rebase: Bump github.com/aws/aws-sdk-go from 1.44.295 to 1.44.298

Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.44.295 to 1.44.298. - [Release notes](https://github.com/aws/aws-sdk-go/releases) - [Commits](https://github.com/aws/aws-sdk-go/compare/v1.44.295...v1.44.298) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
2024-09-19 15:09:56 +00:00 · 2023-07-10 21:03:11 +00:00 · 2023-07-10 21:03:11 +00:00 · 7d38757aaa
commit 7d38757aaa
parent d231cde05e
18 changed files with 2917 additions and 80 deletions
--- a/go.mod
+++ b/go.mod
@ -4,7 +4,7 @@ go 1.20

 require (
 	github.com/IBM/keyprotect-go-client v0.10.0
-	github.com/aws/aws-sdk-go v1.44.295
+	github.com/aws/aws-sdk-go v1.44.298
 	github.com/aws/aws-sdk-go-v2/service/sts v1.19.2
 	github.com/ceph/ceph-csi/api v0.0.0-00010101000000-000000000000
 	// TODO: API for managing subvolume metadata and snapshot metadata requires `ceph_ci_untested` build-tag
--- a/go.sum
+++ b/go.sum
@ -154,8 +154,8 @@ github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a h1:idn718Q4
 github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
 github.com/aws/aws-sdk-go v1.25.37/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aws/aws-sdk-go v1.25.41/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
-github.com/aws/aws-sdk-go v1.44.295 h1:SGjU1+MqttXfRiWHD6WU0DRhaanJgAFY+xIhEaugV8Y=
-github.com/aws/aws-sdk-go v1.44.295/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
+github.com/aws/aws-sdk-go v1.44.298 h1:5qTxdubgV7PptZJmp/2qDwD2JL187ePL7VOxsSh1i3g=
+github.com/aws/aws-sdk-go v1.44.298/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
 github.com/aws/aws-sdk-go-v2 v1.18.1 h1:+tefE750oAb7ZQGzla6bLkOwfcQCEtC5y2RqoqCeqKo=
 github.com/aws/aws-sdk-go-v2 v1.18.1/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.34 h1:A5UqQEmPaCFpedKouS4v+dHCTUo2sKqhoKO9U5kxyWo=
--- a/vendor/github.com/aws/aws-sdk-go/aws/auth/bearer/token.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/auth/bearer/token.go
@ -0,0 +1,50 @@
+package bearer
+
+import (
+	"github.com/aws/aws-sdk-go/aws"
+	"time"
+)
+
+// Token provides a type wrapping a bearer token and expiration metadata.
+type Token struct {
+	Value string
+
+	CanExpire bool
+	Expires   time.Time
+}
+
+// Expired returns if the token's Expires time is before or equal to the time
+// provided. If CanExpire is false, Expired will always return false.
+func (t Token) Expired(now time.Time) bool {
+	if !t.CanExpire {
+		return false
+	}
+	now = now.Round(0)
+	return now.Equal(t.Expires) || now.After(t.Expires)
+}
+
+// TokenProvider provides interface for retrieving bearer tokens.
+type TokenProvider interface {
+	RetrieveBearerToken(aws.Context) (Token, error)
+}
+
+// TokenProviderFunc provides a helper utility to wrap a function as a type
+// that implements the TokenProvider interface.
+type TokenProviderFunc func(aws.Context) (Token, error)
+
+// RetrieveBearerToken calls the wrapped function, returning the Token or
+// error.
+func (fn TokenProviderFunc) RetrieveBearerToken(ctx aws.Context) (Token, error) {
+	return fn(ctx)
+}
+
+// StaticTokenProvider provides a utility for wrapping a static bearer token
+// value within an implementation of a token provider.
+type StaticTokenProvider struct {
+	Token Token
+}
+
+// RetrieveBearerToken returns the static token specified.
+func (s StaticTokenProvider) RetrieveBearerToken(aws.Context) (Token, error) {
+	return s.Token, nil
+}
--- a/vendor/github.com/aws/aws-sdk-go/aws/credentials/ssocreds/provider.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/credentials/ssocreds/provider.go
@ -4,13 +4,13 @@ import (
 	"crypto/sha1"
 	"encoding/hex"
 	"encoding/json"
-	"fmt"
 	"io/ioutil"
 	"path/filepath"
 	"strings"
 	"time"

 	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/auth/bearer"
 	"github.com/aws/aws-sdk-go/aws/awserr"
 	"github.com/aws/aws-sdk-go/aws/client"
 	"github.com/aws/aws-sdk-go/aws/credentials"
@ -55,6 +55,19 @@ type Provider struct {

 	// The URL that points to the organization's AWS Single Sign-On (AWS SSO) user portal.
 	StartURL string
+
+	// The filepath the cached token will be retrieved from. If unset Provider will
+	// use the startURL to determine the filepath at.
+	//
+	//    ~/.aws/sso/cache/<sha1-hex-encoded-startURL>.json
+	//
+	// If custom cached token filepath is used, the Provider's startUrl
+	// parameter will be ignored.
+	CachedTokenFilepath string
+
+	// Used by the SSOCredentialProvider if a token configuration
+	// profile is used in the shared config
+	TokenProvider bearer.TokenProvider
 }

 // NewCredentials returns a new AWS Single Sign-On (AWS SSO) credential provider. The ConfigProvider is expected to be configured
@ -89,13 +102,31 @@ func (p *Provider) Retrieve() (credentials.Value, error) {
 // RetrieveWithContext retrieves temporary AWS credentials from the configured Amazon Single Sign-On (AWS SSO) user portal
 // by exchanging the accessToken present in ~/.aws/sso/cache.
 func (p *Provider) RetrieveWithContext(ctx credentials.Context) (credentials.Value, error) {
-	tokenFile, err := loadTokenFile(p.StartURL)
-	if err != nil {
-		return credentials.Value{}, err
+	var accessToken *string
+	if p.TokenProvider != nil {
+		token, err := p.TokenProvider.RetrieveBearerToken(ctx)
+		if err != nil {
+			return credentials.Value{}, err
+		}
+		accessToken = &token.Value
+	} else {
+		if p.CachedTokenFilepath == "" {
+			cachedTokenFilePath, err := getCachedFilePath(p.StartURL)
+			if err != nil {
+				return credentials.Value{}, err
+			}
+			p.CachedTokenFilepath = cachedTokenFilePath
+		}
+
+		tokenFile, err := loadTokenFile(p.CachedTokenFilepath)
+		if err != nil {
+			return credentials.Value{}, err
+		}
+		accessToken = &tokenFile.AccessToken
 	}

 	output, err := p.Client.GetRoleCredentialsWithContext(ctx, &sso.GetRoleCredentialsInput{
-		AccessToken: &tokenFile.AccessToken,
+		AccessToken: accessToken,
 		AccountId:   &p.AccountID,
 		RoleName:    &p.RoleName,
 	})
@ -114,32 +145,13 @@ func (p *Provider) RetrieveWithContext(ctx credentials.Context) (credentials.Val
 	}, nil
 }

-func getCacheFileName(url string) (string, error) {
+func getCachedFilePath(startUrl string) (string, error) {
 	hash := sha1.New()
-	_, err := hash.Write([]byte(url))
+	_, err := hash.Write([]byte(startUrl))
 	if err != nil {
 		return "", err
 	}
-	return strings.ToLower(hex.EncodeToString(hash.Sum(nil))) + ".json", nil
-}
-
-type rfc3339 time.Time
-
-func (r *rfc3339) UnmarshalJSON(bytes []byte) error {
-	var value string
-
-	if err := json.Unmarshal(bytes, &value); err != nil {
-		return err
-	}
-
-	parse, err := time.Parse(time.RFC3339, value)
-	if err != nil {
-		return fmt.Errorf("expected RFC3339 timestamp: %v", err)
-	}
-
-	*r = rfc3339(parse)
-
-	return nil
+	return filepath.Join(defaultCacheLocation(), strings.ToLower(hex.EncodeToString(hash.Sum(nil)))+".json"), nil
 }

 type token struct {
@ -153,13 +165,8 @@ func (t token) Expired() bool {
 	return nowTime().Round(0).After(time.Time(t.ExpiresAt))
 }

