update: AWS Go SDK bump to the latest release (#4177)

2023-12-01 11:33:09 +00:00 · 2023-12-01 11:33:09 +00:00 · 8a0c1b754f
commit 8a0c1b754f
parent a2613975a1 6f84e87803
23 changed files with 8582 additions and 2321 deletions
--- a/go.mod
+++ b/go.mod
@ -8,7 +8,7 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.0
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0
 	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.0.0
-	github.com/aws/aws-sdk-go v1.44.325
+	github.com/aws/aws-sdk-go v1.48.10
 	github.com/bshuster-repo/logrus-logstash-hook v1.0.0
 	github.com/coreos/go-systemd/v22 v22.5.0
 	github.com/distribution/reference v0.5.0
--- a/go.sum
+++ b/go.sum
@ -61,8 +61,8 @@ github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuy
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
-github.com/aws/aws-sdk-go v1.44.325 h1:jF/L99fJSq/BfiLmUOflO/aM+LwcqBm0Fe/qTK5xxuI=
+github.com/aws/aws-sdk-go v1.48.10 h1:0LIFG3wp2Dt6PsxKWCg1Y1xRrn2vZnW5/gWdgaBalKg=
-github.com/aws/aws-sdk-go v1.44.325/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
+github.com/aws/aws-sdk-go v1.48.10/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
@ -319,7 +319,6 @@ github.com/stretchr/testify v1.8.3 h1:RP3t2pwF7cMEbC1dqtB6poj3niw/9gnV4Cjg5oW5gt
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
@ -341,7 +340,6 @@ golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
 golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@ -374,7 +372,6 @@ golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzB
 golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@ -404,10 +401,7 @@ golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81R
 golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
 golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
 golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@ -427,7 +421,6 @@ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@ -466,27 +459,19 @@ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
 golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@ -532,7 +517,6 @@ golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roY
 golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
--- a/vendor/github.com/aws/aws-sdk-go/aws/corehandlers/awsinternal.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/corehandlers/awsinternal.go
@ -0,0 +1,4 @@
 // DO NOT EDIT
 package corehandlers
 const isAwsInternal = ""
--- a/vendor/github.com/aws/aws-sdk-go/aws/corehandlers/user_agent.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/corehandlers/user_agent.go
@ -35,3 +35,13 @@ var AddHostExecEnvUserAgentHander = request.NamedHandler{
 		request.AddToUserAgent(r, execEnvUAKey+"/"+v)
 	},
 }
 var AddAwsInternal = request.NamedHandler{
 	Name: "core.AddAwsInternal",
 	Fn: func(r *request.Request) {
 		if len(isAwsInternal) == 0 {
 			return
 		}
 		request.AddToUserAgent(r, isAwsInternal)
 	},
 }
--- a/vendor/github.com/aws/aws-sdk-go/aws/credentials/endpointcreds/provider.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/credentials/endpointcreds/provider.go
@ -31,6 +31,8 @@ package endpointcreds
 import (
 	"encoding/json"
 	"fmt"
 	"strings"
 	"time"
 	"github.com/aws/aws-sdk-go/aws"
@ -69,7 +71,37 @@ type Provider struct {
 	// Optional authorization token value if set will be used as the value of
 	// the Authorization header of the endpoint credential request.
 	//
 	// When constructed from environment, the provider will use the value of
 	// AWS_CONTAINER_AUTHORIZATION_TOKEN environment variable as the token
 	//
 	// Will be overridden if AuthorizationTokenProvider is configured
 	AuthorizationToken string
 	// Optional auth provider func to dynamically load the auth token from a file
 	// everytime a credential is retrieved
 	//
 	// When constructed from environment, the provider will read and use the content
 	// of the file pointed to by AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE environment variable
 	// as the auth token everytime credentials are retrieved
 	//
 	// Will override AuthorizationToken if configured
 	AuthorizationTokenProvider AuthTokenProvider
 }
 // AuthTokenProvider defines an interface to dynamically load a value to be passed
 // for the Authorization header of a credentials request.
 type AuthTokenProvider interface {
 	GetToken() (string, error)
 }
 // TokenProviderFunc is a func type implementing AuthTokenProvider interface
 // and enables customizing token provider behavior
 type TokenProviderFunc func() (string, error)
 // GetToken func retrieves auth token according to TokenProviderFunc implementation
 func (p TokenProviderFunc) GetToken() (string, error) {
 	return p()
 }
 // NewProviderClient returns a credentials Provider for retrieving AWS credentials
@ -164,7 +196,20 @@ func (p *Provider) getCredentials(ctx aws.Context) (*getCredentialsOutput, error
 	req := p.Client.NewRequest(op, nil, out)
 	req.SetContext(ctx)
 	req.HTTPRequest.Header.Set("Accept", "application/json")
-	if authToken := p.AuthorizationToken; len(authToken) != 0 {
+
 	authToken := p.AuthorizationToken
 	var err error
 	if p.AuthorizationTokenProvider != nil {
 		authToken, err = p.AuthorizationTokenProvider.GetToken()
 		if err != nil {
 			return nil, fmt.Errorf("get authorization token: %v", err)
 		}
 	}
 	if strings.ContainsAny(authToken, "\r\n") {
 		return nil, fmt.Errorf("authorization token contains invalid newline sequence")
 	}
 	if len(authToken) != 0 {
 		req.HTTPRequest.Header.Set("Authorization", authToken)
 	}
--- a/vendor/github.com/aws/aws-sdk-go/aws/credentials/ssocreds/token_provider.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/credentials/ssocreds/token_provider.go
@ -111,6 +111,15 @@ func (p *SSOTokenProvider) refreshToken(token cachedToken) (cachedToken, error)
 	if err != nil {
 		return cachedToken{}, fmt.Errorf("unable to refresh SSO token, %v", err)
 	}
 	if createResult.ExpiresIn == nil {
 		return cachedToken{}, fmt.Errorf("missing required field ExpiresIn")
 	}
 	if createResult.AccessToken == nil {
 		return cachedToken{}, fmt.Errorf("missing required field AccessToken")
 	}
 	if createResult.RefreshToken == nil {
 		return cachedToken{}, fmt.Errorf("missing required field RefreshToken")
 	}
 	expiresAt := nowTime().Add(time.Duration(*createResult.ExpiresIn) * time.Second)
--- a/vendor/github.com/aws/aws-sdk-go/aws/defaults/defaults.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/defaults/defaults.go
@ -9,6 +9,7 @@ package defaults
 import (
 	"fmt"
 	"io/ioutil"
 	"net"
 	"net/http"
 	"net/url"
@ -74,6 +75,7 @@ func Handlers() request.Handlers {
 	handlers.Validate.PushBackNamed(corehandlers.ValidateEndpointHandler)
 	handlers.Validate.AfterEachFn = request.HandlerListStopOnError
 	handlers.Build.PushBackNamed(corehandlers.SDKVersionUserAgentHandler)
 	handlers.Build.PushBackNamed(corehandlers.AddAwsInternal)
 	handlers.Build.PushBackNamed(corehandlers.AddHostExecEnvUserAgentHander)
 	handlers.Build.AfterEachFn = request.HandlerListStopOnError
 	handlers.Sign.PushBackNamed(corehandlers.BuildContentLengthHandler)
@ -114,9 +116,31 @@ func CredProviders(cfg *aws.Config, handlers request.Handlers) []credentials.Pro
 const (
 	httpProviderAuthorizationEnvVar = "AWS_CONTAINER_AUTHORIZATION_TOKEN"
 	httpProviderAuthFileEnvVar      = "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE"
 	httpProviderEnvVar              = "AWS_CONTAINER_CREDENTIALS_FULL_URI"
 )
 // direct representation of the IPv4 address for the ECS container
 // "169.254.170.2"
 var ecsContainerIPv4 net.IP = []byte{
 	169, 254, 170, 2,
 }
 // direct representation of the IPv4 address for the EKS container
 // "169.254.170.23"
 var eksContainerIPv4 net.IP = []byte{
 	169, 254, 170, 23,
 }
 // direct representation of the IPv6 address for the EKS container
 // "fd00:ec2::23"
 var eksContainerIPv6 net.IP = []byte{
 	0xFD, 0, 0xE, 0xC2,
 	0, 0, 0, 0,
 	0, 0, 0, 0,
 	0, 0, 0, 0x23,
 }
 // RemoteCredProvider returns a credentials provider for the default remote
 // endpoints such as EC2 or ECS Roles.
