diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -8,7 +8,7 @@
 
 ## Version
 
-`1.4.0`
+`1.4.1`
 
 
 ## Description
@@ -40,7 +40,7 @@
 in /Using IAM/. For information about using security tokens with other
 AWS products, go to
 <http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html AWS Services That Work with IAM>
-in the /Using IAM/.
+in the /IAM User Guide/.
 
 If you\'re new to AWS and need additional technical information about a
 specific AWS product, you can find the product\'s technical
@@ -50,11 +50,10 @@
 
 The AWS Security Token Service (STS) has a default endpoint of
 https:\/\/sts.amazonaws.com that maps to the US East (N. Virginia)
-region. Additional regions are available, but must first be activated in
-the AWS Management Console before you can use a different region\'s
-endpoint. For more information about activating a region for STS see
-<http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html Activating STS in a New Region>
-in the /Using IAM/.
+region. Additional regions are available and are activated by default.
+For more information, see
+<http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html Activating and Deactivating AWS STS in an AWS Region>
+in the /IAM User Guide/.
 
 For information about STS endpoints, see
 <http://docs.aws.amazon.com/general/latest/gr/rande.html#sts_region Regions and Endpoints>
diff --git a/amazonka-sts.cabal b/amazonka-sts.cabal
--- a/amazonka-sts.cabal
+++ b/amazonka-sts.cabal
@@ -1,5 +1,5 @@
 name:                  amazonka-sts
-version:               1.4.0
+version:               1.4.1
 synopsis:              Amazon Security Token Service SDK.
 homepage:              https://github.com/brendanhay/amazonka
 bug-reports:           https://github.com/brendanhay/amazonka/issues
@@ -40,7 +40,7 @@
     in /Using IAM/. For information about using security tokens with other
     AWS products, go to
     <http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html AWS Services That Work with IAM>
-    in the /Using IAM/.
+    in the /IAM User Guide/.
 
     If you\'re new to AWS and need additional technical information about a
     specific AWS product, you can find the product\'s technical
@@ -50,11 +50,10 @@
 
     The AWS Security Token Service (STS) has a default endpoint of
     https:\/\/sts.amazonaws.com that maps to the US East (N. Virginia)
-    region. Additional regions are available, but must first be activated in
-    the AWS Management Console before you can use a different region\'s
-    endpoint. For more information about activating a region for STS see
-    <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html Activating STS in a New Region>
-    in the /Using IAM/.
+    region. Additional regions are available and are activated by default.
+    For more information, see
+    <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html Activating and Deactivating AWS STS in an AWS Region>
+    in the /IAM User Guide/.
 
     For information about STS endpoints, see
     <http://docs.aws.amazon.com/general/latest/gr/rande.html#sts_region Regions and Endpoints>
@@ -100,6 +99,7 @@
         , Network.AWS.STS.AssumeRoleWithSAML
         , Network.AWS.STS.AssumeRoleWithWebIdentity
         , Network.AWS.STS.DecodeAuthorizationMessage
+        , Network.AWS.STS.GetCallerIdentity
         , Network.AWS.STS.GetFederationToken
         , Network.AWS.STS.GetSessionToken
         , Network.AWS.STS.Types
@@ -110,7 +110,7 @@
         , Network.AWS.STS.Types.Sum
 
     build-depends:
-          amazonka-core == 1.4.0.*
+          amazonka-core == 1.4.1.*
         , base          >= 4.7     && < 5
 
 test-suite amazonka-sts-test
@@ -130,9 +130,9 @@
         , Test.AWS.STS.Internal
 
     build-depends:
-          amazonka-core == 1.4.0.*
-        , amazonka-test == 1.4.0.*
-        , amazonka-sts == 1.4.0.*
+          amazonka-core == 1.4.1.*
+        , amazonka-test == 1.4.1.*
+        , amazonka-sts == 1.4.1.*
         , base
         , bytestring
         , tasty
diff --git a/fixture/GetCallerIdentity.yaml b/fixture/GetCallerIdentity.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/GetCallerIdentity.yaml
diff --git a/fixture/GetCallerIdentityResponse.proto b/fixture/GetCallerIdentityResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/GetCallerIdentityResponse.proto
diff --git a/gen/Network/AWS/STS.hs b/gen/Network/AWS/STS.hs
--- a/gen/Network/AWS/STS.hs
+++ b/gen/Network/AWS/STS.hs
@@ -38,7 +38,7 @@
 -- in /Using IAM/. For information about using security tokens with other
 -- AWS products, go to
 -- <http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html AWS Services That Work with IAM>
--- in the /Using IAM/.
+-- in the /IAM User Guide/.
 --
 -- If you\'re new to AWS and need additional technical information about a
 -- specific AWS product, you can find the product\'s technical
@@ -48,11 +48,10 @@
 --
 -- The AWS Security Token Service (STS) has a default endpoint of
 -- https:\/\/sts.amazonaws.com that maps to the US East (N. Virginia)
--- region. Additional regions are available, but must first be activated in
--- the AWS Management Console before you can use a different region\'s
--- endpoint. For more information about activating a region for STS see
--- <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html Activating STS in a New Region>
--- in the /Using IAM/.
+-- region. Additional regions are available and are activated by default.
+-- For more information, see
+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html Activating and Deactivating AWS STS in an AWS Region>
+-- in the /IAM User Guide/.
 --
 -- For information about STS endpoints, see
 -- <http://docs.aws.amazon.com/general/latest/gr/rande.html#sts_region Regions and Endpoints>
@@ -105,6 +104,9 @@
     -- * Operations
     -- $operations
 
+    -- ** GetCallerIdentity
+    , module Network.AWS.STS.GetCallerIdentity
+
     -- ** AssumeRole
     , module Network.AWS.STS.AssumeRole
 
