rebase: bump github.com/aws/aws-sdk-go-v2/service/sts

Bumps [github.com/aws/aws-sdk-go-v2/service/sts](https://github.com/aws/aws-sdk-go-v2) from 1.18.6 to 1.18.10.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.18.6...config/v1.18.10)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/sts
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

go.mod

@@ -5,7 +5,7 @@ go 1.19
 require (
 	github.com/IBM/keyprotect-go-client v0.10.0
 	github.com/aws/aws-sdk-go v1.44.249
-	github.com/aws/aws-sdk-go-v2/service/sts v1.18.6
+	github.com/aws/aws-sdk-go-v2/service/sts v1.18.10
 	github.com/ceph/ceph-csi/api v0.0.0-00010101000000-000000000000
 	// TODO: API for managing subvolume metadata and snapshot metadata requires `ceph_ci_untested` build-tag
 	github.com/ceph/go-ceph v0.21.0
@@ -50,10 +50,10 @@ require (
 require (
 	github.com/ansel1/merry v1.6.2 // indirect
 	github.com/ansel1/merry/v2 v2.0.1 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.17.6 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.18.0 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.30 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.33 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.24 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.27 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.24 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.27 // indirect
 	github.com/aws/smithy-go v1.13.5 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect

go.sum

@@ -157,16 +157,16 @@ github.com/aws/aws-sdk-go v1.25.37/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpi
 github.com/aws/aws-sdk-go v1.25.41/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aws/aws-sdk-go v1.44.249 h1:UbUvh/oYHdAD3vZjNi316M0NIupJsrqAcJckVuhaCB8=
 github.com/aws/aws-sdk-go v1.44.249/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
-github.com/aws/aws-sdk-go-v2 v1.17.6 h1:Y773UK7OBqhzi5VDXMi1zVGsoj+CVHs2eaC2bDsLwi0=
+github.com/aws/aws-sdk-go-v2 v1.18.0 h1:882kkTpSFhdgYRKVZ/VCgf7sd0ru57p2JCxz4/oN5RY=
-github.com/aws/aws-sdk-go-v2 v1.17.6/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=
+github.com/aws/aws-sdk-go-v2 v1.18.0/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.30 h1:y+8n9AGDjikyXoMBTRaHHHSaFEB8267ykmvyPodJfys=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.33 h1:kG5eQilShqmJbv11XL1VpyDbaEJzWxd4zRiCG30GSn4=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.30/go.mod h1:LUBAO3zNXQjoONBKn/kR1y0Q4cj/D02Ts0uHYjcCQLM=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.33/go.mod h1:7i0PF1ME/2eUPFcjkVIwq+DOygHEoK92t5cDqNgYbIw=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.24 h1:r+Kv+SEJquhAZXaJ7G4u44cIwXV3f8K+N482NNAzJZA=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.27 h1:vFQlirhuM8lLlpI7imKOMsjdQLuN9CPi+k44F/OFVsk=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.24/go.mod h1:gAuCezX/gob6BSMbItsSlMb6WZGV7K2+fWOvk8xBSto=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.27/go.mod h1:UrHnn3QV/d0pBZ6QBAEQcqFLf8FAzLmoUfPVIueOvoM=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.24 h1:c5qGfdbCHav6viBwiyDns3OXqhqAbGjfIB4uVu2ayhk=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.27 h1:0iKliEXAcCa2qVtRs7Ot5hItA2MsufrphbRFlz1Owxo=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.24/go.mod h1:HMA4FZG6fyib+NDo5bpIxX1EhYjrAOveZJY2YR0xrNE=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.27/go.mod h1:EOwBD4J4S5qYszS5/3DpkejfuK+Z5/1uzICfPaZLtqw=
-github.com/aws/aws-sdk-go-v2/service/sts v1.18.6 h1:rIFn5J3yDoeuKCE9sESXqM5POTAhOP1du3bv/qTL+tE=
+github.com/aws/aws-sdk-go-v2/service/sts v1.18.10 h1:6UbNM/KJhMBfOI5+lpVcJ/8OA7cBSz0O6OX37SRKlSw=
-github.com/aws/aws-sdk-go-v2/service/sts v1.18.6/go.mod h1:48WJ9l3dwP0GSHWGc5sFGGlCkuA82Mc2xnw+T6Q8aDw=
+github.com/aws/aws-sdk-go-v2/service/sts v1.18.10/go.mod h1:BgQOMsg8av8jset59jelyPW7NoZcZXLVpDsXunGDrk8=
 github.com/aws/smithy-go v1.13.5 h1:hgz0X/DX0dGqTYpGALqXJoRKRj5oQ7150i5FdTePzO8=
 github.com/aws/smithy-go v1.13.5/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
 github.com/baiyubin/aliyun-sts-go-sdk v0.0.0-20180326062324-cfa1a18b161f/go.mod h1:AuiFmCCPBSrqvVMvuqFuk0qogytodnVFVSN5CeJB8Gc=

vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go

@@ -3,4 +3,4 @@
 package aws
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.17.6"
+const goModuleVersion = "1.18.0"

vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/recursion_detection.go

@@ -0,0 +1,94 @@
+package middleware
+
+import (
+	"context"
+	"fmt"
+	"github.com/aws/smithy-go/middleware"
+	smithyhttp "github.com/aws/smithy-go/transport/http"
+	"os"
+)
+
+const envAwsLambdaFunctionName = "AWS_LAMBDA_FUNCTION_NAME"
+const envAmznTraceID = "_X_AMZN_TRACE_ID"
+const amznTraceIDHeader = "X-Amzn-Trace-Id"
+
+// AddRecursionDetection adds recursionDetection to the middleware stack
+func AddRecursionDetection(stack *middleware.Stack) error {
+	return stack.Build.Add(&RecursionDetection{}, middleware.After)
+}
+
+// RecursionDetection detects Lambda environment and sets its X-Ray trace ID to request header if absent
+// to avoid recursion invocation in Lambda
+type RecursionDetection struct{}
+
+// ID returns the middleware identifier
+func (m *RecursionDetection) ID() string {
+	return "RecursionDetection"
+}
+
+// HandleBuild detects Lambda environment and adds its trace ID to request header if absent
+func (m *RecursionDetection) HandleBuild(
+	ctx context.Context, in middleware.BuildInput, next middleware.BuildHandler,
+) (
+	out middleware.BuildOutput, metadata middleware.Metadata, err error,
+) {
+	req, ok := in.Request.(*smithyhttp.Request)
+	if !ok {
+		return out, metadata, fmt.Errorf("unknown request type %T", req)
+	}
+
+	_, hasLambdaEnv := os.LookupEnv(envAwsLambdaFunctionName)
+	xAmznTraceID, hasTraceID := os.LookupEnv(envAmznTraceID)
+	value := req.Header.Get(amznTraceIDHeader)
+	// only set the X-Amzn-Trace-Id header when it is not set initially, the
+	// current environment is Lambda and the _X_AMZN_TRACE_ID env variable exists
+	if value != "" || !hasLambdaEnv || !hasTraceID {
+		return next.HandleBuild(ctx, in)
+	}
+
+	req.Header.Set(amznTraceIDHeader, percentEncode(xAmznTraceID))
+	return next.HandleBuild(ctx, in)
+}
+
+func percentEncode(s string) string {
+	upperhex := "0123456789ABCDEF"
+	hexCount := 0
+	for i := 0; i < len(s); i++ {
+		c := s[i]
+		if shouldEncode(c) {
+			hexCount++
+		}
+	}
+
+	if hexCount == 0 {
+		return s
+	}
+
+	required := len(s) + 2*hexCount
+	t := make([]byte, required)
+	j := 0
+	for i := 0; i < len(s); i++ {
+		if c := s[i]; shouldEncode(c) {
+			t[j] = '%'
+			t[j+1] = upperhex[c>>4]
+			t[j+2] = upperhex[c&15]
+			j += 3
+		} else {
+			t[j] = c
+			j++
+		}
+	}
+	return string(t)
+}
+
+func shouldEncode(c byte) bool {
+	if 'a' <= c && c <= 'z' || 'A' <= c && c <= 'Z' || '0' <= c && c <= '9' {
+		return false
+	}
+	switch c {
+	case '-', '=', ';', ':', '+', '&', '[', ']', '{', '}', '"', '\'', ',':
+		return false
+	default:
+		return true
+	}
+}

vendor/github.com/aws/aws-sdk-go-v2/aws/retry/retryable_error.go

@@ -95,8 +95,13 @@ func (r RetryableConnectionError) IsErrorRetryable(err error) aws.Ternary {
 	var timeoutErr interface{ Timeout() bool }
 	var urlErr *url.Error
 	var netOpErr *net.OpError
+	var dnsError *net.DNSError
 
 	switch {
+	case errors.As(err, &dnsError):
+		// NXDOMAIN errors should not be retried
+		retryable = !dnsError.IsNotFound && dnsError.IsTemporary
+
 	case errors.As(err, &conErr) && conErr.ConnectionError():
 		retryable = true
 

vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/headers.go

@@ -7,6 +7,7 @@ var IgnoredHeaders = Rules{
 			"Authorization":   struct{}{},
 			"User-Agent":      struct{}{},
 			"X-Amzn-Trace-Id": struct{}{},
+			"Expect":          struct{}{},
 		},
 	},
 }

vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md

@@ -1,3 +1,15 @@
+# v1.1.33 (2023-04-24)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.1.32 (2023-04-07)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.1.31 (2023-03-21)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.1.30 (2023-03-10)
 
 * **Dependency Update**: Updated to the latest SDK module versions

vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go

@@ -3,4 +3,4 @@
 package configsources
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.1.30"
+const goModuleVersion = "1.1.33"

vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md

@@ -1,3 +1,15 @@
+# v2.4.27 (2023-04-24)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v2.4.26 (2023-04-07)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v2.4.25 (2023-03-21)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v2.4.24 (2023-03-10)
 
 * **Dependency Update**: Updated to the latest SDK module versions

vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go

@@ -3,4 +3,4 @@
 package endpoints
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "2.4.24"
+const goModuleVersion = "2.4.27"

vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/CHANGELOG.md

@@ -1,3 +1,15 @@
+# v1.9.27 (2023-04-24)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.9.26 (2023-04-07)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.9.25 (2023-03-21)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.9.24 (2023-03-10)
 
 * **Dependency Update**: Updated to the latest SDK module versions

vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/go_module_metadata.go

@@ -3,4 +3,4 @@
 package presignedurl
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.9.24"
+const goModuleVersion = "1.9.27"

vendor/github.com/aws/aws-sdk-go-v2/service/sts/CHANGELOG.md

@@ -1,3 +1,19 @@
+# v1.18.10 (2023-04-24)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.18.9 (2023-04-10)
+
+* No change notes available for this release.
+
+# v1.18.8 (2023-04-07)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.18.7 (2023-03-21)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.18.6 (2023-03-10)
 