 func RemoteCredProvider(cfg aws.Config, handlers request.Handlers) credentials.Provider {
@ -134,19 +158,22 @@ func RemoteCredProvider(cfg aws.Config, handlers request.Handlers) credentials.P
 var lookupHostFn = net.LookupHost
-func isLoopbackHost(host string) (bool, error) {
+// isAllowedHost allows host to be loopback or known ECS/EKS container IPs
-	ip := net.ParseIP(host)
+//
-	if ip != nil {
+// host can either be an IP address OR an unresolved hostname - resolution will
-		return ip.IsLoopback(), nil
+// be automatically performed in the latter case
 func isAllowedHost(host string) (bool, error) {
 	if ip := net.ParseIP(host); ip != nil {
 		return isIPAllowed(ip), nil
 	}
 	// Host is not an ip, perform lookup
 	addrs, err := lookupHostFn(host)
 	if err != nil {
 		return false, err
 	}
 	for _, addr := range addrs {
-		if !net.ParseIP(addr).IsLoopback() {
+		if ip := net.ParseIP(addr); ip == nil || !isIPAllowed(ip) {
 			return false, nil
 		}
 	}
@ -154,6 +181,13 @@ func isLoopbackHost(host string) (bool, error) {
 	return true, nil
 }
 func isIPAllowed(ip net.IP) bool {
 	return ip.IsLoopback() ||
 		ip.Equal(ecsContainerIPv4) ||
 		ip.Equal(eksContainerIPv4) ||
 		ip.Equal(eksContainerIPv6)
 }
 func localHTTPCredProvider(cfg aws.Config, handlers request.Handlers, u string) credentials.Provider {
 	var errMsg string
@ -164,10 +198,12 @@ func localHTTPCredProvider(cfg aws.Config, handlers request.Handlers, u string)
 		host := aws.URLHostname(parsed)
 		if len(host) == 0 {
 			errMsg = "unable to parse host from local HTTP cred provider URL"
-		} else if isLoopback, loopbackErr := isLoopbackHost(host); loopbackErr != nil {
+		} else if parsed.Scheme == "http" {
-			errMsg = fmt.Sprintf("failed to resolve host %q, %v", host, loopbackErr)
+			if isAllowedHost, allowHostErr := isAllowedHost(host); allowHostErr != nil {
-		} else if !isLoopback {
+				errMsg = fmt.Sprintf("failed to resolve host %q, %v", host, allowHostErr)
-			errMsg = fmt.Sprintf("invalid endpoint host, %q, only loopback hosts are allowed.", host)
+			} else if !isAllowedHost {
 				errMsg = fmt.Sprintf("invalid endpoint host, %q, only loopback/ecs/eks hosts are allowed.", host)
 			}
 		}
 	}
@ -189,6 +225,15 @@ func httpCredProvider(cfg aws.Config, handlers request.Handlers, u string) crede
 		func(p *endpointcreds.Provider) {
 			p.ExpiryWindow = 5 * time.Minute
 			p.AuthorizationToken = os.Getenv(httpProviderAuthorizationEnvVar)
 			if authFilePath := os.Getenv(httpProviderAuthFileEnvVar); authFilePath != "" {
 				p.AuthorizationTokenProvider = endpointcreds.TokenProviderFunc(func() (string, error) {
 					if contents, err := ioutil.ReadFile(authFilePath); err != nil {
 						return "", fmt.Errorf("failed to read authorization token from %v: %v", authFilePath, err)
 					} else {
 						return string(contents), nil
 					}
 				})
 			}
 		},
 	)
 }
--- a/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go
--- a/vendor/github.com/aws/aws-sdk-go/aws/session/env_config.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/session/env_config.go
@ -171,6 +171,12 @@ type envConfig struct {
 	// AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE=IPv6
 	EC2IMDSEndpointMode endpoints.EC2IMDSEndpointModeState
 	// Specifies that IMDS clients should not fallback to IMDSv1 if token
 	// requests fail.
 	//
 	// AWS_EC2_METADATA_V1_DISABLED=true
 	EC2IMDSv1Disabled *bool
 	// Specifies that SDK clients must resolve a dual-stack endpoint for
 	// services.
 	//
@ -251,6 +257,9 @@ var (
 	ec2IMDSEndpointModeEnvKey = []string{
 		"AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE",
 	}
 	ec2MetadataV1DisabledEnvKey = []string{
 		"AWS_EC2_METADATA_V1_DISABLED",
 	}
 	useCABundleKey = []string{
 		"AWS_CA_BUNDLE",
 	}
@ -393,6 +402,7 @@ func envConfigLoad(enableSharedConfig bool) (envConfig, error) {
 	if err := setEC2IMDSEndpointMode(&cfg.EC2IMDSEndpointMode, ec2IMDSEndpointModeEnvKey); err != nil {
 		return envConfig{}, err
 	}
 	setBoolPtrFromEnvVal(&cfg.EC2IMDSv1Disabled, ec2MetadataV1DisabledEnvKey)
 	if err := setUseDualStackEndpointFromEnvVal(&cfg.UseDualStackEndpoint, awsUseDualStackEndpoint); err != nil {
 		return cfg, err
@ -414,6 +424,24 @@ func setFromEnvVal(dst *string, keys []string) {
 	}
 }
 func setBoolPtrFromEnvVal(dst **bool, keys []string) {
 	for _, k := range keys {
 		value := os.Getenv(k)
 		if len(value) == 0 {
 			continue
 		}
 		switch {
 		case strings.EqualFold(value, "false"):
 			*dst = new(bool)
 			**dst = false
 		case strings.EqualFold(value, "true"):
 			*dst = new(bool)
 			**dst = true
 		}
 	}
 }
 func setEC2IMDSEndpointMode(mode *endpoints.EC2IMDSEndpointModeState, keys []string) error {
 	for _, k := range keys {
 		value := os.Getenv(k)
--- a/vendor/github.com/aws/aws-sdk-go/aws/session/session.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/session/session.go
@ -779,6 +779,14 @@ func mergeConfigSrcs(cfg, userCfg *aws.Config,
 		cfg.EndpointResolver = wrapEC2IMDSEndpoint(cfg.EndpointResolver, ec2IMDSEndpoint, endpointMode)
 	}
 	cfg.EC2MetadataEnableFallback = userCfg.EC2MetadataEnableFallback
 	if cfg.EC2MetadataEnableFallback == nil && envCfg.EC2IMDSv1Disabled != nil {
 		cfg.EC2MetadataEnableFallback = aws.Bool(!*envCfg.EC2IMDSv1Disabled)
 	}
 	if cfg.EC2MetadataEnableFallback == nil && sharedCfg.EC2IMDSv1Disabled != nil {
 		cfg.EC2MetadataEnableFallback = aws.Bool(!*sharedCfg.EC2IMDSv1Disabled)
 	}
 	cfg.S3UseARNRegion = userCfg.S3UseARNRegion
 	if cfg.S3UseARNRegion == nil {
 		cfg.S3UseARNRegion = &envCfg.S3UseARNRegion
--- a/vendor/github.com/aws/aws-sdk-go/aws/session/shared_config.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/session/shared_config.go
@ -80,6 +80,9 @@ const (
 	// EC2 IMDS Endpoint
 	ec2MetadataServiceEndpointKey = "ec2_metadata_service_endpoint"
 	// ECS IMDSv1 disable fallback
 	ec2MetadataV1DisabledKey = "ec2_metadata_v1_disabled"
 	// Use DualStack Endpoint Resolution
 	useDualStackEndpoint = "use_dualstack_endpoint"
@ -179,6 +182,12 @@ type sharedConfig struct {
 	// ec2_metadata_service_endpoint=http://fd00:ec2::254
 	EC2IMDSEndpoint string
 	// Specifies that IMDS clients should not fallback to IMDSv1 if token
 	// requests fail.
 	//
 	// ec2_metadata_v1_disabled=true
 	EC2IMDSv1Disabled *bool
 	// Specifies that SDK clients must resolve a dual-stack endpoint for
 	// services.