-func loadTokenFile(startURL string) (t token, err error) {
-	key, err := getCacheFileName(startURL)
-	if err != nil {
-		return token{}, awserr.New(ErrCodeSSOProviderInvalidToken, invalidTokenMessage, err)
-	}
-
-	fileBytes, err := ioutil.ReadFile(filepath.Join(defaultCacheLocation(), key))
+func loadTokenFile(cachedTokenPath string) (t token, err error) {
+	fileBytes, err := ioutil.ReadFile(cachedTokenPath)
 	if err != nil {
 		return token{}, awserr.New(ErrCodeSSOProviderInvalidToken, invalidTokenMessage, err)
 	}
--- a/vendor/github.com/aws/aws-sdk-go/aws/credentials/ssocreds/sso_cached_token.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/credentials/ssocreds/sso_cached_token.go
@ -0,0 +1,237 @@
+package ssocreds
+
+import (
+	"crypto/sha1"
+	"encoding/hex"
+	"encoding/json"
+	"fmt"
+	"github.com/aws/aws-sdk-go/internal/shareddefaults"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"time"
+)
+
+var resolvedOsUserHomeDir = shareddefaults.UserHomeDir
+
+// StandardCachedTokenFilepath returns the filepath for the cached SSO token file, or
+// error if unable get derive the path. Key that will be used to compute a SHA1
+// value that is hex encoded.
+//
+// Derives the filepath using the Key as:
+//
+//	~/.aws/sso/cache/<sha1-hex-encoded-key>.json
+func StandardCachedTokenFilepath(key string) (string, error) {
+	homeDir := resolvedOsUserHomeDir()
+	if len(homeDir) == 0 {
+		return "", fmt.Errorf("unable to get USER's home directory for cached token")
+	}
+	hash := sha1.New()
+	if _, err := hash.Write([]byte(key)); err != nil {
+		return "", fmt.Errorf("unable to compute cached token filepath key SHA1 hash, %v", err)
+	}
+
+	cacheFilename := strings.ToLower(hex.EncodeToString(hash.Sum(nil))) + ".json"
+
+	return filepath.Join(homeDir, ".aws", "sso", "cache", cacheFilename), nil
+}
+
+type tokenKnownFields struct {
+	AccessToken string   `json:"accessToken,omitempty"`
+	ExpiresAt   *rfc3339 `json:"expiresAt,omitempty"`
+
+	RefreshToken string `json:"refreshToken,omitempty"`
+	ClientID     string `json:"clientId,omitempty"`
+	ClientSecret string `json:"clientSecret,omitempty"`
+}
+
+type cachedToken struct {
+	tokenKnownFields
+	UnknownFields map[string]interface{} `json:"-"`
+}
+
+// MarshalJSON provides custom marshalling because the standard library Go marshaller ignores unknown/unspecified fields
+// when marshalling from a struct: https://pkg.go.dev/encoding/json#Marshal
+// This function adds some extra validation to the known fields and captures unknown fields.
+func (t cachedToken) MarshalJSON() ([]byte, error) {
+	fields := map[string]interface{}{}
+
+	setTokenFieldString(fields, "accessToken", t.AccessToken)
+	setTokenFieldRFC3339(fields, "expiresAt", t.ExpiresAt)
+
+	setTokenFieldString(fields, "refreshToken", t.RefreshToken)
+	setTokenFieldString(fields, "clientId", t.ClientID)
+	setTokenFieldString(fields, "clientSecret", t.ClientSecret)
+
+	for k, v := range t.UnknownFields {
+		if _, ok := fields[k]; ok {
+			return nil, fmt.Errorf("unknown token field %v, duplicates known field", k)
+		}
+		fields[k] = v
+	}
+
+	return json.Marshal(fields)
+}
+
+func setTokenFieldString(fields map[string]interface{}, key, value string) {
+	if value == "" {
+		return
+	}
+	fields[key] = value
+}
+func setTokenFieldRFC3339(fields map[string]interface{}, key string, value *rfc3339) {
+	if value == nil {
+		return
+	}
+	fields[key] = value
+}
+
+// UnmarshalJSON provides custom unmarshalling because the standard library Go unmarshaller ignores unknown/unspecified
+// fields when unmarshalling from a struct: https://pkg.go.dev/encoding/json#Unmarshal
+// This function adds some extra validation to the known fields and captures unknown fields.
+func (t *cachedToken) UnmarshalJSON(b []byte) error {
+	var fields map[string]interface{}
+	if err := json.Unmarshal(b, &fields); err != nil {
+		return nil
+	}
+
+	t.UnknownFields = map[string]interface{}{}
+
+	for k, v := range fields {
+		var err error
+		switch k {
+		case "accessToken":
+			err = getTokenFieldString(v, &t.AccessToken)
+		case "expiresAt":
+			err = getTokenFieldRFC3339(v, &t.ExpiresAt)
+		case "refreshToken":
+			err = getTokenFieldString(v, &t.RefreshToken)
+		case "clientId":
+			err = getTokenFieldString(v, &t.ClientID)
+		case "clientSecret":
+			err = getTokenFieldString(v, &t.ClientSecret)
+		default:
+			t.UnknownFields[k] = v
+		}
+
+		if err != nil {
+			return fmt.Errorf("field %q, %v", k, err)
+		}
+	}
+
+	return nil
+}
+
+func getTokenFieldString(v interface{}, value *string) error {
+	var ok bool
+	*value, ok = v.(string)
+	if !ok {
+		return fmt.Errorf("expect value to be string, got %T", v)
+	}
+	return nil
+}
+
+func getTokenFieldRFC3339(v interface{}, value **rfc3339) error {
+	var stringValue string
+	if err := getTokenFieldString(v, &stringValue); err != nil {
+		return err
+	}
+
+	timeValue, err := parseRFC3339(stringValue)
+	if err != nil {
+		return err
+	}
+
+	*value = &timeValue
+	return nil
+}
+
+func loadCachedToken(filename string) (cachedToken, error) {
+	fileBytes, err := ioutil.ReadFile(filename)
+	if err != nil {
+		return cachedToken{}, fmt.Errorf("failed to read cached SSO token file, %v", err)
+	}
+
+	var t cachedToken
+	if err := json.Unmarshal(fileBytes, &t); err != nil {
+		return cachedToken{}, fmt.Errorf("failed to parse cached SSO token file, %v", err)
+	}
+
+	if len(t.AccessToken) == 0 || t.ExpiresAt == nil || time.Time(*t.ExpiresAt).IsZero() {
+		return cachedToken{}, fmt.Errorf(
+			"cached SSO token must contain accessToken and expiresAt fields")
+	}
+
+	return t, nil
+}
+
+func storeCachedToken(filename string, t cachedToken, fileMode os.FileMode) (err error) {
+	tmpFilename := filename + ".tmp-" + strconv.FormatInt(nowTime().UnixNano(), 10)
+	if err := writeCacheFile(tmpFilename, fileMode, t); err != nil {
+		return err
+	}
+
+	if err := os.Rename(tmpFilename, filename); err != nil {
+		return fmt.Errorf("failed to replace old cached SSO token file, %v", err)
+	}
+
+	return nil
+}
+
+func writeCacheFile(filename string, fileMode os.FileMode, t cachedToken) (err error) {
+	var f *os.File
+	f, err = os.OpenFile(filename, os.O_CREATE|os.O_TRUNC|os.O_RDWR, fileMode)
+	if err != nil {
+		return fmt.Errorf("failed to create cached SSO token file %v", err)
+	}
+
+	defer func() {
+		closeErr := f.Close()
+		if err == nil && closeErr != nil {
+			err = fmt.Errorf("failed to close cached SSO token file, %v", closeErr)
+		}
+	}()
+
+	encoder := json.NewEncoder(f)
+
+	if err = encoder.Encode(t); err != nil {
+		return fmt.Errorf("failed to serialize cached SSO token, %v", err)
+	}
+
+	return nil
+}
+
+type rfc3339 time.Time
+
+// UnmarshalJSON decode rfc3339 from JSON format
+func (r *rfc3339) UnmarshalJSON(bytes []byte) error {
+	var value string
+	var err error
+
+	if err = json.Unmarshal(bytes, &value); err != nil {
+		return err
+	}
+
+	*r, err = parseRFC3339(value)
+	return err
+}
+
+func parseRFC3339(v string) (rfc3339, error) {
+	parsed, err := time.Parse(time.RFC3339, v)
+	if err != nil {
+		return rfc3339{}, fmt.Errorf("expected RFC3339 timestamp: %v", err)
+	}
+
+	return rfc3339(parsed), nil
+}
+
+// MarshalJSON encode rfc3339 to JSON format time
+func (r *rfc3339) MarshalJSON() ([]byte, error) {
+	value := time.Time(*r).Format(time.RFC3339)
+
+	// Use JSON unmarshal to unescape the quoted value making use of JSON's
+	// quoting rules.
+	return json.Marshal(value)
+}
--- a/vendor/github.com/aws/aws-sdk-go/aws/credentials/ssocreds/token_provider.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/credentials/ssocreds/token_provider.go
@ -0,0 +1,139 @@
+package ssocreds
+
+import (
+	"fmt"
+	"os"
+	"time"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/auth/bearer"
+	"github.com/aws/aws-sdk-go/service/ssooidc"
+)
+
+// CreateTokenAPIClient provides the interface for the SSOTokenProvider's API
+// client for calling CreateToken operation to refresh the SSO token.
+type CreateTokenAPIClient interface {
+	CreateToken(input *ssooidc.CreateTokenInput) (*ssooidc.CreateTokenOutput, error)
+}
+
+// SSOTokenProviderOptions provides the options for configuring the
+// SSOTokenProvider.
+type SSOTokenProviderOptions struct {
+	// Client that can be overridden
+	Client CreateTokenAPIClient
+
+	// The path the file containing the cached SSO token will be read from.
+	// Initialized the NewSSOTokenProvider's cachedTokenFilepath parameter.
+	CachedTokenFilepath string
+}
+
+// SSOTokenProvider provides a utility for refreshing SSO AccessTokens for
+// Bearer Authentication. The SSOTokenProvider can only be used to refresh
+// already cached SSO Tokens. This utility cannot perform the initial SSO
+// create token.
+//
+// The initial SSO create token should be preformed with the AWS CLI before the
+// Go application using the SSOTokenProvider will need to retrieve the SSO
+// token. If the AWS CLI has not created the token cache file, this provider
+// will return an error when attempting to retrieve the cached token.
+//
+// This provider will attempt to refresh the cached SSO token periodically if
+// needed when RetrieveBearerToken is called.
+//
+// A utility such as the AWS CLI must be used to initially create the SSO
+// session and cached token file.
+// https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html
+type SSOTokenProvider struct {
+	options SSOTokenProviderOptions
+}
+
+// NewSSOTokenProvider returns an initialized SSOTokenProvider that will
+// periodically refresh the SSO token cached stored in the cachedTokenFilepath.
+// The cachedTokenFilepath file's content will be rewritten by the token
+// provider when the token is refreshed.
+//
+// The client must be configured for the AWS region the SSO token was created for.
+func NewSSOTokenProvider(client CreateTokenAPIClient, cachedTokenFilepath string, optFns ...func(o *SSOTokenProviderOptions)) *SSOTokenProvider {
+	options := SSOTokenProviderOptions{
+		Client:              client,
+		CachedTokenFilepath: cachedTokenFilepath,
+	}
+	for _, fn := range optFns {
+		fn(&options)
+	}
+
+	provider := &SSOTokenProvider{
+		options: options,
+	}
+
+	return provider
+}
+
+// RetrieveBearerToken returns the SSO token stored in the cachedTokenFilepath
+// the SSOTokenProvider was created with. If the token has expired
+// RetrieveBearerToken will attempt to refresh it. If the token cannot be
+// refreshed or is not present an error will be returned.
+//
+// A utility such as the AWS CLI must be used to initially create the SSO
+// session and cached token file. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html
+func (p *SSOTokenProvider) RetrieveBearerToken(ctx aws.Context) (bearer.Token, error) {
+	cachedToken, err := loadCachedToken(p.options.CachedTokenFilepath)
+	if err != nil {
+		return bearer.Token{}, err
+	}
+
+	if cachedToken.ExpiresAt != nil && nowTime().After(time.Time(*cachedToken.ExpiresAt)) {
+		cachedToken, err = p.refreshToken(cachedToken)
+		if err != nil {
+			return bearer.Token{}, fmt.Errorf("refresh cached SSO token failed, %v", err)
+		}
+	}
+
+	expiresAt := toTime((*time.Time)(cachedToken.ExpiresAt))
+	return bearer.Token{
+		Value:     cachedToken.AccessToken,
+		CanExpire: !expiresAt.IsZero(),
+		Expires:   expiresAt,
+	}, nil
+}
+
+func (p *SSOTokenProvider) refreshToken(token cachedToken) (cachedToken, error) {
+	if token.ClientSecret == "" || token.ClientID == "" || token.RefreshToken == "" {
+		return cachedToken{}, fmt.Errorf("cached SSO token is expired, or not present, and cannot be refreshed")
+	}
+
+	createResult, err := p.options.Client.CreateToken(&ssooidc.CreateTokenInput{
+		ClientId:     &token.ClientID,
+		ClientSecret: &token.ClientSecret,
+		RefreshToken: &token.RefreshToken,
+		GrantType:    aws.String("refresh_token"),
+	})
+	if err != nil {
+		return cachedToken{}, fmt.Errorf("unable to refresh SSO token, %v", err)
+	}
+
+	expiresAt := nowTime().Add(time.Duration(*createResult.ExpiresIn) * time.Second)
+
+	token.AccessToken = *createResult.AccessToken
+	token.ExpiresAt = (*rfc3339)(&expiresAt)
+	token.RefreshToken = *createResult.RefreshToken
+
+	fileInfo, err := os.Stat(p.options.CachedTokenFilepath)
+	if err != nil {
+		return cachedToken{}, fmt.Errorf("failed to stat cached SSO token file %v", err)
+	}
+
+	if err = storeCachedToken(p.options.CachedTokenFilepath, token, fileInfo.Mode()); err != nil {
+		return cachedToken{}, fmt.Errorf("unable to cache refreshed SSO token, %v", err)
+	}
+
+	return token, nil
+}
+
+func toTime(p *time.Time) (v time.Time) {
+	if p == nil {
+		return v
+	}
+
+	return *p
+}
--- a/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go
@ -17557,6 +17557,9 @@ var awsPartition = partition{
 		},
 		"mediaconnect": service{
 			Endpoints: serviceEndpoints{
+				endpointKey{
+					Region: "af-south-1",
+				}: endpoint{},
 				endpointKey{
 					Region: "ap-east-1",
 				}: endpoint{},
@ -17575,6 +17578,9 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "ap-southeast-2",
 				}: endpoint{},
+				endpointKey{
+					Region: "ca-central-1",
+				}: endpoint{},
 				endpointKey{
 					Region: "eu-central-1",
 				}: endpoint{},
@ -19133,6 +19139,9 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "ap-south-1",
 				}: endpoint{},
+				endpointKey{
+					Region: "ap-south-2",
+				}: endpoint{},
 				endpointKey{
 					Region: "ap-southeast-1",
 				}: endpoint{},
@ -19142,6 +19151,9 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "ap-southeast-3",
 				}: endpoint{},
+				endpointKey{
+					Region: "ap-southeast-4",
+				}: endpoint{},
 				endpointKey{
 					Region: "ca-central-1",
 				}: endpoint{},
@ -19154,12 +19166,18 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "eu-central-1",
 				}: endpoint{},
+				endpointKey{
+					Region: "eu-central-2",
+				}: endpoint{},
 				endpointKey{
 					Region: "eu-north-1",
 				}: endpoint{},
 				endpointKey{
 					Region: "eu-south-1",
 				}: endpoint{},
+				endpointKey{
+					Region: "eu-south-2",
+				}: endpoint{},
 				endpointKey{
 					Region: "eu-west-1",
 				}: endpoint{},
--- a/vendor/github.com/aws/aws-sdk-go/aws/session/credentials.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/session/credentials.go
@ -14,6 +14,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws/defaults"
 	"github.com/aws/aws-sdk-go/aws/request"
 	"github.com/aws/aws-sdk-go/internal/shareddefaults"
+	"github.com/aws/aws-sdk-go/service/ssooidc"
 	"github.com/aws/aws-sdk-go/service/sts"
 )

