diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1,20 +1,86 @@
 # Amazon Security Token Service SDK
 
-> _Warning:_ This is an experimental preview release which is still under heavy development and not intended for public consumption, _caveat emptor_!
-
+* [Version](#version)
 * [Description](#description)
 * [Contribute](#contribute)
 * [Licence](#licence)
 
+
+## Version
+
+`1.0.0`
+
+
 ## Description
 
-The AWS Security Token Service (STS) is a web service that enables you to
-request temporary, limited-privilege credentials for AWS Identity and Access
-Management (IAM) users or for users that you authenticate (federated users).
+AWS Security Token Service
 
+The AWS Security Token Service (STS) is a web service that enables you
+to request temporary, limited-privilege credentials for AWS Identity and
+Access Management (IAM) users or for users that you authenticate
+(federated users). This guide provides descriptions of the STS API. For
+more detailed information about using this service, go to
+<http://docs.aws.amazon.com/STS/latest/UsingSTS/Welcome.html Using Temporary Security Credentials>.
+
+As an alternative to using the API, you can use one of the AWS SDKs,
+which consist of libraries and sample code for various programming
+languages and platforms (Java, Ruby, .NET, iOS, Android, etc.). The SDKs
+provide a convenient way to create programmatic access to STS. For
+example, the SDKs take care of cryptographically signing requests,
+managing errors, and retrying requests automatically. For information
+about the AWS SDKs, including how to download and install them, see the
+<http://aws.amazon.com/tools/ Tools for Amazon Web Services page>.
+
+For information about setting up signatures and authorization through
+the API, go to
+<http://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html Signing AWS API Requests>
+in the /AWS General Reference/. For general information about the Query
+API, go to
+<http://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_UsingQueryAPI.html Making Query Requests>
+in /Using IAM/. For information about using security tokens with other
+AWS products, go to
+<http://docs.aws.amazon.com/STS/latest/UsingSTS/UsingTokens.html Using Temporary Security Credentials to Access AWS>
+in /Using Temporary Security Credentials/.
+
+If you\'re new to AWS and need additional technical information about a
+specific AWS product, you can find the product\'s technical
+documentation at <http://aws.amazon.com/documentation/>.
+
+__Endpoints__
+
+The AWS Security Token Service (STS) has a default endpoint of
+https:\/\/sts.amazonaws.com that maps to the US East (N. Virginia)
+region. Additional regions are available, but must first be activated in
+the AWS Management Console before you can use a different region\'s
+endpoint. For more information about activating a region for STS see
+<http://docs.aws.amazon.com/STS/latest/UsingSTS/sts-enableregions.html Activating STS in a New Region>
+in the /Using Temporary Security Credentials/ guide.
+
+For information about STS endpoints, see
+<http://docs.aws.amazon.com/general/latest/gr/rande.html#sts_region Regions and Endpoints>
+in the /AWS General Reference/.
+
+__Recording API requests__
+
+STS supports AWS CloudTrail, which is a service that records AWS calls
+for your AWS account and delivers log files to an Amazon S3 bucket. By
+using information collected by CloudTrail, you can determine what
+requests were successfully made to STS, who made the request, when it
+was made, and so on. To learn more about CloudTrail, including how to
+turn it on and find your log files, see the
+<http://docs.aws.amazon.com/awscloudtrail/latest/userguide/what_is_cloud_trail_top_level.html AWS CloudTrail User Guide>.
+
 Documentation is available via [Hackage](http://hackage.haskell.org/package/amazonka-sts)
 and the [AWS API Reference](http://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html).
 
+The types from this library are intended to be used with [amazonka](http://hackage.haskell.org/package/amazonka),
+which provides mechanisms for specifying AuthN/AuthZ information and sending requests.
+
+Use of lenses is required for constructing and manipulating types.
+This is due to the amount of nesting of AWS types and transparency regarding
+de/serialisation into more palatable Haskell values.
+The provided lenses should be compatible with any of the major lens libraries
+[lens](http://hackage.haskell.org/package/lens) or [lens-family-core](http://hackage.haskell.org/package/lens-family-core).
 
 ## Contribute
 
diff --git a/amazonka-sts.cabal b/amazonka-sts.cabal
--- a/amazonka-sts.cabal
+++ b/amazonka-sts.cabal
@@ -1,27 +1,88 @@
 name:                  amazonka-sts
-version:               0.3.6
+version:               1.0.0
 synopsis:              Amazon Security Token Service SDK.
 homepage:              https://github.com/brendanhay/amazonka
 license:               OtherLicense
 license-file:          LICENSE
 author:                Brendan Hay
 maintainer:            Brendan Hay <brendan.g.hay@gmail.com>
-copyright:             Copyright (c) 2013-2014 Brendan Hay
+copyright:             Copyright (c) 2013-2015 Brendan Hay
 category:              Network, AWS, Cloud, Distributed Computing
 build-type:            Simple
 extra-source-files:    README.md
 cabal-version:         >= 1.10
 
 description:
-    The AWS Security Token Service (STS) is a web service that enables you to
-    request temporary, limited-privilege credentials for AWS Identity and Access
-    Management (IAM) users or for users that you authenticate (federated users).
+    AWS Security Token Service
 
+    The AWS Security Token Service (STS) is a web service that enables you
+    to request temporary, limited-privilege credentials for AWS Identity and
+    Access Management (IAM) users or for users that you authenticate
+    (federated users). This guide provides descriptions of the STS API. For
+    more detailed information about using this service, go to
+    <http://docs.aws.amazon.com/STS/latest/UsingSTS/Welcome.html Using Temporary Security Credentials>.
+
+    As an alternative to using the API, you can use one of the AWS SDKs,
+    which consist of libraries and sample code for various programming
+    languages and platforms (Java, Ruby, .NET, iOS, Android, etc.). The SDKs
+    provide a convenient way to create programmatic access to STS. For
+    example, the SDKs take care of cryptographically signing requests,
+    managing errors, and retrying requests automatically. For information
+    about the AWS SDKs, including how to download and install them, see the
+    <http://aws.amazon.com/tools/ Tools for Amazon Web Services page>.
+
+    For information about setting up signatures and authorization through
+    the API, go to
+    <http://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html Signing AWS API Requests>
+    in the /AWS General Reference/. For general information about the Query
+    API, go to
+    <http://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_UsingQueryAPI.html Making Query Requests>
+    in /Using IAM/. For information about using security tokens with other
+    AWS products, go to
+    <http://docs.aws.amazon.com/STS/latest/UsingSTS/UsingTokens.html Using Temporary Security Credentials to Access AWS>
+    in /Using Temporary Security Credentials/.
+
+    If you\'re new to AWS and need additional technical information about a
+    specific AWS product, you can find the product\'s technical
+    documentation at <http://aws.amazon.com/documentation/>.
+
+    __Endpoints__
+
+    The AWS Security Token Service (STS) has a default endpoint of
+    https:\/\/sts.amazonaws.com that maps to the US East (N. Virginia)
+    region. Additional regions are available, but must first be activated in
+    the AWS Management Console before you can use a different region\'s
+    endpoint. For more information about activating a region for STS see
+    <http://docs.aws.amazon.com/STS/latest/UsingSTS/sts-enableregions.html Activating STS in a New Region>
+    in the /Using Temporary Security Credentials/ guide.
+
+    For information about STS endpoints, see
+    <http://docs.aws.amazon.com/general/latest/gr/rande.html#sts_region Regions and Endpoints>
+    in the /AWS General Reference/.
+
+    __Recording API requests__
+
+    STS supports AWS CloudTrail, which is a service that records AWS calls
+    for your AWS account and delivers log files to an Amazon S3 bucket. By
+    using information collected by CloudTrail, you can determine what
+    requests were successfully made to STS, who made the request, when it
+    was made, and so on. To learn more about CloudTrail, including how to
+    turn it on and find your log files, see the
+    <http://docs.aws.amazon.com/awscloudtrail/latest/userguide/what_is_cloud_trail_top_level.html AWS CloudTrail User Guide>.
     .
-    /See:/ <http://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html AWS API Reference>
+    The types from this library are intended to be used with
+    <http://hackage.haskell.org/package/amazonka amazonka>, which provides
+    mechanisms for specifying AuthN/AuthZ information and sending requests.
     .
-    /Warning:/ This is an experimental preview release which is still under
-    heavy development and not intended for public consumption, caveat emptor!
+    Use of lenses is required for constructing and manipulating types.
+    This is due to the amount of nesting of AWS types and transparency regarding
+    de/serialisation into more palatable Haskell values.
+    The provided lenses should be compatible with any of the major lens libraries
+    such as <http://hackage.haskell.org/package/lens lens> or
+    <http://hackage.haskell.org/package/lens-family-core lens-family-core>.
+    .
+    See "Network.AWS.STS" and the <http://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html AWS API Reference>
+    to get started.
 
 source-repository head
     type:     git
@@ -42,9 +103,40 @@
         , Network.AWS.STS.GetFederationToken
         , Network.AWS.STS.GetSessionToken
         , Network.AWS.STS.Types
+        , Network.AWS.STS.Waiters
 
     other-modules:
+          Network.AWS.STS.Types.Product
+        , Network.AWS.STS.Types.Sum
 
     build-depends:
-          amazonka-core == 0.3.6.*
+          amazonka-core == 1.0.0.*
         , base          >= 4.7     && < 5
+
+test-suite amazonka-sts-test
+    type:              exitcode-stdio-1.0
+    default-language:  Haskell2010
+    hs-source-dirs:    test
+    main-is:           Main.hs
+
+    ghc-options:       -Wall -threaded
+
+    -- This is not comprehensive if modules have manually been added.
+    -- It exists to ensure cabal 'somewhat' detects test module changes.
+    other-modules:
+          Test.AWS.STS
+        , Test.AWS.Gen.STS
+        , Test.AWS.STS.Internal
+
+    build-depends:
+          amazonka-core == 1.0.0
+        , amazonka-test == 1.0.0
+        , amazonka-sts == 1.0.0
+        , base
+        , bytestring
+        , lens
+        , tasty
+        , tasty-hunit
+        , text
+        , time
+        , unordered-containers
diff --git a/gen/Network/AWS/STS.hs b/gen/Network/AWS/STS.hs
--- a/gen/Network/AWS/STS.hs
+++ b/gen/Network/AWS/STS.hs
@@ -1,32 +1,185 @@
+{-# OPTIONS_GHC -fno-warn-unused-imports    #-}
+{-# OPTIONS_GHC -fno-warn-duplicate-exports #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
 -- Module      : Network.AWS.STS
--- Copyright   : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>
--- License     : This Source Code Form is subject to the terms of
---               the Mozilla Public License, v. 2.0.
---               A copy of the MPL can be found in the LICENSE file or
---               you can obtain it at http://mozilla.org/MPL/2.0/.
+-- Copyright   : (c) 2013-2015 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
 -- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
--- Stability   : experimental
+-- Stability   : auto-generated
 -- Portability : non-portable (GHC extensions)
 --
--- Derived from AWS service descriptions, licensed under Apache 2.0.
-
--- | The AWS Security Token Service (STS) is a web service that enables you to
--- request temporary, limited-privilege credentials for AWS Identity and Access
--- Management (IAM) users or for users that you authenticate (federated users).
+-- AWS Security Token Service
+--
+-- The AWS Security Token Service (STS) is a web service that enables you
+-- to request temporary, limited-privilege credentials for AWS Identity and
+-- Access Management (IAM) users or for users that you authenticate
+-- (federated users). This guide provides descriptions of the STS API. For
+-- more detailed information about using this service, go to
+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/Welcome.html Using Temporary Security Credentials>.
+--
+-- As an alternative to using the API, you can use one of the AWS SDKs,
+-- which consist of libraries and sample code for various programming
+-- languages and platforms (Java, Ruby, .NET, iOS, Android, etc.). The SDKs
+-- provide a convenient way to create programmatic access to STS. For
+-- example, the SDKs take care of cryptographically signing requests,
+-- managing errors, and retrying requests automatically. For information
+-- about the AWS SDKs, including how to download and install them, see the
+-- <http://aws.amazon.com/tools/ Tools for Amazon Web Services page>.
+--
+-- For information about setting up signatures and authorization through
+-- the API, go to
+-- <http://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html Signing AWS API Requests>
+-- in the /AWS General Reference/. For general information about the Query
+-- API, go to
+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_UsingQueryAPI.html Making Query Requests>
+-- in /Using IAM/. For information about using security tokens with other
+-- AWS products, go to
+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/UsingTokens.html Using Temporary Security Credentials to Access AWS>
+-- in /Using Temporary Security Credentials/.
+--
+-- If you\'re new to AWS and need additional technical information about a
+-- specific AWS product, you can find the product\'s technical
+-- documentation at <http://aws.amazon.com/documentation/>.
+--
+-- __Endpoints__
+--
+-- The AWS Security Token Service (STS) has a default endpoint of
+-- https:\/\/sts.amazonaws.com that maps to the US East (N. Virginia)
+-- region. Additional regions are available, but must first be activated in
+-- the AWS Management Console before you can use a different region\'s
+-- endpoint. For more information about activating a region for STS see
+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/sts-enableregions.html Activating STS in a New Region>
+-- in the /Using Temporary Security Credentials/ guide.
+--
+-- For information about STS endpoints, see
+-- <http://docs.aws.amazon.com/general/latest/gr/rande.html#sts_region Regions and Endpoints>
+-- in the /AWS General Reference/.
+--
+-- __Recording API requests__
+--
+-- STS supports AWS CloudTrail, which is a service that records AWS calls
+-- for your AWS account and delivers log files to an Amazon S3 bucket. By
+-- using information collected by CloudTrail, you can determine what
+-- requests were successfully made to STS, who made the request, when it
+-- was made, and so on. To learn more about CloudTrail, including how to
+-- turn it on and find your log files, see the
+-- <http://docs.aws.amazon.com/awscloudtrail/latest/userguide/what_is_cloud_trail_top_level.html AWS CloudTrail User Guide>.
+--
+-- /See:/ <http://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html AWS API Reference>
 module Network.AWS.STS
-    ( module Network.AWS.STS.AssumeRole
-    , module Network.AWS.STS.AssumeRoleWithSAML
-    , module Network.AWS.STS.AssumeRoleWithWebIdentity
+    (
+    -- * Service
+      STS
+
+    -- * Errors
+    -- $errors
+
+    -- ** MalformedPolicyDocumentException
+    , _MalformedPolicyDocumentException
+
+    -- ** PackedPolicyTooLargeException
+    , _PackedPolicyTooLargeException
+
+    -- ** InvalidAuthorizationMessageException
+    , _InvalidAuthorizationMessageException
+
+    -- ** IdPCommunicationErrorException
+    , _IdPCommunicationErrorException
+
+    -- ** ExpiredTokenException
+    , _ExpiredTokenException
+
+    -- ** InvalidIdentityTokenException
+    , _InvalidIdentityTokenException
+
+    -- ** IdPRejectedClaimException
+    , _IdPRejectedClaimException
+
+    -- * Waiters
+    -- $waiters
+
+    -- * Operations
+    -- $operations
+
+    -- ** AssumeRole
+    , module Network.AWS.STS.AssumeRole
+
+    -- ** DecodeAuthorizationMessage
     , module Network.AWS.STS.DecodeAuthorizationMessage
+
+    -- ** AssumeRoleWithWebIdentity
+    , module Network.AWS.STS.AssumeRoleWithWebIdentity
+
+    -- ** GetFederationToken
     , module Network.AWS.STS.GetFederationToken
+
+    -- ** GetSessionToken
     , module Network.AWS.STS.GetSessionToken
-    , module Network.AWS.STS.Types
+
+    -- ** AssumeRoleWithSAML
+    , module Network.AWS.STS.AssumeRoleWithSAML
+
+    -- * Types
+
+    -- ** AssumedRoleUser
+    , AssumedRoleUser
+    , assumedRoleUser
+    , aruAssumedRoleId
+    , aruARN
+
+    -- ** Credentials
+    , Credentials
+    , credentials
+    , cAccessKeyId
+    , cSecretAccessKey
+    , cSessionToken
+    , cExpiration
+
+    -- ** FederatedUser
+    , FederatedUser
+    , federatedUser
+    , fuFederatedUserId
+    , fuARN
     ) where
 
-import Network.AWS.STS.AssumeRole
-import Network.AWS.STS.AssumeRoleWithSAML
-import Network.AWS.STS.AssumeRoleWithWebIdentity
-import Network.AWS.STS.DecodeAuthorizationMessage
-import Network.AWS.STS.GetFederationToken
-import Network.AWS.STS.GetSessionToken
-import Network.AWS.STS.Types
+import           Network.AWS.STS.AssumeRole
+import           Network.AWS.STS.AssumeRoleWithSAML
+import           Network.AWS.STS.AssumeRoleWithWebIdentity
+import           Network.AWS.STS.DecodeAuthorizationMessage
+import           Network.AWS.STS.GetFederationToken
+import           Network.AWS.STS.GetSessionToken
+import           Network.AWS.STS.Types
+import           Network.AWS.STS.Waiters
+
+{- $errors
+Error matchers are designed for use with the functions provided by
+<http://hackage.haskell.org/package/lens/docs/Control-Exception-Lens.html Control.Exception.Lens>.
+This allows catching (and rethrowing) service specific errors returned
+by 'STS'.
+-}
+
+{- $operations
+Some AWS operations return results that are incomplete and require subsequent
+requests in order to obtain the entire result set. The process of sending
+subsequent requests to continue where a previous request left off is called
+pagination. For example, the 'ListObjects' operation of Amazon S3 returns up to
+1000 objects at a time, and you must send subsequent requests with the
+appropriate Marker in order to retrieve the next page of results.
+
+Operations that have an 'AWSPager' instance can transparently perform subsequent
+requests, correctly setting Markers and other request facets to iterate through
+the entire result set of a truncated API operation. Operations which support
+this have an additional note in the documentation.
+
+Many operations have the ability to filter results on the server side. See the
+individual operation parameters for details.
+-}
+
+{- $waiters
+Waiters poll by repeatedly sending a request until some remote success condition
+configured by the 'Wait' specification is fulfilled. The 'Wait' specification
+determines how many attempts should be made, in addition to delay and retry strategies.
+-}
diff --git a/gen/Network/AWS/STS/AssumeRole.hs b/gen/Network/AWS/STS/AssumeRole.hs
--- a/gen/Network/AWS/STS/AssumeRole.hs
+++ b/gen/Network/AWS/STS/AssumeRole.hs
@@ -1,290 +1,334 @@
-{-# LANGUAGE DataKinds                   #-}
-{-# LANGUAGE DeriveGeneric               #-}
-{-# LANGUAGE FlexibleInstances           #-}
-{-# LANGUAGE GeneralizedNewtypeDeriving  #-}
-{-# LANGUAGE LambdaCase                  #-}
-{-# LANGUAGE NoImplicitPrelude           #-}
-{-# LANGUAGE OverloadedStrings           #-}
-{-# LANGUAGE RecordWildCards             #-}
-{-# LANGUAGE TypeFamilies                #-}
+{-# LANGUAGE DeriveDataTypeable #-}
+{-# LANGUAGE DeriveGeneric      #-}
+{-# LANGUAGE OverloadedStrings  #-}
+{-# LANGUAGE RecordWildCards    #-}
+{-# LANGUAGE TypeFamilies       #-}
 
 {-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds   #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
 