 	//
@ -389,8 +398,15 @@ func (cfg *sharedConfig) setFromIniFile(profile string, file sharedConfigFile, e
 		updateString(&cfg.Region, section, regionKey)
 		updateString(&cfg.CustomCABundle, section, customCABundleKey)
 		// we're retaining a behavioral quirk with this field that existed before
 		// the removal of literal parsing for (aws-sdk-go-v2/#2276):
 		//   - if the key is missing, the config field will not be set
 		//   - if the key is set to a non-numeric, the config field will be set to 0
 		if section.Has(roleDurationSecondsKey) {
-			d := time.Duration(section.Int(roleDurationSecondsKey)) * time.Second
+			var d time.Duration
 			if v, ok := section.Int(roleDurationSecondsKey); ok {
 				d = time.Duration(v) * time.Second
 			}
 			cfg.AssumeRoleDuration = &d
 		}
@ -427,6 +443,7 @@ func (cfg *sharedConfig) setFromIniFile(profile string, file sharedConfigFile, e
 				ec2MetadataServiceEndpointModeKey, file.Filename, err)
 		}
 		updateString(&cfg.EC2IMDSEndpoint, section, ec2MetadataServiceEndpointKey)
 		updateBoolPtr(&cfg.EC2IMDSv1Disabled, section, ec2MetadataV1DisabledKey)
 		updateUseDualStackEndpoint(&cfg.UseDualStackEndpoint, section, useDualStackEndpoint)
@ -668,7 +685,10 @@ func updateBool(dst *bool, section ini.Section, key string) {
 	if !section.Has(key) {
 		return
 	}
-	*dst = section.Bool(key)
+
 	// retains pre-(aws-sdk-go-v2#2276) behavior where non-bool value would resolve to false
 	v, _ := section.Bool(key)
 	*dst = v
 }
 // updateBoolPtr will only update the dst with the value in the section key,
@ -677,8 +697,11 @@ func updateBoolPtr(dst **bool, section ini.Section, key string) {
 	if !section.Has(key) {
 		return
 	}
 	// retains pre-(aws-sdk-go-v2#2276) behavior where non-bool value would resolve to false
 	v, _ := section.Bool(key)
 	*dst = new(bool)
-	**dst = section.Bool(key)
+	**dst = v
 }
 // SharedConfigLoadError is an error for the shared config file failed to load.
@ -805,7 +828,8 @@ func updateUseDualStackEndpoint(dst *endpoints.DualStackEndpointState, section i
 		return
 	}
-	if section.Bool(key) {
+	// retains pre-(aws-sdk-go-v2/#2276) behavior where non-bool value would resolve to false
 	if v, _ := section.Bool(key); v {
 		*dst = endpoints.DualStackEndpointStateEnabled
 	} else {
 		*dst = endpoints.DualStackEndpointStateDisabled
@ -821,7 +845,8 @@ func updateUseFIPSEndpoint(dst *endpoints.FIPSEndpointState, section ini.Section
 		return
 	}
-	if section.Bool(key) {
+	// retains pre-(aws-sdk-go-v2/#2276) behavior where non-bool value would resolve to false
 	if v, _ := section.Bool(key); v {
 		*dst = endpoints.FIPSEndpointStateEnabled
 	} else {
 		*dst = endpoints.FIPSEndpointStateDisabled
--- a/vendor/github.com/aws/aws-sdk-go/aws/signer/v4/v4.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/signer/v4/v4.go
@ -125,6 +125,7 @@ var requiredSignedHeaders = rules{
 			"X-Amz-Copy-Source-Server-Side-Encryption-Customer-Algorithm": struct{}{},
 			"X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key":       struct{}{},
 			"X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key-Md5":   struct{}{},
 			"X-Amz-Expected-Bucket-Owner":                                 struct{}{},
 			"X-Amz-Grant-Full-control":                                    struct{}{},
 			"X-Amz-Grant-Read":                                            struct{}{},
 			"X-Amz-Grant-Read-Acp":                                        struct{}{},
@ -135,6 +136,7 @@ var requiredSignedHeaders = rules{
 			"X-Amz-Request-Payer":                                         struct{}{},
 			"X-Amz-Server-Side-Encryption":                                struct{}{},
 			"X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id":                 struct{}{},
 			"X-Amz-Server-Side-Encryption-Context":                        struct{}{},
 			"X-Amz-Server-Side-Encryption-Customer-Algorithm":             struct{}{},
 			"X-Amz-Server-Side-Encryption-Customer-Key":                   struct{}{},
 			"X-Amz-Server-Side-Encryption-Customer-Key-Md5":               struct{}{},
--- a/vendor/github.com/aws/aws-sdk-go/aws/version.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/version.go
@ -5,4 +5,4 @@ package aws
 const SDKName = "aws-sdk-go"
 // SDKVersion is the version of this SDK
-const SDKVersion = "1.44.325"
+const SDKVersion = "1.48.10"
--- a/vendor/github.com/aws/aws-sdk-go/internal/ini/literal_tokens.go
+++ b/vendor/github.com/aws/aws-sdk-go/internal/ini/literal_tokens.go
@ -154,11 +154,11 @@ func (v ValueType) String() string {
 // ValueType enums
 const (
 	NoneType = ValueType(iota)
-	DecimalType
+	DecimalType // deprecated
-	IntegerType
+	IntegerType // deprecated
 	StringType
 	QuotedStringType
-	BoolType
+	BoolType // deprecated
 )
 // Value is a union container
@ -166,9 +166,9 @@ type Value struct {
 	Type ValueType
 	raw  []rune
-	integer int64
+	integer int64 // deprecated
-	decimal float64
+	decimal float64 // deprecated
-	boolean bool
+	boolean bool // deprecated
 	str     string
 }
@ -253,24 +253,6 @@ func newLitToken(b []rune) (Token, int, error) {
 		}
 		token = newToken(TokenLit, b[:n], QuotedStringType)
 	} else if isNumberValue(b) {
 		var base int
 		base, n, err = getNumericalValue(b)
 		if err != nil {
 			return token, 0, err
 		}
 		value := b[:n]
 		vType := IntegerType
 		if contains(value, '.') || hasExponent(value) {
 			vType = DecimalType
 		}
 		token = newToken(TokenLit, value, vType)
 		token.base = base
 	} else if isBoolValue(b) {
 		n, err = getBoolValue(b)
 		token = newToken(TokenLit, b[:n], BoolType)
 	} else {
 		n, err = getValue(b)
 		token = newToken(TokenLit, b[:n], StringType)
@ -280,18 +262,33 @@ func newLitToken(b []rune) (Token, int, error) {
 }
 // IntValue returns an integer value
-func (v Value) IntValue() int64 {
+func (v Value) IntValue() (int64, bool) {
-	return v.integer
+	i, err := strconv.ParseInt(string(v.raw), 0, 64)
 	if err != nil {
 		return 0, false
 	}
 	return i, true
 }
 // FloatValue returns a float value
-func (v Value) FloatValue() float64 {
+func (v Value) FloatValue() (float64, bool) {
-	return v.decimal
+	f, err := strconv.ParseFloat(string(v.raw), 64)
 	if err != nil {
 		return 0, false
 	}
 	return f, true
 }
 // BoolValue returns a bool value
-func (v Value) BoolValue() bool {
+func (v Value) BoolValue() (bool, bool) {
-	return v.boolean
+	// we don't use ParseBool as it recognizes more than what we've
 	// historically supported
 	if isCaselessLitValue(runesTrue, v.raw) {
 		return true, true
 	} else if isCaselessLitValue(runesFalse, v.raw) {
 		return false, true
 	}
 	return false, false
 }
 func isTrimmable(r rune) bool {
--- a/vendor/github.com/aws/aws-sdk-go/internal/ini/visitor.go
+++ b/vendor/github.com/aws/aws-sdk-go/internal/ini/visitor.go
@ -145,17 +145,17 @@ func (t Section) ValueType(k string) (ValueType, bool) {
 }
 // Bool returns a bool value at k
-func (t Section) Bool(k string) bool {
+func (t Section) Bool(k string) (bool, bool) {
 	return t.values[k].BoolValue()
 }
 // Int returns an integer value at k
-func (t Section) Int(k string) int64 {
+func (t Section) Int(k string) (int64, bool) {
 	return t.values[k].IntValue()
 }
 // Float64 returns a float value at k
-func (t Section) Float64(k string) float64 {
+func (t Section) Float64(k string) (float64, bool) {
 	return t.values[k].FloatValue()
 }
--- a/vendor/github.com/aws/aws-sdk-go/service/s3/api.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/s3/api.go
--- a/vendor/github.com/aws/aws-sdk-go/service/s3/errors.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/s3/errors.go
@ -25,6 +25,15 @@ const (
 	// "InvalidObjectState".
 	//
 	// Object is archived and inaccessible until restored.
 	//
 	// If the object you are retrieving is stored in the S3 Glacier Flexible Retrieval
 	// storage class, the S3 Glacier Deep Archive storage class, the S3 Intelligent-Tiering
 	// Archive Access tier, or the S3 Intelligent-Tiering Deep Archive Access tier,
 	// before you can retrieve the object you must first restore a copy using RestoreObject
 	// (https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html).
 	// Otherwise, this operation returns an InvalidObjectState error. For information
 	// about restoring archived objects, see Restoring Archived Objects (https://docs.aws.amazon.com/AmazonS3/latest/dev/restoring-objects.html)
 	// in the Amazon S3 User Guide.