@ -23,6 +24,10 @@ type CredentialsProviderOptions struct {
 	// WebIdentityRoleProviderOptions configures a WebIdentityRoleProvider,
 	// such as setting its ExpiryWindow.
 	WebIdentityRoleProviderOptions func(*stscreds.WebIdentityRoleProvider)
+
+	// ProcessProviderOptions configures a ProcessProvider,
+	// such as setting its Timeout.
+	ProcessProviderOptions func(*processcreds.ProcessProvider)
 }

 func resolveCredentials(cfg *aws.Config,
@ -33,7 +38,7 @@ func resolveCredentials(cfg *aws.Config,

 	switch {
 	case len(sessOpts.Profile) != 0:
-		// User explicitly provided an Profile in the session's configuration
+		// User explicitly provided a Profile in the session's configuration
 		// so load that profile from shared config first.
 		// Github(aws/aws-sdk-go#2727)
 		return resolveCredsFromProfile(cfg, envCfg, sharedCfg, handlers, sessOpts)
@ -134,7 +139,11 @@ func resolveCredsFromProfile(cfg *aws.Config,

 	case len(sharedCfg.CredentialProcess) != 0:
 		// Get credentials from CredentialProcess
-		creds = processcreds.NewCredentials(sharedCfg.CredentialProcess)
+		var optFns []func(*processcreds.ProcessProvider)
+		if sessOpts.CredentialsProviderOptions != nil && sessOpts.CredentialsProviderOptions.ProcessProviderOptions != nil {
+			optFns = append(optFns, sessOpts.CredentialsProviderOptions.ProcessProviderOptions)
+		}
+		creds = processcreds.NewCredentials(sharedCfg.CredentialProcess, optFns...)

 	default:
 		// Fallback to default credentials provider, include mock errors for
@ -173,8 +182,25 @@ func resolveSSOCredentials(cfg *aws.Config, sharedCfg sharedConfig, handlers req
 		return nil, err
 	}

+	var optFns []func(provider *ssocreds.Provider)
 	cfgCopy := cfg.Copy()
-	cfgCopy.Region = &sharedCfg.SSORegion
+
+	if sharedCfg.SSOSession != nil {
+		cfgCopy.Region = &sharedCfg.SSOSession.SSORegion
+		cachedPath, err := ssocreds.StandardCachedTokenFilepath(sharedCfg.SSOSession.Name)
+		if err != nil {
+			return nil, err
+		}
+		mySession := Must(NewSession())
+		oidcClient := ssooidc.New(mySession, cfgCopy)
+		tokenProvider := ssocreds.NewSSOTokenProvider(oidcClient, cachedPath)
+		optFns = append(optFns, func(p *ssocreds.Provider) {
+			p.TokenProvider = tokenProvider
+			p.CachedTokenFilepath = cachedPath
+		})
+	} else {
+		cfgCopy.Region = &sharedCfg.SSORegion
+	}

 	return ssocreds.NewCredentials(
 		&Session{
@ -184,6 +210,7 @@ func resolveSSOCredentials(cfg *aws.Config, sharedCfg sharedConfig, handlers req
 		sharedCfg.SSOAccountID,
 		sharedCfg.SSORoleName,
 		sharedCfg.SSOStartURL,
+		optFns...,
 	), nil
 }

--- a/vendor/github.com/aws/aws-sdk-go/aws/session/session.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/session/session.go
@ -37,7 +37,7 @@ const (

 // ErrSharedConfigSourceCollision will be returned if a section contains both
 // source_profile and credential_source
-var ErrSharedConfigSourceCollision = awserr.New(ErrCodeSharedConfig, "only one credential type may be specified per profile: source profile, credential source, credential process, web identity token, or sso", nil)
+var ErrSharedConfigSourceCollision = awserr.New(ErrCodeSharedConfig, "only one credential type may be specified per profile: source profile, credential source, credential process, web identity token", nil)

 // ErrSharedConfigECSContainerEnvVarEmpty will be returned if the environment
 // variables are empty and Environment was set as the credential source
--- a/vendor/github.com/aws/aws-sdk-go/aws/session/shared_config.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/session/shared_config.go
@ -26,6 +26,13 @@ const (
 	roleSessionNameKey     = `role_session_name` // optional
 	roleDurationSecondsKey = "duration_seconds"  // optional

+	// Prefix to be used for SSO sections. These are supposed to only exist in
+	// the shared config file, not the credentials file.
+	ssoSectionPrefix = `sso-session `
+
+	// AWS Single Sign-On (AWS SSO) group
+	ssoSessionNameKey = "sso_session"
+
 	// AWS Single Sign-On (AWS SSO) group
 	ssoAccountIDKey = "sso_account_id"
 	ssoRegionKey    = "sso_region"
@ -99,6 +106,10 @@ type sharedConfig struct {
 	CredentialProcess    string
 	WebIdentityTokenFile string

