Update aws-sdk-go dependency to v1.28.2

vendor/github.com/aws/aws-sdk-go/service/autoscaling/doc.go

@@ -4,11 +4,13 @@
 // requests to Auto Scaling.
 //
 // Amazon EC2 Auto Scaling is designed to automatically launch or terminate
-// EC2 instances based on user-defined policies, schedules, and health checks.
-// Use this service with AWS Auto Scaling, Amazon CloudWatch, and Elastic Load
-// Balancing.
+// EC2 instances based on user-defined scaling policies, scheduled actions,
+// and health checks. Use this service with AWS Auto Scaling, Amazon CloudWatch,
+// and Elastic Load Balancing.
 //
-// For more information, see the Amazon EC2 Auto Scaling User Guide (http://docs.aws.amazon.com/autoscaling/ec2/userguide/what-is-amazon-ec2-auto-scaling.html).
+// For more information, including information about granting IAM users required
+// permissions for Amazon EC2 Auto Scaling actions, see the Amazon EC2 Auto
+// Scaling User Guide (https://docs.aws.amazon.com/autoscaling/ec2/userguide/what-is-amazon-ec2-auto-scaling.html).
 //
 // See https://docs.aws.amazon.com/goto/WebAPI/autoscaling-2011-01-01 for more information on this service.
 //

vendor/github.com/aws/aws-sdk-go/service/autoscaling/errors.go

@@ -20,16 +20,16 @@ const (
 	// ErrCodeLimitExceededFault for service response error code
 	// "LimitExceeded".
 	//
-	// You have already reached a limit for your Auto Scaling resources (for example,
-	// groups, launch configurations, or lifecycle hooks). For more information,
-	// see DescribeAccountLimits.
+	// You have already reached a limit for your Amazon EC2 Auto Scaling resources
+	// (for example, Auto Scaling groups, launch configurations, or lifecycle hooks).
+	// For more information, see DescribeAccountLimits.
 	ErrCodeLimitExceededFault = "LimitExceeded"
 
 	// ErrCodeResourceContentionFault for service response error code
 	// "ResourceContention".
 	//
-	// You already have a pending update to an Auto Scaling resource (for example,
-	// a group, instance, or load balancer).
+	// You already have a pending update to an Amazon EC2 Auto Scaling resource
+	// (for example, an Auto Scaling group, instance, or load balancer).
 	ErrCodeResourceContentionFault = "ResourceContention"
 
 	// ErrCodeResourceInUseFault for service response error code

vendor/github.com/aws/aws-sdk-go/service/autoscaling/service.go

@@ -31,7 +31,7 @@ var initRequest func(*request.Request)
 const (
 	ServiceName = "autoscaling"  // Name of service.
 	EndpointsID = ServiceName    // ID to lookup a service endpoint with.
-	ServiceID   = "Auto Scaling" // ServiceID is a unique identifer of a specific service.
+	ServiceID   = "Auto Scaling" // ServiceID is a unique identifier of a specific service.
 )
 
 // New creates a new instance of the AutoScaling client with a session.
@@ -39,6 +39,8 @@ const (
 // aws.Config parameter to add your extra config.
 //
 // Example:
+//     mySession := session.Must(session.NewSession())
+//
 //     // Create a AutoScaling client from just a session.
 //     svc := autoscaling.New(mySession)
 //
@@ -46,11 +48,11 @@ const (
 //     svc := autoscaling.New(mySession, aws.NewConfig().WithRegion("us-west-2"))
 func New(p client.ConfigProvider, cfgs ...*aws.Config) *AutoScaling {
 	c := p.ClientConfig(EndpointsID, cfgs...)
-	return newClient(*c.Config, c.Handlers, c.Endpoint, c.SigningRegion, c.SigningName)
+	return newClient(*c.Config, c.Handlers, c.PartitionID, c.Endpoint, c.SigningRegion, c.SigningName)
 }
 
 // newClient creates, initializes and returns a new service client instance.
-func newClient(cfg aws.Config, handlers request.Handlers, endpoint, signingRegion, signingName string) *AutoScaling {
+func newClient(cfg aws.Config, handlers request.Handlers, partitionID, endpoint, signingRegion, signingName string) *AutoScaling {
 	svc := &AutoScaling{
 		Client: client.New(
 			cfg,
@@ -59,6 +61,7 @@ func newClient(cfg aws.Config, handlers request.Handlers, endpoint, signingRegio
 				ServiceID:     ServiceID,
 				SigningName:   signingName,
 				SigningRegion: signingRegion,
+				PartitionID:   partitionID,
 				Endpoint:      endpoint,
 				APIVersion:    "2011-01-01",
 			},

vendor/github.com/aws/aws-sdk-go/service/ec2/BUILD

@@ -21,7 +21,6 @@ go_library(
         "//vendor/github.com/aws/aws-sdk-go/aws/endpoints:go_default_library",
         "//vendor/github.com/aws/aws-sdk-go/aws/request:go_default_library",
         "//vendor/github.com/aws/aws-sdk-go/aws/signer/v4:go_default_library",
-        "//vendor/github.com/aws/aws-sdk-go/internal/sdkrand:go_default_library",
         "//vendor/github.com/aws/aws-sdk-go/private/protocol:go_default_library",
         "//vendor/github.com/aws/aws-sdk-go/private/protocol/ec2query:go_default_library",
     ],

vendor/github.com/aws/aws-sdk-go/service/ec2/customizations.go

@@ -8,65 +8,32 @@ import (
 	"github.com/aws/aws-sdk-go/aws/client"
 	"github.com/aws/aws-sdk-go/aws/endpoints"
 	"github.com/aws/aws-sdk-go/aws/request"
-	"github.com/aws/aws-sdk-go/internal/sdkrand"
 )
 
-type retryer struct {
-	client.DefaultRetryer
-}
+const (
+	// customRetryerMinRetryDelay sets min retry delay
+	customRetryerMinRetryDelay = 1 * time.Second
 
-func (d retryer) RetryRules(r *request.Request) time.Duration {
-	switch r.Operation.Name {
-	case opModifyNetworkInterfaceAttribute:
-		fallthrough
-	case opAssignPrivateIpAddresses:
-		return customRetryRule(r)
-	default:
-		return d.DefaultRetryer.RetryRules(r)
-	}
-}
-
-func customRetryRule(r *request.Request) time.Duration {
-	retryTimes := []time.Duration{
-		time.Second,
-		3 * time.Second,
-		5 * time.Second,
-	}
-
-	count := r.RetryCount
-	if count >= len(retryTimes) {
-		count = len(retryTimes) - 1
-	}
-
-	minTime := int(retryTimes[count])
-	return time.Duration(sdkrand.SeededRand.Intn(minTime) + minTime)
-}
-
-func setCustomRetryer(c *client.Client) {
-	maxRetries := aws.IntValue(c.Config.MaxRetries)
-	if c.Config.MaxRetries == nil || maxRetries == aws.UseServiceDefaultRetries {
-		maxRetries = 3
-	}
-
-	c.Retryer = retryer{
-		DefaultRetryer: client.DefaultRetryer{
-			NumMaxRetries: maxRetries,
-		},
-	}
-}
+	// customRetryerMaxRetryDelay sets max retry delay
+	customRetryerMaxRetryDelay = 8 * time.Second
+)
 
 func init() {
-	initClient = func(c *client.Client) {
-		if c.Config.Retryer == nil {
-			// Only override the retryer with a custom one if the config
-			// does not already contain a retryer
-			setCustomRetryer(c)
-		}
-	}
 	initRequest = func(r *request.Request) {
 		if r.Operation.Name == opCopySnapshot { // fill the PresignedURL parameter
 			r.Handlers.Build.PushFront(fillPresignedURL)
 		}
+
+		// only set the retryer on request if config doesn't have a retryer
+		if r.Config.Retryer == nil && (r.Operation.Name == opModifyNetworkInterfaceAttribute || r.Operation.Name == opAssignPrivateIpAddresses) {
+			r.Retryer = client.DefaultRetryer{
+				NumMaxRetries:    client.DefaultRetryerMaxNumRetries,
+				MinRetryDelay:    customRetryerMinRetryDelay,
+				MinThrottleDelay: customRetryerMinRetryDelay,
+				MaxRetryDelay:    customRetryerMaxRetryDelay,
+				MaxThrottleDelay: customRetryerMaxRetryDelay,
+			}
+		}
 	}
 }
 