 * **Dependency Update**: Updated to the latest SDK module versions

vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_client.go

@@ -117,7 +117,7 @@ type Options struct {
 	Retryer aws.Retryer
 
 	// The RuntimeEnvironment configuration, only populated if the DefaultsMode is set
-	// to DefaultsModeAuto and is initialized using config.LoadDefaultConfig. You
+	// to DefaultsModeAuto and is initialized using config.LoadDefaultConfig . You
 	// should not populate this structure programmatically, or rely on the values here
 	// within your applications.
 	RuntimeEnvironment aws.RuntimeEnvironment

vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRole.go

@@ -16,16 +16,13 @@ import (
 // key ID, a secret access key, and a security token. Typically, you use AssumeRole
 // within your account or for cross-account access. For a comparison of AssumeRole
 // with other API operations that produce temporary credentials, see Requesting
-// Temporary Security Credentials
+// Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
+// and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
-// and Comparing the Amazon Web Services STS API operations
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
 // in the IAM User Guide. Permissions The temporary security credentials created by
-// AssumeRole can be used to make API calls to any Amazon Web Services service with
+// AssumeRole can be used to make API calls to any Amazon Web Services service
-// the following exception: You cannot call the Amazon Web Services STS
+// with the following exception: You cannot call the Amazon Web Services STS
 // GetFederationToken or GetSessionToken API operations. (Optional) You can pass
-// inline or managed session policies
+// inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
 // to this operation. You can pass a single JSON policy document to use as an
 // inline session policy. You can also specify up to 10 managed policy Amazon
 // Resource Names (ARNs) to use as managed session policies. The plaintext that you
@@ -36,8 +33,7 @@ import (
 // credentials in subsequent Amazon Web Services API calls to access resources in
 // the account that owns the role. You cannot use session policies to grant more
 // permissions than those allowed by the identity-based policy of the role that is
-// being assumed. For more information, see Session Policies
+// being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
 // in the IAM User Guide. When you create a role, you create two policies: A role
 // trust policy that specifies who can assume the role and a permissions policy
 // that specifies what can be done with the role. You specify the trusted principal
@@ -48,37 +44,29 @@ import (
 // that access to users in the account. A user who wants to access a role in a
 // different account must also have permissions that are delegated from the user
 // account administrator. The administrator must attach a policy that allows the
-// user to call AssumeRole for the ARN of the role in the other account. To allow a
+// user to call AssumeRole for the ARN of the role in the other account. To allow
-// user to assume a role in the same account, you can do either of the
+// a user to assume a role in the same account, you can do either of the following:
-// following:
 //
-// * Attach a policy to the user that allows the user to call
+//   - Attach a policy to the user that allows the user to call AssumeRole (as long
-// AssumeRole (as long as the role's trust policy trusts the account).
+//     as the role's trust policy trusts the account).
+//   - Add the user as a principal directly in the role's trust policy.
 //
-// * Add the
+// You can do either because the role’s trust policy acts as an IAM resource-based
-// user as a principal directly in the role's trust policy.
+// policy. When a resource-based policy grants access to a principal in the same
-//
+// account, no additional identity-based policy is required. For more information
-// You can do either
+// about trust policies and resource-based policies, see IAM Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)
-// because the role’s trust policy acts as an IAM resource-based policy. When a
+// in the IAM User Guide. Tags (Optional) You can pass tag key-value pairs to your
-// resource-based policy grants access to a principal in the same account, no
-// additional identity-based policy is required. For more information about trust
-// policies and resource-based policies, see IAM Policies
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the
-// IAM User Guide. Tags (Optional) You can pass tag key-value pairs to your
 // session. These tags are called session tags. For more information about session
-// tags, see Passing Session Tags in STS
+// tags, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) in the
+// in the IAM User Guide. An administrator must grant you the permissions necessary
-// IAM User Guide. An administrator must grant you the permissions necessary to
+// to pass session tags. The administrator can also create granular permissions to
-// pass session tags. The administrator can also create granular permissions to
 // allow you to pass only specific session tags. For more information, see
-// Tutorial: Using Tags for Attribute-Based Access Control
+// Tutorial: Using Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
 // in the IAM User Guide. You can set the session tags as transitive. Transitive
-// tags persist during role chaining. For more information, see Chaining Roles with
+// tags persist during role chaining. For more information, see Chaining Roles
-// Session Tags
+// with Session Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
 // in the IAM User Guide. Using MFA with AssumeRole (Optional) You can include
-// multi-factor authentication (MFA) information when you call AssumeRole. This is
+// multi-factor authentication (MFA) information when you call AssumeRole . This is
 // useful for cross-account scenarios to ensure that the user that assumes the role
 // has been authenticated with an Amazon Web Services MFA device. In that scenario,
 // the trust policy of the role being assumed includes a condition that tests for
@@ -86,12 +74,11 @@ import (
 // request to assume the role is denied. The condition in a trust policy that tests
 // for MFA authentication might look like the following example. "Condition":
 // {"Bool": {"aws:MultiFactorAuthPresent": true}} For more information, see
-// Configuring MFA-Protected API Access
+// Configuring MFA-Protected API Access (https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html) in the
+// in the IAM User Guide guide. To use MFA with AssumeRole , you pass values for
-// IAM User Guide guide. To use MFA with AssumeRole, you pass values for the
+// the SerialNumber and TokenCode parameters. The SerialNumber value identifies
-// SerialNumber and TokenCode parameters. The SerialNumber value identifies the
+// the user's hardware or virtual MFA device. The TokenCode is the time-based
-// user's hardware or virtual MFA device. The TokenCode is the time-based one-time
+// one-time password (TOTP) that the MFA device produces.
-// password (TOTP) that the MFA device produces.
 func (c *Client) AssumeRole(ctx context.Context, params *AssumeRoleInput, optFns ...func(*Options)) (*AssumeRoleOutput, error) {
 	if params == nil {
 		params = &AssumeRoleInput{}
@@ -143,16 +130,14 @@ type AssumeRoleInput struct {
 	// maximum session duration setting for your role. However, if you assume a role
 	// using role chaining and provide a DurationSeconds parameter value greater than
 	// one hour, the operation fails. To learn how to view the maximum value for your
-	// role, see View the Maximum Session Duration Setting for a Role
+	// role, see View the Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
-	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
 	// in the IAM User Guide. By default, the value is set to 3600 seconds. The
 	// DurationSeconds parameter is separate from the duration of a console session
 	// that you might request using the returned credentials. The request to the
 	// federation endpoint for a console sign-in token takes a SessionDuration
 	// parameter that specifies the maximum length of the console session. For more
 	// information, see Creating a URL that Enables Federated Users to Access the
-	// Amazon Web Services Management Console
+	// Amazon Web Services Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
-	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
 	// in the IAM User Guide.
 	DurationSeconds *int32
 
@@ -165,8 +150,7 @@ type AssumeRoleInput struct {
 	// administrator of the trusted account. That way, only someone with the ID can
 	// assume the role, rather than everyone in the account. For more information about
 	// the external ID, see How to Use an External ID When Granting Access to Your
-	// Amazon Web Services Resources to a Third Party
+	// Amazon Web Services Resources to a Third Party (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html)
-	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html)
 	// in the IAM User Guide. The regex used to validate this parameter is a string of
 	// characters consisting of upper- and lower-case alphanumeric characters with no
 	// spaces. You can also include underscores or any of the following characters:
@@ -181,8 +165,7 @@ type AssumeRoleInput struct {
 	// access resources in the account that owns the role. You cannot use session
 	// policies to grant more permissions than those allowed by the identity-based
 	// policy of the role that is being assumed. For more information, see Session
-	// Policies
+	// Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
 	// in the IAM User Guide. The plaintext that you use for both inline and managed
 	// session policies can't exceed 2,048 characters. The JSON policy characters can
 	// be any ASCII character from the space character to the end of the valid
@@ -200,9 +183,8 @@ type AssumeRoleInput struct {
 	// the role. This parameter is optional. You can provide up to 10 managed policy
 	// ARNs. However, the plaintext that you use for both inline and managed session
 	// policies can't exceed 2,048 characters. For more information about ARNs, see
-	// Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces
+	// Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
-	// (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in
+	// in the Amazon Web Services General Reference. An Amazon Web Services conversion
-	// the Amazon Web Services General Reference. An Amazon Web Services conversion
 	// compresses the passed inline session policy, managed policy ARNs, and session
 	// tags into a packed binary format that has a separate limit. Your request can
 	// fail for this limit even if your plaintext meets the other requirements. The
@@ -214,17 +196,16 @@ type AssumeRoleInput struct {
 	// Services API calls to access resources in the account that owns the role. You
 	// cannot use session policies to grant more permissions than those allowed by the
 	// identity-based policy of the role that is being assumed. For more information,
-	// see Session Policies
+	// see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
 	// in the IAM User Guide.
 	PolicyArns []types.PolicyDescriptorType
 
-	// The identification number of the MFA device that is associated with the user who
+	// The identification number of the MFA device that is associated with the user
-	// is making the AssumeRole call. Specify this value if the trust policy of the
+	// who is making the AssumeRole call. Specify this value if the trust policy of
-	// role being assumed includes a condition that requires MFA authentication. The
+	// the role being assumed includes a condition that requires MFA authentication.
-	// value is either the serial number for a hardware device (such as GAHT12345678)
+	// The value is either the serial number for a hardware device (such as
-	// or an Amazon Resource Name (ARN) for a virtual device (such as
+	// GAHT12345678 ) or an Amazon Resource Name (ARN) for a virtual device (such as
-	// arn:aws:iam::123456789012:mfa/user). The regex used to validate this parameter
+	// arn:aws:iam::123456789012:mfa/user ). The regex used to validate this parameter
 	// is a string of characters consisting of upper- and lower-case alphanumeric
 	// characters with no spaces. You can also include underscores or any of the
 	// following characters: =,.@-
@@ -237,24 +218,21 @@ type AssumeRoleInput struct {
 	// who took actions with a role. You can use the aws:SourceIdentity condition key
 	// to further control access to Amazon Web Services resources based on the value of
 	// source identity. For more information about using source identity, see Monitor
-	// and control actions taken with assumed roles
+	// and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
-	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
 	// in the IAM User Guide. The regex used to validate this parameter is a string of
 	// characters consisting of upper- and lower-case alphanumeric characters with no
 	// spaces. You can also include underscores or any of the following characters:
-	// =,.@-. You cannot use a value that begins with the text aws:. This prefix is
+	// =,.@-. You cannot use a value that begins with the text aws: . This prefix is
 	// reserved for Amazon Web Services internal use.
 	SourceIdentity *string
 