+	// SSO session options
+	SSOSessionName string
+	SSOSession     *ssoSession
+
 	SSOAccountID string
 	SSORegion    string
 	SSORoleName  string
@ -186,6 +197,20 @@ type sharedConfigFile struct {
 	IniData  ini.Sections
 }

+// SSOSession provides the shared configuration parameters of the sso-session
+// section.
+type ssoSession struct {
+	Name        string
+	SSORegion   string
+	SSOStartURL string
+}
+
+func (s *ssoSession) setFromIniSection(section ini.Section) {
+	updateString(&s.Name, section, ssoSessionNameKey)
+	updateString(&s.SSORegion, section, ssoRegionKey)
+	updateString(&s.SSOStartURL, section, ssoStartURL)
+}
+
 // loadSharedConfig retrieves the configuration from the list of files using
 // the profile provided. The order the files are listed will determine
 // precedence. Values in subsequent files will overwrite values defined in
@ -266,13 +291,13 @@ func (cfg *sharedConfig) setFromIniFiles(profiles map[string]struct{}, profile s
 		// profile only have credential provider options.
 		cfg.clearAssumeRoleOptions()
 	} else {
-		// First time a profile has been seen, It must either be a assume role
-		// credentials, or SSO. Assert if the credential type requires a role ARN,
-		// the ARN is also set, or validate that the SSO configuration is complete.
+		// First time a profile has been seen. Assert if the credential type
+		// requires a role ARN, the ARN is also set
 		if err := cfg.validateCredentialsConfig(profile); err != nil {
 			return err
 		}
 	}
+
 	profiles[profile] = struct{}{}

 	if err := cfg.validateCredentialType(); err != nil {
@ -308,6 +333,30 @@ func (cfg *sharedConfig) setFromIniFiles(profiles map[string]struct{}, profile s
 		cfg.SourceProfile = srcCfg
 	}

+	// If the profile contains an SSO session parameter, the session MUST exist
+	// as a section in the config file. Load the SSO session using the name
+	// provided. If the session section is not found or incomplete an error
+	// will be returned.
+	if cfg.hasSSOTokenProviderConfiguration() {
+		skippedFiles = 0
+		for _, f := range files {
+			section, ok := f.IniData.GetSection(fmt.Sprintf(ssoSectionPrefix + strings.TrimSpace(cfg.SSOSessionName)))
+			if ok {
+				var ssoSession ssoSession
+				ssoSession.setFromIniSection(section)
+				ssoSession.Name = cfg.SSOSessionName
+				cfg.SSOSession = &ssoSession
+				break
+			}
+			skippedFiles++
+		}
+		if skippedFiles == len(files) {
+			// If all files were skipped because the sso session section is not found, return
+			// the sso section not found error.
+			return fmt.Errorf("failed to find SSO session section, %v", cfg.SSOSessionName)
+		}
+	}
+
 	return nil
 }

@ -363,6 +412,10 @@ func (cfg *sharedConfig) setFromIniFile(profile string, file sharedConfigFile, e
 			cfg.S3UsEast1RegionalEndpoint = sre
 		}

+		// AWS Single Sign-On (AWS SSO)
+		// SSO session options
+		updateString(&cfg.SSOSessionName, section, ssoSessionNameKey)
+
 		// AWS Single Sign-On (AWS SSO)
 		updateString(&cfg.SSOAccountID, section, ssoAccountIDKey)
 		updateString(&cfg.SSORegion, section, ssoRegionKey)
@ -461,32 +514,20 @@ func (cfg *sharedConfig) validateCredentialType() error {
 }

 func (cfg *sharedConfig) validateSSOConfiguration() error {
-	if !cfg.hasSSOConfiguration() {
+	if cfg.hasSSOTokenProviderConfiguration() {
+		err := cfg.validateSSOTokenProviderConfiguration()
+		if err != nil {
+			return err
+		}
 		return nil
 	}

-	var missing []string
-	if len(cfg.SSOAccountID) == 0 {
-		missing = append(missing, ssoAccountIDKey)
+	if cfg.hasLegacySSOConfiguration() {
+		err := cfg.validateLegacySSOConfiguration()
+		if err != nil {
+			return err
+		}
 	}
-
-	if len(cfg.SSORegion) == 0 {
-		missing = append(missing, ssoRegionKey)
-	}
-
-	if len(cfg.SSORoleName) == 0 {
-		missing = append(missing, ssoRoleNameKey)
-	}
-
-	if len(cfg.SSOStartURL) == 0 {
-		missing = append(missing, ssoStartURL)
-	}
-
-	if len(missing) > 0 {
-		return fmt.Errorf("profile %q is configured to use SSO but is missing required configuration: %s",
-			cfg.Profile, strings.Join(missing, ", "))
-	}
-
 	return nil
 }

@ -525,15 +566,76 @@ func (cfg *sharedConfig) clearAssumeRoleOptions() {
 }

 func (cfg *sharedConfig) hasSSOConfiguration() bool {
-	switch {
-	case len(cfg.SSOAccountID) != 0:
-	case len(cfg.SSORegion) != 0:
-	case len(cfg.SSORoleName) != 0:
-	case len(cfg.SSOStartURL) != 0:
-	default:
-		return false
+	return cfg.hasSSOTokenProviderConfiguration() || cfg.hasLegacySSOConfiguration()
+}
+
+func (c *sharedConfig) hasSSOTokenProviderConfiguration() bool {
+	return len(c.SSOSessionName) > 0
+}
+
+func (c *sharedConfig) hasLegacySSOConfiguration() bool {
+	return len(c.SSORegion) > 0 || len(c.SSOAccountID) > 0 || len(c.SSOStartURL) > 0 || len(c.SSORoleName) > 0
+}
+
+func (c *sharedConfig) validateSSOTokenProviderConfiguration() error {
+	var missing []string
+
+	if len(c.SSOSessionName) == 0 {
+		missing = append(missing, ssoSessionNameKey)
 	}
-	return true
+
+	if c.SSOSession == nil {
+		missing = append(missing, ssoSectionPrefix)
+	} else {
+		if len(c.SSOSession.SSORegion) == 0 {
+			missing = append(missing, ssoRegionKey)
+		}
+
+		if len(c.SSOSession.SSOStartURL) == 0 {
+			missing = append(missing, ssoStartURL)
+		}
+	}
+
+	if len(missing) > 0 {
+		return fmt.Errorf("profile %q is configured to use SSO but is missing required configuration: %s",
+			c.Profile, strings.Join(missing, ", "))
+	}
+
+	if len(c.SSORegion) > 0 && c.SSORegion != c.SSOSession.SSORegion {
+		return fmt.Errorf("%s in profile %q must match %s in %s", ssoRegionKey, c.Profile, ssoRegionKey, ssoSectionPrefix)
+	}
+
+	if len(c.SSOStartURL) > 0 && c.SSOStartURL != c.SSOSession.SSOStartURL {
+		return fmt.Errorf("%s in profile %q must match %s in %s", ssoStartURL, c.Profile, ssoStartURL, ssoSectionPrefix)
+	}
+
+	return nil
+}
+
+func (c *sharedConfig) validateLegacySSOConfiguration() error {
+	var missing []string
+
+	if len(c.SSORegion) == 0 {
+		missing = append(missing, ssoRegionKey)
+	}
+
+	if len(c.SSOStartURL) == 0 {
+		missing = append(missing, ssoStartURL)
+	}
+
+	if len(c.SSOAccountID) == 0 {
+		missing = append(missing, ssoAccountIDKey)
+	}
+
+	if len(c.SSORoleName) == 0 {
+		missing = append(missing, ssoRoleNameKey)
+	}
+
+	if len(missing) > 0 {
+		return fmt.Errorf("profile %q is configured to use SSO but is missing required configuration: %s",
+			c.Profile, strings.Join(missing, ", "))
+	}
+	return nil
 }

 func oneOrNone(bs ...bool) bool {
--- a/vendor/github.com/aws/aws-sdk-go/aws/version.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/version.go
@ -5,4 +5,4 @@ package aws
 const SDKName = "aws-sdk-go"