@@ -150,6 +152,7 @@
 import           Network.AWS.STS.AssumeRoleWithSAML
 import           Network.AWS.STS.AssumeRoleWithWebIdentity
 import           Network.AWS.STS.DecodeAuthorizationMessage
+import           Network.AWS.STS.GetCallerIdentity
 import           Network.AWS.STS.GetFederationToken
 import           Network.AWS.STS.GetSessionToken
 import           Network.AWS.STS.Types
diff --git a/gen/Network/AWS/STS/AssumeRole.hs b/gen/Network/AWS/STS/AssumeRole.hs
--- a/gen/Network/AWS/STS/AssumeRole.hs
+++ b/gen/Network/AWS/STS/AssumeRole.hs
@@ -22,9 +22,15 @@
 -- key ID, a secret access key, and a security token) that you can use to
 -- access AWS resources that you might not normally have access to.
 -- Typically, you use 'AssumeRole' for cross-account access or federation.
+-- For a comparison of 'AssumeRole' with the other APIs that produce
+-- temporary credentials, see
+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html Requesting Temporary Security Credentials>
+-- and
+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison Comparing the AWS STS APIs>
+-- in the /IAM User Guide/.
 --
--- __Important:__ You cannot call 'AssumeRole' by using AWS account
--- credentials; access will be denied. You must use IAM user credentials or
+-- __Important:__ You cannot call 'AssumeRole' by using AWS root account
+-- credentials; access is denied. You must use IAM user credentials or
 -- temporary security credentials to call 'AssumeRole'.
 --
 -- For cross-account access, imagine that you own multiple accounts and
@@ -36,7 +42,7 @@
 -- to access all the other accounts by assuming roles in those accounts.
 -- For more information about roles, see
 -- <http://docs.aws.amazon.com/IAM/latest/UserGuide/roles-toplevel.html IAM Roles (Delegation and Federation)>
--- in the /Using IAM/.
+-- in the /IAM User Guide/.
 --
 -- For federation, you can, for example, grant single sign-on access to the
 -- AWS Management Console. If you already have an identity and
@@ -48,12 +54,17 @@
 -- security credentials, you construct a sign-in URL that users can use to
 -- access the console. For more information, see
 -- <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html#sts-introduction Common Scenarios for Temporary Credentials>
--- in the /Using IAM/.
+-- in the /IAM User Guide/.
 --
 -- The temporary security credentials are valid for the duration that you
 -- specified when calling 'AssumeRole', which can be from 900 seconds (15
--- minutes) to 3600 seconds (1 hour). The default is 1 hour.
+-- minutes) to a maximum of 3600 seconds (1 hour). The default is 1 hour.
 --
+-- The temporary security credentials created by 'AssumeRole' can be used
+-- to make API calls to any AWS service with the following exception: you
+-- cannot call the STS service\'s 'GetFederationToken' or 'GetSessionToken'
+-- APIs.
+--
 -- Optionally, you can pass an IAM access policy to this operation. If you
 -- choose not to pass a policy, the temporary security credentials that are
 -- returned by the operation have the permissions that are defined in the
@@ -67,13 +78,22 @@
 -- access policy of the role that is being assumed. For more information,
 -- see
 -- <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity>
--- in the /Using IAM/.
+-- in the /IAM User Guide/.
 --
 -- To assume a role, your AWS account must be trusted by the role. The
 -- trust relationship is defined in the role\'s trust policy when the role
--- is created. You must also have a policy that allows you to call
--- 'sts:AssumeRole'.
+-- is created. That trust policy states which accounts are allowed to
+-- delegate access to this account\'s role.
 --
+-- The user who wants to access the role must also have permissions
+-- delegated from the role\'s administrator. If the user is in a different
+-- account than the role, then the user\'s administrator must attach a
+-- policy that allows the user to call AssumeRole on the ARN of the role in
+-- the other account. If the user is in the same account as the role, then
+-- you can either attach a policy to the user (identical to the previous
+-- different account user), or you can add the user as a principal directly
+-- in the role\'s trust policy
+--
 -- __Using MFA with AssumeRole__
 --
 -- You can optionally include multi-factor authentication (MFA) information
@@ -90,7 +110,7 @@
 --
 -- For more information, see
 -- <http://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html Configuring MFA-Protected API Access>
--- in the /Using IAM/ guide.
+-- in the /IAM User Guide/ guide.
 --
 -- To use MFA with 'AssumeRole', you pass values for the 'SerialNumber' and
 -- 'TokenCode' parameters. The 'SerialNumber' value identifies the user\'s
@@ -175,6 +195,9 @@
 -- that tests for MFA). If the role being assumed requires MFA and if the
 -- 'TokenCode' value is missing or expired, the 'AssumeRole' call returns
 -- an \"access denied\" error.
+--
+-- The format for this parameter, as described by its regex pattern, is a
+-- sequence of six numeric digits.
 arTokenCode :: Lens' AssumeRole (Maybe Text)
 arTokenCode = lens _arTokenCode (\ s a -> s{_arTokenCode = a});
 
@@ -195,8 +218,14 @@
 -- permissions that are in excess of those allowed by the access policy of
 -- the role that is being assumed. For more information, see
 -- <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity>
--- in the /Using IAM/.
+-- in the /IAM User Guide/.
 --
+-- The format for this parameter, as described by its regex pattern, is a
+-- string of characters up to 2048 characters in length. The characters can
+-- be any ASCII character from the space character to the end of the valid
+-- character list (\\u0020-\\u00FF). It can also include the tab (\\u0009),
+-- linefeed (\\u000A), and carriage return (\\u000D) characters.
+--
 -- The policy plain text must be 2048 bytes or shorter. However, an
 -- internal conversion compresses it into a packed binary format with a
 -- separate limit. The PackedPolicySize response element indicates by
@@ -214,7 +243,12 @@
 -- bind a role to the customer who created it. For more information about
 -- the external ID, see
 -- <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html How to Use an External ID When Granting Access to Your AWS Resources to a Third Party>
--- in the /Using IAM/.
+-- in the /IAM User Guide/.
+--
+-- The format for this parameter, as described by its regex pattern, is a
+-- string of characters consisting of upper- and lower-case alphanumeric
+-- characters with no spaces. You can also include any of the following
+-- characters: =,.\':\\\/-
 arExternalId :: Lens' AssumeRole (Maybe Text)
 arExternalId = lens _arExternalId (\ s a -> s{_arExternalId = a});
 