 	ErrCodeInvalidObjectState = "InvalidObjectState"
 	// ErrCodeNoSuchBucket for service response error code
--- a/vendor/github.com/aws/aws-sdk-go/service/ssooidc/api.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/ssooidc/api.go
@ -56,9 +56,10 @@ func (c *SSOOIDC) CreateTokenRequest(input *CreateTokenInput) (req *request.Requ
 // CreateToken API operation for AWS SSO OIDC.
 //
-// Creates and returns an access token for the authorized client. The access
+// Creates and returns access and refresh tokens for clients that are authenticated
-// token issued will be used to fetch short-term credentials for the assigned
+// using client secrets. The access token can be used to fetch short-term credentials
-// roles in the AWS account.
+// for the assigned AWS accounts or to access application APIs using bearer
 // authentication.
 //
 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
 // with awserr.Error's Code and Message methods to get detailed information about
@ -133,6 +134,131 @@ func (c *SSOOIDC) CreateTokenWithContext(ctx aws.Context, input *CreateTokenInpu
 	return out, req.Send()
 }
 const opCreateTokenWithIAM = "CreateTokenWithIAM"
 // CreateTokenWithIAMRequest generates a "aws/request.Request" representing the
 // client's request for the CreateTokenWithIAM operation. The "output" return
 // value will be populated with the request's response once the request completes
 // successfully.
 //
 // Use "Send" method on the returned Request to send the API call to the service.
 // the "output" return value is not valid until after Send returns without error.
 //
 // See CreateTokenWithIAM for more information on using the CreateTokenWithIAM
 // API call, and error handling.
 //
 // This method is useful when you want to inject custom logic or configuration
 // into the SDK's request lifecycle. Such as custom headers, or retry logic.
 //
 //	// Example sending a request using the CreateTokenWithIAMRequest method.
 //	req, resp := client.CreateTokenWithIAMRequest(params)
 //
 //	err := req.Send()
 //	if err == nil { // resp is now filled
 //	    fmt.Println(resp)
 //	}
 //
 // See also, https://docs.aws.amazon.com/goto/WebAPI/sso-oidc-2019-06-10/CreateTokenWithIAM
 func (c *SSOOIDC) CreateTokenWithIAMRequest(input *CreateTokenWithIAMInput) (req *request.Request, output *CreateTokenWithIAMOutput) {
 	op := &request.Operation{
 		Name:       opCreateTokenWithIAM,
 		HTTPMethod: "POST",
 		HTTPPath:   "/token?aws_iam=t",
 	}
 	if input == nil {
 		input = &CreateTokenWithIAMInput{}
 	}
 	output = &CreateTokenWithIAMOutput{}
 	req = c.newRequest(op, input, output)
 	return
 }
 // CreateTokenWithIAM API operation for AWS SSO OIDC.
 //
 // Creates and returns access and refresh tokens for clients and applications
 // that are authenticated using IAM entities. The access token can be used to
 // fetch short-term credentials for the assigned AWS accounts or to access application
 // APIs using bearer authentication.
 //
 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
 // with awserr.Error's Code and Message methods to get detailed information about
 // the error.
 //
 // See the AWS API reference guide for AWS SSO OIDC's
 // API operation CreateTokenWithIAM for usage and error information.
 //
 // Returned Error Types:
 //
 //   - InvalidRequestException
 //     Indicates that something is wrong with the input to the request. For example,
 //     a required parameter might be missing or out of range.
 //
 //   - InvalidClientException
 //     Indicates that the clientId or clientSecret in the request is invalid. For
 //     example, this can occur when a client sends an incorrect clientId or an expired
 //     clientSecret.
 //
 //   - InvalidGrantException
 //     Indicates that a request contains an invalid grant. This can occur if a client
 //     makes a CreateToken request with an invalid grant type.
 //
 //   - UnauthorizedClientException
 //     Indicates that the client is not currently authorized to make the request.
 //     This can happen when a clientId is not issued for a public client.
 //
 //   - UnsupportedGrantTypeException
 //     Indicates that the grant type in the request is not supported by the service.
 //
 //   - InvalidScopeException
 //     Indicates that the scope provided in the request is invalid.
 //
 //   - AuthorizationPendingException
 //     Indicates that a request to authorize a client with an access user session
 //     token is pending.
 //
 //   - SlowDownException
 //     Indicates that the client is making the request too frequently and is more
 //     than the service can handle.
 //
 //   - AccessDeniedException
 //     You do not have sufficient access to perform this action.
 //
 //   - ExpiredTokenException
 //     Indicates that the token issued by the service is expired and is no longer
 //     valid.
 //
 //   - InternalServerException
 //     Indicates that an error from the service occurred while trying to process
 //     a request.
 //
 //   - InvalidRequestRegionException
 //     Indicates that a token provided as input to the request was issued by and
 //     is only usable by calling IAM Identity Center endpoints in another region.
 //
 // See also, https://docs.aws.amazon.com/goto/WebAPI/sso-oidc-2019-06-10/CreateTokenWithIAM
 func (c *SSOOIDC) CreateTokenWithIAM(input *CreateTokenWithIAMInput) (*CreateTokenWithIAMOutput, error) {
 	req, out := c.CreateTokenWithIAMRequest(input)
 	return out, req.Send()
 }
 // CreateTokenWithIAMWithContext is the same as CreateTokenWithIAM with the addition of
 // the ability to pass a context and additional request options.
 //
 // See CreateTokenWithIAM for details on how to use this API operation.
 //
 // The context must be non-nil and will be used for request cancellation. If
 // the context is nil a panic will occur. In the future the SDK may create
 // sub-contexts for http.Requests. See https://golang.org/pkg/context/
 // for more information on using Contexts.
 func (c *SSOOIDC) CreateTokenWithIAMWithContext(ctx aws.Context, input *CreateTokenWithIAMInput, opts ...request.Option) (*CreateTokenWithIAMOutput, error) {
 	req, out := c.CreateTokenWithIAMRequest(input)
 	req.SetContext(ctx)
 	req.ApplyOptions(opts...)
 	return out, req.Send()
 }
 const opRegisterClient = "RegisterClient"
 // RegisterClientRequest generates a "aws/request.Request" representing the
@ -331,8 +457,11 @@ type AccessDeniedException struct {
 	_            struct{}                  `type:"structure"`
 	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`
 	// Single error code. For this exception the value will be access_denied.
 	Error_ *string `locationName:"error" type:"string"`
 	// Human-readable text providing additional information, used to assist the
 	// client developer in understanding the error that occurred.
 	Error_description *string `locationName:"error_description" type:"string"`
 	Message_ *string `locationName:"message" type:"string"`
@ -400,8 +529,11 @@ type AuthorizationPendingException struct {
 	_            struct{}                  `type:"structure"`
 	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`
 	// Single error code. For this exception the value will be authorization_pending.
 	Error_ *string `locationName:"error" type:"string"`
 	// Human-readable text providing additional information, used to assist the
 	// client developer in understanding the error that occurred.
 	Error_description *string `locationName:"error_description" type:"string"`
 	Message_ *string `locationName:"message" type:"string"`
@ -466,8 +598,8 @@ func (s *AuthorizationPendingException) RequestID() string {
 type CreateTokenInput struct {
 	_ struct{} `type:"structure"`
-	// The unique identifier string for each client. This value should come from
+	// The unique identifier string for the client or application. This value comes
-	// the persisted result of the RegisterClient API.
+	// from the result of the RegisterClient API.
 	//
 	// ClientId is a required field
 	ClientId *string `locationName:"clientId" type:"string" required:"true"`
@ -475,23 +607,30 @@ type CreateTokenInput struct {
 	// A secret string generated for the client. This value should come from the
 	// persisted result of the RegisterClient API.
 	//
 	// ClientSecret is a sensitive parameter and its value will be
 	// replaced with "sensitive" in string returned by CreateTokenInput's
 	// String and GoString methods.
 	//
 	// ClientSecret is a required field
-	ClientSecret *string `locationName:"clientSecret" type:"string" required:"true"`
+	ClientSecret *string `locationName:"clientSecret" type:"string" required:"true" sensitive:"true"`
-	// The authorization code received from the authorization service. This parameter
+	// Used only when calling this API for the Authorization Code grant type. The
-	// is required to perform an authorization grant request to get access to a
+	// short-term code is used to identify this authorization request. This grant
-	// token.
+	// type is currently unsupported for the CreateToken API.
 	Code *string `locationName:"code" type:"string"`
-	// Used only when calling this API for the device code grant type. This short-term
+	// Used only when calling this API for the Device Code grant type. This short-term
-	// code is used to identify this authentication attempt. This should come from
+	// code is used to identify this authorization request. This comes from the
-	// an in-memory reference to the result of the StartDeviceAuthorization API.