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
 -- Module      : Network.AWS.STS.AssumeRole
--- Copyright   : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>
--- License     : This Source Code Form is subject to the terms of
---               the Mozilla Public License, v. 2.0.
---               A copy of the MPL can be found in the LICENSE file or
---               you can obtain it at http://mozilla.org/MPL/2.0/.
+-- Copyright   : (c) 2013-2015 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
 -- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
--- Stability   : experimental
+-- Stability   : auto-generated
 -- Portability : non-portable (GHC extensions)
 --
--- Derived from AWS service descriptions, licensed under Apache 2.0.
-
--- | Returns a set of temporary security credentials (consisting of an access key
--- ID, a secret access key, and a security token) that you can use to access AWS
--- resources that you might not normally have access to. Typically, you use 'AssumeRole' for cross-account access or federation.
+-- Returns a set of temporary security credentials (consisting of an access
+-- key ID, a secret access key, and a security token) that you can use to
+-- access AWS resources that you might not normally have access to.
+-- Typically, you use 'AssumeRole' for cross-account access or federation.
 --
--- Important: You cannot call 'AssumeRole' by using AWS account credentials;
--- access will be denied. You must use IAM user credentials or temporary
--- security credentials to call 'AssumeRole'.
+-- __Important:__ You cannot call 'AssumeRole' by using AWS account
+-- credentials; access will be denied. You must use IAM user credentials or
+-- temporary security credentials to call 'AssumeRole'.
 --
--- For cross-account access, imagine that you own multiple accounts and need to
--- access resources in each account. You could create long-term credentials in
--- each account to access those resources. However, managing all those
--- credentials and remembering which one can access which account can be time
--- consuming. Instead, you can create one set of long-term credentials in one
--- account and then use temporary security credentials to access all the other
--- accounts by assuming roles in those accounts. For more information about
--- roles, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/WorkingWithRoles.html Roles> in /Using IAM/.
+-- For cross-account access, imagine that you own multiple accounts and
+-- need to access resources in each account. You could create long-term
+-- credentials in each account to access those resources. However, managing
+-- all those credentials and remembering which one can access which account
+-- can be time consuming. Instead, you can create one set of long-term
+-- credentials in one account and then use temporary security credentials
+-- to access all the other accounts by assuming roles in those accounts.
+-- For more information about roles, see
+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/roles-toplevel.html IAM Roles (Delegation and Federation)>
+-- in /Using IAM/.
 --
--- For federation, you can, for example, grant single sign-on access to the AWS
--- Management Console. If you already have an identity and authentication system
--- in your corporate network, you don't have to recreate user identities in AWS
--- in order to grant those user identities access to AWS. Instead, after a user
--- has been authenticated, you call 'AssumeRole' (and specify the role with the
--- appropriate permissions) to get temporary security credentials for that user.
--- With those temporary security credentials, you construct a sign-in URL that
--- users can use to access the console. For more information, see <http://docs.aws.amazon.com/STS/latest/UsingSTS/STSUseCases.html Scenarios forGranting Temporary Access> in /Using Temporary Security Credentials/.
+-- For federation, you can, for example, grant single sign-on access to the
+-- AWS Management Console. If you already have an identity and
+-- authentication system in your corporate network, you don\'t have to
+-- recreate user identities in AWS in order to grant those user identities
+-- access to AWS. Instead, after a user has been authenticated, you call
+-- 'AssumeRole' (and specify the role with the appropriate permissions) to
+-- get temporary security credentials for that user. With those temporary
+-- security credentials, you construct a sign-in URL that users can use to
+-- access the console. For more information, see
+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/STSUseCases.html Scenarios for Granting Temporary Access>
+-- in /Using Temporary Security Credentials/.
 --
 -- The temporary security credentials are valid for the duration that you
--- specified when calling 'AssumeRole', which can be from 900 seconds (15 minutes)
--- to 3600 seconds (1 hour). The default is 1 hour.
+-- specified when calling 'AssumeRole', which can be from 900 seconds (15
+-- minutes) to 3600 seconds (1 hour). The default is 1 hour.
 --
 -- Optionally, you can pass an IAM access policy to this operation. If you
 -- choose not to pass a policy, the temporary security credentials that are
--- returned by the operation have the permissions that are defined in the access
--- policy of the role that is being assumed. If you pass a policy to this
--- operation, the temporary security credentials that are returned by the
--- operation have the permissions that are allowed by both the access policy of
--- the role that is being assumed, /and/ the policy that you pass. This gives you
--- a way to further restrict the permissions for the resulting temporary
--- security credentials. You cannot use the passed policy to grant permissions
--- that are in excess of those allowed by the access policy of the role that is
--- being assumed. For more information, see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRole> in /UsingTemporary Security Credentials/.
+-- returned by the operation have the permissions that are defined in the
+-- access policy of the role that is being assumed. If you pass a policy to
+-- this operation, the temporary security credentials that are returned by
+-- the operation have the permissions that are allowed by both the access
+-- policy of the role that is being assumed, /__and__/ the policy that you
+-- pass. This gives you a way to further restrict the permissions for the
+-- resulting temporary security credentials. You cannot use the passed
+-- policy to grant permissions that are in excess of those allowed by the
+-- access policy of the role that is being assumed. For more information,
+-- see
+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity>
+-- in /Using Temporary Security Credentials/.
 --
--- To assume a role, your AWS account must be trusted by the role. The trust
--- relationship is defined in the role's trust policy when the role is created.
--- You must also have a policy that allows you to call 'sts:AssumeRole'.
+-- To assume a role, your AWS account must be trusted by the role. The
+-- trust relationship is defined in the role\'s trust policy when the role
+-- is created. You must also have a policy that allows you to call
+-- 'sts:AssumeRole'.
 --
--- Using MFA with AssumeRole
+-- __Using MFA with AssumeRole__
 --
 -- You can optionally include multi-factor authentication (MFA) information
--- when you call 'AssumeRole'. This is useful for cross-account scenarios in which
--- you want to make sure that the user who is assuming the role has been
--- authenticated using an AWS MFA device. In that scenario, the trust policy of
--- the role being assumed includes a condition that tests for MFA
--- authentication; if the caller does not include valid MFA information, the
--- request to assume the role is denied. The condition in a trust policy that
--- tests for MFA authentication might look like the following example.
---
--- '"Condition": {"Null": {"aws:MultiFactorAuthAge": false}}'
---
--- For more information, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html Configuring MFA-Protected API Access> in the /UsingIAM/ guide.
+-- when you call 'AssumeRole'. This is useful for cross-account scenarios
+-- in which you want to make sure that the user who is assuming the role
+-- has been authenticated using an AWS MFA device. In that scenario, the
+-- trust policy of the role being assumed includes a condition that tests
+-- for MFA authentication; if the caller does not include valid MFA
+-- information, the request to assume the role is denied. The condition in
+-- a trust policy that tests for MFA authentication might look like the
+-- following example.
 --
--- To use MFA with 'AssumeRole', you pass values for the 'SerialNumber' and 'TokenCode' parameters. The 'SerialNumber' value identifies the user's hardware or virtual
--- MFA device. The 'TokenCode' is the time-based one-time password (TOTP) that the
--- MFA devices produces.
+-- '\"Condition\": {\"Bool\": {\"aws:MultiFactorAuthPresent\": true}}'
 --
+-- For more information, see
+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html Configuring MFA-Protected API Access>
+-- in /Using IAM/ guide.
 --
+-- To use MFA with 'AssumeRole', you pass values for the 'SerialNumber' and
+-- 'TokenCode' parameters. The 'SerialNumber' value identifies the user\'s
+-- hardware or virtual MFA device. The 'TokenCode' is the time-based
+-- one-time password (TOTP) that the MFA devices produces.
 --
--- <http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html>
+-- /See:/ <http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html AWS API Reference> for AssumeRole.
 module Network.AWS.STS.AssumeRole
     (
-    -- * Request
-      AssumeRole
-    -- ** Request constructor
-    , assumeRole
-    -- ** Request lenses
+    -- * Creating a Request
+      assumeRole
+    , AssumeRole
+    -- * Request Lenses
+    , arTokenCode
     , arDurationSeconds
     , arExternalId
     , arPolicy
-    , arRoleArn
-    , arRoleSessionName
     , arSerialNumber
-    , arTokenCode
+    , arRoleARN
+    , arRoleSessionName
 
-    -- * Response
-    , AssumeRoleResponse
-    -- ** Response constructor
+    -- * Destructuring the Response
     , assumeRoleResponse
-    -- ** Response lenses
-    , arrAssumedRoleUser
-    , arrCredentials
-    , arrPackedPolicySize
+    , AssumeRoleResponse
+    -- * Response Lenses
+    , arrsPackedPolicySize
+    , arrsCredentials
+    , arrsAssumedRoleUser
+    , arrsStatus
     ) where
 
-import Network.AWS.Prelude
-import Network.AWS.Request.Query
-import Network.AWS.STS.Types
-import qualified GHC.Exts
+import           Network.AWS.Prelude
+import           Network.AWS.Request
+import           Network.AWS.Response
+import           Network.AWS.STS.Types
+import           Network.AWS.STS.Types.Product
 
-data AssumeRole = AssumeRole
-    { _arDurationSeconds :: Maybe Nat
-    , _arExternalId      :: Maybe Text
-    , _arPolicy          :: Maybe Text
-    , _arRoleArn         :: Text
-    , _arRoleSessionName :: Text
-    , _arSerialNumber    :: Maybe Text
-    , _arTokenCode       :: Maybe Text
-    } deriving (Eq, Ord, Read, Show)
+-- | /See:/ 'assumeRole' smart constructor.
+data AssumeRole = AssumeRole'
+    { _arTokenCode       :: !(Maybe Text)
+    , _arDurationSeconds :: !(Maybe Nat)
+    , _arExternalId      :: !(Maybe Text)
+    , _arPolicy          :: !(Maybe Text)
+    , _arSerialNumber    :: !(Maybe Text)
+    , _arRoleARN         :: !Text
+    , _arRoleSessionName :: !Text
+    } deriving (Eq,Read,Show,Data,Typeable,Generic)
 
--- | 'AssumeRole' constructor.
---
--- The fields accessible through corresponding lenses are:
+-- | Creates a value of 'AssumeRole' with the minimum fields required to make a request.
 --
--- * 'arDurationSeconds' @::@ 'Maybe' 'Natural'
+-- Use one of the following lenses to modify other fields as desired:
 --
--- * 'arExternalId' @::@ 'Maybe' 'Text'
+-- * 'arTokenCode'
 --
--- * 'arPolicy' @::@ 'Maybe' 'Text'
+-- * 'arDurationSeconds'
 --
--- * 'arRoleArn' @::@ 'Text'
+-- * 'arExternalId'
 --
--- * 'arRoleSessionName' @::@ 'Text'
+-- * 'arPolicy'
 --
--- * 'arSerialNumber' @::@ 'Maybe' 'Text'
+-- * 'arSerialNumber'
 --
--- * 'arTokenCode' @::@ 'Maybe' 'Text'
+-- * 'arRoleARN'
 --
-assumeRole :: Text -- ^ 'arRoleArn'
-           -> Text -- ^ 'arRoleSessionName'
-           -> AssumeRole
-assumeRole p1 p2 = AssumeRole
-    { _arRoleArn         = p1
-    , _arRoleSessionName = p2
-    , _arPolicy          = Nothing
+-- * 'arRoleSessionName'
+assumeRole
+    :: Text -- ^ 'arRoleARN'
+    -> Text -- ^ 'arRoleSessionName'
+    -> AssumeRole
+assumeRole pRoleARN_ pRoleSessionName_ =
+    AssumeRole'
+    { _arTokenCode = Nothing
     , _arDurationSeconds = Nothing
-    , _arExternalId      = Nothing
-    , _arSerialNumber    = Nothing
-    , _arTokenCode       = Nothing
+    , _arExternalId = Nothing
+    , _arPolicy = Nothing
+    , _arSerialNumber = Nothing
+    , _arRoleARN = pRoleARN_
+    , _arRoleSessionName = pRoleSessionName_
     }
 
--- | The duration, in seconds, of the role session. The value can range from 900
--- seconds (15 minutes) to 3600 seconds (1 hour). By default, the value is set
--- to 3600 seconds.
+-- | The value provided by the MFA device, if the trust policy of the role
+-- being assumed requires MFA (that is, if the policy includes a condition
+-- that tests for MFA). If the role being assumed requires MFA and if the
+-- 'TokenCode' value is missing or expired, the 'AssumeRole' call returns
+-- an \"access denied\" error.
+arTokenCode :: Lens' AssumeRole (Maybe Text)
+arTokenCode = lens _arTokenCode (\ s a -> s{_arTokenCode = a});
+
+-- | The duration, in seconds, of the role session. The value can range from
+-- 900 seconds (15 minutes) to 3600 seconds (1 hour). By default, the value
+-- is set to 3600 seconds.
 arDurationSeconds :: Lens' AssumeRole (Maybe Natural)
-arDurationSeconds =
-    lens _arDurationSeconds (\s a -> s { _arDurationSeconds = a })
-        . mapping _Nat
+arDurationSeconds = lens _arDurationSeconds (\ s a -> s{_arDurationSeconds = a}) . mapping _Nat;
 
--- | A unique identifier that is used by third parties to assume a role in their
--- customers' accounts. For each role that the third party can assume, they
--- should instruct their customers to create a role with the external ID that
--- the third party generated. Each time the third party assumes the role, they
--- must pass the customer's external ID. The external ID is useful in order to
--- help third parties bind a role to the customer who created it. For more
--- information about the external ID, see About the External ID in /UsingTemporary Security Credentials/.
+-- | A unique identifier that is used by third parties when assuming roles in
+-- their customers\' accounts. For each role that the third party can
+-- assume, they should instruct their customers to ensure the role\'s trust
+-- policy checks for the external ID that the third party generated. Each
+-- time the third party assumes the role, they should pass the customer\'s
+-- external ID. The external ID is useful in order to help third parties
+-- bind a role to the customer who created it. For more information about
+-- the external ID, see
+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/sts-delegating-externalid.html How to Use External ID When Granting Access to Your AWS Resources>
+-- in /Using Temporary Security Credentials/.
 arExternalId :: Lens' AssumeRole (Maybe Text)
-arExternalId = lens _arExternalId (\s a -> s { _arExternalId = a })
+arExternalId = lens _arExternalId (\ s a -> s{_arExternalId = a});
 
 -- | An IAM policy in JSON format.
 --
--- The policy parameter is optional. If you pass a policy, the temporary
--- security credentials that are returned by the operation have the permissions
--- that are allowed by both the access policy of the role that is being assumed, /and/ the policy that you pass. This gives you a way to further restrict the
--- permissions for the resulting temporary security credentials. You cannot use
--- the passed policy to grant permissions that are in excess of those allowed by
--- the access policy of the role that is being assumed. For more information,
--- see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRole> in /Using Temporary Security Credentials/.
+-- This parameter is optional. If you pass a policy, the temporary security
+-- credentials that are returned by the operation have the permissions that
+-- are allowed by both (the intersection of) the access policy of the role
+-- that is being assumed, /and/ the policy that you pass. This gives you a
+-- way to further restrict the permissions for the resulting temporary
+-- security credentials. You cannot use the passed policy to grant
+-- permissions that are in excess of those allowed by the access policy of
+-- the role that is being assumed. For more information, see
+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity>
+-- in /Using Temporary Security Credentials/.
+--
+-- The policy plain text must be 2048 bytes or shorter. However, an
+-- internal conversion compresses it into a packed binary format with a
+-- separate limit. The PackedPolicySize response element indicates by
+-- percentage how close to the upper size limit the policy is, with 100%
+-- equaling the maximum allowed size.
 arPolicy :: Lens' AssumeRole (Maybe Text)
-arPolicy = lens _arPolicy (\s a -> s { _arPolicy = a })
+arPolicy = lens _arPolicy (\ s a -> s{_arPolicy = a});
 
--- | The Amazon Resource Name (ARN) of the role that the caller is assuming.
-arRoleArn :: Lens' AssumeRole Text
-arRoleArn = lens _arRoleArn (\s a -> s { _arRoleArn = a })
+-- | The identification number of the MFA device that is associated with the
+-- user who is making the 'AssumeRole' call. Specify this value if the
+-- trust policy of the role being assumed includes a condition that
+-- requires MFA authentication. The value is either the serial number for a
+-- hardware device (such as 'GAHT12345678') or an Amazon Resource Name
+-- (ARN) for a virtual device (such as
+-- 'arn:aws:iam::123456789012:mfa\/user').
+arSerialNumber :: Lens' AssumeRole (Maybe Text)
+arSerialNumber = lens _arSerialNumber (\ s a -> s{_arSerialNumber = a});
 
--- | An identifier for the assumed role session. The session name is included as
--- part of the 'AssumedRoleUser'.
+-- | The Amazon Resource Name (ARN) of the role to assume.
+arRoleARN :: Lens' AssumeRole Text
+arRoleARN = lens _arRoleARN (\ s a -> s{_arRoleARN = a});
+
+-- | An identifier for the assumed role session.
+--
+-- Use the role session name to uniquely identity a session when the same
+-- role is assumed by different principals or for different reasons. In
+-- cross-account scenarios, the role session name is visible to, and can be
+-- logged by the account that owns the role. The role session name is also
+-- used in the ARN of the assumed role principal. This means that
+-- subsequent cross-account API requests using the temporary security
+-- credentials will expose the role session name to the external account in
+-- their CloudTrail logs.
 arRoleSessionName :: Lens' AssumeRole Text
-arRoleSessionName =
-    lens _arRoleSessionName (\s a -> s { _arRoleSessionName = a })
+arRoleSessionName = lens _arRoleSessionName (\ s a -> s{_arRoleSessionName = a});
 
--- | The identification number of the MFA device that is associated with the user
--- who is making the 'AssumeRole' call. Specify this value if the trust policy of
--- the role being assumed includes a condition that requires MFA authentication.
--- The value is either the serial number for a hardware device (such as 'GAHT12345678') or an Amazon Resource Name (ARN) for a virtual device (such as 'arn:aws:iam::123456789012:mfa/user').
-arSerialNumber :: Lens' AssumeRole (Maybe Text)
-arSerialNumber = lens _arSerialNumber (\s a -> s { _arSerialNumber = a })
+instance AWSRequest AssumeRole where
+        type Sv AssumeRole = STS
+        type Rs AssumeRole = AssumeRoleResponse
+        request = postQuery
+        response
+          = receiveXMLWrapper "AssumeRoleResult"
+              (\ s h x ->
+                 AssumeRoleResponse' <$>
+                   (x .@? "PackedPolicySize") <*> (x .@? "Credentials")
+                     <*> (x .@? "AssumedRoleUser")
+                     <*> (pure (fromEnum s)))
 
--- | The value provided by the MFA device, if the trust policy of the role being
--- assumed requires MFA (that is, if the policy includes a condition that tests
--- for MFA). If the role being assumed requires MFA and if the 'TokenCode' value
--- is missing or expired, the 'AssumeRole' call returns an "access denied" error.
-arTokenCode :: Lens' AssumeRole (Maybe Text)
-arTokenCode = lens _arTokenCode (\s a -> s { _arTokenCode = a })
+instance ToHeaders AssumeRole where
+        toHeaders = const mempty
 
-data AssumeRoleResponse = AssumeRoleResponse
-    { _arrAssumedRoleUser  :: Maybe AssumedRoleUser
-    , _arrCredentials      :: Maybe Credentials
-    , _arrPackedPolicySize :: Maybe Nat
-    } deriving (Eq, Read, Show)
+instance ToPath AssumeRole where
+        toPath = const "/"
 
--- | 'AssumeRoleResponse' constructor.
+instance ToQuery AssumeRole where
+        toQuery AssumeRole'{..}
+          = mconcat
+              ["Action" =: ("AssumeRole" :: ByteString),
+               "Version" =: ("2011-06-15" :: ByteString),
+               "TokenCode" =: _arTokenCode,
+               "DurationSeconds" =: _arDurationSeconds,
+               "ExternalId" =: _arExternalId, "Policy" =: _arPolicy,
+               "SerialNumber" =: _arSerialNumber,
+               "RoleArn" =: _arRoleARN,
+               "RoleSessionName" =: _arRoleSessionName]
+
+-- | Contains the response to a successful AssumeRole request, including
+-- temporary AWS credentials that can be used to make AWS requests.
 --
--- The fields accessible through corresponding lenses are:
+-- /See:/ 'assumeRoleResponse' smart constructor.
+data AssumeRoleResponse = AssumeRoleResponse'
+    { _arrsPackedPolicySize :: !(Maybe Nat)
+    , _arrsCredentials      :: !(Maybe Credentials)
+    , _arrsAssumedRoleUser  :: !(Maybe AssumedRoleUser)
+    , _arrsStatus           :: !Int
+    } deriving (Eq,Read,Show,Data,Typeable,Generic)
+
+-- | Creates a value of 'AssumeRoleResponse' with the minimum fields required to make a request.
 --
--- * 'arrAssumedRoleUser' @::@ 'Maybe' 'AssumedRoleUser'
+-- Use one of the following lenses to modify other fields as desired:
 --
--- * 'arrCredentials' @::@ 'Maybe' 'Credentials'
+-- * 'arrsPackedPolicySize'
 --
--- * 'arrPackedPolicySize' @::@ 'Maybe' 'Natural'
+-- * 'arrsCredentials'
 --
-assumeRoleResponse :: AssumeRoleResponse
-assumeRoleResponse = AssumeRoleResponse
-    { _arrCredentials      = Nothing
-    , _arrAssumedRoleUser  = Nothing
-    , _arrPackedPolicySize = Nothing
+-- * 'arrsAssumedRoleUser'
+--
+-- * 'arrsStatus'
+assumeRoleResponse
+    :: Int -- ^ 'arrsStatus'
+    -> AssumeRoleResponse
+assumeRoleResponse pStatus_ =
+    AssumeRoleResponse'
+    { _arrsPackedPolicySize = Nothing
+    , _arrsCredentials = Nothing
+    , _arrsAssumedRoleUser = Nothing
+    , _arrsStatus = pStatus_
     }
 
--- | The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers
--- that you can use to refer to the resulting temporary security credentials.
--- For example, you can reference these credentials as a principal in a
--- resource-based policy by using the ARN or assumed role ID. The ARN and ID
--- include the 'RoleSessionName' that you specified when you called 'AssumeRole'.
-arrAssumedRoleUser :: Lens' AssumeRoleResponse (Maybe AssumedRoleUser)
-arrAssumedRoleUser =
-    lens _arrAssumedRoleUser (\s a -> s { _arrAssumedRoleUser = a })
-
--- | The temporary security credentials, which include an access key ID, a secret
--- access key, and a security (or session) token.
-arrCredentials :: Lens' AssumeRoleResponse (Maybe Credentials)
-arrCredentials = lens _arrCredentials (\s a -> s { _arrCredentials = a })
-
--- | A percentage value that indicates the size of the policy in packed form. The
--- service rejects any policy with a packed size greater than 100 percent, which
--- means the policy exceeded the allowed space.
-arrPackedPolicySize :: Lens' AssumeRoleResponse (Maybe Natural)
-arrPackedPolicySize =
-    lens _arrPackedPolicySize (\s a -> s { _arrPackedPolicySize = a })
-        . mapping _Nat
-
-instance ToPath AssumeRole where
-    toPath = const "/"
-
-instance ToQuery AssumeRole where
-    toQuery AssumeRole{..} = mconcat
-        [ "DurationSeconds" =? _arDurationSeconds
-        , "ExternalId"      =? _arExternalId
-        , "Policy"          =? _arPolicy
-        , "RoleArn"         =? _arRoleArn
-        , "RoleSessionName" =? _arRoleSessionName
-        , "SerialNumber"    =? _arSerialNumber
-        , "TokenCode"       =? _arTokenCode
-        ]
-
-instance ToHeaders AssumeRole
+-- | A percentage value that indicates the size of the policy in packed form.
+-- The service rejects any policy with a packed size greater than 100
+-- percent, which means the policy exceeded the allowed space.
+arrsPackedPolicySize :: Lens' AssumeRoleResponse (Maybe Natural)
+arrsPackedPolicySize = lens _arrsPackedPolicySize (\ s a -> s{_arrsPackedPolicySize = a}) . mapping _Nat;
 
-instance AWSRequest AssumeRole where
-    type Sv AssumeRole = STS
-    type Rs AssumeRole = AssumeRoleResponse
+-- | The temporary security credentials, which include an access key ID, a
+-- secret access key, and a security (or session) token.
+arrsCredentials :: Lens' AssumeRoleResponse (Maybe Credentials)
+arrsCredentials = lens _arrsCredentials (\ s a -> s{_arrsCredentials = a});
 
-    request  = post "AssumeRole"
-    response = xmlResponse
+-- | The Amazon Resource Name (ARN) and the assumed role ID, which are
+-- identifiers that you can use to refer to the resulting temporary
+-- security credentials. For example, you can reference these credentials
+-- as a principal in a resource-based policy by using the ARN or assumed
+-- role ID. The ARN and ID include the 'RoleSessionName' that you specified
+-- when you called 'AssumeRole'.
+arrsAssumedRoleUser :: Lens' AssumeRoleResponse (Maybe AssumedRoleUser)
+arrsAssumedRoleUser = lens _arrsAssumedRoleUser (\ s a -> s{_arrsAssumedRoleUser = a});
 
-instance FromXML AssumeRoleResponse where
-    parseXML = withElement "AssumeRoleResult" $ \x -> AssumeRoleResponse
-        <$> x .@? "AssumedRoleUser"
-        <*> x .@? "Credentials"
-        <*> x .@? "PackedPolicySize"
+-- | The response status code.
+arrsStatus :: Lens' AssumeRoleResponse Int
+arrsStatus = lens _arrsStatus (\ s a -> s{_arrsStatus = a});
diff --git a/gen/Network/AWS/STS/AssumeRoleWithSAML.hs b/gen/Network/AWS/STS/AssumeRoleWithSAML.hs
--- a/gen/Network/AWS/STS/AssumeRoleWithSAML.hs
+++ b/gen/Network/AWS/STS/AssumeRoleWithSAML.hs
@@ -1,309 +1,336 @@
-{-# LANGUAGE DataKinds                   #-}
-{-# LANGUAGE DeriveGeneric               #-}
-{-# LANGUAGE FlexibleInstances           #-}
-{-# LANGUAGE GeneralizedNewtypeDeriving  #-}
-{-# LANGUAGE LambdaCase                  #-}
-{-# LANGUAGE NoImplicitPrelude           #-}
-{-# LANGUAGE OverloadedStrings           #-}
-{-# LANGUAGE RecordWildCards             #-}
-{-# LANGUAGE TypeFamilies                #-}
+{-# LANGUAGE DeriveDataTypeable #-}
+{-# LANGUAGE DeriveGeneric      #-}
+{-# LANGUAGE OverloadedStrings  #-}
+{-# LANGUAGE RecordWildCards    #-}
+{-# LANGUAGE TypeFamilies       #-}
 
 {-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds   #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
 