-	// A list of session tags that you want to pass. Each session tag consists of a key
+	// A list of session tags that you want to pass. Each session tag consists of a
-	// name and an associated value. For more information about session tags, see
+	// key name and an associated value. For more information about session tags, see
-	// Tagging Amazon Web Services STS Sessions
+	// Tagging Amazon Web Services STS Sessions (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
-	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) in the
+	// in the IAM User Guide. This parameter is optional. You can pass up to 50 session
-	// IAM User Guide. This parameter is optional. You can pass up to 50 session tags.
+	// tags. The plaintext session tag keys can’t exceed 128 characters, and the values
-	// The plaintext session tag keys can’t exceed 128 characters, and the values can’t
+	// can’t exceed 256 characters. For these and additional limits, see IAM and STS
-	// exceed 256 characters. For these and additional limits, see IAM and STS
+	// Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
-	// Character Limits
-	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
 	// in the IAM User Guide. An Amazon Web Services conversion compresses the passed
 	// inline session policy, managed policy ARNs, and session tags into a packed
 	// binary format that has a separate limit. Your request can fail for this limit
@@ -264,16 +242,15 @@ type AssumeRoleInput struct {
 	// same key as a tag that is already attached to the role. When you do, session
 	// tags override a role tag with the same key. Tag key–value pairs are not case
 	// sensitive, but case is preserved. This means that you cannot have separate
-	// Department and department tag keys. Assume that the role has the
+	// Department and department tag keys. Assume that the role has the Department =
-	// Department=Marketing tag and you pass the department=engineering session tag.
+	// Marketing tag and you pass the department = engineering session tag. Department
-	// Department and department are not saved as separate tags, and the session tag
+	// and department are not saved as separate tags, and the session tag passed in
-	// passed in the request takes precedence over the role tag. Additionally, if you
+	// the request takes precedence over the role tag. Additionally, if you used
-	// used temporary credentials to perform this operation, the new session inherits
+	// temporary credentials to perform this operation, the new session inherits any
-	// any transitive session tags from the calling session. If you pass a session tag
+	// transitive session tags from the calling session. If you pass a session tag with
-	// with the same key as an inherited tag, the operation fails. To view the
+	// the same key as an inherited tag, the operation fails. To view the inherited
-	// inherited tags for a session, see the CloudTrail logs. For more information, see
+	// tags for a session, see the CloudTrail logs. For more information, see Viewing
-	// Viewing Session Tags in CloudTrail
+	// Session Tags in CloudTrail (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_ctlogs)
-	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_ctlogs)
 	// in the IAM User Guide.
 	Tags []types.Tag
 
@@ -285,11 +262,10 @@ type AssumeRoleInput struct {
 	// sequence of six numeric digits.
 	TokenCode *string
 
-	// A list of keys for session tags that you want to set as transitive. If you set a
+	// A list of keys for session tags that you want to set as transitive. If you set
-	// tag key as transitive, the corresponding key and value passes to subsequent
+	// a tag key as transitive, the corresponding key and value passes to subsequent
 	// sessions in a role chain. For more information, see Chaining Roles with Session
-	// Tags
+	// Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
-	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
 	// in the IAM User Guide. This parameter is optional. When you set session tags as
 	// transitive, the session policy and session tags packed binary limit is not
 	// affected. If you choose not to specify a transitive tag key, then no tags are
@@ -308,7 +284,7 @@ type AssumeRoleOutput struct {
 	// that you can use to refer to the resulting temporary security credentials. For
 	// example, you can reference these credentials as a principal in a resource-based
 	// policy by using the ARN or assumed role ID. The ARN and ID include the
-	// RoleSessionName that you specified when you called AssumeRole.
+	// RoleSessionName that you specified when you called AssumeRole .
 	AssumedRoleUser *types.AssumedRoleUser
 
 	// The temporary security credentials, which include an access key ID, a secret
@@ -330,8 +306,7 @@ type AssumeRoleOutput struct {
 	// who took actions with a role. You can use the aws:SourceIdentity condition key
 	// to further control access to Amazon Web Services resources based on the value of
 	// source identity. For more information about using source identity, see Monitor
-	// and control actions taken with assumed roles
+	// and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
-	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
 	// in the IAM User Guide. The regex used to validate this parameter is a string of
 	// characters consisting of upper- and lower-case alphanumeric characters with no
 	// spaces. You can also include underscores or any of the following characters:
@@ -395,6 +370,9 @@ func (c *Client) addOperationAssumeRoleMiddlewares(stack *middleware.Stack, opti
 	if err = stack.Initialize.Add(newServiceMetadataMiddleware_opAssumeRole(options.Region), middleware.Before); err != nil {
 		return err
 	}
+	if err = awsmiddleware.AddRecursionDetection(stack); err != nil {
+		return err
+	}
 	if err = addRequestIDRetrieverMiddleware(stack); err != nil {
 		return err
 	}

vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithSAML.go

@@ -15,10 +15,8 @@ import (
 // mechanism for tying an enterprise identity store or directory to role-based
 // Amazon Web Services access without user-specific credentials or configuration.
 // For a comparison of AssumeRoleWithSAML with the other API operations that
-// produce temporary credentials, see Requesting Temporary Security Credentials
+// produce temporary credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
+// and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
-// and Comparing the Amazon Web Services STS API operations
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
 // in the IAM User Guide. The temporary security credentials returned by this
 // operation consist of an access key ID, a secret access key, and a security
 // token. Applications can use these temporary security credentials to sign calls
@@ -31,15 +29,12 @@ import (
 // DurationSeconds value from 900 seconds (15 minutes) up to the maximum session
 // duration setting for the role. This setting can have a value from 1 hour to 12
 // hours. To learn how to view the maximum value for your role, see View the
-// Maximum Session Duration Setting for a Role
+// Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
 // in the IAM User Guide. The maximum session duration limit applies when you use
 // the AssumeRole* API operations or the assume-role* CLI commands. However the
 // limit does not apply when you use those operations to create a console URL. For
-// more information, see Using IAM Roles
+// more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) in the IAM
+// in the IAM User Guide. Role chaining (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining)
-// User Guide. Role chaining
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining)
 // limits your CLI or Amazon Web Services API role session to a maximum of one
 // hour. When you use the AssumeRole API operation to assume a role, you can
 // specify the duration of your role session with the DurationSeconds parameter.
@@ -50,8 +45,7 @@ import (
 // credentials created by AssumeRoleWithSAML can be used to make API calls to any
 // Amazon Web Services service with the following exception: you cannot call the
 // STS GetFederationToken or GetSessionToken API operations. (Optional) You can
-// pass inline or managed session policies
+// pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
 // to this operation. You can pass a single JSON policy document to use as an
 // inline session policy. You can also specify up to 10 managed policy Amazon
 // Resource Names (ARNs) to use as managed session policies. The plaintext that you
@@ -62,8 +56,7 @@ import (
 // credentials in subsequent Amazon Web Services API calls to access resources in
 // the account that owns the role. You cannot use session policies to grant more
 // permissions than those allowed by the identity-based policy of the role that is
-// being assumed. For more information, see Session Policies
+// being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
 // in the IAM User Guide. Calling AssumeRoleWithSAML does not require the use of
 // Amazon Web Services security credentials. The identity of the caller is
 // validated by using keys in the metadata document that is uploaded for the SAML
@@ -71,16 +64,14 @@ import (
 // result in an entry in your CloudTrail logs. The entry includes the value in the
 // NameID element of the SAML assertion. We recommend that you use a NameIDType
 // that is not associated with any personally identifiable information (PII). For
-// example, you could instead use the persistent identifier
+// example, you could instead use the persistent identifier (
-// (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent). Tags (Optional) You can
+// urn:oasis:names:tc:SAML:2.0:nameid-format:persistent ). Tags (Optional) You can
 // configure your IdP to pass attributes into your SAML assertion as session tags.
 // Each session tag consists of a key name and an associated value. For more
-// information about session tags, see Passing Session Tags in STS
+// information about session tags, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) in the
+// in the IAM User Guide. You can pass up to 50 session tags. The plaintext session
-// IAM User Guide. You can pass up to 50 session tags. The plaintext session tag
+// tag keys can’t exceed 128 characters and the values can’t exceed 256 characters.
-// keys can’t exceed 128 characters and the values can’t exceed 256 characters. For
+// For these and additional limits, see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
-// these and additional limits, see IAM and STS Character Limits
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
 // in the IAM User Guide. An Amazon Web Services conversion compresses the passed
 // inline session policy, managed policy ARNs, and session tags into a packed
 // binary format that has a separate limit. Your request can fail for this limit
@@ -91,36 +82,25 @@ import (
 // override the role's tags with the same key. An administrator must grant you the
 // permissions necessary to pass session tags. The administrator can also create
 // granular permissions to allow you to pass only specific session tags. For more
-// information, see Tutorial: Using Tags for Attribute-Based Access Control
+// information, see Tutorial: Using Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
 // in the IAM User Guide. You can set the session tags as transitive. Transitive
-// tags persist during role chaining. For more information, see Chaining Roles with
+// tags persist during role chaining. For more information, see Chaining Roles
-// Session Tags
+// with Session Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
 // in the IAM User Guide. SAML Configuration Before your application can call
-// AssumeRoleWithSAML, you must configure your SAML identity provider (IdP) to
+// AssumeRoleWithSAML , you must configure your SAML identity provider (IdP) to
 // issue the claims required by Amazon Web Services. Additionally, you must use
 // Identity and Access Management (IAM) to create a SAML provider entity in your
 // Amazon Web Services account that represents your identity provider. You must
 // also create an IAM role that specifies this SAML provider in its trust policy.
 // For more information, see the following resources:
-//
+//   - About SAML 2.0-based Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html)
-// * About SAML 2.0-based
+//     in the IAM User Guide.
-// Federation
+//   - Creating SAML Identity Providers (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html)
+//     in the IAM User Guide.
-// in the IAM User Guide.
+//   - Configuring a Relying Party and Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html)
-//
+//     in the IAM User Guide.
-// * Creating SAML Identity Providers
+//   - Creating a Role for SAML 2.0 Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)
+//     in the IAM User Guide.
-// in the IAM User Guide.
-//
-// * Configuring a Relying Party and Claims
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html)
-// in the IAM User Guide.
-//
-// * Creating a Role for SAML 2.0 Federation
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html)
-// in the IAM User Guide.
 func (c *Client) AssumeRoleWithSAML(ctx context.Context, params *AssumeRoleWithSAMLInput, optFns ...func(*Options)) (*AssumeRoleWithSAMLOutput, error) {
 	if params == nil {
 		params = &AssumeRoleWithSAMLInput{}
@@ -150,8 +130,7 @@ type AssumeRoleWithSAMLInput struct {
 	RoleArn *string
 