vendor/github.com/aws/aws-sdk-go/service/ec2/doc.go

@@ -7,18 +7,19 @@
 // capacity in the AWS cloud. Using Amazon EC2 eliminates the need to invest
 // in hardware up front, so you can develop and deploy applications faster.
 //
-// To learn more about Amazon EC2, Amazon EBS, and Amazon VPC, see the following
-// resources:
+// To learn more, see the following resources:
 //
-//    * Amazon EC2 product page (http://aws.amazon.com/ec2)
+//    * Amazon EC2: AmazonEC2 product page (http://aws.amazon.com/ec2), Amazon
+//    EC2 documentation (http://aws.amazon.com/documentation/ec2)
 //
-//    * Amazon EC2 documentation (http://aws.amazon.com/documentation/ec2)
+//    * Amazon EBS: Amazon EBS product page (http://aws.amazon.com/ebs), Amazon
+//    EBS documentation (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html)
 //
-//    * Amazon EBS product page (http://aws.amazon.com/ebs)
+//    * Amazon VPC: Amazon VPC product page (http://aws.amazon.com/vpc), Amazon
+//    VPC documentation (http://aws.amazon.com/documentation/vpc)
 //
-//    * Amazon VPC product page (http://aws.amazon.com/vpc)
-//
-//    * Amazon VPC documentation (http://aws.amazon.com/documentation/vpc)
+//    * AWS VPN: AWS VPN product page (http://aws.amazon.com/vpn), AWS VPN documentation
+//    (http://aws.amazon.com/documentation/vpn)
 //
 // See https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15 for more information on this service.
 //

vendor/github.com/aws/aws-sdk-go/service/ec2/service.go

@@ -31,7 +31,7 @@ var initRequest func(*request.Request)
 const (
 	ServiceName = "ec2"       // Name of service.
 	EndpointsID = ServiceName // ID to lookup a service endpoint with.
-	ServiceID   = "EC2"       // ServiceID is a unique identifer of a specific service.
+	ServiceID   = "EC2"       // ServiceID is a unique identifier of a specific service.
 )
 
 // New creates a new instance of the EC2 client with a session.
@@ -39,6 +39,8 @@ const (
 // aws.Config parameter to add your extra config.
 //
 // Example:
+//     mySession := session.Must(session.NewSession())
+//
 //     // Create a EC2 client from just a session.
 //     svc := ec2.New(mySession)
 //
@@ -46,11 +48,11 @@ const (
 //     svc := ec2.New(mySession, aws.NewConfig().WithRegion("us-west-2"))
 func New(p client.ConfigProvider, cfgs ...*aws.Config) *EC2 {
 	c := p.ClientConfig(EndpointsID, cfgs...)
-	return newClient(*c.Config, c.Handlers, c.Endpoint, c.SigningRegion, c.SigningName)
+	return newClient(*c.Config, c.Handlers, c.PartitionID, c.Endpoint, c.SigningRegion, c.SigningName)
 }
 
 // newClient creates, initializes and returns a new service client instance.
-func newClient(cfg aws.Config, handlers request.Handlers, endpoint, signingRegion, signingName string) *EC2 {
+func newClient(cfg aws.Config, handlers request.Handlers, partitionID, endpoint, signingRegion, signingName string) *EC2 {
 	svc := &EC2{
 		Client: client.New(
 			cfg,
@@ -59,6 +61,7 @@ func newClient(cfg aws.Config, handlers request.Handlers, endpoint, signingRegio
 				ServiceID:     ServiceID,
 				SigningName:   signingName,
 				SigningRegion: signingRegion,
+				PartitionID:   partitionID,
 				Endpoint:      endpoint,
 				APIVersion:    "2016-11-15",
 			},

vendor/github.com/aws/aws-sdk-go/service/ec2/waiters.go

@@ -952,6 +952,57 @@ func (c *EC2) WaitUntilPasswordDataAvailableWithContext(ctx aws.Context, input *
 	return w.WaitWithContext(ctx)
 }
 
+// WaitUntilSecurityGroupExists uses the Amazon EC2 API operation
+// DescribeSecurityGroups to wait for a condition to be met before returning.
+// If the condition is not met within the max attempt window, an error will
+// be returned.
+func (c *EC2) WaitUntilSecurityGroupExists(input *DescribeSecurityGroupsInput) error {
+	return c.WaitUntilSecurityGroupExistsWithContext(aws.BackgroundContext(), input)
+}
+
+// WaitUntilSecurityGroupExistsWithContext is an extended version of WaitUntilSecurityGroupExists.
+// With the support for passing in a context and options to configure the
+// Waiter and the underlying request options.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *EC2) WaitUntilSecurityGroupExistsWithContext(ctx aws.Context, input *DescribeSecurityGroupsInput, opts ...request.WaiterOption) error {
+	w := request.Waiter{
+		Name:        "WaitUntilSecurityGroupExists",
+		MaxAttempts: 6,
+		Delay:       request.ConstantWaiterDelay(5 * time.Second),
+		Acceptors: []request.WaiterAcceptor{
+			{
+				State:   request.SuccessWaiterState,
+				Matcher: request.PathWaiterMatch, Argument: "length(SecurityGroups[].GroupId) > `0`",
+				Expected: true,
+			},
+			{
+				State:    request.RetryWaiterState,
+				Matcher:  request.ErrorWaiterMatch,
+				Expected: "InvalidGroupNotFound",
+			},
+		},
+		Logger: c.Config.Logger,
+		NewRequest: func(opts []request.Option) (*request.Request, error) {
+			var inCpy *DescribeSecurityGroupsInput
+			if input != nil {
+				tmp := *input
+				inCpy = &tmp
+			}
+			req, _ := c.DescribeSecurityGroupsRequest(inCpy)
+			req.SetContext(ctx)
+			req.ApplyOptions(opts...)
+			return req, nil
+		},
+	}
+	w.ApplyOptions(opts...)
+
+	return w.WaitWithContext(ctx)
+}
+
 // WaitUntilSnapshotCompleted uses the Amazon EC2 API operation
 // DescribeSnapshots to wait for a condition to be met before returning.
 // If the condition is not met within the max attempt window, an error will

vendor/github.com/aws/aws-sdk-go/service/ecr/BUILD

@@ -7,6 +7,7 @@ go_library(
         "doc.go",
         "errors.go",
         "service.go",
+        "waiters.go",
     ],
     importmap = "k8s.io/kubernetes/vendor/github.com/aws/aws-sdk-go/service/ecr",
     importpath = "github.com/aws/aws-sdk-go/service/ecr",

vendor/github.com/aws/aws-sdk-go/service/ecr/errors.go

@@ -2,6 +2,10 @@
 
 package ecr
 
+import (
+	"github.com/aws/aws-sdk-go/private/protocol"
+)
+
 const (
 
 	// ErrCodeEmptyUploadException for service response error code
@@ -23,6 +27,13 @@ const (
 	// The image requested does not exist in the specified repository.
 	ErrCodeImageNotFoundException = "ImageNotFoundException"
 
+	// ErrCodeImageTagAlreadyExistsException for service response error code
+	// "ImageTagAlreadyExistsException".
+	//
+	// The specified image is tagged with a tag that already exists. The repository
+	// is configured for tag immutability.
+	ErrCodeImageTagAlreadyExistsException = "ImageTagAlreadyExistsException"
+
 	// ErrCodeInvalidLayerException for service response error code
 	// "InvalidLayerException".
 	//
@@ -102,7 +113,7 @@ const (
 	//
 	// The operation did not succeed because it would have exceeded a service limit
 	// for your account. For more information, see Amazon ECR Default Service Limits
-	// (http://docs.aws.amazon.com/AmazonECR/latest/userguide/service_limits.html)
+	// (https://docs.aws.amazon.com/AmazonECR/latest/userguide/service_limits.html)
 	// in the Amazon Elastic Container Registry User Guide.
 	ErrCodeLimitExceededException = "LimitExceededException"
 
@@ -133,6 +144,13 @@ const (
 	// repository policy.
 	ErrCodeRepositoryPolicyNotFoundException = "RepositoryPolicyNotFoundException"
 
+	// ErrCodeScanNotFoundException for service response error code
+	// "ScanNotFoundException".
+	//
+	// The specified image scan could not be found. Ensure that image scanning is
+	// enabled on the repository and try again.
+	ErrCodeScanNotFoundException = "ScanNotFoundException"
+
 	// ErrCodeServerException for service response error code
 	// "ServerException".
 	//
@@ -153,3 +171,30 @@ const (
 	// this repository.
 	ErrCodeUploadNotFoundException = "UploadNotFoundException"
 )
+
+var exceptionFromCode = map[string]func(protocol.ResponseMetadata) error{
+	"EmptyUploadException":                      newErrorEmptyUploadException,
+	"ImageAlreadyExistsException":               newErrorImageAlreadyExistsException,
+	"ImageNotFoundException":                    newErrorImageNotFoundException,
+	"ImageTagAlreadyExistsException":            newErrorImageTagAlreadyExistsException,
+	"InvalidLayerException":                     newErrorInvalidLayerException,
+	"InvalidLayerPartException":                 newErrorInvalidLayerPartException,
+	"InvalidParameterException":                 newErrorInvalidParameterException,
+	"InvalidTagParameterException":              newErrorInvalidTagParameterException,
+	"LayerAlreadyExistsException":               newErrorLayerAlreadyExistsException,
+	"LayerInaccessibleException":                newErrorLayerInaccessibleException,
+	"LayerPartTooSmallException":                newErrorLayerPartTooSmallException,
+	"LayersNotFoundException":                   newErrorLayersNotFoundException,
+	"LifecyclePolicyNotFoundException":          newErrorLifecyclePolicyNotFoundException,
+	"LifecyclePolicyPreviewInProgressException": newErrorLifecyclePolicyPreviewInProgressException,
+	"LifecyclePolicyPreviewNotFoundException":   newErrorLifecyclePolicyPreviewNotFoundException,
+	"LimitExceededException":                    newErrorLimitExceededException,
+	"RepositoryAlreadyExistsException":          newErrorRepositoryAlreadyExistsException,
+	"RepositoryNotEmptyException":               newErrorRepositoryNotEmptyException,
+	"RepositoryNotFoundException":               newErrorRepositoryNotFoundException,
+	"RepositoryPolicyNotFoundException":         newErrorRepositoryPolicyNotFoundException,
+	"ScanNotFoundException":                     newErrorScanNotFoundException,
+	"ServerException":                           newErrorServerException,
+	"TooManyTagsException":                      newErrorTooManyTagsException,
+	"UploadNotFoundException":                   newErrorUploadNotFoundException,
+}

