go.mod

@@ -3,7 +3,7 @@ module idun
 go 1.21
 
 require (
-	github.com/aws/aws-sdk-go v1.45.25
+	github.com/aws/aws-sdk-go v1.55.5
 	github.com/pkg/sftp v1.13.6
 	github.com/rs/zerolog v1.31.0
 	github.com/stretchr/testify v1.8.4

go.sum

@@ -1,5 +1,7 @@
 github.com/aws/aws-sdk-go v1.45.25 h1:c4fLlh5sLdK2DCRTY1z0hyuJZU4ygxX8m1FswL6/nF4=
 github.com/aws/aws-sdk-go v1.45.25/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
+github.com/aws/aws-sdk-go v1.55.5 h1:KKUZBfBoyqy5d3swXyiC7Q76ic40rYcbqH7qjh59kzU=
+github.com/aws/aws-sdk-go v1.55.5/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/cpuguy83/go-md2man/v2 v2.0.2 h1:p1EgwI/C7NhT0JmVkwCD2ZBK8j4aeHQX2pMHHBfMQ6w=
 github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=

vendor/github.com/aws/aws-sdk-go/aws/config.go

@@ -442,6 +442,17 @@ func (c *Config) WithUseDualStack(enable bool) *Config {
 	return c
 }
 
+// WithUseFIPSEndpoint sets a config UseFIPSEndpoint value returning a Config
+// pointer for chaining.
+func (c *Config) WithUseFIPSEndpoint(enable bool) *Config {
+	if enable {
+		c.UseFIPSEndpoint = endpoints.FIPSEndpointStateEnabled
+	} else {
+		c.UseFIPSEndpoint = endpoints.FIPSEndpointStateDisabled
+	}
+	return c
+}
+
 // WithEC2MetadataDisableTimeoutOverride sets a config EC2MetadataDisableTimeoutOverride value
 // returning a Config pointer for chaining.
 func (c *Config) WithEC2MetadataDisableTimeoutOverride(enable bool) *Config {

vendor/github.com/aws/aws-sdk-go/aws/credentials/endpointcreds/provider.go

@@ -31,6 +31,8 @@ package endpointcreds
 
 import (
 	"encoding/json"
+	"fmt"
+	"strings"
 	"time"
 
 	"github.com/aws/aws-sdk-go/aws"
@@ -69,7 +71,37 @@ type Provider struct {
 
 	// Optional authorization token value if set will be used as the value of
 	// the Authorization header of the endpoint credential request.
+	//
+	// When constructed from environment, the provider will use the value of
+	// AWS_CONTAINER_AUTHORIZATION_TOKEN environment variable as the token
+	//
+	// Will be overridden if AuthorizationTokenProvider is configured
 	AuthorizationToken string
+
+	// Optional auth provider func to dynamically load the auth token from a file
+	// everytime a credential is retrieved
+	//
+	// When constructed from environment, the provider will read and use the content
+	// of the file pointed to by AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE environment variable
+	// as the auth token everytime credentials are retrieved
+	//
+	// Will override AuthorizationToken if configured
+	AuthorizationTokenProvider AuthTokenProvider
+}
+
+// AuthTokenProvider defines an interface to dynamically load a value to be passed
+// for the Authorization header of a credentials request.
+type AuthTokenProvider interface {
+	GetToken() (string, error)
+}
+
+// TokenProviderFunc is a func type implementing AuthTokenProvider interface
+// and enables customizing token provider behavior
+type TokenProviderFunc func() (string, error)
+
+// GetToken func retrieves auth token according to TokenProviderFunc implementation
+func (p TokenProviderFunc) GetToken() (string, error) {
+	return p()
 }
 