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
 -- Module      : Network.AWS.STS.AssumeRoleWithSAML
--- Copyright   : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>
--- License     : This Source Code Form is subject to the terms of
---               the Mozilla Public License, v. 2.0.
---               A copy of the MPL can be found in the LICENSE file or
---               you can obtain it at http://mozilla.org/MPL/2.0/.
+-- Copyright   : (c) 2013-2015 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
 -- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
--- Stability   : experimental
+-- Stability   : auto-generated
 -- Portability : non-portable (GHC extensions)
 --
--- Derived from AWS service descriptions, licensed under Apache 2.0.
-
--- | Returns a set of temporary security credentials for users who have been
--- authenticated via a SAML authentication response. This operation provides a
--- mechanism for tying an enterprise identity store or directory to role-based
--- AWS access without user-specific credentials or configuration.
+-- Returns a set of temporary security credentials for users who have been
+-- authenticated via a SAML authentication response. This operation
+-- provides a mechanism for tying an enterprise identity store or directory
+-- to role-based AWS access without user-specific credentials or
+-- configuration.
 --
--- The temporary security credentials returned by this operation consist of an
--- access key ID, a secret access key, and a security token. Applications can
--- use these temporary security credentials to sign calls to AWS services. The
--- credentials are valid for the duration that you specified when calling 'AssumeRoleWithSAML', which can be up to 3600 seconds (1 hour) or until the time specified in the
--- SAML authentication response's 'SessionNotOnOrAfter' value, whichever is
--- shorter.
+-- The temporary security credentials returned by this operation consist of
+-- an access key ID, a secret access key, and a security token.
+-- Applications can use these temporary security credentials to sign calls
+-- to AWS services. The credentials are valid for the duration that you
+-- specified when calling 'AssumeRoleWithSAML', which can be up to 3600
+-- seconds (1 hour) or until the time specified in the SAML authentication
+-- response\'s 'SessionNotOnOrAfter' value, whichever is shorter.
 --
--- The maximum duration for a session is 1 hour, and the minimum duration is 15
--- minutes, even if values outside this range are specified.  Optionally, you
--- can pass an IAM access policy to this operation. If you choose not to pass a
--- policy, the temporary security credentials that are returned by the operation
--- have the permissions that are defined in the access policy of the role that
--- is being assumed. If you pass a policy to this operation, the temporary
--- security credentials that are returned by the operation have the permissions
--- that are allowed by both the access policy of the role that is being assumed, /and/ the policy that you pass. This gives you a way to further restrict the
--- permissions for the resulting temporary security credentials. You cannot use
--- the passed policy to grant permissions that are in excess of those allowed by
--- the access policy of the role that is being assumed. For more information,
--- see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRoleWithSAML> in /Using Temporary Security Credentials/
--- .
+-- The maximum duration for a session is 1 hour, and the minimum duration
+-- is 15 minutes, even if values outside this range are specified.
 --
--- Before your application can call 'AssumeRoleWithSAML', you must configure your
--- SAML identity provider (IdP) to issue the claims required by AWS.
--- Additionally, you must use AWS Identity and Access Management (IAM) to create
--- a SAML provider entity in your AWS account that represents your identity
--- provider, and create an IAM role that specifies this SAML provider in its
--- trust policy.
+-- Optionally, you can pass an IAM access policy to this operation. If you
+-- choose not to pass a policy, the temporary security credentials that are
+-- returned by the operation have the permissions that are defined in the
+-- access policy of the role that is being assumed. If you pass a policy to
+-- this operation, the temporary security credentials that are returned by
+-- the operation have the permissions that are allowed by both the access
+-- policy of the role that is being assumed, /__and__/ the policy that you
+-- pass. This gives you a way to further restrict the permissions for the
+-- resulting temporary security credentials. You cannot use the passed
+-- policy to grant permissions that are in excess of those allowed by the
+-- access policy of the role that is being assumed. For more information,
+-- see
+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRoleWithSAML>
+-- in /Using Temporary Security Credentials/.
 --
+-- Before your application can call 'AssumeRoleWithSAML', you must
+-- configure your SAML identity provider (IdP) to issue the claims required
+-- by AWS. Additionally, you must use AWS Identity and Access Management
+-- (IAM) to create a SAML provider entity in your AWS account that
+-- represents your identity provider, and create an IAM role that specifies
+-- this SAML provider in its trust policy.
+--
 -- Calling 'AssumeRoleWithSAML' does not require the use of AWS security
--- credentials. The identity of the caller is validated by using keys in the
--- metadata document that is uploaded for the SAML provider entity for your
--- identity provider.
+-- credentials. The identity of the caller is validated by using keys in
+-- the metadata document that is uploaded for the SAML provider entity for
+-- your identity provider.
 --
 -- For more information, see the following resources:
 --
--- <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingSAML.html Creating Temporary Security Credentials for SAML Federation> in /UsingTemporary Security Credentials/.   <http://docs.aws.amazon.com/IAM/latest/UserGuide/idp-managing-identityproviders.html SAML Providers> in /Using IAM/.   <http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html Configuringa Relying Party and Claims> in /Using IAM/.   <http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml.html Creating a Role for SAML-BasedFederation> in /Using IAM/.
+-- -   <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingSAML.html Creating Temporary Security Credentials for SAML Federation>.
+-- -   <http://docs.aws.amazon.com/IAM/latest/UserGuide/idp-managing-identityproviders.html SAML Providers>
+--     in /Using IAM/.
+-- -   <http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html Configuring a Relying Party and Claims>
+--     in /Using IAM/.
+-- -   <http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml.html Creating a Role for SAML-Based Federation>
+--     in /Using IAM/.
 --
--- <http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html>
+-- /See:/ <http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html AWS API Reference> for AssumeRoleWithSAML.
 module Network.AWS.STS.AssumeRoleWithSAML
     (
-    -- * Request
-      AssumeRoleWithSAML
-    -- ** Request constructor
-    , assumeRoleWithSAML
-    -- ** Request lenses
+    -- * Creating a Request
+      assumeRoleWithSAML
+    , AssumeRoleWithSAML
+    -- * Request Lenses
     , arwsamlDurationSeconds
     , arwsamlPolicy
-    , arwsamlPrincipalArn
-    , arwsamlRoleArn
+    , arwsamlRoleARN
+    , arwsamlPrincipalARN
     , arwsamlSAMLAssertion
 
-    -- * Response
-    , AssumeRoleWithSAMLResponse
-    -- ** Response constructor
+    -- * Destructuring the Response
     , assumeRoleWithSAMLResponse
-    -- ** Response lenses
-    , arwsamlrAssumedRoleUser
-    , arwsamlrAudience
-    , arwsamlrCredentials
-    , arwsamlrIssuer
-    , arwsamlrNameQualifier
-    , arwsamlrPackedPolicySize
-    , arwsamlrSubject
-    , arwsamlrSubjectType
+    , AssumeRoleWithSAMLResponse
+    -- * Response Lenses
+    , arwsamlrsAudience
+    , arwsamlrsSubject
+    , arwsamlrsPackedPolicySize
+    , arwsamlrsCredentials
+    , arwsamlrsSubjectType
+    , arwsamlrsNameQualifier
+    , arwsamlrsAssumedRoleUser
+    , arwsamlrsIssuer
+    , arwsamlrsStatus
     ) where
 
-import Network.AWS.Prelude
-import Network.AWS.Request.Query
-import Network.AWS.STS.Types
-import qualified GHC.Exts
+import           Network.AWS.Prelude
+import           Network.AWS.Request
+import           Network.AWS.Response
+import           Network.AWS.STS.Types
+import           Network.AWS.STS.Types.Product
 
-data AssumeRoleWithSAML = AssumeRoleWithSAML
-    { _arwsamlDurationSeconds :: Maybe Nat
-    , _arwsamlPolicy          :: Maybe Text
-    , _arwsamlPrincipalArn    :: Text
-    , _arwsamlRoleArn         :: Text
-    , _arwsamlSAMLAssertion   :: Text
-    } deriving (Eq, Ord, Read, Show)
+-- | /See:/ 'assumeRoleWithSAML' smart constructor.
+data AssumeRoleWithSAML = AssumeRoleWithSAML'
+    { _arwsamlDurationSeconds :: !(Maybe Nat)
+    , _arwsamlPolicy          :: !(Maybe Text)
+    , _arwsamlRoleARN         :: !Text
+    , _arwsamlPrincipalARN    :: !Text
+    , _arwsamlSAMLAssertion   :: !Text
+    } deriving (Eq,Read,Show,Data,Typeable,Generic)
 
--- | 'AssumeRoleWithSAML' constructor.
---
--- The fields accessible through corresponding lenses are:
+-- | Creates a value of 'AssumeRoleWithSAML' with the minimum fields required to make a request.
 --
--- * 'arwsamlDurationSeconds' @::@ 'Maybe' 'Natural'
+-- Use one of the following lenses to modify other fields as desired:
 --
--- * 'arwsamlPolicy' @::@ 'Maybe' 'Text'
+-- * 'arwsamlDurationSeconds'
 --
--- * 'arwsamlPrincipalArn' @::@ 'Text'
+-- * 'arwsamlPolicy'
 --
--- * 'arwsamlRoleArn' @::@ 'Text'
+-- * 'arwsamlRoleARN'
 --
--- * 'arwsamlSAMLAssertion' @::@ 'Text'
+-- * 'arwsamlPrincipalARN'
 --
-assumeRoleWithSAML :: Text -- ^ 'arwsamlRoleArn'
-                   -> Text -- ^ 'arwsamlPrincipalArn'
-                   -> Text -- ^ 'arwsamlSAMLAssertion'
-                   -> AssumeRoleWithSAML
-assumeRoleWithSAML p1 p2 p3 = AssumeRoleWithSAML
-    { _arwsamlRoleArn         = p1
-    , _arwsamlPrincipalArn    = p2
-    , _arwsamlSAMLAssertion   = p3
-    , _arwsamlPolicy          = Nothing
-    , _arwsamlDurationSeconds = Nothing
+-- * 'arwsamlSAMLAssertion'
+assumeRoleWithSAML
+    :: Text -- ^ 'arwsamlRoleARN'
+    -> Text -- ^ 'arwsamlPrincipalARN'
+    -> Text -- ^ 'arwsamlSAMLAssertion'
+    -> AssumeRoleWithSAML
+assumeRoleWithSAML pRoleARN_ pPrincipalARN_ pSAMLAssertion_ =
+    AssumeRoleWithSAML'
+    { _arwsamlDurationSeconds = Nothing
+    , _arwsamlPolicy = Nothing
+    , _arwsamlRoleARN = pRoleARN_
+    , _arwsamlPrincipalARN = pPrincipalARN_
+    , _arwsamlSAMLAssertion = pSAMLAssertion_
     }
 
--- | The duration, in seconds, of the role session. The value can range from 900
--- seconds (15 minutes) to 3600 seconds (1 hour). By default, the value is set
--- to 3600 seconds. An expiration can also be specified in the SAML
--- authentication response's 'SessionNotOnOrAfter' value. The actual expiration
--- time is whichever value is shorter.
+-- | The duration, in seconds, of the role session. The value can range from
+-- 900 seconds (15 minutes) to 3600 seconds (1 hour). By default, the value
+-- is set to 3600 seconds. An expiration can also be specified in the SAML
+-- authentication response\'s 'SessionNotOnOrAfter' value. The actual
+-- expiration time is whichever value is shorter.
 --
--- The maximum duration for a session is 1 hour, and the minimum duration is 15
--- minutes, even if values outside this range are specified.
+-- The maximum duration for a session is 1 hour, and the minimum duration
+-- is 15 minutes, even if values outside this range are specified.
 arwsamlDurationSeconds :: Lens' AssumeRoleWithSAML (Maybe Natural)
-arwsamlDurationSeconds =
-    lens _arwsamlDurationSeconds (\s a -> s { _arwsamlDurationSeconds = a })
-        . mapping _Nat
+arwsamlDurationSeconds = lens _arwsamlDurationSeconds (\ s a -> s{_arwsamlDurationSeconds = a}) . mapping _Nat;
 
 -- | An IAM policy in JSON format.
 --
 -- The policy parameter is optional. If you pass a policy, the temporary
--- security credentials that are returned by the operation have the permissions
--- that are allowed by both the access policy of the role that is being assumed, /and/ the policy that you pass. This gives you a way to further restrict the
--- permissions for the resulting temporary security credentials. You cannot use
--- the passed policy to grant permissions that are in excess of those allowed by
--- the access policy of the role that is being assumed. For more information,
--- see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRoleWithSAML> in /Using Temporary Security Credentials/
--- .
+-- security credentials that are returned by the operation have the
+-- permissions that are allowed by both the access policy of the role that
+-- is being assumed, /__and__/ the policy that you pass. This gives you a
+-- way to further restrict the permissions for the resulting temporary
+-- security credentials. You cannot use the passed policy to grant
+-- permissions that are in excess of those allowed by the access policy of
+-- the role that is being assumed. For more information, see
+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRoleWithSAML>
+-- in /Using Temporary Security Credentials/.
 --
--- The policy must be 2048 bytes or shorter, and its packed size must be less
--- than 450 bytes.
+-- The policy plain text must be 2048 bytes or shorter. However, an
+-- internal conversion compresses it into a packed binary format with a
+-- separate limit. The PackedPolicySize response element indicates by
+-- percentage how close to the upper size limit the policy is, with 100%
+-- equaling the maximum allowed size.
 arwsamlPolicy :: Lens' AssumeRoleWithSAML (Maybe Text)
-arwsamlPolicy = lens _arwsamlPolicy (\s a -> s { _arwsamlPolicy = a })
-
--- | The Amazon Resource Name (ARN) of the SAML provider in IAM that describes the
--- IdP.
-arwsamlPrincipalArn :: Lens' AssumeRoleWithSAML Text
-arwsamlPrincipalArn =
-    lens _arwsamlPrincipalArn (\s a -> s { _arwsamlPrincipalArn = a })
+arwsamlPolicy = lens _arwsamlPolicy (\ s a -> s{_arwsamlPolicy = a});
 
 -- | The Amazon Resource Name (ARN) of the role that the caller is assuming.
-arwsamlRoleArn :: Lens' AssumeRoleWithSAML Text
-arwsamlRoleArn = lens _arwsamlRoleArn (\s a -> s { _arwsamlRoleArn = a })
+arwsamlRoleARN :: Lens' AssumeRoleWithSAML Text
+arwsamlRoleARN = lens _arwsamlRoleARN (\ s a -> s{_arwsamlRoleARN = a});
 
+-- | The Amazon Resource Name (ARN) of the SAML provider in IAM that
+-- describes the IdP.
+arwsamlPrincipalARN :: Lens' AssumeRoleWithSAML Text
+arwsamlPrincipalARN = lens _arwsamlPrincipalARN (\ s a -> s{_arwsamlPrincipalARN = a});
+
 -- | The base-64 encoded SAML authentication response provided by the IdP.
 --
--- For more information, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html Configuring a Relying Party and Adding Claims> in
--- the /Using IAM/ guide.
+-- For more information, see
+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html Configuring a Relying Party and Adding Claims>
+-- in the /Using IAM/ guide.
 arwsamlSAMLAssertion :: Lens' AssumeRoleWithSAML Text
-arwsamlSAMLAssertion =
-    lens _arwsamlSAMLAssertion (\s a -> s { _arwsamlSAMLAssertion = a })
+arwsamlSAMLAssertion = lens _arwsamlSAMLAssertion (\ s a -> s{_arwsamlSAMLAssertion = a});
 
-data AssumeRoleWithSAMLResponse = AssumeRoleWithSAMLResponse
-    { _arwsamlrAssumedRoleUser  :: Maybe AssumedRoleUser
-    , _arwsamlrAudience         :: Maybe Text
-    , _arwsamlrCredentials      :: Maybe Credentials
-    , _arwsamlrIssuer           :: Maybe Text
-    , _arwsamlrNameQualifier    :: Maybe Text
-    , _arwsamlrPackedPolicySize :: Maybe Nat
-    , _arwsamlrSubject          :: Maybe Text
-    , _arwsamlrSubjectType      :: Maybe Text
-    } deriving (Eq, Read, Show)
+instance AWSRequest AssumeRoleWithSAML where
+        type Sv AssumeRoleWithSAML = STS
+        type Rs AssumeRoleWithSAML =
+             AssumeRoleWithSAMLResponse
+        request = postQuery
+        response
+          = receiveXMLWrapper "AssumeRoleWithSAMLResult"
+              (\ s h x ->
+                 AssumeRoleWithSAMLResponse' <$>
+                   (x .@? "Audience") <*> (x .@? "Subject") <*>
+                     (x .@? "PackedPolicySize")
+                     <*> (x .@? "Credentials")
+                     <*> (x .@? "SubjectType")
+                     <*> (x .@? "NameQualifier")
+                     <*> (x .@? "AssumedRoleUser")
+                     <*> (x .@? "Issuer")
+                     <*> (pure (fromEnum s)))
 
--- | 'AssumeRoleWithSAMLResponse' constructor.
+instance ToHeaders AssumeRoleWithSAML where
+        toHeaders = const mempty
+
+instance ToPath AssumeRoleWithSAML where
+        toPath = const "/"
+
+instance ToQuery AssumeRoleWithSAML where
+        toQuery AssumeRoleWithSAML'{..}
+          = mconcat
+              ["Action" =: ("AssumeRoleWithSAML" :: ByteString),
+               "Version" =: ("2011-06-15" :: ByteString),
+               "DurationSeconds" =: _arwsamlDurationSeconds,
+               "Policy" =: _arwsamlPolicy,
+               "RoleArn" =: _arwsamlRoleARN,
+               "PrincipalArn" =: _arwsamlPrincipalARN,
+               "SAMLAssertion" =: _arwsamlSAMLAssertion]
+
+-- | Contains the response to a successful AssumeRoleWithSAML request,
+-- including temporary AWS credentials that can be used to make AWS
+-- requests.
 --
--- The fields accessible through corresponding lenses are:
+-- /See:/ 'assumeRoleWithSAMLResponse' smart constructor.
+data AssumeRoleWithSAMLResponse = AssumeRoleWithSAMLResponse'
+    { _arwsamlrsAudience         :: !(Maybe Text)
+    , _arwsamlrsSubject          :: !(Maybe Text)
+    , _arwsamlrsPackedPolicySize :: !(Maybe Nat)
+    , _arwsamlrsCredentials      :: !(Maybe Credentials)
+    , _arwsamlrsSubjectType      :: !(Maybe Text)
+    , _arwsamlrsNameQualifier    :: !(Maybe Text)
+    , _arwsamlrsAssumedRoleUser  :: !(Maybe AssumedRoleUser)
+    , _arwsamlrsIssuer           :: !(Maybe Text)
+    , _arwsamlrsStatus           :: !Int
+    } deriving (Eq,Read,Show,Data,Typeable,Generic)
+
+-- | Creates a value of 'AssumeRoleWithSAMLResponse' with the minimum fields required to make a request.
 --
--- * 'arwsamlrAssumedRoleUser' @::@ 'Maybe' 'AssumedRoleUser'
+-- Use one of the following lenses to modify other fields as desired:
 --
--- * 'arwsamlrAudience' @::@ 'Maybe' 'Text'
+-- * 'arwsamlrsAudience'
 --
--- * 'arwsamlrCredentials' @::@ 'Maybe' 'Credentials'
+-- * 'arwsamlrsSubject'
 --
--- * 'arwsamlrIssuer' @::@ 'Maybe' 'Text'
+-- * 'arwsamlrsPackedPolicySize'
 --
--- * 'arwsamlrNameQualifier' @::@ 'Maybe' 'Text'
+-- * 'arwsamlrsCredentials'
 --
--- * 'arwsamlrPackedPolicySize' @::@ 'Maybe' 'Natural'
+-- * 'arwsamlrsSubjectType'
 --
--- * 'arwsamlrSubject' @::@ 'Maybe' 'Text'
+-- * 'arwsamlrsNameQualifier'
 --
--- * 'arwsamlrSubjectType' @::@ 'Maybe' 'Text'
+-- * 'arwsamlrsAssumedRoleUser'
 --
-assumeRoleWithSAMLResponse :: AssumeRoleWithSAMLResponse
-assumeRoleWithSAMLResponse = AssumeRoleWithSAMLResponse
-    { _arwsamlrCredentials      = Nothing
-    , _arwsamlrAssumedRoleUser  = Nothing
-    , _arwsamlrPackedPolicySize = Nothing
-    , _arwsamlrSubject          = Nothing
-    , _arwsamlrSubjectType      = Nothing
-    , _arwsamlrIssuer           = Nothing
-    , _arwsamlrAudience         = Nothing
-    , _arwsamlrNameQualifier    = Nothing
+-- * 'arwsamlrsIssuer'
+--
+-- * 'arwsamlrsStatus'
+assumeRoleWithSAMLResponse
+    :: Int -- ^ 'arwsamlrsStatus'
+    -> AssumeRoleWithSAMLResponse
+assumeRoleWithSAMLResponse pStatus_ =
+    AssumeRoleWithSAMLResponse'
+    { _arwsamlrsAudience = Nothing
+    , _arwsamlrsSubject = Nothing
+    , _arwsamlrsPackedPolicySize = Nothing
+    , _arwsamlrsCredentials = Nothing
+    , _arwsamlrsSubjectType = Nothing
+    , _arwsamlrsNameQualifier = Nothing
+    , _arwsamlrsAssumedRoleUser = Nothing
+    , _arwsamlrsIssuer = Nothing
+    , _arwsamlrsStatus = pStatus_
     }
 
-arwsamlrAssumedRoleUser :: Lens' AssumeRoleWithSAMLResponse (Maybe AssumedRoleUser)
-arwsamlrAssumedRoleUser =
-    lens _arwsamlrAssumedRoleUser (\s a -> s { _arwsamlrAssumedRoleUser = a })
+-- | The value of the 'Recipient' attribute of the 'SubjectConfirmationData'
+-- element of the SAML assertion.
+arwsamlrsAudience :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
+arwsamlrsAudience = lens _arwsamlrsAudience (\ s a -> s{_arwsamlrsAudience = a});
 
--- | The value of the 'Recipient' attribute of the 'SubjectConfirmationData' element
--- of the SAML assertion.
-arwsamlrAudience :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
-arwsamlrAudience = lens _arwsamlrAudience (\s a -> s { _arwsamlrAudience = a })
+-- | The value of the 'NameID' element in the 'Subject' element of the SAML
+-- assertion.
+arwsamlrsSubject :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
+arwsamlrsSubject = lens _arwsamlrsSubject (\ s a -> s{_arwsamlrsSubject = a});
 
-arwsamlrCredentials :: Lens' AssumeRoleWithSAMLResponse (Maybe Credentials)
-arwsamlrCredentials =
-    lens _arwsamlrCredentials (\s a -> s { _arwsamlrCredentials = a })
+-- | A percentage value that indicates the size of the policy in packed form.
+-- The service rejects any policy with a packed size greater than 100
+-- percent, which means the policy exceeded the allowed space.
+arwsamlrsPackedPolicySize :: Lens' AssumeRoleWithSAMLResponse (Maybe Natural)
+arwsamlrsPackedPolicySize = lens _arwsamlrsPackedPolicySize (\ s a -> s{_arwsamlrsPackedPolicySize = a}) . mapping _Nat;
 