vendor/github.com/aws/aws-sdk-go/service/ecr/service.go

@@ -8,6 +8,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws/client/metadata"
 	"github.com/aws/aws-sdk-go/aws/request"
 	"github.com/aws/aws-sdk-go/aws/signer/v4"
+	"github.com/aws/aws-sdk-go/private/protocol"
 	"github.com/aws/aws-sdk-go/private/protocol/jsonrpc"
 )
 
@@ -31,7 +32,7 @@ var initRequest func(*request.Request)
 const (
 	ServiceName = "ecr"     // Name of service.
 	EndpointsID = "api.ecr" // ID to lookup a service endpoint with.
-	ServiceID   = "ECR"     // ServiceID is a unique identifer of a specific service.
+	ServiceID   = "ECR"     // ServiceID is a unique identifier of a specific service.
 )
 
 // New creates a new instance of the ECR client with a session.
@@ -39,6 +40,8 @@ const (
 // aws.Config parameter to add your extra config.
 //
 // Example:
+//     mySession := session.Must(session.NewSession())
+//
 //     // Create a ECR client from just a session.
 //     svc := ecr.New(mySession)
 //
@@ -49,11 +52,11 @@ func New(p client.ConfigProvider, cfgs ...*aws.Config) *ECR {
 	if c.SigningNameDerived || len(c.SigningName) == 0 {
 		c.SigningName = "ecr"
 	}
-	return newClient(*c.Config, c.Handlers, c.Endpoint, c.SigningRegion, c.SigningName)
+	return newClient(*c.Config, c.Handlers, c.PartitionID, c.Endpoint, c.SigningRegion, c.SigningName)
 }
 
 // newClient creates, initializes and returns a new service client instance.
-func newClient(cfg aws.Config, handlers request.Handlers, endpoint, signingRegion, signingName string) *ECR {
+func newClient(cfg aws.Config, handlers request.Handlers, partitionID, endpoint, signingRegion, signingName string) *ECR {
 	svc := &ECR{
 		Client: client.New(
 			cfg,
@@ -62,6 +65,7 @@ func newClient(cfg aws.Config, handlers request.Handlers, endpoint, signingRegio
 				ServiceID:     ServiceID,
 				SigningName:   signingName,
 				SigningRegion: signingRegion,
+				PartitionID:   partitionID,
 				Endpoint:      endpoint,
 				APIVersion:    "2015-09-21",
 				JSONVersion:   "1.1",
@@ -76,7 +80,9 @@ func newClient(cfg aws.Config, handlers request.Handlers, endpoint, signingRegio
 	svc.Handlers.Build.PushBackNamed(jsonrpc.BuildHandler)
 	svc.Handlers.Unmarshal.PushBackNamed(jsonrpc.UnmarshalHandler)
 	svc.Handlers.UnmarshalMeta.PushBackNamed(jsonrpc.UnmarshalMetaHandler)
-	svc.Handlers.UnmarshalError.PushBackNamed(jsonrpc.UnmarshalErrorHandler)
+	svc.Handlers.UnmarshalError.PushBackNamed(
+		protocol.NewUnmarshalErrorHandler(jsonrpc.NewUnmarshalTypedError(exceptionFromCode)).NamedHandler(),
+	)
 
 	// Run custom client initialization if present
 	if initClient != nil {

vendor/github.com/aws/aws-sdk-go/service/ecr/waiters.go

@@ -0,0 +1,112 @@
+// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT.
+
+package ecr
+
+import (
+	"time"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/request"
+)
+
+// WaitUntilImageScanComplete uses the Amazon ECR API operation
+// DescribeImageScanFindings to wait for a condition to be met before returning.
+// If the condition is not met within the max attempt window, an error will
+// be returned.
+func (c *ECR) WaitUntilImageScanComplete(input *DescribeImageScanFindingsInput) error {
+	return c.WaitUntilImageScanCompleteWithContext(aws.BackgroundContext(), input)
+}
+
+// WaitUntilImageScanCompleteWithContext is an extended version of WaitUntilImageScanComplete.
+// With the support for passing in a context and options to configure the
+// Waiter and the underlying request options.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *ECR) WaitUntilImageScanCompleteWithContext(ctx aws.Context, input *DescribeImageScanFindingsInput, opts ...request.WaiterOption) error {
+	w := request.Waiter{
+		Name:        "WaitUntilImageScanComplete",
+		MaxAttempts: 60,
+		Delay:       request.ConstantWaiterDelay(5 * time.Second),
+		Acceptors: []request.WaiterAcceptor{
+			{
+				State:   request.SuccessWaiterState,
+				Matcher: request.PathWaiterMatch, Argument: "imageScanStatus.status",
+				Expected: "COMPLETE",
+			},
+			{
+				State:   request.FailureWaiterState,
+				Matcher: request.PathWaiterMatch, Argument: "imageScanStatus.status",
+				Expected: "FAILED",
+			},
+		},
+		Logger: c.Config.Logger,
+		NewRequest: func(opts []request.Option) (*request.Request, error) {
+			var inCpy *DescribeImageScanFindingsInput
+			if input != nil {
+				tmp := *input
+				inCpy = &tmp
+			}
+			req, _ := c.DescribeImageScanFindingsRequest(inCpy)
+			req.SetContext(ctx)
+			req.ApplyOptions(opts...)
+			return req, nil
+		},
+	}
+	w.ApplyOptions(opts...)
+
+	return w.WaitWithContext(ctx)
+}
+
+// WaitUntilLifecyclePolicyPreviewComplete uses the Amazon ECR API operation
+// GetLifecyclePolicyPreview to wait for a condition to be met before returning.
+// If the condition is not met within the max attempt window, an error will
+// be returned.
+func (c *ECR) WaitUntilLifecyclePolicyPreviewComplete(input *GetLifecyclePolicyPreviewInput) error {
+	return c.WaitUntilLifecyclePolicyPreviewCompleteWithContext(aws.BackgroundContext(), input)
+}
+
+// WaitUntilLifecyclePolicyPreviewCompleteWithContext is an extended version of WaitUntilLifecyclePolicyPreviewComplete.
+// With the support for passing in a context and options to configure the
+// Waiter and the underlying request options.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *ECR) WaitUntilLifecyclePolicyPreviewCompleteWithContext(ctx aws.Context, input *GetLifecyclePolicyPreviewInput, opts ...request.WaiterOption) error {
+	w := request.Waiter{
+		Name:        "WaitUntilLifecyclePolicyPreviewComplete",
+		MaxAttempts: 20,
+		Delay:       request.ConstantWaiterDelay(5 * time.Second),
+		Acceptors: []request.WaiterAcceptor{
+			{
+				State:   request.SuccessWaiterState,
+				Matcher: request.PathWaiterMatch, Argument: "status",
+				Expected: "COMPLETE",
+			},
+			{
+				State:   request.FailureWaiterState,
+				Matcher: request.PathWaiterMatch, Argument: "status",
+				Expected: "FAILED",
+			},
+		},
+		Logger: c.Config.Logger,
+		NewRequest: func(opts []request.Option) (*request.Request, error) {
+			var inCpy *GetLifecyclePolicyPreviewInput
+			if input != nil {
+				tmp := *input
+				inCpy = &tmp
+			}
+			req, _ := c.GetLifecyclePolicyPreviewRequest(inCpy)
+			req.SetContext(ctx)
+			req.ApplyOptions(opts...)
+			return req, nil
+		},
+	}
+	w.ApplyOptions(opts...)
+
+	return w.WaitWithContext(ctx)
+}

vendor/github.com/aws/aws-sdk-go/service/elb/api.go

@@ -1775,7 +1775,7 @@ func (c *ELB) DescribeLoadBalancersWithContext(ctx aws.Context, input *DescribeL
 //    // Example iterating over at most 3 pages of a DescribeLoadBalancers operation.
 //    pageNum := 0
 //    err := client.DescribeLoadBalancersPages(params,
-//        func(page *DescribeLoadBalancersOutput, lastPage bool) bool {
+//        func(page *elb.DescribeLoadBalancersOutput, lastPage bool) bool {
 //            pageNum++
 //            fmt.Println(page)
 //            return pageNum <= 3
@@ -1807,10 +1807,12 @@ func (c *ELB) DescribeLoadBalancersPagesWithContext(ctx aws.Context, input *Desc
 		},
 	}
 