 // NewProviderClient returns a credentials Provider for retrieving AWS credentials
@@ -164,7 +196,20 @@ func (p *Provider) getCredentials(ctx aws.Context) (*getCredentialsOutput, error
 	req := p.Client.NewRequest(op, nil, out)
 	req.SetContext(ctx)
 	req.HTTPRequest.Header.Set("Accept", "application/json")
-	if authToken := p.AuthorizationToken; len(authToken) != 0 {
+
+	authToken := p.AuthorizationToken
+	var err error
+	if p.AuthorizationTokenProvider != nil {
+		authToken, err = p.AuthorizationTokenProvider.GetToken()
+		if err != nil {
+			return nil, fmt.Errorf("get authorization token: %v", err)
+		}
+	}
+
+	if strings.ContainsAny(authToken, "\r\n") {
+		return nil, fmt.Errorf("authorization token contains invalid newline sequence")
+	}
+	if len(authToken) != 0 {
 		req.HTTPRequest.Header.Set("Authorization", authToken)
 	}
 

vendor/github.com/aws/aws-sdk-go/aws/defaults/defaults.go

@@ -9,6 +9,7 @@ package defaults
 
 import (
 	"fmt"
+	"io/ioutil"
 	"net"
 	"net/http"
 	"net/url"
@@ -115,9 +116,31 @@ func CredProviders(cfg *aws.Config, handlers request.Handlers) []credentials.Pro
 
 const (
 	httpProviderAuthorizationEnvVar = "AWS_CONTAINER_AUTHORIZATION_TOKEN"
+	httpProviderAuthFileEnvVar      = "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE"
 	httpProviderEnvVar              = "AWS_CONTAINER_CREDENTIALS_FULL_URI"
 )
 
+// direct representation of the IPv4 address for the ECS container
+// "169.254.170.2"
+var ecsContainerIPv4 net.IP = []byte{
+	169, 254, 170, 2,
+}
+
+// direct representation of the IPv4 address for the EKS container
+// "169.254.170.23"
+var eksContainerIPv4 net.IP = []byte{
+	169, 254, 170, 23,
+}
+
+// direct representation of the IPv6 address for the EKS container
+// "fd00:ec2::23"
+var eksContainerIPv6 net.IP = []byte{
+	0xFD, 0, 0xE, 0xC2,
+	0, 0, 0, 0,
+	0, 0, 0, 0,
+	0, 0, 0, 0x23,
+}
+
 // RemoteCredProvider returns a credentials provider for the default remote
 // endpoints such as EC2 or ECS Roles.
 func RemoteCredProvider(cfg aws.Config, handlers request.Handlers) credentials.Provider {
@@ -135,19 +158,22 @@ func RemoteCredProvider(cfg aws.Config, handlers request.Handlers) credentials.P
 
 var lookupHostFn = net.LookupHost
 
-func isLoopbackHost(host string) (bool, error) {
-	ip := net.ParseIP(host)
-	if ip != nil {
-		return ip.IsLoopback(), nil
+// isAllowedHost allows host to be loopback or known ECS/EKS container IPs
+//
+// host can either be an IP address OR an unresolved hostname - resolution will
+// be automatically performed in the latter case
+func isAllowedHost(host string) (bool, error) {
+	if ip := net.ParseIP(host); ip != nil {
+		return isIPAllowed(ip), nil
 	}
 
-	// Host is not an ip, perform lookup
 	addrs, err := lookupHostFn(host)
 	if err != nil {
 		return false, err
 	}
+
 	for _, addr := range addrs {
-		if !net.ParseIP(addr).IsLoopback() {
+		if ip := net.ParseIP(addr); ip == nil || !isIPAllowed(ip) {
 			return false, nil
 		}
 	}
@@ -155,6 +181,13 @@ func isLoopbackHost(host string) (bool, error) {
 	return true, nil
 }
 
+func isIPAllowed(ip net.IP) bool {
+	return ip.IsLoopback() ||
+		ip.Equal(ecsContainerIPv4) ||
+		ip.Equal(eksContainerIPv4) ||
+		ip.Equal(eksContainerIPv6)
+}
+
 func localHTTPCredProvider(cfg aws.Config, handlers request.Handlers, u string) credentials.Provider {
 	var errMsg string
 
