUfPVIueOvoM=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.27 h1:0iKliEXAcCa2qVtRs7Ot5hItA2MsufrphbRFlz1Owxo=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.27/go.mod h1:EOwBD4J4S5qYszS5/3DpkejfuK+Z5/1uzICfPaZLtqw=
-github.com/aws/aws-sdk-go-v2/service/sts v1.18.10 h1:6UbNM/KJhMBfOI5+lpVcJ/8OA7cBSz0O6OX37SRKlSw=
+github.com/aws/aws-sdk-go-v2/service/sts v1.19.0 h1:2DQLAKDteoEDI8zpCzqBMaZlJuoE9iTYD0gFmXVax9E=
-github.com/aws/aws-sdk-go-v2/service/sts v1.18.10/go.mod h1:BgQOMsg8av8jset59jelyPW7NoZcZXLVpDsXunGDrk8=
+github.com/aws/aws-sdk-go-v2/service/sts v1.19.0/go.mod h1:BgQOMsg8av8jset59jelyPW7NoZcZXLVpDsXunGDrk8=
 github.com/aws/smithy-go v1.13.5 h1:hgz0X/DX0dGqTYpGALqXJoRKRj5oQ7150i5FdTePzO8=
 github.com/aws/smithy-go v1.13.5/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
 github.com/baiyubin/aliyun-sts-go-sdk v0.0.0-20180326062324-cfa1a18b161f/go.mod h1:AuiFmCCPBSrqvVMvuqFuk0qogytodnVFVSN5CeJB8Gc=

vendor/github.com/aws/aws-sdk-go-v2/service/sts/CHANGELOG.md

@@ -1,3 +1,11 @@
+# v1.19.0 (2023-05-08)
+
+* **Feature**: Documentation updates for AWS Security Token Service.
+
+# v1.18.11 (2023-05-04)
+
+* No change notes available for this release.
+
 # v1.18.10 (2023-04-24)
 
 * **Dependency Update**: Updated to the latest SDK module versions

vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRole.go

@@ -34,19 +34,18 @@ import (
 // the account that owns the role. You cannot use session policies to grant more
 // permissions than those allowed by the identity-based policy of the role that is
 // being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-// in the IAM User Guide. When you create a role, you create two policies: A role
+// in the IAM User Guide. When you create a role, you create two policies: a role
-// trust policy that specifies who can assume the role and a permissions policy
+// trust policy that specifies who can assume the role, and a permissions policy
 // that specifies what can be done with the role. You specify the trusted principal
-// who is allowed to assume the role in the role trust policy. To assume a role
+// that is allowed to assume the role in the role trust policy. To assume a role
 // from a different account, your Amazon Web Services account must be trusted by
 // the role. The trust relationship is defined in the role's trust policy when the
 // role is created. That trust policy states which accounts are allowed to delegate
 // that access to users in the account. A user who wants to access a role in a
-// different account must also have permissions that are delegated from the user
+// different account must also have permissions that are delegated from the account
-// account administrator. The administrator must attach a policy that allows the
+// administrator. The administrator must attach a policy that allows the user to
-// user to call AssumeRole for the ARN of the role in the other account. To allow
+// call AssumeRole for the ARN of the role in the other account. To allow a user
-// a user to assume a role in the same account, you can do either of the following:
+// to assume a role in the same account, you can do either of the following:
-//
 //   - Attach a policy to the user that allows the user to call AssumeRole (as long
 //     as the role's trust policy trusts the account).
 //   - Add the user as a principal directly in the role's trust policy.

vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithSAML.go

@@ -229,8 +229,8 @@ type AssumeRoleWithSAMLOutput struct {
 	//   - The Amazon Web Services account ID.
 	//   - The friendly name (the last part of the ARN) of the SAML provider in IAM.
 	// The combination of NameQualifier and Subject can be used to uniquely identify a
-	// federated user. The following pseudocode shows how the hash value is calculated:
+	// user. The following pseudocode shows how the hash value is calculated: BASE64 (
-	// BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP" ) )
+	// SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP" ) )
 	NameQualifier *string
 