@@ -225,6 +259,11 @@
 -- hardware device (such as 'GAHT12345678') or an Amazon Resource Name
 -- (ARN) for a virtual device (such as
 -- 'arn:aws:iam::123456789012:mfa\/user').
+--
+-- The format for this parameter, as described by its regex pattern, is a
+-- string of characters consisting of upper- and lower-case alphanumeric
+-- characters with no spaces. You can also include any of the following
+-- characters: =,.\'-
 arSerialNumber :: Lens' AssumeRole (Maybe Text)
 arSerialNumber = lens _arSerialNumber (\ s a -> s{_arSerialNumber = a});
 
@@ -242,6 +281,11 @@
 -- subsequent cross-account API requests using the temporary security
 -- credentials will expose the role session name to the external account in
 -- their CloudTrail logs.
+--
+-- The format for this parameter, as described by its regex pattern, is a
+-- string of characters consisting of upper- and lower-case alphanumeric
+-- characters with no spaces. You can also include any of the following
+-- characters: =,.\'-
 arRoleSessionName :: Lens' AssumeRole Text
 arRoleSessionName = lens _arRoleSessionName (\ s a -> s{_arRoleSessionName = a});
 
@@ -258,6 +302,8 @@
 
 instance Hashable AssumeRole
 
+instance NFData AssumeRole
+
 instance ToHeaders AssumeRole where
         toHeaders = const mempty
 
@@ -338,3 +384,5 @@
 -- | The response status code.
 arrsResponseStatus :: Lens' AssumeRoleResponse Int
 arrsResponseStatus = lens _arrsResponseStatus (\ s a -> s{_arrsResponseStatus = a});
+
+instance NFData AssumeRoleResponse
diff --git a/gen/Network/AWS/STS/AssumeRoleWithSAML.hs b/gen/Network/AWS/STS/AssumeRoleWithSAML.hs
--- a/gen/Network/AWS/STS/AssumeRoleWithSAML.hs
+++ b/gen/Network/AWS/STS/AssumeRoleWithSAML.hs
@@ -22,19 +22,29 @@
 -- authenticated via a SAML authentication response. This operation
 -- provides a mechanism for tying an enterprise identity store or directory
 -- to role-based AWS access without user-specific credentials or
--- configuration.
+-- configuration. For a comparison of 'AssumeRoleWithSAML' with the other
+-- APIs that produce temporary credentials, see
+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html Requesting Temporary Security Credentials>
+-- and
+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison Comparing the AWS STS APIs>
+-- in the /IAM User Guide/.
 --
 -- The temporary security credentials returned by this operation consist of
 -- an access key ID, a secret access key, and a security token.
 -- Applications can use these temporary security credentials to sign calls
--- to AWS services. The credentials are valid for the duration that you
--- specified when calling 'AssumeRoleWithSAML', which can be up to 3600
--- seconds (1 hour) or until the time specified in the SAML authentication
--- response\'s 'SessionNotOnOrAfter' value, whichever is shorter.
+-- to AWS services.
 --
--- The maximum duration for a session is 1 hour, and the minimum duration
--- is 15 minutes, even if values outside this range are specified.
+-- The temporary security credentials are valid for the duration that you
+-- specified when calling 'AssumeRole', or until the time specified in the
+-- SAML authentication response\'s 'SessionNotOnOrAfter' value, whichever
+-- is shorter. The duration can be from 900 seconds (15 minutes) to a
+-- maximum of 3600 seconds (1 hour). The default is 1 hour.
 --
+-- The temporary security credentials created by 'AssumeRoleWithSAML' can
+-- be used to make API calls to any AWS service with the following
+-- exception: you cannot call the STS service\'s 'GetFederationToken' or
+-- 'GetSessionToken' APIs.
+--
 -- Optionally, you can pass an IAM access policy to this operation. If you
 -- choose not to pass a policy, the temporary security credentials that are
 -- returned by the operation have the permissions that are defined in the
@@ -48,7 +58,7 @@
 -- access policy of the role that is being assumed. For more information,
 -- see
 -- <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity>
--- in the /Using IAM/.
+-- in the /IAM User Guide/.
 --
 -- Before your application can call 'AssumeRoleWithSAML', you must
 -- configure your SAML identity provider (IdP) to issue the claims required
@@ -62,16 +72,27 @@
 -- the metadata document that is uploaded for the SAML provider entity for
 -- your identity provider.
 --
+-- Calling 'AssumeRoleWithSAML' can result in an entry in your AWS
+-- CloudTrail logs. The entry includes the value in the 'NameID' element of
+-- the SAML assertion. We recommend that you use a NameIDType that is not
+-- associated with any personally identifiable information (PII). For
+-- example, you could instead use the Persistent Identifier
+-- ('urn:oasis:names:tc:SAML:2.0:nameid-format:persistent').
+--
 -- For more information, see the following resources:
 --
 -- -   <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html About SAML 2.0-based Federation>
---     in the /Using IAM/.
+--     in the /IAM User Guide/.
+--
 -- -   <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html Creating SAML Identity Providers>
---     in the /Using IAM/.
+--     in the /IAM User Guide/.
+--
 -- -   <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html Configuring a Relying Party and Claims>
---     in the /Using IAM/.
+--     in the /IAM User Guide/.
+--
 -- -   <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html Creating a Role for SAML 2.0 Federation>
---     in the /Using IAM/.
+--     in the /IAM User Guide/.
+--
 module Network.AWS.STS.AssumeRoleWithSAML
     (
     -- * Creating a Request
@@ -164,8 +185,14 @@
 -- permissions that are in excess of those allowed by the access policy of
 -- the role that is being assumed. For more information,
 -- <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity>
--- in the /Using IAM/.
+-- in the /IAM User Guide/.
 --
+-- The format for this parameter, as described by its regex pattern, is a
+-- string of characters up to 2048 characters in length. The characters can
+-- be any ASCII character from the space character to the end of the valid
+-- character list (\\u0020-\\u00FF). It can also include the tab (\\u0009),
+-- linefeed (\\u000A), and carriage return (\\u000D) characters.
+--
 -- The policy plain text must be 2048 bytes or shorter. However, an
 -- internal conversion compresses it into a packed binary format with a
 -- separate limit. The PackedPolicySize response element indicates by
@@ -210,6 +237,8 @@
 