+	// result of the StartDeviceAuthorization API.
 	DeviceCode *string `locationName:"deviceCode" type:"string"`
-	// Supports grant types for the authorization code, refresh token, and device
+	// Supports the following OAuth grant types: Device Code and Refresh Token.
-	// code request. For device code requests, specify the following value:
+	// Specify either of the following values, depending on the grant type that
 	// you want:
 	//
-	// urn:ietf:params:oauth:grant-type:device_code
+	// * Device Code - urn:ietf:params:oauth:grant-type:device_code
 	//
 	// * Refresh Token - refresh_token
 	//
 	// For information about how to obtain the device code, see the StartDeviceAuthorization
 	// topic.
@ -499,21 +638,28 @@ type CreateTokenInput struct {
 	// GrantType is a required field
 	GrantType *string `locationName:"grantType" type:"string" required:"true"`
-	// The location of the application that will receive the authorization code.
+	// Used only when calling this API for the Authorization Code grant type. This
-	// Users authorize the service to send the request to this location.
+	// value specifies the location of the client or application that has registered
 	// to receive the authorization code.
 	RedirectUri *string `locationName:"redirectUri" type:"string"`
-	// Currently, refreshToken is not yet implemented and is not supported. For
+	// Used only when calling this API for the Refresh Token grant type. This token
-	// more information about the features and limitations of the current IAM Identity
+	// is used to refresh short-term tokens, such as the access token, that might
-	// Center OIDC implementation, see Considerations for Using this Guide in the
+	// expire.
 	// IAM Identity Center OIDC API Reference (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html).
 	//
-	// The token used to obtain an access token in the event that the access token
+	// For more information about the features and limitations of the current IAM
-	// is invalid or expired.
+	// Identity Center OIDC implementation, see Considerations for Using this Guide
-	RefreshToken *string `locationName:"refreshToken" type:"string"`
+	// in the IAM Identity Center OIDC API Reference (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html).
 	//
 	// RefreshToken is a sensitive parameter and its value will be
 	// replaced with "sensitive" in string returned by CreateTokenInput's
 	// String and GoString methods.
 	RefreshToken *string `locationName:"refreshToken" type:"string" sensitive:"true"`
-	// The list of scopes that is defined by the client. Upon authorization, this
+	// The list of scopes for which authorization is requested. The access token
-	// list is used to restrict permissions when granting an access token.
+	// that is issued is limited to the scopes that are granted. If this value is
 	// not specified, IAM Identity Center authorizes all scopes that are configured
 	// for the client during the call to RegisterClient.
 	Scope []*string `locationName:"scope" type:"list"`
 }
@ -605,31 +751,43 @@ func (s *CreateTokenInput) SetScope(v []*string) *CreateTokenInput {
 type CreateTokenOutput struct {
 	_ struct{} `type:"structure"`
-	// An opaque token to access IAM Identity Center resources assigned to a user.
+	// A bearer token to access AWS accounts and applications assigned to a user.
-	AccessToken *string `locationName:"accessToken" type:"string"`
+	//
 	// AccessToken is a sensitive parameter and its value will be
 	// replaced with "sensitive" in string returned by CreateTokenOutput's
 	// String and GoString methods.
 	AccessToken *string `locationName:"accessToken" type:"string" sensitive:"true"`
 	// Indicates the time in seconds when an access token will expire.
 	ExpiresIn *int64 `locationName:"expiresIn" type:"integer"`
-	// Currently, idToken is not yet implemented and is not supported. For more
+	// The idToken is not implemented or supported. For more information about the
-	// information about the features and limitations of the current IAM Identity
+	// features and limitations of the current IAM Identity Center OIDC implementation,
-	// Center OIDC implementation, see Considerations for Using this Guide in the
+	// see Considerations for Using this Guide in the IAM Identity Center OIDC API
-	// IAM Identity Center OIDC API Reference (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html).
+	// Reference (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html).
 	//
-	// The identifier of the user that associated with the access token, if present.
+	// A JSON Web Token (JWT) that identifies who is associated with the issued
-	IdToken *string `locationName:"idToken" type:"string"`
+	// access token.
 	//
 	// IdToken is a sensitive parameter and its value will be
 	// replaced with "sensitive" in string returned by CreateTokenOutput's
 	// String and GoString methods.
 	IdToken *string `locationName:"idToken" type:"string" sensitive:"true"`
 	// Currently, refreshToken is not yet implemented and is not supported. For
 	// more information about the features and limitations of the current IAM Identity
 	// Center OIDC implementation, see Considerations for Using this Guide in the
 	// IAM Identity Center OIDC API Reference (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html).
 	//
 	// A token that, if present, can be used to refresh a previously issued access
 	// token that might have expired.
-	RefreshToken *string `locationName:"refreshToken" type:"string"`
+	//
 	// For more information about the features and limitations of the current IAM
 	// Identity Center OIDC implementation, see Considerations for Using this Guide
 	// in the IAM Identity Center OIDC API Reference (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html).
 	//
 	// RefreshToken is a sensitive parameter and its value will be
 	// replaced with "sensitive" in string returned by CreateTokenOutput's
 	// String and GoString methods.
 	RefreshToken *string `locationName:"refreshToken" type:"string" sensitive:"true"`
 	// Used to notify the client that the returned token is an access token. The
-	// supported type is BearerToken.
+	// supported token type is Bearer.
 	TokenType *string `locationName:"tokenType" type:"string"`
 }
@ -681,14 +839,312 @@ func (s *CreateTokenOutput) SetTokenType(v string) *CreateTokenOutput {
 	return s
 }
 type CreateTokenWithIAMInput struct {
 	_ struct{} `type:"structure"`
 	// Used only when calling this API for the JWT Bearer grant type. This value
 	// specifies the JSON Web Token (JWT) issued by a trusted token issuer. To authorize
 	// a trusted token issuer, configure the JWT Bearer GrantOptions for the application.
 	//
 	// Assertion is a sensitive parameter and its value will be
 	// replaced with "sensitive" in string returned by CreateTokenWithIAMInput's
 	// String and GoString methods.
 	Assertion *string `locationName:"assertion" type:"string" sensitive:"true"`
 	// The unique identifier string for the client or application. This value is
 	// an application ARN that has OAuth grants configured.
 	//
 	// ClientId is a required field
 	ClientId *string `locationName:"clientId" type:"string" required:"true"`
 	// Used only when calling this API for the Authorization Code grant type. This
 	// short-term code is used to identify this authorization request. The code
 	// is obtained through a redirect from IAM Identity Center to a redirect URI
 	// persisted in the Authorization Code GrantOptions for the application.
 	Code *string `locationName:"code" type:"string"`
 	// Supports the following OAuth grant types: Authorization Code, Refresh Token,
 	// JWT Bearer, and Token Exchange. Specify one of the following values, depending
 	// on the grant type that you want:
 	//
 	// * Authorization Code - authorization_code
 	//
 	// * Refresh Token - refresh_token
 	//
 	// * JWT Bearer - urn:ietf:params:oauth:grant-type:jwt-bearer
 	//
 	// * Token Exchange - urn:ietf:params:oauth:grant-type:token-exchange
 	//
 	// GrantType is a required field
 	GrantType *string `locationName:"grantType" type:"string" required:"true"`
 	// Used only when calling this API for the Authorization Code grant type. This
 	// value specifies the location of the client or application that has registered
 	// to receive the authorization code.
 	RedirectUri *string `locationName:"redirectUri" type:"string"`
 	// Used only when calling this API for the Refresh Token grant type. This token
 	// is used to refresh short-term tokens, such as the access token, that might
 	// expire.
 	//
 	// For more information about the features and limitations of the current IAM
 	// Identity Center OIDC implementation, see Considerations for Using this Guide
 	// in the IAM Identity Center OIDC API Reference (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html).
 	//
 	// RefreshToken is a sensitive parameter and its value will be
 	// replaced with "sensitive" in string returned by CreateTokenWithIAMInput's
 	// String and GoString methods.
 	RefreshToken *string `locationName:"refreshToken" type:"string" sensitive:"true"`
 	// Used only when calling this API for the Token Exchange grant type. This value
 	// specifies the type of token that the requester can receive. The following
 	// values are supported:
 	//
 	// * Access Token - urn:ietf:params:oauth:token-type:access_token
 	//
 	// * Refresh Token - urn:ietf:params:oauth:token-type:refresh_token
 	RequestedTokenType *string `locationName:"requestedTokenType" type:"string"`
 	// The list of scopes for which authorization is requested. The access token
 	// that is issued is limited to the scopes that are granted. If the value is
 	// not specified, IAM Identity Center authorizes all scopes configured for the
 	// application, including the following default scopes: openid, aws, sts:identity_context.