 // SDKVersion is the version of this SDK
-const SDKVersion = "1.44.295"
+const SDKVersion = "1.44.298"
--- a/vendor/github.com/aws/aws-sdk-go/service/kms/api.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/kms/api.go
@ -974,6 +974,9 @@ func (c *KMS) CreateGrantRequest(input *CreateGrantInput) (req *request.Request,
 //     exception represents a general failure with many possible causes. To identify
 //     the cause, see the error message that accompanies the exception.
 //
+//   - DryRunOperationException
+//     The request was rejected because the DryRun parameter was specified.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateGrant
 func (c *KMS) CreateGrant(input *CreateGrantInput) (*CreateGrantOutput, error) {
 	req, out := c.CreateGrantRequest(input)
@ -1563,6 +1566,9 @@ func (c *KMS) DecryptRequest(input *DecryptInput) (req *request.Request, output
 //     exception represents a general failure with many possible causes. To identify
 //     the cause, see the error message that accompanies the exception.
 //
+//   - DryRunOperationException
+//     The request was rejected because the DryRun parameter was specified.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Decrypt
 func (c *KMS) Decrypt(input *DecryptInput) (*DecryptOutput, error) {
 	req, out := c.DecryptRequest(input)
@ -3278,6 +3284,9 @@ func (c *KMS) EncryptRequest(input *EncryptInput) (req *request.Request, output
 //     exception represents a general failure with many possible causes. To identify
 //     the cause, see the error message that accompanies the exception.
 //
+//   - DryRunOperationException
+//     The request was rejected because the DryRun parameter was specified.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Encrypt
 func (c *KMS) Encrypt(input *EncryptInput) (*EncryptOutput, error) {
 	req, out := c.EncryptRequest(input)
@ -3500,6 +3509,9 @@ func (c *KMS) GenerateDataKeyRequest(input *GenerateDataKeyInput) (req *request.
 //     exception represents a general failure with many possible causes. To identify
 //     the cause, see the error message that accompanies the exception.
 //
+//   - DryRunOperationException
+//     The request was rejected because the DryRun parameter was specified.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKey
 func (c *KMS) GenerateDataKey(input *GenerateDataKeyInput) (*GenerateDataKeyOutput, error) {
 	req, out := c.GenerateDataKeyRequest(input)
@ -3716,6 +3728,9 @@ func (c *KMS) GenerateDataKeyPairRequest(input *GenerateDataKeyPairInput) (req *
 //     The request was rejected because a specified parameter is not supported or
 //     a specified resource is not valid for this operation.
 //
+//   - DryRunOperationException
+//     The request was rejected because the DryRun parameter was specified.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPair
 func (c *KMS) GenerateDataKeyPair(input *GenerateDataKeyPairInput) (*GenerateDataKeyPairOutput, error) {
 	req, out := c.GenerateDataKeyPairRequest(input)
@ -3907,6 +3922,9 @@ func (c *KMS) GenerateDataKeyPairWithoutPlaintextRequest(input *GenerateDataKeyP
 //     The request was rejected because a specified parameter is not supported or
 //     a specified resource is not valid for this operation.
 //
+//   - DryRunOperationException
+//     The request was rejected because the DryRun parameter was specified.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintext
 func (c *KMS) GenerateDataKeyPairWithoutPlaintext(input *GenerateDataKeyPairWithoutPlaintextInput) (*GenerateDataKeyPairWithoutPlaintextOutput, error) {
 	req, out := c.GenerateDataKeyPairWithoutPlaintextRequest(input)
@ -4106,6 +4124,9 @@ func (c *KMS) GenerateDataKeyWithoutPlaintextRequest(input *GenerateDataKeyWitho
 //     exception represents a general failure with many possible causes. To identify
 //     the cause, see the error message that accompanies the exception.
 //
+//   - DryRunOperationException
+//     The request was rejected because the DryRun parameter was specified.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintext
 func (c *KMS) GenerateDataKeyWithoutPlaintext(input *GenerateDataKeyWithoutPlaintextInput) (*GenerateDataKeyWithoutPlaintextOutput, error) {
 	req, out := c.GenerateDataKeyWithoutPlaintextRequest(input)
@ -4265,6 +4286,9 @@ func (c *KMS) GenerateMacRequest(input *GenerateMacInput) (req *request.Request,
 //     exception represents a general failure with many possible causes. To identify
 //     the cause, see the error message that accompanies the exception.
 //
+//   - DryRunOperationException
+//     The request was rejected because the DryRun parameter was specified.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateMac
 func (c *KMS) GenerateMac(input *GenerateMacInput) (*GenerateMacOutput, error) {
 	req, out := c.GenerateMacRequest(input)
@ -6751,6 +6775,9 @@ func (c *KMS) ReEncryptRequest(input *ReEncryptInput) (req *request.Request, out
 //     exception represents a general failure with many possible causes. To identify
 //     the cause, see the error message that accompanies the exception.
 //
+//   - DryRunOperationException
+//     The request was rejected because the DryRun parameter was specified.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncrypt
 func (c *KMS) ReEncrypt(input *ReEncryptInput) (*ReEncryptOutput, error) {
 	req, out := c.ReEncryptRequest(input)
@ -7107,6 +7134,9 @@ func (c *KMS) RetireGrantRequest(input *RetireGrantInput) (req *request.Request,
 //     exception represents a general failure with many possible causes. To identify
 //     the cause, see the error message that accompanies the exception.
 //
+//   - DryRunOperationException
+//     The request was rejected because the DryRun parameter was specified.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RetireGrant
 func (c *KMS) RetireGrant(input *RetireGrantInput) (*RetireGrantOutput, error) {
 	req, out := c.RetireGrantRequest(input)
@ -7250,6 +7280,9 @@ func (c *KMS) RevokeGrantRequest(input *RevokeGrantInput) (req *request.Request,
 //     exception represents a general failure with many possible causes. To identify
 //     the cause, see the error message that accompanies the exception.
 //
+//   - DryRunOperationException
+//     The request was rejected because the DryRun parameter was specified.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RevokeGrant
 func (c *KMS) RevokeGrant(input *RevokeGrantInput) (*RevokeGrantOutput, error) {
 	req, out := c.RevokeGrantRequest(input)
@ -7328,9 +7361,8 @@ func (c *KMS) ScheduleKeyDeletionRequest(input *ScheduleKeyDeletionInput) (req *
 // Deleting a KMS key is a destructive and potentially dangerous operation.
 // When a KMS key is deleted, all data that was encrypted under the KMS key
 // is unrecoverable. (The only exception is a multi-Region replica key (kms/latest/developerguide/multi-region-keys-delete.html),
-// or an asymmetric or HMAC KMS key with imported key material[BUGBUG-link to
-// importing-keys-managing.html#import-delete-key.) To prevent the use of a
-// KMS key without deleting it, use DisableKey.
+// or an asymmetric or HMAC KMS key with imported key material (kms/latest/developerguide/importing-keys-managing.html#import-delete-key).)
+// To prevent the use of a KMS key without deleting it, use DisableKey.
 //
 // You can schedule the deletion of a multi-Region primary key and its replica
 // keys at any time. However, KMS will not delete a multi-Region primary key
@ -7598,6 +7630,9 @@ func (c *KMS) SignRequest(input *SignInput) (req *request.Request, output *SignO
 //     exception represents a general failure with many possible causes. To identify
 //     the cause, see the error message that accompanies the exception.
 //
+//   - DryRunOperationException
+//     The request was rejected because the DryRun parameter was specified.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Sign
 func (c *KMS) Sign(input *SignInput) (*SignOutput, error) {
 	req, out := c.SignRequest(input)
@ -8857,6 +8892,9 @@ func (c *KMS) VerifyRequest(input *VerifyInput) (req *request.Request, output *V
 //     verification fails when it cannot confirm that signature was produced by
 //     signing the specified message with the specified KMS key and signing algorithm.
 //
+//   - DryRunOperationException
+//     The request was rejected because the DryRun parameter was specified.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Verify
 func (c *KMS) Verify(input *VerifyInput) (*VerifyOutput, error) {
 	req, out := c.VerifyRequest(input)
@ -9015,6 +9053,9 @@ func (c *KMS) VerifyMacRequest(input *VerifyMacInput) (req *request.Request, out
 //     exception represents a general failure with many possible causes. To identify
 //     the cause, see the error message that accompanies the exception.
 //
+//   - DryRunOperationException
+//     The request was rejected because the DryRun parameter was specified.
+//
 // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyMac
 func (c *KMS) VerifyMac(input *VerifyMacInput) (*VerifyMacOutput, error) {
 	req, out := c.VerifyMacRequest(input)
@ -10165,6 +10206,13 @@ type CreateGrantInput struct {
 	// in the Key Management Service Developer Guide .
 	Constraints *GrantConstraints `type:"structure"`

+	// Checks if your request will succeed. DryRun is an optional parameter.
+	//
+	// To learn more about how to use this parameter, see Testing your KMS API calls
+	// (https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html)
+	// in the Key Management Service Developer Guide.
+	DryRun *bool `type:"boolean"`
+
 	// A list of grant tokens.
 	//
 	// Use a grant token when your permission to call this operation comes from
@ -10303,6 +10351,12 @@ func (s *CreateGrantInput) SetConstraints(v *GrantConstraints) *CreateGrantInput
 	return s
 }

+// SetDryRun sets the DryRun field's value.
+func (s *CreateGrantInput) SetDryRun(v bool) *CreateGrantInput {
+	s.DryRun = &v
+	return s
+}
+
 // SetGrantTokens sets the GrantTokens field's value.
 func (s *CreateGrantInput) SetGrantTokens(v []*string) *CreateGrantInput {
 	s.GrantTokens = v
@ -11333,6 +11387,13 @@ type DecryptInput struct {
 	// CiphertextBlob is a required field
 	CiphertextBlob []byte `min:"1" type:"blob" required:"true"`

+	// Checks if your request will succeed. DryRun is an optional parameter.
+	//
+	// To learn more about how to use this parameter, see Testing your KMS API calls
+	// (https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html)
+	// in the Key Management Service Developer Guide.
+	DryRun *bool `type:"boolean"`
+
 	// Specifies the encryption algorithm that will be used to decrypt the ciphertext.
 	// Specify the same algorithm that was used to encrypt the data. If you specify
 	// a different algorithm, the Decrypt operation fails.
@ -11468,6 +11529,12 @@ func (s *DecryptInput) SetCiphertextBlob(v []byte) *DecryptInput {
 	return s
 }

+// SetDryRun sets the DryRun field's value.
+func (s *DecryptInput) SetDryRun(v bool) *DecryptInput {
+	s.DryRun = &v
+	return s
+}
+
 // SetEncryptionAlgorithm sets the EncryptionAlgorithm field's value.
 func (s *DecryptInput) SetEncryptionAlgorithm(v string) *DecryptInput {
 	s.EncryptionAlgorithm = &v
@ -12435,6 +12502,70 @@ func (s DisconnectCustomKeyStoreOutput) GoString() string {
 	return s.String()
 }