 instance Hashable AssumeRoleWithSAML
 
+instance NFData AssumeRoleWithSAML
+
 instance ToHeaders AssumeRoleWithSAML where
         toHeaders = const mempty
 
@@ -331,7 +360,8 @@
 arwsamlrsNameQualifier :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
 arwsamlrsNameQualifier = lens _arwsamlrsNameQualifier (\ s a -> s{_arwsamlrsNameQualifier = a});
 
--- | Undocumented member.
+-- | The identifiers for the temporary security credentials that the
+-- operation returns.
 arwsamlrsAssumedRoleUser :: Lens' AssumeRoleWithSAMLResponse (Maybe AssumedRoleUser)
 arwsamlrsAssumedRoleUser = lens _arwsamlrsAssumedRoleUser (\ s a -> s{_arwsamlrsAssumedRoleUser = a});
 
@@ -342,3 +372,5 @@
 -- | The response status code.
 arwsamlrsResponseStatus :: Lens' AssumeRoleWithSAMLResponse Int
 arwsamlrsResponseStatus = lens _arwsamlrsResponseStatus (\ s a -> s{_arwsamlrsResponseStatus = a});
+
+instance NFData AssumeRoleWithSAMLResponse
diff --git a/gen/Network/AWS/STS/AssumeRoleWithWebIdentity.hs b/gen/Network/AWS/STS/AssumeRoleWithWebIdentity.hs
--- a/gen/Network/AWS/STS/AssumeRoleWithWebIdentity.hs
+++ b/gen/Network/AWS/STS/AssumeRoleWithWebIdentity.hs
@@ -42,16 +42,28 @@
 -- without including long-term AWS credentials in the application, and
 -- without deploying server-based proxy services that use long-term AWS
 -- credentials. Instead, the identity of the caller is validated by using a
--- token from the web identity provider.
+-- token from the web identity provider. For a comparison of
+-- 'AssumeRoleWithWebIdentity' with the other APIs that produce temporary
+-- credentials, see
+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html Requesting Temporary Security Credentials>
+-- and
+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison Comparing the AWS STS APIs>
+-- in the /IAM User Guide/.
 --
 -- The temporary security credentials returned by this API consist of an
 -- access key ID, a secret access key, and a security token. Applications
 -- can use these temporary security credentials to sign calls to AWS
--- service APIs. The credentials are valid for the duration that you
--- specified when calling 'AssumeRoleWithWebIdentity', which can be from
--- 900 seconds (15 minutes) to 3600 seconds (1 hour). By default, the
--- temporary security credentials are valid for 1 hour.
+-- service APIs.
 --
+-- The credentials are valid for the duration that you specified when
+-- calling 'AssumeRoleWithWebIdentity', which can be from 900 seconds (15
+-- minutes) to a maximum of 3600 seconds (1 hour). The default is 1 hour.
+--
+-- The temporary security credentials created by
+-- 'AssumeRoleWithWebIdentity' can be used to make API calls to any AWS
+-- service with the following exception: you cannot call the STS service\'s
+-- 'GetFederationToken' or 'GetSessionToken' APIs.
+--
 -- Optionally, you can pass an IAM access policy to this operation. If you
 -- choose not to pass a policy, the temporary security credentials that are
 -- returned by the operation have the permissions that are defined in the
@@ -65,7 +77,7 @@
 -- access policy of the role that is being assumed. For more information,
 -- see
 -- <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity>
--- in the /Using IAM/.
+-- in the /IAM User Guide/.
 --
 -- Before your application can call 'AssumeRoleWithWebIdentity', you must
 -- have an identity token from a supported identity provider and create a
@@ -74,26 +86,38 @@
 -- identity token. In other words, the identity provider must be specified
 -- in the role\'s trust policy.
 --
+-- Calling 'AssumeRoleWithWebIdentity' can result in an entry in your AWS
+-- CloudTrail logs. The entry includes the
+-- <http://openid.net/specs/openid-connect-core-1_0.html#Claims Subject> of
+-- the provided Web Identity Token. We recommend that you avoid using any
+-- personally identifiable information (PII) in this field. For example,
+-- you could instead use a GUID or a pairwise identifier, as
+-- <http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes suggested in the OIDC specification>.
+--
 -- For more information about how to use web identity federation and the
 -- 'AssumeRoleWithWebIdentity' API, see the following resources:
 --
 -- -   <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual Using Web Identity Federation APIs for Mobile Apps>
 --     and
 --     <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity Federation Through a Web-based Identity Provider>.
+--
 -- -   <https://web-identity-federation-playground.s3.amazonaws.com/index.html Web Identity Federation Playground>.
 --     This interactive website lets you walk through the process of
 --     authenticating via Login with Amazon, Facebook, or Google, getting
 --     temporary security credentials, and then using those credentials to
 --     make a request to AWS.
+--
 -- -   <http://aws.amazon.com/sdkforios/ AWS SDK for iOS> and
 --     <http://aws.amazon.com/sdkforandroid/ AWS SDK for Android>. These
 --     toolkits contain sample apps that show how to invoke the identity
 --     providers, and then how to use the information from these providers
 --     to get and use temporary security credentials.
+--
 -- -   <http://aws.amazon.com/articles/4617974389850313 Web Identity Federation with Mobile Applications>.
 --     This article discusses web identity federation and shows an example
 --     of how to use web identity federation to get access to content in
 --     Amazon S3.
+--
 module Network.AWS.STS.AssumeRoleWithWebIdentity
     (
     -- * Creating a Request
@@ -196,8 +220,14 @@
 -- permissions that are in excess of those allowed by the access policy of
 -- the role that is being assumed. For more information, see
 -- <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html Permissions for AssumeRoleWithWebIdentity>
--- in the /Using IAM/.
+-- in the /IAM User Guide/.
 --
+-- The format for this parameter, as described by its regex pattern, is a
+-- string of characters up to 2048 characters in length. The characters can
+-- be any ASCII character from the space character to the end of the valid
+-- character list (\\u0020-\\u00FF). It can also include the tab (\\u0009),
+-- linefeed (\\u000A), and carriage return (\\u000D) characters.
+--
 -- The policy plain text must be 2048 bytes or shorter. However, an
 -- internal conversion compresses it into a packed binary format with a
 -- separate limit. The PackedPolicySize response element indicates by
@@ -216,6 +246,11 @@
 -- application will use are associated with that user. This session name is
 -- included as part of the ARN and assumed role ID in the 'AssumedRoleUser'
 -- response element.
+--
+-- The format for this parameter, as described by its regex pattern, is a
+-- string of characters consisting of upper- and lower-case alphanumeric
+-- characters with no spaces. You can also include any of the following
+-- characters: =,.\'-
 arwwiRoleSessionName :: Lens' AssumeRoleWithWebIdentity Text
 arwwiRoleSessionName = lens _arwwiRoleSessionName (\ s a -> s{_arwwiRoleSessionName = a});
 