--- | The value of the 'Issuer' element of the SAML assertion.
-arwsamlrIssuer :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
-arwsamlrIssuer = lens _arwsamlrIssuer (\s a -> s { _arwsamlrIssuer = a })
+-- | Undocumented member.
+arwsamlrsCredentials :: Lens' AssumeRoleWithSAMLResponse (Maybe Credentials)
+arwsamlrsCredentials = lens _arwsamlrsCredentials (\ s a -> s{_arwsamlrsCredentials = a});
 
--- | A hash value based on the concatenation of the 'Issuer' response value, the AWS
--- account ID, and the friendly name (the last part of the ARN) of the SAML
--- provider in IAM. The combination of 'NameQualifier' and 'Subject' can be used to
--- uniquely identify a federated user.
---
--- The following pseudocode shows how the hash value is calculated:
+-- | The format of the name ID, as defined by the 'Format' attribute in the
+-- 'NameID' element of the SAML assertion. Typical examples of the format
+-- are 'transient' or 'persistent'.
 --
--- 'BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP") )'
-arwsamlrNameQualifier :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
-arwsamlrNameQualifier =
-    lens _arwsamlrNameQualifier (\s a -> s { _arwsamlrNameQualifier = a })
-
--- | A percentage value that indicates the size of the policy in packed form. The
--- service rejects any policy with a packed size greater than 100 percent, which
--- means the policy exceeded the allowed space.
-arwsamlrPackedPolicySize :: Lens' AssumeRoleWithSAMLResponse (Maybe Natural)
-arwsamlrPackedPolicySize =
-    lens _arwsamlrPackedPolicySize
-        (\s a -> s { _arwsamlrPackedPolicySize = a })
-            . mapping _Nat
-
--- | The value of the 'NameID' element in the 'Subject' element of the SAML assertion.
-arwsamlrSubject :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
-arwsamlrSubject = lens _arwsamlrSubject (\s a -> s { _arwsamlrSubject = a })
+-- If the format includes the prefix
+-- 'urn:oasis:names:tc:SAML:2.0:nameid-format', that prefix is removed. For
+-- example, 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' is
+-- returned as 'transient'. If the format includes any other prefix, the
+-- format is returned with no modifications.
+arwsamlrsSubjectType :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
+arwsamlrsSubjectType = lens _arwsamlrsSubjectType (\ s a -> s{_arwsamlrsSubjectType = a});
 
--- | The format of the name ID, as defined by the 'Format' attribute in the 'NameID'
--- element of the SAML assertion. Typical examples of the format are 'transient'
--- or 'persistent'.
+-- | A hash value based on the concatenation of the 'Issuer' response value,
+-- the AWS account ID, and the friendly name (the last part of the ARN) of
+-- the SAML provider in IAM. The combination of 'NameQualifier' and
+-- 'Subject' can be used to uniquely identify a federated user.
 --
--- If the format includes the prefix 'urn:oasis:names:tc:SAML:2.0:nameid-format', that prefix is removed. For example,
--- 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' is returned as 'transient'.
--- If the format includes any other prefix, the format is returned with no
--- modifications.
-arwsamlrSubjectType :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
-arwsamlrSubjectType =
-    lens _arwsamlrSubjectType (\s a -> s { _arwsamlrSubjectType = a })
-
-instance ToPath AssumeRoleWithSAML where
-    toPath = const "/"
-
-instance ToQuery AssumeRoleWithSAML where
-    toQuery AssumeRoleWithSAML{..} = mconcat
-        [ "DurationSeconds" =? _arwsamlDurationSeconds
-        , "Policy"          =? _arwsamlPolicy
-        , "PrincipalArn"    =? _arwsamlPrincipalArn
-        , "RoleArn"         =? _arwsamlRoleArn
-        , "SAMLAssertion"   =? _arwsamlSAMLAssertion
-        ]
-
-instance ToHeaders AssumeRoleWithSAML
+-- The following pseudocode shows how the hash value is calculated:
+--
+-- 'BASE64 ( SHA1 ( \"https:\/\/example.com\/saml\" + \"123456789012\" + \"\/MySAMLIdP\" ) )'
+arwsamlrsNameQualifier :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
+arwsamlrsNameQualifier = lens _arwsamlrsNameQualifier (\ s a -> s{_arwsamlrsNameQualifier = a});
 
-instance AWSRequest AssumeRoleWithSAML where
-    type Sv AssumeRoleWithSAML = STS
-    type Rs AssumeRoleWithSAML = AssumeRoleWithSAMLResponse
+-- | Undocumented member.
+arwsamlrsAssumedRoleUser :: Lens' AssumeRoleWithSAMLResponse (Maybe AssumedRoleUser)
+arwsamlrsAssumedRoleUser = lens _arwsamlrsAssumedRoleUser (\ s a -> s{_arwsamlrsAssumedRoleUser = a});
 
-    request  = post "AssumeRoleWithSAML"
-    response = xmlResponse
+-- | The value of the 'Issuer' element of the SAML assertion.
+arwsamlrsIssuer :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
+arwsamlrsIssuer = lens _arwsamlrsIssuer (\ s a -> s{_arwsamlrsIssuer = a});
 
-instance FromXML AssumeRoleWithSAMLResponse where
-    parseXML = withElement "AssumeRoleWithSAMLResult" $ \x -> AssumeRoleWithSAMLResponse
-        <$> x .@? "AssumedRoleUser"
-        <*> x .@? "Audience"
-        <*> x .@? "Credentials"
-        <*> x .@? "Issuer"
-        <*> x .@? "NameQualifier"
-        <*> x .@? "PackedPolicySize"
-        <*> x .@? "Subject"
-        <*> x .@? "SubjectType"
+-- | The response status code.
+arwsamlrsStatus :: Lens' AssumeRoleWithSAMLResponse Int
+arwsamlrsStatus = lens _arwsamlrsStatus (\ s a -> s{_arwsamlrsStatus = a});
diff --git a/gen/Network/AWS/STS/AssumeRoleWithWebIdentity.hs b/gen/Network/AWS/STS/AssumeRoleWithWebIdentity.hs
--- a/gen/Network/AWS/STS/AssumeRoleWithWebIdentity.hs
+++ b/gen/Network/AWS/STS/AssumeRoleWithWebIdentity.hs
@@ -1,315 +1,355 @@
-{-# LANGUAGE DataKinds                   #-}
-{-# LANGUAGE DeriveGeneric               #-}
-{-# LANGUAGE FlexibleInstances           #-}
-{-# LANGUAGE GeneralizedNewtypeDeriving  #-}
-{-# LANGUAGE LambdaCase                  #-}
-{-# LANGUAGE NoImplicitPrelude           #-}
-{-# LANGUAGE OverloadedStrings           #-}
-{-# LANGUAGE RecordWildCards             #-}
-{-# LANGUAGE TypeFamilies                #-}
+{-# LANGUAGE DeriveDataTypeable #-}
+{-# LANGUAGE DeriveGeneric      #-}
+{-# LANGUAGE OverloadedStrings  #-}
+{-# LANGUAGE RecordWildCards    #-}
+{-# LANGUAGE TypeFamilies       #-}
 
 {-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds   #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
 
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
 -- Module      : Network.AWS.STS.AssumeRoleWithWebIdentity
--- Copyright   : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>
--- License     : This Source Code Form is subject to the terms of
---               the Mozilla Public License, v. 2.0.
---               A copy of the MPL can be found in the LICENSE file or
---               you can obtain it at http://mozilla.org/MPL/2.0/.
+-- Copyright   : (c) 2013-2015 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
 -- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
--- Stability   : experimental
+-- Stability   : auto-generated
 -- Portability : non-portable (GHC extensions)
 --
--- Derived from AWS service descriptions, licensed under Apache 2.0.
-
--- | Returns a set of temporary security credentials for users who have been
--- authenticated in a mobile or web application with a web identity provider,
--- such as Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID
--- Connect-compatible identity provider.
+-- Returns a set of temporary security credentials for users who have been
+-- authenticated in a mobile or web application with a web identity
+-- provider, such as Amazon Cognito, Login with Amazon, Facebook, Google,
+-- or any OpenID Connect-compatible identity provider.
 --
--- For mobile applications, we recommend that you use Amazon Cognito. You can
--- use Amazon Cognito with the <http://aws.amazon.com/sdkforios/ AWS SDK for iOS> and the <http://aws.amazon.com/sdkforandroid/ AWS SDK for Android> to
--- uniquely identify a user and supply the user with a consistent identity
+-- For mobile applications, we recommend that you use Amazon Cognito. You
+-- can use Amazon Cognito with the
+-- <http://aws.amazon.com/sdkforios/ AWS SDK for iOS> and the
+-- <http://aws.amazon.com/sdkforandroid/ AWS SDK for Android> to uniquely
+-- identify a user and supply the user with a consistent identity
 -- throughout the lifetime of an application.
 --
--- To learn more about Amazon Cognito, see <http://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840 Amazon Cognito Overview> in the /AWSSDK for Android Developer Guide/ guide and <http://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664 Amazon Cognito Overview> in the /AWSSDK for iOS Developer Guide/.
+-- To learn more about Amazon Cognito, see
+-- <http://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840 Amazon Cognito Overview>
+-- in the /AWS SDK for Android Developer Guide/ guide and
+-- <http://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664 Amazon Cognito Overview>
+-- in the /AWS SDK for iOS Developer Guide/.
 --
--- Calling 'AssumeRoleWithWebIdentity' does not require the use of AWS security
--- credentials. Therefore, you can distribute an application (for example, on
--- mobile devices) that requests temporary security credentials without
--- including long-term AWS credentials in the application, and without deploying
--- server-based proxy services that use long-term AWS credentials. Instead, the
--- identity of the caller is validated by using a token from the web identity
--- provider.
+-- Calling 'AssumeRoleWithWebIdentity' does not require the use of AWS
+-- security credentials. Therefore, you can distribute an application (for
+-- example, on mobile devices) that requests temporary security credentials
+-- without including long-term AWS credentials in the application, and
+-- without deploying server-based proxy services that use long-term AWS
+-- credentials. Instead, the identity of the caller is validated by using a
+-- token from the web identity provider.
 --
--- The temporary security credentials returned by this API consist of an access
--- key ID, a secret access key, and a security token. Applications can use these
--- temporary security credentials to sign calls to AWS service APIs. The
--- credentials are valid for the duration that you specified when calling 'AssumeRoleWithWebIdentity', which can be from 900 seconds (15 minutes) to 3600 seconds (1 hour). By
--- default, the temporary security credentials are valid for 1 hour.
+-- The temporary security credentials returned by this API consist of an
+-- access key ID, a secret access key, and a security token. Applications
+-- can use these temporary security credentials to sign calls to AWS
+-- service APIs. The credentials are valid for the duration that you
+-- specified when calling 'AssumeRoleWithWebIdentity', which can be from
+-- 900 seconds (15 minutes) to 3600 seconds (1 hour). By default, the
+-- temporary security credentials are valid for 1 hour.
 --
 -- Optionally, you can pass an IAM access policy to this operation. If you
 -- choose not to pass a policy, the temporary security credentials that are
--- returned by the operation have the permissions that are defined in the access
--- policy of the role that is being assumed. If you pass a policy to this
--- operation, the temporary security credentials that are returned by the
--- operation have the permissions that are allowed by both the access policy of
--- the role that is being assumed, /and/ the policy that you pass. This gives you
--- a way to further restrict the permissions for the resulting temporary
--- security credentials. You cannot use the passed policy to grant permissions
--- that are in excess of those allowed by the access policy of the role that is
--- being assumed. For more information, see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions forAssumeRoleWithWebIdentity> in /Using Temporary Security Credentials/.
+-- returned by the operation have the permissions that are defined in the
+-- access policy of the role that is being assumed. If you pass a policy to
+-- this operation, the temporary security credentials that are returned by
+-- the operation have the permissions that are allowed by both the access
+-- policy of the role that is being assumed, /__and__/ the policy that you
+-- pass. This gives you a way to further restrict the permissions for the
+-- resulting temporary security credentials. You cannot use the passed
+-- policy to grant permissions that are in excess of those allowed by the
+-- access policy of the role that is being assumed. For more information,
+-- see
+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRoleWithWebIdentity>.
 --
--- Before your application can call 'AssumeRoleWithWebIdentity', you must have an
--- identity token from a supported identity provider and create a role that the
--- application can assume. The role that your application assumes must trust the
--- identity provider that is associated with the identity token. In other words,
--- the identity provider must be specified in the role's trust policy.
+-- Before your application can call 'AssumeRoleWithWebIdentity', you must
+-- have an identity token from a supported identity provider and create a
+-- role that the application can assume. The role that your application
+-- assumes must trust the identity provider that is associated with the
+-- identity token. In other words, the identity provider must be specified
+-- in the role\'s trust policy.
 --
--- For more information about how to use web identity federation and the 'AssumeRoleWithWebIdentity' API, see the following resources:
+-- For more information about how to use web identity federation and the
+-- 'AssumeRoleWithWebIdentity' API, see the following resources:
 --
--- <http://docs.aws.amazon.com/STS/latest/UsingSTS/STSUseCases.html#MobileApplication-KnownProvider  Creating a Mobile Application with Third-Party Sign-In> and <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingWIF.html  CreatingTemporary Security Credentials for Mobile Apps Using Third-Party IdentityProviders> in /Using Temporary Security Credentials/.   <https://web-identity-federation-playground.s3.amazonaws.com/index.html  Web Identity FederationPlayground>. This interactive website lets you walk through the process of
--- authenticating via Login with Amazon, Facebook, or Google, getting temporary
--- security credentials, and then using those credentials to make a request to
--- AWS.   <http://aws.amazon.com/sdkforios/ AWS SDK for iOS> and <http://aws.amazon.com/sdkforandroid/ AWS SDK for Android>. These toolkits contain sample
--- apps that show how to invoke the identity providers, and then how to use the
--- information from these providers to get and use temporary security
--- credentials.   <http://aws.amazon.com/articles/4617974389850313 Web Identity Federation with Mobile Applications>. This article
--- discusses web identity federation and shows an example of how to use web
--- identity federation to get access to content in Amazon S3.
+-- -   <http://docs.aws.amazon.com/STS/latest/UsingSTS/STSUseCases.html#MobileApplication-KnownProvider Creating a Mobile Application with Third-Party Sign-In>
+--     and
+--     <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingWIF.html Creating Temporary Security Credentials for Mobile Apps Using Third-Party Identity Providers>.
+-- -   <https://web-identity-federation-playground.s3.amazonaws.com/index.html Web Identity Federation Playground>.
+--     This interactive website lets you walk through the process of
+--     authenticating via Login with Amazon, Facebook, or Google, getting
+--     temporary security credentials, and then using those credentials to
+--     make a request to AWS.
+-- -   <http://aws.amazon.com/sdkforios/ AWS SDK for iOS> and
+--     <http://aws.amazon.com/sdkforandroid/ AWS SDK for Android>. These
+--     toolkits contain sample apps that show how to invoke the identity
+--     providers, and then how to use the information from these providers
+--     to get and use temporary security credentials.
+-- -   <http://aws.amazon.com/articles/4617974389850313 Web Identity Federation with Mobile Applications>.
+--     This article discusses web identity federation and shows an example
+--     of how to use web identity federation to get access to content in
+--     Amazon S3.
 --
--- <http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html>
+-- /See:/ <http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html AWS API Reference> for AssumeRoleWithWebIdentity.
 module Network.AWS.STS.AssumeRoleWithWebIdentity
     (
-    -- * Request
-      AssumeRoleWithWebIdentity
-    -- ** Request constructor
-    , assumeRoleWithWebIdentity
-    -- ** Request lenses
+    -- * Creating a Request
+      assumeRoleWithWebIdentity
+    , AssumeRoleWithWebIdentity
+    -- * Request Lenses
+    , arwwiProviderId
     , arwwiDurationSeconds
     , arwwiPolicy
-    , arwwiProviderId
-    , arwwiRoleArn
+    , arwwiRoleARN
     , arwwiRoleSessionName
     , arwwiWebIdentityToken
 
-    -- * Response
-    , AssumeRoleWithWebIdentityResponse
-    -- ** Response constructor
+    -- * Destructuring the Response
     , assumeRoleWithWebIdentityResponse
-    -- ** Response lenses
-    , arwwirAssumedRoleUser
-    , arwwirAudience
-    , arwwirCredentials
-    , arwwirPackedPolicySize
-    , arwwirProvider
-    , arwwirSubjectFromWebIdentityToken
+    , AssumeRoleWithWebIdentityResponse
+    -- * Response Lenses
+    , arwwirsAudience
+    , arwwirsSubjectFromWebIdentityToken
+    , arwwirsPackedPolicySize
+    , arwwirsCredentials
+    , arwwirsAssumedRoleUser
+    , arwwirsProvider
+    , arwwirsStatus
     ) where
 
-import Network.AWS.Prelude
-import Network.AWS.Request.Query
-import Network.AWS.STS.Types
-import qualified GHC.Exts
+import           Network.AWS.Prelude
+import           Network.AWS.Request
+import           Network.AWS.Response
+import           Network.AWS.STS.Types
+import           Network.AWS.STS.Types.Product
 
-data AssumeRoleWithWebIdentity = AssumeRoleWithWebIdentity
-    { _arwwiDurationSeconds  :: Maybe Nat
-    , _arwwiPolicy           :: Maybe Text
-    , _arwwiProviderId       :: Maybe Text
-    , _arwwiRoleArn          :: Text
-    , _arwwiRoleSessionName  :: Text
-    , _arwwiWebIdentityToken :: Text
-    } deriving (Eq, Ord, Read, Show)
+-- | /See:/ 'assumeRoleWithWebIdentity' smart constructor.
+data AssumeRoleWithWebIdentity = AssumeRoleWithWebIdentity'
+    { _arwwiProviderId       :: !(Maybe Text)
+    , _arwwiDurationSeconds  :: !(Maybe Nat)
+    , _arwwiPolicy           :: !(Maybe Text)
+    , _arwwiRoleARN          :: !Text
+    , _arwwiRoleSessionName  :: !Text
+    , _arwwiWebIdentityToken :: !Text
+    } deriving (Eq,Read,Show,Data,Typeable,Generic)
 
--- | 'AssumeRoleWithWebIdentity' constructor.
---
--- The fields accessible through corresponding lenses are:
+-- | Creates a value of 'AssumeRoleWithWebIdentity' with the minimum fields required to make a request.
 --
--- * 'arwwiDurationSeconds' @::@ 'Maybe' 'Natural'
+-- Use one of the following lenses to modify other fields as desired:
 --
--- * 'arwwiPolicy' @::@ 'Maybe' 'Text'
+-- * 'arwwiProviderId'
 --
--- * 'arwwiProviderId' @::@ 'Maybe' 'Text'
+-- * 'arwwiDurationSeconds'
 --
--- * 'arwwiRoleArn' @::@ 'Text'
+-- * 'arwwiPolicy'
 --
--- * 'arwwiRoleSessionName' @::@ 'Text'
+-- * 'arwwiRoleARN'
 --
--- * 'arwwiWebIdentityToken' @::@ 'Text'
+-- * 'arwwiRoleSessionName'
 --
-assumeRoleWithWebIdentity :: Text -- ^ 'arwwiRoleArn'
-                          -> Text -- ^ 'arwwiRoleSessionName'
-                          -> Text -- ^ 'arwwiWebIdentityToken'
-                          -> AssumeRoleWithWebIdentity
-assumeRoleWithWebIdentity p1 p2 p3 = AssumeRoleWithWebIdentity
-    { _arwwiRoleArn          = p1
-    , _arwwiRoleSessionName  = p2
-    , _arwwiWebIdentityToken = p3
-    , _arwwiProviderId       = Nothing
-    , _arwwiPolicy           = Nothing
-    , _arwwiDurationSeconds  = Nothing
+-- * 'arwwiWebIdentityToken'
+assumeRoleWithWebIdentity
+    :: Text -- ^ 'arwwiRoleARN'
+    -> Text -- ^ 'arwwiRoleSessionName'
+    -> Text -- ^ 'arwwiWebIdentityToken'
+    -> AssumeRoleWithWebIdentity
+assumeRoleWithWebIdentity pRoleARN_ pRoleSessionName_ pWebIdentityToken_ =
+    AssumeRoleWithWebIdentity'
+    { _arwwiProviderId = Nothing
+    , _arwwiDurationSeconds = Nothing
+    , _arwwiPolicy = Nothing
+    , _arwwiRoleARN = pRoleARN_
+    , _arwwiRoleSessionName = pRoleSessionName_
+    , _arwwiWebIdentityToken = pWebIdentityToken_
     }
 
--- | The duration, in seconds, of the role session. The value can range from 900
--- seconds (15 minutes) to 3600 seconds (1 hour). By default, the value is set
--- to 3600 seconds.
-arwwiDurationSeconds :: Lens' AssumeRoleWithWebIdentity (Maybe Natural)
-arwwiDurationSeconds =
-    lens _arwwiDurationSeconds (\s a -> s { _arwwiDurationSeconds = a })
-        . mapping _Nat
-
--- | An IAM policy in JSON format.
---
--- The policy parameter is optional. If you pass a policy, the temporary
--- security credentials that are returned by the operation have the permissions
--- that are allowed by both the access policy of the role that is being assumed, /and/ the policy that you pass. This gives you a way to further restrict the
--- permissions for the resulting temporary security credentials. You cannot use
--- the passed policy to grant permissions that are in excess of those allowed by
--- the access policy of the role that is being assumed. For more information,
--- see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRoleWithWebIdentity> in /Using Temporary SecurityCredentials/.
-arwwiPolicy :: Lens' AssumeRoleWithWebIdentity (Maybe Text)
-arwwiPolicy = lens _arwwiPolicy (\s a -> s { _arwwiPolicy = a })
-
 -- | The fully qualified host component of the domain name of the identity
 -- provider.
 --
--- Specify this value only for OAuth 2.0 access tokens. Currently 'www.amazon.com'
--- and 'graph.facebook.com' are the only supported identity providers for OAuth
--- 2.0 access tokens. Do not include URL schemes and port numbers.
+-- Specify this value only for OAuth 2.0 access tokens. Currently
+-- 'www.amazon.com' and 'graph.facebook.com' are the only supported
+-- identity providers for OAuth 2.0 access tokens. Do not include URL
+-- schemes and port numbers.
 --
 -- Do not specify this value for OpenID Connect ID tokens.
 arwwiProviderId :: Lens' AssumeRoleWithWebIdentity (Maybe Text)
-arwwiProviderId = lens _arwwiProviderId (\s a -> s { _arwwiProviderId = a })
+arwwiProviderId = lens _arwwiProviderId (\ s a -> s{_arwwiProviderId = a});
 