 	Scope []*string `locationName:"scope" type:"list"`
 	// Used only when calling this API for the Token Exchange grant type. This value
 	// specifies the subject of the exchange. The value of the subject token must
 	// be an access token issued by IAM Identity Center to a different client or
 	// application. The access token must have authorized scopes that indicate the
 	// requested application as a target audience.
 	//
 	// SubjectToken is a sensitive parameter and its value will be
 	// replaced with "sensitive" in string returned by CreateTokenWithIAMInput's
 	// String and GoString methods.
 	SubjectToken *string `locationName:"subjectToken" type:"string" sensitive:"true"`
 	// Used only when calling this API for the Token Exchange grant type. This value
 	// specifies the type of token that is passed as the subject of the exchange.
 	// The following value is supported:
 	//
 	// * Access Token - urn:ietf:params:oauth:token-type:access_token
 	SubjectTokenType *string `locationName:"subjectTokenType" type:"string"`
 }
 // String returns the string representation.
 //
 // API parameter values that are decorated as "sensitive" in the API will not
 // be included in the string output. The member name will be present, but the
 // value will be replaced with "sensitive".
 func (s CreateTokenWithIAMInput) String() string {
 	return awsutil.Prettify(s)
 }
 // GoString returns the string representation.
 //
 // API parameter values that are decorated as "sensitive" in the API will not
 // be included in the string output. The member name will be present, but the
 // value will be replaced with "sensitive".
 func (s CreateTokenWithIAMInput) GoString() string {
 	return s.String()
 }
 // Validate inspects the fields of the type to determine if they are valid.
 func (s *CreateTokenWithIAMInput) Validate() error {
 	invalidParams := request.ErrInvalidParams{Context: "CreateTokenWithIAMInput"}
 	if s.ClientId == nil {
 		invalidParams.Add(request.NewErrParamRequired("ClientId"))
 	}
 	if s.GrantType == nil {
 		invalidParams.Add(request.NewErrParamRequired("GrantType"))
 	}
 	if invalidParams.Len() > 0 {
 		return invalidParams
 	}
 	return nil
 }
 // SetAssertion sets the Assertion field's value.
 func (s *CreateTokenWithIAMInput) SetAssertion(v string) *CreateTokenWithIAMInput {
 	s.Assertion = &v
 	return s
 }
 // SetClientId sets the ClientId field's value.
 func (s *CreateTokenWithIAMInput) SetClientId(v string) *CreateTokenWithIAMInput {
 	s.ClientId = &v
 	return s
 }
 // SetCode sets the Code field's value.
 func (s *CreateTokenWithIAMInput) SetCode(v string) *CreateTokenWithIAMInput {
 	s.Code = &v
 	return s
 }
 // SetGrantType sets the GrantType field's value.
 func (s *CreateTokenWithIAMInput) SetGrantType(v string) *CreateTokenWithIAMInput {
 	s.GrantType = &v
 	return s
 }
 // SetRedirectUri sets the RedirectUri field's value.
 func (s *CreateTokenWithIAMInput) SetRedirectUri(v string) *CreateTokenWithIAMInput {
 	s.RedirectUri = &v
 	return s
 }
 // SetRefreshToken sets the RefreshToken field's value.
 func (s *CreateTokenWithIAMInput) SetRefreshToken(v string) *CreateTokenWithIAMInput {
 	s.RefreshToken = &v
 	return s
 }
 // SetRequestedTokenType sets the RequestedTokenType field's value.
 func (s *CreateTokenWithIAMInput) SetRequestedTokenType(v string) *CreateTokenWithIAMInput {
 	s.RequestedTokenType = &v
 	return s
 }
 // SetScope sets the Scope field's value.
 func (s *CreateTokenWithIAMInput) SetScope(v []*string) *CreateTokenWithIAMInput {
 	s.Scope = v
 	return s
 }
 // SetSubjectToken sets the SubjectToken field's value.
 func (s *CreateTokenWithIAMInput) SetSubjectToken(v string) *CreateTokenWithIAMInput {
 	s.SubjectToken = &v
 	return s
 }
 // SetSubjectTokenType sets the SubjectTokenType field's value.
 func (s *CreateTokenWithIAMInput) SetSubjectTokenType(v string) *CreateTokenWithIAMInput {
 	s.SubjectTokenType = &v
 	return s
 }
 type CreateTokenWithIAMOutput struct {
 	_ struct{} `type:"structure"`
 	// A bearer token to access AWS accounts and applications assigned to a user.
 	//
 	// AccessToken is a sensitive parameter and its value will be
 	// replaced with "sensitive" in string returned by CreateTokenWithIAMOutput's
 	// String and GoString methods.
 	AccessToken *string `locationName:"accessToken" type:"string" sensitive:"true"`
 	// Indicates the time in seconds when an access token will expire.
 	ExpiresIn *int64 `locationName:"expiresIn" type:"integer"`
 	// A JSON Web Token (JWT) that identifies the user associated with the issued
 	// access token.
 	//
 	// IdToken is a sensitive parameter and its value will be
 	// replaced with "sensitive" in string returned by CreateTokenWithIAMOutput's
 	// String and GoString methods.
 	IdToken *string `locationName:"idToken" type:"string" sensitive:"true"`
 	// Indicates the type of tokens that are issued by IAM Identity Center. The
 	// following values are supported:
 	//
 	// * Access Token - urn:ietf:params:oauth:token-type:access_token
 	//
 	// * Refresh Token - urn:ietf:params:oauth:token-type:refresh_token
 	IssuedTokenType *string `locationName:"issuedTokenType" type:"string"`
 	// A token that, if present, can be used to refresh a previously issued access
 	// token that might have expired.
 	//
 	// For more information about the features and limitations of the current IAM
 	// Identity Center OIDC implementation, see Considerations for Using this Guide
 	// in the IAM Identity Center OIDC API Reference (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html).
 	//
 	// RefreshToken is a sensitive parameter and its value will be
 	// replaced with "sensitive" in string returned by CreateTokenWithIAMOutput's
 	// String and GoString methods.
 	RefreshToken *string `locationName:"refreshToken" type:"string" sensitive:"true"`
 	// The list of scopes for which authorization is granted. The access token that
 	// is issued is limited to the scopes that are granted.
 	Scope []*string `locationName:"scope" type:"list"`
 	// Used to notify the requester that the returned token is an access token.
 	// The supported token type is Bearer.
 	TokenType *string `locationName:"tokenType" type:"string"`
 }
 // String returns the string representation.
 //
 // API parameter values that are decorated as "sensitive" in the API will not
 // be included in the string output. The member name will be present, but the
 // value will be replaced with "sensitive".
 func (s CreateTokenWithIAMOutput) String() string {
 	return awsutil.Prettify(s)
 }
 // GoString returns the string representation.
 //
 // API parameter values that are decorated as "sensitive" in the API will not
 // be included in the string output. The member name will be present, but the
 // value will be replaced with "sensitive".
 func (s CreateTokenWithIAMOutput) GoString() string {
 	return s.String()
 }
 // SetAccessToken sets the AccessToken field's value.
 func (s *CreateTokenWithIAMOutput) SetAccessToken(v string) *CreateTokenWithIAMOutput {
 	s.AccessToken = &v
 	return s
 }
 // SetExpiresIn sets the ExpiresIn field's value.
 func (s *CreateTokenWithIAMOutput) SetExpiresIn(v int64) *CreateTokenWithIAMOutput {
 	s.ExpiresIn = &v
 	return s
 }
 // SetIdToken sets the IdToken field's value.
 func (s *CreateTokenWithIAMOutput) SetIdToken(v string) *CreateTokenWithIAMOutput {
 	s.IdToken = &v
 	return s
 }
 // SetIssuedTokenType sets the IssuedTokenType field's value.
 func (s *CreateTokenWithIAMOutput) SetIssuedTokenType(v string) *CreateTokenWithIAMOutput {
 	s.IssuedTokenType = &v
 	return s
 }
 // SetRefreshToken sets the RefreshToken field's value.
 func (s *CreateTokenWithIAMOutput) SetRefreshToken(v string) *CreateTokenWithIAMOutput {
 	s.RefreshToken = &v
 	return s
 }
 // SetScope sets the Scope field's value.
 func (s *CreateTokenWithIAMOutput) SetScope(v []*string) *CreateTokenWithIAMOutput {
 	s.Scope = v
 	return s
 }
 // SetTokenType sets the TokenType field's value.
 func (s *CreateTokenWithIAMOutput) SetTokenType(v string) *CreateTokenWithIAMOutput {
 	s.TokenType = &v
 	return s
 }
 // Indicates that the token issued by the service is expired and is no longer
 // valid.
 type ExpiredTokenException struct {
 	_            struct{}                  `type:"structure"`
 	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`
 	// Single error code. For this exception the value will be expired_token.