@@ -165,10 +198,12 @@ func localHTTPCredProvider(cfg aws.Config, handlers request.Handlers, u string)
 		host := aws.URLHostname(parsed)
 		if len(host) == 0 {
 			errMsg = "unable to parse host from local HTTP cred provider URL"
-		} else if isLoopback, loopbackErr := isLoopbackHost(host); loopbackErr != nil {
-			errMsg = fmt.Sprintf("failed to resolve host %q, %v", host, loopbackErr)
-		} else if !isLoopback {
-			errMsg = fmt.Sprintf("invalid endpoint host, %q, only loopback hosts are allowed.", host)
+		} else if parsed.Scheme == "http" {
+			if isAllowedHost, allowHostErr := isAllowedHost(host); allowHostErr != nil {
+				errMsg = fmt.Sprintf("failed to resolve host %q, %v", host, allowHostErr)
+			} else if !isAllowedHost {
+				errMsg = fmt.Sprintf("invalid endpoint host, %q, only loopback/ecs/eks hosts are allowed.", host)
+			}
 		}
 	}
 
@@ -190,6 +225,15 @@ func httpCredProvider(cfg aws.Config, handlers request.Handlers, u string) crede
 		func(p *endpointcreds.Provider) {
 			p.ExpiryWindow = 5 * time.Minute
 			p.AuthorizationToken = os.Getenv(httpProviderAuthorizationEnvVar)
+			if authFilePath := os.Getenv(httpProviderAuthFileEnvVar); authFilePath != "" {
+				p.AuthorizationTokenProvider = endpointcreds.TokenProviderFunc(func() (string, error) {
+					if contents, err := ioutil.ReadFile(authFilePath); err != nil {
+						return "", fmt.Errorf("failed to read authorization token from %v: %v", authFilePath, err)
+					} else {
+						return string(contents), nil
+					}
+				})
+			}
 		},
 	)
 }

vendor/github.com/aws/aws-sdk-go/aws/ec2metadata/token_provider.go

@@ -2,6 +2,7 @@ package ec2metadata
 
 import (
 	"fmt"
+	"github.com/aws/aws-sdk-go/aws"
 	"net/http"
 	"sync/atomic"
 	"time"
@@ -65,7 +66,9 @@ func (t *tokenProvider) fetchTokenHandler(r *request.Request) {
 			switch requestFailureError.StatusCode() {
 			case http.StatusForbidden, http.StatusNotFound, http.StatusMethodNotAllowed:
 				atomic.StoreUint32(&t.disabled, 1)
-				t.client.Config.Logger.Log(fmt.Sprintf("WARN: failed to get session token, falling back to IMDSv1: %v", requestFailureError))
+				if t.client.Config.LogLevel.Matches(aws.LogDebugWithDeprecated) {
+					t.client.Config.Logger.Log(fmt.Sprintf("WARN: failed to get session token, falling back to IMDSv1: %v", requestFailureError))
+				}
 			case http.StatusBadRequest:
 				r.Error = requestFailureError
 			}

vendor/github.com/aws/aws-sdk-go/aws/request/waiter.go

@@ -256,8 +256,17 @@ func (a *WaiterAcceptor) match(name string, l aws.Logger, req *Request, err erro
 		s := a.Expected.(int)
 		result = s == req.HTTPResponse.StatusCode
 	case ErrorWaiterMatch:
-		if aerr, ok := err.(awserr.Error); ok {
-			result = aerr.Code() == a.Expected.(string)
+		switch ex := a.Expected.(type) {
+		case string:
+			if aerr, ok := err.(awserr.Error); ok {
+				result = aerr.Code() == ex
+			}
+		case bool:
+			if ex {
+				result = err != nil
+			} else {
+				result = err == nil
+			}
 		}
 	default:
 		waiterLogf(l, "WARNING: Waiter %s encountered unexpected matcher: %s",

vendor/github.com/aws/aws-sdk-go/aws/session/env_config.go

@@ -171,6 +171,12 @@ type envConfig struct {
 	// AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE=IPv6
 	EC2IMDSEndpointMode endpoints.EC2IMDSEndpointModeState
 