+-- | The duration, in seconds, of the role session. The value can range from
+-- 900 seconds (15 minutes) to 3600 seconds (1 hour). By default, the value
+-- is set to 3600 seconds.
+arwwiDurationSeconds :: Lens' AssumeRoleWithWebIdentity (Maybe Natural)
+arwwiDurationSeconds = lens _arwwiDurationSeconds (\ s a -> s{_arwwiDurationSeconds = a}) . mapping _Nat;
+
+-- | An IAM policy in JSON format.
+--
+-- The policy parameter is optional. If you pass a policy, the temporary
+-- security credentials that are returned by the operation have the
+-- permissions that are allowed by both the access policy of the role that
+-- is being assumed, /__and__/ the policy that you pass. This gives you a
+-- way to further restrict the permissions for the resulting temporary
+-- security credentials. You cannot use the passed policy to grant
+-- permissions that are in excess of those allowed by the access policy of
+-- the role that is being assumed. For more information, see
+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRoleWithWebIdentity>.
+--
+-- The policy plain text must be 2048 bytes or shorter. However, an
+-- internal conversion compresses it into a packed binary format with a
+-- separate limit. The PackedPolicySize response element indicates by
+-- percentage how close to the upper size limit the policy is, with 100%
+-- equaling the maximum allowed size.
+arwwiPolicy :: Lens' AssumeRoleWithWebIdentity (Maybe Text)
+arwwiPolicy = lens _arwwiPolicy (\ s a -> s{_arwwiPolicy = a});
+
 -- | The Amazon Resource Name (ARN) of the role that the caller is assuming.
-arwwiRoleArn :: Lens' AssumeRoleWithWebIdentity Text
-arwwiRoleArn = lens _arwwiRoleArn (\s a -> s { _arwwiRoleArn = a })
+arwwiRoleARN :: Lens' AssumeRoleWithWebIdentity Text
+arwwiRoleARN = lens _arwwiRoleARN (\ s a -> s{_arwwiRoleARN = a});
 
--- | An identifier for the assumed role session. Typically, you pass the name or
--- identifier that is associated with the user who is using your application.
--- That way, the temporary security credentials that your application will use
--- are associated with that user. This session name is included as part of the
--- ARN and assumed role ID in the 'AssumedRoleUser' response element.
+-- | An identifier for the assumed role session. Typically, you pass the name
+-- or identifier that is associated with the user who is using your
+-- application. That way, the temporary security credentials that your
+-- application will use are associated with that user. This session name is
+-- included as part of the ARN and assumed role ID in the 'AssumedRoleUser'
+-- response element.
 arwwiRoleSessionName :: Lens' AssumeRoleWithWebIdentity Text
-arwwiRoleSessionName =
-    lens _arwwiRoleSessionName (\s a -> s { _arwwiRoleSessionName = a })
+arwwiRoleSessionName = lens _arwwiRoleSessionName (\ s a -> s{_arwwiRoleSessionName = a});
 
--- | The OAuth 2.0 access token or OpenID Connect ID token that is provided by the
--- identity provider. Your application must get this token by authenticating the
--- user who is using your application with a web identity provider before the
--- application makes an 'AssumeRoleWithWebIdentity' call.
+-- | The OAuth 2.0 access token or OpenID Connect ID token that is provided
+-- by the identity provider. Your application must get this token by
+-- authenticating the user who is using your application with a web
+-- identity provider before the application makes an
+-- 'AssumeRoleWithWebIdentity' call.
 arwwiWebIdentityToken :: Lens' AssumeRoleWithWebIdentity Text
-arwwiWebIdentityToken =
-    lens _arwwiWebIdentityToken (\s a -> s { _arwwiWebIdentityToken = a })
+arwwiWebIdentityToken = lens _arwwiWebIdentityToken (\ s a -> s{_arwwiWebIdentityToken = a});
 
-data AssumeRoleWithWebIdentityResponse = AssumeRoleWithWebIdentityResponse
-    { _arwwirAssumedRoleUser             :: Maybe AssumedRoleUser
-    , _arwwirAudience                    :: Maybe Text
-    , _arwwirCredentials                 :: Maybe Credentials
-    , _arwwirPackedPolicySize            :: Maybe Nat
-    , _arwwirProvider                    :: Maybe Text
-    , _arwwirSubjectFromWebIdentityToken :: Maybe Text
-    } deriving (Eq, Read, Show)
+instance AWSRequest AssumeRoleWithWebIdentity where
+        type Sv AssumeRoleWithWebIdentity = STS
+        type Rs AssumeRoleWithWebIdentity =
+             AssumeRoleWithWebIdentityResponse
+        request = postQuery
+        response
+          = receiveXMLWrapper "AssumeRoleWithWebIdentityResult"
+              (\ s h x ->
+                 AssumeRoleWithWebIdentityResponse' <$>
+                   (x .@? "Audience") <*>
+                     (x .@? "SubjectFromWebIdentityToken")
+                     <*> (x .@? "PackedPolicySize")
+                     <*> (x .@? "Credentials")
+                     <*> (x .@? "AssumedRoleUser")
+                     <*> (x .@? "Provider")
+                     <*> (pure (fromEnum s)))
 
--- | 'AssumeRoleWithWebIdentityResponse' constructor.
+instance ToHeaders AssumeRoleWithWebIdentity where
+        toHeaders = const mempty
+
+instance ToPath AssumeRoleWithWebIdentity where
+        toPath = const "/"
+
+instance ToQuery AssumeRoleWithWebIdentity where
+        toQuery AssumeRoleWithWebIdentity'{..}
+          = mconcat
+              ["Action" =:
+                 ("AssumeRoleWithWebIdentity" :: ByteString),
+               "Version" =: ("2011-06-15" :: ByteString),
+               "ProviderId" =: _arwwiProviderId,
+               "DurationSeconds" =: _arwwiDurationSeconds,
+               "Policy" =: _arwwiPolicy, "RoleArn" =: _arwwiRoleARN,
+               "RoleSessionName" =: _arwwiRoleSessionName,
+               "WebIdentityToken" =: _arwwiWebIdentityToken]
+
+-- | Contains the response to a successful AssumeRoleWithWebIdentity request,
+-- including temporary AWS credentials that can be used to make AWS
+-- requests.
 --
--- The fields accessible through corresponding lenses are:
+-- /See:/ 'assumeRoleWithWebIdentityResponse' smart constructor.
+data AssumeRoleWithWebIdentityResponse = AssumeRoleWithWebIdentityResponse'
+    { _arwwirsAudience                    :: !(Maybe Text)
+    , _arwwirsSubjectFromWebIdentityToken :: !(Maybe Text)
+    , _arwwirsPackedPolicySize            :: !(Maybe Nat)
+    , _arwwirsCredentials                 :: !(Maybe Credentials)
+    , _arwwirsAssumedRoleUser             :: !(Maybe AssumedRoleUser)
+    , _arwwirsProvider                    :: !(Maybe Text)
+    , _arwwirsStatus                      :: !Int
+    } deriving (Eq,Read,Show,Data,Typeable,Generic)
+
+-- | Creates a value of 'AssumeRoleWithWebIdentityResponse' with the minimum fields required to make a request.
 --
--- * 'arwwirAssumedRoleUser' @::@ 'Maybe' 'AssumedRoleUser'
+-- Use one of the following lenses to modify other fields as desired:
 --
--- * 'arwwirAudience' @::@ 'Maybe' 'Text'
+-- * 'arwwirsAudience'
 --
--- * 'arwwirCredentials' @::@ 'Maybe' 'Credentials'
+-- * 'arwwirsSubjectFromWebIdentityToken'
 --
--- * 'arwwirPackedPolicySize' @::@ 'Maybe' 'Natural'
+-- * 'arwwirsPackedPolicySize'
 --
--- * 'arwwirProvider' @::@ 'Maybe' 'Text'
+-- * 'arwwirsCredentials'
 --
--- * 'arwwirSubjectFromWebIdentityToken' @::@ 'Maybe' 'Text'
+-- * 'arwwirsAssumedRoleUser'
 --
-assumeRoleWithWebIdentityResponse :: AssumeRoleWithWebIdentityResponse
-assumeRoleWithWebIdentityResponse = AssumeRoleWithWebIdentityResponse
-    { _arwwirCredentials                 = Nothing
-    , _arwwirSubjectFromWebIdentityToken = Nothing
-    , _arwwirAssumedRoleUser             = Nothing
-    , _arwwirPackedPolicySize            = Nothing
-    , _arwwirProvider                    = Nothing
-    , _arwwirAudience                    = Nothing
+-- * 'arwwirsProvider'
+--
+-- * 'arwwirsStatus'
+assumeRoleWithWebIdentityResponse
+    :: Int -- ^ 'arwwirsStatus'
+    -> AssumeRoleWithWebIdentityResponse
+assumeRoleWithWebIdentityResponse pStatus_ =
+    AssumeRoleWithWebIdentityResponse'
+    { _arwwirsAudience = Nothing
+    , _arwwirsSubjectFromWebIdentityToken = Nothing
+    , _arwwirsPackedPolicySize = Nothing
+    , _arwwirsCredentials = Nothing
+    , _arwwirsAssumedRoleUser = Nothing
+    , _arwwirsProvider = Nothing
+    , _arwwirsStatus = pStatus_
     }
 
--- | The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers
--- that you can use to refer to the resulting temporary security credentials.
--- For example, you can reference these credentials as a principal in a
--- resource-based policy by using the ARN or assumed role ID. The ARN and ID
--- include the 'RoleSessionName' that you specified when you called 'AssumeRole'.
-arwwirAssumedRoleUser :: Lens' AssumeRoleWithWebIdentityResponse (Maybe AssumedRoleUser)
-arwwirAssumedRoleUser =
-    lens _arwwirAssumedRoleUser (\s a -> s { _arwwirAssumedRoleUser = a })
-
--- | The intended audience (also known as client ID) of the web identity token.
--- This is traditionally the client identifier issued to the application that
--- requested the web identity token.
-arwwirAudience :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)
-arwwirAudience = lens _arwwirAudience (\s a -> s { _arwwirAudience = a })
-
--- | The temporary security credentials, which include an access key ID, a secret
--- access key, and a security token.
-arwwirCredentials :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Credentials)
-arwwirCredentials =
-    lens _arwwirCredentials (\s a -> s { _arwwirCredentials = a })
-
--- | A percentage value that indicates the size of the policy in packed form. The
--- service rejects any policy with a packed size greater than 100 percent, which
--- means the policy exceeded the allowed space.
-arwwirPackedPolicySize :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Natural)
-arwwirPackedPolicySize =
-    lens _arwwirPackedPolicySize (\s a -> s { _arwwirPackedPolicySize = a })
-        . mapping _Nat
-
--- | The issuing authority of the web identity token presented. For OpenID
--- Connect ID Tokens this contains the value of the 'iss' field. For OAuth 2.0
--- access tokens, this contains the value of the 'ProviderId' parameter that was
--- passed in the 'AssumeRoleWithWebIdentity' request.
-arwwirProvider :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)
-arwwirProvider = lens _arwwirProvider (\s a -> s { _arwwirProvider = a })
-
--- | The unique user identifier that is returned by the identity provider. This
--- identifier is associated with the 'WebIdentityToken' that was submitted with
--- the 'AssumeRoleWithWebIdentity' call. The identifier is typically unique to the
--- user and the application that acquired the 'WebIdentityToken' (pairwise
--- identifier). For OpenID Connect ID tokens, this field contains the value
--- returned by the identity provider as the token's 'sub' (Subject) claim.
-arwwirSubjectFromWebIdentityToken :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)
-arwwirSubjectFromWebIdentityToken =
-    lens _arwwirSubjectFromWebIdentityToken
-        (\s a -> s { _arwwirSubjectFromWebIdentityToken = a })
+-- | The intended audience (also known as client ID) of the web identity
+-- token. This is traditionally the client identifier issued to the
+-- application that requested the web identity token.
+arwwirsAudience :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)
+arwwirsAudience = lens _arwwirsAudience (\ s a -> s{_arwwirsAudience = a});
 
-instance ToPath AssumeRoleWithWebIdentity where
-    toPath = const "/"
+-- | The unique user identifier that is returned by the identity provider.
+-- This identifier is associated with the 'WebIdentityToken' that was
+-- submitted with the 'AssumeRoleWithWebIdentity' call. The identifier is
+-- typically unique to the user and the application that acquired the
+-- 'WebIdentityToken' (pairwise identifier). For OpenID Connect ID tokens,
+-- this field contains the value returned by the identity provider as the
+-- token\'s 'sub' (Subject) claim.
+arwwirsSubjectFromWebIdentityToken :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)
+arwwirsSubjectFromWebIdentityToken = lens _arwwirsSubjectFromWebIdentityToken (\ s a -> s{_arwwirsSubjectFromWebIdentityToken = a});
 
-instance ToQuery AssumeRoleWithWebIdentity where
-    toQuery AssumeRoleWithWebIdentity{..} = mconcat
-        [ "DurationSeconds"  =? _arwwiDurationSeconds
-        , "Policy"           =? _arwwiPolicy
-        , "ProviderId"       =? _arwwiProviderId
-        , "RoleArn"          =? _arwwiRoleArn
-        , "RoleSessionName"  =? _arwwiRoleSessionName
-        , "WebIdentityToken" =? _arwwiWebIdentityToken
-        ]
+-- | A percentage value that indicates the size of the policy in packed form.
+-- The service rejects any policy with a packed size greater than 100
+-- percent, which means the policy exceeded the allowed space.
+arwwirsPackedPolicySize :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Natural)
+arwwirsPackedPolicySize = lens _arwwirsPackedPolicySize (\ s a -> s{_arwwirsPackedPolicySize = a}) . mapping _Nat;
 
-instance ToHeaders AssumeRoleWithWebIdentity
+-- | The temporary security credentials, which include an access key ID, a
+-- secret access key, and a security token.
+arwwirsCredentials :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Credentials)
+arwwirsCredentials = lens _arwwirsCredentials (\ s a -> s{_arwwirsCredentials = a});
 
-instance AWSRequest AssumeRoleWithWebIdentity where
-    type Sv AssumeRoleWithWebIdentity = STS
-    type Rs AssumeRoleWithWebIdentity = AssumeRoleWithWebIdentityResponse
+-- | The Amazon Resource Name (ARN) and the assumed role ID, which are
+-- identifiers that you can use to refer to the resulting temporary
+-- security credentials. For example, you can reference these credentials
+-- as a principal in a resource-based policy by using the ARN or assumed
+-- role ID. The ARN and ID include the 'RoleSessionName' that you specified
+-- when you called 'AssumeRole'.
+arwwirsAssumedRoleUser :: Lens' AssumeRoleWithWebIdentityResponse (Maybe AssumedRoleUser)
+arwwirsAssumedRoleUser = lens _arwwirsAssumedRoleUser (\ s a -> s{_arwwirsAssumedRoleUser = a});
 
-    request  = post "AssumeRoleWithWebIdentity"
-    response = xmlResponse
+-- | The issuing authority of the web identity token presented. For OpenID
+-- Connect ID Tokens this contains the value of the 'iss' field. For OAuth
+-- 2.0 access tokens, this contains the value of the 'ProviderId' parameter
+-- that was passed in the 'AssumeRoleWithWebIdentity' request.
+arwwirsProvider :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)
+arwwirsProvider = lens _arwwirsProvider (\ s a -> s{_arwwirsProvider = a});
 
-instance FromXML AssumeRoleWithWebIdentityResponse where
-    parseXML = withElement "AssumeRoleWithWebIdentityResult" $ \x -> AssumeRoleWithWebIdentityResponse
-        <$> x .@? "AssumedRoleUser"
-        <*> x .@? "Audience"
-        <*> x .@? "Credentials"
-        <*> x .@? "PackedPolicySize"
-        <*> x .@? "Provider"
-        <*> x .@? "SubjectFromWebIdentityToken"
+-- | The response status code.
+arwwirsStatus :: Lens' AssumeRoleWithWebIdentityResponse Int
+arwwirsStatus = lens _arwwirsStatus (\ s a -> s{_arwwirsStatus = a});
diff --git a/gen/Network/AWS/STS/DecodeAuthorizationMessage.hs b/gen/Network/AWS/STS/DecodeAuthorizationMessage.hs
--- a/gen/Network/AWS/STS/DecodeAuthorizationMessage.hs
+++ b/gen/Network/AWS/STS/DecodeAuthorizationMessage.hs
@@ -1,131 +1,155 @@
-{-# LANGUAGE DataKinds                   #-}
-{-# LANGUAGE DeriveGeneric               #-}
-{-# LANGUAGE FlexibleInstances           #-}
-{-# LANGUAGE GeneralizedNewtypeDeriving  #-}
-{-# LANGUAGE LambdaCase                  #-}
-{-# LANGUAGE NoImplicitPrelude           #-}
-{-# LANGUAGE OverloadedStrings           #-}
-{-# LANGUAGE RecordWildCards             #-}
-{-# LANGUAGE TypeFamilies                #-}
+{-# LANGUAGE DeriveDataTypeable #-}
+{-# LANGUAGE DeriveGeneric      #-}
+{-# LANGUAGE OverloadedStrings  #-}
+{-# LANGUAGE RecordWildCards    #-}
+{-# LANGUAGE TypeFamilies       #-}
 
 {-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds   #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
 
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
 -- Module      : Network.AWS.STS.DecodeAuthorizationMessage
--- Copyright   : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>
--- License     : This Source Code Form is subject to the terms of
---               the Mozilla Public License, v. 2.0.
---               A copy of the MPL can be found in the LICENSE file or
---               you can obtain it at http://mozilla.org/MPL/2.0/.
+-- Copyright   : (c) 2013-2015 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
 -- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
--- Stability   : experimental
+-- Stability   : auto-generated
 -- Portability : non-portable (GHC extensions)
 --
--- Derived from AWS service descriptions, licensed under Apache 2.0.
-
--- | Decodes additional information about the authorization status of a request
--- from an encoded message returned in response to an AWS request.
+-- Decodes additional information about the authorization status of a
+-- request from an encoded message returned in response to an AWS request.
 --
--- For example, if a user is not authorized to perform an action that he or she
--- has requested, the request returns a 'Client.UnauthorizedOperation' response
--- (an HTTP 403 response). Some AWS actions additionally return an encoded
--- message that can provide details about this authorization failure.
+-- For example, if a user is not authorized to perform an action that he or
+-- she has requested, the request returns a 'Client.UnauthorizedOperation'
+-- response (an HTTP 403 response). Some AWS actions additionally return an
+-- encoded message that can provide details about this authorization
+-- failure.
 --
 -- Only certain AWS actions return an encoded authorization message. The
--- documentation for an individual action indicates whether that action returns
--- an encoded message in addition to returning an HTTP code.  The message is
--- encoded because the details of the authorization status can constitute
--- privileged information that the user who requested the action should not see.
--- To decode an authorization status message, a user must be granted permissions
--- via an IAM policy to request the 'DecodeAuthorizationMessage' ('sts:DecodeAuthorizationMessage') action.
+-- documentation for an individual action indicates whether that action
+-- returns an encoded message in addition to returning an HTTP code.
 --
+-- The message is encoded because the details of the authorization status
+-- can constitute privileged information that the user who requested the
+-- action should not see. To decode an authorization status message, a user
+-- must be granted permissions via an IAM policy to request the
+-- 'DecodeAuthorizationMessage' ('sts:DecodeAuthorizationMessage') action.
+--
 -- The decoded message includes the following type of information:
 --
--- Whether the request was denied due to an explicit deny or due to the
--- absence of an explicit allow. For more information, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_EvaluationLogic.html#policy-eval-denyallow Determining Whether aRequest is Allowed or Denied> in /Using IAM/.  The principal who made the
--- request. The requested action. The requested resource. The values of
--- condition keys in the context of the user's request.
+-- -   Whether the request was denied due to an explicit deny or due to the
+--     absence of an explicit allow. For more information, see
+--     <http://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_EvaluationLogic.html#policy-eval-denyallow Determining Whether a Request is Allowed or Denied>
+--     in /Using IAM/.
+-- -   The principal who made the request.
+-- -   The requested action.
+-- -   The requested resource.
+-- -   The values of condition keys in the context of the user\'s request.
 --
--- <http://docs.aws.amazon.com/STS/latest/APIReference/API_DecodeAuthorizationMessage.html>
+-- /See:/ <http://docs.aws.amazon.com/STS/latest/APIReference/API_DecodeAuthorizationMessage.html AWS API Reference> for DecodeAuthorizationMessage.
 module Network.AWS.STS.DecodeAuthorizationMessage
     (
-    -- * Request
-      DecodeAuthorizationMessage
-    -- ** Request constructor
-    , decodeAuthorizationMessage
-    -- ** Request lenses
+    -- * Creating a Request
+      decodeAuthorizationMessage
+    , DecodeAuthorizationMessage
+    -- * Request Lenses
     , damEncodedMessage
 
-    -- * Response
-    , DecodeAuthorizationMessageResponse
-    -- ** Response constructor
+    -- * Destructuring the Response
     , decodeAuthorizationMessageResponse
-    -- ** Response lenses
-    , damrDecodedMessage
+    , DecodeAuthorizationMessageResponse
+    -- * Response Lenses
+    , damrsDecodedMessage
+    , damrsStatus
     ) where
 
-import Network.AWS.Prelude
-import Network.AWS.Request.Query
-import Network.AWS.STS.Types
-import qualified GHC.Exts
+import           Network.AWS.Prelude
+import           Network.AWS.Request
+import           Network.AWS.Response
+import           Network.AWS.STS.Types
+import           Network.AWS.STS.Types.Product
 
-newtype DecodeAuthorizationMessage = DecodeAuthorizationMessage
+-- | /See:/ 'decodeAuthorizationMessage' smart constructor.
+newtype DecodeAuthorizationMessage = DecodeAuthorizationMessage'
     { _damEncodedMessage :: Text
-    } deriving (Eq, Ord, Read, Show, Monoid, IsString)
+    } deriving (Eq,Read,Show,Data,Typeable,Generic)
 
--- | 'DecodeAuthorizationMessage' constructor.
---
--- The fields accessible through corresponding lenses are:
+-- | Creates a value of 'DecodeAuthorizationMessage' with the minimum fields required to make a request.
 --
--- * 'damEncodedMessage' @::@ 'Text'
+-- Use one of the following lenses to modify other fields as desired:
 --
-decodeAuthorizationMessage :: Text -- ^ 'damEncodedMessage'
-                           -> DecodeAuthorizationMessage
-decodeAuthorizationMessage p1 = DecodeAuthorizationMessage
-    { _damEncodedMessage = p1
+-- * 'damEncodedMessage'
+decodeAuthorizationMessage
+    :: Text -- ^ 'damEncodedMessage'
+    -> DecodeAuthorizationMessage
+decodeAuthorizationMessage pEncodedMessage_ =
+    DecodeAuthorizationMessage'
+    { _damEncodedMessage = pEncodedMessage_
     }
 
 -- | The encoded message that was returned with the response.
 damEncodedMessage :: Lens' DecodeAuthorizationMessage Text
-damEncodedMessage =
-    lens _damEncodedMessage (\s a -> s { _damEncodedMessage = a })
-
-newtype DecodeAuthorizationMessageResponse = DecodeAuthorizationMessageResponse
-    { _damrDecodedMessage :: Maybe Text
-    } deriving (Eq, Ord, Read, Show, Monoid)
+damEncodedMessage = lens _damEncodedMessage (\ s a -> s{_damEncodedMessage = a});
 
--- | 'DecodeAuthorizationMessageResponse' constructor.
---
--- The fields accessible through corresponding lenses are:
---
--- * 'damrDecodedMessage' @::@ 'Maybe' 'Text'
---
-decodeAuthorizationMessageResponse :: DecodeAuthorizationMessageResponse
-decodeAuthorizationMessageResponse = DecodeAuthorizationMessageResponse
-    { _damrDecodedMessage = Nothing
-    }
+instance AWSRequest DecodeAuthorizationMessage where
+        type Sv DecodeAuthorizationMessage = STS
+        type Rs DecodeAuthorizationMessage =
+             DecodeAuthorizationMessageResponse
+        request = postQuery
+        response
+          = receiveXMLWrapper
+              "DecodeAuthorizationMessageResult"
+              (\ s h x ->
+                 DecodeAuthorizationMessageResponse' <$>
+                   (x .@? "DecodedMessage") <*> (pure (fromEnum s)))
 
