2 changes: 1 addition & 1 deletion manifest.json
@@ -1,6 +1,6 @@
{
"variables": {
"${LATEST}": "3.326.0"
"${LATEST}": "3.327.1"
},
"endpoints": "https://raw.githubusercontent.com/aws/aws-sdk-php/${LATEST}/src/data/endpoints.json",
"services": {
1 change: 1 addition & 0 deletions src/Core/CHANGELOG.md
Expand Up @@ -10,6 +10,7 @@

- use strict comparison `null !==` instead of `!`
- Fix CS
- AWS enhancement: Documentation updates.

## 1.22.1

2 changes: 1 addition & 1 deletion src/Core/src/Sts/Exception/RegionDisabledException.php
Expand Up @@ -7,7 +7,7 @@
/**
* STS is not activated in the requested region for the account that is being asked to generate credentials. The account
* administrator must use the IAM console to activate STS in that region. For more information, see Activating and
* Deactivating Amazon Web Services STS in an Amazon Web Services Region [^1] in the *IAM User Guide*.
* Deactivating STS in an Amazon Web Services Region [^1] in the *IAM User Guide*.
*
* [^1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html
*/
30 changes: 21 additions & 9 deletions src/Core/src/Sts/Input/AssumeRoleRequest.php
Expand Up @@ -30,9 +30,16 @@ final class AssumeRoleRequest extends Input
* subsequent cross-account API requests that use the temporary security credentials will expose the role session name
* to the external account in their CloudTrail logs.
*
* For security purposes, administrators can view this field in CloudTrail logs [^1] to help identify who performed an
* action in Amazon Web Services. Your administrator might require that you specify your user name as the session name
* when you assume the role. For more information, see `sts:RoleSessionName` [^2].
*
* The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric
* characters with no spaces. You can also include underscores or any of the following characters: =,.@-
*
* [^1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html#cloudtrail-integration_signin-tempcreds
* [^2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_rolesessionname
*
* @required
*
* @var string|null
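Review bot: The added paragraph ending "see `sts:RoleSessionName` [^2]" recommends using your user name as the session name, while the unchanged sentence directly above it says cross-account requests expose the role session name to the external account in their CloudTrail logs. If this docblock can be adjusted locally, a short cross-reference between the two would help readers weigh the recommendation against the exposure; if it is generated from the SDK data pinned in manifest.json, the point belongs upstream.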
Expand Down Expand Up @@ -83,7 +90,10 @@ final class AssumeRoleRequest extends Input
* > plaintext meets the other requirements. The `PackedPolicySize` response element indicates by percentage how close
* > the policies and tags for your request are to the upper size limit.
*
* For more information about role session permissions, see Session policies [^2].
*
* [^1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
* [^2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
*
* @var string|null
*/
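Review bot: Footnote `[^2]` added at the end of this docblock has the same URL as the existing `[^1]` (`access_policies.html#policies_session`). The new sentence "see Session policies [^2]" could cite `[^1]` instead, or the generator could deduplicate identical link targets so the footnote list does not accumulate repeats.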
Expand All @@ -101,7 +111,7 @@ final class AssumeRoleRequest extends Input
* the `DurationSeconds` parameter. You can specify a parameter value of up to 43200 seconds (12 hours), depending on
* the maximum session duration setting for your role. However, if you assume a role using role chaining and provide a
* `DurationSeconds` parameter value greater than one hour, the operation fails. To learn how to view the maximum value
* for your role, see View the Maximum Session Duration Setting for a Role [^1] in the *IAM User Guide*.
* for your role, see Update the maximum session duration for a role [^1].
*
* By default, the value is set to `3600` seconds.
*
Expand All @@ -110,7 +120,7 @@ final class AssumeRoleRequest extends Input
* > parameter that specifies the maximum length of the console session. For more information, see Creating a URL that
* > Enables Federated Users to Access the Amazon Web Services Management Console [^2] in the *IAM User Guide*.
*
* [^1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
* [^1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-role-settings.html#id_roles_update-session-duration
* [^2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
*
* @var int|null
Expand Down Expand Up @@ -156,8 +166,7 @@ final class AssumeRoleRequest extends Input
* corresponding key and value passes to subsequent sessions in a role chain. For more information, see Chaining Roles
* with Session Tags [^1] in the *IAM User Guide*.
*
* This parameter is optional. When you set session tags as transitive, the session policy and session tags packed
* binary limit is not affected.
* This parameter is optional. The transitive status of a session tag does not impact its packed binary size.
*
* If you choose not to specify a transitive tag key, then no tags are passed from this session to any subsequent
* sessions.
Expand Down Expand Up @@ -211,19 +220,22 @@ final class AssumeRoleRequest extends Input
private $tokenCode;

/**
* The source identity specified by the principal that is calling the `AssumeRole` operation.
* The source identity specified by the principal that is calling the `AssumeRole` operation. The source identity value
* persists across chained role [^1] sessions.
*
* You can require users to specify a source identity when they assume a role. You do this by using the
* `sts:SourceIdentity` condition key in a role trust policy. You can use source identity information in CloudTrail logs
* to determine who took actions with a role. You can use the `aws:SourceIdentity` condition key to further control
* `sts:SourceIdentity` [^2] condition key in a role trust policy. You can use source identity information in CloudTrail
* logs to determine who took actions with a role. You can use the `aws:SourceIdentity` condition key to further control
* access to Amazon Web Services resources based on the value of source identity. For more information about using
* source identity, see Monitor and control actions taken with assumed roles [^1] in the *IAM User Guide*.
* source identity, see Monitor and control actions taken with assumed roles [^3] in the *IAM User Guide*.
*
* The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric
* characters with no spaces. You can also include underscores or any of the following characters: =,.@-. You cannot use
* a value that begins with the text `aws:`. This prefix is reserved for Amazon Web Services internal use.
*
* [^1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
* [^1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#iam-term-role-chaining
* [^2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceidentity
* [^3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
*
* @var string|null
*/
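Review bot: The new `[^2]` footnote attached to `sts:SourceIdentity` links to `reference_policies_condition-keys.html#condition-keys-sourceidentity`, whereas the `sts:RoleSessionName` footnote added elsewhere in this patch links to `reference_policies_iam-condition-keys.html`. Please confirm the target documents the `sts:` key used in the trust policy rather than the `aws:SourceIdentity` key mentioned two sentences later. The renumbering of the old `[^1]` to `[^3]` looks consistent with the text.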
23 changes: 22 additions & 1 deletion src/Core/src/Sts/Input/AssumeRoleWithWebIdentityRequest.php
Expand Up @@ -13,6 +13,16 @@ final class AssumeRoleWithWebIdentityRequest extends Input
/**
* The Amazon Resource Name (ARN) of the role that the caller is assuming.
*
* > Additional considerations apply to Amazon Cognito identity pools that assume cross-account IAM roles [^1]. The
* > trust policies of these roles must accept the `cognito-identity.amazonaws.com` service principal and must contain
* > the `cognito-identity.amazonaws.com:aud` condition key to restrict role assumption to users from your intended
* > identity pools. A policy that trusts Amazon Cognito identity pools without this condition creates a risk that a
* > user from an unintended identity pool can assume the role. For more information, see Trust policies for IAM roles
* > in Basic (Classic) authentication [^2] in the *Amazon Cognito Developer Guide*.
*
* [^1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html
* [^2]: https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html#trust-policies
*
* @required
*
* @var string|null
Expand All @@ -25,9 +35,16 @@ final class AssumeRoleWithWebIdentityRequest extends Input
* associated with that user. This session name is included as part of the ARN and assumed role ID in the
* `AssumedRoleUser` response element.
*
* For security purposes, administrators can view this field in CloudTrail logs [^1] to help identify who performed an
* action in Amazon Web Services. Your administrator might require that you specify your user name as the session name
* when you assume the role. For more information, see `sts:RoleSessionName` [^2].
*
* The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric
* characters with no spaces. You can also include underscores or any of the following characters: =,.@-
*
* [^1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html#cloudtrail-integration_signin-tempcreds
* [^2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_rolesessionname
*
* @required
*
* @var string|null
Expand All @@ -37,7 +54,8 @@ final class AssumeRoleWithWebIdentityRequest extends Input
/**
* The OAuth 2.0 access token or OpenID Connect ID token that is provided by the identity provider. Your application
* must get this token by authenticating the user who is using your application with a web identity provider before the
* application makes an `AssumeRoleWithWebIdentity` call. Only tokens with RSA algorithms (RS256) are supported.
* application makes an `AssumeRoleWithWebIdentity` call. Timestamps in the token must be formatted as either an integer
* or a long integer. Only tokens with RSA algorithms (RS256) are supported.
*
* @required
*
Expand Down Expand Up @@ -97,12 +115,15 @@ final class AssumeRoleWithWebIdentityRequest extends Input
* policy characters can be any ASCII character from the space character to the end of the valid character list (\u0020
* through \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage return (\u000D) characters.
*
* For more information about role session permissions, see Session policies [^2].
*
* > An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs, and session
* > tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your
* > plaintext meets the other requirements. The `PackedPolicySize` response element indicates by percentage how close
* > the policies and tags for your request are to the upper size limit.
*
* [^1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
* [^2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
*
* @var string|null
*/
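Review bot: As in AssumeRoleRequest, the added `[^2]` footnote repeats the URL of `[^1]` (`access_policies.html#policies_session`), so the new "see Session policies [^2]" sentence could reuse `[^1]`. The sentence is also placed before the packed-policy blockquote here but after it in AssumeRoleRequest; keeping the same order in both docblocks would make the two inputs easier to compare.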
Expand Up @@ -85,7 +85,7 @@ class AssumeRoleWithWebIdentityResponse extends Result
* The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric
* characters with no spaces. You can also include underscores or any of the following characters: =,.@-
*
* [^1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining
* [^1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts
* [^2]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html
* [^3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
*
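Review bot: The replacement `[^1]` URL moves the page to `id_roles.html` but also changes the anchor from `#iam-term-role-chaining` to `#id_roles_terms-and-concepts`, while the role-chaining footnote added to AssumeRoleRequest in this same patch uses `id_roles.html#iam-term-role-chaining`. If both footnotes are meant to point at the role-chaining definition, they should share one anchor; worth checking which of the two resolves.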