 	// A percentage value that indicates the packed size of the session policies and

vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithWebIdentity.go

@@ -20,19 +20,17 @@ import (
 // and the Amazon Web Services SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/)
 // to uniquely identify a user. You can also supply the user with a consistent
 // identity throughout the lifetime of an application. To learn more about Amazon
-// Cognito, see Amazon Cognito Overview (https://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840)
+// Cognito, see Amazon Cognito identity pools (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html)
-// in Amazon Web Services SDK for Android Developer Guide and Amazon Cognito
+// in Amazon Cognito Developer Guide. Calling AssumeRoleWithWebIdentity does not
-// Overview (https://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664)
+// require the use of Amazon Web Services security credentials. Therefore, you can
-// in the Amazon Web Services SDK for iOS Developer Guide. Calling
+// distribute an application (for example, on mobile devices) that requests
-// AssumeRoleWithWebIdentity does not require the use of Amazon Web Services
+// temporary security credentials without including long-term Amazon Web Services
-// security credentials. Therefore, you can distribute an application (for example,
+// credentials in the application. You also don't need to deploy server-based proxy
-// on mobile devices) that requests temporary security credentials without
+// services that use long-term Amazon Web Services credentials. Instead, the
-// including long-term Amazon Web Services credentials in the application. You also
+// identity of the caller is validated by using a token from the web identity
-// don't need to deploy server-based proxy services that use long-term Amazon Web
+// provider. For a comparison of AssumeRoleWithWebIdentity with the other API
-// Services credentials. Instead, the identity of the caller is validated by using
+// operations that produce temporary credentials, see Requesting Temporary
-// a token from the web identity provider. For a comparison of
+// Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
-// AssumeRoleWithWebIdentity with the other API operations that produce temporary
-// credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
 // and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
 // in the IAM User Guide. The temporary security credentials returned by this API
 // consist of an access key ID, a secret access key, and a security token.

vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetCallerIdentity.go

@@ -12,11 +12,11 @@ import (
 
 // Returns details about the IAM user or role whose credentials are used to call
 // the operation. No permissions are required to perform this operation. If an
-// administrator adds a policy to your IAM user or role that explicitly denies
+// administrator attaches a policy to your identity that explicitly denies access
-// access to the sts:GetCallerIdentity action, you can still perform this
+// to the sts:GetCallerIdentity action, you can still perform this operation.
-// operation. Permissions are not required because the same information is returned
+// Permissions are not required because the same information is returned when
-// when an IAM user or role is denied access. To view an example response, see I
+// access is denied. To view an example response, see I Am Not Authorized to
-// Am Not Authorized to Perform: iam:DeleteVirtualMFADevice (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa)
+// Perform: iam:DeleteVirtualMFADevice (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa)
 // in the IAM User Guide.
 func (c *Client) GetCallerIdentity(ctx context.Context, params *GetCallerIdentityInput, optFns ...func(*Options)) (*GetCallerIdentityOutput, error) {
 	if params == nil {

vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetFederationToken.go

@@ -12,34 +12,33 @@ import (
 )
 
 // Returns a set of temporary security credentials (consisting of an access key
-// ID, a secret access key, and a security token) for a federated user. A typical
+// ID, a secret access key, and a security token) for a user. A typical use is in a
-// use is in a proxy application that gets temporary security credentials on behalf
+// proxy application that gets temporary security credentials on behalf of
-// of distributed applications inside a corporate network. You must call the
+// distributed applications inside a corporate network. You must call the
 // GetFederationToken operation using the long-term security credentials of an IAM
 // user. As a result, this call is appropriate in contexts where those credentials
-// can be safely stored, usually in a server-based application. For a comparison of
+// can be safeguarded, usually in a server-based application. For a comparison of
 // GetFederationToken with the other API operations that produce temporary
 // credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
 // and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
+// in the IAM User Guide. Although it is possible to call GetFederationToken using
+// the security credentials of an Amazon Web Services account root user rather than
+// an IAM user that you create for the purpose of a proxy application, we do not
+// recommend it. For more information, see Safeguard your root user credentials
+// and don't use them for everyday tasks (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)
 // in the IAM User Guide. You can create a mobile-based or browser-based app that
 // can authenticate users using a web identity provider like Login with Amazon,
 // Facebook, Google, or an OpenID Connect-compatible identity provider. In this
 // case, we recommend that you use Amazon Cognito (http://aws.amazon.com/cognito/)
 // or AssumeRoleWithWebIdentity . For more information, see Federation Through a
 // Web-based Identity Provider (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity)
-// in the IAM User Guide. You can also call GetFederationToken using the security
-// credentials of an Amazon Web Services account root user, but we do not recommend
-// it. Instead, we recommend that you create an IAM user for the purpose of the
-// proxy application. Then attach a policy to the IAM user that limits federated
-// users to only the actions and resources that they need to access. For more
-// information, see IAM Best Practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)
 // in the IAM User Guide. Session duration The temporary credentials are valid for
 // the specified duration, from 900 seconds (15 minutes) up to a maximum of 129,600
 // seconds (36 hours). The default session duration is 43,200 seconds (12 hours).
-// Temporary credentials obtained by using the Amazon Web Services account root
+// Temporary credentials obtained by using the root user credentials have a maximum
-// user credentials have a maximum duration of 3,600 seconds (1 hour). Permissions
+// duration of 3,600 seconds (1 hour). Permissions You can use the temporary
-// You can use the temporary credentials created by GetFederationToken in any
+// credentials created by GetFederationToken in any Amazon Web Services service
-// Amazon Web Services service with the following exceptions:
+// with the following exceptions:
 //   - You cannot call any IAM operations using the CLI or the Amazon Web Services
 //     API. This limitation does not apply to console sessions.
 //   - You cannot call any STS operations except GetCallerIdentity .
@@ -114,10 +113,9 @@ type GetFederationTokenInput struct {
 	// The duration, in seconds, that the session should last. Acceptable durations
 	// for federation sessions range from 900 seconds (15 minutes) to 129,600 seconds
 	// (36 hours), with 43,200 seconds (12 hours) as the default. Sessions obtained
-	// using Amazon Web Services account root user credentials are restricted to a
+	// using root user credentials are restricted to a maximum of 3,600 seconds (one
-	// maximum of 3,600 seconds (one hour). If the specified duration is longer than
+	// hour). If the specified duration is longer than one hour, the session obtained
-	// one hour, the session obtained by using root user credentials defaults to one
+	// by using root user credentials defaults to one hour.
-	// hour.
 	DurationSeconds *int32
 