--- | An XML document that contains the decoded message. For more information, see 'DecodeAuthorizationMessage'.
-damrDecodedMessage :: Lens' DecodeAuthorizationMessageResponse (Maybe Text)
-damrDecodedMessage =
-    lens _damrDecodedMessage (\s a -> s { _damrDecodedMessage = a })
+instance ToHeaders DecodeAuthorizationMessage where
+        toHeaders = const mempty
 
 instance ToPath DecodeAuthorizationMessage where
-    toPath = const "/"
+        toPath = const "/"
 
 instance ToQuery DecodeAuthorizationMessage where
-    toQuery DecodeAuthorizationMessage{..} = mconcat
-        [ "EncodedMessage" =? _damEncodedMessage
-        ]
+        toQuery DecodeAuthorizationMessage'{..}
+          = mconcat
+              ["Action" =:
+                 ("DecodeAuthorizationMessage" :: ByteString),
+               "Version" =: ("2011-06-15" :: ByteString),
+               "EncodedMessage" =: _damEncodedMessage]
 
-instance ToHeaders DecodeAuthorizationMessage
+-- | A document that contains additional information about the authorization
+-- status of a request from an encoded message that is returned in response
+-- to an AWS request.
+--
+-- /See:/ 'decodeAuthorizationMessageResponse' smart constructor.
+data DecodeAuthorizationMessageResponse = DecodeAuthorizationMessageResponse'
+    { _damrsDecodedMessage :: !(Maybe Text)
+    , _damrsStatus         :: !Int
+    } deriving (Eq,Read,Show,Data,Typeable,Generic)
 
-instance AWSRequest DecodeAuthorizationMessage where
-    type Sv DecodeAuthorizationMessage = STS
-    type Rs DecodeAuthorizationMessage = DecodeAuthorizationMessageResponse
+-- | Creates a value of 'DecodeAuthorizationMessageResponse' with the minimum fields required to make a request.
+--
+-- Use one of the following lenses to modify other fields as desired:
+--
+-- * 'damrsDecodedMessage'
+--
+-- * 'damrsStatus'
+decodeAuthorizationMessageResponse
+    :: Int -- ^ 'damrsStatus'
+    -> DecodeAuthorizationMessageResponse
+decodeAuthorizationMessageResponse pStatus_ =
+    DecodeAuthorizationMessageResponse'
+    { _damrsDecodedMessage = Nothing
+    , _damrsStatus = pStatus_
+    }
 
-    request  = post "DecodeAuthorizationMessage"
-    response = xmlResponse
+-- | An XML document that contains the decoded message. For more information,
+-- see 'DecodeAuthorizationMessage'.
+damrsDecodedMessage :: Lens' DecodeAuthorizationMessageResponse (Maybe Text)
+damrsDecodedMessage = lens _damrsDecodedMessage (\ s a -> s{_damrsDecodedMessage = a});
 
-instance FromXML DecodeAuthorizationMessageResponse where
-    parseXML = withElement "DecodeAuthorizationMessageResult" $ \x -> DecodeAuthorizationMessageResponse
-        <$> x .@? "DecodedMessage"
+-- | The response status code.
+damrsStatus :: Lens' DecodeAuthorizationMessageResponse Int
+damrsStatus = lens _damrsStatus (\ s a -> s{_damrsStatus = a});
diff --git a/gen/Network/AWS/STS/GetFederationToken.hs b/gen/Network/AWS/STS/GetFederationToken.hs
--- a/gen/Network/AWS/STS/GetFederationToken.hs
+++ b/gen/Network/AWS/STS/GetFederationToken.hs
@@ -1,234 +1,271 @@
-{-# LANGUAGE DataKinds                   #-}
-{-# LANGUAGE DeriveGeneric               #-}
-{-# LANGUAGE FlexibleInstances           #-}
-{-# LANGUAGE GeneralizedNewtypeDeriving  #-}
-{-# LANGUAGE LambdaCase                  #-}
-{-# LANGUAGE NoImplicitPrelude           #-}
-{-# LANGUAGE OverloadedStrings           #-}
-{-# LANGUAGE RecordWildCards             #-}
-{-# LANGUAGE TypeFamilies                #-}
+{-# LANGUAGE DeriveDataTypeable #-}
+{-# LANGUAGE DeriveGeneric      #-}
+{-# LANGUAGE OverloadedStrings  #-}
+{-# LANGUAGE RecordWildCards    #-}
+{-# LANGUAGE TypeFamilies       #-}
 
 {-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds   #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
 
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
 -- Module      : Network.AWS.STS.GetFederationToken
--- Copyright   : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>
--- License     : This Source Code Form is subject to the terms of
---               the Mozilla Public License, v. 2.0.
---               A copy of the MPL can be found in the LICENSE file or
---               you can obtain it at http://mozilla.org/MPL/2.0/.
+-- Copyright   : (c) 2013-2015 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
 -- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
--- Stability   : experimental
+-- Stability   : auto-generated
 -- Portability : non-portable (GHC extensions)
 --
--- Derived from AWS service descriptions, licensed under Apache 2.0.
-
--- | Returns a set of temporary security credentials (consisting of an access key
--- ID, a secret access key, and a security token) for a federated user. A
--- typical use is in a proxy application that gets temporary security
--- credentials on behalf of distributed applications inside a corporate network.
--- Because you must call the 'GetFederationToken' action using the long-term
--- security credentials of an IAM user, this call is appropriate in contexts
--- where those credentials can be safely stored, usually in a server-based
--- application.
+-- Returns a set of temporary security credentials (consisting of an access
+-- key ID, a secret access key, and a security token) for a federated user.
+-- A typical use is in a proxy application that gets temporary security
+-- credentials on behalf of distributed applications inside a corporate
+-- network. Because you must call the 'GetFederationToken' action using the
+-- long-term security credentials of an IAM user, this call is appropriate
+-- in contexts where those credentials can be safely stored, usually in a
+-- server-based application.
 --
 -- If you are creating a mobile-based or browser-based app that can
 -- authenticate users using a web identity provider like Login with Amazon,
 -- Facebook, Google, or an OpenID Connect-compatible identity provider, we
--- recommend that you use <http://aws.amazon.com/cognito/ Amazon Cognito> or 'AssumeRoleWithWebIdentity'. For more
--- information, see <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingWIF.html Creating Temporary Security Credentials for Mobile AppsUsing Identity Providers> in /Using Temporary Security Credentials/.
+-- recommend that you use <http://aws.amazon.com/cognito/ Amazon Cognito>
+-- or 'AssumeRoleWithWebIdentity'. For more information, see
+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingWIF.html Creating Temporary Security Credentials for Mobile Apps Using Identity Providers>.
 --
--- The 'GetFederationToken' action must be called by using the long-term AWS
--- security credentials of an IAM user. You can also call 'GetFederationToken'
--- using the security credentials of an AWS account (root), but this is not
--- recommended. Instead, we recommend that you create an IAM user for the
--- purpose of the proxy application and then attach a policy to the IAM user
--- that limits federated users to only the actions and resources they need
--- access to. For more information, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html IAM Best Practices> in /Using IAM/.
+-- The 'GetFederationToken' action must be called by using the long-term
+-- AWS security credentials of an IAM user. You can also call
+-- 'GetFederationToken' using the security credentials of an AWS account
+-- (root), but this is not recommended. Instead, we recommend that you
+-- create an IAM user for the purpose of the proxy application and then
+-- attach a policy to the IAM user that limits federated users to only the
+-- actions and resources they need access to. For more information, see
+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html IAM Best Practices>
+-- in /Using IAM/.
 --
--- The temporary security credentials that are obtained by using the long-term
--- credentials of an IAM user are valid for the specified duration, between 900
--- seconds (15 minutes) and 129600 seconds (36 hours). Temporary credentials
--- that are obtained by using AWS account (root) credentials have a maximum
--- duration of 3600 seconds (1 hour)
+-- The temporary security credentials that are obtained by using the
+-- long-term credentials of an IAM user are valid for the specified
+-- duration, between 900 seconds (15 minutes) and 129600 seconds (36
+-- hours). Temporary credentials that are obtained by using AWS account
+-- (root) credentials have a maximum duration of 3600 seconds (1 hour)
 --
--- Permissions
+-- __Permissions__
 --
--- The permissions for the temporary security credentials returned by 'GetFederationToken' are determined by a combination of the following:
+-- The permissions for the temporary security credentials returned by
+-- 'GetFederationToken' are determined by a combination of the following:
 --
--- The policy or policies that are attached to the IAM user whose credentials
--- are used to call 'GetFederationToken'. The policy that is passed as a parameter
--- in the call.  The passed policy is attached to the temporary security
--- credentials that result from the 'GetFederationToken' API call--that is, to the /federated user/. When the federated user makes an AWS request, AWS evaluates
--- the policy attached to the federated user in combination with the policy or
--- policies attached to the IAM user whose credentials were used to call 'GetFederationToken'. AWS allows the federated user's request only when both the federated user /and/ the IAM user are explicitly allowed to perform the requested action. The
--- passed policy cannot grant more permissions than those that are defined in
--- the IAM user policy.
+-- -   The policy or policies that are attached to the IAM user whose
+--     credentials are used to call 'GetFederationToken'.
+-- -   The policy that is passed as a parameter in the call.
 --
--- A typical use case is that the permissions of the IAM user whose credentials
--- are used to call 'GetFederationToken' are designed to allow access to all the
--- actions and resources that any federated user will need. Then, for individual
--- users, you pass a policy to the operation that scopes down the permissions to
--- a level that's appropriate to that individual user, using a policy that
--- allows only a subset of permissions that are granted to the IAM user.
+-- The passed policy is attached to the temporary security credentials that
+-- result from the 'GetFederationToken' API call--that is, to the
+-- /federated user/. When the federated user makes an AWS request, AWS
+-- evaluates the policy attached to the federated user in combination with
+-- the policy or policies attached to the IAM user whose credentials were
+-- used to call 'GetFederationToken'. AWS allows the federated user\'s
+-- request only when both the federated user /__and__/ the IAM user are
+-- explicitly allowed to perform the requested action. The passed policy
+-- cannot grant more permissions than those that are defined in the IAM
+-- user policy.
 --
--- If you do not pass a policy, the resulting temporary security credentials
--- have no effective permissions. The only exception is when the temporary
--- security credentials are used to access a resource that has a resource-based
--- policy that specifically allows the federated user to access the resource.
+-- A typical use case is that the permissions of the IAM user whose
+-- credentials are used to call 'GetFederationToken' are designed to allow
+-- access to all the actions and resources that any federated user will
+-- need. Then, for individual users, you pass a policy to the operation
+-- that scopes down the permissions to a level that\'s appropriate to that
+-- individual user, using a policy that allows only a subset of permissions
+-- that are granted to the IAM user.
 --
--- For more information about how permissions work, see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-get-federation-token.html Permissions forGetFederationToken> in /Using Temporary Security Credentials/. For information
--- about using 'GetFederationToken' to create temporary security credentials, see <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingFedTokens.html Creating Temporary Credentials to Enable Access for Federated Users> in /Using Temporary Security Credentials/.
+-- If you do not pass a policy, the resulting temporary security
+-- credentials have no effective permissions. The only exception is when
+-- the temporary security credentials are used to access a resource that
+-- has a resource-based policy that specifically allows the federated user
+-- to access the resource.
 --
--- <http://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html>
+-- For more information about how permissions work, see
+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-get-federation-token.html Permissions for GetFederationToken>.
+-- For information about using 'GetFederationToken' to create temporary
+-- security credentials, see
+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingFedTokens.html Creating Temporary Credentials to Enable Access for Federated Users>.
+--
+-- /See:/ <http://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html AWS API Reference> for GetFederationToken.
 module Network.AWS.STS.GetFederationToken
     (
-    -- * Request
-      GetFederationToken
-    -- ** Request constructor
-    , getFederationToken
-    -- ** Request lenses
+    -- * Creating a Request
+      getFederationToken
+    , GetFederationToken
+    -- * Request Lenses
     , gftDurationSeconds
-    , gftName
     , gftPolicy
+    , gftName
 
-    -- * Response
-    , GetFederationTokenResponse
-    -- ** Response constructor
+    -- * Destructuring the Response
     , getFederationTokenResponse
-    -- ** Response lenses
-    , gftrCredentials
-    , gftrFederatedUser
-    , gftrPackedPolicySize
+    , GetFederationTokenResponse
+    -- * Response Lenses
+    , gftrsPackedPolicySize
+    , gftrsCredentials
+    , gftrsFederatedUser
+    , gftrsStatus
     ) where
 
-import Network.AWS.Prelude
-import Network.AWS.Request.Query
-import Network.AWS.STS.Types
-import qualified GHC.Exts
+import           Network.AWS.Prelude
+import           Network.AWS.Request
+import           Network.AWS.Response
+import           Network.AWS.STS.Types
+import           Network.AWS.STS.Types.Product
 
-data GetFederationToken = GetFederationToken
-    { _gftDurationSeconds :: Maybe Nat
-    , _gftName            :: Text
-    , _gftPolicy          :: Maybe Text
-    } deriving (Eq, Ord, Read, Show)
+-- | /See:/ 'getFederationToken' smart constructor.
+data GetFederationToken = GetFederationToken'
+    { _gftDurationSeconds :: !(Maybe Nat)
+    , _gftPolicy          :: !(Maybe Text)
+    , _gftName            :: !Text
+    } deriving (Eq,Read,Show,Data,Typeable,Generic)
 
--- | 'GetFederationToken' constructor.
---
--- The fields accessible through corresponding lenses are:
+-- | Creates a value of 'GetFederationToken' with the minimum fields required to make a request.
 --
--- * 'gftDurationSeconds' @::@ 'Maybe' 'Natural'
+-- Use one of the following lenses to modify other fields as desired:
 --
--- * 'gftName' @::@ 'Text'
+-- * 'gftDurationSeconds'
 --
--- * 'gftPolicy' @::@ 'Maybe' 'Text'
+-- * 'gftPolicy'
 --
-getFederationToken :: Text -- ^ 'gftName'
-                   -> GetFederationToken
-getFederationToken p1 = GetFederationToken
-    { _gftName            = p1
-    , _gftPolicy          = Nothing
-    , _gftDurationSeconds = Nothing
+-- * 'gftName'
+getFederationToken
+    :: Text -- ^ 'gftName'
+    -> GetFederationToken
+getFederationToken pName_ =
+    GetFederationToken'
+    { _gftDurationSeconds = Nothing
+    , _gftPolicy = Nothing
+    , _gftName = pName_
     }
 
--- | The duration, in seconds, that the session should last. Acceptable durations
--- for federation sessions range from 900 seconds (15 minutes) to 129600 seconds
--- (36 hours), with 43200 seconds (12 hours) as the default. Sessions obtained
--- using AWS account (root) credentials are restricted to a maximum of 3600
--- seconds (one hour). If the specified duration is longer than one hour, the
--- session obtained by using AWS account (root) credentials defaults to one
--- hour.
+-- | The duration, in seconds, that the session should last. Acceptable
+-- durations for federation sessions range from 900 seconds (15 minutes) to
+-- 129600 seconds (36 hours), with 43200 seconds (12 hours) as the default.
+-- Sessions obtained using AWS account (root) credentials are restricted to
+-- a maximum of 3600 seconds (one hour). If the specified duration is
+-- longer than one hour, the session obtained by using AWS account (root)
+-- credentials defaults to one hour.
 gftDurationSeconds :: Lens' GetFederationToken (Maybe Natural)
-gftDurationSeconds =
-    lens _gftDurationSeconds (\s a -> s { _gftDurationSeconds = a })
-        . mapping _Nat
-
--- | The name of the federated user. The name is used as an identifier for the
--- temporary security credentials (such as 'Bob'). For example, you can reference
--- the federated user name in a resource-based policy, such as in an Amazon S3
--- bucket policy.
-gftName :: Lens' GetFederationToken Text
-gftName = lens _gftName (\s a -> s { _gftName = a })
+gftDurationSeconds = lens _gftDurationSeconds (\ s a -> s{_gftDurationSeconds = a}) . mapping _Nat;
 
--- | An IAM policy in JSON format that is passed with the 'GetFederationToken' call
--- and evaluated along with the policy or policies that are attached to the IAM
--- user whose credentials are used to call 'GetFederationToken'. The passed policy
--- is used to scope down the permissions that are available to the IAM user, by
--- allowing only a subset of the permissions that are granted to the IAM user.
--- The passed policy cannot grant more permissions than those granted to the IAM
--- user. The final permissions for the federated user are the most restrictive
--- set based on the intersection of the passed policy and the IAM user policy.
+-- | An IAM policy in JSON format that is passed with the
+-- 'GetFederationToken' call and evaluated along with the policy or
+-- policies that are attached to the IAM user whose credentials are used to
+-- call 'GetFederationToken'. The passed policy is used to scope down the
+-- permissions that are available to the IAM user, by allowing only a
+-- subset of the permissions that are granted to the IAM user. The passed
+-- policy cannot grant more permissions than those granted to the IAM user.
+-- The final permissions for the federated user are the most restrictive
+-- set based on the intersection of the passed policy and the IAM user
+-- policy.
 --
--- If you do not pass a policy, the resulting temporary security credentials
--- have no effective permissions. The only exception is when the temporary
--- security credentials are used to access a resource that has a resource-based
--- policy that specifically allows the federated user to access the resource.
+-- If you do not pass a policy, the resulting temporary security
+-- credentials have no effective permissions. The only exception is when
+-- the temporary security credentials are used to access a resource that
+-- has a resource-based policy that specifically allows the federated user
+-- to access the resource.
 --
--- For more information about how permissions work, see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-get-federation-token.html Permissions forGetFederationToken> in /Using Temporary Security Credentials/.
+-- The policy plain text must be 2048 bytes or shorter. However, an
+-- internal conversion compresses it into a packed binary format with a
+-- separate limit. The PackedPolicySize response element indicates by
+-- percentage how close to the upper size limit the policy is, with 100%
+-- equaling the maximum allowed size.
+--
+-- For more information about how permissions work, see
+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-get-federation-token.html Permissions for GetFederationToken>.
 gftPolicy :: Lens' GetFederationToken (Maybe Text)
-gftPolicy = lens _gftPolicy (\s a -> s { _gftPolicy = a })
+gftPolicy = lens _gftPolicy (\ s a -> s{_gftPolicy = a});
 
-data GetFederationTokenResponse = GetFederationTokenResponse
-    { _gftrCredentials      :: Maybe Credentials
-    , _gftrFederatedUser    :: Maybe FederatedUser
-    , _gftrPackedPolicySize :: Maybe Nat
-    } deriving (Eq, Read, Show)
+-- | The name of the federated user. The name is used as an identifier for
+-- the temporary security credentials (such as 'Bob'). For example, you can
+-- reference the federated user name in a resource-based policy, such as in
+-- an Amazon S3 bucket policy.
+gftName :: Lens' GetFederationToken Text
+gftName = lens _gftName (\ s a -> s{_gftName = a});
 
--- | 'GetFederationTokenResponse' constructor.
+instance AWSRequest GetFederationToken where
+        type Sv GetFederationToken = STS
+        type Rs GetFederationToken =
+             GetFederationTokenResponse
+        request = postQuery
+        response
+          = receiveXMLWrapper "GetFederationTokenResult"
+              (\ s h x ->
+                 GetFederationTokenResponse' <$>
+                   (x .@? "PackedPolicySize") <*> (x .@? "Credentials")
+                     <*> (x .@? "FederatedUser")
+                     <*> (pure (fromEnum s)))
+
+instance ToHeaders GetFederationToken where
+        toHeaders = const mempty
+
+instance ToPath GetFederationToken where
+        toPath = const "/"
+
+instance ToQuery GetFederationToken where
+        toQuery GetFederationToken'{..}
+          = mconcat
+              ["Action" =: ("GetFederationToken" :: ByteString),
+               "Version" =: ("2011-06-15" :: ByteString),
+               "DurationSeconds" =: _gftDurationSeconds,
+               "Policy" =: _gftPolicy, "Name" =: _gftName]
+
+-- | Contains the response to a successful GetFederationToken request,
+-- including temporary AWS credentials that can be used to make AWS
+-- requests.
 --
--- The fields accessible through corresponding lenses are:
+-- /See:/ 'getFederationTokenResponse' smart constructor.
+data GetFederationTokenResponse = GetFederationTokenResponse'
+    { _gftrsPackedPolicySize :: !(Maybe Nat)
+    , _gftrsCredentials      :: !(Maybe Credentials)
+    , _gftrsFederatedUser    :: !(Maybe FederatedUser)
+    , _gftrsStatus           :: !Int
+    } deriving (Eq,Read,Show,Data,Typeable,Generic)
+
+-- | Creates a value of 'GetFederationTokenResponse' with the minimum fields required to make a request.
 --
--- * 'gftrCredentials' @::@ 'Maybe' 'Credentials'
+-- Use one of the following lenses to modify other fields as desired:
 --
--- * 'gftrFederatedUser' @::@ 'Maybe' 'FederatedUser'
+-- * 'gftrsPackedPolicySize'
 --
--- * 'gftrPackedPolicySize' @::@ 'Maybe' 'Natural'
+-- * 'gftrsCredentials'
 --
-getFederationTokenResponse :: GetFederationTokenResponse
-getFederationTokenResponse = GetFederationTokenResponse
-    { _gftrCredentials      = Nothing
-    , _gftrFederatedUser    = Nothing
-    , _gftrPackedPolicySize = Nothing
+-- * 'gftrsFederatedUser'
+--
+-- * 'gftrsStatus'
+getFederationTokenResponse
+    :: Int -- ^ 'gftrsStatus'
+    -> GetFederationTokenResponse
+getFederationTokenResponse pStatus_ =
+    GetFederationTokenResponse'
+    { _gftrsPackedPolicySize = Nothing
+    , _gftrsCredentials = Nothing
+    , _gftrsFederatedUser = Nothing
+    , _gftrsStatus = pStatus_
     }
 
--- | Credentials for the service API authentication.
-gftrCredentials :: Lens' GetFederationTokenResponse (Maybe Credentials)
-gftrCredentials = lens _gftrCredentials (\s a -> s { _gftrCredentials = a })
-
--- | Identifiers for the federated user associated with the credentials (such as 'arn:aws:sts::123456789012:federated-user/Bob' or '123456789012:Bob'). You can use the federated user's ARN in your
--- resource-based policies, such as an Amazon S3 bucket policy.
-gftrFederatedUser :: Lens' GetFederationTokenResponse (Maybe FederatedUser)
-gftrFederatedUser =
-    lens _gftrFederatedUser (\s a -> s { _gftrFederatedUser = a })
-
 -- | A percentage value indicating the size of the policy in packed form. The
 -- service rejects policies for which the packed size is greater than 100
 -- percent of the allowed value.
-gftrPackedPolicySize :: Lens' GetFederationTokenResponse (Maybe Natural)
-gftrPackedPolicySize =
-    lens _gftrPackedPolicySize (\s a -> s { _gftrPackedPolicySize = a })
-        . mapping _Nat
-
-instance ToPath GetFederationToken where
-    toPath = const "/"
-
-instance ToQuery GetFederationToken where
-    toQuery GetFederationToken{..} = mconcat
-        [ "DurationSeconds" =? _gftDurationSeconds
-        , "Name"            =? _gftName
-        , "Policy"          =? _gftPolicy
-        ]
-
-instance ToHeaders GetFederationToken
+gftrsPackedPolicySize :: Lens' GetFederationTokenResponse (Maybe Natural)
+gftrsPackedPolicySize = lens _gftrsPackedPolicySize (\ s a -> s{_gftrsPackedPolicySize = a}) . mapping _Nat;
 