+	// Specifies that IMDS clients should not fallback to IMDSv1 if token
+	// requests fail.
+	//
+	// AWS_EC2_METADATA_V1_DISABLED=true
+	EC2IMDSv1Disabled *bool
+
 	// Specifies that SDK clients must resolve a dual-stack endpoint for
 	// services.
 	//
@@ -251,6 +257,9 @@ var (
 	ec2IMDSEndpointModeEnvKey = []string{
 		"AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE",
 	}
+	ec2MetadataV1DisabledEnvKey = []string{
+		"AWS_EC2_METADATA_V1_DISABLED",
+	}
 	useCABundleKey = []string{
 		"AWS_CA_BUNDLE",
 	}
@@ -393,6 +402,7 @@ func envConfigLoad(enableSharedConfig bool) (envConfig, error) {
 	if err := setEC2IMDSEndpointMode(&cfg.EC2IMDSEndpointMode, ec2IMDSEndpointModeEnvKey); err != nil {
 		return envConfig{}, err
 	}
+	setBoolPtrFromEnvVal(&cfg.EC2IMDSv1Disabled, ec2MetadataV1DisabledEnvKey)
 
 	if err := setUseDualStackEndpointFromEnvVal(&cfg.UseDualStackEndpoint, awsUseDualStackEndpoint); err != nil {
 		return cfg, err
@@ -414,6 +424,24 @@ func setFromEnvVal(dst *string, keys []string) {
 	}
 }
 
+func setBoolPtrFromEnvVal(dst **bool, keys []string) {
+	for _, k := range keys {
+		value := os.Getenv(k)
+		if len(value) == 0 {
+			continue
+		}
+
+		switch {
+		case strings.EqualFold(value, "false"):
+			*dst = new(bool)
+			**dst = false
+		case strings.EqualFold(value, "true"):
+			*dst = new(bool)
+			**dst = true
+		}
+	}
+}
+
 func setEC2IMDSEndpointMode(mode *endpoints.EC2IMDSEndpointModeState, keys []string) error {
 	for _, k := range keys {
 		value := os.Getenv(k)

vendor/github.com/aws/aws-sdk-go/aws/session/session.go

@@ -779,6 +779,14 @@ func mergeConfigSrcs(cfg, userCfg *aws.Config,
 		cfg.EndpointResolver = wrapEC2IMDSEndpoint(cfg.EndpointResolver, ec2IMDSEndpoint, endpointMode)
 	}
 
+	cfg.EC2MetadataEnableFallback = userCfg.EC2MetadataEnableFallback
+	if cfg.EC2MetadataEnableFallback == nil && envCfg.EC2IMDSv1Disabled != nil {
+		cfg.EC2MetadataEnableFallback = aws.Bool(!*envCfg.EC2IMDSv1Disabled)
+	}
+	if cfg.EC2MetadataEnableFallback == nil && sharedCfg.EC2IMDSv1Disabled != nil {
+		cfg.EC2MetadataEnableFallback = aws.Bool(!*sharedCfg.EC2IMDSv1Disabled)
+	}
+
 	cfg.S3UseARNRegion = userCfg.S3UseARNRegion
 	if cfg.S3UseARNRegion == nil {
 		cfg.S3UseARNRegion = &envCfg.S3UseARNRegion

vendor/github.com/aws/aws-sdk-go/aws/session/shared_config.go

@@ -80,6 +80,9 @@ const (
 	// EC2 IMDS Endpoint
 	ec2MetadataServiceEndpointKey = "ec2_metadata_service_endpoint"
 
+	// ECS IMDSv1 disable fallback
+	ec2MetadataV1DisabledKey = "ec2_metadata_v1_disabled"
+
 	// Use DualStack Endpoint Resolution
 	useDualStackEndpoint = "use_dualstack_endpoint"
 