+// The request was rejected because the DryRun parameter was specified.
+type DryRunOperationException struct {
+	_            struct{}                  `type:"structure"`
+	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`
+
+	Message_ *string `locationName:"message" type:"string"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DryRunOperationException) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DryRunOperationException) GoString() string {
+	return s.String()
+}
+
+func newErrorDryRunOperationException(v protocol.ResponseMetadata) error {
+	return &DryRunOperationException{
+		RespMetadata: v,
+	}
+}
+
+// Code returns the exception type name.
+func (s *DryRunOperationException) Code() string {
+	return "DryRunOperationException"
+}
+
+// Message returns the exception's message.
+func (s *DryRunOperationException) Message() string {
+	if s.Message_ != nil {
+		return *s.Message_
+	}
+	return ""
+}
+
+// OrigErr always returns nil, satisfies awserr.Error interface.
+func (s *DryRunOperationException) OrigErr() error {
+	return nil
+}
+
+func (s *DryRunOperationException) Error() string {
+	return fmt.Sprintf("%s: %s", s.Code(), s.Message())
+}
+
+// Status code returns the HTTP status code for the request's response error.
+func (s *DryRunOperationException) StatusCode() int {
+	return s.RespMetadata.StatusCode
+}
+
+// RequestID returns the service's response RequestID for request.
+func (s *DryRunOperationException) RequestID() string {
+	return s.RespMetadata.RequestID
+}
+
 type EnableKeyInput struct {
 	_ struct{} `type:"structure"`

@ -12607,6 +12738,13 @@ func (s EnableKeyRotationOutput) GoString() string {
 type EncryptInput struct {
 	_ struct{} `type:"structure"`

+	// Checks if your request will succeed. DryRun is an optional parameter.
+	//
+	// To learn more about how to use this parameter, see Testing your KMS API calls
+	// (https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html)
+	// in the Key Management Service Developer Guide.
+	DryRun *bool `type:"boolean"`
+
 	// Specifies the encryption algorithm that KMS will use to encrypt the plaintext
 	// message. The algorithm must be compatible with the KMS key that you specify.
 	//
@ -12723,6 +12861,12 @@ func (s *EncryptInput) Validate() error {
 	return nil
 }

+// SetDryRun sets the DryRun field's value.
+func (s *EncryptInput) SetDryRun(v bool) *EncryptInput {
+	s.DryRun = &v
+	return s
+}
+
 // SetEncryptionAlgorithm sets the EncryptionAlgorithm field's value.
 func (s *EncryptInput) SetEncryptionAlgorithm(v string) *EncryptInput {
 	s.EncryptionAlgorithm = &v
@ -12874,6 +13018,13 @@ func (s *ExpiredImportTokenException) RequestID() string {
 type GenerateDataKeyInput struct {
 	_ struct{} `type:"structure"`

+	// Checks if your request will succeed. DryRun is an optional parameter.
+	//
+	// To learn more about how to use this parameter, see Testing your KMS API calls
+	// (https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html)
+	// in the Key Management Service Developer Guide.
+	DryRun *bool `type:"boolean"`
+
 	// Specifies the encryption context that will be used when encrypting the data
 	// key.
 	//
@ -13007,6 +13158,12 @@ func (s *GenerateDataKeyInput) Validate() error {
 	return nil
 }

+// SetDryRun sets the DryRun field's value.
+func (s *GenerateDataKeyInput) SetDryRun(v bool) *GenerateDataKeyInput {
+	s.DryRun = &v
+	return s
+}
+
 // SetEncryptionContext sets the EncryptionContext field's value.
 func (s *GenerateDataKeyInput) SetEncryptionContext(v map[string]*string) *GenerateDataKeyInput {
 	s.EncryptionContext = v
@ -13129,6 +13286,13 @@ func (s *GenerateDataKeyOutput) SetPlaintext(v []byte) *GenerateDataKeyOutput {
 type GenerateDataKeyPairInput struct {
 	_ struct{} `type:"structure"`

+	// Checks if your request will succeed. DryRun is an optional parameter.
+	//
+	// To learn more about how to use this parameter, see Testing your KMS API calls
+	// (https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html)
+	// in the Key Management Service Developer Guide.
+	DryRun *bool `type:"boolean"`
+
 	// Specifies the encryption context that will be used when encrypting the private
 	// key in the data key pair.
 	//
@ -13260,6 +13424,12 @@ func (s *GenerateDataKeyPairInput) Validate() error {
 	return nil
 }

+// SetDryRun sets the DryRun field's value.
+func (s *GenerateDataKeyPairInput) SetDryRun(v bool) *GenerateDataKeyPairInput {
+	s.DryRun = &v
+	return s
+}
+
 // SetEncryptionContext sets the EncryptionContext field's value.
 func (s *GenerateDataKeyPairInput) SetEncryptionContext(v map[string]*string) *GenerateDataKeyPairInput {
 	s.EncryptionContext = v
@ -13394,6 +13564,13 @@ func (s *GenerateDataKeyPairOutput) SetPublicKey(v []byte) *GenerateDataKeyPairO
 type GenerateDataKeyPairWithoutPlaintextInput struct {
 	_ struct{} `type:"structure"`

+	// Checks if your request will succeed. DryRun is an optional parameter.
+	//
+	// To learn more about how to use this parameter, see Testing your KMS API calls
+	// (https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html)
+	// in the Key Management Service Developer Guide.
+	DryRun *bool `type:"boolean"`
+
 	// Specifies the encryption context that will be used when encrypting the private
 	// key in the data key pair.
 	//
@ -13496,6 +13673,12 @@ func (s *GenerateDataKeyPairWithoutPlaintextInput) Validate() error {
 	return nil
 }

+// SetDryRun sets the DryRun field's value.
+func (s *GenerateDataKeyPairWithoutPlaintextInput) SetDryRun(v bool) *GenerateDataKeyPairWithoutPlaintextInput {
+	s.DryRun = &v
+	return s
+}
+
 // SetEncryptionContext sets the EncryptionContext field's value.
 func (s *GenerateDataKeyPairWithoutPlaintextInput) SetEncryptionContext(v map[string]*string) *GenerateDataKeyPairWithoutPlaintextInput {
 	s.EncryptionContext = v
@ -13586,6 +13769,13 @@ func (s *GenerateDataKeyPairWithoutPlaintextOutput) SetPublicKey(v []byte) *Gene
 type GenerateDataKeyWithoutPlaintextInput struct {
 	_ struct{} `type:"structure"`

+	// Checks if your request will succeed. DryRun is an optional parameter.
+	//
+	// To learn more about how to use this parameter, see Testing your KMS API calls
+	// (https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html)
+	// in the Key Management Service Developer Guide.
+	DryRun *bool `type:"boolean"`
+
 	// Specifies the encryption context that will be used when encrypting the data
 	// key.
 	//
@ -13686,6 +13876,12 @@ func (s *GenerateDataKeyWithoutPlaintextInput) Validate() error {
 	return nil
 }

+// SetDryRun sets the DryRun field's value.
+func (s *GenerateDataKeyWithoutPlaintextInput) SetDryRun(v bool) *GenerateDataKeyWithoutPlaintextInput {
+	s.DryRun = &v
+	return s
+}
+
 // SetEncryptionContext sets the EncryptionContext field's value.
 func (s *GenerateDataKeyWithoutPlaintextInput) SetEncryptionContext(v map[string]*string) *GenerateDataKeyWithoutPlaintextInput {
 	s.EncryptionContext = v
@ -13762,6 +13958,13 @@ func (s *GenerateDataKeyWithoutPlaintextOutput) SetKeyId(v string) *GenerateData
 type GenerateMacInput struct {
 	_ struct{} `type:"structure"`

+	// Checks if your request will succeed. DryRun is an optional parameter.
+	//
+	// To learn more about how to use this parameter, see Testing your KMS API calls
+	// (https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html)
+	// in the Key Management Service Developer Guide.
+	DryRun *bool `type:"boolean"`
+
 	// A list of grant tokens.
 	//
 	// Use a grant token when your permission to call this operation comes from
@ -13848,6 +14051,12 @@ func (s *GenerateMacInput) Validate() error {
 	return nil
 }

+// SetDryRun sets the DryRun field's value.
+func (s *GenerateMacInput) SetDryRun(v bool) *GenerateMacInput {
+	s.DryRun = &v
+	return s
+}
+
 // SetGrantTokens sets the GrantTokens field's value.
 func (s *GenerateMacInput) SetGrantTokens(v []*string) *GenerateMacInput {
 	s.GrantTokens = v
@ -17801,6 +18010,13 @@ type ReEncryptInput struct {
 	// DestinationKeyId is a required field
 	DestinationKeyId *string `min:"1" type:"string" required:"true"`

+	// Checks if your request will succeed. DryRun is an optional parameter.
+	//
+	// To learn more about how to use this parameter, see Testing your KMS API calls
+	// (https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html)
+	// in the Key Management Service Developer Guide.
+	DryRun *bool `type:"boolean"`
+
 	// A list of grant tokens.
 	//
 	// Use a grant token when your permission to call this operation comes from
@ -17935,6 +18151,12 @@ func (s *ReEncryptInput) SetDestinationKeyId(v string) *ReEncryptInput {
 	return s
 }

+// SetDryRun sets the DryRun field's value.
+func (s *ReEncryptInput) SetDryRun(v bool) *ReEncryptInput {
+	s.DryRun = &v
+	return s
+}
+
 // SetGrantTokens sets the GrantTokens field's value.
 func (s *ReEncryptInput) SetGrantTokens(v []*string) *ReEncryptInput {
 	s.GrantTokens = v
@ -18387,6 +18609,13 @@ func (s *ReplicateKeyOutput) SetReplicaTags(v []*Tag) *ReplicateKeyOutput {
 type RetireGrantInput struct {
 	_ struct{} `type:"structure"`

+	// Checks if your request will succeed. DryRun is an optional parameter.
+	//
+	// To learn more about how to use this parameter, see Testing your KMS API calls
+	// (https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html)
+	// in the Key Management Service Developer Guide.
+	DryRun *bool `type:"boolean"`
+
 	// Identifies the grant to retire. To get the grant ID, use CreateGrant, ListGrants,
 	// or ListRetirableGrants.
 	//
@ -18446,6 +18675,12 @@ func (s *RetireGrantInput) Validate() error {
 	return nil
 }