@@ -245,6 +280,8 @@
 
 instance Hashable AssumeRoleWithWebIdentity
 
+instance NFData AssumeRoleWithWebIdentity
+
 instance ToHeaders AssumeRoleWithWebIdentity where
         toHeaders = const mempty
 
@@ -361,3 +398,5 @@
 -- | The response status code.
 arwwirsResponseStatus :: Lens' AssumeRoleWithWebIdentityResponse Int
 arwwirsResponseStatus = lens _arwwirsResponseStatus (\ s a -> s{_arwwirsResponseStatus = a});
+
+instance NFData AssumeRoleWithWebIdentityResponse
diff --git a/gen/Network/AWS/STS/DecodeAuthorizationMessage.hs b/gen/Network/AWS/STS/DecodeAuthorizationMessage.hs
--- a/gen/Network/AWS/STS/DecodeAuthorizationMessage.hs
+++ b/gen/Network/AWS/STS/DecodeAuthorizationMessage.hs
@@ -42,11 +42,16 @@
 -- -   Whether the request was denied due to an explicit deny or due to the
 --     absence of an explicit allow. For more information, see
 --     <http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow Determining Whether a Request is Allowed or Denied>
---     in the /Using IAM/.
+--     in the /IAM User Guide/.
+--
 -- -   The principal who made the request.
+--
 -- -   The requested action.
+--
 -- -   The requested resource.
+--
 -- -   The values of condition keys in the context of the user\'s request.
+--
 module Network.AWS.STS.DecodeAuthorizationMessage
     (
     -- * Creating a Request
@@ -105,6 +110,8 @@
 
 instance Hashable DecodeAuthorizationMessage
 
+instance NFData DecodeAuthorizationMessage
+
 instance ToHeaders DecodeAuthorizationMessage where
         toHeaders = const mempty
 
@@ -145,11 +152,12 @@
     , _damrsResponseStatus = pResponseStatus_
     }
 
--- | An XML document that contains the decoded message. For more information,
--- see 'DecodeAuthorizationMessage'.
+-- | An XML document that contains the decoded message.
 damrsDecodedMessage :: Lens' DecodeAuthorizationMessageResponse (Maybe Text)
 damrsDecodedMessage = lens _damrsDecodedMessage (\ s a -> s{_damrsDecodedMessage = a});
 