 	// An IAM policy in JSON format that you want to use as an inline session policy.

vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetSessionToken.go

@@ -15,45 +15,42 @@ import (
 // IAM user. The credentials consist of an access key ID, a secret access key, and
 // a security token. Typically, you use GetSessionToken if you want to use MFA to
 // protect programmatic calls to specific Amazon Web Services API operations like
-// Amazon EC2 StopInstances . MFA-enabled IAM users would need to call
+// Amazon EC2 StopInstances . MFA-enabled IAM users must call GetSessionToken and
-// GetSessionToken and submit an MFA code that is associated with their MFA device.
+// submit an MFA code that is associated with their MFA device. Using the temporary
-// Using the temporary security credentials that are returned from the call, IAM
+// security credentials that the call returns, IAM users can then make programmatic
-// users can then make programmatic calls to API operations that require MFA
+// calls to API operations that require MFA authentication. An incorrect MFA code
-// authentication. If you do not supply a correct MFA code, then the API returns an
+// causes the API to return an access denied error. For a comparison of
-// access denied error. For a comparison of GetSessionToken with the other API
+// GetSessionToken with the other API operations that produce temporary
-// operations that produce temporary credentials, see Requesting Temporary
+// credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
-// Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
 // and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
 // in the IAM User Guide. No permissions are required for users to perform this
 // operation. The purpose of the sts:GetSessionToken operation is to authenticate
 // the user using MFA. You cannot use policies to control authentication
 // operations. For more information, see Permissions for GetSessionToken (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getsessiontoken.html)
 // in the IAM User Guide. Session Duration The GetSessionToken operation must be
-// called by using the long-term Amazon Web Services security credentials of the
+// called by using the long-term Amazon Web Services security credentials of an IAM
-// Amazon Web Services account root user or an IAM user. Credentials that are
+// user. Credentials that are created by IAM users are valid for the duration that
-// created by IAM users are valid for the duration that you specify. This duration
+// you specify. This duration can range from 900 seconds (15 minutes) up to a
-// can range from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36
+// maximum of 129,600 seconds (36 hours), with a default of 43,200 seconds (12
-// hours), with a default of 43,200 seconds (12 hours). Credentials based on
+// hours). Credentials based on account credentials can range from 900 seconds (15
-// account credentials can range from 900 seconds (15 minutes) up to 3,600 seconds
+// minutes) up to 3,600 seconds (1 hour), with a default of 1 hour. Permissions The
-// (1 hour), with a default of 1 hour. Permissions The temporary security
+// temporary security credentials created by GetSessionToken can be used to make
-// credentials created by GetSessionToken can be used to make API calls to any
+// API calls to any Amazon Web Services service with the following exceptions:
-// Amazon Web Services service with the following exceptions:
 //   - You cannot call any IAM API operations unless MFA authentication
 //     information is included in the request.
 //   - You cannot call any STS API except AssumeRole or GetCallerIdentity .
 //
-// We recommend that you do not call GetSessionToken with Amazon Web Services
+// The credentials that GetSessionToken returns are based on permissions
-// account root user credentials. Instead, follow our best practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users)
+// associated with the IAM user whose credentials were used to call the operation.
-// by creating one or more IAM users, giving them the necessary permissions, and
+// The temporary credentials have the same permissions as the IAM user. Although it
-// using IAM users for everyday interaction with Amazon Web Services. The
+// is possible to call GetSessionToken using the security credentials of an Amazon
-// credentials that are returned by GetSessionToken are based on permissions
+// Web Services account root user rather than an IAM user, we do not recommend it.
-// associated with the user whose credentials were used to call the operation. If
+// If GetSessionToken is called using root user credentials, the temporary
-// GetSessionToken is called using Amazon Web Services account root user
+// credentials have root user permissions. For more information, see Safeguard
-// credentials, the temporary credentials have root user permissions. Similarly, if
+// your root user credentials and don't use them for everyday tasks (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)
-// GetSessionToken is called using the credentials of an IAM user, the temporary
+// in the IAM User Guide For more information about using GetSessionToken to
-// credentials have the same permissions as the IAM user. For more information
+// create temporary credentials, see Temporary Credentials for Users in Untrusted
-// about using GetSessionToken to create temporary credentials, go to Temporary
+// Environments (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken)
-// Credentials for Users in Untrusted Environments (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken)
 // in the IAM User Guide.
 func (c *Client) GetSessionToken(ctx context.Context, params *GetSessionTokenInput, optFns ...func(*Options)) (*GetSessionTokenOutput, error) {
 	if params == nil {