-	cont := true
-	for p.Next() && cont {
-		cont = fn(p.Page().(*DescribeLoadBalancersOutput), !p.HasNextPage())
+	for p.Next() {
+		if !fn(p.Page().(*DescribeLoadBalancersOutput), !p.HasNextPage()) {
+			break
+		}
 	}
+
 	return p.Err()
 }
 

vendor/github.com/aws/aws-sdk-go/service/elb/service.go

@@ -31,7 +31,7 @@ var initRequest func(*request.Request)
 const (
 	ServiceName = "elasticloadbalancing"   // Name of service.
 	EndpointsID = ServiceName              // ID to lookup a service endpoint with.
-	ServiceID   = "Elastic Load Balancing" // ServiceID is a unique identifer of a specific service.
+	ServiceID   = "Elastic Load Balancing" // ServiceID is a unique identifier of a specific service.
 )
 
 // New creates a new instance of the ELB client with a session.
@@ -39,6 +39,8 @@ const (
 // aws.Config parameter to add your extra config.
 //
 // Example:
+//     mySession := session.Must(session.NewSession())
+//
 //     // Create a ELB client from just a session.
 //     svc := elb.New(mySession)
 //
@@ -46,11 +48,11 @@ const (
 //     svc := elb.New(mySession, aws.NewConfig().WithRegion("us-west-2"))
 func New(p client.ConfigProvider, cfgs ...*aws.Config) *ELB {
 	c := p.ClientConfig(EndpointsID, cfgs...)
-	return newClient(*c.Config, c.Handlers, c.Endpoint, c.SigningRegion, c.SigningName)
+	return newClient(*c.Config, c.Handlers, c.PartitionID, c.Endpoint, c.SigningRegion, c.SigningName)
 }
 
 // newClient creates, initializes and returns a new service client instance.
-func newClient(cfg aws.Config, handlers request.Handlers, endpoint, signingRegion, signingName string) *ELB {
+func newClient(cfg aws.Config, handlers request.Handlers, partitionID, endpoint, signingRegion, signingName string) *ELB {
 	svc := &ELB{
 		Client: client.New(
 			cfg,
@@ -59,6 +61,7 @@ func newClient(cfg aws.Config, handlers request.Handlers, endpoint, signingRegio
 				ServiceID:     ServiceID,
 				SigningName:   signingName,
 				SigningRegion: signingRegion,
+				PartitionID:   partitionID,
 				Endpoint:      endpoint,
 				APIVersion:    "2012-06-01",
 			},

vendor/github.com/aws/aws-sdk-go/service/elbv2/doc.go

@@ -15,40 +15,16 @@
 // the targets.
 //
 // Elastic Load Balancing supports the following types of load balancers: Application
-// Load Balancers, Network Load Balancers, and Classic Load Balancers.
+// Load Balancers, Network Load Balancers, and Classic Load Balancers. This
+// reference covers Application Load Balancers and Network Load Balancers.
 //
 // An Application Load Balancer makes routing and load balancing decisions at
 // the application layer (HTTP/HTTPS). A Network Load Balancer makes routing
 // and load balancing decisions at the transport layer (TCP/TLS). Both Application
 // Load Balancers and Network Load Balancers can route requests to one or more
 // ports on each EC2 instance or container instance in your virtual private
-// cloud (VPC).
-//
-// A Classic Load Balancer makes routing and load balancing decisions either
-// at the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS), and
-// supports either EC2-Classic or a VPC. For more information, see the Elastic
-// Load Balancing User Guide (http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/).
-//
-// This reference covers the 2015-12-01 API, which supports Application Load
-// Balancers and Network Load Balancers. The 2012-06-01 API supports Classic
-// Load Balancers.
-//
-// To get started, complete the following tasks:
-//
-// Create a load balancer using CreateLoadBalancer.
-//
-// Create a target group using CreateTargetGroup.
-//
-// Register targets for the target group using RegisterTargets.
-//
-// Create one or more listeners for your load balancer using CreateListener.
-//
-// To delete a load balancer and its related resources, complete the following
-// tasks:
-//
-// Delete the load balancer using DeleteLoadBalancer.
-//
-// Delete the target group using DeleteTargetGroup.
+// cloud (VPC). For more information, see the Elastic Load Balancing User Guide
+// (https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/).
 //
 // All Elastic Load Balancing operations are idempotent, which means that they
 // complete at most one time. If you repeat an operation, it succeeds.

vendor/github.com/aws/aws-sdk-go/service/elbv2/errors.go

@@ -211,6 +211,14 @@ const (
 	// You've reached the limit on the number of targets.
 	ErrCodeTooManyTargetsException = "TooManyTargets"
 
+	// ErrCodeTooManyUniqueTargetGroupsPerLoadBalancerException for service response error code
+	// "TooManyUniqueTargetGroupsPerLoadBalancer".
+	//
+	// You've reached the limit on the number of unique target groups per load balancer
+	// across all listeners. If a target group is used by multiple actions for a
+	// load balancer, it is counted as only one use.
+	ErrCodeTooManyUniqueTargetGroupsPerLoadBalancerException = "TooManyUniqueTargetGroupsPerLoadBalancer"
+
 	// ErrCodeUnsupportedProtocolException for service response error code
 	// "UnsupportedProtocol".
 	//

vendor/github.com/aws/aws-sdk-go/service/elbv2/service.go

@@ -31,7 +31,7 @@ var initRequest func(*request.Request)
 const (
 	ServiceName = "elasticloadbalancing"      // Name of service.
 	EndpointsID = ServiceName                 // ID to lookup a service endpoint with.
-	ServiceID   = "Elastic Load Balancing v2" // ServiceID is a unique identifer of a specific service.
+	ServiceID   = "Elastic Load Balancing v2" // ServiceID is a unique identifier of a specific service.
 )
 
 // New creates a new instance of the ELBV2 client with a session.
@@ -39,6 +39,8 @@ const (
 // aws.Config parameter to add your extra config.
 //
 // Example:
+//     mySession := session.Must(session.NewSession())
+//
 //     // Create a ELBV2 client from just a session.
 //     svc := elbv2.New(mySession)
 //
@@ -46,11 +48,11 @@ const (
 //     svc := elbv2.New(mySession, aws.NewConfig().WithRegion("us-west-2"))
 func New(p client.ConfigProvider, cfgs ...*aws.Config) *ELBV2 {
 	c := p.ClientConfig(EndpointsID, cfgs...)
-	return newClient(*c.Config, c.Handlers, c.Endpoint, c.SigningRegion, c.SigningName)
+	return newClient(*c.Config, c.Handlers, c.PartitionID, c.Endpoint, c.SigningRegion, c.SigningName)
 }
 
 // newClient creates, initializes and returns a new service client instance.
-func newClient(cfg aws.Config, handlers request.Handlers, endpoint, signingRegion, signingName string) *ELBV2 {
+func newClient(cfg aws.Config, handlers request.Handlers, partitionID, endpoint, signingRegion, signingName string) *ELBV2 {
 	svc := &ELBV2{
 		Client: client.New(
 			cfg,
@@ -59,6 +61,7 @@ func newClient(cfg aws.Config, handlers request.Handlers, endpoint, signingRegio
 				ServiceID:     ServiceID,
 				SigningName:   signingName,
 				SigningRegion: signingRegion,
+				PartitionID:   partitionID,
 				Endpoint:      endpoint,
 				APIVersion:    "2015-12-01",
 			},