@@ -179,6 +182,12 @@ type sharedConfig struct {
 	// ec2_metadata_service_endpoint=http://fd00:ec2::254
 	EC2IMDSEndpoint string
 
+	// Specifies that IMDS clients should not fallback to IMDSv1 if token
+	// requests fail.
+	//
+	// ec2_metadata_v1_disabled=true
+	EC2IMDSv1Disabled *bool
+
 	// Specifies that SDK clients must resolve a dual-stack endpoint for
 	// services.
 	//
@@ -434,6 +443,7 @@ func (cfg *sharedConfig) setFromIniFile(profile string, file sharedConfigFile, e
 				ec2MetadataServiceEndpointModeKey, file.Filename, err)
 		}
 		updateString(&cfg.EC2IMDSEndpoint, section, ec2MetadataServiceEndpointKey)
+		updateBoolPtr(&cfg.EC2IMDSv1Disabled, section, ec2MetadataV1DisabledKey)
 
 		updateUseDualStackEndpoint(&cfg.UseDualStackEndpoint, section, useDualStackEndpoint)
 

vendor/github.com/aws/aws-sdk-go/aws/signer/v4/v4.go

@@ -125,6 +125,7 @@ var requiredSignedHeaders = rules{
 			"X-Amz-Copy-Source-Server-Side-Encryption-Customer-Algorithm": struct{}{},
 			"X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key":       struct{}{},
 			"X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key-Md5":   struct{}{},
+			"X-Amz-Expected-Bucket-Owner":                                 struct{}{},
 			"X-Amz-Grant-Full-control":                                    struct{}{},
 			"X-Amz-Grant-Read":                                            struct{}{},
 			"X-Amz-Grant-Read-Acp":                                        struct{}{},

vendor/github.com/aws/aws-sdk-go/aws/version.go

@@ -5,4 +5,4 @@ package aws
 const SDKName = "aws-sdk-go"
 
 // SDKVersion is the version of this SDK
-const SDKVersion = "1.45.25"
+const SDKVersion = "1.55.5"

vendor/github.com/aws/aws-sdk-go/private/protocol/query/queryutil/queryutil.go

@@ -122,8 +122,8 @@ func (q *queryParser) parseStruct(v url.Values, value reflect.Value, prefix stri
 }
 
 func (q *queryParser) parseList(v url.Values, value reflect.Value, prefix string, tag reflect.StructTag) error {
-	// If it's empty, generate an empty value
-	if !value.IsNil() && value.Len() == 0 {
+	// If it's empty, and not ec2, generate an empty value
+	if !value.IsNil() && value.Len() == 0 && !q.isEC2 {
 		v.Set(prefix, "")
 		return nil
 	}

vendor/github.com/aws/aws-sdk-go/service/s3/errors.go

@@ -25,6 +25,15 @@ const (
 	// "InvalidObjectState".
 	//
 	// Object is archived and inaccessible until restored.
+	//
+	// If the object you are retrieving is stored in the S3 Glacier Flexible Retrieval
+	// storage class, the S3 Glacier Deep Archive storage class, the S3 Intelligent-Tiering
+	// Archive Access tier, or the S3 Intelligent-Tiering Deep Archive Access tier,
+	// before you can retrieve the object you must first restore a copy using RestoreObject
+	// (https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html).
+	// Otherwise, this operation returns an InvalidObjectState error. For information
+	// about restoring archived objects, see Restoring Archived Objects (https://docs.aws.amazon.com/AmazonS3/latest/dev/restoring-objects.html)
+	// in the Amazon S3 User Guide.
 	ErrCodeInvalidObjectState = "InvalidObjectState"
 