vendor/github.com/aws/aws-sdk-go-v2/service/sts/doc.go

@@ -4,9 +4,8 @@
 // Security Token Service.
 //
 // Security Token Service Security Token Service (STS) enables you to request
-// temporary, limited-privilege credentials for Identity and Access Management
+// temporary, limited-privilege credentials for users. This guide provides
-// (IAM) users or for users that you authenticate (federated users). This guide
+// descriptions of the STS API. For more information about using this service, see
-// provides descriptions of the STS API. For more information about using this
+// Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html)
-// service, see Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html)
 // .
 package sts

vendor/github.com/aws/aws-sdk-go-v2/service/sts/go_module_metadata.go

@@ -3,4 +3,4 @@
 package sts
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.18.10"
+const goModuleVersion = "1.19.0"

vendor/github.com/aws/aws-sdk-go-v2/service/sts/internal/endpoints/endpoints.go

@@ -89,6 +89,7 @@ var partitionRegexp = struct {
 	AwsCn    *regexp.Regexp
 	AwsIso   *regexp.Regexp
 	AwsIsoB  *regexp.Regexp
+	AwsIsoE  *regexp.Regexp
 	AwsUsGov *regexp.Regexp
 }{
 
@@ -96,6 +97,7 @@ var partitionRegexp = struct {
 	AwsCn:    regexp.MustCompile("^cn\\-\\w+\\-\\d+$"),
 	AwsIso:   regexp.MustCompile("^us\\-iso\\-\\w+\\-\\d+$"),
 	AwsIsoB:  regexp.MustCompile("^us\\-isob\\-\\w+\\-\\d+$"),
+	AwsIsoE:  regexp.MustCompile("^eu\\-isoe\\-\\w+\\-\\d+$"),
 	AwsUsGov: regexp.MustCompile("^us\\-gov\\-\\w+\\-\\d+$"),
 }
 
@@ -384,6 +386,27 @@ var defaultPartitions = endpoints.Partitions{
 			}: endpoints.Endpoint{},
 		},
 	},
+	{
+		ID: "aws-iso-e",
+		Defaults: map[endpoints.DefaultKey]endpoints.Endpoint{
+			{
+				Variant: endpoints.FIPSVariant,
+			}: {
+				Hostname:          "sts-fips.{region}.cloud.adc-e.uk",
+				Protocols:         []string{"https"},
+				SignatureVersions: []string{"v4"},
+			},
+			{
+				Variant: 0,
+			}: {
+				Hostname:          "sts.{region}.cloud.adc-e.uk",
+				Protocols:         []string{"https"},
+				SignatureVersions: []string{"v4"},
+			},
+		},
+		RegionRegex:    partitionRegexp.AwsIsoE,
+		IsRegionalized: true,
+	},
 	{
 		ID: "aws-us-gov",
 		Defaults: map[endpoints.DefaultKey]endpoints.Endpoint{

vendor/modules.txt

@@ -82,7 +82,7 @@ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2
 # github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.27
 ## explicit; go 1.15
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url
-# github.com/aws/aws-sdk-go-v2/service/sts v1.18.10
+# github.com/aws/aws-sdk-go-v2/service/sts v1.19.0
 ## explicit; go 1.15
 github.com/aws/aws-sdk-go-v2/service/sts
 github.com/aws/aws-sdk-go-v2/service/sts/internal/endpoints