 	// The base64 encoded SAML authentication response provided by the IdP. For more
-	// information, see Configuring a Relying Party and Adding Claims
+	// information, see Configuring a Relying Party and Adding Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html)
-	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html)
 	// in the IAM User Guide.
 	//
 	// This member is required.
@@ -166,16 +145,14 @@ type AssumeRoleWithSAMLInput struct {
 	// than this setting, the operation fails. For example, if you specify a session
 	// duration of 12 hours, but your administrator set the maximum session duration to
 	// 6 hours, your operation fails. To learn how to view the maximum value for your
-	// role, see View the Maximum Session Duration Setting for a Role
+	// role, see View the Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
-	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
 	// in the IAM User Guide. By default, the value is set to 3600 seconds. The
 	// DurationSeconds parameter is separate from the duration of a console session
 	// that you might request using the returned credentials. The request to the
 	// federation endpoint for a console sign-in token takes a SessionDuration
 	// parameter that specifies the maximum length of the console session. For more
 	// information, see Creating a URL that Enables Federated Users to Access the
-	// Amazon Web Services Management Console
+	// Amazon Web Services Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
-	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
 	// in the IAM User Guide.
 	DurationSeconds *int32
 
@@ -187,8 +164,7 @@ type AssumeRoleWithSAMLInput struct {
 	// access resources in the account that owns the role. You cannot use session
 	// policies to grant more permissions than those allowed by the identity-based
 	// policy of the role that is being assumed. For more information, see Session
-	// Policies
+	// Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
 	// in the IAM User Guide. The plaintext that you use for both inline and managed
 	// session policies can't exceed 2,048 characters. The JSON policy characters can
 	// be any ASCII character from the space character to the end of the valid
@@ -206,9 +182,8 @@ type AssumeRoleWithSAMLInput struct {
 	// the role. This parameter is optional. You can provide up to 10 managed policy
 	// ARNs. However, the plaintext that you use for both inline and managed session
 	// policies can't exceed 2,048 characters. For more information about ARNs, see
-	// Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces
+	// Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
-	// (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in
+	// in the Amazon Web Services General Reference. An Amazon Web Services conversion
-	// the Amazon Web Services General Reference. An Amazon Web Services conversion
 	// compresses the passed inline session policy, managed policy ARNs, and session
 	// tags into a packed binary format that has a separate limit. Your request can
 	// fail for this limit even if your plaintext meets the other requirements. The
@@ -220,8 +195,7 @@ type AssumeRoleWithSAMLInput struct {
 	// Services API calls to access resources in the account that owns the role. You
 	// cannot use session policies to grant more permissions than those allowed by the
 	// identity-based policy of the role that is being assumed. For more information,
-	// see Session Policies
+	// see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
 	// in the IAM User Guide.
 	PolicyArns []types.PolicyDescriptorType
 
@@ -251,19 +225,12 @@ type AssumeRoleWithSAMLOutput struct {
 	Issuer *string
 
 	// A hash value based on the concatenation of the following:
-	//
+	//   - The Issuer response value.
-	// * The Issuer response
+	//   - The Amazon Web Services account ID.
-	// value.
+	//   - The friendly name (the last part of the ARN) of the SAML provider in IAM.
-	//
+	// The combination of NameQualifier and Subject can be used to uniquely identify a
-	// * The Amazon Web Services account ID.
+	// federated user. The following pseudocode shows how the hash value is calculated:
-	//
+	// BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP" ) )
-	// * The friendly name (the last
-	// part of the ARN) of the SAML provider in IAM.
-	//
-	// The combination of NameQualifier
-	// and Subject can be used to uniquely identify a federated user. The following
-	// pseudocode shows how the hash value is calculated: BASE64 ( SHA1 (
-	// "https://example.com/saml" + "123456789012" + "/MySAMLIdP" ) )
 	NameQualifier *string
 
 	// A percentage value that indicates the packed size of the session policies and
@@ -272,20 +239,18 @@ type AssumeRoleWithSAMLOutput struct {
 	// allowed space.
 	PackedPolicySize *int32
 
-	// The value in the SourceIdentity attribute in the SAML assertion. You can require
+	// The value in the SourceIdentity attribute in the SAML assertion. You can
-	// users to set a source identity value when they assume a role. You do this by
+	// require users to set a source identity value when they assume a role. You do
-	// using the sts:SourceIdentity condition key in a role trust policy. That way,
+	// this by using the sts:SourceIdentity condition key in a role trust policy. That
-	// actions that are taken with the role are associated with that user. After the
+	// way, actions that are taken with the role are associated with that user. After
-	// source identity is set, the value cannot be changed. It is present in the
+	// the source identity is set, the value cannot be changed. It is present in the
 	// request for all actions that are taken by the role and persists across chained
-	// role
+	// role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining)
-	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining)
 	// sessions. You can configure your SAML identity provider to use an attribute
 	// associated with your users, like user name or email, as the source identity when
-	// calling AssumeRoleWithSAML. You do this by adding an attribute to the SAML
+	// calling AssumeRoleWithSAML . You do this by adding an attribute to the SAML
 	// assertion. For more information about using source identity, see Monitor and
-	// control actions taken with assumed roles
+	// control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
-	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
 	// in the IAM User Guide. The regex used to validate this parameter is a string of
 	// characters consisting of upper- and lower-case alphanumeric characters with no
 	// spaces. You can also include underscores or any of the following characters:
@@ -297,10 +262,10 @@ type AssumeRoleWithSAMLOutput struct {
 
 	// The format of the name ID, as defined by the Format attribute in the NameID
 	// element of the SAML assertion. Typical examples of the format are transient or
-	// persistent. If the format includes the prefix
+	// persistent . If the format includes the prefix
-	// urn:oasis:names:tc:SAML:2.0:nameid-format, that prefix is removed. For example,
+	// urn:oasis:names:tc:SAML:2.0:nameid-format , that prefix is removed. For example,
-	// urn:oasis:names:tc:SAML:2.0:nameid-format:transient is returned as transient. If
+	// urn:oasis:names:tc:SAML:2.0:nameid-format:transient is returned as transient .
-	// the format includes any other prefix, the format is returned with no
+	// If the format includes any other prefix, the format is returned with no
 	// modifications.
 	SubjectType *string
 
@@ -355,6 +320,9 @@ func (c *Client) addOperationAssumeRoleWithSAMLMiddlewares(stack *middleware.Sta
 	if err = stack.Initialize.Add(newServiceMetadataMiddleware_opAssumeRoleWithSAML(options.Region), middleware.Before); err != nil {
 		return err
 	}
+	if err = awsmiddleware.AddRecursionDetection(stack); err != nil {
+		return err
+	}
 	if err = addRequestIDRetrieverMiddleware(stack); err != nil {
 		return err
 	}

vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithWebIdentity.go

@@ -14,19 +14,15 @@ import (
 // authenticated in a mobile or web application with a web identity provider.
 // Example providers include the OAuth 2.0 providers Login with Amazon and
 // Facebook, or any OpenID Connect-compatible identity provider such as Google or
-// Amazon Cognito federated identities
+// Amazon Cognito federated identities (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html)
-// (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html).
+// . For mobile applications, we recommend that you use Amazon Cognito. You can use
-// For mobile applications, we recommend that you use Amazon Cognito. You can use
+// Amazon Cognito with the Amazon Web Services SDK for iOS Developer Guide (http://aws.amazon.com/sdkforios/)
-// Amazon Cognito with the Amazon Web Services SDK for iOS Developer Guide
+// and the Amazon Web Services SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/)
-// (http://aws.amazon.com/sdkforios/) and the Amazon Web Services SDK for Android
+// to uniquely identify a user. You can also supply the user with a consistent
-// Developer Guide (http://aws.amazon.com/sdkforandroid/) to uniquely identify a
+// identity throughout the lifetime of an application. To learn more about Amazon
-// user. You can also supply the user with a consistent identity throughout the
+// Cognito, see Amazon Cognito Overview (https://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840)
-// lifetime of an application. To learn more about Amazon Cognito, see Amazon
-// Cognito Overview
-// (https://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840)
 // in Amazon Web Services SDK for Android Developer Guide and Amazon Cognito
-// Overview
+// Overview (https://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664)
-// (https://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664)
 // in the Amazon Web Services SDK for iOS Developer Guide. Calling
 // AssumeRoleWithWebIdentity does not require the use of Amazon Web Services
 // security credentials. Therefore, you can distribute an application (for example,
@@ -36,32 +32,28 @@ import (
 // Services credentials. Instead, the identity of the caller is validated by using
 // a token from the web identity provider. For a comparison of
 // AssumeRoleWithWebIdentity with the other API operations that produce temporary
-// credentials, see Requesting Temporary Security Credentials
+// credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
+// and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
-// and Comparing the Amazon Web Services STS API operations
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
 // in the IAM User Guide. The temporary security credentials returned by this API
 // consist of an access key ID, a secret access key, and a security token.
 // Applications can use these temporary security credentials to sign calls to
 // Amazon Web Services service API operations. Session Duration By default, the
-// temporary security credentials created by AssumeRoleWithWebIdentity last for one
+// temporary security credentials created by AssumeRoleWithWebIdentity last for
-// hour. However, you can use the optional DurationSeconds parameter to specify the
+// one hour. However, you can use the optional DurationSeconds parameter to
-// duration of your session. You can provide a value from 900 seconds (15 minutes)
+// specify the duration of your session. You can provide a value from 900 seconds
-// up to the maximum session duration setting for the role. This setting can have a
+// (15 minutes) up to the maximum session duration setting for the role. This
-// value from 1 hour to 12 hours. To learn how to view the maximum value for your
+// setting can have a value from 1 hour to 12 hours. To learn how to view the
-// role, see View the Maximum Session Duration Setting for a Role
+// maximum value for your role, see View the Maximum Session Duration Setting for
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
+// a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
 // in the IAM User Guide. The maximum session duration limit applies when you use
 // the AssumeRole* API operations or the assume-role* CLI commands. However the
 // limit does not apply when you use those operations to create a console URL. For
-// more information, see Using IAM Roles
+// more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) in the IAM
+// in the IAM User Guide. Permissions The temporary security credentials created by
-// User Guide. Permissions The temporary security credentials created by
 // AssumeRoleWithWebIdentity can be used to make API calls to any Amazon Web
 // Services service with the following exception: you cannot call the STS
 // GetFederationToken or GetSessionToken API operations. (Optional) You can pass
-// inline or managed session policies
+// inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
 // to this operation. You can pass a single JSON policy document to use as an
 // inline session policy. You can also specify up to 10 managed policy Amazon
 // Resource Names (ARNs) to use as managed session policies. The plaintext that you
@@ -72,17 +64,14 @@ import (
 // credentials in subsequent Amazon Web Services API calls to access resources in
 // the account that owns the role. You cannot use session policies to grant more
 // permissions than those allowed by the identity-based policy of the role that is
-// being assumed. For more information, see Session Policies
+// being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
 // in the IAM User Guide. Tags (Optional) You can configure your IdP to pass
 // attributes into your web identity token as session tags. Each session tag
 // consists of a key name and an associated value. For more information about
-// session tags, see Passing Session Tags in STS
+// session tags, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) in the
+// in the IAM User Guide. You can pass up to 50 session tags. The plaintext session
-// IAM User Guide. You can pass up to 50 session tags. The plaintext session tag
+// tag keys can’t exceed 128 characters and the values can’t exceed 256 characters.
-// keys can’t exceed 128 characters and the values can’t exceed 256 characters. For
+// For these and additional limits, see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
-// these and additional limits, see IAM and STS Character Limits
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
 // in the IAM User Guide. An Amazon Web Services conversion compresses the passed
 // inline session policy, managed policy ARNs, and session tags into a packed
 // binary format that has a separate limit. Your request can fail for this limit
@@ -93,52 +82,38 @@ import (
 // overrides the role tag with the same key. An administrator must grant you the
 // permissions necessary to pass session tags. The administrator can also create
 // granular permissions to allow you to pass only specific session tags. For more
-// information, see Tutorial: Using Tags for Attribute-Based Access Control
+// information, see Tutorial: Using Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
 // in the IAM User Guide. You can set the session tags as transitive. Transitive
-// tags persist during role chaining. For more information, see Chaining Roles with
+// tags persist during role chaining. For more information, see Chaining Roles
-// Session Tags
+// with Session Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
 // in the IAM User Guide. Identities Before your application can call
-// AssumeRoleWithWebIdentity, you must have an identity token from a supported
+// AssumeRoleWithWebIdentity , you must have an identity token from a supported
 // identity provider and create a role that the application can assume. The role
 // that your application assumes must trust the identity provider that is
 // associated with the identity token. In other words, the identity provider must
 // be specified in the role's trust policy. Calling AssumeRoleWithWebIdentity can
-// result in an entry in your CloudTrail logs. The entry includes the Subject
+// result in an entry in your CloudTrail logs. The entry includes the Subject (http://openid.net/specs/openid-connect-core-1_0.html#Claims)
-// (http://openid.net/specs/openid-connect-core-1_0.html#Claims) of the provided
+// of the provided web identity token. We recommend that you avoid using any
-// web identity token. We recommend that you avoid using any personally
+// personally identifiable information (PII) in this field. For example, you could
-// identifiable information (PII) in this field. For example, you could instead use
+// instead use a GUID or a pairwise identifier, as suggested in the OIDC
-// a GUID or a pairwise identifier, as suggested in the OIDC specification
+// specification (http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes)
-// (http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes). For more
+// . For more information about how to use web identity federation and the
-// information about how to use web identity federation and the
 // AssumeRoleWithWebIdentity API, see the following resources:
-//
+//   - Using Web Identity Federation API Operations for Mobile Apps (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html)
-// * Using Web
+//     and Federation Through a Web-based Identity Provider (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity)
-// Identity Federation API Operations for Mobile Apps
+//     .
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html)
+//   - Web Identity Federation Playground (https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/)
-// and Federation Through a Web-based Identity Provider
+//     . Walk through the process of authenticating through Login with Amazon,
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity).
+//     Facebook, or Google, getting temporary security credentials, and then using
-//
+//     those credentials to make a request to Amazon Web Services.
-// *
+//   - Amazon Web Services SDK for iOS Developer Guide (http://aws.amazon.com/sdkforios/)
-// Web Identity Federation Playground
+//     and Amazon Web Services SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/)
-// (https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/).
+//     . These toolkits contain sample apps that show how to invoke the identity
-// Walk through the process of authenticating through Login with Amazon, Facebook,
+//     providers. The toolkits then show how to use the information from these
-// or Google, getting temporary security credentials, and then using those
+//     providers to get and use temporary security credentials.
-// credentials to make a request to Amazon Web Services.
+//   - Web Identity Federation with Mobile Applications (http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications)
-//
+//     . This article discusses web identity federation and shows an example of how to
-// * Amazon Web Services SDK
+//     use web identity federation to get access to content in Amazon S3.
-// for iOS Developer Guide (http://aws.amazon.com/sdkforios/) and Amazon Web
-// Services SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/).
-// These toolkits contain sample apps that show how to invoke the identity
-// providers. The toolkits then show how to use the information from these
-// providers to get and use temporary security credentials.
-//
-// * Web Identity
-// Federation with Mobile Applications
-// (http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications).
-// This article discusses web identity federation and shows an example of how to
-// use web identity federation to get access to content in Amazon S3.
 func (c *Client) AssumeRoleWithWebIdentity(ctx context.Context, params *AssumeRoleWithWebIdentityInput, optFns ...func(*Options)) (*AssumeRoleWithWebIdentityOutput, error) {
 	if params == nil {
 		params = &AssumeRoleWithWebIdentityInput{}
@@ -187,16 +162,14 @@ type AssumeRoleWithWebIdentityInput struct {
 	// higher than this setting, the operation fails. For example, if you specify a
 	// session duration of 12 hours, but your administrator set the maximum session
 	// duration to 6 hours, your operation fails. To learn how to view the maximum
-	// value for your role, see View the Maximum Session Duration Setting for a Role
+	// value for your role, see View the Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
-	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
 	// in the IAM User Guide. By default, the value is set to 3600 seconds. The
 	// DurationSeconds parameter is separate from the duration of a console session
 	// that you might request using the returned credentials. The request to the
 	// federation endpoint for a console sign-in token takes a SessionDuration
 	// parameter that specifies the maximum length of the console session. For more
 	// information, see Creating a URL that Enables Federated Users to Access the
-	// Amazon Web Services Management Console
+	// Amazon Web Services Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
-	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
 	// in the IAM User Guide.
 	DurationSeconds *int32
 
@@ -208,8 +181,7 @@ type AssumeRoleWithWebIdentityInput struct {
 	// access resources in the account that owns the role. You cannot use session
 	// policies to grant more permissions than those allowed by the identity-based
 	// policy of the role that is being assumed. For more information, see Session
-	// Policies
+	// Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
 	// in the IAM User Guide. The plaintext that you use for both inline and managed
 	// session policies can't exceed 2,048 characters. The JSON policy characters can
 	// be any ASCII character from the space character to the end of the valid
@@ -227,9 +199,8 @@ type AssumeRoleWithWebIdentityInput struct {
 	// the role. This parameter is optional. You can provide up to 10 managed policy
 	// ARNs. However, the plaintext that you use for both inline and managed session
 	// policies can't exceed 2,048 characters. For more information about ARNs, see
-	// Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces
+	// Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
-	// (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in
+	// in the Amazon Web Services General Reference. An Amazon Web Services conversion
-	// the Amazon Web Services General Reference. An Amazon Web Services conversion
 	// compresses the passed inline session policy, managed policy ARNs, and session
 	// tags into a packed binary format that has a separate limit. Your request can
 	// fail for this limit even if your plaintext meets the other requirements. The
@@ -241,8 +212,7 @@ type AssumeRoleWithWebIdentityInput struct {
 	// Services API calls to access resources in the account that owns the role. You
 	// cannot use session policies to grant more permissions than those allowed by the
 	// identity-based policy of the role that is being assumed. For more information,
-	// see Session Policies
+	// see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
 	// in the IAM User Guide.
 	PolicyArns []types.PolicyDescriptorType
 
@@ -265,7 +235,7 @@ type AssumeRoleWithWebIdentityOutput struct {
 	// that you can use to refer to the resulting temporary security credentials. For
 	// example, you can reference these credentials as a principal in a resource-based
 	// policy by using the ARN or assumed role ID. The ARN and ID include the
-	// RoleSessionName that you specified when you called AssumeRole.
+	// RoleSessionName that you specified when you called AssumeRole .
 	AssumedRoleUser *types.AssumedRoleUser
 
 	// The intended audience (also known as client ID) of the web identity token. This
@@ -285,10 +255,10 @@ type AssumeRoleWithWebIdentityOutput struct {
 	// allowed space.
 	PackedPolicySize *int32
 
-	// The issuing authority of the web identity token presented. For OpenID Connect ID
+	// The issuing authority of the web identity token presented. For OpenID Connect
-	// tokens, this contains the value of the iss field. For OAuth 2.0 access tokens,
+	// ID tokens, this contains the value of the iss field. For OAuth 2.0 access
-	// this contains the value of the ProviderId parameter that was passed in the
+	// tokens, this contains the value of the ProviderId parameter that was passed in
-	// AssumeRoleWithWebIdentity request.
+	// the AssumeRoleWithWebIdentity request.
 	Provider *string
 
 	// The value of the source identity that is returned in the JSON web token (JWT)
@@ -297,17 +267,14 @@ type AssumeRoleWithWebIdentityOutput struct {
 	// key in a role trust policy. That way, actions that are taken with the role are
 	// associated with that user. After the source identity is set, the value cannot be
 	// changed. It is present in the request for all actions that are taken by the role
-	// and persists across chained role
+	// and persists across chained role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining)
-	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining)
 	// sessions. You can configure your identity provider to use an attribute
 	// associated with your users, like user name or email, as the source identity when
-	// calling AssumeRoleWithWebIdentity. You do this by adding a claim to the JSON web
+	// calling AssumeRoleWithWebIdentity . You do this by adding a claim to the JSON
-	// token. To learn more about OIDC tokens and claims, see Using Tokens with User
+	// web token. To learn more about OIDC tokens and claims, see Using Tokens with
-	// Pools
+	// User Pools (https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html)
-	// (https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html)
 	// in the Amazon Cognito Developer Guide. For more information about using source
-	// identity, see Monitor and control actions taken with assumed roles
+	// identity, see Monitor and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
-	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
 	// in the IAM User Guide. The regex used to validate this parameter is a string of
 	// characters consisting of upper- and lower-case alphanumeric characters with no
 	// spaces. You can also include underscores or any of the following characters:
@@ -373,6 +340,9 @@ func (c *Client) addOperationAssumeRoleWithWebIdentityMiddlewares(stack *middlew
 	if err = stack.Initialize.Add(newServiceMetadataMiddleware_opAssumeRoleWithWebIdentity(options.Region), middleware.Before); err != nil {
 		return err
 	}
+	if err = awsmiddleware.AddRecursionDetection(stack); err != nil {
+		return err
+	}
 	if err = addRequestIDRetrieverMiddleware(stack); err != nil {
 		return err
 	}

vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_DecodeAuthorizationMessage.go