 	// ErrCodeNoSuchBucket for service response error code

vendor/github.com/aws/aws-sdk-go/service/ssooidc/doc.go

@@ -3,15 +3,13 @@
 // Package ssooidc provides the client and types for making API
 // requests to AWS SSO OIDC.
 //
-// AWS IAM Identity Center (successor to AWS Single Sign-On) OpenID Connect
-// (OIDC) is a web service that enables a client (such as AWS CLI or a native
-// application) to register with IAM Identity Center. The service also enables
-// the client to fetch the user’s access token upon successful authentication
-// and authorization with IAM Identity Center.
+// IAM Identity Center OpenID Connect (OIDC) is a web service that enables a
+// client (such as CLI or a native application) to register with IAM Identity
+// Center. The service also enables the client to fetch the user’s access
+// token upon successful authentication and authorization with IAM Identity
+// Center.
 //
-// Although AWS Single Sign-On was renamed, the sso and identitystore API namespaces
-// will continue to retain their original name for backward compatibility purposes.
-// For more information, see IAM Identity Center rename (https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html#renamed).
+// IAM Identity Center uses the sso and identitystore API namespaces.
 //
 // # Considerations for Using This Guide
 //
@@ -22,21 +20,24 @@
 //   - The IAM Identity Center OIDC service currently implements only the portions
 //     of the OAuth 2.0 Device Authorization Grant standard (https://tools.ietf.org/html/rfc8628
 //     (https://tools.ietf.org/html/rfc8628)) that are necessary to enable single
-//     sign-on authentication with the AWS CLI. Support for other OIDC flows
-//     frequently needed for native applications, such as Authorization Code
-//     Flow (+ PKCE), will be addressed in future releases.
+//     sign-on authentication with the CLI.
 //
-//   - The service emits only OIDC access tokens, such that obtaining a new
-//     token (For example, token refresh) requires explicit user re-authentication.
+//   - With older versions of the CLI, the service only emits OIDC access tokens,
+//     so to obtain a new token, users must explicitly re-authenticate. To access
+//     the OIDC flow that supports token refresh and doesn’t require re-authentication,
+//     update to the latest CLI version (1.27.10 for CLI V1 and 2.9.0 for CLI
+//     V2) with support for OIDC token refresh and configurable IAM Identity
+//     Center session durations. For more information, see Configure Amazon Web
+//     Services access portal session duration (https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-user-session.html).
 //
-//   - The access tokens provided by this service grant access to all AWS account
-//     entitlements assigned to an IAM Identity Center user, not just a particular
-//     application.
+//   - The access tokens provided by this service grant access to all Amazon
+//     Web Services account entitlements assigned to an IAM Identity Center user,
+//     not just a particular application.
 //
 //   - The documentation in this guide does not describe the mechanism to convert
-//     the access token into AWS Auth (“sigv4”) credentials for use with
-//     IAM-protected AWS service endpoints. For more information, see GetRoleCredentials
-//     (https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/API_GetRoleCredentials.html)
+//     the access token into Amazon Web Services Auth (“sigv4”) credentials
+//     for use with IAM-protected Amazon Web Services service endpoints. For
+//     more information, see GetRoleCredentials (https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/API_GetRoleCredentials.html)
 //     in the IAM Identity Center Portal API Reference Guide.
 //
 // For general information about IAM Identity Center, see What is IAM Identity

vendor/github.com/aws/aws-sdk-go/service/ssooidc/errors.go

@@ -57,6 +57,13 @@ const (
 	// makes a CreateToken request with an invalid grant type.
 	ErrCodeInvalidGrantException = "InvalidGrantException"
 
+	// ErrCodeInvalidRedirectUriException for service response error code
+	// "InvalidRedirectUriException".
+	//
+	// Indicates that one or more redirect URI in the request is not supported for
+	// this operation.
+	ErrCodeInvalidRedirectUriException = "InvalidRedirectUriException"
+
 	// ErrCodeInvalidRequestException for service response error code
 	// "InvalidRequestException".
 	//
@@ -64,6 +71,13 @@ const (
 	// a required parameter might be missing or out of range.
 	ErrCodeInvalidRequestException = "InvalidRequestException"
 