vendor/github.com/aws/aws-sdk-go/service/kms/doc.go

@@ -6,7 +6,7 @@
 // AWS Key Management Service (AWS KMS) is an encryption and key management
 // web service. This guide describes the AWS KMS operations that you can call
 // programmatically. For general information about AWS KMS, see the AWS Key
-// Management Service Developer Guide (http://docs.aws.amazon.com/kms/latest/developerguide/).
+// Management Service Developer Guide (https://docs.aws.amazon.com/kms/latest/developerguide/).
 //
 // AWS provides SDKs that consist of libraries and sample code for various programming
 // languages and platforms (Java, Ruby, .Net, macOS, Android, etc.). The SDKs
@@ -30,11 +30,11 @@
 // Requests must be signed by using an access key ID and a secret access key.
 // We strongly recommend that you do not use your AWS account (root) access
 // key ID and secret key for everyday work with AWS KMS. Instead, use the access
-// key ID and secret access key for an IAM user, or you can use the AWS Security
+// key ID and secret access key for an IAM user. You can also use the AWS Security
 // Token Service to generate temporary security credentials that you can use
 // to sign requests.
 //
-// All AWS KMS operations require Signature Version 4 (http://docs.aws.amazon.com/general/latest/gr/signature-version-4.html).
+// All AWS KMS operations require Signature Version 4 (https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html).
 //
 // Logging API Requests
 //
@@ -43,29 +43,29 @@
 // you specify. By using the information collected by CloudTrail, you can determine
 // what requests were made to AWS KMS, who made the request, when it was made,
 // and so on. To learn more about CloudTrail, including how to turn it on and
-// find your log files, see the AWS CloudTrail User Guide (http://docs.aws.amazon.com/awscloudtrail/latest/userguide/).
+// find your log files, see the AWS CloudTrail User Guide (https://docs.aws.amazon.com/awscloudtrail/latest/userguide/).
 //
 // Additional Resources
 //
 // For more information about credentials and request signing, see the following:
 //
-//    * AWS Security Credentials (http://docs.aws.amazon.com/general/latest/gr/aws-security-credentials.html)
-//    - This topic provides general information about the of credentials used
-//    for accessing AWS.
+//    * AWS Security Credentials (https://docs.aws.amazon.com/general/latest/gr/aws-security-credentials.html)
+//    - This topic provides general information about the types of credentials
+//    used for accessing AWS.
 //
-//    * Temporary Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html)
+//    * Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html)
 //    - This section of the IAM User Guide describes how to create and use temporary
 //    security credentials.
 //
-//    * Signature Version 4 Signing Process (http://docs.aws.amazon.com/general/latest/gr/signature-version-4.html)
+//    * Signature Version 4 Signing Process (https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html)
 //    - This set of topics walks you through the process of signing a request
 //    using an access key ID and a secret access key.
 //
-// Commonly Used APIs
+// Commonly Used API Operations
 //
-// Of the APIs discussed in this guide, the following will prove the most useful
-// for most applications. You will likely perform actions other than these,
-// such as creating keys and assigning policies, by using the console.
+// Of the API operations discussed in this guide, the following will prove the
+// most useful for most applications. You will likely perform operations other
+// than these, such as creating keys and assigning policies, by using the console.
 //
 //    * Encrypt
 //

vendor/github.com/aws/aws-sdk-go/service/kms/errors.go

@@ -2,6 +2,10 @@
 
 package kms
 
+import (
+	"github.com/aws/aws-sdk-go/private/protocol"
+)
+
 const (
 
 	// ErrCodeAlreadyExistsException for service response error code
@@ -20,7 +24,7 @@ const (
 	// associated with a different AWS CloudHSM cluster.
 	//
 	// Clusters that share a backup history have the same cluster certificate. To
-	// view the cluster certificate of a cluster, use the DescribeClusters (http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
+	// view the cluster certificate of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
 	// operation.
 	ErrCodeCloudHsmClusterInUseException = "CloudHsmClusterInUseException"
 
@@ -28,21 +32,35 @@ const (
 	// "CloudHsmClusterInvalidConfigurationException".
 	//
 	// The request was rejected because the associated AWS CloudHSM cluster did
-	// not meet the configuration requirements for a custom key store. The cluster
-	// must be configured with private subnets in at least two different Availability
-	// Zones in the Region. Also, it must contain at least as many HSMs as the operation
-	// requires.
+	// not meet the configuration requirements for a custom key store.
 	//
-	// For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey operations,
-	// the AWS CloudHSM cluster must have at least two active HSMs, each in a different
-	// Availability Zone. For the ConnectCustomKeyStore operation, the AWS CloudHSM
-	// must contain at least one active HSM.
+	//    * The cluster must be configured with private subnets in at least two
+	//    different Availability Zones in the Region.
 	//
-	// For information about creating a private subnet for a AWS CloudHSM cluster,
-	// see Create a Private Subnet (http://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html)
-	// in the AWS CloudHSM User Guide. To add HSMs, use the AWS CloudHSM CreateHsm
-	// (http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html)
-	// operation.
+	//    * The security group for the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html)
+	//    (cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound
+	//    rules that allow TCP traffic on ports 2223-2225. The Source in the inbound
+	//    rules and the Destination in the outbound rules must match the security
+	//    group ID. These rules are set by default when you create the cluster.
+	//    Do not delete or change them. To get information about a particular security
+	//    group, use the DescribeSecurityGroups (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html)
+	//    operation.
+	//
+	//    * The cluster must contain at least as many HSMs as the operation requires.
+	//    To add HSMs, use the AWS CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html)
+	//    operation. For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey
+	//    operations, the AWS CloudHSM cluster must have at least two active HSMs,
+	//    each in a different Availability Zone. For the ConnectCustomKeyStore operation,
+	//    the AWS CloudHSM must contain at least one active HSM.
+	//
+	// For information about the requirements for an AWS CloudHSM cluster that is
+	// associated with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore)
+	// in the AWS Key Management Service Developer Guide. For information about
+	// creating a private subnet for an AWS CloudHSM cluster, see Create a Private
+	// Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html)
+	// in the AWS CloudHSM User Guide. For information about cluster security groups,
+	// see Configure a Default Security Group (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html)
+	// in the AWS CloudHSM User Guide .
 	ErrCodeCloudHsmClusterInvalidConfigurationException = "CloudHsmClusterInvalidConfigurationException"
 
 	// ErrCodeCloudHsmClusterNotActiveException for service response error code
@@ -51,7 +69,7 @@ const (
 	// The request was rejected because the AWS CloudHSM cluster that is associated
 	// with the custom key store is not active. Initialize and activate the cluster
 	// and try the command again. For detailed instructions, see Getting Started
-	// (http://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html)
+	// (https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html)
 	// in the AWS CloudHSM User Guide.
 	ErrCodeCloudHsmClusterNotActiveException = "CloudHsmClusterNotActiveException"
 
@@ -76,7 +94,7 @@ const (
 	// cluster.
 	//
 	// Clusters that share a backup history have the same cluster certificate. To
-	// view the cluster certificate of a cluster, use the DescribeClusters (http://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
+	// view the cluster certificate of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
 	// operation.
 	ErrCodeCloudHsmClusterNotRelatedException = "CloudHsmClusterNotRelatedException"
 
@@ -142,17 +160,25 @@ const (
 	// ErrCodeExpiredImportTokenException for service response error code
 	// "ExpiredImportTokenException".
 	//
-	// The request was rejected because the provided import token is expired. Use
+	// The request was rejected because the specified import token is expired. Use
 	// GetParametersForImport to get a new import token and public key, use the
 	// new public key to encrypt the key material, and then try the request again.
 	ErrCodeExpiredImportTokenException = "ExpiredImportTokenException"
 
+	// ErrCodeIncorrectKeyException for service response error code
+	// "IncorrectKeyException".
+	//
+	// The request was rejected because the specified CMK cannot decrypt the data.
+	// The KeyId in a Decrypt request and the SourceKeyId in a ReEncrypt request
+	// must identify the same CMK that was used to encrypt the ciphertext.
+	ErrCodeIncorrectKeyException = "IncorrectKeyException"
+
 	// ErrCodeIncorrectKeyMaterialException for service response error code
 	// "IncorrectKeyMaterialException".
 	//
-	// The request was rejected because the provided key material is invalid or
-	// is not the same key material that was previously imported into this customer
-	// master key (CMK).
+	// The request was rejected because the key material in the request is, expired,
+	// invalid, or is not the same key material that was previously imported into
+	// this customer master key (CMK).
 	ErrCodeIncorrectKeyMaterialException = "IncorrectKeyMaterialException"
 
 	// ErrCodeIncorrectTrustAnchorException for service response error code
@@ -161,7 +187,7 @@ const (
 	// The request was rejected because the trust anchor certificate in the request
 	// is not the trust anchor certificate for the specified AWS CloudHSM cluster.
 	//
-	// When you initialize the cluster (http://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr),
+	// When you initialize the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr),
 	// you create the trust anchor certificate and save it in the customerCA.crt
 	// file.
 	ErrCodeIncorrectTrustAnchorException = "IncorrectTrustAnchorException"
@@ -182,15 +208,20 @@ const (
 	// ErrCodeInvalidArnException for service response error code
 	// "InvalidArnException".
 	//
-	// The request was rejected because a specified ARN was not valid.
+	// The request was rejected because a specified ARN, or an ARN in a key policy,
+	// is not valid.
 	ErrCodeInvalidArnException = "InvalidArnException"
 
 	// ErrCodeInvalidCiphertextException for service response error code
 	// "InvalidCiphertextException".
 	//
-	// The request was rejected because the specified ciphertext, or additional
-	// authenticated data incorporated into the ciphertext, such as the encryption
-	// context, is corrupted, missing, or otherwise invalid.
+	// From the Decrypt or ReEncrypt operation, the request was rejected because
+	// the specified ciphertext, or additional authenticated data incorporated into
+	// the ciphertext, such as the encryption context, is corrupted, missing, or
+	// otherwise invalid.
+	//
+	// From the ImportKeyMaterial operation, the request was rejected because AWS
+	// KMS could not decrypt the encrypted (wrapped) key material.
 	ErrCodeInvalidCiphertextException = "InvalidCiphertextException"
 