@@ -22,27 +22,17 @@ import (
 // encoded because the details of the authorization status can contain privileged
 // information that the user who requested the operation should not see. To decode
 // an authorization status message, a user must be granted permissions through an
-// IAM policy
+// IAM policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) to
+// to request the DecodeAuthorizationMessage ( sts:DecodeAuthorizationMessage )
-// request the DecodeAuthorizationMessage (sts:DecodeAuthorizationMessage) action.
+// action. The decoded message includes the following type of information:
-// The decoded message includes the following type of information:
+//   - Whether the request was denied due to an explicit deny or due to the
-//
+//     absence of an explicit allow. For more information, see Determining Whether a
-// * Whether the
+//     Request is Allowed or Denied (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow)
-// request was denied due to an explicit deny or due to the absence of an explicit
+//     in the IAM User Guide.
-// allow. For more information, see Determining Whether a Request is Allowed or
+//   - The principal who made the request.
-// Denied
+//   - The requested action.
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow)
+//   - The requested resource.
-// in the IAM User Guide.
+//   - The values of condition keys in the context of the user's request.
-//
-// * The principal who made the request.
-//
-// * The requested
-// action.
-//
-// * The requested resource.
-//
-// * The values of condition keys in the
-// context of the user's request.
 func (c *Client) DecodeAuthorizationMessage(ctx context.Context, params *DecodeAuthorizationMessageInput, optFns ...func(*Options)) (*DecodeAuthorizationMessageOutput, error) {
 	if params == nil {
 		params = &DecodeAuthorizationMessageInput{}
@@ -133,6 +123,9 @@ func (c *Client) addOperationDecodeAuthorizationMessageMiddlewares(stack *middle
 	if err = stack.Initialize.Add(newServiceMetadataMiddleware_opDecodeAuthorizationMessage(options.Region), middleware.Before); err != nil {
 		return err
 	}
+	if err = awsmiddleware.AddRecursionDetection(stack); err != nil {
+		return err
+	}
 	if err = addRequestIDRetrieverMiddleware(stack); err != nil {
 		return err
 	}

vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetAccessKeyInfo.go

@@ -11,21 +11,18 @@ import (
 )
 
 // Returns the account identifier for the specified access key ID. Access keys
-// consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a
+// consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE ) and
-// secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). For
+// a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY ).
-// more information about access keys, see Managing Access Keys for IAM Users
+// For more information about access keys, see Managing Access Keys for IAM Users (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html)
 // in the IAM User Guide. When you pass an access key ID to this operation, it
 // returns the ID of the Amazon Web Services account to which the keys belong.
 // Access key IDs beginning with AKIA are long-term credentials for an IAM user or
 // the Amazon Web Services account root user. Access key IDs beginning with ASIA
 // are temporary credentials that are created using STS operations. If the account
 // in the response belongs to you, you can sign in as the root user and review your
-// root user access keys. Then, you can pull a credentials report
+// root user access keys. Then, you can pull a credentials report (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html)
 // to learn which IAM user owns the keys. To learn who requested the temporary
-// credentials for an ASIA access key, view the STS events in your CloudTrail logs
+// credentials for an ASIA access key, view the STS events in your CloudTrail logs (https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html)
 // in the IAM User Guide. This operation does not indicate the state of the access
 // key. The key might be active, inactive, or deleted. Active keys might not have
 // permissions to perform an operation. Providing a deleted access key might return
@@ -119,6 +116,9 @@ func (c *Client) addOperationGetAccessKeyInfoMiddlewares(stack *middleware.Stack
 	if err = stack.Initialize.Add(newServiceMetadataMiddleware_opGetAccessKeyInfo(options.Region), middleware.Before); err != nil {
 		return err
 	}
+	if err = awsmiddleware.AddRecursionDetection(stack); err != nil {
+		return err
+	}
 	if err = addRequestIDRetrieverMiddleware(stack); err != nil {
 		return err
 	}

vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetCallerIdentity.go

@@ -15,9 +15,8 @@ import (
 // administrator adds a policy to your IAM user or role that explicitly denies
 // access to the sts:GetCallerIdentity action, you can still perform this
 // operation. Permissions are not required because the same information is returned
-// when an IAM user or role is denied access. To view an example response, see I Am
+// when an IAM user or role is denied access. To view an example response, see I
-// Not Authorized to Perform: iam:DeleteVirtualMFADevice
+// Am Not Authorized to Perform: iam:DeleteVirtualMFADevice (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa)
 // in the IAM User Guide.
 func (c *Client) GetCallerIdentity(ctx context.Context, params *GetCallerIdentityInput, optFns ...func(*Options)) (*GetCallerIdentityOutput, error) {
 	if params == nil {
@@ -49,10 +48,9 @@ type GetCallerIdentityOutput struct {
 	// The Amazon Web Services ARN associated with the calling entity.
 	Arn *string
 
-	// The unique identifier of the calling entity. The exact value depends on the type
+	// The unique identifier of the calling entity. The exact value depends on the
-	// of entity that is making the call. The values returned are those listed in the
+	// type of entity that is making the call. The values returned are those listed in
-	// aws:userid column in the Principal table
+	// the aws:userid column in the Principal table (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable)
-	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable)
 	// found on the Policy Variables reference page in the IAM User Guide.
 	UserId *string
 
@@ -110,6 +108,9 @@ func (c *Client) addOperationGetCallerIdentityMiddlewares(stack *middleware.Stac
 	if err = stack.Initialize.Add(newServiceMetadataMiddleware_opGetCallerIdentity(options.Region), middleware.Before); err != nil {
 		return err
 	}
+	if err = awsmiddleware.AddRecursionDetection(stack); err != nil {
+		return err
+	}
 	if err = addRequestIDRetrieverMiddleware(stack); err != nil {
 		return err
 	}

vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetFederationToken.go

@@ -11,50 +11,41 @@ import (
 	smithyhttp "github.com/aws/smithy-go/transport/http"
 )
 
-// Returns a set of temporary security credentials (consisting of an access key ID,
+// Returns a set of temporary security credentials (consisting of an access key
-// a secret access key, and a security token) for a federated user. A typical use
+// ID, a secret access key, and a security token) for a federated user. A typical
-// is in a proxy application that gets temporary security credentials on behalf of
+// use is in a proxy application that gets temporary security credentials on behalf
-// distributed applications inside a corporate network. You must call the
+// of distributed applications inside a corporate network. You must call the
 // GetFederationToken operation using the long-term security credentials of an IAM
 // user. As a result, this call is appropriate in contexts where those credentials
 // can be safely stored, usually in a server-based application. For a comparison of
 // GetFederationToken with the other API operations that produce temporary
-// credentials, see Requesting Temporary Security Credentials
+// credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
+// and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
-// and Comparing the Amazon Web Services STS API operations
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
 // in the IAM User Guide. You can create a mobile-based or browser-based app that
 // can authenticate users using a web identity provider like Login with Amazon,
 // Facebook, Google, or an OpenID Connect-compatible identity provider. In this
 // case, we recommend that you use Amazon Cognito (http://aws.amazon.com/cognito/)
-// or AssumeRoleWithWebIdentity. For more information, see Federation Through a
+// or AssumeRoleWithWebIdentity . For more information, see Federation Through a
-// Web-based Identity Provider
+// Web-based Identity Provider (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity)
 // in the IAM User Guide. You can also call GetFederationToken using the security
 // credentials of an Amazon Web Services account root user, but we do not recommend
 // it. Instead, we recommend that you create an IAM user for the purpose of the
 // proxy application. Then attach a policy to the IAM user that limits federated
 // users to only the actions and resources that they need to access. For more
-// information, see IAM Best Practices
+// information, see IAM Best Practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the
+// in the IAM User Guide. Session duration The temporary credentials are valid for
-// IAM User Guide. Session duration The temporary credentials are valid for the
+// the specified duration, from 900 seconds (15 minutes) up to a maximum of 129,600
-// specified duration, from 900 seconds (15 minutes) up to a maximum of 129,600
 // seconds (36 hours). The default session duration is 43,200 seconds (12 hours).
 // Temporary credentials obtained by using the Amazon Web Services account root
 // user credentials have a maximum duration of 3,600 seconds (1 hour). Permissions
 // You can use the temporary credentials created by GetFederationToken in any
 // Amazon Web Services service with the following exceptions:
+//   - You cannot call any IAM operations using the CLI or the Amazon Web Services
+//     API. This limitation does not apply to console sessions.
+//   - You cannot call any STS operations except GetCallerIdentity .
 //
-// * You cannot call
+// You can use temporary credentials for single sign-on (SSO) to the console. You
-// any IAM operations using the CLI or the Amazon Web Services API. This limitation
+// must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-// does not apply to console sessions.
-//
-// * You cannot call any STS operations except
-// GetCallerIdentity.
-//
-// You can use temporary credentials for single sign-on (SSO)
-// to the console. You must pass an inline or managed session policy
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
 // to this operation. You can pass a single JSON policy document to use as an
 // inline session policy. You can also specify up to 10 managed policy Amazon
 // Resource Names (ARNs) to use as managed session policies. The plaintext that you
@@ -65,38 +56,33 @@ import (
 // policies and the session policies that you pass. This gives you a way to further
 // restrict the permissions for a federated user. You cannot use session policies
 // to grant more permissions than those that are defined in the permissions policy
-// of the IAM user. For more information, see Session Policies
+// of the IAM user. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
 // in the IAM User Guide. For information about using GetFederationToken to create
 // temporary security credentials, see GetFederationToken—Federation Through a
-// Custom Identity Broker
+// Custom Identity Broker (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken).
+// . You can use the credentials to access a resource that has a resource-based
-// You can use the credentials to access a resource that has a resource-based
 // policy. If that policy specifically references the federated user session in the
 // Principal element of the policy, the session has the permissions allowed by the
 // policy. These permissions are granted in addition to the permissions granted by
 // the session policies. Tags (Optional) You can pass tag key-value pairs to your
 // session. These are called session tags. For more information about session tags,
-// see Passing Session Tags in STS
+// see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) in the
+// in the IAM User Guide. You can create a mobile-based or browser-based app that
-// IAM User Guide. You can create a mobile-based or browser-based app that can
+// can authenticate users using a web identity provider like Login with Amazon,
-// authenticate users using a web identity provider like Login with Amazon,
 // Facebook, Google, or an OpenID Connect-compatible identity provider. In this
 // case, we recommend that you use Amazon Cognito (http://aws.amazon.com/cognito/)
-// or AssumeRoleWithWebIdentity. For more information, see Federation Through a
+// or AssumeRoleWithWebIdentity . For more information, see Federation Through a
-// Web-based Identity Provider
+// Web-based Identity Provider (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity)
 // in the IAM User Guide. An administrator must grant you the permissions necessary
 // to pass session tags. The administrator can also create granular permissions to
 // allow you to pass only specific session tags. For more information, see
-// Tutorial: Using Tags for Attribute-Based Access Control
+// Tutorial: Using Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
 // in the IAM User Guide. Tag key–value pairs are not case sensitive, but case is
 // preserved. This means that you cannot have separate Department and department
-// tag keys. Assume that the user that you are federating has the
+// tag keys. Assume that the user that you are federating has the Department =
-// Department=Marketing tag and you pass the department=engineering session tag.
+// Marketing tag and you pass the department = engineering session tag. Department
-// Department and department are not saved as separate tags, and the session tag
+// and department are not saved as separate tags, and the session tag passed in
-// passed in the request takes precedence over the user tag.
+// the request takes precedence over the user tag.
 func (c *Client) GetFederationToken(ctx context.Context, params *GetFederationTokenInput, optFns ...func(*Options)) (*GetFederationTokenOutput, error) {
 	if params == nil {
 		params = &GetFederationTokenInput{}
@@ -115,26 +101,27 @@ func (c *Client) GetFederationToken(ctx context.Context, params *GetFederationTo
 type GetFederationTokenInput struct {
 