 -- | The response status code.
 damrsResponseStatus :: Lens' DecodeAuthorizationMessageResponse Int
 damrsResponseStatus = lens _damrsResponseStatus (\ s a -> s{_damrsResponseStatus = a});
+
+instance NFData DecodeAuthorizationMessageResponse
diff --git a/gen/Network/AWS/STS/GetCallerIdentity.hs b/gen/Network/AWS/STS/GetCallerIdentity.hs
new file mode 100644
--- /dev/null
+++ b/gen/Network/AWS/STS/GetCallerIdentity.hs
@@ -0,0 +1,140 @@
+{-# LANGUAGE DeriveDataTypeable #-}
+{-# LANGUAGE DeriveGeneric      #-}
+{-# LANGUAGE OverloadedStrings  #-}
+{-# LANGUAGE RecordWildCards    #-}
+{-# LANGUAGE TypeFamilies       #-}
+
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds   #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Network.AWS.STS.GetCallerIdentity
+-- Copyright   : (c) 2013-2016 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Returns details about the IAM identity whose credentials are used to
+-- call the API.
+module Network.AWS.STS.GetCallerIdentity
+    (
+    -- * Creating a Request
+      getCallerIdentity
+    , GetCallerIdentity
+
+    -- * Destructuring the Response
+    , getCallerIdentityResponse
+    , GetCallerIdentityResponse
+    -- * Response Lenses
+    , gcirsARN
+    , gcirsAccount
+    , gcirsUserId
+    , gcirsResponseStatus
+    ) where
+
+import           Network.AWS.Lens
+import           Network.AWS.Prelude
+import           Network.AWS.Request
+import           Network.AWS.Response
+import           Network.AWS.STS.Types
+import           Network.AWS.STS.Types.Product
+
+-- | /See:/ 'getCallerIdentity' smart constructor.
+data GetCallerIdentity =
+    GetCallerIdentity'
+    deriving (Eq,Read,Show,Data,Typeable,Generic)
+
+-- | Creates a value of 'GetCallerIdentity' with the minimum fields required to make a request.
+--
+getCallerIdentity
+    :: GetCallerIdentity
+getCallerIdentity = GetCallerIdentity'
+
+instance AWSRequest GetCallerIdentity where
+        type Rs GetCallerIdentity = GetCallerIdentityResponse
+        request = postQuery sts
+        response
+          = receiveXMLWrapper "GetCallerIdentityResult"
+              (\ s h x ->
+                 GetCallerIdentityResponse' <$>
+                   (x .@? "Arn") <*> (x .@? "Account") <*>
+                     (x .@? "UserId")
+                     <*> (pure (fromEnum s)))
+
+instance Hashable GetCallerIdentity
+
+instance NFData GetCallerIdentity
+
+instance ToHeaders GetCallerIdentity where
+        toHeaders = const mempty
+
+instance ToPath GetCallerIdentity where
+        toPath = const "/"
+
+instance ToQuery GetCallerIdentity where
+        toQuery
+          = const
+              (mconcat
+                 ["Action" =: ("GetCallerIdentity" :: ByteString),
+                  "Version" =: ("2011-06-15" :: ByteString)])
+
+-- | Contains the response to a successful < GetCallerIdentity> request,
+-- including information about the entity making the request.
+--
+-- /See:/ 'getCallerIdentityResponse' smart constructor.
+data GetCallerIdentityResponse = GetCallerIdentityResponse'
+    { _gcirsARN            :: !(Maybe Text)
+    , _gcirsAccount        :: !(Maybe Text)
+    , _gcirsUserId         :: !(Maybe Text)
+    , _gcirsResponseStatus :: !Int
+    } deriving (Eq,Read,Show,Data,Typeable,Generic)
+
+-- | Creates a value of 'GetCallerIdentityResponse' with the minimum fields required to make a request.
+--
+-- Use one of the following lenses to modify other fields as desired:
+--
+-- * 'gcirsARN'
+--
+-- * 'gcirsAccount'
+--
+-- * 'gcirsUserId'
+--
+-- * 'gcirsResponseStatus'
+getCallerIdentityResponse
+    :: Int -- ^ 'gcirsResponseStatus'
+    -> GetCallerIdentityResponse
+getCallerIdentityResponse pResponseStatus_ =
+    GetCallerIdentityResponse'
+    { _gcirsARN = Nothing
+    , _gcirsAccount = Nothing
+    , _gcirsUserId = Nothing
+    , _gcirsResponseStatus = pResponseStatus_
+    }
+
+-- | The AWS ARN associated with the calling entity.
+gcirsARN :: Lens' GetCallerIdentityResponse (Maybe Text)
+gcirsARN = lens _gcirsARN (\ s a -> s{_gcirsARN = a});
+
+-- | The AWS account ID number of the account that owns or contains the
+-- calling entity.
+gcirsAccount :: Lens' GetCallerIdentityResponse (Maybe Text)
+gcirsAccount = lens _gcirsAccount (\ s a -> s{_gcirsAccount = a});
+
+-- | The unique identifier of the calling entity. The exact value depends on
+-- the type of entity making the call. The values returned are those listed
+-- in the __aws:userid__ column in the
+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable Principal table>
+-- found on the __Policy Variables__ reference page in the /IAM User
+-- Guide/.
+gcirsUserId :: Lens' GetCallerIdentityResponse (Maybe Text)
+gcirsUserId = lens _gcirsUserId (\ s a -> s{_gcirsUserId = a});
+
+-- | The response status code.
+gcirsResponseStatus :: Lens' GetCallerIdentityResponse Int
+gcirsResponseStatus = lens _gcirsResponseStatus (\ s a -> s{_gcirsResponseStatus = a});
+
+instance NFData GetCallerIdentityResponse
diff --git a/gen/Network/AWS/STS/GetFederationToken.hs b/gen/Network/AWS/STS/GetFederationToken.hs
--- a/gen/Network/AWS/STS/GetFederationToken.hs
+++ b/gen/Network/AWS/STS/GetFederationToken.hs
@@ -25,7 +25,12 @@
 -- network. Because you must call the 'GetFederationToken' action using the
 -- long-term security credentials of an IAM user, this call is appropriate
 -- in contexts where those credentials can be safely stored, usually in a
--- server-based application.
+-- server-based application. For a comparison of 'GetFederationToken' with
+-- the other APIs that produce temporary credentials, see
+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html Requesting Temporary Security Credentials>
+-- and
+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison Comparing the AWS STS APIs>
+-- in the /IAM User Guide/.
 --
 -- If you are creating a mobile-based or browser-based app that can
 -- authenticate users using a web identity provider like Login with Amazon,
@@ -36,20 +41,30 @@
 --
 -- The 'GetFederationToken' action must be called by using the long-term
 -- AWS security credentials of an IAM user. You can also call
--- 'GetFederationToken' using the security credentials of an AWS account
--- (root), but this is not recommended. Instead, we recommend that you
+-- 'GetFederationToken' using the security credentials of an AWS root
+-- account, but we do not recommended it. Instead, we recommend that you
 -- create an IAM user for the purpose of the proxy application and then
 -- attach a policy to the IAM user that limits federated users to only the
--- actions and resources they need access to. For more information, see
+-- actions and resources that they need access to. For more information,
+-- see
 -- <http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html IAM Best Practices>
--- in the /Using IAM/.
+-- in the /IAM User Guide/.
 --
 -- The temporary security credentials that are obtained by using the
 -- long-term credentials of an IAM user are valid for the specified
--- duration, between 900 seconds (15 minutes) and 129600 seconds (36
--- hours). Temporary credentials that are obtained by using AWS account
--- (root) credentials have a maximum duration of 3600 seconds (1 hour)
+-- duration, from 900 seconds (15 minutes) up to a maximium of 129600
+-- seconds (36 hours). The default is 43200 seconds (12 hours). Temporary
+-- credentials that are obtained by using AWS root account credentials have
+-- a maximum duration of 3600 seconds (1 hour).
 --
+-- The temporary security credentials created by 'GetFederationToken' can
+-- be used to make API calls to any AWS service with the following
+-- exceptions:
+--
+-- -   You cannot use these credentials to call any IAM APIs.
+--
+-- -   You cannot call any STS APIs.
+--
 -- __Permissions__
 --
 -- The permissions for the temporary security credentials returned by
@@ -57,6 +72,7 @@
 --
 -- -   The policy or policies that are attached to the IAM user whose
 --     credentials are used to call 'GetFederationToken'.
+--
 -- -   The policy that is passed as a parameter in the call.
 --
 -- The passed policy is attached to the temporary security credentials that
@@ -169,6 +185,12 @@
 -- has a resource-based policy that specifically allows the federated user
 -- to access the resource.
 --
+-- The format for this parameter, as described by its regex pattern, is a
+-- string of characters up to 2048 characters in length. The characters can
+-- be any ASCII character from the space character to the end of the valid
+-- character list (\\u0020-\\u00FF). It can also include the tab (\\u0009),
+-- linefeed (\\u000A), and carriage return (\\u000D) characters.
+--
 -- The policy plain text must be 2048 bytes or shorter. However, an
 -- internal conversion compresses it into a packed binary format with a
 -- separate limit. The PackedPolicySize response element indicates by
@@ -184,6 +206,11 @@
 -- the temporary security credentials (such as 'Bob'). For example, you can
 -- reference the federated user name in a resource-based policy, such as in
 -- an Amazon S3 bucket policy.
+--
+-- The format for this parameter, as described by its regex pattern, is a
+-- string of characters consisting of upper- and lower-case alphanumeric
+-- characters with no spaces. You can also include any of the following
+-- characters: =,.\'-
 gftName :: Lens' GetFederationToken Text
 gftName = lens _gftName (\ s a -> s{_gftName = a});
 