 	// ErrCodeInvalidGrantIdException for service response error code
@@ -215,7 +246,19 @@ const (
 	// ErrCodeInvalidKeyUsageException for service response error code
 	// "InvalidKeyUsageException".
 	//
-	// The request was rejected because the specified KeySpec value is not valid.
+	// The request was rejected for one of the following reasons:
+	//
+	//    * The KeyUsage value of the CMK is incompatible with the API operation.
+	//
+	//    * The encryption algorithm or signing algorithm specified for the operation
+	//    is incompatible with the type of key material in the CMK (CustomerMasterKeySpec).
+	//
+	// For encrypting, decrypting, re-encrypting, and generating data keys, the
+	// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage
+	// must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation.
+	//
+	// To find the encryption or signing algorithms supported for a particular CMK,
+	// use the DescribeKey operation.
 	ErrCodeInvalidKeyUsageException = "InvalidKeyUsageException"
 
 	// ErrCodeInvalidMarkerException for service response error code
@@ -232,22 +275,30 @@ const (
 	// valid for this request.
 	//
 	// For more information about how key state affects the use of a CMK, see How
-	// Key State Affects Use of a Customer Master Key (http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
-	// in the AWS Key Management Service Developer Guide.
+	// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+	// in the AWS Key Management Service Developer Guide .
 	ErrCodeInvalidStateException = "KMSInvalidStateException"
 
+	// ErrCodeKMSInvalidSignatureException for service response error code
+	// "KMSInvalidSignatureException".
+	//
+	// The request was rejected because the signature verification failed. Signature
+	// verification fails when it cannot confirm that signature was produced by
+	// signing the specified message with the specified CMK and signing algorithm.
+	ErrCodeKMSInvalidSignatureException = "KMSInvalidSignatureException"
+
 	// ErrCodeKeyUnavailableException for service response error code
 	// "KeyUnavailableException".
 	//
-	// The request was rejected because the specified CMK was not available. The
-	// request can be retried.
+	// The request was rejected because the specified CMK was not available. You
+	// can retry the request.
 	ErrCodeKeyUnavailableException = "KeyUnavailableException"
 
 	// ErrCodeLimitExceededException for service response error code
 	// "LimitExceededException".
 	//
 	// The request was rejected because a limit was exceeded. For more information,
-	// see Limits (http://docs.aws.amazon.com/kms/latest/developerguide/limits.html)
+	// see Limits (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html)
 	// in the AWS Key Management Service Developer Guide.
 	ErrCodeLimitExceededException = "LimitExceededException"
 
@@ -278,3 +329,39 @@ const (
 	// a specified resource is not valid for this operation.
 	ErrCodeUnsupportedOperationException = "UnsupportedOperationException"
 )
+
+var exceptionFromCode = map[string]func(protocol.ResponseMetadata) error{
+	"AlreadyExistsException":                       newErrorAlreadyExistsException,
+	"CloudHsmClusterInUseException":                newErrorCloudHsmClusterInUseException,
+	"CloudHsmClusterInvalidConfigurationException": newErrorCloudHsmClusterInvalidConfigurationException,
+	"CloudHsmClusterNotActiveException":            newErrorCloudHsmClusterNotActiveException,
+	"CloudHsmClusterNotFoundException":             newErrorCloudHsmClusterNotFoundException,
+	"CloudHsmClusterNotRelatedException":           newErrorCloudHsmClusterNotRelatedException,
+	"CustomKeyStoreHasCMKsException":               newErrorCustomKeyStoreHasCMKsException,
+	"CustomKeyStoreInvalidStateException":          newErrorCustomKeyStoreInvalidStateException,
+	"CustomKeyStoreNameInUseException":             newErrorCustomKeyStoreNameInUseException,
+	"CustomKeyStoreNotFoundException":              newErrorCustomKeyStoreNotFoundException,
+	"DependencyTimeoutException":                   newErrorDependencyTimeoutException,
+	"DisabledException":                            newErrorDisabledException,
+	"ExpiredImportTokenException":                  newErrorExpiredImportTokenException,
+	"IncorrectKeyException":                        newErrorIncorrectKeyException,
+	"IncorrectKeyMaterialException":                newErrorIncorrectKeyMaterialException,
+	"IncorrectTrustAnchorException":                newErrorIncorrectTrustAnchorException,
+	"KMSInternalException":                         newErrorInternalException,
+	"InvalidAliasNameException":                    newErrorInvalidAliasNameException,
+	"InvalidArnException":                          newErrorInvalidArnException,
+	"InvalidCiphertextException":                   newErrorInvalidCiphertextException,
+	"InvalidGrantIdException":                      newErrorInvalidGrantIdException,
+	"InvalidGrantTokenException":                   newErrorInvalidGrantTokenException,
+	"InvalidImportTokenException":                  newErrorInvalidImportTokenException,
+	"InvalidKeyUsageException":                     newErrorInvalidKeyUsageException,
+	"InvalidMarkerException":                       newErrorInvalidMarkerException,
+	"KMSInvalidStateException":                     newErrorInvalidStateException,
+	"KMSInvalidSignatureException":                 newErrorKMSInvalidSignatureException,
+	"KeyUnavailableException":                      newErrorKeyUnavailableException,
+	"LimitExceededException":                       newErrorLimitExceededException,
+	"MalformedPolicyDocumentException":             newErrorMalformedPolicyDocumentException,
+	"NotFoundException":                            newErrorNotFoundException,
+	"TagException":                                 newErrorTagException,
+	"UnsupportedOperationException":                newErrorUnsupportedOperationException,
+}

vendor/github.com/aws/aws-sdk-go/service/kms/service.go

@@ -8,6 +8,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws/client/metadata"
 	"github.com/aws/aws-sdk-go/aws/request"
 	"github.com/aws/aws-sdk-go/aws/signer/v4"
+	"github.com/aws/aws-sdk-go/private/protocol"
 	"github.com/aws/aws-sdk-go/private/protocol/jsonrpc"
 )
 
@@ -31,7 +32,7 @@ var initRequest func(*request.Request)
 const (
 	ServiceName = "kms"       // Name of service.
 	EndpointsID = ServiceName // ID to lookup a service endpoint with.
-	ServiceID   = "KMS"       // ServiceID is a unique identifer of a specific service.
+	ServiceID   = "KMS"       // ServiceID is a unique identifier of a specific service.
 )
 
 // New creates a new instance of the KMS client with a session.
@@ -39,6 +40,8 @@ const (
 // aws.Config parameter to add your extra config.
 //
 // Example:
+//     mySession := session.Must(session.NewSession())
+//
 //     // Create a KMS client from just a session.
 //     svc := kms.New(mySession)
 //
@@ -46,11 +49,11 @@ const (
 //     svc := kms.New(mySession, aws.NewConfig().WithRegion("us-west-2"))
 func New(p client.ConfigProvider, cfgs ...*aws.Config) *KMS {
 	c := p.ClientConfig(EndpointsID, cfgs...)
-	return newClient(*c.Config, c.Handlers, c.Endpoint, c.SigningRegion, c.SigningName)
+	return newClient(*c.Config, c.Handlers, c.PartitionID, c.Endpoint, c.SigningRegion, c.SigningName)
 }
 
 // newClient creates, initializes and returns a new service client instance.
-func newClient(cfg aws.Config, handlers request.Handlers, endpoint, signingRegion, signingName string) *KMS {
+func newClient(cfg aws.Config, handlers request.Handlers, partitionID, endpoint, signingRegion, signingName string) *KMS {
 	svc := &KMS{
 		Client: client.New(
 			cfg,
@@ -59,6 +62,7 @@ func newClient(cfg aws.Config, handlers request.Handlers, endpoint, signingRegio
 				ServiceID:     ServiceID,
 				SigningName:   signingName,
 				SigningRegion: signingRegion,
+				PartitionID:   partitionID,
 				Endpoint:      endpoint,
 				APIVersion:    "2014-11-01",
 				JSONVersion:   "1.1",
@@ -73,7 +77,9 @@ func newClient(cfg aws.Config, handlers request.Handlers, endpoint, signingRegio
 	svc.Handlers.Build.PushBackNamed(jsonrpc.BuildHandler)
 	svc.Handlers.Unmarshal.PushBackNamed(jsonrpc.UnmarshalHandler)
 	svc.Handlers.UnmarshalMeta.PushBackNamed(jsonrpc.UnmarshalMetaHandler)
-	svc.Handlers.UnmarshalError.PushBackNamed(jsonrpc.UnmarshalErrorHandler)
+	svc.Handlers.UnmarshalError.PushBackNamed(
+		protocol.NewUnmarshalErrorHandler(jsonrpc.NewUnmarshalTypedError(exceptionFromCode)).NamedHandler(),
+	)
 