 	// The name of the federated user. The name is used as an identifier for the
-	// temporary security credentials (such as Bob). For example, you can reference the
+	// temporary security credentials (such as Bob ). For example, you can reference
-	// federated user name in a resource-based policy, such as in an Amazon S3 bucket
+	// the federated user name in a resource-based policy, such as in an Amazon S3
-	// policy. The regex used to validate this parameter is a string of characters
+	// bucket policy. The regex used to validate this parameter is a string of
-	// consisting of upper- and lower-case alphanumeric characters with no spaces. You
+	// characters consisting of upper- and lower-case alphanumeric characters with no
-	// can also include underscores or any of the following characters: =,.@-
+	// spaces. You can also include underscores or any of the following characters:
+	// =,.@-
 	//
 	// This member is required.
 	Name *string
 
-	// The duration, in seconds, that the session should last. Acceptable durations for
+	// The duration, in seconds, that the session should last. Acceptable durations
-	// federation sessions range from 900 seconds (15 minutes) to 129,600 seconds (36
+	// for federation sessions range from 900 seconds (15 minutes) to 129,600 seconds
-	// hours), with 43,200 seconds (12 hours) as the default. Sessions obtained using
+	// (36 hours), with 43,200 seconds (12 hours) as the default. Sessions obtained
-	// Amazon Web Services account root user credentials are restricted to a maximum of
+	// using Amazon Web Services account root user credentials are restricted to a
-	// 3,600 seconds (one hour). If the specified duration is longer than one hour, the
+	// maximum of 3,600 seconds (one hour). If the specified duration is longer than
-	// session obtained by using root user credentials defaults to one hour.
+	// one hour, the session obtained by using root user credentials defaults to one
+	// hour.
 	DurationSeconds *int32
 
 	// An IAM policy in JSON format that you want to use as an inline session policy.
-	// You must pass an inline or managed session policy
+	// You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
 	// to this operation. You can pass a single JSON policy document to use as an
 	// inline session policy. You can also specify up to 10 managed policy Amazon
 	// Resource Names (ARNs) to use as managed session policies. This parameter is
@@ -144,8 +131,7 @@ type GetFederationTokenInput struct {
 	// session policies that you pass. This gives you a way to further restrict the
 	// permissions for a federated user. You cannot use session policies to grant more
 	// permissions than those that are defined in the permissions policy of the IAM
-	// user. For more information, see Session Policies
+	// user. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
 	// in the IAM User Guide. The resulting credentials can be used to access a
 	// resource that has a resource-based policy. If that policy specifically
 	// references the federated user session in the Principal element of the policy,
@@ -166,24 +152,21 @@ type GetFederationTokenInput struct {
 	// The Amazon Resource Names (ARNs) of the IAM managed policies that you want to
 	// use as a managed session policy. The policies must exist in the same account as
 	// the IAM user that is requesting federated access. You must pass an inline or
-	// managed session policy
+	// managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
 	// to this operation. You can pass a single JSON policy document to use as an
 	// inline session policy. You can also specify up to 10 managed policy Amazon
 	// Resource Names (ARNs) to use as managed session policies. The plaintext that you
 	// use for both inline and managed session policies can't exceed 2,048 characters.
 	// You can provide up to 10 managed policy ARNs. For more information about ARNs,
-	// see Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces
+	// see Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
-	// (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in
+	// in the Amazon Web Services General Reference. This parameter is optional.
-	// the Amazon Web Services General Reference. This parameter is optional. However,
+	// However, if you do not pass any session policies, then the resulting federated
-	// if you do not pass any session policies, then the resulting federated user
+	// user session has no permissions. When you pass session policies, the session
-	// session has no permissions. When you pass session policies, the session
 	// permissions are the intersection of the IAM user policies and the session
 	// policies that you pass. This gives you a way to further restrict the permissions
 	// for a federated user. You cannot use session policies to grant more permissions
 	// than those that are defined in the permissions policy of the IAM user. For more
-	// information, see Session Policies
+	// information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
 	// in the IAM User Guide. The resulting credentials can be used to access a
 	// resource that has a resource-based policy. If that policy specifically
 	// references the federated user session in the Principal element of the policy,
@@ -192,20 +175,18 @@ type GetFederationTokenInput struct {
 	// An Amazon Web Services conversion compresses the passed inline session policy,
 	// managed policy ARNs, and session tags into a packed binary format that has a
 	// separate limit. Your request can fail for this limit even if your plaintext
-	// meets the other requirements. The PackedPolicySize response element indicates by
+	// meets the other requirements. The PackedPolicySize response element indicates
-	// percentage how close the policies and tags for your request are to the upper
+	// by percentage how close the policies and tags for your request are to the upper
 	// size limit.
 	PolicyArns []types.PolicyDescriptorType
 
 	// A list of session tags. Each session tag consists of a key name and an
 	// associated value. For more information about session tags, see Passing Session
-	// Tags in STS
+	// Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
-	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) in the
+	// in the IAM User Guide. This parameter is optional. You can pass up to 50 session
-	// IAM User Guide. This parameter is optional. You can pass up to 50 session tags.
+	// tags. The plaintext session tag keys can’t exceed 128 characters and the values
-	// The plaintext session tag keys can’t exceed 128 characters and the values can’t
+	// can’t exceed 256 characters. For these and additional limits, see IAM and STS
-	// exceed 256 characters. For these and additional limits, see IAM and STS
+	// Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
-	// Character Limits
-	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
 	// in the IAM User Guide. An Amazon Web Services conversion compresses the passed
 	// inline session policy, managed policy ARNs, and session tags into a packed
 	// binary format that has a separate limit. Your request can fail for this limit
@@ -216,9 +197,9 @@ type GetFederationTokenInput struct {
 	// you do, session tags override a user tag with the same key. Tag key–value pairs
 	// are not case sensitive, but case is preserved. This means that you cannot have
 	// separate Department and department tag keys. Assume that the role has the
-	// Department=Marketing tag and you pass the department=engineering session tag.
+	// Department = Marketing tag and you pass the department = engineering session
-	// Department and department are not saved as separate tags, and the session tag
+	// tag. Department and department are not saved as separate tags, and the session
-	// passed in the request takes precedence over the role tag.
+	// tag passed in the request takes precedence over the role tag.
 	Tags []types.Tag
 
 	noSmithyDocumentSerde
@@ -236,7 +217,7 @@ type GetFederationTokenOutput struct {
 	Credentials *types.Credentials
 
 	// Identifiers for the federated user associated with the credentials (such as
-	// arn:aws:sts::123456789012:federated-user/Bob or 123456789012:Bob). You can use
+	// arn:aws:sts::123456789012:federated-user/Bob or 123456789012:Bob ). You can use
 	// the federated user's ARN in your resource-based policies, such as an Amazon S3
 	// bucket policy.
 	FederatedUser *types.FederatedUser
@@ -304,6 +285,9 @@ func (c *Client) addOperationGetFederationTokenMiddlewares(stack *middleware.Sta
 	if err = stack.Initialize.Add(newServiceMetadataMiddleware_opGetFederationToken(options.Region), middleware.Before); err != nil {
 		return err
 	}
+	if err = awsmiddleware.AddRecursionDetection(stack); err != nil {
+		return err
+	}
 	if err = addRequestIDRetrieverMiddleware(stack); err != nil {
 		return err
 	}

vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetSessionToken.go

@@ -11,26 +11,23 @@ import (
 	smithyhttp "github.com/aws/smithy-go/transport/http"
 )
 
-// Returns a set of temporary credentials for an Amazon Web Services account or IAM
+// Returns a set of temporary credentials for an Amazon Web Services account or
-// user. The credentials consist of an access key ID, a secret access key, and a
+// IAM user. The credentials consist of an access key ID, a secret access key, and
-// security token. Typically, you use GetSessionToken if you want to use MFA to
+// a security token. Typically, you use GetSessionToken if you want to use MFA to
 // protect programmatic calls to specific Amazon Web Services API operations like
-// Amazon EC2 StopInstances. MFA-enabled IAM users would need to call
+// Amazon EC2 StopInstances . MFA-enabled IAM users would need to call
 // GetSessionToken and submit an MFA code that is associated with their MFA device.
 // Using the temporary security credentials that are returned from the call, IAM
 // users can then make programmatic calls to API operations that require MFA
 // authentication. If you do not supply a correct MFA code, then the API returns an
 // access denied error. For a comparison of GetSessionToken with the other API
-// operations that produce temporary credentials, see Requesting Temporary Security
+// operations that produce temporary credentials, see Requesting Temporary
-// Credentials
+// Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
+// and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
-// and Comparing the Amazon Web Services STS API operations
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
 // in the IAM User Guide. No permissions are required for users to perform this
 // operation. The purpose of the sts:GetSessionToken operation is to authenticate
 // the user using MFA. You cannot use policies to control authentication
-// operations. For more information, see Permissions for GetSessionToken
+// operations. For more information, see Permissions for GetSessionToken (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getsessiontoken.html)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getsessiontoken.html)
 // in the IAM User Guide. Session Duration The GetSessionToken operation must be
 // called by using the long-term Amazon Web Services security credentials of the
 // Amazon Web Services account root user or an IAM user. Credentials that are
@@ -41,18 +38,12 @@ import (
 // (1 hour), with a default of 1 hour. Permissions The temporary security
 // credentials created by GetSessionToken can be used to make API calls to any
 // Amazon Web Services service with the following exceptions:
+//   - You cannot call any IAM API operations unless MFA authentication
+//     information is included in the request.
+//   - You cannot call any STS API except AssumeRole or GetCallerIdentity .
 //
-// * You cannot call
+// We recommend that you do not call GetSessionToken with Amazon Web Services
-// any IAM API operations unless MFA authentication information is included in the
+// account root user credentials. Instead, follow our best practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users)
-// request.
-//
-// * You cannot call any STS API except AssumeRole or
-// GetCallerIdentity.
-//
-// We recommend that you do not call GetSessionToken with
-// Amazon Web Services account root user credentials. Instead, follow our best
-// practices
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users)
 // by creating one or more IAM users, giving them the necessary permissions, and
 // using IAM users for everyday interaction with Amazon Web Services. The
 // credentials that are returned by GetSessionToken are based on permissions
@@ -62,8 +53,7 @@ import (
 // GetSessionToken is called using the credentials of an IAM user, the temporary
 // credentials have the same permissions as the IAM user. For more information
 // about using GetSessionToken to create temporary credentials, go to Temporary
-// Credentials for Users in Untrusted Environments
+// Credentials for Users in Untrusted Environments (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken)
 // in the IAM User Guide.
 func (c *Client) GetSessionToken(ctx context.Context, params *GetSessionTokenInput, optFns ...func(*Options)) (*GetSessionTokenOutput, error) {
 	if params == nil {
@@ -90,25 +80,25 @@ type GetSessionTokenInput struct {
 	// Services account owners defaults to one hour.
 	DurationSeconds *int32
 