+	// ErrCodeInvalidRequestRegionException for service response error code
+	// "InvalidRequestRegionException".
+	//
+	// Indicates that a token provided as input to the request was issued by and
+	// is only usable by calling IAM Identity Center endpoints in another region.
+	ErrCodeInvalidRequestRegionException = "InvalidRequestRegionException"
+
 	// ErrCodeInvalidScopeException for service response error code
 	// "InvalidScopeException".
 	//
@@ -99,7 +113,9 @@ var exceptionFromCode = map[string]func(protocol.ResponseMetadata) error{
 	"InvalidClientException":         newErrorInvalidClientException,
 	"InvalidClientMetadataException": newErrorInvalidClientMetadataException,
 	"InvalidGrantException":          newErrorInvalidGrantException,
+	"InvalidRedirectUriException":    newErrorInvalidRedirectUriException,
 	"InvalidRequestException":        newErrorInvalidRequestException,
+	"InvalidRequestRegionException":  newErrorInvalidRequestRegionException,
 	"InvalidScopeException":          newErrorInvalidScopeException,
 	"SlowDownException":              newErrorSlowDownException,
 	"UnauthorizedClientException":    newErrorUnauthorizedClientException,

vendor/github.com/aws/aws-sdk-go/service/ssooidc/service.go

@@ -51,7 +51,7 @@ const (
 func New(p client.ConfigProvider, cfgs ...*aws.Config) *SSOOIDC {
 	c := p.ClientConfig(EndpointsID, cfgs...)
 	if c.SigningNameDerived || len(c.SigningName) == 0 {
-		c.SigningName = "awsssooidc"
+		c.SigningName = "sso-oauth"
 	}
 	return newClient(*c.Config, c.Handlers, c.PartitionID, c.Endpoint, c.SigningRegion, c.SigningName, c.ResolvedRegion)
 }

vendor/github.com/aws/aws-sdk-go/service/sts/api.go

@@ -1460,7 +1460,15 @@ type AssumeRoleInput struct {
 	// in the IAM User Guide.
 	PolicyArns []*PolicyDescriptorType `type:"list"`
 
-	// Reserved for future use.
+	// A list of previously acquired trusted context assertions in the format of
+	// a JSON array. The trusted context assertion is signed and encrypted by Amazon
+	// Web Services STS.
+	//
+	// The following is an example of a ProvidedContext value that includes a single
+	// trusted context assertion and the ARN of the context provider from which
+	// the trusted context assertion was generated.
+	//
+	// [{"ProviderArn":"arn:aws:iam::aws:contextProvider/IdentityCenter","ContextAssertion":"trusted-context-assertion"}]
 	ProvidedContexts []*ProvidedContext `type:"list"`
 
 	// The Amazon Resource Name (ARN) of the role to assume.
@@ -3405,14 +3413,18 @@ func (s *PolicyDescriptorType) SetArn(v string) *PolicyDescriptorType {
 	return s
 }
 
-// Reserved for future use.
+// Contains information about the provided context. This includes the signed
+// and encrypted trusted context assertion and the context provider ARN from
+// which the trusted context assertion was generated.
 type ProvidedContext struct {
 	_ struct{} `type:"structure"`
 
-	// Reserved for future use.
+	// The signed and encrypted trusted context assertion generated by the context
+	// provider. The trusted context assertion is signed and encrypted by Amazon
+	// Web Services STS.
 	ContextAssertion *string `min:"4" type:"string"`
 
-	// Reserved for future use.
+	// The context provider ARN from which the trusted context assertion was generated.
 	ProviderArn *string `min:"20" type:"string"`
 }
 

vendor/modules.txt

@@ -1,5 +1,5 @@
-# github.com/aws/aws-sdk-go v1.45.25
-## explicit; go 1.11
+# github.com/aws/aws-sdk-go v1.55.5
+## explicit; go 1.19
 github.com/aws/aws-sdk-go/aws
 github.com/aws/aws-sdk-go/aws/arn
 github.com/aws/aws-sdk-go/aws/auth/bearer