 	// Run custom client initialization if present
 	if initClient != nil {

vendor/github.com/aws/aws-sdk-go/service/sts/BUILD

@@ -17,6 +17,7 @@ go_library(
         "//vendor/github.com/aws/aws-sdk-go/aws/awsutil:go_default_library",
         "//vendor/github.com/aws/aws-sdk-go/aws/client:go_default_library",
         "//vendor/github.com/aws/aws-sdk-go/aws/client/metadata:go_default_library",
+        "//vendor/github.com/aws/aws-sdk-go/aws/credentials:go_default_library",
         "//vendor/github.com/aws/aws-sdk-go/aws/request:go_default_library",
         "//vendor/github.com/aws/aws-sdk-go/aws/signer/v4:go_default_library",
         "//vendor/github.com/aws/aws-sdk-go/private/protocol/query:go_default_library",
@@ -32,7 +33,10 @@ filegroup(
 
 filegroup(
     name = "all-srcs",
-    srcs = [":package-srcs"],
+    srcs = [
+        ":package-srcs",
+        "//vendor/github.com/aws/aws-sdk-go/service/sts/stsiface:all-srcs",
+    ],
     tags = ["automanaged"],
     visibility = ["//visibility:public"],
 )

vendor/github.com/aws/aws-sdk-go/service/sts/customizations.go

@@ -3,10 +3,9 @@ package sts
 import "github.com/aws/aws-sdk-go/aws/request"
 
 func init() {
-	initRequest = func(r *request.Request) {
-		switch r.Operation.Name {
-		case opAssumeRoleWithSAML, opAssumeRoleWithWebIdentity:
-			r.Handlers.Sign.Clear() // these operations are unsigned
-		}
-	}
+	initRequest = customizeRequest
+}
+
+func customizeRequest(r *request.Request) {
+	r.RetryErrorCodes = append(r.RetryErrorCodes, ErrCodeIDPCommunicationErrorException)
 }

vendor/github.com/aws/aws-sdk-go/service/sts/doc.go

@@ -7,22 +7,14 @@
 // request temporary, limited-privilege credentials for AWS Identity and Access
 // Management (IAM) users or for users that you authenticate (federated users).
 // This guide provides descriptions of the STS API. For more detailed information
-// about using this service, go to Temporary Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html).
-//
-// As an alternative to using the API, you can use one of the AWS SDKs, which
-// consist of libraries and sample code for various programming languages and
-// platforms (Java, Ruby, .NET, iOS, Android, etc.). The SDKs provide a convenient
-// way to create programmatic access to STS. For example, the SDKs take care
-// of cryptographically signing requests, managing errors, and retrying requests
-// automatically. For information about the AWS SDKs, including how to download
-// and install them, see the Tools for Amazon Web Services page (http://aws.amazon.com/tools/).
+// about using this service, go to Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html).
 //
 // For information about setting up signatures and authorization through the
-// API, go to Signing AWS API Requests (http://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html)
+// API, go to Signing AWS API Requests (https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html)
 // in the AWS General Reference. For general information about the Query API,
-// go to Making Query Requests (http://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_UsingQueryAPI.html)
+// go to Making Query Requests (https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_UsingQueryAPI.html)
 // in Using IAM. For information about using security tokens with other AWS
-// products, go to AWS Services That Work with IAM (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html)
+// products, go to AWS Services That Work with IAM (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html)
 // in the IAM User Guide.
 //
 // If you're new to AWS and need additional technical information about a specific
@@ -31,14 +23,38 @@
 //
 // Endpoints
 //
-// The AWS Security Token Service (STS) has a default endpoint of https://sts.amazonaws.com
-// that maps to the US East (N. Virginia) region. Additional regions are available
-// and are activated by default. For more information, see Activating and Deactivating
-// AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
+// By default, AWS Security Token Service (STS) is available as a global service,
+// and all AWS STS requests go to a single endpoint at https://sts.amazonaws.com.
+// Global requests map to the US East (N. Virginia) region. AWS recommends using
+// Regional AWS STS endpoints instead of the global endpoint to reduce latency,
+// build in redundancy, and increase session token validity. For more information,
+// see Managing AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
 // in the IAM User Guide.
 //
-// For information about STS endpoints, see Regions and Endpoints (http://docs.aws.amazon.com/general/latest/gr/rande.html#sts_region)
-// in the AWS General Reference.
+// Most AWS Regions are enabled for operations in all AWS services by default.
+// Those Regions are automatically activated for use with AWS STS. Some Regions,
+// such as Asia Pacific (Hong Kong), must be manually enabled. To learn more
+// about enabling and disabling AWS Regions, see Managing AWS Regions (https://docs.aws.amazon.com/general/latest/gr/rande-manage.html)
+// in the AWS General Reference. When you enable these AWS Regions, they are
+// automatically activated for use with AWS STS. You cannot activate the STS
+// endpoint for a Region that is disabled. Tokens that are valid in all AWS
+// Regions are longer than tokens that are valid in Regions that are enabled
+// by default. Changing this setting might affect existing systems where you
+// temporarily store tokens. For more information, see Managing Global Endpoint
+// Session Tokens (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#sts-regions-manage-tokens)
+// in the IAM User Guide.
+//
+// After you activate a Region for use with AWS STS, you can direct AWS STS
+// API calls to that Region. AWS STS recommends that you provide both the Region
+// and endpoint when you make calls to a Regional endpoint. You can provide
+// the Region alone for manually enabled Regions, such as Asia Pacific (Hong
+// Kong). In this case, the calls are directed to the STS Regional endpoint.
+// However, if you provide the Region alone for Regions enabled by default,
+// the calls are directed to the global endpoint of https://sts.amazonaws.com.
+//
+// To view the list of AWS STS endpoints and whether they are active by default,
+// see Writing Code to Use AWS STS Regions (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#id_credentials_temp_enable-regions_writing_code)
+// in the IAM User Guide.
 //
 // Recording API requests
 //
@@ -46,8 +62,28 @@
 // your AWS account and delivers log files to an Amazon S3 bucket. By using
 // information collected by CloudTrail, you can determine what requests were
 // successfully made to STS, who made the request, when it was made, and so
-// on. To learn more about CloudTrail, including how to turn it on and find
-// your log files, see the AWS CloudTrail User Guide (http://docs.aws.amazon.com/awscloudtrail/latest/userguide/what_is_cloud_trail_top_level.html).
+// on.
+//
+// If you activate AWS STS endpoints in Regions other than the default global
+// endpoint, then you must also turn on CloudTrail logging in those Regions.
+// This is necessary to record any AWS STS API calls that are made in those
+// Regions. For more information, see Turning On CloudTrail in Additional Regions
+// (https://docs.aws.amazon.com/awscloudtrail/latest/userguide/aggregating_logs_regions_turn_on_ct.html)
+// in the AWS CloudTrail User Guide.
+//
+// AWS Security Token Service (STS) is a global service with a single endpoint
+// at https://sts.amazonaws.com. Calls to this endpoint are logged as calls
+// to a global service. However, because this endpoint is physically located
+// in the US East (N. Virginia) Region, your logs list us-east-1 as the event
+// Region. CloudTrail does not write these logs to the US East (Ohio) Region
+// unless you choose to include global service logs in that Region. CloudTrail
+// writes calls to all Regional endpoints to their respective Regions. For example,
+// calls to sts.us-east-2.amazonaws.com are published to the US East (Ohio)
+// Region and calls to sts.eu-central-1.amazonaws.com are published to the EU
+// (Frankfurt) Region.
+//
+// To learn more about CloudTrail, including how to turn it on and find your
+// log files, see the AWS CloudTrail User Guide (https://docs.aws.amazon.com/awscloudtrail/latest/userguide/what_is_cloud_trail_top_level.html).
 //
 // See https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15 for more information on this service.
 //

vendor/github.com/aws/aws-sdk-go/service/sts/errors.go

@@ -14,11 +14,11 @@ const (
 	// ErrCodeIDPCommunicationErrorException for service response error code
 	// "IDPCommunicationError".
 	//
-	// The request could not be fulfilled because the non-AWS identity provider
-	// (IDP) that was asked to verify the incoming identity token could not be reached.
-	// This is often a transient error caused by network conditions. Retry the request
+	// The request could not be fulfilled because the identity provider (IDP) that
+	// was asked to verify the incoming identity token could not be reached. This
+	// is often a transient error caused by network conditions. Retry the request
 	// a limited number of times so that you don't exceed the request rate. If the
-	// error persists, the non-AWS identity provider might be down or not responding.
+	// error persists, the identity provider might be down or not responding.
 	ErrCodeIDPCommunicationErrorException = "IDPCommunicationError"
 
 	// ErrCodeIDPRejectedClaimException for service response error code
@@ -56,9 +56,18 @@ const (
 	// ErrCodePackedPolicyTooLargeException for service response error code
 	// "PackedPolicyTooLarge".
 	//
-	// The request was rejected because the policy document was too large. The error
-	// message describes how big the policy document is, in packed form, as a percentage
-	// of what the API allows.
+	// The request was rejected because the total packed size of the session policies
+	// and session tags combined was too large. An AWS conversion compresses the
+	// session policy document, session policy ARNs, and session tags into a packed
+	// binary format that has a separate limit. The error message indicates by percentage
+	// how close the policies and tags are to the upper size limit. For more information,
+	// see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
+	// in the IAM User Guide.
+	//
+	// You could receive this error even though you meet other defined session policy
+	// and session tag limits. For more information, see IAM and STS Entity Character
+	// Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
+	// in the IAM User Guide.
 	ErrCodePackedPolicyTooLargeException = "PackedPolicyTooLarge"
 