 	Error_ *string `locationName:"error" type:"string"`
 	// Human-readable text providing additional information, used to assist the
 	// client developer in understanding the error that occurred.
 	Error_description *string `locationName:"error_description" type:"string"`
 	Message_ *string `locationName:"message" type:"string"`
@ -756,8 +1212,11 @@ type InternalServerException struct {
 	_            struct{}                  `type:"structure"`
 	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`
 	// Single error code. For this exception the value will be server_error.
 	Error_ *string `locationName:"error" type:"string"`
 	// Human-readable text providing additional information, used to assist the
 	// client developer in understanding the error that occurred.
 	Error_description *string `locationName:"error_description" type:"string"`
 	Message_ *string `locationName:"message" type:"string"`
@ -826,8 +1285,11 @@ type InvalidClientException struct {
 	_            struct{}                  `type:"structure"`
 	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`
 	// Single error code. For this exception the value will be invalid_client.
 	Error_ *string `locationName:"error" type:"string"`
 	// Human-readable text providing additional information, used to assist the
 	// client developer in understanding the error that occurred.
 	Error_description *string `locationName:"error_description" type:"string"`
 	Message_ *string `locationName:"message" type:"string"`
@ -895,8 +1357,11 @@ type InvalidClientMetadataException struct {
 	_            struct{}                  `type:"structure"`
 	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`
 	// Single error code. For this exception the value will be invalid_client_metadata.
 	Error_ *string `locationName:"error" type:"string"`
 	// Human-readable text providing additional information, used to assist the
 	// client developer in understanding the error that occurred.
 	Error_description *string `locationName:"error_description" type:"string"`
 	Message_ *string `locationName:"message" type:"string"`
@ -964,8 +1429,11 @@ type InvalidGrantException struct {
 	_            struct{}                  `type:"structure"`
 	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`
 	// Single error code. For this exception the value will be invalid_grant.
 	Error_ *string `locationName:"error" type:"string"`
 	// Human-readable text providing additional information, used to assist the
 	// client developer in understanding the error that occurred.
 	Error_description *string `locationName:"error_description" type:"string"`
 	Message_ *string `locationName:"message" type:"string"`
@ -1033,8 +1501,11 @@ type InvalidRequestException struct {
 	_            struct{}                  `type:"structure"`
 	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`
 	// Single error code. For this exception the value will be invalid_request.
 	Error_ *string `locationName:"error" type:"string"`
 	// Human-readable text providing additional information, used to assist the
 	// client developer in understanding the error that occurred.
 	Error_description *string `locationName:"error_description" type:"string"`
 	Message_ *string `locationName:"message" type:"string"`
@ -1096,13 +1567,95 @@ func (s *InvalidRequestException) RequestID() string {
 	return s.RespMetadata.RequestID
 }
 // Indicates that a token provided as input to the request was issued by and
 // is only usable by calling IAM Identity Center endpoints in another region.
 type InvalidRequestRegionException struct {
 	_            struct{}                  `type:"structure"`
 	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`
 	// Indicates the IAM Identity Center endpoint which the requester may call with
 	// this token.
 	Endpoint *string `locationName:"endpoint" type:"string"`
 	// Single error code. For this exception the value will be invalid_request.
 	Error_ *string `locationName:"error" type:"string"`
 	// Human-readable text providing additional information, used to assist the
 	// client developer in understanding the error that occurred.
 	Error_description *string `locationName:"error_description" type:"string"`
 	Message_ *string `locationName:"message" type:"string"`
 	// Indicates the region which the requester may call with this token.
 	Region *string `locationName:"region" type:"string"`
 }
 // String returns the string representation.
 //
 // API parameter values that are decorated as "sensitive" in the API will not
 // be included in the string output. The member name will be present, but the
 // value will be replaced with "sensitive".
 func (s InvalidRequestRegionException) String() string {
 	return awsutil.Prettify(s)
 }
 // GoString returns the string representation.
 //
 // API parameter values that are decorated as "sensitive" in the API will not
 // be included in the string output. The member name will be present, but the
 // value will be replaced with "sensitive".
 func (s InvalidRequestRegionException) GoString() string {
 	return s.String()
 }
 func newErrorInvalidRequestRegionException(v protocol.ResponseMetadata) error {
 	return &InvalidRequestRegionException{
 		RespMetadata: v,
 	}
 }
 // Code returns the exception type name.
 func (s *InvalidRequestRegionException) Code() string {
 	return "InvalidRequestRegionException"
 }
 // Message returns the exception's message.
 func (s *InvalidRequestRegionException) Message() string {
 	if s.Message_ != nil {
 		return *s.Message_
 	}
 	return ""
 }
 // OrigErr always returns nil, satisfies awserr.Error interface.
 func (s *InvalidRequestRegionException) OrigErr() error {
 	return nil
 }
 func (s *InvalidRequestRegionException) Error() string {
 	return fmt.Sprintf("%s: %s\n%s", s.Code(), s.Message(), s.String())
 }
 // Status code returns the HTTP status code for the request's response error.
 func (s *InvalidRequestRegionException) StatusCode() int {
 	return s.RespMetadata.StatusCode
 }
 // RequestID returns the service's response RequestID for request.
 func (s *InvalidRequestRegionException) RequestID() string {
 	return s.RespMetadata.RequestID
 }
 // Indicates that the scope provided in the request is invalid.
 type InvalidScopeException struct {
 	_            struct{}                  `type:"structure"`
 	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`
 	// Single error code. For this exception the value will be invalid_scope.
 	Error_ *string `locationName:"error" type:"string"`
 	// Human-readable text providing additional information, used to assist the
 	// client developer in understanding the error that occurred.
 	Error_description *string `locationName:"error_description" type:"string"`
 	Message_ *string `locationName:"message" type:"string"`
@ -1238,7 +1791,7 @@ func (s *RegisterClientInput) SetScopes(v []*string) *RegisterClientInput {
 type RegisterClientOutput struct {
 	_ struct{} `type:"structure"`
-	// The endpoint where the client can request authorization.
+	// An endpoint that the client can use to request authorization.
 	AuthorizationEndpoint *string `locationName:"authorizationEndpoint" type:"string"`
 	// The unique identifier string for each client. This client uses this identifier
@ -1250,12 +1803,16 @@ type RegisterClientOutput struct {
 	// A secret string generated for the client. The client will use this string
 	// to get authenticated by the service in subsequent calls.
-	ClientSecret *string `locationName:"clientSecret" type:"string"`
+	//
 	// ClientSecret is a sensitive parameter and its value will be
 	// replaced with "sensitive" in string returned by RegisterClientOutput's
 	// String and GoString methods.
 	ClientSecret *string `locationName:"clientSecret" type:"string" sensitive:"true"`
 	// Indicates the time at which the clientId and clientSecret will become invalid.
 	ClientSecretExpiresAt *int64 `locationName:"clientSecretExpiresAt" type:"long"`
-	// The endpoint where the client can get an access token.
+	// An endpoint that the client can use to create tokens.
 	TokenEndpoint *string `locationName:"tokenEndpoint" type:"string"`
 }
@ -1319,8 +1876,11 @@ type SlowDownException struct {
 	_            struct{}                  `type:"structure"`
 	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`
 	// Single error code. For this exception the value will be slow_down.
 	Error_ *string `locationName:"error" type:"string"`
 	// Human-readable text providing additional information, used to assist the
 	// client developer in understanding the error that occurred.
 	Error_description *string `locationName:"error_description" type:"string"`
 	Message_ *string `locationName:"message" type:"string"`
@ -1395,11 +1955,15 @@ type StartDeviceAuthorizationInput struct {
 	// A secret string that is generated for the client. This value should come
 	// from the persisted result of the RegisterClient API operation.
 	//
 	// ClientSecret is a sensitive parameter and its value will be
 	// replaced with "sensitive" in string returned by StartDeviceAuthorizationInput's
 	// String and GoString methods.
 	//
 	// ClientSecret is a required field
-	ClientSecret *string `locationName:"clientSecret" type:"string" required:"true"`
+	ClientSecret *string `locationName:"clientSecret" type:"string" required:"true" sensitive:"true"`
-	// The URL for the AWS access portal. For more information, see Using the AWS
+	// The URL for the Amazon Web Services access portal. For more information,
-	// access portal (https://docs.aws.amazon.com/singlesignon/latest/userguide/using-the-portal.html)
+	// see Using the Amazon Web Services access portal (https://docs.aws.amazon.com/singlesignon/latest/userguide/using-the-portal.html)
 	// in the IAM Identity Center User Guide.