-	// The identification number of the MFA device that is associated with the IAM user
+	// The identification number of the MFA device that is associated with the IAM
-	// who is making the GetSessionToken call. Specify this value if the IAM user has a
+	// user who is making the GetSessionToken call. Specify this value if the IAM user
-	// policy that requires MFA authentication. The value is either the serial number
+	// has a policy that requires MFA authentication. The value is either the serial
-	// for a hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN)
+	// number for a hardware device (such as GAHT12345678 ) or an Amazon Resource Name
-	// for a virtual device (such as arn:aws:iam::123456789012:mfa/user). You can find
+	// (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user ). You
-	// the device for an IAM user by going to the Amazon Web Services Management
+	// can find the device for an IAM user by going to the Amazon Web Services
-	// Console and viewing the user's security credentials. The regex used to validate
+	// Management Console and viewing the user's security credentials. The regex used
-	// this parameter is a string of characters consisting of upper- and lower-case
+	// to validate this parameter is a string of characters consisting of upper- and
-	// alphanumeric characters with no spaces. You can also include underscores or any
+	// lower-case alphanumeric characters with no spaces. You can also include
-	// of the following characters: =,.@:/-
+	// underscores or any of the following characters: =,.@:/-
 	SerialNumber *string
 
-	// The value provided by the MFA device, if MFA is required. If any policy requires
+	// The value provided by the MFA device, if MFA is required. If any policy
-	// the IAM user to submit an MFA code, specify this value. If MFA authentication is
+	// requires the IAM user to submit an MFA code, specify this value. If MFA
-	// required, the user must provide a code when requesting a set of temporary
+	// authentication is required, the user must provide a code when requesting a set
-	// security credentials. A user who fails to provide the code receives an "access
+	// of temporary security credentials. A user who fails to provide the code receives
-	// denied" response when requesting resources that require MFA authentication. The
+	// an "access denied" response when requesting resources that require MFA
-	// format for this parameter, as described by its regex pattern, is a sequence of
+	// authentication. The format for this parameter, as described by its regex
-	// six numeric digits.
+	// pattern, is a sequence of six numeric digits.
 	TokenCode *string
 
 	noSmithyDocumentSerde
@@ -179,6 +169,9 @@ func (c *Client) addOperationGetSessionTokenMiddlewares(stack *middleware.Stack,
 	if err = stack.Initialize.Add(newServiceMetadataMiddleware_opGetSessionToken(options.Region), middleware.Before); err != nil {
 		return err
 	}
+	if err = awsmiddleware.AddRecursionDetection(stack); err != nil {
+		return err
+	}
 	if err = addRequestIDRetrieverMiddleware(stack); err != nil {
 		return err
 	}

vendor/github.com/aws/aws-sdk-go-v2/service/sts/doc.go

@@ -7,6 +7,6 @@
 // temporary, limited-privilege credentials for Identity and Access Management
 // (IAM) users or for users that you authenticate (federated users). This guide
 // provides descriptions of the STS API. For more information about using this
-// service, see Temporary Security Credentials
+// service, see Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html).
+// .
 package sts

vendor/github.com/aws/aws-sdk-go-v2/service/sts/go_module_metadata.go

@@ -3,4 +3,4 @@
 package sts
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.18.6"
+const goModuleVersion = "1.18.10"

vendor/github.com/aws/aws-sdk-go-v2/service/sts/types/errors.go

@@ -183,12 +183,10 @@ func (e *MalformedPolicyDocumentException) ErrorFault() smithy.ErrorFault { retu
 // compresses the session policy document, session policy ARNs, and session tags
 // into a packed binary format that has a separate limit. The error message
 // indicates by percentage how close the policies and tags are to the upper size
-// limit. For more information, see Passing Session Tags in STS
+// limit. For more information, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) in the
+// in the IAM User Guide. You could receive this error even though you meet other
-// IAM User Guide. You could receive this error even though you meet other defined
+// defined session policy and session tag limits. For more information, see IAM
-// session policy and session tag limits. For more information, see IAM and STS
+// and STS Entity Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length)
-// Entity Character Limits
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length)
 // in the IAM User Guide.
 type PackedPolicyTooLargeException struct {
 	Message *string
@@ -215,11 +213,10 @@ func (e *PackedPolicyTooLargeException) ErrorCode() string {
 }
 func (e *PackedPolicyTooLargeException) ErrorFault() smithy.ErrorFault { return smithy.FaultClient }
 
-// STS is not activated in the requested region for the account that is being asked
+// STS is not activated in the requested region for the account that is being
-// to generate credentials. The account administrator must use the IAM console to
+// asked to generate credentials. The account administrator must use the IAM
-// activate STS in that region. For more information, see Activating and
+// console to activate STS in that region. For more information, see Activating
-// Deactivating Amazon Web Services STS in an Amazon Web Services Region
+// and Deactivating Amazon Web Services STS in an Amazon Web Services Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
 // in the IAM User Guide.
 type RegionDisabledException struct {
 	Message *string

vendor/github.com/aws/aws-sdk-go-v2/service/sts/types/types.go

@@ -13,9 +13,8 @@ type AssumedRoleUser struct {
 
 	// The ARN of the temporary security credentials that are returned from the
 	// AssumeRole action. For more information about ARNs and how to use them in
-	// policies, see IAM Identifiers
+	// policies, see IAM Identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html)
-	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html) in
+	// in the IAM User Guide.
-	// the IAM User Guide.
 	//
 	// This member is required.
 	Arn *string
@@ -62,9 +61,8 @@ type FederatedUser struct {
 
 	// The ARN that specifies the federated user that is associated with the
 	// credentials. For more information about ARNs and how to use them in policies,
-	// see IAM Identifiers
+	// see IAM Identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html)
-	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html) in
+	// in the IAM User Guide.
-	// the IAM User Guide.
 	//
 	// This member is required.
 	Arn *string
@@ -84,26 +82,23 @@ type PolicyDescriptorType struct {
 
 	// The Amazon Resource Name (ARN) of the IAM managed policy to use as a session
 	// policy for the role. For more information about ARNs, see Amazon Resource Names
-	// (ARNs) and Amazon Web Services Service Namespaces
+	// (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
-	// (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in
+	// in the Amazon Web Services General Reference.
-	// the Amazon Web Services General Reference.
 	Arn *string
 
 	noSmithyDocumentSerde
 }
 
-// You can pass custom key-value pair attributes when you assume a role or federate
+// You can pass custom key-value pair attributes when you assume a role or
-// a user. These are called session tags. You can then use the session tags to
+// federate a user. These are called session tags. You can then use the session
-// control access to resources. For more information, see Tagging Amazon Web
+// tags to control access to resources. For more information, see Tagging Amazon
-// Services STS Sessions
+// Web Services STS Sessions (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
-// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) in the
+// in the IAM User Guide.
-// IAM User Guide.
 type Tag struct {
 
 	// The key for a session tag. You can pass up to 50 session tags. The plain text
 	// session tag keys can’t exceed 128 characters. For these and additional limits,
-	// see IAM and STS Character Limits
+	// see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
-	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
 	// in the IAM User Guide.
 	//
 	// This member is required.
@@ -111,8 +106,7 @@ type Tag struct {
 
 	// The value for a session tag. You can pass up to 50 session tags. The plain text
 	// session tag values can’t exceed 256 characters. For these and additional limits,
-	// see IAM and STS Character Limits
+	// see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
-	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
 	// in the IAM User Guide.
 	//
 	// This member is required.

vendor/modules.txt

@@ -53,7 +53,7 @@ github.com/aws/aws-sdk-go/service/sso
 github.com/aws/aws-sdk-go/service/sso/ssoiface
 github.com/aws/aws-sdk-go/service/sts
 github.com/aws/aws-sdk-go/service/sts/stsiface
-# github.com/aws/aws-sdk-go-v2 v1.17.6
+# github.com/aws/aws-sdk-go-v2 v1.18.0
 ## explicit; go 1.15
 github.com/aws/aws-sdk-go-v2/aws
 github.com/aws/aws-sdk-go-v2/aws/defaults
@@ -70,16 +70,16 @@ github.com/aws/aws-sdk-go-v2/internal/sdk
 github.com/aws/aws-sdk-go-v2/internal/strings
 github.com/aws/aws-sdk-go-v2/internal/sync/singleflight
 github.com/aws/aws-sdk-go-v2/internal/timeconv
-# github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.30
+# github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.33
 ## explicit; go 1.15
 github.com/aws/aws-sdk-go-v2/internal/configsources
-# github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.24
+# github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.27
 ## explicit; go 1.15
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2
-# github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.24
+# github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.27
 ## explicit; go 1.15
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url
-# github.com/aws/aws-sdk-go-v2/service/sts v1.18.6
+# github.com/aws/aws-sdk-go-v2/service/sts v1.18.10
 ## explicit; go 1.15
 github.com/aws/aws-sdk-go-v2/service/sts
 github.com/aws/aws-sdk-go-v2/service/sts/internal/endpoints