-instance AWSRequest GetFederationToken where
-    type Sv GetFederationToken = STS
-    type Rs GetFederationToken = GetFederationTokenResponse
+-- | Credentials for the service API authentication.
+gftrsCredentials :: Lens' GetFederationTokenResponse (Maybe Credentials)
+gftrsCredentials = lens _gftrsCredentials (\ s a -> s{_gftrsCredentials = a});
 
-    request  = post "GetFederationToken"
-    response = xmlResponse
+-- | Identifiers for the federated user associated with the credentials (such
+-- as 'arn:aws:sts::123456789012:federated-user\/Bob' or
+-- '123456789012:Bob'). You can use the federated user\'s ARN in your
+-- resource-based policies, such as an Amazon S3 bucket policy.
+gftrsFederatedUser :: Lens' GetFederationTokenResponse (Maybe FederatedUser)
+gftrsFederatedUser = lens _gftrsFederatedUser (\ s a -> s{_gftrsFederatedUser = a});
 
-instance FromXML GetFederationTokenResponse where
-    parseXML = withElement "GetFederationTokenResult" $ \x -> GetFederationTokenResponse
-        <$> x .@? "Credentials"
-        <*> x .@? "FederatedUser"
-        <*> x .@? "PackedPolicySize"
+-- | The response status code.
+gftrsStatus :: Lens' GetFederationTokenResponse Int
+gftrsStatus = lens _gftrsStatus (\ s a -> s{_gftrsStatus = a});
diff --git a/gen/Network/AWS/STS/GetSessionToken.hs b/gen/Network/AWS/STS/GetSessionToken.hs
--- a/gen/Network/AWS/STS/GetSessionToken.hs
+++ b/gen/Network/AWS/STS/GetSessionToken.hs
@@ -1,175 +1,191 @@
-{-# LANGUAGE DataKinds                   #-}
-{-# LANGUAGE DeriveGeneric               #-}
-{-# LANGUAGE FlexibleInstances           #-}
-{-# LANGUAGE GeneralizedNewtypeDeriving  #-}
-{-# LANGUAGE LambdaCase                  #-}
-{-# LANGUAGE NoImplicitPrelude           #-}
-{-# LANGUAGE OverloadedStrings           #-}
-{-# LANGUAGE RecordWildCards             #-}
-{-# LANGUAGE TypeFamilies                #-}
+{-# LANGUAGE DeriveDataTypeable #-}
+{-# LANGUAGE DeriveGeneric      #-}
+{-# LANGUAGE OverloadedStrings  #-}
+{-# LANGUAGE RecordWildCards    #-}
+{-# LANGUAGE TypeFamilies       #-}
 
 {-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds   #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
 
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
 -- Module      : Network.AWS.STS.GetSessionToken
--- Copyright   : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>
--- License     : This Source Code Form is subject to the terms of
---               the Mozilla Public License, v. 2.0.
---               A copy of the MPL can be found in the LICENSE file or
---               you can obtain it at http://mozilla.org/MPL/2.0/.
+-- Copyright   : (c) 2013-2015 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
 -- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
--- Stability   : experimental
+-- Stability   : auto-generated
 -- Portability : non-portable (GHC extensions)
 --
--- Derived from AWS service descriptions, licensed under Apache 2.0.
-
--- | Returns a set of temporary credentials for an AWS account or IAM user. The
--- credentials consist of an access key ID, a secret access key, and a security
--- token. Typically, you use 'GetSessionToken' if you want to use MFA to protect
--- programmatic calls to specific AWS APIs like Amazon EC2 'StopInstances'.
--- MFA-enabled IAM users would need to call 'GetSessionToken' and submit an MFA
--- code that is associated with their MFA device. Using the temporary security
--- credentials that are returned from the call, IAM users can then make
--- programmatic calls to APIs that require MFA authentication.
+-- Returns a set of temporary credentials for an AWS account or IAM user.
+-- The credentials consist of an access key ID, a secret access key, and a
+-- security token. Typically, you use 'GetSessionToken' if you want to use
+-- MFA to protect programmatic calls to specific AWS APIs like Amazon EC2
+-- 'StopInstances'. MFA-enabled IAM users would need to call
+-- 'GetSessionToken' and submit an MFA code that is associated with their
+-- MFA device. Using the temporary security credentials that are returned
+-- from the call, IAM users can then make programmatic calls to APIs that
+-- require MFA authentication.
 --
 -- The 'GetSessionToken' action must be called by using the long-term AWS
--- security credentials of the AWS account or an IAM user. Credentials that are
--- created by IAM users are valid for the duration that you specify, between 900
--- seconds (15 minutes) and 129600 seconds (36 hours); credentials that are
--- created by using account credentials have a maximum duration of 3600 seconds
--- (1 hour).
+-- security credentials of the AWS account or an IAM user. Credentials that
+-- are created by IAM users are valid for the duration that you specify,
+-- between 900 seconds (15 minutes) and 129600 seconds (36 hours);
+-- credentials that are created by using account credentials have a maximum
+-- duration of 3600 seconds (1 hour).
 --
 -- We recommend that you do not call 'GetSessionToken' with root account
--- credentials. Instead, follow our <http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html#create-iam-users best practices> by creating one or more IAM
--- users, giving them the necessary permissions, and using IAM users for
--- everyday interaction with AWS.
+-- credentials. Instead, follow our
+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html#create-iam-users best practices>
+-- by creating one or more IAM users, giving them the necessary
+-- permissions, and using IAM users for everyday interaction with AWS.
 --
--- The permissions associated with the temporary security credentials returned
--- by 'GetSessionToken' are based on the permissions associated with account or
--- IAM user whose credentials are used to call the action. If 'GetSessionToken' is
--- called using root account credentials, the temporary credentials have root
--- account permissions. Similarly, if 'GetSessionToken' is called using the
--- credentials of an IAM user, the temporary credentials have the same
--- permissions as the IAM user.
+-- The permissions associated with the temporary security credentials
+-- returned by 'GetSessionToken' are based on the permissions associated
+-- with account or IAM user whose credentials are used to call the action.
+-- If 'GetSessionToken' is called using root account credentials, the
+-- temporary credentials have root account permissions. Similarly, if
+-- 'GetSessionToken' is called using the credentials of an IAM user, the
+-- temporary credentials have the same permissions as the IAM user.
 --
 -- For more information about using 'GetSessionToken' to create temporary
--- credentials, go to Creating Temporary Credentials to Enable Access for IAM
--- Users in /Using Temporary Security Credentials/.
+-- credentials, go to
+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingSessionTokens.html Creating Temporary Credentials to Enable Access for IAM Users>.
 --
--- <http://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html>
+-- /See:/ <http://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html AWS API Reference> for GetSessionToken.
 module Network.AWS.STS.GetSessionToken
     (
-    -- * Request
-      GetSessionToken
-    -- ** Request constructor
-    , getSessionToken
-    -- ** Request lenses
+    -- * Creating a Request
+      getSessionToken
+    , GetSessionToken
+    -- * Request Lenses
+    , gstTokenCode
     , gstDurationSeconds
     , gstSerialNumber
-    , gstTokenCode
 
-    -- * Response
-    , GetSessionTokenResponse
-    -- ** Response constructor
+    -- * Destructuring the Response
     , getSessionTokenResponse
-    -- ** Response lenses
-    , gstrCredentials
+    , GetSessionTokenResponse
+    -- * Response Lenses
+    , gstrsCredentials
+    , gstrsStatus
     ) where
 
-import Network.AWS.Prelude
-import Network.AWS.Request.Query
-import Network.AWS.STS.Types
-import qualified GHC.Exts
+import           Network.AWS.Prelude
+import           Network.AWS.Request
+import           Network.AWS.Response
+import           Network.AWS.STS.Types
+import           Network.AWS.STS.Types.Product
 
-data GetSessionToken = GetSessionToken
-    { _gstDurationSeconds :: Maybe Nat
-    , _gstSerialNumber    :: Maybe Text
-    , _gstTokenCode       :: Maybe Text
-    } deriving (Eq, Ord, Read, Show)
+-- | /See:/ 'getSessionToken' smart constructor.
+data GetSessionToken = GetSessionToken'
+    { _gstTokenCode       :: !(Maybe Text)
+    , _gstDurationSeconds :: !(Maybe Nat)
+    , _gstSerialNumber    :: !(Maybe Text)
+    } deriving (Eq,Read,Show,Data,Typeable,Generic)
 
--- | 'GetSessionToken' constructor.
---
--- The fields accessible through corresponding lenses are:
+-- | Creates a value of 'GetSessionToken' with the minimum fields required to make a request.
 --
--- * 'gstDurationSeconds' @::@ 'Maybe' 'Natural'
+-- Use one of the following lenses to modify other fields as desired:
 --
--- * 'gstSerialNumber' @::@ 'Maybe' 'Text'
+-- * 'gstTokenCode'
 --
--- * 'gstTokenCode' @::@ 'Maybe' 'Text'
+-- * 'gstDurationSeconds'
 --
-getSessionToken :: GetSessionToken
-getSessionToken = GetSessionToken
-    { _gstDurationSeconds = Nothing
-    , _gstSerialNumber    = Nothing
-    , _gstTokenCode       = Nothing
+-- * 'gstSerialNumber'
+getSessionToken
+    :: GetSessionToken
+getSessionToken =
+    GetSessionToken'
+    { _gstTokenCode = Nothing
+    , _gstDurationSeconds = Nothing
+    , _gstSerialNumber = Nothing
     }
 
--- | The duration, in seconds, that the credentials should remain valid.
--- Acceptable durations for IAM user sessions range from 900 seconds (15
--- minutes) to 129600 seconds (36 hours), with 43200 seconds (12 hours) as the
--- default. Sessions for AWS account owners are restricted to a maximum of 3600
--- seconds (one hour). If the duration is longer than one hour, the session for
--- AWS account owners defaults to one hour.
-gstDurationSeconds :: Lens' GetSessionToken (Maybe Natural)
-gstDurationSeconds =
-    lens _gstDurationSeconds (\s a -> s { _gstDurationSeconds = a })
-        . mapping _Nat
-
--- | The identification number of the MFA device that is associated with the IAM
--- user who is making the 'GetSessionToken' call. Specify this value if the IAM
--- user has a policy that requires MFA authentication. The value is either the
--- serial number for a hardware device (such as 'GAHT12345678') or an Amazon
--- Resource Name (ARN) for a virtual device (such as 'arn:aws:iam::123456789012:mfa/user'). You can find the device for an IAM user by going to the AWS Management
--- Console and viewing the user's security credentials.
-gstSerialNumber :: Lens' GetSessionToken (Maybe Text)
-gstSerialNumber = lens _gstSerialNumber (\s a -> s { _gstSerialNumber = a })
-
 -- | The value provided by the MFA device, if MFA is required. If any policy
 -- requires the IAM user to submit an MFA code, specify this value. If MFA
 -- authentication is required, and the user does not provide a code when
--- requesting a set of temporary security credentials, the user will receive an
--- "access denied" response when requesting resources that require MFA
--- authentication.
+-- requesting a set of temporary security credentials, the user will
+-- receive an \"access denied\" response when requesting resources that
+-- require MFA authentication.
 gstTokenCode :: Lens' GetSessionToken (Maybe Text)
-gstTokenCode = lens _gstTokenCode (\s a -> s { _gstTokenCode = a })
+gstTokenCode = lens _gstTokenCode (\ s a -> s{_gstTokenCode = a});
 
-newtype GetSessionTokenResponse = GetSessionTokenResponse
-    { _gstrCredentials :: Maybe Credentials
-    } deriving (Eq, Read, Show)
+-- | The duration, in seconds, that the credentials should remain valid.
+-- Acceptable durations for IAM user sessions range from 900 seconds (15
+-- minutes) to 129600 seconds (36 hours), with 43200 seconds (12 hours) as
+-- the default. Sessions for AWS account owners are restricted to a maximum
+-- of 3600 seconds (one hour). If the duration is longer than one hour, the
+-- session for AWS account owners defaults to one hour.
+gstDurationSeconds :: Lens' GetSessionToken (Maybe Natural)
+gstDurationSeconds = lens _gstDurationSeconds (\ s a -> s{_gstDurationSeconds = a}) . mapping _Nat;
 
--- | 'GetSessionTokenResponse' constructor.
---
--- The fields accessible through corresponding lenses are:
---
--- * 'gstrCredentials' @::@ 'Maybe' 'Credentials'
---
-getSessionTokenResponse :: GetSessionTokenResponse
-getSessionTokenResponse = GetSessionTokenResponse
-    { _gstrCredentials = Nothing
-    }
+-- | The identification number of the MFA device that is associated with the
+-- IAM user who is making the 'GetSessionToken' call. Specify this value if
+-- the IAM user has a policy that requires MFA authentication. The value is
+-- either the serial number for a hardware device (such as 'GAHT12345678')
+-- or an Amazon Resource Name (ARN) for a virtual device (such as
+-- 'arn:aws:iam::123456789012:mfa\/user'). You can find the device for an
+-- IAM user by going to the AWS Management Console and viewing the user\'s
+-- security credentials.
+gstSerialNumber :: Lens' GetSessionToken (Maybe Text)
+gstSerialNumber = lens _gstSerialNumber (\ s a -> s{_gstSerialNumber = a});
 
--- | The session credentials for API authentication.
-gstrCredentials :: Lens' GetSessionTokenResponse (Maybe Credentials)
-gstrCredentials = lens _gstrCredentials (\s a -> s { _gstrCredentials = a })
+instance AWSRequest GetSessionToken where
+        type Sv GetSessionToken = STS
+        type Rs GetSessionToken = GetSessionTokenResponse
+        request = postQuery
+        response
+          = receiveXMLWrapper "GetSessionTokenResult"
+              (\ s h x ->
+                 GetSessionTokenResponse' <$>
+                   (x .@? "Credentials") <*> (pure (fromEnum s)))
 
+instance ToHeaders GetSessionToken where
+        toHeaders = const mempty
+
 instance ToPath GetSessionToken where
-    toPath = const "/"
+        toPath = const "/"
 
 instance ToQuery GetSessionToken where
-    toQuery GetSessionToken{..} = mconcat
-        [ "DurationSeconds" =? _gstDurationSeconds
-        , "SerialNumber"    =? _gstSerialNumber
-        , "TokenCode"       =? _gstTokenCode
-        ]
+        toQuery GetSessionToken'{..}
+          = mconcat
+              ["Action" =: ("GetSessionToken" :: ByteString),
+               "Version" =: ("2011-06-15" :: ByteString),
+               "TokenCode" =: _gstTokenCode,
+               "DurationSeconds" =: _gstDurationSeconds,
+               "SerialNumber" =: _gstSerialNumber]
 
-instance ToHeaders GetSessionToken
+-- | Contains the response to a successful GetSessionToken request, including
+-- temporary AWS credentials that can be used to make AWS requests.
+--
+-- /See:/ 'getSessionTokenResponse' smart constructor.
+data GetSessionTokenResponse = GetSessionTokenResponse'
+    { _gstrsCredentials :: !(Maybe Credentials)
+    , _gstrsStatus      :: !Int
+    } deriving (Eq,Read,Show,Data,Typeable,Generic)
 
-instance AWSRequest GetSessionToken where
-    type Sv GetSessionToken = STS
-    type Rs GetSessionToken = GetSessionTokenResponse
+-- | Creates a value of 'GetSessionTokenResponse' with the minimum fields required to make a request.
+--
+-- Use one of the following lenses to modify other fields as desired:
+--
+-- * 'gstrsCredentials'
+--
+-- * 'gstrsStatus'
+getSessionTokenResponse
+    :: Int -- ^ 'gstrsStatus'
+    -> GetSessionTokenResponse
+getSessionTokenResponse pStatus_ =
+    GetSessionTokenResponse'
+    { _gstrsCredentials = Nothing
+    , _gstrsStatus = pStatus_
+    }
 
-    request  = post "GetSessionToken"
-    response = xmlResponse
+-- | The session credentials for API authentication.
+gstrsCredentials :: Lens' GetSessionTokenResponse (Maybe Credentials)
+gstrsCredentials = lens _gstrsCredentials (\ s a -> s{_gstrsCredentials = a});
 
-instance FromXML GetSessionTokenResponse where
-    parseXML = withElement "GetSessionTokenResult" $ \x -> GetSessionTokenResponse
-        <$> x .@? "Credentials"
+-- | The response status code.
+gstrsStatus :: Lens' GetSessionTokenResponse Int
+gstrsStatus = lens _gstrsStatus (\ s a -> s{_gstrsStatus = a});
diff --git a/gen/Network/AWS/STS/Types.hs b/gen/Network/AWS/STS/Types.hs
--- a/gen/Network/AWS/STS/Types.hs
+++ b/gen/Network/AWS/STS/Types.hs
@@ -1,254 +1,141 @@
-{-# LANGUAGE DataKinds                   #-}
-{-# LANGUAGE DeriveGeneric               #-}
-{-# LANGUAGE FlexibleInstances           #-}
-{-# LANGUAGE GeneralizedNewtypeDeriving  #-}
-{-# LANGUAGE LambdaCase                  #-}
-{-# LANGUAGE NoImplicitPrelude           #-}
-{-# LANGUAGE OverloadedStrings           #-}
-{-# LANGUAGE RecordWildCards             #-}
-{-# LANGUAGE TypeFamilies                #-}
-{-# LANGUAGE ViewPatterns                #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE TypeFamilies      #-}
 
-{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
 
+-- |
 -- Module      : Network.AWS.STS.Types
--- Copyright   : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>
--- License     : This Source Code Form is subject to the terms of
---               the Mozilla Public License, v. 2.0.
---               A copy of the MPL can be found in the LICENSE file or
---               you can obtain it at http://mozilla.org/MPL/2.0/.
+-- Copyright   : (c) 2013-2015 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
 -- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
--- Stability   : experimental
+-- Stability   : auto-generated
 -- Portability : non-portable (GHC extensions)
 --
--- Derived from AWS service descriptions, licensed under Apache 2.0.
-
 module Network.AWS.STS.Types
     (
     -- * Service
       STS
-    -- ** Error
-    , RESTError
-    -- ** XML
-    , ns
 
+    -- * Errors
+    , _MalformedPolicyDocumentException
+    , _PackedPolicyTooLargeException
+    , _InvalidAuthorizationMessageException
+    , _IdPCommunicationErrorException
+    , _ExpiredTokenException
+    , _InvalidIdentityTokenException
+    , _IdPRejectedClaimException
+
+    -- * AssumedRoleUser
+    , AssumedRoleUser
+    , assumedRoleUser
+    , aruAssumedRoleId
+    , aruARN
+
     -- * Credentials
     , Credentials
     , credentials
     , cAccessKeyId
-    , cExpiration
     , cSecretAccessKey
     , cSessionToken
+    , cExpiration
 
     -- * FederatedUser
     , FederatedUser
     , federatedUser
-    , fuArn
     , fuFederatedUserId
-
-    -- * AssumedRoleUser
-    , AssumedRoleUser
-    , assumedRoleUser
-    , aruArn
-    , aruAssumedRoleId
+    , fuARN
     ) where
 
-import Network.AWS.Prelude
-import Network.AWS.Signing
-import qualified GHC.Exts
+import           Network.AWS.Prelude
+import           Network.AWS.Sign.V4
+import           Network.AWS.STS.Types.Product
+import           Network.AWS.STS.Types.Sum
 
--- | Version @2011-06-15@ of the Amazon Security Token Service service.
+-- | Version @2011-06-15@ of the Amazon Security Token Service SDK.
 data STS
 
 instance AWSService STS where
     type Sg STS = V4
-    type Er STS = RESTError
-
-    service = service'
+    service = const svc
       where
-        service' :: Service STS
-        service' = Service
-            { _svcAbbrev       = "STS"
-            , _svcPrefix       = "sts"
-            , _svcVersion      = "2011-06-15"
-            , _svcTargetPrefix = Nothing
-            , _svcJSONVersion  = Nothing
-            , _svcHandle       = handle
-            , _svcRetry        = retry
+        svc =
+            Service
+            { _svcAbbrev = "STS"
+            , _svcPrefix = "sts"
+            , _svcVersion = "2011-06-15"
+            , _svcEndpoint = defaultEndpoint svc
+            , _svcTimeout = Just 70
+            , _svcStatus = statusSuccess
+            , _svcError = parseXMLError
+            , _svcRetry = retry
             }
-
-        handle :: Status
-               -> Maybe (LazyByteString -> ServiceError RESTError)
-        handle = restError statusSuccess service'
-
-        retry :: Retry STS
-        retry = Exponential
-            { _retryBase     = 0.05
-            , _retryGrowth   = 2
+        retry =
+            Exponential
+            { _retryBase = 5.0e-2
+            , _retryGrowth = 2
             , _retryAttempts = 5
-            , _retryCheck    = check
+            , _retryCheck = check
             }
-
-        check :: Status
-              -> RESTError
-              -> Bool
-        check (statusCode -> s) (awsErrorCode -> e)
-            | s == 400 && (Just "Throttling") == e = True -- Throttling
-            | s == 500  = True -- General Server Error
-            | s == 509  = True -- Limit Exceeded
-            | s == 503  = True -- Service Unavailable
-            | otherwise = False
-
-ns :: Text
-ns = "https://sts.amazonaws.com/doc/2011-06-15/"
-{-# INLINE ns #-}
-
-data Credentials = Credentials
-    { _cAccessKeyId     :: Text
-    , _cExpiration      :: ISO8601
-    , _cSecretAccessKey :: Text
-    , _cSessionToken    :: Text
-    } deriving (Eq, Ord, Read, Show)
-
--- | 'Credentials' constructor.
---
--- The fields accessible through corresponding lenses are:
---
--- * 'cAccessKeyId' @::@ 'Text'
---
--- * 'cExpiration' @::@ 'UTCTime'
---
--- * 'cSecretAccessKey' @::@ 'Text'
---
--- * 'cSessionToken' @::@ 'Text'
---
-credentials :: Text -- ^ 'cAccessKeyId'
-            -> Text -- ^ 'cSecretAccessKey'
-            -> Text -- ^ 'cSessionToken'
-            -> UTCTime -- ^ 'cExpiration'
-            -> Credentials
-credentials p1 p2 p3 p4 = Credentials
-    { _cAccessKeyId     = p1
-    , _cSecretAccessKey = p2
-    , _cSessionToken    = p3
-    , _cExpiration      = withIso _Time (const id) p4
-    }
-
--- | The access key ID that identifies the temporary security credentials.
-cAccessKeyId :: Lens' Credentials Text
-cAccessKeyId = lens _cAccessKeyId (\s a -> s { _cAccessKeyId = a })
-
--- | The date on which the current credentials expire.
-cExpiration :: Lens' Credentials UTCTime
-cExpiration = lens _cExpiration (\s a -> s { _cExpiration = a }) . _Time
-
--- | The secret access key that can be used to sign requests.
-cSecretAccessKey :: Lens' Credentials Text
-cSecretAccessKey = lens _cSecretAccessKey (\s a -> s { _cSecretAccessKey = a })
-
--- | The token that users must pass to the service API to use the temporary
--- credentials.
-cSessionToken :: Lens' Credentials Text
-cSessionToken = lens _cSessionToken (\s a -> s { _cSessionToken = a })
-
-instance FromXML Credentials where
-    parseXML x = Credentials
-        <$> x .@  "AccessKeyId"
-        <*> x .@  "Expiration"
-        <*> x .@  "SecretAccessKey"
-        <*> x .@  "SessionToken"
-
-instance ToQuery Credentials where
-    toQuery Credentials{..} = mconcat
-        [ "AccessKeyId"     =? _cAccessKeyId
-        , "Expiration"      =? _cExpiration
-        , "SecretAccessKey" =? _cSecretAccessKey
-        , "SessionToken"    =? _cSessionToken
-        ]
-
-data FederatedUser = FederatedUser
-    { _fuArn             :: Text
-    , _fuFederatedUserId :: Text
-    } deriving (Eq, Ord, Read, Show)
+        check e
+          | has (hasCode "ThrottlingException" . hasStatus 400) e =
+              Just "throttling_exception"
+          | has (hasCode "Throttling" . hasStatus 400) e = Just "throttling"
+          | has (hasStatus 503) e = Just "service_unavailable"
+          | has (hasStatus 500) e = Just "general_server_error"
+          | has (hasStatus 509) e = Just "limit_exceeded"
+          | otherwise = Nothing
 