@@ -201,6 +228,8 @@
 
 instance Hashable GetFederationToken
 
+instance NFData GetFederationToken
+
 instance ToHeaders GetFederationToken where
         toHeaders = const mempty
 
@@ -276,3 +305,5 @@
 -- | The response status code.
 gftrsResponseStatus :: Lens' GetFederationTokenResponse Int
 gftrsResponseStatus = lens _gftrsResponseStatus (\ s a -> s{_gftrsResponseStatus = a});
+
+instance NFData GetFederationTokenResponse
diff --git a/gen/Network/AWS/STS/GetSessionToken.hs b/gen/Network/AWS/STS/GetSessionToken.hs
--- a/gen/Network/AWS/STS/GetSessionToken.hs
+++ b/gen/Network/AWS/STS/GetSessionToken.hs
@@ -27,15 +27,31 @@
 -- MFA device. Using the temporary security credentials that are returned
 -- from the call, IAM users can then make programmatic calls to APIs that
 -- require MFA authentication. If you do not supply a correct MFA code,
--- then the API returns an access denied error.
+-- then the API returns an access denied error. For a comparison of
+-- 'GetSessionToken' with the other APIs that produce temporary
+-- credentials, see
+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html Requesting Temporary Security Credentials>
+-- and
+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison Comparing the AWS STS APIs>
+-- in the /IAM User Guide/.
 --
 -- The 'GetSessionToken' action must be called by using the long-term AWS
 -- security credentials of the AWS account or an IAM user. Credentials that
 -- are created by IAM users are valid for the duration that you specify,
--- between 900 seconds (15 minutes) and 129600 seconds (36 hours);
--- credentials that are created by using account credentials have a maximum
--- duration of 3600 seconds (1 hour).
+-- from 900 seconds (15 minutes) up to a maximum of 129600 seconds (36
+-- hours), with a default of 43200 seconds (12 hours); credentials that are
+-- created by using account credentials can range from 900 seconds (15
+-- minutes) up to a maximum of 3600 seconds (1 hour), with a default of 1
+-- hour.
 --
+-- The temporary security credentials created by 'GetSessionToken' can be
+-- used to make API calls to any AWS service with the following exceptions:
+--
+-- -   You cannot call any IAM APIs unless MFA authentication information
+--     is included in the request.
+--
+-- -   You cannot call any STS API /except/ 'AssumeRole'.
+--
 -- We recommend that you do not call 'GetSessionToken' with root account
 -- credentials. Instead, follow our
 -- <http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users best practices>
@@ -53,7 +69,7 @@
 -- For more information about using 'GetSessionToken' to create temporary
 -- credentials, go to
 -- <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken Temporary Credentials for Users in Untrusted Environments>
--- in the /Using IAM/.
+-- in the /IAM User Guide/.
 module Network.AWS.STS.GetSessionToken
     (
     -- * Creating a Request
@@ -110,6 +126,9 @@
 -- requesting a set of temporary security credentials, the user will
 -- receive an \"access denied\" response when requesting resources that
 -- require MFA authentication.
+--
+-- The format for this parameter, as described by its regex pattern, is a
+-- sequence of six numeric digits.
 gstTokenCode :: Lens' GetSessionToken (Maybe Text)
 gstTokenCode = lens _gstTokenCode (\ s a -> s{_gstTokenCode = a});
 