+// SetDryRun sets the DryRun field's value.
+func (s *RetireGrantInput) SetDryRun(v bool) *RetireGrantInput {
+	s.DryRun = &v
+	return s
+}
+
 // SetGrantId sets the GrantId field's value.
 func (s *RetireGrantInput) SetGrantId(v string) *RetireGrantInput {
 	s.GrantId = &v
@ -18489,6 +18724,13 @@ func (s RetireGrantOutput) GoString() string {
 type RevokeGrantInput struct {
 	_ struct{} `type:"structure"`

+	// Checks if your request will succeed. DryRun is an optional parameter.
+	//
+	// To learn more about how to use this parameter, see Testing your KMS API calls
+	// (https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html)
+	// in the Key Management Service Developer Guide.
+	DryRun *bool `type:"boolean"`
+
 	// Identifies the grant to revoke. To get the grant ID, use CreateGrant, ListGrants,
 	// or ListRetirableGrants.
 	//
@ -18553,6 +18795,12 @@ func (s *RevokeGrantInput) Validate() error {
 	return nil
 }

+// SetDryRun sets the DryRun field's value.
+func (s *RevokeGrantInput) SetDryRun(v bool) *RevokeGrantInput {
+	s.DryRun = &v
+	return s
+}
+
 // SetGrantId sets the GrantId field's value.
 func (s *RevokeGrantInput) SetGrantId(v string) *RevokeGrantInput {
 	s.GrantId = &v
@ -18614,7 +18862,7 @@ type ScheduleKeyDeletionInput struct {
 	//
 	// This value is optional. If you include a value, it must be between 7 and
 	// 30, inclusive. If you do not include a value, it defaults to 30. You can
-	// use the kms:ScheduleKeyDeletionPendingWindowInDays (https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-pending-deletion-window)
+	// use the kms:ScheduleKeyDeletionPendingWindowInDays (https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-schedule-key-deletion-pending-window-in-days)
 	// condition key to further constrain the values that principals can specify
 	// in the PendingWindowInDays parameter.
 	PendingWindowInDays *int64 `min:"1" type:"integer"`
@ -18743,6 +18991,13 @@ func (s *ScheduleKeyDeletionOutput) SetPendingWindowInDays(v int64) *ScheduleKey
 type SignInput struct {
 	_ struct{} `type:"structure"`

+	// Checks if your request will succeed. DryRun is an optional parameter.
+	//
+	// To learn more about how to use this parameter, see Testing your KMS API calls
+	// (https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html)
+	// in the Key Management Service Developer Guide.
+	DryRun *bool `type:"boolean"`
+
 	// A list of grant tokens.
 	//
 	// Use a grant token when your permission to call this operation comes from
@ -18878,6 +19133,12 @@ func (s *SignInput) Validate() error {
 	return nil
 }

+// SetDryRun sets the DryRun field's value.
+func (s *SignInput) SetDryRun(v bool) *SignInput {
+	s.DryRun = &v
+	return s
+}
+
 // SetGrantTokens sets the GrantTokens field's value.
 func (s *SignInput) SetGrantTokens(v []*string) *SignInput {
 	s.GrantTokens = v
@ -19953,6 +20214,13 @@ func (s UpdatePrimaryRegionOutput) GoString() string {
 type VerifyInput struct {
 	_ struct{} `type:"structure"`

+	// Checks if your request will succeed. DryRun is an optional parameter.
+	//
+	// To learn more about how to use this parameter, see Testing your KMS API calls
+	// (https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html)
+	// in the Key Management Service Developer Guide.
+	DryRun *bool `type:"boolean"`
+
 	// A list of grant tokens.
 	//
 	// Use a grant token when your permission to call this operation comes from
@ -20099,6 +20367,12 @@ func (s *VerifyInput) Validate() error {
 	return nil
 }

+// SetDryRun sets the DryRun field's value.
+func (s *VerifyInput) SetDryRun(v bool) *VerifyInput {
+	s.DryRun = &v
+	return s
+}
+
 // SetGrantTokens sets the GrantTokens field's value.
 func (s *VerifyInput) SetGrantTokens(v []*string) *VerifyInput {
 	s.GrantTokens = v
@ -20138,6 +20412,13 @@ func (s *VerifyInput) SetSigningAlgorithm(v string) *VerifyInput {
 type VerifyMacInput struct {
 	_ struct{} `type:"structure"`

+	// Checks if your request will succeed. DryRun is an optional parameter.
+	//
+	// To learn more about how to use this parameter, see Testing your KMS API calls
+	// (https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html)
+	// in the Key Management Service Developer Guide.
+	DryRun *bool `type:"boolean"`
+
 	// A list of grant tokens.
 	//
 	// Use a grant token when your permission to call this operation comes from
@ -20236,6 +20517,12 @@ func (s *VerifyMacInput) Validate() error {
 	return nil
 }

+// SetDryRun sets the DryRun field's value.
+func (s *VerifyMacInput) SetDryRun(v bool) *VerifyMacInput {
+	s.DryRun = &v
+	return s
+}
+
 // SetGrantTokens sets the GrantTokens field's value.
 func (s *VerifyMacInput) SetGrantTokens(v []*string) *VerifyMacInput {
 	s.GrantTokens = v
--- a/vendor/github.com/aws/aws-sdk-go/service/kms/errors.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/kms/errors.go
@ -166,6 +166,12 @@ const (
 	// The request was rejected because the specified KMS key is not enabled.
 	ErrCodeDisabledException = "DisabledException"