--- | 'FederatedUser' constructor.
---
--- The fields accessible through corresponding lenses are:
---
--- * 'fuArn' @::@ 'Text'
---
--- * 'fuFederatedUserId' @::@ 'Text'
---
-federatedUser :: Text -- ^ 'fuFederatedUserId'
-              -> Text -- ^ 'fuArn'
-              -> FederatedUser
-federatedUser p1 p2 = FederatedUser
-    { _fuFederatedUserId = p1
-    , _fuArn             = p2
-    }
+-- | The request was rejected because the policy document was malformed. The
+-- error message describes the specific error.
+_MalformedPolicyDocumentException :: AsError a => Getting (First ServiceError) a ServiceError
+_MalformedPolicyDocumentException =
+    _ServiceError . hasStatus 400 . hasCode "MalformedPolicyDocument"
 
--- | The ARN that specifies the federated user that is associated with the
--- credentials. For more information about ARNs and how to use them in policies,
--- see Identifiers for IAM Entities in /Using IAM/.
-fuArn :: Lens' FederatedUser Text
-fuArn = lens _fuArn (\s a -> s { _fuArn = a })
+-- | The request was rejected because the policy document was too large. The
+-- error message describes how big the policy document is, in packed form,
+-- as a percentage of what the API allows.
+_PackedPolicyTooLargeException :: AsError a => Getting (First ServiceError) a ServiceError
+_PackedPolicyTooLargeException =
+    _ServiceError . hasStatus 400 . hasCode "PackedPolicyTooLarge"
 
--- | The string that identifies the federated user associated with the
--- credentials, similar to the unique ID of an IAM user.
-fuFederatedUserId :: Lens' FederatedUser Text
-fuFederatedUserId =
-    lens _fuFederatedUserId (\s a -> s { _fuFederatedUserId = a })
+-- | The error returned if the message passed to 'DecodeAuthorizationMessage'
+-- was invalid. This can happen if the token contains invalid characters,
+-- such as linebreaks.
+_InvalidAuthorizationMessageException :: AsError a => Getting (First ServiceError) a ServiceError
+_InvalidAuthorizationMessageException =
+    _ServiceError .
+    hasStatus 400 . hasCode "InvalidAuthorizationMessageException"
 
-instance FromXML FederatedUser where
-    parseXML x = FederatedUser
-        <$> x .@  "Arn"
-        <*> x .@  "FederatedUserId"
+-- | The request could not be fulfilled because the non-AWS identity provider
+-- (IDP) that was asked to verify the incoming identity token could not be
+-- reached. This is often a transient error caused by network conditions.
+-- Retry the request a limited number of times so that you don\'t exceed
+-- the request rate. If the error persists, the non-AWS identity provider
+-- might be down or not responding.
+_IdPCommunicationErrorException :: AsError a => Getting (First ServiceError) a ServiceError
+_IdPCommunicationErrorException =
+    _ServiceError . hasStatus 400 . hasCode "IDPCommunicationError"
 
-instance ToQuery FederatedUser where
-    toQuery FederatedUser{..} = mconcat
-        [ "Arn"             =? _fuArn
-        , "FederatedUserId" =? _fuFederatedUserId
-        ]
+-- | The web identity token that was passed is expired or is not valid. Get a
+-- new identity token from the identity provider and then retry the
+-- request.
+_ExpiredTokenException :: AsError a => Getting (First ServiceError) a ServiceError
+_ExpiredTokenException =
+    _ServiceError . hasStatus 400 . hasCode "ExpiredTokenException"
 
-data AssumedRoleUser = AssumedRoleUser
-    { _aruArn           :: Text
-    , _aruAssumedRoleId :: Text
-    } deriving (Eq, Ord, Read, Show)
+-- | The web identity token that was passed could not be validated by AWS.
+-- Get a new identity token from the identity provider and then retry the
+-- request.
+_InvalidIdentityTokenException :: AsError a => Getting (First ServiceError) a ServiceError
+_InvalidIdentityTokenException =
+    _ServiceError . hasStatus 400 . hasCode "InvalidIdentityToken"
 
--- | 'AssumedRoleUser' constructor.
---
--- The fields accessible through corresponding lenses are:
---
--- * 'aruArn' @::@ 'Text'
---
--- * 'aruAssumedRoleId' @::@ 'Text'
+-- | The identity provider (IdP) reported that authentication failed. This
+-- might be because the claim is invalid.
 --
-assumedRoleUser :: Text -- ^ 'aruAssumedRoleId'
-                -> Text -- ^ 'aruArn'
-                -> AssumedRoleUser
-assumedRoleUser p1 p2 = AssumedRoleUser
-    { _aruAssumedRoleId = p1
-    , _aruArn           = p2
-    }
-
--- | The ARN of the temporary security credentials that are returned from the 'AssumeRole' action. For more information about ARNs and how to use them in policies, see
--- Identifiers for IAM Entities  in /Using IAM/.
-aruArn :: Lens' AssumedRoleUser Text
-aruArn = lens _aruArn (\s a -> s { _aruArn = a })
-
--- | A unique identifier that contains the role ID and the role session name of
--- the role that is being assumed. The role ID is generated by AWS when the role
--- is created.
-aruAssumedRoleId :: Lens' AssumedRoleUser Text
-aruAssumedRoleId = lens _aruAssumedRoleId (\s a -> s { _aruAssumedRoleId = a })
-
-instance FromXML AssumedRoleUser where
-    parseXML x = AssumedRoleUser
-        <$> x .@  "Arn"
-        <*> x .@  "AssumedRoleId"
-
-instance ToQuery AssumedRoleUser where
-    toQuery AssumedRoleUser{..} = mconcat
-        [ "Arn"           =? _aruArn
-        , "AssumedRoleId" =? _aruAssumedRoleId
-        ]
+-- If this error is returned for the 'AssumeRoleWithWebIdentity' operation,
+-- it can also mean that the claim has expired or has been explicitly
+-- revoked.
+_IdPRejectedClaimException :: AsError a => Getting (First ServiceError) a ServiceError
+_IdPRejectedClaimException =
+    _ServiceError . hasStatus 403 . hasCode "IDPRejectedClaim"
diff --git a/gen/Network/AWS/STS/Types/Product.hs b/gen/Network/AWS/STS/Types/Product.hs
new file mode 100644
--- /dev/null
+++ b/gen/Network/AWS/STS/Types/Product.hs
@@ -0,0 +1,170 @@
+{-# LANGUAGE DeriveDataTypeable #-}
+{-# LANGUAGE DeriveGeneric      #-}
+{-# LANGUAGE OverloadedStrings  #-}
+{-# LANGUAGE RecordWildCards    #-}
+{-# LANGUAGE TypeFamilies       #-}
+
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Network.AWS.STS.Types.Product
+-- Copyright   : (c) 2013-2015 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+module Network.AWS.STS.Types.Product where
+
+import           Network.AWS.Prelude
+import           Network.AWS.STS.Types.Sum
+
+-- | The identifiers for the temporary security credentials that the
+-- operation returns.
+--
+-- /See:/ 'assumedRoleUser' smart constructor.
+data AssumedRoleUser = AssumedRoleUser'
+    { _aruAssumedRoleId :: !Text
+    , _aruARN           :: !Text
+    } deriving (Eq,Read,Show,Data,Typeable,Generic)
+
+-- | Creates a value of 'AssumedRoleUser' with the minimum fields required to make a request.
+--
+-- Use one of the following lenses to modify other fields as desired:
+--
+-- * 'aruAssumedRoleId'
+--
+-- * 'aruARN'
+assumedRoleUser
+    :: Text -- ^ 'aruAssumedRoleId'
+    -> Text -- ^ 'aruARN'
+    -> AssumedRoleUser
+assumedRoleUser pAssumedRoleId_ pARN_ =
+    AssumedRoleUser'
+    { _aruAssumedRoleId = pAssumedRoleId_
+    , _aruARN = pARN_
+    }
+
+-- | A unique identifier that contains the role ID and the role session name
+-- of the role that is being assumed. The role ID is generated by AWS when
+-- the role is created.
+aruAssumedRoleId :: Lens' AssumedRoleUser Text
+aruAssumedRoleId = lens _aruAssumedRoleId (\ s a -> s{_aruAssumedRoleId = a});
+
+-- | The ARN of the temporary security credentials that are returned from the
+-- AssumeRole action. For more information about ARNs and how to use them
+-- in policies, see
+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html IAM Identifiers>
+-- in /Using IAM/.
+aruARN :: Lens' AssumedRoleUser Text
+aruARN = lens _aruARN (\ s a -> s{_aruARN = a});
+
+instance FromXML AssumedRoleUser where
+        parseXML x
+          = AssumedRoleUser' <$>
+              (x .@ "AssumedRoleId") <*> (x .@ "Arn")
+
+-- | AWS credentials for API authentication.
+--
+-- /See:/ 'credentials' smart constructor.
+data Credentials = Credentials'
+    { _cAccessKeyId     :: !Text
+    , _cSecretAccessKey :: !Text
+    , _cSessionToken    :: !Text
+    , _cExpiration      :: !ISO8601
+    } deriving (Eq,Read,Show,Data,Typeable,Generic)
+
+-- | Creates a value of 'Credentials' with the minimum fields required to make a request.
+--
+-- Use one of the following lenses to modify other fields as desired:
+--
+-- * 'cAccessKeyId'
+--
+-- * 'cSecretAccessKey'
+--
+-- * 'cSessionToken'
+--
+-- * 'cExpiration'
+credentials
+    :: Text -- ^ 'cAccessKeyId'
+    -> Text -- ^ 'cSecretAccessKey'
+    -> Text -- ^ 'cSessionToken'
+    -> UTCTime -- ^ 'cExpiration'
+    -> Credentials
+credentials pAccessKeyId_ pSecretAccessKey_ pSessionToken_ pExpiration_ =
+    Credentials'
+    { _cAccessKeyId = pAccessKeyId_
+    , _cSecretAccessKey = pSecretAccessKey_
+    , _cSessionToken = pSessionToken_
+    , _cExpiration = _Time # pExpiration_
+    }
+
+-- | The access key ID that identifies the temporary security credentials.
+cAccessKeyId :: Lens' Credentials Text
+cAccessKeyId = lens _cAccessKeyId (\ s a -> s{_cAccessKeyId = a});
+
+-- | The secret access key that can be used to sign requests.
+cSecretAccessKey :: Lens' Credentials Text
+cSecretAccessKey = lens _cSecretAccessKey (\ s a -> s{_cSecretAccessKey = a});
+
+-- | The token that users must pass to the service API to use the temporary
+-- credentials.
+cSessionToken :: Lens' Credentials Text
+cSessionToken = lens _cSessionToken (\ s a -> s{_cSessionToken = a});
+
+-- | The date on which the current credentials expire.
+cExpiration :: Lens' Credentials UTCTime
+cExpiration = lens _cExpiration (\ s a -> s{_cExpiration = a}) . _Time;
+
+instance FromXML Credentials where
+        parseXML x
+          = Credentials' <$>
+              (x .@ "AccessKeyId") <*> (x .@ "SecretAccessKey") <*>
+                (x .@ "SessionToken")
+                <*> (x .@ "Expiration")
+
+-- | Identifiers for the federated user that is associated with the
+-- credentials.
+--
+-- /See:/ 'federatedUser' smart constructor.
+data FederatedUser = FederatedUser'
+    { _fuFederatedUserId :: !Text
+    , _fuARN             :: !Text
+    } deriving (Eq,Read,Show,Data,Typeable,Generic)
+
+-- | Creates a value of 'FederatedUser' with the minimum fields required to make a request.
+--
+-- Use one of the following lenses to modify other fields as desired:
+--
+-- * 'fuFederatedUserId'
+--
+-- * 'fuARN'
+federatedUser
+    :: Text -- ^ 'fuFederatedUserId'
+    -> Text -- ^ 'fuARN'
+    -> FederatedUser
+federatedUser pFederatedUserId_ pARN_ =
+    FederatedUser'
+    { _fuFederatedUserId = pFederatedUserId_
+    , _fuARN = pARN_
+    }
+
+-- | The string that identifies the federated user associated with the
+-- credentials, similar to the unique ID of an IAM user.
+fuFederatedUserId :: Lens' FederatedUser Text
+fuFederatedUserId = lens _fuFederatedUserId (\ s a -> s{_fuFederatedUserId = a});
+
+-- | The ARN that specifies the federated user that is associated with the
+-- credentials. For more information about ARNs and how to use them in
+-- policies, see
+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html IAM Identifiers>
+-- in /Using IAM/.
+fuARN :: Lens' FederatedUser Text
+fuARN = lens _fuARN (\ s a -> s{_fuARN = a});
+
+instance FromXML FederatedUser where
+        parseXML x
+          = FederatedUser' <$>
+              (x .@ "FederatedUserId") <*> (x .@ "Arn")
diff --git a/gen/Network/AWS/STS/Types/Sum.hs b/gen/Network/AWS/STS/Types/Sum.hs
new file mode 100644
--- /dev/null
+++ b/gen/Network/AWS/STS/Types/Sum.hs
@@ -0,0 +1,20 @@
+{-# LANGUAGE DeriveDataTypeable #-}
+{-# LANGUAGE DeriveGeneric      #-}
+{-# LANGUAGE LambdaCase         #-}
+{-# LANGUAGE OverloadedStrings  #-}
+
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Network.AWS.STS.Types.Sum
+-- Copyright   : (c) 2013-2015 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+module Network.AWS.STS.Types.Sum where
+
+import           Network.AWS.Prelude
diff --git a/gen/Network/AWS/STS/Waiters.hs b/gen/Network/AWS/STS/Waiters.hs
new file mode 100644
--- /dev/null
+++ b/gen/Network/AWS/STS/Waiters.hs
@@ -0,0 +1,20 @@
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE TypeFamilies      #-}
+
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Network.AWS.STS.Waiters
+-- Copyright   : (c) 2013-2015 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+module Network.AWS.STS.Waiters where
+
+import           Network.AWS.Prelude
+import           Network.AWS.STS.Types
+import           Network.AWS.Waiter
diff --git a/test/Main.hs b/test/Main.hs
new file mode 100644
--- /dev/null
+++ b/test/Main.hs
@@ -0,0 +1,21 @@
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- |
+-- Module      : Main
+-- Copyright   : (c) 2013-2015 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+module Main (main) where
+
+import Test.Tasty
+import Test.AWS.STS
+import Test.AWS.STS.Internal
+
+main :: IO ()
+main = defaultMain $ testGroup "STS"
+    [ testGroup "tests"    tests
+    , testGroup "fixtures" fixtures
+    ]
diff --git a/test/Test/AWS/Gen/STS.hs b/test/Test/AWS/Gen/STS.hs
new file mode 100644
--- /dev/null
+++ b/test/Test/AWS/Gen/STS.hs
@@ -0,0 +1,141 @@
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-orphans        #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Test.AWS.Gen.STS
+-- Copyright   : (c) 2013-2015 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+module Test.AWS.Gen.STS where
+
+import Data.Proxy
+import Test.AWS.Fixture
+import Test.AWS.Prelude
+import Test.Tasty
+import Network.AWS.STS
+import Test.AWS.STS.Internal
+
+-- Auto-generated: the actual test selection needs to be manually placed into
+-- the top-level so that real test data can be incrementally added.
+--
+-- This commented snippet is what the entire set should look like:
+
+-- fixtures :: TestTree
+-- fixtures =
+--     [ testGroup "request"
+--         [ testAssumeRole $
+--             assumeRole
+--
+--         , testDecodeAuthorizationMessage $
+--             decodeAuthorizationMessage
+--
+--         , testAssumeRoleWithWebIdentity $
+--             assumeRoleWithWebIdentity
+--
+--         , testGetFederationToken $
+--             getFederationToken
+--
+--         , testGetSessionToken $
+--             getSessionToken
+--
+--         , testAssumeRoleWithSAML $
+--             assumeRoleWithSAML
+--
+--           ]
+
+--     , testGroup "response"
+--         [ testAssumeRoleResponse $
+--             assumeRoleResponse
+--
+--         , testDecodeAuthorizationMessageResponse $
+--             decodeAuthorizationMessageResponse
+--
+--         , testAssumeRoleWithWebIdentityResponse $
+--             assumeRoleWithWebIdentityResponse
+--
+--         , testGetFederationTokenResponse $
+--             getFederationTokenResponse
+--
+--         , testGetSessionTokenResponse $
+--             getSessionTokenResponse
+--
+--         , testAssumeRoleWithSAMLResponse $
+--             assumeRoleWithSAMLResponse
+--
+--           ]
+--     ]
+
+-- Requests
+
+testAssumeRole :: AssumeRole -> TestTree
+testAssumeRole = req
+    "AssumeRole"
+    "fixture/AssumeRole"
+
+testDecodeAuthorizationMessage :: DecodeAuthorizationMessage -> TestTree
+testDecodeAuthorizationMessage = req
+    "DecodeAuthorizationMessage"
+    "fixture/DecodeAuthorizationMessage"
+
+testAssumeRoleWithWebIdentity :: AssumeRoleWithWebIdentity -> TestTree
+testAssumeRoleWithWebIdentity = req
+    "AssumeRoleWithWebIdentity"
+    "fixture/AssumeRoleWithWebIdentity"
+
+testGetFederationToken :: GetFederationToken -> TestTree
+testGetFederationToken = req
+    "GetFederationToken"
+    "fixture/GetFederationToken"
+
+testGetSessionToken :: GetSessionToken -> TestTree
+testGetSessionToken = req
+    "GetSessionToken"
+    "fixture/GetSessionToken"
+
+testAssumeRoleWithSAML :: AssumeRoleWithSAML -> TestTree
+testAssumeRoleWithSAML = req
+    "AssumeRoleWithSAML"
+    "fixture/AssumeRoleWithSAML"
+
+-- Responses
+
+testAssumeRoleResponse :: AssumeRoleResponse -> TestTree
+testAssumeRoleResponse = res
+    "AssumeRoleResponse"
+    "fixture/AssumeRoleResponse"
+    (Proxy :: Proxy AssumeRole)
+
+testDecodeAuthorizationMessageResponse :: DecodeAuthorizationMessageResponse -> TestTree
+testDecodeAuthorizationMessageResponse = res
+    "DecodeAuthorizationMessageResponse"
+    "fixture/DecodeAuthorizationMessageResponse"
+    (Proxy :: Proxy DecodeAuthorizationMessage)
+
+testAssumeRoleWithWebIdentityResponse :: AssumeRoleWithWebIdentityResponse -> TestTree
+testAssumeRoleWithWebIdentityResponse = res
+    "AssumeRoleWithWebIdentityResponse"
+    "fixture/AssumeRoleWithWebIdentityResponse"
+    (Proxy :: Proxy AssumeRoleWithWebIdentity)
+
+testGetFederationTokenResponse :: GetFederationTokenResponse -> TestTree
+testGetFederationTokenResponse = res
+    "GetFederationTokenResponse"
+    "fixture/GetFederationTokenResponse"
+    (Proxy :: Proxy GetFederationToken)
+
+testGetSessionTokenResponse :: GetSessionTokenResponse -> TestTree
+testGetSessionTokenResponse = res
+    "GetSessionTokenResponse"
+    "fixture/GetSessionTokenResponse"
+    (Proxy :: Proxy GetSessionToken)
+
+testAssumeRoleWithSAMLResponse :: AssumeRoleWithSAMLResponse -> TestTree
+testAssumeRoleWithSAMLResponse = res
+    "AssumeRoleWithSAMLResponse"
+    "fixture/AssumeRoleWithSAMLResponse"
+    (Proxy :: Proxy AssumeRoleWithSAML)
diff --git a/test/Test/AWS/STS.hs b/test/Test/AWS/STS.hs
new file mode 100644
--- /dev/null
+++ b/test/Test/AWS/STS.hs
@@ -0,0 +1,26 @@
+{-# LANGUAGE OverloadedStrings #-}
+
+-- Module      : Test.AWS.STS
+-- Copyright   : (c) 2013-2015 Brendan Hay
+-- License     : This Source Code Form is subject to the terms of
+--               the Mozilla Public License, v. 2.0.
+--               A copy of the MPL can be found in the LICENSE file or
+--               you can obtain it at http://mozilla.org/MPL/2.0/.
+-- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
+-- Stability   : experimental
+-- Portability : non-portable (GHC extensions)
+
+module Test.AWS.STS
+    ( tests
+    , fixtures
+    ) where
+
+import           Network.AWS.STS
+import           Test.AWS.Gen.STS
+import           Test.Tasty
+
+tests :: [TestTree]
+tests = []
+
+fixtures :: [TestTree]
+fixtures = []
diff --git a/test/Test/AWS/STS/Internal.hs b/test/Test/AWS/STS/Internal.hs
new file mode 100644
--- /dev/null
+++ b/test/Test/AWS/STS/Internal.hs
@@ -0,0 +1,16 @@
+{-# LANGUAGE OverloadedStrings #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Module      : Test.AWS.STS.Internal
+-- Copyright   : (c) 2013-2015 Brendan Hay
+-- License     : This Source Code Form is subject to the terms of
+--               the Mozilla Public License, v. 2.0.
+--               A copy of the MPL can be found in the LICENSE file or
+--               you can obtain it at http://mozilla.org/MPL/2.0/.
+-- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
+-- Stability   : experimental
+-- Portability : non-portable (GHC extensions)
+
+module Test.AWS.STS.Internal where
+
+import Test.AWS.Prelude