@@ -130,6 +149,11 @@
 -- 'arn:aws:iam::123456789012:mfa\/user'). You can find the device for an
 -- IAM user by going to the AWS Management Console and viewing the user\'s
 -- security credentials.
+--
+-- The format for this parameter, as described by its regex pattern, is a
+-- string of characters consisting of upper- and lower-case alphanumeric
+-- characters with no spaces. You can also include any of the following
+-- characters: =,.\'-
 gstSerialNumber :: Lens' GetSessionToken (Maybe Text)
 gstSerialNumber = lens _gstSerialNumber (\ s a -> s{_gstSerialNumber = a});
 
@@ -144,6 +168,8 @@
 
 instance Hashable GetSessionToken
 
+instance NFData GetSessionToken
+
 instance ToHeaders GetSessionToken where
         toHeaders = const mempty
 
@@ -199,3 +225,5 @@
 -- | The response status code.
 gstrsResponseStatus :: Lens' GetSessionTokenResponse Int
 gstrsResponseStatus = lens _gstrsResponseStatus (\ s a -> s{_gstrsResponseStatus = a});
+
+instance NFData GetSessionTokenResponse
diff --git a/gen/Network/AWS/STS/Types.hs b/gen/Network/AWS/STS/Types.hs
--- a/gen/Network/AWS/STS/Types.hs
+++ b/gen/Network/AWS/STS/Types.hs
@@ -79,6 +79,8 @@
       | has (hasCode "ThrottlingException" . hasStatus 400) e =
           Just "throttling_exception"
       | has (hasCode "Throttling" . hasStatus 400) e = Just "throttling"
+      | has (hasStatus 504) e = Just "gateway_timeout"
+      | has (hasStatus 502) e = Just "bad_gateway"
       | has (hasStatus 503) e = Just "service_unavailable"
       | has (hasStatus 500) e = Just "general_server_error"
       | has (hasStatus 509) e = Just "limit_exceeded"
@@ -106,11 +108,11 @@
     _ServiceError . hasStatus 400 . hasCode "PackedPolicyTooLarge"
 
 -- | STS is not activated in the requested region for the account that is
--- being asked to create temporary credentials. The account administrator
--- must activate STS in that region using the IAM Console. For more
--- information, see
+-- being asked to generate credentials. The account administrator must use
+-- the IAM console to activate STS in that region. For more information,
+-- see
 -- <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html Activating and Deactivating AWS STS in an AWS Region>
--- in the /Using IAM/.
+-- in the /IAM User Guide/.
 _RegionDisabledException :: AsError a => Getting (First ServiceError) a ServiceError
 _RegionDisabledException =
     _ServiceError . hasStatus 403 . hasCode "RegionDisabledException"
diff --git a/gen/Network/AWS/STS/Types/Product.hs b/gen/Network/AWS/STS/Types/Product.hs
--- a/gen/Network/AWS/STS/Types/Product.hs
+++ b/gen/Network/AWS/STS/Types/Product.hs
@@ -68,6 +68,8 @@
 
 instance Hashable AssumedRoleUser
 
+instance NFData AssumedRoleUser
+
 -- | AWS credentials for API authentication.
 --
 -- /See:/ 'credentials' smart constructor.
@@ -129,6 +131,8 @@
 
 instance Hashable Credentials
 
+instance NFData Credentials
+
 -- | Identifiers for the federated user that is associated with the
 -- credentials.
 --
@@ -174,3 +178,5 @@
               (x .@ "FederatedUserId") <*> (x .@ "Arn")
 
 instance Hashable FederatedUser
+
+instance NFData FederatedUser
diff --git a/test/Test/AWS/Gen/STS.hs b/test/Test/AWS/Gen/STS.hs
--- a/test/Test/AWS/Gen/STS.hs
+++ b/test/Test/AWS/Gen/STS.hs
@@ -28,7 +28,10 @@
 -- fixtures :: TestTree
 -- fixtures =
 --     [ testGroup "request"
---         [ testAssumeRole $
+--         [ testGetCallerIdentity $
+--             getCallerIdentity
+--
+--         , testAssumeRole $
 --             assumeRole
 --
 --         , testDecodeAuthorizationMessage $
@@ -49,7 +52,10 @@
 --           ]
 
 --     , testGroup "response"
---         [ testAssumeRoleResponse $
+--         [ testGetCallerIdentityResponse $
+--             getCallerIdentityResponse
+--
+--         , testAssumeRoleResponse $
 --             assumeRoleResponse
 --
 --         , testDecodeAuthorizationMessageResponse $
@@ -72,6 +78,11 @@
 
 -- Requests
 
+testGetCallerIdentity :: GetCallerIdentity -> TestTree
+testGetCallerIdentity = req
+    "GetCallerIdentity"
+    "fixture/GetCallerIdentity.yaml"
+
 testAssumeRole :: AssumeRole -> TestTree
 testAssumeRole = req
     "AssumeRole"
@@ -103,6 +114,13 @@
     "fixture/AssumeRoleWithSAML.yaml"
 
 -- Responses
+
+testGetCallerIdentityResponse :: GetCallerIdentityResponse -> TestTree
+testGetCallerIdentityResponse = res
+    "GetCallerIdentityResponse"
+    "fixture/GetCallerIdentityResponse.proto"
+    sts
+    (Proxy :: Proxy GetCallerIdentity)
 
 testAssumeRoleResponse :: AssumeRoleResponse -> TestTree
 testAssumeRoleResponse = res