 	// ErrCodeRegionDisabledException for service response error code
@@ -67,7 +76,7 @@ const (
 	// STS is not activated in the requested region for the account that is being
 	// asked to generate credentials. The account administrator must use the IAM
 	// console to activate STS in that region. For more information, see Activating
-	// and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
+	// and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
 	// in the IAM User Guide.
 	ErrCodeRegionDisabledException = "RegionDisabledException"
 )

vendor/github.com/aws/aws-sdk-go/service/sts/service.go

@@ -31,7 +31,7 @@ var initRequest func(*request.Request)
 const (
 	ServiceName = "sts"       // Name of service.
 	EndpointsID = ServiceName // ID to lookup a service endpoint with.
-	ServiceID   = "STS"       // ServiceID is a unique identifer of a specific service.
+	ServiceID   = "STS"       // ServiceID is a unique identifier of a specific service.
 )
 
 // New creates a new instance of the STS client with a session.
@@ -39,6 +39,8 @@ const (
 // aws.Config parameter to add your extra config.
 //
 // Example:
+//     mySession := session.Must(session.NewSession())
+//
 //     // Create a STS client from just a session.
 //     svc := sts.New(mySession)
 //
@@ -46,11 +48,11 @@ const (
 //     svc := sts.New(mySession, aws.NewConfig().WithRegion("us-west-2"))
 func New(p client.ConfigProvider, cfgs ...*aws.Config) *STS {
 	c := p.ClientConfig(EndpointsID, cfgs...)
-	return newClient(*c.Config, c.Handlers, c.Endpoint, c.SigningRegion, c.SigningName)
+	return newClient(*c.Config, c.Handlers, c.PartitionID, c.Endpoint, c.SigningRegion, c.SigningName)
 }
 
 // newClient creates, initializes and returns a new service client instance.
-func newClient(cfg aws.Config, handlers request.Handlers, endpoint, signingRegion, signingName string) *STS {
+func newClient(cfg aws.Config, handlers request.Handlers, partitionID, endpoint, signingRegion, signingName string) *STS {
 	svc := &STS{
 		Client: client.New(
 			cfg,
@@ -59,6 +61,7 @@ func newClient(cfg aws.Config, handlers request.Handlers, endpoint, signingRegio
 				ServiceID:     ServiceID,
 				SigningName:   signingName,
 				SigningRegion: signingRegion,
+				PartitionID:   partitionID,
 				Endpoint:      endpoint,
 				APIVersion:    "2011-06-15",
 			},

vendor/github.com/aws/aws-sdk-go/service/sts/stsiface/BUILD

@@ -0,0 +1,28 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+    name = "go_default_library",
+    srcs = ["interface.go"],
+    importmap = "k8s.io/kubernetes/vendor/github.com/aws/aws-sdk-go/service/sts/stsiface",
+    importpath = "github.com/aws/aws-sdk-go/service/sts/stsiface",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//vendor/github.com/aws/aws-sdk-go/aws:go_default_library",
+        "//vendor/github.com/aws/aws-sdk-go/aws/request:go_default_library",
+        "//vendor/github.com/aws/aws-sdk-go/service/sts:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+    visibility = ["//visibility:public"],
+)

vendor/github.com/aws/aws-sdk-go/service/sts/stsiface/interface.go

@@ -0,0 +1,96 @@
+// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT.
+
+// Package stsiface provides an interface to enable mocking the AWS Security Token Service service client
+// for testing your code.
+//
+// It is important to note that this interface will have breaking changes
+// when the service model is updated and adds new API operations, paginators,
+// and waiters.
+package stsiface
+
+import (
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/request"
+	"github.com/aws/aws-sdk-go/service/sts"
+)
+
+// STSAPI provides an interface to enable mocking the
+// sts.STS service client's API operation,
+// paginators, and waiters. This make unit testing your code that calls out
+// to the SDK's service client's calls easier.
+//
+// The best way to use this interface is so the SDK's service client's calls
+// can be stubbed out for unit testing your code with the SDK without needing
+// to inject custom request handlers into the SDK's request pipeline.
+//
+//    // myFunc uses an SDK service client to make a request to
+//    // AWS Security Token Service.
+//    func myFunc(svc stsiface.STSAPI) bool {
+//        // Make svc.AssumeRole request
+//    }
+//
+//    func main() {
+//        sess := session.New()
+//        svc := sts.New(sess)
+//
+//        myFunc(svc)
+//    }
+//
+// In your _test.go file:
+//
+//    // Define a mock struct to be used in your unit tests of myFunc.
+//    type mockSTSClient struct {
+//        stsiface.STSAPI
+//    }
+//    func (m *mockSTSClient) AssumeRole(input *sts.AssumeRoleInput) (*sts.AssumeRoleOutput, error) {
+//        // mock response/functionality
+//    }
+//
+//    func TestMyFunc(t *testing.T) {
+//        // Setup Test
+//        mockSvc := &mockSTSClient{}
+//
+//        myfunc(mockSvc)
+//
+//        // Verify myFunc's functionality
+//    }
+//
+// It is important to note that this interface will have breaking changes
+// when the service model is updated and adds new API operations, paginators,
+// and waiters. Its suggested to use the pattern above for testing, or using
+// tooling to generate mocks to satisfy the interfaces.
+type STSAPI interface {
+	AssumeRole(*sts.AssumeRoleInput) (*sts.AssumeRoleOutput, error)
+	AssumeRoleWithContext(aws.Context, *sts.AssumeRoleInput, ...request.Option) (*sts.AssumeRoleOutput, error)
+	AssumeRoleRequest(*sts.AssumeRoleInput) (*request.Request, *sts.AssumeRoleOutput)
+
+	AssumeRoleWithSAML(*sts.AssumeRoleWithSAMLInput) (*sts.AssumeRoleWithSAMLOutput, error)
+	AssumeRoleWithSAMLWithContext(aws.Context, *sts.AssumeRoleWithSAMLInput, ...request.Option) (*sts.AssumeRoleWithSAMLOutput, error)
+	AssumeRoleWithSAMLRequest(*sts.AssumeRoleWithSAMLInput) (*request.Request, *sts.AssumeRoleWithSAMLOutput)
+
+	AssumeRoleWithWebIdentity(*sts.AssumeRoleWithWebIdentityInput) (*sts.AssumeRoleWithWebIdentityOutput, error)
+	AssumeRoleWithWebIdentityWithContext(aws.Context, *sts.AssumeRoleWithWebIdentityInput, ...request.Option) (*sts.AssumeRoleWithWebIdentityOutput, error)
+	AssumeRoleWithWebIdentityRequest(*sts.AssumeRoleWithWebIdentityInput) (*request.Request, *sts.AssumeRoleWithWebIdentityOutput)
+
+	DecodeAuthorizationMessage(*sts.DecodeAuthorizationMessageInput) (*sts.DecodeAuthorizationMessageOutput, error)
+	DecodeAuthorizationMessageWithContext(aws.Context, *sts.DecodeAuthorizationMessageInput, ...request.Option) (*sts.DecodeAuthorizationMessageOutput, error)
+	DecodeAuthorizationMessageRequest(*sts.DecodeAuthorizationMessageInput) (*request.Request, *sts.DecodeAuthorizationMessageOutput)
+
+	GetAccessKeyInfo(*sts.GetAccessKeyInfoInput) (*sts.GetAccessKeyInfoOutput, error)
+	GetAccessKeyInfoWithContext(aws.Context, *sts.GetAccessKeyInfoInput, ...request.Option) (*sts.GetAccessKeyInfoOutput, error)
+	GetAccessKeyInfoRequest(*sts.GetAccessKeyInfoInput) (*request.Request, *sts.GetAccessKeyInfoOutput)
+
+	GetCallerIdentity(*sts.GetCallerIdentityInput) (*sts.GetCallerIdentityOutput, error)
+	GetCallerIdentityWithContext(aws.Context, *sts.GetCallerIdentityInput, ...request.Option) (*sts.GetCallerIdentityOutput, error)
+	GetCallerIdentityRequest(*sts.GetCallerIdentityInput) (*request.Request, *sts.GetCallerIdentityOutput)
+
+	GetFederationToken(*sts.GetFederationTokenInput) (*sts.GetFederationTokenOutput, error)
+	GetFederationTokenWithContext(aws.Context, *sts.GetFederationTokenInput, ...request.Option) (*sts.GetFederationTokenOutput, error)
+	GetFederationTokenRequest(*sts.GetFederationTokenInput) (*request.Request, *sts.GetFederationTokenOutput)
+
+	GetSessionToken(*sts.GetSessionTokenInput) (*sts.GetSessionTokenOutput, error)
+	GetSessionTokenWithContext(aws.Context, *sts.GetSessionTokenInput, ...request.Option) (*sts.GetSessionTokenOutput, error)
+	GetSessionTokenRequest(*sts.GetSessionTokenInput) (*request.Request, *sts.GetSessionTokenOutput)
+}
+
+var _ STSAPI = (*sts.STS)(nil)