+	// ErrCodeDryRunOperationException for service response error code
+	// "DryRunOperationException".
+	//
+	// The request was rejected because the DryRun parameter was specified.
+	ErrCodeDryRunOperationException = "DryRunOperationException"
+
 	// ErrCodeExpiredImportTokenException for service response error code
 	// "ExpiredImportTokenException".
 	//
@ -488,6 +494,7 @@ var exceptionFromCode = map[string]func(protocol.ResponseMetadata) error{
 	"CustomKeyStoreNotFoundException":                         newErrorCustomKeyStoreNotFoundException,
 	"DependencyTimeoutException":                              newErrorDependencyTimeoutException,
 	"DisabledException":                                       newErrorDisabledException,
+	"DryRunOperationException":                                newErrorDryRunOperationException,
 	"ExpiredImportTokenException":                             newErrorExpiredImportTokenException,
 	"IncorrectKeyException":                                   newErrorIncorrectKeyException,
 	"IncorrectKeyMaterialException":                           newErrorIncorrectKeyMaterialException,
--- a/vendor/github.com/aws/aws-sdk-go/service/ssooidc/api.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/ssooidc/api.go
--- a/vendor/github.com/aws/aws-sdk-go/service/ssooidc/doc.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/ssooidc/doc.go
@ -0,0 +1,66 @@
+// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT.
+
+// Package ssooidc provides the client and types for making API
+// requests to AWS SSO OIDC.
+//
+// AWS IAM Identity Center (successor to AWS Single Sign-On) OpenID Connect
+// (OIDC) is a web service that enables a client (such as AWS CLI or a native
+// application) to register with IAM Identity Center. The service also enables
+// the client to fetch the user’s access token upon successful authentication
+// and authorization with IAM Identity Center.
+//
+// Although AWS Single Sign-On was renamed, the sso and identitystore API namespaces
+// will continue to retain their original name for backward compatibility purposes.
+// For more information, see IAM Identity Center rename (https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html#renamed).
+//
+// # Considerations for Using This Guide
+//
+// Before you begin using this guide, we recommend that you first review the
+// following important information about how the IAM Identity Center OIDC service
+// works.
+//
+//   - The IAM Identity Center OIDC service currently implements only the portions
+//     of the OAuth 2.0 Device Authorization Grant standard (https://tools.ietf.org/html/rfc8628
+//     (https://tools.ietf.org/html/rfc8628)) that are necessary to enable single
+//     sign-on authentication with the AWS CLI. Support for other OIDC flows
+//     frequently needed for native applications, such as Authorization Code
+//     Flow (+ PKCE), will be addressed in future releases.
+//
+//   - The service emits only OIDC access tokens, such that obtaining a new
+//     token (For example, token refresh) requires explicit user re-authentication.
+//
+//   - The access tokens provided by this service grant access to all AWS account
+//     entitlements assigned to an IAM Identity Center user, not just a particular
+//     application.
+//
+//   - The documentation in this guide does not describe the mechanism to convert
+//     the access token into AWS Auth (“sigv4”) credentials for use with
+//     IAM-protected AWS service endpoints. For more information, see GetRoleCredentials
+//     (https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/API_GetRoleCredentials.html)
+//     in the IAM Identity Center Portal API Reference Guide.
+//
+// For general information about IAM Identity Center, see What is IAM Identity
+// Center? (https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html)
+// in the IAM Identity Center User Guide.
+//
+// See https://docs.aws.amazon.com/goto/WebAPI/sso-oidc-2019-06-10 for more information on this service.
+//
+// See ssooidc package documentation for more information.
+// https://docs.aws.amazon.com/sdk-for-go/api/service/ssooidc/
+//
+// # Using the Client
+//
+// To contact AWS SSO OIDC with the SDK use the New function to create
+// a new service client. With that client you can make API requests to the service.
+// These clients are safe to use concurrently.
+//
+// See the SDK's documentation for more information on how to use the SDK.
+// https://docs.aws.amazon.com/sdk-for-go/api/
+//
+// See aws.Config documentation for more information on configuring SDK clients.
+// https://docs.aws.amazon.com/sdk-for-go/api/aws/#Config
+//
+// See the AWS SSO OIDC client SSOOIDC for more
+// information on creating client for this service.
+// https://docs.aws.amazon.com/sdk-for-go/api/service/ssooidc/#New
+package ssooidc
--- a/vendor/github.com/aws/aws-sdk-go/service/ssooidc/errors.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/ssooidc/errors.go
@ -0,0 +1,107 @@
+// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT.
+
+package ssooidc
+
+import (
+	"github.com/aws/aws-sdk-go/private/protocol"
+)
+
+const (
+
+	// ErrCodeAccessDeniedException for service response error code
+	// "AccessDeniedException".
+	//
+	// You do not have sufficient access to perform this action.
+	ErrCodeAccessDeniedException = "AccessDeniedException"
+
+	// ErrCodeAuthorizationPendingException for service response error code
+	// "AuthorizationPendingException".
+	//
+	// Indicates that a request to authorize a client with an access user session
+	// token is pending.
+	ErrCodeAuthorizationPendingException = "AuthorizationPendingException"
+
+	// ErrCodeExpiredTokenException for service response error code
+	// "ExpiredTokenException".
+	//
+	// Indicates that the token issued by the service is expired and is no longer
+	// valid.
+	ErrCodeExpiredTokenException = "ExpiredTokenException"
+
+	// ErrCodeInternalServerException for service response error code
+	// "InternalServerException".
+	//
+	// Indicates that an error from the service occurred while trying to process
+	// a request.
+	ErrCodeInternalServerException = "InternalServerException"
+
+	// ErrCodeInvalidClientException for service response error code
+	// "InvalidClientException".
+	//
+	// Indicates that the clientId or clientSecret in the request is invalid. For
+	// example, this can occur when a client sends an incorrect clientId or an expired
+	// clientSecret.
+	ErrCodeInvalidClientException = "InvalidClientException"
+
+	// ErrCodeInvalidClientMetadataException for service response error code
+	// "InvalidClientMetadataException".
+	//
+	// Indicates that the client information sent in the request during registration
+	// is invalid.
+	ErrCodeInvalidClientMetadataException = "InvalidClientMetadataException"
+
+	// ErrCodeInvalidGrantException for service response error code
+	// "InvalidGrantException".
+	//
+	// Indicates that a request contains an invalid grant. This can occur if a client
+	// makes a CreateToken request with an invalid grant type.
+	ErrCodeInvalidGrantException = "InvalidGrantException"
+
+	// ErrCodeInvalidRequestException for service response error code
+	// "InvalidRequestException".
+	//
+	// Indicates that something is wrong with the input to the request. For example,
+	// a required parameter might be missing or out of range.
+	ErrCodeInvalidRequestException = "InvalidRequestException"
+
+	// ErrCodeInvalidScopeException for service response error code
+	// "InvalidScopeException".
+	//
+	// Indicates that the scope provided in the request is invalid.
+	ErrCodeInvalidScopeException = "InvalidScopeException"
+
+	// ErrCodeSlowDownException for service response error code
+	// "SlowDownException".
+	//
+	// Indicates that the client is making the request too frequently and is more
+	// than the service can handle.
+	ErrCodeSlowDownException = "SlowDownException"
+
+	// ErrCodeUnauthorizedClientException for service response error code
+	// "UnauthorizedClientException".
+	//
+	// Indicates that the client is not currently authorized to make the request.
+	// This can happen when a clientId is not issued for a public client.
+	ErrCodeUnauthorizedClientException = "UnauthorizedClientException"
+
+	// ErrCodeUnsupportedGrantTypeException for service response error code
+	// "UnsupportedGrantTypeException".
+	//
+	// Indicates that the grant type in the request is not supported by the service.
+	ErrCodeUnsupportedGrantTypeException = "UnsupportedGrantTypeException"
+)
+
+var exceptionFromCode = map[string]func(protocol.ResponseMetadata) error{
+	"AccessDeniedException":          newErrorAccessDeniedException,
+	"AuthorizationPendingException":  newErrorAuthorizationPendingException,
+	"ExpiredTokenException":          newErrorExpiredTokenException,
+	"InternalServerException":        newErrorInternalServerException,
+	"InvalidClientException":         newErrorInvalidClientException,
+	"InvalidClientMetadataException": newErrorInvalidClientMetadataException,
+	"InvalidGrantException":          newErrorInvalidGrantException,
+	"InvalidRequestException":        newErrorInvalidRequestException,
+	"InvalidScopeException":          newErrorInvalidScopeException,
+	"SlowDownException":              newErrorSlowDownException,
+	"UnauthorizedClientException":    newErrorUnauthorizedClientException,
+	"UnsupportedGrantTypeException":  newErrorUnsupportedGrantTypeException,
+}
--- a/vendor/github.com/aws/aws-sdk-go/service/ssooidc/service.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/ssooidc/service.go
@ -0,0 +1,106 @@
+// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT.
+
+package ssooidc
+
+import (
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/client"
+	"github.com/aws/aws-sdk-go/aws/client/metadata"
+	"github.com/aws/aws-sdk-go/aws/request"
+	"github.com/aws/aws-sdk-go/aws/signer/v4"
+	"github.com/aws/aws-sdk-go/private/protocol"
+	"github.com/aws/aws-sdk-go/private/protocol/restjson"
+)
+
+// SSOOIDC provides the API operation methods for making requests to
+// AWS SSO OIDC. See this package's package overview docs
+// for details on the service.
+//
+// SSOOIDC methods are safe to use concurrently. It is not safe to
+// modify mutate any of the struct's properties though.
+type SSOOIDC struct {
+	*client.Client
+}
+
+// Used for custom client initialization logic
+var initClient func(*client.Client)
+
+// Used for custom request initialization logic
+var initRequest func(*request.Request)
+
+// Service information constants
+const (
+	ServiceName = "SSO OIDC" // Name of service.
+	EndpointsID = "oidc"     // ID to lookup a service endpoint with.
+	ServiceID   = "SSO OIDC" // ServiceID is a unique identifier of a specific service.
+)
+
+// New creates a new instance of the SSOOIDC client with a session.
+// If additional configuration is needed for the client instance use the optional
+// aws.Config parameter to add your extra config.
+//
+// Example:
+//
+//	mySession := session.Must(session.NewSession())
+//
+//	// Create a SSOOIDC client from just a session.
+//	svc := ssooidc.New(mySession)
+//
+//	// Create a SSOOIDC client with additional configuration
+//	svc := ssooidc.New(mySession, aws.NewConfig().WithRegion("us-west-2"))
+func New(p client.ConfigProvider, cfgs ...*aws.Config) *SSOOIDC {
+	c := p.ClientConfig(EndpointsID, cfgs...)
+	if c.SigningNameDerived || len(c.SigningName) == 0 {
+		c.SigningName = "awsssooidc"
+	}
+	return newClient(*c.Config, c.Handlers, c.PartitionID, c.Endpoint, c.SigningRegion, c.SigningName, c.ResolvedRegion)
+}
+
+// newClient creates, initializes and returns a new service client instance.
+func newClient(cfg aws.Config, handlers request.Handlers, partitionID, endpoint, signingRegion, signingName, resolvedRegion string) *SSOOIDC {
+	svc := &SSOOIDC{
+		Client: client.New(
+			cfg,
+			metadata.ClientInfo{
+				ServiceName:    ServiceName,
+				ServiceID:      ServiceID,
+				SigningName:    signingName,
+				SigningRegion:  signingRegion,
+				PartitionID:    partitionID,
+				Endpoint:       endpoint,
+				APIVersion:     "2019-06-10",
+				ResolvedRegion: resolvedRegion,
+			},
+			handlers,
+		),
+	}
+
+	// Handlers
+	svc.Handlers.Sign.PushBackNamed(v4.SignRequestHandler)
+	svc.Handlers.Build.PushBackNamed(restjson.BuildHandler)
+	svc.Handlers.Unmarshal.PushBackNamed(restjson.UnmarshalHandler)
+	svc.Handlers.UnmarshalMeta.PushBackNamed(restjson.UnmarshalMetaHandler)
+	svc.Handlers.UnmarshalError.PushBackNamed(
+		protocol.NewUnmarshalErrorHandler(restjson.NewUnmarshalTypedError(exceptionFromCode)).NamedHandler(),
+	)
+
+	// Run custom client initialization if present
+	if initClient != nil {
+		initClient(svc.Client)
+	}
+
+	return svc
+}
+
+// newRequest creates a new request for a SSOOIDC operation and runs any
+// custom request initialization.
+func (c *SSOOIDC) newRequest(op *request.Operation, params, data interface{}) *request.Request {
+	req := c.NewRequest(op, params, data)
+
+	// Run custom request initialization if present
+	if initRequest != nil {
+		initRequest(req)
+	}
+
+	return req
+}
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@ -20,9 +20,10 @@ github.com/armon/go-metrics
 # github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a
 ## explicit
 github.com/asaskevich/govalidator
-# github.com/aws/aws-sdk-go v1.44.295
+# github.com/aws/aws-sdk-go v1.44.298
 ## explicit; go 1.11
 github.com/aws/aws-sdk-go/aws
+github.com/aws/aws-sdk-go/aws/auth/bearer
 github.com/aws/aws-sdk-go/aws/awserr
 github.com/aws/aws-sdk-go/aws/awsutil
 github.com/aws/aws-sdk-go/aws/client
@ -61,6 +62,7 @@ github.com/aws/aws-sdk-go/private/protocol/xml/xmlutil
 github.com/aws/aws-sdk-go/service/kms
 github.com/aws/aws-sdk-go/service/sso
 github.com/aws/aws-sdk-go/service/sso/ssoiface
+github.com/aws/aws-sdk-go/service/ssooidc
 github.com/aws/aws-sdk-go/service/sts
 github.com/aws/aws-sdk-go/service/sts/stsiface
 # github.com/aws/aws-sdk-go-v2 v1.18.1