 	//
 	// StartUrl is a required field
@ -1550,8 +2114,11 @@ type UnauthorizedClientException struct {
 	_            struct{}                  `type:"structure"`
 	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`
 	// Single error code. For this exception the value will be unauthorized_client.
 	Error_ *string `locationName:"error" type:"string"`
 	// Human-readable text providing additional information, used to assist the
 	// client developer in understanding the error that occurred.
 	Error_description *string `locationName:"error_description" type:"string"`
 	Message_ *string `locationName:"message" type:"string"`
@ -1618,8 +2185,11 @@ type UnsupportedGrantTypeException struct {
 	_            struct{}                  `type:"structure"`
 	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`
 	// Single error code. For this exception the value will be unsupported_grant_type.
 	Error_ *string `locationName:"error" type:"string"`
 	// Human-readable text providing additional information, used to assist the
 	// client developer in understanding the error that occurred.
 	Error_description *string `locationName:"error_description" type:"string"`
 	Message_ *string `locationName:"message" type:"string"`
--- a/vendor/github.com/aws/aws-sdk-go/service/ssooidc/doc.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/ssooidc/doc.go
@ -3,15 +3,13 @@
 // Package ssooidc provides the client and types for making API
 // requests to AWS SSO OIDC.
 //
-// AWS IAM Identity Center (successor to AWS Single Sign-On) OpenID Connect
+// IAM Identity Center OpenID Connect (OIDC) is a web service that enables a
-// (OIDC) is a web service that enables a client (such as AWS CLI or a native
+// client (such as CLI or a native application) to register with IAM Identity
-// application) to register with IAM Identity Center. The service also enables
+// Center. The service also enables the client to fetch the user’s access
-// the client to fetch the user’s access token upon successful authentication
+// token upon successful authentication and authorization with IAM Identity
-// and authorization with IAM Identity Center.
+// Center.
 //
-// Although AWS Single Sign-On was renamed, the sso and identitystore API namespaces
+// IAM Identity Center uses the sso and identitystore API namespaces.
 // will continue to retain their original name for backward compatibility purposes.
 // For more information, see IAM Identity Center rename (https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html#renamed).
 //
 // # Considerations for Using This Guide
 //
@ -22,21 +20,24 @@
 //   - The IAM Identity Center OIDC service currently implements only the portions
 //     of the OAuth 2.0 Device Authorization Grant standard (https://tools.ietf.org/html/rfc8628
 //     (https://tools.ietf.org/html/rfc8628)) that are necessary to enable single
-//     sign-on authentication with the AWS CLI. Support for other OIDC flows
+//     sign-on authentication with the CLI.
 //     frequently needed for native applications, such as Authorization Code
 //     Flow (+ PKCE), will be addressed in future releases.
 //
-//   - The service emits only OIDC access tokens, such that obtaining a new
+//   - With older versions of the CLI, the service only emits OIDC access tokens,
-//     token (For example, token refresh) requires explicit user re-authentication.
+//     so to obtain a new token, users must explicitly re-authenticate. To access
 //     the OIDC flow that supports token refresh and doesn’t require re-authentication,
 //     update to the latest CLI version (1.27.10 for CLI V1 and 2.9.0 for CLI
 //     V2) with support for OIDC token refresh and configurable IAM Identity
 //     Center session durations. For more information, see Configure Amazon Web
 //     Services access portal session duration (https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-user-session.html).
 //
-//   - The access tokens provided by this service grant access to all AWS account
+//   - The access tokens provided by this service grant access to all Amazon
-//     entitlements assigned to an IAM Identity Center user, not just a particular
+//     Web Services account entitlements assigned to an IAM Identity Center user,
-//     application.
+//     not just a particular application.
 //
 //   - The documentation in this guide does not describe the mechanism to convert
-//     the access token into AWS Auth (“sigv4”) credentials for use with
+//     the access token into Amazon Web Services Auth (“sigv4”) credentials
-//     IAM-protected AWS service endpoints. For more information, see GetRoleCredentials
+//     for use with IAM-protected Amazon Web Services service endpoints. For
-//     (https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/API_GetRoleCredentials.html)
+//     more information, see GetRoleCredentials (https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/API_GetRoleCredentials.html)
 //     in the IAM Identity Center Portal API Reference Guide.
 //
 // For general information about IAM Identity Center, see What is IAM Identity
--- a/vendor/github.com/aws/aws-sdk-go/service/ssooidc/errors.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/ssooidc/errors.go
@ -64,6 +64,13 @@ const (
 	// a required parameter might be missing or out of range.
 	ErrCodeInvalidRequestException = "InvalidRequestException"
 	// ErrCodeInvalidRequestRegionException for service response error code
 	// "InvalidRequestRegionException".
 	//
 	// Indicates that a token provided as input to the request was issued by and
 	// is only usable by calling IAM Identity Center endpoints in another region.
 	ErrCodeInvalidRequestRegionException = "InvalidRequestRegionException"
 	// ErrCodeInvalidScopeException for service response error code
 	// "InvalidScopeException".
 	//
@ -100,6 +107,7 @@ var exceptionFromCode = map[string]func(protocol.ResponseMetadata) error{
 	"InvalidClientMetadataException": newErrorInvalidClientMetadataException,
 	"InvalidGrantException":          newErrorInvalidGrantException,
 	"InvalidRequestException":        newErrorInvalidRequestException,
 	"InvalidRequestRegionException":  newErrorInvalidRequestRegionException,
 	"InvalidScopeException":          newErrorInvalidScopeException,
 	"SlowDownException":              newErrorSlowDownException,
 	"UnauthorizedClientException":    newErrorUnauthorizedClientException,
--- a/vendor/github.com/aws/aws-sdk-go/service/ssooidc/service.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/ssooidc/service.go
@ -51,7 +51,7 @@ const (
 func New(p client.ConfigProvider, cfgs ...*aws.Config) *SSOOIDC {
 	c := p.ClientConfig(EndpointsID, cfgs...)
 	if c.SigningNameDerived || len(c.SigningName) == 0 {
-		c.SigningName = "awsssooidc"
+		c.SigningName = "sso-oauth"
 	}
 	return newClient(*c.Config, c.Handlers, c.PartitionID, c.Endpoint, c.SigningRegion, c.SigningName, c.ResolvedRegion)
 }
--- a/vendor/github.com/aws/aws-sdk-go/service/sts/api.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/sts/api.go
@ -1460,7 +1460,15 @@ type AssumeRoleInput struct {
 	// in the IAM User Guide.
 	PolicyArns []*PolicyDescriptorType `type:"list"`
-	// Reserved for future use.
+	// A list of previously acquired trusted context assertions in the format of
 	// a JSON array. The trusted context assertion is signed and encrypted by Amazon
 	// Web Services STS.
 	//
 	// The following is an example of a ProvidedContext value that includes a single
 	// trusted context assertion and the ARN of the context provider from which
 	// the trusted context assertion was generated.
 	//
 	// [{"ProviderArn":"arn:aws:iam::aws:contextProvider/IdentityCenter","ContextAssertion":"trusted-context-assertion"}]
 	ProvidedContexts []*ProvidedContext `type:"list"`
 	// The Amazon Resource Name (ARN) of the role to assume.
@ -3405,14 +3413,18 @@ func (s *PolicyDescriptorType) SetArn(v string) *PolicyDescriptorType {
 	return s
 }
-// Reserved for future use.
+// Contains information about the provided context. This includes the signed
 // and encrypted trusted context assertion and the context provider ARN from
 // which the trusted context assertion was generated.
 type ProvidedContext struct {
 	_ struct{} `type:"structure"`
-	// Reserved for future use.
+	// The signed and encrypted trusted context assertion generated by the context
 	// provider. The trusted context assertion is signed and encrypted by Amazon
 	// Web Services STS.
 	ContextAssertion *string `min:"4" type:"string"`
-	// Reserved for future use.
+	// The context provider ARN from which the trusted context assertion was generated.
 	ProviderArn *string `min:"20" type:"string"`
 }
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@ -91,8 +91,8 @@ github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/options
 github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/shared
 github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/version
 github.com/AzureAD/microsoft-authentication-library-for-go/apps/public
-# github.com/aws/aws-sdk-go v1.44.325
+# github.com/aws/aws-sdk-go v1.48.10
-## explicit; go 1.11
+## explicit; go 1.19
 github.com/aws/aws-sdk-go/aws
 github.com/aws/aws-sdk-go/aws/arn
 github.com/aws/aws-sdk-go/aws/auth/bearer